Category Archives: FortiOS 6.2

Filtering events – FortiAnalyzer – FortiOS 6.2.3

Filtering events

You can filter events using the Add Filter box in the toolbar or by right-clicking an entry and selecting a context-sensitive filter.

Filter FortiView summaries using the Add Filter box in the toolbar or by right-clicking an entry and selecting a contextsensitive filter. You can also filter by specific devices or log groups and by time.

To filter events using filters in the toolbar:

  • Specify filters in the Add Filter
  • Regular Search: In the selected summary view, click Add Filter and select a filter from the dropdown list, then type a value. Click NOT to negate the filter value. You can add multiple filters and connect them with “and” or

“or”.

  • Advanced Search: Click the Switch to Advanced Search icon at the end of the Add Filter In Advanced Search mode, enter the search criteria (log field names and values). Click the Switch to RegularSearch icon  to go back to regular search.

To filter events using the right-click menu:

In the event list, right-click an entry and select a filter criterion (Search <filtervalue>).

Depending on the column in which your mouse is placed when you right-click, FortiView uses the column value as the filter criteria. This context-sensitive filter is only available for certain columns.

To launch Search in Logview from an event:

In the event list, right-click an entry and select Search in Logview.

Log View will launch with the filter automatically filled in with the following information:

  • Log type of the event
  • Time range (the first to the last occurrence of the event) l Event trigger and group by value

Default event views – FortiAnalyzer – FortiOS 6.2.3

Default event views

FortiAnalyzer event handlers apply one or more tags to events, allowing the events to be grouped into views in the Event Monitor. These views are visible in the left navigation tree. Default views are organized into three view categories, including:

  • By Endpoint: Provides security event views from an endpoint perspective.
  • By Threat: Provides security event views from a threat perspective. l System Events: Provides event views which cover device system events.

In order for events to be displayed in default views, the corresponding event handler(s) must be enabled. Refer to the chart below for a list of the predefined event handlers that must be enabled to support each default view:

View category           Default view Required predefined event handler
By Endpoint All Security Events Displays all events within category with enabled handlers
Compromised Hosts Default-Botnet-Communication-Detection-By-Endpoint

Default-Compromised Host-Detection-IOC-By-Endpoint

High Risk App Usage Default-Risky-App-Detection-By-Endpoint
Malicious Domain/URL Access Default-Risky-Destination-Detection-By-Endpoint
Malware Activity Default-Sandbox-Detections-By-Endpoint

Default-Malicious-File-Detection-By-Endpoint

Ongoing Intrusions Default-Malicious-Code-Detection-By-Endpoint
Sandbox Detections Default-Sandbox-Detections-By-Endpoint
By Threat All Security Events Displays all events within category with enabled handlers
C&C Call Backs Default-Botnet-Communication-Detection-By-Threat

Default-Compromised Host-Detection-IOC-By-Threat

High Risk App Usage Default-Risky-App-Detection-By-Threat
Malicious Domain/URL Access Default-Risky-Destination-Detection-By-Threat
Malware Activity Default-Sandbox-Detections-By-Threat

Default-Malicious-File-Detection-By-Threat

Ongoing Intrusions Default-Malicious-Code-Detection-By-Threat
Sandbox Detections Default-Sandbox-Detections-By-Threat
System Events All Displays all events within category with enabled handlers
FortiGate Default FOS System Events
Local Device Local Device Event

You can see the tags associated with each view by hovering your mouse over the view in Incidents & Events; a pop-up is displayed.

Default views can be hidden or disabled. For more information, see Managing default views.

Admins can copy existing views to create custom views. For more information, see Creating custom views.

Events – FortiAnalyzer – FortiOS 6.2.3

Events

After event handlers start generating events, view events and event details in Incidents & Events > Event Monitor.

When rebuilding the SQL database, you might not see a complete list of historical events. However, you can always see events in real-time logs. You can view the status of the SQL rebuild by checking the Rebuilding DB status in the Notification Center.

All Events

To view all the events, go to Incidents & Events > Event Monitor> All Events.

Double-click an event line to drill down for more details.

Hover your mouse over an entry to view the asset and identity information for that event.

Devices To view events for specific devices, click the devices dropdown and select a device.
Time Period To change the time period to display, click the time icon and specify a time period. Select Custom to specify a time period not in the dropdown list.
Collapse All/Expand All To view event summaries or details, click Collapse All or Expand All.
Show Acknowledged To include acknowledged events, click Show Acknowledged. See Acknowledging events on page 77.
Refresh To manually refresh the events data, click Refresh.

You can specify a refresh interval of Every 10 Seconds, Every 30 Seconds, Every 1 Minute, or Every 5 Minutes.

Export to CSV Download the events to a CSV file.
Custom View Save the current view including filter settings, device selection, and time period.
Column Settings Select which columns are displayed in the All Events pane. Columns not displayed by default include Acknowledged, Comment, Device ID, Device

Name, Device Type, Event ID, HandlerDescription, Last Occurrence, Tags, and VDOM Name.

Managing event handlers – FortiAnalyzer – FortiOS 6.2.3

Managing event handlers

To manage event handlers, go to Incidents & Events > Event Monitor> Event HandlerList.

FortiAnalyzer includes predefined event handlers that you can use to generate events.

This page lists both predefined and custom event handlers with a  icon for enabled event handlers and a  icon for disabled event handlers.

The following options are available:

Option   Description
Create New   Create a new event handler.
Edit   Edit the selected event handler.

Some fields in predefined event handlers cannot be modified, such as the name, description and filter settings. However, you can clone a predefined event handler and customize its settings. See Cloning event handlers on page 69.

Delete   Delete the selected event handler. You cannot delete predefined event handlers.
Clone   Clone the selected event handler. You can clone a predefined event handler and modify it to create a customized event handler.
Enable / Disable   Enable or disable the selected event handler to start or stop generating events on the Incidents & Events > Event Monitor> All Events page.
Option Description
Collapse All / Expand All Collapse or expand the Filters column.
Show Predefined Show or hide predefined handlers in the list.
Show Custom Show or hide custom handlers in the list.
Import / Export Export the selected event handlers or import an event handler you have exported. You can export one or more predefined or custom event handlers and import them into another ADOM or FortiAnalyzer.
Factory Reset If you have modified a predefined event handler, return the selected predefined event handler to its factory default settings.

