M I N I S T R a T I O N G U I D E
Trademarks
Regulatory compliance
FCC Class a Part 15 CSA/CUS
Contents
Radius Server Administrator Settings
Viewing session information Filtering session information
Log Receive Monitor Intrusion Activity
Adding a route
Content Archive 107
Device
Log
Reports 113
Quarantine 131
Alert 133
Network Analyzer 141
Tools 157
Managing firmware versions 169
Appendix FortiAnalyzer reports in 3.0 MR7 185
Index 213
Introduction
About this document
Describes how to install and set up the FortiAnalyzer unit
Fortinet documentation
Customer service and technical support
Fortinet Tools and Documentation CD
Fortinet Knowledge Center
Comments on Fortinet technical documentation
Customer service and technical support
What’s new for 3.0 MR7
High-end FortiAnalyzer units support additional
FortiAnalyzerVersion 3.0 MR7 Administration Guide
MR7 new features and changes
Power supply monitoring for FortiAnlayzer-2000A and 4000A
Registered devices’ hard limits
CLI displays the tasks in the upload queue
Report configuration enhancements
Config log settings Set custom-field1-5
Custom fields for log messages
Reports
VoIP reports
All other reports, for example
ReportHeadquarters-2008-05-26-1030
Alert email configuration changes
Administrative Domains ADOMs
About administrative domains ADOMs
About administrative domains ADOMs
FortiAnalyzer Model Number of Administrative Domains
Configuring ADOMs
To enable ADOMs
Go to System Admin Settings
Enable Admin Domain Configuration Select OK Message appears
To disable ADOMs
Go to Global Configuration System Admin Settings
To add or edit an Adom
Select OK FortiAnalyzer unit logs you out
Accessing ADOMs as the admin administrator
Assigning administrators to an Adom
To access an Adom
To assign an administrator to an Adom
System
Dashboard
System Information
To rearrange a Dashboard widget Go to System Dashboard
To refresh a Dashboard widget Go to System Dashboard
Tabs
To include a Dashboard widget Go to System Dashboard
To omit a Dashboard widget Go to System Dashboard
To add a tab Go to System Dashboard
Double-click on the name of the tab and select the X symbol
RAID Monitor
Enter a new name and press Enter
To delete a tab Go to System Dashboard
System Information
Rebuilding icon
Setting the time
05-30007-0082-20080908
Changing the host name
Changing the firmware
License Information
To change the host name Go to System Dashboard
System Resources
Viewing operational history
RVS Plug-ins Device License
Memory Usage
System Operation
Formatting the log disks
To format the log disks Go to System Dashboard
Systems Operations area, select Format Log Disks Select OK
Resetting to the default configuration
Alert Message Console
Viewing alert console messages
To view alert console messages Go to System Dashboard
Statistics
Viewing session information
Select the delete icon
Connections
Filtering session information
Report Engine
To view the session information Go to System Dashboard
Statistics area, next to Connections, select Details
Log Receive Monitor
Type
Top N
Period
Intrusion Activity
Virus Activity
Display by
Top FTP Traffic
Virus Activity widget
Top Email Traffic
Top Email Traffic, select Edit
Top IM/P2P Traffic
Top IM/P2P Traffic, select Edit in the title bar area
Top Traffic
To edit information for Top Traffic Go to System Dashboard
Top Traffic, select Edit in the title bar area
Top Web Traffic
Top Web Traffic, select Edit
Network
Interface
Changing interface settings
Administrative
Status
Modify
To configure DNS settings Go to System Network DNS
About Fortinet Discovery Protocol
Routing
Enter an IP address for a primary and secondary DNS server
Admin
Select Create New Configure the following options
Adding a route
To add a static route Go to System Network Routing
Adding or editing an administrator account
Changing an administrator’s password
Access Profile
Access Profile
Admin Domain
To add a group Go to System Admin Auth Group
Auth Group
None
Read Only
Administrator Settings
To add a Radius server Go to System Admin Radius Server
Select Create New Configure the following and select OK
Radius Server
Network Sharing
Monitor
Adding share users
To add a user account Go to System Network Sharing User
Configuring Windows shares
Adding share groups
To add a user group Go to System Network Sharing Group
Assigning user permissions
Permissions
Configuring NFS shares
Remote Clients
Config
Default file permissions on NFS shares
Automatic file deletion and local log settings
FortiAnalyzer unit log settings Log Locally
Log Level Allocated Disk Space MB
Configuring log aggregation
FortiAnalyzer-400
FortiAnalyzer-800/800B
FortiAnalyzer-2000/2000A
FortiAnalyzer-4000/4000A
Configuring an aggregation client
Configuring an aggregation server
Configuring log forwarding
To forward log events Go to System Config Log Forwarding
Configuring IP aliases
To add an IP alias Go to System Config IP Alias
To edit an IP alias Go to System Config IP Alias
To import the alias file Go to System Config IP Alias
Configuring RAID
IP alias ranges
