Author Archives: Mike

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. A major pet peeve of Michael's is the plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (cybersecurity consulting firm).

File Management – FortiAnalyzer – FortiOS 6.2.3

File Management

FortiAnalyzer allows you to configure automatic deletion of device log files, quarantined files, reports, and content archive files after a set period of time.

Go to System Settings > Advanced > File Management to configure file management settings.

Configure the following settings, and then select Apply:

Device log files older than: Select to enable automatic deletion of compressed log files. Enter a value in the text field, select the time period (Days, Weeks, or Months), and choose a time of day.

Reports older than: Select to enable automatic deletion of reports of data from compressed log files. Enter a value in the text field, select the time period, and choose a time of day.

Content archive files older than: Select to enable automatic deletion of IPS and DLP archives from Archive logs. Enter a value in the text field, select the time period, and choose a time of day.

Quarantined files older than: Select to enable automatic deletion of compressed log files of quarantined files. Enter a value in the text field, select the time period, and choose a time of day.

The time period you select determines how often the item is checked. If you select Months, then the item is checked once per month. If you select Weeks, then the item is checked once per week, and so on. For example, if you specify Device log files older than 3 Months, then on July 1 the logs for April, May, and June are kept and the logs for March and older are deleted.

Device logs – FortiAnalyzer – FortiOS 6.2.3

Device logs

The FortiAnalyzer allows you to log system events to disk. You can control device log file size and the use of the FortiAnalyzer unit’s disk space by configuring log rolling and scheduled uploads to a server.

As the FortiAnalyzer unit receives new log items, it performs the following tasks:
    • Verifies whether the log file has exceeded its file size limit.
    • Checks to see if it is time to roll the log file if the file size is not exceeded.

When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log (for example, tlog.1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. The file modification time will match the time when the last log was received in the log file.

Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new current log called tlog.log. If log uploading is enabled, once logs are uploaded to the remote server or downloaded via the GUI, they are in the following format:

FG3K6A3406600001-tlog.1252929496.log-2017-09-29-08-03-54.gz

If you have enabled log uploading, you can choose to automatically delete the rolled log file after uploading, thereby freeing the amount of disk space used by rolled log files. If the log upload fails, such as when the FTP server is unavailable, the logs are uploaded during the next scheduled upload.
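A check a practitioner might run on the upload server, added here as an example and not code from the original page or from Fortinet: it parses uploaded file names in the format shown above and flags devices whose uploads have stopped, since a device that is no longer rolling and uploading logs never produces a new file. The optional `.gz` suffix (present only when gzip upload is enabled), the upload stamp being in the appliance's local time, and the FGTEXAMPLE serials are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Rolled-log file name as it appears after upload or download (format from the text above):
#   <serial>-<x>log.<N>.log-<YYYY-MM-DD-HH-MM-SS>[.gz]
# x is the one-letter log type, N is the Unix time of the first entry in the file, and the
# trailing timestamp is stamped at upload. The optional ".gz" is an assumption: it is
# present only when "Upload rolled files in gzip file format" is enabled.
ROLLED_LOG_RE = re.compile(
    r"^(?P<serial>[A-Z0-9]+)-"
    r"(?P<logtype>[a-z])log\.(?P<epoch>\d+)\.log-"
    r"(?P<stamp>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})"
    r"(?P<gz>\.gz)?$"
)
STAMP_FMT = "%Y-%m-%d-%H-%M-%S"


def parse_rolled_log_name(name):
    """Split one uploaded file name into its fields; return None if it is not a rolled log."""
    m = ROLLED_LOG_RE.match(name)
    if m is None:
        return None
    epoch = int(m.group("epoch"))
    return {
        "serial": m.group("serial"),
        "log_type": m.group("logtype"),
        "first_entry_epoch": epoch,
        # N is a Unix time, so it is unambiguous (UTC).
        "first_entry_utc": datetime.fromtimestamp(epoch, tz=timezone.utc),
        # Assumption: the upload stamp is appliance local time, so keep it naive and only
        # compare it against a clock in that same time zone.
        "uploaded": datetime.strptime(m.group("stamp"), STAMP_FMT),
        "gzipped": m.group("gz") is not None,
    }


def audit_log_sources(names, expected_serials, now, max_age):
    """Flag log sources that look silent.

    stale   - serials whose newest upload is older than max_age relative to `now`
    missing - expected serials with no uploaded file at all
    The missing check is what catches a device that was unplugged or misconfigured before
    it ever uploaded; the stale check catches one that went quiet later.
    """
    newest = {}
    for name in names:
        rec = parse_rolled_log_name(name)
        if rec is None:
            continue  # not a rolled log (e.g. a stray file in the upload directory)
        serial = rec["serial"]
        if serial not in newest or rec["uploaded"] > newest[serial]:
            newest[serial] = rec["uploaded"]
    stale = sorted(s for s, t in newest.items() if now - t > max_age)
    missing = sorted(s for s in expected_serials if s not in newest)
    return {"stale": stale, "missing": missing}


# Constructed sample listing of an upload directory. The first name is the example from
# the text; the FGTEXAMPLE serials are placeholders, not real devices.
SAMPLE_FILES = [
    "FG3K6A3406600001-tlog.1252929496.log-2017-09-29-08-03-54.gz",
    "FGTEXAMPLE000002-tlog.1506672000.log-2017-09-29-09-00-00.gz",
    "FGTEXAMPLE000002-elog.1506733200.log-2017-09-30-02-00-00.gz",
    "README.txt",
]
EXPECTED_SERIALS = ["FG3K6A3406600001", "FGTEXAMPLE000002", "FGTEXAMPLE000003"]


def run_demo():
    """Audit the constructed listing as of 2017-09-30 12:00 with a 24-hour tolerance."""
    return audit_log_sources(SAMPLE_FILES, EXPECTED_SERIALS,
                             now=datetime(2017, 9, 30, 12, 0, 0),
                             max_age=timedelta(hours=24))


if __name__ == "__main__":
    for sample in SAMPLE_FILES:
        print(sample, "->", parse_rolled_log_name(sample))
    print(run_demo())
```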

Log rolling and uploading can be enabled and configured using the GUI or CLI.

Configuring rolling and uploading of logs using the GUI

Go to System Settings > Advanced > Device Log Setting to configure device log settings.

Configure the following settings, and then select Apply:

Registered Device Logs

Roll log file when size exceeds: Enter the log file size, from 10 to 500 MB. Default: 200 MB.
Roll log files at scheduled time: Select to roll logs daily or weekly. Daily: select the hour and minute value in the dropdown lists. Weekly: select the day, hour, and minute value in the dropdown lists.
Upload logs using a standard file transfer protocol: Select to upload logs and configure the following settings.
Upload Server Type: Select one of FTP, SFTP, or SCP.
Upload Server IP: Enter the IP address of the upload server.
User Name: Enter the username used to connect to the upload server.
Password: Enter the password used to connect to the upload server.
Remote Directory: Enter the remote directory on the upload server where the log will be uploaded.
Upload Log Files: Select to upload log files when they are rolled according to settings selected under Roll Logs, or daily at a specific hour.
Upload rolled files in gzip file format: Select to gzip the logs before uploading. This will result in smaller logs and faster upload times.
Delete files after uploading: Select to remove device log files from the FortiAnalyzer system after they have been uploaded to the Upload Server.

Local Device Log

Send the local event logs to FortiAnalyzer / FortiManager: Select to send local event logs to another FortiAnalyzer or FortiManager device.
IP Address: Enter the IP address of the FortiAnalyzer or FortiManager.
Upload Option: Select to upload logs in real time or at a scheduled time. When selecting a scheduled time, you can specify the hour and minute to upload logs each day.
Severity Level: Select the minimum log severity level from the dropdown list. This option is only available when Upload Option is Realtime.
Reliable log transmission: Select to use reliable log transmission.
Secure connection: Select to use a secure connection for log transmission. This option is only available when Reliable log transmission is selected.

Configuring rolling and uploading of logs using the CLI

Log rolling and uploading can be enabled and configured using the CLI. For more information, see the FortiAnalyzer CLI Reference.

Enable or disable log file uploads

Use the following CLI commands to enable or disable log file uploads.

To enable log uploads:

    config system log settings
        config rolling-regular
            set upload enable
        end
    end

To disable log uploads:

    config system log settings
        config rolling-regular
            set upload disable
        end
    end

Roll logs when they reach a specific size

Use the following CLI commands to specify the size, in MB, at which a log file is rolled.

To roll logs when they reach a specific size:

    config system log settings
        config rolling-regular
            set file-size <integer>
        end
    end

Roll logs on a schedule

Use the following CLI commands to configure rolling logs on a set schedule, or never.

To disable log rolling:

    config system log settings
        config rolling-regular
            set when none
        end
    end

To enable daily log rolling:

    config system log settings
        config rolling-regular
            set upload enable
            set when daily
            set hour <integer>
            set min <integer>
        end
    end

To enable weekly log rolling:

    config system log settings
        config rolling-regular
            set when weekly
            set days {mon | tue | wed | thu | fri | sat | sun}
            set hour <integer>
            set min <integer>
        end
    end

Upload logs to cloud storage

The FortiAnalyzer can be set to upload logs to cloud storage. Before enabling this feature, you must have a valid Storage Connector Service license. See the License Information widget.

For information on setting up a storage fabric connector, see Creating or editing storage connectors.

To upload logs to cloud storage:

  1. Go to System Settings > Advanced > Device Log Settings.
  2. Select Create New.
  3. Complete the following options, and click OK.

    • Enter a name for the cloud storage.
    • In the Cloud Storage Connector list, select a Fabric Connector.
    • In the Remote Path box, type the bucket or container name from the storage account.

Meta Fields – FortiAnalyzer – FortiOS 6.2.3

Meta Fields

Meta fields allow administrators to add extra information when configuring, adding, or maintaining FortiGate units or adding new administrators. You can make the fields mandatory or optional, and set the length of the field.

With the fields set as mandatory, administrators must supply additional information when they create a new FortiGate object, such as an administrator account or firewall policy. Fields for this new information are added to the FortiGate unit dialog boxes in the locations where you create these objects. You can also provide fields for optional additional information.

Go to System Settings > Advanced > Meta Fields to configure meta fields. Meta fields can be added, edited, and deleted.

  1. Go to System Settings > Advanced > Meta Fields.
  2. Click Create New in the toolbar. The Create New Meta Field pane opens.
  3. Configure the following settings and then select OK to create the meta field.
    Object: The object this metadata field applies to: Devices, Device Groups, or Administrative Domains.
    Name: Enter the label to use for the field.
    Length: Select the maximum number of characters allowed for the field from the dropdown list: 20, 50, or 255.
    Importance: Select Required to make the field compulsory, otherwise select Optional.
    Status: Select Disabled to disable this field. The default selection is Enabled.

To edit a meta field:

  1. Go to System Settings > Advanced > Meta Fields.
  2. Double-click on a field, right-click on a field and then select Edit from the menu, or select a field then click Edit in the toolbar. The Edit Meta Fields pane opens.
  3. Edit the settings as required, and then click OK to apply the changes.

To delete a meta field or fields:

  1. Go to System Settings > Advanced > Meta Fields.
  2. Select the field or fields you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation box to delete the field or fields.

Syslog Server – FortiAnalyzer – FortiOS 6.2.3

Syslog Server

Go to System Settings > Advanced > Syslog Server to configure syslog server settings. Syslog servers can be added, edited, deleted, and tested.

To add a syslog server:

  1. Go to System Settings > Advanced > Syslog Server.
  2. Click Create New in the toolbar. The Create New Syslog Server Settings pane opens.
  3. Configure the following settings and then select OK to create the syslog server.
    Name: Enter a name for the syslog server.
    IP address (or FQDN): Enter the IP address or FQDN of the syslog server.
    Syslog Server Port: Enter the syslog server port number. The default port is 514.

To edit a syslog server:

  1. Go to System Settings > Advanced > Syslog Server.
  2. Double-click on a server, right-click on a server and then select Edit from the menu, or select a server then click Edit in the toolbar. The Edit Syslog Server Settings pane opens.
  3. Edit the settings as required, and then click OK to apply the changes.

To test the syslog server:

  1. Go to System Settings > Advanced > Syslog Server.
  2. Select the server you need to test.
  3. Click Test from the toolbar, or right-click and select Test. A confirmation or failure message will be displayed.

To delete a syslog server or servers:

  1. Go to System Settings > Advanced > Syslog Server.
  2. Select the server or servers you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation box to delete the server or servers.

Mail Server – FortiAnalyzer – FortiOS 6.2.3

Mail Server

A mail server allows the FortiAnalyzer to send email messages, such as notifications when reports are run or specific events occur. Mail servers can be added, edited, deleted, and tested.

Go to System Settings > Advanced > Mail Server to configure SMTP mail server settings.

To add a mail server:

  1. Go to System Settings > Advanced > Mail Server.
  2. Click Create New in the toolbar. The Create New Mail Server Settings pane opens.
  3. Configure the following settings and then select OK to create the mail server.
    SMTP Server Name: Enter a name for the SMTP server.
    Mail Server: Enter the mail server information.
    SMTP Server Port: Enter the SMTP server port number. The default port is 25.
    Enable Authentication: Select to enable authentication.
    Email Account: Enter an email account. This option is only accessible when authentication is enabled.
    Password: Enter the email account password. This option is only accessible when authentication is enabled.

To edit a mail server:

  1. Go to System Settings > Advanced > Mail Server.
  2. Double-click on a server, right-click on a server and then select Edit from the menu, or select a server then click Edit in the toolbar. The Edit Mail Server Settings pane opens.
  3. Edit the settings as required, and then click OK to apply the changes.

To test the mail server:

  1. Go to System Settings > Advanced > Mail Server.
  2. Select the server you need to test.
  3. Click Test from the toolbar, or right-click and select Test.
  4. Type the email address you would like to send a test email to and click OK. A confirmation or failure message will be displayed.
  5. Click OK to close the confirmation dialog box.

To delete a mail server or servers:

  1. Go to System Settings > Advanced > Mail Server.
  2. Select the server or servers you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation box to delete the server.

SNMP – FortiAnalyzer – FortiOS 6.2.3

SNMP

Enable the SNMP agent on the FortiAnalyzer device so it can send traps to and receive queries from the computer that is designated as its SNMP manager. This allows for monitoring the FortiAnalyzer with an SNMP manager.

SNMP has two parts – the SNMP agent that is sending traps, and the SNMP manager that monitors those traps. The SNMP communities on monitored FortiGate devices are hard coded and configured by the FortiAnalyzer system – they are not user configurable.

The FortiAnalyzer SNMP implementation is read-only — SNMP v1, v2c, and v3 compliant SNMP manager applications, such as those on your local computer, have read-only access to FortiAnalyzer system information and can receive FortiAnalyzer system traps.

SNMP agent

The SNMP agent sends SNMP traps originating on the FortiAnalyzer system to an external monitoring SNMP manager defined in a SNMP community. Typically an SNMP manager is an application on a local computer that can read the SNMP traps and generate reports or graphs from them.

The SNMP manager can monitor the FortiAnalyzer system to determine if it is operating properly, or if there are any critical events occurring. The description, location, and contact information for this FortiAnalyzer system will be part of the information an SNMP manager will have — this information is useful if the SNMP manager is monitoring many devices, and it will enable faster responses when the FortiAnalyzer system requires attention.

Go to System Settings > Advanced > SNMP to configure the SNMP agent.

The following information and options are available:

SNMP Agent: Select to enable the SNMP agent. When this is enabled, it sends FortiAnalyzer SNMP traps.
Description: Optionally, type a description of this FortiAnalyzer system to help uniquely identify this unit.
Location: Optionally, type the location of this FortiAnalyzer system to help find it in the event it requires attention.
Contact: Optionally, type the contact information for the person in charge of this FortiAnalyzer system.
SNMP v1/2c: The list of SNMP v1/v2c communities added to the FortiAnalyzer configuration.
    Create New: Select Create New to add a new SNMP community. If SNMP agent is not selected, this control will not be visible. For more information, see SNMP v1/v2c communities below.
    Edit: Edit the selected SNMP community.
    Delete: Delete the selected SNMP community or communities.
    Community Name: The name of the SNMP community.
    Queries: The status of SNMP queries for each SNMP community. The enabled icon indicates that at least one query is enabled. The disabled icon indicates that all queries are disabled.
    Traps: The status of SNMP traps for each SNMP community. The enabled icon indicates that at least one trap is enabled. The disabled icon indicates that all traps are disabled.
    Enable: Enable or disable the SNMP community.
SNMP v3: The list of SNMPv3 users added to the configuration.
    Create New: Select Create New to add a new SNMP user. If SNMP agent is not selected, this control will not be visible. For more information, see SNMP v3 users below.
    Edit: Edit the selected SNMP user.
    Delete: Delete the selected SNMP user or users.
    User Name: The user name for the SNMPv3 user.
    Security Level: The security level assigned to the SNMPv3 user.
    Notification Hosts: The notification host or hosts assigned to the SNMPv3 user.
    Queries: The status of SNMP queries for each SNMP user. The enabled icon indicates queries are enabled. The disabled icon indicates they are disabled.

SNMP v1/v2c communities

An SNMP community is a grouping of equipment for network administration purposes. You must configure your FortiAnalyzer to belong to at least one SNMP community so that community’s SNMP managers can query the FortiAnalyzer system information and receive SNMP traps from it.

Each community can have a different configuration for SNMP traps and can be configured to monitor different events. You can add the IP addresses of up to eight hosts to each community. Hosts can receive SNMP device traps and information.

To create a new SNMP community:

  1. Go to System Settings > Advanced > SNMP and ensure the SNMP agent is enabled.
  2. In the SNMP v1/v2c section, click Create New in the toolbar. The New SNMP Community pane opens.
  3. Configure the following options, then click OK to create the community.
Name: Enter a name to identify the SNMP community. This name cannot be edited later.
Hosts: The list of hosts that can use the settings in this SNMP community to monitor the FortiAnalyzer system. When you create a new SNMP community, there are no host entries. Select Add to create a new entry that broadcasts the SNMP traps and information to the network connected to the specified interface.
    IP Address/Netmask: Enter the IP address and netmask of an SNMP manager. By default, the IP address is 0.0.0.0 so that any SNMP manager can use this SNMP community.
    Interface: Select the interface that connects to the network where this SNMP manager is located from the dropdown list. This must be done if the SNMP manager is on the Internet or behind a router.
    Delete: Click the delete icon to remove this SNMP manager entry.
Add: Select to add another entry to the Hosts list. Up to eight SNMP manager entries can be added for a single community.
Queries: Enter the port number (161 by default) the FortiAnalyzer system uses to send v1 and v2c queries to the FortiAnalyzer in this community. Enable queries for each SNMP version that the FortiAnalyzer system uses.
Traps: Enter the Remote port number (162 by default) the FortiAnalyzer system uses to send v1 and v2c traps to the FortiAnalyzer in this community. Enable traps for each SNMP version that the FortiAnalyzer system uses.
SNMP Event: Enable the events that will cause SNMP traps to be sent to the community.
    • Interface IP changed
    • Log disk space low
    • CPU Overuse
    • Memory Low
    • System Restart
    • CPU usage exclude NICE threshold
    • RAID Event (only available for devices that support RAID)
    • PowerSupply Failed (only available on supported hardware devices)
    • Fan Speed Out of Range
    • Temperature Out of Range
    • Voltage Out of Range

FortiAnalyzer feature set SNMP events:
    • High licensed device quota
    • High licensed log GB/day
    • Log Alert
    • Log Rate
    • Data Rate

To edit an SNMP community:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v1/v2c section, double-click on a community, right-click on a community then select Edit, or select a community then click Edit in the toolbar. The Edit SNMP Community pane opens.
  3. Edit the settings as required, then click OK to apply your changes.

To delete an SNMP community or communities:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v1/v2c section, select the community or communities you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected community or communities.

SNMP v3 users

The FortiAnalyzer SNMP v3 implementation includes support for queries, traps, authentication, and privacy. SNMP v3 users can be created, edited, and deleted as required.

To create a new SNMP user:

  1. Go to System Settings > Advanced > SNMP and ensure the SNMP agent is enabled.
  2. In the SNMP v3 section, click Create New in the toolbar. The New SNMP User pane opens.
  3. Configure the following options, then click OK to create the community.
User Name: The name of the SNMP v3 user.
Security Level: The security level of the user. Select one of the following:
    • No Authentication, No Privacy
    • Authentication, No Privacy: Select the Authentication Algorithm (SHA1, MD5) and enter the password.
    • Authentication, Privacy: Select the Authentication Algorithm (SHA1, MD5), the Private Algorithm (AES, DES), and enter the passwords.
Queries: Select to enable queries then enter the port number. The default port is 161.
Notification Hosts: The IP address or addresses of the host. Click the add icon to add multiple IP addresses.
SNMP Event: Enable the events that will cause SNMP traps to be sent to the SNMP manager.
    • Interface IP changed
    • Log disk space low
    • CPU Overuse
    • Memory Low
    • System Restart
    • CPU usage exclude NICE threshold
    • RAID Event (only available for devices that support RAID)
    • PowerSupply Failed (only available on supported hardware devices)
    • Fan Speed Out of Range
    • Temperature Out of Range
    • Voltage Out of Range

FortiAnalyzer feature set SNMP events:
    • High licensed device quota
    • High licensed log GB/day
    • Log Alert
    • Log Rate
    • Data Rate

To edit an SNMP user:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v3 section, double-click on a user, right-click on a user then select Edit, or select a user then click Edit in the toolbar. The Edit SNMP User pane opens.
  3. Edit the settings as required, then click OK to apply your changes.

To delete an SNMP user or users:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v3 section, select the user or users you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected user or users.

SNMP MIBs

The Fortinet and FortiAnalyzer MIBs, along with the two RFC MIBs, can be obtained from Customer Service & Support (https://support.fortinet.com). You can download the FORTINET-FORTIMANAGER-FORTIANALYZER-MIB.mib MIB file in the firmware image file folder. The FORTINET-CORE-MIB.mib file is located in the main FortiAnalyzer 5.00 file folder.

RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).

To be able to communicate with the SNMP agent, you must include all of these MIBs into your SNMP manager.

Generally your SNMP manager will be an application on your local computer. Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet and FortiAnalyzer proprietary MIBs to this database.

MIB file name or RFC: Description
FORTINET-CORE-MIB.mib: The proprietary Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor Fortinet unit configuration settings and receive traps from the Fortinet SNMP agent.
FORTINET-FORTIMANAGERMIB.mib: The proprietary FortiAnalyzer MIB includes system information and trap information for FortiAnalyzer units.
RFC-1213 (MIB II): The Fortinet SNMP agent supports MIB II groups with the following exceptions.
    • No support for the EGP group from MIB II (RFC 1213, sections 3.11 and 6.10).
    • Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all Fortinet traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.
RFC-2665 (Ethernet-like MIB): The Fortinet SNMP agent supports Ethernet-like MIB information with the following exception.
    • No support for the dot3Tests and dot3Errors groups.

SNMP traps

Fortinet devices share SNMP traps, but each type of device also has traps specific to that device type. For example FortiAnalyzer units have FortiAnalyzer specific SNMP traps. To receive Fortinet device SNMP traps, you must load and compile the FORTINET-CORE-MIB into your SNMP manager.

Traps sent include the trap message as well as the unit serial number (fnSysSerial) and host name (sysName). The Trap Message column includes the message that is included with the trap, as well as the SNMP MIB field name to help locate the information about the trap.

Trap message (MIB field): Description
ColdStart, WarmStart, LinkUp, LinkDown: Standard traps as described in RFC 1215.
CPU usage high (fnTrapCpuThreshold): CPU usage exceeds the set percent. This threshold can be set in the CLI using the following commands:

    config system snmp sysinfo
        set trap-high-cpu-threshold <percentage value>
    end

CPU usage excluding NICE processes (fmSysCpuUsageExcludedNice): CPU usage excluding NICE processes exceeds the set percentage. This threshold can be set in the CLI using the following commands:

    config system snmp sysinfo
        set trap-cpu-high-exclude-nice-threshold <percentage value>
    end

Memory low (fnTrapMemThreshold): Memory usage exceeds 90 percent. This threshold can be set in the CLI using the following commands:

    config system snmp sysinfo
        set trap-low-memory-threshold <percentage value>
    end

Log disk too full (fnTrapLogDiskThreshold): Log disk usage has exceeded the configured threshold. Only available on devices with log disks.
Temperature too high (fnTrapTempHigh): A temperature sensor on the device has exceeded its threshold. Not all devices have thermal sensors. See the manual for specifications.
Voltage outside acceptable range (fnTrapVoltageOutOfRange): Power levels have fluctuated outside of normal levels. Not all devices have voltage monitoring instrumentation.
Power supply failure (fnTrapPowerSupplyFailure): Power supply failure detected. Available on some devices that support redundant power supplies.
Interface IP change (fnTrapIpChange): The IP address for an interface has changed. The trap message includes the name of the interface, the new IP address and the serial number of the Fortinet unit. You can use this trap to track interface IP address changes for interfaces with dynamic IP addresses set using DHCP or PPPoE.
Log rate too high (fmTrapLogRateThreshold): The incoming log rate has exceeded the peak log rate threshold. To determine the peak log rate, use the following CLI command:

    get system loglimits

Data rate too high (fmTrapLogDataRateThreshold): The incoming data rate has exceeded the peak data rate threshold. The peak data rate is calculated as the peak log rate x 512 bytes (average log size).

Fortinet & FortiAnalyzer MIB fields

The Fortinet MIB contains fields reporting current Fortinet unit status information. The below tables list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.3.00.mib file into your SNMP manager and browsing the Fortinet MIB fields.

System MIB fields:

MIB field: Description
fnSysSerial: Fortinet unit serial number.

Administrator accounts:

MIB field: Description
fnAdminNumber: The number of administrators on the Fortinet unit.
fnAdminTable: Table of administrators.
fnAdminIndex: Administrator account index number.
fnAdminName: The user name of the administrator account.
fnAdminAddr: An address of a trusted host or subnet from which this administrator account can be used.
fnAdminMask: The netmask for fnAdminAddr.

Custom messages:

MIB field: Description
fnMessages: The number of custom messages on the Fortinet unit.

MIB fields and traps:

MIB field: Description
fmModel: A table of all FortiAnalyzer models.

Task Monitor – FortiAnalyzer – FortiOS 6.2.3

Task Monitor

Using the task monitor, you can view the status of the tasks you have performed.

Go to System Settings > Task Monitor to view the task monitor.

The following options are available:

Delete: Remove the selected task or tasks from the list. This changes to Cancel Running Task(s) when View is Running.
View: Select which tasks to view from the dropdown list, based on their status. The available options are: Running, Pending, Done, Error, Cancelling, Cancelled, Aborting, Aborted, Warning, and All.
Expand Arrow: In the Source column, select the expand arrow icon to display the specific actions taken under this task. To filter the specific actions taken for a task, select one of the options on top of the action list. Select the history icon to view specific information on task progress. This can be useful when troubleshooting warnings and errors.
Group Error Devices: Select Group Error Devices to create a group of the failed devices, allowing for re-installations to easily be done on only the failed devices.
History: Click the history icon to view task details in a new window.
Pagination: Browse the pages of tasks and adjust the number of tasks shown per page.

The following information is available:

ID: The identification number for a task.
Source: The platform from where the task is performed. Click the expand arrow to view details of the specific task and access the history button.
Description: The nature of the task. Click the arrow to display the specific actions taken under this task.
User: The user or users who performed the tasks.
Status: The status of the task (hover over the icon to view the description):
    • Done: Completed with success.
    • Error: Completed without success.
    • Canceled: User canceled the task.
    • Canceling: User is canceling the task.
    • Aborted: The FortiAnalyzer system stopped performing this task.
    • Aborting: The FortiAnalyzer system is stopping performing this task.
    • Running: Being processed. In this status, a percentage bar appears in the Status column.
    • Pending
    • Warning
Start Time: The time that the task was started.
ADOM: The ADOM associated with the task.
History: Click the history button to view task details.

Event Log – FortiAnalyzer – FortiOS 6.2.3

Event Log

The Event Log pane provides an audit log of actions made by users on FortiAnalyzer. It allows you to view log messages that are stored in memory or on the internal hard disk drive. You can use filters to search the messages and download the messages to the management computer.

See the FortiAnalyzerLog Message Reference, available from the Fortinet Document Library, for more information about the log messages.

Go to System Settings > Event Log to view the local log list.

The following options are available:

Add Filter: Filter the event log list based on the log level, user, sub type, or message. See Event log filtering below.
Last…: Select the amount of time to show from the available options, or select a custom time span or any time.
Column Settings: Select which columns are enabled or disabled in the Event Log table.
Tools:
    Raw Log / Formatted Log: Click Raw Log to view the logs in their raw state. Click Formatted Log to view them formatted as a table.
    Real-time Log / Historical Log: Click to view the real-time or historical logs list.
    Case Sensitive Search: Enable or disable case sensitive searching.
    Download: Download the event logs in either CSV or the normal format to the management computer.
Pagination: Browse the pages of logs and adjust the number of logs that are shown per page.

The following information is shown:

#: The log number.
Date/Time: The date and time that the log file was generated.
Device ID: The ID of the related device.
Sub Type: The log sub-type:
    • System manager event
    • FG-FM protocol event
    • Device configuration event
    • Global database event
    • Script manager event
    • Web portal event
    • Firewall objects event
    • Policy console event
    • VPN console event
    • Endpoint manager event
    • Revision history event
    • Deployment manager event
    • Real-time monitor event
    • Log and report manager event
    • HA event
    • Firmware manager event
    • FortiGuard service event
    • FortiClient manager event
    • FortiMail manager event
    • Debug I/O log event
    • Configuration change event
    • Device manager event
    • Web service event
    • FortiAnalyzer event
    • Log daemon event
    • FIPS-CC event
    • Managed devices event
User: The user that the log message relates to.
Message: Log message details. A Session ID is added to each log message. The username of the administrator is added to log messages wherever applicable for better traceability.

Event log filtering

The event log can be filtered using the Add Filter box in the toolbar.

To filter FortiView summaries using the toolbar:

  1. Specify filters in the Add Filter box.
    • Regular Search: In the selected summary view, click in the Add Filter box, select a filter from the dropdown list, then type a value. Click NOT to negate the filter value. You can add multiple filters at a time, and connect them with an “or”.
    • Advanced Search: Click the Switch to Advanced Search icon at the right end of the Add Filter box to switch to advanced search mode. In this mode, you type in the whole search criteria (log field names and values). Click the Switch to Regular Search icon to return to regular search.
  2. Click Go to apply the filter.