Tag Archives: fortinet tricks

Global Server Load Balancing – FortiBalancer

Chapter 14 Global Server Load Balancing (GSLB)

14.1 Overview

GSLB (Global Server Load Balance) is also known as Smart DNS (SDNS). This function allows you to distribute Web traffic among a collection of servers deployed in multiple geographic locations. We will cover introduction of GSLB and the examples of GSLB configuration in this chapter.

14.2 Understanding Global Server Load Balance

In GSLB solution, the FortiBalancer appliance works as a complementary DNS server which is able to resolve a set of defined domain names based on load balancing methods. When DNS queries (typically forwarded by corporate DNS server or ISP DNS server) for the domain name are received, GSLB function will resolve the domain name with IP addresses selected from its Domain Name and IP Service Database with configured load balancing method.

SDNS maintains a local Domain Name and IP Service Database by continuously exchanging their local load (Hello message) and domain name/IP address information (Report message) with other members (also FortiBalancer appliances) in the GSLB network. For example, when an FortiBalancer appliance joins the SDNS network, the FortiBalancer appliance will continuously send its local domain name/IP address information to all other participating members (see LLB configuration). For each message transmitted, a confirmation message is expected in return. If a confirmation message is missed or a message is not updated for a period of time (3 tries), GSLB will mark the non-responsive member as down and all the domain name/IP addresses that are hosted by that FortiBalancer appliance will be removed from its local Domain Name and IP Service Database.

The SDNS process works as follows:

 

Figure 14-1 SDNS Working Mechanism

As shown in the above figure, the SDNS module will process a normal DNS request from the client as follows:

  1. The client’s browser generates a DNS request for the domain name of the Web site he wants to visit, and sends the request to its local DNS server.
  2. The local DNS server receives the request and searches in its local cache. If no cache entry hits, it will forward the request to the upper-level SDNS device. In the above example figure, the request is sent to an SDNS server at Beijing according to configurations on the local DNS server.
  3. The SDNS server at Beijing continuously collects the status information of all the application servers in its local Domain Name and IP Service Database, and then forwards the request to a proper application server based on pre-configured load balancing algorithms. In the above example, the application server at New York is selected.
  4. The SDNS server at Beijing returns back the IP addresses of the application server at New York to the local application server of the client.
  5. Upon receiving the response, the local application server forwards IP address to the client directly.
  6. The client’s browser uses the IP address in the response to open an HTTP connection with the corresponding FortiBalancer appliance and proceeds to download the Web page.

In this process, the response is cached on both the client’s local DNS server and the client’s browser.

Note: In this chapter, we will use the term “member” or “SDNS member” frequently. Either

“member” or “SDNS member” is an FortiBalancer appliance which participates in the GSLB management.

14.2.1 SDNS Member Reporter-Receiver Hierarchy

All SDNS members can be divided into two groups: SDNS server and HTTP proxy cache server. They are all FortiBalancer appliances, while HTTP proxy cache servers serve as the “reporter” and SDNS servers serve as the “receiver”.

 

Figure 14-2 SDNS Reporter-Receiver Hierarchy

SDNS Servers

SDNS servers are responsible for DNS resolving. Every HTTP proxy cache server will report its status information to SDNS servers. The status information includes:

  • The domain name configured on proxy cache servers
  • The IPs which are configured for a domain name and their status (“UP” or “DOWN”)
  • The domain name traffic on proxy servers, IP traffic and proxy traffic
  • The status of proxy cache servers (“UP” or “DOWN”)

HTTP Proxy Cache Servers

HTTP proxy cache servers are responsible for HTTP services. All kinds of HTTP requests will be directed to HTTP proxy cache servers, mostly by the SDNS servers. The HTTP proxy cache servers will collect the local status information and send it to SDNS servers at specified frequency. If an FortiBalancer appliance is a DNS server and a proxy cache server at the same time, it will report its local status information to all the SDNS servers (including itself) and collect the status information from all the proxy cache servers.

Logging – FortiAuthenticator 4.0

Logging

Accounting is an important part of FortiAuthenticator. The Logging menu tree provides a record of the events that have taken place on the FortiAuthenticator unit.

Log access

To view the log events table, go to Logging > Log Access > Logs.