RAID levels
Linear
RAID
Hot swapping hard disks
RAID 5 with hot spare
FortiAnalyzer-400 disk drive configuration
FortiAnalyzer-800/800B disk drive configuration
To swap a hard disk Go to System Config RAID
FortiAnalyzer-2000/2000A disk drive configuration
FortiAnalyzer-4000 disk drive configuration
Configuring RAID on the FortiAnalyzer-400
As well as from System Config RAID
FortiAnalyzer-800/800B
Level 1
Configuring Ldap connections
Size GB
To define an Ldap server query Go to System Config Ldap
Select Create New. Complete the following
Maintenance
Backup & Restore
Backup Back up the current configuration
FortiGuard Center
10.10.1.108889
Update
Scheduled
Every
Daily
Maintenance
Device
Viewing the device list
Add Device
Show
Unregistered Device Options
Hardware
Secure Connection Disk Space MB Used/Allocated
Action
Maximum number of devices
To delete a device Go to Device All Device
Unregistered vs. registered devices
Configuring unregistered device connection attempt handling
Or the following options for unknown device types
Manually adding a device
Device Name
Device ID
Mode
Member IDs
When Allocated Disk Space is All Used Devices Privileges
Group Membership FortiGate Interface Specification
Classifying FortiGate network interfaces
Configure the FortiGate device
For more information, see Manually adding a device on
To enable the FortiAnalyzer unit to reply to FDP packets
On the FortiAnalyzer unit, go to Device All
Go to System Network
Blocking device connection attempts
Hardware Model
Configuring device groups
To block a device Go to Device All Device
To unblock a device Go to Device All Blocked Device
To configure a device group Go to Device Group Device Group
To delete a device group Go to Device Group Device Group
Group Name
Members
Log
Viewing log messages
Viewing current log messages
Viewing historical log messages
Settings
Column
Browsing log files
To view historical logs Go to Log Log Viewer Historical
Import
Viewing log file contents
Importing a log file
To import a log file Go to Log Browse
Downloading a log file
To download a whole log file Go to Log Browse
To download a partial log file Go to Log Browse
Convert to CSV format Compress with gzip
Select Download Current View Configure the following
Customizing the log view
Displaying and arranging log columns
To display logs in Raw or Formatted view
Filtering logs
To display or hide columns
To change the order of the columns
To filter log messages by column contents
To disable a filter
Filtering tips
Searching the logs
101
Searching the logs
From
Search tips
To search the logs Go to Log Search
103
192.168.* action=login
Printing the search results
Downloading the search results
Rolling and uploading logs
To download log search results Go to Log Search
105
Exceed
Not exceeded
Server IP address
Username
107
108
Content Archive
Viewing content archives
View per page Page n of n Column Settings
Printable Version Delete associated content archive files
Timeframe
Customizing the content archive view
109
Filter icons in the content logs
111
Searching full email content archives
Last activity
113
114
Configuring reports
Reports
Configuring report layout
To configure a report layout Go to Report Config Layout
Name Enter a name for the report Description
115
Title Page Logo
Header Logo
Category
Editing charts in a report layout
117
To edit a chart
Maximum Entries Top N Time Scale Advanced
Configuring report schedules
To edit text
To edit section
119
To configure a report schedule Go to Report Schedule
Schedule Name
Report layout Name
Schedule
Log Data Filtering
Data Filter
Time Period
121
Configuring data filter templates
Data filter templates
Filter logic
Sources
123
Destinations
Interfaces
Policy IDs
Day of the Week
Configuring report output templates
125
FTP/SFTP/SCP Server Action
Output template
127
Configuring language
Nomatch=No matching log data for this report
Comment is
# Localization uses a Latin character set
129
Languages
Font
Language file error messages Error message Description
Save the format file
131
Browsing reports
133
134
Quarantine
Viewing quarantined files
Quarantined files for a specific device
See
Service
Date & Time
Checksum
Status Description
Alert
Alert Events
Triggers
Adding an alert event
To add a new alert event Go to Alert Alert Event
Configuring alerts by email server
Output
To Email Address
Add
Testing the mail server configuration
Configuring Snmp traps and alerts
Enable
Smtp Server
137
Adding an Snmp server
FortiAnalyzer Snmp support
Fortinet MIB Administrator Accounts
Fortinet MIB System Traps
Fortinet MIB Logging Traps
Fortinet MIB VPN Traps
Configuring alerts by Syslog server
Adding a Syslog server
RFC-1213 MIB
RFC-2665 Ethernet-like MIB
Configure the following options, and select OK
141
142
Config log settings Set enableanalyzer yes End
Network Analyzer
Example network topology for Network Analyzer use
Viewing Network Analyzer log messages
Viewing current Network Analyzer log messages
143
Protocol Protocol used when sending the traffic Message
