Category Archives: Administration Guides

Using the Generic Text Filter in an event handler – FortiAnalyzer – FortiOS 6.2.3

Using the Generic Text Filter in an event handler

The Generic Text Filter uses the glibc regex library for values with operators (~,!~), using the POSIX standard. Filter string syntax is parsed by FortiAnalyzer, and both upper and lower case characters are supported (for example “and” is the same as “AND”). You must use an escape character when needed. For example, cfgpath=firewall.policy is the wrong syntax because it’s missing an escape character. The correct syntax is cfgpath=firewall\.policy.

To create an event handler using the Generic Text Filter to match raw log data:

  1. Go to Log View, and select a log type.
  2. In the toolbar, click Tools > Display Raw.

The easiest method is to copy the text string you want from the raw log and paste it into the Generic Text Filter field. Ensure you insert an escape character when necessary, for example, cfgpath=firewall\.policy.

  1. Locate and copy the text in the raw log.
  2. Go to Incidents & Events > Event Monitor> Event HandlerList and click Create New.
  3. In the Generic Text Filter box, paste the text you copied or type the text you want. Ensure you use the raw log field names, for example, mem (not memory) and setuprate (not setup-rate).

For information on text format and operators, hover the cursor over the help icon. The operator ~ means contains and !~ means does not contain.

  1. If you want to be notified of events, configure the Notifications
  2. Configure other settings as required and click OK.

Incident and Event Management – FortiAnalyzer – FortiOS 6.2.3

Incident and Event Management

Use Incidents & Events to generate, monitor, and manage alerts and events from logs. The live monitoring of security events is a powerful and enabling feature for security operations. Incidents can be created from events to track and respond to suspicious or malicious activities.

Incidents & Events displays all events generated by event handlers.

Event handlers

Event handlers determine what events are to be generated from logs. Enable an event handler to start generating events. To see which event handlers are enabled or disabled, see Enabling event handlers.

When ADOMs are enabled, each ADOM has its own event handlers and lists of events. Ensure you are in the correct ADOM when working in Incidents & Events.

You can use predefined event handlers to generate events. There are predefined event handlers for FortiGate,

FortiSandbox, FortiMail, and FortiWeb devices. In a Security Fabric ADOM, all predefined event handlers are displayed.

You can create custom event handlers. An easy way to create a custom event handler is to clone a predefined event handler and customize its settings. See Cloning event handlers.

Configure event handlers to generate events for all devices, a specific device, or for the local FortiAnalyzer unit. You can create event handlers for FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, FortiSandbox devices, and syslog servers. Incidents & Events supports local FortiAnalyzer event logs. To see event handlers, go to Incidents & Events > Event Monitor> Event HandlerList.

Event handlers generate events only from Analytics logs and not Archive logs. For more information, see Analytics and Archive logs.

In an Analyzer–Collector collaboration scenario, the Analyzer evaluates event handlers. For more information, see Analyzer–Collector collaboration.

You can also import and export event handlers, allowing you to develop custom event handlers and deploy them in bulk to other ADOMS or FortiAnalyzer units. For more information, see Importing and exporting event handlers.

Predefined event handlers

FortiAnalyzer includes many predefined event handlers that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers on page 69.

The following are a small sample of FortiAnalyzer predefined event handlers. To see all predefined event handlers, go to Incidents & Events > Event Monitor> Event HandlerList and select Show Predefined.

Event Handler Description
Default-Compromised HostDetection-by IOC-By-Threat Disabled by default Filter 1:

l     Event Severity: Critical l Log Type: Traffic Log l Group by: dstip l Log messages that match all of the following conditions:

l     tdtype~infected

l     Tags: By_Endpoint, IP, C&C

Filter 2:

l     Event Severity: Critical l Log Type: Web Filter l Group by: Hostname URL l Log messages that match all of the following conditions:

l     tdtype~infected

l     Tags: By_Endpoint, C&C, URL

Filter 3:

l     Event Severity: Critical l Log Type: DNS Log l Group by: QNAME l Log messages that match all of the following conditions:

l     tdtype~infected l Tags: By_Endpoint, C&C, Domain

Default-Data-Leak-DetectionBy-Threat Disabled by deafult Filter 1:

l     Event Severity: Medium

l     Log Type: DLP

l     Group by: Filter Category, Source Endpoint

l     Tags: Signature, Leak

Filter 2:

l     Event Severity: Low

l     Log Type: DLP

l     Group by: Filter Category l Event Status: Mitigated l Tags: Signature, Leak

Default-Sandbox-DetectionsBy-Endpoint Disabled by default
Event Handler Description
  Filter 1:

l     Event Severity: Critical l Log Type: AntiVirus l Group by: Source Endpoint, Virus Name l Log messages that match all of the following conditions:

l     logid==0211009235 or logid==0211009237

l     Tags: By_Endpoint, Sandbox, Signature, Malware

Filter 2:

l     Event Severity: Critical l Log Type: AntiVirus l Group by: Source Endpoint, Virus Name l Log messages that match all of the following conditions:

l     logid==0211009234 or logid==0211009236

l     Tags: By_Endpoint, Sandbox, Signature, Malware

Filter 3:

l     Event Severity: Critical l Log Type: AntiVirus l Group by: Source Endpoint l Log messages that match all of the following conditions:

l     logid==0201009238 and fsaverdict==malicious l Tags: By_Endpoint, Sandbox, Malware

Local Device Event Available only in the Root ADOM. Enabled by default l Devices: Local Device l Event Severity: Medium l Log Type: Event Log l Event Type: Any l Group By: Device ID l Log messages that match the following conditions:

l Level Equal To Emergency l Tags: System, Local

FortiOS system events

FortiOS predefined system event handlers are consolidated into a single event handler with multiple filters called Default FOS System Events.

Events are organized by device in the Incidents & Events dashboards, which can be expanded to view all related events.

Default FOS System Event filters apply tags to each event, allowing you to identify which Deafult FOS System Event filter triggered the event.

If you are upgrading from a version before FortiAnalyzer 6.2.0, the existing legacy predefined handlers which are enabled or have been modified will be available as custom handlers. In the Event HandlerList, select the More dropdown and choose Show Custom.

FortiGate event handlers

All FortiGates added to FortiAnalyzer use a default event handler on the FortiAnalyzer side to receive high severity events such as Botnet Communication, IPS Attack Pass Through, and Virus Pass Through AntiVirus.

Events triggered from FortiGate Event Handler are not shown in the FortiAnalyzer GUI. The events are pushed to the FortiGate for further processing.

Custom FortiGate event handlers can also be created. See Creating a custom event handler on page 64.

Creating a custom event handler

You can create a custom event handler from scratch or clone a predefined event handler and customize its settings. See Cloning event handlers on page 69.

Configuring an event handler includes defining the following main sections:

Option Description
Event handler attributes Event handler attributes such as name, description, and devices.
Filters Filters are rules for event generation.

l  Select the log filters to limit the logs that trigger an event.

l  Group the logs by primary and secondary (optional) values to separate the events that are generated for different Group By values.

l  Set the number of occurrences within a time frame that triggers an event. l Configure event fields such as event status and severity.

Additional Info Specify what to show in the Additional Info column. You can use the system default information or configure a custom information message.
Notifications Configure notifications to be sent on event generation.

You can send alert notifications to a fabric connector, email address, SNMP community, or syslog server.

To create a new event handler:

  1. Go to Incidents & Events > Event Monitor> Event HandlerList.
  2. In the toolbar, click Create New.
  3. Configure the settings as required and click OK.
Field   Description
Status   Enable or disable the event handler.

Enabled event handlers have a Status of ON and show the  icon in the Event HandlerList. Disabled event handlers have a a Status of OFF and show the  icon in the Event HandlerList.

Name   Add a name for the handler.
Description   Type a description of the event handler.

 

Field   Description
Devices   Select the devices to include.

All Devices. l Specify: To add devices, click the Add icon.

Local Device: Select if the event handler is for local FortiAnalyzer event logs. This option is only available in the root ADOM and is used to query FortiAnalyzer event logs.

For Local Device, the Log Type must be Event Log and Log Subtype must be Any.

Subnets   Select All Subnets to include all subnets, or select Specify to choose which subnet(s) or subnet group(s) will be included or excluded from triggering events.
Filters   Configure one or more filters for the handler. You can add multiple filters each with its own set of filter settings. You can enable or disable specific filters in an event handler.
  Log Device Type If you are in a Security Fabric ADOM, select the log device type from the dropdown list. If you are not in a Security Fabric ADOM, you cannot change the Log Device Type.
  Log Type Select the log type from the dropdown list.

When Devices is set to Local Device, you cannot change the Log Type or Log Subtype.

  Log Subtype Select the category of event that this handler monitors. The available options depends on the platform type.

This option is only available when Log Type is set to Event Log or Traffic Log.

  Group By Select how to group the events. Some Group By selections allow a secondary Group By option. If available, click Add beside the Group By field to add a secondary Group By option.
  Logs match Select All or Any of the following conditions.
  Log Field Select a log field to filter from the dropdown list. The available options depends on the selected log type.
  Match Criteria Select a match criteria from the dropdown list. The available options depends on the selected log field.
  Value Either select a value from the dropdown list or enter a value in the text box. The available options depends on the selected log field.
  Add Add Log Field to the filter.
  Remove Delete the filter.
  Generic Text Filter Enter a generic text filter.

For information on text format, hover the cursor over the help icon. The operator ~ means contains and !~ means does not contain.

