FortiGate Cloud – Logs

Logs

Logs offers more detailed log information, access to individual log data, and downloadable log files. You can select a category of logs to view from the list on the left.

You can select a time period to view data for:

  • Last 60 minutes
  • Last 24 hours
  • Last 7 days
  • Last 30 days
  • Specified time period

You can set the chart’s refresh rate by selecting the Change Refresh Period icon. By using the Add Filter dropdown list, you can filter the log list by various factors. Selecting Column Setting allows you to customize the default log view. By selecting Log Files, you can see the raw log data files and manually download them. The box in the lower right allows you to move through pages of log data by clicking the arrows or entering a page number.

You can download various types of raw logs from FortiGate Cloud. The log filename format is as follows:

<FortiGate serial number>_<log type>_<beginning of log date range>-<time of first log>-<end of log date range>-<time of last log>.log.gz

The log filename format uses a shortened identifier for each log type:

Log type   Identifier
Traffic   tlog
Web Filter   wlog
Application Control   rlog
AntiSpam   slog
AntiVirus   vlog
DLP   dlog
Attack   alog
Anomaly   mlog
DNS   olog
Event (including all subtypes)   elog

For example, consider an Application Control log that is generated for the period between October 23, 2019 and November 2, 2019 for a FortiGate with the serial number “FGT123”. The first log in the file has a timestamp of 6:09 PM, while the last log in the file has a timestamp of 9:32 AM. The log file name is as follows: FGT123_rlog_20191023-1809-20191101-0932.log.gz
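The filename format above, as an added example that is not part of the guide: a small Python parser that splits a downloaded log filename into its fields, maps the identifier back to the log type from the table, and flags gaps between consecutive files of one device and log type, which is a quick way to check that a set of downloaded raw logs is complete. The filenames used in the gap check are constructed, not real downloads.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

# Log-type identifiers used in FortiGate Cloud log filenames (from the table above).
LOG_TYPE_IDENTIFIERS = {
    "tlog": "Traffic",
    "wlog": "Web Filter",
    "rlog": "Application Control",
    "slog": "AntiSpam",
    "vlog": "AntiVirus",
    "dlog": "DLP",
    "alog": "Attack",
    "mlog": "Anomaly",
    "olog": "DNS",
    "elog": "Event",
}

# <serial>_<type>_<YYYYMMDD>-<HHMM>-<YYYYMMDD>-<HHMM>.log.gz
_FILENAME_RE = re.compile(
    r"^(?P<serial>[A-Za-z0-9]+)_(?P<ident>[a-z]log)_"
    r"(?P<start_date>\d{8})-(?P<start_time>\d{4})-"
    r"(?P<end_date>\d{8})-(?P<end_time>\d{4})\.log\.gz$"
)


class LogFileInfo(NamedTuple):
    serial: str
    identifier: str
    log_type: str
    first_log: datetime   # timestamp of the first record in the file
    last_log: datetime    # timestamp of the last record in the file


def parse_log_filename(name: str) -> LogFileInfo:
    """Split a FortiGate Cloud raw log filename into its fields."""
    m = _FILENAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a FortiGate Cloud log filename: {name!r}")
    ident = m.group("ident")
    if ident not in LOG_TYPE_IDENTIFIERS:
        raise ValueError(f"unknown log type identifier {ident!r} in {name!r}")
    first = datetime.strptime(m.group("start_date") + m.group("start_time"), "%Y%m%d%H%M")
    last = datetime.strptime(m.group("end_date") + m.group("end_time"), "%Y%m%d%H%M")
    if last < first:
        raise ValueError(f"log range ends before it starts: {name!r}")
    return LogFileInfo(m.group("serial"), ident, LOG_TYPE_IDENTIFIERS[ident], first, last)


def coverage_gaps(filenames: List[str],
                  max_gap: timedelta = timedelta(hours=1)) -> List[Tuple[datetime, datetime]]:
    """Order files of one device/log type by first record and report every gap
    between one file's last record and the next file's first record that exceeds max_gap."""
    infos = sorted((parse_log_filename(n) for n in filenames), key=lambda i: i.first_log)
    gaps = []
    for prev, cur in zip(infos, infos[1:]):
        if (prev.serial, prev.identifier) != (cur.serial, cur.identifier):
            raise ValueError("coverage_gaps expects files from one device and one log type")
        if cur.first_log - prev.last_log > max_gap:
            gaps.append((prev.last_log, cur.first_log))
    return gaps


if __name__ == "__main__":
    # The guide's own example filename.
    print(parse_log_filename("FGT123_rlog_20191023-1809-20191101-0932.log.gz"))
    # Constructed traffic-log filenames with a missing day (Oct 3 and 4).
    sample = [
        "FGT123_tlog_20191005-0000-20191005-2359.log.gz",
        "FGT123_tlog_20191001-0000-20191001-2359.log.gz",
        "FGT123_tlog_20191002-0000-20191002-2359.log.gz",
    ]
    print(coverage_gaps(sample, max_gap=timedelta(days=1)))
```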

FortiGate Cloud – FortiView

FortiView

The default FortiView page is the summary view, which uses widgets to show a general overview of what is happening with your device. You can add new widgets by selecting Add Widget.

Each widget is a customizable box, showing certain information about the device. You can do the following with widgets:

  • Click a widget title and drag it to move it around.
  • Delete a widget by selecting the X icon.
  • Set the refresh rate of widgets by selecting the dropdown list beside the refresh icon.

The following lists all widget types, grouped according to function:

Threats

Widget   Description   Feature required to be enabled on device
Top Threats   Displays which threats trigger the most detection events on the network.   At least one of the following: IPS, AV, AntiSpam, DLP, or Anomaly Detection.
Top Spam   Displays which sources send the most spam email into the network.   AntiSpam
Top Viruses   Counts the viruses that the device’s AV most frequently finds.   AV
Top Applications by Threat Score   Compares which applications have the most traffic compared to their threat score, based on the device’s Application Control settings.   Application Control
Top Attacks   Counts the attacks that the device’s IPS most frequently prevents.   IPS
Top DLP By Rules   Counts the DLP events that the device detects, sorted by DLP rule.   DLP

Traffic Analysis

Widget   Description   Feature required to be enabled on device
Top Applications   Compares which applications are most frequently used, based on the device’s Application Control settings.   Application Control
Top Application Categories   Compares which application categories are most frequently used, based on the device’s Application Control settings.   Application Control
Top Sources   Displays which sources have the most traffic from or to the device.   None
Top Destinations   Displays which destinations have the most traffic from or to the device.   None
Top Protocols   Compares the traffic volume that has passed through a certain interface, based on which protocol it uses (HTTP, HTTPS, DNS, TCP, UDP, other).   None
Top Countries   Displays which countries have the most traffic from or to the device.   None
Traffic History   Displays volume of incoming and outgoing traffic over time.   None

Websites

Widget   Description   Feature required to be enabled on device
Top Websites   Compares which websites are most frequently visited. You can click a category to see which websites in that category are being visited.   Web Filtering
Top Web Categories   Compares which web filtering categories are most frequently used, based on the device’s Web Filtering settings.   Web Filtering
Top Users/IP by Browsing Time in Seconds   Compares which users visit which IP addresses most frequently in the greatest ratio. You can click a user to see which IP addresses they visit.   Web Filtering

FortiView offers log information, reformatted into easily navigable charts, in a style similar to FortiView in FortiOS.

You can select a time period to view data for:

  • Last 60 minutes
  • Last 24 hours
  • Last 7 days
  • Last 30 days
  • Specified time period

You can set the chart’s refresh rate by clicking the Refresh icon. By using the Add Filter dropdown list, you can filter the chart by various factors. Individual chart entries may also allow you to filter by that entry’s data by selecting a filter icon on the right, or drill down to see all related log data, such as all log data through that interface.

FortiView charts reference

The following provides descriptions of all FortiView charts.

User Dashboard

The User Dashboard displays the number of users/entities that fit into the following security categories:

  • Visited high risk websites
  • Infected by malware
  • Targeted by malware
  • Targeted by spam
  • Violated data leak rules
  • Used high-risk applications
  • Targeted by attacks
  • Attacked by protocol intrusion

You can click each category to view the list of users/entities affected. You can drill down further to view the list of incidents for each user/entity and the logs for each incident.

FSBP Dashboard

The FSBP Dashboard displays security rating results for the device, in the following categories:

  • Overall Score
  • Maturity Milestones
  • Top Achievement
  • Top Todo
  • History Trend

The FSBP Dashboard is only available for devices that support the Security Rating feature.

Threats

Chart   Description
Top Threats   Lists the top threats to your network. The following incidents are considered threats:
  • Risk applications detected by application control.
  • Intrusion incidents detected by IPS.
  • Malicious web sites detected by web filtering.
  • Malware/botnets detected by antivirus.
IPS   Lists intrusion incidents detected by IPS.
AntiVirus   Lists the malware/botnets detected by AV.
AntiSpam   Lists the spam detected by AntiSpam.
DLP & Archives   Lists the DLP and archives incidents.
Anomaly   Lists network anomalies.

Traffic Analysis

Chart   Description
Application   Displays the top applications used on the network, including the application name, category, bandwidth (sent/received), sessions, and risk level.
Cloud Application   Displays the top cloud applications used on the network.
Source   Displays the highest network traffic by source IP address and name, bandwidth (sent/received), sessions, and risk level.
User   Displays the highest network traffic by user in terms of bandwidth sent/received, sessions, and risk level.
Destination   Displays the highest network traffic by destination IP address, the applications used to access the destination, bandwidth sent/received, sessions, and risk level.
Interface   Displays the highest network traffic by interface in terms of bandwidth sent/received, traffic sessions, and risk level. You can view by source or destination interface.
Country   Displays the highest network traffic by country in terms of bandwidth sent/received, traffic sessions, and risk level. You can view by source or destination country.
Policy Hits   Lists the policy hits by policy, device name, VDOM, number of hits, bytes, and last used time and date.

Website

Chart   Description
Website   Displays the top allowed and blocked website domains on the network. You can also view by source. You can filter by threat level.
Web Category   Displays the top website categories. You can filter by threat level.
Browsing User/IP   Displays the top web-browsing users and their IP addresses by total browsing time duration. You can also view by category or domain. You can filter by threat level.

System Events

Chart Description
System Activity Displays events on the managed devices, their severity, and number of incidents. You can filter by user or severity level.
Admin Session Displays the users who logged into managed devices, the number of configuration changes they performed, number of admin sessions, and their total duration of logged-in time. You can also view by login interface. You can filter by severity level.
Failed Login Displays the users who failed to log into managed devices. You can also view by login interface. You can filter by severity level.
Wireless Displays wireless events. You can filter by severity level.

VPN Events

Chart Description
Site to Site Displays the names of VPN tunnels with IPsec that are accessing the network.
SSL and Dialup Displays the users who are accessing the network by using an SSL or IPsec VPN tunnel.
Failed VPN Login Displays the users who failed to log in successfully via VPN.

FortiGate Cloud – Analysis

Analysis

The Analysis tab provides tools for monitoring and logging your device’s traffic, giving you centralized oversight of traffic and security events.

The Analysis homepage provides the following information about devices. You can select a device’s serial number or name to access analysis tools for that device:

  • Model/serial number
  • Fortinet product type
  • Firmware version
  • Status (whether the device is connected through a management tunnel)
  • Last compiled report and last log uploaded
  • Subscription expiry date

You can use the gear icon to access additional functions:

To undeploy the FortiGate:

  1. Click the Config icon for the desired device.
  2. Click Undeploy.
  3. In the confirmation dialog, click YES.
  4. You have the option to place a unit where the FortiGate was deployed. The unit contains historical data and a serial number that starts with U.

To set the display timezone for the FortiGate:

The display timezone only affects log data view for the FortiGate and does not affect the FortiGate’s configured timezone. You can modify the FortiGate’s display timezone after it has already been set.

  1. Go to Analysis.
  2. Click the Config icon beside the desired device, then click Display Timezone.
  3. From the Display Timezone for Device dropdown list, select the desired timezone. Click Submit. The FortiGate Cloud GUI shows the FortiGate’s display timezone in the upper right corner.

To rename the FortiGate:

  1. Click the Config icon for the desired device, then click Rename.
  2. In the Device Name field, enter the desired name. Click Submit.


To delete data from the FortiGate:

  1. Go to Analysis.
  2. Click the Config icon beside the desired device, then click Options.
  3. In the Delete Data before field, select the desired date. Click Apply. FortiGate Cloud deletes the data for the FortiGate from before the selected date.

To go to the device list:

You can return to the device list from the Analysis, Management, or Sandbox page for an individual device.

  1. In the upper left corner, click Show Device List.

FortiGate Cloud – Homepage

Homepage

You see the homepage when you first open the FortiGate Cloud interface. From the homepage, you can add a FortiGate as described in To deploy a FortiGate/FortiWifi to FortiGate Cloud using the key: on page 11. You can also go to the Analysis (page 16), Management (page 29), SandBox (page 35), and Inventory (page 40) pages.

To view Fortinet devices that you have deployed using the same FortiCloud account under a different service, you can click # device(s) in other site. This link does not display if you have not deployed any devices under a different service. It displays a dropdown list of devices deployed using the same FortiCloud account under a different service. For example, if you are currently logged in to the Europe service, this link displays a dropdown list of devices deployed under the global service. If there are more than 20 devices deployed to the other service, the dropdown list only displays 20. You can go to the other service homepage by clicking Switch Site.

The homepage also displays currently active devices that you previously deployed to the current service, but later deployed to another service. For example, if you deployed a FortiGate to the global service, then deployed it to the Europe service, it shows up in the homepage for both services. The Active in column in the Analysis, Management, and SandBox homepages displays which service the device is currently connected to.

To add more administrators/users:

  1. In the upper right of the FortiGate Cloud interface, select the My Account
  2. Select Add User in the window.
  3. Enter the new admin/user’s email address and name.
  4. Select whether they are an admin (total control over the FortiGate Cloud interface) or a regular user (limited control, monitoring only).
  5. From the Language dropdown list, select the desired language.
  6. From the Default Entry Point dropdown list, select the desired default page. This is the default page the user sees when they log in to FortiGate Cloud.
  7. Select Submit. The admin/user receives an email prompting them to set their account password and log in.

To replace an account ID with a new email address:

  1. Log in to FortiGate Cloud using the account that you want to replace. In the upper right of the FortiGate Cloud interface, select the My Account. In the list of users, ensure that the new email address is not already in use.
  2. Add a new admin user, using the desired new email address. Follow the instructions in To add more administrators/users: on page 14 to add the new admin user.
  3. Select Set as primary.
  4. Log out of FortiGate Cloud.
  5. Log in to FortiGate Cloud as the admin user added in step 2.
  6. Click the My Account
  7. In the list of users, click the Delete icon beside the old account to remove it from FortiGate Cloud.

You can move a FortiGate from the global service to the Europe service, or vice versa. The following example illustrates moving a FortiGate from the global service to the Europe service.

To move a FortiGate from the global service to the Europe service:

  1. Log in to the FortiGate Cloud global service.
  2. On the Analysis, Management, or SandBox page, undeploy the FortiGate:
    1. Click the Config icon for the desired device.
    2. Click Undeploy.
    3. In the confirmation dialog, click YES.
    4. You have the option to place a unit where the FortiGate was deployed. The unit contains historical data and a serial number that starts with U.
  3. Go to Inventory and confirm that the FortiGate is now listed under inventory.
  4. Log in to the FortiGate Cloud Europe service.
  5. Go to Inventory. Select the desired FortiGate, then click Deploy to FortiGate Cloud.

Log in to the FortiOS GUI. Reactivate FortiGate Cloud by following To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI: on page 12.

Deploying a FortiGate/FortiWifi to FortiGate Cloud

Deploying a FortiGate/FortiWifi to FortiGate Cloud

You can deploy FortiGate Cloud using one of the following methods:

  • FortiGate key
  • Bulk key
  • Zero-touch deployment
  • FortiOS GUI

After deploying FortiGate Cloud using one of the methods described, complete basic configuration by doing the following:

  1. Create a firewall policy with logging enabled. Configure log uploading if necessary.
  2. Log in to FortiGate Cloud using your FortiCloud account.

To deploy a FortiGate/FortiWifi to FortiGate Cloud using the key:

  1. Log in to the FortiGate Cloud portal, then click Add FortiGate.
  2. In the Add FortiGate dialog, enter the key printed on your FortiGate.
  3. From the Select Display Timezone for Device dropdown list, select the desired time zone.
  4. Under Select Sub Account, select the desired subaccount.
  5. Click Submit.

To deploy multiple FortiGate/FortiWifi devices to FortiGate Cloud using a bulk key:

  1. Log in to the FortiGate Cloud portal, then click Inventory.
  2. Click Import Bulk Key.
  3. In the Please input the Bulk Key: field, enter the bulk key.
  4. Click Submit. The portal displays a list of the FortiGate/FortiWifi serial numbers associated with the bulk key.

To deploy multiple FortiGate/FortiWifi devices to FortiGate Cloud using zero-touch deployment:

See FortiDeploy on page 50.

To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI:

  1. In the FortiCloud portal, ensure that you have a product entitlement for FortiGate Cloud for the desired FortiGate or FortiWifi.
  2. In FortiOS, do one of the following:
    1. Go to Security Fabric > Settings, and enable Central Management. Click FortiGate Cloud.
    2. In the Dashboard, in the FortiGate Cloud widget, the Status displays as Not Activated. Click Not Activated.
  3. Click the Activate
  4. In the Activate FortiGate Cloud panel, for Account, select FortinetOne.
  5. In the Email and Password fields, enter the email address and password associated with the FortiCloud account.
  6. Enable Send logs to FortiGate Cloud. Click OK.
  7. This should have automatically enabled Cloud Logging. Ensure that Cloud Logging was enabled. If it was not enabled, enable it, then set Type to FortiGate Cloud.


  8. At this point, in FortiGate Cloud, you can access Analysis and SandBox features for this device. To access Management features, you must authorize the FortiGate in FortiGate Cloud by entering a local super administrator username and password when prompted. After authorization, you can manage that FortiGate from FortiGate Cloud.

To unsubscribe from FortiGate Cloud:

You can disconnect your account from the dashboard in your FortiGate/FortiWifi.

  1. In the FortiOS Dashboard FortiGate Cloud widget, the Status appears as Activated. Click Activated, then click the Logout
  2. In the confirmation dialog, click OK. This detaches the FortiGate/FortiWifi from the account and stops uploading logs.

FortiGate Cloud – Requirements

Requirements

The following items are required before you can initialize FortiGate Cloud:

Requirement Description
FortiCloud account Create a FortiCloud account if you do not have one. A FortiCloud account is required to launch FortiGate Cloud. A primary FortiCloud account can invite other users to launch FortiGate Cloud as secondary administrator/regular users. Some customers may be using their FortiCare account. It is strongly recommended to merge these accounts to your FortiCloud account.
FortiGate/FortiWifi license You must register all FortiGate/FortiWifi devices on FortiCloud.
FortiGate Cloud entitlement Purchase FortiGate Cloud licenses from Fortinet.
Internet access You must have Internet access to create a FortiGate Cloud instance and to enable devices to communicate with and periodically send logs to FortiGate Cloud.
Browser FortiGate Cloud supports Firefox, Chrome, and Edge.

For Management, FortiGate Cloud supports FortiOS 5.0.0 through 6.2.1. For devices that are running unsupported FortiOS versions, you can use the Remote Access feature.

For Analysis, FortiGate Cloud supports all FortiOS versions.

FortiGate Cloud supports all high-end, mid-range, and entry-level FortiGate models. You can find more information about FortiGate models and specifications on the Fortinet website. All FortiWifi models support FortiGate Cloud.

The FortiGate does not require a hard drive if it uploads logs to FortiGate Cloud in real-time, which you can enable under Log Settings in FortiOS.

The following table lists port numbers that outbound traffic requires. On request, Fortinet can supply the destination IP addresses to add to an outbound policy, if required.

Purpose Protocol Port
Syslog, registration, quarantine, log, and report TCP 443
OFTP TCP 514
Management TCP 541
Contract validation TCP 443

FortiGate Cloud – How FortiGate Cloud works

How FortiGate Cloud works

You can register one or multiple devices with FortiGate Cloud under a single account on the FortiGate Cloud portal.

Each device periodically sends logs to FortiGate Cloud for storage. You can configure log settings. For example, you can configure devices to send only traffic and event logs, or include security logs such as AV, application control, and IPS.

From the recorded logs, you can generate reports to identify trends in network traffic, individual user activity, and security threats across different applications. Drilldown capability and real-time alerting are also available.

FortiGate Cloud also creates copies of configurations that you can use for backup, restoration, or provisioning new devices. You can use a VPN tunnel to bring up the console of a device behind a firewall to perform configuration or policy changes remotely.

FortiGate Cloud is integrated with FortiCloud single sign on. After you create a FortiCloud SSO account, you can enable the FortiGate Cloud global or European service. You can also enable both services. You can deploy FortiGate devices to the global or Europe cloud service from the unified device inventory in the FortiGate Cloud portal. See Inventory on page 40. You can migrate historical data such as logs, reports, and backups between accounts under the same service (global or Europe), but you cannot migrate such data from one service to another. To migrate a FortiGate device from one service to the other, you must undeploy the device, then deploy the device again from Inventory on the desired service portal.

When you initially create your account in FortiGate Cloud, you choose the data center to use. You cannot transfer data and accounts between data centers, so migration requires a new account.

To confirm which version of FortiGate Cloud is currently in use, on the Fortinet website, use your FortiCloud account to access FortiGate Cloud. The version details are at the bottom of the FortiGate Cloud homepage.

FortiGate Cloud currently supports two languages: English and Japanese. You can select a language from the web portal login page. Other languages may be available in other regions.

You can provide feedback or request improvements to FortiGate Cloud using the envelope icon on the top-right of every screen. Fortinet cannot guarantee individual responses to requests.

FortiGate Cloud – Functions

Functions

FortiGate Cloud has the following functions:

Function Description
Centralized dashboard System and log widgets plus real-time monitors.
FortiView log viewer Real-time log viewing with filters and download capability.
Drilldown analysis Real-time location, user, and network activity analysis, and alert profiles.
Report generator Create custom report templates and schedule reports in different formats to display location-based analytics or illustrate network usage platforms.
Device management Scheduled configuration backup and history and script management. If using multitenancy license, includes group management.
Antivirus (AV) submission Shows the status of suspicious files undergoing cloud-based sandbox analysis.
AP and FortiSwitch management via FortiGate   • Wireless configuration: view, add, and remove APs managed by FortiGates; create and edit SSID settings; create and edit FortiAP profiles; create and edit WIDS profiles.
  • Guest management: add guests and notify them of credentials via SMS or email.

Zero-touch deployment Automatic connection of FortiGate devices for FortiGate Cloud management using FortiDeploy.
Multitenancy templates Create templates and push to multiple devices.

Remote access Import local configuration to web browser and push changes to device through network.
FortiGate virtual domain (VDOM) support Support for VDOMs configured in FortiGate devices.
Active Directory (AD) management Integration with AD.
Firmware upgrade Remotely upgrade FortiOS on FortiGate devices.
Event management Set up email alerts for specific network structure emergencies, such as FortiGate Cloud losing connection to the device, or the device’s power supply failing.
Regional datacenters Datacenters located in Canada and Germany for better performance and GDPR compliance for international customers.