Setting up FortiAnalyzer – FortiOS 6.2.3

Setting up FortiAnalyzer

Connecting to the GUI

The FortiAnalyzer unit can be configured and managed using the GUI or the CLI. This section will step you through connecting to the unit via the GUI.

To connect to the GUI:

  1. Connect the FortiAnalyzer unit to a management computer using an Ethernet cable.
  2. Configure the management computer to be on the same subnet as the internal interface of the FortiAnalyzer unit:

     • IP address: 192.168.1.X
     • Netmask: 255.255.255.0

  3. On the management computer, start a supported web browser and browse to https://192.168.1.99.
  4. Type admin in the Name field, leave the Password field blank, and click Login. The Change Password dialog box is displayed.
  5. Change the default password now, or click Later to change the password later:
    1. In the New Password box, type a new password.
    2. In the Confirm Password box, type the new password again, and click OK.
  6. If ADOMs are enabled, the Select an ADOM pane is displayed. Click an ADOM to select it. The FortiAnalyzer home page is displayed.
  7. Click a tile to go to that pane. For example, click the Device Manager tile to go to the Device Manager pane. See also GUI overview on page 12.

If the network interfaces have been configured differently during installation, the URL and/or permitted administrative access protocols (such as HTTPS) may no longer be in their default state.


For information on enabling administrative access protocols and configuring IP addresses, see Configuring network interfaces on page 167.

After logging in for the first time, you should create an administrator account for yourself and assign the Super_User profile to it. Then you should log into the FortiAnalyzer unit by using the new administrator account. See Managing administrator accounts on page 223 for information.

Security considerations

You can take steps to prevent unauthorized access and restrict access to the GUI. This section includes the following information:

  • Restricting GUI access by trusted host on page 11
  • Other security considerations on page 11

Restricting GUI access by trusted host

To prevent unauthorized access to the GUI you can configure administrator accounts with trusted hosts. With trusted hosts configured, the administrator user can only log into the GUI when working on a computer with the trusted host as defined in the administrator account. You can configure up to ten trusted hosts per administrator account. See Administrators on page 222 for more details.

Other security considerations

Other security considerations for restricting access to the FortiAnalyzer GUI include the following:

  • Configure administrator accounts using a complex passphrase for local accounts.
  • Configure administrator accounts using RADIUS, LDAP, TACACS+, or PKI.
  • Configure the administrator profile to only allow read/write permission as required, and restrict access using read-only or no permission to settings which are not applicable to that administrator.
  • Configure the administrator account to only allow access to specific ADOMs as required.

When setting up FortiAnalyzer for the first time or after a factory reset, the password cannot be left blank. You are required to set a password when the admin user tries to log in to FortiManager from GUI or CLI for the first time. This is applicable to a hardware device as well as a VM. This is to ensure that administrators do not forget to set a password when setting up FortiAnalyzer for the first time.

After the initial setup, you can set a blank password from System Settings > Administrators.
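The trusted-host, remote-authentication, least-privilege profile and ADOM restrictions described above combined in one account, as an added example of the CLI equivalent (this is not from the Fortinet guide). The account name, server name, ADOM name, profile name and IP ranges are placeholders, and the keyword spellings follow the FortiAnalyzer CLI as recalled by the editor, so check them against the CLI Reference for your build before use.

```text
# Added example (not from the Fortinet guide): one administrator account that applies
# the controls from the "Security considerations" section. All values are placeholders.
config system admin user
    edit "secops-ro"
        # Trusted hosts: logins are accepted only from these sources.
        # FortiAnalyzer allows up to ten (trusthost1 ... trusthost10) per account.
        set trusthost1 10.10.20.0 255.255.255.0
        set trusthost2 10.10.21.15 255.255.255.255
        # Authenticate against a RADIUS server (assumed to be defined under
        # "config system admin radius") instead of a local password.
        set user_type radius
        set radius_server "corp-radius"
        # Least privilege: a read-only profile (assumed to exist under
        # "config system admin profile"; Restricted_User is the built-in read-only profile).
        set profileid "Restricted_User"
        # Limit visibility to a single ADOM rather than all ADOMs.
        set adom "branch-office"
    next
end
```

The same settings are reachable in the GUI under System Settings > Administrators; the CLI form is convenient when you want the account definition under version control.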

GUI overview

When you log into the FortiAnalyzer GUI, the following home page of tiles is displayed:

Select one of the following tiles to display the respective pane. The available tiles vary depending on the privileges of the current user.

Device Manager: Add and manage devices and VDOMs. See Device Manager on page 24.
Fabric View: Configure fabric connectors. See Fabric View on page 32.
SOC: Summarizes SOC information in FortiView and Monitors dashboards, which include widgets displaying log data in graphical formats, network security, WiFi security, and system performance in real time. This pane is not available when the unit is in Collector mode.
Log View: View logs for managed devices. You can display, download, import, and delete logs on this page. You can also define custom views and create log groups. See Log View and Log Quota Management on page 42.
Incidents & Events: Configure and view events for logging devices. See Incident and Event Management on page 61. This pane is not available when the unit is in Collector mode.
Reports: Generate reports. You can also configure report templates, schedules, and output profiles, and manage charts and datasets. See Reports on page 111. This pane is not available when the unit is in Collector mode.
FortiRecorder: Manage FortiCamera devices and view camera streams and recordings through the Monitors dashboard. This pane is only available in physical appliances and is disabled by default. See FortiRecorder on page 143. This pane is not available when the unit is in Collector mode.
System Settings: Configure system settings such as network interfaces, administrators, system time, server settings, and others. You can also perform maintenance and firmware operations. See System Settings on page 154.

The top-right corner of the home page includes a variety of possible selections:

ADOM: If ADOMs are enabled, the required ADOM can be selected from the dropdown list. The ADOMs available from the ADOM menu will vary depending on the privileges of the current user.
Full Screen: Click to view only the content pane in the browser window. See Full-screen mode on page 15.
Help: Click to open the FortiAnalyzer online help, or view the About information for your device (Product, Version, and Build Number). You can also open the FortiAnalyzer basic setup video (https://video.fortinet.com/video/208/fortianalyzer-basic-setup).
CLI Console: Click the CLI Console icon on the right side of the banner on any page. The CLI console is a terminal window that enables you to configure the FortiAnalyzer unit using CLI commands directly from the GUI, without making a separate SSH or local console connection to access the CLI. When using the CLI console, you are logged in with the same administrator account that you used to access the GUI. You can enter commands by typing them, or you can copy and paste commands into or out of the console. Click Detach in the CLI Console toolbar to open the console in a separate window. Note: The CLI Console requires that your web browser support JavaScript.
Notification: Click to display a list of notifications. Select a notification from the list to take action on the issue.
admin: Click to change the password or log out of the GUI.

Panes

In general, panes have four primary parts: the banner, toolbar, tree menu, and content pane.

Banner: Along the top of the page; includes the home button (Fortinet logo), tile menu, ADOM menu (when enabled), admin menu, notifications, help button, and CLI console button.
Tree menu: On the left side of the screen; includes the menus for the selected pane. Not available in Device Manager.
Content pane: Contains widgets, lists, configuration options, or other information, depending on the pane, menu, or options that are selected. Most management tasks are handled in the content pane.
Toolbar: Directly above the content pane; includes options for managing content in the content pane, such as Create New and Delete.

To switch between panes, either select the home button to return to the home page, or select the tile menu then select a new tile.

Color themes

You can choose a color theme for the FortiAnalyzer GUI. For example, you can choose a color, such as blue or plum, or you can choose an image, such as summer or autumn. See Global administration settings on page 243.

Full-screen mode

You can view several panes in full-screen mode. When a pane is in full-screen mode, the tree menu on the left side of the screen is hidden.

Click the Full Screen button in the toolbar to enter full-screen mode, and press the Esc key on your keyboard to exit full-screen mode.

Switching between ADOMs

When ADOMs are enabled, you can move between ADOMs by selecting an ADOM from the ADOM menu in the banner.

ADOM access is controlled by administrator accounts and the profile assigned to the administrator account. Depending on your account privileges, you might not have access to all ADOMs. See Managing administrator accounts on page 223 for more information.

Using the right-click menu

Options are sometimes available using the right-click menu. Right-click an item in the content pane, or within some of the tree menus, to display the menu that includes various options similar to those available in the toolbar.

In the following example on the Reports pane, you can right-click a template, and select Create New, View, Clone, or Create Report.

Avatars

When FortiClient sends logs to FortiAnalyzer, an avatar for each user can be displayed in the Source column in the SOC > FortiView and Log View panes. FortiAnalyzer can display an avatar when the following requirements are met:

  • FortiClient is managed by FortiGate or FortiClient EMS with logging to FortiAnalyzer enabled.
  • FortiClient sends logs and a picture of each user to FortiAnalyzer.

If FortiAnalyzer cannot find the defined picture, a generic, gray avatar is displayed.

Showing and hiding passwords

In some cases you can show and hide passwords by using the toggle icon. When you can view the password, the Toggle show password icon is displayed:

When you can hide the password, the Toggle hide password icon is displayed:

Target audience and access level

This guide is intended for administrators with full privileges, who can access all panes in the FortiAnalyzer GUI, including the System Settings pane.

In FortiAnalyzer, administrator privileges are controlled by administrator profiles. Administrators who are assigned profiles with limited privileges might be unable to view some panes in the GUI and might be unable to perform some tasks described in this guide. For more information about administrator profiles, see Administrator profiles on page 228.

If you logged in by using the admin administrator account, you have the Super_User administrator profile, which is assigned to the admin account by default and gives the admin administrator full privileges.

Initial setup

This topic provides an overview of the tasks that you need to do to get your FortiAnalyzer unit up and running.

To set up FortiAnalyzer:

  1. Connect to the GUI. See Connecting to the GUI on page 10.
  2. Configure the RAID level, if the FortiAnalyzer unit supports RAID. See Configuring the RAID level on page 174.
  3. Configure network settings. See Configuring network interfaces on page 167.

Once the IP address of the administrative port of FortiAnalyzer is changed, you will lose connection to FortiAnalyzer. You will have to reconfigure the IP address of the management computer to connect again to FortiAnalyzer and continue.

  4. (Optional) Configure administrative domains. See Managing ADOMs on page 180.
  5. Configure administrator accounts. See Managing administrator accounts on page 223.
  6. Add devices to the FortiAnalyzer unit so that the devices can send logs to the FortiAnalyzer unit. See Adding devices on page 25.
  7. Configure the operation mode. See Configuring the operation mode on page 161 and Two operation modes on page 19.

FortiManager features

FortiManager features are not available in FortiAnalyzer 6.2.0 and up.

For information about FortiManager, see the FortiManager Administration Guide.

If FortiManager features are enabled in FortiAnalyzer before upgrading to 6.2.0 and later, the existing feature configurations will continue to be available after the upgrade. FortiManager features carried over during an upgrade can be disabled through the CLI console.

Next steps

Now that you have set up your FortiAnalyzer units and they have started receiving logs from the devices, you can start monitoring and interpreting data. You can:

  • View log messages collected by the FortiAnalyzer unit in Log View. See Types of logs collected for each device on page 42.
  • View multiple panes of network activity in SOC (Security Operations Center). See SOC Monitoring on page 87.
  • View summaries of threats, traffic, and more in SOC > FortiView. See FortiView on page 98.
  • Generate and view events in Incidents & Events. See Incident and Event Management on page 61.
  • Generate and view reports in Reports. See Reports on page 111.

Restarting and shutting down

Always use the operation options in the GUI or the CLI commands to reboot and shut down the FortiAnalyzer system to avoid potential configuration problems.

To restart the FortiAnalyzer unit from the GUI:

  1. Go to System Settings > Dashboard.
  2. In the Unit Operation widget, click Restart.
  3. Enter a message for the event log, then click OK to restart the system.

To restart the FortiAnalyzer unit from the CLI:

  1. From the CLI, or in the CLI Console menu, enter the following command:

       execute reboot

     The system prompts:

       The system will be rebooted.
       Do you want to continue? (y/n)

  2. Enter y to continue. The FortiAnalyzer system will restart.

To shut down the FortiAnalyzer unit from the GUI:

  1. Go to System Settings > Dashboard.
  2. In the Unit Operation widget, click Shutdown.
  3. Enter a message for the event log, then click OK to shut down the system.

To shut down the FortiAnalyzer unit from the CLI:

  1. From the CLI, or in the CLI Console menu, enter the following command:

       execute shutdown

     The system prompts:

       The system will be halted.
       Do you want to continue? (y/n)

  2. Enter y to continue. The FortiAnalyzer system will shut down.

To reset the FortiAnalyzer unit:

  1. From the CLI, or in the CLI Console menu, enter the following command:

       execute reset all-settings

     The system prompts:

       This operation will reset all settings to factory defaults
       Do you want to continue? (y/n)

  2. Enter y to continue. The device will reset to factory default settings and restart.

To reset logs and re-transfer all SQL logs to the database:

  1. From the CLI, or in the CLI Console menu, enter the following command:

       execute reset-sqllog-transfer

     The system prompts:

       WARNING: This operation will re-transfer all logs into database. Do you want to continue? (y/n)

  2. Enter y to continue. All SQL logs will be resent to the database.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