 

Field Description
  For more information on creating a generic text filter, see Using the Generic Text Filter in an event handler on page 68.
Generate alert when at least n matches occurred over a period of n minutes Enter threshold values to generate alerts. Enter the number of matching events that must occur in the number of minutes to generate an alert.
Event Message If you wish, enter a custom event message. The default message is the Group By value. You can use variables in the event message.
Event Status Select Allow FortiAnalyzerto choose or select a status from the dropdown list: Unhandled, Mitigated, Contained, or Blank.
Event Severity Select the severity from the dropdown list: Critical, High, Medium, or Low.
Tags If you wish, enter custom tags. Tags can be used as a filter when using default or custom views.
Additional Info Specify what to show in the Additional Info column. You can use the system default information or configure a custom information message.
Use system

default

Select to use the system default message in the Additional Info column.
Use custom message Type a custom message for the Additional Info column. A custom message can include variables and log field names. For more information, click the question mark icon.
Notifications Configure alerts for the handler.
Send Alert through Fabric Connectors Send an alert through one or more fabric connectors. Click the + button to add fabric connectors. For more information, see Fabric Connectors on page 32.
Send Alert Email Send an alert by email. Specify email parameters including the mail server. For more information, see Mail Server on page 212.
Send SNMP(…) Trap Select one or both checkboxes and specify an SNMP community or user from the dropdown list. Click the add icon to create a new SNMP community or user. For more information, see SNMP on page 203.
Send Alert to Syslog Server Send an alert to the syslog server. Select a syslog server from the dropdown list. Click the add icon to create a new syslog server. For more information, see Syslog Server on page 214.
Send Each Alert

Separately

Select to send each alert individually instead of in a group.

Log View and Log Quota Management – FortiAnalyzer – FortiOS 6.2.3

Log View and Log Quota Management

You can view log information by device or by log group.

When ADOMs are enabled, each ADOM has its own information displayed in Log View.

Log View can display the real-time log or historical (Analytics) logs.

Log Browse can display logs from both the current, active log file and any compressed log files.

Types of logs collected for each device

FortiAnalyzer can collect logs from managed FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiSandbox, FortiWeb, FortiClient, and syslog servers. Following is a description of the types of logs FortiAnalyzer collects from each type of device:

Device Type              Log Type
FortiAnalyzer             Event
FortiAuthenticator      Event
FortiGate                   Traffic

Security: Antivirus, Intrusion Prevention, Application Control, Web Filter, File Filter, DNS, Data Leak Prevention, Email Filter, Web Application Firewall, Vulnerability Scan, VoIP, FortiClient

Event: Endpoint, HA, Compliance, System, Router, VPN, User, WAN Opt. & Cache, WiFi

File Filter logs are sent when the File Filter sensor is enabled in the FortiOS Web Filter profile. You can enable the File Filter sensor in FortiOS at Security Profiles > Web Filters.

FortiCarrier                Traffic, Event, GTP
FortiCache                 Traffic, Event, Antivirus, Web Filter
FortiClient                 Traffic, Event, Vulnerability Scan
FortiDDoS                 Event, Intrusion Prevention
FortiMail                    History, Event, Antivirus, Email Filter.
Device Type              Log Type
FortiMail logs support cross-log functionality. When viewing History, Event, Antivirus, or Email Filter logs from FortiMail, you can click on the Session ID to see correlated logs.
FortiManager             Event
FortiSandbox            Malware, Network Alerts
FortiWeb                   Event, Intrusion Prevention, Traffic
Syslog                       Generic

Traffic logs

Traffic logs record the traffic flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through FortiGate, this type of logging is also called firewall policy logging. Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.

Security logs

Security logs (FortiGate) record all antivirus, web filtering, file filtering, application control, intrusion prevention, email filtering, data leak prevention, vulnerability scan, and VoIP activity on your managed devices.

DNS logs

DNS logs (FortiGate) record the DNS activity on your managed devices.

Event logs

Event logs record administration management and Fortinet device system activity, such as when a configuration changes, or admin login or HA events occur. Event logs are important because they record Fortinet device system activity which provides valuable information about how your Fortinet unit is performing. FortiGate event logs includes System, Router, VPN, User, and WiFi menu objects to provide you with more granularity when viewing and searching log data.

The logs displayed on your FortiAnalyzer depends on the device type logging to it and the enabled features. FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, FortiSandbox, FortiClient, and Syslog logging is supported. ADOMs must be enabled to support non-FortiGate logging.

In a Security Fabric ADOM, all device logs are displayed.

Log messages

You can view log information by device or by log group.

Viewing the log message list of a specific log type

You can find FortiMail and FortiWeb logs in their default ADOMs.

To view the log message list:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Log View, and select a log type from the tree menu.

The corresponding log messages list is displayed.

Viewing message details

To view message details:

  1. Double-click a message in the message list.

The details pane is displayed to the right of the message list, with the fields categorized in tree view.

You can display the log details pane below the message list by clicking the Bottom icon in the log details pane. When the log details pane is displayed below the message list, you can move it to the right of the log message list by clicking the Right icon. This is sometimes referred to as docking the pane to the bottom or right of the screen.

The log details pane provides shortcuts for adding filters and for showing or hiding a column. Right-click a log field to select an option.

Customizing displayed columns

The columns displayed in the log message list can be customized and reordered as needed.

To customize what columns to display:

  1. In the toolbar of the log message list view, click Column Settings and select a column to hide or display. The available columns vary depending on the device and log type.
  2. To add other columns, click More Columns. In the Column Settings dialog box, select the columns to show or hide.
  3. To reset to the default columns, click Reset to Default.
  4. Click OK.

To change the order of the displayed columns:

Place the cursor in the column title and move a column by drag and drop.

Customizing default columns

In Log View, you can select the columns that are displayed as the default by clicking Save as Default in the Column Settings menu when customizing columns. See Customizing displayed columns on page 45.

Customizing the default column view can only be done on a Super_User administrator profile.

Default column customization is applied per devtype/logtype across all ADOMs.

The GUI displays columns based on the following order of priority:

  1. Displays the user’s column customizations (if defined).
  2. Displays the default columns set by the Super_User administrator (if defined).
  3. Displays the system default columns.

Customized default column configuration is preserved during upgrades.

Filtering messages

You can apply filters to the message list. Filters are not case-sensitive by default. If available, select Tools > Case Sensitive Search to create case-sensitive filters.

Filtering messages using filters in the toolbar

  1. Go to the view you want.
Regular search Click Add Filter and select a filter from the dropdown list, then type a value. Only displayed columns are available in the dropdown list. You can use search operators in regular search.
Switching between regular search and advanced search At the right end of the Add Filter box, click the Switch to Advanced Search icon  or click the Switch to RegularSearch icon .
Advanced search In Advanced Search mode, enter the search criteria (log field names and values).
Search operators and syntax If available, click  at the right end of the Add Filter box to view search operators and syntax. See also Filter search operators and syntax on page 48.
CLI string “freestyle” search Searches the string within the indexed fields configured using the CLI command: config ts-index-field.

For example, if the indexed fields have been configured using these CLI commands:

config system sql config ts-index-field edit “FGT-traffic”

set value “app,dstip,proto,service,srcip,user,utmaction” next end

end

Then if you type “Skype” in the Add Filter box, FortiAnalyzer searches for “Skype” within these indexed fields: app,dstip,proto,service,srcip,user and utmaction.

You can combine freestyle search with other search methods, for example:

Skype user=David.

  1. In the toolbar, make other selections such as devices, time period, which columns to display, etc.

Filtering messages using the right-click menu

In a log message list, right-click an entry and select a filter criterion. The search criterion with a  icon returns entries matching the filter values, while the search criterion with a  icon returns entries that do not match the filter values.

Depending on the column in which your cursor is placed when you right-click, Log View uses the column value as the filter criteria. This context-sensitive filter is only available for certain columns.

To see log field name of a filter/column, right-click the column of a log entry and select a context-sensitive filter. The Add Filter box shows log field name.

Context-sensitive filters are available for each log field in the log details pane. See Viewing message details on page 44.

Filtering messages using smart action filters

For Log View windows that have an Action column, the Action column displays smart information according to policy (log field action) and utmaction (UTM profile action).

The Action column displays a green checkmark Accept icon when both policy and UTM profile allow the traffic to pass through, that is, both the log field action and UTM profile action specify allow to this traffic.

The Action column displays a red X Deny icon and the reason when either the log field action or UTM profile action deny the traffic.

If the traffic is denied due to policy, the deny reason is based on the policy log field action.

If the traffic is denied due to UTM profile, the deny reason is based on the FortiView threattype from craction. craction shows which type of threat triggered the UTM action. The threattype, craction, and crscore fields are configured in FortiGate in Log & Report. For more information, see the FortiOS -Log Message Reference in the Fortinet Document Library.

A filter applied to the Action column is always a smart action filter.

The smart action filter uses the FortiGate UTM profile to determine what the Action column displays. If the FortiGate UTM profile has set an action to allow, then the Action column will display that line with a green Accept icon, even if the craction field defines that traffic as a threat. The green Accept icon does not display any explanation.

In the scenario where the craction field defines the traffic as a threat but the FortiGate UTM profile has set an action to allow, that line in the Log View Action column displays a green Accept icon. The green Accept icon does not display any explanation.

