Fortinet FortiAnalyzer 3.0 MR7 User Manual

www.fortinet.com
FortiAnalyzer
Version 3.0 MR7
ADMINISTRATION GUIDE
FortiAnalyzer Administration Guide
Version 3.0 MR7
08 September 2008
05-30007-0082-20080908
publication including text, examples, diagrams or illustrations may be
reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose,
without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC,
FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat
Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-
Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer,
FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect,
FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are
trademarks of Fortinet, Inc. in the United States and/or other countries.
The names of actual companies and products mentioned herein may be
the trademarks of their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS
!
CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type.
Dispose of Used Batteries According to the Instructions.

FortiAnalyzer Version 3.0 MR7 Administration Guide
05-30007-0082-20080908 3

Contents
Introduction ........................................................................................ 9
About this document......................................................................................... 9
Fortinet documentation................................................................................... 10
Fortinet Tools and Documentation CD ........................................................ 10
Fortinet Knowledge Center ......................................................................... 11
Comments on Fortinet technical documentation......................................... 11
Customer service and technical support ...................................................... 11
What’s new for 3.0 MR7................................................................... 13
3.0 MR7 new features and changes ............................................................... 15
Power supply monitoring for FortiAnalyzer-2000A and 4000A ................... 15
Registered devices’ hard limits ................................................................... 15
CLI displays the tasks in the upload queue................................................. 15
Dashboard enhancements .......................................................................... 15
Custom fields for log messages .................................................................. 16
Reports........................................................................................................ 16
Report configuration enhancements..................................................... 16
VoIP reports.......................................................................................... 17
Alert email configuration changes ............................................................... 17
Administrative Domains (ADOMs).................................................. 19
About administrative domains (ADOMs)....................................................... 19
Configuring ADOMs ........................................................................................ 22
Accessing ADOMs as the admin administrator............................................ 23
Assigning administrators to an ADOM.......................................................... 24
System .............................................................................................. 25
Dashboard........................................................................................................ 25
Tabs ............................................................................................................ 27
RAID Monitor............................................................................................... 28
System Information ..................................................................................... 29
Setting the time..................................................................................... 29
Changing the host name....................................................................... 30
Changing the firmware.......................................................................... 30
License Information..................................................................................... 30
System Resources ...................................................................................... 31
Viewing operational history................................................................... 32
System Operation ....................................................................................... 33
Formatting the log disks........................................................................ 33
Resetting to the default configuration ................................................... 33
Alert Message Console ............................................................................... 34
Viewing alert console messages .......................................................... 34
Statistics...................................................................................................... 35
Viewing session information ................................................................. 35
Filtering session information................................................................. 36
Report Engine ............................................................................................. 36
Log Receive Monitor ................................................................................... 37
Intrusion Activity.......................................................................................... 38
Virus Activity ............................................................................................... 39
Top FTP Traffic ........................................................................................... 40
Top Email Traffic......................................................................................... 41
Top IM/P2P Traffic ...................................................................................... 42
Top Traffic................................................................................................... 43
Top Web Traffic .......................................................................................... 44
Network ............................................................................................................ 45
Interface ...................................................................................................... 45
Changing interface settings .................................................................. 45
About Fortinet Discovery Protocol ........................................................ 47
DNS ............................................................................................................ 47
Routing........................................................................................................ 47
Adding a route ...................................................................................... 48
Admin ............................................................................................................... 48
Adding or editing an administrator account................................................. 49
Changing an administrator’s password ................................................ 50
Access Profile ............................................................................................. 50
Auth Group.................................................................................................. 51
RADIUS Server........................................................................................... 51
Administrator Settings................................................................................. 52
Monitor ........................................................................................................ 52
Network Sharing.............................................................................................. 53
Adding share users ..................................................................................... 53
Adding share groups................................................................................... 54
Configuring Windows shares ...................................................................... 54
Assigning user permissions.................................................................. 55
Configuring NFS shares.............................................................................. 55
Default file permissions on NFS shares ............................................... 56
Config ............................................................................................................... 56
Automatic file deletion and local log settings .............................................. 57
Configuring log aggregation........................................................................ 58
Configuring an aggregation client......................................................... 59
Configuring an aggregation server ....................................................... 59
Configuring log forwarding .......................................................................... 60
Configuring IP aliases ................................................................................. 60
Importing an IP alias list file.................................................................. 61
IP alias ranges...................................................................................... 62
Configuring RAID ........................................................................................ 62
RAID levels........................................................................................... 62
Hot swapping hard disks ...................................................................... 64
Hot swapping the FortiAnalyzer-2000/2000A and FortiAnalyzer-4000/4000A .......... 66
Configuring RAID on the FortiAnalyzer-400 and FortiAnalyzer-800/800B ............ 67
Configuring RAID on the FortiAnalyzer-2000/2000A and FortiAnalyzer-4000/4000A ... 67
Configuring LDAP connections ................................................................... 68
Maintenance..................................................................................................... 69
Backup & Restore ....................................................................................... 69
FortiGuard Center ....................................................................................... 70
Device................................................................................................ 73
Viewing the device list .................................................................................... 73
Maximum number of devices ...................................................................... 76
Unregistered vs. registered devices............................................................ 77
Configuring unregistered device connection attempt handling ................. 79
Manually adding a device ............................................................................... 80
Classifying FortiGate network interfaces..................................................... 84
Manually adding a FortiGate unit using the Fortinet Discovery Protocol (FDP) ... 85
Blocking device connection attempts ........................................................... 86
Configuring device groups............................................................................. 88
Log..................................................................................................... 91
Viewing log messages .................................................................................... 91
Viewing current log messages .................................................................... 91
Viewing historical log messages ................................................................. 92
Browsing log files............................................................................................ 93
Viewing log file contents.............................................................................. 94
Importing a log file....................................................................................... 95
Downloading a log file ................................................................................. 96
Customizing the log view................................................................................ 97
Displaying and arranging log columns ........................................................ 97
Filtering logs................................................................................................ 98
Filtering tips .......................................................................................... 99
Searching the logs......................................................................................... 100
Search tips ................................................................................................ 102
Printing the search results......................................................................... 103
Downloading the search results ................................................................ 103
Rolling and uploading logs........................................................................... 104
Content Archive ............................................................................. 107
Viewing content archives.............................................................................. 107
Customizing the content archive view ........................................................ 108
Displaying and arranging log columns ...................................................... 109
Filtering logs.............................................................................................. 110
Filtering tips ........................................................................................ 110
Searching full email content archives......................................................... 111
Reports ........................................................................................... 113
Configuring reports....................................................................................... 113
Configuring report layout........................................................................... 114
Editing charts in a report layout ................................................................ 116
Configuring report schedules .................................................................... 118
Configuring data filter templates ............................................................... 121
Configuring report output templates.......................................................... 123
Configuring language................................................................................ 126
Browsing reports........................................................................................... 130
Quarantine...................................................................................... 131
Viewing quarantined files ............................................................................. 131
Alert................................................................................................. 133
Alert Events.................................................................................................... 133
Adding an alert event ................................................................................ 133
Output............................................................................................................. 135
Configuring alerts by email server ............................................................ 135
Testing the mail server configuration.................................................. 136
Configuring SNMP traps and alerts .......................................................... 136
Adding an SNMP server ..................................................................... 137
FortiAnalyzer SNMP support.............................................................. 138
Configuring alerts by Syslog server .......................................................... 140
Adding a Syslog server....................................................................... 140
Network Analyzer........................................................................... 141
Connecting the FortiAnalyzer unit to analyze network traffic................... 141
Viewing Network Analyzer log messages ................................................... 142
Viewing current Network Analyzer log messages..................................... 143
Viewing historical Network Analyzer log messages.................................. 143
Browsing Network Analyzer log files .......................................................... 144
Viewing Network Analyzer log file contents .............................................. 145
Downloading a Network Analyzer log file.................................................. 147
Customizing the Network Analyzer log view .............................................. 148
Displaying and arranging log columns ...................................................... 148
Filtering logs.............................................................................................. 149
Filtering tips ........................................................................................ 150
Searching the Network Analyzer logs ......................................................... 150
Search tips ................................................................................................ 152
Printing the search results......................................................................... 153
Downloading the search results ................................................................ 153
Rolling and uploading Network Analyzer logs ........................................... 153
Tools................................................................................................ 157
Preparing for the vulnerability scan job ...................................................... 157
Preparing Windows target hosts ............................................................... 158
Preparing Unix target hosts....................................................................... 160
Viewing vulnerability scan modules............................................................ 161
Configuring vulnerability scan jobs............................................................. 162
Viewing vulnerability scan reports .............................................................. 166
File Explorer................................................................................................... 167
Managing firmware versions......................................................... 169
Backing up your configuration..................................................................... 169
Backing up your configuration using the web-based manager ................. 170
Backing up your configuration using the CLI............................................. 170
Backing up your log files ........................................................................... 170
Testing firmware before upgrading ............................................................. 172
Upgrading your FortiAnalyzer unit .............................................................. 174
Upgrading to FortiAnalyzer 3.0 ................................................................. 174
Upgrading using the web-based manager.......................................... 174
Upgrading using the CLI ..................................................................... 175
Verifying the upgrade ................................................................................ 176
Reverting to a previous firmware version................................................... 177
Downgrading to FortiLog 1.6..................................................................... 177
Verifying the downgrade ........................................................................... 178
Downgrading to FortiLog 1.6 using the CLI............................................... 178
Restoring your configuration ....................................................................... 180
Restoring configuration settings on a FortiAnalyzer unit........................... 180
Restoring your configuration settings using the web-based manager ...... 182
Restoring your configuration settings using the CLI.................................. 182
Appendix: FortiAnalyzer reports in 3.0 MR7 ............................... 185
FortiGate reports ........................................................................................... 185
Intrusion Activity........................................................................................ 186
Antivirus Activity........................................................................................ 186
Webfilter Activity ....................................................................................... 189
Antispam Activity....................................................................................... 190
IM Activity.................................................................................................. 191
VoIP reports .............................................................................................. 192
Content Activity ......................................................................................... 193
Network Activity ........................................................................................ 194
Web Activity .............................................................................................. 195
Mail Activity ............................................................................................... 196
FTP Activity............................................................................................... 196
Terminal Activity........................................................................................ 197
VPN Activity .............................................................................................. 197
Event Activity ............................................................................................ 198
P2P Activity............................................................................................... 199
Audit Activity ............................................................................................. 200
Summary Reports.......................................................................................... 201
Forensic Reports........................................................................................... 202
Audit.......................................................................................................... 202
Detailed..................................................................................................... 202
Summary................................................................................................... 203
FortiMail Reports........................................................................................... 203
Mail High Level ......................................................................................... 203
Mail Sender............................................................................................... 205
Mail Recipient Activity ............................................................................... 206
Mail Destination IP .................................................................................... 206
Spam Sender ............................................................................................ 207
Spam Recipient......................................................................................... 208
Spam Destination IP ................................................................................. 209
Virus Sender ............................................................................................. 209
Virus Recipient.......................................................................................... 211
Virus Destination IP .................................................................................. 212
FortiClient Reports........................................................................................ 212
Index................................................................................................ 213

Introduction

FortiAnalyzer units are network appliances that provide integrated log collection
and reporting tools. Reports analyze logs for email, FTP, web browsing, security
events, and other network activity to help identify security issues and reduce
network misuse and abuse.
In addition to logging and reporting, FortiAnalyzer units also have several major
features that augment or enable certain FortiGate unit functionalities, such as
content archiving and quarantining, and improve your ability to stay informed
about the state of your network.
This chapter contains the following topics:
About this document
Fortinet documentation
Customer service and technical support

About this document

This document describes how to configure and use FortiAnalyzer units through
their web-based manager.
This document contains the following chapters:
What’s new for 3.0 MR7 describes what the new maintenance release
contains.
Administrative Domains (ADOMs) describes how to enable and configure
domain-based access to data and configurations for connected devices and
the FortiAnalyzer unit itself.
System describes how to configure FortiAnalyzer system settings, such as
network interfaces, system time, administrators, network shares (NAS), and
local logging.
Device describes how to configure and manage connections to the
FortiAnalyzer unit from FortiGate, FortiMail, FortiClient, FortiManager, and
Syslog device types.
Log describes how to view logs from devices or the FortiAnalyzer unit itself. It
also describes how to customize the log view.
Content Archive describes how to view the logs and files that FortiGate units
have archived, in full or summary form, using the FortiGate content archiving
feature.
Quarantine describes how to view files quarantined by FortiGate units, and to
configure the quarantine disk space quota.
Note: The recommended minimum screen resolution for the management computer
connecting to the web-based manager is 1280 by 1024 pixels.
Reports describes how to configure report profiles for one-time or scheduled
reports on your network devices, users, or groups.
Alert describes how to define log message criteria that signify critical network
events. As log messages arrive, if they meet those criteria, the FortiAnalyzer unit
sends alert messages using a method of your choice: email, SNMP, or Syslog.
This chapter also lists the SNMP traps that the FortiAnalyzer unit supports.
Network Analyzer describes how to connect the FortiAnalyzer unit to a SPAN or
mirror port on a network switch to analyze, or sniff, the traffic that the switch
mirrors to that port.
Tools describes how to configure vulnerability scans and view the resulting
reports, and how to browse the files stored on the FortiAnalyzer unit.
Managing firmware versions describes how to properly back up your current
configuration, upgrade/downgrade firmware, and restore your configuration.
This chapter also describes how to test a firmware image before installing the
image on the FortiAnalyzer unit.
Appendix: FortiAnalyzer reports in 3.0 MR7 lists the FortiAnalyzer reports that
changed, moved to other categories, or both. This appendix also lists which
reports were removed and which are unchanged in FortiAnalyzer 3.0 MR7.
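The Alert chapter summary above describes the mechanism in one sentence: log messages arrive, each is checked against administrator-defined criteria, and a match produces an alert. The following block is an added example of that matching logic, written for this page; it is not FortiAnalyzer code and does not reproduce how the appliance stores or evaluates its alert events. It assumes FortiGate-style key=value log lines (values containing spaces are double-quoted) and the FortiGate severity ladder from debug to emergency; the rule names, the threshold behaviour, and the sample log lines are all constructed for the illustration.

```python
"""Illustrative alert-criteria matcher over FortiGate-style key=value log
messages. This is an added example, not FortiAnalyzer code: the rule format,
the threshold logic and the sample log lines below are all constructed for
the illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# FortiGate log messages are lines of key=value pairs; values that contain
# spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# FortiGate severity levels, lowest to highest.
LEVELS = ["debug", "information", "notice", "warning",
          "error", "critical", "alert", "emergency"]


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def level_at_least(level: str, minimum: str) -> bool:
    """True if `level` is as severe as `minimum`; unknown levels never match."""
    if level not in LEVELS or minimum not in LEVELS:
        return False
    return LEVELS.index(level) >= LEVELS.index(minimum)


@dataclass(frozen=True)
class AlertRule:
    """Criteria a log message must meet, and how many matches trigger an alert."""
    name: str
    match: Dict[str, str]   # every listed field must equal the given value
    min_level: str          # minimum severity level
    threshold: int = 1      # matches required before the alert fires


def message_matches(rule: AlertRule, msg: Dict[str, str]) -> bool:
    """A message matches when its level is high enough and all fields agree."""
    if not level_at_least(msg.get("level", ""), rule.min_level):
        return False
    return all(msg.get(field) == value for field, value in rule.match.items())


def evaluate(rules: List[AlertRule], lines: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Run every line through every rule; return (rule name, message) for each
    alert fired. A rule's counter resets once it fires, so a rule with
    threshold 3 fires once per three matching messages."""
    counts: Dict[str, int] = {rule.name: 0 for rule in rules}
    alerts: List[Tuple[str, Dict[str, str]]] = []
    for line in lines:
        msg = parse_log_line(line)
        for rule in rules:
            if message_matches(rule, msg):
                counts[rule.name] += 1
                if counts[rule.name] >= rule.threshold:
                    alerts.append((rule.name, msg))
                    counts[rule.name] = 0
    return alerts


RULES = [
    # Three failed admin logins: likely a password-guessing attempt (hypothetical rule).
    AlertRule("failed-admin-login",
              {"type": "event", "subtype": "admin", "action": "login", "status": "failed"},
              min_level="warning", threshold=3),
    # Any IPS message at critical severity or above (hypothetical rule).
    AlertRule("ips-critical", {"type": "ips"}, min_level="critical"),
]

# Constructed sample messages in FortiGate key=value style (not real device output).
SAMPLE_LOGS = [
    'date=2008-09-08 time=10:00:01 devname=FG-1 type=event subtype=admin level=warning '
    'user=admin action=login status=failed msg="Administrator admin login failed from ssh(10.0.0.5)"',
    'date=2008-09-08 time=10:00:04 devname=FG-1 type=event subtype=admin level=warning '
    'user=admin action=login status=failed msg="Administrator admin login failed from ssh(10.0.0.5)"',
    'date=2008-09-08 time=10:00:07 devname=FG-1 type=event subtype=admin level=warning '
    'user=admin action=login status=failed msg="Administrator admin login failed from ssh(10.0.0.5)"',
    'date=2008-09-08 time=10:01:00 devname=FG-1 type=ips subtype=signature level=critical '
    'severity=high attack="Example.Signature" action=dropped',
    'date=2008-09-08 time=10:02:00 devname=FG-1 type=traffic subtype=forward level=notice '
    'action=accept',
]

if __name__ == "__main__":
    for name, msg in evaluate(RULES, SAMPLE_LOGS):
        detail = msg.get("msg", msg.get("attack", ""))
        print(f"ALERT {name}: {msg['date']} {msg['time']} {detail}")
```

Run against the constructed sample, the third failed login fires `failed-admin-login` and the IPS message fires `ips-critical`; the accepted traffic message matches nothing. The threshold is the part worth copying: a single failed login is noise, while a run of them is what an administrator actually wants paged about.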

Fortinet documentation

The most up-to-date publications and previous releases of Fortinet product
documentation are available from the Fortinet Technical Documentation web site
at http://docs.forticare.com.
The following FortiAnalyzer product documentation is available:
FortiAnalyzer Administration Guide
Describes how to use the web-based manager of the FortiAnalyzer unit to
configure all available features.
FortiAnalyzer CLI Reference
Describes how to use the command line interface of the FortiAnalyzer unit to
configure all available features, CLI structure and available commands.
FortiAnalyzer online help
Provides a searchable version of the Administration Guide in HTML format.
You can access context-appropriate online help using the online help button in
the web-based manager as you work.
FortiAnalyzer QuickStart Guides
Describes how to install and set up the FortiAnalyzer unit.
FortiAnalyzer Install Guide
Describes in detail how to install and set up the FortiAnalyzer unit, how to
connect to the CLI and web-based manager, default settings, and how to
manage firmware.

Fortinet Tools and Documentation CD

All Fortinet documentation is available from the Fortinet Tools and Documentation
CD shipped with your Fortinet product. The documents on this CD are current at
shipping time. For up-to-date versions of Fortinet documentation, see the Fortinet
Technical Documentation web site at http://docs.forticare.com.

Fortinet Knowledge Center

The knowledge center contains short how-to articles, FAQs, technical notes,
product and feature guides, and much more. Visit the Fortinet Knowledge Center
at http://kc.forticare.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your
Fortinet systems install quickly, configure easily, and operate reliably in your
network.
Visit the Fortinet Technical Support web site at http://support.fortinet.com to learn
about the technical support services that Fortinet provides.

What’s new for 3.0 MR7

This section lists and describes the new features and changes in FortiAnalyzer
3.0 MR7. The chapter, “Managing firmware versions” on page 169, provides
detailed information about how to properly upgrade to FortiAnalyzer 3.0 MR7.
New CLI commands, as well as changes to existing CLI commands, are found in
the What’s new chapter of the FortiAnalyzer CLI Reference.
The following bulleted list includes links to other sections in this document where
you can find additional information about these new features and changes.
New features and changes for FortiAnalyzer 3.0 MR7 are:
• High-end FortiAnalyzer units support additional terabytes (TB) of space – The
  higher-end FortiAnalyzer units, such as the FortiAnalyzer-2000/2000A and
  FortiAnalyzer-4000/4000A, now support up to 8 TB for log disk file systems.
  There is no additional information available.
• Power supply monitoring feature – A new feature, power supply monitoring,
  provides a notification when a power supply failure occurs or an administrator
  adds a power supply to the FortiAnalyzer unit. See “Power supply monitoring
  for FortiAnalyzer-2000A and 4000A” on page 15 for more information.
• Registered devices’ limits changed – Registered device limits have increased.
  See “Maximum number of devices” on page 76 for more information.
• Web-based manager change – The Action column is now an unnamed column across
  all menus and tabs within the web-based manager. There is no additional
  information on this change.
• CLI displays tasks in the upload queue – The command, diagnose upload status,
  displays what files are waiting to be uploaded. See “CLI displays the tasks in
  the upload queue” on page 15 for more information.
• Dashboard enhancements – Several new widgets have been added to the Dashboard
  in FortiAnalyzer, including a widget for configuring and displaying RAID
  status. See “Dashboard” on page 25 for more information.
• Administration admin name enhancement – Administrators can now configure
  names with the @ symbol. For additional information, see “Admin” on page 48
  in the System chapter.
• HTTPS certificates – Administrators can now change and customize (text only)
  HTTPS certificates. This is only available in the CLI. See the FortiAnalyzer
  CLI Reference for additional information.
• Security engine removed – The security engine feature has been removed for
  FortiAnalyzer 3.0 MR7. There is no additional information available.
• Software RAID changes – When using software RAID 5, the system becomes
  overloaded on units with software RAID. If redundancy is required, Fortinet
  now recommends RAID 10. RAID 5, unless selected from the CLI, will not appear
  in the web-based manager. For additional information, see “Configuring RAID”
  on page 62 in the System chapter.
• Network Summary menu removed – The Network Summary menu was removed in
  FortiAnalyzer 3.0 MR7. This menu was removed because most of the information
  it previously displayed now displays as widgets on the Dashboard. See
  “Dashboard” on page 25 for more information about the new widgets that have
  replaced the Network Summary menu.
• Log Viewer menu enhancements – When viewing real-time logs or historical
  logs, the options Resolve Host and Resolve Service are no longer available.
  You can now view up to 1000 log messages from within the Real-time tab, and
  up to 1000 log messages from the Historical tab as well. See “Viewing log
  messages” on page 91 for more information.
• Custom fields for log messages – From the CLI, you can now enable custom
  fields for log messages that are received from FortiGate units. See “Custom
  fields for log messages” on page 16 for more information.
• Report configuration enhancements – Reports contain several enhancements in
  FortiAnalyzer 3.0 MR7, as well as the addition of VoIP reports. See both
  “Report configuration enhancements” on page 16 and “Reports” on page 113 for
  more information.
• Logs for HA members – Logs that are viewed on the FortiGate unit now contain
  device ID fields for HA members. See the FortiGate Administration Guide and
  the FortiGate Log Message Reference for additional information.
• Log search results enhancement – You can now view log search results in both
  Format and Raw formats. See “Searching the logs” on page 100 for more
  information.
• Alert email configuration changes – When configuring an alert email, you are
  now required to enter information in the alert name, destination, and device
  fields, and a drop-down list is included for selecting a destination. See
  “Alert” on page 133 for more information.
• Alert emails – Alert emails now contain the FortiAnalyzer serial number in the
  Source Device field in the body of the email. The FortiAnalyzer serial number
  replaces the IP address of port 1 (FortiAnalyzer unit), which was previously
  used to identify the FortiAnalyzer unit that sent the alert email. See “Alert”
  on page 133 for additional information about configuring alert emails.
• SNMP enhancements – When configuring SNMP communities in Alert > Output >
  SNMP Access List, you can now specify that traps are generated for certain
  local system events that meet certain criteria. See “Configuring SNMP traps
  and alerts” on page 136 for more information.
• File directory menu – You can now access all files that are on the
  FortiAnalyzer unit in Tools > File Directory. See “File Explorer” on page 167
  for more information.

3.0 MR7 new features and changes

The following descriptions include only menus containing new features, changes
to features, or both. Additional information is provided within this document.

Power supply monitoring for FortiAnalyzer-2000A and 4000A

In FortiAnalyzer 3.0 MR7, the new power supply monitoring feature provides a
notification when a power supply fails or an administrator adds a power supply
to the system. This notification is sent by the hardware monitoring daemon in
the following forms:
• Log – a log message is recorded at the system level
• Email – a critical event email message is sent out
• SNMP trap – a power supply event trap is sent
Both the web-based manager and CLI include settings for this new feature.

Registered devices’ hard limits

In previous FortiAnalyzer 3.0 releases, the license limits of registered devices were
reduced, causing those registered devices to not carry forward. The limit is now
back to the maximum limit in FortiAnalyzer 3.0 MR4. This limit number prevents
any loss of registered devices during upgrade. You can view the limits for
registered devices on “Maximum number of devices” on page 76 in the Device
chapter.

CLI displays the tasks in the upload queue

A new diagnose command, diagnose upload status, has been added in
FortiAnalyzer 3.0 MR7 for displaying files that are in the upload queue. Previously,
in FortiAnalyzer 3.0 MR6, a queue maintained the upload’s tasks but there was no
way of verifying what was and what was not included in the queue.

Dashboard enhancements

The Dashboard contains nine new widgets in FortiAnalyzer 3.0 MR7.
Administrators can also add up to five tabs to the Dashboard.
Tabs allow administrators to customize which widgets display. For example, if
administrators only need to view traffic widgets, a tab can be configured so
that it displays only the traffic widgets.
The following are the new widgets that are available for display on the Dashboard:
• Log Receive Monitor
• RAID Monitor (if RAID is available on the FortiAnalyzer unit)
• Top Traffic
• Top Web Traffic
• Top Email Traffic
• Top FTP Traffic
• Top IM/P2P Traffic
• Virus Activity
• Intrusion Activity
For the Log Receive Monitor widget, a diagnose command will be introduced to
provide information about total message rate, message rate per-protocol, and
message rate per-device in the CLI.
See “System” on page 25 for information about the new widgets for FortiAnalyzer
3.0 MR7.

Custom fields for log messages

In FortiAnalyzer 3.0 MR7, you can now enable custom fields for log messages so
that when the FortiAnalyzer unit receives these types of log messages, it can
index them properly for reports or searching logs.
This feature is enabled only in the CLI, using the following command syntax:
config log settings
set custom-field<1-5>
Existing logs must be re-indexed for this feature to apply to them. Re-indexing
is also available only in the CLI, using the diagnose log-indexer command. This
command can index logs per device and type, or for all devices.

Reports

Reports have been enhanced and modified for FortiAnalyzer 3.0 MR7. VoIP report
charts were also included in FortiAnalyzer 3.0 MR7. These changes are also
reflected in the CLI. See the FortiAnalyzer CLI Reference for additional
information about the associated commands.
Report configuration enhancements
Report configuration has changed dramatically from FortiAnalyzer 3.0 MR6 to
FortiAnalyzer 3.0 MR7. These changes are also reflected in the FortiGate unit’s
web-based manager and CLI. These dramatic changes do not affect previously
configured reports in FortiAnalyzer 3.0 MR6 and earlier; however, you may want
to reconfigure certain settings to simplify the previously configured reports.
These previously configured reports are separated based on what is included; for
example, if DeviceSummary1_layout contains filters and output settings, the filters
will be put in the Data Filter tab and given a name, and the output settings will be
put in the Output tab and also given a name.
Figure 1: The previous FortiAnalyzer 3.0 MR6 reports, outlined in red, carried
forward to FortiAnalyzer 3.0 MR7 and displayed in Layout with default
report layouts
Fortinet recommends configuring a test report layout and report schedule to
familiarize yourself with how reports are configured in FortiAnalyzer 3.0 MR7. See
“Reports” on page 113 about how to configure reports in FortiAnalyzer 3.0 MR7.
In Report > Config, new tabs were added: Layout, Data Filter, Output, and
Language. These new tabs allow you to configure multiple data filters, output
destinations, report layouts (previously referred to as report profiles), and
languages. The new menu, Schedule, provides settings and options for
configuring a scheduled report.
Previously, you could configure specific report layouts such as Device Summary,
Forensic, and User/Client report profiles. These report types were combined with
other report types and removed from their respective tabs, which now provide
greater flexibility for configuring report layouts. Forensic report options are now
available when you select [Add Chart(s)] from the Chart List section of Report
Layout.
Report schedules should be configured after configuring the report layout
because you need to apply the report layout to the report schedules. Report
schedules can also be configured from the FortiGate unit’s web-based manager.
After configuring a report, you can generate that report immediately by selecting
Run Now and view it in Report > Browse. You can also generate scheduled
reports this way in Report > Schedule.
When viewing generated reports in Report > Browse, the naming scheme has
changed to the following:
• On-Demand-<name of report>-<yyyy-mm-dd>-<hhmm, time initiated by admin> –
  for reports that are generated immediately, for example:
  On-Demand-Report_Headquarters-2008-06-03-0830
• <name of scheduled report>-<yyyy-mm-dd>-<hhmm, time scheduled> – for all
  other reports, for example:
  Report_Headquarters-2008-05-26-1030
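The naming scheme above can be parsed to verify that scheduled reports actually ran on the days they should have. The following is an added example, not Fortinet code; the regular expression, the GeneratedReport type and the missing_scheduled_runs check are constructed here from the two name patterns the guide gives.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Report Browse naming scheme for generated reports in FortiAnalyzer 3.0 MR7:
#   On-Demand-<name of report>-<yyyy-mm-dd>-<hhmm>   (Run Now reports)
#   <name of scheduled report>-<yyyy-mm-dd>-<hhmm>   (all other reports)
# The date and time suffix is anchored at the end of the string so that
# report names that themselves contain hyphens are still parsed correctly.
_REPORT_NAME = re.compile(
    r"^(?P<ondemand>On-Demand-)?"
    r"(?P<name>.+?)-"
    r"(?P<date>\d{4}-\d{2}-\d{2})-"
    r"(?P<time>\d{4})$"
)


class GeneratedReport(NamedTuple):
    name: str               # layout name as configured in Report > Config > Layout
    generated_at: datetime  # date and hhmm taken from the report name
    on_demand: bool         # True for Run Now reports, False for scheduled ones


def parse_report_name(report_name: str) -> Optional[GeneratedReport]:
    """Parse one generated report name; return None if it does not follow the scheme.

    Limitation: a layout literally named "On-Demand-..." is indistinguishable
    from the On-Demand prefix and would be classified as a Run Now report.
    """
    m = _REPORT_NAME.match(report_name)
    if m is None:
        return None
    try:
        when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H%M")
    except ValueError:  # impossible date or time, e.g. month 13 or hhmm 2590
        return None
    return GeneratedReport(m["name"], when, m["ondemand"] is not None)


def missing_scheduled_runs(report_names: List[str], layout_name: str,
                           expected_days: List[str]) -> List[str]:
    """Return the expected days (ISO yyyy-mm-dd) with no scheduled run of layout_name.

    Run Now reports are deliberately ignored: an administrator generating the
    report by hand does not prove that the schedule itself is working.
    """
    seen = set()
    for report_name in report_names:
        report = parse_report_name(report_name)
        if report is not None and not report.on_demand and report.name == layout_name:
            seen.add(report.generated_at.date().isoformat())
    return [day for day in expected_days if day not in seen]


if __name__ == "__main__":
    # Constructed sample listing of Report > Browse; the 27th has only a Run Now report.
    listing = [
        "Report_Headquarters-2008-05-26-1030",
        "On-Demand-Report_Headquarters-2008-05-27-0830",
        "Report_Headquarters-2008-05-28-1030",
    ]
    print(missing_scheduled_runs(listing, "Report_Headquarters",
                                 ["2008-05-26", "2008-05-27", "2008-05-28"]))
```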
These generated reports in Report Browse also contain only one rolled report
when you expand a report. The name of rolled reports has changed as well and
each is named after the section title that was configured in Layout. For example, if
you had two section titles, Top Web Attacks and Top Viruses, the rolled reports
would be named Top Web Attacks and Top Viruses. The default name for the
rolled report is FortiAnalyzer Report. If generated reports carry forward from
FortiAnalyzer 3.0 MR6, rolled reports might be renamed to the default name,
FortiAnalyzer Report.
VoIP reports
VoIP activities and events are now available in reports. There are three log
files that contain VoIP activity and event information: tlog.log, plog.log and
clog.log. These logs are used for the following information:
• tlog.log – number of bytes passed per session
• plog.log – blocked VoIP activity
• clog.log – user registration information and call duration information
The individual reports that you select when configuring a report are available in
the Fortinet Knowledge Center article, FortiAnalyzer Reports in 3.0 MR7, on the
Fortinet Knowledge Center website.

Alert email configuration changes

When configuring an alert email in Alert > Alert Event, you now are required to
enter information in the following fields:
• alert name
• destination (or destinations)
• device
Another configuration change is a drop-down list, providing the destinations of
syslog servers, mail servers and SNMP access lists. The Syslog servers and
SNMP access lists only display in the list when configured in Alert > Output.
Figure 2: The Destination drop-down list, circled, provides three destinations

Administrative Domains (ADOMs)

Administrative Domains (ADOMs) enable the admin administrator to constrain
other FortiAnalyzer unit administrators’ access privileges to a subset of devices in
the device list. For FortiGate devices with virtual domains (VDOMs), ADOMs can
further restrict access to only data from a specific FortiGate VDOM.
This section includes the following topics:
• About administrative domains (ADOMs)
• Configuring ADOMs

About administrative domains (ADOMs)

Enabling ADOMs alters the structure and available functionality of the web-based
manager and CLI according to whether you are logging in as the admin
administrator, and, if you are not logging in as the admin administrator, the
administrator account’s assigned access profile.
Table 1: Characteristics of the CLI and web-based manager when ADOMs are
enabled

                                                admin administrator   Other
                                                account               administrators
Access to Global Configuration                  Yes                   No
Access to Administrative Domain Configuration   Yes                   No
(can create ADOMs)
Can create administrator accounts               Yes                   No
Can enter all ADOMs                             Yes                   No
• If ADOMs are enabled and you log in as admin, you first access Administrative
  Domain Configuration. A superset of the typical menus and CLI commands
  appears, allowing unrestricted access and ADOM configuration.
  • Global Configuration contains settings used by the FortiAnalyzer unit itself
    and settings shared by ADOMs, such as the device list, RAID, and
    administrator accounts. It does not include ADOM-specific settings or data,
    such as logs and reports. When configuring other administrator accounts, an
    additional option appears allowing you to restrict other administrators to
    an ADOM.
    If you enter Global Configuration, a Main Menu item appears in the menu,
    enabling you to return to the top level menu area, Administrative Domain
    Configuration.
  • Administrative Domains allows you to configure or access ADOMs. You can add
    a device to one or more ADOMs. If you enter an ADOM, a Main Menu item
    appears in the menu, enabling you to return to the top level menu area,
    Administrative Domain Configuration.
Table 2: Configuration locations when ADOMs are enabled

Within Global Configuration:
• System > Dashboard (includes tabs, if configured)
• System > Network > Interface
• System > Network > DNS
• System > Network > Routing
• System > Admin > Administrator
• System > Admin > Access Profile
• System > Admin > Auth Group
• System > Admin > RADIUS Server
• System > Admin > Settings
• System > Admin > Monitor
• System > Network Sharing > Windows Share
• System > Network Sharing > NFS Export
• System > Network Sharing > User
• System > Network Sharing > Group
• System > Config > Log Setting
• System > Config > Log Aggregation
• System > Config > Log Forwarding
• System > Config > RAID
• System > Maintenance > Backup & Restore
• System > Maintenance > FortiGuard Center
• Device > All > Device (devices assigned to an ADOM other than root cannot be
  deleted)
• Device > All > Blocked Device
• Log > Config > Log Config
• Report > Config > Language
• Quarantine > Config > Quarantine Config
• Alert > Alert Event > Alert Event
• Alert > Output > SNMP Access List
• Alert > Output > Syslog Server
• Tools > Vulnerability Scan > Module
• Tools > File Explorer > File Explorer

Within each ADOM:
• System > Config > IP Alias
• System > Config > LDAP
• Device > All > Device (read only)
• Device > All > Group
• Log > Log Viewer > Real-time
• Log > Log Viewer > Historical
• Log > Search > Log Search
• Log > Browse > Log Browser
• Content Archive > Web Archive
• Content Archive > Email Archive
• Content Archive > File Transfer
• Content Archive > IM Chat
• Content Archive > VoIP Archive
• Report > Browse > Result
• Report > Schedule > Schedule
• Report > Config > Layout
• Report > Config > Data Filter
• Report > Config > Output
• Quarantine > Repository > Repository
• Alert > Output > Mail Server
• Tools > Vulnerability Scan > Job
• Tools > Vulnerability Scan > Report
• Tools > File Explorer > File Explorer
• If ADOMs are enabled and you log in as any other administrator, you enter the
  ADOM assigned to your account. A subset of the typical menus or CLI commands
  appears, allowing access only to logs, reports, quarantine files, content
  archives, IP aliases, and LDAP queries specific to your ADOM. You cannot
  access Global Configuration, or enter other ADOMs.
By default, administrator accounts other than the admin account are assigned
to the root ADOM, which includes all devices in the device list. By creating
ADOMs that contain a subset of devices in the device list, and assigning them
to administrator accounts, you can restrict other administrator accounts to a
subset of the FortiAnalyzer unit’s total devices or VDOMs.
The admin administrator account cannot be restricted to an ADOM. Other
administrators are restricted to their ADOM, and cannot configure ADOMs or
Global Configuration.
The maximum number of ADOMs varies by FortiAnalyzer model.

FortiAnalyzer Model          Number of Administrative Domains
FortiAnalyzer-400            10
FortiAnalyzer-800/800B       50
FortiAnalyzer-2000/2000A     100
FortiAnalyzer-4000/4000A     250
Note: ADOMs are not available on the FortiAnalyzer-100 or FortiAnalyzer-100A/100B.
The admin administrator can further restrict other administrators’ access to specific
configuration areas within their ADOM by using access profiles. For more information, see
“Access Profile” on page 50.

Configuring ADOMs

Administrative domains (ADOMs) are disabled by default. To use administrative
domains, the admin administrator must first enable the feature, create ADOMs,
and assign other FortiAnalyzer administrators to an ADOM.
Figure 1: Administrative Domain Configuration
To enable ADOMs
1 Log in as admin.
Other administrators cannot enable, disable, or configure ADOMs.
2 Go to System > Admin > Settings.
3 Enable Admin Domain Configuration.
4 Select OK.
A message appears:
Enabling/Disabling the admin domain configuration will
require you to re-login. Are you sure you want to continue?
5 Select OK.
The FortiAnalyzer unit logs you out.
6 To confirm that ADOMs are enabled, log in as admin.
Administrative Domain Configuration appears, providing access to both Global
Configuration and ADOM configuration. See “To add or edit an ADOM” on
page 22 to create ADOMs. See “Assigning administrators to an ADOM” on
page 24 to assign an administrator to an ADOM.
Global Configuration
    The admin administrator can access the global configuration. Select Main
    Menu to return to the Admin Domain Configuration page.
Create New
    Select to create a new ADOM.
Edit
    Select an ADOM’s check box, then select Edit to change the name or member
    devices and VDOMs of the selected ADOM.
Delete
    Select an ADOM’s check box, then select Delete to remove the selected ADOM.
Name
    Select a name to enter that ADOM. Select Main Menu to return to Admin
    Domain Configuration.
Caution: Enabling ADOMs moves non-global configuration items to the root ADOM. Back
up the FortiAnalyzer unit configuration before beginning the procedure To enable
ADOMs. For more information about backing up your configuration, see “Backup &
Restore” on page 69.
To add or edit an ADOM
1 Log in as admin.
Other administrators cannot enable, disable, or configure ADOMs.
2 Select Create New, or select the check box next to an ADOM and select Edit.
3 Enter a Name for the ADOM.
4 Select which devices to associate with the ADOM from Available Devices, then
select the right arrow to move them to Selected Devices.
You can move multiple devices at once. To select multiple devices, select the first
device, then hold the Shift key while selecting the last device in a continuous
range, or hold the Ctrl key while selecting each additional device.
To remove a device from Selected Devices, select one or more devices, then
select the left arrow to move them to Available Devices.
5 If the ADOM includes a FortiGate unit and you want to restrict the ADOM to a
specific VDOM, enable Restrict to a FortiGate VDOM, then enter the VDOM
name.
6 Select OK.
To disable ADOMs
1 Log in as admin.
Other administrators cannot enable, disable, or configure ADOMs.
2 Select the check boxes next to each ADOM except the root (Management
Administrative Domain) ADOM, then select Delete.
If any other ADOMs except the root ADOM remain, the option to disable ADOMs
will not appear.
3 Go to Global Configuration > System > Admin > Settings.
4 Disable Admin Domain Configuration.
5 Select OK.
A message appears:
Enabling/Disabling the admin domain configuration will
require you to re-login. Are you sure you want to continue?
6 Select OK.
The FortiAnalyzer unit logs you out.
Caution: Deleting ADOMs, which can occur when disabling the ADOM feature, removes
administrator accounts assigned to ADOMs other than the root ADOM. Back up the
FortiAnalyzer unit configuration before beginning this procedure. For more information, see
“Backup & Restore” on page 69.
If you do not wish to delete those administrator accounts, assign them to the root ADOM
before disabling ADOMs.

Accessing ADOMs as the admin administrator

When ADOMs are enabled, additional ADOM items become available to the
admin administrator and the structure of the web-based manager menu changes.
After logging in, other administrators implicitly access the subset of the web-based
manager that pertains only to their ADOM, while the admin administrator
accesses the root of the web-based manager and can use all menus. The admin
administrator must explicitly enter the part of the web-based manager that
contains an ADOM’s settings and data to configure items specific to an ADOM.
To access an ADOM
1 Log in as admin.
Other administrators can access only the ADOM assigned to their account.
2 In the Administrative Domains area, select the name of the ADOM you want to
enter.
The ADOM-specific menu subset appears. While in this menu subset, any
changes you make affect this ADOM only, and do not affect devices in other
ADOMs or global FortiAnalyzer unit settings.
You can return to Administrative Domain Configuration by going to Main Menu.

Assigning administrators to an ADOM

The admin administrator can create other administrators and assign an ADOM to
their account, constraining them to configurations and data that apply only to
devices in their ADOM.
To assign an administrator to an ADOM
1 Log in as admin.
Other administrators cannot configure administrator accounts when ADOMs are
enabled.
2 Go to Global Configuration > System > Admin > Administrator.
3 Configure the administrator account as described in “Adding or editing an
administrator account” on page 49, selecting the Admin Domain that the
administrator will be able to access.
Do not select Edit for the admin account. The admin administrator account
cannot be restricted to an ADOM.
Note: By default, when ADOMs are enabled, existing administrator accounts other than
admin are assigned to the root ADOM, which contains all devices in the device list. For
more information about creating other ADOMs, see “Configuring ADOMs” on page 22.

System

The System menu contains basic FortiAnalyzer unit system settings, such as
network interfaces, DNS, routing, local logging, administrators, and network
shares, and displays system statistics and provides basic system operations from
the Dashboard. From the System menu, you can also back up or restore a
configuration, or update the firmware on the FortiAnalyzer unit.
This section includes the following topics:
• Dashboard
• Network
• Admin
• Network Sharing
• Config
• Maintenance

Dashboard

Dashboard provides a summary view of the current operating status of the
FortiAnalyzer unit, including any additional information happening on the network,
such as top attacks or what types of logs were received.
The Dashboard also provides tabs so that you can customize different widget
displays. For example, if administrators want to view only traffic activity, a tab
called Traffic Activity would be added to the Dashboard with only the traffic activity
widgets displaying on that tab.
The following widgets are available on the Dashboard:
• System Information
• License Information
• CLI Console
• System Resources
• System Operation
• Alert Message Console
• Statistics
• Report Engine
• RAID Monitor
• Log Receive Monitor
• Virus Activity
• Intrusion Activity
• Top Traffic
• Top FTP Traffic
• Top Email Traffic
• Top Web Traffic
• Top IM/P2P Traffic
Figure 1: Dashboard of a FortiAnalyzer-100A unit displaying one of the new widgets,
Log Receive Monitor, and a tab, Branch Office
To rearrange a Dashboard widget
1 Go to System > Dashboard.
2 Place your mouse cursor over the widget’s title bar area, but not over buttons such
as Hide or Close.
The cursor changes to a multidirectional arrow.
3 Select and drag the widget to its new location.
While dragging the widget, a red dashed line outlines the widget’s current
destination, and other widgets reposition themselves to display the resulting
layout.
To refresh a Dashboard widget
1 Go to System > Dashboard.
2 Place your mouse cursor over the widget’s title bar area.
Refresh Now appears on the right side of the title bar.
3 Select Refresh Now.
The widget refreshes with current data.
To minimize or expand a Dashboard widget
1 Go to System > Dashboard.
2 Place your mouse cursor over the widget’s icon, located on the right side of the
title bar area.
• If the widget is currently minimized, the arrow appears on its side, pointing to
  the right.
• If the widget is currently expanded, the arrow appears pointing downward.
3 Select Show or Hide.
The widget toggles between showing the full widget and being minimized to show
only its title bar.
To include a Dashboard widget
1 Go to System > Dashboard.
2 Select “+ Widget”.
3 A widget selection overlay appears.
4 Select one or more widgets. Alternatively, to restore the default set of widgets,
select Back to Default.
The selected widgets appear on the Dashboard layout. Widgets whose names are
gray are already included on the Dashboard layout, and cannot be included more
than once.
5 Select “X” in the upper right corner.
The widget selection overlay closes.
To omit a Dashboard widget
1 Go to System > Dashboard.
2 Place your mouse cursor over the widget’s title bar area.
Close appears on the right side of the title bar.
3 Select Close.
A confirmation dialog appears.
4 Select OK.
The widget is removed from the Dashboard layout.

Tabs

Tabs provide a way to customize which widgets administrators view; for example,
a tab can be configured for administrators who only need to view traffic
widgets. You can add, delete, or rename tabs.
When adding widgets to tabs, you cannot have duplicate widgets on multiple tabs.
For example, if you have the RAID Monitor widget in the Dashboard and you want
to add the same widget to your new tab, Office_1, the RAID Monitor widget will
only display in the Dashboard.
To add a tab
1 Go to System > Dashboard.
2 Select the plus (+) symbol beside the Dashboard tab.
3 Enter a name for the new tab.
4 Select +Widget to add the widgets you want to the new tab.
5 If applicable, edit the widgets to customize what each displays.
To rename a tab
1 Go to System > Dashboard.
2 Double-click on the name of the tab and press Delete.
3 Enter a new name and press Enter.
To delete a tab
1 Go to System > Dashboard.
2 Double-click on the name of the tab and select the (X) symbol.

RAID Monitor

The RAID Monitor area of the Dashboard displays information about the status of
RAID disks as well as what RAID level has been selected. The RAID Monitor also
displays how much disk space is being used.
The RAID Monitor layout is similar to the look of the front panel. The Device Status
Indicator allows you to view each disk’s name and the amount of space in GB
each has. For example, Disk 2: Ready 465.76GB.
You can configure RAID settings from the RAID Monitor area as well by selecting
RAID Settings. This option is only available when you move your mouse over the
title bar.
Figure 2: RAID Monitor displaying a RAID array without any failures
Figure 3: RAID Monitor displaying a failed disk
In Figure 5, the Drive Status Indicator is indicating that Disk 1 has problems. This
is displayed by both a warning symbol and text. The text appears when you hover
your mouse over the warning symbol; the text also indicates the amount of space
in GB. When a disk has failed, a circle with an X appears in Drive Status Indicator.
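When RAID state is collected from the unit for monitoring (for instance to raise an alert while an array has no redundancy), the widget's Array Status and Estimated rebuild time semantics described in this section can be reproduced in code. The following is an added example, not Fortinet code: it assumes an array that survives the loss of exactly one disk (so one failed disk is Warning and two or more is Failure, matching the Array Status descriptions below), and it estimates the rebuild end time by linear extrapolation, since the unit's own estimator is not documented.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Array Status labels as the RAID Monitor widget shows them (green checkmark,
# warning symbol, wrench symbol and exclamation point respectively).
OK, WARNING, REBUILDING, FAILURE = "OK", "Warning", "Rebuilding", "Failure"

# Drive states as the Drive Status Indicator reports them, e.g. "Disk 2: Ready
# 465.76GB"; "Failed" is the circle-with-an-X state and "Rebuilding" a replaced
# disk that is being rebuilt. Constructed state names for this example.
VALID_DISK_STATES = {"Ready", "Failed", "Rebuilding"}


def array_status(disk_states: List[str]) -> Dict[str, object]:
    """Derive the widget's Array Status from the per-disk states.

    Assumption (not stated in the guide): the array tolerates the loss of one
    disk. One failed disk is Warning (reduced reliability), two or more is
    Failure (array corrupted), and a replaced disk being synchronised is
    Rebuilding (also reduced reliability).
    """
    unknown = [s for s in disk_states if s not in VALID_DISK_STATES]
    if unknown:
        raise ValueError(f"unknown disk state(s): {unknown}")
    failed = disk_states.count("Failed")
    rebuilding = "Rebuilding" in disk_states
    if failed >= 2:
        status = FAILURE
    elif rebuilding:
        status = REBUILDING
    elif failed == 1:
        status = WARNING
    else:
        status = OK
    return {
        "status": status,
        # Only an OK array still has redundancy protection.
        "redundant": status == OK,
        "failed_disks": failed,
        # The Rebuild Warning text is shown only while an array is being rebuilt.
        "rebuild_warning": status == REBUILDING,
    }


def rebuild_eta(progress_pct: float, started_iso: str,
                now_iso: str) -> Optional[Dict[str, str]]:
    """Estimate the rebuild time the widget shows for software RAID.

    Returns the remaining time as h:mm:ss and the end as "<day name> at
    <12-hour time>", e.g. "Friday at 3:14 pm", or None when no progress has
    been made yet and no estimate is possible. Linear extrapolation is a
    constructed method for this example.
    """
    if not 0 < progress_pct <= 100:
        return None
    started = datetime.fromisoformat(started_iso)
    now = datetime.fromisoformat(now_iso)
    elapsed = now - started
    if elapsed <= timedelta(0):
        return None
    remaining = elapsed * ((100 - progress_pct) / progress_pct)
    end = now + remaining
    hours, rest = divmod(int(remaining.total_seconds()), 3600)
    minutes, seconds = divmod(rest, 60)
    ampm = "am" if end.hour < 12 else "pm"
    return {
        "remaining": f"{hours}:{minutes:02d}:{seconds:02d}",
        "ends": f"{end.strftime('%A')} at {end.hour % 12 or 12}:{end.minute:02d} {ampm}",
    }


if __name__ == "__main__":
    # Constructed sample: a four-disk array with Disk 1 replaced and rebuilding.
    print(array_status(["Rebuilding", "Ready", "Ready", "Ready"]))
    print(rebuild_eta(25.0, "2008-09-05T12:00:00", "2008-09-05T13:00:00"))
```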
[Figure callouts: Drive Status Indicator; Array Status; Array Capacity Graph;
warning symbol in Drive Status Indicator indicating Disk 1 has problems]
Figure 4: RAID Monitor displaying a disk that is being rebuilt

[Figure callouts: Rebuild Status bar; Rebuilding icon]
Array Status
    Displays the following icons and status text when the RAID disk is OK,
    failed, or being rebuilt:
    • green checkmark (OK) – indicates that the RAID disk has no problems
    • warning symbol (Warning) – indicates that there is a problem with the
      RAID disk, such as a failure, and that it needs replacing. The RAID disk
      is also in reduced reliability mode when this status is indicated in the
      widget.
    • wrench symbol (Rebuilding) – indicates that a drive has been replaced and
      the RAID array is being rebuilt; it is also in reduced reliability mode
    • exclamation point (Failure) – indicates that multiple drives have failed,
      the RAID array is corrupted, and the drive must be reinitialized
Disk space usage
    Displays the amount of disk used as both a percentage and a fill line.
Used/Free/Total
    Displays the amount of used disk space, available or free disk space, and
    the total available disk space. These numbers are displayed in GB.
Rebuild Status progress bar
    A bar indicating the progress of the rebuilding of a RAID array, in
    percent. This bar displays only when a RAID array is being rebuilt.
Estimated rebuild time [start and end time] (For software RAID only)
    The time period until the rebuild will be complete, displayed as a number
    of hours, minutes and seconds. The time period also indicates when the
    rebuilding process will end, displaying the name of the day and the time
    in 12-hour format, for example, Friday at 3:14 pm.
    This time period displays only when an array is being rebuilt.
    This time period does not display for hardware RAID, such as on the
    FortiAnalyzer-2000/2000A and FortiAnalyzer-4000/4000A.
Rebuild Warning
    A bar and text reminding you that the system has no redundancy protection
    until the rebuilding process is complete. This text displays only when an
    array is being rebuilt.

System Information

The System Information area of the Dashboard displays basic information about
the FortiAnalyzer unit, such as up time and firmware version.
FortiAnalyzer Version 3.0 MR7 Administration Guide
30 05-30007-0082-20080908
Dashboard System
Figure 5: System Information
Serial Number: The serial number of the FortiAnalyzer unit. The serial number is
unique to the FortiAnalyzer unit and does not change with firmware updates. Use
this number when registering your FortiAnalyzer unit with Fortinet.
Uptime: The time in days, hours and minutes since the FortiAnalyzer unit was
started or last rebooted.
System Time: The current time according to the FortiAnalyzer internal clock.
Select Change to change the time or to configure the FortiAnalyzer unit to
obtain the time from an NTP server. For more information, see “Setting the
time” on page 29.
Host Name: The name of the FortiAnalyzer unit. For more information about
changing the name, see “Changing the host name” on page 30.
Firmware Version: The version of the firmware installed on the FortiAnalyzer
unit. Select Update to upload a new version of the firmware. For more
information about updating the firmware, see “Changing the firmware” on
page 30.

Setting the time

Set the system time to ensure correct report time ranges and scheduling, and
accurate logging. You can either set the FortiAnalyzer system time manually or
configure the FortiAnalyzer unit to keep its system time correct automatically
by synchronizing with a Network Time Protocol (NTP) server.
To set the system time, go to System > Dashboard and select Change for the
System Time.

Figure 6: Time Settings

System Time: The current FortiAnalyzer system date and time.
Refresh: Update the display of the current FortiAnalyzer system date and time.
Time Zone: Select the FortiAnalyzer unit’s time zone.
Set Time: Select to set the FortiAnalyzer system date and time to the values
you set in the Year, Month, Day, Hour, Minute and Second fields. Alternatively,
select Synchronize with NTP Server.