Fortinet FortiLog-400, FortiLog-800, FortiLog-100 User Manual

FortiLog

Administration Guide

FortiLog-400

FortiLog-100

FortiLog-800

FortiLog Administration Guide

Version 1.6

January 15, 2004

05-16000-0082-20050115

No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.

FortiLog Administration Guide

Version 1.6 January 15, 2005 05-16000-0082-20050115

Trademarks

Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Regulatory Compliance

FCC Class A Part 15, UL, CE

CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.

For technical support, please visit http://www.fortinet.com.

Send information about errors or omissions in this document or any Fortinet technical documentation to

techdoc@fortinet.com.

Introduction............................................................................................................ 7

Operational Modes.............................................................................................................. 8

Active Mode .................................................................................................................... 8

Passive Mode ................................................................................................................. 9

About this guide ................................................................................................................ 10

FortiLog documentation .................................................................................................... 10

Related documentation ..................................................................................................... 11

FortiGate documentation .............................................................................................. 11

FortiManager documentation ........................................................................................ 12

FortiClient documentation ............................................................................................. 12

FortiMail documentation................................................................................................ 12

Fortinet Knowledge Center ........................................................................................... 12

Comments on Fortinet technical documentation........................................................... 12

Customer service and technical support........................................................................... 13

Setting up the FortiLog unit................................................................................ 15

Contents

Checking the package contents........................................................................................ 15

Hardware specifications................................................................................................ 16

Dimensions ............................................................................................................... 16

Weight....................................................................................................................... 16

Power requirements.................................................................................................. 17

Environmental specifications..................................................................................... 17

Air flow ...................................................................................................................... 17

Mechanical loading ................................................................................................... 17

Planning the installation.................................................................................................... 17

Connecting the FortiLog unit............................................................................................. 18

Configuring the FortiLog unit............................................................................................. 19

Using the web-based manager ..................................................................................... 19

Using the command line interface................................................................................. 20

Using the front panel buttons and LCD......................................................................... 21

Connecting to the FortiLog Unit......................................................................... 23

Sending device logs to the FortiLog unit........................................................................... 23

Configuring FortiGate unit running FortiOS 2.8 ............................................................ 23

Configuring FortiGate devices running FortiOS 2.5 ...................................................... 24

Configuring FortiMail devices........................................................................................ 25

Configuring the FortiLog unit............................................................................................. 26

Adding a device ............................................................................................................ 26

Defining device port interfaces.................................................................................. 27

Creating Device Groups................................................................................................ 28

FortiLog Administration Guide 05-16000-0082-20050115 3

Contents

Managing the FortiLog unit................................................................................. 29

Status................................................................................................................................ 29

Status............................................................................................................................ 29

Changing the FortiLog host name............................................................................. 31

Changing operating modes....................................................................................... 31

Viewing system resources information...................................................................... 32

Changing the firmware.................................................................................................. 32

Installing firmware from a system reboot .................................................................. 33

Testing a new firmware image .................................................................................. 35

Installing a backup firmware image........................................................................... 36

Switching to a backup firmware image...................................................................... 38

Switching to the default firmware image ................................................................... 38

Backing up system settings .......................................................................................... 39

Downlading the FortiLog debug log .............................................................................. 39

Restoring system settings............................................................................................. 40

Restore factory default system settings ........................................................................ 40

Restoring a FortiLog unit............................................................................................... 40

RAID ............................................................................................................................. 41

Config................................................................................................................................ 42

Network......................................................................................................................... 42

RAID ............................................................................................................................. 43

Log settings................................................................................................................... 44

Log policy.................................................................................................................. 45

Time .............................................................................................................................. 46

Options.......................................................................................................................... 46

Admin............................................................................................................................ 46

Configure Administrator access ................................................................................ 47

Administrator account levels ..................................................................................... 48

Administrator options ................................................................................................ 48

Changing the Administrator password ...................................................................... 49

Devices (Active mode)...................................................................................................... 49

Device list...................................................................................................................... 50

Adding and registering a device.................................................................................... 50

Editing device information............................................................................................. 50

Alert Email......................................................................................................................... 51

Server ........................................................................................................................... 51

Local ............................................................................................................................. 52

Device (Active mode).................................................................................................... 52

Creating a new device alert....................................................................................... 52

Alerts................................................................................................................................. 54

Network Sharing ............................................................................................................... 55

Defining IP aliases ............................................................................................................ 55

4 05-16000-0082-20050115 Fortinet Inc.

