
Meta Fields – FortiAnalyzer – FortiOS 6.2.3

Meta Fields

Meta fields allow administrators to add extra information when configuring, adding, or maintaining FortiGate units or adding new administrators. You can make the fields mandatory or optional, and set the length of the field.

With the fields set as mandatory, administrators must supply additional information when they create a new FortiGate object, such as an administrator account or firewall policy. Fields for this new information are added to the FortiGate unit dialog boxes in the locations where you create these objects. You can also provide fields for optional additional information.

Go to System Settings > Advanced > Meta Fields to configure meta fields. Meta fields can be added, edited, and deleted.

  1. Go to System Settings > Advanced > Meta Fields.
  2. Click Create New in the toolbar. The Create New Meta Field pane opens.
  3. Configure the following settings and then select OK to create the meta field.
Object The object this metadata field applies to: Devices, Device Groups, or Administrative Domains.
Name Enter the label to use for the field.
Length Select the maximum number of characters allowed for the field from the dropdown list: 20, 50, or 255.
Importance Select Required to make the field compulsory, otherwise select Optional.
Status Select Disabled to disable this field. The default selection is Enabled.

To edit a meta field:

  1. Go to System Settings > Advanced > Meta Fields.
  2. Double-click on a field, right-click on a field and then select Edit from the menu, or select a field then click Edit in the toolbar. The Edit Meta Fields pane opens.
  3. Edit the settings as required, and then click OK to apply the changes.

To delete a meta field or fields:

  1. Go to System Settings > Advanced > Meta Fields.
  2. Select the field or fields you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation box to delete the field or fields.

Syslog Server – FortiAnalyzer – FortiOS 6.2.3

Syslog Server

Go to System Settings > Advanced > Syslog Server to configure syslog server settings. Syslog servers can be added, edited, deleted, and tested.

To add a syslog server:

  1. Go to System Settings > Advanced > Syslog Server.
  2. Click Create New in the toolbar. The Create New Syslog Server Settings pane opens.
  3. Configure the following settings and then select OK to create the syslog server.
Name Enter a name for the syslog server.
IP address (or FQDN) Enter the IP address or FQDN of the syslog server.
Syslog Server Port Enter the syslog server port number. The default port is 514.

To edit a syslog server:

  1. Go to System Settings > Advanced > Syslog Server.
  2. Double-click on a server, right-click on a server and then select Edit from the menu, or select a server then click Edit in the toolbar. The Edit Syslog Server Settings pane opens.
  3. Edit the settings as required, and then click OK to apply the changes.

To test the syslog server:

  1. Go to System Settings > Advanced > Syslog Server.
  2. Select the server you need to test.
  3. Click Test from the toolbar, or right-click and select Test. A confirmation or failure message will be displayed.

To delete a syslog server or servers:

  1. Go to System Settings > Advanced > Syslog Server.
  2. Select the server or servers you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation box to delete the server or servers.

Mail Server – FortiAnalyzer – FortiOS 6.2.3

Mail Server

A mail server allows the FortiAnalyzer to send email messages, such as notifications when reports are run or specific events occur. Mail servers can be added, edited, deleted, and tested.

Go to System Settings > Advanced > Mail Server to configure SMTP mail server settings.

To add a mail server:

  1. Go to System Settings > Advanced > Mail Server.
  2. Click Create New in the toolbar. The Create New Mail Server Settings pane opens.
  3. Configure the following settings and then select OK to create the mail server.
SMTP Server Name Enter a name for the SMTP server.
Mail Server Enter the mail server information.
SMTP Server Port Enter the SMTP server port number. The default port is 25.
Enable Authentication Select to enable authentication.
Email Account Enter an email account. This option is only accessible when authentication is enabled.
Password Enter the email account password. This option is only accessible when authentication is enabled.

To edit a mail server:

  1. Go to System Settings > Advanced > Mail Server.
  2. Double-click on a server, right-click on a server and then select Edit from the menu, or select a server then click Edit in the toolbar. The Edit Mail Server Settings pane opens.
  3. Edit the settings as required, and then click OK to apply the changes.

To test the mail server:

  1. Go to System Settings > Advanced > Mail Server.
  2. Select the server you need to test.
  3. Click Test from the toolbar, or right-click and select Test.
  4. Type the email address you would like to send a test email to and click OK. A confirmation or failure message will be displayed.
  5. Click OK to close the confirmation dialog box.

To delete a mail server or servers:

  1. Go to System Settings > Advanced > Mail Server.
  2. Select the server or servers you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation box to delete the server.

SNMP – FortiAnalyzer – FortiOS 6.2.3

SNMP

Enable the SNMP agent on the FortiAnalyzer device so it can send traps to and receive queries from the computer that is designated as its SNMP manager. This allows for monitoring the FortiAnalyzer with an SNMP manager.

SNMP has two parts – the SNMP agent that is sending traps, and the SNMP manager that monitors those traps. The SNMP communities on monitored FortiGate devices are hard coded and configured by the FortiAnalyzer system – they are not user configurable.

The FortiAnalyzer SNMP implementation is read-only — SNMP v1, v2c, and v3 compliant SNMP manager applications, such as those on your local computer, have read-only access to FortiAnalyzer system information and can receive FortiAnalyzer system traps.

SNMP agent

The SNMP agent sends SNMP traps originating on the FortiAnalyzer system to an external monitoring SNMP manager defined in an SNMP community. Typically an SNMP manager is an application on a local computer that can read the SNMP traps and generate reports or graphs from them.

The SNMP manager can monitor the FortiAnalyzer system to determine if it is operating properly, or if there are any critical events occurring. The description, location, and contact information for this FortiAnalyzer system will be part of the information an SNMP manager will have — this information is useful if the SNMP manager is monitoring many devices, and it will enable faster responses when the FortiAnalyzer system requires attention.

Go to System Settings > Advanced > SNMP to configure the SNMP agent.

The following information and options are available:

SNMP Agent Select to enable the SNMP agent. When this is enabled, it sends FortiAnalyzer SNMP traps.
Description Optionally, type a description of this FortiAnalyzer system to help uniquely identify this unit.
Location Optionally, type the location of this FortiAnalyzer system to help find it in the event it requires attention.
Contact Optionally, type the contact information for the person in charge of this FortiAnalyzer system.
SNMP v1/2c The list of SNMP v1/v2c communities added to the FortiAnalyzer configuration. For more information, see SNMP v1/v2c communities below.
  Create New Select Create New to add a new SNMP community. If SNMP Agent is not selected, this control will not be visible.
  Edit Edit the selected SNMP community.
  Delete Delete the selected SNMP community or communities.
  Community Name The name of the SNMP community.
  Queries The status of SNMP queries for each SNMP community. The enabled icon indicates that at least one query is enabled. The disabled icon indicates that all queries are disabled.
  Traps The status of SNMP traps for each SNMP community. The enabled icon indicates that at least one trap is enabled. The disabled icon indicates that all traps are disabled.
  Enable Enable or disable the SNMP community.
SNMP v3 The list of SNMP v3 users added to the configuration. For more information, see SNMP v3 users below.
  Create New Select Create New to add a new SNMP user. If SNMP Agent is not selected, this control will not be visible.
  Edit Edit the selected SNMP user.
  Delete Delete the selected SNMP user or users.
  User Name The user name for the SNMP v3 user.
  Security Level The security level assigned to the SNMP v3 user.
  Notification Hosts The notification host or hosts assigned to the SNMP v3 user.
  Queries The status of SNMP queries for each SNMP user. The enabled icon indicates queries are enabled. The disabled icon indicates they are disabled.

SNMP v1/v2c communities

An SNMP community is a grouping of equipment for network administration purposes. You must configure your FortiAnalyzer to belong to at least one SNMP community so that community’s SNMP managers can query the FortiAnalyzer system information and receive SNMP traps from it.

Each community can have a different configuration for SNMP traps and can be configured to monitor different events. You can add the IP addresses of up to eight hosts to each community. Hosts can receive SNMP device traps and information.

To create a new SNMP community:

  1. Go to System Settings > Advanced > SNMP and ensure the SNMP agent is enabled.
  2. In the SNMP v1/v2c section, click Create New in the toolbar. The New SNMP Community pane opens.
  3. Configure the following options, then click OK to create the community.
Name Enter a name to identify the SNMP community. This name cannot be edited later.
Hosts The list of hosts that can use the settings in this SNMP community to monitor the FortiAnalyzer system. When you create a new SNMP community, there are no host entries. Select Add to create a new entry that broadcasts the SNMP traps and information to the network connected to the specified interface.
  IP Address/Netmask Enter the IP address and netmask of an SNMP manager. By default, the IP address is 0.0.0.0 so that any SNMP manager can use this SNMP community.
  Interface Select the interface that connects to the network where this SNMP manager is located from the dropdown list. This must be done if the SNMP manager is on the Internet or behind a router.
  Delete Click the delete icon to remove this SNMP manager entry.
Add Select to add another entry to the Hosts list. Up to eight SNMP manager entries can be added for a single community.
Queries Enter the port number (161 by default) used for SNMP v1 and v2c queries from the hosts in this community to the FortiAnalyzer system. Enable queries for each SNMP version that your SNMP managers use.
Traps Enter the remote port number (162 by default) the FortiAnalyzer system uses to send SNMP v1 and v2c traps to the hosts in this community. Enable traps for each SNMP version that your SNMP managers use.
SNMP Event Enable the events that will cause SNMP traps to be sent to the community.

  • Interface IP changed
  • Log disk space low
  • CPU Overuse
  • Memory Low
  • System Restart
  • CPU usage exclude NICE threshold
  • RAID Event (only available for devices that support RAID)
  • PowerSupply Failed (only available on supported hardware devices)
  • Fan Speed Out of Range
  • Temperature Out of Range
  • Voltage Out of Range

FortiAnalyzer feature set SNMP events:

  • High licensed device quota
  • High licensed log GB/day
  • Log Alert
  • Log Rate
  • Data Rate

To edit an SNMP community:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v1/v2c section, double-click on a community, right-click on a community then select Edit, or select a community then click Edit in the toolbar. The Edit SNMP Community pane opens.
  3. Edit the settings as required, then click OK to apply your changes.

To delete an SNMP community or communities:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v1/v2c section, select the community or communities you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected community or communities.

SNMP v3 users

The FortiAnalyzer SNMP v3 implementation includes support for queries, traps, authentication, and privacy. SNMP v3 users can be created, edited, and deleted as required.

To create a new SNMP user:

  1. Go to System Settings > Advanced > SNMP and ensure the SNMP agent is enabled.
  2. In the SNMP v3 section, click Create New in the toolbar. The New SNMP User pane opens.
  3. Configure the following options, then click OK to create the user.
User Name   The name of the SNMP v3 user.
Security Level   The security level of the user. Select one of the following:
  • No Authentication, No Privacy
  • Authentication, No Privacy: Select the Authentication Algorithm (SHA1, MD5) and enter the password.
  • Authentication, Privacy: Select the Authentication Algorithm (SHA1, MD5), the Private Algorithm (AES, DES), and enter the passwords.

Queries   Select to enable queries then enter the port number. The default port is 161.
Notification Hosts   The IP address or addresses of the host. Click the add icon to add multiple IP addresses.
SNMP Event Enable the events that will cause SNMP traps to be sent to the SNMP manager.

  • Interface IP changed
  • Log disk space low
  • CPU Overuse
  • Memory Low
  • System Restart
  • CPU usage exclude NICE threshold
  • RAID Event (only available for devices that support RAID)
  • PowerSupply Failed (only available on supported hardware devices)
  • Fan Speed Out of Range
  • Temperature Out of Range
  • Voltage Out of Range

FortiAnalyzer feature set SNMP events:

  • High licensed device quota
  • High licensed log GB/day
  • Log Alert
  • Log Rate
  • Data Rate
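As an added example (not Fortinet code) covering both the SNMP v1/v2c community settings and the SNMP v3 user settings above, the following Python audits an exported copy of those settings for the weak choices the GUI allows: a host entry left at the 0.0.0.0 default so any SNMP manager can use the community, a v3 user without authentication or privacy, and the MD5 or DES algorithms. The dict layout, its keys and the sample values are assumptions modelled on the GUI labels; FortiAnalyzer does not expose this structure itself.

```python
import ipaddress

# Algorithms offered in the GUI's Security Level setting that are now
# considered weak; SHA1 and AES are the stronger choices the page offers.
WEAK_AUTH = {"MD5"}
WEAK_PRIV = {"DES"}


def audit_community(comm):
    """Findings for one SNMP v1/v2c community.

    ``comm`` is a constructed dict: {"name", "hosts": [{"address": "ip/mask",
    "interface"}], "queries": bool, "traps": bool}.  Each finding is a
    (severity, object, message) tuple.
    """
    findings = []
    name = comm["name"]
    for host in comm.get("hosts", []):
        net = ipaddress.ip_network(host["address"], strict=False)
        if net.prefixlen == 0:
            # GUI default 0.0.0.0: any SNMP manager may use this community.
            findings.append(("high", name,
                             f"host {host['address']} lets any SNMP manager use the community"))
        elif net.prefixlen < 24:
            # Treating anything wider than a /24 as "too broad" is this example's assumption.
            findings.append(("medium", name,
                             f"host {host['address']} covers {net.num_addresses} addresses"))
    if comm.get("queries") or comm.get("traps"):
        findings.append(("low", name,
                         "SNMP v1/v2c sends the community name in cleartext; "
                         "prefer an SNMP v3 user with Authentication, Privacy"))
    return findings


def audit_v3_user(user):
    """Findings for one SNMP v3 user; keys mirror the GUI labels on this page."""
    findings = []
    name = user["user_name"]
    level = user["security_level"]
    if level == "No Authentication, No Privacy":
        findings.append(("high", name,
                         "no authentication: anyone who knows the user name can query the unit"))
        return findings
    if user.get("auth_algorithm") in WEAK_AUTH:
        findings.append(("medium", name,
                         f"authentication algorithm {user['auth_algorithm']} is deprecated; use SHA1"))
    if level == "Authentication, No Privacy":
        findings.append(("medium", name, "no privacy: query results and traps travel unencrypted"))
    elif user.get("priv_algorithm") in WEAK_PRIV:
        findings.append(("medium", name,
                         f"privacy algorithm {user['priv_algorithm']} is deprecated; use AES"))
    return findings


def audit(snmp_config):
    """Audit every community and v3 user in a constructed export of the SNMP page."""
    findings = []
    for comm in snmp_config.get("communities", []):
        findings.extend(audit_community(comm))
    for user in snmp_config.get("v3_users", []):
        findings.extend(audit_v3_user(user))
    return findings


# Constructed sample: one community left at the GUI defaults, one legacy v3 user,
# and one v3 user configured with the strongest options the page lists.
SAMPLE_CONFIG = {
    "communities": [
        {"name": "public-default",
         "hosts": [{"address": "0.0.0.0/0", "interface": "port1"}],
         "queries": True, "traps": True},
    ],
    "v3_users": [
        {"user_name": "legacy-nms", "security_level": "Authentication, No Privacy",
         "auth_algorithm": "MD5"},
        {"user_name": "nms", "security_level": "Authentication, Privacy",
         "auth_algorithm": "SHA1", "priv_algorithm": "AES"},
    ],
}

if __name__ == "__main__":
    for severity, obj, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {obj}: {message}")
```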

To edit an SNMP user:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v3 section, double-click on a user, right-click on a user then select Edit, or select a user then click Edit in the toolbar. The Edit SNMP User pane opens.
  3. Edit the settings as required, then click OK to apply your changes.

To delete an SNMP user or users:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v3 section, select the user or users you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected user or users.

SNMP MIBs

The Fortinet and FortiAnalyzer MIBs, along with the two RFC MIBs, can be obtained from Customer Service & Support (https://support.fortinet.com). You can download the FORTINET-FORTIMANAGER-FORTIANALYZER-MIB.mib MIB file in the firmware image file folder. The FORTINET-CORE-MIB.mib file is located in the main FortiAnalyzer 5.00 file folder.

RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).

To be able to communicate with the SNMP agent, you must include all of these MIBs in your SNMP manager.

Generally your SNMP manager will be an application on your local computer. Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet and FortiAnalyzer proprietary MIBs to this database.

MIB file name or RFC Description
FORTINET-CORE-MIB.mib The proprietary Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor Fortinet unit configuration settings and receive traps from the Fortinet SNMP agent.
FORTINET-FORTIMANAGERMIB.mib The proprietary FortiAnalyzer MIB includes system information and trap information for FortiAnalyzer units.
RFC-1213 (MIB II) The Fortinet SNMP agent supports MIB II groups with the following exceptions:
  • No support for the EGP group from MIB II (RFC 1213, sections 3.11 and 6.10).
  • Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all Fortinet traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.
RFC-2665 (Ethernet-like MIB) The Fortinet SNMP agent supports Ethernet-like MIB information with the following exception:
  • No support for the dot3Tests and dot3Errors groups.

SNMP traps

Fortinet devices share SNMP traps, but each type of device also has traps specific to that device type. For example FortiAnalyzer units have FortiAnalyzer specific SNMP traps. To receive Fortinet device SNMP traps, you must load and compile the FORTINET-CORE-MIB into your SNMP manager.

Traps sent include the trap message as well as the unit serial number (fnSysSerial) and host name (sysName). The Trap Message column includes the message that is included with the trap, as well as the SNMP MIB field name to help locate the information about the trap.

Trap message Description
ColdStart, WarmStart, LinkUp, LinkDown Standard traps as described in RFC 1215.
CPU usage high (fnTrapCpuThreshold) CPU usage exceeds the set percent. This threshold can be set in the CLI using the following commands:

    config system snmp sysinfo
        set trap-high-cpu-threshold <percentage value>
    end

CPU usage excluding NICE processes (fmSysCpuUsageExcludedNice) CPU usage excluding NICE processes exceeds the set percentage. This threshold can be set in the CLI using the following commands:

    config system snmp sysinfo
        set trap-cpu-high-exclude-nice-threshold <percentage value>
    end

Memory low (fnTrapMemThreshold) Memory usage exceeds 90 percent. This threshold can be set in the CLI using the following commands:

    config system snmp sysinfo
        set trap-low-memory-threshold <percentage value>
    end

Log disk too full (fnTrapLogDiskThreshold) Log disk usage has exceeded the configured threshold. Only available on devices with log disks.
Temperature too high (fnTrapTempHigh) A temperature sensor on the device has exceeded its threshold. Not all devices have thermal sensors. See the manual for specifications.
Voltage outside acceptable range (fnTrapVoltageOutOfRange) Power levels have fluctuated outside of normal levels. Not all devices have voltage monitoring instrumentation.
Power supply failure (fnTrapPowerSupplyFailure) Power supply failure detected. Available on some devices that support redundant power supplies.
Interface IP change (fnTrapIpChange) The IP address for an interface has changed. The trap message includes the name of the interface, the new IP address and the serial number of the Fortinet unit. You can use this trap to track interface IP address changes for interfaces with dynamic IP addresses set using DHCP or PPPoE.
Log rate too high (fmTrapLogRateThreshold) The incoming log rate has exceeded the peak log rate threshold. To determine the peak log rate, use the following CLI command:

    get system loglimits

Data rate too high (fmTrapLogDataRateThreshold) The incoming data rate has exceeded the peak data rate threshold. The peak data rate is calculated using the peak log rate x 512 bytes (average log size).

Fortinet & FortiAnalyzer MIB fields

The Fortinet MIB contains fields reporting current Fortinet unit status information. The below tables list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.3.00.mib file into your SNMP manager and browsing the Fortinet MIB fields.

System MIB fields:

MIB field Description
fnSysSerial Fortinet unit serial number.

Administrator accounts:

MIB field Description
fnAdminNumber The number of administrators on the Fortinet unit.
fnAdminTable Table of administrators.  
fnAdminIndex Administrator account index number.
fnAdminName The user name of the administrator account.
fnAdminAddr An address of a trusted host or subnet from which this administrator account can be used.
fnAdminMask The netmask for fnAdminAddr.

Custom messages:

MIB field Description
fnMessages The number of custom messages on the Fortinet unit.
MIB fields and traps:

MIB field Description
fmModel A table of all FortiAnalyzer models.

Task Monitor – FortiAnalyzer – FortiOS 6.2.3

Task Monitor

Using the task monitor, you can view the status of the tasks you have performed.

Go to System Settings > Task Monitor to view the task monitor.

The following options are available:

Delete Remove the selected task or tasks from the list. This changes to Cancel Running Task(s) when View is Running.
View Select which tasks to view from the dropdown list, based on their status. The available options are: Running, Pending, Done, Error, Cancelling, Cancelled, Aborting, Aborted, Warning, and All.
Expand Arrow In the Source column, select the expand arrow icon to display the specific actions taken under this task. To filter the specific actions taken for a task, select one of the options on top of the action list. Select the history icon to view specific information on task progress. This can be useful when troubleshooting warnings and errors.
Group Error Devices Select Group Error Devices to create a group of the failed devices, allowing for re-installations to easily be done on only the failed devices.
History Click the history icon to view task details in a new window.
Pagination Browse the pages of tasks and adjust the number of tasks shown per page.

The following information is available:

ID The identification number for a task.
Source The platform from where the task is performed. Click the expand arrow to view details of the specific task and access the history button.
Description The nature of the task. Click the arrow to display the specific actions taken under this task.
User The user or users who performed the tasks.
Status The status of the task (hover over the icon to view the description):
  • Done: Completed with success.
  • Error: Completed without success.
  • Canceled: User canceled the task.
  • Canceling: User is canceling the task.
  • Aborted: The FortiAnalyzer system stopped performing this task.
  • Aborting: The FortiAnalyzer system is stopping performing this task.
  • Running: Being processed. In this status, a percentage bar appears in the Status column.
  • Pending
  • Warning

Start Time The time that the task was started.
ADOM The ADOM associated with the task.
History Click the history button to view task details.

Event Log – FortiAnalyzer – FortiOS 6.2.3

Event Log

The Event Log pane provides an audit log of actions made by users on FortiAnalyzer. It allows you to view log messages that are stored in memory or on the internal hard disk drive. You can use filters to search the messages and download the messages to the management computer.

See the FortiAnalyzer Log Message Reference, available from the Fortinet Document Library, for more information about the log messages.

Go to System Settings > Event Log to view the local log list.

The following options are available:

Add Filter   Filter the event log list based on the log level, user, sub type, or message. See Event log filtering below.
Last…   Select the amount of time to show from the available options, or select a custom time span or any time.
Column Settings Select which columns are enabled or disabled in the Event Log table.
Tools
  Raw Log / Formatted Log Click Raw Log to view the logs in their raw state. Click Formatted Log to view them formatted into a table.

Real-time Log / Historical Log Click to view the real-time or historical logs list.
Case Sensitive Search Enable or disable case sensitive searching.
Download Download the event logs in either CSV or the normal format to the management computer.
Pagination Browse the pages of logs and adjust the number of logs that are shown per page.

The following information is shown:

# The log number.
Date/Time The date and time that the log file was generated.
Device ID The ID of the related device.
Sub Type The log sub-type:
  • System manager event
  • HA event
  • FG-FM protocol event
  • Firmware manager event
  • Device configuration event
  • FortiGuard service event
  • Global database event
  • FortiClient manager event
  • Script manager event
  • FortiMail manager event
  • Web portal event
  • Debug I/O log event
  • Firewall objects event
  • Configuration change event
  • Policy console event
  • Device manager event
  • VPN console event
  • Web service event
  • Endpoint manager event
  • FortiAnalyzer event
  • Revision history event
  • Log daemon event
  • Deployment manager event
  • FIPS-CC event
  • Real-time monitor event
  • Managed devices event
  • Log and report manager event
User The user that the log message relates to.
Message Log message details. A Session ID is added to each log message. The username of the administrator is added to log messages wherever applicable for better traceability.

Event log filtering

The event log can be filtered using the Add Filter box in the toolbar.

To filter the event log using the toolbar:

  1. Specify filters in the Add Filter box.
    • Regular Search: Click in the Add Filter box, select a filter from the dropdown list, then type a value. Click NOT to negate the filter value. You can add multiple filters at a time, and connect them with an “or”.
    • Advanced Search: Click the Switch to Advanced Search icon at the right end of the Add Filter box to switch to advanced search mode. In this mode, you type in the whole search criteria (log field names and values). Click the Switch to Regular Search icon to return to regular search.
  2. Click Go to apply the filter.
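As an added example (not Fortinet code), here is the regular-search behaviour described above applied to constructed raw event log lines in the key=value style FortiAnalyzer uses: filters on level, user, subtype or msg are ORed together, NOT negates a filter, and the Case Sensitive Search toggle decides how values compare. Substring matching and the sample field values are assumptions; the page names the filterable fields but not how values are compared.

```python
import re

# Constructed raw event log lines in key=value style; not captured from a device.
SAMPLE_RAW_LOGS = [
    'date=2020-03-02 time=10:15:01 devid=FAZ-EXAMPLE01 level=information subtype=system '
    'user=admin msg="User admin logged in successfully from GUI(192.0.2.10)" session_id=0x1a2b',
    'date=2020-03-02 time=10:16:44 devid=FAZ-EXAMPLE01 level=warning subtype=system '
    'user=admin msg="User admin login failed from GUI(192.0.2.77)" session_id=0x1a2c',
    'date=2020-03-02 time=10:20:09 devid=FAZ-EXAMPLE01 level=information subtype=fetcher '
    'user=fetcher msg="Fetch request from 192.0.2.50 approved" session_id=0x1a2d',
    'date=2020-03-02 time=10:31:57 devid=FAZ-EXAMPLE01 level=notice subtype=config '
    'user=auditor msg="Edit SNMP community public-default" session_id=0x1a2e',
]

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_raw_log(line):
    """Return the fields of one raw log line as a dict, with surrounding quotes stripped."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def matches(fields, flt, case_sensitive=False):
    """Evaluate one (field, value, negate) filter against the parsed fields.

    Substring matching is this example's assumption; a missing field never matches,
    so NOT on a missing field is true.
    """
    field, value, negate = flt
    actual = fields.get(field, "")
    if not case_sensitive:
        actual, value = actual.lower(), value.lower()
    hit = value in actual
    return not hit if negate else hit


def search(lines, filters, case_sensitive=False):
    """Regular search: keep a line if any filter matches (the GUI connects filters with "or").

    With no filters every line is returned, as the unfiltered pane would show it.
    """
    results = []
    for line in lines:
        fields = parse_raw_log(line)
        if not filters or any(matches(fields, f, case_sensitive) for f in filters):
            results.append(fields)
    return results


if __name__ == "__main__":
    # Everything not done by admin, plus anything at warning level.
    for hit in search(SAMPLE_RAW_LOGS, [("user", "admin", True), ("level", "warning", False)]):
        print(hit["time"], hit["level"], hit["user"], hit["msg"])
```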

Synchronizing devices and ADOMs – FortiAnalyzer – FortiOS 6.2.3

Synchronizing devices and ADOMs

If this is the first time the fetching client is fetching logs from the device, or if any changes have been made to the devices or ADOMs since the last fetch, then the devices and ADOMs must be synchronized with the server.

To synchronize devices and ADOMs:

  1. On the client, go to System Settings > Fetcher Management and select the Profiles tab.
  2. Select the profile then click Sync Devices in the toolbar, or right-click and select Sync Devices from the menu. The Sync Server ADOM(s) & Device(s) dialog box opens and shows the progress of the process.

Once the synchronization is complete, you can verify the changes on the client. For example, newly added devices appear in the ADOM specified by the profile.

If a new ADOM is created, the new ADOM will mirror the disk space and data policy of the corresponding server ADOM. If there is not enough space on the client, the client will create an ADOM with the maximum allowed disk space and give a warning message. You can then adjust disk space allocation as required.

Request processing

After a fetching client has made a fetch request, the request will be listed on the fetch server in the Received Request section of the Sessions tab on the Fetcher Management pane. It will also be available from the notification center in the GUI banner.

Fetch requests can be approved or rejected.

To process the fetch request:

  1. Go to the notification center in the GUI banner and click the log fetcher request, or go to the Sessions tab on the System Settings > Fetcher Management pane.
  2. Find the request in the Received Request section. You may have to expand the section, or select Expand All in the content pane toolbar. The status of the request will be Waiting for approval.
  3. Click Review to review the request. The Review Request dialog box will open.
  4. Click Approve to approve the request, or click Reject to reject the request.

If you approve the request, the server will start to retrieve the requested logs in the background and send them to the client. If you reject the request, the request will be canceled and the request status will be listed as Rejected on both the client and the server.

Fetch monitoring

The progress of an approved fetch request can be monitored on both the fetching client and the fetch server.

Go to System Settings > Fetcher Management and select the Sessions tab to monitor the fetch progress. A fetch session can be paused by clicking Pause, and resumed by clicking Resume. It can also be canceled by clicking Cancel.

Once the log fetching is completed, the status changes to Done and the request record can be deleted by clicking Delete. The client will start to index the logs into the database.

It can take a long time for the client to finish indexing the fetched logs and make the analyzed data available. A progress bar is shown in the GUI banner; for more information, click on it to open the Rebuild Log Database dialog box.

Log and report features will not be fully available until the rebuilding process is complete.

Fetcher Management – FortiAnalyzer – FortiOS 6.2.3

Fetcher Management

Log fetching is used to retrieve archived logs from one FortiAnalyzer device to another. This allows administrators to run queries and reports against historic data, which can be useful for forensic analysis.

The fetching FortiAnalyzer can query the server FortiAnalyzer and retrieve the log data for a specified device and time period, based on specified filters. The retrieved data are then indexed, and can be used for data analysis and reports.

Log fetching can only be done on two FortiAnalyzer devices running the same firmware. A FortiAnalyzer device can be either the fetch server or the fetching client, and it can perform both roles at the same time with different FortiAnalyzer devices. Only one log fetching session can be established at a time between two FortiAnalyzer devices.

The basic steps for fetching logs are:

  1. On the client, create a fetching profile. See Fetching profiles.
  2. On the client, send the fetch request to the server. See Fetch requests.
  3. If this is the first time fetching logs with the selected profile, or if any changes have been made to the devices and/or ADOMs since the last fetch, on the client, sync devices and ADOMs with the server. See Synchronizing devices and ADOMs.
  4. On the server, review the request, then either approve or reject it. See Request processing.
  5. Monitor the fetch process on either FortiAnalyzer. See Fetch monitoring.
  6. On the client, wait until the database is rebuilt before using the fetched data for analysis.

Fetching profiles

Fetching profiles can be managed from the Profiles tab on the System Settings > Fetcher Management pane.

Profiles can be created, edited, and deleted as required. The profile list shows the name of the profile, as well as the IP address of the server it fetches from, the server and local ADOMs, and the administrator name on the fetch server.

To create a new fetching profile:

  1. On the client, go to System Settings > Fetcher Management.
  2. Select the Profiles tab, then click Create New in the toolbar, or right-click and select Create New from the menu. The Create New Profile dialog box opens.
  3. Configure the following settings, then click OK to create the profile.
Name   Enter a name for the profile.
Server IP   Enter the IP address of the fetch server.
User   Enter the username of an administrator on the fetch server, which, together with the password, authenticates the fetch client’s access to the fetch server.
Password   Enter the administrator’s password, which, together with the username, authenticates the fetch client’s access to the fetch server.

To edit a fetching profile:

  1. Go to System Settings > Fetcher Management.
  2. Double-click on a profile, right-click on a profile then select Edit, or select a profile then click Edit in the toolbar. The Edit Profile pane opens.
  3. Edit the settings as required, then click OK to apply your changes.

To delete a fetching profile or profiles:

  1. Go to System Settings > Fetcher Management.
  2. Select the profile or profiles you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected profile or profiles.

Fetch requests

A fetch request requests archived logs from the fetch server configured in the selected fetch profile. When making the request, the ADOM on the fetch server the logs are fetched from must be specified. An ADOM on the fetching client must be specified or, if needed, a new one can be created. If logs are being fetched to an existing local ADOM, you must ensure the ADOM has enough disk space for the incoming logs.

The data policy for the local ADOM on the client must also support fetching logs from the specified time period. It must keep both archive and analytics logs long enough so they will not be deleted in accordance with the policy. For example: Today is July 1, the ADOM’s data policy is configured to keep analytics logs for 30 days (June 1 – 30), and you need to fetch logs from the first week of May. The data policy of the ADOM must be adjusted to keep analytics and archive logs for at least 62 days to cover the entire time span. Otherwise, the fetched logs will be automatically deleted after they are fetched.

To send a fetch request:

  1. On the fetch client, go to System Settings > Fetcher Management and select the Profiles tab.
  2. Select the profile then click Request Fetch in the toolbar, or right-click and select Request Fetch from the menu. The Fetch Logs dialog box opens.
  3. Configure the following settings, then click Request Fetch.

The request is sent to the fetch server. The status of the request can be viewed in the Sessions tab.

Name Displays the name of the fetch server you have specified.
Server IP Displays the IP address of the server you have specified.
User Displays the username of the server administrator you have provided.
Secure Connection Select to use an SSL connection to transfer fetched logs from the server.
Server ADOM Select the ADOM on the server the logs will be fetched from. Only one ADOM can be fetched from at a time.
Local ADOM Select the ADOM on the client where the logs will be received.

Either select an existing ADOM from the dropdown list, or create a new ADOM by entering a name for it into the field.

Devices Add the devices and/or VDOMs that the logs will be fetched from. Up to 256 devices can be added.

Click Select Device, select devices from the list, then click OK.

Enable Filters Select to enable filters on the logs that will be fetched.

Select All or Any of the Following Conditions in the Log messages that match field to control how the filters are applied to the logs.

Add filters to the table by selecting the Log Field, Match Criteria, and Value for each filter.

Time Period Specify what date and time range of log messages to fetch.
Index Fetch Logs If selected, the fetched logs will be indexed in the SQL database of the client once they are received. Select this option unless you want to manually index the fetched logs.