
Operation Modes – FortiAnalyzer 5.2

Operation modes

The FortiAnalyzer unit has two operation modes:

  • Analyzer: The default mode, which supports all FortiAnalyzer features. This mode is used for aggregating logs from one or more log collectors. In this mode, the log aggregation configuration function is disabled.
  • Collector: The mode used for saving and uploading logs. For example, instead of writing logs to the database, the collector can retain the logs in their original (binary) format for uploading. In this mode, the report function and some functions under the System Settings tab are disabled.

The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a buffer to the FortiAnalyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

The mode of operation that you choose will depend on your network topology and individual requirements.

Administrative Domains – FortiAnalyzer 5.2

Administrative domains

Administrative domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific device’s VDOM.

Enabling ADOMs alters the structure of and the available functions in the Web-based Manager and CLI, according to whether or not you are logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator account’s assigned access profile. See “System Information widget” on page 46 for information on enabling and disabling ADOMs.

For information on working with ADOMs, see “Administrative Domains” on page 27 of the Fortinet Documentation. For information on configuring administrators and administrator settings, see “Admin” on page 73 of the Fortinet Documentation.

Known Issues – FortiAnalyzer 5.4

Known Issues

The following issues have been identified in FortiAnalyzer version 5.4.0. For inquiries about a particular bug or to report a bug, please contact Fortinet Customer Service & Support.

Reporting

Bug ID Description
295199 Percentage on Storage Statistics can be over 100%.

System Settings

Bug ID Description
299318 The Actual day for Archive should not be longer than the Config day.

Resolved Issues – FortiAnalyzer 5.4

Resolved Issues

The following issues have been fixed in FortiAnalyzer version 5.4.0. For inquiries about a particular bug, please contact Customer Service & Support.

Device Manager

Bug ID Description
298415 FortiAnalyzer cannot add FortiController 5103B as a syslog device.
292606 FortiAnalyzer cannot accept logs from FortiADC.
279319 Non-existing VDOMs with strange characters are displayed.
307732 F3K2D-DC logs are recognized as Syslogs.

Event Management

Bug ID Description
299664 The RPI field is missing from Syslog alert.
287216 Event Handlers returns SQL error: duplicated key (Alert ID) when inserting alert_logs.
284440 There is an invalid Ref Field in the FortiGate Logs.
270264 Change Device ID to Device Name in an Email subject line.

FortiView

Bug ID Description
298726 Top Threats may not show any results that reflect the corresponding threat logs.
291597 The Application icons are not displayed in FortiView and Log View.
280309 FortiView Resource Usage does not display peak values.
280181 FortiAnalyzer does not display IP/MAC information in DHCP logs.

Logging

Bug ID Description
300877 Users are unable to choose columns when creating a table chart from dataset.

299509 IPv6 logs that are sent to Syslog server via log forwarding are different from IPv6 logs that are sent directly from FortiGate.
291652 Fortilogd may be blocked by slow TCP log forwarding and stop receiving incoming logs.
286804 Search takes longer than expected and may return unexpected results.
286190 The “Last 5 min” interval option is missing from the FortiLog Time Interval List.
284658 FortiAnalyzer does not refresh the list of logs with the Go button.
281953 Advanced ADOM mixes up logs from different VDOMs.
280891 Several fields are missing when viewing FortiSandbox logs.
280873 String value in the Extension Field that is formatted using CEF is surrounded by quotes.
280578 When the Language setting is set to Japanese, FortiAnalyzer shows columns with the same heading.
280192 Base64 encoded “log-attack-context” log is not readable.
280192 Base64 encoded log-attack-context events are not readable on FortiAnalyzer.
280053 Attack Context ID for Intrusion Prevention logs are not parsed properly.
278804 FortiAnalyzer does not restrict the number for Last N days in Log View.
278453 FortiAnalyzer returns an error and stops a query when the Source IP is an invalid IP address.
278077 Traffic log table still displays the Date/Time column even though it has been disabled via Column Settings.
276989 Scan Start and End times should be displayed in a readable format instead of in epoch mode.
276491 GTP specific fields are missing in Event Log Viewer after an upgrade.

Reporting

Bug ID Description
300569 When there are many hcache tables, the SQL query for report generation may fail.
298217 The report generated for “Active Traffic Users” has data inconsistent with the dataset output.
295987 The “Top 20 Bandwidth Users” report that runs with the “Webfilter-Top-Web-Users-ByBandwidth” data set may not return correct data.
292983 The apprisk-ctrl-Common-Virus-Botnet-Spyware dataset may filter out botnet applications.
291808 Some VDOMs are missing under the Configuration tab of a report.
286653 When selecting a background image, the footer background color does not apply to the cover page.
286588 Creating hcache does not work after enabling the Report Group.
284133 When using the $flex_timescale, the Start time and End time are not correct in the SQL.
283433 User filter does not work when the username contains the \ character.
275394 FortiAnalyzer loses auto column update in chart when the dataset is changed.
272777 When query results contain the # character, it cannot be displayed in the table chart.
262593 Japanese characters in a PDF formatted report are displayed in an unexpected front style.
257691 Report line chart limits the number of items depending on the period specified for the report.
231536 A Group Report should not be generated when the Multiple Reports (Per-Device) option is selected.

System Settings

Bug ID Description
278334 FortiAnalyzer displays inconsistent behavior for read-only admin profiles.
270785 When the license count is exceeded, the alert message does not appear.

Others

Bug ID Description
306160 Syslog is trimmed when being forwarded to a syslog server.
296481 The getFazGeneratedReport XML call should include macro data in the report_data.txt file.
296228 FortiAnalyzer should support TLS v1.1 and v1.2.
295051 Within an XML response, the report name always has the prefix “S-{layout-id}_t{layout-id}-”.

294453 Some SOAP API calls may not close connections.
291013 Oftpd may crash in some situations.
286512 Device version is not set in the CEF message header field.
286498 FortiAnalyzer does not back up logs to FTP when using log-file-archive-name extended.
283832 Oftp keeps updating the address from multiple VDOMs when the FortiAnalyzer override is enabled in each of the VDOMs.
279760 FortiAnalyzer returns an error when running searchFazLog using duration or sentbyte as searchCriteria with the XML API.
277478 Several “ERROR: extra data after last expected column” messages appear in the pgsvr.log.
275008 The fazmaild daemon stops working.
241924 The Drilldown to UTM tabs of FortiGate do not show the correct UTM log entry when the device is FortiAnalyzer.

Required Changes to Dataset – FortiAnalyzer 5.4

Required changes to dataset

The following rules must be followed by any existing or new datasets:

If your dataset references any IP-related data, such as srcip or dstip, use the ipstr('…') function to convert the IP address for proper display. For example, ipstr('srcip') returns the source IP address as a string.

The column status has been renamed to action. Replace status with action in your dataset queries so that the status is reported correctly.

Special Characters In Report Name

Special characters in report name

FortiAnalyzer version 5.4 does not support the following special characters in a report’s name:

\ / ' " > < & , | # ? % $ +

If you wish to import a report, please make sure the above special characters are not used. Otherwise, FortiAnalyzer may not display the name properly.
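The two rules above (ipstr() and the status/action rename for datasets, and the list of characters a report name may not contain) are both things worth checking across every custom dataset and report before an upgrade or import, rather than discovering them one failed report at a time. The following is an added example written for this page, not code from Fortinet or the FortiAnalyzer product: a small lint that applies both rules to constructed sample inputs. The sample queries use the $log table macro and the accept action value as they appear in typical FortiAnalyzer datasets; both are assumptions here, as is the backtick-quoted column style.

```python
"""Pre-upgrade lint for custom FortiAnalyzer 5.4 report content.

Two checks taken from the rules above:
  * dataset_issues()     - flags dataset SQL that still references the old
                           `status` column, or that selects srcip/dstip
                           without wrapping them in ipstr() for display.
  * report_name_issues() - returns the characters in a report name that
                           5.4 does not accept.
The queries and names at the bottom are constructed sample inputs.
"""
from __future__ import annotations

import re

# Characters FortiAnalyzer 5.4 rejects in a report name (the list above).
FORBIDDEN_NAME_CHARS = frozenset("\\/'\"><&,|#?%$+")

# IP columns that should be displayed through ipstr().
IP_COLUMNS = ("srcip", "dstip")

# `status` as a whole word, allowing the backtick-quoted form used in datasets.
STATUS_RE = re.compile(r"(?<![\w`])status(?![\w`])", re.IGNORECASE)


def report_name_issues(name: str) -> list[str]:
    """Return the forbidden characters in `name`, in order of first appearance."""
    found: list[str] = []
    for ch in name:
        if ch in FORBIDDEN_NAME_CHARS and ch not in found:
            found.append(ch)
    return found


def _select_list(sql: str) -> str:
    """Text between the first SELECT and the FROM that follows it."""
    m = re.search(r"\bselect\b(.*?)\bfrom\b", sql, re.IGNORECASE | re.DOTALL)
    return m.group(1) if m else ""


def dataset_issues(sql: str) -> list[str]:
    """Return human-readable findings for one dataset query (empty list = clean)."""
    findings: list[str] = []
    if STATUS_RE.search(sql):
        findings.append("column `status` referenced; rename it to `action`")
    select_list = _select_list(sql)
    for col in IP_COLUMNS:
        # Drop the already-correct ipstr(col) calls and any `as col` aliases,
        # then see whether a bare reference to the column is left over.
        rest = re.sub(rf"ipstr\(\s*`?{col}`?\s*\)", "", select_list, flags=re.IGNORECASE)
        rest = re.sub(rf"\bas\s+`?{col}`?(?![\w`])", "", rest, flags=re.IGNORECASE)
        if re.search(rf"(?<![\w`])`?{col}`?(?![\w`])", rest, re.IGNORECASE):
            findings.append(f"`{col}` selected without ipstr(); use ipstr(`{col}`) for display")
    return findings


# Constructed sample queries: a pre-5.4 dataset and its 5.4 form
# ($log and the accept action value are assumed, not taken from this page).
OLD_QUERY = ("select srcip, count(*) as sessions from $log "
             "where status='accept' group by srcip order by sessions desc")
NEW_QUERY = ("select ipstr(`srcip`) as srcip, count(*) as sessions from $log "
             "where action='accept' group by srcip order by sessions desc")

if __name__ == "__main__":
    for label, q in (("old", OLD_QUERY), ("new", NEW_QUERY)):
        print(label, dataset_issues(q) or "ok")
    for name in ("Security_Report", "Top 10 Users #1 (50% of traffic)"):
        print(repr(name), report_name_issues(name) or "ok")
```

Run it over an export of your dataset queries and report names; a clean query such as NEW_QUERY produces no findings, while OLD_QUERY is flagged for both the status column and the bare srcip. The check only inspects the select list for ipstr(), since that is where the value is displayed; group by and where clauses may keep the raw column.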

Report Grouping – FortiAnalyzer 5.4

Report grouping

If you are running a large number of reports which are very similar, you can significantly improve report generation time by grouping the reports. Report grouping can reduce the number of hcache tables and improve auto-hcache completion time and report completion time.

Step 1: Configure report grouping

To group reports whose titles contain the string Security_Report, grouped by device ID and VDOM, enter the following CLI commands:

config system report group
    edit 0
        set adom root
        config group-by
            edit devid
            next
            edit vd
            next
        end
        set report-like Security_Report
    next
end

Notes:

  1. The report-like field is the name pattern of the reports that will use the report group. This string is case-sensitive.
  2. The group-by value controls how cache tables are grouped.
  3. To see a listing of reports and which ones have been included in the grouping, enter the following CLI command:

execute sql-report list-schedule <ADOM>

Step 2: Initiate a rebuild of hcache tables

To initiate a rebuild of hcache tables, enter the following CLI command:

diagnose sql rebuild-report-hcache <start-time> <end-time>

Where <start-time> and <end-time> are in the format: <yyyy-mm-dd hh:mm:ss>.

Step 3: Perform an hcache-check for a given report

Perform an hcache-check for a given report to ensure that the hcache tables exactly match the start and end time frame for the report time period. Enter the following CLI command:

execute sql-report hcache-check <adom> <report_id> <start-time> <end-time>

If you do not run this command, the first report in the report group will take a little longer to run. All subsequent reports in that group will run optimally.
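The three steps above are usually run more than once (a new group, a new time window, a report that was added late), and the rebuild and check commands take a start and end time that must be in the exact yyyy-mm-dd hh:mm:ss format with the end after the start. The following is an added example written for this page, not code from Fortinet: it assembles the CLI sequence for all three steps from a few parameters and refuses a malformed or reversed time window before anything is pasted into the FortiAnalyzer CLI. It connects to nothing and only returns text. The ADOM name, report pattern, report ID and time window at the bottom are constructed sample values; the time arguments are emitted exactly in the format the procedure shows, and the page does not say whether a given CLI version expects them quoted.

```python
"""Build the CLI sequence for the three report-grouping steps above and
validate its inputs before an operator pastes it into the FortiAnalyzer CLI.

Nothing here talks to a device: the functions only return command text.
The ADOM name, report pattern, report ID and time window used at the
bottom are constructed sample values.
"""
from __future__ import annotations

from datetime import datetime

# <yyyy-mm-dd hh:mm:ss>, the format the rebuild and check commands require.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def valid_window(start: str, end: str) -> bool:
    """True when both times parse in TIME_FORMAT and end is later than start."""
    try:
        return datetime.strptime(end, TIME_FORMAT) > datetime.strptime(start, TIME_FORMAT)
    except ValueError:
        return False


def report_group_commands(adom: str, report_like: str,
                          group_by: tuple[str, ...] = ("devid", "vd")) -> str:
    """Step 1: the 'config system report group' block.

    report_like is matched case-sensitively against report names, so it is
    emitted exactly as given. group_by defaults to the device ID / VDOM
    pair shown in the procedure.
    """
    if not adom or not report_like or not group_by:
        raise ValueError("adom, report-like pattern and group-by fields are all required")
    lines = ["config system report group",
             "    edit 0",
             f"        set adom {adom}",
             "        config group-by"]
    for field in group_by:
        lines += [f"            edit {field}", "            next"]
    lines += ["        end",
              f"        set report-like {report_like}",
              "    next",
              "end"]
    return "\n".join(lines)


def hcache_commands(adom: str, report_id: str, start: str, end: str) -> list[str]:
    """Steps 2 and 3, preceded by the listing from note 3: show which reports
    are in the group, rebuild the hcache tables for the window, then check
    one report against that same window."""
    if not valid_window(start, end):
        raise ValueError("start/end must be yyyy-mm-dd hh:mm:ss with end after start")
    return [
        f"execute sql-report list-schedule {adom}",
        f"diagnose sql rebuild-report-hcache {start} {end}",
        f"execute sql-report hcache-check {adom} {report_id} {start} {end}",
    ]


if __name__ == "__main__":
    print(report_group_commands("root", "Security_Report"))
    # Constructed sample values: a report ID and a one-month window.
    for cmd in hcache_commands("root", "10001", "2016-03-01 00:00:00", "2016-03-31 23:59:59"):
        print(cmd)
```

Review the printed block before applying it; the same start and end strings are used for both the rebuild and the hcache-check so the two windows cannot drift apart, which is the condition step 3 exists to guarantee.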