Reports ................................................................................................................. 57

Creating and generating a report...................................................................................... 57

Configuring report parameters ...................................................................................... 58

Configuring a report query ............................................................................................ 59

Creating a query profile............................................................................................. 60

Selecting the devices for the report .............................................................................. 60

Creating a device profile ........................................................................................... 61

Select filtering options................................................................................................... 61

Creating a filter profile............................................................................................... 62

Setting a report schedule .............................................................................................. 62

Creating a report schedule profile ............................................................................. 63

Choosing the report destination and format.................................................................. 63

Creating a report destination and format profile........................................................ 64

Reports on demand ...................................................................................................... 64

Viewing reports ................................................................................................................. 65

Roll up report ................................................................................................................ 66

Individual reports........................................................................................................... 66

Vulnerability reports .......................................................................................................... 67

Creating and generating a report .................................................................................. 67

Selecting report result parameters................................................................................ 68

Selecting plug-ins.......................................................................................................... 68

Creating a plug-in profile........................................................................................... 69

Selecting the scan targets for the report ....................................................................... 69

Creating a scan target profile.................................................................................... 70

Choosing the report destination and format.................................................................. 71

Creating a report destination and format profile........................................................ 71

Viewing the vulnerability report ..................................................................................... 72

Contents

Using Logs ........................................................................................................... 73

The Log view interface...................................................................................................... 74

Viewing logs...................................................................................................................... 74

Finding log information.................................................................................................. 75

Importing log files.............................................................................................................. 77

Log Search........................................................................................................................ 78

Log watch (Active mode) .................................................................................................. 78

Event correlation (Active mode)........................................................................................ 79

Using the FortiLog unit as a NAS....................................................................... 81

Connecting to the FortiLog file system.............................................................................. 81

Providing access to the FortiLog hard disk....................................................................... 82

Selecting a file sharing protocol .................................................................................... 82

Adding and modifying user accounts ............................................................................ 82

FortiLog Administration Guide 05-16000-0082-20050115 5

Contents

Adding and modifying group accounts.......................................................................... 83

Assigning access to folders .......................................................................................... 83

Modifying the user or group folder access ................................................................ 85

Setting folder and file properties ....................................................................................... 86

FortiLog CLI reference ........................................................................................ 87

CLI documentation conventions........................................................................................ 87

Connecting to the CLI ....................................................................................................... 88

Connecting to the FortiLog-800 console ....................................................................... 88

Setting administrative access for SSH or Telnet........................................................... 89

Connecting to the FortiLog CLI using SSH ................................................................... 90

Connecting to the FortiLog CLI using Telnet ................................................................ 90

CLI commands.................................................................................................................. 91

execute branch ............................................................................................................. 91

get branch ..................................................................................................................... 92

set branch ..................................................................................................................... 94

set alertemail............................................................................................................. 94

set console................................................................................................................ 97

set log........................................................................................................................ 98

set NAS................................................................................................................... 103

set report................................................................................................................. 104

set system............................................................................................................... 104

unset branch ............................................................................................................... 110

Appendix A: Log Report Types ........................................................................ 113

Network Activity....................................................................................................... 113

Web Activity ............................................................................................................ 113

FTP Activity ............................................................................................................. 114

Terminal Activity...................................................................................................... 115

Mail Activity ............................................................................................................. 115

Intrusion Activity...................................................................................................... 116

Antivirus Activity ...................................................................................................... 116

Web Filter Activity ................................................................................................... 116

Mail Filter Activity .................................................................................................... 117

VPN Activity ............................................................................................................ 118

Content Activity ....................................................................................................... 118

Index .................................................................................................................... 121

6 05-16000-0082-20050115 Fortinet Inc.

Introduction

FortiLog units are network appliances that provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network and email activity to help identify security issues and reduce network misuse and abuse.

FortiLog units operate in one of two modes:

• In Active mode as a log collection and analysis tool to collect logs from FortiGate and FortiMail devices and generate reports based on log data.

• In Passive mode as a Network Attached Storage (NAS) server to act as an additional storage device.

The models in the FortiLog family:

FortiLog Administration Guide Version 1.6

• FortiLog-100, desktop model with one hard drive.

• FortiLog-400, desktop model with four hard drives.

• FortiLog-800, rackmount model with four hard drives.

Figure 1: FortiLog models

FortiLog-400

FortiLog-100

FortiLog-800

FortiLog Administration Guide 05-16000-0082-20050115 7

Operational Modes Introduction

Operational Modes

The FortiLog device can operate in two modes: Active mode or Passive mode. The web-based interface provides an interface that reflects each models’ functionality.