Enabling event handlers

For both predefined and custom event handlers, you must enable the event handler to generate events. The Event

HandlerList page displays a  icon besides enabled event handlers and a  icon besides disabled event handlers.

If you want to receive alerts for predefined events handlers, edit the predefined event handler to configure notifications.

To enable event handlers:

  1. Go to Incidents & Events > Event Monitor> Event HandlerList.
  2. Select one or more event handlers and click More > Enable or right-click an event handler and select Enable.

Cloning event handlers

Most predefined event handler attributes cannot be modified, such as the name, description and filter settings. You can clone a predefined event handler and customize its settings, and give it a meaningful name that shows its function.

To clone a predefined event handler:

  1. Select a predefined event handler and in the toolbar, click Clone or right-click a predefined event handler and select Clone.
  2. Configure the settings as required and click OK. For a description of the fields, see Creating a custom event handler on page 64.
  3. Click OK to clone the predefined event handler.

Resetting event handlers to factory defaults

You can change predefined event handlers as needed. If required, you can restore predefined event handlers to factory default settings. The Factory Reset option is only available for predefined event handlers that have been changed.

To reset predefined event handlers:

  1. Go to Incidents & Events > Event Monitor> Event HandlerList.
  2. In the More menu, ensure Show Predefined is selected.
  3. Right-click an event handler and select Factory Reset or select one or more predefined event handlers and click More > Factory Reset.

Using the Generic Text Filter in an event handler – FortiAnalyzer – FortiOS 6.2.3

Using the Generic Text Filter in an event handler

The Generic Text Filter uses the glibc regex library for values with operators (~,!~), using the POSIX standard. Filter string syntax is parsed by FortiAnalyzer, and both upper and lower case characters are supported (for example “and” is the same as “AND”). You must use an escape character when needed. For example, cfgpath=firewall.policy is the wrong syntax because it’s missing an escape character. The correct syntax is cfgpath=firewall\.policy.

To create an event handler using the Generic Text Filter to match raw log data:

  1. Go to Log View, and select a log type.
  2. In the toolbar, click Tools > Display Raw.

The easiest method is to copy the text string you want from the raw log and paste it into the Generic Text Filter field. Ensure you insert an escape character when necessary, for example, cfgpath=firewall\.policy.

  1. Locate and copy the text in the raw log.
  2. Go to Incidents & Events > Event Monitor> Event HandlerList and click Create New.
  3. In the Generic Text Filter box, paste the text you copied or type the text you want. Ensure you use the raw log field names, for example, mem (not memory) and setuprate (not setup-rate).

For information on text format and operators, hover the cursor over the help icon. The operator ~ means contains and !~ means does not contain.

  1. If you want to be notified of events, configure the Notifications
  2. Configure other settings as required and click OK.

Incident and Event Management – FortiAnalyzer – FortiOS 6.2.3

Incident and Event Management

Use Incidents & Events to generate, monitor, and manage alerts and events from logs. The live monitoring of security events is a powerful and enabling feature for security operations. Incidents can be created from events to track and respond to suspicious or malicious activities.

Incidents & Events displays all events generated by event handlers.

Event handlers

Event handlers determine what events are to be generated from logs. Enable an event handler to start generating events. To see which event handlers are enabled or disabled, see Enabling event handlers.

When ADOMs are enabled, each ADOM has its own event handlers and lists of events. Ensure you are in the correct ADOM when working in Incidents & Events.

You can use predefined event handlers to generate events. There are predefined event handlers for FortiGate,

FortiSandbox, FortiMail, and FortiWeb devices. In a Security Fabric ADOM, all predefined event handlers are displayed.

You can create custom event handlers. An easy way to create a custom event handler is to clone a predefined event handler and customize its settings. See Cloning event handlers.

Configure event handlers to generate events for all devices, a specific device, or for the local FortiAnalyzer unit. You can create event handlers for FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, FortiSandbox devices, and syslog servers. Incidents & Events supports local FortiAnalyzer event logs. To see event handlers, go to Incidents & Events > Event Monitor> Event HandlerList.

Event handlers generate events only from Analytics logs and not Archive logs. For more information, see Analytics and Archive logs.

In an Analyzer–Collector collaboration scenario, the Analyzer evaluates event handlers. For more information, see Analyzer–Collector collaboration.

You can also import and export event handlers, allowing you to develop custom event handlers and deploy them in bulk to other ADOMS or FortiAnalyzer units. For more information, see Importing and exporting event handlers.

Predefined event handlers

FortiAnalyzer includes many predefined event handlers that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers on page 69.

The following are a small sample of FortiAnalyzer predefined event handlers. To see all predefined event handlers, go to Incidents & Events > Event Monitor> Event HandlerList and select Show Predefined.

Event Handler Description
Default-Compromised HostDetection-by IOC-By-Threat Disabled by default Filter 1:

l     Event Severity: Critical l Log Type: Traffic Log l Group by: dstip l Log messages that match all of the following conditions:

l     tdtype~infected

l     Tags: By_Endpoint, IP, C&C

Filter 2:

l     Event Severity: Critical l Log Type: Web Filter l Group by: Hostname URL l Log messages that match all of the following conditions:

l     tdtype~infected

l     Tags: By_Endpoint, C&C, URL

Filter 3:

l     Event Severity: Critical l Log Type: DNS Log l Group by: QNAME l Log messages that match all of the following conditions:

l     tdtype~infected l Tags: By_Endpoint, C&C, Domain

Default-Data-Leak-DetectionBy-Threat Disabled by deafult Filter 1:

l     Event Severity: Medium

l     Log Type: DLP

l     Group by: Filter Category, Source Endpoint

l     Tags: Signature, Leak

Filter 2:

l     Event Severity: Low

l     Log Type: DLP

l     Group by: Filter Category l Event Status: Mitigated l Tags: Signature, Leak

