Key Concepts
This chapter defines basic FortiAnalyzer concepts and terms.
If you are new to FortiAnalyzer, this chapter can help you to quickly understand this document and your FortiAnalyzer platform.
This topic includes:
- Administrative domains
- Operation modes
- Log storage
- Workflow
Administrative domains
Administrative domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific device’s VDOM.
Enabling ADOMs alters the structure of, and the functions available in, the Web-based Manager and CLI. What you see depends on whether you log in as the admin administrator; for any other administrator account, it also depends on the access profile assigned to that account. See “System Information widget” on page 46 for information on enabling and disabling ADOMs.
For information on working with ADOMs, see “Administrative Domains” on page 27. For information on configuring administrators and administrator settings, see “Admin” on page 73.
Operation modes
The FortiAnalyzer unit has two operation modes:
- Analyzer: The default mode that supports all FortiAnalyzer features. This mode is used for aggregating logs from one or more log collectors. In this mode, the log aggregation configuration function is disabled.
- Collector: The mode used for saving and uploading logs. For example, instead of writing logs to the database, the collector can retain the logs in their original (binary) format for uploading. In this mode, the report function and some functions under the System Settings tab are disabled.
The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a buffer to the FortiAnalyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.
The mode of operation that you choose will depend on your network topology and individual requirements. For information on how to select an operation mode, see “Changing the operation mode” on page 50.
Feature comparison between analyzer and collector mode
The operation mode options have been simplified to two modes, Analyzer and Collector. Standalone mode has been removed.
Table 2: Feature comparison between Analyzer and Collector modes
Feature | Analyzer Mode | Collector Mode
--- | --- | ---
Event Management | Yes | No
Monitoring (drill-down/charts) | Yes | No
Reporting | Yes | No
FortiView/Log View | Yes | Yes
Device Manager | Yes | Yes
System Settings | Yes | Yes
Log Forwarding | No | Yes
Analyzer mode
The analyzer mode is the default mode that supports all FortiAnalyzer features. If your network log volume does not compromise the performance of your FortiAnalyzer unit, you can choose this mode.
Figure 1 illustrates the network topology of the FortiAnalyzer unit in analyzer mode.
Figure 1: Topology of the FortiAnalyzer unit in analyzer mode
Analyzer and collector mode
The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a buffer to the analyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.
In most cases, the volume of logs fluctuates dramatically during a day or week. You can deploy a collector to receive and store logs during the high traffic periods and transfer them to the analyzer during the low traffic periods. As a result, the performance of the analyzer is guaranteed as it will only deal with log insertion and reporting when the log transfer process is over.
As illustrated in Figure 2, company A has two remote branch networks protected by multiple FortiGate units. The networks generate large volumes of logs which fluctuate significantly during a day. It used to have a FortiAnalyzer 4000B in analyzer mode to collect logs from the FortiGate units and generate reports. To further boost the performance of the FortiAnalyzer 4000B, the company deploys a FortiAnalyzer 400C in collector mode in each branch to receive logs from the FortiGate units during the high traffic period and transfer bulk logs to the FortiAnalyzer 4000B during the low traffic period.
Figure 2: Topology of the FortiAnalyzer units in analyzer/collector mode
FortiAnalyzer v5.2.0 Administration Guide
To set up the analyzer/collector configuration:
- On the FortiAnalyzer unit, go to System Settings > Dashboard.
- In the System Information widget, in the Operation Mode field, select Change.
- Select Analyzer in the Change Operation Mode dialog box.
- Select OK.
- On the first collector unit, go to System Settings > Dashboard.
- In the System Information widget, in the Operation Mode field, select Change.
- Select Collector in the Change Operation Mode dialog box.
- Select OK.
For more information on configuring log forwarding, see “Log forwarding” on page 40.
Log storage
The FortiAnalyzer unit supports Structured Query Language (SQL) logging and reporting. The log data is inserted into the SQL database for generating reports. Both local and remote SQL database options are supported.
For more information, see “Reports” on page 165.
Workflow
Once you have successfully deployed the FortiAnalyzer platform in your network, using and maintaining your FortiAnalyzer unit involves the following:
- Configuration of optional features, and re-configuration of required features if required by changes to your network
- Backups
- Updates
- Monitoring reports, logs, and alerts