Active Mode

Active mode is the default mode for the FortiLog unit. In Active mode, the FortiLog unit can receive log files from FortiGate, FortiClient, FortiMail and syslog devices. Using the reporting features, you can use the FortiLog unit to view the log files and generate more than 130 different reports for hourly, daily, weekly, monthly, and even quarterly reviews of any device traffic.

Figure 2: FortiLog unit in Active mode

Using FortiLog to analyze logs and generate reports enables you to proactively secure networks before threats arise, avoid network abuses, manage bandwidth requirements, monitor Web site visits, and ensure appropriate usage of the network by employees.

The FortiLog unit also acts as a Network Attached Storage (NAS) device. Use the FortiLog unit as a means of backing up or storing important information or using the extra hard disk space as a file server or repository. Any computer using NFS or Windows sharing can mount the FortiLog hard drive to save and retrieve files.

8 05-16000-0082-20050115 Fortinet Inc.

Introduction Operational Modes

Figure 3: FortiLog Active mode network architecture

CONSOLE

Esc Enter

FortiGate Unit

FortiMail UnitFortiGate Unit

4 / HA3

CONSOLE

4 / HA3

Esc Enter

CONSOLE

PWE

FortiGate Unit

CONSOLE

Esc Enter

4 / HA3

Passive Mode

CONSOLE

Esc Enter

FortiGate Unit

CONSOLE

Esc Enter

FortiGate Unit

4 / HA3

Internet

FortiGate Unit

4 / HA3

CONSOLE

Esc Enter

Switch

Management PC

Reports

FortiLog Unit

Passive mode enables you to use the FortiLog unit solely as a Network Attached Server (NAS) storage device. The collection of device log files and the log reporting features are not available in passive mode.

Figure 4: FortiLog unit in Passive mode

FortiLog units running in Passive mode provide secure storage space. Using the integrated RAID (Redundant Arrays of Inexpensive Disks) functionality provides better data security.

Note: RAID functionality is only available on the FortiLog-400 and 800. These units contain four hard disks and support RAID level 0, 1, and 5.

FortiLog Administration Guide 05-16000-0082-20050115 9

About this guide Introduction

About this guide

This document describes how to set up and configure the FortiLog unit. The configuration and features of the FortiLog unit are similar in either mode. Section titles indicate where the features or configuration differs or is unique to each mode. For example, Devices (Active mode).

This document has the following sections:

• Setting up the FortiLog unit describes how to set up and install the FortiLog unit in your network.

• Connecting to the FortiLog Unit describes how to connect a FortiGate and FortiMail device to the FortiLog unit to for collecting log files. It also discusses the requirements to help users to connect and view files on the FortiLog hard disk.

• Managing the FortiLog unit describes how to view and configure the FortiLog system settings, such as system time, session information, and user management.

• Reports describes how to generate, customize and view log reports and generate vulnerability reports for selected devices.

• Using Logs describes how to select, and view device and FortiLog log files. It also describes customizing the log views to find information in the logs easier, as well as watch logs in real time.

• Using the FortiLog unit as a NAS describes how to use the FortiLog unit as a file storage device and how to provide access to users and groups.

• FortiLog CLI reference is a source for commands when accessing the FortiLog unit from the CLI.

• Appendix A: Log Report Types provides an extensive list of the more than 130 log reports that the FortiLog unit can generate.

This document is available in online help format from the web-based manager. To access the online help, select the question mark icon in the upper-right corner of the web-based manager window.

FortiLog documentation

• FortiLog Administration Guide Describes how to install and configure a FortiLog unit to collect FortiGate and

FortiMail log files. It also describes how to view FortiGate and FortiMail log files, generate and view log reports, and use the FortiLog unit as a NAS server.

• FortiLog online help

Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.

• FortiLog QuickStart Guide Explains how to install and set up the FortiLog unit.

10 05-16000-0082-20050115 Fortinet Inc.

Introduction Related documentation

Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.

You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and change your registration information at any time.

Fortinet email support is available from the following addresses:

amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin

apac_support@fortinet.com For customers in Japan, Korea, China, Hong Kong, Singapore,

eu_support@fortinet.com For customers in the United Kingdom, Scandinavia, Mainland

America and South America.

Malaysia, all other Asian countries, and Australia.

Europe, Africa, and the Middle East.