Default-Sandbox-DetectionsBy-Endpoint Disabled by default
Event Handler Description
  Filter 1:

l     Event Severity: Critical l Log Type: AntiVirus l Group by: Source Endpoint, Virus Name l Log messages that match all of the following conditions:

l     logid==0211009235 or logid==0211009237

l     Tags: By_Endpoint, Sandbox, Signature, Malware

Filter 2:

l     Event Severity: Critical l Log Type: AntiVirus l Group by: Source Endpoint, Virus Name l Log messages that match all of the following conditions:

l     logid==0211009234 or logid==0211009236

l     Tags: By_Endpoint, Sandbox, Signature, Malware

Filter 3:

l     Event Severity: Critical l Log Type: AntiVirus l Group by: Source Endpoint l Log messages that match all of the following conditions:

l     logid==0201009238 and fsaverdict==malicious l Tags: By_Endpoint, Sandbox, Malware

Local Device Event Available only in the Root ADOM. Enabled by default l Devices: Local Device l Event Severity: Medium l Log Type: Event Log l Event Type: Any l Group By: Device ID l Log messages that match the following conditions:

l Level Equal To Emergency l Tags: System, Local

FortiOS system events

FortiOS predefined system event handlers are consolidated into a single event handler with multiple filters called Default FOS System Events.

Events are organized by device in the Incidents & Events dashboards, which can be expanded to view all related events.

Default FOS System Event filters apply tags to each event, allowing you to identify which Deafult FOS System Event filter triggered the event.

If you are upgrading from a version before FortiAnalyzer 6.2.0, the existing legacy predefined handlers which are enabled or have been modified will be available as custom handlers. In the Event HandlerList, select the More dropdown and choose Show Custom.

FortiGate event handlers

All FortiGates added to FortiAnalyzer use a default event handler on the FortiAnalyzer side to receive high severity events such as Botnet Communication, IPS Attack Pass Through, and Virus Pass Through AntiVirus.

Events triggered from FortiGate Event Handler are not shown in the FortiAnalyzer GUI. The events are pushed to the FortiGate for further processing.

Custom FortiGate event handlers can also be created. See Creating a custom event handler on page 64.

Creating a custom event handler

You can create a custom event handler from scratch or clone a predefined event handler and customize its settings. See Cloning event handlers on page 69.

Configuring an event handler includes defining the following main sections:

Option Description
Event handler attributes Event handler attributes such as name, description, and devices.
Filters Filters are rules for event generation.

l  Select the log filters to limit the logs that trigger an event.

l  Group the logs by primary and secondary (optional) values to separate the events that are generated for different Group By values.

l  Set the number of occurrences within a time frame that triggers an event. l Configure event fields such as event status and severity.

Additional Info Specify what to show in the Additional Info column. You can use the system default information or configure a custom information message.
Notifications Configure notifications to be sent on event generation.

You can send alert notifications to a fabric connector, email address, SNMP community, or syslog server.

To create a new event handler:

  1. Go to Incidents & Events > Event Monitor> Event HandlerList.
  2. In the toolbar, click Create New.
  3. Configure the settings as required and click OK.
Field   Description
Status   Enable or disable the event handler.

Enabled event handlers have a Status of ON and show the  icon in the Event HandlerList. Disabled event handlers have a a Status of OFF and show the  icon in the Event HandlerList.

Name   Add a name for the handler.
Description   Type a description of the event handler.

 

Field   Description
Devices   Select the devices to include.

All Devices. l Specify: To add devices, click the Add icon.

Local Device: Select if the event handler is for local FortiAnalyzer event logs. This option is only available in the root ADOM and is used to query FortiAnalyzer event logs.

For Local Device, the Log Type must be Event Log and Log Subtype must be Any.

Subnets   Select All Subnets to include all subnets, or select Specify to choose which subnet(s) or subnet group(s) will be included or excluded from triggering events.
Filters   Configure one or more filters for the handler. You can add multiple filters each with its own set of filter settings. You can enable or disable specific filters in an event handler.
  Log Device Type If you are in a Security Fabric ADOM, select the log device type from the dropdown list. If you are not in a Security Fabric ADOM, you cannot change the Log Device Type.
  Log Type Select the log type from the dropdown list.

When Devices is set to Local Device, you cannot change the Log Type or Log Subtype.

  Log Subtype Select the category of event that this handler monitors. The available options depends on the platform type.

This option is only available when Log Type is set to Event Log or Traffic Log.

  Group By Select how to group the events. Some Group By selections allow a secondary Group By option. If available, click Add beside the Group By field to add a secondary Group By option.
  Logs match Select All or Any of the following conditions.
  Log Field Select a log field to filter from the dropdown list. The available options depends on the selected log type.
  Match Criteria Select a match criteria from the dropdown list. The available options depends on the selected log field.
  Value Either select a value from the dropdown list or enter a value in the text box. The available options depends on the selected log field.
  Add Add Log Field to the filter.
  Remove Delete the filter.
  Generic Text Filter Enter a generic text filter.

For information on text format, hover the cursor over the help icon. The operator ~ means contains and !~ means does not contain.

 

Field Description
  For more information on creating a generic text filter, see Using the Generic Text Filter in an event handler on page 68.
Generate alert when at least n matches occurred over a period of n minutes Enter threshold values to generate alerts. Enter the number of matching events that must occur in the number of minutes to generate an alert.
Event Message If you wish, enter a custom event message. The default message is the Group By value. You can use variables in the event message.
Event Status Select Allow FortiAnalyzerto choose or select a status from the dropdown list: Unhandled, Mitigated, Contained, or Blank.
Event Severity Select the severity from the dropdown list: Critical, High, Medium, or Low.
Tags If you wish, enter custom tags. Tags can be used as a filter when using default or custom views.
Additional Info Specify what to show in the Additional Info column. You can use the system default information or configure a custom information message.
Use system

default

Select to use the system default message in the Additional Info column.
Use custom message Type a custom message for the Additional Info column. A custom message can include variables and log field names. For more information, click the question mark icon.
Notifications Configure alerts for the handler.
Send Alert through Fabric Connectors Send an alert through one or more fabric connectors. Click the + button to add fabric connectors. For more information, see Fabric Connectors on page 32.
Send Alert Email Send an alert by email. Specify email parameters including the mail server. For more information, see Mail Server on page 212.
Send SNMP(…) Trap Select one or both checkboxes and specify an SNMP community or user from the dropdown list. Click the add icon to create a new SNMP community or user. For more information, see SNMP on page 203.
Send Alert to Syslog Server Send an alert to the syslog server. Select a syslog server from the dropdown list. Click the add icon to create a new syslog server. For more information, see Syslog Server on page 214.
Send Each Alert

Separately

Select to send each alert individually instead of in a group.