The following options and information are available:

Refresh Refresh the log list.
Download Raw Log Export the FortiAuthenticator log to your computer as a text file named fac.log.
Log Type Reference Select to view the log type reference dialog box. See Log type reference on page 155.
Debug Report Select to download the debug report to your computer as a file named report.dbg.
Search Enter a search term in the search field, then select Search to search the log message list.

The search string must appear in the Message portion of the log entry to result in a match. To prevent each term in a phrase from being matched separately, multiple keywords must be in quotes and be an exact match. After the search is complete the number of positive matches will be displayed next to the Search button, with the total number of log entries in brackets following. Select the total number of log entries to return to the full list. Subsequent searches will search all the log entries, and not just the previous search’s results.

ID The log message’s ID.
Timestamp The time the message was received.

Log access                                                                                                                                              Logging

Level The log severity level:

Emergency: The system has become unstable. l Alert: Immediate action is required. l Critical: Functionality is affected.

Error: An erroneous condition exists, and functionality is probably affected.

Warning: Functionality could be affected. l Notification: Information about normal events. l Information: General information about system operations. l Debug: Detailed information useful for debugging purposes.

Category The log category, which is always Event. See Log type reference on page 155.
Sub category The log subcategory. See Log type reference on page 155.
Type id The log type ID.
Action The action which created the log message, if applicable.
Status The status of the action that created the log message, if applicable.
NAS name/IP The NAS name or IP address of the relevant device if an authentication action fails.
Short message The log message itself, sometimes slightly shortened.
User The user to whom the log message pertains.

To view log details:

From the log list, select the log whose details you need to view by clicking anywhere within the log’s row. The Log Details pane will open on the right side of the window.

After viewing the log details, select the close icon in the top right corner of the pane to close the details pane. Log type reference

Select Log Type Reference in the log list toolbar to open the log type reference dialog box.

The following information and options are available:

Search   Enter a search term in the search field, then select Search to search the log type reference.
Type id   The log type ID.
>Name   The name of the log type.

155

Logging                                                                                                                                               Log access

Sub category The log type subcategory, one of: Admin Configuration, Authentication, System, High Availability, UserPortal, or Web Service.
Category The log type category, which is always Event.
Description A brief description of the log type.

To close the Log Type Reference dialog box, select close above the top right corner of the box, or simply click anywhere outside of the box within the log list.

Log configuration                                                                                                                                    Logging

Sort the log messages

The log message table can be sorted by any column. To sort the log entries by a particular column, select the title for that column. The log entries will now be displayed based on data in that column in ascending order. Select the column heading again to sort the entries in descending order. Ascending or descending is displayed with an arrow next to the column title, an up arrow for ascending and down arrow for descending.

Log configuration

Logs can be remotely backed up to an FTP server, automatically deleted, and sent to a remote syslog server in lieu of storing them locally.

Log settings

To configure log backups, automatic deletion, and remote storage, go to Logging > Log Config > Log Setting.

To configure log backups:

  1. In the log settings window, select Enable remote backup in the Log Backup
  2. Select the frequency of the backups in the Frequency field as either Daily, Weekly, or Monthly.
  3. Configure the time of day that the backup will occur in one of the following ways:

l Enter a time in the Time field l Select Now to enter the current time l Select the clock icon and choose a time from the pop-up menu: Now, Midnight, 6 a.m., or Noon.

  1. Select an FTP server from the drop-down list in the FTP server For information on configuring an FTP server, see FTP servers on page 44.
  2. Select OK to save your settings.

To configure automatic log deletion:

  1. In the log settings window, select Enable log auto-deletion in the Log Auto-Deletion
  2. In the Auto-delete logs older than field, select day(s), week(s), or month(s) from the drop-down list, then enter the number of days, weeks, or months after which a log will be deleted.
  3. Select OK to save your settings.

157

Logging                                                                                                                                    Log configuration

To configure logging to a remote syslog server:

  1. In the log settings window, select Send logs to remote Syslog servers in the Remote Syslog
  2. Move the syslog servers to which the logs will be sent from the Available syslog servers box to the Chosen syslog servers

For information on adding syslog servers, see Syslog servers on page 158.