For information on Fortinet telephone support, see http://support.fortinet.com. When requesting technical support, please provide the following information:

• Your name

• Company name

•Location

• Email address

• Telephone number

• FortiGate unit serial number

• FortiGate model

• FortiGate FortiOS firmware version

• Detailed description of the problem

FortiLog Administration Guide 05-16000-0082-20050115 13

Customer service and technical support Introduction

14 05-16000-0082-20050115 Fortinet Inc.

FortiLog Administration Guide Version 1.6

Setting up the FortiLog unit

This chapter includes:

• Checking the package contents

• Hardware specifications

• Planning the installation

• Connecting the FortiLog unit

• Configuring the FortiLog unit

Checking the package contents

The FortiLog family includes three models. Check the model number on the front panel of your FortiLog unit. All three models are shown in the picture below.

• FortiLog-100, desktop model with one hard drive.

• FortiLog-400, desktop model with four hard drives.

• FortiLog-800, rackmount model with four hard drives.

Table 1: FortiLog unit connectors

Connector Type Speed Protocol Description

LAN for FortiLog-100 LAN1 for

FortiLog-400 and 800

CONSOLE

(FortiLog-800 only)

RJ-45 10/100Base-T

(FortiLog-100 and

400) 10/100/1000Base-T (FortiLog-800)

DB-9 9600 bps RS-232

Ethernet Connection to the network.

serial

Connection to the management computer.

Provides access to the command line interface (CLI).

FortiLog Administration Guide 05-16000-0082-20050115 15

Checking the package contents Setting up the FortiLog unit

Figure 5: FortiLog front and back diagrams

FortiLog-100 FortiLog-400

Front

LED indicators:

Power, Error, Network,

and Disk Access

LCD

Panel

Setting

Switches

A and B

Hard Disk

Power Connection

LCD

Panel

Back

LED indicators:

Power, Error, Network,

LEDs

and Disk Access

ATX Redundant Power Supplies

Setting Switches

A and B

Power Switch

LAN

Power

Connection

FortiLog-800

Front

Back

RS-232

Serial

Connection

Reset

Switch

LCD

Panel

SCSI Connector

For Tape Drive For Future Use

Setting

Switches

A and B

Hard Disk

LEDs

(Network

Connection)

LAN1

Front

Rack-Mount

Back

Accessories for each model

Orange - Crossover

Grey - Straight-through

Brackets

Power Switch

LAN2

For Future Use

USER MANUAL

Null-Modem Cable

Ethernet Cables:

(RS-232)

for FortiLog-800

AC Adapter

for FortiLog-100

Power Cable

FortiLog-100,400, 800

QuickStart Guide

Documentation

Reset Switch

Power Switch

LAN1 (Network Connection)

LAN2 and LAN3

For Future Use

Power Connection

ATX Redundant Power Supplies

Hardware specifications

Dimensions

• FortiLog-100: 38 x 17 x 31 cm

• FortiLog-400: 54 x 33 x 44 cm

• FortiLog-800: 78 x 65 x 25 cm

Weight

• FortiLog-100: 2.5 kg

• FortiLog-400: 11 kg

• FortiLog-800:14 kg

16 05-16000-0082-20050115 Fortinet Inc.

Setting up the FortiLog unit Planning the installation

Power requirements

• FortiLog-100

• AC input voltage: 100 to 240 VAC

• AC input current: 1.0 A

• Frequency: 47 to 63 Hz

• FortiLog-400 and 800

• AC input voltage: 115 to 230 VAC

• AC input current: 4 to 2 A

• Frequency: 47 to 63 Hz

Environmental specifications

• Operating temperature: 41 to 95°F (5 to 35°C) If you install the FortiLog unit in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient temperature. Therefore, make sure to install the equipment in an

environment compatible with the manufacturer's maximum rated ambient temperature.

• Storage temperature: -4 to 176°F (-20 to 80°C)

• Humidity: 10 to 90% non-condensing

Air flow

• For rack installation, make sure that the amount of air flow required for safe operation of the equipment is not compromised.

• For free-standing installation, make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.

Mechanical loading

For rack installation, ensure an even mechanical loading of the FortiLog unit to avoid a hazardous condition.

Planning the installation

You can add the FortiLog unit to your local network to receive log messages from your local FortiGate and FortiMail devices or act as a NAS server.

You can also connect the FortiLog unit to devices remotely through the Internet.

To connect the FortiLog unit to devices remotely, you must configure the DNS server and the default gateway.