Log View and Log Quota Management – FortiAnalyzer – FortiOS 6.2.3

Log View and Log Quota Management

You can view log information by device or by log group.

When ADOMs are enabled, each ADOM has its own information displayed in Log View.

Log View can display the real-time log or historical (Analytics) logs.

Log Browse can display logs from both the current, active log file and any compressed log files.

Types of logs collected for each device

FortiAnalyzer can collect logs from managed FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiSandbox, FortiWeb, FortiClient, and syslog servers. Following is a description of the types of logs FortiAnalyzer collects from each type of device:

Device Type              Log Type
FortiAnalyzer             Event
FortiAuthenticator      Event
FortiGate                   Traffic

Security: Antivirus, Intrusion Prevention, Application Control, Web Filter, File Filter, DNS, Data Leak Prevention, Email Filter, Web Application Firewall, Vulnerability Scan, VoIP, FortiClient

Event: Endpoint, HA, Compliance, System, Router, VPN, User, WAN Opt. & Cache, WiFi

File Filter logs are sent when the File Filter sensor is enabled in the FortiOS Web Filter profile. You can enable the File Filter sensor in FortiOS at Security Profiles > Web Filters.

FortiCarrier                Traffic, Event, GTP
FortiCache                 Traffic, Event, Antivirus, Web Filter
FortiClient                 Traffic, Event, Vulnerability Scan
FortiDDoS                 Event, Intrusion Prevention
FortiMail                    History, Event, Antivirus, Email Filter.
Device Type              Log Type
FortiMail logs support cross-log functionality. When viewing History, Event, Antivirus, or Email Filter logs from FortiMail, you can click on the Session ID to see correlated logs.
FortiManager             Event
FortiSandbox            Malware, Network Alerts
FortiWeb                   Event, Intrusion Prevention, Traffic
Syslog                       Generic

Traffic logs

Traffic logs record the traffic flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through FortiGate, this type of logging is also called firewall policy logging. Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.

Security logs

Security logs (FortiGate) record all antivirus, web filtering, file filtering, application control, intrusion prevention, email filtering, data leak prevention, vulnerability scan, and VoIP activity on your managed devices.

DNS logs

DNS logs (FortiGate) record the DNS activity on your managed devices.

Event logs

Event logs record administration management and Fortinet device system activity, such as when a configuration changes, or admin login or HA events occur. Event logs are important because they record Fortinet device system activity which provides valuable information about how your Fortinet unit is performing. FortiGate event logs includes System, Router, VPN, User, and WiFi menu objects to provide you with more granularity when viewing and searching log data.

The logs displayed on your FortiAnalyzer depends on the device type logging to it and the enabled features. FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, FortiSandbox, FortiClient, and Syslog logging is supported. ADOMs must be enabled to support non-FortiGate logging.

In a Security Fabric ADOM, all device logs are displayed.

Log messages

You can view log information by device or by log group.

Viewing the log message list of a specific log type

You can find FortiMail and FortiWeb logs in their default ADOMs.

To view the log message list:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Log View, and select a log type from the tree menu.

The corresponding log messages list is displayed.

Viewing message details

To view message details:

  1. Double-click a message in the message list.

The details pane is displayed to the right of the message list, with the fields categorized in tree view.

You can display the log details pane below the message list by clicking the Bottom icon in the log details pane. When the log details pane is displayed below the message list, you can move it to the right of the log message list by clicking the Right icon. This is sometimes referred to as docking the pane to the bottom or right of the screen.

The log details pane provides shortcuts for adding filters and for showing or hiding a column. Right-click a log field to select an option.

Customizing displayed columns

The columns displayed in the log message list can be customized and reordered as needed.

To customize what columns to display:

  1. In the toolbar of the log message list view, click Column Settings and select a column to hide or display. The available columns vary depending on the device and log type.
  2. To add other columns, click More Columns. In the Column Settings dialog box, select the columns to show or hide.
  3. To reset to the default columns, click Reset to Default.
  4. Click OK.

To change the order of the displayed columns:

Place the cursor in the column title and move a column by drag and drop.

Customizing default columns

In Log View, you can select the columns that are displayed as the default by clicking Save as Default in the Column Settings menu when customizing columns. See Customizing displayed columns on page 45.

Customizing the default column view can only be done on a Super_User administrator profile.

Default column customization is applied per devtype/logtype across all ADOMs.

The GUI displays columns based on the following order of priority:

  1. Displays the user’s column customizations (if defined).
  2. Displays the default columns set by the Super_User administrator (if defined).
  3. Displays the system default columns.

Customized default column configuration is preserved during upgrades.

Filtering messages

You can apply filters to the message list. Filters are not case-sensitive by default. If available, select Tools > Case Sensitive Search to create case-sensitive filters.

Filtering messages using filters in the toolbar

  1. Go to the view you want.
Regular search Click Add Filter and select a filter from the dropdown list, then type a value. Only displayed columns are available in the dropdown list. You can use search operators in regular search.
Switching between regular search and advanced search At the right end of the Add Filter box, click the Switch to Advanced Search icon  or click the Switch to RegularSearch icon .
Advanced search In Advanced Search mode, enter the search criteria (log field names and values).
Search operators and syntax If available, click  at the right end of the Add Filter box to view search operators and syntax. See also Filter search operators and syntax on page 48.
CLI string “freestyle” search Searches the string within the indexed fields configured using the CLI command: config ts-index-field.

For example, if the indexed fields have been configured using these CLI commands:

config system sql config ts-index-field edit “FGT-traffic”

set value “app,dstip,proto,service,srcip,user,utmaction” next end

end

Then if you type “Skype” in the Add Filter box, FortiAnalyzer searches for “Skype” within these indexed fields: app,dstip,proto,service,srcip,user and utmaction.

You can combine freestyle search with other search methods, for example:

Skype user=David.

  1. In the toolbar, make other selections such as devices, time period, which columns to display, etc.

Filtering messages using the right-click menu

In a log message list, right-click an entry and select a filter criterion. The search criterion with a  icon returns entries matching the filter values, while the search criterion with a  icon returns entries that do not match the filter values.

