Fortinet 3.0 MR7 specification

Connecting the FortiAnalyzer unit to analyze network traffic

Network Analyzer

Figure 1: Example network topology for Network Analyzer use

Internal network

Hub or switch

Internet

Span/mirror

port is connected

to Network Analyzer port

To connect the FortiAnalyzer unit for use with Network Analyzer

1Connect an Ethernet cable to a port on the FortiAnalyzer unit other than the port used to collect device logs.

For example, if you receive logs and quarantined files on port 1, you might use Network Analyzer on port 2. Using a separate port for sniffing prevents log and quarantine traffic from cluttering Network Analyzer messages, and enables you to analyze networks without tampering with network settings related to normal logging and quarantine activity.

2Connect the other end of the Ethernet cable to the span or mirroring port of an Ethernet switch.

If connected to the span or mirror port of a switch, Network Analyzer will be able to observe all traffic passing through the switch.

3In the CLI, enable Network Analyzer on the port where you attached the Ethernet cable by entering the commands:

config log settings

set enable_analyzer yes

end

If you are currently logged in to the web-based manager when enabling or disabling Network Analyzer, you must log out and then log in again for the menu changes to take effect.

4In the web-based manager, go to System > Network > Interface.

5If the interface you will use with Network Analyzer is currently down, select Bring Up to enable it.

6Select Modify for the interface you will use with Network Analyzer.

7Enter the IP/Netmask.

8Select OK.

You can now configure Network Analyzer settings in Tools > Network Analyzer > Config.