To manage the FortiLog unit, you can use a computer within the local network or over the Internet.

FortiLog Administration Guide 05-16000-0082-20050115 17

Connecting the FortiLog unit Setting up the FortiLog unit

Figure 6: FortiLog connection option

Internal Network

FortiLog unit

Management PC

Connecting the FortiLog unit

You can install the FortiLog unit as a free-standing appliance on any stable surface. You can mount the FortiLog-800 unit in a standard 19-inch rack. It requires 1 U of

vertical space in the rack.

FortiMail unit

CONSOLE

FortiGate units

PWE

Esc Enter

FortiGate unit

Esc Enter

Management P

Internet

Esc Enter Esc Enter

FortiGate unit

Esc Enter

FortiGate unit

To connect the FortiLog unit to the network 1 Place the unit on a stable surface. 2 If you have a FortiLog-800 unit, you can also mount it in a 19-inch rack. The units

require 1.5 inches (3.75 cm) clearance on each side to allow for cooling.

3 Make sure the power of the unit is turned off. 4 Connect the network cable to the LAN interface. 5 Connect the power cable to a power outlet. 6 Turn on the power switch.

18 05-16000-0082-20050115 Fortinet Inc.

Setting up the FortiLog unit Configuring the FortiLog unit

Configuring the FortiLog unit

Use the web-based manager or the Command Line Interface (CLI) to configure the FortiLog unit

IP address, netmask, DNS server IP address, and default gateway IP address.

Table 2: Factory defaults

Administrator account

LAN

User name: admin Password: (none) IP: 192.168.1.99 Netmask: 255.255.255.0 Management Access: HTTPS, Ping

Using the web-based manager

The web-based manager provides a GUI interface to configure and administer the

FortiLog unit. The web-based manager has a similar look and feel as the FortiGate 2.8

family.

You can use the web-based manager to configure most FortiLog settings. You can

also use the web-based manager to monitor the status of the FortiLog unit, administer

users, groups and set access rights.The web-based manager has a similar look and

feel as a FortiGate 2.8 web-based manager.

Using a secure HTTPS connection from any computer running Internet Explorer, you

can configure and manage the FortiLog unit.

Configuration changes made using the web-based manager are effective immediately

without resetting the firewall or interrupting service. Once you are satisfied with a

configuration, you can download and save it. You can restore the saved configuration

at any time.

For all the three FortiLog models, use the following procedure to connect to the

web-based manager for the first time.

To connect to the web-based manager, you need:

• An Ethernet connection between the FortiLog unit and management computer.

• Internet Explorer version 4.0 or higher on the management computer.

To connect to the web-based manager 1 Connect the LAN interface of the FortiLog unit to the Ethernet port of the management

computer. 2 Use a cross-over Ethernet cable to connect the devices directly. Use straight-through

Ethernet cables to connect the devices through a hub or switch. 3 Configure the management computer to be on the same subnet as the FortiLog LAN

interface. 4 To do this, change the IP address of the management computer to 192.168.1.2 and

the netmask to 255.255.255.0. 5 To access the FortiLog web-based manager, start Internet Explorer and browse to

https://192.168.1.99 (remember to include the “s” in https://).

FortiLog Administration Guide 05-16000-0082-20050115 19

Configuring the FortiLog unit Setting up the FortiLog unit

6 Type admin in the Name field and select Login.

After connecting to the Web-based manager, you can configure the FortiLog unit IP

address, DNS server IP address, and default gateway to connect the FortiLog unit to

the network.

To configure the FortiLog unit using the web-based manager 1 In the web-based manager, go to System > Config > Network. 2 Enter the IP address, netmask, primary DNS server IP address, secondary DNS

server IP address (optional), and the default gateway IP address if the FortiLog unit

connects to the Internet.

Using the command line interface

You can use a terminal emulation software to connect to the command line interface

(CLI) from any network that is connected to the FortiLog unit, including the Internet.

This applies to all FortiLog models.

You can also access the FortiLog-800 CLI by using the null-modem cable provided to

connect to the unit’s console port.

The CLI supports the same configuration and monitoring functionality as the

web-based manager. In addition, you can use the CLI for advanced configuration

options that are not available from the web-based manager.

To connect to the FortiLog-800 unit 1 Use a null modem cable to connect the FortiLog-800 serial port to the management

computer serial port. 2 Start a terminal emulation program (such as HyperTerminal) on the management

computer. Use these settings:

• Baud Rate (bps) 9600

• Data bits 8,

• Parity None

• Stop bits 1

• Flow Control None.

