M I N I S T R a T I O N G U I D E
Trademarks
Regulatory compliance
FCC Class a Part 15 CSA/CUS
Contents
Log Receive Monitor Intrusion Activity
Radius Server Administrator Settings
Viewing session information Filtering session information
Adding a route
Content Archive 107
Device
Log
Alert 133
Reports 113
Quarantine 131
Network Analyzer 141
Tools 157
Managing firmware versions 169
Appendix FortiAnalyzer reports in 3.0 MR7 185
Index 213
Introduction
About this document
Describes how to install and set up the FortiAnalyzer unit
Fortinet documentation
Fortinet Knowledge Center
Customer service and technical support
Fortinet Tools and Documentation CD
Comments on Fortinet technical documentation
Customer service and technical support
What’s new for 3.0 MR7
High-end FortiAnalyzer units support additional
FortiAnalyzerVersion 3.0 MR7 Administration Guide
Registered devices’ hard limits
MR7 new features and changes
Power supply monitoring for FortiAnlayzer-2000A and 4000A
CLI displays the tasks in the upload queue
Custom fields for log messages
Report configuration enhancements
Config log settings Set custom-field1-5
Reports
VoIP reports
All other reports, for example
ReportHeadquarters-2008-05-26-1030
Alert email configuration changes
Administrative Domains ADOMs
About administrative domains ADOMs
About administrative domains ADOMs
FortiAnalyzer Model Number of Administrative Domains
Go to System Admin Settings
Configuring ADOMs
To enable ADOMs
Enable Admin Domain Configuration Select OK Message appears
To add or edit an Adom
To disable ADOMs
Go to Global Configuration System Admin Settings
Select OK FortiAnalyzer unit logs you out
To access an Adom
Accessing ADOMs as the admin administrator
Assigning administrators to an Adom
To assign an administrator to an Adom
System
Dashboard
System Information
To rearrange a Dashboard widget Go to System Dashboard
To refresh a Dashboard widget Go to System Dashboard
To omit a Dashboard widget Go to System Dashboard
Tabs
To include a Dashboard widget Go to System Dashboard
To add a tab Go to System Dashboard
Enter a new name and press Enter
Double-click on the name of the tab and select the X symbol
RAID Monitor
To delete a tab Go to System Dashboard
System Information
Rebuilding icon
Setting the time
05-30007-0082-20080908
License Information
Changing the host name
Changing the firmware
To change the host name Go to System Dashboard
RVS Plug-ins Device License
System Resources
Viewing operational history
Memory Usage
To format the log disks Go to System Dashboard
System Operation
Formatting the log disks
Systems Operations area, select Format Log Disks Select OK
Viewing alert console messages
Resetting to the default configuration
Alert Message Console
To view alert console messages Go to System Dashboard
Select the delete icon
Statistics
Viewing session information
Connections
To view the session information Go to System Dashboard
Filtering session information
Report Engine
Statistics area, next to Connections, select Details
Top N
Log Receive Monitor
Type
Period
Intrusion Activity
Virus Activity
Display by
Top FTP Traffic
Virus Activity widget
Top Email Traffic
Top Email Traffic, select Edit
Top IM/P2P Traffic
Top IM/P2P Traffic, select Edit in the title bar area
Top Traffic
To edit information for Top Traffic Go to System Dashboard
Top Traffic, select Edit in the title bar area
Top Web Traffic
Top Web Traffic, select Edit
Network
Interface
Status
Changing interface settings
Administrative
Modify
Routing
To configure DNS settings Go to System Network DNS
About Fortinet Discovery Protocol
Enter an IP address for a primary and secondary DNS server
Adding a route
Admin
Select Create New Configure the following options
To add a static route Go to System Network Routing
Adding or editing an administrator account
Access Profile
Changing an administrator’s password
Access Profile
Admin Domain
None
To add a group Go to System Admin Auth Group
Auth Group
Read Only
Select Create New Configure the following and select OK
Administrator Settings
To add a Radius server Go to System Admin Radius Server
Radius Server
Adding share users
Network Sharing
Monitor
To add a user account Go to System Network Sharing User
Configuring Windows shares
Adding share groups
To add a user group Go to System Network Sharing Group
Assigning user permissions
Permissions
Configuring NFS shares
Remote Clients
Config
Default file permissions on NFS shares
Automatic file deletion and local log settings
FortiAnalyzer unit log settings Log Locally
Log Level Allocated Disk Space MB
Configuring log aggregation
FortiAnalyzer-2000/2000A
FortiAnalyzer-400
FortiAnalyzer-800/800B
FortiAnalyzer-4000/4000A
Configuring log forwarding
Configuring an aggregation client
Configuring an aggregation server
To forward log events Go to System Config Log Forwarding
To edit an IP alias Go to System Config IP Alias
Configuring IP aliases
To add an IP alias Go to System Config IP Alias
To import the alias file Go to System Config IP Alias
Configuring RAID
IP alias ranges