Depending on the column in which your cursor is placed when you right-click, Log View uses the column value as the filter criteria. This context-sensitive filter is only available for certain columns.

To see log field name of a filter/column, right-click the column of a log entry and select a context-sensitive filter. The Add Filter box shows log field name.

Context-sensitive filters are available for each log field in the log details pane. See Viewing message details on page 44.

Filtering messages using smart action filters

For Log View windows that have an Action column, the Action column displays smart information according to policy (log field action) and utmaction (UTM profile action).

The Action column displays a green checkmark Accept icon when both policy and UTM profile allow the traffic to pass through, that is, both the log field action and UTM profile action specify allow to this traffic.

The Action column displays a red X Deny icon and the reason when either the log field action or UTM profile action deny the traffic.

If the traffic is denied due to policy, the deny reason is based on the policy log field action.

If the traffic is denied due to UTM profile, the deny reason is based on the FortiView threattype from craction. craction shows which type of threat triggered the UTM action. The threattype, craction, and crscore fields are configured in FortiGate in Log & Report. For more information, see the FortiOS -Log Message Reference in the Fortinet Document Library.

A filter applied to the Action column is always a smart action filter.

The smart action filter uses the FortiGate UTM profile to determine what the Action column displays. If the FortiGate UTM profile has set an action to allow, then the Action column will display that line with a green Accept icon, even if the craction field defines that traffic as a threat. The green Accept icon does not display any explanation.

In the scenario where the craction field defines the traffic as a threat but the FortiGate UTM profile has set an action to allow, that line in the Log View Action column displays a green Accept icon. The green Accept icon does not display any explanation.

Filter search operators and syntax

Operators or symbols Syntax
And Find log entries containing all the search terms. Connect the terms with a space character, or “and”. Examples:

1.    user=henry group=sales

2.    user=henry and group=sales

Or Find log entries containing any of the search terms. Separate the terms with “or” or a comma “,”. Examples:

1.    user=henry or srcip=10.1.0.15

2.    user=henry,linda

Not Find log entries that do NOT contain the search terms. Add “-” before the field name. Example: -user=henry
>, < Find log entries greater than or less than a value, or within a range. This operator only applies to integer fields. Example:

policyid>1 and policyid<10

IP subnet/range search Find log entries within a certain IP subnet or range. Examples:
Operators or symbols Syntax
  1.    srcip=192.168.1.0/24

2.    srcip=10.1.0.1-10.1.0.254

Wildcard search You can use wildcard searches for all field types. Examples:

1.    srcip=192.168.1.*

2.    policyid=1*

3.    user=*

Filtering FortiClient log messages in FortiGate traffic logs

For FortiClient endpoints registered to FortiGate devices, you can filter log messages in FortiGate traffic log files that are triggered by FortiClient.

To Filter FortiClient log messages:

  1. Go to Log View > Traffic.
  2. In the Add Filter box, type fct_devid=*. A list of FortiGate traffic logs triggered by FortiClient is displayed.
  3. In the message log list, select a FortiGate traffic log to view the details in the bottom pane.
  4. Click the FortiClient tab, and double-click a FortiClient traffic log to see details.

The FortiClient tab is available only when the FortiGate traffic logs reference FortiClient traffic logs.

Viewing historical and real-time logs

By default, Log View displays historical logs. Custom View and Chart Builder are only available in historical log view.

To view real-time logs, in the log message list view toolbar, click Tools > Real-time Log.

To switch back to historical log view, click Tools > Historical Log.

Viewing raw and formatted logs

By default, Log View displays formatted logs. The log view you select affects available view options. You cannot customize columns when viewing raw logs.

To view raw logs, in the log message list view toolbar, click Tools > Display Raw.

To switch back to formatted log view, click Tools > Formatted Log.

For more information about FortiGate raw logs, see the FortiGate Log Message Reference in the Fortinet Document Library. For more information about raw logs of other devices, see the Log Message Reference for the platform type.

Custom views

Use Custom View to save the filter setting, device selection, and the time period you have specified.

To create a new custom view:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Log View, and select a log type.
  3. In the content pane, customize the log view as needed by adding filters, specifying devices, and/or specifying a time period.
  4. In the toolbar, click Custom View.
  5. In the Name field, type a name for the new custom view.
  6. Click OK. The custom view is now displayed under Log View > Custom View.

To edit a custom view:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to the Log View > Custom View.
  3. In the toolbar, edit the filter settings, and click GO.
  4. In the toolbar, click Custom View.
  5. Click Save to save the changes to the existing custom view or click Save as to save the changes to a new custom view.
  6. Click OK.

To view the traffic log of a custom view:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to the Log View > Custom View.
  3. Right-click the name of a custom view and select View Traffic.

Downloading log messages

You can download historical log messages to the management computer as a text or CSV file. You cannot download real-time log messages.

To download log messages:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Log View, and select a log type.
  3. In the toolbar, click Tools > Download.
  4. In the Download Logs dialog box, configure download options: l In the Log file format dropdown list, select Text or CSV. l To compress the downloaded file, select Compress with gzip.

l To download only the current log message page, select Current Page. To download all the pages in the log message list, select All Pages.

  1. Click Download.

Creating charts

Log View includes a Chart Builder for you to build custom charts for each type of log messages.

To create charts with Chart Builder:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Log View, and select a log type.
  3. In the toolbar, click Tools > Chart Builder.
  4. In the Chart Builder dialog box, configure the chart and click Save.
Name Type a name for the chart.
Columns Select which columns of data to include in the chart based on the log messages that are displayed on the Log View page.
Group By Select how to group data in the chart.
Order By Select how to order data in the chart.
Sort Select a sort order for data in the chart.
Show Limit Show Limit
Device Displays the device(s) selected on the Log View page.
Time Frame Displays the time frame selected on the Log View page.
Query Displays the query being built.
Preview Displays a preview of the chart.

Log groups

You can group devices into log groups. You can view FortiView summaries, display logs, generate reports, or create handlers for a log group. Log groups are virtual so they do not have SQL databases or occupy additional disk space.

When you add a device with VDOMs to a log group, all VDOMs are automatically added.