3 At the login: prompt, type admin and press Enter twice. 4 (The

1 Set the IP address and netmask of the LAN interface:

2 Confirm that the address is correct:

prompt is preceded by the server IP address.)

After connecting to the CLI, you can configure the FortiLog-800 unit IP address, DNS

server IP address, and default gateway to connect the FortiLog-800 unit to the

network.

To configure the FortiLog unit using the CLI

set system interface port1 mode static ip <IP_address>

get system interface

20 05-16000-0082-20050115 Fortinet Inc.

Setting up the FortiLog unit Configuring the FortiLog unit

3 Set the primary DNS server IP address:

set system dns primary <IP_address>

4 Optionally set the secondary DNS server IP address:

set system dns secondary <IP_address>

5 Set the default gateway:

set system route number <route_no> dst 0.0.0.0 0.0.0.0 gw1

<gw_ip>

Using the front panel buttons and LCD

You can use the front panel buttons to set up the FortiLog unit’s IP address, netmask,

and default gateway.

FortiLog Administration Guide 05-16000-0082-20050115 21

Configuring the FortiLog unit Setting up the FortiLog unit

22 05-16000-0082-20050115 Fortinet Inc.

FortiLog Administration Guide Version 1.6

Connecting to the FortiLog Unit

In order for FortiLog to receive log files, you need to configure the FortiGate, FortiMail

or syslog devices to send log files to the FortiLog unit. You also need to configure the

FortiLog unit to accept the log files from these devices.

This chapter explains how to set up your devices to send log files to the FortiLog unit

running in Active mode. If you are using the FortiLog device in Passive mode, you do

not have to read this chapter.

This chapter includes:

• Sending device logs to the FortiLog unit

• Configuring the FortiLog unit

Sending device logs to the FortiLog unit

When running in Active mode, the FortiLog unit collects log files from FortiGate,

FortiMail and syslog devices and uses those logs to generate detailed reports. Before

this can occur, you need to configure the devices to send the log files to the FortiLog

unit. You also need to configure the FortiLog unit to receive the log files.

Configuring FortiGate unit running FortiOS 2.8

To configure the FortiGate unit to send log files to the FortiLog unit 1 Log on to the FortiGate unit. 2 Go to Log&Report > Log Config. 3 Select FortiLog. 4 Select the blue arrow beside the FortiLog selection.

FortiLog Administration Guide 05-16000-0082-20050115 23

Sending device logs to the FortiLog unit Connecting to the FortiLog Unit

Figure 7: FortiGate 2.8 log settings

5 Enter the IP address of the FortiLog unit. 6 Set the level that the FortiGate unit logs messages to the FortiLog unit.

The FortiGate unit logs all messages at and above the logging severity you select. For

example, if you select Error, the device logs Error, Critical, Alert and Emergency level

messages. For a list of severity levels, see “Log policy” on page 45. 7 Select Enable encryption to send the log files through an IPsec connection.

If you choose to send encrypted log files:

• Enter a Local ID for the FortiGate unit. Use an ID that represents the FortiGate unit. For example, FGT-500A. You will use this entry on the FortiLog unit as the device name when registering the FortiGate unit.

• Enter an encryption key. You must also specify the identical value on the FortiLog unit. For security reasons, the encryption key should be more than six characters in length and contain a mixture of alpha and numeric characters.

Configuring FortiGate devices running FortiOS 2.5

If your FortiGate unit is running with FortiOS version 2.5, use the following procedure to configure the FortiGate unit to record log messages on a remote system.

To configure the FortiGate unit to send log files to the FortiLog unit

1 Go to Log&Report > Log Setting.

24 05-16000-0082-20050115 Fortinet Inc.

Connecting to the FortiLog Unit Sending device logs to the FortiLog unit

Figure 8: FortiGate 2.5 Log settings

2 Select Log to Remote Host to send the logs to a syslog server. 3 Enter the IP address of the FortiLog unit. 4 Enter the port number of the FortiLog unit. 5 Select the severity level for which you want to record log messages.

The FortiGate device logs all messages at and above the logging severity you select. For example, if you select Error, the device logs Error, Critical, Alert and Emergency level messages. For a list of severity levels, see “Log policy” on page 45.