RAID levels
Linear
RAID
Hot swapping hard disks
RAID 5 with hot spare
FortiAnalyzer-400 disk drive configuration
FortiAnalyzer-800/800B disk drive configuration
To swap a hard disk Go to System Config RAID
FortiAnalyzer-2000/2000A disk drive configuration
FortiAnalyzer-4000 disk drive configuration
FortiAnalyzer-800/800B
Configuring RAID on the FortiAnalyzer-400
As well as from System Config RAID
Level 1
Configuring Ldap connections
Size GB
To define an Ldap server query Go to System Config Ldap
Select Create New. Complete the following
Maintenance
Backup & Restore
Backup Back up the current configuration
FortiGuard Center
10.10.1.108889
Every
Update
Scheduled
Daily
Maintenance
Device
Viewing the device list
Unregistered Device Options
Add Device
Show
Hardware
Secure Connection Disk Space MB Used/Allocated
Action
Maximum number of devices
To delete a device Go to Device All Device
Unregistered vs. registered devices
Configuring unregistered device connection attempt handling
Or the following options for unknown device types
Manually adding a device
Mode
Device Name
Device ID
Member IDs
When Allocated Disk Space is All Used Devices Privileges
Group Membership FortiGate Interface Specification
Classifying FortiGate network interfaces
Configure the FortiGate device
For more information, see Manually adding a device on
To enable the FortiAnalyzer unit to reply to FDP packets
On the FortiAnalyzer unit, go to Device All
Go to System Network
Blocking device connection attempts
Hardware Model
Configuring device groups
To block a device Go to Device All Device
To unblock a device Go to Device All Blocked Device
Group Name
To configure a device group Go to Device Group Device Group
To delete a device group Go to Device Group Device Group
Members
Log
Viewing log messages
Viewing current log messages
Viewing historical log messages
Settings
Column
Browsing log files
To view historical logs Go to Log Log Viewer Historical
Import
Viewing log file contents
Importing a log file
To import a log file Go to Log Browse
To download a partial log file Go to Log Browse
Downloading a log file
To download a whole log file Go to Log Browse
Convert to CSV format Compress with gzip
Displaying and arranging log columns
Select Download Current View Configure the following
Customizing the log view
To display logs in Raw or Formatted view
Filtering logs
To display or hide columns
To change the order of the columns
To filter log messages by column contents
To disable a filter
Filtering tips
Searching the logs
101
Searching the logs
From
Search tips
To search the logs Go to Log Search
103
192.168.* action=login
Printing the search results
Downloading the search results
Rolling and uploading logs
To download log search results Go to Log Search
105
Server IP address
Exceed
Not exceeded
Username
107
108
Content Archive
Viewing content archives
View per page Page n of n Column Settings
Printable Version Delete associated content archive files
Timeframe
Customizing the content archive view
109
Filter icons in the content logs
111
Searching full email content archives
Last activity
113
114
Configuring reports
Reports
Configuring report layout
To configure a report layout Go to Report Config Layout
Name Enter a name for the report Description
115
Title Page Logo
Header Logo
Category
Editing charts in a report layout
117
To edit a chart
Maximum Entries Top N Time Scale Advanced
To edit section
Configuring report schedules
To edit text
119
Report layout Name
To configure a report schedule Go to Report Schedule
Schedule Name
Schedule
Time Period
Log Data Filtering
Data Filter
121
Configuring data filter templates
Data filter templates
Filter logic
Sources
123
Policy IDs
Destinations
Interfaces
Day of the Week
Configuring report output templates
125
FTP/SFTP/SCP Server Action
Output template
127
Configuring language
Nomatch=No matching log data for this report
Comment is
# Localization uses a Latin character set
129
Languages
Font
Language file error messages Error message Description
Save the format file
131
Browsing reports
133
134
Quarantined files for a specific device
Quarantine
Viewing quarantined files
See
Checksum
Service
Date & Time
Status Description
Alert
Alert Events
Triggers
Adding an alert event
To add a new alert event Go to Alert Alert Event
To Email Address
Configuring alerts by email server
Output
Add
Enable
Testing the mail server configuration
Configuring Snmp traps and alerts
Smtp Server
137
Adding an Snmp server
FortiAnalyzer Snmp support
Fortinet MIB Logging Traps
Fortinet MIB Administrator Accounts
Fortinet MIB System Traps
Fortinet MIB VPN Traps
RFC-1213 MIB
Configuring alerts by Syslog server
Adding a Syslog server
RFC-2665 Ethernet-like MIB
Configure the following options, and select OK
141
142
Config log settings Set enableanalyzer yes End
Network Analyzer
Example network topology for Network Analyzer use
Viewing Network Analyzer log messages
Viewing current Network Analyzer log messages
143
Protocol Protocol used when sending the traffic Message
