Category Archives: FortiAnalyzer

Log Forwarding – FortiAnalyzer – FortiOS 6.2.3

Log Forwarding

You can forward logs from a FortiAnalyzer unit to another FortiAnalyzer unit, a syslog server, or a Common Event Format (CEF) server when you use the default forwarding mode in log forwarding.

The client is the FortiAnalyzer unit that forwards logs to another device. The server is the FortiAnalyzer unit, syslog server, or CEF server that receives the logs.

In addition to forwarding logs to another unit or server, the client retains a local copy of the logs. The local copy of the logs is subject to the data policy settings for archived logs. See Log storage on page 21 for more information.

To see a graphical view of the log forwarding configuration, and to see details of the devices involved, go to System Settings > Logging Topology. For more information, see Logging Topology on page 166.

Modes

FortiAnalyzer supports two log forwarding modes: forwarding (default), and aggregation.

Forwarding

Logs are forwarded in real-time or near real-time as they are received. Forwarded content files include: DLP files, antivirus quarantine files, and IPS packet captures.

This mode can be configured in both the GUI and CLI.

Aggregation

As FortiAnalyzer receives logs from devices, it stores them, and then forwards the collected logs at a specified time every day.

FortiAnalyzer supports log forwarding in aggregation mode only between two FortiAnalyzer units. Syslog and CEF servers are not supported.

Aggregation mode can only be configured with the log-forward and log-forward-service CLI commands. See the FortiAnalyzer CLI Reference for more information.

Certificates – FortiAnalyzer – FortiOS 6.2.3

Certificates

The FortiAnalyzer generates a certificate request based on the information you entered to identify the FortiAnalyzer unit. After you generate a certificate request, you can download the request to a management computer and then forward the request to a CA.

Local certificates are issued for a specific server, or website. Generally they are very specific, and often for an internal enterprise network.

CA root certificates are similar to local certificates; however, they apply to a broader range of addresses or to an entire company.

The CRL is a list of certificates that have been revoked and are no longer usable. This list includes expired, stolen, or otherwise compromised certificates. If your certificate is on this list, it will not be accepted. CRLs are maintained by the CA that issues the certificates and include the date and time when the next CRL will be issued, as well as a sequence number to help ensure you have the most current versions.

Local certificates

The FortiAnalyzer unit generates a certificate request based on the information you enter to identify the FortiAnalyzer unit. After you generate a certificate request, you can download the request to a computer that has management access to the FortiAnalyzer unit and then forward the request to a CA.

The certificate window also enables you to export certificates for authentication, importing, and viewing.

The FortiAnalyzer has one default local certificate: Fortinet_Local.

You can manage local certificates from the System Settings > Certificates > Local Certificates page. Some options are available in the toolbar and some are also available in the right-click menu.

Creating a local certificate

To create a certificate request:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Click Create New in the toolbar. The Generate Certificate Signing Request pane opens.
  3. Enter the following information as required, then click OK to save the certificate request:
  • Certificate Name: The name of the certificate.
  • Subject Information: Select the ID type from the dropdown list:
    • Host IP: Select if the unit has a static IP address. Enter the public IP address of the unit in the Host IP field.
    • Domain Name: Select if the unit has a dynamic IP address and subscribes to a dynamic DNS service. Enter the domain name of the unit in the Domain Name field.
    • Email: Select to use an email address. Enter the email address in the Email Address field.
  • Optional Information:
    • Organization Unit (OU): The name of the department. You can enter a series of OUs up to a maximum of 5. To add or remove an OU, use the plus (+) or minus (-) icons.
    • Organization (O): Legal name of the company or organization.
    • Locality (L): Name of the city or town where the device is installed.
    • State/Province (ST): Name of the state or province where the unit is installed.
    • Country (C): Select the country where the unit is installed from the dropdown list.
    • E-mail Address (EA): Contact email address.
  • Subject Alternative Name: Optionally, enter one or more alternative names for which the certificate is also valid. Separate names with a comma. A name can be an e-mail address, an IP address, a URI, a DNS name (an alternative to the Common Name), or a directory name (an alternative to the Distinguished Name). You must precede the name with the name type. Examples: IP:1.1.1.1, email:test@fortinet.com, email:my@other.address, URI:http://my.url.here/
  • Key Type: The key type can be RSA or Elliptic Curve.
  • Key Size: Select the key size from the dropdown list: 512 Bit, 1024 Bit, 1536 Bit, or 2048 Bit. This option is only available when the key type is RSA.
  • Curve Name: Select the curve name from the dropdown list: secp256r1 (default), secp384r1, or secp521r1. This option is only available when the key type is Elliptic Curve.
  • Enrollment Method: The enrollment method is set to File Based.
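The Subject Alternative Name field above has a small grammar of its own (comma-separated, type-prefixed entries), and the Key Size dropdown still offers sizes that should not be used for a new request. The following is an added example, not code from the FortiAnalyzer documentation: the function names and the sample field value are constructed here. It validates a field value against the page's rules, renders the equivalent OpenSSL subjectAltName string, and flags weak key choices.

```python
"""Check a Subject Alternative Name entry list against the GUI field syntax.

Added example, not code from the FortiAnalyzer documentation: the function
names and the sample field value below are constructed here. It applies the
page's rule that every alternative name carries a type prefix (IP, email,
URI, DNS), sanity-checks each value, and emits the equivalent OpenSSL
subjectAltName string so the same request can be reproduced outside the GUI.
"""
import ipaddress
from urllib.parse import urlparse

# Name types the GUI documents; the same keywords are used by OpenSSL's
# subjectAltName. "directory name" is left out: it is a full DN, not one value.
SAN_TYPES = ("IP", "email", "URI", "DNS")

# Smallest RSA size that is still acceptable today; the dropdown also offers
# 512, 1024 and 1536 bits, which a new request should not use.
MIN_RSA_BITS = 2048


def _check_value(san_type, value):
    """Return an error string for a malformed value, or None if it looks sane."""
    if san_type == "IP":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return f"{value!r} is not an IPv4 or IPv6 address"
    elif san_type == "email":
        local, sep, domain = value.partition("@")
        if not (sep and local and domain):
            return f"{value!r} is not a user@domain address"
    elif san_type == "URI":
        parsed = urlparse(value)
        if not (parsed.scheme and parsed.netloc):
            return f"{value!r} needs a scheme and host, e.g. https://host/"
    elif san_type == "DNS":
        if not value or " " in value or value.startswith(".") or value.endswith("."):
            return f"{value!r} is not a valid DNS name"
    return None


def parse_san_field(field):
    """Split the comma-separated GUI field into (type, value) pairs.

    Returns (entries, errors). Entries without a recognised TYPE: prefix are
    reported, mirroring the page's "you must precede the name with the name
    type" requirement, rather than guessing a type for them.
    """
    entries, errors = [], []
    for raw in field.split(","):
        raw = raw.strip()
        if not raw:
            continue
        # Partition on the first colon only, so "URI:http://..." and IPv6
        # literals such as "IP:2001:db8::1" keep their own colons intact.
        san_type, sep, value = raw.partition(":")
        if not sep or san_type not in SAN_TYPES:
            errors.append(f"{raw!r}: missing type prefix, expected one of {', '.join(SAN_TYPES)}")
            continue
        problem = _check_value(san_type, value)
        if problem:
            errors.append(f"{raw!r}: {problem}")
            continue
        entries.append((san_type, value))
    return entries, errors


def to_openssl_san(entries):
    """Render parsed entries as an OpenSSL subjectAltName extension value."""
    return ",".join(f"{san_type}:{value}" for san_type, value in entries)


def key_choice_warning(key_type, key_size=None, curve=None):
    """Return a warning for a weak or unknown key choice from the dropdowns, else None."""
    if key_type == "RSA":
        if key_size is None or key_size < MIN_RSA_BITS:
            return f"RSA {key_size} bits is below the {MIN_RSA_BITS}-bit minimum; pick 2048 Bit"
        return None
    if key_type == "Elliptic Curve":
        if curve in ("secp256r1", "secp384r1", "secp521r1"):
            return None
        return f"unknown curve {curve!r}"
    return f"unknown key type {key_type!r}"


if __name__ == "__main__":
    # Constructed sample: the page's own examples plus one entry that breaks the rule.
    sample = ("IP:1.1.1.1, email:test@fortinet.com, email:my@other.address, "
              "URI:http://my.url.here/, fortianalyzer.example.com")
    entries, errors = parse_san_field(sample)
    print("subjectAltName =", to_openssl_san(entries))
    for err in errors:
        print("rejected:", err)
    print(key_choice_warning("RSA", 1024))
```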

Importing local certificates

To import a local certificate:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Click Import in the toolbar or right-click and select Import. The Import dialog box opens.
  3. Enter the following information as required, then click OK to import the local certificate:
  • Type: Select the certificate type from the dropdown list: Local Certificate, PKCS #12 Certificate, or Certificate.
  • Certificate File: Click Browse… and locate the certificate file on the management computer, or drag and drop the file onto the dialog box.
  • Key File: Click Browse… and locate the key file on the management computer, or drag and drop the file onto the dialog box. This option is only available when Type is Certificate.
  • Password: Enter the certificate password. This option is only available when Type is PKCS #12 Certificate or Certificate.
  • Certificate Name: Enter the certificate name. This option is only available when Type is PKCS #12 Certificate or Certificate.

Deleting local certificates

To delete a local certificate or certificates:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Select the certificate or certificates you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected certificate or certificates.

Viewing details of local certificates

To view details of a local certificate:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Select the certificates that you would like to see details about, then click View Certificate Detail in the toolbar or right-click menu. The View Local Certificate page opens.
  3. Click OK to return to the local certificates list.

Downloading local certificates

To download a local certificate:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Select the certificate that you need to download.
  3. Click Download in the toolbar, or right-click and select Download, and save the certificate to the management computer.


CA certificates

The FortiAnalyzer has one default CA certificate, Fortinet_CA. In this sub-menu you can delete, import, view, and download certificates.

Importing CA certificates

To import a CA certificate:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Click Import in the toolbar, or right-click and select Import. The Import dialog box opens.
  3. Click .. and locate the certificate file on the management computer, or drag and drop the file onto the dialog box.
  4. Click OK to import the certificate.

Viewing CA certificate details

To view a CA certificate’s details:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Select the certificates you need to see details about.
  3. Click View Certificate Detail in the toolbar, or right-click and select View Certificate Detail. The View CA Certificate page opens.
  4. Click OK to return to the CA certificates list.

Downloading CA certificates

To download a CA certificate:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Select the certificate you need to download.
  3. Click Download in the toolbar, or right-click and select Download, and save the certificate to the management computer.

Deleting CA certificates

To delete a CA certificate or certificates:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Select the certificate or certificates you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected certificate or certificates.

Certificate revocation lists

When you apply for a signed personal or group certificate to install on remote clients, you can obtain the corresponding root certificate and Certificate Revocation List (CRL) from the issuing CA.

The CRL is a list of certificates that have been revoked and are no longer usable. This list includes expired, stolen, or otherwise compromised certificates. If your certificate is on this list, it will not be accepted. CRLs are maintained by the CA that issues the certificates and include the date and time when the next CRL will be issued, as well as a sequence number to help ensure you have the most current version of the CRL.

When you receive the signed personal or group certificate, install the signed certificate on the remote client(s) according to the browser documentation. Install the corresponding root certificate (and CRL) from the issuing CA on the FortiAnalyzer unit according to the procedures given below.

Importing a CRL

To import a CRL:

  1. Go to System Settings > Certificates > CRL.
  2. Click Import in the toolbar, or right-click and select Import. The Import dialog box opens.
  3. Click .. and locate the CRL file on the management computer, or drag and drop the file onto the dialog box.
  4. Click OK to import the CRL.

Viewing a CRL

To view a CRL:

  1. Go to System Settings > Certificates > CRL.
  2. Select the CRL you need to see details about.
  3. Click View Certificate Detail in the toolbar, or right-click and select View Certificate Detail. The Result page opens.
  4. Click OK to return to the CRL list.

Deleting a CRL

To delete a CRL or CRLs:

  1. Go to System Settings > Certificates > CRL.
  2. Select the CRL or CRLs you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected CRL or CRLs.

Administrative Domains – FortiAnalyzer – FortiOS 6.2.3

Administrative Domains

Administrative domains (ADOMs) enable administrators to manage only those devices that they are specifically assigned, based on the ADOMs to which they have access. When the ADOM mode is advanced, FortiGate devices with multiple VDOMs can be divided among multiple ADOMs.

Administrator accounts can be tied to one or more ADOMs, or denied access to specific ADOMs. When a particular administrator logs in, they see only those devices or VDOMs that have been enabled for their account. Super user administrator accounts, such as the admin account, can see and maintain all ADOMs and the devices within them.

Each ADOM specifies how long to store and how much disk space to use for its logs. You can monitor disk utilization for each ADOM and adjust storage settings for logs as needed.

The maximum number of ADOMs you can add depends on the FortiAnalyzer system model. Please refer to the FortiAnalyzer data sheet for more information.

When the maximum number of ADOMs has been reached, you will be unable to create a new ADOM.

When upgrading to FortiAnalyzer 6.2.1 or later, you will continue to have access to any ADOMs exceeding the limit, however, no additional ADOMs can be created, and an alert will be issued in the Alert Message Console in System Settings > Dashboard.

By default, ADOMs are disabled. Enabling and configuring ADOMs can only be done by administrators with the Super_User profile. See Administrators on page 222.

The root ADOM and Security Fabric ADOMs are available for visibility into all Fabric devices. See Creating a Security Fabric ADOM on page 40.

Default ADOMs

FortiAnalyzer includes default ADOMs for specific types of devices. When you add one or more of these devices to the FortiAnalyzer, the devices are automatically added to the appropriate ADOM, and the ADOM becomes selectable. When a default ADOM contains no devices, the ADOM is not selectable.

For example, when you add a FortiClient EMS device to the FortiAnalyzer, the FortiClient EMS device is automatically added to the default FortiClient ADOM. After the FortiClient ADOM contains a FortiClient EMS device, the FortiClient ADOM is selectable when you log into FortiAnalyzer or when you switch between ADOMs.

You can view all of the ADOMs, including default ADOMs without devices, on the System Settings > All ADOMs pane.

Root ADOM

When ADOMs are enabled, the default root ADOM type is Fabric. Fabric ADOMs show combined results from all Security Fabric devices in the Device Manager, Log View, SOC, Incidents & Events and Reports panes. For more information on Fabric ADOMs, see Creating a Security Fabric ADOM on page 40.

In FortiAnalyzer 6.2.0 and earlier, the root ADOM is a FortiGate ADOM. When upgrading to FortiAnalyzer 6.2.1 and later, the root ADOM type will not be changed to Fabric. Resetting the FortiAnalyzer settings through a factory reset will cause the root ADOM to become a Fabric ADOM.

Organizing devices into ADOMs

You can organize devices into ADOMs to allow you to better manage these devices. Devices can be organized by whatever method you deem appropriate, for example:

  • Firmware version: group all devices with the same firmware version into an ADOM.
  • Geographic regions: group all devices for a specific geographic region into an ADOM, and devices for a different region into another ADOM.
  • Administrative users: group devices into separate ADOMs based on the specific administrators responsible for each group of devices.
  • Customers: group all devices for one customer into an ADOM, and devices for another customer into another ADOM.

FortiClient support and ADOMs

FortiClient logs are stored in the device that the FortiClient endpoint is registered to.

For example, when endpoints are registered to a FortiGate device, FortiClient logs are viewed on the FortiGate device. When endpoints are registered to a FortiClient EMS, FortiClient logs are viewed in the FortiClient ADOM that the FortiClient EMS device is added to.

ADOMs must be enabled to support FortiClient EMS devices.

Merge FortiAnalyzer Logging Support for FortiClient EMS for Chromebooks

  1. Add https-logging to the allowaccess list using the following CLI command:

    config system interface
        edit "port1"
            set allowaccess https ssh https-logging
        next
    end

  2. Add an SSL certificate to enable communication.

    An SSL certificate is required to support communication and send logs between the FortiClient Web Filter extension and FortiAnalyzer. If you use a public SSL certificate, you only need to add the public SSL certificate to FortiAnalyzer.

    However, if you prefer to use a certificate that is not from a common CA, you must add the SSL certificate to FortiAnalyzer, and you must push the root CA of your certificate to the Google Chromebooks. Otherwise, the HTTPS connection between the FortiClient EMS Chromebook Web Filter extension and FortiAnalyzer will not work. The common name of the certificate must be the FortiAnalyzer IP address.

    1. In FortiAnalyzer, go to System Settings > Certificates > Local Certificates.
    2. Click Import. The Import Local Certificate dialog box appears.
    3. In the Type list, select Certificate. Or, in the Type list, select PKCS#12 Certificate to upload the certificate in PKCS #12 format.
    4. Beside the Certificate File field, click Browse to select the certificate.
    5. Enter the password and certificate name.
    6. Click OK.
  3. Select certificates for HTTPS connections:
    1. In FortiAnalyzer, go to System Settings > Admin > Admin Settings.
    2. In the HTTPS & Web Service Certificate box, select the certificate you want to use for HTTPS connections, and click Apply.
  4. Enable the FortiClient ADOM using the following CLI command:

    config system global
        set adom-status enable
    end

  5. Add FortiClient EMS for Chromebooks as a device to the FortiClient ADOM: go to Device Manager and click the + Add Device button to add FortiClient EMS for Chromebooks as a FortiClient ADOM device.
  6. Enable logging in FortiClient EMS for Chromebooks. See the FortiClient EMS for Chromebooks Administration Guide for more information.

Enabling and disabling the ADOM feature

By default, ADOMs are disabled. Enabling and configuring ADOMs can only be done by super user administrators.

When ADOMs are enabled, the Device Manager, SOC, Log View, Incidents & Events, and Reports panes are displayed per ADOM. You select the ADOM you need to work in when you log into the FortiAnalyzer unit. See Switching between ADOMs on page 15.

To enable the ADOM feature:

  1. Log in to the FortiAnalyzer as a super user administrator.
  2. Go to System Settings > Dashboard.
  3. In the System Information widget, toggle the Administrative Domain switch to ON.

You will be automatically logged out of the FortiAnalyzer and returned to the login screen.

To disable the ADOM feature:

  1. Remove all the devices from all non-root ADOMs. That is, add all devices to the root ADOM.
  2. Delete all non-root ADOMs. See Deleting ADOMs on page 184.

Only after removing all the non-root ADOMs can ADOMs be disabled.

  3. Go to System Settings > Dashboard.
  4. In the System Information widget, toggle the Administrative Domain switch to OFF.

You will be automatically logged out of the FortiAnalyzer and returned to the login screen.

ADOM device modes

An ADOM has two device modes: Normal (default) and Advanced.

In Normal mode, you cannot assign different FortiGate VDOMs to different ADOMs. The FortiGate unit can only be added to a single ADOM.

In Advanced mode, you can assign a VDOM from a single device to a different ADOM. This allows you to analyze data for individual VDOMs, but will result in more complicated management scenarios. It is recommended only for advanced users.

To change from Advanced mode back to Normal mode, you must ensure no FortiGate VDOMs are assigned to an ADOM.

To change the ADOM device mode:

  1. Go to System Settings > Advanced > Advanced Settings.
  2. In the ADOM Mode field, select either Normal or Advanced.
  3. Select Apply to apply your changes.

Managing ADOMs

The ADOMs feature must be enabled before ADOMs can be created or configured. See Enabling and disabling the ADOM feature on page 179.

To create and manage ADOMs, go to System Settings > All ADOMs.

  • Create New: Create a new ADOM. See Creating ADOMs on page 181.
  • Edit: Edit the selected ADOM. This option is also available from the right-click menu. See Editing an ADOM on page 184.
  • Delete: Delete the selected ADOM or ADOMs. You cannot delete default ADOMs. This option is also available from the right-click menu. See Deleting ADOMs on page 184.
  • Enter ADOM: Switch to the selected ADOM. This option is also available from the right-click menu.
  • More: Select Expand Devices to expand all of the ADOMs to show the devices in each ADOM. Select Collapse Devices to collapse the device lists. These options are also available from the right-click menu.
  • Search: Enter a search term to search the ADOM list.
  • Name: The name of the ADOM. ADOMs are listed in the following groups: FortiGates and Other Device Types. A group can be collapsed or expanded by clicking the triangle next to its name.
  • Firmware Version: The firmware version of the ADOM. Devices in the ADOM should have the same firmware version.
  • Allocated Storage: The amount of hard drive storage space allocated to the ADOM.
  • Devices: The number of devices and VDOMs that the ADOM contains. The device list can be expanded or collapsed by clicking the triangle.

Creating ADOMs

To create a new ADOM, you must be logged in as a super user administrator.

Consider the following when creating ADOMs:

  • The maximum number of ADOMs that can be created depends on the FortiAnalyzer model. For more information, see the FortiAnalyzer data sheet at https://www.fortinet.com/products/management/fortianalyzer.html. When the maximum number of ADOMs has been exceeded, an alert will be issued in the Alert Message Console in System Settings > Dashboard.
  • You must use an administrator account that is assigned the Super_User administrative profile.
  • You can add a device to only one ADOM. You cannot add a device to multiple ADOMs.
  • You cannot add FortiGate and FortiCarrier devices to the same ADOM. FortiCarrier devices are added to a specific, default FortiCarrier ADOM.
  • You can add one or more VDOMs from a FortiGate device to one ADOM. If you want to add individual VDOMs from a FortiGate device to different ADOMs, you must first enable advanced device mode. See ADOM device modes on page 180.
  • You can configure how an ADOM handles log files from its devices. For example, you can configure how much disk space an ADOM can use for logs, and then monitor how much of the allotted disk space is used. You can also specify how long to keep logs in the SQL database and how long to keep logs stored in compressed format.

To create an ADOM

  1. Ensure that ADOMs are enabled. See Enabling and disabling the ADOM feature on page 179.
  2. Go to System Settings > All ADOMs.
  3. Click Create New in the toolbar. The Create New ADOM pane is displayed.
  4. Configure the following settings, then click OK to create the ADOM.
  • Name: Type a name that allows you to distinguish this ADOM from your other ADOMs. ADOM names must be unique.
  • Type: Select the type of device that you are creating an ADOM for. The ADOM type cannot be edited. For Security Fabric ADOMs, select Fabric. Although you can create a different ADOM for each type of device, FortiAnalyzer does not enforce this setting.
  • Devices: Add a device or devices with the selected versions to the ADOM. The search field can be used to find specific devices. See Assigning devices to an ADOM on page 183.
  • Data Policy: Specify how long to keep logs in the indexed and compressed states.
    • Keep Logs for Analytics: Specify how long to keep logs in the indexed state. During the indexed state, logs are indexed in the SQL database for the specified amount of time. Information about the logs can be viewed in the SOC > FortiView, Incidents & Events, and Reports modules. After the specified length of time expires, Analytics logs are automatically purged from the SQL database.
    • Keep Logs for Archive: Specify how long to keep logs in the compressed state. During the compressed state, logs are stored in a compressed format on the FortiAnalyzer unit. When logs are in the compressed state, information about the log messages cannot be viewed in the SOC > FortiView, Incidents & Events, or Reports modules. After the specified length of time expires, Archive logs are automatically deleted from the FortiAnalyzer unit.
  • Disk Utilization: Specify how much disk space to use for logs.
    • Maximum Allowed: Specify the maximum amount of FortiAnalyzer disk space to use for logs, and select the unit of measure. The total available space on the FortiAnalyzer unit is shown. For more information about the maximum available space for each FortiAnalyzer unit, see Disk space allocation on page 54.
    • Analytics : Archive: Specify the percentage of the allotted space to use for Analytics and Archive logs. Analytics logs require more space than Archive logs. For example, a setting of 70% and 30% indicates that 70% of the allotted disk space will be used for Analytics logs, and 30% of the allotted space will be used for Archive logs. Select the Modify checkbox to change the setting.
    • Alert and Delete When Usage Reaches: Specify at what data usage percentage an alert message will be generated and logs will be automatically deleted. The oldest Archive log files or Analytics database tables are deleted first.
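The Data Policy and Disk Utilization settings interact: the Analytics : Archive split turns Maximum Allowed into two separate quotas, each retention period expires data by age, and the Alert and Delete threshold removes the oldest items first. The following added example (not code from the FortiAnalyzer documentation) models one housekeeping pass over constructed sample data; the class and function names, the assumption that deletion continues until usage drops back below the threshold, and the sample tables and files are all constructed here.

```python
"""Model the ADOM Data Policy and Disk Utilization settings.

Added example, not code from the FortiAnalyzer documentation: the class and
function names, the order in which retention and the usage threshold are
applied, and the sample tables and files are all constructed here. It shows
how the Analytics : Archive split turns Maximum Allowed into two quotas, how
Keep Logs for Analytics/Archive expire data by age, and how the Alert and
Delete When Usage Reaches threshold removes the oldest items first.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DataPolicy:
    max_allowed_gb: float      # Disk Utilization > Maximum Allowed
    analytics_pct: int         # Analytics share of the Analytics : Archive split
    keep_analytics_days: int   # Keep Logs for Analytics (indexed, SQL database)
    keep_archive_days: int     # Keep Logs for Archive (compressed files)
    alert_pct: int             # Alert and Delete When Usage Reaches

    def __post_init__(self):
        if not 0 < self.analytics_pct < 100:
            raise ValueError("Analytics : Archive split must leave both pools some space")
        if not 0 < self.alert_pct <= 100:
            raise ValueError("alert threshold is a percentage of the pool quota")

    def quotas_gb(self):
        """(analytics_gb, archive_gb): the split applied to Maximum Allowed."""
        analytics = self.max_allowed_gb * self.analytics_pct / 100
        return analytics, self.max_allowed_gb - analytics


def purge_expired(items, keep_days, today):
    """Drop items older than the retention window. items: [(date, size_gb)]."""
    cutoff = today - timedelta(days=keep_days)
    kept = [item for item in items if item[0] >= cutoff]
    expired = [item for item in items if item[0] < cutoff]
    return kept, expired


def enforce_threshold(items, quota_gb, alert_pct):
    """Oldest-first deletion once usage reaches alert_pct of the pool quota.

    Assumption made here: deletion continues until usage is back below the
    threshold. Returns (kept, deleted, alert_raised).
    """
    threshold_gb = quota_gb * alert_pct / 100
    kept = sorted(items)               # (date, size) tuples sort oldest first
    deleted = []
    alert_raised = sum(size for _, size in kept) >= threshold_gb
    while kept and sum(size for _, size in kept) >= threshold_gb:
        deleted.append(kept.pop(0))
    return kept, deleted, alert_raised


def apply_policy(policy, analytics_tables, archive_files, today):
    """Run one housekeeping pass for both pools and report what happened."""
    analytics_quota, archive_quota = policy.quotas_gb()
    report = {}
    for name, items, keep_days, quota in (
        ("analytics", analytics_tables, policy.keep_analytics_days, analytics_quota),
        ("archive", archive_files, policy.keep_archive_days, archive_quota),
    ):
        kept, expired = purge_expired(items, keep_days, today)
        kept, over_quota, alert = enforce_threshold(kept, quota, policy.alert_pct)
        report[name] = {
            "quota_gb": quota,
            "kept_gb": sum(size for _, size in kept),
            "expired": len(expired),
            "deleted_for_space": len(over_quota),
            "alert": alert,
        }
    return report


def sample_report():
    """Constructed sample: 1000 GB allotted, 70:30 split, alert at 90 %."""
    policy = DataPolicy(max_allowed_gb=1000, analytics_pct=70,
                        keep_analytics_days=60, keep_archive_days=365, alert_pct=90)
    # (date, size in GB) for each SQL table and each compressed archive file
    tables = [(date(2019, 12, 1), 50), (date(2020, 1, 15), 200),
              (date(2020, 2, 1), 250), (date(2020, 2, 20), 260)]
    files = [(date(2019, 1, 1), 40), (date(2019, 6, 1), 100), (date(2020, 2, 1), 120)]
    return apply_policy(policy, tables, files, date(2020, 3, 1))


if __name__ == "__main__":
    for pool, result in sample_report().items():
        print(pool, result)
```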

Assigning devices to an ADOM

To assign devices to an ADOM you must be logged in as a super user administrator. Devices cannot be assigned to multiple ADOMs.

To assign devices to an ADOM:

  1. Go to System Settings > All ADOMs.
  2. Double-click on an ADOM, right-click on an ADOM and then select Edit from the menu, or select the ADOM then click Edit in the toolbar. The Edit ADOM pane opens.
  3. Click Select Device. The Select Device list opens on the right side of the screen.
  4. Select the devices that you want to add to the ADOM. Only devices with the same version as the ADOM can be added. The selected devices are displayed in the Devices

If the ADOM mode is Advanced you can add separate VDOMs to the ADOM as well as units.

  5. When done selecting devices, click Close to close the Select Device
  6. Click OK.

The selected devices are removed from their previous ADOM and added to this one.

Assigning administrators to an ADOM

Super user administrators can create other administrators and either assign ADOMs to their account or exclude them from specific ADOMs, constraining them to configurations and data that apply only to devices in the ADOMs they can access.

By default, when ADOMs are enabled, existing administrator accounts other than admin are assigned to the root domain, which contains all devices in the device list. For more information about creating other ADOMs, see Creating ADOMs on page 181.

To assign an administrator to specific ADOMs:

  1. Log in as a super user administrator. Other types of administrators cannot configure administrator accounts when ADOMs are enabled.
  2. Go to System Settings > Admin > Administrator.
  3. Double-click on an administrator, right-click on an administrator and then select Edit from the menu, or select the administrator then click Edit in the toolbar. The Edit Administrator pane opens.
  4. Edit the Administrative Domain field as required, either assigning or excluding specific ADOMs.
  5. Select OK to apply your changes.

Editing an ADOM

To edit an ADOM you must be logged in as a super user administrator. The ADOM type and version cannot be edited. For the default ADOMs, the name cannot be edited.

To edit an ADOM:

  1. Go to System Settings > All ADOMs.
  2. Double-click on an ADOM, right-click on an ADOM and then select Edit from the menu, or select the ADOM then click Edit in the toolbar. The Edit ADOM pane opens.
  3. Edit the settings as required, and then select OK to apply the changes.

Deleting ADOMs

To delete an ADOM, you must be logged in as a super user administrator (see Administrator profiles on page 228), such as the admin administrator.

Prior to deleting an ADOM:

  • All devices must be removed from the ADOM. Devices can be moved to another ADOM, or to the root ADOM. See Assigning devices to an ADOM on page 183.

To delete an ADOM:

  1. Go to System Settings > All ADOMs.
  2. Ensure that the ADOM or ADOMs being deleted have no devices in them.
  3. Select the ADOM or ADOMs you need to delete.
  4. Click Delete in the toolbar, or right-click and select Delete.
  5. Click OK in the confirmation box to delete the ADOM or ADOMs.
  6. If there are users or policy packages referring to the ADOM, they are displayed in the ADOM References Detected Click Delete Anyway to delete the ADOM or ADOMs. The references to the ADOMs are also deleted.

RAID Management – FortiAnalyzer – FortiOS 6.2.3

RAID Management

RAID helps to divide data storage over multiple disks, providing increased data reliability. For FortiAnalyzer devices containing multiple hard disks, you can configure the RAID array for capacity, performance, and/or availability.

Supported RAID levels

FortiAnalyzer units with multiple hard drives can support the following RAID levels:

Linear RAID

A Linear RAID array combines all hard disks into one large virtual disk. The total space available in this option is the capacity of all disks used. There is very little performance change when using this RAID format. If any of the drives fails, the entire set of drives is unusable until the faulty drive is replaced. All data will be lost.

RAID 0

A RAID 0 array is also referred to as striping. The FortiAnalyzer unit writes information evenly across all hard disks. The total space available is that of all the disks in the RAID array. There is no redundancy available. If any single drive fails, the data on that drive cannot be recovered. This RAID level is beneficial because it provides better performance, since the FortiAnalyzer unit can distribute disk writing across multiple disks.

  • Minimum number of drives: 2

RAID 1

A RAID 1 array is also referred to as mirroring. The FortiAnalyzer unit writes information to one hard disk, and writes a copy (a mirror image) of all information to all other hard disks. The total disk space available is that of only one hard disk, as the others are solely used for mirroring. This provides redundant data storage with no single point of failure. Should any of the hard disks fail, there are backup hard disks available.

  • Minimum number of drives: 2
  • Data protection: Single-drive failure

One write or two reads are possible per mirrored pair. RAID 1 offers redundancy of data. A rebuild is not required in the event of a drive failure. This is the simplest RAID storage design with the highest disk overhead.

RAID 1s

A RAID 1 with hot spare array uses one of the hard disks as a hot spare (a stand-by disk for the RAID). If a hard disk fails, within a minute of the failure the hot spare is substituted for the failed drive, integrating it into the RAID array and rebuilding the RAID’s data. When you replace the failed hard disk, the new hard disk is used as the new hot spare. The total disk space available is the total number of disks minus two.

RAID 5

A RAID 5 array employs striping with a parity check. Similar to RAID 0, the FortiAnalyzer unit writes information evenly across all drives but additional parity blocks are written on the same stripes. The parity block is staggered for each stripe. The total disk space is the total number of disks in the array, minus one disk for parity storage. For example, with four hard disks, the total capacity available is actually the total for three hard disks. RAID 5 performance is typically better with reading than with writing, although performance is degraded when one disk has failed or is missing. With RAID 5, one disk can fail without the loss of data. If a drive fails, it can be replaced and the FortiAnalyzer unit will restore the data on the new disk by using reference information from the parity volume.

  • Minimum number of drives: 3
  • Data protection: Single-drive failure

RAID 5s

A RAID 5 with hot spare array uses one of the hard disks as a hot spare (a stand-by disk for the RAID). If a hard disk fails, within a minute of the failure, the hot spare is substituted for the failed drive, integrating it into the RAID array, and rebuilding the RAID’s data. When you replace the failed hard disk, the new hard disk is used as the new hot spare. The total disk space available is the total number of disks minus two.

RAID 6

A RAID 6 array is the same as a RAID 5 array with an additional parity block. It uses block-level striping with two parity blocks distributed across all member disks.

  • Minimum number of drives: 4
  • Data protection: Up to two disk failures.

RAID 6s

A RAID 6 with hot spare array is the same as a RAID 5 with hot spare array with an additional parity block.

RAID 10

RAID 10 (or 1+0) includes nested RAID levels 1 and 0, or a stripe (RAID 0) of mirrors (RAID 1). The total disk space available is the total number of disks in the array (a minimum of 4) divided by 2, for example:

  • 2 RAID 1 arrays of two disks each (4 disks, 2 disks of usable space)
  • 3 RAID 1 arrays of two disks each (6 disks, 3 disks of usable space)
  • 6 RAID 1 arrays of two disks each (12 disks, 6 disks of usable space)

One drive from a RAID 1 array can fail without the loss of data; however, should the other drive in the RAID 1 array fail, all data will be lost. In this situation, it is important to replace a failed drive as quickly as possible.

  • Minimum number of drives: 4
  • Data protection: One disk failure in each RAID 1 sub-array. A second failure in the same sub-array loses the whole array.

RAID 50

RAID 50 (or 5+0) includes nested RAID levels 5 and 0: a stripe (RAID 0) across two or more RAID 5 sub-arrays. The total disk space available is the total number of disks minus the number of RAID 5 sub-arrays (one disk's worth of parity per sub-array). RAID 50 provides increased performance and protects data for the same reasons as RAID 5: one drive in each RAID 5 sub-array can fail without the loss of data.

  • Minimum number of drives: 6

RAID 60

A RAID 60 (or 6+0) array combines the straight, block-level striping of RAID 0 with the distributed double parity of RAID 6.

  • Minimum number of drives: 8
  • Data protection: Up to two disk failures in each sub-array.

Configuring the RAID level

Changing the RAID level deletes all data on the array (see Monitoring RAID status), so back up or migrate the log data before you begin.

To configure the RAID level:

  1. Go to System Settings > RAID Management.
  2. Click Change in the RAID Level field. The RAID Settings dialog box is displayed.
  3. From the RAID Level list, select a new RAID level, then click OK.

The FortiAnalyzer unit reboots. Depending on the selected RAID level and the number of disks, it may take a significant amount of time to generate the RAID array.

Monitoring RAID status

To view the RAID status, go to System Settings > RAID Management. The RAID Management pane displays the RAID level, status, and disk space usage. It also shows the status, size, and model of each disk in the RAID array.

Summary: Shows summary information about the RAID array.
  • Graphic: Displays the position and status of each disk in the RAID array. Hover the cursor over each disk to view details.
  • RAID Level: Displays the selected RAID level. Click Change to change the RAID level. Changing the RAID level deletes all data on the array.
  • Status: Displays the overall status of the RAID array.
  • Disk Space Usage: Displays the total size of the disk space, how much disk space is used, and how much disk space is free.

Disk Management: Shows information about each disk in the RAID array.
  • Disk Number: Identifies the disk number for each disk.
  • Disk Status: Displays the status of each disk in the RAID array:
      • Ready: The hard drive is functioning normally.
      • Rebuilding: The FortiAnalyzer unit is writing data to a newly added hard drive in order to restore the array to an optimal state. The array is not fully fault tolerant until rebuilding is complete.
      • Initializing: The FortiAnalyzer unit is writing to all the hard drives in the device in order to make the array fault tolerant.
      • Verifying: The FortiAnalyzer unit is checking that the parity data of a redundant drive is valid.
      • Degraded: The hard drive is no longer being used by the RAID controller.
      • Inoperable: One or more drives are missing from the FortiAnalyzer unit. The drive is no longer available to the operating system. Data on an inoperable drive cannot be accessed.
  • Size (GB): Displays the size, in GB, of each disk.
  • Disk Model: Displays the model number of each disk.

Swapping hard disks

If a hard disk on a FortiAnalyzer unit fails, it must be replaced. On FortiAnalyzer devices that support hardware RAID, the hard disk can be replaced while the unit is still running, known as hot swapping. On FortiAnalyzer units with software RAID, the device must be shut down before the hard disk is exchanged.

To identify which hard disk failed, read the relevant log message in the Alert Message Console widget. See Alert Messages Console widget on page 163.

Electrostatic discharge (ESD) can damage FortiAnalyzer equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist or ankle strap and attaching it to an ESD connector or to a metal part of a FortiAnalyzer chassis.

Before replacing a hard disk, verify that the new disk is the same size as those supplied by Fortinet and has at least the same capacity as the disk it replaces. Installing a smaller hard disk will affect the RAID setup and may cause data loss. Because the sector layout can differ between disks, the only way to guarantee that two disks have the same size is to use the same brand and model.

The size provided by the hard drive manufacturer for a given disk model is only an approximation. The exact size is determined by the number of sectors present on the disk.

To hot swap a hard disk on a device that supports hardware RAID:

  1. Remove the faulty hard disk.
  2. Install a new disk.

The FortiAnalyzer unit automatically adds the new disk to the current RAID array. The status appears on the console. The RAID Management pane displays a green checkmark icon for all disks and the RAID Status area displays the progress of the RAID re-synchronization/rebuild.

Adding hard disks

Some FortiAnalyzer units have space to add more hard disks to increase your storage capacity.

Fortinet recommends you use the same disks as those supplied by Fortinet. Disks of other brands will not be supported by Fortinet. For information on purchasing extra hard disks, contact your Fortinet reseller.

To add more hard disks:

  1. Obtain the same disks as those supplied by Fortinet.
  2. Back up the log data on the FortiAnalyzer unit. You can also migrate the data to another FortiAnalyzer unit, if you have one. Data migration reduces system down time and the risk of data loss.
  3. Install the disks in the FortiAnalyzer unit. If your unit supports hot swapping, you can do so while the unit is running. Otherwise the unit must be shut down first. See Unit Operation widget on page 163 for information.
  4. Configure the RAID level. See Configuring the RAID level on page 174. Changing the RAID level rebuilds the array and deletes the existing data, which is why step 2 is required.
  5. If you backed up the log data, restore it.

Configuring Network Interfaces – FortiAnalyzer – FortiOS 6.2.3

Configuring network interfaces

Fortinet devices can be connected to any of the FortiAnalyzer unit’s interfaces. The DNS servers must be reachable from the networks to which the FortiAnalyzer unit connects, and the primary and secondary DNS servers should be two different addresses.

The following port configuration is recommended:

  • Use port 1 for device log traffic, and disable unneeded services on it, such as SSH, Web Service, and so on.
  • Use a second port for administrator access, and enable HTTPS, Web Service, and SSH for this port. Leave other services disabled.

To configure port 1:

  1. Go to System Settings > Network. The System Network Management Interface pane is displayed.
  2. Configure the following settings for port1, then click Apply to apply your changes.
      • Name: Displays the name of the interface.
      • IP Address/Netmask: The IP address and netmask associated with this interface.
      • IPv6 Address: The IPv6 address associated with this interface.
      • Administrative Access: Select the allowed administrative service protocols from: HTTPS, HTTP, PING, SSH, SNMP, Web Service, and FortiManager.
      • IPv6 Administrative Access: Select the allowed IPv6 administrative service protocols from: HTTPS, HTTP, PING, SSH, SNMP, Web Service, and FortiManager.
      • Default Gateway: The default gateway associated with this interface.
      • Primary DNS Server: The primary DNS server IP address.
      • Secondary DNS Server: The secondary DNS server IP address.

To configure additional ports:

  1. Go to System Settings > Network and click All Interfaces. The interface list opens.
  2. Double-click on a port, right-click on a port then select Edit from the pop-up menu, or select a port then click Edit in the toolbar. The Edit System Interface pane is displayed.
  3. Configure the settings as required.
  4. Click OK to apply your changes.

Disabling ports

Ports can be disabled to prevent them from accepting network traffic. Disable any port that is not in use so that it cannot be used to reach the unit.

To disable a port:

  1. Go to System Settings > Network and click All Interfaces. The interface list opens.
  2. Double-click on a port, right-click on a port then select Edit from the pop-up menu, or select a port then click Edit in the toolbar. The Edit System Interface pane is displayed.
  3. In the Status field, click Disable.
  4. Click OK to disable the port.

Changing administrative access

Administrative access defines the protocols that can be used to connect to the FortiAnalyzer through an interface. The available options are: HTTPS, HTTP, PING, SSH, SNMP, Web Service, and FortiManager.

To change administrative access:

  1. Go to System Settings > Network and click All Interfaces. The interface list opens.
  2. Double-click on a port, right-click on a port then select Edit from the pop-up menu, or select a port then click Edit in the toolbar. The Edit System Interface pane is displayed.
  3. Select one or more access protocols for the interface for IPv4 and IPv6, if applicable.
  4. Click OK to apply your changes.
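The recommended port layout described above (a log-only interface and a separate management interface, with unused ports disabled) expressed as FortiAnalyzer CLI configuration. This is an added example, not text from the FortiAnalyzer documentation: the interface addresses are made up, and the command syntax (config system interface, set allowaccess, set status) is assumed to match the FortiAnalyzer 6.2 CLI Reference, so check it against your unit before using it. The first block is the weak layout, where every administrative service is reachable on the same interface that receives device logs; the second is the recommended layout.

```fortios
# Weak: administrative services and device log traffic share port1,
# so every network that sends logs can also reach the management plane.
config system interface
    edit "port1"
        set ip 10.10.10.5 255.255.255.0
        set allowaccess ping https ssh snmp http webservice fgfm
    next
end

# Recommended: port1 receives device logs only. Log reception is not one
# of the administrative services, so it is unaffected by allowaccess;
# ping is kept for reachability checks. port2 is the management interface.
# "set allowaccess" replaces the whole list, so any service not named is off.
config system interface
    edit "port1"
        set ip 10.10.10.5 255.255.255.0
        set allowaccess ping
    next
    edit "port2"
        set ip 10.20.20.5 255.255.255.0
        set allowaccess https ssh webservice
    next
    # Unused interface: administratively down so it accepts no traffic.
    edit "port3"
        set status down
    next
end
```

After applying, confirm the result in System Settings > Network > All Interfaces (or with "show system interface" on the CLI, assumed syntax): port1 should list only PING under Administrative Access, and the management services should appear only on port2.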

Static routes

Static routes can be managed from the routing tables for IPv4 and IPv6 routes.

The routing tables can be accessed by going to System Settings > Network and clicking Routing Table and IPv6 Routing Table.

To add a static route:

  1. From the IPv4 or IPv6 routing table, click Create New in the toolbar. The Create New Network Route pane opens.
  2. Enter the destination IP address and netmask, or IPv6 prefix, and gateway in the requisite fields.
  3. Select the network interface that connects to the gateway from the dropdown list.
  4. Click OK to create the new static route.

To edit a static route:

  1. From the IPv4 or IPv6 routing table: double-click on a route, right-click on a route then select Edit from the pop-up menu, or select a route then click Edit in the toolbar. The Edit Network Route pane opens.
  2. Edit the configuration as required. The route ID cannot be changed.
  3. Click OK to apply your changes.

To delete a static route or routes:

  1. From the IPv4 or IPv6 routing table, right-click on a route then select Delete from the pop-up menu, or select a route or routes then click Delete in the toolbar.
  2. Click OK in the confirmation dialog box to delete the selected route or routes.
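The static routes described above as FortiAnalyzer CLI configuration, in the same layout as the interface example (management on port2, device logs on port1). This is an added example, not text from the FortiAnalyzer documentation: all addresses are made up, and the command syntax (config system route, config system route6, set device, set dst, set gateway) is assumed to match the FortiAnalyzer 6.2 CLI Reference. The point it illustrates is that a unit should have a single default route, on the management interface, and specific routes for remote log-source networks on the log interface, so that log traffic and its replies stay on the interface where administrative services are disabled.

```fortios
# IPv4 routing table.
config system route
    # Single default route, out of the management interface.
    edit 1
        set device "port2"
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.20.20.1
    next
    # Remote branch networks that send logs are reached through the
    # log interface's own gateway, not through the management network.
    edit 2
        set device "port1"
        set dst 172.16.0.0 255.255.0.0
        set gateway 10.10.10.1
    next
end

# IPv6 routing table: default route on an IPv6 management network.
config system route6
    edit 1
        set device "port2"
        set dst ::/0
        set gateway 2001:db8:20::1
    next
end
```

The route ID (the edit number) cannot be changed once created, as noted above; to move a route to a different interface, edit its device and gateway rather than renumbering it.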

Packet capture

Packets can be captured on configured interfaces by going to System Settings > Network > Packet Capture.

The following information is available:

  • Interface: The name of the configured interface for which packets can be captured. For information on configuring an interface, see Configuring network interfaces on page 167.
  • Filter Criteria: The values used to filter the packets.
  • # Packets: The number of packets captured.
  • Maximum Packet Count: The maximum number of packets that the sniffer will capture.
  • Progress: The status of the packet capture process.
  • Actions: Allows you to start and stop the capturing process, and download the most recently captured packets.

To start capturing packets on an interface, select the Start capturing button in the Actions column for that interface. The Progress column changes to Running, and the Stop capturing and Download buttons become available in the Actions column.

To add a packet sniffer:

  1. From the Packet Capture table, click Create New in the toolbar. The Create New Sniffer pane opens.
  2. Configure the following options:
      • Interface: The interface name (non-changeable).
      • Max. Packets to Save: Enter the maximum number of packets to capture, between 1 and 10000. The default is 4000 packets.
      • Include IPv6 Packets: Select to include IPv6 packets when capturing packets.
      • Include Non-IP Packets: Select to include non-IP packets when capturing packets.
      • Enable Filters: You can filter the packets by Host(s), Port(s), VLAN(s), and Protocol.
  3. Click OK.

To download captured packets:

  1. In the Actions column, click the Download button for the interface whose captured packets you want to download. If no packets have been captured for that interface yet, click the Start capturing button first and wait for the capture to finish.
  2. When prompted, save the packet file (sniffer_[interface].pcap) to your management computer. The file can then be opened using packet analyzer software.

To edit a packet sniffer:

  1. From the Packet Capture table, click Edit in the toolbar. The Edit Sniffer pane opens.
  2. Configure the packet sniffer options.
  3. Click OK.

Network Settings – FortiAnalyzer – FortiOS 6.2.3

Network

The network settings are used to configure the ports of the FortiAnalyzer unit. You should also specify which ports and which protocols administrators can use to access the FortiAnalyzer unit. If required, static routes can be configured.

The default port for FortiAnalyzer units is port 1. You can configure a single IP address on it for the FortiAnalyzer unit, or configure multiple ports with separate IP addresses so that device log traffic and administrative access use different interfaces, which reduces the exposure of the management services.

You can configure administrative access in IPv4 or IPv6 and include settings for HTTPS, HTTP, PING, SSH, SNMP, Web Service, and FortiManager.

You can prevent unauthorized access to the GUI by creating administrator accounts with trusted hosts. With trusted hosts configured, the administrator can only log in to the GUI when working on a computer with the trusted host as defined in the administrator account.
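The trusted-host restriction described above as FortiAnalyzer CLI configuration. This is an added example, not text from the FortiAnalyzer documentation: the account name and addresses are made up, and the command syntax (config system admin user, set trusthost1 through trusthost10) is assumed to match the FortiAnalyzer 6.2 CLI Reference. The first block is the permissive setting, under which logins for the account are accepted from any source address; the second restricts the account to the management subnet and one jump host. Trusted hosts are a per-account control and complement, rather than replace, the per-interface administrative access settings.

```fortios
# Permissive: a trusted host of 0.0.0.0/0 matches every source address,
# so this administrator can attempt to log in from anywhere the GUI
# or SSH service is reachable.
config system admin user
    edit "secops"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end

# Restricted: logins for this account are accepted only from the
# management subnet and a single jump host.
config system admin user
    edit "secops"
        set trusthost1 10.20.20.0 255.255.255.0
        set trusthost2 10.20.30.17 255.255.255.255
    next
end
```

After applying, open the account in the GUI (System Settings > Admin > Administrators) and confirm that every trusted-host entry listed for it is one you intend; an entry of 0.0.0.0/0 left in any slot defeats the restriction for that slot.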

Logging Topology – FortiAnalyzer – FortiOS 6.2.3

Logging Topology

The Logging Topology pane shows the physical topology of devices in the Security Fabric. Click, hold, and drag to adjust the view in the content pane, and double-click or use the scroll wheel to change the zoom.

The visualization can be filtered to show only FortiAnalyzer devices or all devices by device count or traffic.

Hovering the cursor over a device in the visualization will show information about the device, such as the IP address and device name. Right-click on a device and select View Related Logs to go to the Log View pane, filtered for that device.

Log Insert / Receive Rate Widgets – FortiAnalyzer – FortiOS 6.2.3

Log Insert Lag Time widget

The Log Insert Lag Time widget displays how many seconds the database is behind in processing the logs.

Click the edit icon in the widget toolbar to adjust the time interval shown on the graph and the refresh interval (0 to disable) of the widget.

Receive Rate vs Forwarding Rate widget

The Receive Rate vs Forwarding Rate widget displays the rate at which the FortiAnalyzer is receiving logs. When log forwarding is configured, the widget also displays the log forwarding rate for each configured server.

Click the edit icon in the widget toolbar to adjust the time period shown on the graph and the refresh interval, if any, of the widget.