6 Select Config Policy to select log types and activities. 7 Select Apply.

Configuring FortiMail devices

To configure a FortiMail device to send log files to a FortiLog unit 1 On the FortiMail web-based manager, go to Log&Report > Log Setting. 2 Select the Log to Remote Host check box. 3 Enter the FortiLog IP address. 4 Select the severity level for which you want to record log messages.

The FortiMail device logs all messages at and above the logging severity you select.

For example, if you select Error, the device logs Error, Critical, Alert and Emergency

level messages. For a list of severity levels, see “Log policy” on page 45. 5 Select Config Policy.

• Select the Log type for which you want the FortiMail Server to record logs.

• For each Log type, select the activities for which you want the FortiMail Server to record log messages.

6 Select OK. 7 Select Apply.

FortiLog Administration Guide 05-16000-0082-20050115 25

Configuring the FortiLog unit Connecting to the FortiLog Unit

Configuring the FortiLog unit

When you configure a device to send logs to the FortiLog unit, an entry for the device appears automatically in the Unregistered Devices tab.

Adding a device

The Devices screen provides a easy access to all devices currently sending log files to the FortiLog unit. It also provides a way to add unregistered or other new devices to the FortiLog unit so it can receive log files.

Figure 9: FortiLog device tabs

All Displays all registered devices available to the FortiLog unit. Groups Displays the groups available. You can also edit, delete and create new

Unregistered Displays a list of unregistered devices available to the FortiLog unit. This

Device tabs A tab is available for each device supported by the FortiLog unit.

To add a device

1 For a FortiGate device, go to System > Devices > Unregistered.

For devices that are not automatically registered, such as a syslog server, select the device tab and select Create New.

2 In the Register column, select Add for the device you wish to add.

Figure 10: Adding/registering a new device to the FortiLog unit

groups from this tab.

does not indicate that a FortiGate device is not registered with Fortinet.

26 05-16000-0082-20050115 Fortinet Inc.

Connecting to the FortiLog Unit Configuring the FortiLog unit

3 Enter a device name.

For a FortiGate device, this is the same entry as entered as the Local ID set in the Log&Config settings for FortiLog. For example, FGT-500A.

4 Select a group to add the device to if desired. For details on creating a group see

“Creating Device Groups” on page 28.

5 For Secure Connection, select Yes.

If you select secure connection between the FortiLog unit and the FortiGate unit, the device name must match the local ID you entered on the FortiGate unit. For information about how to configure the FortiGate unit, see “Configuring FortiGate unit

running FortiOS 2.8” and “Configuring FortiGate devices running FortiOS 2.5” on page 24.

6 If you select Secure connection, enter the Pre-shared Key. The preshared key must

be the same as what you entered on the device. You must enter the key in the exact same way including upper and lower case.

7 Enter the Allocated Disk Space. Set disk quota from 0 to 4000 MB. A disk quota of 0 is

unlimited.

8 Enter the size limit for the log files.

9 For Max Logfile Age, enter the time limit for the FortiLog unit to keep the log files.

10 Select what the FortiLog unit should do when the allocated disk space for the

FortiGate device is used up.

11 When adding a FortiGate unit, expand the device Interface Specification to set the

default port settings for the device.

Define the port interface options using the arrow buttons. For details on port interface settings see “Defining device port interfaces” on page 27.

If you want to add a VLAN or other interface, type the name of the interface and select Add.

12 Select Apply.

Defining device port interfaces

FortiLog Network activity log reports include information on inbound and outbound traffic flow. Traffic flow information is based on the source and destination interfaces of the device and how they are configured to send and receive information.

To ensure that the traffic information is represented correctly in these reports, you need to assign the FortiGate interfaces to an interface type. The device interface can include an interface name or a defined VLAN on the device.

FortiLog Administration Guide 05-16000-0082-20050115 27

Configuring the FortiLog unit Connecting to the FortiLog Unit

You can classify the device interfaces as one of None, LAN, WAN or DMZ to match the type of traffic the interface will process. When the FortiLog unit generates the traffic log report, the FortiLog unit compares the source and destination interface classifications and determines the traffic direction. The traffic direction is one of:

• Incoming

• Outgoing

• Internal

• External

• Unclassified.

The table below illustrates how the source and destination interface types are represented in the log report as traffic direction.

Table 3: Log report traffic direction identification

Source Destination Traffic Direction

None All types Unclassified All types None Unclassified WAN LAN, DMZ Incoming WAN WAN External LAN, DMZ LAN, DMZ Internal LAN, DMZ WAN Outgoing

Creating Device Groups

if you have a number of devices belonging to a department or section of the company, you can create groups to keep these devices together for easier access. Once you create a group you can add or remove devices from the groups as required.