Filter search operators and syntax

Operators or symbols Syntax
And Find log entries containing all the search terms. Connect the terms with a space character, or “and”. Examples:

1.    user=henry group=sales

2.    user=henry and group=sales

Or Find log entries containing any of the search terms. Separate the terms with “or” or a comma “,”. Examples:

1.    user=henry or srcip=10.1.0.15

2.    user=henry,linda

Not Find log entries that do NOT contain the search terms. Add “-” before the field name. Example: -user=henry
>, < Find log entries greater than or less than a value, or within a range. This operator only applies to integer fields. Example:

policyid>1 and policyid<10

IP subnet/range search Find log entries within a certain IP subnet or range. Examples:
Operators or symbols Syntax
  1.    srcip=192.168.1.0/24

2.    srcip=10.1.0.1-10.1.0.254

Wildcard search You can use wildcard searches for all field types. Examples:

1.    srcip=192.168.1.*

2.    policyid=1*

3.    user=*

Filtering FortiClient log messages in FortiGate traffic logs

For FortiClient endpoints registered to FortiGate devices, you can filter log messages in FortiGate traffic log files that are triggered by FortiClient.

To Filter FortiClient log messages:

  1. Go to Log View > Traffic.
  2. In the Add Filter box, type fct_devid=*. A list of FortiGate traffic logs triggered by FortiClient is displayed.
  3. In the message log list, select a FortiGate traffic log to view the details in the bottom pane.
  4. Click the FortiClient tab, and double-click a FortiClient traffic log to see details.

The FortiClient tab is available only when the FortiGate traffic logs reference FortiClient traffic logs.

Viewing historical and real-time logs

By default, Log View displays historical logs. Custom View and Chart Builder are only available in historical log view.

To view real-time logs, in the log message list view toolbar, click Tools > Real-time Log.

To switch back to historical log view, click Tools > Historical Log.

Viewing raw and formatted logs

By default, Log View displays formatted logs. The log view you select affects available view options. You cannot customize columns when viewing raw logs.

To view raw logs, in the log message list view toolbar, click Tools > Display Raw.

To switch back to formatted log view, click Tools > Formatted Log.

For more information about FortiGate raw logs, see the FortiGate Log Message Reference in the Fortinet Document Library. For more information about raw logs of other devices, see the Log Message Reference for the platform type.

Custom views

Use Custom View to save the filter setting, device selection, and the time period you have specified.

To create a new custom view:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Log View, and select a log type.
  3. In the content pane, customize the log view as needed by adding filters, specifying devices, and/or specifying a time period.
  4. In the toolbar, click Custom View.
  5. In the Name field, type a name for the new custom view.
  6. Click OK. The custom view is now displayed under Log View > Custom View.

To edit a custom view:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to the Log View > Custom View.
  3. In the toolbar, edit the filter settings, and click GO.
  4. In the toolbar, click Custom View.
  5. Click Save to save the changes to the existing custom view or click Save as to save the changes to a new custom view.
  6. Click OK.

To view the traffic log of a custom view:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to the Log View > Custom View.
  3. Right-click the name of a custom view and select View Traffic.

Downloading log messages

You can download historical log messages to the management computer as a text or CSV file. You cannot download real-time log messages.

To download log messages:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Log View, and select a log type.
  3. In the toolbar, click Tools > Download.
  4. In the Download Logs dialog box, configure download options: l In the Log file format dropdown list, select Text or CSV. l To compress the downloaded file, select Compress with gzip.

l To download only the current log message page, select Current Page. To download all the pages in the log message list, select All Pages.

  1. Click Download.

Creating charts

Log View includes a Chart Builder for you to build custom charts for each type of log messages.

To create charts with Chart Builder:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Log View, and select a log type.
  3. In the toolbar, click Tools > Chart Builder.
  4. In the Chart Builder dialog box, configure the chart and click Save.
Name Type a name for the chart.
Columns Select which columns of data to include in the chart based on the log messages that are displayed on the Log View page.
Group By Select how to group data in the chart.
Order By Select how to order data in the chart.
Sort Select a sort order for data in the chart.
Show Limit Show Limit
Device Displays the device(s) selected on the Log View page.
Time Frame Displays the time frame selected on the Log View page.
Query Displays the query being built.
Preview Displays a preview of the chart.

Log groups

You can group devices into log groups. You can view FortiView summaries, display logs, generate reports, or create handlers for a log group. Log groups are virtual so they do not have SQL databases or occupy additional disk space.

When you add a device with VDOMs to a log group, all VDOMs are automatically added.

To create a new log group:

  1. Go to Log View > Log Group.
  2. In the content pane toolbar, click Create New.
  3. In the Create New Log Group dialog box, type a log group name and add devices to the log group.
  4. Click OK.

Log browse

When a log file reaches its maximum size or a scheduled time, FortiAnalyzer rolls the active log file by renaming the file. The file name is in the form of xlog.N.log, where x is a letter indicating the log type, and N is a unique number corresponding to the time the first log entry was received. For information about setting the maximum file size and log rolling options, see Device logs on page 216.

Log Browse displays log files stored for both devices and the FortiAnalyzer itself, and you can log in the compressed phase of the log workflow.

To view log files:

  1. Go to Log View > Log Browse
  2. Select a log file, and click Display to open the log file and display the log messages in formatted view.

You can perform all the same actions as with the log message list. See Viewing message details on page 44.

Importing a log file

Imported log files can be useful when restoring data or loading log data for temporary use. For example, if you have older log files from a device, you can import these logs to the FortiAnalyzer unit so that you can generate reports containing older data.

Log files can also be imported into a different FortiAnalyzer unit. Before importing the log file you must add all devices included in the log file to the importing FortiAnalyzer.

To insert imported logs into the SQL database, the config system sqlstart-time and rebuild-eventstart-time must be older than the date of the logs that are imported and the storage policy for analytic data (the Keep Logs forAnalytics field) must also extend back far enough.

To set the SQL start time and rebuild event start time using CLI commands:

config system sql set start-time <start-time-and-date>

set rebuild-event-start-time <start-time-and-date>

end

Where <start-time-and-date> is in the format hh:mm yyyy/mm/dd.

To import a log file:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Log View > Log Browse and click Import in the toolbar.
  3. In the Device dropdown list, select the device the imported log file belongs to or select [Take From Imported File] to read the device ID from the log file.

If you select [Take From Imported File], the log file must contain a device_id field in its log messages.

  1. Drag and drop the log file onto the dialog box, or click Add Files and locate the file to be imported on your local computer.
  2. Click OK. A message appears, stating that the upload is beginning, but will be canceled if you leave the page.
  3. Click OK. The upload time varies depending on the size of the file and the speed of the connection. After the log file is successfully uploaded, FortiAnalyzer inspects the file:
    • If the device_id field in the uploaded log file does not match the device, the import fails. Click Return to try again.
    • If you selected [Take From Imported File] and the FortiAnalyzer unit’s device list does not currently contain that device, an error is displayed stating Invalid Device ID.

Downloading a log file

You can download a log file to save it as a backup or to use outside the FortiAnalyzer unit. The download consists of either the entire log file, or a partial log file, as selected by your current log view filter settings and, if downloading a raw file, the time span specified.

To download a log file:

  1. Go to Log View > Log Browse and select the log file that you want to download.
  2. In the toolbar, click Download.
  3. In the Download Log File(s) dialog box, configure download options:
    • In the Log file format dropdown list, select Native, Text, or CSV.
    • If you want to compress the downloaded file, select Compress with gzip.
  4. Click Download.

Deleting log files

To delete log files:

  1. Go to Log View > Log Browse.
  2. Select one or more files and click Delete.
  3. Click OK to confirm.

Log and file storage

Logs and files are stored on the FortiAnalyzer hard disks. Logs are also temporarily stored in the SQL database.

When ADOMs are enabled, settings can be specified for each ADOM that apply only to the devices in it. When ADOMs are disabled, the settings apply to all managed devices.

Data policy and disk utilization settings for devices are collectively called log storage settings. Global log and file storage settings apply to all logs and files, regardless of log storage settings (see File Management on page 220). Both the global and log storage settings are always active.

Disk space allocation

On the FortiAnalyzer, the system reserves 5% to 20% of the disk space for system usage and unexpected quota overflow. The remaining 80% to 95% of the disk space is available for allocation to devices.

Reports are stored in the reserved space.

Total Available Disk Size Reserved Disk Quota
Small Disk (up to 500GB) The system reserves either 20% or 50GB of disk space, whichever is smaller.
Medium Disk (up to 1TB) The system reserves either 15% or 100GB of disk space, whichever is smaller.
Large Disk (up to 3TB) The system reserves either 10% or 200GB of disk space, whichever is smaller.
Very Large Disk (5TB and higher) The system reserves either 5% or 300GB of disk space, whichever is smaller.

The RAID level you select determines the disk size and the reserved disk quota level. For example, a FortiAnalyzer 1000C with four 1TB disks configured in RAID 10 is considered a large disk, so 10%, or 100GB, of disk space is reserved.

Log and file workflow

When devices send logs to a FortiAnalyzer unit, the logs enter the following workflow automatically:

  1. Compressed logs are received and saved in a log file on the FortiAnalyzer disks.

When a log file reaches a specified size, FortiAnalyzer rolls it over and archives it, and creates a new log file to receive incoming logs. You can specify the size at which the log file rolls over. See Device logs on page 216.

  1. Logs are indexed in the SQL database to support analysis.

You can specify how long to keep logs indexed using a data policy. See Log storage information on page 57.

  1. Logs are purged from the SQL database, but remain compressed in a log file on the FortiAnalyzer disks.
  2. Logs are deleted from the FortiAnalyzer disks.

You can specify how long to keep logs using a data policy. See Log storage information on page 57.

In the indexed phase, logs are indexed in the SQL database for a specified length of time so they can be used for analysis. Indexed, or Analytics, logs are considered online, and details about them can be used viewed in the SOC, Log View, and Incidents & Events panes. You can also generate reports about the logs in the Reports pane.