	FortiAnalyzer Version 3.0 MR7 Administration Guide
142	05-30007-0082-20080908

Image 152

Fortinet 3.0 MR7 manual Example network topology for Network Analyzer use

Contents

M I N I S T R a T I O N G U I D E FCC Class a Part 15 CSA/CUS TrademarksRegulatory compliance Contents Radius Server Administrator Settings Viewing session information Filtering session informationLog Receive Monitor Intrusion Activity Adding a route Log Content Archive 107Device Reports 113 Quarantine 131Alert 133 Network Analyzer 141 Tools 157 Managing firmware versions 169 Appendix FortiAnalyzer reports in 3.0 MR7 185 Index 213 Introduction About this document Describes how to install and set up the FortiAnalyzer unit Fortinet documentation Customer service and technical support Fortinet Tools and Documentation CDFortinet Knowledge Center Comments on Fortinet technical documentation Customer service and technical support What’s new for 3.0 MR7 High-end FortiAnalyzer units support additional FortiAnalyzerVersion 3.0 MR7 Administration Guide MR7 new features and changes Power supply monitoring for FortiAnlayzer-2000A and 4000ARegistered devices’ hard limits CLI displays the tasks in the upload queue Report configuration enhancements Config log settings Set custom-field1-5Custom fields for log messages Reports ReportHeadquarters-2008-05-26-1030 VoIP reportsAll other reports, for example Alert email configuration changes Administrative Domains ADOMs About administrative domains ADOMs About administrative domains ADOMs FortiAnalyzer Model Number of Administrative Domains Configuring ADOMs To enable ADOMsGo to System Admin Settings Enable Admin Domain Configuration Select OK Message appears To disable ADOMs Go to Global Configuration System Admin SettingsTo add or edit an Adom Select OK FortiAnalyzer unit logs you out Accessing ADOMs as the admin administrator Assigning administrators to an AdomTo access an Adom To assign an administrator to an Adom System Information SystemDashboard To rearrange a Dashboard widget Go to System Dashboard To refresh a Dashboard widget Go to System Dashboard Tabs To include a Dashboard widget Go to System DashboardTo omit a Dashboard widget Go to System Dashboard To add a tab Go to System Dashboard Double-click on the name of the tab and select the X symbol RAID MonitorEnter a new name and press Enter To delete a tab Go to System Dashboard System Information Rebuilding icon Setting the time 05-30007-0082-20080908 Changing the host name Changing the firmwareLicense Information To change the host name Go to System Dashboard System Resources Viewing operational historyRVS Plug-ins Device License Memory Usage System Operation Formatting the log disksTo format the log disks Go to System Dashboard Systems Operations area, select Format Log Disks Select OK Resetting to the default configuration Alert Message ConsoleViewing alert console messages To view alert console messages Go to System Dashboard Statistics Viewing session informationSelect the delete icon Connections Filtering session information Report EngineTo view the session information Go to System Dashboard Statistics area, next to Connections, select Details Log Receive Monitor TypeTop N Period Display by Intrusion ActivityVirus Activity Top FTP Traffic Virus Activity widget Top Email Traffic Top Email Traffic, select Edit Top IM/P2P Traffic Top IM/P2P Traffic, select Edit in the title bar area Top Traffic, select Edit in the title bar area Top TrafficTo edit information for Top Traffic Go to System Dashboard Top Web Traffic Top Web Traffic, select Edit Network Interface Changing interface settings AdministrativeStatus Modify To configure DNS settings Go to System Network DNS About Fortinet Discovery ProtocolRouting Enter an IP address for a primary and secondary DNS server Admin Select Create New Configure the following optionsAdding a route To add a static route Go to System Network Routing Adding or editing an administrator account Changing an administrator’s password Access ProfileAccess Profile Admin Domain To add a group Go to System Admin Auth Group Auth GroupNone Read Only Administrator Settings To add a Radius server Go to System Admin Radius ServerSelect Create New Configure the following and select OK Radius Server Network Sharing MonitorAdding share users To add a user account Go to System Network Sharing User To add a user group Go to System Network Sharing Group Configuring Windows sharesAdding share groups Assigning user permissions Permissions Configuring NFS shares Remote Clients Automatic file deletion and local log settings ConfigDefault file permissions on NFS shares FortiAnalyzer unit log settings Log Locally Log Level Allocated Disk Space MB Configuring log aggregation FortiAnalyzer-400 FortiAnalyzer-800/800BFortiAnalyzer-2000/2000A FortiAnalyzer-4000/4000A Configuring an aggregation client Configuring an aggregation serverConfiguring log forwarding To forward log events Go to System Config Log Forwarding Configuring IP aliases To add an IP alias Go to System Config IP AliasTo edit an IP