Insert Rate vs Receive Rate widget – FortiAnalyzer – FortiOS 6.2.3

Insert Rate vs Receive Rate widget

The Insert Rate vs Receive Rate widget displays the log insert and log receive rates over time.

l Log receive rate: how many logs are being received. l Log insert rate: how many logs are being actively inserted into the database.

If the log insert rate is higher than the log receive rate, then the database is rebuilding. The lag is the number of logs waiting to be inserted.

Hover the cursor over a point on the graph to see the exact number of logs that were received and inserted at a specific time. Click Receive Rate or Insert Rate to remove those data from the graph. Click the edit icon in the widget toolbar to adjust the time interval shown on the graph and the refresh interval.

Log Receive Monitor widget – FortiAnalyzer – FortiOS 6.2.3

Log Receive Monitor widget

The Log Receive Monitor widget displays the rate at which the FortiAnalyzer unit receives logs over time. Log data can be displayed by either log type or device.

Hover the cursor over a point on the graph to see the exact number of logs that were received at a specific time. Click the name of a device or log type to add or remove it from the graph. Click Edit in the widget toolbar to modify the widget’s settings.

Alert Messages Console widget – FortiAnalyzer – FortiOS 6.2.3

Alert Messages Console widget

The Alert Message Console widget displays log-based alert messages for both the FortiAnalyzer unit itself and connected devices.

Alert messages help you track system events on your FortiAnalyzer unit such as firmware changes, and network events such as detected attacks. Each message shows the date and time the event occurred.

Click Edit from the widget toolbar to view the Alert Message Console Settings, where you can adjust the number of entries that are visible in the widget, and the refresh interval.

To view a complete list of alert messages, click Show More from the widget toolbar. The widget will show the complete list of alerts. To clear the list, click Delete All Messages. Click Show Less to return to the previous view.

License Information widget – FortiAnalyzer – FortiOS 6.2.3

License Information widget

The License Information widget displays the number of devices connected to the FortiAnalyzer.

VM License VM license information and status.

Click the upload license button to upload a new VM license file.

This field is only visible for FortiAnalyzer VM.

The Duplicate status appears when users try to upload a license that is already in use. Additionally, the following message will be displayed in the Notifications: Duplicate License has been found! YourVM license will expire in XX hours (Grace time: 24 hours)

Users will have 24 hours to upload a valid license before the duplicate license is blocked.

Logging  
Device/VDOMs The total number of devices and VDOMs connected to the FortiAnalyzer and the total number of device and VDOM licenses.
GB/Day The gigabytes per day of logs allowed and used for this FortiAnalyzer. Click the show details button to view the GB per day of logs used for the previous 6 days. The GB/Day log volume can be viewed per ADOM through the CLI using: diagnose fortilogd logvol-adom <name>.
VM Storage The amount of VM storage used and remaining. This field is only visible for FortiAnalyzer VM.
Storage Connector Service The cloud storage license status.

Displays usage statistics as well as the license expiration date when a valid license is present.

Click the purchase button to go to the Fortinet Customer Service & Support website, where you can purchase a license.

FortiGuard  
Indicators of

Compromise

Service

The license status.

Click the purchase button to go to the Fortinet Customer Service & Support website, where you can purchase a license.

Secure DNS Server The SDNS server license status.

Click the upload image button to upload a license key.

Server Location The locations of the FortiGuard servers, either global or US only.

Click the edit icon to adjust the location. Changing the server location will cause the FortiAnalyzer to reboot.

Update Server  
AntiVirus and IPS The IP address and physical location of the Antivirus and IPS update server.
Web and Email

Filter

The IP address and physical location of the web and email filter update server.
FortiClient Update The IP address and physical location of the FortiClient update server.

System Resources widget – FortiAnalyzer – FortiOS 6.2.3

System Resources widget

The System Resources widget displays the usage status of the CPUs, memory, and hard disk. You can view system resource information in real-time or historical format, as well as average or individual CPU usage.