In the compressed phase, logs are compressed and archived in FortiAnalyzer disks for a specified length of time for the purpose of retention. Compressed, or Archived, logs are considered offline, and their details cannot be immediately viewed or used to generate reports.

The following table summarizes the differences between indexed and compressed log phases:

Log Phase Location Immediate Analytic Support
Indexed Compressed in log file and indexed in SQL database Yes. Logs are available for analytic use in SOC, Incidents & Events, and Reports.
Compressed Compressed in log file No.

Automatic deletion

Logs and files are automatically deleted from the FortiAnalyzer unit according to the following settings:

  • Global automatic file deletion

File management settings specify when to delete the oldest Archive logs, quarantined files, reports, and archived files from disks, regardless of the log storage settings. For more information, see File Management on page 220. l Data policy

Data policies specify how long to store Analytics and Archive logs for each device. When the specified length of time expires, Archive logs for the device are automatically deleted from the FortiAnalyzer device’s disks.

  • Disk utilization

Disk utilization settings delete the oldest Archive logs for each device when the allotted disk space is filled. The allotted disk space is defined by the log storage settings. Alerts warn you when the disk space usage reaches a configured percentage.

All deletion policies are active on the FortiAnalyzer unit at all times, and you should carefully configure each policy. For example, if the disk fullness policy for a device hits its threshold before the global automatic file deletion policy for the FortiAnalyzer unit, Archive logs for the affected device are automatically deleted. Conversely, if the global automatic file deletion policy hits its threshold first, the oldest Archive logs on the FortiAnalyzer unit are automatically deleted regardless of the log storage settings associated with the device.

The following table summarizes the automatic deletion polices:

Policy Scope Trigger
Global automatic file deletion All logs, files, and reports on the system When the specified length of time expires, old files are automatically deleted. This policy applies to all files in the system regardless of the data policy settings associated with devices.
Data policy Logs for the device with which the data policy is associated When the specified length of retention time expires, old Archive logs for the device are deleted. This policy affects only Archive logs for the device with which the data policy is associated.
Disk utilization Logs for the device with which the log storage settings are associated When the specified threshold is reached for the allotted amount of disk space for the device, the oldest Archive logs are deleted for the device. This policy affects only Archive logs for the device with which the log storage settings are associated.

Logs for deleted devices

When you delete one or more devices from FortiAnalyzer, the raw log files and archive packets are deleted, and the action is recorded in the local event log. However, the logs that have been inserted into the SQL database are not deleted from the SQL database. As a result, logs for the deleted devices might display in the Log View and SOC > FortiView panes, and any reports based on the logs might include results.

The following are ways you can remove logs from the SQL database for deleted devices.

  • Rebuild the SQL database for the ADOM to which deleted devices belonged or rebuild the entire SQL database.
  • Configure the log storage policy. When the deleted device logs are older than the Keep Logs forAnalytics setting, they are deleted. Also, when analytic logs exceed their disk quota, the SQL database is trimmed starting with the oldest database tables. For more information, see Configuring log storage policy on page 59.
  • Configure global automatic file deletion settings in System Settings > Advanced > File Management. When the deleted device logs are older than the configured setting, they are deleted. For more information, see File Management on page 220.

Log storage information

To view log storage information and to configure log storage policies, go to System Settings > Storage Info.

If ADOMs are enabled, you can view and configure the data policies and disk usage for each ADOM.

The log storage policy affects only the logs and SQL database of the devices associated with the log storage policy. Reports are not affected. See Disk space allocation on page 54.

The following information and options are available:

Edit Edit the selected ADOM’s log storage policy.
Refresh Refresh the page.
Search Enter a search term to search the list.
Name The name of the ADOM.

ADOMs are listed in two groups: FortiGates and OtherDevice Types.

Analytics

(Actual/Config Days)

The age, in days, of the oldest Analytics logs (Actual Days), and the number of days Analytics logs will be kept according to the data policy (Config Days).
Archive

(Actual/Config Days)

The age, in days, of the oldest Archive logs (Actual Days) and the number of days Archive logs will be kept according to the data policy (Config Days).
Max Storage The maximum disk space allotted to the ADOM (for both Analytics and Archive logs). See Disk space allocation on page 54 for more information.
Analytics Usage (Used/Max) How much disk space Analytics logs have used, and the maximum disk space allotted for them.
Archive Usage (Used/Max) How much disk space Archive logs have used and the maximum disk space allotted for them.

Storage information

To view log storage policy and statistics, go to System Settings > Storage Info.

The top part of Storage Info shows visualizations of disk space usage for Analytic and Archive logs where the policy diagrams show an overview and the graphs show disk space usage details. The bottom part shows the log storage policy.

The policy diagram shows the percentage of the disk space quota that is used. Hover your cursor over the diagram to view the used, free, and total allotted disk space. The configured length of time that logs are stored is also shown.

The graphs show the amount disk space used over time. Click Max Line to show a line on the graph for the total space allotted. Hover over a spot in the graph to view the used and available disk space at that specific date and time. Click the graph to view a breakdown of the disk space usage by device.

When the used quota approaches 100 percent, a warning message displays when accessing the Storage Statistics pane.

Click Configure Now to open the Edit Log Storage Policy dialog box where you can adjust log storage policies to prevent running out of allocated space (see Configuring log storage policy on page 59), or click Remind Me Later to resolve the issue another time.

Configuring log storage policy

The log storage policy affects the logs and SQL database of the device associated with the log storage policy.

If you change log storage settings, the new date ranges affect Analytics and Archive logs currently in the FortiAnalyzer device. Depending on the date change, Analytics logs might be purged from the database, Archive logs might be added back to the database, and Archive logs outside the date range might be deleted.

To configure log storage settings:

  1. Go to System Settings > Storage Info.
  2. Double-click on an ADOM, right-click on an ADOM and then select Edit from the menu, or select the ADOM then click Edit in the toolbar. Scroll to the log storage policy sections at the bottom of the Edit Log Storage Policy
  3. Configure the following settings, then click OK.
Data Policy  
Keep Logs for

Analytics

Specify how long to keep Analytics logs.
Keep Logs for

Archive

Specify how long to keep Archive logs.

Make sure your setting meets your organization’s regulatory requirements.

 

Disk Utilization  
Maximum Allowed Specify the amount of disk space allotted. See also Disk space allocation on page 54.
Analytics : Archive Specify the disk space ratio between Analytics and Archive logs. Analytics logs require more space than Archive logs. Click the Modify checkbox to change the setting.
Alert and Delete

When Usage

Reaches

Specify the percentage of allotted disk space usage that will trigger an alert messages and start automatically deleting logs. The oldest Archive log files or Analytics database tables are deleted first.

 

FortiAnalyzer – Fortinet Security Fabric – FortiOS 6.2.3

Fortinet Security Fabric

FortiAnalyzer can recognize a Security Fabric group of devices and display all units in the group on the Device Manager pane. See Adding a Security Fabric group on page 37. FortiAnalyzer supports the Security Fabric by storing and analyzing the logs from the units in a Security Fabric group as if the logs are from a single device. You can also view the logging topology of all units in the Security Fabric group for additional visibility. See Displaying Security Fabric topology on page 38.

FortiAnalyzer provides dynamic data and metadata exchange with the Security Fabric and uses the data in FortiView and Reports for additional visibility. A default report template lets you monitor new users, devices, applications, vulnerabilities, threats and so on from the Security Fabric.

A set of dashboard widgets lets you review audit scores for a FortiGate Security Fabric group with recommended best practices and historical audit scores and trends.

If FortiClient is installed on endpoints for endpoint control with FortiGate, you can use the endpoint telemetry data collected by the Security Fabric agent to display user profile photos in reports and FortiView.

Adding a Security Fabric group

Before you can add a Security Fabric group to FortiAnalyzer, you need to create the Security Fabric group in FortiGate.

Fortinet recommends using a dedicated Super_User administrator account on the FortiGate for FortiAnalyzer access. This ensures that associated log messages are identified as originating from FortiAnalyzer activity. This dedicated Super_User administrator account only needs Read Only access to System Configuration; all other access can be set to None.

To add a Security Fabric group:

  1. Go to Device Manager> Unauthorized Devices.
  2. Select all the devices corresponding to the Security Fabric group created in FortiGate.
  3. Authenticate the Security Fabric group by clicking the Warning icon (yellow triangle) beside the corresponding FortiGate root.
  4. Enter the Authentication Credentials. The authentication credentials are the ones you specified in FortiGate. Once the FortiGate root has been authenticated, the Warning icon will disappear.
  5. After authentication, it takes a few minutes for FortiAnalyzer to automatically populate the devices under the FortiGate root which creates the Security Fabric group.

Displaying Security Fabric topology

For Security Fabric devices, you can display the Security Fabric topology.

To display the Security Fabric topology:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Device Manager and click the Devices Total tab in the quick status bar.
  3. Right-click a Security Fabric device and select Fabric Topology.

A pop-up window displays the Security Fabric topology for that device.

If you selected Fabric Topology by right-clicking a device within the Security Fabric group, the device is highlighted in the topology. If you selected Fabric Topology by right-clicking the name of the Security Fabric group, no device is highlighted in the topology.

Security Fabric traffic log to UTM log correlation

FortiAnalyzer correlates traffic logs to corresponding UTM logs so that it can report sessions/bandwidth together with its UTM threats. Within a single FortiGate, the correlation is performed by grouping logs with the same session IDs, source and destination IP addresses, and source and destination ports.