Viewing historical Network Analyzer log messages
Viewing Network Analyzer log file contents
Browsing Network Analyzer log files
Resolve Service View n per page Page n of n Column Settings
Printable Version Download Current View
Downloading a Network Analyzer log file
147
Customizing the Network Analyzer log view
Displaying and arranging Network Analyzer log columns
Filter icons in Network Analyzer
149
150
Quick Search
Searching the Network Analyzer logs
Keywords
Full Search
To search the logs Go to Tools Network Analyzer Search
Other
172.20.120.127 tcp
153
Rolling and uploading Network Analyzer logs
Select the download options that you want, then select OK
Log file should be rolled... even if size is not exceeded
155
Select the protocol to use when uploading to the server
Tools
Preparing for the vulnerability scan job
157
Preparing Windows target hosts
159
To enable NetBIOS Go to Start Control Panel
Viewing vulnerability scan modules
Preparing Unix target hosts
161
Vulnerability Scan modules View modules with severity
Configuring vulnerability scan jobs
Details
163
Job Name
Target
Scan Targets
Remote Authentication User Name
Select Create New Complete the following
Quick Scan
File output
Email Attachment
Email Body
Viewing vulnerability scan reports
167
File Explorer
End Time
Formats
File Explorer with Storage directory expanded
169
170
Backing up your configuration
Managing firmware versions
To back up your configuration file using the CLI
Backing up your configuration using the web-based manager
Backing up your configuration using the CLI
Execute backup config filename addressip passwd
171
Testing firmware before upgrading
Press any key to display configuration menu…
To test the firmware image before upgrading
Enter firmware image file name image.out
Enter Tftp server address
Enter Local Address
173
Upgrading to FortiAnalyzer
Upgrading using the web-based manager
Upgrading your FortiAnalyzer unit
Only
To upgrade to FortiAnalyzer 3.0 using the CLI
Upgrading using the CLI
To upgrade to FortiAnalyzer 3.0 using the web-based manager
Execute restore image namestr tftpip4
Verifying the upgrade
Get system status
Select OK Following message appears
Reverting to a previous firmware version
Downgrading to FortiLog
177
Execute restore image tftp namestr tftpipv4
Downgrading to FortiLog 1.6 using the CLI
To downgrade using the CLI
Execute restore image tftp image.out
179
To restore a firmware image to the FortiAnalyzer unit
Restoring your configuration
Restoring configuration settings on a FortiAnalyzer unit
Execute reboot
Enter File Name image.out
When this message appears
Press any key to display configuration menu
181
Execute restore config namestr tftpipv4 passwrd
Restoring your configuration settings using the CLI
To restore configuration settings using the CLI
Execute restore config confall 192.168.1.168 ghrffdt123
183
184
Appendix FortiAnalyzer reports in 3.0 MR7
FortiGate reports
185
Antivirus Activity
Intrusion Activity reports MR6 reports MR7 reports
Antivirus Activity reports MR6 reports MR7 reports
Antivirus Activity reports
187
Top Virus Destinations over POP3
Webfilter Activity
WebFilter Activity reports MR6 reports MR7 reports
189
Antispam Activity
WebFilter Activity reports
Antispam Activity reports MR6 reports MR7 reports
IM reports MR6 reports MR7 reports
IM Activity
Antispam Activity reports
191
IM reports
VoIP reports MR7 reports
Content Activity
VoIP reports
193
Content Activity reports MR6 reports MR7 reports
Network Activity
Network Activity reports MR6 reports MR7 reports
Web Activity
Network Activity reports
195
Mail Activity
FTP Activity
Report, Top Mail Servers Connections remains unchanged
FTP Activity reports
Terminal Activity
VPN Activity
Terminal Activity reports MR6 reports MR7 reports
Event Activity
VPN Activity reports MR6 reports MR7 reports
Event Activity reports MR6 reports MR7 reports
Event Activity reports
P2P Activity
Report, Top Event Categories by Status, was removed
P2P Activity reports MR6 reports MR7 reports
Audit Activity
P2P Activity reports
Summary Reports
201
Detailed
Forensic Reports
Audit
Report, Top Client Requests to Permitted Sites, was removed
Mail High Level
FortiMail Reports
Summary
203
Mail High Level reports
Mail Sender
Mail Sender reports MR6 reports MR7 reports
205
Mail Sender reports
Mail Recipient Activity
Mail Destination IP
Mail Recipient Activity reports MR6 reports MR7 reports
Spam Sender reports MR6 reports MR7 reports
Spam Sender
Mail Destination IP reports MR6 reports MR7 reports
207
Spam Recipient
Spam Sender reports
Spam Recipient reports MR6 reports MR7 reports
Spam Recipient reports
Spam Destination IP
Virus Sender
Spam Destination IP reports MR6 reports MR7 reports
Virus Sender reports MR6 reports MR7 reports
Virus Recipient reports MR6 reports MR7 reports
Virus Recipient
Virus Sender reports
211
FortiClient Reports
Virus Destination IP
Index
213
FDN
FTP
215
Mail server 135 Main Menu 20 managing firmware
RFC
217
See also protocol test
219
Index FortiAnalyzer Version 3.0 MR7 Administration Guide