On VMs, warning messages are displayed if the amount of memory or the number of CPUs assigned are too low, or if the allocated hard drive space is less than the licensed amount. These warnings are also shown in the notification list (see GUI overview on page 12). Clicking on a warning opens the FortiAnalyzerVM Install Guide.

To toggle between real-time and historical data, click Edit in the widget toolbar, select Historical or Real-time, edit the other settings as required, then click OK.

To view individual CPU usage, from the Real-Time display, click on the CPU chart. To go back to the standard view, click the chart again.

RAID Management – FortiAnalyzer – FortiOS 6.2.3

RAID Management

RAID helps to divide data storage over multiple disks, providing increased data reliability. For FortiAnalyzer devices containing multiple hard disks, you can configure the RAID array for capacity, performance, and/or availability.

Supported RAID levels

FortiAnalyzer units with multiple hard drives can support the following RAID levels:

Linear RAID

A Linear RAID array combines all hard disks into one large virtual disk. The total space available in this option is the capacity of all disks used. There is very little performance change when using this RAID format. If any of the drives fails, the entire set of drives is unusable until the faulty drive is replaced. All data will be lost.

RAID 0

A RAID 0 array is also referred to as striping. The FortiAnalyzer unit writes information evenly across all hard disks. The total space available is that of all the disks in the RAID array. There is no redundancy available. If any single drive fails, the data on that drive cannot be recovered. This RAID level is beneficial because it provides better performance, since the FortiAnalyzer unit can distribute disk writing across multiple disks. l Minimum number of drives: 2

RAID 1

A RAID 1 array is also referred to as mirroring. The FortiAnalyzer unit writes information to one hard disk, and writes a copy (a mirror image) of all information to all other hard disks. The total disk space available is that of only one hard disk, as the others are solely used for mirroring. This provides redundant data storage with no single point of failure. Should any of the hard disks fail, there are backup hard disks available.

  • Minimum number of drives: 2
  • Data protection: Single-drive failure

One write or two reads are possible per mirrored pair. RAID 1 offers redundancy of data. A rebuild is not required in the event of a drive failure. This is the simplest RAID storage design with the highest disk overhead.

RAID 1s

A RAID 1 with hot spare array uses one of the hard disks as a hot spare (a stand-by disk for the RAID). If a hard disk fails, within a minute of the failure the hot spare is substituted for the failed drive, integrating it into the RAID array and rebuilding the RAID’s data. When you replace the failed hard disk, the new hard disk is used as the new hot spare. The total disk space available is the total number of disks minus two.

RAID 5

A RAID 5 array employs striping with a parity check. Similar to RAID 0, the FortiAnalyzer unit writes information evenly across all drives but additional parity blocks are written on the same stripes. The parity block is staggered for each stripe. The total disk space is the total number of disks in the array, minus one disk for parity storage. For example, with four hard disks, the total capacity available is actually the total for three hard disks. RAID 5 performance is typically better with reading than with writing, although performance is degraded when one disk has failed or is missing. With RAID 5, one disk can fail without the loss of data. If a drive fails, it can be replaced and the FortiAnalyzer unit will restore the data on the new disk by using reference information from the parity volume.

  • Minimum number of drives: 3
  • Data protection: Single-drive failure

RAID 5s

A RAID 5 with hot spare array uses one of the hard disks as a hot spare (a stand-by disk for the RAID). If a hard disk fails, within a minute of the failure, the hot spare is substituted for the failed drive, integrating it into the RAID array, and rebuilding the RAID’s data. When you replace the failed hard disk, the new hard disk is used as the new hot spare. The total disk space available is the total number of disks minus two.

RAID 6

A RAID 6 array is the same as a RAID 5 array with an additional parity block. It uses block-level striping with two parity blocks distributed across all member disks.

l Minimum number of drives: 4 l Data protection: Up to two disk failures.

RAID 6s

A RAID 6 with hot spare array is the same as a RAID 5 with hot spare array with an additional parity block.