To create a new log group:

  1. Go to Log View > Log Group.
  2. In the content pane toolbar, click Create New.
  3. In the Create New Log Group dialog box, type a log group name and add devices to the log group.
  4. Click OK.

Log browse

When a log file reaches its maximum size or a scheduled time, FortiAnalyzer rolls the active log file by renaming the file. The file name is in the form of xlog.N.log, where x is a letter indicating the log type, and N is a unique number corresponding to the time the first log entry was received. For information about setting the maximum file size and log rolling options, see Device logs on page 216.

Log Browse displays log files stored for both devices and the FortiAnalyzer itself, and you can log in the compressed phase of the log workflow.

To view log files:

  1. Go to Log View > Log Browse
  2. Select a log file, and click Display to open the log file and display the log messages in formatted view.

You can perform all the same actions as with the log message list. See Viewing message details on page 44.

Importing a log file

Imported log files can be useful when restoring data or loading log data for temporary use. For example, if you have older log files from a device, you can import these logs to the FortiAnalyzer unit so that you can generate reports containing older data.

Log files can also be imported into a different FortiAnalyzer unit. Before importing the log file you must add all devices included in the log file to the importing FortiAnalyzer.

To insert imported logs into the SQL database, the config system sqlstart-time and rebuild-eventstart-time must be older than the date of the logs that are imported and the storage policy for analytic data (the Keep Logs forAnalytics field) must also extend back far enough.

To set the SQL start time and rebuild event start time using CLI commands:

config system sql set start-time <start-time-and-date>

set rebuild-event-start-time <start-time-and-date>

end

Where <start-time-and-date> is in the format hh:mm yyyy/mm/dd.

To import a log file:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Log View > Log Browse and click Import in the toolbar.
  3. In the Device dropdown list, select the device the imported log file belongs to or select [Take From Imported File] to read the device ID from the log file.

If you select [Take From Imported File], the log file must contain a device_id field in its log messages.

  1. Drag and drop the log file onto the dialog box, or click Add Files and locate the file to be imported on your local computer.
  2. Click OK. A message appears, stating that the upload is beginning, but will be canceled if you leave the page.
  3. Click OK. The upload time varies depending on the size of the file and the speed of the connection. After the log file is successfully uploaded, FortiAnalyzer inspects the file:
    • If the device_id field in the uploaded log file does not match the device, the import fails. Click Return to try again.
    • If you selected [Take From Imported File] and the FortiAnalyzer unit’s device list does not currently contain that device, an error is displayed stating Invalid Device ID.

Downloading a log file

You can download a log file to save it as a backup or to use outside the FortiAnalyzer unit. The download consists of either the entire log file, or a partial log file, as selected by your current log view filter settings and, if downloading a raw file, the time span specified.

To download a log file:

  1. Go to Log View > Log Browse and select the log file that you want to download.
  2. In the toolbar, click Download.
  3. In the Download Log File(s) dialog box, configure download options:
    • In the Log file format dropdown list, select Native, Text, or CSV.
    • If you want to compress the downloaded file, select Compress with gzip.
  4. Click Download.

Deleting log files

To delete log files:

  1. Go to Log View > Log Browse.
  2. Select one or more files and click Delete.
  3. Click OK to confirm.

Log and file storage

Logs and files are stored on the FortiAnalyzer hard disks. Logs are also temporarily stored in the SQL database.

When ADOMs are enabled, settings can be specified for each ADOM that apply only to the devices in it. When ADOMs are disabled, the settings apply to all managed devices.

Data policy and disk utilization settings for devices are collectively called log storage settings. Global log and file storage settings apply to all logs and files, regardless of log storage settings (see File Management on page 220). Both the global and log storage settings are always active.

Disk space allocation

On the FortiAnalyzer, the system reserves 5% to 20% of the disk space for system usage and unexpected quota overflow. The remaining 80% to 95% of the disk space is available for allocation to devices.

Reports are stored in the reserved space.

Total Available Disk Size Reserved Disk Quota
Small Disk (up to 500GB) The system reserves either 20% or 50GB of disk space, whichever is smaller.
Medium Disk (up to 1TB) The system reserves either 15% or 100GB of disk space, whichever is smaller.
Large Disk (up to 3TB) The system reserves either 10% or 200GB of disk space, whichever is smaller.
Very Large Disk (5TB and higher) The system reserves either 5% or 300GB of disk space, whichever is smaller.

The RAID level you select determines the disk size and the reserved disk quota level. For example, a FortiAnalyzer 1000C with four 1TB disks configured in RAID 10 is considered a large disk, so 10%, or 100GB, of disk space is reserved.

Log and file workflow

When devices send logs to a FortiAnalyzer unit, the logs enter the following workflow automatically:

  1. Compressed logs are received and saved in a log file on the FortiAnalyzer disks.

When a log file reaches a specified size, FortiAnalyzer rolls it over and archives it, and creates a new log file to receive incoming logs. You can specify the size at which the log file rolls over. See Device logs on page 216.

  1. Logs are indexed in the SQL database to support analysis.

You can specify how long to keep logs indexed using a data policy. See Log storage information on page 57.

  1. Logs are purged from the SQL database, but remain compressed in a log file on the FortiAnalyzer disks.
  2. Logs are deleted from the FortiAnalyzer disks.

You can specify how long to keep logs using a data policy. See Log storage information on page 57.

In the indexed phase, logs are indexed in the SQL database for a specified length of time so they can be used for analysis. Indexed, or Analytics, logs are considered online, and details about them can be used viewed in the SOC, Log View, and Incidents & Events panes. You can also generate reports about the logs in the Reports pane.

In the compressed phase, logs are compressed and archived in FortiAnalyzer disks for a specified length of time for the purpose of retention. Compressed, or Archived, logs are considered offline, and their details cannot be immediately viewed or used to generate reports.

The following table summarizes the differences between indexed and compressed log phases:

Log Phase Location Immediate Analytic Support
Indexed Compressed in log file and indexed in SQL database Yes. Logs are available for analytic use in SOC, Incidents & Events, and Reports.
Compressed Compressed in log file No.

