Tag Archives: integrated computer solutions

I really despise Sonic Wall

Sometimes, after a long day of work, the need to vent is so powerful that you can’t overcome it. Well, today is one of those days so I figured I would bless you guys with a little bit of information. If you use a Dell Sonic Wall… I pity you, for you know not what you do… These devices are horrible. Absolutely horrible. Go buy a FortiGate, or hell, a Palo Alto even just to stay away from these things. I seriously almost shot one today with a Springfield Armory XDS 45 ACP. It would have caused an incredibly warm feeling, like that of morphine flowing through your veins, to be experienced by myself. Speaking of which, I will be filming myself shooting AND blowing up some competitor hardware as I remove them from the client’s offices. I thought you guys might get a kick out of that and let’s face it, as soon as I figure out the logistics with doing it legally, I too, will enjoy it. Keep your eyes open for some Fortinet GURU how-to videos. Going to start with videos based on the Cook Book, but with better explanations than what Fortinet provided and then I will move on to tasks and encounters I have seen in the field.

Remember kids, friends don’t let friends buy SonicWall.

Web Security / Web Filter – FortiClient 5.4

Web Security/Web Filter

Web Security/Web Filter allows you to block, allow, warn, and monitor web traffic based on URL category or custom URL filters. URL categorization is handled by the FortiGuard Distribution Network (FDN). You can create a custom URL filter exclusion list which overrides the FDN category.

When FortiClient is not registered to FortiGate, you can enable or disable the Web Security feature. You can define what sites are allowed, blocked, or monitored and view violations.

Enable/Disable Web Security

To enable or disable FortiClient Web Security, toggle the Enable/Disable link in the FortiClient console. Web Security is enabled by default.

Enable/Disable: Select to enable or disable Web Security.

X Violations (In the Last 7 Days): Select to view Web Security log entries of the violations that have occurred in the last 7 days.

Settings: Select to configure the Web Security profile, exclusion list, and settings, and to view violations.

Web Security profile

You can configure a Web Security profile to allow, block, warn, or monitor web traffic based on website categories and sub-categories. Select the settings icon, then select the site category. Select the action icon, then select the action in the drop-down menu for each category or sub-category.


Allow: Set the category or sub-category to Allow to allow access.

Block: Set the category or sub-category to Block to block access. The user will receive a Web Page Blocked message in the web browser.

Warn: Set the category or sub-category to Warn to block access. The user will receive a Web Page Blocked message in the web browser. The user can select to proceed or go back to the previous web page.

Monitor: Set the category or sub-category to Monitor to allow access. The site will be logged.

You can select to enable or disable Site Categories in the Web Security settings page. When site categories are disabled, FortiClient is protected by the exclusion list.

Web Security exclusion list

To manage the exclusion list, select the settings icon then select Exclusion List from the menu. You can add websites to the exclusion list and set the permission to allow, block, monitor, or exempt. Use the add icon to add URLs to the exclusion list. If the website is part of a blocked category, an allow permission in the Exclusion List would allow the user to access the specific URL.


Configure the following settings:

Exclusion List: Select to exclude URLs that are explicitly blocked or allowed. Use the add icon to add URLs and the delete icon to delete URLs from the list. Select a URL and select the edit icon to edit the selection.

URL: Enter a URL or IP address.

Type: Select one of the following pattern types from the drop-down list:

  • Simple
  • Wildcard
  • Regular Expression

Actions Select one of the following actions from the drop-down list:

Block: Block access to the web site regardless of the URL category or sub-category action.

Allow: Allow access to the web site regardless of the URL category or sub-category action.

Monitor: Allow access to the web site regardless of the URL category or sub-category action. A log message will be generated each time a matching traffic session is established.

Web Security settings

To configure web security settings, select the settings icon then select Settings from the menu.


Configure the following settings:

Enable Site Categories: Select to enable Site Categories. When site categories are disabled, FortiClient is protected by the exclusion list.

Log all URLs: Select to log all URLs.

Identify user initiated web browsing: Select to identify web browsing that is user initiated.

View violations

To view Web Security violations, either select the settings icon then select Violations from the menu, or select X Violations (In the Last 7 Days).

 

Website: The website name or IP address.

Category: The website sub-category.

Time: The date and time that the website was accessed.

User: The name of the user generating the traffic. Hover the mouse cursor over the column to view the complete entry in the pop-up bubble message.

Web Filter

When FortiClient is registered to a FortiGate/EMS, the Web Security tab will become the Web Filter tab.

The FortiClient Endpoint Control feature enables the site administrator to distribute a Web Filter profile from a FortiGate or add web filtering to an endpoint profile on EMS.

On a FortiGate device, the overall process is as follows:

  • Create a Web Filter profile on the FortiGate.
  • Add the Web Filter profile to the FortiClient Profile on the FortiGate.

On EMS, web filtering is part of the endpoint profile.


FortiGate

Step 1: Create a Web Filter Profile on the FortiGate

Use the following steps to create a custom Web Filter profile on the FortiGate:

  1. Go to Security Profiles > Web Filter.
  2. To create a new profile, click the create new icon in the toolbar. The New Web Filter Profile page opens.
  3. Configure the following settings:

 

Name: Enter a name for the Web Filter profile.

Comments: Enter a description in the comments field. (optional)

Inspection Mode: This setting is not applicable to FortiClient.

FortiGuard Categories: Select category and sub-category actions.

  • In FortiClient 5.4.0, the Security Risk category is part of the AntiVirus module. The Local Categories category is not applicable to FortiClient. The Authenticate and Disable actions are not applicable to FortiClient.
  • When FortiGuard Categories is disabled, FortiClient will be protected by the Exclusion List configured in the URL in the FortiClient profile.

Categories Usage Quota: This setting is not applicable to FortiClient.

Allow users to override blocked categories: This setting is not applicable to FortiClient.

Search Engines

  Enforce ‘Safe Search’: Select to enable search engine Safe Search on Google, Yahoo!, Bing, and Yandex.

  YouTube Education Filter: Select to enable the YouTube educational filter and enter your filter code. The filter blocks non-educational content as per your YouTube filter code.

  Log all search keywords: This setting is not applicable to FortiClient.

Static URL Filter

  Block invalid URLs: This setting is not applicable to FortiClient.

  URL Filter: Select to enable URL filter. Select Create New to add a URL to the list. For Type, select one of Simple, Reg. Expression, or Wildcard. For Action, select one of Exempt, Block, Allow, or Monitor. For Status, select either Enable or Disable. FortiClient does not support the Exempt action. Any URLs in the URL filter with an exempt action will be added to the FortiClient Exclusion List with an allow action.

  Block malicious URLs discovered by FortiSandbox: Select to block URLs that have been marked as malicious by FortiSandbox. A FortiSandbox device or cloud must be configured.

  Web Content Filter: This setting is not applicable to FortiClient.

Rating Options: These settings are not applicable to FortiClient.

Proxy Options: These settings are not applicable to FortiClient.

  4. Select OK to save the profile.

Step 2: Add the Web Filter profile to the FortiClient Profile

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select the FortiClient Profile then select Edit. The Edit FortiClient Profile page is displayed.
  3. Enable Web Filter, then select the Web Filter profile from the drop-down list.
  4. Optionally, select to enable Client Side when On-Net.
  5. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

The Web Filtering module is now available in FortiClient.
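
The precedence described above (an Exclusion List entry wins over the category action, and Exempt entries in a FortiGate URL filter reach FortiClient as Allow) can be modeled to audit a profile for entries that open up a blocked category. This is an added example, not Fortinet code and not part of the original guide; the UrlEntry type, the function names, the matching semantics for Simple, Wildcard and Regular Expression, the sample URLs and the category ratings are all assumptions made for illustration.

```python
import fnmatch
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class UrlEntry:
    pattern: str
    type: str            # "simple", "wildcard" or "regex"
    action: str          # "exempt", "block", "allow" or "monitor"
    enabled: bool = True


def to_forticlient(fortigate_entries):
    """Exclusion list as FortiClient receives it: Exempt becomes Allow."""
    pushed = []
    for e in fortigate_entries:
        if not e.enabled:        # assumption: disabled entries are not pushed
            continue
        action = "allow" if e.action == "exempt" else e.action
        pushed.append(UrlEntry(e.pattern, e.type, action))
    return pushed


def matches(entry, url):
    """Assumed matching semantics (the guide does not define them)."""
    target = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.lower())  # drop scheme
    host = target.split("/", 1)[0]
    pattern = entry.pattern.lower()
    if entry.type == "simple":       # assumed: exact host name
        return host == pattern
    if entry.type == "wildcard":     # assumed: glob on host or on host/path
        return (fnmatch.fnmatchcase(host, pattern)
                or fnmatch.fnmatchcase(target, pattern))
    if entry.type == "regex":        # assumed: search anywhere in host/path
        return re.search(entry.pattern, target, re.IGNORECASE) is not None
    raise ValueError(f"unknown pattern type: {entry.type}")


def decide(url, category, exclusion_list, category_actions, site_categories=True):
    """Return (action, source): the exclusion list is consulted first."""
    for entry in exclusion_list:
        if matches(entry, url):
            return entry.action, "exclusion list"
    if not site_categories:
        return "allow", "default"    # assumption: unmatched URLs pass
    return category_actions.get(category, "allow"), "category"


def find_overrides(exclusion_list, rated_urls, category_actions):
    """URLs where an allow/monitor entry defeats a block/warn category."""
    findings = []
    for url, category in rated_urls:
        cat_action = category_actions.get(category, "allow")
        action, source = decide(url, category, exclusion_list, category_actions)
        if (source == "exclusion list" and action in ("allow", "monitor")
                and cat_action in ("block", "warn")):
            findings.append((url, category, cat_action, action))
    return findings


# Constructed sample data (not from the guide or any real deployment).
FORTIGATE_URL_FILTER = [
    UrlEntry("social.example.com", "simple", "exempt"),
    UrlEntry("*.example.net", "wildcard", "block"),
    UrlEntry(r"^video\.example\.org/edu/", "regex", "monitor"),
    UrlEntry("old.example.com", "simple", "allow", enabled=False),
]
CATEGORY_ACTIONS = {"Social Networking": "block", "Gambling": "block",
                    "Streaming Media": "warn", "Information Technology": "allow"}
# Ratings normally come from FortiGuard; hard-coded here for the example.
RATED_URLS = [
    ("https://social.example.com/feed", "Social Networking"),
    ("http://bets.example.net/", "Gambling"),
    ("https://video.example.org/edu/lesson1", "Streaming Media"),
    ("https://video.example.org/watch", "Streaming Media"),
    ("https://old.example.com/", "Social Networking"),
]

if __name__ == "__main__":
    client_list = to_forticlient(FORTIGATE_URL_FILTER)
    for url, cat, cat_action, action in find_overrides(
            client_list, RATED_URLS, CATEGORY_ACTIONS):
        print(f"{url}: category {cat!r} is {cat_action}, "
              f"exclusion list says {action}")
```

Each finding is a URL that users can reach even though its category is set to Block or Warn, which makes the list a useful review item whenever a URL filter is changed.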

EMS

To add web filtering to an endpoint profile:

  1. Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
  2. Select the Web Filter
  3. Select the on/off button to add web filtering to the profile.
  4. Adjust the web filter settings as required, then select Save to save your changes.

 

FortiCache 4.0.1 Administration Guide

Introduction

FortiCache high performance web caching appliances address bandwidth saturation, high latency, and poor performance by caching popular internet content locally for carriers, service providers, enterprises, and educational networks. FortiCache appliances reduce the cost and impact of cached content on the network while increasing performance and the end-user experience by improving the speed of delivery of popular repeated content.

About this document

This document contains the following sections:

  • Introduction
  • Concepts
  • System Administration
  • Policy & Objects
  • Objects
  • Security Profiles
  • User Authentication
  • WAN Optimization and Web Caching
  • WCCP
  • Logging

Concepts

FortiCache web caching is a form of object caching that accelerates web applications and web servers by reducing bandwidth usage, server load, and perceived latency.

Web caching involves storing HTML pages, images, videos, servlet responses, and other web-based objects for later retrieval. These objects are stored in the web cache storage location defined by the config wanopt storage command. You can also go to System > Config > Disk to view the storage locations on the FortiCache unit hard disks.

There are three significant advantages to using web caching to improve HTTP performance:

  • reduced bandwidth consumption because fewer requests and responses go over the WAN or Internet
  • reduced web server load because there are fewer requests for web servers to handle
  • reduced latency because responses for cached requests are available from a local FortiCache unit instead of from across the WAN or Internet.

When enabled in a web caching policy, the FortiCache unit caches HTTP traffic processed by that policy. A web caching policy specifies the source and destination addresses and destination ports of the traffic to be cached.

Web caching caches compressed and non-compressed versions of the same file separately. If the HTTP protocol considers the compressed and uncompressed versions of a file the same object, only the compressed or uncompressed file will be cached.

You can also configure a FortiCache unit to operate as a Web Cache Communication Protocol (WCCP) client. WCCP provides the ability to offload web caching to one or more redundant web caching servers.

This chapter describes:

  • Web caching topologies
  • WCCP topologies
  • Content Analysis Service

Web caching topologies

FortiCache web caching involves one or more FortiCache units installed between users and web servers. The FortiCache unit can operate in both Network Address Translator (NAT) and transparent modes. The FortiCache unit intercepts web page requests accepted by web cache policies, requests web pages from the web servers, caches the web page contents, and returns the web page contents to the users. When the FortiCache unit intercepts subsequent requests for cached web pages, the FortiGate unit contacts the destination web server just to check for changes.

Most commonly the topology uses a router to route HTTP and HTTPS traffic to be cached to one or more FortiCache units. Traffic that should not be cached bypasses the FortiCache units. This is a scalable topology that allows you to add more FortiCache units if usage increases.


Web caching topology with web traffic routed to FortiCache units

You can also configure reverse proxy web-caching. In this configuration, users on the Internet browse to a web server installed behind a FortiCache unit. The FortiCache unit intercepts the web traffic (HTTP and HTTPS) and caches pages from the web server. Reverse proxy web caching on the FortiGate unit reduces the number of requests that the web server must handle, leaving it free to process new requests that it has not serviced before. Since all traffic is to be cached the FortiCache unit can be installed in Transparent mode directly between the web server and the Internet.

Reverse proxy web caching topology

The reverse proxy configuration can also include a router to route web traffic to a group of FortiCache units operating in Transparent Mode. This is also a scalable solution for reverse proxy web caching.

Reverse proxy web caching topology with web traffic routed to FortiCache unit

When web objects and video are cached on the FortiCache hard disk, the FortiCache unit returns traffic to the client using the cached object from cache storage. The clients do not connect directly to the server.

When web objects and video are not available on the FortiCache hard disk, the FortiCache unit forwards the request to the original server. If the HTTP response indicates it is a cacheable object, the object is forwarded to cache storage and the HTTP request is served from cache storage. Any other HTTP request for the same object will be served from cache storage as well.

The FortiCache unit forwards HTTP responses that cannot be cached from the server back to the client that originated the HTTP request.

 


All non-HTTP traffic and HTTP traffic that is not cached by FortiCache will pass through the unit. HTTP traffic is not cached by the FortiCache unit if a web cache policy has not been added for it.

WCCP topologies

You can operate a FortiCache unit as a WCCP cache engine. As a cache engine, the FortiCache unit returns the required cached content to the client web browser. If the cache server does not have the required content, it accesses the content, caches it, and returns the content to the client web browser.

WCCP topology

WCCP is transparent to client web browsers. The web browsers do not have to be configured to use a web proxy.

Content Analysis Service

FortiGuard Content Analysis Service is a licensed feature for the real-time analysis of images in order to detect adult content. Detection of adult content in images uses various patented techniques (not just color-based), including limb and body part detection, body position, etc.

Once detected, such content can be optionally blocked or reported.

Please contact your Fortinet Account Manager should you require a trial of this service. You can purchase this service from support.fortinet.com.

For configuration information, see Content Analysis on page 101.

FortiBridge 4.0 Administration Guide

Introduction

FortiBridge enables you to add traffic monitoring and security devices to your network, without any loss in network integrity.

FortiBridge supports two normal modes of operation: inline mode and TAP mode. Inline mode supports network configurations that require in-line monitoring/security devices. TAP mode supports various traffic TAP configurations, where the main network path is mirrored to the monitoring devices.

The FortiBridge product provides monitoring features to ensure that any inline or TAP devices do not impact network integrity and availability. For example, FortiBridge runs a heartbeat probe for in-line configurations, and automatically switches to Bypass mode if the heartbeat fails.

Bypass mode provides active and passive bypass circuitry. Active bypass restores the traffic path between network ports, if the monitoring path fails. If the FortiBridge suffers a catastrophic failure such as power loss, it automatically reverts to Passive Bypass mode, so that traffic flow is not interrupted.

Hardware Configurations

The FortiBridge consists of a host system (a 1U chassis), which houses up to three bypass modules.

A bypass module supports one or more network segments. A network segment provides one inline or bypass traffic path. Each segment provides two network ports (NET0 and NET1) and two monitoring ports (MON1 and MON2).

The following bypass modules are available:

  • 40G bypass module
      • Supports one bypass segment.
      • Supports 40G Single mode fiber (40GBase-SR4) network standards.
      • Provides MPO/LC ports for the network ports.
      • Provides QSFP+ ports for the monitor ports.
  • Dual-rate 1/10G bypass module
      • Supports two bypass segments.
      • Supports dual rate 1/10G Multimode Fiber (10GBase-SR, 1000Base-SX) network standards.
      • Supports dual rate 1/10G Single mode fiber (10GBase-LR, 1000Base-LX) network standards.
      • Provides MPO/LC Duplex ports for the network ports.
      • Provides SFP+ ports for the monitor ports.

The network ports have built-in transceivers. The monitor ports require plug-in optical transceivers. The correct transceivers are delivered (pre-installed) with your FortiBridge product.

Product Overview

Modes of Operation

Each FortiBridge segment operates in one of the following modes:

  • Inline mode
      • The system diverts all incoming network traffic to the monitoring ports. No traffic flows directly between the network ports.
      • The inline network element must bridge the traffic between the monitoring ports.
      • The system monitors the inline traffic path using a heartbeat probe.
      • In the event of a fault, the segment transitions to one of the bypass modes (Bypass, TAP or Fail-cutoff mode, depending on configuration values).
      • When the fault condition clears, the segment can automatically transition back to Inline mode (the exact behavior is defined by configuration values). The segment transitions to Inline mode only after it detects that the heartbeat probe is working again.
  • TAP mode
      • The system sends traffic between the network ports, and incoming traffic is mirrored to the monitoring ports.
      • The system does not provide a heartbeat probe on the mirrored path (because the network path is the primary traffic path).
      • If the system loses power, the traffic path is maintained between the network ports (the segment transitions to passive bypass mode).
  • Bypass mode
      • The system sends traffic only between the network ports, and not to the monitoring ports.
  • Fail-cutoff mode
      • The system disables the links on the network ports, to simulate cable disconnection between the network devices.

FortiAuthenticator 4.0 System

System

The System tab enables you to manage and configure the basic system options for the FortiAuthenticator unit. This includes the basic network settings to connect the device to the corporate network, the configuration of administrators and their access privileges, managing and updating firmware for the device, and managing messaging servers and services.

The System tab provides access to the following menus and sub-menus:

Dashboard: Select this menu to monitor, and troubleshoot your FortiAuthenticator device. Dashboard widgets include:

  • System Information widget
  • System Resources widget
  • Authentication Activity widget
  • User Inventory widget
  • HA Status
  • License Information widget
  • Disk Monitor
  • Top User Lockouts widget

Network: Select this menu to configure your FortiAuthenticator interfaces and network settings.

  • Interfaces
  • DNS
  • Static routing
  • Packet capture

Administration: Select this menu to configure administrative settings for the FortiAuthenticator device.

  • GUI access
  • High availability
  • Firmware
  • Automatic backup
  • SNMP
  • Licensing
  • FortiGuard
  • FTP servers
  • Administration

Messaging: Select this menu to configure messaging servers and services for the FortiAuthenticator device.

  • SMTP servers
  • E-mail services
  • SMS gateways

Dashboard

When you select the System tab, it automatically opens at the System > Dashboard page.

The Dashboard page displays widgets that provide performance and status information and enable you to configure some basic system settings. These widgets appear on a single dashboard.

The following widgets are available:

System Information: Displays basic information about the FortiAuthenticator system including host name, DNS domain name, serial number, system time, firmware version, architecture, system configuration, current administrator, and up time. From this widget you can manually update the FortiAuthenticator firmware to a different release. For more information, see System Information widget on page 25.

System Resources: Displays the usage status of the CPU and memory. For more information, see System Resources widget on page 29.

Authentication Activity: Displays a customizable graph of the number of logins to the device. For more information, see Authentication Activity widget on page 29.

User Inventory: Displays the numbers of users, groups, FortiTokens, FSSO users, and FortiClient users currently used or logged in, as well as the maximum allowed number, the number still available, and the number that are disabled. For more information, see User Inventory widget on page 29.

HA Status: Displays whether or not HA is enabled.

License Information: Displays the device’s license information, as well as SMS information. For more information, see License Information widget on page 29.

Disk Monitor: Displays if RAID is enabled, and the current disk usage in GB.

Top User Lockouts: Displays the top user lockouts. For more information, see Top User Lockouts widget on page 30.

Customizing the dashboard

The FortiAuthenticator system settings dashboard is customizable. You can select which widgets to display, where they are located on the page, and whether they are minimized or maximized.

To move a widget

Position your mouse cursor on the widget’s title bar, then click and drag the widget to its new location.

To add a widget

In the dashboard toolbar, select Add Widget, then select the name of the widget that you want to show. Multiple widgets of the same type can be added. To hide a widget, in its title bar, select the Close icon.

To see the available options for a widget

Position your mouse cursor over the icons in the widget’s title bar. Options include show/hide the widget, edit the widget, refresh the widget content, and close the widget.

The following table lists the widget options.

Show/Hide arrow: Display or minimize the widget.

Widget Title: The name of the widget.

Edit: Select to change settings for the widget. This option appears only in certain widgets.

Refresh: Select to update the displayed information.

Close: Select to remove the widget from the dashboard. You will be prompted to confirm the action. To add the widget, select Widget in the toolbar and then select the name of the widget you want to show.

To change the widget title

Widget titles can be customized by selecting the edit button in the title bar and entering a new title in the widget settings dialog box. Some widgets have more options in their respective settings dialog box.

To reset a widget title to its default name, simply leave the Custom widget title field blank.

The widget refresh interval can also be manually adjusted from this dialog box.

System Information widget

The system dashboard includes a System Information widget, which displays the current status of the FortiAuthenticator unit and enables you to configure basic system settings.

The following information is available on this widget:

Host Name: The identifying name assigned to this FortiAuthenticator unit. For more information, see Changing the host name on page 26.

DNS Domain Name: The DNS domain name. For more information, see Changing the DNS domain name on page 27.

Serial Number: The serial number of the FortiAuthenticator unit. The serial number is unique to the FortiAuthenticator unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.

System Time: The current date, time, and time zone on the FortiAuthenticator internal clock or NTP server. For more information, see Configuring the system time, time zone, and date on page 27.

Firmware Version: The version number and build number of the firmware installed on the FortiAuthenticator unit. To update the firmware, you must download the latest version from the Customer Service & Support portal at https://support.fortinet.com. Select Update and select the firmware image to load from your management computer.

Architecture: The architecture of the device, such as 32-bit.

System Configuration: The date of the last system configuration backup. Select Backup/Restore to backup or restore the system configuration. For more information, see Backing up and restoring the configuration on page 28.

Current Administrator: The name of the currently logged on administrator.

Uptime: The duration of time the FortiAuthenticator unit has been running since it was last started or restarted.

Shutdown/Reboot: Options to shutdown or reboot the device. When rebooting or shutting down the system, you have the option to enter a message that will be added to the event log explaining the reason for the shutdown or reboot.

Changing the host name

The System Information widget will display the full host name.

To change the host name:

  1. Go to System > Dashboard.
  2. In the System Information widget, in the Host Name field, select Change. The Edit Host Name page opens.
  3. In the Host name field, type a new host name.

The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.

  4. Select OK to save the setting.

FortiAuthenticator 4.0 Setup

Setup

For information about installing the FortiAuthenticator unit and accessing the CLI or GUI, refer to the Quick Start Guide provided with your unit.

This chapter provides basic setup information for getting started with your FortiAuthenticator device. For more detailed information about specific system options, see System on page 23.

The following topics are included in this section:

  • Initial setup
  • Adding a FortiAuthenticator unit to your network
  • Maintenance
  • CLI commands
  • Troubleshooting

Initial setup

The following section provides information about setting up the Virtual Machine (VM) version of the product.

FortiAuthenticator VM setup

Before using FortiAuthenticator-VM, you need to install the VMware application to host the FortiAuthenticator-VM device. The installation instructions for FortiAuthenticator-VM assume you are familiar with VMware products and terminology.

System requirements

For information on the FortiAuthenticator-VM system requirements, please see the product datasheet available at http://www.fortinet.com/products/fortiauthenticator.

FortiAuthenticator-VM has kernel support for more than 4GB of RAM in VM images. However, this support also depends on the VM player version. For more information, see: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1014006

The default Hardware Version is 4 to support the widest base of VM players. However you can modify the VM Hardware Version by editing the following line in the FortiAuthenticator-VM.vmx file:

virtualHW.version = "4"

FortiAuthenticator-VM image installation and initial setup

The following procedure describes setup on VMware Fusion.

 


To set up the FortiAuthenticator VM image:

  1. Download the VM image ZIP file to the local computer where VMware is installed.
  2. Extract the files from the zip file into a folder.
  3. In your VMware software, go to File > Open.
  4. Navigate to the expanded VM image folder, select the FortiAuthenticator-VM.vmx file, and select Open. VMware will install and start FortiAuthenticator-VM. This process can take a minute or two to complete.
  5. At the FortiAuthenticator login prompt, enter admin and press Enter.
  6. At the password prompt, press Enter. By default, there is no password.
  7. At the CLI prompt enter the following commands:

set port1-ip 192.168.1.99/24
set default-gw 192.168.1.2

Substitute your own desired FortiAuthenticator IP address and default gateway.

You can now connect to the GUI at the IP address you set for port 1.

Suspending the FortiAuthenticator-VM can have unintended consequences. Fortinet recommends that you do not use the suspend feature of VMware. Instead, shut down the virtual FortiAuthenticator system using the GUI or CLI, and then shut down the virtual machine using the VMware console.

Administrative access

Administrative access is enabled by default on port 1. Using the GUI, you can enable administrative access on other ports if necessary.

To add administrative access to an interface:

  1. Go to System > Network > Interfaces and select the interface you need to add administrative access to. See Interfaces on page 30.
  2. In Admin access, select the types of access to allow.
  3. Select OK.

GUI access

To use the GUI, point your browser to the IP address of port 1 (192.168.1.99 by default). For example, enter the following in the URL box:

https://192.168.1.99

Enter admin as the UserName and leave the Password field blank.

HTTP access is not enabled by default. To enable access, use the set ha-mgmt-access command in the CLI (see CLI commands on page 19), or enable HTTP access on the interface in the GUI (see Interfaces on page 30).

For security reasons, the host or domain names that the GUI responds to are restricted. The list of trusted hosts is automatically generated from the following:


  • Configured hostname
  • Configured DNS domain name
  • Network interface IP addresses that have HTTP or HTTPS enabled
  • HA management IP addresses

Additional IP addresses and host or domain names that the GUI responds to can be defined in the GUI Access settings. See GUI access on page 34.

Telnet

CLI access is available using telnet to the port1 interface IP address (192.168.1.99 by default). Use the telnet -K option so that telnet does not attempt to log on using your user ID. For example:

$ telnet -K 192.168.1.99

At the FortiAuthenticator login prompt, enter admin. When prompted for password press Enter. By default there is no password. When you are finished, use the exit command to end the telnet session.

CLI access using Telnet is not enabled by default. To enable access, use the set ha-mgmt-access command in the CLI (see CLI commands on page 19), or enable Telnet access on the interface in the GUI (see Interfaces on page 30).

SSH

SSH provides secure access to the CLI. Connect to the port1 interface IP address (192.168.1.99 by default). Specify the user name admin or SSH will attempt to log on with your user name. For example:

$ ssh admin@192.168.1.99

At the password prompt press Enter. By default there is no password. When you are finished, use the exit command to end the session.

Reports

Reports

FortiAnalyzer units can analyze information collected from the log files of managed log devices. It then presents the information in tabular and graphical reports that provide a quick and detailed analysis of activity on your networks.

To reduce the number of reports needed, reports are independent from devices, and contain layout information in the form of a report template. The devices, and any other required information, can be added as parameters to the report at the time of report generation.

The Reports tab allows you to configure reports using the predefined report templates, configure report schedules, view report history and the report calendar, and configure and view charts, macros, datasets, and output profiles.

If ADOMs are enabled, each ADOM will have its own report settings including chart library, macro library, dataset library, and output profiles.

FortiCache, FortiMail and FortiWeb reports are available when ADOMs are enabled. Reports for these devices are configured within their respective default ADOM. These devices also have device specific charts and datasets.

This chapter contains the following sections:

  • Reports
  • Report layouts
  • Chart library
  • Macro library
  • Report calendar
  • Advanced

Reports

FortiAnalyzer includes preconfigured reports and report templates for FortiGate, FortiMail, and FortiWeb log devices. These report templates can be used as is, or you can clone and edit the templates. You can also create new reports and report templates that can be customized to your requirements. For a list of preconfigured reports see “Report Templates” on page 207.

Predefined report templates are identified by a blue report icon, and custom report templates are identified by a green report icon. When a schedule has been enabled, the schedule icon will appear to the left of the report template name.

In the Reports tab, go to Reports > [report] to view and configure the report configuration, advanced settings, and layout, and to view completed reports. The currently running reports and completed reports are shown in the View Report tab; see “View report tab” on page 173.

Figure 118: Report page

Right-clicking on a template in the tree menu opens a pop-up menu with the following options:

Report

  • Create New: Create a new report. See “To create a new report:” on page 167.
  • Rename: Rename a report.
  • Clone: Clone the selected report. See “To clone a report:” on page 167.
  • Delete: Delete the report. The default reports cannot be deleted. See “To delete a report:” on page 167.
  • Import: Import a report. See “Import and export” on page 167.
  • Export: Export a report. See “Import and export” on page 167.

Custom report templates are identified by the custom report icon beside the report name. Predefined report templates are identified by the predefined report icon.

Folder

  • Create New: Create a new report folder. See “To create a new report folder:” on page 168.
  • Rename: Rename a report folder. See “To rename a report folder:” on page 168.
  • Delete: Delete a report folder. Any report templates in the folder will be deleted. See “To delete a report folder:” on page 168.

Reports and report templates can be created, edited, cloned, and deleted. You can also import and export report templates. New content can be added to and organized on a template, including: new sections, three levels of headings, text boxes, images, charts, and line and page breaks.

To create a new report:

  1. In the Reports tab, right-click on Reports in the tree menu.
  2. Under the Report heading, select Create New.

The Create New Report dialog box opens.

  3. Enter a name for the new report and select OK.
  4. Configure report settings in the Configuration tab. The configuration tab includes time period, device selection, report type, schedule, and notifications.
  5. Select the Report layouts to configure the report template.
  6. Select the Advanced settings tab to configure report filters and other advanced settings.
  7. Select Apply to save the report template.

To clone a report:

  1. Right-click on the report you would like to clone in the tree menu and select Clone.

The Clone Report Template dialog box opens.

  2. Enter a name for the new template, then select OK.

A new template with the same information as the original template is created with the given name. You can then modify the cloned report as required.

To delete a report:

  1. Right-click on the report template that you would like to delete in the tree menu, and select Delete under the Report heading.
  2. In the confirmation dialog box, select OK to delete the report template.

Import and export

Report templates can be imported from and exported to the management computer.

To import a report template:

  1. Right-click on Reports, and select Import.

The Import Report Template dialog box opens.

  2. Select Browse, locate the report template (.dat) file on your management computer, and select OK.

The report template will be loaded into the FortiAnalyzer unit.

To export a report template:

  1. Right-click on the report you would like to export in the tree menu and select Export.
  2. If a dialog box opens, select to save the file (.dat) to your management computer, and select OK.

The report template can now be imported to another FortiAnalyzer device.

Report folders

Report folders can be used to help organize your reports.

To create a new report folder:

  1. In the Reports tab, right-click on Reports in the tree menu.
  2. Under the Folder heading, select Create New.
  3. In the Create New Folder dialog box, enter a name for the folder, and select OK.

A new folder is created with the given name.

To rename a report folder:

  1. Right-click on the report folder that you need to rename in the tree menu.
  2. Under the Folder heading, select Rename.
  3. In the Rename Folder dialog box, enter a new name for the folder, and select OK.

To delete a report folder:

  1. Right-click on the report folder that you would like to delete in the tree menu, and select Delete under the Folder heading.
  2. In the confirmation dialog box, select OK to delete the report folder.

Configuration tab

In FortiAnalyzer v5.2.0 and later, the Reports tab layout has changed. When creating a new report, the Configuration tab is the first tab that is displayed. In this tab you can configure the time period, select devices, enable schedules, and enable notification.

Report schedules provide a way to schedule an hourly, daily, weekly, or monthly report so that the report will be generated at a specific time. You can also manually run a report schedule at any time, and enable or disable report schedules. Report schedules can also be edited and disabled from the Report Calendar. See “Report calendar” on page 198 for more information.

Figure 119: Configuration tab

The following settings are available in the Configuration tab:

  • Time Period: The time period that the report will cover. Select a time period, or select Other to manually specify the start and end date and time.
  • Devices: The devices that the report will include. Select either All Devices or Specify to add specific devices. Select the add icon to select devices.
  • User or IP: Enter the user name or the IP address of the user on whom the report will be based. This field is only available for the three predefined report templates in the Detailed User Report folder.
  • Type: Select either Single Report (Group Report) or Multiple Reports (Per-Device). This option is only available if multiple devices are selected.
  • Enable Schedule: Select to enable report template schedules.
  • Generate PDF Report Every: Select when the report is generated. Enter a number for the frequency of the report based on the time period selected from the drop-down list.
  • Starts On: Enter a starting date and time for the file generation.
  • Ends: Enter an ending date and time for the file generation, or set it for never ending.
  • Enable Notification: Select to enable report notification.
  • Output Profile: Select the output profile from the drop-down list, or select Create New to create a new output profile. See “Output profile” on page 203.

Logs, Reports, and Alerts

Logs, reports and alerts

The Log and Report menu lets you configure logging, reports, and alert email.

FortiMail units provide extensive logging capabilities for virus incidents, spam incidents and system events. Detailed log information and reports provide analysis of network activity to help you identify security issues and reduce network misuse and abuse.

Logs are useful when diagnosing problems or when you want to track actions the FortiMail unit performs as it receives and processes traffic.

This section includes:

  • About FortiMail logging
  • Configuring logging
  • Configuring report profiles and generating reports
  • Configuring alert email
  • Viewing log messages
  • Viewing generated reports

About FortiMail logging

FortiMail units can log many different email activities and traffic including:

  • system-related events, such as system restarts and HA activity
  • virus detections
  • spam filtering results
  • POP3, SMTP, IMAP and webmail events

You can select which severity level an activity or event must meet in order to be recorded in the logs. For more information, see “Log message severity levels” on page 668.

A FortiMail unit can save log messages to its hard disk or a remote location, such as a Syslog server or a Fortinet FortiAnalyzer unit. For more information, see “Configuring logging” on page 671. It can also use log messages as the basis for reports. For more information, see “Configuring report profiles and generating reports” on page 676.

Accessing FortiMail log messages

There are several ways you can access FortiMail log messages:

  • On the FortiMail web UI, you can view log messages by going to Monitor > Log. For details, see the FortiMail Administration Guide.
  • On the FortiMail web UI, under Monitor > Log, you can download log messages to your local PC and view them later.
  • You can send log messages to a FortiAnalyzer unit by going to Log and Report > Log Settings > Remote Log Settings, and then view them on the FortiAnalyzer unit.
  • You can send log messages to any Syslog server by going to Log and Report > Log Settings > Remote Log Settings.