M I N I S T R a T I O N G U I D E
Trademarks
Regulatory compliance
FCC Class a Part 15 CSA/CUS
Contents
Adding a route
Radius Server Administrator Settings
Viewing session information Filtering session information
Log Receive Monitor Intrusion Activity
Content Archive 107
Device
Log
Network Analyzer 141
Reports 113
Quarantine 131
Alert 133
Managing firmware versions 169
Tools 157
Index 213
Appendix FortiAnalyzer reports in 3.0 MR7 185
About this document
Introduction
Fortinet documentation
Describes how to install and set up the FortiAnalyzer unit
Comments on Fortinet technical documentation
Customer service and technical support
Fortinet Tools and Documentation CD
Fortinet Knowledge Center
Customer service and technical support
High-end FortiAnalyzer units support additional
What’s new for 3.0 MR7
FortiAnalyzerVersion 3.0 MR7 Administration Guide
CLI displays the tasks in the upload queue
MR7 new features and changes
Power supply monitoring for FortiAnlayzer-2000A and 4000A
Registered devices’ hard limits
Reports
Report configuration enhancements
Config log settings Set custom-field1-5
Custom fields for log messages
VoIP reports
All other reports, for example
ReportHeadquarters-2008-05-26-1030
Alert email configuration changes
About administrative domains ADOMs
Administrative Domains ADOMs
About administrative domains ADOMs
FortiAnalyzer Model Number of Administrative Domains
Enable Admin Domain Configuration Select OK Message appears
Configuring ADOMs
To enable ADOMs
Go to System Admin Settings
Select OK FortiAnalyzer unit logs you out
To disable ADOMs
Go to Global Configuration System Admin Settings
To add or edit an Adom
To assign an administrator to an Adom
Accessing ADOMs as the admin administrator
Assigning administrators to an Adom
To access an Adom
System
Dashboard
System Information
To refresh a Dashboard widget Go to System Dashboard
To rearrange a Dashboard widget Go to System Dashboard
To add a tab Go to System Dashboard
Tabs
To include a Dashboard widget Go to System Dashboard
To omit a Dashboard widget Go to System Dashboard
To delete a tab Go to System Dashboard
Double-click on the name of the tab and select the X symbol
RAID Monitor
Enter a new name and press Enter
Rebuilding icon
System Information
05-30007-0082-20080908
Setting the time
To change the host name Go to System Dashboard
Changing the host name
Changing the firmware
License Information
Memory Usage
System Resources
Viewing operational history
RVS Plug-ins Device License
Systems Operations area, select Format Log Disks Select OK
System Operation
Formatting the log disks
To format the log disks Go to System Dashboard
To view alert console messages Go to System Dashboard
Resetting to the default configuration
Alert Message Console
Viewing alert console messages
Connections
Statistics
Viewing session information
Select the delete icon
Statistics area, next to Connections, select Details
Filtering session information
Report Engine
To view the session information Go to System Dashboard
Period
Log Receive Monitor
Type
Top N
Intrusion Activity
Virus Activity
Display by
Virus Activity widget
Top FTP Traffic
Top Email Traffic, select Edit
Top Email Traffic
Top IM/P2P Traffic, select Edit in the title bar area
Top IM/P2P Traffic
Top Traffic
To edit information for Top Traffic Go to System Dashboard
Top Traffic, select Edit in the title bar area
Top Web Traffic, select Edit
Top Web Traffic
Interface
Network
Modify
Changing interface settings
Administrative
Status
Enter an IP address for a primary and secondary DNS server
To configure DNS settings Go to System Network DNS
About Fortinet Discovery Protocol
Routing
To add a static route Go to System Network Routing
Admin
Select Create New Configure the following options
Adding a route
Adding or editing an administrator account
Admin Domain
Changing an administrator’s password
Access Profile
Access Profile
Read Only
To add a group Go to System Admin Auth Group
Auth Group
None
Radius Server
Administrator Settings
To add a Radius server Go to System Admin Radius Server
Select Create New Configure the following and select OK
To add a user account Go to System Network Sharing User
Network Sharing
Monitor
Adding share users
Configuring Windows shares
Adding share groups
To add a user group Go to System Network Sharing Group
Permissions
Assigning user permissions
Remote Clients
Configuring NFS shares
Config
Default file permissions on NFS shares
Automatic file deletion and local log settings
Log Level Allocated Disk Space MB
FortiAnalyzer unit log settings Log Locally
Configuring log aggregation
FortiAnalyzer-4000/4000A
FortiAnalyzer-400
FortiAnalyzer-800/800B
FortiAnalyzer-2000/2000A
To forward log events Go to System Config Log Forwarding
Configuring an aggregation client
Configuring an aggregation server
Configuring log forwarding
To import the alias file Go to System Config IP Alias
Configuring IP aliases
To add an IP alias Go to System Config IP Alias
To edit an IP alias Go to System Config IP Alias
Configuring RAID
IP alias ranges