Automatic deletion

Logs and files are automatically deleted from the FortiAnalyzer unit according to the following settings:

  • Global automatic file deletion

File management settings specify when to delete the oldest Archive logs, quarantined files, reports, and archived files from disks, regardless of the log storage settings. For more information, see File Management on page 220. l Data policy

Data policies specify how long to store Analytics and Archive logs for each device. When the specified length of time expires, Archive logs for the device are automatically deleted from the FortiAnalyzer device’s disks.

  • Disk utilization

Disk utilization settings delete the oldest Archive logs for each device when the allotted disk space is filled. The allotted disk space is defined by the log storage settings. Alerts warn you when the disk space usage reaches a configured percentage.

All deletion policies are active on the FortiAnalyzer unit at all times, and you should carefully configure each policy. For example, if the disk fullness policy for a device hits its threshold before the global automatic file deletion policy for the FortiAnalyzer unit, Archive logs for the affected device are automatically deleted. Conversely, if the global automatic file deletion policy hits its threshold first, the oldest Archive logs on the FortiAnalyzer unit are automatically deleted regardless of the log storage settings associated with the device.

The following table summarizes the automatic deletion polices:

Policy Scope Trigger
Global automatic file deletion All logs, files, and reports on the system When the specified length of time expires, old files are automatically deleted. This policy applies to all files in the system regardless of the data policy settings associated with devices.
Data policy Logs for the device with which the data policy is associated When the specified length of retention time expires, old Archive logs for the device are deleted. This policy affects only Archive logs for the device with which the data policy is associated.
Disk utilization Logs for the device with which the log storage settings are associated When the specified threshold is reached for the allotted amount of disk space for the device, the oldest Archive logs are deleted for the device. This policy affects only Archive logs for the device with which the log storage settings are associated.

Logs for deleted devices

When you delete one or more devices from FortiAnalyzer, the raw log files and archive packets are deleted, and the action is recorded in the local event log. However, the logs that have been inserted into the SQL database are not deleted from the SQL database. As a result, logs for the deleted devices might display in the Log View and SOC > FortiView panes, and any reports based on the logs might include results.

The following are ways you can remove logs from the SQL database for deleted devices.

  • Rebuild the SQL database for the ADOM to which deleted devices belonged or rebuild the entire SQL database.
  • Configure the log storage policy. When the deleted device logs are older than the Keep Logs forAnalytics setting, they are deleted. Also, when analytic logs exceed their disk quota, the SQL database is trimmed starting with the oldest database tables. For more information, see Configuring log storage policy on page 59.
  • Configure global automatic file deletion settings in System Settings > Advanced > File Management. When the deleted device logs are older than the configured setting, they are deleted. For more information, see File Management on page 220.

Log storage information

To view log storage information and to configure log storage policies, go to System Settings > Storage Info.

If ADOMs are enabled, you can view and configure the data policies and disk usage for each ADOM.

The log storage policy affects only the logs and SQL database of the devices associated with the log storage policy. Reports are not affected. See Disk space allocation on page 54.

The following information and options are available:

Edit Edit the selected ADOM’s log storage policy.
Refresh Refresh the page.
Search Enter a search term to search the list.
Name The name of the ADOM.

ADOMs are listed in two groups: FortiGates and OtherDevice Types.

Analytics

(Actual/Config Days)

The age, in days, of the oldest Analytics logs (Actual Days), and the number of days Analytics logs will be kept according to the data policy (Config Days).
Archive

(Actual/Config Days)

The age, in days, of the oldest Archive logs (Actual Days) and the number of days Archive logs will be kept according to the data policy (Config Days).
Max Storage The maximum disk space allotted to the ADOM (for both Analytics and Archive logs). See Disk space allocation on page 54 for more information.
Analytics Usage (Used/Max) How much disk space Analytics logs have used, and the maximum disk space allotted for them.
Archive Usage (Used/Max) How much disk space Archive logs have used and the maximum disk space allotted for them.

Storage information

To view log storage policy and statistics, go to System Settings > Storage Info.

The top part of Storage Info shows visualizations of disk space usage for Analytic and Archive logs where the policy diagrams show an overview and the graphs show disk space usage details. The bottom part shows the log storage policy.

The policy diagram shows the percentage of the disk space quota that is used. Hover your cursor over the diagram to view the used, free, and total allotted disk space. The configured length of time that logs are stored is also shown.

The graphs show the amount disk space used over time. Click Max Line to show a line on the graph for the total space allotted. Hover over a spot in the graph to view the used and available disk space at that specific date and time. Click the graph to view a breakdown of the disk space usage by device.

When the used quota approaches 100 percent, a warning message displays when accessing the Storage Statistics pane.

Click Configure Now to open the Edit Log Storage Policy dialog box where you can adjust log storage policies to prevent running out of allocated space (see Configuring log storage policy on page 59), or click Remind Me Later to resolve the issue another time.

Configuring log storage policy

The log storage policy affects the logs and SQL database of the device associated with the log storage policy.

If you change log storage settings, the new date ranges affect Analytics and Archive logs currently in the FortiAnalyzer device. Depending on the date change, Analytics logs might be purged from the database, Archive logs might be added back to the database, and Archive logs outside the date range might be deleted.

To configure log storage settings:

  1. Go to System Settings > Storage Info.
  2. Double-click on an ADOM, right-click on an ADOM and then select Edit from the menu, or select the ADOM then click Edit in the toolbar. Scroll to the log storage policy sections at the bottom of the Edit Log Storage Policy
  3. Configure the following settings, then click OK.
Data Policy  
Keep Logs for

Analytics

Specify how long to keep Analytics logs.
Keep Logs for

Archive

Specify how long to keep Archive logs.

Make sure your setting meets your organization’s regulatory requirements.

 

Disk Utilization  
Maximum Allowed Specify the amount of disk space allotted. See also Disk space allocation on page 54.
Analytics : Archive Specify the disk space ratio between Analytics and Archive logs. Analytics logs require more space than Archive logs. Click the Modify checkbox to change the setting.
Alert and Delete

When Usage

Reaches

Specify the percentage of allotted disk space usage that will trigger an alert messages and start automatically deleting logs. The oldest Archive log files or Analytics database tables are deleted first.

