Network Analyzer | Fortinet 3.0 MR7 instruction


Network Analyzer	Connecting the FortiAnalyzer unit to analyze network traffic

Network Analyzer

Network Analyzer can be used as an enhanced local network traffic sniffer to diagnose areas of the network where firewall policies may require adjustment, or where traffic anomalies occur.

Network Analyzer logs all traffic seen by the interface for which it is enabled. If that network interface is connected to the span port of a switch, observed traffic will include all traffic sent through the switch by other hosts. You can then locate traffic which should be blocked, or which contains other anomalies.

All captured traffic information is saved to the FortiAnalyzer hard disk. You can then display this traffic information directly, search it, or generate reports from it.

This section describes how to enable and view traffic captured by the Network Analyzer. It also describes Network Analyzer log storage configuration options.

Network Analyzer is not visible in Tools > Network Analyzer until enabled in the CLI. To enable Network Analyzer, access the CLI and enter the commands:

config log settings

set enable_analyzer yes

end

If you are currently logged in to the web-based manager when enabling or disabling Network Analyzer, you must log out and then log in again for the menu changes to take effect.

This section includes the following topics:

•Connecting the FortiAnalyzer unit to analyze network traffic

•Viewing Network Analyzer log messages

•Browsing Network Analyzer log files

•Customizing the Network Analyzer log view

•Searching the Network Analyzer logs

•Rolling and uploading Network Analyzer logs

Note: Network Analyzer available all FortiAnalzyer units except the FortiAnalyzer-100.

Connecting the FortiAnalyzer unit to analyze network traffic

You usually first connect the FortiAnalyzer unit to the span (or mirroring) port of an Ethernet switch to sniff traffic with the FortiAnalyzer unit,. Both the management and sniffing ports can be connected to the same switch.

FortiAnalyzer Version 3.0 MR7 Administration Guide
05-30007-0082-20080908	141

Image 151

Fortinet 3.0 MR7 manual Network Analyzer, Config log settings Set enableanalyzer yes End