  1. Select OK to save your settings.

Syslog servers

Syslog servers can be used to store remote logs. To view the syslog server list, go to Logging > Log Config > Syslog Servers.

Create New   Add a new syslog server.
Delete   Delete the selected syslog server or servers.
Edit   Edit the selected syslog server.
Name   The syslog server name on the FortiAuthenticator unit.
Server name/IP   The server name or IP address, and port number.

To add a syslog server:

  1. From the syslog servers list, select Create New. The Create New Syslog Server window opens.
  2. Enter the following information:
Name Enter a name for the syslog server on the FortiAuthenticator unit.
Server name/IP Enter the syslog server name or IP address.
Port Enter the syslog server port number. The default port is 514.
Level Select a log level to store on the remote server from the drop-down list. See Level on page 155.
Facility Select a facility from the drop-down list.
  1. Select OK to add the syslog server.

 

 

Certificate Management – FortiAuthenticator 4.0

Certificate Management

This section describes managing certificates with the FortiAuthenticator device.

FortiAuthenticator can act as a CA for the creation and signing of X.509 certificates, such as server certificates for HTTPS and SSH, and client certificates for HTTPS, SSL, and IPSEC VPN.

The FortiAuthenticator unit has several roles that involve certificates:

Certificate authority The administrator generates CA certificates that can validate the user certificates generated on this FortiAuthenticator unit.

The administrator can import other authorities’ CA certificates and Certificate Revocation Lists (CRLs), as well as generate, sign, and revoke user certificates. See End entities on page 133 for more information.

SCEP server A SCEP client can retrieve any of the local CA certificates (Local CAs on

page 140), and can have its own user certificate signed by the FortiAuthenticator unit CA.

Remote LDAP

Authentication

Acting as an LDAP client, the FortiAuthenticator unit authenticates users against an external LDAP server. It verifies the identity of the external LDAP server by using a trusted CA certificate, see Trusted CAs on page 147.
EAP Authentication The FortiAuthenticator unit checks that the client’s certificate is signed by one of the configured authorized CA certificates, see Certificate authorities on page 140. The client certificate must also match one of the user certificates, see End entities on page 133.

Any changes made to certificates generate log entries that can be viewed at Logging > Log Access > Logs. See Logging on page 154.

This chapter includes the following sections:

l Policies l End entities l Certificate authorities l SCEP

Policies

The policies section includes global configuration settings which are applied across all certificate authorities and end-entity certificates created on the FortiAuthenticator device.

Certificate expiry

Certificate expiration settings can be configured in Certificate Management > Policies > Certificate Expiry.

 

The following settings can be configured:

Warn when a certificate is about to expire Enable sending a warning message to an administrator before a certificate expires.
Send a warning e-mail Enter the number of days before the certificate expires that the email will be sent.
Administrator’s e-mail Enter the email address to which the expiry warning message will be sent.

Select OK to apply any configuration changes.

End entities

User and server certificates are required for mutual authentication on many HTTPS, SSL, and IPsec VPN network resources. You can create a user certificate on the FortiAuthenticator device, or import and sign a CSR. User certificates, client certificates, or local computer certificates are all the same type of certificate.

To view the user certificate list, go to Certificate Management > End Entities > Users. To view the server certificate list, go to Certificate Management > End Entities > Local Services.

The following information is available:

Create New   Create a new certificate.
Import   Select to import a certificate signed by a third-party CA for a previously generated CSR (see To import a local user certificate: on page 138 and To import a server certificate: on page 138) or to import a CSR to sign (see To import a CSR to sign: on page 138).
Revoke   Revoke the selected certificate. See To revoke a certificate: on page 139.
Delete   Delete the selected certificate.
Export Certificate   Save the selected certificate to your computer.
Export PKCS#12   Export the PKCS#12. This is only available for user certificates.
Search   Enter a search term in the search field, then press Enter to search the certificate list.
Filter   Select to filter the displayed certificates by status. The available selections are: All, Pending, Expired, Revoked, and Active.
Certificate ID   The certificate ID.
Subject   The certificate’s subject.
Issuer The issuer of the certificate.
Status The status of the certificate, either active, pending, or revoked.