 

FortiAnalyzer – Fortinet Security Fabric – FortiOS 6.2.3

Fortinet Security Fabric

FortiAnalyzer can recognize a Security Fabric group of devices and display all units in the group on the Device Manager pane. See Adding a Security Fabric group on page 37. FortiAnalyzer supports the Security Fabric by storing and analyzing the logs from the units in a Security Fabric group as if the logs are from a single device. You can also view the logging topology of all units in the Security Fabric group for additional visibility. See Displaying Security Fabric topology on page 38.

FortiAnalyzer provides dynamic data and metadata exchange with the Security Fabric and uses the data in FortiView and Reports for additional visibility. A default report template lets you monitor new users, devices, applications, vulnerabilities, threats and so on from the Security Fabric.

A set of dashboard widgets lets you review audit scores for a FortiGate Security Fabric group with recommended best practices and historical audit scores and trends.

If FortiClient is installed on endpoints for endpoint control with FortiGate, you can use the endpoint telemetry data collected by the Security Fabric agent to display user profile photos in reports and FortiView.

Adding a Security Fabric group

Before you can add a Security Fabric group to FortiAnalyzer, you need to create the Security Fabric group in FortiGate.

Fortinet recommends using a dedicated Super_User administrator account on the FortiGate for FortiAnalyzer access. This ensures that associated log messages are identified as originating from FortiAnalyzer activity. This dedicated Super_User administrator account only needs Read Only access to System Configuration; all other access can be set to None.

To add a Security Fabric group:

  1. Go to Device Manager> Unauthorized Devices.
  2. Select all the devices corresponding to the Security Fabric group created in FortiGate.
  3. Authenticate the Security Fabric group by clicking the Warning icon (yellow triangle) beside the corresponding FortiGate root.
  4. Enter the Authentication Credentials. The authentication credentials are the ones you specified in FortiGate. Once the FortiGate root has been authenticated, the Warning icon will disappear.
  5. After authentication, it takes a few minutes for FortiAnalyzer to automatically populate the devices under the FortiGate root which creates the Security Fabric group.

Displaying Security Fabric topology

For Security Fabric devices, you can display the Security Fabric topology.

To display the Security Fabric topology:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Device Manager and click the Devices Total tab in the quick status bar.
  3. Right-click a Security Fabric device and select Fabric Topology.

A pop-up window displays the Security Fabric topology for that device.

If you selected Fabric Topology by right-clicking a device within the Security Fabric group, the device is highlighted in the topology. If you selected Fabric Topology by right-clicking the name of the Security Fabric group, no device is highlighted in the topology.

Security Fabric traffic log to UTM log correlation

FortiAnalyzer correlates traffic logs to corresponding UTM logs so that it can report sessions/bandwidth together with its UTM threats. Within a single FortiGate, the correlation is performed by grouping logs with the same session IDs, source and destination IP addresses, and source and destination ports.

In a Cooperative Security Fabric (CSF), the traffic log is generated by the ingress FortiGate, while UTM inspection (and subsequent logs) can occur on any of the FortiGates. This means that the traffic logs did not have UTM related log fields, as they would on a single FortiGate. Different CSF members also have different session IDs, and NAT can hide or change the original source and destination IP addresses. Consequently, without a proper UTM reference, the FortiAnalyzer will fail to report UTM threats associated with the traffic.

This feature adds extensions to traffic and UTM logs so that they can be correlated across different FortiGates within the same security fabric. It creates a UTM reference across CSF members and generates the missing UTM related log fields in the traffic logs as if the UTM was inspected on a single FortiGate.

NAT translation is also considered when searching sources and destinations in both traffic and UTM logs. The FortiGate will generate a special traffic log to indicate the NAT IP addresses to the FortiAnalyzer within the CSF.

Traffic logs to DNS and SSH UTM references are also implement – the DNS and SSH counts in Log View can now be clicked on to open the related DNS and SSH UTM log. IPS logs in the UTM reference are processed for both their sources and destinations in the same order, and in the reverse order as the traffic log. The FortiGate log version indicator is expanded and used to make a correct search for related IPS logs for a traffic log.

This feature requires no special configuration. The FortiAnalyzer will check the traffic and UTM logs for all FortiGates that are in the same CSF cluster and create the UTM references between them.

To view the logs:

  1. On the FortiAnalyzer, go to Log View > Traffic.

The UTM security event list, showing all related UTM events that can happen in another CSF member, is shown.

  1. Click the count beside a UTM event to open the related UTM event log window. In this example, the traffic log is from the CSF child FortiGate, and the UTM log is from the CSF root FortiGate.

Like other UTM logs, newly added DNS and SSH UTM references can also be shown in the FortiAnalyzer Log View. Clicking the count next to the DNS or SSH event opens the respective UTM log.

  1. Go to SOC > FortiView > Threats > Top Threats. All threats detected by any CSF member are shown.
  2. The created UTM reference is also transparent to the FortiGate when it gets its logs from the FortiAnalyzer. On the

FortiGate, the traffic log shows UTM events and referred UTM logs from other CSF members, even though the FortiGate does not generate those UTM log fields in its traffic log. In this example, the CSF child FortiGate shows the referred UTM logs from the CSF root FortiGate.

Creating a Security Fabric ADOM

All Fortinet devices included in a Security Fabric can be placed into a Security Fabric ADOM, allowing for fast data processing and log correlation. Fabric ADOMs enable combined results to be presented in the Device Manager, Log View, SOC, Incidents & Events and Reports panes.

In a Fabric ADOM:

  • Device Manager: View and add all Fortinet devices in the Security Fabric to the Fabric ADOM, including FortiGate, FortiSandbox, FortiMail, FortiDDoS, and FortiClient EMS.
  • Log View: View logs from all Security Fabric devices.
  • SOC: FortiDDoS and FortiClient EMS widgets are available.
  • Incidents & Events: Predefined event handlers for FortiGate, FortiSandbox, FortiMail, and FortiWeb ADOMs are available, and triggered events are displayed for all device types.
  • Reports: View predefined reports, templates, datasets, and charts for all device types. Charts from all device types can be inserted into a single report.

To create a Fabric ADOM:

  1. In FortiAnalyzer, go to System Settings > All ADOMs.
  2. Select Create New.
  3. Configure the settings for the new Fabric ADOM and select Fabric as the type.

See Creating ADOMs on page 181 for more information on the individual settings.

  1. Select OK to create the ADOM.

The Fabric ADOM is listed under the Security Fabric section of All ADOMs.