Author Archives: Mike

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (a cybersecurity consulting firm).

Synchronizing devices and ADOMs – FortiAnalyzer – FortiOS 6.2.3

Synchronizing devices and ADOMs

If this is the first time the fetching client is fetching logs from the device, or if any changes have been made to the devices or ADOMs since the last fetch, then the devices and ADOMs must be synchronized with the server.

To synchronize devices and ADOMs:

  1. On the client, go to System Settings > Fetcher Management and select the Profiles tab.
  2. Select the profile, then click Sync Devices in the toolbar, or right-click and select Sync Devices from the menu. The Sync Server ADOM(s) & Device(s) dialog box opens and shows the progress of the process.

Once the synchronization is complete, you can verify the changes on the client; for example, newly added devices appear in the ADOM specified by the profile.

If a new ADOM is created, the new ADOM will mirror the disk space and data policy of the corresponding server ADOM. If there is not enough space on the client, the client will create an ADOM with the maximum allowed disk space and give a warning message. You can then adjust disk space allocation as required.

Request processing

After a fetching client has made a fetch request, the request will be listed on the fetch server in the Received Request section of the Sessions tab on the Fetcher Management pane. It will also be available from the notification center in the GUI banner.

Fetch requests can be approved or rejected.

To process the fetch request:

  1. Go to the notification center in the GUI banner and click the log fetcher request, or go to the Sessions tab on the System Settings > Fetcher Management pane.
  2. Find the request in the Received Request section. You may have to expand the section, or select Expand All in the content pane toolbar. The status of the request will be Waiting for approval.
  3. Click Review to review the request. The Review Request dialog box will open.
  4. Click Approve to approve the request, or click Reject to reject the request.

If you approve the request, the server will start to retrieve the requested logs in the background and send them to the client. If you reject the request, the request will be canceled and the request status will be listed as Rejected on both the client and the server.

Fetch monitoring

The progress of an approved fetch request can be monitored on both the fetching client and the fetch server.

Go to System Settings > Fetcher Management and select the Sessions tab to monitor the fetch progress. A fetch session can be paused by clicking Pause, and resumed by clicking Resume. It can also be canceled by clicking Cancel.

Once the log fetching is completed, the status changes to Done and the request record can be deleted by clicking Delete. The client will start to index the logs into the database.

It can take a long time for the client to finish indexing the fetched logs and make the analyzed data available. A progress bar is shown in the GUI banner; for more information, click on it to open the Rebuild Log Database dialog box.

Log and report features will not be fully available until the rebuilding process is complete.

Fetcher Management – FortiAnalyzer – FortiOS 6.2.3

Fetcher Management

Log fetching is used to retrieve archived logs from one FortiAnalyzer device to another. This allows administrators to run queries and reports against historic data, which can be useful for forensic analysis.

The fetching FortiAnalyzer can query the server FortiAnalyzer and retrieve the log data for a specified device and time period, based on specified filters. The retrieved data are then indexed, and can be used for data analysis and reports.

Log fetching can only be done on two FortiAnalyzer devices running the same firmware. A FortiAnalyzer device can be either the fetch server or the fetching client, and it can perform both roles at the same time with different FortiAnalyzer devices. Only one log fetching session can be established at a time between two FortiAnalyzer devices.

The basic steps for fetching logs are:

  1. On the client, create a fetching profile. See Fetching profiles.
  2. On the client, send the fetch request to the server. See Fetch requests.
  3. If this is the first time fetching logs with the selected profile, or if any changes have been made to the devices and/or ADOMs since the last fetch, on the client, sync devices and ADOMs with the server. See Synchronizing devices and ADOMs.
  4. On the server, review the request, then either approve or reject it. See Request processing.
  5. Monitor the fetch process on either FortiAnalyzer. See Fetch monitoring.
  6. On the client, wait until the database is rebuilt before using the fetched data for analysis.

Fetching profiles

Fetching profiles can be managed from the Profiles tab on the System Settings > Fetcher Management pane.

Profiles can be created, edited, and deleted as required. The profile list shows the name of the profile, as well as the IP address of the server it fetches from, the server and local ADOMs, and the administrator name on the fetch server.

To create a new fetching profile:

  1. On the client, go to System Settings > Fetcher Management.
  2. Select the Profiles tab, then click Create New in the toolbar, or right-click and select Create New from the menu. The Create New Profile dialog box opens.
  3. Configure the following settings, then click OK to create the profile.

Name: Enter a name for the profile.
Server IP: Enter the IP address of the fetch server.
User: Enter the username of an administrator on the fetch server, which, together with the password, authenticates the fetch client's access to the fetch server.
Password: Enter the administrator's password, which, together with the username, authenticates the fetch client's access to the fetch server.

To edit a fetching profile:

  1. Go to System Settings > Fetcher Management.
  2. Double-click on a profile, right-click on a profile then select Edit, or select a profile then click Edit in the toolbar. The Edit Profile pane opens.
  3. Edit the settings as required, then click OK to apply your changes.

To delete a fetching profile or profiles:

  1. Go to System Settings > Fetcher Management.
  2. Select the profile or profiles you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected profile or profiles.

Fetch requests

A fetch request asks the fetch server configured in the selected fetch profile for archived logs. When making the request, the ADOM on the fetch server that the logs are fetched from must be specified. An ADOM on the fetching client must also be specified or, if needed, a new one can be created. If logs are being fetched to an existing local ADOM, you must ensure the ADOM has enough disk space for the incoming logs.

The data policy for the local ADOM on the client must also support fetching logs from the specified time period. It must keep both archive and analytics logs long enough so they will not be deleted in accordance with the policy. For example: Today is July 1, the ADOM’s data policy is configured to keep analytics logs for 30 days (June 1 – 30), and you need to fetch logs from the first week of May. The data policy of the ADOM must be adjusted to keep analytics and archive logs for at least 62 days to cover the entire time span. Otherwise, the fetched logs will be automatically deleted after they are fetched.
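The retention check above is easy to get wrong by counting calendar days by hand. The script below is an added example (not Fortinet's tooling): it computes, in plain POSIX shell, how many days the local ADOM's data policy must keep logs so that a fetch window is not deleted on arrival, and reproduces the page's July 1 / first-week-of-May case. Dates are constructed sample values in YYYY-MM-DD form.

```shell
#!/bin/sh
# Added example, not from the page or Fortinet: check a fetch request's time
# window against the local ADOM's data policy before sending it, so the
# fetched logs are not deleted by the policy as soon as they arrive.
# Dates are YYYY-MM-DD; the sample values reproduce the page's July 1 case.

# Days since 1970-01-01 for a calendar date (proleptic Gregorian), in pure
# POSIX shell arithmetic so no GNU date extension is needed.
days_from_civil() {
  y=$1 m=${2#0} d=${3#0}
  [ "$m" -le 2 ] && y=$((y - 1))
  era=$((y / 400))
  yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# Days since epoch for a YYYY-MM-DD string.
epoch_days() {
  yy=${1%%-*}
  rest=${1#*-}
  days_from_civil "$yy" "${rest%-*}" "${rest#*-}"
}

# Retention the data policy must keep: every day from the earliest log to
# fetch up to and including today. For today=2020-07-01 and a fetch window
# starting 2020-05-01 this is the page's figure of 62 days.
required_retention_days() {
  echo $(( $(epoch_days "$1") - $(epoch_days "$2") + 1 ))
}

# Return 0 when a policy of $1 days (archive and analytics alike) covers a
# fetch starting on $3 when today is $2; otherwise report the shortfall.
fetch_within_policy() {
  policy_days=$1
  need=$(required_retention_days "$2" "$3")
  if [ "$policy_days" -ge "$need" ]; then
    return 0
  fi
  echo "policy keeps $policy_days days, fetch needs $need:" \
       "raise retention by $((need - policy_days)) days" >&2
  return 1
}

# Constructed sample: 30-day policy, fetching the first week of May on July 1.
fetch_within_policy 30 2020-07-01 2020-05-01 || true
required_retention_days 2020-07-01 2020-05-01
```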

To send a fetch request:

  1. On the fetch client, go to System Settings > Fetcher Management and select the Profiles tab.
  2. Select the profile, then click Request Fetch in the toolbar, or right-click and select Request Fetch from the menu. The Fetch Logs dialog box opens.
  3. Configure the following settings, then click Request Fetch.

Name: Displays the name of the fetch server you have specified.
Server IP: Displays the IP address of the server you have specified.
User: Displays the username of the server administrator you have provided.
Secure Connection: Select to use an SSL connection to transfer fetched logs from the server.
Server ADOM: Select the ADOM on the server the logs will be fetched from. Only one ADOM can be fetched from at a time.
Local ADOM: Select the ADOM on the client where the logs will be received. Either select an existing ADOM from the dropdown list, or create a new ADOM by entering a name for it into the field.
Devices: Add the devices and/or VDOMs that the logs will be fetched from. Up to 256 devices can be added. Click Select Device, select devices from the list, then click OK.
Enable Filters: Select to enable filters on the logs that will be fetched. Select All or Any of the Following Conditions in the Log messages that match field to control how the filters are applied to the logs. Add filters to the table by selecting the Log Field, Match Criteria, and Value for each filter.
Time Period: Specify the date and time range of log messages to fetch.
Index Fetch Logs: If selected, the fetched logs will be indexed in the SQL database of the client once they are received. Select this option unless you want to manually index the fetched logs.

The request is sent to the fetch server. The status of the request can be viewed in the Sessions tab.

Log Forwarding – FortiAnalyzer – FortiOS 6.2.3

Log Forwarding

You can forward logs from a FortiAnalyzer unit to another FortiAnalyzer unit, a syslog server, or a Common Event Format (CEF) server when you use the default forwarding mode in log forwarding.

The client is the FortiAnalyzer unit that forwards logs to another device. The server is the FortiAnalyzer unit, syslog server, or CEF server that receives the logs.

In addition to forwarding logs to another unit or server, the client retains a local copy of the logs. The local copy of the logs is subject to the data policy settings for archived logs. See Log storage for more information.

To see a graphical view of the log forwarding configuration, and to see details of the devices involved, go to System Settings > Logging Topology. For more information, see Logging Topology.

Modes

FortiAnalyzer supports two log forwarding modes: forwarding (default), and aggregation.

Forwarding

Logs are forwarded in real-time or near real-time as they are received. Forwarded content files include: DLP files, antivirus quarantine files, and IPS packet captures.

This mode can be configured in both the GUI and CLI.

Aggregation

As FortiAnalyzer receives logs from devices, it stores them, and then forwards the collected logs at a specified time every day.

FortiAnalyzer supports log forwarding in aggregation mode only between two FortiAnalyzer units. Syslog and CEF servers are not supported.

Aggregation mode can only be configured with the log-forward and log-forward-service CLI commands. See the FortiAnalyzer CLI Reference for more information.

Certificates – FortiAnalyzer – FortiOS 6.2.3

Certificates

The FortiAnalyzer generates a certificate request based on the information you entered to identify the FortiAnalyzer unit. After you generate a certificate request, you can download the request to a management computer and then forward the request to a CA.

Local certificates are issued for a specific server, or website. Generally they are very specific, and often for an internal enterprise network.

CA root certificates are similar to local certificates, however they apply to a broader range of addresses or to an entire company.

The CRL is a list of certificates that have been revoked and are no longer usable. This list includes expired, stolen, or otherwise compromised certificates. If your certificate is on this list, it will not be accepted. CRLs are maintained by the CA that issues the certificates and include the date and time when the next CRL will be issued, as well as a sequence number to help ensure you have the most current versions.

Local certificates

The FortiAnalyzer unit generates a certificate request based on the information you enter to identify the FortiAnalyzer unit. After you generate a certificate request, you can download the request to a computer that has management access to the FortiAnalyzer unit and then forward the request to a CA.

The certificate window also enables you to export certificates for authentication, importing, and viewing.

The FortiAnalyzer has one default local certificate: Fortinet_Local.

You can manage local certificates from the System Settings > Certificates > Local Certificates page. Some options are available in the toolbar and some are also available in the right-click menu.

Creating a local certificate

To create a certificate request:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Click Create New in the toolbar. The Generate Certificate Signing Request pane opens.
  3. Enter the following information as required, then click OK to save the certificate request:
Certificate Name: The name of the certificate.
Subject Information: Select the ID type from the dropdown list:
  - Host IP: Select if the unit has a static IP address. Enter the public IP address of the unit in the Host IP field.
  - Domain Name: Select if the unit has a dynamic IP address and subscribes to a dynamic DNS service. Enter the domain name of the unit in the Domain Name field.
  - Email: Select to use an email address. Enter the email address in the Email Address field.
Optional Information:
  Organization Unit (OU): The name of the department. You can enter a series of OUs up to a maximum of 5. To add or remove an OU, use the plus (+) or minus (-) icons.
  Organization (O): Legal name of the company or organization.
  Locality (L): Name of the city or town where the device is installed.
  State/Province (ST): Name of the state or province where the unit is installed.
  Country (C): Select the country where the unit is installed from the dropdown list.
  E-mail Address (EA): Contact email address.
Subject Alternative Name: Optionally, enter one or more alternative names for which the certificate is also valid. Separate names with a comma. A name can be:
  - e-mail address
  - IP address
  - URI
  - DNS name (alternative to the Common Name)
  - directory name (alternative to the Distinguished Name)
  You must precede the name with the name type. Examples:
  - IP:1.1.1.1
  - email:test@fortinet.com
  - email:my@other.address
  - URI:http://my.url.here/
Key Type: The key type can be RSA or Elliptic Curve.
Key Size: Select the key size from the dropdown list: 512 Bit, 1024 Bit, 1536 Bit, or 2048 Bit. This option is only available when the key type is RSA.
Curve Name: Select the curve name from the dropdown list: secp256r1 (default), secp384r1, or secp521r1. This option is only available when the key type is Elliptic Curve.
Enrollment Method: The enrollment method is set to File Based.
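With the file-based enrollment above, the CSR leaves the unit and is signed by a CA, so it is worth being able to produce and inspect an equivalent request off-box. The script below is an added example (OpenSSL, not FortiAnalyzer's own code) that builds a CSR with the same subject fields and typed Subject Alternative Name entries the pane describes, on the default secp256r1 curve, and prints the SAN line so it can be checked before the request is sent to the CA. All subject values, the hostname and the SAN entries are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Fortinet's code: produce the same kind of CSR that the
# Generate Certificate Signing Request pane describes, using OpenSSL, so the
# request file can be forwarded to a CA in the file-based enrollment flow.
# Every subject value and SAN entry below is a constructed placeholder.
set -eu

WORK="${TMPDIR:-/tmp}/faz-csr.$$"
mkdir -p "$WORK"

# Request config mirroring the GUI fields: Domain Name -> CN; the optional
# OU (numbered, because more than one is allowed), O, L, ST, C and EA
# fields; and Subject Alternative Name entries, each prefixed by its type.
write_req_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext

[ dn ]
CN = faz.example.internal
0.OU = Security Operations
1.OU = Infrastructure
O = Example Corp
L = Ottawa
ST = Ontario
C = CA
emailAddress = soc@example.internal

[ ext ]
subjectAltName = DNS:faz.example.internal, IP:192.0.2.10, email:soc@example.internal, URI:https://faz.example.internal/
EOF
}

# Key type Elliptic Curve on the pane's default curve, secp256r1 (OpenSSL
# names it prime256v1), then the CSR signed with that key.
gen_csr() {
  write_req_config
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/faz.key"
  openssl req -new -key "$WORK/faz.key" -config "$WORK/req.cnf" \
    -out "$WORK/faz.csr"
}

# Print the SAN line of the CSR so the entries can be checked before the
# request leaves the box; a wrong SAN is otherwise only noticed after the CA signs.
csr_san() {
  openssl req -in "$WORK/faz.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Confirm the CSR's self-signature verifies with the embedded public key.
csr_verify() {
  openssl req -in "$WORK/faz.csr" -noout -verify >/dev/null 2>&1
}

gen_csr
csr_verify
csr_san
```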

Importing local certificates

To import a local certificate:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Click Import in the toolbar or right-click and select Import. The Import dialog box opens.
  3. Enter the following information as required, then click OK to import the local certificate:
Type: Select the certificate type from the dropdown list: Local Certificate, PKCS #12 Certificate, or Certificate.
Certificate File: Click Browse… and locate the certificate file on the management computer, or drag and drop the file onto the dialog box.
Key File: Click Browse… and locate the key file on the management computer, or drag and drop the file onto the dialog box. This option is only available when Type is Certificate.
Password: Enter the certificate password. This option is only available when Type is PKCS #12 Certificate or Certificate.
Certificate Name: Enter the certificate name. This option is only available when Type is PKCS #12 Certificate or Certificate.

Deleting local certificates

To delete a local certificate or certificates:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Select the certificate or certificates you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected certificate or certificates.

Viewing details of local certificates

To view details of a local certificate:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Select the certificates that you would like to see details about, then click View Certificate Detail in the toolbar or right-click menu. The View Local Certificate page opens.
  3. Click OK to return to the local certificates list.

Downloading local certificates

To download a local certificate:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Select the certificate that you need to download.
  3. Click Download in the toolbar, or right-click and select Download, and save the certificate to the management computer.

When an object is added to a policy package and assigned to an ADOM, the object is available in all devices that are part of the ADOM. If the object is renamed on a device locally, FortiManager automatically syncs the renamed object to the ADOM.

CA certificates

The FortiAnalyzer has one default CA certificate, Fortinet_CA. In this sub-menu you can delete, import, view, and download certificates.

Importing CA certificates

To import a CA certificate:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Click Import in the toolbar, or right-click and select Import. The Import dialog box opens.
  3. Click Browse… and locate the certificate file on the management computer, or drag and drop the file onto the dialog box.
  4. Click OK to import the certificate.

Viewing CA certificate details

To view a CA certificate’s details:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Select the certificates you need to see details about.
  3. Click View Certificate Detail in the toolbar, or right-click and select View Certificate Detail. The View CA Certificate page opens.
  4. Click OK to return to the CA certificates list.

Downloading CA certificates

To download a CA certificate:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Select the certificate you need to download.
  3. Click Download in the toolbar, or right-click and select Download, and save the certificate to the management computer.

Deleting CA certificates

To delete a CA certificate or certificates:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Select the certificate or certificates you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected certificate or certificates.

Certificate revocation lists

When you apply for a signed personal or group certificate to install on remote clients, you can obtain the corresponding root certificate and Certificate Revocation List (CRL) from the issuing CA.

The CRL is a list of certificates that have been revoked and are no longer usable. This list includes expired, stolen, or otherwise compromised certificates. If your certificate is on this list, it will not be accepted. CRLs are maintained by the CA that issues the certificates and include the date and time when the next CRL will be issued, as well as a sequence number to help ensure you have the most current version of the CRL.

When you receive the signed personal or group certificate, install the signed certificate on the remote client(s) according to the browser documentation. Install the corresponding root certificate (and CRL) from the issuing CA on the FortiAnalyzer unit according to the procedures given below.

Importing a CRL

To import a CRL:

  1. Go to System Settings > Certificates > CRL.
  2. Click Import in the toolbar, or right-click and select Import. The Import dialog box opens.
  3. Click Browse… and locate the CRL file on the management computer, or drag and drop the file onto the dialog box.
  4. Click OK to import the CRL.

Viewing a CRL

To view a CRL:

  1. Go to System Settings > Certificates > CRL.
  2. Select the CRL you need to see details about.
  3. Click View Certificate Detail in the toolbar, or right-click and select View Certificate Detail. The Result page opens.
  4. Click OK to return to the CRL list.

Deleting a CRL

To delete a CRL or CRLs:

  1. Go to System Settings > Certificates > CRL.
  2. Select the CRL or CRLs you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected CRL or CRLs.