Event Management – FortiManager 5.2

Event Management

In the Event Management tab you can configure event handlers based on log type and logging filters. You can choose to send the event to an email address, SNMP community, or syslog server. Events can be configured per device, for all devices, or for the local FortiManager. You can create event handlers for FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, and FortiSandbox devices, and for syslog servers. In v5.2.0 or later, Event Management also supports local FortiManager event logs.

Events can also be monitored, and the logs associated with a given event can be viewed.

When rebuilding the SQL database, Event Management will not be available until after the rebuild is completed. Select the Show Progress link in the message to view the status of the SQL rebuild.

Events

The events page provides a list of the generated events. Right-clicking on an event in the table gives you the option of viewing event details including the raw log entries associated with that event, adding review notes, and acknowledging the event.

To view events, go to the Event Management tab and select Event Management > All Events. You can also view events by severity and by handler. When ADOMs are enabled, select the ADOM, and then select All Events.

Events page

The following information is displayed:

Events

Count: The number of log entries associated with the event. Click the heading to sort events by count.
Event Name: The name of the event. Click the heading to sort events by event name.
Severity: The severity level of the event. Event severity is a user-configured value: Critical, High, Medium, or Low. Click the heading to sort events by severity.
Event Type: The event type, for example Traffic or Event. Click the heading to sort events by event type. IPS and Application Control event names are links; select the link to view additional information.
Additional Info: Additional information about the event. Click the heading to sort events by additional information.
Last Occurrence: The date and time that the event was created and added to the events page. Click the heading to sort events by last occurrence.
Pagination: Adjust the number of logs that are listed per page and browse through the pages.
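As an added illustration, not FortiManager's own code or its log format, the following Python models how an event handler rolls matching log entries into the rows shown above: a handler is defined by a log type, filter conditions and a user-configured severity, and each resulting event carries its Count and Last Occurrence. The key=value sample log lines, the Handler class and the handler definitions are constructed for this example.

```python
import shlex
from dataclasses import dataclass
from datetime import datetime

# Constructed sample logs in key=value form (not real device output).
SAMPLE_LOGS = """\
date=2015-03-02 time=10:01:05 type=utm subtype=ips level=alert attack=TestSig
date=2015-03-02 time=10:02:10 type=utm subtype=ips level=alert attack=TestSig
date=2015-03-02 time=10:03:00 type=event subtype=vpn level=error logdesc="IPsec tunnel error"
date=2015-03-02 time=10:04:30 type=utm subtype=webfilter level=warning action=blocked
""".splitlines()

@dataclass
class Handler:
    name: str        # Event Name shown on the Events page
    log_type: str    # the "type=" field the handler listens to (Event Type column)
    filters: dict    # extra field=value conditions; all must match
    severity: str    # user-configured severity: Critical, High, Medium or Low

def parse_log(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def matches(handler, fields):
    """A handler fires when the log type and every filter value match."""
    if fields.get("type") != handler.log_type:
        return False
    return all(fields.get(k) == v for k, v in handler.filters.items())

def build_events(handlers, lines):
    """Roll matching entries into events keyed by Event Name."""
    events = {}
    for line in lines:
        fields = parse_log(line)
        stamp = datetime.fromisoformat(fields["date"] + " " + fields["time"])
        for h in handlers:
            if matches(h, fields):
                ev = events.setdefault(h.name, {"count": 0, "severity": h.severity,
                                                "event_type": h.log_type, "last": stamp})
                ev["count"] += 1                       # Count column
                ev["last"] = max(ev["last"], stamp)    # Last Occurrence column
    return events

HANDLERS = [Handler("IPS alert", "utm", {"subtype": "ips", "level": "alert"}, "High"),
            Handler("VPN error", "event", {"subtype": "vpn"}, "Medium")]
```

Calling build_events(HANDLERS, SAMPLE_LOGS) yields two events: "IPS alert" with a count of 2 and "VPN error" with a count of 1; the webfilter line matches no handler and so produces no event.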

Log View – FortiManager 5.2

Log view

Logging and reporting can help you determine what is happening on your network, as well as informing you of certain network activity, such as the detection of a virus, or IPsec VPN tunnel errors. Logging and reporting go hand in hand, and can become a valuable tool for information gathering, as well as displaying the activity that is happening on the network.

Your FortiManager device collects logs from managed FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiSandbox, FortiWeb, FortiClient, and syslog servers.

Collected logs

Device Type: Log Type
FortiGate: Traffic
  Event: Endpoint, HA, System, Router, VPN, User, WAN Opt. & Cache, and Wireless
  Security: Vulnerability Scan, AntiVirus, Web Filter, Application Control, Intrusion Prevention, Email Filter, Data Leak Prevention, FortiClient
  VoIP
  Content logs are also collected for FortiOS 4.3 devices.
FortiCarrier: Traffic, Event
FortiCache: Traffic, Event, Antivirus, Web Filter
FortiClient: Traffic, Event
FortiMail: History, Event, Antivirus, Email Filter
FortiManager: Event
FortiSandbox: Malware, Network Alerts
FortiWeb: Event, Intrusion Prevention, Traffic
Syslog: Generic

Administrative Domains – FortiManager 5.2

Administrative Domains

FortiManager appliances scale to manage thousands of Fortinet devices. Administrative domains (ADOMs) enable administrators to manage only those devices that are specific to their geographic location or business division. FortiGate devices with multiple VDOMs can be divided among multiple ADOMs.

If ADOMs are enabled, each administrator account is tied to an ADOM. When a particular administrator logs in, they see only those devices or VDOMs that have been enabled for their account. Administrator accounts that have special permissions, such as the admin account, can see and maintain all ADOMs and the devices within those domains.

ADOMs are not enabled by default, and enabling and configuring the domains can only be performed by the admin administrator. For more information, see Enabling and disabling the ADOM feature.

The maximum number of ADOMs you can add depends on the FortiManager system model. Please refer to the FortiManager data sheet for information on the maximum number of devices that your model supports.

This section includes the following topics:

  • Enabling and disabling the ADOM feature
  • ADOM modes
  • ADOM versions
  • Managing ADOMs

What is the best way to organize my devices using ADOMs?

You can organize devices into ADOMs to allow you to better manage these devices. You can organize these devices by:

  • Firmware version: group all devices with the same firmware version into an ADOM.
  • Geographic regions: group all devices for a specific geographic region into an ADOM, and devices for a different region into another ADOM.
  • Administrative users: group devices into separate ADOMs based on the specific administrators responsible for each group of devices.
  • Customers: group all devices for one customer into an ADOM, and devices for another customer into another ADOM.

Enabling and disabling the ADOM feature

To enable or disable the ADOM feature, you must be logged in as the admin administrator. Only this user has the ability to enable or disable this feature.

To enable the ADOM feature:

  1. Log in as admin.
  2. Go to System Settings > Dashboard.
  3. In the system information widget, select Enable next to Administrative Domain.

To disable the ADOM feature:

  1. Remove all the managed devices from all ADOMs.
  2. Delete all non-root ADOMs, by right-clicking on the ADOM in the tree menu in the Device Manager tab and selecting Delete from the pop-up menu.

After removing the ADOMs, you can now disable the ADOM feature.

  1. Go to System Settings > Dashboard.
  2. In the system information widget, select Disable next to Administrative Domain.

ADOM modes

When the ADOMs feature is enabled and you log in as the admin user, all the available ADOMs will be listed in the tree menus on different tabs.

In the Policy & Objects tab, a menu bar is available that allows you to select either Global or a specific ADOM from the drop-down list. Selecting Global or a specific ADOM then displays the policy packages and objects appropriate for your selection.

Switching between ADOMs

As an admin administrator, you are able to move between all the ADOMs created on the FortiManager system. This enables you to view, configure and manage the various domains.

Other administrators are only able to move between the ADOMs to which they have been given permission. They are able to view and administer the domains based on their account's permission settings.

To access a specific ADOM, simply select that ADOM in the tree menu. The FortiManager system presents you with the available options for that domain, depending on what tab you are currently using.

Normal mode ADOMs

When creating an ADOM in Normal Mode, the ADOM is considered Read/Write, where you are able to make changes to the ADOM and managed devices from the FortiManager. FortiGate units in the ADOM will query their own configuration every 5 seconds. If there has been a configuration change, the FortiGate unit will send a diff revision on the change to the FortiManager using the FGFM protocol.

Backup mode ADOMs

When creating an ADOM in Backup Mode, the ADOM is considered Read Only, where you are not able to make changes to the ADOM and managed devices from the FortiManager. Changes are made via scripts which are run on the managed device, or through the device's Web-based Manager or CLI directly. Revisions are sent to the FortiManager when specific conditions are met:

  • Configuration change and session timeout
  • Configuration change and logout
  • Configuration change and reboot
  • Manual configuration backup from the managed device

Backup mode enables you to configure an ADOM where all the devices that are added to the ADOM will only have their configuration backed up. Configuration changes cannot be made to the devices in a backup ADOM. You can push any existing revisions to managed devices. You can still monitor and review the revision history for these devices, and scripting is still allowed for pushing scripts directly to FortiGate units.

ADOM versions

ADOMs can concurrently manage FortiGate units running both FortiOS v4.3 and v5.0, or v5.0 and v5.2, allowing devices running these versions to share a common database. This allows you to continue to manage an ADOM as normal while upgrading the devices within that ADOM.

Each ADOM is associated with a specific FortiOS version, based on the firmware version of the devices that are in that ADOM. This version is selected when creating a new ADOM (see Adding an ADOM), and can be updated after all of the devices within the ADOM have been updated to the latest FortiOS firmware version.

The general steps for upgrading an ADOM that contains multiple devices running FortiOS v4.3 from v4.3 to v5.0 are as follows:

  1. Make sure that the FortiManager unit is upgraded to a version that supports this feature.
  2. In the ADOM, upgrade one of the FortiGate units to FortiOS v5.0, and then resynchronize the device.
  3. All the ADOM objects, including Policy Packages, remain as v4.3.
  4. Upgrade the rest of the FortiGate units in the ADOM to version 5.0 firmware.
  5. Upgrade the ADOM to v5.0. See “Administrative Domains” for more information.

All of the database objects will be converted to the v5.0 format, and the Web-based Manager content for the ADOM will change to reflect the v5.0 features and behavior.