Contents

M I N I S T R a T I O N G U I D E Regulatory compliance TrademarksFCC Class a Part 15 CSA/CUS Contents Adding a route Radius Server Administrator SettingsViewing session information Filtering session information Log Receive Monitor Intrusion Activity Device Content Archive 107Log Network Analyzer 141 Reports 113Quarantine 131 Alert 133 Managing firmware versions 169 Tools 157 Index 213 Appendix FortiAnalyzer reports in 3.0 MR7 185 About this document Introduction Fortinet documentation Describes how to install and set up the FortiAnalyzer unit Comments on Fortinet technical documentation Customer service and technical supportFortinet Tools and Documentation CD Fortinet Knowledge Center Customer service and technical support High-end FortiAnalyzer units support additional What’s new for 3.0 MR7 FortiAnalyzerVersion 3.0 MR7 Administration Guide CLI displays the tasks in the upload queue MR7 new features and changesPower supply monitoring for FortiAnlayzer-2000A and 4000A Registered devices’ hard limits Reports Report configuration enhancementsConfig log settings Set custom-field1-5 Custom fields for log messages All other reports, for example VoIP reportsReportHeadquarters-2008-05-26-1030 Alert email configuration changes About administrative domains ADOMs Administrative Domains ADOMs About administrative domains ADOMs FortiAnalyzer Model Number of Administrative Domains Enable Admin Domain Configuration Select OK Message appears Configuring ADOMsTo enable ADOMs Go to System Admin Settings Select OK FortiAnalyzer unit logs you out To disable ADOMsGo to Global Configuration System Admin Settings To add or edit an Adom To assign an administrator to an Adom Accessing ADOMs as the admin administratorAssigning administrators to an Adom To access an Adom Dashboard SystemSystem Information To refresh a Dashboard widget Go to System Dashboard To rearrange a Dashboard widget Go to System Dashboard To add a tab Go to System Dashboard TabsTo include a Dashboard widget Go to System Dashboard To omit a Dashboard widget Go to System Dashboard To delete a tab Go to System Dashboard Double-click on the name of the tab and select the X symbolRAID Monitor Enter a new name and press Enter Rebuilding icon System Information 05-30007-0082-20080908 Setting the time To change the host name Go to System Dashboard Changing the host nameChanging the firmware License Information Memory Usage System ResourcesViewing operational history RVS Plug-ins Device License Systems Operations area, select Format Log Disks Select OK System OperationFormatting the log disks To format the log disks Go to System Dashboard To view alert console messages Go to System Dashboard Resetting to the default configurationAlert Message Console Viewing alert console messages Connections StatisticsViewing session information Select the delete icon Statistics area, next to Connections, select Details Filtering session informationReport Engine To view the session information Go to System Dashboard Period Log Receive MonitorType Top N Virus Activity Intrusion ActivityDisplay by Virus Activity widget Top FTP Traffic Top Email Traffic, select Edit Top Email Traffic Top IM/P2P Traffic, select Edit in the title bar area Top IM/P2P Traffic To edit information for Top Traffic Go to System Dashboard Top TrafficTop Traffic, select Edit in the title bar area Top Web Traffic, select Edit Top Web Traffic Interface Network Modify Changing interface settingsAdministrative Status Enter an IP address for a primary and secondary DNS server To configure DNS settings Go to System Network DNSAbout Fortinet Discovery Protocol Routing To add a static route Go to System Network Routing AdminSelect Create New Configure the following options Adding a route Adding or editing an administrator account Admin Domain Changing an administrator’s passwordAccess Profile Access Profile Read Only To add a group Go to System Admin Auth GroupAuth Group None Radius Server Administrator SettingsTo add a Radius server Go to System Admin Radius Server Select Create New Configure the following and select OK To add a user account Go to System Network Sharing User Network SharingMonitor Adding share users Adding share groups Configuring Windows sharesTo add a user group Go to System Network Sharing Group Permissions Assigning user permissions Remote Clients Configuring NFS shares Default file permissions on NFS shares ConfigAutomatic file deletion and local log settings Log Level Allocated Disk Space MB FortiAnalyzer unit log settings Log Locally Configuring log aggregation FortiAnalyzer-4000/4000A FortiAnalyzer-400FortiAnalyzer-800/800B FortiAnalyzer-2000/2000A To forward log events Go to System Config Log Forwarding Configuring an aggregation clientConfiguring an aggregation server Configuring log forwarding To import the alias file Go to System Config IP Alias Configuring IP aliasesTo add an IP alias Go to System Config IP Alias To edit an IP alias Go to System Config IP Alias IP alias ranges Configuring