ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus,
FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer,
FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter,
FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of
Fortinet, Inc. in the United States and/or other countries. The names of
actual companies and products mentioned herein may be the trademarks
of their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS
Caution: If you install a battery that is not the correct type, it could
explode. Dispose of used batteries according to local regulations.
FortiAnalyzer Version 3.0 MR3 Administration Guide
05-30003-0082-200609259
Introduction
FortiAnalyzer units are network appliances that provide robust reporting, data
analysis and integrated log collection tools. Detailed log reports provide historical
as well as current analysis of network traffic, such as email, FTP and web
browsing activity, to help identify security issues and reduce network misuse and
abuse.
The FortiAnalyzer unit provides a robust selection of reporting tools from detailed
reports that can be scheduled or generated on demand, to basic traffic sniffing
and real-time network monitoring.
This section introduces you to the FortiAnalyzer appliance and includes the
following topics:
• The FortiAnalyzer Unit
• About this guide
• FortiAnalyzer documentation
• Customer service and technical support
The FortiAnalyzer Unit
The FortiAnalyzer family includes the following models:
FortiAnalyzer-100A/100B
Ports: 4 10/100 Ethernet ports
Memory: 256 MB
Disk Drives: 1
Disk Drive Capacity: 120 GB
FortiGate Devices Supported: 10 FortiGate devices or VDOM licenses. Supports FortiGate-50A to FortiGate-100A only.
FortiClient installations Supported: None
AC Input Voltage: 100-240V 0.8Amp Max
FortiAnalyzer-400
Ports: 3 10/100 Ethernet ports
Memory: 256 MB
Disk Drives: 4 x 120MB hot-swappable (3.0 MR1)
Disk Drive Capacity: 480 GB
FortiGate Devices Supported: 200 FortiGate units or VDOM licenses. Supports FortiGate-50A to FortiGate-800 only.
FortiClient installations Supported: 2000
AC Input Voltage: 100-240V 4Amp Max

FortiAnalyzer-800
Ports: 2 10/100 Ethernet ports
Memory: 512 MB
Disk Drives: 4 x 120MB hot-swappable (3.0 MR1)
Disk Drive Capacity: 480 GB
FortiGate Devices Supported: 250 FortiGate units or VDOM licenses. Supports FortiGate-50A to FortiGate-800 only.
FortiClient installations Supported: 2500
AC Input Voltage: 100-240V 04Amp Max
FortiAnalyzer-2000
Ports: 4 gigabit Ethernet ports
Memory: 2 GB
Disk Drives: 6 x 400GB hot-swappable
Disk Drive Capacity: 2.4 TB
FortiGate Devices Supported: 500 FortiGate units or VDOM licenses. Supports all FortiGate models.
FortiClient installations Supported: 5000
AC Input Voltage: 100-240V 9Amp Max
FortiAnalyzer-4000
Ports: 2 gigabit ethernet ports
Memory: 1 GB
Disk Drives: 12 x 250GB - hot-swappable
Disk Drive Capacity: 3 TB
FortiGate Devices Supported: 500 FortiGate units or VDOM licenses. Supports all FortiGate models.
FortiClient installations Supported: 5
AC Input Voltage: 100-240V 9Amp Max

FortiAnalyzer-4000A
Ports: 2 gigabit ethernet ports
Memory: 1 GB
Disk Drives: 12 x 250GB - hot-swappable
Disk Drive Capacity: 3 TB
FortiGate Devices Supported: 500 FortiGate units or VDOM licenses. Supports all FortiGate models.
FortiClient installations Supported: 5
AC Input Voltage: 100-240V 9Amp Max
FortiAnalyzer features
The FortiAnalyzer unit receives log files from multiple FortiGate and syslog
devices. Using the FortiAnalyzer unit’s robust reporting capabilities, you can
monitor the traffic, attacks, and misuses from network users. The FortiAnalyzer
unit includes the following features:
Reporting
The FortiAnalyzer reporting includes:
• Log analysis and reporting
Analyze logs submitted from multiple devices and generate a variety of reports
that enable you to proactively secure networks as threats arise, avoid network
abuses, manage bandwidth requirements, monitor Web site visits, and ensure
appropriate usage of the network. Analysis can be broken down by firewall and
by user or group of users.
• Vulnerability reports
Vulnerability reports show potential weaknesses to attacks that may exist for a
selected device. The FortiAnalyzer unit queries for open ports and, where
possible, gathers information about the running services. Known vulnerabilities
that exist for a service or version of the service are included in the report.
Note: Vulnerability reports are not available on the FortiAnalyzer-100.
Data mining
The FortiAnalyzer unit provides data mining features that enable you to easily
access simple reports to obtain information on the intrusion attempts on your
network as well as the types of traffic occurring on your network. Security event
summaries provide a snapshot of what unwanted traffic is attempting to breach
the firewall and the top traffic producers on the network, while traffic summaries
provide a snapshot of the traffic passing through the firewall on your network.
These reports can help you identify the high-volume users or attack events that
may be slowing down overall network traffic.
Network analyzer
The FortiAnalyzer network analyzer enables you to reach areas of the network
where FortiGate firewalls are not employed, or if you do not have a FortiGate unit
as a firewall. The FortiAnalyzer network analyzer functions as a sniffer to capture
traffic data, save it to the FortiAnalyzer hard disk, and display it or generate
reports using the data.
Note: The network analyzer is not available on the FortiAnalyzer-100.
Log viewer
The log browser enables you to view the log messages sent to the FortiAnalyzer
unit from registered devices. With the log viewer you can view any log file and
messages saved on the FortiAnalyzer hard disk. All log files and messages are
searchable and can be filtered to drill down and locate specific information.
Real-time log viewing
The FortiAnalyzer unit provides real-time logging of web, FTP and email traffic
through content logs. The content viewer provides a real-time display of
meta-information from registered devices. Meta-information includes where the
information is coming from and going to. For example, HTTP content includes the
source IP address and the destination URL to allow you to follow real-time trends
in network usage.
Log Aggregation
Log aggregation is a method of collating log data from remote FortiAnalyzer units
or other third party network devices that support the syslog format to a central
FortiAnalyzer unit. For example, a company may have a headquarters and a
number of branch offices. Each branch office has a FortiGate unit and a
FortiAnalyzer-100A/100B to collect local log information. The headquarters has a
FortiAnalyzer-2000 as the central log aggregator.
Quarantine
For FortiGate units that do not have a hard disk, the FortiAnalyzer unit offers the
ability to quarantine infected or suspicious files entering your network
environment. Use the quarantine browser on the FortiAnalyzer unit to view the
files to determine whether they are dangerous or not. Set the option on the
FortiGate unit to send the quarantined files to the FortiAnalyzer unit.
Network Attached Storage
The FortiAnalyzer unit also acts as a Network Attached Storage (NAS) device.
Use the FortiAnalyzer unit as a means of backing up or storing important
information or using the extra hard disk space as a file server or repository. Any
computer using NFS or Windows sharing can mount the FortiAnalyzer hard drive
to save and retrieve files.
About this guide
This guide describes how to set up, configure and use the FortiAnalyzer unit to
collect logs and generate reports on network use.
This guide has the following sections:
• Installing the FortiAnalyzer unit describes how to set up and install the
FortiAnalyzer unit in your network environment.
• Configure the FortiAnalyzer unit describes how to configure the FortiAnalyzer
system settings, such as system time, session information, and user
management.
• Devices describes how to add and configure FortiGate, FortiManager units and
Syslog servers so that the FortiAnalyzer unit can maintain a connection with
the device.
• Alerts describes how to set up alert messages and configure the FortiAnalyzer
unit to send messages via email through a mail server, to a syslog server or
using SNMP traps. This chapter also lists the SNMP traps supported by the
FortiAnalyzer unit.
• Traffic summary and security events describes how to configure and view
reports on intrusion attempts against your network as well as viewing the types
of traffic occurring on your network.
• Content archive describes how to monitor metadata content for all users using
email, FTP, Instant Messages and web browsing.
• Logs describes how to select and view device and FortiAnalyzer log files. It
also describes customizing the log views using filters and column settings to
find information in the logs more easily, as well as watching logs in real time.
• Quarantine describes how to configure the FortiAnalyzer unit to receive
quarantined files from a FortiGate unit and view them on the FortiAnalyzer
hard disk.
• Vulnerability scan describes how to set up vulnerability scans and view the
generated reports.
• Reports describes how to create report profiles for running regular reports on
the log information collected by the FortiAnalyzer unit. It also describes how to
view the generated reports.
• Network Analyzer describes how to connect the FortiAnalyzer unit to a SPAN
or mirror port on a network switch to analyze, or sniff, the network traffic
passing through it.
• Forensic Analysis describes how to view and report on an individual's network
habits and activities and generate reports for analysis.
FortiAnalyzer documentation
• FortiAnalyzer Administration Guide
Describes how to install and configure a FortiAnalyzer unit to collect FortiGate
and Syslog log files, and connect to a FortiManager device for management
purposes. It also describes how to view log files, generate and view reports on
various network activities, and use the FortiAnalyzer unit as a NAS server.
• FortiAnalyzer CLI Reference
Describes how to use the command line interface of the FortiAnalyzer unit, and
describes all the commands available.
• FortiAnalyzer online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.
• FortiAnalyzer QuickStart Guides
Explains how to install and set up the FortiAnalyzer unit.
Fortinet Tools and Documentation CD
All Fortinet documentation is available from the Fortinet Tools and Documentation
CD shipped with your Fortinet product. The documents on this CD are current at
shipping time. For up-to-date versions of Fortinet documentation see the Fortinet
Technical Documentation web site at http://docs.forticare.com.
Fortinet Knowledge Center
The knowledge center contains short how-to articles, FAQs, technical notes,
product and feature guides, and much more. Visit the Fortinet Knowledge Center
at http://kc.forticare.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to techdoc@fortinet.com.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your
Fortinet systems install quickly, configure easily, and operate reliably in your
network.
Please visit the Fortinet Technical Support web site at http://support.fortinet.com
to learn about the technical support services that Fortinet provides.
Installing the FortiAnalyzer unit
This section describes the FortiAnalyzer hardware and how to connect the
FortiAnalyzer unit to the network. This section includes the following topics:
• Planning the installation
• Connecting the FortiAnalyzer unit
• Configuring the FortiAnalyzer unit
• Upgrading the FortiAnalyzer firmware
• Backing up the FortiAnalyzer hard disk
• Shutting down the FortiAnalyzer unit
Planning the installation
You can add the FortiAnalyzer unit to your local network to receive log message
packets from FortiGate and Syslog devices.
You can connect the FortiAnalyzer unit locally or remotely through the Internet. To
connect the FortiAnalyzer unit to devices remotely, you must configure the DNS
server and the default gateway. To manage the FortiAnalyzer unit, you can use a
computer within the local network or over the Internet.
Figure 1: FortiAnalyzer connection option
Connecting the FortiAnalyzer unit
You can install the FortiAnalyzer unit as a free-standing appliance on any stable
surface. You can also mount the FortiAnalyzer-800, FortiAnalyzer-2000 and
FortiAnalyzer-4000/4000A onto a rack unit.
Environmental specifications
• Operating temperature: 41 to 95°F (5 to 35°C)
If you install the FortiAnalyzer unit in a closed or multi-unit rack assembly, the
operating ambient temperature of the rack environment may be greater than
room ambient temperature. Therefore, make sure to install the equipment in an
environment compatible with the manufacturer's maximum rated ambient
temperature.
• Storage temperature: -4 to 176°F (-20 to 80°C)
• Humidity: 10 to 90% non-condensing
Note: The FortiAnalyzer unit may overload your supply circuit and impact your surge
protection and supply wiring. Use appropriate equipment nameplate ratings to address this
concern.
Make sure that the FortiAnalyzer unit has reliable grounding. Fortinet recommends direct
connections to the branch circuit.
Air flow
• For rack installation, make sure that the amount of air flow required for safe
operation of the equipment is not compromised.
• For free-standing installation, make sure that the appliance has at least 1.5 in.
(3.75 cm) of clearance on each side to allow for adequate air flow and cooling.
Mechanical loading
You can mount the FortiAnalyzer-800, FortiAnalyzer-2000 and
FortiAnalyzer-4000/4000A units in a standard 19-inch rack. The FortiAnalyzer-800
requires 1U of vertical space and the FortiAnalyzer-2000 and
FortiAnalyzer-4000/4000A require 2U of vertical space in the rack.
For rack installation, ensure an even mechanical loading of the FortiAnalyzer-800,
FortiAnalyzer-2000 and FortiAnalyzer-4000/4000A to avoid a hazardous
condition.
Connecting to the network
To connect the FortiAnalyzer unit to the network
1. Place the unit on a stable surface, or in a 19-inch rack unit.
2. Make sure the power of the unit is turned off.
3. Connect the network cable to the LAN or Port 1 interface.
4. Connect the power cable to a power outlet.
5. Turn on the power switch.
Configuring the FortiAnalyzer unit
Use the web-based manager or the Command Line Interface (CLI) to configure the
FortiAnalyzer unit IP address, netmask, DNS server IP address, and default gateway IP
address.
Table 1: FortiAnalyzer-100A and FortiAnalyzer-100B factory defaults
Using the web-based manager
The web-based manager provides a graphical interface to configure and administer
the FortiAnalyzer unit.
Use the web-based manager to:
• configure most FortiAnalyzer settings
• monitor the status of the FortiAnalyzer unit
• configure and view reports
• view log files and messages
• administer users, groups and set access rights.
You can configure and manage the FortiAnalyzer unit using a secure HTTPS
connection from any computer running Internet Explorer 6.0 or other current
browser.
Configuration changes made using the web-based manager are effective
immediately without resetting the firewall or interrupting service.
For all FortiAnalyzer models, use the following procedure to connect to the
web-based manager for the first time.
To connect to the web-based manager, you need:
• An Ethernet connection between the FortiAnalyzer unit and management
computer.
• Internet Explorer version 6.0 or higher or other current popular web browser on
the management computer.
To connect to the web-based manager
1. Connect the Port1 interface of the FortiAnalyzer unit to the Ethernet port of the
management computer.
2. Use a cross-over Ethernet cable to connect the devices directly. Use
straight-through Ethernet cables to connect the devices through a hub or switch.
3. Configure the management computer to be on the same subnet as the
FortiAnalyzer LAN interface.
4. To do this, change the IP address of the management computer to 192.168.1.2
and the netmask to 255.255.255.0.
5. To access the FortiAnalyzer web-based manager, start your browser and browse
to https://192.168.1.99 (remember to include the “s” in https://).
6. Type admin in the Name field and select Login.
After connecting to the Web-based manager, you can configure the FortiAnalyzer
unit IP address, DNS server IP address, and default gateway to connect the
FortiAnalyzer unit to the network.
To configure the FortiAnalyzer unit using the web-based manager
1. In the web-based manager, go to System > Network > Interface.
2. Select Edit for Port1.
3. Enter the IP address and netmask and select OK.
If the FortiAnalyzer unit will be connected to the Internet:
4. Go to System > Network > DNS.
5. Enter the primary DNS server IP address and, optionally, the secondary DNS
server IP address.
6. Select Apply.
7. Go to System > Network > Routing.
8. Select Create New and add the default gateway IP address and any other routes
as required.
9. Select OK.
Using the command line interface
You can also use terminal emulation software to connect to the command line
interface (CLI) from any network that is connected to the FortiAnalyzer unit,
including the Internet. This applies to all FortiAnalyzer models.
You can also access the FortiAnalyzer-100A/100B, FortiAnalyzer-800 and
FortiAnalyzer-4000/4000A CLI by using the null-modem cable provided to connect
to the unit’s console port.
The CLI supports the same configuration and monitoring functionality as the
web-based manager.
To connect to the FortiAnalyzer unit through the console
1. Use a null-modem cable to connect the serial port on the
FortiAnalyzer-100A/100B, FortiAnalyzer-800 and FortiAnalyzer-4000/4000A to
the management computer serial port.
2. Start a terminal emulation program (such as HyperTerminal) on the management
computer. Use these settings:
• Baud Rate (bps): 9600
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow Control: None.
3. At the login: prompt, type admin and press Enter twice.
4. (The login prompt is preceded by the server IP address.)
After connecting to the CLI, you can configure the unit IP address, DNS server IP
address, and default gateway to connect the FortiAnalyzer unit to the network.
To configure the FortiAnalyzer unit using the CLI
1. Set the IP address and netmask of the LAN interface:
    config system interface
    edit port1
    set ip <ip_address> <netmask>
    end
2. Confirm that the address is correct:
    get system interface
3. Set the primary and optionally the secondary DNS server IP address:
    config system dns
    set primary <dns-server_ip>
    set secondary <dns-server_ip>
    end
4. Set the default gateway:
    config system route
    edit 1
    set device port1
    set dst <destination_ip> <netmask>
    set gateway <gateway_ip>
    end
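Added example (not part of the Fortinet guide): a Python pre-check for the address plan entered in the CLI steps above. It flags a gateway that is off the port1 subnet, unusable interface or DNS addresses, and a unit left on the factory default address 192.168.1.99, then renders the CLI lines. The function names, the sample addresses and the all-zero destination used for the default route are assumptions; the guide shows only a destination and netmask placeholder.

```python
import ipaddress

# Factory default management address stated in this guide.
FACTORY_DEFAULT_IP = ipaddress.IPv4Address("192.168.1.99")


def check_plan(ip, netmask, gateway, dns_primary, dns_secondary=None):
    """Return (errors, warnings) for a planned port1 configuration."""
    errors, warnings = [], []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
        gw = ipaddress.IPv4Address(gateway)
        dns = [ipaddress.IPv4Address(d) for d in (dns_primary, dns_secondary) if d]
    except ValueError as exc:  # bad address or non-contiguous netmask
        return [f"unparseable value: {exc}"], warnings

    net = iface.network
    # Network and broadcast addresses cannot be assigned to a host (except /31, /32).
    reserved = {net.network_address, net.broadcast_address} if net.prefixlen < 31 else set()

    if iface.ip in reserved:
        errors.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        errors.append(f"gateway {gw} is not on the port1 subnet {net}")
    elif gw == iface.ip or gw in reserved:
        errors.append(f"gateway {gw} is not a usable next hop on {net}")
    for d in dns:
        if d.is_unspecified or d.is_loopback or d.is_multicast:
            errors.append(f"DNS server {d} is not a usable unicast address")
    if len(dns) == 2 and dns[0] == dns[1]:
        warnings.append("secondary DNS server duplicates the primary")
    if iface.ip == FACTORY_DEFAULT_IP:
        warnings.append("port1 still uses the factory default address 192.168.1.99")
    return errors, warnings


def render_cli(ip, netmask, gateway, dns_primary, dns_secondary=None):
    """Return the CLI lines from the procedure above, or raise ValueError."""
    errors, _ = check_plan(ip, netmask, gateway, dns_primary, dns_secondary)
    if errors:
        raise ValueError("; ".join(errors))
    lines = [
        "config system interface",
        "edit port1",
        f"set ip {ip} {netmask}",
        "end",
        "get system interface",
        "config system dns",
        f"set primary {dns_primary}",
    ]
    if dns_secondary:
        lines.append(f"set secondary {dns_secondary}")
    lines += [
        "end",
        "config system route",
        "edit 1",
        "set device port1",
        # Assumption: an all-zero destination and netmask denotes the default route.
        "set dst 0.0.0.0 0.0.0.0",
        f"set gateway {gateway}",
        "end",
    ]
    return lines


if __name__ == "__main__":
    # Constructed sample plan using documentation address ranges.
    plan = ("192.0.2.10", "255.255.255.0", "192.0.2.1", "192.0.2.53")
    print(check_plan(*plan))
    print("\n".join(render_cli(*plan)))
```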
Using the front panel buttons and LCD
You can use the front panel buttons on the FortiAnalyzer-400 and
FortiAnalyzer-800 to set up the unit’s IP address, netmask, and default gateway.
Press the cycle button to cycle through options and select the IP
address information.
Press the enter button to select a menu option or number in the IP
address.
On the FortiAnalyzer-2000, use the up and down arrow buttons to cycle through
the options and enter the IP address information, and select Enter to select a
menu option or number in the IP address.
Upgrading the FortiAnalyzer firmware
Upgrade the FortiAnalyzer firmware using the instructions in the topic “Changing
the firmware” on page 35. Ensure you back up all configuration settings and log
files before upgrading the firmware.
Note: If you are upgrading from FortiAnalyzer firmware version 0.8, the file system has
changed. After upgrading the firmware, all log data will be destroyed. Ensure you back up all
log information before proceeding with the upgrade. When upgrading from FortiLog 0.8 to
FortiAnalyzer 3.0, the FortiAnalyzer hard disks must be reformatted.
To format the hard disk, go to System > Dashboard. Select Format Log Disks for the
System Operation.
Backing up the FortiAnalyzer hard disk
Before upgrading the FortiAnalyzer firmware, formatting the log disk or changing
the RAID configuration (on a FortiAnalyzer-400, FortiAnalyzer-800,
FortiAnalyzer-2000 and FortiAnalyzer-4000/4000A), it is extremely important that
you back up the log data first. Using the CLI, you can perform a global backup of
all log information to an FTP server.
Note: In the case of changing RAID configurations and formatting log disks, this command
is designed to back up and restore all logs from the FTP server.
To back up the log information on the FortiAnalyzer hard disk, use the CLI to enter
the following command:
Once the firmware upgrade or the RAID configuration is complete, you can restore
the log information to the FortiAnalyzer hard disk.
Note: Before using the restore CLI command, ensure you add the devices for the logs first.
The command will not function without the devices to associate with the logs. For details on
adding devices, see the chapter “Devices” on page 65.
Shutting down the FortiAnalyzer unit
When powering off the FortiAnalyzer unit, always shut down the unit using the
following procedure before disconnecting the power supply. If you do not follow
this procedure, you risk damaging the FortiAnalyzer hard disk.
To power off the FortiAnalyzer unit
1. From the web-based manager, go to System > Dashboard.
2. In the System Operation list, select Shut Down and select Go.
OR
From the CLI, enter:
    execute shutdown
3. Disconnect the power supply.
Configure the FortiAnalyzer unit
The FortiAnalyzer unit provides a number of configuration options to customize
the FortiAnalyzer unit using the System settings.
This section describes the configuration settings you can apply to use the
FortiAnalyzer in your network environment.
This section includes the following topics:
• Dashboard
• Network settings
• Administrator settings
• Network sharing
• Configuring the FortiAnalyzer unit
• Maintenance
• RAID levels
Dashboard
The system dashboard provides a view of the current operating status of the
FortiAnalyzer unit. All FortiAnalyzer administrators with read access to system
configuration can view system status information.
Figure 2: FortiAnalyzer-400 dashboard
Connect to the web-based manager to view the current system status of the
FortiAnalyzer unit, and modify the system information. The status information that
appears includes the system information, alert messages, system resources,
license information and session statistics.
System Information
The System Information area of the Dashboard displays the current state of the
FortiAnalyzer unit. The System Status area includes the following information:
Serial Number: The serial number of the FortiAnalyzer unit. The serial number is
unique to the FortiAnalyzer unit and does not change with firmware updates. Use
this number when registering your FortiAnalyzer unit with Fortinet.
Uptime: The time in days, hours and minutes since the FortiAnalyzer was started
or last rebooted.
System Time: The current time according to the FortiAnalyzer internal clock.
Select Change to change the time or configure the FortiAnalyzer unit to obtain
the time from an NTP server. For details see “Setting the time” on page 32.
Host Name: The name of the FortiAnalyzer unit. For details on changing the name
see “Changing the host name” on page 36.
Firmware Version: The version of the firmware installed on the FortiAnalyzer unit.
Select Update to upload a new version of the firmware. For details on updating
the firmware see “Changing the firmware” on page 35.
System Resources
The system resources displays how the FortiAnalyzer unit’s resources are being
used. You can monitor the CPU, memory and hard disk use and quickly see at
what capacity the FortiAnalyzer unit is running. System resources includes the
following information:
CPU Usage: The current CPU status. The web-based manager displays CPU usage
for core processes only. CPU usage for management processes (for example, for
HTTPS connections to the web-based manager) is excluded.
Memory Usage: The current memory status. The web-based manager displays
memory usage for core processes only. Memory usage for management processes
(for example, for HTTPS connections to the web-based manager) is excluded.
Hard Disk Usage / RAID status: For the FortiAnalyzer-100 and
FortiAnalyzer-100A/100B, the current status of the hard disk. The web-based
manager displays the amount of hard disk space used.
For the FortiAnalyzer-400, FortiAnalyzer-800, FortiAnalyzer-2000 and
FortiAnalyzer-4000/4000A, the current RAID status of the hard disks. Each circle
indicates the status of a hard disk. Green indicates the hard disk is functioning
normally. If the disk is flashing red and yellow, there is a problem with the
hard disk.
The hard disks on the FortiAnalyzer-2000 and FortiAnalyzer-4000/4000A are hot
swappable. For details see “Hot swapping the FortiAnalyzer-2000 and
FortiAnalyzer-4000/4000A” on page 62.
History icon: Select History to view a graphical representation of the last minute
of CPU, memory, sessions, and network usage. For more information see “Viewing
operational history” on page 30.
License Information
Support Contract: The support contract number and expiry date.
RVS Engine: The version of the RVS engine. Select Update to upload a new version
of the engine. This feature is not available on the FortiAnalyzer-100.
RVS Plug-ins: The version of the RVS plug-in. This feature is not available on the
FortiAnalyzer-100.
Device License: A listing of the number of devices connected to the FortiAnalyzer
unit.
Registered is the number of devices added to the FortiAnalyzer unit.
Unregistered is the number of devices attempting to connect to the FortiAnalyzer
unit that need configuring. To configure the FortiAnalyzer unit to accept logs
from a device see “Devices List” on page 65.
Alert Message Console
The Alert display shows alert messages for the FortiAnalyzer and connected
FortiGate units. The Alerts display shows hard disk failure messages, virus
outbreak, or suspicious event warnings. To view all the alert messages recorded
by the FortiAnalyzer unit, select More Alerts. For details on viewing alert
messages see “Viewing Alert messages” on page 31.
Statistics
Since: The date and time when the statistics were last reset.
Connections: The number of communication sessions occurring on the FortiAnalyzer
unit. Select Details for more information on the connections. For details on the
session information, see “Viewing Session information” on page 30.
Logs & Reports: A display of the log file activity and volume delivered to the
FortiAnalyzer unit.
Report Engine
The Report Engine display shows the FortiAnalyzer report generation activity. The
report engine activity information includes whether the report engine is active or
inactive, what reports are running when active and the percentage completed.
Select the Generate report button to create a new report profile.
Automatic Refresh Interval
Select how often the Status page automatically updates. Select Refresh Now to
update the status page immediately.
System Operation
Perform the following operations from the Status page. These options are not
available if your access privileges include write permissions.
Reboot: Restart the FortiAnalyzer unit.
ShutDown: Shut down the FortiAnalyzer unit. You can only restart the
FortiAnalyzer unit by turning the power off and then on again.
Format log disks: Format the FortiAnalyzer hard disk. Selecting this option will
delete all log files and reports from the hard disk. Ensure that you back up all
information before selecting this option. Formatting the hard disk will also
interrupt FortiAnalyzer operations for several minutes.
Reset to factory default: Restart the FortiAnalyzer unit with its original
configuration when it was initially powered on. This will delete all configuration
changes you have made, but does not change the firmware version. This also
includes resetting the IP address and netmask. You will need to reconnect to the
FortiAnalyzer device using the default IP address of 192.168.1.99.
Viewing operational history
The System resource history page displays four graphs representing system
resources and network utilization history, updated every three seconds.
To view the FortiAnalyzer operational history
1. Go to System > Dashboard.
2. Select History in the upper right corner of the System Resources area.
CPU Usage: The CPU usage for the previous minute.
Memory Usage: The memory usage for the previous minute.
Session: The session history for the previous minute.
Network utilization: The network use for the last minute.
Viewing Session information
Session information displays information about the current communication
sessions on the FortiAnalyzer unit.
To view the session information
1Go to System > Dashboard.
2In the Statistics area, select Details for the Connection information.
Resolve Host Name: Select to display host names by a recognizable name rather than
IP addresses. For details on configuring IP address host names see “IP Aliases”
on page 53.
Resolve Service: Select to display network service names rather than port numbers.
For example, HTTP rather than port 80.
Refresh Time: Select the frequency of the refresh of the Connections page to view
the connection activity.
Stop Refresh: Select to stop the refreshing of the connections page. To start the
refresh, select a refresh time.
View per page: Select the number of rows to display per page.
Page n of n: Enter a page number to jump to and press Enter.
Search: Enter a keyword to perform a simple search on the session information
available. Select Go to begin the search. The number of matches appears above the
Search field.
Protocol: The service protocol of the connection. For example, udp and tcp.
From IP: The source IP address of the connection.
From Port: The source port of the connection.
To IP: The destination IP address of the connection.