To create a device group

1 Go to System > Devices > Groups.

2 Select Create New.

3 Enter a group name.

4 Select the devices you wish to add to the group.

5 Select OK.

You do not have to add device to the group when you first create the group. There are a number of alternate ways of adding a device to a group:

• add devices when registering them

• select Edit to add or remove devices when required.

• In the selected devices tab, select the device and select Assign Selected.

28 05-16000-0082-20050115 Fortinet Inc.

FortiLog Administration Guide Version 1.6

Managing the FortiLog unit

Using the FortiLog system settings, you can view the operating status of the FortiLog unit and configure the FortiLog unit for your network. You can also use system settings to configure RAID (Redundant Arrays of Inexpensive Disks) settings for the FortiLog unit (for the FortiLog-400 and FortiLog-800), set email alerts and set system time. This chapter includes topics on:

• Status

• Config

• Devices (Active mode)

• Alert Email

• Network Sharing

Status

Use system status pages to view and monitor the status of the FortiLog unit. The status information includes basic system information, alerts information, CPU usage, memory usage, hard disk usage and network utilization, RAID information (for the FortiLog-400 and FortiLog-800), and a list of all of the communication sessions with the FortiLog unit.

• Status

• RAID

• Config

You can connect to the web-based manager and view the current system status of the FortiLog unit. The status information displays basic system information such as the host name, firmware version, and serial number of the FortiLog unit.

FortiLog Administration Guide 05-16000-0082-20050115 29

Status Managing the FortiLog unit

Figure 11: System status (Active mode)

Automatic Refresh Interval

Go Select to set the selected automatic refresh interval. Refresh Select to manually update the system status display. Alerts Provides immediate information on any system alerts from connected

Notifications Select Password to change the password for administrative access. See

Up time The time in days, hours, and minutes since the FortiLog unit was last

System Time The current time according to the FortiLog unit internal clock. Log Hard Disk The current RAID status. Select Intact to set automatic refresh interval and

Host Name The current host name of the FortiLog unit. See “Changing the FortiLog

Operating Mode The current mode for the FortiLog unit. The mode is either Active or

Firmware version The current FortiLog firmware version. To upgrade the firmware, see

Serial number The serial number of the FortiLog unit. The serial number is a unique

System Settings Backup and restore system settings. See “Backing up system settings” on

Reports Status List the generated log reports, log reports being generated, and the

Select to control how often the web-based manager updates the system status display.

devices. Select More when available to view the details of the alerts for the FortiLog unit and connected devices. For details on the alert messages see “Alerts” on page 54.

“To change the admin account password” on page 49.

started.

view the detailed log device configuration and status information. See

“RAID” on page 41.

host name” on page 31.

Passive. For details on the different modes see “Operational Modes” on

page 8. To change the operating mode for the FortiLog unit, see “To change the operating mode in the CLI” on page 31.

“Changing the firmware” on page 32.

identifier for the FortiLog unit and is required when you register the FortiLog unit.

page 39 and “Restoring system settings” on page 40. Restore system

settings to factory defaults, “Restore factory default system settings” on

page 40. You can also download a debug log, see “Downlading the FortiLog debug log” on page 39.

scheduled time to generate next log report.

30 05-16000-0082-20050115 Fortinet Inc.

+ 94 hidden pages

Fortinet FortiLog-400, FortiLog-800, FortiLog-100 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Table of Contents

Introduction

Operational Modes

Active Mode

Passive Mode

About this guide

FortiLog documentation

Related documentation

FortiGate documentation

FortiManager documentation

FortiClient documentation

FortiMail documentation

Fortinet Knowledge Center

Comments on Fortinet technical documentation

Customer service and technical support

Setting up the FortiLog unit

Checking the package contents

Hardware specifications

Dimensions

Weight

Power requirements

Environmental specifications

Air flow

Mechanical loading

Planning the installation

Connecting the FortiLog unit

Configuring the FortiLog unit

Using the web-based manager

Using the command line interface

Using the front panel buttons and LCD

Connecting to the FortiLog Unit

Sending device logs to the FortiLog unit

Configuring FortiGate unit running FortiOS 2.8

Configuring FortiGate devices running FortiOS 2.5

Configuring FortiMail devices

Configuring the FortiLog unit

Adding a device

Defining device port interfaces

Creating Device Groups

Managing the FortiLog unit

Status

Status