Certificates can be created, imported, exported, revoked, and deleted as required. CSRs can be imported to sign, and the certificate detail information can also be viewed, see To view certificate details: on page 140.

To create a new certificate:

  1. To create a new user certificate, go to Certificate Management > End Entities > Users. To create a new server certificate, go to Certificate Management > End Entities > Local Services.
  2. Select Create New to open the Create New UserCertificate or Create New ServerCertificate
  3. Configure the following settings:

 

Certificate ID Enter a unique ID for the certificate.
Certificate Signing Options  
Issuer Select the issuer of the certificate, either Local CA or Third-party CA. Selecting Third-party CA generates a CSR that is to be signed by a third-party CA.
Local User (Optional) If Local CA is selected as the issuer, you may select a local user from the drop-down list to whom the certificate will apply.This option is only available when creating a new user certificate.
Certificate authority If Local CA is selected as the issuer, select one of the available CAs configured on the FortiAuthenticator unit from the drop-down list. The CA must be valid and current. If it is not you will have to create or import a CA certificate before continuing. See Certificate authorities on page 140.
Subject Information  
Subject input method Select the subject input method, either Fully distinguished name or

Field-by-field.

Fully distinguished name If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes.Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive.
Field-by-field If the subject input method is Field-by-field, enter the subject name in the Name (CN) field, and optionally enter the following fields:

Department (OU) l Company (O) l City (L) l State/Province (ST)

Country (C) (select from drop-down list) l E-mail address

Key and Signing Options  
Validity period Select the amount of time before this certificate expires. This option is only available when Issuer is set to Local CA.

Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires.

Key type The key type is set to RSA.
Key size Select the key size from the drop-down list: 1024, 2048, or 4096 bits.
Hash algorithm Select the hash algorithm from the drop-down list, either SHA-1 or SHA-256.

 

Subject Alternative Name Subject Alternative Names (SAN) allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard.

For example, SANs are used to protect multiple domain names such as www.example.com and www.example.net, in contrast to wildcard certificates that can only protect all first-level subdomains on one domain, such as *.example.com.

Email Enter the email address of a user to map to this certificate.
User Principal Name (UPN) Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.
Other Extensions This option is only available when creating a new user certificate, and when Issuer is set to Local CA.
Add CRL Distribution Points extension Select to add CRL distribution points extension to the certificate. Note: Once a certificate is issued with this extension, the server must be able to handle the CRL request at the specified location.

A DNS domain name must be configured. If it has not been, select Edit DNS name to configure one. See DNS on page 31.

Use certificate for Smart Card logon Select to use the certificate for smart card logon.
Advanced Options: Key Usages Some certificates require the explicit presence of key usage attributes before the certificate can be accepted for use.
Digital Signature a high-integrity signature that assures the recipient that a message was not altered in transit
Non Repudiation an authentication that is deemed as genuine with high assurance
Key Encipherment uses the public key to encrypt private or secret keys
Data Encipherment uses the public key to encrypt data
Key Agreement an interactive method for multiple parties to establish a cryptographic key, based on prior knowledge of a password
Certificate Sign a message from an applicant to a certificate authority in order to apply for a digital identity certificate
CRL Sign a Certificate Revocation List (CRL) Sign states a validity period for an issued certificate
Encipher Only information will be converted into code only
Decipher Only code will be converted into information only
Advanced Options: Extended Key Usages Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use.

 

Server Authentication authentication will only be granted when the user submits their credentials to the server
Client Authentication authentication will be granted to the server by exchanging a client certificate
Code Signing used to confirm the software author, and guarantees that the code has not been altered or corrupted through use of a cryptographic hash
Secure Email a secure email sent over SSL encryption
OCSP Signing Online Certificate Status Protocol (OCSP) Signing sends a request to the server for certificate status information. The server will send back a response of “current”, “expired”, or “unknown”. OCSP permits a grace period to users or are expired, allowing them a limited time period to renew. This is usually used over CRL.
IPSec End System  
IPSec Tunnel Termination IPSec SAs (Security Associations) are terminated through deletion or by timing out
IPSec User  
IPSec IKE

Intermediate (end entity)