RAID levels
RAID
Linear
RAID 5 with hot spare
Hot swapping hard disks
FortiAnalyzer-800/800B disk drive configuration
FortiAnalyzer-400 disk drive configuration
To swap a hard disk Go to System Config RAID
FortiAnalyzer-2000/2000A disk drive configuration
FortiAnalyzer-4000 disk drive configuration
Level 1
Configuring RAID on the FortiAnalyzer-400
As well as from System Config RAID
FortiAnalyzer-800/800B
Size GB
Configuring Ldap connections
Select Create New. Complete the following
To define an Ldap server query Go to System Config Ldap
Maintenance
Backup & Restore
Backup Back up the current configuration
FortiGuard Center
10.10.1.108889
Daily
Update
Scheduled
Every
Maintenance
Viewing the device list
Device
Hardware
Add Device
Show
Unregistered Device Options
Action
Secure Connection Disk Space MB Used/Allocated
To delete a device Go to Device All Device
Maximum number of devices
Unregistered vs. registered devices
Configuring unregistered device connection attempt handling
Or the following options for unknown device types
Manually adding a device
Member IDs
Device Name
Device ID
Mode
Group Membership FortiGate Interface Specification
When Allocated Disk Space is All Used Devices Privileges
Classifying FortiGate network interfaces
For more information, see Manually adding a device on
Configure the FortiGate device
To enable the FortiAnalyzer unit to reply to FDP packets
On the FortiAnalyzer unit, go to Device All
Go to System Network
Hardware Model
Blocking device connection attempts
Configuring device groups
To block a device Go to Device All Device
To unblock a device Go to Device All Blocked Device
Members
To configure a device group Go to Device Group Device Group
To delete a device group Go to Device Group Device Group
Group Name
Log
Viewing log messages
Viewing current log messages
Viewing historical log messages
Column
Settings
Browsing log files
To view historical logs Go to Log Log Viewer Historical
Import
Viewing log file contents
To import a log file Go to Log Browse
Importing a log file
Convert to CSV format Compress with gzip
Downloading a log file
To download a whole log file Go to Log Browse
To download a partial log file Go to Log Browse
To display logs in Raw or Formatted view
Select Download Current View Configure the following
Customizing the log view
Displaying and arranging log columns
Filtering logs
To display or hide columns
To change the order of the columns
To filter log messages by column contents
To disable a filter
Filtering tips
101
Searching the logs
From
Searching the logs
Search tips
To search the logs Go to Log Search
103
192.168.* action=login
Printing the search results
Downloading the search results
Rolling and uploading logs
To download log search results Go to Log Search
105
Username
Exceed
Not exceeded
Server IP address
107
108
Viewing content archives
Content Archive
View per page Page n of n Column Settings
Printable Version Delete associated content archive files
Timeframe
109
Customizing the content archive view
Filter icons in the content logs
111
Searching full email content archives
113
Last activity
114
Reports
Configuring reports
Configuring report layout
To configure a report layout Go to Report Config Layout
Name Enter a name for the report Description
115
Title Page Logo
Header Logo
Category
117
Editing charts in a report layout
Maximum Entries Top N Time Scale Advanced
To edit a chart
119
Configuring report schedules
To edit text
To edit section
Schedule
To configure a report schedule Go to Report Schedule
Schedule Name
Report layout Name
121
Log Data Filtering
Data Filter
Time Period
Data filter templates
Configuring data filter templates
Filter logic
Sources
123
Day of the Week
Destinations
Interfaces
Policy IDs
125
Configuring report output templates
Output template
FTP/SFTP/SCP Server Action
127
Nomatch=No matching log data for this report
Configuring language
Comment is
# Localization uses a Latin character set
129
Font
Languages
Language file error messages Error message Description
Save the format file
131
Browsing reports
133
134
See
Quarantine
Viewing quarantined files
Quarantined files for a specific device
Status Description
Service
Date & Time
Checksum
Alert
Alert Events
Triggers
To add a new alert event Go to Alert Alert Event
Adding an alert event
Add
Configuring alerts by email server
Output
To Email Address
Smtp Server
Testing the mail server configuration
Configuring Snmp traps and alerts
Enable
137
FortiAnalyzer Snmp support
Adding an Snmp server
Fortinet MIB VPN Traps
Fortinet MIB Administrator Accounts
Fortinet MIB System Traps
Fortinet MIB Logging Traps
RFC-2665 Ethernet-like MIB
Configuring alerts by Syslog server
Adding a Syslog server
RFC-1213 MIB
141
Configure the following options, and select OK
142
Network Analyzer
Config log settings Set enableanalyzer yes End
Example network topology for Network Analyzer use
Viewing Network Analyzer log messages
Viewing current Network Analyzer log messages
143
Viewing historical Network Analyzer log messages
