
Certificates – FortiAnalyzer – FortiOS 6.2.3


Certificates

The FortiAnalyzer generates a certificate request based on the information you entered to identify the FortiAnalyzer unit. After you generate a certificate request, you can download the request to a management computer and then forward the request to a CA.

Local certificates are issued for a specific server, or website. Generally they are very specific, and often for an internal enterprise network.

CA root certificates are similar to local certificates, however they apply to a broader range of addresses or to an entire company.

The CRL is a list of certificates that have been revoked and are no longer usable. This list includes expired, stolen, or otherwise compromised certificates. If your certificate is on this list, it will not be accepted. CRLs are maintained by the CA that issues the certificates and include the date and time when the next CRL will be issued, as well as a sequence number to help ensure you have the most current versions.

Local certificates

The FortiAnalyzer unit generates a certificate request based on the information you enter to identify the FortiAnalyzer unit. After you generate a certificate request, you can download the request to a computer that has management access to the FortiAnalyzer unit and then forward the request to a CA.

The certificate window also enables you to export certificates for authentication, importing, and viewing.

The FortiAnalyzer has one default local certificate: Fortinet_Local.

You can manage local certificates from the System Settings > Certificates > Local Certificates page. Some options are available in the toolbar and some are also available in the right-click menu.

Creating a local certificate

To create a certificate request:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Click Create New in the toolbar. The Generate Certificate Signing Request pane opens.
  3. Enter the following information as required, then click OK to save the certificate request:
Certificate Name   The name of the certificate.
Subject Information   Select the ID type from the dropdown list:
  • Host IP: Select if the unit has a static IP address. Enter the public IP address of the unit in the Host IP field.
  • Domain Name: Select if the unit has a dynamic IP address and subscribes to a dynamic DNS service. Enter the domain name of the unit in the Domain Name field.
  • Email: Select to use an email address. Enter the email address in the Email Address field.
Optional Information
  Organization Unit (OU)   The name of the department. You can enter a series of OUs up to a maximum of 5. To add or remove an OU, use the plus (+) or minus (-) icons.
  Organization (O)   Legal name of the company or organization.
  Locality (L)   Name of the city or town where the device is installed.
  State/Province (ST)   Name of the state or province where the FortiGate unit is installed.
  Country (C)   Select the country where the unit is installed from the dropdown list.
  E-mail Address (EA)   Contact email address.
Subject Alternative Name   Optionally, enter one or more alternative names for which the certificate is also valid. Separate names with a comma. A name can be:
  • e-mail address
  • IP address
  • URI
  • DNS name (alternatives to the Common Name)
  • directory name (alternatives to the Distinguished Name)
  You must precede the name with the name type. Examples:
  • IP:1.1.1.1
  • email:test@fortinet.com
  • email:my@other.address
  • URI:http://my.url.here/
Key Type   The key type can be RSA or Elliptic Curve.
Key Size   Select the key size from the dropdown list: 512 Bit, 1024 Bit, 1536 Bit, or 2048 Bit. This option is only available when the key type is RSA.
Curve Name   Select the curve name from the dropdown list: secp256r1 (default), secp384r1, or secp521r1. This option is only available when the key type is Elliptic Curve.
Enrollment Method   The enrollment method is set to File Based.
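The name-type prefixes the Subject Alternative Name field expects (IP:, email:, URI:) are the same keywords OpenSSL's subjectAltName takes, so the form's values can be checked and written out as a request config before they are entered. The following is an added example, not FortiAnalyzer's code or Fortinet's documentation: parse_san, check_key and openssl_req_config are hypothetical names, the DNS: and dirName: prefixes are assumed for the "DNS name" and "directory name" entries (the page shows no example for them), the 2048-bit RSA floor is an assumed policy rather than something the page states, and the subject values are constructed.

```python
"""Validate the values the Generate Certificate Signing Request form takes
(subject fields, name-typed SANs, key type/size/curve) and render them as an
OpenSSL request config. Added example, not FortiAnalyzer's code; the helper
names are hypothetical and the 2048-bit RSA floor is an assumed policy."""
from __future__ import annotations

import ipaddress
import re

# Name types the form accepts, keyed by the prefix typed before the value. The
# page shows IP:, email: and URI:; DNS: and dirName: are the OpenSSL keywords
# assumed here for the "DNS name" and "directory name" entries.
SAN_TYPES = ("IP", "email", "URI", "DNS", "dirName")
RSA_SIZES = (512, 1024, 1536, 2048)                   # sizes the form offers
EC_CURVES = ("secp256r1", "secp384r1", "secp521r1")   # curves the form offers
MIN_RSA_BITS = 2048                                   # assumed policy floor
MAX_OU = 5                                            # page: at most 5 OUs


def parse_san(field: str) -> list[tuple[str, str]]:
    """Split the comma-separated 'type:value' list into (type, value) pairs,
    rejecting entries with no recognised type prefix or a malformed value."""
    entries = []
    for raw in field.split(","):
        item = raw.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"name type prefix missing: {item!r}")
        kind, value = item.split(":", 1)
        if kind not in SAN_TYPES:
            raise ValueError(f"unknown name type {kind!r} in {item!r}")
        if kind == "IP":
            ipaddress.ip_address(value)          # raises ValueError if not an address
        if kind == "email" and not re.fullmatch(r"[^@\s]+@[^@\s]+", value):
            raise ValueError(f"malformed e-mail address: {value!r}")
        entries.append((kind, value))
    return entries


def check_key(key_type: str, *, size: int | None = None, curve: str | None = None) -> list[str]:
    """Warnings for the chosen key; an empty list means the choice passes policy."""
    warnings = []
    if key_type == "RSA":
        if size not in RSA_SIZES:
            raise ValueError(f"RSA size {size} is not offered by the form")
        if size < MIN_RSA_BITS:
            warnings.append(f"RSA-{size} is below the {MIN_RSA_BITS}-bit floor; select 2048 Bit")
    elif key_type == "Elliptic Curve":
        if curve not in EC_CURVES:
            raise ValueError(f"curve {curve!r} is not offered by the form")
    else:
        raise ValueError(f"unknown key type {key_type!r}")
    return warnings


def openssl_req_config(subject: dict, san: list[tuple[str, str]]) -> str:
    """Render an openssl.cnf fragment equivalent to the form's fields. `subject`
    uses the DN attribute types shown in the form (CN, OU, O, L, ST, C, EA); OU
    may be a list, emitted with OpenSSL's numbered-key syntax for repeats."""
    ous = subject.get("OU", [])
    ous = [ous] if isinstance(ous, str) else list(ous)
    if len(ous) > MAX_OU:
        raise ValueError(f"at most {MAX_OU} OUs are allowed")
    dn = [f"{a} = {subject[a]}" for a in ("CN", "O", "L", "ST", "C") if a in subject]
    dn += [f"{i}.OU = {ou}" for i, ou in enumerate(ous)]
    if "EA" in subject:
        dn.append(f"emailAddress = {subject['EA']}")
    lines = ["[req]", "distinguished_name = dn", "prompt = no"]
    if san:
        lines.append("req_extensions = ext")
    lines += ["", "[dn]", *dn]
    if san:
        lines += ["", "[ext]", "subjectAltName = " + ", ".join(f"{k}:{v}" for k, v in san)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed input mirroring the form's own SAN examples.
    names = parse_san("IP:1.1.1.1, email:test@fortinet.com, URI:http://my.url.here/")
    print(openssl_req_config({"CN": "faz.example.net", "O": "Example Corp", "C": "US"}, names))
    print(check_key("RSA", size=1024))
```

The rendered fragment can be handed to `openssl req -new -config` to produce a request with the same subject and SANs as the form would; the point of `check_key` is that the form still offers 512- and 1024-bit RSA, which a CA should refuse.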

Importing local certificates

To import a local certificate:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Click Import in the toolbar or right-click and select Import. The Import dialog box opens.
  3. Enter the following information as required, then click OK to import the local certificate:
Type   Select the certificate type from the dropdown list: Local Certificate, PKCS #12 Certificate, or Certificate.
Certificate File   Click Browse… and locate the certificate file on the management computer, or drag and drop the file onto the dialog box.
Key File   Click Browse… and locate the key file on the management computer, or drag and drop the file onto the dialog box. This option is only available when Type is Certificate.
Password   Enter the certificate password. This option is only available when Type is PKCS #12 Certificate or Certificate.
Certificate Name   Enter the certificate name. This option is only available when Type is PKCS #12 Certificate or Certificate.

Deleting local certificates

To delete a local certificate or certificates:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Select the certificate or certificates you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected certificate or certificates.

Viewing details of local certificates

To view details of a local certificate:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Select the certificates that you would like to see details about, then click View Certificate Detail in the toolbar or right-click menu. The View Local Certificate page opens.
  3. Click OK to return to the local certificates list.

Downloading local certificates

To download a local certificate:

  1. Go to System Settings > Certificates > Local Certificates.
  2. Select the certificate that you need to download.
  3. Click Download in the toolbar, or right-click and select Download, and save the certificate to the management computer.

When an object is added to a policy package and assigned to an ADOM, the object is available in all devices that are part of the ADOM. If the object is renamed on a device locally, FortiManager automatically syncs the renamed object to the ADOM.

CA certificates

The FortiAnalyzer has one default CA certificate, Fortinet_CA. In this sub-menu you can delete, import, view, and download certificates.

Importing CA certificates

To import a CA certificate:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Click Import in the toolbar, or right-click and select Import. The Import dialog box opens.
  3. Click Browse… and locate the certificate file on the management computer, or drag and drop the file onto the dialog box.
  4. Click OK to import the certificate.

Viewing CA certificate details

To view a CA certificate’s details:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Select the certificates you need to see details about.
  3. Click View Certificate Detail in the toolbar, or right-click and select View Certificate Detail. The View CA Certificate page opens.
  4. Click OK to return to the CA certificates list.

Downloading CA certificates

To download a CA certificate:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Select the certificate you need to download.
  3. Click Download in the toolbar, or right-click and select Download, and save the certificate to the management computer.

Deleting CA certificates

To delete a CA certificate or certificates:

  1. Go to System Settings > Certificates > CA Certificates.
  2. Select the certificate or certificates you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected certificate or certificates.

Certificate revocation lists

When you apply for a signed personal or group certificate to install on remote clients, you can obtain the corresponding root certificate and Certificate Revocation List (CRL) from the issuing CA.

The CRL is a list of certificates that have been revoked and are no longer usable. This list includes expired, stolen, or otherwise compromised certificates. If your certificate is on this list, it will not be accepted. CRLs are maintained by the CA that issues the certificates and include the date and time when the next CRL will be issued, as well as a sequence number to help ensure you have the most current version of the CRL.

When you receive the signed personal or group certificate, install the signed certificate on the remote client(s) according to the browser documentation. Install the corresponding root certificate (and CRL) from the issuing CA on the FortiAnalyzer unit according to the procedures given below.
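The two fields the text singles out, the time of the next issue and the sequence number, are what a verifier checks before it trusts a CRL: a list past its next-issue time says nothing about current status, and a list with a lower number than the one already held is an old copy and must not replace it. The following added example (not from the page or from Fortinet) models that decision over a constructed in-memory CRL instead of parsing a real DER file; Crl, is_current, should_replace, certificate_status and demo are hypothetical names, and the serial numbers and dates are made up.

```python
"""Decide whether a CRL copy is still usable and whether a newly obtained copy
should replace it, using the two fields the text calls out: the time of the
next issue (nextUpdate) and the sequence number (cRLNumber). Added example
over a constructed in-memory CRL model; it does not parse DER and none of
the names are FortiAnalyzer's."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    crl_number: int
    revoked_serials: set[int] = field(default_factory=set)


def is_current(crl: Crl, now: datetime) -> bool:
    """A CRL is only trustworthy between thisUpdate and nextUpdate."""
    return crl.this_update <= now < crl.next_update


def should_replace(cached: Crl | None, fetched: Crl, now: datetime) -> bool:
    """Accept a fetched CRL only if it is current, from the same issuer and its
    number is strictly higher; an equal or lower number means an older copy was
    served (or replayed) and must not overwrite what is cached."""
    if not is_current(fetched, now):
        return False
    if cached is None:
        return True
    return fetched.issuer == cached.issuer and fetched.crl_number > cached.crl_number


def certificate_status(crl: Crl, serial: int, now: datetime) -> str:
    """'revoked', 'good', or 'unknown' when the CRL is stale and no decision is possible."""
    if not is_current(crl, now):
        return "unknown"
    return "revoked" if serial in crl.revoked_serials else "good"


def demo() -> tuple[str, bool, str, bool]:
    """Constructed scenario: the cached list expired yesterday and a fresh one
    (number 42) revokes a second serial; a replayed copy numbered 41 is refused."""
    now = datetime(2020, 3, 10, tzinfo=timezone.utc)
    cached = Crl("Example CA", now - timedelta(days=8), now - timedelta(days=1), 41, {0x1001})
    fresh = Crl("Example CA", now - timedelta(days=1), now + timedelta(days=6), 42, {0x1001, 0x1002})
    replay = Crl("Example CA", now - timedelta(days=1), now + timedelta(days=6), 41, {0x1001})
    before = certificate_status(cached, 0x1002, now)       # "unknown": stale list, fail closed
    accepted = should_replace(cached, fresh, now)          # True
    after = certificate_status(fresh, 0x1002, now)         # "revoked"
    replay_accepted = should_replace(fresh, replay, now)   # False: number not higher
    return before, accepted, after, replay_accepted


if __name__ == "__main__":
    print(demo())
```

Returning "unknown" rather than "good" for a stale list is the deliberate choice: a certificate revoked after the cached list was issued would otherwise be accepted until the next import.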

Importing a CRL

To import a CRL:

  1. Go to System Settings > Certificates > CRL.
  2. Click Import in the toolbar, or right-click and select Import. The Import dialog box opens.
  3. Click Browse… and locate the CRL file on the management computer, or drag and drop the file onto the dialog box.
  4. Click OK to import the CRL.

Viewing a CRL

To view a CRL:

  1. Go to System Settings > Certificates > CRL.
  2. Select the CRL you need to see details about.
  3. Click View Certificate Detail in the toolbar, or right-click and select View Certificate Detail. The Result page opens.
  4. Click OK to return to the CRL list.

Deleting a CRL

To delete a CRL or CRLs:

  1. Go to System Settings > Certificates > CRL.
  2. Select the CRL or CRLs you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected CRL or CRLs.

Log Forwarding – FortiAnalyzer – FortiOS 6.2.3


Log Forwarding

You can forward logs from a FortiAnalyzer unit to another FortiAnalyzer unit, a syslog server, or a Common Event Format (CEF) server when you use the default forwarding mode in log forwarding.

The client is the FortiAnalyzer unit that forwards logs to another device. The server is the FortiAnalyzer unit, syslog server, or CEF server that receives the logs.

In addition to forwarding logs to another unit or server, the client retains a local copy of the logs. The local copy of the logs is subject to the data policy settings for archived logs. See Log storage on page 21 for more information.

To see a graphical view of the log forwarding configuration, and to see details of the devices involved, go to System Settings > Logging Topology. For more information, see Logging Topology on page 166.

Modes

FortiAnalyzer supports two log forwarding modes: forwarding (default), and aggregation.

Forwarding

Logs are forwarded in real-time or near real-time as they are received. Forwarded content files include: DLP files, antivirus quarantine files, and IPS packet captures.

This mode can be configured in both the GUI and CLI.

Aggregation

As FortiAnalyzer receives logs from devices, it stores them, and then forwards the collected logs at a specified time every day.

FortiAnalyzer supports log forwarding in aggregation mode only between two FortiAnalyzer units. Syslog and CEF servers are not supported.

Aggregation mode can only be configured with the log-forward and log-forward-service CLI commands. See the FortiAnalyzer CLI Reference for more information.
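A CEF server receives each forwarded record as a single CEF line, and the two escaping rules of that format (a pipe inside a header field, an equals sign inside an extension value) are what most hand-written receivers get wrong. The following added example, not from the page and not Fortinet's own mapping, encodes a constructed FortiGate-style key=value record as CEF and parses it back; parse_kv_log, to_cef and from_cef are hypothetical names, and the choice of which fields land in the header and the severity table are assumptions, since the page does not describe how FortiAnalyzer maps its logs to CEF.

```python
"""Encode a key=value log record as a CEF message the way a CEF receiver expects
it, and parse such a message back, honouring the two escaping rules that break
naive implementations: '|' in header fields and '=' in extension values. Added
example: the field mapping, severity table and sample record are constructed;
the page does not document FortiAnalyzer's own CEF mapping."""
from __future__ import annotations

import re
import shlex

# Constructed FortiGate-style record; the message value deliberately contains '=' and '|'.
SAMPLE_LOG = ('date=2020-03-10 time=10:15:01 devid="FGT60E-lab" logid="0419016384" '
              'type="utm" subtype="ips" level="high" srcip=10.0.0.5 dstip=10.0.0.9 '
              'action="dropped" msg="sig match: a=b|c"')

SEVERITY = {"critical": 9, "high": 7, "medium": 5, "low": 3}   # assumed mapping to CEF 0-10


def parse_kv_log(line: str) -> dict[str, str]:
    """Split a 'key=value key="quoted value"' line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def _esc_header(v: str) -> str:
    # Header fields: backslash and pipe must be escaped.
    return v.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v: str) -> str:
    # Extension values: backslash and '=' must be escaped; line breaks become \r \n.
    return v.replace("\\", "\\\\").replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")


def to_cef(rec: dict[str, str], vendor: str = "Fortinet", product: str = "FortiGate") -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    header = ["CEF:0", vendor, product, rec.get("devid", "unknown"), rec.get("logid", "0"),
              f"{rec.get('type', '')}:{rec.get('subtype', '')}",
              str(SEVERITY.get(rec.get("level", ""), 1))]
    ext = {"src": rec.get("srcip"), "dst": rec.get("dstip"),
           "act": rec.get("action"), "msg": rec.get("msg")}
    ext_str = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items() if v is not None)
    return "|".join(_esc_header(h) for h in header) + "|" + ext_str


# One extension term: key, then a value that runs (lazily) up to the next ' key=' or the end.
_EXT_TERM = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?= \w+=|$)")


def _unescape(raw: str) -> str:
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append({"n": "\n", "r": "\r"}.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def from_cef(msg: str) -> tuple[list[str], dict[str, str]]:
    """Return the seven header fields and the extension dict of one CEF message."""
    fields, cur, i = [], [], 0
    while i < len(msg) and len(fields) < 7:
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg):        # escaped '|' or '\' inside a header field
            cur.append(msg[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: fewer than 7 '|'-separated fields")
    ext = {k: _unescape(v) for k, v in _EXT_TERM.findall(msg[i:])}
    return fields, ext


if __name__ == "__main__":
    line = to_cef(parse_kv_log(SAMPLE_LOG))
    print(line)
    print(from_cef(line))
```

Splitting the header on a bare `|` would cut the constructed message `sig match: a=b|c` in two; the scanner above consumes `\|` as a literal pipe, and the extension regex stops a value only at a real ` key=` boundary, so an escaped `\=` inside a value is kept.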

Fetcher Management – FortiAnalyzer – FortiOS 6.2.3


Fetcher Management

Log fetching is used to retrieve archived logs from one FortiAnalyzer device to another. This allows administrators to run queries and reports against historic data, which can be useful for forensic analysis.

The fetching FortiAnalyzer can query the server FortiAnalyzer and retrieve the log data for a specified device and time period, based on specified filters. The retrieved data are then indexed, and can be used for data analysis and reports.

Log fetching can only be done on two FortiAnalyzer devices running the same firmware. A FortiAnalyzer device can be either the fetch server or the fetching client, and it can perform both roles at the same time with different FortiAnalyzer devices. Only one log fetching session can be established at a time between two FortiAnalyzer devices.

The basic steps for fetching logs are:

  1. On the client, create a fetching profile. See Fetching profiles on page 196.
  2. On the client, send the fetch request to the server. See Fetch requests on page 197.
  3. If this is the first time fetching logs with the selected profile, or if any changes have been made to the devices and/or ADOMs since the last fetch, on the client, sync devices and ADOMs with the server. See Synchronizing devices and ADOMs on page 199.
  4. On the server, review the request, then either approve or reject it. See Request processing on page 199.
  5. Monitor the fetch process on either FortiAnalyzer. See Fetch monitoring on page 200.
  6. On the client, wait until the database is rebuilt before using the fetched data for analysis.

Fetching profiles

Fetching profiles can be managed from the Profiles tab on the System Settings > Fetcher Management pane.

Profiles can be created, edited, and deleted as required. The profile list shows the name of the profile, as well as the IP address of the server it fetches from, the server and local ADOMs, and the administrator name on the fetch server.

To create a new fetching profile:

  1. On the client, go to System Settings > Fetcher Management.
  2. Select the Profiles tab, then click Create New in the toolbar, or right-click and select Create New from the menu. The Create New Profile dialog box opens.
  3. Configure the following settings, then click OK to create the profile.
Name   Enter a name for the profile.
Server IP   Enter the IP address of the fetch server.
User   Enter the username of an administrator on the fetch server, which, together with the password, authenticates the fetch client’s access to the fetch server.
Password   Enter the administrator’s password, which, together with the username, authenticates the fetch client’s access to the fetch server.

To edit a fetching profile:

  1. Go to System Settings > Fetching Management.
  2. Double-click on a profile, right-click on a profile then select Edit, or select a profile then click Edit in the toolbar. The Edit Profile pane opens.
  3. Edit the settings as required, then click OK to apply your changes.

To delete a fetching profile or profiles:

  1. Go to System Settings > Fetching Management.
  2. Select the profile or profiles you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected profile or profiles.

Fetch requests

A fetch request requests archived logs from the fetch server configured in the selected fetch profile. When making the request, the ADOM on the fetch server the logs are fetched from must be specified. An ADOM on the fetching client must be specified or, if needed, a new one can be created. If logs are being fetched to an existing local ADOM, you must ensure the ADOM has enough disk space for the incoming logs.

The data policy for the local ADOM on the client must also support fetching logs from the specified time period. It must keep both archive and analytics logs long enough so they will not be deleted in accordance with the policy. For example: Today is July 1, the ADOM’s data policy is configured to keep analytics logs for 30 days (June 1 – 30), and you need to fetch logs from the first week of May. The data policy of the ADOM must be adjusted to keep analytics and archive logs for at least 62 days to cover the entire time span. Otherwise, the fetched logs will be automatically deleted after they are fetched.
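The retention check in the paragraph above is worth automating before a request is sent, because the failure mode is silent: the logs arrive and are then purged by the local ADOM's own policy. The following is an added example, not FortiAnalyzer's code; required_retention_days, check_fetch_against_policy and page_example are hypothetical names, and it assumes that a policy of N days keeps a log until it is more than N days old, so a log that is already 61 days old on fetch day needs N of at least 62, which reproduces the page's figure. The year in the scenario is constructed, since the page gives none.

```python
"""Check a fetch request's time period against the local ADOM's data policy
before the request is sent, reproducing the 62-day figure from the example
above. Added example; it assumes a policy of N days keeps a log until it is
more than N days old, so a log already 61 days old on fetch day needs N >= 62
to survive. The function names are mine, not FortiAnalyzer's."""
from __future__ import annotations

from datetime import date


def required_retention_days(today: date, earliest_log_day: date) -> int:
    """Retention (in days) the local ADOM needs so the oldest fetched log is not
    purged as soon as it arrives: its age in days plus one."""
    if earliest_log_day > today:
        raise ValueError("fetch period cannot start in the future")
    return (today - earliest_log_day).days + 1


def check_fetch_against_policy(today: date, period_start: date,
                               analytics_days: int, archive_days: int) -> dict:
    """Compare the policy's analytics and archive retention with what the
    request needs; shortfall_days is how far the weaker setting must grow.
    Both must cover the period, as the text says, not just one of them."""
    need = required_retention_days(today, period_start)
    return {
        "required_days": need,
        "analytics_ok": analytics_days >= need,
        "archive_ok": archive_days >= need,
        "shortfall_days": max(0, need - min(analytics_days, archive_days)),
    }


def page_example(analytics_days: int = 30, archive_days: int = 365) -> dict:
    """The page's scenario: today is July 1, analytics kept 30 days, and logs
    are wanted from the first week of May (year constructed as 2020)."""
    return check_fetch_against_policy(date(2020, 7, 1), date(2020, 5, 1),
                                      analytics_days, archive_days)


if __name__ == "__main__":
    print(page_example())
```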

To send a fetch request:

  1. On the fetch client, go to System Settings > Fetcher Management and select the Profiles tab.
  2. Select the profile, then click Request Fetch in the toolbar, or right-click and select Request Fetch from the menu. The Fetch Logs dialog box opens.
  3. Configure the following settings, then click Request Fetch.
Name   Displays the name of the fetch server you have specified.
Server IP   Displays the IP address of the server you have specified.
User   Displays the username of the server administrator you have provided.
Secure Connection   Select to use an SSL connection to transfer fetched logs from the server.
Server ADOM   Select the ADOM on the server the logs will be fetched from. Only one ADOM can be fetched from at a time.
Local ADOM   Select the ADOM on the client where the logs will be received. Either select an existing ADOM from the dropdown list, or create a new ADOM by entering a name for it into the field.
Devices   Add the devices and/or VDOMs that the logs will be fetched from. Up to 256 devices can be added. Click Select Device, select devices from the list, then click OK.
Enable Filters   Select to enable filters on the logs that will be fetched. Select All or Any of the Following Conditions in the Log messages that match field to control how the filters are applied to the logs. Add filters to the table by selecting the Log Field, Match Criteria, and Value for each filter.
Time Period   Specify what date and time range of log messages to fetch.
Index Fetch Logs   If selected, the fetched logs will be indexed in the SQL database of the client once they are received. Select this option unless you want to manually index the fetched logs.

The request is sent to the fetch server. The status of the request can be viewed in the Sessions tab.

Synchronizing devices and ADOMs – FortiAnalyzer – FortiOS 6.2.3


Synchronizing devices and ADOMs

If this is the first time the fetching client is fetching logs from the device, or if any changes have been made to the devices or ADOMs since the last fetch, the devices and ADOMs must be synchronized with the server.

To synchronize devices and ADOMs:

  1. On the client, go to System Settings > Fetcher Management and select the Profiles tab.
  2. Select the profile, then click Sync Devices in the toolbar, or right-click and select Sync Devices from the menu. The Sync Server ADOM(s) & Device(s) dialog box opens and shows the progress of the process.

Once the synchronization is complete, you can verify the changes on the client, for example newly added devices in the ADOM specified by the profile.

If a new ADOM is created, the new ADOM will mirror the disk space and data policy of the corresponding server ADOM. If there is not enough space on the client, the client will create an ADOM with the maximum allowed disk space and give a warning message. You can then adjust disk space allocation as required.

Request processing

After a fetching client has made a fetch request, the request will be listed on the fetch server in the Received Request section of the Sessions tab on the Fetcher Management pane. It will also be available from the notification center in the GUI banner.

Fetch requests can be approved or rejected.

To process the fetch request:

  1. Go to the notification center in the GUI banner and click the log fetcher request, or go to the Sessions tab on the System Settings > Fetcher Management pane.
  2. Find the request in the Received Request section. You may have to expand the section, or select Expand All in the content pane toolbar. The status of the request will be Waiting for approval.
  3. Click Review to review the request. The Review Request dialog box will open.
  4. Click Approve to approve the request, or click Reject to reject the request.

If you approve the request, the server will start to retrieve the requested logs in the background and send them to the client. If you reject the request, the request will be canceled and the request status will be listed as Rejected on both the client and the server.

Fetch monitoring

The progress of an approved fetch request can be monitored on both the fetching client and the fetch server.

Go to System Settings > Fetcher Management and select the Sessions tab to monitor the fetch progress. A fetch session can be paused by clicking Pause, and resumed by clicking Resume. It can also be canceled by clicking Cancel.

Once the log fetching is completed, the status changes to Done and the request record can be deleted by clicking Delete. The client will start to index the logs into the database.

It can take a long time for the client to finish indexing the fetched logs and make the analyzed data available. A progress bar is shown in the GUI banner; for more information, click on it to open the Rebuild Log Database dialog box.

Log and report features will not be fully available until the rebuilding process is complete.

Event Log – FortiAnalyzer – FortiOS 6.2.3


Event Log

The Event Log pane provides an audit log of actions made by users on FortiAnalyzer. It allows you to view log messages that are stored in memory or on the internal hard disk drive. You can use filters to search the messages and download the messages to the management computer.

See the FortiAnalyzer Log Message Reference, available from the Fortinet Document Library, for more information about the log messages.

Go to System Settings > Event Log to view the local log list.

The following options are available:

Add Filter   Filter the event log list based on the log level, user, sub type, or message. See Event log filtering on page 202.
Last…   Select the amount of time to show from the available options, or select a custom time span or any time.
Column Settings   Select which columns are enabled or disabled in the Event Log table.
Tools
  Raw Log / Formatted Log   Click Raw Log to view the logs in their raw state. Click Formatted Log to view them formatted into a table.
  Real-time Log / Historical Log   Click to view the real-time or historical logs list.
  Case Sensitive Search   Enable or disable case-sensitive searching.
Download   Download the event logs in either CSV or the normal format to the management computer.
Pagination   Browse the pages of logs and adjust the number of logs that are shown per page.

The following information is shown:

#   The log number.
Date/Time   The date and time that the log file was generated.
Device ID   The ID of the related device.
Sub Type   The log sub-type:
  • System manager event
  • FG-FM protocol event
  • Device configuration event
  • Global database event
  • Script manager event
  • Web portal event
  • Firewall objects event
  • Policy console event
  • VPN console event
  • Endpoint manager event
  • Revision history event
  • Deployment manager event
  • Real-time monitor event
  • Log and report manager event
  • HA event
  • Firmware manager event
  • FortiGuard service event
  • FortiClient manager event
  • FortiMail manager event
  • Debug I/O log event
  • Configuration change event
  • Device manager event
  • Web service event
  • FortiAnalyzer event
  • Log daemon event
  • FIPS-CC event
  • Managed devices event
User   The user that the log message relates to.
Message   Log message details. A Session ID is added to each log message. The username of the administrator is added to log messages wherever applicable for better traceability.

Event log filtering

The event log can be filtered using the Add Filter box in the toolbar.

To filter FortiView summaries using the toolbar:

  1. Specify filters in the Add Filter box.
    • Regular Search: In the selected summary view, click in the Add Filter box, select a filter from the dropdown list, then type a value. Click NOT to negate the filter value. You can add multiple filters at a time, and connect them with an “or”.
    • Advanced Search: Click the Switch to Advanced Search icon at the right end of the Add Filter box to switch to advanced search mode. In this mode, you type in the whole search criteria (log field names and values). Click the Switch to Regular Search icon to return to regular search.
  2. Click Go to apply the filter.
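The filter semantics described above (field plus value, NOT to negate, several filters joined with "or", and the Case Sensitive Search toggle from the Tools menu) are easy to get wrong when reproducing an audit-log search offline, for instance when a pipeline has to replay the same query over exported event logs. The following is an added example over constructed records, not FortiAnalyzer's code: Filter, apply_filters and parse_advanced are hypothetical names, the records are made up, and the field=value / field!=value syntax accepted by parse_advanced is an assumption, since the page only says that advanced search takes log field names and values.

```python
"""Evaluate Event Log filters of the kind the Add Filter box builds: one or more
(field, value) filters, each optionally negated with NOT, OR-ed together, with
a case-sensitivity toggle. Added example over constructed records; the
advanced-search syntax parsed below is an assumption, not the page's."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample records using the Event Log columns named on the page.
EVENTS = [
    {"level": "information", "user": "admin", "subtype": "System manager event",
     "msg": "User admin logged in from 10.0.0.5"},
    {"level": "warning", "user": "auditor", "subtype": "Log daemon event",
     "msg": "Log disk space low"},
    {"level": "alert", "user": "admin", "subtype": "Configuration change event",
     "msg": "Admin password changed"},
    {"level": "information", "user": "ADMIN", "subtype": "Web service event",
     "msg": "Session expired"},
]


@dataclass(frozen=True)
class Filter:
    field: str
    value: str
    negate: bool = False   # the NOT toggle on a regular-search filter


def _matches(rec: dict, f: Filter, case_sensitive: bool) -> bool:
    hay, needle = rec.get(f.field, ""), f.value
    if not case_sensitive:
        hay, needle = hay.lower(), needle.lower()
    hit = needle in hay            # substring match, as a search box does
    return not hit if f.negate else hit


def apply_filters(records, filters, *, case_sensitive: bool = False) -> list[dict]:
    """Regular search: filters are OR-ed, so a record is kept if ANY filter
    matches it; with no filters every record is kept."""
    if not filters:
        return list(records)
    return [r for r in records if any(_matches(r, f, case_sensitive) for f in filters)]


_ADV_TERM = re.compile(r'(\w+)(!=|=)("[^"]*"|\S+)')


def parse_advanced(query: str) -> list[Filter]:
    """Turn an advanced-search string such as 'user=admin subtype!="Web service"'
    into Filter objects (assumed syntax: field=value, field!=value, quotes allowed)."""
    filters = [Filter(field, value.strip('"'), negate=(op == "!="))
               for field, op, value in _ADV_TERM.findall(query)]
    if not filters:
        raise ValueError(f"no field=value terms in {query!r}")
    return filters


if __name__ == "__main__":
    for rec in apply_filters(EVENTS, [Filter("user", "admin")], case_sensitive=True):
        print(rec["user"], "|", rec["msg"])
    print(len(apply_filters(EVENTS, parse_advanced("level!=information"))))
```

The case-sensitivity toggle changes the result set: the constructed record for user "ADMIN" is returned by a case-insensitive search for "admin" and dropped by a case-sensitive one, which matters when the audit question is which account performed an action.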

Task Monitor – FortiAnalyzer – FortiOS 6.2.3


Task Monitor

Using the task monitor, you can view the status of the tasks you have performed.

Go to System Settings > Task Monitor to view the task monitor.

The following options are available:

Delete   Remove the selected task or tasks from the list. This changes to Cancel Running Task(s) when View is Running.
View   Select which tasks to view from the dropdown list, based on their status. The available options are: Running, Pending, Done, Error, Cancelling, Cancelled, Aborting, Aborted, Warning, and All.
Expand Arrow   In the Source column, select the expand arrow icon to display the specific actions taken under this task. To filter the specific actions taken for a task, select one of the options on top of the action list. Select the history icon to view specific information on task progress. This can be useful when troubleshooting warnings and errors.
Group Error Devices   Select Group Error Devices to create a group of the failed devices, allowing re-installations to easily be done on only the failed devices.
History   Click the history icon to view task details in a new window.
Pagination   Browse the pages of tasks and adjust the number of tasks shown per page.

The following information is available:

ID   The identification number for a task.
Source   The platform from where the task is performed. Click the expand arrow to view details of the specific task and access the history button.
Description   The nature of the task. Click the arrow to display the specific actions taken under this task.
User   The user or users who performed the tasks.
Status   The status of the task (hover over the icon to view the description):
  • Done: Completed with success.
  • Error: Completed without success.
  • Canceled: User canceled the task.
  • Canceling: User is canceling the task.
  • Aborted: The FortiAnalyzer system stopped performing this task.
  • Aborting: The FortiAnalyzer system is stopping performing this task.
  • Running: Being processed. In this status, a percentage bar appears in the Status column.
  • Pending
  • Warning
Start Time   The time that the task was started.
ADOM   The ADOM associated with the task.
History   Click the history button to view task details.

SNMP – FortiAnalyzer – FortiOS 6.2.3


SNMP

Enable the SNMP agent on the FortiAnalyzer device so it can send traps to and receive queries from the computer that is designated as its SNMP manager. This allows for monitoring the FortiAnalyzer with an SNMP manager.

SNMP has two parts – the SNMP agent that is sending traps, and the SNMP manager that monitors those traps. The SNMP communities on monitored FortiGate devices are hard coded and configured by the FortiAnalyzer system – they are not user configurable.

The FortiAnalyzer SNMP implementation is read-only — SNMP v1, v2c, and v3 compliant SNMP manager applications, such as those on your local computer, have read-only access to FortiAnalyzer system information and can receive FortiAnalyzer system traps.

SNMP agent

The SNMP agent sends SNMP traps originating on the FortiAnalyzer system to an external monitoring SNMP manager defined in a SNMP community. Typically an SNMP manager is an application on a local computer that can read the SNMP traps and generate reports or graphs from them.

The SNMP manager can monitor the FortiAnalyzer system to determine if it is operating properly, or if there are any critical events occurring. The description, location, and contact information for this FortiAnalyzer system will be part of the information an SNMP manager will have — this information is useful if the SNMP manager is monitoring many devices, and it will enable faster responses when the FortiAnalyzer system requires attention.

Go to System Settings > Advanced > SNMP to configure the SNMP agent.

The following information and options are available:

SNMP Agent Select to enable the SNMP agent. When this is enabled, it sends FortiAnalyzer SNMP traps.
Description Optionally, type a description of this FortiAnalyzer system to help uniquely identify this unit.
Location Optionally, type the location of this FortiAnalyzer system to help find it in the event it requires attention.
Contact Optionally, type the contact information for the person in charge of this FortiAnalyzer system.
SNMP v1/2c The list of SNMP v1/v2c communities added to the FortiAnalyzer configuration.
  Create New Select Create New to add a new SNMP community. If SNMP agent is not selected, this control will not be visible.

For more information, see SNMP v1/v2c communities on page 205.

  Edit Edit the selected SNMP community.
  Delete Delete the selected SNMP community or communities.
  Community Name The name of the SNMP community.
  Queries The status of SNMP queries for each SNMP community. The enabled icon indicates that at least one query is enabled. The disabled icon indicates that all queries are disabled.
  Traps The status of SNMP traps for each SNMP community. The enabled icon indicates that at least one trap is enabled. The disabled icon indicates that all traps are disabled.
  Enable Enable or disable the SNMP community.
SNMP v3   The list of SNMPv3 users added to the configuration.
  Create New Select Create New to add a new SNMP user. If SNMP agent is not selected, this control will not be visible.

For more information, see SNMP v3 users on page 208.

  Edit Edit the selected SNMP user.
  Delete Delete the selected SNMP user or users.
  User Name The user name for the SNMPv3 user.
  Security Level The security level assigned to the SNMPv3 user.
  Notification Hosts The notification host or hosts assigned to the SNMPv3 user.
  Queries The status of SNMP queries for each SNMP user. The enabled icon indicates queries are enabled. The disabled icon indicates they are disabled.

SNMP v1/v2c communities

An SNMP community is a grouping of equipment for network administration purposes. You must configure your FortiAnalyzer to belong to at least one SNMP community so that community’s SNMP managers can query the FortiAnalyzer system information and receive SNMP traps from it.

Each community can have a different configuration for SNMP traps and can be configured to monitor different events. You can add the IP addresses of up to eight hosts to each community. Hosts can receive SNMP device traps and information.

To create a new SNMP community:

  1. Go to System Settings > Advanced > SNMP and ensure the SNMP agent is enabled.
  2. In the SNMP v1/v2c section, click Create New in the toolbar. The New SNMP Community pane opens.
  3. Configure the following options, then click OK to create the community.
Name   Enter a name to identify the SNMP community. This name cannot be edited later.
Hosts   The list of hosts that can use the settings in this SNMP community to monitor the FortiAnalyzer system. When you create a new SNMP community, there are no host entries. Select Add to create a new entry that broadcasts the SNMP traps and information to the network connected to the specified interface.
  IP Address/Netmask   Enter the IP address and netmask of an SNMP manager. By default, the IP address is 0.0.0.0 so that any SNMP manager can use this SNMP community.
  Interface   Select the interface that connects to the network where this SNMP manager is located from the dropdown list. This must be done if the SNMP manager is on the Internet or behind a router.
  Delete   Click the delete icon to remove this SNMP manager entry.
Add   Select to add another entry to the Hosts list. Up to eight SNMP manager entries can be added for a single community.
Queries   Enter the port number (161 by default) the FortiAnalyzer system uses to send v1 and v2c queries to the FortiAnalyzer in this community. Enable queries for each SNMP version that the FortiAnalyzer system uses.
Traps   Enter the Remote port number (162 by default) the FortiAnalyzer system uses to send v1 and v2c traps to the FortiAnalyzer in this community. Enable traps for each SNMP version that the FortiAnalyzer system uses.
SNMP Event   Enable the events that will cause SNMP traps to be sent to the community.
  • Interface IP changed
  • Log disk space low
  • CPU Overuse
  • Memory Low
  • System Restart
  • CPU usage exclude NICE threshold
  • RAID Event (only available for devices that support RAID)
  • Power Supply Failed (only available on supported hardware devices)
  • Fan Speed Out of Range
  • Temperature Out of Range
  • Voltage Out of Range
  • High licensed device quota
  • High licensed log GB/day
  • Log Alert
  • Log Rate
  • Data Rate

FortiAnalyzer feature set SNMP events:

To edit an SNMP community:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v1/v2c section, double-click on a community, right-click on a community then select Edit, or select a community then click Edit in the toolbar. The Edit SNMP Community pane opens.
  3. Edit the settings as required, then click OK to apply your changes.

To delete an SNMP community or communities:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v1/v2c section, select the community or communities you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected community or communities.

SNMP v3 users

The FortiAnalyzer SNMP v3 implementation includes support for queries, traps, authentication, and privacy. SNMP v3 users can be created, edited, and deleted as required. Unlike v1/v2c communities, which are protected only by a community string sent in cleartext, a v3 user can authenticate and encrypt every query and trap.

To create a new SNMP user:

  1. Go to System Settings > Advanced > SNMP and ensure the SNMP agent is enabled.
  2. In the SNMP v3 section, click Create New in the toolbar. The New SNMP User pane opens.
  3. Configure the following options, then click OK to create the user.
User Name   The name of the SNMP v3 user.
Security Level   The security level of the user. Select one of the following:

  • No Authentication, No Privacy
  • Authentication, No Privacy: Select the Authentication Algorithm (SHA1, MD5) and enter the password.
  • Authentication, Privacy: Select the Authentication Algorithm (SHA1, MD5), the Private Algorithm (AES, DES), and enter the passwords.

Use Authentication, Privacy with SHA1 and AES wherever your SNMP manager supports them. MD5 and DES are weak and are only worth selecting for a manager that supports nothing else.

Queries   Select to enable queries then enter the port number. The default port is 161.
Notification Hosts   The IP address or addresses of the host. Click the add icon to add multiple IP addresses.
SNMP Event   Enable the events that will cause SNMP traps to be sent to the SNMP manager.

  • Interface IP changed
  • Log disk space low
  • CPU Overuse
  • Memory Low
  • System Restart
  • CPU usage exclude NICE threshold
  • RAID Event (only available for devices that support RAID)
  • PowerSupply Failed (only available on supported hardware devices)
  • Fan Speed Out of Range
  • Temperature Out of Range
  • Voltage Out of Range

FortiAnalyzer feature set SNMP events:

  • High licensed device quota
  • High licensed log GB/day
  • Log Alert
  • Log Rate
  • Data Rate

To edit an SNMP user:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v3 section, double-click on a user, right-click on a user then select Edit, or select a user then click Edit in the toolbar. The Edit SNMP User pane opens.
  3. Edit the settings as required, then click OK to apply your changes.

To delete an SNMP user or users:

  1. Go to System Settings > Advanced > SNMP.
  2. In the SNMP v3 section, select the user or users you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation dialog box to delete the selected user or users.
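As an added example, not Fortinet code, the following Python script audits a FortiAnalyzer SNMP configuration for the weak choices the community and v3 user tables above allow: v1/v2c communities (cleartext community string), the default 0.0.0.0 host entry that lets any manager use a community, v3 users without authentication or privacy, and MD5 or DES. The configuration is modelled as plain dicts whose field names mirror the GUI labels; that layout, the helper names and the sample configuration are assumptions made for illustration, not a FortiAnalyzer export format.

```python
"""Audit a FortiAnalyzer SNMP configuration for weak settings.

Added example, not Fortinet code.  Communities and v3 users are plain dicts
whose keys mirror the GUI fields (hosts as (address, netmask) pairs, the v3
security level and algorithm names as shown in the GUI).  The sample
configuration at the bottom is constructed for illustration.
"""
import ipaddress

# GUI wording for the SNMP v3 security levels.
NO_AUTH_NO_PRIV = "No Authentication, No Privacy"
AUTH_NO_PRIV = "Authentication, No Privacy"
AUTH_PRIV = "Authentication, Privacy"
WEAK_AUTH = {"MD5"}   # SHA1 is the stronger of the two offered
WEAK_PRIV = {"DES"}   # AES is the stronger of the two offered


def manager_scope(address: str, netmask: str) -> ipaddress.IPv4Network:
    """Turn a community host's Address/Netmask pair into a network object."""
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def audit_community(community: dict) -> list:
    """Findings for one SNMP v1/v2c community."""
    name = community["name"]
    findings = []
    if community.get("v1_queries") or community.get("v1_traps"):
        findings.append(f"{name}: SNMP v1 enabled; the only credential is a cleartext community string")
    if community.get("v2c_queries") or community.get("v2c_traps"):
        findings.append(f"{name}: SNMP v2c enabled; community string travels in cleartext, prefer v3")
    hosts = community.get("hosts", [])
    if not hosts:
        findings.append(f"{name}: no hosts configured, community cannot be used")
    for address, netmask in hosts:
        # The GUI default 0.0.0.0/0.0.0.0 matches every possible manager.
        if manager_scope(address, netmask).prefixlen == 0:
            findings.append(f"{name}: host {address}/{netmask} lets any SNMP manager use this community")
    return findings


def audit_v3_user(user: dict) -> list:
    """Findings for one SNMP v3 user."""
    name = user["name"]
    level = user["security_level"]
    findings = []
    if level == NO_AUTH_NO_PRIV:
        findings.append(f"{name}: no authentication or privacy, no better than a v2c community")
    elif level == AUTH_NO_PRIV:
        findings.append(f"{name}: authenticated but unencrypted, queries and traps are readable on the wire")
    if level != NO_AUTH_NO_PRIV and user.get("auth_algorithm") in WEAK_AUTH:
        findings.append(f"{name}: authentication uses {user['auth_algorithm']}, select SHA1")
    if level == AUTH_PRIV and user.get("priv_algorithm") in WEAK_PRIV:
        findings.append(f"{name}: privacy uses {user['priv_algorithm']}, select AES")
    if not user.get("notification_hosts"):
        findings.append(f"{name}: no notification hosts, traps for this user go nowhere")
    return findings


def audit_snmp(config: dict) -> dict:
    """Map every community and v3 user name to its list of findings."""
    report = {}
    for community in config.get("communities", []):
        report[community["name"]] = audit_community(community)
    for user in config.get("v3_users", []):
        report[user["name"]] = audit_v3_user(user)
    return report


# Constructed sample: a default-style community plus a weak and a sound v3 user.
SAMPLE_CONFIG = {
    "communities": [
        {"name": "public", "hosts": [("0.0.0.0", "0.0.0.0")],
         "v1_queries": True, "v2c_queries": True, "v1_traps": False, "v2c_traps": True},
    ],
    "v3_users": [
        {"name": "nms-legacy", "security_level": AUTH_PRIV,
         "auth_algorithm": "MD5", "priv_algorithm": "DES",
         "notification_hosts": ["192.0.2.10"]},
        {"name": "nms", "security_level": AUTH_PRIV,
         "auth_algorithm": "SHA1", "priv_algorithm": "AES",
         "notification_hosts": ["192.0.2.10"]},
    ],
}

if __name__ == "__main__":
    for name, findings in audit_snmp(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the sample, the "nms" user comes back clean while "public" and "nms-legacy" each collect findings; replace SAMPLE_CONFIG with a dict built from your own unit's settings to reuse the checks.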

SNMP MIBs

The Fortinet and FortiAnalyzer MIBs, along with the two RFC MIBs, can be obtained from Customer Service & Support (https://support.fortinet.com). You can download the FORTINET-FORTIMANAGER-FORTIANALYZER-MIB.mib MIB file in the firmware image file folder. The FORTINET-CORE-MIB.mib file is located in the main FortiAnalyzer 5.00 file folder.

RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).

To be able to communicate with the SNMP agent, you must load all of these MIBs into your SNMP manager.

Generally your SNMP manager will be an application on your local computer. Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet and FortiAnalyzer proprietary MIBs to this database.

MIB file name or RFC   Description
FORTINET-CORE-MIB.mib   The proprietary Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor Fortinet unit configuration settings and receive traps from the Fortinet SNMP agent.
FORTINET-FORTIMANAGERMIB.mib   The proprietary FortiAnalyzer MIB includes system information and trap information for FortiAnalyzer units.
RFC-1213 (MIB II)   The Fortinet SNMP agent supports MIB II groups with the following exceptions.

  • No support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).
  • Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all Fortinet traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.

RFC-2665 (Ethernet-like MIB)   The Fortinet SNMP agent supports Ethernet-like MIB information with the following exception.

  • No support for the dot3Tests and dot3Errors groups.

SNMP traps

Fortinet devices share SNMP traps, but each type of device also has traps specific to that device type. For example FortiAnalyzer units have FortiAnalyzer specific SNMP traps. To receive Fortinet device SNMP traps, you must load and compile the FORTINET-CORE-MIB into your SNMP manager.

Traps sent include the trap message as well as the unit serial number (fnSysSerial) and host name (sysName). The Trap Message column includes the message that is included with the trap, as well as the SNMP MIB field name to help locate the information about the trap.

Trap message   Description
ColdStart, WarmStart, LinkUp, LinkDown   Standard traps as described in RFC 1215.
CPU usage high (fnTrapCpuThreshold)   CPU usage exceeds the set percentage. This threshold can be set in the CLI using the following commands:

    config system snmp sysinfo
        set trap-high-cpu-threshold <percentage value>
    end

CPU usage excluding NICE processes (fmSysCpuUsageExcludedNice)   CPU usage excluding NICE processes exceeds the set percentage. This threshold can be set in the CLI using the following commands:

    config system snmp sysinfo
        set trap-cpu-high-exclude-nice-threshold <percentage value>
    end

Memory low (fnTrapMemThreshold)   Memory usage exceeds the set percentage (90 percent by default). This threshold can be set in the CLI using the following commands:

    config system snmp sysinfo
        set trap-low-memory-threshold <percentage value>
    end

Log disk too full (fnTrapLogDiskThreshold)   Log disk usage has exceeded the configured threshold. Only available on devices with log disks.
Temperature too high (fnTrapTempHigh)   A temperature sensor on the device has exceeded its threshold. Not all devices have thermal sensors. See the hardware manual for specifications.
Voltage outside acceptable range (fnTrapVoltageOutOfRange)   Power levels have fluctuated outside of normal levels. Not all devices have voltage monitoring instrumentation.
Power supply failure (fnTrapPowerSupplyFailure)   Power supply failure detected. Available on some devices that support redundant power supplies.
Interface IP change (fnTrapIpChange)   The IP address for an interface has changed. The trap message includes the name of the interface, the new IP address and the serial number of the Fortinet unit. You can use this trap to track interface IP address changes for interfaces with dynamic IP addresses set using DHCP or PPPoE.
Log rate too high (fmTrapLogRateThreshold)   The incoming log rate has exceeded the peak log rate threshold. To determine the peak log rate, use the following CLI command:

    get system loglimits

Data rate too high (fmTrapLogDataRateThreshold)   The incoming data rate has exceeded the peak data rate threshold. The peak data rate is calculated as the peak log rate x 512 bytes (average log size).

Fortinet & FortiAnalyzer MIB fields

The Fortinet MIB contains fields reporting current Fortinet unit status information. The below tables list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.3.00.mib file into your SNMP manager and browsing the Fortinet MIB fields.

System MIB fields:

MIB field Description
fnSysSerial Fortinet unit serial number.

Administrator accounts:

MIB field Description
fnAdminNumber The number of administrators on the Fortinet unit.
fnAdminTable Table of administrators.  
fnAdminIndex Administrator account index number.
fnAdminName The user name of the administrator account.
fnAdminAddr An address of a trusted host or subnet from which this administrator account can be used.
fnAdminMask The netmask for fnAdminAddr.

Custom messages:

MIB field   Description
fnMessages   The number of custom messages on the Fortinet unit.

FortiAnalyzer MIB fields:

MIB field   Description
fmModel   A table of all FortiAnalyzer models.

Mail Server

A mail server allows the FortiAnalyzer to send email messages, such as notifications when reports are run or specific events occur. Mail servers can be added, edited, deleted, and tested.

Go to System Settings > Advanced > Mail Server to configure SMTP mail server settings.

To add a mail server:

  1. Go to System Settings > Advanced > Mail Server.
  2. Click Create New in the toolbar. The Create New Mail Server Settings pane opens.
  3. Configure the following settings and then select OK to create the mail server.
SMTP Server Name Enter a name for the SMTP server.
Mail Server Enter the mail server information.
SMTP Server Port Enter the SMTP server port number. The default port is 25.
Enable Authentication Select to enable authentication.
Email Account Enter an email account. This option is only accessible when authentication is enabled.
Password Enter the email account password. This option is only accessible when authentication is enabled.

To edit a mail server:

  1. Go to System Settings > Advanced > Mail Server.
  2. Double-click on a server, right-click on a server and then select Edit from the menu, or select a server then click Edit in the toolbar. The Edit Mail Server Settings pane opens.
  3. Edit the settings as required, and then click OK to apply the changes.

To test the mail server:

  1. Go to System Settings > Advanced > Mail Server.
  2. Select the server you need to test.
  3. Click Test from the toolbar, or right-click and select Test.
  4. Type the email address you would like to send a test email to and click OK. A confirmation or failure message will be displayed.
  5. Click OK to close the confirmation dialog box.

To delete a mail server or servers:

  1. Go to System Settings > Advanced > Mail Server.
  2. Select the server or servers you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation box to delete the server.

Syslog Server

Go to System Settings > Advanced > Syslog Server to configure syslog server settings. Syslog servers can be added, edited, deleted, and tested.

To add a syslog server:

  1. Go to System Settings > Advanced > Syslog Server.
  2. Click Create New in the toolbar. The Create New Syslog Server Settings pane opens.
  3. Configure the following settings and then select OK to create the syslog server.
Name Enter a name for the syslog server.
IP address (or FQDN) Enter the IP address or FQDN of the syslog server.
Syslog Server Port Enter the syslog server port number. The default port is 514.

To edit a syslog server:

  1. Go to System Settings > Advanced > Syslog Server.
  2. Double-click on a server, right-click on a server and then select Edit from the menu, or select a server then click Edit in the toolbar. The Edit Syslog Server Settings pane opens.
  3. Edit the settings as required, and then click OK to apply the changes.

To test the syslog server:

  1. Go to System Settings > Advanced > Syslog Server.
  2. Select the server you need to test.
  3. Click Test from the toolbar, or right-click and select Test. A confirmation or failure message will be displayed.

To delete a syslog server or servers:

  1. Go to System Settings > Advanced > Syslog Server.
  2. Select the server or servers you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation box to delete the server or servers.

Meta Fields

Meta fields allow administrators to add extra information when configuring, adding, or maintaining FortiGate units or adding new administrators. You can make the fields mandatory or optional, and set the length of the field.

With the fields set as mandatory, administrators must supply additional information when they create a new FortiGate object, such as an administrator account or firewall policy. Fields for this new information are added to the FortiGate unit dialog boxes in the locations where you create these objects. You can also provide fields for optional additional information.

Go to System Settings > Advanced > Meta Fields to configure meta fields. Meta fields can be added, edited, and deleted.

  1. Go to System Settings > Advanced > Meta Fields.
  2. Click Create New in the toolbar. The Create New Meta Field pane opens.
  3. Configure the following settings and then select OK to create the meta field.
Object The object this metadata field applies to: Devices, Device Groups, or Administrative Domains.
Name Enter the label to use for the field.
Length Select the maximum number of characters allowed for the field from the dropdown list: 20, 50, or 255.
Importance Select Required to make the field compulsory, otherwise select Optional.
Status Select Disabled to disable this field. The default selection is Enabled.

To edit a meta field:

  1. Go to System Settings > Advanced > Meta Fields.
  2. Double-click on a field, right-click on a field and then select Edit from the menu, or select a field then click Edit in the toolbar. The Edit Meta Fields pane opens.
  3. Edit the settings as required, and then click OK to apply the changes.

To delete a meta field or fields:

  1. Go to System Settings > Advanced > Meta Fields.
  2. Select the field or fields you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Click OK in the confirmation box to delete the field or fields.

Device logs

The FortiAnalyzer allows you to log system events to disk. You can control device log file size and the use of the FortiAnalyzer unit’s disk space by configuring log rolling and scheduled uploads to a server.

As the FortiAnalyzer unit receives new log items, it performs the following tasks:

  • Verifies whether the log file has exceeded its file size limit.
  • Checks to see if it is time to roll the log file if the file size is not exceeded.

When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log (for example, tlog.1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. The file modification time will match the time when the last log was received in the log file.

Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new current log called tlog.log. If log uploading is enabled, once logs are uploaded to the remote server or downloaded via the GUI, they are in the following format:

FG3K6A3406600001-tlog.1252929496.log-2017-09-29-08-03-54.gz

If you have enabled log uploading, you can choose to automatically delete the rolled log file after uploading, thereby freeing the amount of disk space used by rolled log files. If the log upload fails, such as when the FTP server is unavailable, the logs are uploaded during the next scheduled upload.

Log rolling and uploading can be enabled and configured using the GUI or CLI.

Configuring rolling and uploading of logs using the GUI

Go to System Settings > Advanced > Device Log Setting to configure device log settings.

Configure the following settings, and then select Apply:

Registered Device Logs  
Roll log file when size exceeds   Enter the log file size, from 10 to 500 MB. Default: 200 MB.
Roll log files at scheduled time Select to roll logs daily or weekly.

Daily: select the hour and minute value in the dropdown lists.

Weekly: select the day, hour, and minute value in the dropdown lists.

Upload logs using a standard file transfer protocol Select to upload logs and configure the following settings.
Upload Server Type Select one of FTP, SFTP, or SCP.
Upload Server IP Enter the IP address of the upload server.
User Name Enter the username used to connect to the upload server.
Password Enter the password used to connect to the upload server.
Remote Directory Enter the remote directory on the upload server where the log will be uploaded.
Upload Log Files Select to upload log files when they are rolled according to settings selected under Roll Logs, or daily at a specific hour.
Upload rolled files in gzip file format Select to gzip the logs before uploading. This will result in smaller logs and faster upload times.
Delete files after uploading Select to remove device log files from the FortiAnalyzer system after they have been uploaded to the Upload Server.
Local Device Log  
Send the local event logs to FortiAnalyzer / FortiManager Select to send local event logs to another FortiAnalyzer or FortiManager device.
IP Address Enter the IP address of the FortiAnalyzer or FortiManager.
Upload Option Select to upload logs in real time or at a scheduled time.

When selecting a scheduled time, you can specify the hour and minute to upload logs each day.

Severity Level Select the minimum log severity level from the dropdown list. This option is only available when Upload Option is Realtime.
Reliable log transmission Select to use reliable log transmission.
Secure connection Select to use a secure connection for log transmission. This option is only available when Reliable log transmission is selected.

Configuring rolling and uploading of logs using the CLI

Log rolling and uploading can be enabled and configured using the CLI. For more information, see the FortiAnalyzer CLI Reference.

Enable or disable log file uploads

Use the following CLI commands to enable or disable log file uploads.

To enable log uploads:

    config system log settings
        config rolling-regular
            set upload enable
        end
    end

To disable log uploads:

    config system log settings
        config rolling-regular
            set upload disable
        end
    end

Roll logs when they reach a specific size

Use the following CLI commands to specify the size, in MB, at which a log file is rolled.

To roll logs when they reach a specific size:

    config system log settings
        config rolling-regular
            set file-size <integer>
        end
    end

Roll logs on a schedule

Use the following CLI commands to configure rolling logs on a set schedule, or never.

To disable log rolling:

    config system log settings
        config rolling-regular
            set when none
        end
    end

To enable daily log rolling:

    config system log settings
        config rolling-regular
            set upload enable
            set when daily
            set hour <integer>
            set min <integer>
        end
    end

To enable weekly log rolling:

    config system log settings
        config rolling-regular
            set when weekly
            set days {mon | tue | wed | thu | fri | sat | sun}
            set hour <integer>
            set min <integer>
        end
    end

Upload logs to cloud storage

The FortiAnalyzer can be set to upload logs to cloud storage. Before enabling this feature, you must have a valid Storage Connector Service license. See License Information widget on page 162.

For information on setting up a storage fabric connector, see Creating or editing storage connectors on page 33.

To upload logs to cloud storage:

  1. Go to System Settings > Advanced > Device Log Settings.
  2. Select Create New.
  3. Complete the following options, and click OK.

  • Enter a name for the cloud storage.
  • In the Cloud Storage Connector list, select a Fabric Connector.
  • In the Remote Path box, type the bucket or container name from the storage account.

File Management

FortiAnalyzer allows you to configure automatic deletion of device log files, quarantined files, reports, and content archive files after a set period of time.

Go to System Settings > Advanced > File Management to configure file management settings.

Configure the following settings, and then select Apply:

Device log files older than Select to enable automatic deletion of compressed log files.

Enter a value in the text field, select the time period (Days, Weeks, or Months), and choose a time of day.

Reports older than Select to enable automatic deletion of reports of data from compressed log files. Enter a value in the text field, select the time period, and choose a time of day.
Content archive files older than Select to enable automatic deletion of IPS and DP archives from Archive logs.

Enter a value in the text field, select the time period, and choose a time of day.

Quarantined files older than Select to enable automatic deletion of compressed log files of quarantined files. Enter a value in the text field, select the time period, and choose a time of day.

The time period you select determines how often the item is checked. If you select Months, then the item is checked once per month. If you select Weeks, then the item is checked once per week, and so on. For example, if you specify Device log files older than 3 Months, then on July 1, the logs for April, May, and June are kept and the logs for March and older are deleted.
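As an added example, not Fortinet code, the following Python script ties the two sections together: it parses the uploaded device-log file names described under Device logs (<serial>-<x>log.<N>.log-<upload timestamp>.gz, where N is the time the first log entry was received) and applies the File Management "older than N months" rule to them, reproducing the July 1 / 3 Months case above. The page does not say which of the two timestamps the unit compares against the retention window; the script uses the first-log epoch and states that as an assumption. The file names other than the one quoted above, the function names and the reference date are constructed for illustration; a practitioner would point it at the directory listing of the upload server to see what the unit will, or should, delete next.

```python
"""Parse uploaded FortiAnalyzer device-log file names and apply a
"device log files older than N months" retention rule.

Added example, not Fortinet code.  File-name layout is the one shown in the
Device logs section.  ASSUMPTION: the retention window is compared against
the epoch of the first log entry (the N in xlog.N.log); the unit may instead
use the file modification time, which the section does not specify.
"""
import re
from datetime import date, datetime, timezone

# <serial>-<x>log.<epoch>.log-<YYYY-MM-DD-hh-mm-ss>.gz
NAME_RE = re.compile(
    r"^(?P<serial>[A-Z0-9]+)-(?P<type>[a-z])log\.(?P<epoch>\d+)\.log"
    r"-(?P<upload>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})\.gz$"
)


def parse_log_name(name: str) -> dict:
    """Split an uploaded file name into serial, log-type letter and both timestamps."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an uploaded FortiAnalyzer log file name: {name}")
    return {
        "serial": m["serial"],
        "type": m["type"],  # the x in xlog identifies the log type
        # N in xlog.N.log is when the first entry in the rolled file was received
        "first_log": datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc),
        # trailing stamp is when the rolled file was uploaded or downloaded
        "uploaded": datetime.strptime(m["upload"], "%Y-%m-%d-%H-%M-%S").replace(tzinfo=timezone.utc),
    }


def month_cutoff(today: date, months: int) -> date:
    """First day of the month `months` months before today's month.

    With today=2017-07-01 and months=3 this is 2017-04-01, matching the
    File Management example: April to June are kept, March and older go.
    """
    idx = today.year * 12 + (today.month - 1) - months
    return date(idx // 12, idx % 12 + 1, 1)


def expired(names, today: date, months: int) -> list:
    """Names whose first-log time falls before the retention cutoff."""
    cutoff = month_cutoff(today, months)
    return [n for n in names if parse_log_name(n)["first_log"].date() < cutoff]


# Constructed listing of an upload directory (epochs are 2017-03-15, 2017-04-01
# and 2017-05-15 00:00 UTC; the first name is the one quoted in the section).
SAMPLE_LISTING = [
    "FG3K6A3406600001-tlog.1252929496.log-2017-09-29-08-03-54.gz",
    "FG3K6A3406600001-tlog.1489536000.log-2017-03-16-01-00-00.gz",
    "FG3K6A3406600001-tlog.1491004800.log-2017-04-02-01-00-00.gz",
    "FG3K6A3406600001-elog.1494806400.log-2017-05-16-01-00-00.gz",
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        info = parse_log_name(name)
        print(info["serial"], info["type"], info["first_log"].isoformat(), info["uploaded"].isoformat())
    print("would delete on 2017-07-01 with 3 months:", expired(SAMPLE_LISTING, date(2017, 7, 1), 3))
```

The cutoff is a month boundary rather than "today minus 90 days", which is why a file whose first entry arrived at 00:00 on April 1 survives while anything from March 31 does not; if your own retention expectations are day-based, that is the line to change.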

Advanced Settings

Go to System Settings > Advanced > Advanced Settings to view and configure advanced settings and download WSDL files.

Configure the following settings and then select Apply:

ADOM Mode Select the ADOM mode, either Normal or Advanced.

Advanced mode will allow you to assign a VDOM from a single device to a different ADOM, but will result in more complicated management scenarios. It is recommended only for advanced users.

Download WSDL file Select the required WSDL functions then click the Download button to download the WSDL file to your management computer.

When selecting Legacy Operations, no other options can be selected.

Web services is a standards-based, platform independent, access method for other hardware and software APIs. The file itself defines the format of commands the FortiAnalyzer will accept as well as the responses to expect. Using the WSDL file, third-party or custom applications can communicate with the FortiAnalyzer unit and operate it or retrieve information, just as an administrator can from the GUI or CLI.

Task List Size Set a limit on the size of the task list. Default: 2000.

Trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative permissions. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiAnalyzer unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply to both the GUI and to the CLI when accessed through SSH. CLI access through the console connector is not affected.
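As an added example, not Fortinet code, the following Python script models the access decision this section describes: an account with trusted hosts is reachable only from those subnets, a netmask of 255.255.255.255 pins it to one address, and an account with no trusted hosts (or a 0.0.0.0/0 entry) is reachable from anywhere. It is useful for reviewing an exported administrator list before a change window. The administrator records and the helper names are constructed for illustration; the ten IPv4 and ten IPv6 host limit is the one stated in the Creating administrators table below.

```python
"""Evaluate FortiAnalyzer administrator trusted hosts.

Added example, not Fortinet code.  Each administrator is a dict with a name
and a list of trusted-host strings written as address/netmask or CIDR, which
is how the GUI asks for them.  Console (serial) access is not subject to
trusted hosts and is not modelled here.
"""
import ipaddress

MAX_HOSTS_PER_FAMILY = 10  # GUI limit: ten IPv4 and ten IPv6 entries


def parse_trusted_hosts(entries):
    """'address/netmask' or CIDR strings -> list of IPv4/IPv6 network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_trusted(admin: dict, source: str) -> bool:
    """True if a GUI or SSH login for this account from `source` is accepted."""
    nets = parse_trusted_hosts(admin.get("trusted_hosts", []))
    if not nets:
        # No trusted hosts: accepted from any host on an interface with admin access.
        return True
    src = ipaddress.ip_address(source)
    return any(src in n for n in nets if n.version == src.version)


def unrestricted_admins(admins) -> list:
    """Accounts reachable from any source, which defeat the policy for everyone."""
    names = []
    for admin in admins:
        nets = parse_trusted_hosts(admin.get("trusted_hosts", []))
        if not nets or any(n.prefixlen == 0 for n in nets):
            names.append(admin["name"])
    return names


def over_limit(admin: dict) -> bool:
    """True if more entries of one address family than the GUI allows."""
    nets = parse_trusted_hosts(admin.get("trusted_hosts", []))
    v4 = sum(1 for n in nets if n.version == 4)
    v6 = sum(1 for n in nets if n.version == 6)
    return v4 > MAX_HOSTS_PER_FAMILY or v6 > MAX_HOSTS_PER_FAMILY


# Constructed administrator list.
ADMINS = [
    {"name": "admin", "trusted_hosts": ["10.10.0.0/255.255.255.0", "2001:db8:1::/64"]},
    {"name": "soc-ro", "trusted_hosts": ["10.10.0.25/255.255.255.255"]},
    {"name": "vendor", "trusted_hosts": []},
    {"name": "legacy", "trusted_hosts": ["0.0.0.0/0.0.0.0"]},
]

if __name__ == "__main__":
    for admin in ADMINS:
        print(admin["name"], "from 10.10.0.25:", is_trusted(admin, "10.10.0.25"),
              "from 198.51.100.7:", is_trusted(admin, "198.51.100.7"))
    print("unrestricted:", unrestricted_admins(ADMINS))
```

The unrestricted list is the one to act on: as the section says, a single account without trusted hosts means the unit still answers login attempts from any host, so the other accounts' restrictions only limit which username an attacker has to guess.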

Disconnecting administrators

Administrators can be disconnected from the FortiAnalyzer unit from the Admin Session List.

To disconnect administrators:

  1. Go to System Settings > Dashboard.
  2. In the System Information widget, in the Current Administrators field, click Current Session List. The Admin Session List opens in the widget.
  3. Select the administrator or administrators you need to disconnect.
  4. Click Delete in the toolbar, or right-click and select Delete.

The selected administrators will be automatically disconnected from the FortiAnalyzer device.


Managing administrator accounts

Go to System Settings > Admin > Administrator to view the list of administrators and manage administrator accounts.

Only administrators with the Super_User profile can see the complete administrators list. If you do not have certain viewing permissions, you will not see the administrator list. When ADOMs are enabled, administrators can only access the ADOMs they have permission to access.

The following options are available:

Create New Create a new administrator. See Creating administrators on page 224.
Edit Edit the selected administrator. See Editing administrators on page 227.
Clone Clone the selected administrator.
Delete Delete the selected administrator or administrators. See Deleting administrators on page 228.
Table View/Tile View Change the view of the administrator list.

Table view shows a list of the administrators in a table format. Tile view shows a separate card for each administrator in a grid pattern.

Column Settings Change the displayed columns.
Search Search the administrators.
Change Password Change the selected administrator’s password. This option is only available from the right-click menu. See Editing administrators on page 227.

The following information is shown:

Seq.# The sequence number.
Name The name the administrator uses to log in.
Type The user type, as well as if the administrator uses a wildcard.
Profile The profile applied to the administrator. See Administrator profiles on page 228
ADOMs The ADOMs the administrator has access to or is excluded from.
Comments Comments about the administrator account. This column is hidden by default.
Trusted IPv4 Hosts The IPv4 trusted host(s) associated with the administrator. See Trusted hosts on page 222.
Trusted IPv6 Hosts The IPv6 trusted host(s) associated with the administrator. See Trusted hosts on page 222. This column is hidden by default.
Contact Email The contact email associated with the administrator. This column is hidden by default.
Contact Phone The contact phone number associated with the administrator. This column is hidden by default.

Creating administrators

To create a new administrator account, you must be logged in to an account with sufficient privileges, or as a super user administrator.

You need the following information to create an account:

  • Which authentication method the administrator will use to log in to the FortiAnalyzer unit. Local, remote, and Public Key Infrastructure (PKI) authentication methods are supported.
  • What administrator profile the account will be assigned, or what system privileges the account requires.
  • If ADOMs are enabled, which ADOMs the administrator will require access to.
  • If using trusted hosts, the trusted host addresses and network masks.

To create a new administrator:

  1. Go to System Settings > Admin > Administrators.
  2. In the toolbar, click Create New to display the New Administrator pane.
  3. Configure the following settings, and then click OK to create the new administrator.
User Name Enter the name the administrator will use to log in.
Avatar Apply a custom image to the administrator.

Click Add Photo to select an image already loaded to the FortiAnalyzer, or to load a new image from the management computer.

If no image is selected, the avatar will use the first letter of the user name.

Comments Optionally, enter a description of the administrator, such as their role, location, or the reason for their account.
Admin Type Select the type of authentication the administrator will use when logging into the FortiAnalyzer unit. One of: LOCAL, RADIUS, LDAP, TACACS+, PKI, or Group. See Authentication on page 234 for more information.
Server or Group Select the RADIUS server, LDAP server, TACACS+ server, or group, as required.

The server must be configured prior to creating the new administrator.

This option is not available if the Admin Type is LOCAL or PKI.

Match all users on remote server Select this option to automatically add all users from an LDAP server specified in Admin > Remote Authentication Server. All users under the Distinguished Name configured for the LDAP server will be added as FortiAnalyzer users with the selected Admin Profile.

If this option is not selected, the UserName specified must exactly match the LDAP user specified on the LDAP server.

This option is not available if the Admin Type is LOCAL or PKI.

Subject Enter a comment for the PKI administrator.

This option is only available if the Admin Type is PKI.

CA Select the CA certificate from the dropdown list.

This option is only available if the Admin Type is PKI.

Require two-factor authentication Select to enable two-factor authentication.

This option is only available if the Admin Type is PKI.

New Password Enter the password.

This option is not available if Wildcard is selected.

If the Admin Type is PKI, this option is only available when Require two-factor authentication is selected.

If the Admin Type is RADIUS, LDAP, or TACACS+, the password is only used when the remote server is unreachable.

Confirm Password Enter the password again to confirm it.

This option is not available if Wildcard is selected.

If the Admin Type is PKI, this option is only available when Require two-factor authentication is selected.

Force this administrator to change password upon next log on. Force the administrator to change their password the next time that they log in to the FortiAnalyzer.

This option is only available if Password Policy is enabled in Admin Settings.

See Password policy on page 244.

Admin Profile Select an administrator profile from the list. The profile selected determines

the administrator’s access to the FortiAnalyzer unit’s features. See Administrator profiles on page 228.

JSON API Access Select the permission for JSON API Access. Select Read-Write, Read, or None. The default is None.
Administrative Domain Choose the ADOMs this administrator will be able to access.

  • All ADOMs: The administrator can access all the ADOMs.
  • All ADOMs except specified ones: The administrator cannot access the selected ADOMs.
  • Specify: The administrator can access the selected ADOMs. Specifying the ADOM shows the Specify Device Group to Access check box. Select the Specify Device Group to Access check box and select the Device Group this administrator is allowed to access. The newly created administrator will only be able to access the devices within the Device Group and sub-groups.

  If the Admin Profile is Super_User, then this setting is All ADOMs.

This field is available only if ADOMs are enabled. See Administrative Domains on page 176.

Trusted Hosts Optionally, turn on trusted hosts, then enter their IP addresses and netmasks. Up to ten IPv4 and ten IPv6 hosts can be added.

See Trusted hosts on page 222 for more information.

Meta Fields Optionally, enter the new administrator’s email address and phone number.
Advanced Options Configure advanced options, see Advanced options below.

For more information on advanced options, see the FortiAnalyzer CLI Reference.

Advanced options

Option Description Default
change-password Enable or Disable changing password. disable
ext-auth-accprofile-override Enable or Disable overriding the account profile by administrators configured on a Remote Authentication Server. disable
ext-auth-adom-override Enable or Disable overriding the ADOM by administrators configured on a Remote Authentication Server. disable
ext-auth-group-match Specify the group configured on a Remote Authentication Server.
first-name Specify the first name.
last-name Specify the last name.
mobile-number Specify the mobile number.
pager-number Specify the pager number.
restrict-access Enable or Disable restricted access. disable

Editing administrators

To edit an administrator, you must be logged in as a super user administrator. The administrator’s name cannot be edited. An administrator’s password can be changed using the right-click menu, if the password is not a wildcard.

To edit an administrator:

  1. Go to System Settings > Admin > Administrators.
  2. Double-click on an administrator, right-click on an administrator and then select Edit from the menu, or select the administrator then click Edit in the toolbar. The Edit Administrator pane opens.
  3. Edit the settings as required, and then select OK to apply the changes.

To change an administrator’s password:

  1. Go to System Settings > Admin > Administrators.
  2. Right-click on an administrator and select Change Password from the menu. The Change Password dialog box opens.
  3. If you are editing the admin administrator’s password, enter the old password in the Old Password field.
  4. Enter the new password for the administrator in the New Password and Confirm Password fields.
  5. Select OK to change the administrator’s password.

Deleting administrators

To delete an administrator or administrators, you must be logged in as a super user administrator.

  1. Go to System Settings > Admin > Administrators.
  2. Select the administrator or administrators you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Select OK in the confirmation box to delete the administrator or administrators.

To delete an administrator using the CLI:

  1. Open a CLI console and enter the following command:

config system admin user
    delete <username>
end

Administrator profiles – FortiAnalyzer – FortiOS 6.2.3


Administrator profiles

Administrator profiles are used to control administrator access privileges to devices or system features. Profiles are assigned to administrator accounts when an administrator is created. The profile controls access to both the FortiAnalyzer GUI and CLI.

There are three predefined system profiles:

Restricted_User Restricted user profiles have no system privileges enabled, and have read-only access for all device privileges.
Standard_User Standard user profiles have no system privileges enabled, and have read/write access for all device privileges.
Super_User Super user profiles have all system and device privileges enabled. This profile cannot be edited.

These profiles cannot be deleted, but standard and restricted profiles can be edited. New profiles can also be created as required. Only super user administrators can manage administrator profiles.

Go to System Settings > Admin > Profile to view and manage administrator profiles.

The following options are available:

Create New Create a new administrator profile. See Creating administrator profiles on page 231.
Edit Edit the selected profile. See Editing administrator profiles on page 233.
Clone Clone the selected profile. See Cloning administrator profiles on page 233.
Delete Delete the selected profile or profiles. See Deleting administrator profiles on page 233.
Search Search the administrator profiles list.

The following information is shown:

Name The name the administrator uses to log in.
Type The profile type.
Description A description of the system and device access permissions allowed for the selected profile.

Permissions

The below table lists the default permissions for the predefined administrator profiles.

When Read-Write is selected, the user can view and make changes to the FortiAnalyzer system. When Read-Only is selected, the user can only view information. When None is selected, the user can neither view nor make changes to the FortiAnalyzer system.

Setting                          CLI setting                    Super User   Standard User   Restricted User
System Settings                  system-setting                 Read-Write   None            None
Administrative Domain            adom-switch                    Read-Write   Read-Write      None
Device Manager                   device-manager                 Read-Write   Read-Write      Read-Only
Add/Delete/Edit Devices/Groups   device-op                      Read-Write   Read-Write      None
Log View/FortiView/SOC           log-viewer                     Read-Write   Read-Write      Read-Only
Incidents & Events               event-management               Read-Write   Read-Write      Read-Only
Reports                          report-viewer                  Read-Write   Read-Write      Read-Only
FortiRecorder                                                   Read-Write   Read-Write      None

CLI only settings                CLI setting                    Super User   Standard User   Restricted User
                                 device-wan-link-load-balance   Read-Write   Read-Write      Read-Only
                                 device-ap                      Read-Write   Read-Write      Read-Only
                                 device-forticlient             Read-Write   Read-Write      Read-Only
                                 device-fortiswitch             Read-Write   Read-Write      Read-Only
                                 realtime-monitor               Read-Write   Read-Write      Read-Only

Privacy Masking – FortiAnalyzer – FortiOS 6.2.3


Privacy Masking

Use Privacy Masking to help protect user privacy by masking or anonymizing user information. You can select which fields to mask. Masked fields show anonymous data. You can unmask and see the original data by entering the Data Mask Key that you specify in the administrator profile.

When Privacy Masking is enabled in an administrator profile, accounts using that profile have a See Original Data button in the banner.

To turn privacy masking on:

  1. In System Settings > Profile, create or edit a profile.
  2. In the Privacy Masking section, set the toggle to ON.
  3. In the Masked Data Fields section, select the fields you want to mask.

The fields you select are masked in all modules that display those fields.

  4. In the Data Mask Key field, type the key that will allow users to unmask the data.
  5. In the Data Unmasked Time field, type the number of days the data is unmasked.

You can enter a number between 0 and 365. Logs that are older than the number of days appear masked.

To see the original, unmasked data:

  1. In any list showing masked data, click See Original Data in the banner and select Screen Picker or Manual Input.
  2. If you select Screen Picker, click a masked field, for example, 75.196.35.21.

The Unmask Protected Data dialog box displays with the field you clicked already entered. If you select Manual Input, enter the masked text, for example, 75.196.35.21.

  3. Enter the Data Mask Key that was set up in the administrator profile and click OK.

Creating administrator profiles – FortiAnalyzer – FortiOS 6.2.3


Creating administrator profiles

To create a new administrator profile, you must be logged in to an account with sufficient privileges, or as a super user administrator.

To create a custom administrator profile:

  1. Go to System Settings > Admin > Profile.
  2. Click Create New in the toolbar. The New Profile pane is displayed.
  3. Configure the following settings:
Profile Name Enter a name for this profile.
Description Optionally, enter a description for this profile. While not a requirement, a description can help to know what the profile is for, or the levels it is set to.
Permissions Select None, Read Only, or Read-Write access for the categories as required.
Privacy Masking Enable/disable privacy masking.
Masked Data Fields Select the fields to mask: Destination Name, Source IP, Destination IP, User, Source Name, Email, Message, and/or Source MAC.
Data Mask Key Enter the data masking encryption key. You need the Data Mask Key to see the original data.
Data Unmasked Time (0-365 Days) Enter the number of days the user assigned to this profile can see all logs without masking.

The logs are masked if the time period in the Log View toolbar is greater than the number of days in the Data Unmasked Time field.

  - Only integers between 0 and 365 are supported.
  - Time frame masking does not apply to real time logs.
  - Time frame masking applies to custom view and drill-down data.

  4. Click OK to create the new administrator profile.
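The masking behaviour described in the Privacy Masking section and in the profile settings above (masked fields, Data Mask Key, Data Unmasked Time, and the real-time exception), modelled as an added Python example. This is not FortiAnalyzer code: the keyed-HMAC pseudonyms, the token vault behind "See Original Data", and the log field names are assumptions for illustration, since the page does not state how FortiAnalyzer derives or reverses masked values.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

MASKABLE = {"srcip", "dstip", "user", "srcname", "dstname", "email", "msg", "srcmac"}  # assumed field names


class MaskingProfile:
    def __init__(self, masked_fields, data_mask_key, data_unmasked_days):
        if not 0 <= data_unmasked_days <= 365:
            raise ValueError("Data Unmasked Time must be an integer from 0 to 365")
        self.masked_fields = set(masked_fields) & MASKABLE
        self.key = data_mask_key.encode()
        self.unmasked_days = data_unmasked_days
        self._vault = {}  # token -> original; hypothetical store behind "See Original Data"

    def pseudonym(self, value):
        # Keyed, deterministic token: equal inputs give equal tokens, so events still correlate.
        digest = hmac.new(self.key, value.encode(), hashlib.sha256).digest()
        try:
            version = ipaddress.ip_address(value).version  # keep IP-like appearance for IP fields
            token = str(ipaddress.IPv4Address(digest[:4]) if version == 4 else ipaddress.IPv6Address(digest[:16]))
        except ValueError:
            token = "anon-" + digest[:6].hex()
        self._vault[token] = value
        return token

    def should_mask(self, log_time, now, realtime=False):
        # Real-time logs are never time-frame masked; logs older than the unmasked window are.
        return not realtime and log_time < now - timedelta(days=self.unmasked_days)

    def apply(self, record, now, realtime=False):
        log_time = datetime.fromisoformat(record["timestamp"])
        if not self.should_mask(log_time, now, realtime):
            return dict(record)
        return {k: self.pseudonym(v) if k in self.masked_fields else v for k, v in record.items()}

    def unmask(self, token, supplied_key):
        # A wrong Data Mask Key reveals nothing; constant-time compare avoids a timing side channel.
        if not hmac.compare_digest(self.key, supplied_key.encode()):
            return None
        return self._vault.get(token)


# Constructed sample records (not real log data): a 7-day unmask window viewed on 2024-03-01.
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
OLD_LOG = {"timestamp": "2024-01-05T10:00:00+00:00", "srcip": "10.0.0.5", "user": "alice", "action": "login"}
RECENT_LOG = {"timestamp": "2024-02-28T10:00:00+00:00", "srcip": "10.0.0.5", "user": "alice", "action": "login"}
```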

To apply a profile to an administrator:

  1. Go to System Settings > Administrators.
  2. Create a new administrator or edit an existing administrator. The Edit Administrator pane is displayed.
  3. From the Admin Profile list, select a profile.

Editing administrator profiles – FortiAnalyzer – FortiOS 6.2.3


Editing administrator profiles

To edit an administrator profile, you must be logged in to an account with sufficient privileges, or as a super user administrator. The profile’s name cannot be edited. The Super_User profile cannot be edited, and the predefined profiles cannot be deleted.

To edit an administrator profile:

  1. Go to System Settings > Admin > Profile.
  2. Double-click on a profile, right-click on a profile and then select Edit from the menu, or select the profile then click Edit in the toolbar. The Edit Profile pane opens.
  3. Edit the settings as required, and then select OK to apply the changes.