Manuals / Fortinet / Computer Equipment / Network Card

Fortinet FortiLog-400, FortiLog-100, FortiLog-800 manual Event correlation Active mode

Models: FortiLog-100 FortiLog-400 FortiLog-800

1 124

Page 80

Event correlation (Active mode)	Using Logs

Show me Select Show me to view the selection from the sort list.

#The number of entries for the attack report.

Log time	The date and time of the attack.
Device ID	The name of the device subjected to the attack.
Source	The source IP address of the attack.
Destination	The IP address of the device subjected to the attack.
Message	The attack message logged for the device. The message also includes a
	link to the FortiProtect web site for further details on the type of attack.

05-16000-0082-20050115

Fortinet Inc.

Page 80

Image 80

Fortinet FortiLog-400, FortiLog-100, FortiLog-800 manual Event correlation Active mode

Contents

FortiLog-100 FortiLog-400 FortiLog-800 January 15, 2004Regulatory Compliance Version 1.6 January 15 05-16000-0082-20050115Trademarks Table of Contents Config Network Managing the FortiLog unitReports Setting folder and file properties 103104 110Introduction FortiLog-400 FortiLog-100 FortiLog-800Active Mode Operational ModesPassive Mode IntroductionFortiLog documentation Explains how to install and set up the FortiLog unitAbout this guide FortiGate documentation Explains how to configure VPNs using the web-based managerRelated documentation FortiManager documentation FortiClient documentationFortiMail documentation Fortinet Knowledge CenterCustomer service and technical support Customer service and technical support Setting up the FortiLog unit Checking the package contentsFortiLog-100 2.5 kg FortiLog-400 11 kg FortiLog-80014 kg Hardware specifications DimensionsWeight Planning the installation Power requirementsEnvironmental specifications Air flowConnecting the FortiLog unit Connecting the FortiLog unitFortiLog unit Management PC To connect the FortiLog unit to the networkConfiguring the FortiLog unit Using the web-based managerFactory defaults Administrator To connect to the web-based managerUsing the command line interface To configure the FortiLog unit using the web-based managerTo configure the FortiLog unit using the CLI Set system interface port1 mode static ip IPaddress netmaskSet system dns primary IPaddress Using the front panel buttons and LCDSet the primary DNS server IP address Configuring the FortiLog unit Connecting to the FortiLog Unit Configuring FortiGate unit running FortiOSGo to Log&Report Log Config Sending device logs to the FortiLog unitConfiguring FortiGate devices running FortiOS FortiGate 2.8 log settingsConfiguring FortiMail devices FortiGate 2.5 Log settingsAdding a device To add a deviceGroups from this tab UnregisteredDefining device port interfaces Creating Device Groups To create a device group Go to System Devices GroupsStatus Managing the FortiLog unitStatus Operating Mode IntervalRefresh AlertsTo change the operating mode in the CLI Changing the FortiLog host nameChanging operating modes Set system opmode activepassiveChanging the firmware To change the firmware using the web-based managerViewing system resources information Installing firmware from a system reboot To change the firmware using the CLIExecute restore image namestr tftpip Execute restore image FortiLog400-v120.outTo install firmware from a system reboot Press any key to enter configuration menuImmediately press any key to interrupt the system startup Enter Local AddressTesting a new firmware image To test a new firmware image before installing itFollowing message appears Enter File Name image.outInstalling a backup firmware image Save as Default firmware/Run image without savingD/RGet system status You can test the new firmware image as requiredTo install a backup firmware image Type BTo switch to the backup firmware image Switching to a backup firmware imageSwitching to the default firmware image Backing up system settings To switch back to the default firmware imageExecute reboot To backup up system settings Go to System Status StatusRestoring system settings Restore factory default system settingsTo restore system settings Go to System Status Status Restoring a FortiLog unitTo upload the firmware image to the FortiLog unit Press any key to begin downloadConfig NetworkConfig RAID Log settings Config PolicyLog to Host PortConfig Policy Log policyCSV format Levels Description Generated byAdmin TimeOptions LanguageConfigure Administrator access Administrator account levels Administrator optionsTo add an administrator account Go to System Config Admin Devices Active modeChanging the Administrator password Editing device information Device listAdding and registering a device To edit a device Go to System Devices Alert EmailServer