alias Go to System Config IP Alias To import the alias file Go to System Config IP Alias RAID levels Configuring RAIDIP alias ranges Linear RAID Hot swapping hard disks RAID 5 with hot spare FortiAnalyzer-400 disk drive configuration FortiAnalyzer-800/800B disk drive configuration FortiAnalyzer-4000 disk drive configuration To swap a hard disk Go to System Config RAIDFortiAnalyzer-2000/2000A disk drive configuration Configuring RAID on the FortiAnalyzer-400 As well as from System Config RAIDFortiAnalyzer-800/800B Level 1 Configuring Ldap connections Size GB To define an Ldap server query Go to System Config Ldap Select Create New. Complete the following Backup Back up the current configuration MaintenanceBackup & Restore FortiGuard Center 10.10.1.108889 Update ScheduledEvery Daily Maintenance Device Viewing the device list Add Device ShowUnregistered Device Options Hardware Secure Connection Disk Space MB Used/Allocated Action Maximum number of devices To delete a device Go to Device All Device Unregistered vs. registered devices Configuring unregistered device connection attempt handling Or the following options for unknown device types Manually adding a device Device Name Device IDMode Member IDs When Allocated Disk Space is All Used Devices Privileges Group Membership FortiGate Interface Specification Classifying FortiGate network interfaces Configure the FortiGate device For more information, see Manually adding a device on Go to System Network To enable the FortiAnalyzer unit to reply to FDP packetsOn the FortiAnalyzer unit, go to Device All Blocking device connection attempts Hardware Model To unblock a device Go to Device All Blocked Device Configuring device groupsTo block a device Go to Device All Device To configure a device group Go to Device Group Device Group To delete a device group Go to Device Group Device GroupGroup Name Members Viewing current log messages LogViewing log messages Viewing historical log messages Settings Column Import Browsing log filesTo view historical logs Go to Log Log Viewer Historical Viewing log file contents Importing a log file To import a log file Go to Log Browse Downloading a log file To download a whole log file Go to Log BrowseTo download a partial log file Go to Log Browse Convert to CSV format Compress with gzip Select Download Current View Configure the following Customizing the log viewDisplaying and arranging log columns To display logs in Raw or Formatted view To change the order of the columns Filtering logsTo display or hide columns Filtering tips To filter log messages by column contentsTo disable a filter Searching the logs 101 Searching the logs From 103 Search tipsTo search the logs Go to Log Search Downloading the search results 192.168.* action=loginPrinting the search results 105 Rolling and uploading logsTo download log search results Go to Log Search Exceed Not exceededServer IP address Username 107 108 Content Archive Viewing content archives Timeframe View per page Page n of n Column SettingsPrintable Version Delete associated content archive files Customizing the content archive view 109 Filter icons in the content logs 111 Searching full email content archives Last activity 113 114 Configuring reports Reports Configuring report layout 115 To configure a report layout Go to Report Config LayoutName Enter a name for the report Description Category Title Page LogoHeader Logo Editing charts in a report layout 117 To edit a chart Maximum Entries Top N Time Scale Advanced Configuring report schedules To edit textTo edit section 119 To configure a report schedule Go to Report Schedule Schedule NameReport layout Name Schedule Log Data Filtering Data FilterTime Period 121 Configuring data filter templates Data filter templates 123 Filter logicSources Destinations InterfacesPolicy IDs Day of the Week Configuring report output templates 125 FTP/SFTP/SCP Server Action Output template 127 Configuring language Nomatch=No matching log data for this report 129 Comment is# Localization uses a Latin character set Languages Font 131 Language file error messages Error message DescriptionSave the format file Browsing reports 133 134 Quarantine Viewing quarantined filesQuarantined files for a specific device See Service Date & TimeChecksum Status Description Triggers AlertAlert Events Adding an alert event To add a new alert event Go to Alert Alert Event Configuring alerts by email server OutputTo Email Address Add Testing the mail server configuration Configuring Snmp traps and alertsEnable Smtp Server 137 Adding an Snmp server FortiAnalyzer Snmp support Fortinet MIB Administrator Accounts Fortinet MIB System TrapsFortinet MIB Logging Traps Fortinet MIB VPN Traps Configuring alerts by Syslog server Adding a Syslog serverRFC-1213 MIB RFC-2665 Ethernet-like MIB Configure the following options, and select OK 141 142 Config log settings Set enableanalyzer yes End Network Analyzer Example network topology for Network Analyzer use 143 Viewing Network Analyzer log messagesViewing current Network Analyzer log messages Protocol