An intermediate certificate is a subordinate certificate issued by a trusted root specifically to issue end-entity certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate CA (or CAs) and ending with the SSL certificate issued to you.
Time Stamping  
Microsoft Individual Code Signing user submits information that is compared to an independent consumer database to validate their credentials
Microsoft Commercial Code Signing user submits information that proves their identity as corporate representatives
Microsoft Trust List Signing uses a Certificate Trust List (CTL), a list of hashes of certificates. The list is comprised of pre-authenticated items that were approved by a trusted signing entity
Microsoft/Netscape Server Gated Crypto a defunct mechanism that stepped up 40-bit and 50-bit to 128-bit cipher suites with SSL
Microsoft Encrypted File System the Encrypted File System (EFS) enables files to be transparently encrypted to protect confidential data
Microsoft EFS File Recovery the certificate will be granted on the condition it has an EFS file recovery agent prepared
Smart Card Logon the certificate will be granted on the condition that the user logs on to the network with a smart card
EAP over PPP/LAN Extensible Authentication Protocol (EAP) will operate within either a Point-to-Point Protocol (PPP) or Local Area Network (LAN) framework
KDC Authentication an Authentication Server (AS) forwards usernames to a key distribution center (KDC), which issues an encrypted, time stamped ticket back to the user
  1. Select OK to create the new certificate.

To import a local user certificate:

  1. Go to Certificate Management > End Entities > Users and select Import.
  2. In the Import Signing Request orCertificate window, in the Type field, select Local certificate.
  3. Select .. to locate the certificate file on your computer.
  4. Select OK to import the certificate.

To import a server certificate:

  1. to Certificate Management > End Entities > Local Services and select Import.
  2. In the Import Certificate window, select .. to locate the certificate file on your computer.
  3. Select OK to import the certificate.

To import a CSR to sign:

  1. Go to Certificate Management > End Entities > Users and select Import.
  2. In the Import Signing Request orCertificate window, in the Type field, select CSR to sign.
  3. Configure the following settings:
Certificate ID Enter a unique ID for the certificate.
CSR file (.csr, .req) Select Browse… then locate the CSR file on your computer.
Certificate Signing Options  
Certificate authority Select one of the available CAs configured on the FortiAuthenticator from the         drop-      down     list.

The CA must be valid and current. If it is not you will have to create or import a CA certificate before continuing. See Certificate authorities on page 140.

Validity period Select the amount of time before this certificate expires. Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires
Hash algorithm Select the hash algorithm from the drop-down list, either SHA-1 or SHA256.
Subject Alternative Name  
Email Enter the email address of a user to map to this certificate.
User Principal Name (UPN) Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique the Windows Server domain. This is a form of one-to-one mapping.
Other Extensions  
                     Add            CRL

Distribution

Points extension

Select to add CRL distribution points extension to the certificate. Note: Once a certificate is issued with this extension, the server must be able to handle the CRL request at the specified location. A DNS domain name must be configured. If it has not been, select Edit DNS name to configure one. See DNS on page 31.
Use certificate for

Smart Card logon

Select to use the certificate for smart card logon. This option can only be selected concurrently with Add CRL Distribution Points extension.
  1. Select OK to import the CSR.

To revoke a certificate:

  1. Go to Certificate Management > End Entities > Users or to Certificate Management > End Entities > Local Services.
  2. Select the certificate the will be revoked, then select Revoke. The Revoke UserCertificate or Revoke Server Certificate window opens.
  3. Select a reason for revoking the certificate from the Reason code drop-down list. The reasons available are:

l Unspecified l Key has been compromised l CA has been compromised l Changes in affiliation l Superseded l Operation ceased l On Hold

 

Some of these reasons are security related (such as the key or CA being compromised), while others are more business related; a change in affiliation could be an employee leaving the company; Operation ceased could be a project that was cancelled.

  1. Select OK to revoke the certificate.

To view certificate details:

From the certificate list, select a certificate ID to open the Certificate Detail Information window.

Select Edit next to the Certificate ID field to change the certificate ID. If any of this information is out of date or incorrect, you will not be able to use this certificate. If this is the case, delete the certificate and re-enter the information in a new certificate, see To create a new certificate: on page 134. Select Close to return to the certificate list.

Key Concepts

Key Concepts

This chapter defines basic FortiAnalyzer concepts and terms.

