
Privacy Masking – FortiAnalyzer – FortiOS 6.2.3

Privacy Masking

Use Privacy Masking to help protect user privacy by masking or anonymizing user information. You can select which fields to mask. Masked fields show anonymous data. You can unmask and see the original data by entering the Data Mask Key that you specify in the administrator profile.

When Privacy Masking is enabled in an administrator profile, accounts using that profile have a See Original Data button in the banner.

To turn privacy masking on:

  1. In System Settings > Admin > Profile, create or edit a profile.
  2. In the Privacy Masking section, set the toggle to ON.
  3. In the Masked Data Fields section, select the fields you want to mask. The fields you select are masked in all modules that display those fields.
  4. In the Data Mask Key field, type the key that will allow users to unmask the data. Treat this key like a credential: anyone who knows it can de-anonymize every masked field that the profile can display.
  5. In the Data Unmasked Time field, type the number of days (0 to 365) for which data can be unmasked. Logs older than this number of days remain masked.

To see the original, unmasked data:

  1. In any list showing masked data, click See Original Data in the banner and select Screen Picker or Manual Input.
  2. If you select Screen Picker, click a masked field, for example, 75.196.35.21. The Unmask Protected Data dialog box opens with the field you clicked already entered. If you select Manual Input, enter the masked text, for example, 75.196.35.21.
  3. Enter the Data Mask Key that was set up in the administrator profile and click OK.

Administrator profiles – FortiAnalyzer – FortiOS 6.2.3

Administrator profiles

Administrator profiles are used to control administrator access privileges to devices or system features. Profiles are assigned to administrator accounts when an administrator is created. The profile controls access to both the FortiAnalyzer GUI and CLI.

There are three predefined system profiles:

Restricted_User: Restricted user profiles have no system privileges enabled, and have read-only access for all device privileges.
Standard_User: Standard user profiles have no system privileges enabled, and have read/write access for all device privileges.
Super_User: Super user profiles have all system and device privileges enabled. This profile cannot be edited.

These profiles cannot be deleted, but standard and restricted profiles can be edited. New profiles can also be created as required. Only super user administrators can manage administrator profiles.

Go to System Settings > Admin > Profile to view and manage administrator profiles.

The following options are available:

Create New Create a new administrator profile. See Creating administrator profiles.
Edit Edit the selected profile. See Editing administrator profiles.
Clone Clone the selected profile. See Cloning administrator profiles.
Delete Delete the selected profile or profiles. See Deleting administrator profiles.
Search Search the administrator profiles list.

The following information is shown:

Name The name of the profile.
Type The profile type.
Description A description of the system and device access permissions allowed for the selected profile.

Permissions

The table below lists the default permissions for the predefined administrator profiles, together with the CLI keyword for each setting.

When Read-Write is selected, the user can view and make changes to the FortiAnalyzer system. When Read-Only is selected, the user can only view information. When None is selected, the user can neither view nor make changes to the FortiAnalyzer system.

Setting                         CLI keyword                   Super_User   Standard_User   Restricted_User
System Settings                 system-setting                Read-Write   None            None
Administrative Domain           adom-switch                   Read-Write   Read-Write      None
Device Manager                  device-manager                Read-Write   Read-Write      Read-Only
Add/Delete/Edit Devices/Groups  device-op                     Read-Write   Read-Write      None
Log View/FortiView/SOC          log-viewer                    Read-Write   Read-Write      Read-Only
Incidents & Events              event-management              Read-Write   Read-Write      Read-Only
Reports                         report-viewer                 Read-Write   Read-Write      Read-Only
FortiRecorder                   -                             Read-Write   Read-Write      None

CLI-only settings               device-wan-link-load-balance  Read-Write   Read-Write      Read-Only
                                device-ap                     Read-Write   Read-Write      Read-Only
                                device-forticlient            Read-Write   Read-Write      Read-Only
                                device-fortiswitch            Read-Write   Read-Write      Read-Only
                                realtime-monitor              Read-Write   Read-Write      Read-Only

Note that Read-Only on log-viewer still exposes the full content of every log the administrator can reach, including user names and addresses; pair read-only profiles with Privacy Masking when analysts do not need raw identities.
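The table above maps each GUI setting to the keyword used in the CLI. As an added example, not taken from the FortiAnalyzer documentation, the following CLI session creates a least-privilege profile for a SOC analyst who may read logs, manage incidents and read reports but may not change system settings or device inventory. The per-setting keywords follow the CLI names in the table and the three values none, read and read-write correspond to the GUI's None, Read-Only and Read-Write; the profile name, the description text and the privacy-masking keywords (datamask, datamask-fields, datamask-key, datamask-unmasked-time) are assumptions to verify against the FortiAnalyzer CLI Reference for your build. Lines starting with # are explanatory and are not CLI input.

```text
config system admin profile
    edit "soc_analyst"
        set description "SOC tier 1: read logs and reports, manage incidents, no system or device changes"
        # System-level privileges: none, so the profile cannot alter the FortiAnalyzer itself
        set system-setting none
        # Switching ADOMs is needed to look at more than one ADOM; keep it read
        set adom-switch read
        # Device inventory is visible but not editable
        set device-manager read
        set device-op none
        # Log View / FortiView / SOC, Incidents & Events, Reports
        set log-viewer read
        set event-management read-write
        set report-viewer read
        # CLI-only device privileges, set to read to match the GUI ones
        set device-wan-link-load-balance read
        set device-ap read
        set device-forticlient read
        set device-fortiswitch read
        set realtime-monitor read
        # Privacy Masking (keyword names assumed): hide identities unless the key is entered,
        # and never unmask logs older than 30 days
        set datamask enable
        set datamask-fields user srcip dstip
        set datamask-key "replace-with-a-long-random-key"
        set datamask-unmasked-time 30
    next
end
```

After the profile is created, `show system admin profile` prints the effective settings, so a second administrator can review them before any account is bound to the profile. The only read-write privilege granted is event-management, because acknowledging and assigning incidents is the analyst's job; everything that changes the system or the device list stays none or read.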

Managing administrator accounts – FortiAnalyzer – FortiOS 6.2.3

Managing administrator accounts

Go to System Settings > Admin > Administrator to view the list of administrators and manage administrator accounts.

Only administrators with the Super_User profile can see the complete administrators list. If you do not have certain viewing permissions, you will not see the administrator list. When ADOMs are enabled, administrators can only access the ADOMs they have permission to access.

The following options are available:

Create New Create a new administrator. See Creating administrators.
Edit Edit the selected administrator. See Editing administrators.
Clone Clone the selected administrator.
Delete Delete the selected administrator or administrators. See Deleting administrators.
Table View/Tile View Change the view of the administrator list.

Table view shows a list of the administrators in a table format. Tile view shows a separate card for each administrator in a grid pattern.

Column Settings Change the displayed columns.
Search Search the administrators.
Change Password Change the selected administrator’s password. This option is only available from the right-click menu. See Editing administrators.

The following information is shown:

Seq.# The sequence number.
Name The name the administrator uses to log in.
Type The user type, as well as if the administrator uses a wildcard.
Profile The profile applied to the administrator. See Administrator profiles.
ADOMs The ADOMs the administrator has access to or is excluded from.
Comments Comments about the administrator account. This column is hidden by default.
Trusted IPv4 Hosts The IPv4 trusted host(s) associated with the administrator. See Trusted hosts.
Trusted IPv6 Hosts The IPv6 trusted host(s) associated with the administrator. See Trusted hosts. This column is hidden by default.
Contact Email The contact email associated with the administrator. This column is hidden by default.
Contact Phone The contact phone number associated with the administrator. This column is hidden by default.

Creating administrators

To create a new administrator account, you must be logged in to an account with sufficient privileges, or as a super user administrator.

You need the following information to create an account:

  • Which authentication method the administrator will use to log in to the FortiAnalyzer unit. Local, remote, and Public Key Infrastructure (PKI) authentication methods are supported.
  • What administrator profile the account will be assigned, or what system privileges the account requires.
  • If ADOMs are enabled, which ADOMs the administrator will require access to.
  • If using trusted hosts, the trusted host addresses and network masks.

To create a new administrator:

  1. Go to System Settings > Admin > Administrators.
  2. In the toolbar, click Create New to display the New Administrator pane.
  3. Configure the following settings, and then click OK to create the new administrator.
User Name Enter the name the administrator will use to log in.
Avatar Apply a custom image to the administrator.

Click Add Photo to select an image already loaded to the FortiAnalyzer, or to load a new image from the management computer.

If no image is selected, the avatar will use the first letter of the user name.

Comments Optionally, enter a description of the administrator, such as their role, location, or the reason for their account.
Admin Type Select the type of authentication the administrator will use when logging in to the FortiAnalyzer unit. One of: LOCAL, RADIUS, LDAP, TACACS+, PKI, or Group. See Authentication for more information.
Server or Group Select the RADIUS server, LDAP server, TACACS+ server, or group, as required.

The server must be configured prior to creating the new administrator.

This option is not available if the Admin Type is LOCAL or PKI.

 

Match all users on remote server Select this option to automatically add all users from an LDAP server specified in Admin > Remote Authentication Server. All users under the Distinguished Name configured for the LDAP server are added as FortiAnalyzer users with the selected Admin Profile.

If this option is not selected, the User Name specified must exactly match the LDAP user specified on the LDAP server.

This option is not available if the Admin Type is LOCAL or PKI.

Subject Enter a comment for the PKI administrator.

This option is only available if the Admin Type is PKI.

CA Select the CA certificate from the dropdown list.

This option is only available if the Admin Type is PKI.

Require two-factor authentication Select to enable two-factor authentication.

This option is only available if the Admin Type is PKI.

New Password Enter the password.

This option is not available if Wildcard is selected.

If the Admin Type is PKI, this option is only available when Require two-factor authentication is selected.

If the Admin Type is RADIUS, LDAP, or TACACS+, the password is only used when the remote server is unreachable.

Confirm Password Enter the password again to confirm it.

This option is not available if Wildcard is selected.

If the Admin Type is PKI, this option is only available when Require two-factor authentication is selected.

Force this administrator to change password upon next log on. Force the administrator to change their password the next time that they log in to the FortiAnalyzer.

This option is only available if Password Policy is enabled in Admin Settings. See Password policy.

Admin Profile Select an administrator profile from the list. The profile selected determines the administrator’s access to the FortiAnalyzer unit’s features. See Administrator profiles.

JSON API Access Select the permission for JSON API Access. Select Read-Write, Read, or None. The default is None.
Administrative Domain Choose the ADOMs this administrator will be able to access.

  • All ADOMs: The administrator can access all the ADOMs.
  • All ADOMs except specified ones: The administrator cannot access the selected ADOMs.
  • Specify: The administrator can access the selected ADOMs. Specifying the ADOM shows the Specify Device Group to Access check box. Select the Specify Device Group to Access check box and select the Device Group this administrator is allowed to access. The newly created administrator will only be able to access the devices within the Device Group and sub-groups.

  If the Admin Profile is Super_User, then this setting is All ADOMs.

This field is available only if ADOMs are enabled. See Administrative Domains.

Trusted Hosts Optionally, turn on trusted hosts, then enter their IP addresses and netmasks. Up to ten IPv4 and ten IPv6 hosts can be added.

See Trusted hosts for more information.

Meta Fields Optionally, enter the new administrator’s email address and phone number.
Advanced Options Configure advanced options, see Advanced options below.

For more information on advanced options, see the FortiAnalyzer CLI Reference.

Advanced options

change-password Enable or disable changing the password. Default: disable.
ext-auth-accprofile-override Enable or disable overriding the account profile with the profile supplied for administrators configured on a Remote Authentication Server. Default: disable.
ext-auth-adom-override Enable or disable overriding the ADOM with the ADOM supplied for administrators configured on a Remote Authentication Server. Default: disable.
ext-auth-group-match Specify the group configured on a Remote Authentication Server.
first-name Specify the first name.
last-name Specify the last name.
mobile-number Specify the mobile number.
pager-number Specify the pager number.
restrict-access Enable or disable restricted access. Default: disable.

Editing administrators

To edit an administrator, you must be logged in as a super user administrator. The administrator’s name cannot be edited. An administrator’s password can be changed using the right-click menu, unless the account is a wildcard administrator.

To edit an administrator:

  1. Go to System Settings > Admin > Administrators.
  2. Double-click on an administrator, right-click on an administrator and then select Edit from the menu, or select the administrator then click Edit in the toolbar. The Edit Administrator pane opens.
  3. Edit the settings as required, and then select OK to apply the changes.

To change an administrator’s password:

  1. Go to System Settings > Admin > Administrators.
  2. Right-click on an administrator and select Change Password from the menu. The Change Password dialog box opens.
  3. If you are editing the admin administrator’s password, enter the old password in the Old Password field.
  4. Enter the new password for the administrator in the New Password and Confirm Password fields.
  5. Select OK to change the administrator’s password.

Deleting administrators

To delete an administrator or administrators, you must be logged in as a super user administrator.

  1. Go to System Settings > Admin > Administrators.
  2. Select the administrator or administrators you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Select OK in the confirmation box to delete the administrator or administrators.

To delete an administrator using the CLI:

  1. Open a CLI console and enter the following commands:

config system admin user
    delete <username>
end

Disconnecting administrators – FortiAnalyzer – FortiOS 6.2.3

Disconnecting administrators

Administrators can be disconnected from the FortiAnalyzer unit from the Admin Session List.

To disconnect administrators:

  1. Go to System Settings > Dashboard.
  2. In the System Information widget, in the Current Administrators field, click Current Session List. The Admin Session List opens in the widget.
  3. Select the administrator or administrators you need to disconnect.
  4. Click Delete in the toolbar, or right-click and select Delete.

The selected administrators will be automatically disconnected from the FortiAnalyzer device.

Trusted hosts – FortiAnalyzer – FortiOS 6.2.3

Trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative permissions. In addition to knowing the password, an administrator must also connect from the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiAnalyzer unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply to both the GUI and to the CLI when accessed through SSH. CLI access through the console connector is not affected.
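As an added example, not from the FortiAnalyzer documentation, the CLI session below applies the rule stated in this section to the kinds of accounts described under Creating administrators: every administrator, including the built-in admin account, is pinned to a specific host or subnet, so no unrestricted account remains to undo the restriction. trusthost1 through trusthost10 carry the GUI's ten IPv4 trusted-host entries; the account names, addresses and the remaining keywords (user_type, password, profileid, radius_server, wildcard, ext-auth-group-match) are assumptions to check against the FortiAnalyzer CLI Reference. Lines starting with # are explanatory and are not CLI input.

```text
config system admin user
    # Local SOC account: allowed only from two jump hosts
    # (netmask 255.255.255.255 limits each entry to exactly one address)
    edit "soc1"
        set user_type local
        set password "use-a-long-unique-passphrase"
        set profileid "Restricted_User"
        set trusthost1 192.0.2.10 255.255.255.255
        set trusthost2 192.0.2.11 255.255.255.255
    next
    # RADIUS-backed wildcard account: any member of the matched RADIUS group gets
    # Standard_User, but only when connecting from the network-operations subnet
    edit "netops"
        set user_type radius
        set radius_server "corp-radius"
        set wildcard enable
        set ext-auth-group-match "faz-netops"
        set profileid "Standard_User"
        set trusthost1 10.20.30.0 255.255.255.0
    next
    # The built-in super user is the account attackers try first; restrict it as well.
    # The console connector is not subject to trusted hosts and remains the recovery path.
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.240
    next
end
```

Order matters when locking down the admin account: apply its trusted hosts last, from an address inside the range you are about to allow, otherwise the session you are typing in is the first one cut off. Afterwards, `show system admin user` lets you confirm that no account is left without a trusthost entry, which is the condition this section warns about.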

Advanced Settings – FortiAnalyzer – FortiOS 6.2.3

Advanced Settings

Go to System Settings > Advanced > Advanced Settings to view and configure advanced settings and download WSDL files.

Configure the following settings and then select Apply:

ADOM Mode Select the ADOM mode, either Normal or Advanced.

Advanced mode will allow you to assign a VDOM from a single device to a different ADOM, but will result in more complicated management scenarios. It is recommended only for advanced users.

Download WSDL file Select the required WSDL functions then click the Download button to download the WSDL file to your management computer.

When selecting Legacy Operations, no other options can be selected.

Web services is a standards-based, platform independent, access method for other hardware and software APIs. The file itself defines the format of commands the FortiAnalyzer will accept as well as the responses to expect. Using the WSDL file, third-party or custom applications can communicate with the FortiAnalyzer unit and operate it or retrieve information, just as an administrator can from the GUI or CLI.

Task List Size Set a limit on the size of the task list. Default: 2000.

 

File Management – FortiAnalyzer – FortiOS 6.2.3

File Management

FortiAnalyzer allows you to configure automatic deletion of device log files, quarantined files, reports, and content archive files after a set period of time.

Go to System Settings > Advanced > File Management to configure file management settings.

Configure the following settings, and then select Apply:

Device log files older than Select to enable automatic deletion of compressed log files. Enter a value in the text field, select the time period (Days, Weeks, or Months), and choose a time of day.
Reports older than Select to enable automatic deletion of reports generated from compressed log files. Enter a value in the text field, select the time period, and choose a time of day.
Content archive files older than Select to enable automatic deletion of IPS and DLP archives from Archive logs. Enter a value in the text field, select the time period, and choose a time of day.
Quarantined files older than Select to enable automatic deletion of quarantined files. Enter a value in the text field, select the time period, and choose a time of day.

The time period you select determines how often the item is checked. If you select Months, then the item is checked once per month. If you select Weeks, then the item is checked once per week, and so on. For example, if you specify Device log files older than 3 Months, then on July 1, the logs for April, May, and June are kept and the logs for March and older are deleted.

Device logs – FortiAnalyzer – FortiOS 6.2.3

Device logs

The FortiAnalyzer allows you to log system events to disk. You can control device log file size and the use of the FortiAnalyzer unit’s disk space by configuring log rolling and scheduled uploads to a server.

As the FortiAnalyzer unit receives new log items, it performs the following tasks:

  • Verifies whether the log file has exceeded its file size limit.
  • Checks to see if it is time to roll the log file if the file size is not exceeded.

When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log (for example, tlog.1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. The file modification time will match the time when the last log was received in the log file.

Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new current log called tlog.log. If log uploading is enabled, once logs are uploaded to the remote server or downloaded via the GUI, they are in the following format:

FG3K6A3406600001-tlog.1252929496.log-2017-09-29-08-03-54.gz

If you have enabled log uploading, you can choose to automatically delete the rolled log file after uploading, thereby freeing the amount of disk space used by rolled log files. If the log upload fails, such as when the FTP server is unavailable, the logs are uploaded during the next scheduled upload.

Log rolling and uploading can be enabled and configured using the GUI or CLI.

Configuring rolling and uploading of logs using the GUI

Go to System Settings > Advanced > Device Log Setting to configure device log settings.

Configure the following settings, and then select Apply:

Registered Device Logs  
Roll log file when size exceeds Enter the log file size, from 10 to 500MB. Default: 200MB.
Roll log files at scheduled time Select to roll logs daily or weekly.

Daily: select the hour and minute value in the dropdown lists.

Weekly: select the day, hour, and minute value in the dropdown lists.

Upload logs using a standard file transfer protocol Select to upload logs and configure the following settings.
Upload Server Type Select one of FTP, SFTP, or SCP.
Upload Server IP Enter the IP address of the upload server.
User Name Enter the username used to connect to the upload server.
Password Enter the password used to connect to the upload server.
Remote Directory Enter the remote directory on the upload server where the log will be uploaded.
Upload Log Files Select to upload log files when they are rolled according to settings selected under Roll Logs, or daily at a specific hour.
Upload rolled files in gzip file format Select to gzip the logs before uploading. This will result in smaller logs and faster upload times.
Delete files after uploading Select to remove device log files from the FortiAnalyzer system after they have been uploaded to the Upload Server.
Local Device Log  
Send the local event logs to FortiAnalyzer / FortiManager Select to send local event logs to another FortiAnalyzer or FortiManager device.
IP Address Enter the IP address of the FortiAnalyzer or FortiManager.
Upload Option Select to upload logs in real time or at a scheduled time.

When selecting a scheduled time, you can specify the hour and minute to upload logs each day.

Severity Level Select the minimum log severity level from the dropdown list. This option is only available when Upload Option is Realtime.
Reliable log transmission Select to use reliable log transmission.
Secure connection Select to use a secure connection for log transmission. This option is only available when Reliable log transmission is selected.

Configuring rolling and uploading of logs using the CLI

Log rolling and uploading can be enabled and configured using the CLI. For more information, see the FortiAnalyzer CLI Reference.

Enable or disable log file uploads

Use the following CLI commands to enable or disable log file uploads.

To enable log uploads:

config system log settings
    config rolling-regular
        set upload enable
    end
end

To disable log uploads:

config system log settings
    config rolling-regular
        set upload disable
    end
end

Roll logs when they reach a specific size

Use the following CLI commands to specify the size, in MB, at which a log file is rolled.

To roll logs when they reach a specific size:

config system log settings
    config rolling-regular
        set file-size <integer>
    end
end

Roll logs on a schedule

Use the following CLI commands to configure rolling logs on a set schedule, or never.

To disable log rolling:

config system log settings
    config rolling-regular
        set when none
    end
end

To enable daily log rolling:

config system log settings
    config rolling-regular
        set when daily
        set hour <integer>
        set min <integer>
    end
end

To enable weekly log rolling:

config system log settings
    config rolling-regular
        set when weekly
        set days {mon | tue | wed | thu | fri | sat | sun}
        set hour <integer>
        set min <integer>
    end
end
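The fragments above set one option at a time. As an added example, not from the FortiAnalyzer documentation, the following single session configures the whole Registered Device Logs workflow from the GUI table in one go: roll the active log at 200 MB or weekly on Sunday at 02:00, push each rolled file over SFTP as it is rolled, compress it, and delete the local copy once it is on the server. The keywords file-size, when, days, hour, min and upload are the ones shown on this page; upload-trigger, server-type, ip, username, password, directory, gzip-format and del-files are assumed names for the GUI's Upload Log Files, Upload Server Type, Upload Server IP, User Name, Password, Remote Directory, gzip and Delete files after uploading fields, and the address, account and path are placeholders. Lines starting with # are explanatory and are not CLI input.

```text
config system log settings
    config rolling-regular
        # Roll when the active tlog.log reaches 200 MB (allowed range 10-500),
        # or weekly on Sunday at 02:00, whichever comes first
        set file-size 200
        set when weekly
        set days sun
        set hour 2
        set min 0
        # Upload every rolled file as soon as it is rolled, not on a daily schedule
        set upload enable
        set upload-trigger on-roll
        # SFTP rather than FTP: FTP would carry the account password and the logs in cleartext
        set server-type sftp
        set ip 192.0.2.50
        set username "faz-upload"
        set password "use-a-long-unique-passphrase"
        set directory "/srv/faz/rolled"
        # Compress before upload; remove the local copy only after the upload succeeds
        set gzip-format enable
        set del-files enable
    end
end
```

With del-files enabled the upload server holds the only copy of each rolled file, so confirm that a file named like the FG...-tlog.N.log-YYYY-MM-DD-hh-mm-ss.gz example above actually appears in the remote directory before relying on the deletion. The upload password is stored in the FortiAnalyzer configuration, so restrict the faz-upload account on the server to that one directory.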

Upload logs to cloud storage

The FortiAnalyzer can be set to upload logs to cloud storage. Before enabling this feature, you must have a valid Storage Connector Service license. See the License Information widget.

For information on setting up a storage fabric connector, see Creating or editing storage connectors.

To upload logs to cloud storage:

  1. Go to System Settings > Advanced > Device Log Settings.
  2. Select Create New.
  3. Complete the following options, and click OK.

  • Enter a name for the cloud storage.
  • In the Cloud Storage Connector list, select a Fabric Connector.
  • In the Remote Path box, type the bucket or container name from the storage account.