RAIDRAID levels RAID Linear RAID 5 with hot spare Hot swapping hard disks FortiAnalyzer-800/800B disk drive configuration FortiAnalyzer-400 disk drive configuration FortiAnalyzer-2000/2000A disk drive configuration To swap a hard disk Go to System Config RAIDFortiAnalyzer-4000 disk drive configuration Level 1 Configuring RAID on the FortiAnalyzer-400As well as from System Config RAID FortiAnalyzer-800/800B Size GB Configuring Ldap connections Select Create New. Complete the following To define an Ldap server query Go to System Config Ldap Backup & Restore MaintenanceBackup Back up the current configuration FortiGuard Center 10.10.1.108889 Daily UpdateScheduled Every Maintenance Viewing the device list Device Hardware Add DeviceShow Unregistered Device Options Action Secure Connection Disk Space MB Used/Allocated To delete a device Go to Device All Device Maximum number of devices Unregistered vs. registered devices Configuring unregistered device connection attempt handling Or the following options for unknown device types Manually adding a device Member IDs Device NameDevice ID Mode Group Membership FortiGate Interface Specification When Allocated Disk Space is All Used Devices Privileges Classifying FortiGate network interfaces For more information, see Manually adding a device on Configure the FortiGate device On the FortiAnalyzer unit, go to Device All To enable the FortiAnalyzer unit to reply to FDP packetsGo to System Network Hardware Model Blocking device connection attempts To block a device Go to Device All Device Configuring device groupsTo unblock a device Go to Device All Blocked Device Members To configure a device group Go to Device Group Device GroupTo delete a device group Go to Device Group Device Group Group Name Viewing log messages LogViewing current log messages Viewing historical log messages Column Settings To view historical logs Go to Log Log Viewer Historical Browsing log filesImport Viewing log file contents To import a log file Go to Log Browse Importing a log file Convert to CSV format Compress with gzip Downloading a log fileTo download a whole log file Go to Log Browse To download a partial log file Go to Log Browse To display logs in Raw or Formatted view Select Download Current View Configure the followingCustomizing the log view Displaying and arranging log columns To display or hide columns Filtering logsTo change the order of the columns To disable a filter To filter log messages by column contentsFiltering tips 101 Searching the logs From Searching the logs To search the logs Go to Log Search Search tips103 Printing the search results 192.168.* action=loginDownloading the search results To download log search results Go to Log Search Rolling and uploading logs105 Username ExceedNot exceeded Server IP address 107 108 Viewing content archives Content Archive Printable Version Delete associated content archive files View per page Page n of n Column SettingsTimeframe 109 Customizing the content archive view Filter icons in the content logs 111 Searching full email content archives 113 Last activity 114 Reports Configuring reports Configuring report layout Name Enter a name for the report Description To configure a report layout Go to Report Config Layout115 Header Logo Title Page LogoCategory 117 Editing charts in a report layout Maximum Entries Top N Time Scale Advanced To edit a chart 119 Configuring report schedulesTo edit text To edit section Schedule To configure a report schedule Go to Report ScheduleSchedule Name Report layout Name 121 Log Data FilteringData Filter Time Period Data filter templates Configuring data filter templates Sources Filter logic123 Day of the Week DestinationsInterfaces Policy IDs 125 Configuring report output templates Output template FTP/SFTP/SCP Server Action 127 Nomatch=No matching log data for this report Configuring language # Localization uses a Latin character set Comment is129 Font Languages Save the format file Language file error messages Error message Description131 Browsing reports 133 134 See QuarantineViewing quarantined files Quarantined files for a specific device Status Description ServiceDate & Time Checksum Alert Events AlertTriggers To add a new alert event Go to Alert Alert Event Adding an alert event Add Configuring alerts by email serverOutput To Email Address Smtp Server Testing the mail server configurationConfiguring Snmp traps and alerts Enable 137 FortiAnalyzer Snmp support Adding an Snmp server Fortinet MIB VPN Traps Fortinet MIB Administrator AccountsFortinet MIB System Traps Fortinet MIB Logging Traps RFC-2665 Ethernet-like MIB Configuring alerts by Syslog serverAdding a Syslog server RFC-1213 MIB 141 Configure the following options, and select OK 142 Network Analyzer Config log settings Set enableanalyzer yes End Example network topology for Network Analyzer use Viewing current Network Analyzer log messages Viewing Network Analyzer log messages143 Viewing historical Network Analyzer log messages Protocol Protocol