
Configuring Network Interfaces – FortiAnalyzer – FortiOS 6.2.3

Network

Configuring network interfaces

Fortinet devices can be connected to any of the FortiAnalyzer unit’s interfaces. The DNS servers must be on the networks to which the FortiAnalyzer unit connects, and should have two different IP addresses.

The following port configuration is recommended:

  • Use port 1 for device log traffic, and disable unneeded services on it, such as SSH, Web Service, and so on.
  • Use a second port for administrator access, and enable HTTPS, Web Service, and SSH for this port. Leave other services disabled.

To configure port 1:

  1. Go to System Settings > Network. The System Network Management Interface pane is displayed.
  2. Configure the following settings for port1, then click Apply to apply your changes.
  • Name: The name of the interface.
  • IP Address/Netmask: The IP address and netmask associated with this interface.
  • IPv6 Address: The IPv6 address associated with this interface.
  • Administrative Access: Select the allowed administrative service protocols from: HTTPS, HTTP, PING, SSH, SNMP, Web Service, and FortiManager.
  • IPv6 Administrative Access: Select the allowed IPv6 administrative service protocols from: HTTPS, HTTP, PING, SSH, SNMP, Web Service, and FortiManager.
  • Default Gateway: The default gateway associated with this interface.
  • Primary DNS Server: The primary DNS server IP address.
  • Secondary DNS Server: The secondary DNS server IP address.

To configure additional ports:

  1. Go to System Settings > Network and click All Interfaces. The interface list opens.
  2. Double-click on a port, right-click on a port then select Edit from the pop-up menu, or select a port then click Edit in the toolbar. The Edit System Interface pane is displayed.
  3. Configure the settings as required.
  4. Click OK to apply your changes.
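The recommendation above is easy to drift from once extra ports are added, so the following added example (not Fortinet code) audits an interface configuration against it: the log port should expose no management services, and the admin port should expose only HTTPS, SSH and Web Service. The configuration text is a constructed sample in FortiAnalyzer CLI syntax (`config system interface`); the service keywords are the CLI spellings of the GUI options in the table above, and treating PING as acceptable on the log port is this example's assumption, not the page's.

```python
"""Audit FortiAnalyzer interface access against the split-role recommendation:
one port for device log traffic with no management services, a second port
for administration with only HTTPS, SSH and Web Service enabled.
Added example; the configuration below is a constructed sample."""
import re

# Constructed sample, in the shape `show system interface` prints.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 10.10.10.5 255.255.255.0
        set allowaccess ping https ssh webservice
        set status up
    next
    edit "port2"
        set ip 192.168.50.5 255.255.255.0
        set allowaccess https http ssh webservice
        set status up
    next
    edit "port3"
        set ip 0.0.0.0 0.0.0.0
        set status down
    next
end
"""

ADMIN_ALLOWED = {"https", "ssh", "webservice"}  # what the admin port should expose
LOG_ALLOWED = {"ping"}  # assumption: ping tolerated on the log port for reachability checks
KNOWN_SERVICES = {"https", "http", "ping", "ssh", "snmp", "webservice", "fgfm"}


def parse_interfaces(text):
    """Return {port: {"ip": str|None, "allowaccess": set, "status": str}}."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            interfaces[current] = {"ip": None, "allowaccess": set(), "status": "up"}
        elif line.startswith("set ") and current:
            key, _, value = line[4:].partition(" ")
            if key == "ip":
                interfaces[current]["ip"] = value
            elif key == "allowaccess":
                interfaces[current]["allowaccess"] = set(value.split())
            elif key == "status":
                interfaces[current]["status"] = value
        elif line == "next":
            current = None
    return interfaces


def audit(interfaces, log_port="port1", admin_port="port2"):
    """Return a list of findings; an empty list means the config matches the recommendation."""
    findings = []
    for name, iface in interfaces.items():
        extra = iface["allowaccess"] - KNOWN_SERVICES
        if extra:
            findings.append(f"{name}: unrecognised service keyword(s) {sorted(extra)}")
    log = interfaces.get(log_port)
    if log is None:
        findings.append(f"{log_port}: log interface not configured")
    else:
        leak = log["allowaccess"] - LOG_ALLOWED
        if leak:
            findings.append(f"{log_port}: management services exposed on log interface: {sorted(leak)}")
    admin = interfaces.get(admin_port)
    if admin is None:
        findings.append(f"{admin_port}: admin interface not configured")
    else:
        unwanted = admin["allowaccess"] - ADMIN_ALLOWED
        if unwanted:
            findings.append(f"{admin_port}: disable {sorted(unwanted)} on admin interface")
        missing = ADMIN_ALLOWED - admin["allowaccess"]
        if missing:
            findings.append(f"{admin_port}: admin services not enabled: {sorted(missing)}")
        if admin["status"] != "up":
            findings.append(f"{admin_port}: admin interface is down")
    # Management services on any other live port deserve a look as well.
    for name, iface in interfaces.items():
        if name not in (log_port, admin_port) and iface["status"] == "up" and iface["allowaccess"]:
            findings.append(f"{name}: unexpected management access {sorted(iface['allowaccess'])}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(finding)
```

On the sample, the audit reports HTTPS, SSH and Web Service exposed on port1 and HTTP enabled on port2; port3 is down and is ignored. Feed it the real `show system interface` output and adjust the port names to match your deployment.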

Logging Topology – FortiAnalyzer – FortiOS 6.2.3

Logging Topology

The Logging Topology pane shows the physical topology of devices in the Security Fabric. Click, hold, and drag to adjust the view in the content pane, and double-click or use the scroll wheel to change the zoom.

The visualization can be filtered to show only FortiAnalyzer devices or all devices, by device count or by traffic.

Hovering the cursor over a device in the visualization will show information about the device, such as the IP address and device name. Right-click on a device and select View Related Logs to go to the Log View pane, filtered for that device.

Widgets – FortiAnalyzer – FortiOS 6.2.3

System Settings

System Resources widget

The System Resources widget displays the usage status of the CPUs, memory, and hard disk. You can view system resource information in real-time or historical format, as well as average or individual CPU usage.

On VMs, warning messages are displayed if the amount of memory or the number of CPUs assigned is too low, or if the allocated hard drive space is less than the licensed amount. These warnings are also shown in the notification list (see GUI overview). Clicking on a warning opens the FortiAnalyzer VM Install Guide.

To toggle between real-time and historical data, click Edit in the widget toolbar, select Historical or Real-time, edit the other settings as required, then click OK.

To view individual CPU usage, from the Real-Time display, click on the CPU chart. To go back to the standard view, click the chart again.

License Information widget

The License Information widget displays the number of devices connected to the FortiAnalyzer.

VM License: VM license information and status. Click the upload license button to upload a new VM license file. This field is only visible for FortiAnalyzer VM.

The Duplicate status appears when users try to upload a license that is already in use. Additionally, the following message is displayed in the Notifications: Duplicate License has been found! Your VM license will expire in XX hours (Grace time: 24 hours)

Users have 24 hours to upload a valid license before the duplicate license is blocked.

Logging
  • Device/VDOMs: The total number of devices and VDOMs connected to the FortiAnalyzer and the total number of device and VDOM licenses.
  • GB/Day: The gigabytes per day of logs allowed and used for this FortiAnalyzer. Click the show details button to view the GB per day of logs used for the previous 6 days. The GB/Day log volume can be viewed per ADOM through the CLI using: diagnose fortilogd logvol-adom <name>
  • VM Storage: The amount of VM storage used and remaining. This field is only visible for FortiAnalyzer VM.
  • Storage Connector Service: The cloud storage license status. Displays usage statistics as well as the license expiration date when a valid license is present. Click the purchase button to go to the Fortinet Customer Service & Support website, where you can purchase a license.

FortiGuard
  • Indicators of Compromise Service: The license status. Click the purchase button to go to the Fortinet Customer Service & Support website, where you can purchase a license.
  • Secure DNS Server: The SDNS server license status. Click the upload image button to upload a license key.
  • Server Location: The locations of the FortiGuard servers, either global or US only. Click the edit icon to adjust the location. Changing the server location will cause the FortiAnalyzer to reboot.

Update Server
  • AntiVirus and IPS: The IP address and physical location of the AntiVirus and IPS update server.
  • Web and Email Filter: The IP address and physical location of the web and email filter update server.
  • FortiClient Update: The IP address and physical location of the FortiClient update server.

Unit Operation widget

The Unit Operation widget graphically displays the status of each port. The port name indicates its status by its color. Green indicates the port is connected. Grey indicates there is no connection.

Hover the cursor over the ports to view a pop-up that displays the full name of the interface, the IP address and netmask, the link status, the speed of the interface, and the amounts of sent and received data.

Alert Messages Console widget

The Alert Message Console widget displays log-based alert messages for both the FortiAnalyzer unit itself and connected devices.

Alert messages help you track system events on your FortiAnalyzer unit such as firmware changes, and network events such as detected attacks. Each message shows the date and time the event occurred.

Click Edit from the widget toolbar to view the Alert Message Console Settings, where you can adjust the number of entries that are visible in the widget, and the refresh interval.

To view a complete list of alert messages, click Show More from the widget toolbar. The widget will show the complete list of alerts. To clear the list, click Delete All Messages. Click Show Less to return to the previous view.

Log Receive Monitor widget

The Log Receive Monitor widget displays the rate at which the FortiAnalyzer unit receives logs over time. Log data can be displayed by either log type or device.

Hover the cursor over a point on the graph to see the exact number of logs that were received at a specific time. Click the name of a device or log type to add or remove it from the graph. Click Edit in the widget toolbar to modify the widget’s settings.

Insert Rate vs Receive Rate widget

The Insert Rate vs Receive Rate widget displays the log insert and log receive rates over time.

  • Log receive rate: how many logs are being received.
  • Log insert rate: how many logs are being actively inserted into the database.

If the log insert rate is higher than the log receive rate, the database is rebuilding, that is, working through logs it received earlier. The lag is the number of received logs still waiting to be inserted; while the receive rate stays above the insert rate, the lag keeps growing.

Hover the cursor over a point on the graph to see the exact number of logs that were received and inserted at a specific time. Click Receive Rate or Insert Rate to remove those data from the graph. Click the edit icon in the widget toolbar to adjust the time interval shown on the graph and the refresh interval.

Log Insert Lag Time widget

The Log Insert Lag Time widget displays how many seconds the database is behind in processing the logs.

Click the edit icon in the widget toolbar to adjust the time interval shown on the graph and the refresh interval (0 to disable) of the widget.
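The two widgets above show the same phenomenon from different angles: the gap between receive and insert rates, and how far behind the database is. This added example (not Fortinet code, and not the widgets' own formula) models that relationship from constructed per-interval samples: it accumulates the backlog of logs not yet inserted, labels each interval as falling behind, catching up or steady, estimates the lag in seconds as backlog divided by the current insert rate, and flags intervals where that estimate exceeds a threshold. The one-sample-per-minute interval and the 300-second alert threshold are assumptions.

```python
"""Model receive rate vs insert rate, the resulting backlog and an estimated
lag in seconds. Added example; the rate samples are constructed."""
from dataclasses import dataclass

INTERVAL_S = 60  # assumption: one sample per minute

# Constructed samples of (received, inserted) per interval: a burst in
# intervals 2-4 arrives faster than the database inserts, after which the
# insert rate stays above the receive rate while the backlog drains.
SAMPLES = [(1000, 1000), (1000, 1000), (5000, 1500), (5000, 1500), (4000, 1500),
           (1000, 1500), (1000, 1500), (1000, 1500), (1000, 1500), (1000, 1500)]


@dataclass
class Point:
    index: int
    received: int
    inserted: int
    backlog: int        # logs received but not yet inserted
    lag_seconds: float  # time to drain the backlog at the current insert rate
    state: str          # "steady", "falling-behind" or "catching-up"


def classify(received, inserted):
    """Insert rate above receive rate means the database is rebuilding/draining."""
    if inserted > received:
        return "catching-up"
    if received > inserted:
        return "falling-behind"
    return "steady"


def backlog_series(samples, interval_s=INTERVAL_S):
    """Walk the samples and return one Point per interval."""
    points, backlog = [], 0
    for i, (rx, ins) in enumerate(samples):
        ins = min(ins, backlog + rx)  # cannot insert logs that were never received
        backlog += rx - ins
        per_sec = ins / interval_s
        lag = backlog / per_sec if per_sec else (float("inf") if backlog else 0.0)
        points.append(Point(i, rx, ins, backlog, lag, classify(rx, ins)))
    return points


def alerts(points, max_lag_seconds=300):
    """Indexes of intervals where the estimated lag exceeds the threshold."""
    return [p.index for p in points if p.lag_seconds > max_lag_seconds]


if __name__ == "__main__":
    series = backlog_series(SAMPLES)
    for p in series:
        print(f"{p.index:2d} rx={p.received:5d} ins={p.inserted:5d} "
              f"backlog={p.backlog:5d} lag={p.lag_seconds:6.1f}s {p.state}")
    print("alerts:", alerts(series))
```

The point worth noticing is that the alert fires for several intervals after the burst ends, because a backlog built up at 5000 logs per minute drains at only 500 per minute; the widgets show exactly that tail, and sizing the insert capacity against peak rather than average receive rate is what shortens it.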

Receive Rate vs Forwarding Rate widget

The Receive Rate vs Forwarding Rate widget displays the rate at which the FortiAnalyzer is receiving logs. When log forwarding is configured, the widget also displays the log forwarding rate for each configured server.

Click the edit icon in the widget toolbar to adjust the time period shown on the graph and the refresh interval, if any, of the widget.

Disk I/O widget

The Disk I/O widget shows the disk utilization (%), transaction rate (requests/s), or throughput (KB/s), versus time.

Click the edit icon in the widget toolbar to select which chart is displayed, the time period shown on the graph, and the refresh interval (if any) of the chart.

System Settings – FortiAnalyzer – FortiOS 6.2.3 – Configuring the Operation Mode

Configuring the operation mode

The FortiAnalyzer unit has two operation modes: Analyzer and Collector.

Analyzer mode is the default. In Collector mode the unit's primary task is to collect logs from connected devices and forward them to an Analyzer, and the SQL database is disabled by default, so features that depend on the SQL database are not available in Collector mode unless you enable it.

To change the operation mode:

  1. Go to System Settings > Dashboard.
  2. In the System Information widget, select Analyzer or Collector in the Operation Mode field.
  3. Click OK in the confirmation dialog box to change the operation mode.


System Settings – FortiAnalyzer – FortiOS 6.2.3 – Migrating the Configuration

Migrating the configuration

You can back up the system of one FortiAnalyzer model, and then use the CLI and the FTP, SCP, or SFTP protocol to migrate the settings to another FortiAnalyzer model.

If you encrypted the FortiAnalyzer configuration file when you created it, you need the password to decrypt the configuration file when you migrate the file to another FortiAnalyzer model.

To migrate the FortiAnalyzer configuration:

  1. In one FortiAnalyzer model, go to System Settings > Dashboard.
  2. Back up the system. See Backing up the system.
  3. In the other FortiAnalyzer model, go to System Settings > Dashboard.
  4. In the CLI Console widget, type the following command:

execute migrate all-settings <ftp | scp | sftp> <server> <filepath> <user> <password> [cryptpasswd]

System Settings – FortiAnalyzer – FortiOS 6.2.3 – Restoring The Configuration

Restoring the configuration

You can use the following procedure to restore your FortiAnalyzer configuration from a backup file on your management computer.

To restore the FortiAnalyzer configuration:

  1. Go to System Settings > Dashboard.
  2. In the System Information widget, click the restore button next to System Configuration. The Restore System dialog box opens.
  3. Configure the following settings then select OK.
  • Choose Backup File: Select Browse to find the configuration backup file you want to restore, or drag and drop the file onto the dialog box.
  • Password: Type the encryption password, if applicable.
  • Overwrite current IP and routing settings: Select the checkbox to overwrite the current IP and routing settings.

System Settings – FortiAnalyzer – FortiOS 6.2.3 – Backing up the system

Backing up the system

Fortinet recommends that you back up your FortiAnalyzer configuration to your management computer on a regular basis to ensure that, should the system fail, you can quickly get the system back to its original state with minimal effect on the network. You should also perform a backup after making any changes to the FortiAnalyzer configuration or settings that affect the connected devices.

Fortinet recommends backing up all configuration settings from your FortiAnalyzer unit before upgrading the FortiAnalyzer firmware.

To back up the FortiAnalyzer configuration:

  1. Go to System Settings > Dashboard.
  2. In the System Information widget, click the backup button next to System Configuration. The Backup System dialog box opens.
  3. If you want to encrypt the backup file, select the Encryption box, then type and confirm the password you want to use. The password can be a maximum of 63 characters.
  4. Select OK and save the backup file on your management computer.

System Settings – FortiAnalyzer – Updating The System Firmware – FortiOS 6.2.3

Updating the system firmware

To take advantage of the latest features and fixes, the FortiAnalyzer firmware can be updated. For information about upgrading your FortiAnalyzer device, see the FortiAnalyzer Upgrade Guide or contact Fortinet Customer Service & Support.

Back up the configuration and database before changing the firmware of your FortiAnalyzer unit. Changing the firmware to an older or incompatible version may reset the configuration and database to the default values for that firmware version, resulting in data loss.

Before you can download firmware updates for your FortiAnalyzer unit, you must first register your FortiAnalyzer unit with Customer Service & Support. For details, go to https://support.fortinet.com/ or contact Customer Service & Support.

To update the FortiAnalyzer firmware:

  1. Download the firmware (the .out file) from the Customer Service & Support website, https://support.fortinet.com/.
  2. Go to System Settings > Dashboard.
  3. In the System Information widget, in the Firmware Version field, click Upgrade Firmware. The Firmware Upload dialog box opens.
  4. Drag and drop the file onto the dialog box, or click Browse to locate the firmware package (.out file) that you downloaded from the Customer Service & Support portal and then click Open.
  5. Click OK. Your device will upload the firmware image and you will receive a confirmation message noting that the upgrade was successful.

Optionally, you can upgrade firmware stored on an FTP or TFTP server using the following CLI command:

execute restore image {ftp | tftp} <file path to server> <IP of server> <username on server> <password>

For more information, see the FortiAnalyzer CLI Reference.

  6. Refresh the browser and log back into the device.
  7. Launch the Device Manager module and make sure that all formerly added devices are still listed.
  8. Launch other functional modules and make sure they work properly.
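Between downloading the .out file (step 1) and uploading it (step 4), the check a practitioner wants is that the image on disk is the one the support portal served, particularly when it has passed through a staging host or an FTP/TFTP server, which move the file in cleartext. This added example (not Fortinet tooling) streams the file, confirms the .out extension and compares its SHA-256 with a checksum obtained out of band, using a constant-time comparison; the image bytes and file name are a constructed stand-in, not a real Fortinet build.

```python
"""Verify a downloaded firmware package before uploading it.
Added example; the image content below is a constructed stand-in."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-hundred-megabyte image is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, expected_sha256):
    """Return (ok, reason). The digest is compared in constant time, the
    habit for any check that gates an install on a secret-like value."""
    if not path.lower().endswith(".out"):
        return False, "not a .out firmware package"
    if os.path.getsize(path) == 0:
        return False, "empty file"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        return False, f"sha256 mismatch: got {actual}"
    return True, "checksum matches"


def demo():
    """Write a constructed image and check it against a correct digest, a
    wrong digest and a file with the wrong extension."""
    payload = b"FAZ-FIRMWARE-SAMPLE\x00" * 4096  # constructed stand-in for a real image
    good = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "firmware.out")  # placeholder name
        with open(image, "wb") as fh:
            fh.write(payload)
        other = os.path.join(tmp, "firmware.bin")
        with open(other, "wb") as fh:
            fh.write(payload)
        return {
            "good": verify_image(image, good),
            "tampered": verify_image(image, "0" * 64),
            "wrong_ext": verify_image(other, good),
        }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} {'OK ' if ok else 'FAIL'} {reason}")
```

In practice, replace the constructed payload with the path of the downloaded package and paste the expected digest from the support portal; only upload when the result is OK.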