FortiView

The FortiView tab allows you to access both FortiView drill down and Log view menus. FortiView in FortiAnalyzer collects data from FortiView in FortiGate. In order for information to appear in the FortiView dashboards in FortiGate, disk logging must be selected for the FortiGate unit. Select the FortiView tab and select the ADOM from the drop-down list.

FortiView

Use FortiView to drill down real-time and historical traffic from log devices by sources, applications, destinations, web sites, threats, and cloud applications. Each FortiView can be filtered by a variety of attributes, as well as by device and time period. These attributes can be selected using the right-click context menu. Results can also be filtered using the various columns.

The following FortiViews are available:

  • Top sources
  • Top applications
  • Top destinations
  • Top web sites
  • Top threats
  • Top cloud applications

Top sources

The Top Sources dashboard displays information about the sources of traffic on your unit. You can drill down the displayed information, and also select the device and time period, and apply search filters.

Figure 88: Top sources

The following information is displayed:

  • Source: Displays the source IP address and/or user name, if applicable. Select the column header to sort entries by source. You can apply a search filter to the source (srcip) column.
  • Device: Displays the device IP address or FQDN. Select the column header to sort entries by device. You can apply a search filter to the device (dev_src) column.
  • Threat Weight: Displays the threat weight value. Select the column header to sort entries by threat weight.
  • Sessions: Displays the number of sessions. Select the column header to sort entries by sessions.
  • Bandwidth (Sent/Received): Displays the bandwidth value for sent and received packets. Select the column header to sort entries by bandwidth.

The following options are available:

  • Refresh: Refresh the displayed information.
  • Search: Click the search field to add a search filter for user (user), source IP (srcip), source device (dev_src), source interface (srcintf), destination interface (dstintf), policy ID (policyid), security action (utmaction), or virtual domain (vd). Select the GO button to apply the search filter. Alternatively, right-click a column entry to add it as a search filter. Select the clear icon to remove the search filter.
  • Devices: Select the device from the drop-down list or select All Devices. Select the GO button to apply the device filter.
  • Time Period: Select the time period from the drop-down list. Select Custom from the list to specify the start and end date and time. Select the GO button to apply the time period filter.
  • N: When the selected time period contains last N, enter the value for N in this text field.
  • Custom: When Custom is selected, the custom icon is displayed. Select the icon to change the custom time period.
  • Go: Select the GO button to apply the filter.
  • Pagination: Select the number of entries to display per page and browse pages.
  • Right-click menu: The following drill-down options are available from the right-click menu.

Right-click menu

Application: Select to drill down by application to view application-related information, including the application, number of sessions, and bandwidth (sent/received). Select a column header to sort the displayed entries. You can apply a search filter in the application (app) column to further filter the information displayed; select the GO button to apply the search filter. Select the return icon to return to the Top Sources page.

Destination: Select to drill down by destination to view destination-related information, including the destination IP address and geographic region, the threat weight value, number of sessions, and bandwidth (sent/received). Select a column header to sort the displayed entries. You can apply a search filter in the destination (dstip) column to further filter the information displayed; select the GO button to apply the search filter. Select the return icon to return to the Top Sources page.

Threat: Select to drill down by threat to view threat-related information, including the threat type, category, threat level, threat weight, and number of incidents. Select a column header to sort the displayed entries. You can apply a search filter in the threat (threat) or category (threattype) columns to further filter the information displayed; select the GO button to apply the search filter. Select the return icon to return to the Top Sources page.

Domain: Select to drill down by domain to view domain-related information, including domain, category, browsing time, threat weight, number of sessions, and bandwidth (sent/received). Select a column header to sort the displayed entries. Select the GO button to apply a search filter. Select the return icon to return to the Top Sources page.

Category: Select to drill down by category to view category-related information, including category, browsing time, threat weight, number of sessions, and bandwidth (sent/received). Select a column header to sort the displayed entries. Select the GO button to apply a search filter. Select the return icon to return to the Top Sources page.

Sessions: Select to drill down by sessions to view session-related information, including date/time, source/device, destination IP address and geographic region, service, bandwidth (sent/received), user, application, and security action. Select a column header to sort the displayed entries. You can apply a search filter in the destination (dstip), service (service), user (user), or application (app) columns to further filter the information displayed; select the GO button to apply the search filter. Select the return icon to return to the Top Sources page.

Search: Add a search filter by source IP (srcip) or source device (dev_src). Select the GO button to apply the filter. Select the clear icon to remove the search filter.

Top applications

The Top Applications dashboard shows information about the applications being used on your network, including the application name, category, and risk level. You can drill down the displayed information, and also select the device and time period, and apply search filters.

Figure 89: Top applications

The following information is displayed:

  • Application: Displays the application port and service. Select the column header to sort entries by application. You can apply a search filter to the application (app) column.
  • Category: Displays the application category. Select the column header to sort entries by category. You can apply a search filter to the category (appcat) column.
  • Risk: Displays the application risk level. Hover the mouse cursor over the entry in the column for additional information. Select the column header to sort entries by category. Risk uses a new 5-point risk rating. The rating system is as follows:
      • Critical: Applications that are used to conceal activity to evade detection.
      • High: Applications that can cause data leakage, are prone to vulnerabilities, or download malware.
      • Medium: Applications that can be misused.
      • Elevated: Applications that are used for personal communications or can lower productivity.
      • Low: Business-related applications or other harmless applications.
  • Sessions: Displays the number of sessions. Select the column header to sort entries by sessions.
  • Bandwidth (Sent/Received): Displays the bandwidth value for sent and received packets. Select the column header to sort entries by bandwidth.

The following options are available:

  • Refresh: Refresh the displayed information.
  • Search: Click the search field to add a search filter by application (app), source interface (srcintf), destination interface (dstintf), policy ID (policyid), security action (utmaction), or virtual domain (vd). Select the GO button to apply the search filter. Alternatively, right-click a column entry to add it as a search filter. Select the clear icon to remove the search filter.
  • Devices: Select the device from the drop-down list or select All Devices. Select the GO button to apply the device filter.
  • Time Period: Select the time period from the drop-down list. Select Custom from the list to specify the start and end date and time. Select the GO button to apply the time period filter.
  • N: When the selected time period contains last N, enter the value for N in this text field.
  • Custom: When Custom is selected, the custom icon is displayed. Select the icon to change the custom time period.
  • Go: Select the GO button to apply the filter.
  • Pagination: Select the number of entries to display per page and browse pages.
  • Right-click menu: The following drill-down options are available from the right-click menu.

Right-click menu

Source: Select to drill down by source to view source-related information, including the source IP address, device MAC address or FQDN, threat weight, number of sessions, and bandwidth (sent/received). Select a column header to sort the displayed entries. You can apply a search filter in the source (srcip) and device (dev_src) columns to further filter the information displayed; select the GO button to apply the search filter. Select the return icon to return to the Top Applications page.

Destination: Select to drill down by destination to view destination-related information, including the destination IP address and geographic region, the threat weight value, number of sessions, and bandwidth (sent/received). Select a column header to sort the displayed entries. You can apply a search filter in the destination (dstip) column to further filter the information displayed; select the GO button to apply the search filter. Select the return icon to return to the Top Applications page.

Threat: Select to drill down by threat to view threat-related information, including the threat type, category, threat level, threat weight, and number of incidents. Select a column header to sort the displayed entries. You can apply a search filter in the threat (threat) or category (threattype) columns to further filter the information displayed; select the GO button to apply the search filter. Select the return icon to return to the Top Applications page.

Sessions: Select to drill down by sessions to view session-related information, including date/time, source/device, destination IP address and geographic region, service, bandwidth (sent/received), user, application, and security action. Select a column header to sort the displayed entries. You can apply a search filter in the destination (dstip), service (service), user (user), or application (app) columns to further filter the information displayed; select the GO button to apply the search filter. Select the return icon to return to the Top Applications page.

Search: Add a search filter by application or category. Select the GO button to apply the filter. Select the clear icon to remove the search filter.
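To make concrete what the Top Sources and Top Applications views compute from FortiGate traffic logs, the following is an added example (not code from this guide or from FortiAnalyzer) that aggregates constructed FortiGate-style key=value log lines by srcip or by app and applies search filters on the same fields the views expose (srcintf, dstintf, policyid, utmaction, vd, appcat, ...). The sentbyte and rcvdbyte field names are assumed for the Bandwidth (Sent/Received) column.

```python
import re
from collections import defaultdict

# Constructed FortiGate-style traffic log lines (key=value format), not real captures.
# sentbyte/rcvdbyte are assumed field names for the Bandwidth (Sent/Received) column.
SAMPLE_LOGS = [
    'date=2014-09-01 time=10:00:01 vd=root srcip=10.0.1.5 srcintf=port1 dstip=203.0.113.7 dstintf=port2 '
    'policyid=1 app=HTTPS appcat=Web utmaction=allow sentbyte=1200 rcvdbyte=45000',
    'date=2014-09-01 time=10:00:05 vd=root srcip=10.0.1.5 srcintf=port1 dstip=198.51.100.9 dstintf=port2 '
    'policyid=1 app=SSH appcat=Remote.Access utmaction=allow sentbyte=5000 rcvdbyte=800',
    'date=2014-09-01 time=10:00:09 vd=root srcip=10.0.1.8 srcintf=port1 dstip=203.0.113.7 dstintf=port2 '
    'policyid=2 app=HTTPS appcat=Web utmaction=block sentbyte=300 rcvdbyte=0',
    'date=2014-09-01 time=10:00:12 vd=guest srcip=10.0.2.3 srcintf=port3 dstip=192.0.2.44 dstintf=port2 '
    'policyid=7 app=BitTorrent appcat=P2P utmaction=block sentbyte=90000 rcvdbyte=120000',
]

# key=value pairs; values may be double-quoted when they contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Parse one key=value log line into a dict (quoted values are unquoted)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def top_view(lines, group_by, filters=None, limit=None):
    """Build a FortiView-style table: group_by is 'srcip' (Top Sources) or 'app'
    (Top Applications); filters maps field -> value like the search filters, and every
    filter must match. Rows are sorted by session count, then total bandwidth, descending."""
    filters = filters or {}
    rows = defaultdict(lambda: {'sessions': 0, 'sent': 0, 'rcvd': 0})
    for line in lines:
        rec = parse_log(line)
        if any(rec.get(field) != value for field, value in filters.items()):
            continue  # line does not satisfy the search filter
        key = rec.get(group_by)
        if key is None:
            continue  # line lacks the grouping field (e.g. no app identified)
        row = rows[key]
        row['sessions'] += 1
        row['sent'] += int(rec.get('sentbyte', 0))
        row['rcvd'] += int(rec.get('rcvdbyte', 0))
    ordered = sorted(rows.items(),
                     key=lambda kv: (kv[1]['sessions'], kv[1]['sent'] + kv[1]['rcvd']),
                     reverse=True)
    return [dict(**{group_by: k}, **v) for k, v in ordered[:limit]]


if __name__ == '__main__':
    for row in top_view(SAMPLE_LOGS, 'srcip'):          # Top Sources, all devices
        print(row)
    # Top Applications restricted to blocked sessions, like a utmaction=block search filter
    for row in top_view(SAMPLE_LOGS, 'app', {'utmaction': 'block'}):
        print(row)
```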

Key Concepts

This chapter defines basic FortiAnalyzer concepts and terms.

If you are new to FortiAnalyzer, this chapter can help you to quickly understand this document and your FortiAnalyzer platform.

This topic includes:

  • Administrative domains
  • Operation modes
  • Log storage
  • Workflow

Administrative domains

Administrative domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific device’s VDOM.

Enabling ADOMs alters the structure of and the available functions in the Web-based Manager and CLI, according to whether or not you are logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator account’s assigned access profile. See “System Information widget” on page 46 for information on enabling and disabling ADOMs.

For information on working with ADOMs, see “Administrative Domains” on page 27. For information on configuring administrators and administrator settings, see “Admin” on page 73.

Operation modes

The FortiAnalyzer unit has two operation modes:

  • Analyzer: The default mode, which supports all FortiAnalyzer features. This mode is used for aggregating logs from one or more log collectors. In this mode, the log aggregation configuration function is disabled.
  • Collector: The mode used for saving and uploading logs. For example, instead of writing logs to the database, the collector can retain the logs in their original (binary) format for uploading. In this mode, the report function and some functions under the System Settings tab are disabled.

The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a buffer to the FortiAnalyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

The mode of operation that you choose will depend on your network topology and individual requirements. For information on how to select an operation mode, see “Changing the operation mode” on page 50.

Feature comparison between analyzer and collector mode

The operation mode options have been simplified to two modes, Analyzer and Collector. Standalone mode has been removed.

Table 2: Feature comparison between Analyzer and Collector modes

  Feature                          Analyzer Mode   Collector Mode
  Event Management                 Yes             No
  Monitoring (drill-down/charts)   Yes             No
  Reporting                        Yes             No
  FortiView/Log View               Yes             Yes
  Device Manager                   Yes             Yes
  System Settings                  Yes             Yes
  Log Forwarding                   No              Yes

Analyzer mode

The analyzer mode is the default mode that supports all FortiAnalyzer features. If your network log volume does not compromise the performance of your FortiAnalyzer unit, you can choose this mode.

Figure 1 illustrates the network topology of the FortiAnalyzer unit in analyzer mode.

Figure 1: Topology of the FortiAnalyzer unit in analyzer mode

Analyzer and collector mode

The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a buffer to the analyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

In most cases, the volume of logs fluctuates dramatically during a day or week. You can deploy a collector to receive and store logs during the high traffic periods and transfer them to the analyzer during the low traffic periods. As a result, the performance of the analyzer is guaranteed as it will only deal with log insertion and reporting when the log transfer process is over.

As illustrated in Figure 2, company A has two remote branch networks protected by multiple FortiGate units. The networks generate large volumes of logs, which fluctuate significantly over the course of a day. The company previously used a FortiAnalyzer 4000B in analyzer mode to collect logs from the FortiGate units and generate reports. To further boost the performance of the FortiAnalyzer 4000B, the company deploys a FortiAnalyzer 400C in collector mode in each branch to receive logs from the FortiGate units during the high-traffic period and transfer the logs in bulk to the FortiAnalyzer 4000B during the low-traffic period.

Figure 2: Topology of the FortiAnalyzer units in analyzer/collector mode

FortiAnalyzer v5.2.0 Administration Guide

To set up the analyzer/collector configuration:

  1. On the FortiAnalyzer unit, go to System Settings > Dashboard.
  2. In the System Information widget, in the Operation Mode field, select Change.
  3. Select Analyzer in the Change Operation Mode dialog box.
  4. Select OK.
  5. On the first collector unit, go to System Settings > Dashboard.
  6. In the System Information widget, in the Operation Mode field, select Change.
  7. Select Collector in the Change Operation Mode dialog box.
  8. Select OK.

For more information on configuring log forwarding, see “Log forwarding” on page 40.

Log storage

The FortiAnalyzer unit supports Structured Query Language (SQL) logging and reporting. The log data is inserted into the SQL database for generating reports. Both local and remote SQL database options are supported.

For more information, see “Reports” on page 165.

Workflow

Once you have successfully deployed the FortiAnalyzer platform in your network, using and maintaining your FortiAnalyzer unit involves the following:

  • Configuration of optional features, and re-configuration of required features if required by changes to your network
  • Backups
  • Updates
  • Monitoring reports, logs, and alerts

What’s New in FortiAnalyzer V5.2

FortiAnalyzer v5.2 includes the following new features and enhancements.

FortiAnalyzer v5.2.0

FortiAnalyzer v5.2.0 includes the following new features and enhancements.

Event Management

  • Event Handler for local FortiAnalyzer event logs
  • FortiOS v4.0 MR3 logs are now supported.
  • Support subject customization of alert email.

FortiView

  • New FortiView module

Logging

  • Updated compact log v3 format from FortiGate
  • Explicit proxy traffic logging support
  • Improved FortiAnalyzer insert rate performance
  • Log filter improvements
  • FortiSandbox logging support
  • Syslog server logging support

Reports

  • Improvements to report configuration
  • Improvements to the Admin and System Events Report template
  • Improvements to the VPN Report template
  • Improvements to the Wireless PCI Compliance Report template
  • Improvements to the Security Analysis Report template
  • New Intrusion Prevention System (IPS) Report template
  • New Detailed Application Usage and Risk Report template
  • New FortiMail Analysis Report template
  • New pre-defined Application and Websites report templates
  • Macro library support
  • Option to display or upload reports in HTML format
  • FortiCache reporting support

Other