If you are new to FortiAnalyzer, this chapter can help you to quickly understand this document and your FortiAnalyzer platform.

This topic includes:

  • Administrative domains
  • Operation modes
  • Log storage
  • Workflow

Administrative domains

Administrative domains (ADOMs) enable the admin administrator to constrain other

FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific device’s VDOM.

Enabling ADOMs alters the structure of and the available functions in the Web-based Manager and CLI, according to whether or not you are logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator account’s assigned access profile. See “System Information widget” on page 46 for information on enabling and disabling

ADOMs.

For information on working with ADOMs, see “Administrative Domains” on page 27. For information on configuring administrators and administrator settings, see“Admin” on page 73.

Operation modes

The FortiAnalyzer unit has two operation modes:

  • Analyzer: The default mode that supports all FortiAnalyzer features. This mode used for aggregating logs from one or more log collectors. In this mode, the log aggregation configuration function is disabled.
  • Collector: The mode used for saving and uploading logs. For example, instead of writing logs to the database, the collector can retain the logs in their original (binary) format for uploading. In this mode, the report function and some functions under the System Settings tab are disabled.

The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a buffer to the FortiAnalyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

The mode of operation that you choose will depend on your network topology and individual requirements. For information on how to select an operation mode, see “Changing the operation mode” on page 50.

Feature comparison between analyzer and collector mode

The operation mode options have been simplified to two modes, Analyzer and Collector. Standalone mode has been removed.

Table 2: Feature comparison between Analyzer and Collector modes

  Analyzer Mode Collector Mode
Event Management Yes No
Monitoring (drill-down/charts) Yes No
Reporting Yes No
FortiView/Log View Yes Yes
Device Manager Yes Yes
System Settings Yes Yes
Log Forwarding No Yes

Analyzer mode

The analyzer mode is the default mode that supports all FortiAnalyzer features. If your network log volume does not compromise the performance of your FortiAnalyzer unit, you can choose this mode.

Figure 1 illustrates the network topology of the FortiAnalyzer unit in analyzer mode.

Figure 1: Topology of the FortiAnalyzer unit in analyzer mode

 

Analyzer and collector mode

The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a buffer to the analyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

In most cases, the volume of logs fluctuates dramatically during a day or week. You can deploy a collector to receive and store logs during the high traffic periods and transfer them to the analyzer during the low traffic periods. As a result, the performance of the analyzer is guaranteed as it will only deal with log insertion and reporting when the log transfer process is over.

As illustrated in Figure 2: company A has two remote branch networks protected by multiple FortiGate units. The networks generate large volumes of logs which fluctuate significantly during a day. It used to have a FortiAnalyzer 4000B in analyzer mode to collect logs from the FortiGate units and generate reports. To further boost the performance of the FortiAnalyzer 4000B, the company deploys a FortiAnalyzer 400C in collector mode in each branch to receive logs from the FortiGate units during the high traffic period and transfer bulk logs to the FortiAnalyzer 4000B during the low traffic period.

Figure 2: Topology of the FortiAnalyzer units in analyzer/collector mode

FortiAnalyzer v5.2.0 Administration Guide

To set up the analyzer/collector configuration:

  1. On the FortiAnalyzer unit, go to System Settings > Dashboard.
  2. In the System Information widget, in the Operation Mode field, select Change.
  3. Select Analyzer in the Change Operation Mode dialog box.
  4. Select OK.
  5. On the first collector unit, go to System Settings > Dashboard.
  6. In the System Information widget, in the Operation Mode field, select Change.
  7. Select Collector the Change Operation Mode dialog box.
  8. Select OK.

For more information on configuring log forwarding, see “Log forwarding” on page 40.

Log storage

The FortiAnalyzer unit supports Structured Query Language (SQL) logging and reporting. The log data is inserted into the SQL database for generating reports. Both local and remote SQL database options are supported.

For more information, see “Reports” on page 165.

Workflow

Once you have successfully deployed the FortiAnalyzer platform in your network, using and maintaining your FortiAnalyzer unit involves the following:

  • Configuration of optional features, and re-configuration of required features if required by changes to your network
  • Backups
  • Updates
  • Monitoring reports, logs, and alerts