Viewing historical Network Analyzer log messages
Viewing Network Analyzer log file contents
Browsing Network Analyzer log files
Resolve Service View n per page Page n of n Column Settings
Printable Version Download Current View
Downloading a Network Analyzer log file
147
Customizing the Network Analyzer log view
Displaying and arranging Network Analyzer log columns
Filter icons in Network Analyzer
149
150
Searching the Network Analyzer logs
Keywords
Quick Search
Full Search
To search the logs Go to Tools Network Analyzer Search
Other
172.20.120.127 tcp
153
Rolling and uploading Network Analyzer logs
Select the download options that you want, then select OK
Log file should be rolled... even if size is not exceeded
155
Select the protocol to use when uploading to the server
Tools
Preparing for the vulnerability scan job
157
Preparing Windows target hosts
159
To enable NetBIOS Go to Start Control Panel
Viewing vulnerability scan modules
Preparing Unix target hosts
161
Vulnerability Scan modules View modules with severity
Configuring vulnerability scan jobs
Details
163
Job Name
Target
Remote Authentication User Name
Select Create New Complete the following
Scan Targets
Quick Scan
File output
Email Attachment
Email Body
Viewing vulnerability scan reports
167
File Explorer
End Time
Formats
File Explorer with Storage directory expanded
169
170
Backing up your configuration
Managing firmware versions
Backing up your configuration using the web-based manager
Backing up your configuration using the CLI
To back up your configuration file using the CLI
Execute backup config filename addressip passwd
171
Testing firmware before upgrading
Press any key to display configuration menu…
To test the firmware image before upgrading
Enter Tftp server address
Enter Local Address
Enter firmware image file name image.out
173
Upgrading using the web-based manager
Upgrading your FortiAnalyzer unit
Upgrading to FortiAnalyzer
Only
Upgrading using the CLI
To upgrade to FortiAnalyzer 3.0 using the web-based manager
To upgrade to FortiAnalyzer 3.0 using the CLI
Execute restore image namestr tftpip4
Verifying the upgrade
Get system status
Reverting to a previous firmware version
Downgrading to FortiLog
Select OK Following message appears
177
Downgrading to FortiLog 1.6 using the CLI
To downgrade using the CLI
Execute restore image tftp namestr tftpipv4
Execute restore image tftp image.out
179
Restoring your configuration
Restoring configuration settings on a FortiAnalyzer unit
To restore a firmware image to the FortiAnalyzer unit
Execute reboot
When this message appears
Press any key to display configuration menu
Enter File Name image.out
181
Restoring your configuration settings using the CLI
To restore configuration settings using the CLI
Execute restore config namestr tftpipv4 passwrd
Execute restore config confall 192.168.1.168 ghrffdt123
183
184
Appendix FortiAnalyzer reports in 3.0 MR7
FortiGate reports
185
Antivirus Activity
Intrusion Activity reports MR6 reports MR7 reports
Antivirus Activity reports MR6 reports MR7 reports
Antivirus Activity reports
187
Top Virus Destinations over POP3
Webfilter Activity
WebFilter Activity reports MR6 reports MR7 reports
189
Antispam Activity
WebFilter Activity reports
Antispam Activity reports MR6 reports MR7 reports
IM Activity
Antispam Activity reports
IM reports MR6 reports MR7 reports
191
IM reports
VoIP reports MR7 reports
Content Activity
VoIP reports
193
Content Activity reports MR6 reports MR7 reports
Network Activity
Network Activity reports MR6 reports MR7 reports
Web Activity
Network Activity reports
195
Mail Activity
FTP Activity
Report, Top Mail Servers Connections remains unchanged
Terminal Activity
VPN Activity
FTP Activity reports
Terminal Activity reports MR6 reports MR7 reports
Event Activity
VPN Activity reports MR6 reports MR7 reports
Event Activity reports MR6 reports MR7 reports
P2P Activity
Report, Top Event Categories by Status, was removed
Event Activity reports
P2P Activity reports MR6 reports MR7 reports
Audit Activity
P2P Activity reports
Summary Reports
201
Forensic Reports
Audit
Detailed
Report, Top Client Requests to Permitted Sites, was removed
FortiMail Reports
Summary
Mail High Level
203
Mail High Level reports
Mail Sender
Mail Sender reports MR6 reports MR7 reports
205
Mail Recipient Activity
Mail Destination IP
Mail Sender reports
Mail Recipient Activity reports MR6 reports MR7 reports
Spam Sender
Mail Destination IP reports MR6 reports MR7 reports
Spam Sender reports MR6 reports MR7 reports
207
Spam Recipient
Spam Sender reports
Spam Recipient reports MR6 reports MR7 reports
Spam Destination IP
Virus Sender
Spam Recipient reports
Spam Destination IP reports MR6 reports MR7 reports
Virus Sender reports MR6 reports MR7 reports
Virus Recipient
Virus Sender reports
Virus Recipient reports MR6 reports MR7 reports
211
FortiClient Reports
Virus Destination IP
Index
213
FDN
FTP
215
Mail server 135 Main Menu 20 managing firmware
RFC
217
See also protocol test
219
Index FortiAnalyzer Version 3.0 MR7 Administration Guide