RAID 10

RAID 10 (or 1+0), includes nested RAID levels 1 and 0, or a stripe (RAID 0) of mirrors (RAID 1). The total disk space available is the total number of disks in the array (a minimum of 4) divided by 2, for example:

  • 2 RAID 1 arrays of two disks each, l 3 RAID 1 arrays of two disks each, l 6 RAID1 arrays of two disks each.

One drive from a RAID 1 array can fail without the loss of data; however, should the other drive in the RAID 1 array fail, all data will be lost. In this situation, it is important to replace a failed drive as quickly as possible.

  • Minimum number of drives: 4 l Data protection: Up to two disk failures in each sub-array.

RAID 50

RAID 50 (or 5+0) includes nested RAID levels 5 and 0, or a stripe (RAID 0) and stripe with parity (RAID 5). The total disk space available is the total number of disks minus the number of RAID 5 sub-arrays. RAID 50 provides increased performance and also ensures no data loss for the same reasons as RAID 5. One drive in each RAID 5 array can fail without the loss of data.

  • Minimum number of drives: 6

RAID 60

A RAID 60 (6+ 0) array combines the straight, block-level striping of RAID 0 with the distributed double parity of RAID 6.

  • Minimum number of drives: 8 l Data protection: Up to two disk failures in each sub-array.

Packet capture – FortiAnalyzer – Packet Capture

Packet capture

Packets can be captured on configured interfaces by going to System > Network > Packet Capture.

The following information is available:

Interface The name of the configured interface for which packets can be captured. For information on configuring an interface, see Configuring network interfaces on page 167.
Filter Criteria The values used to filter the packet.
# Packets The number of packets.
Maximum Packet Count The maximum number of packets that can be captured on a sniffer.
Progress The status of the packet capture process.
Actions Allows you to start and stop the capturing process, and download the most recently captured packets.

To start capturing packets on an interface, select the Start capturing button in the Actions column for that interface. The Progress column changes to Running, and the Stop capturing and Download buttons become available in the Actions column.

To add a packet sniffer:

  1. From the Packet Capture table, click Create New in the toolbar. The Create New Sniffer pane opens.
  2. Configure the following options:
Interface The interface name (non-changeable).
Max. Packets to Save Enter the maximum number of packets to capture, between 1-10000. The default is 4000 packets.
Include IPv6 Packets Select to include IPv6 packets when capturing packets.
Include Non-IP Packets Select to include non-IP packets when capturing packets.
Enable Filters You can filter the packet by Host(s), Port(s), VLAN(s), and Protocol.
  1. Click OK.

To download captured packets:

  1. In the Actions column, click the Download button for the interface whose captured packets you want to download. If no packets have been captured for that interface, click the Start capturing
  2. When prompted, save the packet file (sniffer_[interface].pcap) to your management computer. The file can then be opened using packet analyzer software.

To edit a packet sniffer:

  1. From the Packet Capture table, click Edit in the toolbar. The Edit Sniffer pane opens. 2. Configure the packet sniffer options
  2. Click OK.

Static routes – FortiAnalyzer – FortiOS 6.2.3

Static routes

Static routes can be managed from the routing tables for IPv4 and IPv6 routes.

The routing tables can be accessed by going to System Settings > Network and clicking Routing Table and IPv6 Routing Table.

To add a static route:

  1. From the IPv4 or IPv6 routing table, click Create New in the toolbar. The Create New Network Route pane opens.
  2. Enter the destination IP address and netmask, or IPv6 prefix, and gateway in the requisite fields.
  3. Select the network interface that connects to the gateway from the dropdown list.
  4. Click OK to create the new static route.

To edit a static route:

  1. From the IPv4 or IPv6 routing table: double-click on a route, right-click on a route then select Edit from the pop-up menu, or select a route then click Edit in the toolbar. The Edit Network Route pane opens.
  2. Edit the configuration as required. The route ID cannot be changed.
  3. Click OK to apply your changes.

To delete a static route or routes:

  1. From the IPv4 or IPv6 routing table, right-click on a route then select Delete from the pop-up menu, or select a route or routes then click Delete in the toolbar.
  2. Click OK in the confirmation dialog box to delete the selected route or routes.