used when sending the traffic Message Browsing Network Analyzer log files Viewing Network Analyzer log file contents Printable Version Download Current View Resolve Service View n per page Page n of n Column Settings 147 Downloading a Network Analyzer log file Displaying and arranging Network Analyzer log columns Customizing the Network Analyzer log view 149 Filter icons in Network Analyzer 150 Full Search Searching the Network Analyzer logsKeywords Quick Search Other To search the logs Go to Tools Network Analyzer Search 153 172.20.120.127 tcp Select the download options that you want, then select OK Rolling and uploading Network Analyzer logs 155 Log file should be rolled... even if size is not exceeded Select the protocol to use when uploading to the server Preparing for the vulnerability scan job Tools157 Preparing Windows target hosts 159 To enable NetBIOS Go to Start Control Panel Preparing Unix target hosts Viewing vulnerability scan modules161 Vulnerability Scan modules View modules with severity Details Configuring vulnerability scan jobs163 Target Job Name Quick Scan Remote Authentication User NameSelect Create New Complete the following Scan Targets Email Attachment File outputEmail Body 167 Viewing vulnerability scan reports End Time File ExplorerFormats 169 File Explorer with Storage directory expanded 170 Managing firmware versions Backing up your configuration Execute backup config filename addressip passwd Backing up your configuration using the web-based managerBacking up your configuration using the CLI To back up your configuration file using the CLI 171 Press any key to display configuration menu… Testing firmware before upgradingTo test the firmware image before upgrading 173 Enter Tftp server addressEnter Local Address Enter firmware image file name image.out Only Upgrading using the web-based managerUpgrading your FortiAnalyzer unit Upgrading to FortiAnalyzer Execute restore image namestr tftpip4 Upgrading using the CLITo upgrade to FortiAnalyzer 3.0 using the web-based manager To upgrade to FortiAnalyzer 3.0 using the CLI Get system status Verifying the upgrade 177 Reverting to a previous firmware versionDowngrading to FortiLog Select OK Following message appears Execute restore image tftp image.out Downgrading to FortiLog 1.6 using the CLITo downgrade using the CLI Execute restore image tftp namestr tftpipv4 179 Execute reboot Restoring your configurationRestoring configuration settings on a FortiAnalyzer unit To restore a firmware image to the FortiAnalyzer unit 181 When this message appearsPress any key to display configuration menu Enter File Name image.out Execute restore config confall 192.168.1.168 ghrffdt123 Restoring your configuration settings using the CLITo restore configuration settings using the CLI Execute restore config namestr tftpipv4 passwrd 183 184 FortiGate reports Appendix FortiAnalyzer reports in 3.0 MR7185 Intrusion Activity reports MR6 reports MR7 reports Antivirus ActivityAntivirus Activity reports MR6 reports MR7 reports 187 Antivirus Activity reports Top Virus Destinations over POP3 WebFilter Activity reports MR6 reports MR7 reports Webfilter Activity189 WebFilter Activity reports Antispam ActivityAntispam Activity reports MR6 reports MR7 reports 191 IM ActivityAntispam Activity reports IM reports MR6 reports MR7 reports VoIP reports MR7 reports IM reports VoIP reports Content Activity193 Network Activity Content Activity reports MR6 reports MR7 reportsNetwork Activity reports MR6 reports MR7 reports Network Activity reports Web Activity195 FTP Activity Mail ActivityReport, Top Mail Servers Connections remains unchanged Terminal Activity reports MR6 reports MR7 reports Terminal ActivityVPN Activity FTP Activity reports VPN Activity reports MR6 reports MR7 reports Event ActivityEvent Activity reports MR6 reports MR7 reports P2P Activity reports MR6 reports MR7 reports P2P ActivityReport, Top Event Categories by Status, was removed Event Activity reports P2P Activity reports Audit Activity 201 Summary Reports Report, Top Client Requests to Permitted Sites, was removed Forensic ReportsAudit Detailed 203 FortiMail ReportsSummary Mail High Level Mail High Level reports Mail Sender reports MR6 reports MR7 reports Mail Sender205 Mail Recipient Activity reports MR6 reports MR7 reports Mail Recipient ActivityMail Destination IP Mail Sender reports 207 Spam SenderMail Destination IP reports MR6 reports MR7 reports Spam Sender reports MR6 reports MR7 reports Spam Sender reports Spam RecipientSpam Recipient reports MR6 reports MR7 reports Spam Destination IP reports MR6 reports MR7 reports Spam Destination IPVirus Sender Spam Recipient reports Virus Sender reports MR6 reports MR7 reports 211 Virus RecipientVirus Sender reports Virus Recipient reports MR6 reports MR7 reports Virus Destination IP FortiClient Reports 213 Index FDN 215 FTP Mail server 135 Main Menu 20 managing firmware 217 RFC See also protocol test 219 Index FortiAnalyzer Version 3.0 MR7 Administration Guide