FortiAnalyzer – Device Manager – FortiOS 6.2.3

Device Manager

Use the Device Manager pane to add, configure, and manage devices and VDOMs.

After you add and authorize a device or VDOM, the FortiAnalyzer unit starts collecting logs from that device or VDOM. You can configure the FortiAnalyzer unit to forward logs to another device. See Log Forwarding on page 190.

ADOMs

You can organize connected devices into ADOMs to better manage the devices. ADOMs can be organized by:

  • Firmware version: group all 6.0 devices into one ADOM, and all 6.2 devices into another.
  • Geographic regions: group all devices for a specific geographic region into an ADOM, and devices for a separate region into another ADOM.
  • Administrator users: group devices into separate ADOMs based on the specific administrators responsible for the group of devices.
  • Customers: group all devices for one customer into an ADOM, and devices for another customer into another ADOM.
  • Security Fabric: group all devices that are within the Security Fabric.

FortiAnalyzer, FortiCache, FortiClient, FortiDDos, FortiMail, FortiManager, FortiSandbox, FortiWeb, Chassis, and FortiCarrier devices are automatically placed in their own ADOMs.

Each administrator profile can be customized to provide read-only, read/write, or restricted access to various ADOM settings. When creating new administrator accounts, you can restrict which ADOMs the administrator can access, for enhanced control of your administrator users. For more information on ADOM configuration and settings, see Administrative Domains on page 176.

FortiClient EMS devices

You can add FortiClient EMS servers to FortiAnalyzer. Authorized FortiClient EMS servers are added to the default FortiClient ADOM. You must enable ADOMs to work with FortiClient EMS servers in FortiAnalyzer. When you select the FortiClient ADOM and go to the Device Manager pane, the FortiClient EMS servers are displayed. See also FortiClient support and ADOMs on page 178.

Unauthorized devices

When a device is configured to send logs to FortiAnalyzer, the unauthorized device is displayed in the Device Manager > Devices Unauthorized pane. You can then add devices to specific ADOMs or delete devices by using the toolbar buttons or the right-click menu.

Using FortiManager to manage FortiAnalyzer devices

You can add FortiAnalyzer devices to FortiManager and manage them. When you add a FortiAnalyzer device to FortiManager, FortiManager automatically enables FortiAnalyzer features. FortiAnalyzer and FortiManager must be running the same OS version, and that version must be 5.6 or later.

In the Device Manager pane, a message informs you the device is managed by FortiManager and all changes should be performed on FortiManager to avoid conflict. The top right of this pane displays a lock icon. If ADOMs are enabled, the System Settings > All ADOMs pane displays a lock icon beside the ADOM managed by FortiManager.

Logs are stored on the FortiAnalyzer device, not the FortiManager device. You configure log storage settings on the FortiAnalyzer device; you cannot change log storage settings using FortiManager.

For more information, see Adding FortiAnalyzer devices in the FortiManager Administration Guide.

Adding devices

You must add and authorize devices and VDOMs to FortiAnalyzer to enable the device or VDOM to send logs to FortiAnalyzer. Authorized devices are also known as devices that have been promoted to the DVM table.

You must configure devices to send logs to FortiAnalyzer. For example, after you add and authorize a FortiGate device with FortiAnalyzer, you must also configure the FortiGate device to send logs to FortiAnalyzer. In the FortiGate GUI, go to Log & Report > Log Settings, and enable Send Logs to FortiAnalyzer/FortiManager.

Adding devices using the wizard

You can add devices and VDOMs to FortiAnalyzer using the Add Device wizard. When the wizard finishes, the device is added to the FortiAnalyzer unit, authorized, and is ready to start sending logs.

To add devices using the wizard:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Device Manager and click Add Device.
  3. Configure the following settings:
       • IP Address: Type the IP address for the device.
       • SN: Type the serial number for the device.
       • Device Name: Type a name for the device.
       • Device Model: Select the model of the device.
       • Firmware Version: Select the firmware version of the device.
       • Description: Type a description of the device (optional).
  4. Click Next. The device is added to the ADOM and, if successful, is ready to begin sending logs to the FortiAnalyzer unit.
  5. Click Finish to finish adding the device and close the wizard.

Authorizing devices

You can configure supported devices to send logs to the FortiAnalyzer device. These devices are displayed in the root ADOM as unauthorized devices. You can quickly view unauthorized devices by clicking Unauthorized Devices in the quick status bar. You must authorize the devices before FortiAnalyzer can start receiving logs from the devices.

When ADOMs are enabled, you can assign the device to an ADOM. When authorizing multiple devices at one time, they are all added to the same ADOM.

When you delete a device or VDOM from the FortiAnalyzer unit, its raw log files are also deleted. SQL database logs are not deleted.

To authorize devices:

  1. In the root ADOM, go to Device Manager and click Unauthorized Devices in the quick status bar. The content pane displays the unauthorized devices.
  2. If necessary, select the Display Hidden Devices check box to display hidden unauthorized devices.
  3. Select the unauthorized device or devices, then click Authorize. The Authorize Device dialog box opens.
  4. If ADOMs are enabled, select the ADOM in the Add the following device(s) to ADOM list. If ADOMs are disabled, select root.
  5. Click OK to authorize the device or devices.

The device or devices are authorized and FortiAnalyzer can start receiving logs from the device or devices.
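Because any device configured to send logs shows up as unauthorized, it helps to reconcile the pending list against an asset inventory before clicking Authorize. The following is an added example, not part of the original guide or any Fortinet tooling: the inventory layout, subnets, ADOM names, and serial numbers are all constructed. It also batches approved devices per ADOM, since devices authorized together all land in the same ADOM.

```python
import ipaddress
from collections import defaultdict

# Constructed asset inventory: serial -> (expected management subnet, target ADOM).
APPROVED = {
    "SN-EXAMPLE-0001": ("10.10.1.0/24", "customer-a"),
    "SN-EXAMPLE-0002": ("10.10.1.0/24", "customer-a"),
    "SN-EXAMPLE-0003": ("10.20.5.0/24", "customer-b"),
}

# Constructed copy of the unauthorized-device list: (serial, source IP, device name).
UNAUTHORIZED = [
    ("SN-EXAMPLE-0001", "10.10.1.11", "edge-fw-1"),
    ("SN-EXAMPLE-0002", "192.0.2.50", "edge-fw-2"),    # known serial, unexpected source
    ("SN-EXAMPLE-0003", "10.20.5.7", "branch-fw-1"),
    ("SN-EXAMPLE-9999", "10.10.1.99", "unknown-box"),  # not in the asset inventory
]


def plan_authorization(unauthorized, approved):
    """Split pending devices into per-ADOM batches to authorize and a hold list."""
    batches = defaultdict(list)  # ADOM -> serials that can be authorized together
    held = []                    # (serial, name, reason) needing manual review
    for serial, ip, name in unauthorized:
        record = approved.get(serial)
        if record is None:
            held.append((serial, name, "serial not in asset inventory"))
            continue
        subnet, adom = record
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(subnet):
            held.append((serial, name, f"source {ip} outside {subnet}"))
            continue
        batches[adom].append(serial)
    return dict(batches), held


if __name__ == "__main__":
    batches, held = plan_authorization(UNAUTHORIZED, APPROVED)
    for adom, serials in sorted(batches.items()):
        print(f"authorize into ADOM {adom}: {serials}")
    for serial, name, reason in held:
        print(f"hold {serial} ({name}): {reason}")
```

Each per-ADOM batch corresponds to one pass through the Authorize dialog; held devices stay unauthorized (or hidden) until someone confirms what they are.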

Hiding unauthorized devices

You can hide unauthorized devices from view, and choose when to view hidden devices. You can authorize or delete hidden devices.

To hide and display unauthorized devices:

  1. In the root ADOM, go to Device Manager and click Unauthorized Devices in the quick status bar. The content pane displays the unauthorized devices.
  2. Select the unauthorized device or devices, then click Hide. The unauthorized devices are hidden from view.

You can view hidden devices by selecting the Display Hidden Devices check box.

Adding an HA cluster

You can use an HA cluster to synchronize logs and data securely among multiple FortiGate devices.

An HA cluster can have a maximum of four devices: one primary or master device with up to three backup or slave devices. All the devices in the cluster must be of the same FortiGate series and must be visible on the network.

You can use auto-grouping in FortiAnalyzer to group devices in a cluster based on the group name specified in FortiGate’s HA cluster configuration. For auto-grouping to work properly, each FortiGate cluster requires a unique group name.

If a unique group name is not used, auto-grouping should be disabled.

FAZ # config system global
(global)# set ha-member-auto-grouping disable
(global)# end
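The constraints above (unique group names for auto-grouping, at most four members, one FortiGate series per cluster) can be checked against an inventory before clusters are defined. This is an added example, not code from the guide or from Fortinet: the row layout, the real_cluster label, and all serials and names are constructed assumptions.

```python
from collections import defaultdict

MAX_CLUSTER_SIZE = 4  # one primary plus up to three backups, per the guide

# Constructed inventory rows: (serial, series, ha_group_name, real_cluster).
# "real_cluster" is a hypothetical label for the cluster a device truly belongs to.
SAMPLE_INVENTORY = [
    ("SN-EXAMPLE-0001", "100E", "HA-EDGE", "site-a"),
    ("SN-EXAMPLE-0002", "100E", "HA-EDGE", "site-a"),
    ("SN-EXAMPLE-0003", "200E", "HA-EDGE", "site-b"),   # group name reused by site-b
    ("SN-EXAMPLE-0004", "200E", "HA-EDGE", "site-b"),
    ("SN-EXAMPLE-0005", "60F", "HA-BRANCH", "site-c"),
    ("SN-EXAMPLE-0006", "80F", "HA-BRANCH", "site-c"),  # mixed series in one cluster
]


def check_ha_inventory(devices):
    """Return (findings, auto_grouping_safe) for the constraints the guide states."""
    clusters = defaultdict(list)  # real cluster -> [(serial, series)]
    names = defaultdict(set)      # HA group name -> {real clusters using it}
    for serial, series, group, cluster in devices:
        clusters[cluster].append((serial, series))
        names[group].add(cluster)

    findings = []
    for group, users in sorted(names.items()):
        if len(users) > 1:
            findings.append(("duplicate-group-name", group, sorted(users)))
    for cluster, members in sorted(clusters.items()):
        if len(members) > MAX_CLUSTER_SIZE:
            findings.append(("too-many-members", cluster, len(members)))
        series_seen = sorted({series for _, series in members})
        if len(series_seen) > 1:
            findings.append(("mixed-series", cluster, series_seen))

    # Auto-grouping is based on the HA group name, so any reuse makes it unsafe.
    safe = not any(kind == "duplicate-group-name" for kind, *_ in findings)
    return findings, safe


if __name__ == "__main__":
    findings, safe = check_ha_inventory(SAMPLE_INVENTORY)
    for finding in findings:
        print(finding)
    if not safe:
        print("Group names collide: set ha-member-auto-grouping disable")
```

A duplicate-group-name finding means either the FortiGate clusters need distinct group names or auto-grouping should be disabled with the CLI setting shown above.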

To create an HA cluster:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Add the devices to the Device Manager.
  3. Choose a master device, and click Edit.
  4. In the Edit Device pane, select HA Cluster.
  5. From the Add Existing Device list, select a device, and click Add.
  6. Optionally, you can use the Add Other Device field to add a new device.
  7. Add more devices as necessary, and click OK. The maximum is three slave devices.

To view the HA in the Device Manager, click Column Settings > HA Status.

Managing devices

Use the tools and commands in the Device Manager pane to manage devices and VDOMs.

Using the quick status bar

You can see the quick status bar at the top of the Device Manager pane. The quick status bar contains the following tabs:

  • Devices Total: Displays the authorized devices.
  • Devices Unauthorized: Displays the unauthorized devices.
  • Devices Log Status Down: Displays the authorized devices with a log status of down.
  • Storage Used: Displays the Log View > Storage Statistics

The Devices Total, Devices Unauthorized, and the Devices Log Status Down tabs include the following default columns:

  • Device Name: Displays the name of the device.
  • IP Address: Displays the IP address for the device.
  • Platform: Displays the platform for the device.
  • Logs: Identifies whether the device is successfully sending logs to the FortiAnalyzer unit. A green circle indicates that logs are being sent. A red circle indicates that logs are not being sent. A lock icon displays when a secure tunnel is being used to transfer logs from the device to the FortiAnalyzer unit.
  • Average Log Rate (Logs/Sec): Displays the average rate at which the device is sending logs to the FortiAnalyzer unit in log rate per second. Click the number to display a graph of historical average log rates.
  • Device Storage: Displays how much of the allotted disk space has been consumed by logs.
  • Description: Displays a description of the device (not displayed in Devices Unauthorized tab).

Using the toolbar

The following buttons and menus are available for selection on the toolbar:

  • Add Device: Opens the Add Device Wizard to add a device to the FortiAnalyzer unit. The device is added, but not authorized. Unauthorized devices are displayed in the Unauthorized Devices tree menu.
  • Edit: Edits the selected device.
  • Delete: Deletes the selected devices or VDOMs from the FortiAnalyzer unit. When you delete a device, its raw log files are also deleted. SQL database logs are not deleted.
  • Column Settings: Click to select which columns to display or select Reset to Default to display the default columns.
  • More: Displays more menu items including Import Device List and Export Device List.
  • Search: Type the name of a device. The content pane displays the results. Clear the search box to display all devices in the content pane.

Editing device information

Use the Edit Device page to edit information about a device. The information and options available on the Edit Device page depend on the device type, firmware version, and which features are enabled.

To edit information for a device or model device:

  1. Go to Device Manager and click the Devices Total tab in the quick status bar.
  2. In the content pane, select the device or model device and click Edit, or right-click on the device and select Edit. The Edit Device pane displays.
  3. Edit the device settings and click OK.
       • Name: The name of the device.
       • Description: Descriptive information about the device.
       • IP Address: Enter the IP address of the device.
       • Serial Number: The serial number of the device.
       • Firmware Version: The firmware version.
       • Admin User: Enter the administrator user name.
       • Password: Enter the administrator user password.
       • HA Cluster: Select to identify the device as part of an HA cluster, and to identify the other devices in the cluster by selecting them from the drop-down list, or by inputting their serial numbers.
       • Geographic Coordinates: Identifies the latitude and longitude of the device location to support the interactive maps. Click Show Map to open a map showing the location of the device based on the coordinates. Click and drag the map marker to adjust the device’s location.
       • Company/Organization: Optionally, enter the company or organization information.
       • Country: Optionally, enter the country where the device is located.
       • Province/State: Optionally, enter the province or state.
       • City: Optionally, enter the city.
       • Contact: Optionally, enter the contact information.

Displaying historical average log rates

You can display a graph of the historical, average log rates for each device.

To display historical average log rates:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Device Manager and click the Devices Total tab in the quick status bar.
  3. In the Average Log Rate (Logs/Sec) column, click the number to display the graph.
  4. Hover the cursor over the graph to display more details.

Connecting to an authorized device GUI

You can connect to the GUI of an authorized device from Device Manager.

To connect to an authorized device GUI:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Device Manager and click the Devices Total tab in the quick status bar.
  3. Right-click the device that you want to access, and select Connect to Device.
  4. If necessary, change the port number and click OK.

You are directed to the Login page of the device GUI.

 


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “FortiAnalyzer – Device Manager – FortiOS 6.2.3”

  1. Richard Lopez

    You’ve always had great content. Thank you. May I ask a question? I have a problem with my FAZ running 6.0.9. I recently upgraded it 5.2 -> 5.4.7 -> 5.6.10 -> 6.0.9. All seems to be working okay except the “Device Manager” view in GUI. It shows I have no device yet, while in system settings it recognizes that there are devices in the ADOM and can expand the tree and see the device names, but when editing the ADOM there are no devices. It's very strange. Any advice would be greatly appreciated. Thank you.

    5_2 FortiGate 315.7 GB 90 Devices (including 0 VDOM)