Creating a new device alert Device Active modeLocal Attack Type Attack Type Entry and listing Level of wait intervalVirus Type AlertsTo add a device alert Go to System Alert Email Device Window Network SharingDefining IP aliases To set host alias names Go to Reports IP Aliases IP aliasesTo create a report Go to Reports Config ReportsCreating and generating a report Select New and enter a name for the reportConfiguring report parameters To define report parameters Go to Reports ConfigSet the following Select Run nowConfiguring a report query To set the report queries Go to Reports ConfigResolve Service Names Ranked Reports show top Select a report from the list Select QueriesTo select the devices Go to Reports Config Creating a query profileSelecting the devices for the report To create a query profileTo set the filtering on a log report Go to Reports Config Creating a device profileSelect filtering options To create a device profileSetting a report schedule To create a scheduled report Go to Reports ConfigCreating a filter profile To create a report filter profileCreating a report schedule profile Choosing the report destination and formatSelect Schedule Select a day from the following To create a report schedule profileTo generate a report on demand Go to Reports Config Creating a report destination and format profileReports on demand To create a pre-defined output selectionViewing reports To view a generated report Go to File Browse ReportsRoll up report Individual reportsCreating and generating a report To create a report Go to Reports Config VulnerabilityVulnerability reports Selecting plug-ins Per device Resolve Host Names Resolve Service NamesSelecting report result parameters To select the plug-ins Go to Reports Config Vulnerabilities Creating a plug-in profileSelecting the scan targets for the report To create a plug-in profileTo create a scan target profile Creating a scan target profileTo add additional devices File Browse/Reports hard diskEmail list As an email attachmentViewing the vulnerability report Select the report name from the list of completed reportsUsing Logs Log view interface Viewing logsFinding log information To view the device log files Go to File Browse LogsSelect the column header to change the sort order between Ascending and descending orderBasic log filter Importing log files Alert levelTo import a log file Go to File Browse Logs Match Up and Down arrowsLog watch Active mode Log SearchTo set log watching Go to File Browse Logs Show Up and Down arrowsEvent correlation Active mode Sort listEvent correlation Active mode Using the FortiLog unit as a NAS Connecting to the FortiLog file systemProviding access to the FortiLog hard disk Select Enable for a file sharing protocolSelecting a file sharing protocol Adding and modifying user accountsAssigning access to folders Adding and modifying group accountsTo add a user group Go to Network Sharing Groups Select Create NewWindows sharing configuration Modifying the user or group folder access NFS share configurationOwner Setting folder and file propertiesTo set file and folder permissions Go to File Browse Files FortiLog CLI reference CLI documentation conventionsConnecting to the CLI Connecting to the FortiLog-800 consoleFortiLog-800 login To connect to the FortiLog-800 consoleWelcome Setting administrative access for SSH or TelnetTo use the CLI to configure SSH or Telnet access Connecting to the FortiLog CLI using SSH Connecting to the FortiLog CLI using TelnetTo connect to the CLI using SSH To connect to the CLI using TelnetExecute branch CLI commandsFortiLog CLI commands include Get branch Use get to display settings, logs, or system informationGet command architecture Get log logsetting Get system adminGet report resolve Get report aliasesUse set to configure settings, logs, or system information Use set alertemail to configure alert mailsSet alertemail command architecture Set branchString is the password Namestr is the user nameBelow Set alertmail local time 0.5 1.0 3.0 6.0Settings originate from a singe source IP CLI commandsSet alertmail device enable add leveltime Use set console to set console configuration Set consoleSet log Use set log to configure log settingsSet log command architecture YY-MM-DD 100 101 102 Set NAS 103Set report command architecture Set reportSet system 104105 106 107 108 0.0Trusthoststr is trusted host IP address Netmaskstr is the netmask109 Unset branch 111 112 Appendix a Log Report Types Network ActivityWeb Activity 113FTP Activity Terminal Activity Mail Activity115 Mail activity reports record Email traffic and connectionsWeb Filter Activity Intrusion ActivityAntivirus Activity Mail Filter Activity 117Content Activity VPN Activity119 120 Index 121122 Index123 124

Event correlation (Active mode)