Configuring unregistered device connection attempt handling


You can configure the FortiAnalyzer unit to accept and handle connection attempts automatically, or to allow connections only from devices that you have manually added.

Allowing the connection and registering the device enables certain FortiAnalyzer features. For example, registering known-type devices, either manually or automatically, configures the FortiAnalyzer unit for features such as device-specific reports and remote browsing of log messages. Manually adding unknown-type devices allows you to browse their logs.

Device connection attempt handling and other FortiAnalyzer features vary by device type. There are two types of devices:

known device types (FortiGate, FortiManager, FortiClient, FortiMail)

unknown device type (generic Syslog devices)

Connection attempt handling options for known and unknown device types are separate.

Depending on your settings in Unregistered Device Options, and whether the device type is known or unknown, the FortiAnalyzer unit handles connection attempts in one of these ways:

ignore the connection (only allow connections from manually added devices)

allow the connection, add as an unregistered device, but do not keep the device’s log data (add devices automatically, but do not keep data until you manually register them)

if the device is an unknown type, allow the connection, add as an unregistered device, and keep a specified amount of the device’s log data

if the device is a known type, allow the connection, add as a registered device, and keep a specified amount of the device’s log data

If you have specified that connections from unregistered devices will not be allowed until you manually add them, you must manually configure the connection before the device will be allowed to connect to the FortiAnalyzer unit.

When devices attempt to connect to a FortiAnalyzer unit that has reached its maximum number of allowed devices, the FortiAnalyzer unit will reject connection attempts by excess devices, and automatically add those excess devices to the list of blocked devices. For more information about blocked devices, see “Blocking device connection attempts” on page 86.

To view the current connection handling settings, go to Device > All > Device and select Unregistered Device Options.

Note: Many FortiAnalyzer features are not available for unregistered devices of unknown types. For more information about the differences between unregistered and registered devices, see “Unregistered vs. registered devices” on page 77.

Both registered and unregistered devices count towards the maximum number of devices available for a FortiAnalyzer unit. Too many unregistered devices will prevent you from adding a device. For more information, see “Maximum number of devices” on page 76.
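The handling rules above interact with the device limit: automatically added devices use up slots that manually added devices also need. The following Python model is an added example, not Fortinet code; the class, the option names, the order of the capacity check and the sample device IDs are assumptions made for illustration.

```python
from dataclasses import dataclass, field

KNOWN_TYPES = {"FortiGate", "FortiManager", "FortiClient", "FortiMail"}
# Hypothetical names for the three handling choices the page lists.
IGNORE, ADD_NO_DATA, ADD_KEEP_DATA = "ignore", "add_no_data", "add_keep_data"

@dataclass
class AnalyzerModel:
    max_devices: int
    known_option: str = IGNORE      # Unregistered Device Options, known types
    unknown_option: str = IGNORE    # Unregistered Device Options, unknown types
    devices: dict = field(default_factory=dict)  # id -> (state, keep_logs)
    blocked: set = field(default_factory=set)

    def full(self):
        # Registered and unregistered devices both count toward the maximum.
        return len(self.devices) >= self.max_devices

    def add_manually(self, dev_id):
        if dev_id not in self.devices and self.full():
            return False            # no slot left for a new device
        self.devices[dev_id] = ("registered", True)
        return True

    def connect(self, dev_id, dev_type):
        if dev_id in self.blocked:
            return "rejected, on blocked list"
        if dev_id not in self.devices:
            # Assumption: the capacity check runs before the option check.
            if self.full():
                self.blocked.add(dev_id)
                return "rejected, added to blocked list"
            known = dev_type in KNOWN_TYPES
            option = self.known_option if known else self.unknown_option
            if option == IGNORE:
                return "ignored"
            keep = option == ADD_KEEP_DATA
            # Only known types with the keep-data option are auto-registered.
            state = "registered" if known and keep else "unregistered"
            self.devices[dev_id] = (state, keep)
        state, keep = self.devices[dev_id]
        return f"{state}, logs {'kept' if keep else 'not kept'}"

def demo():
    # Constructed scenario: a two-slot unit that auto-adds both device classes.
    unit = AnalyzerModel(2, known_option=ADD_KEEP_DATA, unknown_option=ADD_NO_DATA)
    return [unit.connect("FG-1", "FortiGate"), unit.connect("sys-1", "Syslog"),
            unit.connect("FG-2", "FortiGate"), unit.add_manually("FG-3")]
```

In the demo, the generic Syslog source takes the second slot, so the next FortiGate is rejected and blocked and a manual add fails; with both options left at ignore, only manually added devices occupy slots.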

 

FortiAnalyzer Version 3.0 MR7 Administration Guide


05-30007-0082-20080908