In a Cooperative Security Fabric (CSF), the traffic log is generated by the ingress FortiGate, while UTM inspection (and subsequent logs) can occur on any of the FortiGates. This means that the traffic logs did not have UTM related log fields, as they would on a single FortiGate. Different CSF members also have different session IDs, and NAT can hide or change the original source and destination IP addresses. Consequently, without a proper UTM reference, the FortiAnalyzer will fail to report UTM threats associated with the traffic.

This feature adds extensions to traffic and UTM logs so that they can be correlated across different FortiGates within the same security fabric. It creates a UTM reference across CSF members and generates the missing UTM related log fields in the traffic logs as if the UTM was inspected on a single FortiGate.

NAT translation is also considered when searching sources and destinations in both traffic and UTM logs. The FortiGate will generate a special traffic log to indicate the NAT IP addresses to the FortiAnalyzer within the CSF.

Traffic logs to DNS and SSH UTM references are also implement – the DNS and SSH counts in Log View can now be clicked on to open the related DNS and SSH UTM log. IPS logs in the UTM reference are processed for both their sources and destinations in the same order, and in the reverse order as the traffic log. The FortiGate log version indicator is expanded and used to make a correct search for related IPS logs for a traffic log.

This feature requires no special configuration. The FortiAnalyzer will check the traffic and UTM logs for all FortiGates that are in the same CSF cluster and create the UTM references between them.

To view the logs:

  1. On the FortiAnalyzer, go to Log View > Traffic.

The UTM security event list, showing all related UTM events that can happen in another CSF member, is shown.

  1. Click the count beside a UTM event to open the related UTM event log window. In this example, the traffic log is from the CSF child FortiGate, and the UTM log is from the CSF root FortiGate.

Like other UTM logs, newly added DNS and SSH UTM references can also be shown in the FortiAnalyzer Log View. Clicking the count next to the DNS or SSH event opens the respective UTM log.

  1. Go to SOC > FortiView > Threats > Top Threats. All threats detected by any CSF member are shown.
  2. The created UTM reference is also transparent to the FortiGate when it gets its logs from the FortiAnalyzer. On the

FortiGate, the traffic log shows UTM events and referred UTM logs from other CSF members, even though the FortiGate does not generate those UTM log fields in its traffic log. In this example, the CSF child FortiGate shows the referred UTM logs from the CSF root FortiGate.

Creating a Security Fabric ADOM

All Fortinet devices included in a Security Fabric can be placed into a Security Fabric ADOM, allowing for fast data processing and log correlation. Fabric ADOMs enable combined results to be presented in the Device Manager, Log View, SOC, Incidents & Events and Reports panes.

In a Fabric ADOM:

  • Device Manager: View and add all Fortinet devices in the Security Fabric to the Fabric ADOM, including FortiGate, FortiSandbox, FortiMail, FortiDDoS, and FortiClient EMS.
  • Log View: View logs from all Security Fabric devices.
  • SOC: FortiDDoS and FortiClient EMS widgets are available.
  • Incidents & Events: Predefined event handlers for FortiGate, FortiSandbox, FortiMail, and FortiWeb ADOMs are available, and triggered events are displayed for all device types.
  • Reports: View predefined reports, templates, datasets, and charts for all device types. Charts from all device types can be inserted into a single report.

To create a Fabric ADOM:

  1. In FortiAnalyzer, go to System Settings > All ADOMs.
  2. Select Create New.
  3. Configure the settings for the new Fabric ADOM and select Fabric as the type.

See Creating ADOMs on page 181 for more information on the individual settings.

  1. Select OK to create the ADOM.

The Fabric ADOM is listed under the Security Fabric section of All ADOMs.

 

Fabric View – FortiAnalyzer – FortiOS 6.2.3

Fabric View

Fabric Connectors

You can use FortiAnalyzer to create the following types of fabric connectors:

ITSM

You can use the Fabric Connectors tab to create the following types of ITSM connectors:

l ServiceNow l Webhook, a generic connector

Creating or editing ITSM connectors

You can create ITSM connectors for ServiceNow and Webhook.

To create or edit ITSM connectors:

  1. Go to Fabric View > Fabric Connectors.
  2. To create an ITSM connector, click Create New. In the Create New Fabric Connector wizard, select ServiceNow or Webhook, and click Next.

To edit an ITSM connector, click the ITSM connector. The connector options are displayed.

  1. Configure the following options, and then click OK:
Property   Description
Name   Type a name for the fabric connector.
Description   (Optional) Type a description for the fabric connector.
Protocol   Select HTTPS.
Property Description
Port Specify the port FortiAnalyzer uses to communicate with the external platform.
Method Select POST.
Title Type a title for the fabric connector.
URL Type the URL of the external platform.

Using ServiceNow as an example, copy and paste the URL from ServiceNow API URL in the Connection to ServiceNow API section in ServiceNow > FortiAnalyzerSystem Properties.

Enable HTTP Authentication Set HTTP authentication to ON or OFF.

Using ServiceNow as an example, enter the username and password from the Connection to ServiceNow API section in ServiceNow > FortiAnalyzer System Properties.

Status Toggle ON to enable the fabric connector. Toggle OFF to disable the fabric connector.

Storage

You can use the Fabric Connectors tab to create the following types of storage connectors: l Amazon S3

l Microsoft Azure l Google Cloud

Creating or editing storage connectors

You can create storage connectors for Amazon S3, Microsoft Azure, and Google Cloud. Once you have created a storage connector, you can upload FortiAnalyzer logs to cloud storage. See Upload logs to cloud storage on page 219

To create a storage connector:

  1. Go to Fabric View > Fabric Connectors.
  2. Select Create New. In the Create New Fabric Connector wizard, choose Amazon S3, Azure Blob, or Google and select Next.
  3. Configure the following options and select OK.
Property   Description
Name   Type a name for the fabric connector.
Comments   (Optional) Add comments about the connector.
Title   Type a title for the fabric connector.
Status   Toggle On to enable the fabric connector. Toggle Off to disable the fabric connector.
Amazon S3

Azure Blob

Google

Provider Type AWS.
Region Select a region.
Access Key ID Paste the access key from the IAM user account.
Secret Access Key Paste the secret access key from the IAM user account. Click the eye icon to Show or Hide the key.
Storage Account

Name

Paste the storage account name from the Microsoft Azure account.
Account Key Paste the account key from the Microsoft Azure account.
Cloud

Project Number

Paste the project number from the Google account.
Service Account Credentials Paste the entire Google account JSON key into the field. Click the eye icon to Show or Hide the key.
Cloud Location Select a Google Cloud location. For information about Google locations, visit the product help.
  1. Advanced options will differ between the various types of storage connectors.

To edit a storage connector:

  1. Go to Fabric View > Fabric Connectors.
  2. Select an existing storage connector to edit.
  3. In the dropdown menu that appears below the connector name, modify the connector settings.
  4. Select OK.

Identity Center

The Fabric View > Identity Center pane displays a list of users and endpoints in the network from relevant logs, and correlates them with FortiAnalyzer modules.

The Identity Center is useful for user and endpoint mapping. Some users might use multiple endpoints in the network, endpoints might use multiple different interfaces to connect, network interfaces might have multiple IP addresses, and so on. A map of users and their endpoints gives you better visibility when you analyze logs, events, and incidents. This also helps with your reporting.

To view relevant identity logs directly from the SOC, Log View, and Incidents & Events panes, click the user or endpoint log, then click the Topography link in the pop-up that appears.

This Identity pane lists all endpoints and users from relevant logs and correlates them with FortiAnalyzer modules.

Column Description
User Name The name of the user.
User Group The group of user identities. An identity can be a: l Local user account (username/password stored on the FortiGate unit) l Remote user account (password stored on a RADIUS, LDAP, or TACACS+ server) l PKI user account with digital client authentication certificate stored on the FortiGate unit l RADIUS, LDAP, or TACACS+ server, optionally specifying particular user groups on that server l User group defined on an FSSO server.
Endpoints Endpoint host name, IP address, or MAC address. A user may be connected to multiple endpoints.

Click the endpoint to display the corresponding user information in the Assets pane.

Social The user’s Name, Picture, Email, Phone Number, and Social if it is available.
Source The name of device that created the log.
Last Update The date and time the log was updated.

Use the toolbar to select a Security Fabric, time period, and columns.

End user information is limited if there is no FortiClient in your installation.

  • Endpoints are detected based on MAC address and displayed by IP address instead of host name.
  • User related information might not be available.
  • Detailed information such as OS version, avatar, and social ID information are not available.

To provide a unified experience, you can customize how identity information is displayed, including which fields are displayed, the order, and the priority.

To configure the display settings in the Social column:

  1. Go to Log View >Tools > UserDisplay Preferences.
  2. Select the order preference tab you want to configure.

Tabs include Name, Picture, Email, Phone Number, and Social.

  1. Rearrange the order preference as per your needs by drag-and-dropping an entry. For names, pictures, emails, and phone numbers, only the top entry will appear in the identity pop-up window.
  2. User information can be disabled by moving the Show toggle to the Off position in the respective tabs.

Assets

The Fabric View > Assets pane is the central location for security analysts to view endpoint and user information to make sure they are compliant. Endpoints are important assets in a network as they are the main entry points in a cybersecurity breach.

The Assets pane is useful for the following:

  • Incident response. Check assets that are infected or vulnerable as part of your SOC analysis and incident response process. l Identify unknown and non-compliant users and endpoints.

To view relevant asset logs directly from the SOC, Log View, and Incidents & Events panes, click the user or endpoint log, then click the Topography link in the pop-up that appears.

The Assets pane lists all endpoints and users from relevant logs and correlates them with FortiAnalyzer modules. Sort by the Vulnerabilities column to see which endpoints and users have the highest vulnerabilities.