Protocol Protocol used when sending the traffic Message
Browsing Network Analyzer log files
Viewing Network Analyzer log file contents
Printable Version Download Current View
Resolve Service View n per page Page n of n Column Settings
147
Downloading a Network Analyzer log file
Displaying and arranging Network Analyzer log columns
Customizing the Network Analyzer log view
149
Filter icons in Network Analyzer
150
Full Search
Searching the Network Analyzer logs
Keywords
Quick Search
Other
To search the logs Go to Tools Network Analyzer Search
153
172.20.120.127 tcp
Select the download options that you want, then select OK
Rolling and uploading Network Analyzer logs
155
Log file should be rolled... even if size is not exceeded
Select the protocol to use when uploading to the server
Tools
Preparing for the vulnerability scan job
157
Preparing Windows target hosts
159
To enable NetBIOS Go to Start Control Panel
Viewing vulnerability scan modules
Preparing Unix target hosts
161
Vulnerability Scan modules View modules with severity
Configuring vulnerability scan jobs
Details
163
Target
Job Name
Quick Scan
Remote Authentication User Name
Select Create New Complete the following
Scan Targets
File output
Email Attachment
Email Body
167
Viewing vulnerability scan reports
File Explorer
End Time
Formats
169
File Explorer with Storage directory expanded
170
Managing firmware versions
Backing up your configuration
Execute backup config filename addressip passwd
Backing up your configuration using the web-based manager
Backing up your configuration using the CLI
To back up your configuration file using the CLI
171
Testing firmware before upgrading
Press any key to display configuration menu…
To test the firmware image before upgrading
173
Enter Tftp server address
Enter Local Address
Enter firmware image file name image.out
Only
Upgrading using the web-based manager
Upgrading your FortiAnalyzer unit
Upgrading to FortiAnalyzer
Execute restore image namestr tftpip4
Upgrading using the CLI
To upgrade to FortiAnalyzer 3.0 using the web-based manager
To upgrade to FortiAnalyzer 3.0 using the CLI
Get system status
Verifying the upgrade
177
Reverting to a previous firmware version
Downgrading to FortiLog
Select OK Following message appears
Execute restore image tftp image.out
Downgrading to FortiLog 1.6 using the CLI
To downgrade using the CLI
Execute restore image tftp namestr tftpipv4
179
Execute reboot
Restoring your configuration
Restoring configuration settings on a FortiAnalyzer unit
To restore a firmware image to the FortiAnalyzer unit
181
When this message appears
Press any key to display configuration menu
Enter File Name image.out
Execute restore config confall 192.168.1.168 ghrffdt123
Restoring your configuration settings using the CLI
To restore configuration settings using the CLI
Execute restore config namestr tftpipv4 passwrd
183
184
Appendix FortiAnalyzer reports in 3.0 MR7
FortiGate reports
185
Antivirus Activity
Intrusion Activity reports MR6 reports MR7 reports
Antivirus Activity reports MR6 reports MR7 reports
187
Antivirus Activity reports
Top Virus Destinations over POP3
Webfilter Activity
WebFilter Activity reports MR6 reports MR7 reports
189
Antispam Activity
WebFilter Activity reports
Antispam Activity reports MR6 reports MR7 reports
191
IM Activity
Antispam Activity reports
IM reports MR6 reports MR7 reports
VoIP reports MR7 reports
IM reports
Content Activity
VoIP reports
193
Content Activity reports MR6 reports MR7 reports
Network Activity
Network Activity reports MR6 reports MR7 reports
Web Activity
Network Activity reports
195
Mail Activity
FTP Activity
Report, Top Mail Servers Connections remains unchanged
Terminal Activity reports MR6 reports MR7 reports
Terminal Activity
VPN Activity
FTP Activity reports
Event Activity
VPN Activity reports MR6 reports MR7 reports
Event Activity reports MR6 reports MR7 reports
P2P Activity reports MR6 reports MR7 reports
P2P Activity
Report, Top Event Categories by Status, was removed
Event Activity reports
P2P Activity reports
Audit Activity
201
Summary Reports
Report, Top Client Requests to Permitted Sites, was removed
Forensic Reports
Audit
Detailed
203
FortiMail Reports
Summary
Mail High Level
Mail High Level reports
Mail Sender
Mail Sender reports MR6 reports MR7 reports
205
Mail Recipient Activity reports MR6 reports MR7 reports
Mail Recipient Activity
Mail Destination IP
Mail Sender reports
207
Spam Sender
Mail Destination IP reports MR6 reports MR7 reports
Spam Sender reports MR6 reports MR7 reports
Spam Recipient
Spam Sender reports
Spam Recipient reports MR6 reports MR7 reports
Spam Destination IP reports MR6 reports MR7 reports
Spam Destination IP
Virus Sender
Spam Recipient reports
Virus Sender reports MR6 reports MR7 reports
211
Virus Recipient
Virus Sender reports
Virus Recipient reports MR6 reports MR7 reports
Virus Destination IP
FortiClient Reports
213
Index
FDN
215
FTP
Mail server 135 Main Menu 20 managing firmware
217
RFC
See also protocol test
219
Index FortiAnalyzer Version 3.0 MR7 Administration Guide