Protocol used when sending the traffic Message Viewing historical Network Analyzer log messages Viewing Network Analyzer log file contents Browsing Network Analyzer log files Resolve Service View n per page Page n of n Column Settings Printable Version Download Current View Downloading a Network Analyzer log file 147 Customizing the Network Analyzer log view Displaying and arranging Network Analyzer log columns Filter icons in Network Analyzer 149 150 Searching the Network Analyzer logs KeywordsQuick Search Full Search To search the logs Go to Tools Network Analyzer Search Other 172.20.120.127 tcp 153 Rolling and uploading Network Analyzer logs Select the download options that you want, then select OK Log file should be rolled... even if size is not exceeded 155 Select the protocol to use when uploading to the server 157 ToolsPreparing for the vulnerability scan job Preparing Windows target hosts 159 To enable NetBIOS Go to Start Control Panel 161 Viewing vulnerability scan modulesPreparing Unix target hosts Vulnerability Scan modules View modules with severity 163 Configuring vulnerability scan jobsDetails Job Name Target Remote Authentication User Name Select Create New Complete the followingScan Targets Quick Scan Email Body File outputEmail Attachment Viewing vulnerability scan reports 167 Formats File ExplorerEnd Time File Explorer with Storage directory expanded 169 170 Backing up your configuration Managing firmware versions Backing up your configuration using the web-based manager Backing up your configuration using the CLITo back up your configuration file using the CLI Execute backup config filename addressip passwd 171 To test the firmware image before upgrading Testing firmware before upgradingPress any key to display configuration menu… Enter Tftp server address Enter Local AddressEnter firmware image file name image.out 173 Upgrading using the web-based manager Upgrading your FortiAnalyzer unitUpgrading to FortiAnalyzer Only Upgrading using the CLI To upgrade to FortiAnalyzer 3.0 using the web-based managerTo upgrade to FortiAnalyzer 3.0 using the CLI Execute restore image namestr tftpip4 Verifying the upgrade Get system status Reverting to a previous firmware version Downgrading to FortiLogSelect OK Following message appears 177 Downgrading to FortiLog 1.6 using the CLI To downgrade using the CLIExecute restore image tftp namestr tftpipv4 Execute restore image tftp image.out 179 Restoring your configuration Restoring configuration settings on a FortiAnalyzer unitTo restore a firmware image to the FortiAnalyzer unit Execute reboot When this message appears Press any key to display configuration menuEnter File Name image.out 181 Restoring your configuration settings using the CLI To restore configuration settings using the CLIExecute restore config namestr tftpipv4 passwrd Execute restore config confall 192.168.1.168 ghrffdt123 183 184 185 Appendix FortiAnalyzer reports in 3.0 MR7FortiGate reports Antivirus Activity reports MR6 reports MR7 reports Antivirus ActivityIntrusion Activity reports MR6 reports MR7 reports Antivirus Activity reports 187 Top Virus Destinations over POP3 189 Webfilter ActivityWebFilter Activity reports MR6 reports MR7 reports Antispam Activity reports MR6 reports MR7 reports Antispam ActivityWebFilter Activity reports IM Activity Antispam Activity reportsIM reports MR6 reports MR7 reports 191 IM reports VoIP reports MR7 reports 193 Content ActivityVoIP reports Network Activity reports MR6 reports MR7 reports Content Activity reports MR6 reports MR7 reportsNetwork Activity 195 Web ActivityNetwork Activity reports Report, Top Mail Servers Connections remains unchanged Mail ActivityFTP Activity Terminal Activity VPN ActivityFTP Activity reports Terminal Activity reports MR6 reports MR7 reports Event Activity reports MR6 reports MR7 reports Event ActivityVPN Activity reports MR6 reports MR7 reports P2P Activity Report, Top Event Categories by Status, was removedEvent Activity reports P2P Activity reports MR6 reports MR7 reports Audit Activity P2P Activity reports Summary Reports 201 Forensic Reports AuditDetailed Report, Top Client Requests to Permitted Sites, was removed FortiMail Reports SummaryMail High Level 203 Mail High Level reports 205 Mail SenderMail Sender reports MR6 reports MR7 reports Mail Recipient Activity Mail Destination IPMail Sender reports Mail Recipient Activity reports MR6 reports MR7 reports Spam Sender Mail Destination IP reports MR6 reports MR7 reportsSpam Sender reports MR6 reports MR7 reports 207 Spam Recipient reports MR6 reports MR7 reports Spam RecipientSpam Sender reports Spam Destination IP Virus SenderSpam Recipient reports Spam Destination IP reports MR6 reports MR7 reports Virus Sender reports MR6 reports MR7 reports Virus Recipient Virus Sender reportsVirus Recipient reports MR6 reports MR7 reports 211 FortiClient Reports Virus Destination IP Index 213 FDN FTP 215 Mail server 135 Main Menu 20 managing firmware RFC 217 See also protocol test 219 Index FortiAnalyzer Version 3.0 MR7 Administration Guide