Column Description
Endpoint Endpoint host name or IP address.
User The name of the user. Click the name to view the corresponding user information in the Identity Center pane.
MAC Address Endpoint MAC address.
IP Address IP address the endpoint is connected to. A user might be connected to multiple endpoints.
FortiClient UUID Unique ID of the FortiClient.
Hardware / OS OS name and version.
Vulnerabilities The number of vulnerabilities for critical, high, medium, and low vulnerabilities. Click the vulnerability to view the name and category.
Network Location The location of the FortiAnalyzer device.
Last Update The date and time the log was updated.

Use the toolbar to select a Security Fabric, time period, and columns.

If there is no FortiClient in your installation, then endpoint and end user information is limited.

  • Endpoints are detected based on MAC address and displayed by IP address instead of host name.
  • User related information might not be available.
  • Detailed information such as OS version, avatar, and social ID information are not available.

 

FortiAnalyzer – Device Manager – FortiOS 6.2.3

Device Manager

Use the Device Manager pane to add, configure, and manage devices and VDOMs.

After you add and authorize a device or VDOM, the FortiAnalyzer unit starts collecting logs from that device or VDOM. You can configure the FortiAnalyzer unit to forward logs to another device. See Log Forwarding on page 190.

ADOMs

You can organize connected devices into ADOMs to better manage the devices. ADOMs can be organized by:

  • Firmware version: group all 6.0 devices into one ADOM, and all 6.2 devices into another.
  • Geographic regions: group all devices for a specific geographic region into an ADOM, and devices for a separate region into another ADOM.
  • Administrator users: group devices into separate ADOMs based for specific administrators responsible for the group of devices.
  • Customers: group all devices for one customer into an ADOM, and devices for another customer into another ADOM.

FortiAnalyzer, FortiCache, FortiClient, FortiDDos, FortiMail, FortiManager, FortiSandbox, FortiWeb, Chassis, and FortiCarrier devices are automatically placed in their own ADOMs. l Security Fabric: group all devices that are within the Security Fabric.

Each administrator profile can be customized to provide read-only, read/write, or restrict access to various ADOM settings. When creating new administrator accounts, you can restrict which ADOMs the administrator can access, for enhanced control of your administrator users. For more information on ADOM configuration and settings, see Administrative Domains on page 176.

FortiClient EMS devices

You can add FortiClient EMS servers to FortiAnalyzer. Authorized FortiClient EMS servers are added to the default

FortiClient ADOM. You must enable ADOMs to work with FortiClient EMS servers in FortiAnalyzer. When you select the FortiClient ADOM and go to the Device Manager pane, the FortiClient EMS servers are displayed. See also FortiClient support and ADOMs on page 178.

Unauthorized devices

When a device is configured to send logs to FortiAnalyzer, the unauthorized device is displayed in the Device Manager > Devices Unauthorized pane. You can then add devices to specific ADOMs or delete devices by using the toolbar buttons or the right-click menu.

Using FortiManager to manage FortiAnalyzer devices

You can add FortiAnalyzer devices to FortiManager and manage them. When you add a FortiAnalyzer device to FortiManager, FortiManager automatically enables FortiAnalyzer features. FortiAnalyzer and FortiManager must be running the same OS version, at least 5.6 or later.

In the Device Manager pane, a message informs you the device is managed by FortiManager and all changes should be performed on FortiManager to avoid conflict. The top right of this pane displays a lock icon. If ADOMs are enabled, the System Settings > All ADOMs pane displays a lock icon beside the ADOM managed by FortiManager.

Logs are stored on the FortiAnalyzer device, not the FortiManager device. You configure log storage settings on the FortiAnalyzer device; you cannot change log storage settings using FortiManager.

For more information, see Adding FortiAnalyzer devices in the FortiManagerAdministration Guide.

Adding devices

You must add and authorize devices and VDOMs to FortiAnalyzer to enable the device or VDOM to send logs to FortiAnalyzer. Authorized devices are also known as devices that have been promoted to the DVM table.

You must configure devices to send logs to FortiAnalyzer. For example, after you add and authorize a FortiGate device with FortiAnalyzer, you must also configure the FortiGate device to send logs to FortiAnalyzer. In the FortiGate GUI, go to Log & Report > Log Settings, and enable Send Logs to FortiAnalyzer/FortiManager.

Adding devices using the wizard

You can add devices and VDOMs to FortiAnalyzer using the Add Device wizard. When the wizard finishes, the device is added to the FortiAnalyzer unit, authorized, and is ready to start sending logs.

To add devices using the wizard:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Device Manager and click Add Device.
  3. Configure the following settings:
IP Address Type the IP address for the device.
SN Type the serial number for the device.
Device Name Type a name for the device.
Device Model Select the model of the device.
Firmware Version Select the firmware version of the device.
Description Type a description of the device (optional).
  1. Click Next.

The device is added to the ADOM and, if successful, is ready to begin sending logs to the FortiAnalyzer unit.

  1. Click Finish to finish adding the device and close the wizard.

Authorizing devices

You can configure supported devices to send logs to the FortiAnalyzer device. These devices are displayed in the root ADOM as unauthorized devices. You can quickly view unauthorized devices by clicking Unauthorized Devices in the quick status bar. You must authorize the devices before FortiAnalyzer can start receiving logs from the devices.

When ADOMs are enabled, you can assign the device to an ADOM. When authorizing multiple devices at one time, they are all added to the same ADOM.

When you delete a device or VDOM from the FortiAnalyzer unit, its raw log files are also deleted. SQL database logs are not deleted.

To authorize devices:

  1. In the root ADOM, go to Device Manager and click Unauthorized Devices in the quick status bar. The content pane displays the unauthorized devices.
  2. If necessary, select the Display Hidden Devices check box to display hidden unauthorized devices.
  3. Select the unauthorized device or devices, then click Authorize. The Authorize Device dialog box opens.
  4. If ADOMs are enabled, select the ADOM in the Add the following device(s)to ADOM If ADOMs are disabled, select root.
  5. Click OK to authorize the device or devices.

The device or devices are authorized and FortiAnalyzer can start receiving logs from the device or devices.

Hiding unauthorized devices

You can hide unauthorized devices from view, and choose when to view hidden devices. You can authorize or delete hidden devices.

To hide and display unauthorized devices:

  1. In the root ADOM, go to Device Manager and click Unauthorized Devices in the quick status bar. The content pane displays the unauthorized devices.
  2. Select the unauthorized device or devices, then click Hide. The unauthorized devices are hidden from view.

You can view hidden devices by selecting the Display Hidden Devices check box.

Adding an HA cluster

You can use a HA cluster to synchronize logs and data securely among multiple FortiGate devices.

An HA cluster can have a maximum of four devices: one primary or master device with up to three backup or slave devices. All the devices in the cluster must be of the same FortiGate series and must be visible on the network.

You can use auto-grouping in FortiAnalyzer to group devices in a cluster based on the group name specified in Fortigate’s HA cluster configuration. For auto-grouping to work properly, each FortiGate cluster requires a unique group name.

If a unique group name is not used, auto-grouping should be disabled.

FAZ # config system global

(global)# set ha-member-auto-grouping disable

To create a HA cluster:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Add the devices to the Device Manager.
  3. Choose a master device, and click Edit.
  4. In the Edit Device pane, select HA Cluster.
  5. From the Add Existing Device list, select a device, and click Add.
  6. Optionally, you can use the Add OtherDevice field to add a new device.
  7. Add more devices as necessary, and click OK. The maximum is three slave devices.

To view the HA in the Device Manager, click Column Settings > HA Status.

Managing devices

Use the tools and commands in the Device Manager pane to manage devices and VDOMs.

Using the quick status bar

You can see the quick status bar at the top of the Device Manager pane. The quick status bar contains the following tabs:

  • Devices Total: Displays the authorized devices. l Devices Unauthorized: Displays the unauthorized devices.
  • Devices Log Status Down: Displays the authorized devices with a log status of down. l Storage Used: Displays the Log View > Storage Statistics

The Devices Total, Devices Unauthorized, and the Devices Log Status Down tabs include the following default columns:

Column Description
Device Name Displays the name of the device.
Column Description
IP Address Displays the IP address for the device.
Platform Displays the platform for the device.
Logs Identifies whether the device is successfully sending logs to the FortiAnalyzer unit. A green circle indicates that logs are being sent. A red circle indicates that logs are not being sent.

A lock icon displays when a secure tunnel is being used to transfer logs from the device to the FortiAnalyzer unit.

Average Log Rate (Logs/Sec) Displays the average rate at which the device is sending logs to the FortiAnalyzer unit in log rate per second. Click the number to display a graph of historical average log rates.
Device Storage Displays how much of the allotted disk space has been consumed by logs.
Description Displays a description of the device (not displayed in Devices Unauthorized tab).

Using the toolbar

The following buttons and menus are available for selection on the toolbar:

Button Description
Add Device Opens the Add Device Wizard to add a device to the FortiAnalyzer unit. The device is added, but not authorized. Unauthorized devices are displayed in the Unauthorized Devices tree menu.
Edit Edits the selected device.
Delete Deletes the selected devices or VDOMs from the FortiAnalyzer unit.

When you delete a device, its raw log files are also deleted. SQL database logs are not deleted.

Column Settings Click to select which columns to display or select Reset to Default to display the default columns.
More Displays more menu items including Import Device List and Export Device List.
Search Type the name of a device. The content pane displays the results. Clear the search box to display all devices in the content pane.

Editing device information

Use the Edit Device page to edit information about a device. The information and options available on the Edit Device page depend on the device type, firmware version, and which features are enabled.

To edit information for a device or model device:

  1. Go to Device Manager and click the Devices Total tab in the quick status bar.
  2. In the content pane, select the device or model device and click Edit, or right-click on the device and select Edit. The Edit Device pane displays.
  3. Edit the device settings and click OK.
Name The name of the device.
Description Descriptive information about the device.
IP Address Enter the IP address of the device.
Serial Number The serial number of the device.
Firmware Version The firmware version.
Admin User Enter the administrator user name.
Password Enter the administrator user password.
HA Cluster Select to identify the device as part of an HA cluster, and to identify the other device in the cluster by selecting them from the drop-down list, or by inputting their serial numbers.
Geographic Coordinates Identifies the latitude and longitude of the device location to support the interactive maps.

Click Show Map to open a map showing the location of the device based on the coordinates. Click and drag the map marker to adjust the device’s location.

Company/Organization Optionally, enter the company or organization information.
Country Optionally, enter the country where the device is located.
Province/State Optionally, enter the province or state.
City Optionally, enter the city.
Contact Optionally, enter the contact information.

Displaying historical average log rates

You can display a graph of the historical, average log rates for each device.

To display historical average logs rates:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Device Manager and click the Devices Total tab in the quick status bar.
  3. In the Average Log Rate (Logs/Sec) column, click the number to display the graph.
  4. Hover the cursor over the graph to display more details.

Connecting to an authorized device GUI

You can connect to the GUI of an authorized device from Device Manager.

To connect to an authorized device GUI:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Device Manager and click the Devices Total tab in the quick status bar.
  3. Right-click the device that you want to access, and select Connect to Device.
  4. If necessary, change the port number and click OK.

You are directed to the Login page of the device GUI.

 

FortiAnalyzer Key Concepts – FortiOS 6.2.3

FortiAnalyzer Key Concepts

Two operation modes

FortiAnalyzer can run in two operation modes: Analyzer and Collector. Choose the operation mode for your FortiAnalyzer units based on your network topology and requirements.

Analyzer mode

Analyzer mode is the default mode that supports all FortiAnalyzer features. Use this mode to aggregate logs from one or more Collectors.

The following diagram shows an example of deploying FortiAnalyzer in Analyzer mode.

Collector mode

When FortiAnalyzer is in Collector mode, its primary task is forwarding logs of the connected devices to an Analyzer and archiving the logs. Instead of writing logs to the database, the Collector retains logs in their original binary format for uploading. In this mode, most features are disabled.

Analyzer and Collector feature comparison

Feature Analyzer Mode Collector Mode
Device Manager Yes Yes
FortiView Yes No
Feature Analyzer Mode Collector Mode
Log View Yes Raw archive logs only
Incidents & Events Yes No
Monitoring devices Yes No
Reporting Yes No
System Settings Yes Yes
Log Forwarding Yes Yes

Analyzer–Collector collaboration

You can deploy Analyzer mode and Collector mode on different FortiAnalyzer units and make the units work together to improve the overall performance of log receiving, analysis, and reporting. The Analyzer offloads the log receiving task to the Collector so that the Analyzer can focus on data analysis and report generation. This maximizes the Collector’s log receiving performance.

For an example of setting up Analyzer–Collector collaboration, see Collectors and Analyzers on page 256.

Administrative domains

Administrative domains (ADOMs) enable the admin administrator to constrain the access privileges of other FortiAnalyzer unit administrators to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific VDOM for a device.

Enabling ADOMs alters the available functions in the GUI and CLI. Access to the functions depends on whether you are logged in as the admin administrator. If you are logged in as the admin administrator, you can access all ADOMs. If you are not logged in as the admin administrator, the settings in your administrator account determines access to ADOMs.

For information on enabling and disabling ADOMs, see Enabling and disabling the ADOM feature on page 179. For information on working with ADOMs, see Administrative Domains on page 176. For information on configuring administrator accounts, see Managing administrator accounts on page 223.

Log storage

Logs and files are stored on the FortiAnalyzer disks. Logs are also temporarily stored in the SQL database.

You can configure data policy and disk utilization settings for devices. These are collectively called log storage settings.

You can configure global log and file storage settings. These apply to all logs and files in the FortiAnalyzer system regardless of log storage settings.

SQL database

FortiAnalyzer supports Structured Query Language (SQL) for logging and reporting. The log data is inserted into the SQL database to support data analysis in SOC > FortiView, Log View, and Reports. Remote SQL databases are not supported.

For more information, see FortiView on page 98, Types of logs collected for each device on page 42, and Reports on page 111.

The log storage settings define how much FortiAnalyzer disk space to use for the SQL database.

When FortiAnalyzer is in Collector mode, the SQL database is disabled by default. If you want to use logs that require SQL when FortiAnalyzer is in Collector mode, you must enable the SQL database. See Two operation modes on page 19.

Analytics and Archive logs

Logs in FortiAnalyzer are in one of the following phases. Use a data policy to control how long to retain Analytics and Archive logs.

l Real-time log: Log entries that have just arrived and have not been added to the SQL database, i.e., have not been rolled. l Analytics logs or historical logs: Indexed in the SQL database and online. l Archive logs: Compressed on hard disks and offline.

In the indexed phase, logs are indexed in the SQL database for a specified length of time for the purpose of analysis.

Logs in the indexed phase in the SQL database are considered online and you can view details about these logs in SOC > FortiView, Log View, and Incidents & Events panes. You can also generate reports about the logs in the Reports pane.

In the compressed phase, logs are compressed and archived in FortiAnalyzer disks for a specified length of time for the purpose of retention. Logs in the compressed phase are considered offline and you cannot immediately view details about these logs in the SOC > FortiView, Log View, and Incidents & Events panes. You also cannot generate reports about the logs in the Reports pane.

Data policy and automatic deletion

Use a data policy to control how long to keep compressed and indexed logs. When ADOMs are enabled, you can specify settings for each ADOM and the settings apply to all devices in that ADOM. When ADOMs are disabled, settings apply to all managed devices.

A data policy specifies:

  • How long to keep Analytics logs indexed in the database

When the specified length of time in the data policy expires, logs are automatically purged from the database but remain compressed in a log file on the FortiAnalyzer disks.

  • How long to keep Archive logs on the FortiAnalyzer disks

When the specified length of time in the data policy expires, Archive logs are deleted from the FortiAnalyzer disks.

See also Log storage information on page 57.

Disk utilization for Archive and Analytic logs

You can specify how much of the total available FortiAnalyzer disk space to use for log storage. You can specify what ratio of the allotted storage space to use for logs that are indexed in the SQL database and for logs that are stored in a compressed format on the FortiAnalyzer disks. Then you can monitor how quickly device logs are filling up the allotted disk space.

Analytic logs indexed in the SQL database require more disk space than Archive logs (purged from the SQL database but remain compressed on the FortiAnalyzer disks). An average indexed log is 400 bytes and an average compressed log is 50 bytes. Keep this difference in mind when specifying the storage ratio for Analytics and Archive logs.

When ADOMs are enabled, you can specify settings for each ADOM and the settings apply to all devices in that ADOM. When ADOMs are disabled, settings apply to all managed devices. See Log storage information on page 57.

SOC dashboard

FortiAnalyzer provides dashboard for Security Operations Center (SOC) administrators. SOC includes monitors which enhance visualization for real-time activities and historical trends for analysts to effectively monitor network activities and security alerts. See SOC Monitoring on page 87.

In high capacity environments, the SOC module can be disabled to improve performance. See Enabling and disabling SOC on page 109.

 

Setting up FortiAnalyzer – FortiOS 6.2.3

Setting up FortiAnalyzer

Connecting to the GUI

The FortiAnalyzer unit can be configured and managed using the GUI or the CLI. This section will step you through connecting to the unit via the GUI.

To connect to the GUI:

  1. Connect the FortiAnalyzer unit to a management computer using an Ethernet cable.
  2. Configure the management computer to be on the same subnet as the internal interface of the FortiAnalyzer unit:

l IP address: 192.168.1.X l Netmask: 255.255.255.0

  1. On the management computer, start a supported web browser and browse to https://192.168.1.99.
  2. Type admin in the Name field, leave the Password field blank, and click Login. The Change Password dialog box is displayed.
  3. Change the default password now, or click Later to change the password later:
    1. In the New Password box, type a new password.
    2. In the Confirm Password box, type the new password again, and click OK.
  4. If ADOMs are enabled, the Select an ADOM pane is displayed. Click an ADOM to select it. The FortiAnalyzer home page is displayed.
  5. Click a tile to go to that pane. For example, click the Device Manager tile to go to the Device Manager See also GUI overview on page 12.

If the network interfaces have been configured differently during installation, the URL and/or permitted administrative access protocols (such as HTTPS) may no longer be in their default state.

 

For information on enabling administrative access protocols and configuring IP addresses, see Configuring network interfaces on page 167.

After logging in for the first time, you should create an administrator account for yourself and assign the Super_User profile to it. Then you should log into the FortiAnalyzer unit by using the new administrator account. See Managing administrator accounts on page 223 for information.

Security considerations

You can take steps to prevent unauthorized access and restrict access to the GUI. This section includes the following information:

l Restricting GUI access by trusted host on page 11 l Other security considerations on page 11

Restricting GUI access by trusted host

To prevent unauthorized access to the GUI you can configure administrator accounts with trusted hosts. With trusted hosts configured, the administrator user can only log into the GUI when working on a computer with the trusted host as defined in the administrator account. You can configure up to ten trusted hosts per administrator account. See Administrators on page 222 for more details.

Other security considerations

Other security consideration for restricting access to the FortiAnalyzer GUI include the following:

l Configure administrator accounts using a complex passphrase for local accounts l Configure administrator accounts using RADIUS, LDAP, TACACS+, or PKI l Configure the administrator profile to only allow read/write permission as required and restrict access using readonly or no permission to settings which are not applicable to that administrator l Configure the administrator account to only allow access to specific ADOMs as required

When setting up FortiAnalyzer for the first time or after a factory reset, the password cannot be left blank. You are required to set a password when the admin user tries to log in to FortiManager from GUI or CLI for the first time. This is applicable to a hardware device as well as a VM. This is to ensure that administrators do not forget to set a password when setting up FortiAnalyzer for the first time.

After the initial setup, you can set a blank password from System Settings > Administrators.

GUI overview

When you log into the FortiAnalyzer GUI, the following home page of tiles is displayed:

Select one of the following tiles to display the respective pane. The available tiles vary depending on the privileges of the current user.

Device Manager Add and manage devices and VDOMs. See Device Manager on page 24.
Fabric View Configure fabric connectors. See Fabric View on page 32.
SOC Summarizes SOC information in FortiView and Monitors dashboards, which include widgets displaying log data in graphical formats, network security, WiFi security, and system performance in real-time.

This pane is not available when the unit is in Collector mode.

Log View View logs for managed devices. You can display, download, import, and delete logs on this page. You can also define custom views and create log groups. See Log View and Log Quota Management on page 42.
Incidents & Events Configure and view events for logging devices. See Incident and Event Management on page 61.

This pane is not available when the unit is in Collector mode.

Reports Generate reports. You can also configure report templates, schedules, and output profiles, and manage charts and datasets. See Reports on page 111.

This pane is not available when the unit is in Collector mode.

FortiRecorder Manage FortiCamera devices and view camera streams and recordings through the Monitors dashboard.

This pane is only available in physical appliances and is disabled by default. See

FortiRecorder on page 143

This pane is not available when the unit is in Collector mode.

System Settings Configure system settings such as network interfaces, administrators, system time, server settings, and others. You can also perform maintenance and firmware operations. See System Settings on page 154.

The top-right corner of the home page includes a variety of possible selections:

ADOM If ADOMs are enabled, the required ADOM can be selected from the dropdown list. The ADOMs available from the ADOM menu will vary depending on the privileges of the current user.
Full Screen Click to view only the content pane in the browser window. See Full-screen mode on page 15.
Help Click to open the FortiAnalyzer online help, or view the About information for your device (Product, Version, and Build Number).

You can also open the FortiAnalyzer basic setup video

(https://video.fortinet.com/video/208/fortianalyzer-basic-setup).

CLI Console Click the CLI Console icon on the right side of the banner on any page.

The CLI console is a terminal window that enables you to configure the FortiAnalyzer unit using CLI commands directly from the GUI, without making a separate SSH, or local console connection to access the CLI.

When using the CLI console, you are logged in with the same administrator account that you used to access the GUI. You can enter commands by typing them, or you can copy and paste commands into or out of the console.

Click Detach in the CLI Console toolbar to open the console in a separate window.

Note: The CLI Console requires that your web browser support JavaScript.

Notification Click to display a list of notifications. Select a notification from the list to take action on the issue.
admin Click to change the password or log out of the GUI.

Panes

In general, panes have four primary parts: the banner, toolbar, tree menu, and content pane.

Banner   Along the top of the page; includes the home button (Fortinet logo), tile menu, ADOM menu (when enabled), admin menu, notifications, help button, and CLI console button.
Tree menu   On the left side of the screen; includes the menus for the selected pane. Not available in Device Manager.
Content pane Contains widgets, lists, configuration options, or other information, depending on the pane, menu, or options that are selected. Most management tasks are handled in the content pane.
Toolbar Directly above the content pane; includes options for managing content in the content pane, such as Create New and Delete.

To switch between panes, either select the home button to return to the home page, or select the tile menu then select a new tile.

Color themes

You can choose a color theme for the FortiAnalyzer GUI. For example, you can choose a color, such as blue or plum, or you can choose an image, such as summer or autumn. See Global administration settings on page 243.

Full-screen mode

You can view several panes in full-screen mode. When a pane is in full-screen mode, the tree menu on the left side of the screen is hidden.

Click the Full Screen button in the toolbar to enter full-screen mode, and press the Esc key on your keyboard to exit fullscreen mode.

Switching between ADOMs

When ADOMs are enabled, you can move between ADOMs by selecting an ADOM from the ADOM menu in the banner.

ADOM access is controlled by administrator accounts and the profile assigned to the administrator account. Depending on your account privileges, you might not have access to all ADOMs. See Managing administrator accounts on page 223 for more information.

Using the right-click menu

Options are sometimes available using the right-click menu. Right-click an item in the content pane, or within some of the tree menus, to display the menu that includes various options similar to those available in the toolbar.

In the following example on the Reports pane, you can right-click a template, and select Create New, View, Clone, or Create Report.

Avatars

When FortiClient sends logs to FortiAnalyzer, an avatar for each user can be displayed in the Source column in the

SOC > FortiView and Log View panes. FortiAnalyzer can display an avatar when the following requirements are met:

l FortiClient is managed by FortiGate or FortiClient EMS with logging to FortiAnalyzer enabled. l FortiClient sends logs and a picture of each user to FortiAnalyzer.

If FortiAnalyzer cannot find the defined picture, a generic, gray avatar is displayed.

Showing and hiding passwords

In some cases you can show and hide passwords by using the toggle icon. When you can view the password, the Toggle show password icon is displayed:

When you can hide the password, the Toggle hide password icon is displayed:

Target audience and access level

This guide is intended for administrators with full privileges, who can access all panes in the FortiAnalyzer GUI, including the System Settings pane.

In FortiAnalyzer, administrator privileges are controlled by administrator profiles. Administrators who are assigned profiles with limited privileges might be unable to view some panes in the GUI and might be unable to perform some tasks described in this guide. For more information about administrator profiles, see Administrator profiles on page 228.

If you logged in by using the admin administrator account, you have the Super_User administrator profile, which is assigned to the admin account by default and gives the admin administrator full privileges.

Initial setup

This topic provides an overview of the tasks that you need to do to get your FortiAnalyzer unit up and running.

To set up FortiAnalyzer:

  1. Connect to the GUI. See Connecting to the GUI on page 10.
  2. Configure the RAID level, if the FortiAnalyzer unit supports RAID. See Configuring the RAID level on page 174.
  3. Configure network settings. See Configuring network interfaces on page 167.

Once the IP address of the administrative port of FortiAnalyzer is changed, you will lose connection to FortiAnalyzer. You will have to reconfigure the IP address of the management computer to connect again to FortiAnalyzer and continue.

  1. (Optional) Configure administrative domains. See Managing ADOMs on page 180.
  2. Configure administrator accounts. See Managing administrator accounts on page 223.
  3. Add devices to the FortiAnalyzer unit so that the devices can send logs to the FortiAnalyzer unit. See Adding devices on page 25.
  4. Configure the operation mode. See Configuring the operation mode on page 161 and Two operation modes on page 19.

FortiManager features

FortiManager features are not available in FortiAnalyzer 6.2.0 and up.

For information about FortiManager, see the FortiManagerAdministration Guide.

If FortiManager features are enabled in FortiAnalyzer before upgrading to 6.2.0 and later, the existing feature configurations will continue to be available after the upgrade. FortiManager features carried over during an upgrade can be disabled through the CLI console.

Next steps

Now that you have set up your FortiAnalyzer units and they have started receiving logs from the devices, you can start monitoring and interpreting data. You can:

  • View log messages collected by the FortiAnalyzer unit in Log View. See Types of logs collected for each device on page 42.
  • View multiple panes of network activity in SOC (Security Operations Center). See SOC Monitoring on page 87.
  • View summaries of threats, traffic, and more in SOC > FortiView. See FortiView on page 98 l Generate and view events in Incidents & Events. See Incident and Event Management on page 61. l Generate and view reports in Reports. See Reports on page 111.

Restarting and shutting down

Always use the operation options in the GUI or the CLI commands to reboot and shut down the FortiAnalyzer system to avoid potential configuration problems.

To restart the FortiAnalyzer unit from the GUI:

  1. Go to System Settings > Dashboard.
  2. In the Unit Operation widget, click the Restart
  3. Enter a message for the event log, then click OK to restart the system.

To restart the FortiAnalyzer unit from the CLI:

  1. From the CLI, or in the CLI Console menu, enter the following command:

execute reboot The system will be rebooted.

Do you want to continue? (y/n)

  1. Enter y to continue. The FortiAnalyzer system will restart.

To shutdown the FortiAnalyzer unit from the GUI:

  1. Go to System Settings > Dashboard.
  2. In the Unit Operation widget, click the Shutdown
  3. Enter a message for the event log, then click OK to shutdown the system.

To shutdown the FortiAnalyzer unit from the CLI:

  1. From the CLI, or in the CLI Console menu, enter the following command:

execute shutdown The system will be halted.

Do you want to continue? (y/n)

  1. Enter y to continue. The FortiAnalyzer system will shutdown.

To reset the FortiAnalyzer unit:

  1. From the CLI, or in the CLI Console menu, enter the following command: execute reset all-settings

This operation will reset all settings to factory defaults

Do you want to continue? (y/n)

  1. Enter y to continue. The device will reset to factory default settings and restart.

To reset logs and re-transfer all SQL logs to the database:

  1. From the CLI, or in the CLI Console menu, enter the following command: execute reset-sqllog-transfer

WARNING: This operation will re-transfer all logs into database. Do you want to continue? (y/n)

  1. Enter y to continue. All SQL logs will be resent to the database.