FortiAnalyzer 4.0 MR2 Administration Guide
Caution: The Fortinet equipment is intended for installation in a Restricted Access Location.
Contents
Introduction ............................................................................................ 13
Registering your Fortinet product ............................................................................... 14
Customer service & technical support ....................................................................... 14
Training .......................................................................................................................... 15
Documentation .............................................................................................................. 15
Scope ............................................................................................................................. 15
Conventions
IP addresses
Cautions, Notes and Tips
Typographical conventions
Command syntax conventions
System .................................................................................................... 35
Viewing the dashboard................................................................................................. 35
System Information widget ....................................................................................... 38
Configuring the time & date................................................................................ 38
Devices.................................................................................................. 123
Configuring connections with devices & their disk space quota........................... 123
Unregistered vs. registered devices ....................................................................... 126
Maximum number of devices.................................................................................. 126
Configuring IPSec secure connections between the FortiAnalyzer unit and a device or
an HA cluster .......................................................................................................... 128
Manually adding or deleting a device or HA cluster................................................ 129
Manually adding a FortiGate unit using the Fortinet Discovery Protocol (FDP) ..... 131
Configuring unregistered device options ................................................................ 133
Blocking unregistered device connection attempts................................................. 134
Configuring device groups ........................................................................................ 136
Classifying FortiGate network interfaces ................................................................. 137
Reports.................................................................................................. 167
Configuring reports from logs in the proprietary indexed file system ..................
Configuring a report layout .....................................................................................
Adding charts, sections, and texts ...................................................................
Editing charts in a report layout........................................................................
Configuring data filter templates .............................................................................
Configuring report schedules..................................................................................
Configuring language..............................................................................................
Example reports (file system-based) ......................................................................
Example: FortiGate report ................................................................................
Example: FortiClient report...............................................................................
Example: FortiMail report .................................................................................
Tools...................................................................................................... 257
Network Analyzer ........................................................................................................
Connecting the FortiAnalyzer unit to analyze network traffic..................................
Viewing network analyzer log messages................................................................
Viewing current network analyzer log messages .............................................
Viewing historical network analyzer log messages ..........................................
Browsing network analyzer log files........................................................................
Viewing network analyzer log file contents.......................................................
Downloading a network analyzer log file ..........................................................
Customizing the network analyzer log view............................................................
Displaying and arranging log columns .............................................................
Filtering logs .....................................................................................................
Filtering tips ......................................................................................................
Searching the network analyzer logs......................................................................
Search tips .......................................................................................................
Printing and downloading the search results....................................................
Rolling and uploading network analyzer logs .........................................................
Troubleshooting................................................................................... 285
Examples .....................................................................................................................
Example 1: Distribution of applications by type in the last 24 hours.......................
GUI procedure..................................................................................................
CLI procedure ..................................................................................................
Notes: ...............................................................................................................
Example 2: Top 100 applications by bandwidth in the last 24 hours ......................
GUI procedure..................................................................................................
CLI procedure ..................................................................................................
Notes: ...............................................................................................................
Example 3: Top 10 attacks in the past one hour ....................................................
GUI procedure..................................................................................................
CLI procedure ..................................................................................................
Notes: ...............................................................................................................
Example 4: Top WAN optimization applications in the past 24 hours ....................
GUI procedure..................................................................................................
CLI procedure ..................................................................................................
Introduction
Welcome and thank you for selecting Fortinet products for your network protection.
FortiAnalyzer units are network appliances that provide integrated log collection and
reporting tools. Reports analyze logs for email, FTP, web browsing, security events, and
other network activity to help identify security issues and reduce network misuse and
abuse.
In addition to logging and reporting, FortiAnalyzer units also have several major features
that augment or enable certain FortiGate unit functionalities, such as DLP archiving and
quarantining, and improve your ability to stay informed about the state of your network.
Logging and reporting: A FortiAnalyzer unit can aggregate and analyze log data from
Fortinet and other Syslog-compatible devices. Using a comprehensive suite of easily-customized reports, you can filter and review records, including traffic, event, virus,
attack, Web content, and email data, mining the data to determine your security stance
and ensure regulatory compliance. For information about the FortiAnalyzer logging,
analyzing, and reporting workflow, see Figure 1 on page 14.
DLP archiving: Both FortiGate DLP (Data Leak Prevention) archive logs and their
associated copies of files or messages can be stored on and viewed from a
FortiAnalyzer unit, leveraging its large storage capacity for large media files that can be
common with multimedia content. When DLP archives are received by the
FortiAnalyzer unit, you can use data filtering similar to that for other log files to track and
locate specific email or instant messages, or to examine the contents of archived files.
Quarantine repository: A FortiAnalyzer unit can act as a central repository for files
that are suspicious or known to be infected by a virus, and have therefore been
quarantined by your FortiGate units.
Packet capture: FortiAnalyzer units can log observed packets to diagnose areas of
the network where firewall policies may require adjustment, or where traffic anomalies
occur.
File explorer: You can browse through the list of content archive/DLP, quarantine, log,
and report files on the FortiAnalyzer unit.
Network sharing: FortiAnalyzer units can use their hard disks as an NFS or Windows-style network share for FortiAnalyzer reports and logs, as well as users' files.
Figure 1: FortiAnalyzer logging, analyzing, and reporting workflow (components shown: FortiAnalyzer data receiving server; log file index/database; report engine, which generates reports based on user configurations and requests)
Customer service & technical support
To learn about the technical support services that Fortinet provides, visit the Fortinet
Technical Support web site at https://support.fortinet.com.
You can dramatically improve the time that it takes to resolve your technical support ticket
by providing your configuration file, a network diagram, and other specific information. For
a list of required information, see the Fortinet Knowledge Base article Fortinet Technical
Support Requirements.
Training
Fortinet Training Services provides classes that orient you quickly to your new equipment,
and certifications to verify your knowledge level. Fortinet provides a variety of training
programs to serve the needs of our customers and partners world-wide.
To learn about the training services that Fortinet provides, visit the Fortinet Training
Services web site at http://campus.training.fortinet.com, or email them at
training@fortinet.com.
Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Base.
Scope
This document describes how to use the web-based manager of the FortiAnalyzer unit. It
assumes you have already successfully installed the FortiAnalyzer unit by following the
instructions in the FortiAnalyzer Installation Guide.
At this stage:
The system time, DNS settings, administrator password, and network interfaces have
been configured.
Once that basic installation is complete, you can use this document. This document
explains how to use the web-based manager to:
This document does not cover commands for the command line interface (CLI). For
information on the CLI, see the FortiAnalyzer CLI Reference.
Conventions
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number-1918.
Note: Presents useful information, usually focused on an alternative, optional method, such
as a shortcut, to perform a step.
Tip: Highlights useful additional information, often tailored to your workplace activity.
Typographical conventions
Fortinet documentation uses the following typographical conventions:
Convention: Example
Button, menu, text box, field, or check box label: From Minimum log level, select Notification.
CLI input
CLI output
Emphasis
File content: <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD><BODY><H4>You must authenticate to use this service.</H4>
Hyperlink
Keyboard entry
Navigation
Publication
Command syntax conventions
Convention: Description
Square brackets [ ]
Curly braces { }
What's new
The list below contains key features which have changed since the previous release,
FortiAnalyzer v4.0 MR1. For upgrade information, see the Release Notes available with
the firmware, and Maintaining firmware on page 275.
SQL (Structured Query Language) reporting: The SQL database option is added.
The logs received by the FortiAnalyzer unit will be inserted into the SQL database for
generating reports. Both local and remote SQL database options are supported. The
advantages of using the SQL database are:
Flexibility: Through the use of standard SQL queries, more flexible reporting
capabilities can be offered.
Scalability: Through the use of a remote SQL database, any upper bound on the
amount of available log storage is removed. Furthermore, the hardware of an
external SQL database server can be more easily upgraded to support growing
performance needs.
For more information, see Configuring SQL database storage on page 85 and
Example reports (SQL-based) on page 208.
1 The administrator provides a user name and password to the FortiAnalyzer unit.
2 The FortiAnalyzer unit sends the user name and password to the RADIUS server
for authentication.
3 The RADIUS server returns an "Access Accept" response that includes a VSA
containing the name of the administrator profile to the FortiAnalyzer unit.
4 The FortiAnalyzer unit looks for the returned administrator profile in its own
configuration.
5 If the administrator profile exists, the FortiAnalyzer unit assigns the returned profile
for the duration of the administrator session.
6 If the administrator profile does not exist, the FortiAnalyzer unit assigns the locally
configured admin profile for the duration of the administrator session.
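The RADIUS profile-assignment flow above, as an added example that is not Fortinet's code: it encodes and parses the RFC 2865 Vendor-Specific attribute (type 26) that an Access-Accept would carry and then applies the lookup-and-fallback rule described above. Fortinet's vendor ID 12356, vendor-type 6 for the profile attribute, and the profile names are assumptions made here.

```python
"""Worked example: resolving a FortiAnalyzer administrator profile from a RADIUS
Access-Accept. Constructed for illustration; vendor-type 6 and the profile
names are assumptions, not taken from the guide."""
import struct

VSA_TYPE = 26                 # RFC 2865 Vendor-Specific attribute
FORTINET_VENDOR_ID = 12356    # Fortinet's IANA enterprise number
FORTINET_ACCESS_PROFILE = 6   # assumed vendor-type for Fortinet-Access-Profile


def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: type, length, vendor id, then the
    vendor sub-attribute (vendor-type, vendor-length, string)."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VSA_TYPE, len(body) + 2) + body


def parse_attributes(raw):
    """Split a RADIUS attribute blob into (type, value) pairs. Length fields are
    checked against the buffer so a malformed packet cannot cause out-of-range reads."""
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("bad attribute length")
        attrs.append((atype, raw[i + 2:i + alen]))
        i += alen
    return attrs


def fortinet_access_profile(raw):
    """Return the profile name carried in a Fortinet-Access-Profile VSA, or None
    if no such VSA is present (other vendors' VSAs are ignored)."""
    for atype, value in parse_attributes(raw):
        if atype != VSA_TYPE or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                break
            if vtype == FORTINET_ACCESS_PROFILE:
                return value[j + 2:j + vlen].decode("utf-8", "replace")
            j += vlen
    return None


def resolve_profile(accept_attrs, local_profiles, local_profile):
    """Apply the assignment rule from the text: a returned profile that exists in the
    local configuration is used for the session; otherwise the locally configured
    admin profile is used. The reason string is what an audit log should record."""
    name = fortinet_access_profile(accept_attrs)
    if name is None:
        return local_profile, "no Fortinet-Access-Profile VSA; local profile used"
    if name in local_profiles:
        return name, "profile taken from RADIUS VSA"
    return local_profile, "VSA named unknown profile %r; local profile used" % name


if __name__ == "__main__":
    # Constructed local configuration and Access-Accept attribute blobs.
    local = {"Super_User", "Read_Only", "Standard_User"}
    accept = build_vsa(FORTINET_VENDOR_ID, FORTINET_ACCESS_PROFILE, "Read_Only")
    print(resolve_profile(accept, local, "Standard_User"))
    stale = build_vsa(FORTINET_VENDOR_ID, FORTINET_ACCESS_PROFILE, "Auditor")
    print(resolve_profile(stale, local, "Standard_User"))
```

The second result shows the fallback path the text describes: a profile name the RADIUS server returns but the unit does not know silently becomes the local profile, so the reason string is the value worth writing to the audit log.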
Report charts: A new menu item, Charts, is added to Reports on the web-based
manager to help you understand better how all of the different report elements are
related. Under Charts, you can view the existing pre-defined charts on items such as
pre-defined services, IPS database, or application database. You can also add your
own chart definitions.
For more information, see Configuring report chart templates on page 197 and
Configuring data sets on page 201.
eDiscovery extension: eDiscovery allows you to search through the bulk of stored
emails, extract the search results, and share them with a third party in situations such
as a lawsuit or regulatory violation action. It is crucial to be able to prove that shared
data is an exact copy of the original. This is an extension of the FortiAnalyzer's
archived email searching.
For more information, see Using eDiscovery on page 160.
Dashboard enhancements: The interface for renaming and deleting tabs is
improved to simplify the user experience. For some widgets, you can add multiple
instances of the same widget. This helps if you need to do more than one thing with a
widget. Also, each ADOM administrator has a dashboard.
For more information, see Viewing the dashboard on page 35.
Web-based manager improvements: When viewing logs and archived files, if you
select a log entry, a detailed view will be displayed on the left hand side. You can then
see the values for all indexed columns for a particular log type. Fields with no values
will be hidden, and can optionally be expanded by selecting "show" at the bottom of the
popup window.
For more information, see Log & Archive on page 139.
System requirements
The management computer that you use to access the web-based manager must have a
compatible web browser, such as Microsoft Internet Explorer 6.0 or greater, or Mozilla
Firefox 3.0 or greater.
To minimize scrolling, the computer's screen should have a resolution that is a minimum of
1280 x 1024 pixels.
Settings
Some settings for the web-based manager apply regardless of which administrator
account you use to log in. Global settings include the idle timeout, TCP port number on
which the web-based manager listens for connection attempts, the network interface(s) on
which it listens, and the language of its display.
For details, see Configuring the web-based manager's global settings on page 84 and
Configuring the network interfaces on page 63.
Table 3: Characteristics of the CLI and web-based manager when ADOMs are enabled (columns: admin administrator account; Other administrators)
Enabling ADOMs alters the structure and available functionality of the web-based
manager and CLI according to whether you are logging in as the admin administrator,
and, if you are not logging in as the admin administrator, the administrator account's
assigned access profile.
If ADOMs are enabled and you log in as admin, you first access the Global ADOM
where you have full access to the menus and can configure other ADOMs in System >
ADOM > ADOM. At the end of the menu list, the Current ADOM menu appears,
enabling you to enter into another ADOM or return to the Global ADOM.
Note: By default, some menus are hidden. To make them visible, you can enable the
menus in System > Admin > Settings.
The Global ADOM contains settings used by the FortiAnalyzer unit itself and settings
shared by ADOMs, such as the device list, RAID, and administrator accounts. It does
not include ADOM-specific settings or data, such as logs and reports. When
configuring other administrator accounts, an additional option appears allowing you to
restrict other administrators to an ADOM. For more information, see Assigning
administrators to an ADOM on page 32. The admin administrator can further restrict
other administrators' access to specific configuration areas within their ADOM by using
access profiles. For more information, see Configuring access profiles on page 80.
If ADOMs are enabled and you log in as any other administrator, you enter the ADOM
assigned to your account. You can only access the menu items assigned to you in your
access profile. You cannot access the Global ADOM, or enter other ADOMs.
By default, administrator accounts other than the admin account are assigned to the
root ADOM, which includes all devices in the device list. By creating ADOMs that
contain a subset of devices in the device list, and assigning them to administrator
accounts, you can restrict other administrator accounts to a subset of the FortiAnalyzer
unit's total devices or VDOMs.
The maximum number of ADOMs varies by FortiAnalyzer model. For details, see
Appendix C: Maximum values matrix on page 333.
This topic includes:
Configuring ADOMs
Configuring ADOMs
Administrative domains (ADOMs) are disabled by default. To use administrative domains,
the admin administrator must:
1 Enable the feature by going to System > Admin > Settings. See To enable ADOMs on
page 28.
2 Create ADOMs by going to System > ADOM > ADOM. See To add or edit an ADOM
on page 30.
3 Assign other FortiAnalyzer administrators to an ADOM by going to System > Admin >
Administrator. See To assign an administrator to an ADOM on page 33.
To enable ADOMs
Caution: Enabling ADOMs moves non-global configuration items to the root ADOM. Back
up the configuration before beginning the following procedure. For more information about
backing up your configuration, see Backing up the configuration & installing firmware on
page 114.
1 Log in as admin.
Other administrators cannot enable, disable, or configure ADOMs.
2 Go to System > Admin > Settings.
3 Enable (select) Admin Domain Configuration.
4 Click Apply.
A dialog appears:
Enabling/Disabling the admin domain configuration will require
you to re-login. Are you sure you want to continue?
5 Click OK.
The FortiAnalyzer unit logs you out.
Note: If other administrators are also logged in at the same time, they will not be
automatically logged out. Notify them that ADOMs have been enabled, and that they may
need to log out and log in again for display changes to take effect.
3 Click Create New, or, to modify an existing ADOM, mark its check box, then click Edit.
To disable ADOMs
Caution: Back up the configuration before beginning this procedure. Deleting ADOMs,
which can occur when disabling the ADOM feature, removes administrator accounts
assigned to ADOMs other than the root ADOM. For more information, see Backing up
the configuration & installing firmware on page 114.
If you do not wish to delete these administrator accounts, assign them to the root ADOM
before disabling ADOMs.
Note: You cannot delete an ADOM if an administrator is currently assigned to it. You must
first reassign the administrator to the root ADOM (see Assigning administrators to an
ADOM on page 32).
If any other ADOMs except the root ADOM remain, the option to disable ADOMs will
not appear.
4 Go to System > Admin > Settings.
5 Disable (deselect) Admin Domain Configuration.
6 Click Apply.
A dialog appears:
Enabling/Disabling the admin domain configuration will require
you to re-login. Are you sure you want to continue?
7 Click OK.
The FortiAnalyzer unit logs you out.
The ADOM-specific menu subset appears. While in this menu subset, any changes
you make affect this ADOM only, and do not affect devices in other ADOMs or global
FortiAnalyzer unit settings.
You can return to global settings by selecting Global from Current ADOM.
System
The System menu displays a dashboard with widgets that indicate statuses and do basic
functions such as rebooting the FortiAnalyzer unit.
This menu also contains submenus that enable you to make configuration backups, and
configure administrator accounts, system time, network and FortiGuard connectivity, and
other system-wide features such as RAID and log forwarding.
This topic includes:
The dashboard is customizable. You can select which widgets to display, where they are
located on the page, and whether they are minimized or maximized. You can also create
additional dashboards.
To add a dashboard, click Dashboard, then select Add Dashboard and type its name. The
dashboard is added to the left-hand navigation menu. (For example, for a dashboard
named Summary Reports, System > Dashboard > Summary Reports would be added to
the menu.) The new dashboard is empty until you add the widgets that you want to show
on that new dashboard.
To move a widget, position your mouse cursor on the widget's title bar, then click and drag
the widget to its new location.
To show a widget, in the upper left-hand corner, click Widget, then click the names of
widgets that you want to show. To hide a widget, in its title bar, click Close.
Figure 2: Adding a widget
To see the available options for a widget, position your mouse cursor over the icons in the
widget's title bar. Options vary slightly from widget to widget, but always include options to
close or show/hide the widget.
Figure 3: A minimized widget (labels: Edit, Widget title, Show/Hide arrow, Refresh, Close)
Show/Hide arrow
Edit
Refresh
Close
Click to hide the widget on the dashboard. You will be prompted to confirm
the action. To show the widget again, click Widget near the top of the
dashboard.
System Information widget
Serial Number
The serial number of the FortiAnalyzer unit. The serial number is specific to
the FortiAnalyzer unit's hardware and does not change with firmware
upgrades. Use this number when registering the hardware with Fortinet
Technical Support.
Uptime
The time in days, hours, and minutes since the FortiAnalyzer unit was
started.
System Time
The current date and time according to the FortiAnalyzer unit's internal
clock.
Click Change to change the time or configure the FortiAnalyzer unit to get
the time from an NTP server. See Configuring the time & date on page 38.
Host Name
Firmware Version
3 Configure the following to either manually configure the system time, or automatically
synchronize the FortiAnalyzer unit's clock with an NTP server:
Description
System Time
Refresh
Click to update the System Time field with the current time
according to the FortiAnalyzer unit's clock.
Time Zone
Set Time
Select this option to manually set the date and time of the
FortiAnalyzer unit's clock, then select the Hour, Minute,
Second, Year, Month and Day fields before you click OK.
Synchronize with NTP Server
Select this option to automatically synchronize the date and
time of the FortiAnalyzer unit's clock with an NTP server, then
configure the Server and Sync Interval fields before you click
OK.
Server
Sync Interval
4 Click OK.
It appears in the System Information widget on the Status tab. For more information
about the System Information widget, see System Information widget on page 38.
It is used as the SNMP system name. For information about SNMP, see Configuring
the SNMP agent on page 94.
The System Information widget and the get system status CLI command will display
the full host name. However, if the host name is longer than 16 characters, the CLI and
other places display the host name in a truncated form ending with a tilde ( ~ ) to indicate
that additional characters exist, but are not displayed.
For example, if the host name is FortiAnalyzer1234567890, the CLI prompt would be
FortiAnalyzer123456~#.
FortiAnalyzer Version 4.0 MR2 Administration Guide
Revision 13
http://docs.fortinet.com/ Feedback
FortiGuard Services
Vulnerability Management
VM Plugins
The version of the vulnerability management plug-in, and the date of its last
update. Click Update to upload a new version of the plug-in. For more
information on vulnerability management, see Scheduling & uploading
vulnerability management updates on page 116.
VM Engine
The version of the vulnerability management engine, and the date of its last
update.
Device Registration Summary
A total of the number of each device type connecting or attempting to connect
to the FortiAnalyzer unit. For more information about the maximum numbers
of devices of each type and/or VDOMs that are permitted to connect to the
FortiAnalyzer unit, see Maximum number of devices on page 126 and
Appendix C: Maximum values matrix on page 333.
The Registered column is the number of devices that you have added to the
FortiAnalyzer unit's device list, either manually or automatically.
The Unregistered column is the number of devices attempting to connect to
the FortiAnalyzer unit that are not yet registered. To configure the
FortiAnalyzer unit to accept data from a device, see Manually adding or
deleting a device or HA cluster on page 129.
For more information about registered and unregistered devices, see
Unregistered vs. registered devices on page 126.
Color indicates whether or not a port has detected a physical connection. If a port's color is
gray, there is no connectivity, but if a port's color is green, it is connected.
Additional system-wide operations, such as formatting the log disk or resetting the
configuration to the firmware's default values, are available from the CLI. For details, see
the FortiAnalyzer CLI Reference.
Figure 6: Unit Operation widget
Description
Reboot
Click to halt and restart the operating system of the FortiAnalyzer unit.
ShutDown
Description
CPU Usage
Memory Usage
Session
Network Utilization
To configure settings for the widget, in its title bar, click Edit to open the Edit System
Resources Settings window.
To view only the most current information about system resources, from View Type,
select Real Time.
To view historical information about system resources, from View Type, select History.
To change the time range, from Time Period, select one of the following: Last 10
Minutes, Last Hour, or Last Day.
Description
Logs Received
Data Received
To configure settings for the widget, in its title bar, click Edit to open the Edit Logs/Data
Received Settings window.
To view only the most current information about system resources, from View Type,
select Real Time.
To view historical information about system resources, from View Type, select History.
To change the time range, from Time Period, select one of the following: Last 10
Minutes, Last Hour, or Last Day.
For information on how much disk space is currently consumed, see Disk Monitor widget
on page 47.
Statistics widget
The Statistics widget displays the numbers of sessions, volume of log files, and number of
reports handled by the FortiAnalyzer unit.
Figure 9: Statistics widget
Reset
Description
The date and time when the statistics were last reset.
To reset the date and time, hover your mouse cursor over the widget's title bar
area, then click Reset.
Sessions
Logs
The number of new log files received from a number of devices since the
statistics were last reset. For more information, see To view log details on
page 46.
Log Volume
The average log file volume received per day over the past 7 days. Click
Details to view the log file volume received per day. For information on total
disk space consumption, see Disk Monitor widget on page 47.
Reports
The number of reports generated for a number of devices. Click Details for
more information on the reports. For more information, see Example reports
(SQL-based) on page 208.
When viewing sessions, you can search or filter to find specific content. For more
information about filtering information, see Filtering logs on page 144.
Search
Description
Refresh
Search
Enter a word or words to find specific information. Press Enter to initiate the
search process.
Protocol
Source
Source Port
Destination
Destination Port
Expires(secs)
Description
Display
Mark the check box of a log file whose messages you want to view, then click
this button. Only one log file can be selected each time. For more information
about viewing log details, see Viewing log messages on page 139.
Download
Mark the check box of a log file that you want to download, click this button,
then select one of the following.
Log file format: Downloads the log file in text (.txt), comma-separated
value (.csv), or standard .log (Native) file format.
Compress with gzip: Compress the downloaded log file with GZIP
compression. Downloading a log-formatted file with GZIP compression
results in a download with the file extension .log.gz.
Import
Click to import devices' log files. This can be useful when restoring data or
loading log data for temporary use.
From the Device field, select the device to which the imported log file belongs,
or select Take From Imported File to read the device ID from the log file.
If you select Take From Imported File, your log file must contain a device_id
field in its log messages.
In Filename, click Browse to find the log file.
For more information, see Importing a log file on page 155.
Device Type
Select the type of devices whose log files you want to view.
Enable to show the log file names under each log type.
Log Files
Depending on the
From
The date and time when the FortiAnalyzer unit starts to generate the log file.
To
The date and time when the FortiAnalyzer unit completes generating the log
file when the file reaches its maximum size or the scheduled time. For more
information, see Configuring rolling and uploading of devices' logs on
page 158.
Size (bytes)
RAID Settings
Rebuilding
icon
Description
RAID Status
Icons and text indicate one of the following RAID disk statuses:
green checkmark (OK): Indicates that the RAID disk has no problems.
warning symbol (Warning): Indicates that there is a problem with the RAID
disk, such as a failure, and that it needs replacing. The RAID disk is also in
reduced reliability mode when this status is indicated in the widget.
wrench symbol (Rebuilding): Indicates that a drive has been replaced and the
RAID array is being rebuilt; it is also in reduced reliability mode.
exclamation mark (Failure): Indicates that one or more drives have failed, the
RAID array is corrupted, and the drive must be reinitialized. This is displayed
by both a warning symbol and text. The text appears when you hover your mouse
over the warning symbol; the text also indicates the amount of space in GB.
Rebuild Status
The time remaining to rebuild the RAID array, and the date and time
the rebuild is expected to end. This time period displays only when an
array is being rebuilt.
This time period will not display in hardware RAID, such as
FortiAnalyzer-2000/2000A/2000B and FortiAnalyzer-4000/4000A/4000B.
Rebuild Warning
Text reminding you the system has no redundancy protection until the
rebuilding process is complete. This text displays only when an array
is being rebuilt.
FortiAnalyzer units allocate most of their total disk space for both the FortiAnalyzer
unit's own logs and the logs and quarantined files from connecting devices. Disk space
quota is assigned to each device and to the FortiAnalyzer unit itself. If the quota is
consumed, the FortiAnalyzer unit will either overwrite the oldest files saved or stop
collecting new logs, depending on your preference. For devices' disk space quota settings,
see Manually adding or deleting a device or HA cluster on page 129. For the FortiAnalyzer
unit's local log disk space quota settings, see the FortiAnalyzer CLI Reference.
Remaining disk space is reserved for devices, FortiAnalyzer reports, and any temporary
files, such as configuration backups and log files that are currently queued for upload to a
server. The size of the reserved space varies by the total RAID/hard disk capacity. For
more information, see Disk space usage on page 48.
For more information about RAID, see Configuring RAID on page 106. For more
information on the volume of logs being received, see Logs/Data Received widget on
page 43.
Edit
Type
Select either:
Log Type: Display the type of logs that are received from all registered
devices and separates them into categories, such as top 5 traffic logs or
antivirus logs.
Device: Display the logs received by each registered device and separates
the devices into the top number of devices.
No. Entries
Select the number of either log types or devices in the widget's graph,
depending on your selection in the Type field.
Time Period
Select one of the following time ranges over which to monitor the rate at
which log messages are received:
Hour
Day
Week
Refresh Interval
To automatically refresh the widget at intervals, in Refresh Interval, type a
number between 10 and 240 seconds. To disable the refresh interval
feature, type 0.
Alert messages help you track system events on your FortiAnalyzer unit such as firmware
changes, and network events such as detected attacks. Each message shows the date
and time that the event occurred.
Tip: Alert messages can also be delivered by email, Syslog or SNMP. For more
information, see Configuring alerts on page 87.
Figure 15: Alert Message Console widget
More alerts
The widget displays only the most current alerts. For a complete list of unacknowledged
alert messages, in the widget's title bar, click More alerts. To sort the columns in either
ascending or descending order, click the column headings.
Figure 16: List of all alert messages
Description
Acknowledge
Mark the check boxes of alert messages that you want to remove from
the list of alerts, then click Acknowledge.
Include...and higher
Remove unacknowledged alerts older than [n days]
Select a number of days to remove the alert messages older than that
number.
formatted | raw
Select either:
formatted: Display the alert messages in columnar format.
raw: Display the information without formatting, as it actually
appears in the log messages.
Device
Event
The Message (msg=) field of the log message, which usually contains a
description of the event.
Level
Time
The date and time when the log message was generated. To sort in
ascending or descending order, click the arrow in the column heading.
Counter
To use the console, first click within the console area. Doing so will automatically log you
in using the same administrator account you used to access the web-based manager. You
can then enter commands by typing them. Alternatively, you can copy and paste
commands from or into the CLI Console.
Note: The prompt, by default the model number such as FortiAnalyzer-800B #,
contains the host name of the FortiAnalyzer unit. To change the host name, see
Configuring the FortiAnalyzer unit's host name on page 39.
Console Preferences
To configure settings for the widget, in its title bar, click Console Preferences.
Color palette
Description
Preview
Text
Click the current color swatch to the left of this label, then click a color
from the color palette to the right to change the color of the text in the
CLI Console.
Background
Click the current color swatch to the left of this label, then click a color
from the color palette to the right to change the color of the background
in the CLI Console.
Use external command input box
Enable to display a command input field below the normal console
emulation area. When this option is enabled, you can enter commands
by typing them into either the console emulation area or the external
command input field.
Console buffer length
Enter the number of lines the console buffer keeps in memory. The valid
range is from 20 to 9999.
Font
Select a font type from the list to change the display font of the CLI
Console. There are only three font types to choose from: Lucida Console,
Courier New, and the default font.
Size
Select the size in points of the font. The default size is 10 points.
Reset Defaults
Edit
To expand details for one of the widget's items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize that
item's results by which devices recorded those log messages. To further subcategorize
one of the devices' results by protocol, you could then click its + button, then select
Service. The resulting widget display would reflect traffic volume for each service on
that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item's X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 20: Top Traffic widget settings
Type a name for the widget. It will appear in the widget's title bar.
Device
Select the name of either a device or device group for which you want to display
traffic volumes.
Display by
Filter Port
Select whether to include TCP or UDP protocols, then type the port number. The
valid range is from 1 to 65,535.
Time Scope
No. Entries
Edit
To expand details for one of the widget's items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize that
item's results by which devices recorded those log messages. To further subcategorize
one of the devices' results by protocol, you could then click its + button, then select
Service. The resulting widget display would reflect web traffic volume for each
service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item's X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 22: Top Web Traffic widget settings
Description
Widget Name
Type a name for the widget. It will appear in the widget's title bar.
Device
Select the name of either a device or device group for which you
want to display traffic volumes.
Display by
By Volume
Select to gather the information for this widget from the traffic
logs.
By Requests
Select to gather the information for this widget from the Web Filter
logs.
Time Scope
No. Entries
Edit
To expand details for one of the widget's items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize that
item's results by which devices recorded those log messages. To further subcategorize
one of the devices' results by protocol, you could then click its + button, then select
Service. The resulting widget display would reflect email traffic volume for each
service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item's X button.
To configure settings for the widget, in its title bar, click Edit.
Type a name for the widget. It will appear in the widget's title bar.
Device
Select the name of either a device or device group for which you want to display
traffic volumes.
Display by
Filter Protocol
Filter Address
By Volume
Select to gather the total amount of email traffic for this widget from the traffic
logs.
By Requests
Select to gather the total amount of email traffic for this widget from the content
logs.
Time Scope
No. Entries
Edit
To expand details for one of the widget's items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize that
item's results by which devices recorded those log messages. To further subcategorize
one of the devices' results by protocol, you could then click its + button, then select
Service. The resulting widget display would reflect FTP traffic volume for each
service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item's X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 26: Top FTP Traffic widget settings
Name of the GUI item
Description
Widget Name
Type a name for the widget. It will appear in the widget's title bar.
Device
Select the name of either a device or device group for which you want to display
traffic volumes.
Display by
Time Scope
No. Entries
This widget displays a bar chart of, depending on your selection in the widget's settings,
either the total number of instant message (IM) or peer-to-peer (P2P) sessions handled by
FortiGate units, based upon their DLP logs.
Figure 27: Top IM/P2P Traffic widget
Edit
To expand details for one of the widget's items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize that
item's results by which devices recorded those log messages. To further subcategorize
one of the devices' results by protocol, you could then click its + button, then select
Service. The resulting widget display would reflect IM/P2P traffic volume for each
service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item's X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 28: Top IM/P2P Traffic widget settings
Widget Name
Type a name for the widget. It will appear in the widget's title bar.
Type
Device
Select the name of either a device or device group for which you want to display
traffic volumes.
Display by
Protocol
Select a protocol for filtering the traffic. If you select All, all of the protocols will be
included.
Time Scope
No. Entries
Edit
To expand details for one of the widget's items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize that
item's results by which devices recorded those log messages. To further subcategorize
one of the devices' results by protocol, you could then click its + button, then select
Service. The resulting widget display would reflect detected viruses for each service
on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item's X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 30: Virus Activity widget settings
Name of the GUI item
Description
Widget Name
Type a name for the widget. It will appear in the widget's title bar.
Device
Select the name of either a device or device group for which you want to
display traffic volumes.
Display by
Time Scope
No. Entries
Edit
To expand details for one of the widget's items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize that
item's results by which devices recorded those log messages. To further subcategorize
one of the devices' results by protocol, you could then click its + button, then select
Service. The resulting widget display would reflect detected intrusion attempts for
each service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item's X button.
To configure settings for the widget, in its title bar, click Edit.
Name of the GUI item
Description
Widget Name
Type a name for the widget. It will appear in the widget's title bar.
Device
Select the name of either a device or device group for which you want to display
traffic volumes.
Display by
Time Scope
No. Entries
Unlike other administrative protocols, SNMP access is not configured individually for each
network interface. Instead, see Configuring the SNMP agent on page 94.
Figure 33: Interface list
Description
Bring Up
Mark the check box of the network interface that you want to enable,
then click Bring Up. The new status appears in Status.
Bring Down
Mark the check box of the network interface that you want to disable,
then click Bring Down. The new status appears in Status.
Name
IP/Netmask
Access
FDP
Status
Description
Interface Name
IP/Netmask
Administrative Access
HTTPS
PING
HTTP
SSH
TELNET
4 Click OK.
If you were connected to the web-based manager through this network interface, you
are now disconnected from it.
5 To access the web-based manager again, in your web browser, modify the URL to
match the new IP address of the network interface. For example, if you configured the
network interface with the IP address 172.16.1.20, you would browse to
https://172.16.1.20.
If the new IP address is on a different subnet than the previous IP address, and your
computer is directly connected to the FortiAnalyzer unit, you may also need to modify
the IP address and subnet of your computer to match the FortiAnalyzer unit's new IP
address.
In addition to enabling web services, you must also register the devices with each other.
When registering the FortiAnalyzer with the FortiManager unit, to guarantee full access to
the FortiAnalyzer unit's entire configuration, you must provide the login for the
FortiAnalyzer unit's admin administrator account. When registering the FortiManager with
the FortiAnalyzer unit's device list, you must set connection permissions to allow remote
management.
Web services can also be used by third party tools to access logs and reports stored on
the FortiAnalyzer unit. For more information, see the FortiAnalyzer CLI Reference.
Web services are automatically encrypted with SSL (HTTPS). For information on the
certificate used to do so, see Importing a local server certificate on page 121.
To configure web services
1 On the FortiAnalyzer unit, log in as admin.
2 Go to System > Network > Interface.
3 Mark the check box of the network interface which will accept web services
connections, then click Edit.
4 In the Administrative Access area, enable WEBSERVICES.
8 In Trusted Host, include the FortiManager unit's IP address. For additional security,
restrict the Trusted Host entry to include only the FortiManager unit's IP address (that
is, a subnet mask of 255.255.255.255) and your computer's IP address.
9 Click OK.
10 Go to Devices > All Devices > Allowed.
11 If the FortiManager unit appears as an unregistered device, mark its check box, then
click Register to complete the device registration.
If the FortiManager unit does not appear in the device list, click Create New to add the
device registration.
12 Click OK.
13 Register the FortiAnalyzer unit with the FortiManager unit's device list. For details, see
the FortiManager Administration Guide.
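The procedure above, like the Trusted Host field on the administrator account page, restricts who may reach the web services interface by an IP/netmask list, and the guide recommends a 255.255.255.255 mask so that each entry names exactly one host. The following is an added example (not code from the guide or from Fortinet) that evaluates such a list: it reports which source addresses a set of entries would admit and flags any entry wider than a single host, the mistake that turns a Trusted Host list into no restriction at all. The addresses are constructed sample values from the RFC 5737 documentation ranges.

```python
"""
Added example, not code from the FortiAnalyzer guide: evaluate Trusted Host
entries written in the IP/netmask form the admin-account and web-services
pages use, and flag any entry wider than a single host.  The addresses are
constructed sample values (RFC 5737 documentation ranges).
"""
import ipaddress


def parse_trusted_host(entry):
    """Turn 'a.b.c.d/netmask' (dotted mask or prefix length) into a network.

    strict=False keeps an entry such as 192.0.2.10/255.255.255.0 parseable
    even though host bits are set; the mask alone decides what it admits.
    """
    return ipaddress.ip_network(entry, strict=False)


def allowed_sources(trusted_hosts, candidates):
    """Return the candidate source addresses admitted by any trusted host entry."""
    networks = [parse_trusted_host(entry) for entry in trusted_hosts]
    return [ip for ip in candidates
            if any(ipaddress.ip_address(ip) in net for net in networks)]


def review_trusted_hosts(trusted_hosts):
    """List (entry, address_count) for every entry that admits more than one host.

    An empty result means each entry pins exactly one address, which is the
    255.255.255.255 form the guide recommends for the FortiManager unit.
    """
    findings = []
    for entry in trusted_hosts:
        net = parse_trusted_host(entry)
        if net.num_addresses > 1:
            findings.append((entry, net.num_addresses))
    return findings


# Constructed sample: FortiManager at 192.0.2.10, administrator's PC at 198.51.100.7.
TIGHT = ["192.0.2.10/255.255.255.255", "198.51.100.7/255.255.255.255"]
LOOSE = ["192.0.2.0/255.255.255.0"]      # the whole /24: every host on that LAN
OPEN = ["0.0.0.0/0.0.0.0"]               # no restriction at all

if __name__ == "__main__":
    probes = ["192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.5"]
    print("tight admits:", allowed_sources(TIGHT, probes))
    print("loose admits:", allowed_sources(LOOSE, probes))
    for label, hosts in (("tight", TIGHT), ("loose", LOOSE), ("open", OPEN)):
        print(label, "findings:", review_trusted_hosts(hosts))
```

Run it against the entries you intend to type into the Trusted Host field; a non-empty findings list for the FortiManager entry means the mask is wider than the single address the procedure calls for.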
To obtain the WSDL file
Download the WSDL file directly from the following URL:
https://<FortiAnalyzer_ip_address>:8080/FortiAnalyzerWS?wsdl
The following is a section of the WSDL file:
<definitions name="FortiAnalyzerWS"
    targetNamespace="http://localhost:8080/FortiAnalyzerWS.wsdl">
  <types>
    <schema targetNamespace="urn:FortiAnalyzerWS"
        elementFormDefault="qualified"
        attributeFormDefault="qualified">
      <import namespace="http://schemas.xmlsoap.org/soap/encoding/"/>
      <element name="FortiRequestEl" type="ns:FortiRequest"/>
      <element name="FortiResponseEl" type="ns:FortiResponse"/>
      <!-- enumerations -->
      <simpleType name="SearchContent">
        <restriction base="xsd:string">
          <enumeration value="Logs"/>
          <enumeration value="ContentLogs"/>
          <enumeration value="LocalLogs"/>
        </restriction>
      </simpleType>
      <simpleType name="ReportType">
        <restriction base="xsd:string">
          <enumeration value="FortiGate"/>
          <enumeration value="FortiClient"/>
          <enumeration value="FortiMail"/>
        </restriction>
      </simpleType>
  <service name="FortiAnalyzerWS">
    <documentation>gSOAP 2.7.7 generated service definition</documentation>
    <port name="FortiAnalyzerWS" binding="tns:FortiAnalyzerWS">
      <SOAP:address location="https://localhost:8080/FortiAnalyzerWS"/>
    </port>
  </service>
</definitions>
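The WSDL excerpt tells a client two things it needs before it sends a request: the fixed vocabularies (SearchContent, ReportType) that the request elements accept, and the SOAP endpoint, which gSOAP writes against localhost and which therefore has to be rewritten to the unit's real address. The following is an added example (not code from the guide or from Fortinet) that extracts both from a WSDL with Python's standard library. WSDL_EXCERPT reproduces the guide's excerpt; the xmlns declarations on <definitions> and the closing </schema> and </types> tags are added here, as an assumption about the full file, so that the prefixes parse.

```python
"""
Added example, not code from the FortiAnalyzer guide: read the enumerations
and the SOAP endpoint out of a FortiAnalyzerWS WSDL.  WSDL_EXCERPT is the
guide's excerpt; the xmlns declarations on <definitions> and the closing
</schema> and </types> tags are added here (an assumption about the full
file) so that the prefixes parse.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SOAP_WSDL_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

WSDL_EXCERPT = """<definitions name="FortiAnalyzerWS"
    targetNamespace="http://localhost:8080/FortiAnalyzerWS.wsdl"
    xmlns:tns="http://localhost:8080/FortiAnalyzerWS.wsdl"
    xmlns:ns="urn:FortiAnalyzerWS"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:SOAP="http://schemas.xmlsoap.org/wsdl/soap/">
  <types>
    <schema targetNamespace="urn:FortiAnalyzerWS"
        elementFormDefault="qualified" attributeFormDefault="qualified">
      <import namespace="http://schemas.xmlsoap.org/soap/encoding/"/>
      <element name="FortiRequestEl" type="ns:FortiRequest"/>
      <element name="FortiResponseEl" type="ns:FortiResponse"/>
      <simpleType name="SearchContent">
        <restriction base="xsd:string">
          <enumeration value="Logs"/>
          <enumeration value="ContentLogs"/>
          <enumeration value="LocalLogs"/>
        </restriction>
      </simpleType>
      <simpleType name="ReportType">
        <restriction base="xsd:string">
          <enumeration value="FortiGate"/>
          <enumeration value="FortiClient"/>
          <enumeration value="FortiMail"/>
        </restriction>
      </simpleType>
    </schema>
  </types>
  <service name="FortiAnalyzerWS">
    <documentation>gSOAP 2.7.7 generated service definition</documentation>
    <port name="FortiAnalyzerWS" binding="tns:FortiAnalyzerWS">
      <SOAP:address location="https://localhost:8080/FortiAnalyzerWS"/>
    </port>
  </service>
</definitions>
"""


def enumerations(wsdl_text):
    """Map each enumerated simpleType name to its permitted string values."""
    root = ET.fromstring(wsdl_text)
    result = {}
    for simple_type in root.iter("simpleType"):
        values = [e.get("value") for e in simple_type.iter("enumeration")]
        if values:
            result[simple_type.get("name")] = values
    return result


def service_endpoint(wsdl_text):
    """Return the SOAP address location exactly as the WSDL states it."""
    root = ET.fromstring(wsdl_text)
    address = root.find(f".//{{{SOAP_WSDL_NS}}}address")
    if address is None:
        raise ValueError("WSDL has no SOAP address element")
    return address.get("location")


def endpoint_for(wsdl_text, host):
    """Rewrite the WSDL's localhost endpoint to the unit's real address.

    Keeps the https scheme, the port and the path; a WSDL whose location
    is not https is refused rather than used.
    """
    parts = urlsplit(service_endpoint(wsdl_text))
    if parts.scheme != "https":
        raise ValueError(f"refusing non-TLS web services endpoint ({parts.scheme})")
    netloc = f"{host}:{parts.port}" if parts.port else host
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    print(enumerations(WSDL_EXCERPT))
    print(service_endpoint(WSDL_EXCERPT))
    print(endpoint_for(WSDL_EXCERPT, "192.0.2.10"))  # 192.0.2.10 is a constructed sample address
```

Feed it the file downloaded from the unit rather than the excerpt to see the full set of enumerations; the endpoint rewrite is the step a third-party tool needs before it can call the service.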
Configuring DNS
System > Network > DNS enables you to configure the FortiAnalyzer unit with the IP
addresses of the domain name system (DNS) servers that the FortiAnalyzer unit will query
to resolve domain names such as www.example.com into IP addresses.
FortiAnalyzer units require connectivity to DNS servers for DNS lookups. Your Internet
service provider (ISP) may supply IP addresses of DNS servers, or you may want to use
the IP addresses of your own DNS servers.
Note: For improved performance, use DNS servers on your local network. Features such
as NFS shares can be impacted by poor DNS connectivity.
Description
Move
Insert
Destination IP/Netmask
Gateway
Interface
Description
Destination IP/Mask
Gateway
Enter the IP address of the gateway where the FortiAnalyzer unit will
forward intercepted packets.
Interface
When selecting a network share style, consider the access methods available to your
users:
network share user accounts and groups must be created (for Windows share only)
the share folder and its file permissions (user access) must be set
Edit
Delete
Username
UID
Description
3 Enter the appropriate information for the network share user account and select OK.
Password
Description
Enter a description of the user. For example, you might enter the user's
name or a position such as IT Manager.
The name of the group. For example, Finance. The name cannot include
spaces.
GID
Members
3 Enter the information for the group account and select OK.
Available Users
The available users that you can add to the group. Select a user and then
select the right arrow to move that user to the Members area.
Members
The users that are included in the group. If you do not want a user included
as a member, select a user and then select the left arrow to move that user
back to the Available Users area.
Description
Enable Windows Network Sharing
Workgroup
Enter the name of the work group and then select Apply.
Local Path
Share as
A list of users or groups that have read-only access to the folder or files.
A list of users or groups that have read-write access to the folder or files.
3 Enter the information for the Windows share and select OK.
Local path button
Description
Local Path
Share Name
Available Users & Groups
The list of users and groups that are available for Windows network shares.
For information on adding users and groups, see Configuring share users on
page 71.
Select a user and then select the right arrow that points to the permission list
that you want that user or group to be under, either Read-Only Access or
Read-Write Access.
Read-Only Access
Read-Write Access
Users or groups that have permission to edit or change settings.
To remove a user or group from either access list, select the user or group and
then select the left arrow to move it back to the Available Users & Groups list.
Description
Enable NFS Exports
Select the check box beside Enable NFS Exports and then select Apply to
enable NFS shares.
Local Path
Remote Clients
A list of users or groups that have read-only access to the folder or files.
A list of users or groups that have read-write access to the folder or files.
Local Path button
Description
Local Path
Remote Client: (Host, subnet, FQDN)
Permissions
Add
Select to add the NFS client to either the Read-only Access list or the Read
Write Access list, depending on the permission selected.
Delete
Select the check box beside the NFS client in either the Read Only Access
list or the Read Write Access list, and then select Delete to remove it.
Read-only Access
Read-Write Access
The list of remote clients that have both read and write access.
5 Select OK.
6 Configure the NFS client to connect to the FortiAnalyzer unit and mount the share.
read and execute for the Admin group and Others group.
You can set file permissions in the CLI. For more information, see the config nas
share command in the FortiAnalyzer CLI Reference.
Description
Change Password
Define log columns for an administrator account. You can revert the
column settings to the system default one if they have been
customized, or copy the settings from another administrator account.
For information about configuring column settings, see Displaying
and arranging log columns on page 143.
Name
Trusted Hosts
Profile
Type
Description
Administrator
Remote Auth
Wild Card
This option appears only if Remote Auth is enabled. Select if you don't
want to set a password for this account.
Auth Group
This option appears only if Remote Auth is enabled. You also need to
create an authentication group so that you can select it from the list.
For more information about creating an authentication group, see
Configuring authentication groups on page 81.
Select which RADIUS server group to use when authenticating this
administrator account.
Password
Confirm Password
Trusted Host
Access Profile
Admin Domain
Description
Profile Name
3 Enter the information for the new access profile, and select OK.
Name of the GUI item
Description
Profile Name
Access Control
Lists the FortiAnalyzer configuration components to which you can set
administrator access.
None
Read Only
The administrator can view pages, menus and information, but cannot modify any
settings.
Read-Write
The administrator can view pages, menus and information as well as change
configurations.
Note: Administrator accounts can also be restricted to specific devices or FortiGate units
with VDOMs in the FortiAnalyzer device list. For more information, see About
administrative domains (ADOMs) on page 25.
Description
Group Name
Members
To add a group
1 Go to System > Admin > Auth Group.
2 Select Create New.
Server Name/IP
2 Enter the appropriate information for the server and select OK.
Primary Server
Name/IP
Primary Server Secret
Enter the password for the primary server.
Secondary Server
Name/IP
Enter the secondary IP address for the server. This is in case the primary
one goes out of service.
Secondary Server
Secret
Authentication
Protocol
Select which protocol the FortiAnalyzer unit will use to communicate with
the RADIUS server.
Idle Timeout
Set the idle timeout to control the amount of inactive time before the
administrator must log in again. For better security, keep the idle timeout to
a low value (for example, five minutes).
When viewing real-time logs, a pop-up window appears 60 seconds before
the set idle timeout value is reached, prompting you to keep or cancel the
value. If you choose to cancel the set idle timeout value, you will not be
logged out after the idle timeout value is reached.
Web Administration
[Language]
Monitoring administrators
GUI Menu
Customization
By default, these menu items are hidden. Select one to make it appear in
the menu list.
Admin Domain
Configuration
Monitoring administrators
The Monitor page enables the admin administrator to view a list of other administrators
that are currently logged in to the FortiAnalyzer unit. The admin administrator can
disconnect other administrators' sessions, should the need arise.
To monitor current administrators, go to System > Admin > Monitor.
Figure 44: Monitoring administrators
Flexibility: Through the use of standard SQL queries, more flexible reporting
capabilities can be offered.
Scalability: Through the use of a remote SQL database, any upper bound on the
amount of available log storage is removed. Furthermore, the hardware of an external
SQL database server can be more easily upgraded to support growing performance
needs.
The FortiAnalyzer unit inserts logs into a remote SQL database but is not responsible for
deleting logs from that database nor for enforcing any type of size quotas. These tasks are
the responsibility of the remote SQL database administrator.
The FortiAnalyzer unit stores the log data into the SQL database according to a
predetermined structure called the SQL schema. The schema contains all the possible log
fields of every log type and allows the extraction of log data on a per-device and/or
per-VDOM basis for any continuous time period.
To configure the SQL database
1 Go to System > Config > SQL Database.
Name of the GUI item
Description
Location
Select Disabled to save log data to the proprietary indexed file storage system
instead of the SQL database, Local Database to save log data into the local SQL
database, and Remote Database to save log data into the remote MySQL
database.
By default, the local SQL database is PostgreSQL.
The selection of location affects the way to configure reports. For more
information, see Reports on page 167.
Start Time
Select the time when the FortiAnalyzer unit can start to insert log data into the
SQL database.
This field activates when Local Database or Remote Database is selected.
Type
Select the remote SQL database from the supported list of databases.
This field only appears when Remote Database is selected.
Server
Enter the IP address or FQDN of the server on which the remote SQL database
is installed.
This field only appears when Remote Database is selected.
Database
Name
Enter the name for the database in which log tables will be stored. This
database should already exist on the MySQL server. If it does not, the
FortiAnalyzer unit will not be able to connect.
This field only appears when Remote Database is selected.
User Name
Password
Enter the login information for a user on the database that has permissions to
read and write data, and to create tables.
Log Type
Select the log type(s) that you want to save to the SQL database.
This field activates when Local Database or Remote Database is selected.
Configuring alerts
Log-based alerts define log message types, severities, and sources which trigger
administrator notification. For example, you could configure a trigger on the attack logs
with an SMTP server output if you want to receive an alert by email when your network
detects an attack attempt.
You can notify administrators by email, SNMP, or Syslog, as well as the Alert Message
Console widget. For information on viewing alerts through the web-based manager, see
Alert Message Console widget on page 51.
To view configured log-based alerts, go to System > Config > Log-based Alerts.
Figure 45: Alert events list
Name of the GUI item
Description
Name
Devices
The devices the FortiAnalyzer unit is monitoring for the log-based alerts.
Triggers
The log message packets the FortiAnalyzer unit is monitoring for the log-based
alerts.
Destination
The location where the FortiAnalyzer unit sends the alert message. This can be an
email address, SNMP Trap or syslog server.
Description
Alert name
Device Selection
Select the devices the FortiAnalyzer unit monitors for the alert event.
Select from the Available Devices list and select the right arrow to
move the device name to the Selected Devices list. Hold the SHIFT or
CTRL keys while selecting to select multiple devices.
Trigger(s)
Select the triggers that the FortiAnalyzer unit uses to indicate when to
send an alert message. Select the following:
a log type to monitor, such as Event Log or Attack Log
the severity level to monitor for within the log messages, such as
>=
the severity of the log message to match, such as Critical
For example, selecting Event Log >= Warning, the FortiAnalyzer unit
will send alerts when an event log message has a level of Warning,
Error, Critical, Alert and Emergency.
These options are used in conjunction with Generic Text (located
under Log Filters) and Device Selection to specify which log
messages will trigger the FortiAnalyzer unit to send an alert message.
Log Filters
(Generic Text)
Select the check box Generic Text to enable log filters, and then enter
log message filter text.
This text is used in conjunction with Trigger(s) and Device Selection to
specify which log messages will trigger the FortiAnalyzer unit to send
an alert message.
Enter an entire word, which is delimited by spaces, as it appears in the
log messages that you want to match. Inexact or incomplete words or
phrases may not match. For example, entering log_i or log_it
may not match; entering log_id=0100000075 will match all log
messages containing that whole word.
Do not use special characters, such as quotes () or asterisks (*). If
the log message that you want to match contains special characters,
consider entering a substring of the log message that does not contain
special characters. For example, instead of entering, User 'admin'
deleted report 'Report_1', you might enter admin.
Threshold
Destination(s)
Send Alert To
Select an email address, SNMP trap or Syslog server from the list.
You must configure the SNMP traps or Syslog server, before you can
select them from the list.
For the FortiAnalyzer unit to send an email message, you must
configure a DNS server and mail server account. For information, see
Configuring an email server for alerts & reports on page 89.
For information on configuring SNMP traps, see Configuring the
SNMP agent on page 94.
For information on configuring Syslog servers, see Configuring
Syslog servers on page 98.
From
To
Add
Select to add the destination for the alert message. Add as many
recipients as required.
Delete
Select a recipient from the Destination list and select Delete to remove
a recipient.
Select the alert severity value to include in the outgoing alert message
information.
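The trigger and Generic Text rules above, as an added example that is not FortiAnalyzer code: a small evaluator that applies a log type, comparison operator and severity to key=value log lines, then the whole-word Generic Text filter and the device selection. The mapping from GUI log-type names to the type= field value, the device identifiers and the sample log lines are assumptions.

```python
"""Evaluate log-based alert triggers of the kind described above.

Added example; not FortiAnalyzer code. Field names (type=, level=, devid=)
follow the FortiGate key=value log format; the mapping from GUI log-type
names to the type= field value is an assumption.
"""
import re

# Fortinet log levels ordered from least to most severe.
SEVERITY_ORDER = ["debug", "information", "notice", "warning",
                  "error", "critical", "alert", "emergency"]
SEVERITY_RANK = {name: rank for rank, name in enumerate(SEVERITY_ORDER)}

# GUI log type name -> value of the type= field (assumed mapping).
LOG_TYPE_FIELD = {"Event Log": "event", "Attack Log": "attack",
                  "Traffic Log": "traffic", "Antivirus Log": "virus"}

OPERATORS = {
    ">=": lambda have, want: have >= want,
    ">":  lambda have, want: have > want,
    "=":  lambda have, want: have == want,
    "<=": lambda have, want: have <= want,
    "<":  lambda have, want: have < want,
}


def parse_log(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def generic_text_matches(line, text):
    """Whole-word match as the guide describes: the filter text must equal one
    space-delimited word of the raw log line, so 'log_i' never matches
    'log_id=0100000075' while 'log_id=0100000075' does."""
    return text in line.split()


class LogAlertTrigger:
    """One trigger: log type, comparison operator, severity, optional Generic
    Text filter and optional device selection (set of devid values)."""

    def __init__(self, log_type, operator, severity, generic_text=None, devices=None):
        if operator not in OPERATORS:
            raise ValueError("unsupported operator: %s" % operator)
        if severity.lower() not in SEVERITY_RANK:
            raise ValueError("unknown severity: %s" % severity)
        self.type_value = LOG_TYPE_FIELD[log_type]
        self.compare = OPERATORS[operator]
        self.threshold = SEVERITY_RANK[severity.lower()]
        self.generic_text = generic_text
        self.devices = set(devices) if devices else None

    def matches(self, line):
        """True when the line would cause an alert to be sent."""
        fields = parse_log(line)
        if fields.get("type") != self.type_value:
            return False
        rank = SEVERITY_RANK.get(fields.get("level", "").lower())
        if rank is None or not self.compare(rank, self.threshold):
            return False
        if self.devices is not None and fields.get("devid") not in self.devices:
            return False
        if self.generic_text and not generic_text_matches(line, self.generic_text):
            return False
        return True


def alerting_lines(trigger, lines):
    """Return the subset of lines that fire the trigger."""
    return [ln for ln in lines if trigger.matches(ln)]


# Constructed sample log lines (not real device output).
SAMPLE_LOGS = [
    'date=2011-03-01 time=10:00:01 devid=FGT-A type=event level=error '
    'log_id=0100000075 msg="Config changed"',
    'date=2011-03-01 time=10:00:02 devid=FGT-A type=event level=notice '
    'log_id=0100000075 msg="Admin login"',
    'date=2011-03-01 time=10:00:03 devid=FGT-B type=attack level=critical '
    'log_id=0420070000 msg="Signature matched"',
    'date=2011-03-01 time=10:00:04 devid=FGT-B type=event level=emergency '
    'log_id=0100032001 msg="Disk nearly full"',
]

if __name__ == "__main__":
    # Event Log >= Warning, as in the guide's example.
    trig = LogAlertTrigger("Event Log", ">=", "Warning")
    for ln in alerting_lines(trig, SAMPLE_LOGS):
        print("ALERT:", ln)
```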
If the mail server is defined by a domain name, the FortiAnalyzer unit will query the DNS
server to resolve the IP address of that domain name. In this case, you must also define a
DNS server. For details, see Configuring DNS on page 69.
If sending an email by SMTP fails, the FortiAnalyzer unit will re-attempt to send the
message every ten seconds, and never stop until it succeeds in sending the message, or
the administrator reboots the FortiAnalyzer unit.
To view the mail server list, go to System > Config > Mail Server.
Figure 46: Mail server list
Test
SMTP Server
E-Mail Account: The email address used for accessing the account on the email server.
Password
SMTP Server
Enable Authentication: Select to enable SMTP authentication. When set, you must enter an email user name and password for the FortiAnalyzer unit to send an email with the account.
E-Mail Account: Enter the user name for logging on to the SMTP server to send alert mails. You only need to do this if you have enabled SMTP authentication. The account name must be in the form of an email address, such as user@example.com.
Password: Enter the password for logging on to the SMTP server to send alert email. You only need to do this if you enabled SMTP authentication.
Note: Mail servers that you have defined for the FortiAnalyzer unit to be able to send alerts can also be selected when configuring report profiles and vulnerability scan jobs to email report output. For more information, see Scheduling vulnerability scans on page 234 and Configuring reports from logs in the proprietary indexed file system on page 167.
To view the list of output templates, go to System > Config > Remote Output.
Figure 47: Output templates
Create New
Edit
Delete
Name
E-Mail Destination: The route the email will take when sent, in the format <recipient_email address> (from <sender_email address> through <email server>).
FTP/SFTP/SCP Server IP: The type of server that the report will be uploaded to, in the format <ipv4>(typeofserver). For example, 10.10.20.15(FTP).
Name: Enter a name for the report output. This name concerns only the report output configuration that you are configuring for your report, not the report itself.
Description
Output Format
Verify this check box is selected. If you do not want to send a report by email, unselect the check box. If the check box is unselected, the available options under Send Report by Mail are hidden.
Note: Only those file formats that are enabled in both output template and schedule output types are sent by email. For example, if PDF and Text formats are selected in the output template, and then PDF and MHT are selected in the report schedule, the report file format in the email attachment is PDF.
Compress Report Files: Select to compress the report files into a .zip file and attach that .zip file to the email.
From
Server: Select which email server to use when the FortiAnalyzer unit sends reports as an email, or select Create New to configure a new email server connection.
Recipient
To
Attachment Name: Select Use Default if you want the attached report name to be the name given to the report when configuring the layout in Layout. Deselect Use Default to enter a specific name for the attached report in the field. This name will appear as the attachment's name, and is not the report's actual name.
Subject: Enter a subject for the report email. If you do not enter a subject, the subject line will be the name of the report.
Body
Server Type
IP Address
Username: Enter the user name the FortiAnalyzer unit will use when connecting to the upload server.
Password: Enter the password the FortiAnalyzer unit will use when connecting to the upload server.
Directory: Enter the directory path that the FortiAnalyzer unit will upload the report to.
Select to delete the report files from the FortiAnalyzer hard disk after the FortiAnalyzer unit has completed uploading the report files to the server.
By using an SNMP manager, you can access SNMP traps and data from any
FortiAnalyzer interface configured for SNMP management access. Part of configuring an
SNMP manager is to list it as a host in a community on the FortiAnalyzer unit it will be
monitoring. Otherwise the SNMP monitor will not receive any traps from that FortiAnalyzer
unit, or be able to query that unit.
You can configure the FortiAnalyzer unit to respond to traps and send alert messages to
SNMP managers that were added to SNMP communities. When you are configuring
SNMP, you need to first download and install both the FORTINET-CORE-MIB.mib and
FORTINET-FORTIANALYZER-MIB.mib files so that you can view these alerts in a
readable format. The Fortinet MIB contains support for all Fortinet devices, and includes
some generic SNMP traps; information responses and traps that FortiAnalyzer units send
are a subset of the total number supported by the Fortinet proprietary MIB.
Your SNMP manager may already include standard and private MIBs in a compiled
database which is all ready to use; however, you still need to download both the
FORTINET-CORE-MIB.mib and FORTINET-FORTIANALYZER-MIB.mib files regardless.
FortiAnalyzer SNMP is read-only: SNMP v1 and v2 compliant SNMP managers have
read-only access to FortiAnalyzer system information and can receive FortiAnalyzer traps.
RFC support includes most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB
II). FortiAnalyzer units also use object identifiers from the Fortinet proprietary MIB.
For more information about the MIBs and traps that are available for the FortiAnalyzer
unit, see Appendix A: SNMP MIB support on page 307.
SNMP traps alert you to events that happen, such as a log disk being full or a virus being detected.
SNMP fields contain information about your FortiAnalyzer unit, such as percent CPU
usage or the number of sessions. This information is useful to monitor the condition of the
unit, both on an ongoing basis and to provide more information when a trap occurs.
To configure the SNMP agent, go to System > Config > SNMP.
Figure 48: SNMP Access List
Expand arrow
SNMP Agent
Description
Location
Contact: Enter the contact information for the person responsible for this FortiAnalyzer unit.
Trap Type
Trigger: Enter a number (percent) for the trap type usage that will trigger a trap. The number can be between 1 and 100.
Threshold
Sample Period(s)
Sample Frequency(s)
Apply: Select to save the configured settings. Selecting Apply will not save the SNMP communities because they are automatically saved after being configured.
Communities
Create New
Edit
Delete
Test
Community Name
Queries: The status of SNMP queries for each SNMP community. The query status can be enabled (green check mark) or disabled (gray cross).
Traps: The status of SNMP traps for each SNMP community. The trap status can be enabled (green check mark) or disabled (gray cross).
Enable
Each community can have a different configuration for SNMP queries and traps. Each
community can be configured to monitor the FortiAnalyzer unit for a different set of events.
You can also add the IP addresses of up to 10 SNMP managers to each community.
To add an SNMP community
1 Go to System > Config > SNMP.
2 Under Communities, select Create New.
Community Name
Hosts: Identify the SNMP managers, by IP address, that can use the settings in this SNMP community to monitor the FortiAnalyzer unit.
Host Name: The IP address of an SNMP manager that can use the settings in this SNMP community to monitor the FortiAnalyzer unit. You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community.
Interface: Optionally select the name of the interface that this SNMP manager uses to connect to the FortiAnalyzer unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiAnalyzer unit. This can occur if the SNMP manager is on the Internet or behind a router.
Delete
Add: Add a blank line to the Hosts list. You can add up to 10 SNMP managers to a single community.
Queries: Enter the port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiAnalyzer unit. Select the Enable check box to activate queries for each SNMP version.
Note: The SNMP client software and the FortiAnalyzer unit must use the same port for queries.
Traps: Enter the Local and Remote port numbers (port 162 for each by default) that the FortiAnalyzer unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Select the Enable check box to activate traps for each SNMP version.
Note: The SNMP client software and the FortiAnalyzer unit must use the same port for traps.
SNMP Events: Enable each SNMP event for which the FortiAnalyzer unit should send traps to the SNMP managers in this community.
Test
Name
IP or FQDN: Port
Name
Enter the IP address or fully qualified domain name of the Syslog server.
Port: Enter the Syslog server port number. The default Syslog port is 514.
4 In the Syslog Message field, enter a Syslog message such as This is a test.
5 Select Test.
This option only appears if the test Syslog message is successfully sent by the
FortiAnalyzer unit. You need to go to the Syslog server to check if the message has
been successfully received. If the test fails, reconfigure the Syslog server.
All FortiAnalyzer models can be configured as a log aggregation client, but log
aggregation server support varies by FortiAnalyzer model, due to storage and resource
requirements.
Table 1: FortiAnalyzer models that support either an aggregation client or server, or both
FortiAnalyzer Model                 Aggregation Client   Aggregation Server
FortiAnalyzer-100A/100B/100C        Yes                  No
FortiAnalyzer-400B                  Yes                  No
FortiAnalyzer-800/800B              Yes                  Yes
FortiAnalyzer-1000B/1000C           Yes                  Yes
FortiAnalyzer-2000/2000A/2000B      Yes                  Yes
FortiAnalyzer-4000/4000A/4000B      Yes                  Yes
A device logging to a log aggregation client cannot send its logs to the aggregation server, since the server will refuse them. This device will still appear in the device list of the aggregation server. You can easily identify these devices because they do not have Rx and Tx permissions.
Note: On the aggregation server, configure the device quotas to be equal to or more than
those on the aggregation client to avoid log data loss.
When using log aggregation, all the FortiAnalyzer units must be running the same firmware
release and their system time must be synchronized.
To configure the aggregation client, go to System > Config > Log Aggregation, select
Enable log aggregation TO remote FortiAnalyzer and enter the appropriate information.
Select Apply.
Figure 51: Log aggregation client configuration
Password: Enter the password for the aggregation server. This password is set when configuring the aggregation server. See Password on page 103.
Confirm Password: Enter the password again for the aggregation server.
Aggregation daily at [hh:mm]: Select the time of the day when the aggregation client uploads the logs to the aggregation server.
Aggregation Now
Forward all incoming logs
Forward only authorized logs
Minimum Severity: Select the minimum severity threshold. All log events of equal or greater severity will be transmitted. For example, if the selected minimum severity is Critical, all Emergency, Alert and Critical log events will be forwarded; other log events will not be forwarded.
Configuring IP aliases
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
Use IP Alias to assign meaningful names to IP addresses. When configuring reports, or
viewing logs and DLP archives, select Resolve Host Name to view the alias rather than
the IP address.
IP aliases can make logs and reports easier to read and interpret. For example, you could
create an IP alias to display the label mailserver1 instead of its IP address,
10.10.1.54.
When adding an IP alias, you can also include an IP address range. For example:
10.10.10.1 - 10.10.10.50
10.10.10.1 - 10.10.20.100
If you have a text file with IP addresses and aliases mapping, you can
import the file instead of mapping them one by one on the FortiAnalyzer
unit. See Importing IP aliases on page 105.
Alias
Host
To add an IP alias
1 Go to System > Config > IP Alias.
2 Select Create New.
Importing IP aliases
If you have a text file with IP addresses and aliases mapping, you can import the file
instead of mapping them one by one on the FortiAnalyzer unit. This is a quick way to add
the mappings to the FortiAnalyzer unit.
The contents of the text file should be in the following format:
<alias_ipv4> <alias_name>
For example:
10.10.10.1 User_1
There can be only one IP address and user name entry per line.
To import the alias file
1 Go to System > Config > IP Alias.
2 Click Import.
3 Enter the path and file name, or select Browse to locate the file.
4 Click OK.
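The import file format and the alias ranges described above, as an added example that is not FortiAnalyzer code: a parser that validates "<alias_ipv4> <alias_name>" lines and reports the ones it rejects, an alias table that also accepts "first - last" ranges, and a resolver that does what Resolve Host Name does to a log line. The sample file and log line are constructed.

```python
"""IP alias table and alias-file importer.

Added example, not FortiAnalyzer code. Import lines follow the format shown
above, "<alias_ipv4> <alias_name>", one entry per line; address ranges use
the "10.10.10.1 - 10.10.10.50" form the guide gives for aliases added in
the web-based manager. Sample data below is constructed.
"""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class IpAliasTable:
    """Maps single addresses and address ranges to alias names."""

    def __init__(self):
        self._single = {}     # IPv4Address -> alias
        self._ranges = []     # (first, last, alias), checked in insertion order

    def add(self, host, alias):
        """Add an alias for a single IPv4 address or a 'first - last' range."""
        host = host.strip()
        if "-" in host:
            first_s, last_s = (p.strip() for p in host.split("-", 1))
            first = ipaddress.IPv4Address(first_s)
            last = ipaddress.IPv4Address(last_s)
            if last < first:
                raise ValueError("range end precedes range start: %s" % host)
            self._ranges.append((first, last, alias))
        else:
            self._single[ipaddress.IPv4Address(host)] = alias

    def resolve(self, ip):
        """Alias for ip, or the address itself when no alias applies.
        A single-address entry takes precedence over a range."""
        addr = ipaddress.IPv4Address(ip)
        if addr in self._single:
            return self._single[addr]
        for first, last, alias in self._ranges:
            if first <= addr <= last:
                return alias
        return ip

    def resolve_line(self, line):
        """What Resolve Host Name does for a log line: every IPv4 address is
        replaced by its alias; malformed addresses are left untouched."""
        def swap(match):
            try:
                return self.resolve(match.group(0))
            except ValueError:
                return match.group(0)
        return IPV4_RE.sub(swap, line)


def load_alias_file(text):
    """Parse import-file text. Returns (table, errors); errors is a list of
    (line_number, reason) for lines that do not match the documented format."""
    table = IpAliasTable()
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            errors.append((lineno, "expected exactly '<alias_ipv4> <alias_name>'"))
            continue
        try:
            ipaddress.IPv4Address(parts[0])    # the file holds single addresses only
        except ValueError:
            errors.append((lineno, "not an IPv4 address: %s" % parts[0]))
            continue
        table.add(parts[0], parts[1])
    return table, errors


# Constructed import file: lines 3 and 4 violate the format.
ALIAS_FILE = """\
10.10.10.1 User_1
10.10.1.54 mailserver1
10.10.10.2 User_2 extra_field
300.1.1.1 bad_address
"""

if __name__ == "__main__":
    table, errors = load_alias_file(ALIAS_FILE)
    table.add("10.10.10.1 - 10.10.10.50", "lab_pool")
    print(table.resolve_line("srcip=10.10.1.54 dstip=10.10.10.25 srcport=4431"))
    for lineno, reason in errors:
        print("line %d skipped: %s" % (lineno, reason))
```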
Configuring RAID
RAID (Redundant Array of Independent Disks) helps to divide data storage over multiple
disks which provides increased data reliability. FortiAnalyzer units that contain multiple
hard disks can configure the RAID array for capacity, performance and availability.
From System > Dashboard > Status, you can view the status of the RAID array from the Disk Monitor widget. The Disk Monitor widget displays the status of each disk in the RAID array, including the disk's RAID level. This widget also displays how much disk space is being used. For more information, see Disk Monitor widget on page 47.
The Alert Message Console widget, located in System > Dashboard > Status provides
detailed information about RAID array failures. For more information see Alert Message
Console widget on page 51.
If you need to remove a disk from the FortiAnalyzer unit, you can hot swap it. Hot
swapping means that you can remove a failed hard disk and replace it with a new one
even while the FortiAnalyzer unit is still in operation. Hot swapping is a quick and efficient
way to replace hard disks. For more information about hot swapping, see Hot-swapping
hard disks on page 49.
System > Config > RAID allows you to change the RAID level of the RAID array. Changing
the RAID level will remove all log data from the disks, and the device disk quota may be
reduced to accommodate the available disk space in the new RAID array.
Disk #: The number identifying the disk. These numbers reflect what disks are available on the FortiAnalyzer unit. For example, on a FortiAnalyzer-4000/4000A there would be 1-12, whereas on a FortiAnalyzer-2000A there would be 1-6.
Size (GB)
Status: The current status of the hard disk. For example, OK indicates that the hard disk is okay and working normally; Not Present indicates that the hard disk is not being detected by the FortiAnalyzer unit or has been removed and no disk is available; Failed indicates that the hard disk is not working properly.
FortiAnalyzer Model              Supported Levels                                  Recommended Level   Note
FortiAnalyzer-100A/100B/100C                                                                          RAID is not supported.
FortiAnalyzer-400B               0, 1
FortiAnalyzer-800/800B           Linear, 0, 1, 5, 10                               10
FortiAnalyzer-1000B              0, 1
FortiAnalyzer-1000C              Linear, 0, 1, 10                                  10
FortiAnalyzer-2000/2000A/2000B   0, 5, 5 plus spare, 10, 50                        50
FortiAnalyzer-4000/4000A         0, 5, 5 plus spare, 10, 50                        50
FortiAnalyzer-4000B              0, 5, 5 plus spare, 10, 50, 6, 6 plus spare, 60   50
When changing the RAID level, the available levels depend on the number of working
disks that are actually present in the unit. For example, RAID5 is not available on
FortiAnalyzer units with fewer than three disks. With a full complement of working disks,
the default level is the recommended level in the above table. The following sections
assume a full complement except where noted.
You can find out information about RAID from the get system status or diag raid
info commands in the CLI.
Note: Fortinet recommends having an Uninterruptible Power Supply (UPS) to reduce the
possibility of data inconsistencies when power failures occur.
Linear
A linear RAID level combines all hard disks into one large virtual disk. It is also known as
concatenation or JBOD (Just a Bunch of Disks). The total space available in this option is
the capacity of all disks used. There is very little performance change when using this
RAID format. If any of the drives fails, the entire set of drives is unusable until the faulty
drive is replaced. All data will be lost.
RAID 0
A RAID 0 array is also referred to as striping. The FortiAnalyzer unit writes information
evenly across all hard disks. The total space available is that of all the disks in the RAID
array. There is no redundancy available. If any of the drives fails, the data cannot be
recovered. This RAID level is beneficial because it provides better performance, since the
FortiAnalyzer unit can distribute disk writing across multiple disks.
RAID 1
A RAID 1 array is also referred to as mirroring. The FortiAnalyzer unit writes information to
one hard disk, and writes a copy (a mirror image) of all information to all other hard disks.
The total disk space available is that of only one hard disk, as the others are solely used
for mirroring. This provides redundant data storage with no single point of failure. Should
any of the hard disks fail, there are several backup hard disks available. With a
FortiAnalyzer-800 for example, if one disk fails, there are still three other hard disks the
FortiAnalyzer unit can access and continue functioning.
RAID 5
A RAID 5 array employs striping with a parity check. The FortiAnalyzer unit writes
information evenly across all drives. Additional parity blocks are written on the same
stripes. The parity block is staggered for each stripe. The total disk space is the total
number of disks in the array, minus one disk for parity storage. For example, on a
FortiAnalyzer-800 with four hard disks, the total capacity available is actually the total for
three hard disks. RAID 5 performance is typically better with reading than writing, although
performance is degraded when one disk has failed or is missing. With RAID 5, one disk
can fail without the loss of data. If a drive fails, it can be replaced and the FortiAnalyzer
unit will restore the data on the new disk using reference information from the parity
volume.
Note: RAID 5 appears in the web-based manager only for FortiAnalyzer units with
hardware RAID.
RAID 10
RAID 10 (or 1+0), includes nested RAID levels 1 and 0, or a stripe (RAID 0) of mirrors
(RAID 1). The total disk space available is the total number of disks in the array (a
minimum of 4) divided by 2. One drive from a RAID 1 array can fail without loss of data;
however, should the other drive in the RAID 1 array fail, all data will be lost. In this
situation, it is important to replace a failed drive as quickly as possible.
RAID 50
RAID 50 (or 5+0) includes nested RAID levels 5 and 0: a stripe (RAID 0) of stripes with parity (RAID 5). The total disk space available is the total number of disks minus the number of RAID 5 sub-arrays. RAID 50 provides increased performance and also ensures no data loss for the same reasons as RAID 5. One drive in each RAID 5 array can fail without the loss of data. For the following FortiAnalyzer units, data is recoverable when:
Available disk space (GB) by model, number of disks, disk size and RAID level (-: not listed)
Model              Disks   Size per Disk (GB)   RAID 0   RAID 1   RAID 5   RAID 5 + Spare   RAID 10   RAID 50   RAID 6   RAID 6 + Spare   RAID 60
400B               -       500                  930      460      -        -                -         -         -        -                -
800B               -       500                  1860     465      1390     -                930       -         -        -                -
1000B              -       1000                 1860     930      -        -                -         -         -        -                -
1000C              -       932                  3668     917      -        -                1834      -         -        -                -
2000/2000A/2000B   6       250                  1390     -        1160     930              695       930       -        -                -
2000/2000A/2000B   6       400                  2230     -        1863     1490             1110      1490      -        -                -
2000/2000A/2000B   6       500                  2790     -        2320     1860             1390      1860      -        -                -
2000/2000A/2000B   6       932                  5500     -        4582     3666             2750      3666      -        -                -
4000/4000A         12      250                  2790     -        2560     2320             1396      2320      -        -                -
4000/4000A         12      400                  4470     -        4090     3720             2330      3720      -        -                -
4000/4000A         12      500                  5580     -        5120     4650             2790      4650      -        -                -
4000B              24      932                  15380    -        15380    15380            10990     14653     15380    15380            10990
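The capacity and fault-tolerance rules from the RAID level descriptions above, as an added worked example that is not FortiAnalyzer code: usable disks and guaranteed tolerated failures per level, with the disk-count limits the text states (RAID 5 needs at least three disks, RAID 10 needs an even count of at least four, RAID 50 loses one disk per sub-array). The rules for RAID 6, 6 plus spare and 60, and the default of two sub-arrays for RAID 50/60, are assumptions; the raw GB figures sit a little above the formatted capacities in the table.

```python
"""Usable capacity and guaranteed failure tolerance per RAID level.

Added worked example, not FortiAnalyzer code. It encodes the rules stated in
the RAID level descriptions above (RAID 5 needs at least three disks, RAID 10
halves the disk count, RAID 50 loses one disk per RAID 5 sub-array). RAID 6,
6 plus spare and 60 are listed for the FortiAnalyzer-4000B but not described
on this page; their rules here are the standard definitions (assumption).
"""

LEVELS = ("Linear", "0", "1", "5", "5 plus spare", "10", "50",
          "6", "6 plus spare", "60")


def raid_layout(level, disks, sub_arrays=2):
    """Return (usable_disks, failures_tolerated) for `disks` working disks,
    or None when the level cannot be built from that many disks.
    `sub_arrays` is the number of RAID 5/6 sub-arrays striped together in
    RAID 50/60 (assumed to be 2 unless stated otherwise).
    failures_tolerated is the worst-case guarantee: RAID 10 survives one
    failure per mirror pair, but only one failure is guaranteed overall."""
    if disks < 1:
        return None
    if level in ("Linear", "0"):
        return disks, 0                      # no redundancy, all space usable
    if level == "1":
        return (1, disks - 1) if disks >= 2 else None
    if level == "5":
        return (disks - 1, 1) if disks >= 3 else None
    if level == "5 plus spare":
        return (disks - 2, 1) if disks >= 4 else None   # one hot spare held back
    if level == "10":
        return (disks // 2, 1) if disks >= 4 and disks % 2 == 0 else None
    if level == "50":
        if disks % sub_arrays or disks // sub_arrays < 3:
            return None
        return disks - sub_arrays, sub_arrays            # one parity disk per sub-array
    if level == "6":
        return (disks - 2, 2) if disks >= 4 else None
    if level == "6 plus spare":
        return (disks - 3, 2) if disks >= 5 else None
    if level == "60":
        if disks % sub_arrays or disks // sub_arrays < 4:
            return None
        return disks - 2 * sub_arrays, 2 * sub_arrays
    raise ValueError("unknown RAID level: %s" % level)


def usable_gb(level, disks, size_gb, sub_arrays=2):
    """Raw usable capacity; a unit reports somewhat less after formatting."""
    layout = raid_layout(level, disks, sub_arrays)
    return None if layout is None else layout[0] * size_gb


def capacity_table(disks, size_gb):
    """Usable GB for every level, None where the level is unavailable."""
    return {lvl: usable_gb(lvl, disks, size_gb) for lvl in LEVELS}


def capacity_cost(level, disks):
    """Fraction of raw space given up for redundancy (0.0 for RAID 0)."""
    layout = raid_layout(level, disks)
    return None if layout is None else 1 - layout[0] / disks


if __name__ == "__main__":
    # A six-disk unit with 250 GB disks, as in the capacity table above.
    for lvl, gb in capacity_table(6, 250).items():
        print("%-13s %s" % (lvl, "n/a" if gb is None else "%d GB" % gb))
```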
A directory is a set of objects with similar attributes organized in a logical and hierarchical way. Generally, an LDAP directory tree reflects geographic or organizational boundaries, with the Domain Name System (DNS) names at the top level of the hierarchy. The common name identifier for most LDAP servers is cn; however, some servers use other common name identifiers such as uid.
For example, you could use the following base distinguished name:
ou=marketing,dc=fortinet,dc=com
where ou is organization unit and dc is a domain component.
You can also specify multiple instances of the same field in the distinguished name, for
example, to specify multiple organization units:
ou=accounts,ou=marketing,dc=fortinet,dc=com
Binding occurs when the LDAP server successfully authenticates the user and allows the
user access to the LDAP server based on his or her permissions.
You can configure the FortiAnalyzer unit to use one of two types of binding:
If the users are under more than one DN, use the anonymous or regular type, which can
search the entire LDAP database for the required user name.
If your LDAP server requires authentication to perform searches, use the regular type and
provide values for user name and password.
In System > Config > LDAP, you can define a query to retrieve a list of LDAP users from a remote LDAP server. LDAP queries are used in FortiAnalyzer reports as an additional filter for the user field, providing a convenient way of filtering log data without having to list the user names manually. For example, you may need to create a scope in a report that is restricted to include only log messages whose user= field matches user names retrieved from the network's main LDAP server.
For more information about LDAP queries in FortiAnalyzer reports, see Configuring
reports from logs in the proprietary indexed file system on page 167.
To view the LDAP server list, go to System > Config > LDAP.
Figure 55: LDAP server list
Name
Server Name/IP
Port: The port with which the server is exchanging information. The default port is 389.
The name of the attribute identifier that is used in the LDAP query filter.
LDAP Distinguished Name Query
Name
Server Name/IP
Server Port
Server Type
Bind DN
Bind Password
Common Name Identifier: Enter the attribute identifier used in the LDAP query filter. By default, the identifier is cn.
For example, if the Base DN contains several objects, and you want to include only objects whose cn=Admins, enter the Common Name Identifier cn and enter the Group(s) value Admins when configuring report profiles. For more information, see Configuring reports from logs in the proprietary indexed file system on page 167.
Report scopes using this query require Common Name Identifier. If this option is blank, the LDAP query for reports will fail.
Base DN
LDAP Distinguished Name Query: View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross-reference to the Distinguished Name. Leave the Base DN field empty for this option to work. For more information, see Querying for the base DN on page 114.
Backed up copies of the FortiAnalyzer unit configuration file can be encrypted with a
password. When restoring encrypted configuration files, the password must be entered to
decrypt the file.
Caution: Do not forget the password to the backed up configuration file. A
password-encrypted backup configuration file cannot be restored without the password.
For additional information about backing up and restoring configuration, see Maintaining
firmware on page 275.
System Configuration
Last Backup
Backup configuration to: Currently, the only option on the web-based manager is to back up to your local PC. However, you can use the execute backup config command to back up the system configuration to a file on an FTP, SFTP, SCP, or TFTP server. For more information, see the FortiAnalyzer CLI Reference.
Encrypt configuration file: Select to encrypt the backup file. Enter a password in the Password field and enter it again in the Confirm field. You will need this password to restore the file. You must encrypt the backup file if you are using a secure connection to a FortiGate or FortiManager device.
Password
Confirm
Backup
Enter the configuration file name or use the Browse button if you are restoring the configuration from a file on the management computer.
Password
Restore
Firmware
Partition: A partition can contain one version of the firmware and the system configuration.
Active
Last Upgrade
Firmware Version
manually upload update packages to the FortiAnalyzer unit from your management
computer
configure the FortiAnalyzer unit to periodically request updates from the Fortinet
Distribution Network (FDN)
You must register and license the FortiAnalyzer unit and purchase and register
vulnerability management service with the Fortinet Technical Support web site,
https://support.fortinet.com/, to receive vulnerability management updates from the FDN.
See (Vulnerability Management) Subscribe on page 117. The FortiAnalyzer unit must
also have a valid Fortinet Technical Support contract, which includes VM update
subscriptions, and be able to connect to the FDN or the IP address that you have
configured to override the default FDN addresses. For port numbers required for license
validation and update connections, see the Fortinet Knowledge Base article FDN Services
and Ports.
For more information about configuring vulnerability scan jobs and viewing vulnerability
scan reports, see Vulnerability Management on page 213.
To manually upload vulnerability management updates or to configure scheduled
vulnerability management updates, go to System > Maintenance > FortiGuard.
Figure 58: FortiGuard Distribution Network
FortiGuard Subscription Services
(Vulnerability Management) Subscribe: Select to open the Fortinet Technical Support web site to register the FortiAnalyzer unit and Vulnerability Management Service to receive vulnerability management updates from the FDN.
Vulnerability Management
Enable Use override server address and enter the IP address and port number of an FDS in the format <IP>:<port>, such as 10.10.1.10:8889.
If you want to connect to a specific FDN server other than the one to which the FortiAnalyzer unit would normally connect, you can override the default IP addresses by configuring an override server.
If, after applying the override server address, the FDN status icon changes to indicate availability (a green check mark), the FortiAnalyzer unit has successfully connected to the override server. If the icon still indicates that the FDN is not available, the FortiAnalyzer unit cannot connect to the override server. Check the FortiAnalyzer configuration and the network configuration to make sure you can connect to the FDN override server from the FortiAnalyzer unit.
IP
Port
Name: If your web proxy requires a login, enter the user name that your FortiAnalyzer unit should use when connecting to the FDN through the web proxy.
Password: If your web proxy requires a login, enter the password that your FortiAnalyzer unit should use when connecting to the FDN through the web proxy.
Scheduled Update
[Request Update Now]
Every: Select to update once every n hours, then select the number of hours in the interval.
Daily: Select to update once every day, then select the hour. The update attempt occurs at a randomly determined time within the selected hour.
Weekly: Select to update once a week, then select the day of the week and the hour of the day. The update attempt occurs at a randomly determined time within the selected hour.
You can migrate configuration settings and log data from one FortiAnalyzer unit to another
from System > Maintenance > Migration. This is referred to as migrating data, and
provides an easy way to have the same information on multiple FortiAnalyzer units without
having to manually configure each one.
Caution: When migrating configuration settings and log data from one FortiAnalyzer unit to
another, the source FortiAnalyzer unit stops receiving logs from the managed devices as
soon as it enters into the migration mode. If you want to keep the logs from the devices
during the migration process, make sure that the managed devices send logs to the
destination FortiAnalyzer unit or another compatible log storage location. To send logs to
the destination FortiAnalyzer unit, simply swap the IP addresses of the source and
destination units by going to System > Network > Interface on each unit. You also need to
perform step 5 on the destination unit. You can swap the IP addresses back after the
migration completes.
The destination FortiAnalyzer unit will lose all of the data received prior to the migration
process starts. Back up the important data on the destination unit if necessary.
You can also test the connection between two FortiAnalyzer units before migrating the
configuration settings to verify that the connection is working properly.
Before you begin the migration process, you need to verify that each FortiAnalyzer unit is
upgraded to FortiAnalyzer 4.0 MR1 or higher. The migration feature is available only in
FortiAnalyzer 4.0 MR1 or higher. You also need to decide which FortiAnalyzer unit will be
the one used for migrating data to the other before proceeding. Migrating data should be
done during a low traffic time period, for example at night, because, depending on the
amount of data being transferred, it could take more than an hour to transfer.
Caution: To migrate data, the firmware release number and build number on the source
and destination FortiAnalyzer units must match. Otherwise the migration will fail.
You need to configure both the FortiAnalyzer unit that will be sending data (source
FortiAnalyzer unit) and the FortiAnalyzer unit that will be receiving data (destination
FortiAnalyzer unit) for migrating configuration settings.
To configure the source FortiAnalyzer unit
1 On the source FortiAnalyzer unit, log in to the web-based manager.
Remember the login password. You will need it for configuring the destination
FortiAnalyzer unit. See To configure the destination FortiAnalyzer unit for migrating
configuration settings on page 119.
2 Go to System > Maintenance > Migration.
3 Select Source to enable the FortiAnalyzer unit to send the configuration settings to the
other FortiAnalyzer unit.
4 In Peer IP, enter the IP address of the FortiAnalyzer unit that will be receiving the data.
Select to pause the ongoing migration process from the destination unit. You can
subsequently resume or cancel the migration by selecting the respective button.
<argument1_str> For FTP, SFTP or SCP, enter a user name. For TFTP, enter a
directory or file name.
<argument2_str> For FTP, SFTP or SCP, enter a password or -. For TFTP, enter
a file name or PKCS #12 file password or -.
<argument3_str> For FTP, SFTP or SCP, enter a directory or file name. For TFTP,
enter a PKCS #12 file password or -.
Web services are automatically encrypted with SSL (HTTPS). The FortiAnalyzer unit
automatically generates a self-signed public certificate. To view the public certificate, in
the CLI, enter the command:
get system ws-cert
You can use this auto-generated certificate, or you can replace it with your own certificate
using the associated set command. FortiManager units with which the FortiAnalyzer unit
is registered will automatically accept the new certificate.
For more information on HTTPS access to the web-based manager and web services, see
Configuring the network interfaces on page 63.
For more information about CLI commands, see the FortiAnalyzer CLI Reference.
Devices
The Devices menu controls connection attempt handling, permissions, disk space quota,
and other aspects of devices that are connected to the FortiAnalyzer unit for remote
logging, DLP archiving, quarantining, and/or remote management.
For a diagram of traffic types, ports and protocols that FortiAnalyzer units use to
communicate with other devices and services, see the Fortinet Knowledge Base article
Traffic Types and TCP/UDP Ports used by Fortinet Products.
This topic includes:
whether the maximum number of devices has been reached on the FortiAnalyzer unit, and
what that maximum is for each model, see Maximum number of devices on page 126.
manually adding a device to the device list, see Manually adding or deleting a device
or HA cluster on page 129.
Adding a device to the device list configures connections from the device but does not
automatically establish a connection. You need to configure the device to send traffic to
the FortiAnalyzer unit to establish a connection. For more information, see the FortiGate
Administration Guide, FortiMail Administration Guide, FortiManager Administration Guide,
FortiClient Administrator's Guide, or your syslog server's documentation.
Due to the nature of connectivity for certain high availability (HA) modes, FortiGate units in
an HA cluster may not be able to send full DLP archives and quarantine data. For more
information, see the FortiGate HA Overview.
You may want to block connection attempts from devices that you do not want to add to
the device list, since otherwise each new connection attempt must be reconsidered. For
more information, see Blocking unregistered device connection attempts on page 134.
Devices may automatically appear on the device list when the FortiAnalyzer unit receives
a connection attempt, according to your configuration of Unregistered Options, but
devices may also automatically appear as a result of importing log files. For more
information, see Importing a log file on page 155.
To view the device list, go to Devices > All Devices > Allowed.
Note: Hover your cursor over an item to display more information.
Search
Current page
Description
Create New
Edit
Delete
Remove the selected devices from the list. You cannot delete a device
that is referenced elsewhere in the configuration, such as by being
assigned to a device group. To delete the device, first remove all
configuration references to that device.
If you use the default proprietary indexed file storage system for log
storage, once a device is removed from the device list, the associated
logs and other data, such as DLP archives and the default report
profile for the device (that is, the device summary report
Default_<device_name>) are deleted. Reports that have already
been generated from the device's log data, however, are not
deleted.
If you use the local SQL file storage system for log storage, once a
device is removed from the device list, the associated logs are not
deleted. To delete the logs, use the command execute sql-local
remove-device. This command does not remove reports that have
already been generated from the device's log data.
If the device is still configured to attempt to connect to the
FortiAnalyzer unit and you have configured Unregistered Device
Options to display connection attempts from unregistered devices, the
device may reappear in the device list.
Register
Block
Select to change the columns to view and the order they appear on
the page. For more information, see Displaying and arranging log
columns on page 143.
Search
Enter partial or the full name of a device and select the one you want
from the list to view or edit the device.
Name
The name of the device in the device list. This can be any descriptive
name that you want assigned to it, and does not need to be its host
name.
Select the arrow beside Name to list the devices in either ascending or
descending order.
An orange exclamation point (!) icon before a device name indicates
that the device is connecting to the FortiAnalyzer unit and the device's
time zone is not synchronized with the FortiAnalyzer unit's time zone.
Model
The model of the device. For example, the device list displays a
FortiGate-400A model as FGT400A.
IP Address
Log
DLP
Quar
IPS
Mouse over an icon to view when the FortiAnalyzer unit last received logs or
data from the device, whether it has received any logs or data from the
device at all, whether logging is disabled on the device, or whether the
device is unregistered.
Only FortiGate units can send DLP archives, quarantine files, and IPS
files to the FortiAnalyzer unit.
Secure
Indicates whether IPSec VPN tunnelling has been enabled for secure
transmission of logs, content and quarantined files.
Caution: A locked icon indicates that secure connection is enabled,
but not necessarily fully configured, and the tunnel may not be up. For
more information, see Configuring IPSec secure connections
between the FortiAnalyzer unit and a device or an HA cluster on
page 128.
Quota Usage
The amount of the FortiAnalyzer disk space allocated for the device
and how much of that space is used. For information on configuring
disk space usage by quarantined files, see the FortiAnalyzer CLI
Reference.
Virtual Domains
Type
ADOM
Mode
Show
Select the type of devices to display in the list. You can select devices
by type, or select Unregistered to display devices that are attempting
to connect but that have not yet been registered or added.
Current Page
By default, the first page of the list of items is displayed. The total
number of pages displays after the current page number. For
example, if 2/10 appears, you are currently viewing page 2 of 10
pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and then
press Enter.
By default, all Fortinet devices (FortiGate, FortiManager, FortiClient, and FortiMail) are
discovered and listed as registered devices. All generic syslog devices are discovered
and automatically listed as unregistered devices. You can configure these settings. For
more information, see Configuring unregistered device options on page 133.
You can also manually add/register a device. For more information, see Manually adding
or deleting a device or HA cluster on page 129.
Model                         Maximum number  Maximum number of          FortiGate models supported             FortiManager models  FortiMail models
                              of devices      FortiClient installations                                         supported            supported
                                              allowed
FortiAnalyzer-100A/100B/100C  100             100                        FortiGate-30B to FortiGate-224B/C (*)  All                  All
FortiAnalyzer-400B            200             2000                       All                                    All                  All
FortiAnalyzer-800/800B        500             5000                       All                                    All                  All
FortiAnalyzer-1000B           2000            No restrictions            All                                    All                  All
FortiAnalyzer-1000C           2000            No restrictions            All                                    All                  All
FortiAnalyzer-2000/2000A      2000            No restrictions            All                                    All                  All
FortiAnalyzer-2000B           2000            No restrictions            All                                    All                  All
FortiAnalyzer-4000/4000A      2000            No restrictions            All                                    All                  All
FortiAnalyzer-4000B           2000            No restrictions            All                                    All                  All
(*) If the FortiAnalyzer unit has only one FortiGate unit registered, then all models are supported.
To view the number of devices currently attempting to connect, see License Information
widget on page 40.
For networks with more demanding logging scenarios, an appropriate device ratio may be
less than the allowed maximum. Performance will vary according to your network size,
device types, logging thresholds, and many other factors. When choosing a FortiAnalyzer
model, consider your network's log frequency, and not only your number of devices.
A VDOM or high availability (HA) cluster counts as a single device towards the maximum
number of allowed devices. Multiple FortiClient installations (which can number up to the
limit of allowed FortiClient installations) also count as a single device.
For example, a FortiAnalyzer-100B could register up to either:
100 devices
When devices attempt to connect to a FortiAnalyzer unit that has reached its maximum
number of allowed devices, the FortiAnalyzer unit will reject connection attempts by
excess devices, and automatically add those excess devices to the list of blocked
devices. For more information about blocked devices, see Configuring device groups on
page 136.
FortiAnalyzer Version 4.0 MR2 Administration Guide
Revision 13
http://docs.fortinet.com/ Feedback
When the FortiAnalyzer unit has exceeded its maximum number of allowed devices, you
will not be able to add devices to the device list. To resume adding devices, you must first
block a device that is currently on your device list, then unblock the device you want to add
and add it to the device list.
For more information on the CLI commands, see the FortiAnalyzer CLI Reference,
FortiGate CLI Reference, and FortiManager CLI Reference.
Note: Changing a device's FortiAnalyzer settings clears sessions to that IP address. If the
FortiAnalyzer unit is behind a NAT device, such as a FortiGate unit, this also resets
sessions to other hosts behind that same NAT.
To prevent disruption of other devices' traffic, on the NAT device, create a separate virtual
IP for the FortiAnalyzer unit.
You must add the FortiManager system to the FortiAnalyzer device list for the
FortiAnalyzer unit to be remotely administered by the FortiManager system. Additionally,
you must also:
enable web services on the FortiAnalyzer network interface that will be connected to
the FortiManager system (see Configuring and using FortiAnalyzer web services on
page 66)
register the FortiAnalyzer unit with the FortiManager system (see the FortiManager
Administration Guide)
be able to connect from your computer to the web-based manager of both the
FortiManager system and the FortiAnalyzer unit.
Device Name
IP Address
Device ID
Enter the device ID. Device IDs are usually the serial number of the device,
and usually appear on the dashboard of the device's web-based manager.
The device ID is automatically pre-entered if you are adding an
unregistered device from the device list, or if you are editing an existing
device.
This option does not appear if Device Type is Syslog or FortiClient.
Cluster ID (primary member)
Disk Allocation (MB)
Enter the amount of hard disk space allocated to the device's log and
content messages, including quarantined files.
The allocated space should be at least 10 times the log rolling size for the
Log and DLP archive. For example, if you set the log and DLP archive log
file roll size to 50 MB, allocate at least 500 MB of disk space for the device.
Amounts following the disk space allocation field indicate the amount of disk
space currently being used by the device, and the total amount of disk
space currently available on the FortiAnalyzer unit.
When Allocated Disk Space is All Used
Select either Overwrite Oldest Files or Stop Logging to indicate what the
FortiAnalyzer unit should do when the allocated disk space has been used.
For more information about disk space allocation, see System Resources
widget on page 41.
Device Privileges
Select the connection privileges of the device, such as for sending and
viewing log files, DLP archives and quarantined files. Available permissions
vary by device type.
Note: Remotely accessing logs, DLP archive logs and quarantined files is
available on FortiGate units running firmware version 4.0 or later.
Description
Mode
4 Select OK.
The device appears in the device list. After registration, some device types can be
configured for secure connection. For more information, see Secure on page 125.
Manually adding a FortiGate unit using the Fortinet Discovery Protocol (FDP)
If you configure the FortiAnalyzer unit to respond to Fortinet Discovery Protocol (FDP)
packets, FortiGate units running FortiOS version 4.0 or higher can use FDP to locate a
FortiAnalyzer unit. Both units must be on the same subnet to use FDP, and they also must
be able to connect using UDP. For more information, see About Fortinet Discovery
Protocol on page 66.
When a FortiGate administrator selects Automatic Discovery, the FortiGate unit sends
FDP packets to locate FortiAnalyzer units on the same subnet. If FDP has been enabled
for its interface to that subnet, the FortiAnalyzer unit will respond. Upon receiving an FDP
response, the FortiGate unit knows the IP address of the FortiAnalyzer unit, and the
administrator can configure the FortiGate unit to begin sending log, DLP archive, and/or
quarantine data to that IP address. When the FortiGate unit attempts to send data to the
FortiAnalyzer unit, the FortiAnalyzer unit detects the connection attempt.
Connection attempts from devices not registered in the FortiAnalyzer unit's device list
may not be automatically accepted. In this case, you may need to manually add the device
to the device list. For more information, see Configuring unregistered device options on
page 133.
For a diagram of traffic types, ports and protocols that FortiAnalyzer units use to
communicate with other devices and services, see the Knowledge Base article Traffic
Types and TCP/UDP Ports used by Fortinet Products.
To enable the FortiAnalyzer unit to reply to FDP packets
1 Go to System > Network > Interface.
2 Select Edit for the network interface that should reply to FDP packets.
4 Select OK.
The FortiAnalyzer unit is now configured to respond to FDP packets on that network
interface, including those sent by the FortiGate Automatic Discovery feature. For more
information about connecting the FortiGate unit using FDP, see To connect a
FortiGate unit to a FortiAnalyzer unit using FDP on page 132.
To connect a FortiGate unit to a FortiAnalyzer unit using FDP
This procedure is based on the FortiOS v4.0 MR2 release and may change in future
releases.
On the FortiGate unit CLI, enter
config log fortianalyzer setting
Allow connection, register automatically, and store up to n MB data
(<sequential_number> MB available)
Select to allow the connection and automatically register the devices. The
FortiAnalyzer unit will store a specified amount of log data from the devices.
Unknown Device Type (Generic Syslog Devices)
Ignore all unknown unregistered devices
Add unknown unregistered devices to unregistered table, but ignore data
Add unknown unregistered devices to unregistered table, and store up to n MB data
(<sequential_number> MB available)
Note: Many FortiAnalyzer features are not available for unregistered devices of unknown
types. For more information about the differences between unregistered and registered
devices, see Unregistered vs. registered devices on page 126.
Both registered and unregistered devices count towards the maximum number of devices
available for a FortiAnalyzer unit. Too many unregistered devices will prevent you from
adding a device. For more information, see Manually adding or deleting a device or HA
cluster on page 129.
When devices attempt to connect to a FortiAnalyzer unit that has reached its maximum
number of allowed devices, the FortiAnalyzer unit will reject connection attempts by excess
devices, and automatically add those excess devices to the list of blocked devices. For
more information about blocked devices, see Blocking unregistered device connection
attempts on page 134.
Delete
Remove a selected device from the list of blocked devices. If the device
attempts to connect to the FortiAnalyzer unit, it may appear in the device list
as an unregistered device, according to your configuration of Unregistered
Device Options. For more information, see Configuring unregistered device
options on page 133.
Device ID
Hardware Model
IP Address
To block a device
1 Go to Devices > All Devices > Allowed.
2 At the bottom of the page, from Show, select Unregistered.
3 Mark the check box of the unregistered device that you want to block, then click Block.
The device appears in the blocked devices list (Devices > All Devices > Blocked).
Description
Show
Group Name
Members
Description
Group Name
Group Type
Select the device group type that you want to create. You can choose FortiGate
Group, FortiMail Group, FortiManager Group, and Syslog Group. When you
select a group type, the devices that are available to that group appear in the
Available Devices field.
FortiClient installations are treated as a single device, and so cannot be
configured as a device group.
Available Devices
The available devices for the group type you select in Group Type. Select a
device and then use the -> arrow to move it to the Members field.
Members
The devices that are available in the group you are creating. If you want to
remove a device from the Members field, select the device and then select the
<- arrow to remove it.
3 Select OK.
Source interface type   Destination interface type   Traffic direction
None                    All types                    Unclassified
All types               None                         Unclassified
WAN                     LAN, DMZ                     Incoming
WAN                     WAN                          External
LAN, DMZ                LAN, DMZ                     Internal
LAN, DMZ                WAN                          Outgoing
Example:
Your FortiGate unit has four interfaces: port 1 to 4. Port 1 is connected to WAN; Port 2 and
Port 3 are connected to LAN; and Port 4 is connected to DMZ.
In this case, traffic from Port 1 (WAN) to Port 2 (LAN) is considered as incoming, while
traffic from Port 2 to Port 1 is considered outgoing.
Using eDiscovery
You can view log messages from all devices or a particular device in real-time or within a
specified time frame.
For more information about log messages from FortiGate units, see the FortiGate Log
Message Reference.
To view all log messages, go to Log & Archive > Log Access > All Logs.
Note: The columns that appear reflect the content found in the log file. You can select an
item in a column to display more information.
Current page
Show
Select the type of device you want to view logs from. You can select
multiple devices.
Timeframe
Select the time frame during which you want to display the logs.
Realtime Log
Column Settings
Click to change the columns to view and the order they appear on the page.
For more information, see Displaying and arranging log columns on
page 143.
Printable Version
Click to download an HTML file containing all log messages that match the
current filters. The HTML file is formatted to be printable.
Time required to generate and download large reports varies by the total
amount of log messages, the complexity of any search criteria, the
specificity of your column filters, and the speed of your network connection.
Download Current
View
Search
Advanced Search
Select to search the device logs for matching text using two search types:
Quick Search and Full Search. For more information, see Searching the
logs on page 146.
Last Activity
The date and time the log was received by the FortiAnalyzer unit.
Device ID
Type
Level
Timestamp
The date and time when events occurred on the devices that sent the logs.
Details
Select the number of rows of log entries to display per page. You can
choose up to 1000 entries.
Current Page
Change Display
Options
Select a view of the log file. Selecting Formatted (the default) displays the
log files in columnar format. Selecting Raw displays the log information as it
actually appears in the log file.
Note: Log messages received from a log aggregation device arrive as scheduled
transfers, not as real-time messages, so log aggregation devices do not appear in the
Real-time log page. Individual high availability (HA) cluster members also do not appear
in the Real-time log page because HA members are treated as a single device. For more
information about log aggregation, see Configuring log aggregation on page 100.
To view a type of log, go to Log & Archive > Log Access and select a log type:
Note: The columns that appear reflect the content found in the log file. You can select an
item in a column to display more information.
Event: record all event activities such as an administrator adding a firewall policy on a
FortiGate unit.
IPS (Attack): record all attacks that occur against your network. These log messages
also contain links to the Fortinet Vulnerability Encyclopedia where you can better
assess the attack.
Application Control: record the application traffic generated by the applications on the
device.
Web Filter: record HTTP device log rating errors, including web content blocking
actions that the device performs.
Data Leak (DLP): provide information concerning files, such as email messages and
web pages, that are archived on the FortiAnalyzer unit by the device.
History: record all mail traffic going through the FortiMail unit.
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
IM: record instant message text, audio communications, and file transfers attempted by
users.
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
Raw view displays log messages exactly as they appear in the log file.
Formatted view displays log messages in a columnar format. Each log field in a log
message appears in its own column, aligned with the same field in other log messages,
for rapid visual comparison. When displaying log messages in Formatted view, you can
customize the log view by hiding, displaying and arranging columns and/or by filtering
columns, refining your view to include only those log messages and fields that you
want to see.
To display logs in Raw or Formatted view, go to a page that displays log messages, such
as Log & Archive > Log Access > All Logs, and select Change Display Options >
Raw/Formatted at the bottom of the page. By default, log messages appear in Formatted
view.
If you select Formatted, options appear that enable you to display and arrange log
columns and/or filter log columns.
Lists of available and displayed columns for the log type appear.
Filtering logs
When viewing log messages in Formatted view, you can filter columns to display only
those log messages that do or do not contain your specified content in that column. By
default, most column headings contain a gray filter icon, which becomes green when a
filter is configured and enabled.
Filters do not appear when viewing logs in Raw view, or for unindexed log fields in
Formatted view. When you are viewing real-time logs, filtering by time is not supported; by
definition of the real-time aspect, only current logs are displayed.
You can download filtered logs when you select Download Current View.
Filter in use
2 Select Enable.
3 If you want to exclude log messages with matching content in this column, select NOT.
If you want to include log messages with matching content in this column, deselect
NOT.
4 Enter the text that matching log messages must contain.
Matching log messages will be excluded or included in your view based upon whether
you have selected or deselected NOT.
5 Select OK.
A column's filter icon is green when the filter is currently enabled. You can select
Download Current View to download only log messages which meet the current filter
criteria.
To disable a filter
1 In the heading of the column whose filter you want to disable, select the filter icon.
A column's filter icon is green when the filter is currently enabled.
2 To disable the filter on this column, deselect Enable.
Alternatively, to disable the filters on all columns, select Clear All Filters. This disables
the filter; it does not delete any filter text you might have configured.
3 Select OK.
A column's filter icon is gray when the filter is currently disabled.
Filtering tips
When filtering by source or destination IP, you can use the following in the filtering criteria:
You can also use a Boolean operator (or) to indicate mutually exclusive choices:
1.1.1.1 or 2.2.2.2
1.1.1.1 or 2.2.2.*
1.1.1.1 or 2.2.2.1-2.2.2.10
Most column filters require that you enter the column's entire contents to successfully
match and filter contents; partial entries do not match the entire contents, and so will not
create the intended column filter.
For example, if the column contains a source or destination IP address (such as
192.168.2.5), to create a column filter, enter the entire IP address to be matched. If you
enter only one octet of the IP address (such as 192), the filter will not completely match
any of the full IP addresses, and so the resulting filter would omit all logs, rather than
including those logs whose IP address contains that octet.
Exceptions to this rule include columns that contain multiple words or long strings of text,
such as messages or URLs. In those cases, you may be able to filter the column using a
substring of the text contained by the column, rather than the entire text contained by the
column.
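The column-filter rules above (whole-value matching, the * wild card, an address range, "or" alternatives, and the NOT toggle), modelled as an added Python example. This is not FortiAnalyzer's own code: the key=value log layout, the sample log lines and the function names are constructed for the example, and the behaviour of a partial octet (matching nothing rather than everything) is the point it demonstrates.

```python
"""Column-filter semantics for IP columns in Formatted log view.

Added example, not FortiAnalyzer's own code. It models the documented rules:
a source/destination IP filter must match the whole column value, may use an
octet wild card (2.2.2.*), an inclusive range (2.2.2.1-2.2.2.10) and "or" to
combine alternatives; NOT inverts the filter.
"""
import ipaddress
import re

# Constructed sample log lines in a FortiGate-style key=value layout
# (values are made up for this example; not real device output).
SAMPLE_LOGS = [
    'date=2010-05-12 time=10:01:02 devid=FG400A0000000001 type=traffic subtype=allowed pri=notice src=192.168.2.5 dst=10.0.0.20 user=userA',
    'date=2010-05-12 time=10:01:07 devid=FG400A0000000001 type=traffic subtype=denied pri=warning src=192.168.2.19 dst=1.1.1.1 user=userB',
    'date=2010-05-12 time=10:02:11 devid=FG400A0000000001 type=ips subtype=signature pri=alert src=2.2.2.7 dst=192.168.2.5 attack="W32/Stration.DU@mm"',
    'date=2010-05-12 time=10:03:45 devid=FG400A0000000001 type=webfilter subtype=urlfilter pri=notice src=10.10.10.10 dst=2.2.2.200 url="http://example.test/a/b"',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Split a key=value log message into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def _term_matches(term, value):
    """One 'or' alternative of the filter against one complete column value."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        return False  # empty or non-IP column content never matches an IP filter
    if '-' in term:  # inclusive range a-b
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in term.split('-', 1))
        return lo <= addr <= hi
    if '*' in term:  # each * stands for exactly one whole octet
        pattern = '^' + re.escape(term).replace(r'\*', r'\d{1,3}') + '$'
        return re.match(pattern, value) is not None
    return term == value  # exact: the whole value must match, so "192" matches nothing


def ip_filter_matches(expr, value):
    """True if any 'or'-separated alternative matches the whole column value."""
    return any(_term_matches(t.strip(), value) for t in re.split(r'\s+or\s+', expr.strip()))


def apply_column_filter(lines, column, expr, negate=False):
    """Return the log lines whose column satisfies the filter (or fails it, when NOT is set)."""
    selected = []
    for line in lines:
        hit = ip_filter_matches(expr, parse_log(line).get(column, ''))
        if hit != negate:
            selected.append(line)
    return selected


if __name__ == '__main__':
    # A lone octet matches no complete address, so the filtered view is empty.
    print(len(apply_column_filter(SAMPLE_LOGS, 'src', '192')))                         # 0
    print(len(apply_column_filter(SAMPLE_LOGS, 'src', '192.168.2.*')))                 # 2
    print(len(apply_column_filter(SAMPLE_LOGS, 'dst', '1.1.1.1 or 2.2.2.1-2.2.2.10'))) # 1
    print(len(apply_column_filter(SAMPLE_LOGS, 'src', '192.168.2.*', negate=True)))    # 2
```

The `negate` flag plays the role of the NOT check box: the same expression selects the complement of the view, which is the quickest way to confirm a filter is matching what you expect before relying on it in Download Current View.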
You can use Quick Search to find results more quickly if your search terms are relatively
simple and you only need to search indexed log fields. Indexed log fields are those that
appear with a filter icon when browsing the logs in column view; unindexed log fields do
not contain a filter icon for the column or do not appear in column view but do appear in
the raw log view. Quick Search keywords cannot contain:
special characters such as single or double quotes (' or ") or question marks (?)
wild card characters (*), except as the last character of a keyword (logi*)
You can use Full Search if your search terms are more complex, and require the use of
special characters or log fields not supported by Quick Search. Full Search performs an
exhaustive search of all log fields, both indexed and unindexed, but is often slower than
Quick Search.
You can stop any search before the search is complete by selecting Stop Search beside
Full Search.
Figure 66: Log search
Select to search logs from the FortiAnalyzer unit (Local Logs), a device, or a
device group.
Time Period
Select to search logs from a time frame, or select Specify and define a custom
time frame by selecting the From and To date times.
From
Enter the date (or use the calendar icon) and time of the beginning of the
custom time range.
This option appears only when you select Specify.
To
Enter the date (or use the calendar icon) and time of the end of the custom time
range.
This option appears only when you select Specify.
Keyword(s)
Enter search terms which will match to yield log message search results. To
specify that results must include all, any, or none of the keywords, select these
options in Match.
Quick Search
Select to perform a quick search. Keywords for a quick search cannot contain
special characters. Quick Search examines only indexed fields.
Full Search
Select to perform a full search. Keywords for a full search may contain special
characters. Full Search examines all log message fields.
Stop Search
Select to stop the search before it is completed. This option is grayed out unless
there is a search in progress.
More Options
Match
Select how keywords are used to match log messages which comprise search
results.
All Words: Select to require that matching log messages must contain all
search keywords. If a log message does not contain one or more
keywords, it will not be included in the search results.
Any Words: Select to require that matching log messages must contain
at least one of the search keywords. Any log message containing one or
more keyword matches will be included in the search results.
Does Not Contain the Words: Select to require that matching log
messages must not contain the search keywords. If a log message
contains any of the search keywords, it will be excluded from the search
results.
Other Filters
Specify additional criteria, if any, that can be used to further restrict the search
criteria.
Log Type: Select to include only log messages of the specified type. For
example, selecting Traffic would cause search results to include only log
messages containing type=traffic.
Log Level: Select to include only log messages of the specified severity
level. For example, selecting Notice would cause search results to include
only log messages containing pri=notice.
Source IP: Enter an IP address to include only log messages containing
a matching source IP address. For example, entering 192.168.2.1
would cause search results to include only log messages containing
src=192.168.2.1 and/or content log messages containing a client IP
address of 192.168.2.1.
Destination IP: Enter an IP address to include only log messages
containing a matching destination IP address. For example, entering
192.168.2.1 would cause search results to include only log messages
containing dst=192.168.2.1 and/or content log messages containing a
server IP address of 192.168.2.1.
User Name: Enter a user name to include only log messages containing
a matching authenticated firewall user name. For example, entering
userA would cause search results to include only log messages
containing user=userA.
Group Name: Enter a group name to include only log messages
containing a matching authenticated firewall group name. For example,
entering groupA would cause search results to include only log
messages containing group=groupA.
Search tips
If your search does not return the results you expect, but log messages exist that should
contain matching text, examine your keywords and filter criteria using the following search
characteristics and recommendations.
Keywords must literally match log message text, with the exception of case insensitivity
and wild cards; resolved names and IP aliases will not match.
Some keywords will not match unless you include both the log field name and its value
(type=webfilter).
Remove unnecessary keywords and search filters which can exclude results. In More
Options, if All Words is selected, for a log message to be included in the search results,
all keywords must match; if any of your keywords do not exist in the message, the
match will fail and the message will not appear in search results. If you cannot remove
some keywords, select Any Words.
You can use the asterisk (*) character as a wild card (192.168.2.*). For example,
you could enter any partial term or IP address, then enter * to match all terms that
have identical beginning characters or numbers.
You can search for URLs in multiple ways, using part or all of the URL. Searching for
the full URL may not return enough results if the URL contains random substrings,
such as session IDs. If your search keywords do not return enough results, try one of
the following:
shortening your keyword to a substring of the URL delimited by slash (/) characters
Full Search
The search returns results that match all, any, or none of the search terms, according
to the option you select in Match.
For example, if you enter into Keyword(s):
192.168.* action=login
and if from Match you select All Words, log messages for attacks on 192.168.* by
W32/Stration.DU@mm do not appear in the search results: although the first
keyword (the IP address) appears in attack log messages, the second keyword
(action=login) does not, and so the match fails. If the match fails, the log
message is not included in the search results.
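The matching rules above (literal, case-insensitive keywords, * as the only wild card, and the All Words / Any Words / None choice in Match), as an added example that is not part of the guide and not the FortiAnalyzer search engine itself; the log messages are constructed, and the guide's note that some keywords only match as a field=value pair is not modelled by this plain substring matcher.

```python
import re

# Constructed sample log messages in FortiGate-style key=value form (not taken from the
# guide; the attack name is the one the guide's own Match example mentions).
SAMPLE_LOGS = [
    'date=2009-09-14 time=11:58:16 type=event subtype=admin action=login '
    'user=userA srcip=192.168.2.5 status=success',
    'date=2009-09-14 time=12:01:03 type=attack subtype=ips severity=high '
    'src=192.168.2.17 dst=10.0.0.8 attack_name="W32/Stration.DU@mm"',
    'date=2009-09-14 time=12:04:40 type=webfilter subtype=urlfilter user=userB '
    'group=groupA srcip=10.1.1.20 url="http://www.example.com/login/index.html"',
]


def keyword_matches(keyword: str, message: str) -> bool:
    """Literal, case-insensitive match of one keyword; '*' matches any run of characters.

    The keyword is matched against the raw message text only, which is why a resolved
    host name or an IP alias (shown in the GUI, not stored in the log) never matches.
    """
    pattern = ".*".join(re.escape(part) for part in keyword.lower().split("*"))
    return re.search(pattern, message.lower()) is not None


def search(logs, keywords: str, match: str = "all"):
    """Return the messages selected under the Match option: 'all', 'any' or 'none'.

    Keywords are split on whitespace, so '192.168.* action=login' is two terms; under
    'all' a message missing either term is dropped, which is the failure the guide
    describes for attack logs that carry the address but no action=login field.
    """
    terms = keywords.split()
    if not terms:
        return list(logs)
    selected = []
    for message in logs:
        hits = [keyword_matches(term, message) for term in terms]
        if match == "all":
            keep = all(hits)
        elif match == "any":
            keep = any(hits)
        elif match == "none":
            keep = not any(hits)
        else:
            raise ValueError(f"unknown Match option: {match!r}")
        if keep:
            selected.append(message)
    return selected
```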
IPS Packet
Quarantine
Web
FTP
IM
VoIP Log
MMS (By default, this option is not available. To make it appear, you need to enable it
in System > Admin > Settings.)
You can view full and/or summary DLP archives. Summary DLP archives are those which
contain only a log message consisting of summary metadata. Full DLP archives are those
which contain both the summary and a hyperlink to the associated archived file or
message. For example, if the FortiAnalyzer unit has a full DLP archive for an email
message, the subject log field of email DLP archives contains a link that enables you to
view that email message. If the FortiAnalyzer unit has only a DLP archive summary, the
subject field does not contain a link.
Whether or not each DLP archive will be full or summary varies by:
whether the FortiAnalyzer unit has the file or message associated with the summary
log message (that is, full DLP archives do not appear if you have deleted the
associated file or message)
For more information about requirements and configuration of DLP archiving, see the
FortiGate Administration Guide.
To view DLP archives, go to Log & Archive > Archive Access. Select a DLP archive type.
Each type has similar controls.
Note: The columns that appear reflect the content found in the archive file. You can select
an item in a column to display more information.
Figure 67: Email archive (callouts: Download Current View, Printable Version, Column
Settings, Delete associated DLP archive files, Search, Current Page)
Name of the GUI item    Description
Show
To view the archives from a single FortiGate unit, select the FortiGate
unit from the list. Select All FortiGates to view a combined list of
archives from all the configured FortiGate units.
Timeframe
Select a time frame to display only the archived files from the specified
period. Select Any time to display all the archived files.
Column Settings
Select to change the columns to view and the order they appear on
the page. For more information, see Displaying and arranging log
columns on page 143.
Note: This option is not available for the Quarantine type.
Download Current View
Select to download a copy of the archived file with the current filters
applied. For example, if you have a filter applied to display only the
entries with a particular URL, selecting Download Current View will
allow you to download a log file with only the entries related to the
URL configured in the filter.
Note: This option is not available for the Quarantine type.
Delete associated DLP archive files
Select to delete the links of all DLP archive files to the currently
selected device, not the file records.
Note: This option is not available for IPS Packet, Quarantine, and
VoIP archive.
Search
Current Page
Select a view of the archive file. This option is not available for the
Quarantine type.
Resolve Host Name: Select to view the IP alias instead of the client's
IP address. You must configure the IP aliases on the FortiAnalyzer
unit for this setting to take effect. For more information, see
Configuring IP aliases on page 104. This option is not available for
the Email type.
Resolve Services: Select to display the network service names rather
than the port numbers, such as HTTP rather than port 80. This option
is only available for the IPS Packet type.
Formatted (the default): Select to display the log files in columnar
format.
Raw: Select to display the log information as it actually appears in the
log file.
Note: DLP Archive allows you to both view logged details and to download the archived
files. If you want to display only the DLP archive log file, instead go to Log & Archive > Log
Browse > Log Browse and select the device's dlog.log file. For more information, see
Browsing log files on page 154.
If a secure connection has been established with the FortiGate and FortiAnalyzer units,
the communication between them is the same IPSec tunnel that the FortiGate unit uses
when sending log files.
For more information about configuring the FortiGate unit to send quarantined files to the
FortiAnalyzer unit, see the FortiGate Administration Guide.
Note: Sending quarantine files to a FortiAnalyzer unit is available only on FortiGate units
running FortiOS 3.0 or later.
FortiAnalyzer units do not accept quarantine files from devices that are not registered with
the FortiAnalyzer unit's device list. For more information about adding devices, see
Manually adding or deleting a device or HA cluster on page 129.
To view the quarantine summary, go to Log & Archive > Archive Access > Quarantine.
Figure 68: Quarantine summary
Description
Delete
Details
Select to view the quarantined files for this device. For more
information, see To view the details of a quarantined file on
page 152.
Show
Select a device from the list of available devices to display the list of
quarantined files for a specific device.
Timeframe
From Device
The FortiGate unit from which the file originated. Select the expand
arrow next to a FortiGate unit to view the files sent from that unit.
Type
Reason
The date and time the FortiGate unit quarantined the first instance of
this file, in the format yyyy/mm/dd hh:mm:ss.
The date and time the FortiGate unit quarantined the last instance of
this file, in the format yyyy/mm/dd hh:mm:ss, if multiple copies of
this file are quarantined.
Unique
Count
Current Page
Name of the GUI item Description
Delete
Download
Select to save the file to another location when it is deemed safe for the
recipient to collect. You can enter a password to protect the file.
Caution: Quarantined files are suspected or known to contain a virus or
other network threat. Inspecting quarantine files involves a significant
security risk. Use caution when downloading quarantined files.
Details
Select to view the log for this quarantined file. For information on viewing
logs, see Viewing log messages on page 139.
Analyze
Refresh
From Device
File Name
The date and time the FortiGate unit quarantined the first instance of this
file, in the format yyyy/mm/dd hh:mm:ss.
The date and time the FortiGate unit quarantined the last instance of this
file, in the format yyyy/mm/dd hh:mm:ss, if multiple copies of this file are
quarantined.
Service
Checksum
Type
Reason
DC
Duplicate count. A count of how many duplicates of the same file were
quarantined. A rapidly increasing number can indicate a virus outbreak.
Current Page
By default, the first page of the list of items is displayed. The total number
of pages displays after the current page number. For example, if 2/10
appears, you are currently viewing page 2 of 10 pages.
To view pages, select the left and right arrows to display the first, previous,
next, or last page.
To view a specific page, enter the page number in the field and then press
Enter.
Display
Mark the check box of the file whose log messages you want to view, then
click this button. For more information, see Viewing log messages on
page 139.
Import
Click to import log files. You can only import log files in Native format. For
more information about importing log files, see Importing a log file on
page 155.
Download
Mark the check box of the log file that you want to download, click this
button, then select a format for saving the log files: text (.txt),
comma-separated value (.csv), or standard .log (Native).
You can also select to compress the log files before saving them.
For more information, see Downloading a log file on page 156.
Device Type
Enable to display the file names of log files in the Log Files column when
their log type is expanded.
Log Files
A list of available log files for each device or device group. Click the group
name to expand the list of devices within the group, and to view their log
files.
The current, or active, log file appears as well as rolled log files. Rolled log
files include a number in the file name, such as vlog.1267852112.log.
If you configure the FortiAnalyzer unit to delete the original log files after
uploading rolled logs to an FTP server, only the current log will exist.
The number of devices in a group, and the number of log files for a device.
From
To
Size (bytes)
5 Select from Device to which device in the device list the imported log file belongs, or
select Take From Imported File to read the device ID from the log file.
If you select Take From Imported File, your log file must contain a device_id field in
its log messages.
6 In Filename, enter the path and file name of the log file, or select Browse.
7 Select OK.
A message appears, stating that the upload is beginning, but will be cancelled if you
leave the page.
8 Select OK.
Upload time varies by the size of the file and the speed of the connection.
After the log file successfully uploads, the FortiAnalyzer unit inspects the log file.
If the device_id field in the uploaded log file does not match the device, the import
will fail. Select Return to attempt another import.
If you selected Take From Imported File, and the FortiAnalyzer unit's device list
does not currently contain that device, a message appears after the upload. Select
OK to import the log file and automatically add the device to the device list, or select
Cancel.
7 Select OK.
8 If prompted by your web browser, select a location to save the file, or open it without
saving.
To download a partial log file
1 Go to Log & Archive > Log Browse > Log Browse.
2 Select the Device Type.
3 Expand the group name or device name to view the list of available log files under each
log type.
4 Select the specific log file (wlog.log, elog.log, etc.) that you want to download.
5 Select Display.
6 Select a filter icon to restrict the current view to only items which match your criteria,
then select OK.
Filtered columns have a green filter icon, and Download Current View appears next to
Printable Version. For more information about filtering log views, see Filtering logs on
page 144.
7 Select Download Current View.
9 Select OK.
10 If prompted by your web browser, select a location to save the file, or open it without
saving.
As the FortiAnalyzer unit receives new log items, it performs the following tasks:
verifies whether the log file has exceeded its file size limit
if the file size is not exceeded, checks to see if it is time to roll the log file. You configure
the time to be either a daily or weekly occurrence, and when the roll occurs.
When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled
time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will
be in the form of xlog.N.log (for example, tlog.1252929496.log), where x is a
letter indicating the log type and N is a unique number corresponding to the time the first
log entry was received. The file modification time will match the time when the last log was
received in the log file.
Once the current log file is rolled into a numbered log file, it will not be changed. New logs
will be stored in the new current log called tlog.log.
If log uploading is enabled, once logs are uploaded to the remote server or downloaded
via the web-based manager, they are in the following format:
FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz
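A small parser for the three file name forms just described (the active xlog.log, the rolled xlog.N.log, and the uploaded serial-xlog.N.log-timestamp.gz), as an added example and not a FortiAnalyzer tool; it assumes N is Unix seconds, which follows from the guide's description of N as the time the first entry was received (the sample value 1252929496 decodes to 2009-09-14 11:58:16 UTC), and it treats the trailing yyyy-mm-dd-hh-mm-ss as the unit's wall-clock upload time with no time zone.

```python
import re
from datetime import datetime, timezone

# The three name forms described in the guide. x is the log type letter; N is the time
# (assumed Unix seconds) the first entry was received; the uploaded form adds the device
# serial in front and the upload wall-clock time behind.
CURRENT_RE = re.compile(r"^(?P<type>[a-z])log\.log$")
ROLLED_RE = re.compile(r"^(?P<type>[a-z])log\.(?P<first>\d+)\.log$")
UPLOADED_RE = re.compile(
    r"^(?P<device>[A-Z0-9]+)-(?P<type>[a-z])log\.(?P<first>\d+)\.log-"
    r"(?P<y>\d{4})-(?P<mo>\d{2})-(?P<d>\d{2})-(?P<h>\d{2})-(?P<mi>\d{2})-(?P<s>\d{2})\.gz$"
)


def parse_log_filename(name: str) -> dict:
    """Classify a FortiAnalyzer log file name and extract its fields.

    Returns 'kind' ('current', 'rolled' or 'uploaded'), the log type letter, and where
    present the first-entry time as an aware UTC datetime and the upload time as a
    naive datetime (the name carries no zone). Raises ValueError for anything else, so
    a stray file in an upload directory is reported rather than silently skipped.
    """
    m = CURRENT_RE.match(name)
    if m:
        return {"kind": "current", "type": m["type"]}
    m = ROLLED_RE.match(name)
    if m:
        return {
            "kind": "rolled",
            "type": m["type"],
            "first_entry": datetime.fromtimestamp(int(m["first"]), tz=timezone.utc),
        }
    m = UPLOADED_RE.match(name)
    if m:
        return {
            "kind": "uploaded",
            "device": m["device"],
            "type": m["type"],
            "first_entry": datetime.fromtimestamp(int(m["first"]), tz=timezone.utc),
            "uploaded_at": datetime(int(m["y"]), int(m["mo"]), int(m["d"]),
                                    int(m["h"]), int(m["mi"]), int(m["s"])),
        }
    raise ValueError(f"not a FortiAnalyzer log file name: {name!r}")


def rolled_in_order(names):
    """Return the rolled and uploaded names sorted oldest to newest by first-entry time.

    The current file is left out because it is still being written; walking the rest
    in order is the natural loop for a retention or upload-completeness check.
    """
    keyed = []
    for name in names:
        info = parse_log_filename(name)
        if info["kind"] != "current":
            keyed.append((info["first_entry"], name))
    return [name for _, name in sorted(keyed)]
```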
If you have enabled log uploading, you can choose to automatically delete the rolled log
file after uploading, thereby freeing the amount of disk space used by rolled log files. If the
log upload fails, such as when the FTP server is unavailable, the logs are uploaded during
the next scheduled upload.
To enable and configure log rolling or uploading, go to Log & Archive > Options > Log File
Options.
Figure 70: Device log settings
Description
Server type
Server IP address
Username
Password
Confirm Password
Directory
Enter a location on the upload server where the log file should be saved.
Upload Files
Select when the FortiAnalyzer unit should upload files to the server.
When rolled: Uploads logs whenever the log file is rolled, based upon
Log file should be rolled.
Daily at [hh:mm]: Uploads logs at the configured time, regardless of
when or what size it rolls at according to Log file should be rolled.
Select a format for uploading the log files. The format is in text (.txt),
comma-separated value (.csv), or standard .log (Native) file.
Compress uploaded
log files
Select to remove the log file from the FortiAnalyzer hard disk after the
FortiAnalyzer unit completes the upload.
Using eDiscovery
eDiscovery allows you to search through the bulk of stored email from the FortiGate units,
extract and download the search results, and share them with a third-party if required in
situations such as a lawsuit or regulatory violation action.
To prove that shared data is an exact copy of the original, the FortiAnalyzer unit produces
local logs indicating when each search was executed, when the search results were
downloaded, and when they were deleted. In addition, the FortiAnalyzer unit generates
SHA1 and MD5 digests for every search result. When a search result is downloaded to an
external device, the SHA1 or MD5 digest calculated on the downloaded file must match
the same digest generated by the FortiAnalyzer unit in order to prove that the search
result has not been tampered with since leaving the FortiAnalyzer unit.
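The check the paragraph describes, as an added example that is not part of the guide or of FortiAnalyzer: the downloaded search result is hashed in one streaming pass and both digests are compared with the values the unit recorded. The sample bytes and their "recorded" digests are constructed here; requiring both SHA1 and MD5 to match is a stricter choice than the guide's "SHA1 or MD5".

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample download and the digests the FortiAnalyzer unit is assumed to have
# recorded for it (computed here for the demo, not taken from a real unit).
SAMPLE_RESULT = (
    b"From: user1@example.com\r\nTo: user2@example.com\r\n"
    b"Subject: constructed sample\r\n\r\nbody\r\n"
)
RECORDED_SHA1 = hashlib.sha1(SAMPLE_RESULT).hexdigest()
RECORDED_MD5 = hashlib.md5(SAMPLE_RESULT).hexdigest()


def file_digests(path: str, chunk_size: int = 1 << 16) -> dict:
    """SHA1 and MD5 of a file, computed together in one pass so large downloads are read once."""
    sha1 = hashlib.sha1()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            md5.update(chunk)
    return {"sha1": sha1.hexdigest(), "md5": md5.hexdigest()}


def verify_download(path: str, recorded_sha1: str, recorded_md5: str) -> dict:
    """Compare the computed digests with the values recorded by the FortiAnalyzer unit.

    Recorded values are normalised (whitespace, case) because they are usually copied
    from the GUI. hmac.compare_digest avoids an early exit on the first differing hex
    character. Note that MD5 and SHA1 detect modification but are not collision
    resistant; the unit's local activity logs are the other half of the record.
    """
    actual = file_digests(path)
    sha1_ok = hmac.compare_digest(actual["sha1"], recorded_sha1.strip().lower())
    md5_ok = hmac.compare_digest(actual["md5"], recorded_md5.strip().lower())
    return {
        "sha1": actual["sha1"], "sha1_ok": sha1_ok,
        "md5": actual["md5"], "md5_ok": md5_ok,
        "ok": sha1_ok and md5_ok,
    }


def demo() -> tuple:
    """Write the sample to a temp file, verify it intact, then after a one-byte change."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE_RESULT)
        path = tmp.name
    try:
        intact = verify_download(path, RECORDED_SHA1.upper(), " " + RECORDED_MD5)
        with open(path, "ab") as fh:
            fh.write(b"X")  # a single appended byte changes both digests
        tampered = verify_download(path, RECORDED_SHA1, RECORDED_MD5)
    finally:
        os.unlink(path)
    return intact["ok"], tampered["ok"]
```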
Log & Archive > eDiscovery > Folders displays the list of eDiscovery folders containing
search results.
Figure 71: eDiscovery folders list
Name of the GUI item    Description
Download
Click to save the selected folder and the contained search results.
The saved information can be shared with a third party.
Run Now
Click to refresh the search tasks in a selected folder. This will update the email
lists in the search tasks.
Clone
Folder Name The names of the eDiscovery folders that you create. For more information, see
To create eDiscovery folders on page 162.
Select the arrow beside a folder name to display the task names of the search
results saved in the folder. For more information, see Task Name on page 163.
Select a task name to view the email list. See To view a search task on
page 163.
Creation Date The date and time when the folder and search tasks were created.
Search Results
Each eDiscovery folder displays the number of search results contained in it.
Each search task displays the number of email extracted based on the search
criteria. See To search email on page 162.
Size (bytes)
Set the disk quota for eDiscovery results out of the current disk space reserved for the
system (that is, space not allocated to the devices), since the search results may take
considerable amount of disk space. See To set the eDiscovery disk quota on
page 161.
Create folders to store search results. Typically, you store search results that are part
of a single investigation under one folder. See To create eDiscovery folders on
page 162.
Search email based on the search criteria and save the results to a folder where you
will view, download, delete, or clone the results. See To search email on page 162.
2 Enter the maximum size of disk space for storing eDiscovery search results.
The used and available disk spaces also display. The size of the reserved space for
eDiscovery varies by the total disk space. You cannot adjust the disk quota below the
size of the existing eDiscovery results. eDiscovery results will not be saved if they
exceed the disk quota.
3 Click Apply.
To create eDiscovery folders
1 Go to Log & Archive > eDiscovery > Folders.
Name of the GUI item    Description
Device
Select the FortiGate unit of which you want to search the archived email.
Timeframe
Select the time period for the email that you want to search. If you click Specify,
enter the start and end time.
From
Enter the sender's email address that you want to search. This can be a full or
partial email address.
To
Enter all or part of the recipient's email address. For multiple recipients, enter
any one of the recipients, or enter multiple recipient addresses in the order that
they appear in the email address field, separated by a comma (,) and a space,
such as:
user1@example.com, user2@example.com
Subject
Message
Contains
Save to
Folder
Task Name
Enter a unique name for this search task. Such a name will help you identify a
particular search result in a folder. For more information, see Folder Name on
page 160.
This field appears only if you selected to save the search results to a folder in
the Save to Folder field.
Description
Enter a note to describe the task name. For more information, see Description
on page 164.
This field appears only if you selected to save the search results to a folder in
the Save to Folder field.
The task's email list displays. Selecting an item displays its detailed information.
Name of the GUI item    Description
Task name
The name of this search task. For more information, see Task Name on
page 163.
Description
The note for this task. For more information, see Description on page 163.
Device
The serial number(s) of the FortiGate unit(s) of which you have searched the
archived email. For more information, see Device on page 163.
Timeframe
The date and time when the search task was created.
SHA1
MD5
Column
Settings
Click to change the columns to view and the order they appear on the page. For
more information, see Displaying and arranging log columns on page 143.
Last Activity
The date and time that the FortiAnalyzer unit received the email from the
FortiGate unit.
From
The sender's email address that was searched. This can be a full or partial email
address.
To
The recipient's email address that was searched. This can be a full or partial
email address.
Subject
Size
Attachment icon
Reports
FortiAnalyzer units can collate information collected from FortiGate log files and present
the information in tabular and graphical reports, which provides quick analysis of what is
occurring on the network.
You can create reports based on logs from the proprietary indexed file system or SQL
database, depending on your SQL database configuration in System > Config >
SQL Database. For more information on selecting the storage method, see Configuring
SQL database storage on page 85.
By using reports, you can:
minimize the effort required to identify attack patterns when customizing policies to
prevent attacks
FortiAnalyzer reports are also flexible, offering administrators a choice to compile a report
layout based on variables (which can be reused) or based on specific information. Fortinet
recommends building report layouts based on variables and then reusing them.
This topic includes:
Browsing reports
Note: Reports can only be created for registered devices and device groups. For more
information about registering devices, see Unregistered vs. registered devices on
page 126.
Note: If you want to configure custom charts, or configure a chart containing criteria for web
clicks vs. web hits, see the FortiAnalyzer CLI Reference because these are only configured
in the CLI. For information about new and changed reports, see Appendix B: Report
templates on page 309.
Logs must be collected or uploaded before you can generate a report. Logs are the basis
of all FortiAnalyzer reports. After logs are collected or uploaded, you can then define the
three basic components that make up a report based on logs from the proprietary indexed
file system:
report layout (the report template and the contents)
You need to configure a report layout and data filter before configuring the report
schedule, because the report schedule requires a report layout. You also need to
configure remote report output (see Configuring report output templates on page 91) if
you want to upload completed report files to a server accepting FTP, SFTP, or SCP when
scheduling a report. The layout configurations are referred to as templates because they
can be applied to any report schedules that you want.
If you are using data filter or output templates with a report schedule, these templates
cannot be deleted. Data filter or output templates can be deleted when they are not being
used by a report schedule.
When configuring a report layout, you can choose and specify each individual chart. The
charts include default and customized ones. You can configure customized charts in the
CLI. For more information, see the FortiAnalyzer CLI Reference.
You can edit charts either during or after they are included in the report layout.
Figure 73: Report layout list
Description
Clone
Run
Run a report layout immediately (on demand), instead of waiting for the
report layout's scheduled time.
Name
The name of the report layout given when configuring a report layout.
Description
Company Name
The name of the company, if given, when configuring the report layout.
Number of Charts
Name of the GUI item    Description
Name
Description
Company
Name
Report Title
Header
Title Page
Logo
Select the Browse logo files icon to choose a logo that will appear on the title
page of the report. You need to select a logo file format that is compatible with
your selected file format outputs. The logo will not appear if it is incompatible
with the chosen file format.
You can choose JPG, PNG, and GIF logo formats for PDF and HTML; WMF
is also supported for RTF.
Header Logo Select the Browse logo files icon to choose a logo that will appear only in the
header of the report. Logo formats for headers also need to be compatible with
the chosen file format. The same logo formats for the title page also apply to
headers.
Add Chart(s) Select to add default or user-defined charts to your report. See To add a chart
on page 171.
Device
Type
Select one of the device types from the drop-down list. The available types are
FortiGate, FortiClient and FortiMail. The report's log information will come from
the selected device type. For example, if you selected FortiMail, the log
information used is only FortiMail logs.
Category
Chart
Name
The names of the charts in each category. The category name is in bold, and the
charts associated within that category name and data source are displayed
beneath.
Action
Select the plus (+) symbol in the row containing the main chart name to add all
charts of the category to the report.
Select the plus (+) symbol in each row to add charts individually.
When the plus (+) symbol is selected, a minus (-) symbol appears. Select the
minus (-) symbol in each row to remove the selected chart or charts.
Add Section
Select to add a section to a report that keeps charts separate from each other.
Title Enter a name to describe the charts and information.
Description Enter a description, if applicable, to describe the charts.
See To add a section on page 172.
Add Text
4 Click OK.
Note: Report layouts cannot be deleted if they are associated with a report schedule; if you
want to delete a report layout, remove that layout from the schedule it is associated with,
and then delete it.
4 Select one of the device types from the Device Type drop-down list.
The available types are FortiGate, FortiClient and FortiMail. The report's log
information will come from the selected device type. For example, if you selected
FortiMail, the log information used is only FortiMail logs.
5 Select a category or all categories of charts from the Category drop-down list.
Customized charts (Custom Charts) are under Others category.
6 In Chart Name, select the plus (+) symbol in the row containing the main chart name,
such as Network Analysis, to add all charts of the category to the report. Select the
plus (+) symbol in each row, such as Top Sources by Volume, to add charts
individually.
When the plus (+) symbol is selected, a minus (-) symbol appears. Select the minus (-)
symbol in each row to remove the selected chart or charts.
7 Select OK.
To add a section
1 Go to Report > Config > Layout.
2 Click Create New.
3 Click Add Section.
4 Add a note or comment about a section or to include additional information about the
charts that are in the report.
5 Select OK.
When editing charts in a report layout, certain options are available when other options are
selected. For example, if you select a bar chart style, Time Scale will appear. Options such
as User and Group disappear when an LDAP query is selected.
To edit a chart
1 Go to Report > Config > Layout.
2 Click the Edit icon of a report layout.
You cannot edit the charts of the default report layouts.
3 Go to Chart List and click the Edit Chart icon beside the chart name.
4 Enter the appropriate information for the selected chart. The following is a sample chart
for Total IM Events per Protocol.
Description
Chart Output
Chart Style
Select a style for the chart. You can choose a bar style, column style
or pie style.
If you select a Bar chart style, Time Scale appears. This is available
only to the Bar chart style.
Enter a number for the top ranked log information, such as top number
of viruses, and if applicable, select the check box List All Results.
If you select List All Results, it means that the FortiAnalyzer unit will
need to list all logs for this chart, which will hang or delay report
generation. Select this check box only when it is necessary.
When entering a number for the maximum top entries (with pie chart
style selected), any item whose percentage is less than one percent
will not appear in the pie diagram; also, if no item's percentage is
greater than one percent, Other occupies the pie diagram, or 100
percent of the pie diagram. For example, if you enter the number five,
any of the five items that have less than one percent are considered
under Other and only Other displays on the pie diagram.
This issue occurs only when the pie chart style is selected. The bar
chart style is not affected.
Time Scale
Select what type of time period you want the focus of the report to be
on.
Source ID
(certain charts only)
Select from the drop-down list whether to have the user name or IP
address (or both) as the identification of the source. This option does
not appear for all charts.
Advanced
Resolve Service
Names
Max. number of rows for 2nd parameter (appears when Bar or Line chart style is
selected): Enter the number of rows that you want for each variable. This is
available only to certain chart types.
Include Other
Category (in graphs)
Select to include the other results that are not included in the top
entries, that display in a graph.
Consolidate URLs by
root domain
Select to group together the URLs under the same root domain.
Override Run-time
Variables
Select to specify the following that will be associated with this chart.
Device/Group Select to specify a device or device group from the
drop-down list. You can also select all devices, if applicable.
Virtual Domain (FortiGate charts only) Enter to specify a virtual
domain.
User Enter the user's name that you want to use in the report. You
can enter multiple names in the field, using commas to separate the
user names.
This option disappears when an LDAP query is selected.
Group Enter a group's name that you want to use in the report. You
can enter multiple names in the field, using commas to separate the
group names.
This option disappears when an LDAP query is selected.
LDAP Query Select an LDAP directory from the drop-down list to
restrict report scope using a list of user names from the LDAP
directory, instead of a group name configured on a device.
For information on configuring LDAP servers, see Configuring LDAP
queries for reports on page 111.
LDAP Group Enter an LDAP group. This option appears only when
LDAP Query is selected.
5 Click OK.
If you want to rearrange the charts so that they are presented in a different order, click
and drag a chart to a position above or below another chart. The order is reflected in
the generated report.
To edit a section
1 Go to Report > Config > Layout.
2 Click the Edit icon of a report layout.
3 Go to Chart List and click the Edit Section icon beside the section name.
4 Clear the appropriate information that appears in either Title or Description fields, or
both fields.
5 Enter the new information in either Title or Description fields, or both fields.
6 Click OK.
To edit text
1 Go to Report > Config > Layout.
2 Click the Edit icon of a report layout.
3 Go to Chart List and click the Edit Text icon beside the text name.
Description
Name
Description
Description
Name
Enter a name for the new data filter configuration. This name concerns
only this particular data filter configuration, not the report itself.
Description
Filter logic
Select all to include only logs in the report that match all filter criteria. If
any aspect of a log message does not match all criteria, the
FortiAnalyzer unit will exclude the log message from the report.
Select any to include logs in the report that match any of the filter
criteria. If any aspect of a log message matches any of the filter
criteria, the FortiAnalyzer unit will include the log in the report.
Source(s)
Alias
Select the appropriate alias from the drop-down list. For more
information about configuring IP aliases, see Configuring IP aliases
on page 104.
not
Select to instead include only log messages that do not match this
criterion. For example, you might include logs except those matching
a specific source IP address.
Destination(s)
Alias
Select the appropriate alias from the drop-down list. See Configuring IP aliases
on page 104 for more information about configuring IP aliases.
not
Select to instead include only log messages that do not match this
criterion. For example, you might include logs except those matching
a specific destination IP address.
Interface(s)
not
Policy ID(s)
not
Service(s)
not
Email Domain(s)
(only FortiMail reports)
not
Email Direction(s)
(only FortiMail reports)
not
Email Sender(s)
not
Email Recipient(s)
not
Select to instead include only log messages that do not match this
criterion. For example, you might include logs except those matching
a specific email recipient.
Web Category
Category List
Priority
Select a severity level from the Available Levels column and then use
the -> arrow to move the level to the Selected Levels column.
If you want to remove a severity level from the Selected Levels
column, select the level first and then use the <- arrow to move the
level back to the Available Levels column.
Generic Filter(s)
Key
Value
Enter a number for the value. Select the not check box to instead
include only log messages that do not match the generic filter criteria.
not
Select to instead include only log messages that do not match this
criterion. For example, you might include logs except those matching
a specific generic filter.
Add
Select Add to add the keyword and value number to the generic filter
list. The generic filter list displays all configured generic filters in the
field beside both Add and Delete.
Delete
Select to delete the generic filter. Select the generic filter first, and
then select Delete.
4 Click OK.
Report schedules are configured after you have configured report layouts. If you do not
have a report layout, you cannot configure a report schedule.
Report schedules provide a way to schedule a daily, monthly or weekly report so that the
report will generate at a specific time period. You can configure multiple report schedules.
To view the report schedule list, go to Report > Schedule > Schedule.
Description
Run
Schedule Name
The name given to the report schedule when configuring the report
schedule.
Layout Name
The name of the report layout that is associated with the report
schedule.
Device
Schedule
The time period or range for the report, in the following formats:
Daily: hh:mm
Weekly: hh:mm at [days of week]
Monthly: hh:mm at [dates of month]
Effective Period
The start and end date, including the start and end time, of the
schedule.
Description
Name
Description
Layout
Select a configured report layout from the drop-down list. You must
apply a report layout to a report schedule.
Language
Select a language from the drop-down list or choose Default to use the
default language.
Schedule
Select one of the following to have the report generated only once,
daily, weekly, or monthly at a specified date or time period.
Daily
Select to generate the report every day at the same time. Enter the
hour and minute time period for the report. The format is hh:mm.
Weekly
Select to generate the report on specified days of the week. Select the
days of the week check boxes.
Monthly
Once
On Demand
Time
Select the hour and minute (from the drop-down lists) of the time of
day when you want to generate the report.
Start Date
Select the calendar beside Start Date to choose the date and time on which the report will start generating, then select OK. You can change the month and year in the calendar if you need a different one.
End Date
Select the calendar beside End Date to choose the date and time after which the report will stop generating, then select OK. You can change the month and year in the calendar if you need a different one.
You can specify the variables that were selected in the charts when
configuring the report layout.
If you did not specify any variables in the charts added to report
layout, proceed to Data Filter.
Device/Group
Virtual Domain
User
Group
LDAP Query
LDAP Group
Enter an LDAP group. This option appears only when LDAP Query is
selected.
Data Filter
Select a data filter template from the drop-down list to the report
schedule. For more information on data filter, see Configuring data
filter templates on page 178.
Time Period
Local Time for
Select whether to base the time period on the local time of the FortiAnalyzer unit or of the selected devices.
Log time stamps reflect when the FortiAnalyzer unit received the message, not when the device generated it. If your devices are located in different time zones and the report covers a span of time, make sure the time span is relative to the device, not to the FortiAnalyzer unit.
For example, if a device and the FortiAnalyzer unit are three time zones apart, a report for the time frame from 9 AM to 11 AM will yield different results depending on whether the time frame is relative to the device's local time or to the FortiAnalyzer unit's local time.
From
Select the beginning date and time of the log time range.
To
Select the ending date and time of the log time range.
Output
Select the type of output you want the report to be in and if you want to
apply an output template as well.
Output Types
Select the type of file format you want the generated report to be. You
can choose from PDF, XML, HTML (default), MS Word, Text, and
MHT.
Note: Only those file formats that are enabled in both output template
and schedule output types are sent by email. For example, if PDF and
Text formats are selected in the output template, and then PDF and
MHT are selected in the report schedule, the report's file format in the
email attachment is PDF.
Email/Upload
Select the check box if you want to apply a report output template from
the drop-down list. For more information on configuring report output,
see Configuring report output templates on page 91.
4 Click OK.
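The Local Time for choice in the schedule's Time Period settings is easy to get wrong, so here is an added example (not FortiAnalyzer code) that shows the effect described above. Records carry the time the FortiAnalyzer unit received them, on the unit's own clock; the same 9 AM to 11 AM window selects different records depending on whose local time it is read against. The zone offsets and the log lines are constructed.

```python
"""Why 'Local Time for' matters when device and FortiAnalyzer clocks differ.

Added example; not FortiAnalyzer code. Receive time stamps are on the
FortiAnalyzer unit's clock, so a device three zones away sees the same
records under different wall-clock hours. Offsets and records are constructed.
"""
from datetime import date, datetime, time, timedelta, timezone

FAZ_TZ = timezone(timedelta(hours=-5), "FAZ")  # constructed: unit in UTC-5
DEV_TZ = timezone(timedelta(hours=-8), "DEV")  # constructed: device three zones west

# Constructed records: (receive time on the FortiAnalyzer clock, message)
LOGS = [
    ("2010-06-07 06:00:00", "login admin from 192.168.1.125"),
    ("2010-06-07 09:30:00", "web GET 203.0.113.9"),
    ("2010-06-07 10:45:00", "web GET 203.0.113.9"),
    ("2010-06-07 12:30:00", "web GET 198.51.100.7"),
    ("2010-06-07 13:15:00", "web GET 198.51.100.7"),
]


def received_at(stamp: str) -> datetime:
    """Parse a receive time stamp as a FortiAnalyzer-local aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=FAZ_TZ)


def select_window(logs, start: str, end: str, local_time_for: timezone) -> list:
    """Time stamps of the records whose wall-clock time, read in the chosen
    zone, falls in [start, end). Pass FAZ_TZ or DEV_TZ for local_time_for."""
    lo, hi = time.fromisoformat(start), time.fromisoformat(end)
    return [stamp for stamp, _ in logs
            if lo <= received_at(stamp).astimezone(local_time_for).time() < hi]


def device_window_on_faz_clock(day: str, start: str, end: str) -> tuple:
    """Translate a device-local window into the FortiAnalyzer-local window that
    covers the same records; this is what choosing 'Devices' does for you."""
    def shift(hm: str) -> str:
        local = datetime.combine(date.fromisoformat(day), time.fromisoformat(hm), tzinfo=DEV_TZ)
        return local.astimezone(FAZ_TZ).strftime("%H:%M")
    return shift(start), shift(end)


if __name__ == "__main__":
    print("9-11 on the FortiAnalyzer clock:", select_window(LOGS, "09:00", "11:00", FAZ_TZ))
    print("9-11 on the device clock:       ", select_window(LOGS, "09:00", "11:00", DEV_TZ))
    print("device 9-11 on the FortiAnalyzer clock:", device_window_on_faz_clock("2010-06-07", "09:00", "11:00"))
```

Read against the FortiAnalyzer clock, the window picks the 09:30 and 10:45 records; read against the device clock it picks 12:30 and 13:15 instead, because the device's 9 AM to 11 AM is 12:00 to 14:00 on the unit. The two result sets share no records, which is exactly the discrepancy the note above warns about.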
Configuring language
When creating a report layout, you can select which language the report will be written in.
If your preferred languages require modification, you can create your own report language
customization, which then becomes available for selection in the report layout.
Report language components include:
a string file, also known as a language resource file, containing report text
a format file specifying the language encoding, as well as file format specific settings
an optional font file used to render graph titles and Y-axis labels
The font file is used to render graph titles and Y-axis labels in a font of your choice. Some
fonts, particularly for double-byte languages, do not support character rotation, which is
required by the Y-axis label. Compatible fonts must be a TrueType (.ttf) font, and must
support character rotation. Examples of known compatible fonts include Arial, AR PL
Mingti2L Big5, AR PL SungtiL GB, DFPHSGothic-W5, and Verdana.
The string file specifies pieces of text that may be used in various places throughout the
report. Each string line consists of a key followed by an equal symbol (=) and its value.
You can add comments to the string file by preceding them with a number symbol (#).
For example, in these lines:
# Printed in place of report when zero log messages matched report filter.
no_match=No matching log data for this report
the comment is:
# Printed in place of report when zero log messages matched report filter.
the key is no_match, and the string value for that key is No matching log data for this report.
Keys are required and must not be removed or changed. Keys map a string to a location in
the report, and are the same in each language file. If you change or remove keys, the
FortiAnalyzer unit cannot associate your string with a location in the report, string file
validation will fail, and the string file upload will not succeed.
String values may be changed to customize report text. If your custom string values use a
different encoding or character set than the default language file, customize your format
file to reflect your new character set and/or encoding.
Comment lines are optional; you can add them throughout the file to provide notes on your
work.
The format file contains settings for the file format renderers, including encodings. The format file contains sections that are preceded by an output type label, consisting of the file format name followed by a colon character (:). Within each output type's section, one or more settings exist, consisting of a variable name followed by an equal symbol (=) and its value, enclosed in double quote characters ("). You can add comments to the format file by preceding them with a number symbol (#).
For example, in these lines:
# Localization uses a Latin character set.
html:
html_charset="iso-8859-1"
The comment is:
# Localization uses a Latin character set.
The output type label is html:, the variable name is html_charset, and the variable's value is iso-8859-1.
Variables are required and must not be removed or changed. If you change or remove
variables, the FortiAnalyzer unit may not be able to properly format your reports.
If your custom string values use a different encoding or character set than the default
language file, you must customize your format file to reflect your new character set and/or
encoding. If your string file requires double-byte encoding, also set doublebytes="1".
Otherwise, set doublebytes="0". The variable's value must be in a pattern acceptable
by the output type. If variable value syntax is not correct, format file validation will fail, and
the format file upload will not succeed.
Supported encodings used by the string file and referenced in the format file include those
specified by the PDF, RTF, and HTML standards. For character set and encoding syntax
and other specifications, see:
Microsoft Word 2003 Rich Text Format (RTF) Specification, version 1.8
Comment lines are optional; you can add them throughout the file to provide notes on your
work.
If you require further format file customization, including adjustments to PDF objects,
contact Fortinet Technical Support.
Note: Both format and string files use Unix-style line endings (LF characters, not CR-LF).
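Because a failed validation only tells you that the upload did not succeed, it helps to check a customized string file and format file locally before uploading them. The following is an added example, not code shipped with FortiAnalyzer, that applies the rules stated above: key=value lines with # comments and unchanged keys in the string file; an output type label such as html: followed by name="value" settings, doublebytes set to "0" or "1", and LF-only line endings in the format file. The sample files are constructed; the no_match key, the html_charset variable and the doublebytes variable are from the guide, while the placement of doublebytes under the html: label is an assumption, so the checker accepts it in any section.

```python
"""Pre-upload checks for FortiAnalyzer report language files.

Added example; not code from FortiAnalyzer or Fortinet. It applies the rules
the guide gives for the string file (key=value lines, '#' comments, keys must
not change) and the format file (output-type label such as 'html:',
name="value" settings, doublebytes="0" or "1", LF line endings). The sample
files are constructed; where doublebytes lives is an assumption.
"""
import codecs
import re

LABEL_RE = re.compile(r"^(\w+):$")              # e.g. html:
SETTING_RE = re.compile(r'^(\w+)="([^"]*)"$')   # e.g. html_charset="iso-8859-1"
STRING_RE = re.compile(r"^(\w+)=(.*)$")         # e.g. no_match=No matching ...


def check_line_endings(raw: bytes) -> list:
    """Both files must use LF only; any CR byte fails validation."""
    return ["CR found; use Unix (LF) line endings"] if b"\r" in raw else []


def parse_string_file(text: str) -> dict:
    """key=value per line, '#' lines are comments -> {key: value}."""
    strings = {}
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = STRING_RE.match(line)
        if not m:
            raise ValueError(f"string file line {no}: expected key=value")
        strings[m.group(1)] = m.group(2)
    return strings


def parse_format_file(text: str) -> dict:
    """'label:' opens a section; name="value" lines belong to it. Settings
    before any label go in section '' (assumption: doublebytes may be there)."""
    sections, current = {"": {}}, ""
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if (m := LABEL_RE.match(line)):
            current = m.group(1)
            sections.setdefault(current, {})
        elif (m := SETTING_RE.match(line)):
            sections[current][m.group(1)] = m.group(2)
        else:
            raise ValueError(f'format file line {no}: expected label: or name="value"')
    return sections


def find_setting(sections: dict, name: str):
    return next((v[name] for v in sections.values() if name in v), None)


def validate_language(default_strings: bytes, custom_strings: bytes,
                      default_format: bytes, custom_format: bytes) -> list:
    """Return the problems that would make the upload fail; [] means OK."""
    problems = [f"string file: {p}" for p in check_line_endings(custom_strings)]
    problems += [f"format file: {p}" for p in check_line_endings(custom_format)]

    default_fmt = parse_format_file(default_format.decode("ascii"))
    custom_fmt = parse_format_file(custom_format.decode("ascii"))
    # Variables must not be removed or renamed, section by section.
    for section, values in default_fmt.items():
        for var in values.keys() - custom_fmt.get(section, {}).keys():
            problems.append(f"format file: variable {var} missing from section {section or '(top)'}:")
    doublebytes = find_setting(custom_fmt, "doublebytes")
    if doublebytes not in ("0", "1"):
        problems.append(f'format file: doublebytes must be "0" or "1", got {doublebytes!r}')

    charset = find_setting(custom_fmt, "html_charset") or "iso-8859-1"
    try:
        codecs.lookup(charset)
        text = custom_strings.decode(charset)
    except (LookupError, UnicodeDecodeError) as exc:
        problems.append(f"string file does not decode as {charset}: {exc}")
        return problems

    # Keys must not be removed or changed; an unknown key has no slot in the report.
    defaults = parse_string_file(default_strings.decode("latin-1"))
    custom = parse_string_file(text)
    for key in defaults.keys() - custom.keys():
        problems.append(f"string file: key {key} missing")
    for key in custom.keys() - defaults.keys():
        problems.append(f"string file: key {key} is not a known key")

    # doublebytes must agree with the charset the values actually need. If the
    # declared charset is wrong, mojibake decodes 'successfully' and this
    # heuristic cannot catch it; review the file in an editor as well.
    needs_double = any(len(ch.encode(charset)) > 1 for ch in text)
    if doublebytes in ("0", "1") and needs_double != (doublebytes == "1"):
        problems.append(f'format file: doublebytes="{doublebytes}" but strings are '
                        f"{'multi' if needs_double else 'single'}-byte in {charset}")
    return problems


# Constructed samples; only the no_match key and its English value are from the guide.
DEFAULT_STRINGS = (b"# Printed in place of report when zero log messages matched report filter.\n"
                   b"no_match=No matching log data for this report\n")
DEFAULT_FORMAT = b'# Localization uses a Latin character set.\nhtml:\nhtml_charset="iso-8859-1"\ndoublebytes="0"\n'
CUSTOM_STRINGS_BIG5 = "# Traditional Chinese (constructed)\nno_match=\u6c92\u6709\u7b26\u5408\u7684\u8a18\u9304\u8cc7\u6599\n".encode("big5")
CUSTOM_FORMAT_BIG5 = b'html:\nhtml_charset="big5"\ndoublebytes="1"\n'

if __name__ == "__main__":
    print(validate_language(DEFAULT_STRINGS, CUSTOM_STRINGS_BIG5, DEFAULT_FORMAT, CUSTOM_FORMAT_BIG5))
```

Run validate_language with the downloaded default files and your edited copies before uploading; an empty list means the structural rules above are satisfied. A CR-LF format file, a doublebytes value that contradicts the character set, or a renamed key each produce a separate message, so you can fix them in one pass rather than discovering them one upload at a time.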
Description
Remove the font file from the selected report language customization.
Download
Language
Description
Font
If you uploaded a font file with your report language customization, the
name of the font.
This does not appear if the report language uses a default font.
4 Open the string file using a plain text editor that supports Unix-style line endings and
the string file's encoding, such as jEdit. Verify that the correct encoding has been
detected or selected.
5 Locate and edit text that you want to customize.
Do not change or remove keys. Modifiable text is located to the right of the equal
symbol (=) in each line.
6 Save the string file.
7 If you changed the encoding of the string file, go to Download > Download Format File
and open the format file using a plain text editor that supports Unix-style line endings,
such as jEdit, and edit the encoding and character set values for each file format. If you
have switched between a single-byte and a double-byte encoding, also set the
doublebytes value to true (1) or false (0).
For specifications on how to indicate encoding and character set, refer to each file
format's specifications:
Microsoft Word 2003 Rich Text Format (RTF) Specification, version 1.8
3 If you are creating a new report language, enter the language of the report.
The language name cannot contain spaces.
4 Enter a Description for the language.
5 For the Format File, click Browse and locate your customized format file.
6 For the String File, click Browse and locate your customized string file.
7 If you want to customize the font of report graph titles and Y-axis labels, for Font File,
click Browse and locate your font.
If your font is located in the system font folder, you may need to first copy the font from
the system font folder to another location, such as a temporary folder or your desktop,
to be able to select the font for upload.
Note: Some font licenses prohibit copying or simultaneous use on multiple hosts or by
multiple users. Verify your fonts license.
8 Click OK.
Time required to upload the language customization files varies by the size of the files
and the speed of your connection. If there are any errors with your files, correct the
errors, then repeat this procedure.
Table 6: Language file error messages
Error message: Specified font file is not a standard TrueType font (*.ttf).
Description: Your font file is not a TrueType font. Only TrueType fonts are supported.
After successfully uploading and verifying, your custom language becomes available
as a report output language.
Note: The string file contains many keys, and each report type uses a subset of those keys.
If your language modification does not appear in your report, verify that you have modified
the string of a key used by that report type.
The log types that are necessary to configure this type of report are traffic, DLP archive
and web filter logs.
Creating the report Most web sites visited by an individual employee
1 To configure the output template that will be used in the report, go to System >
Config > Remote Output, click Create New.
2 Configure as follows:
In Output Format, select PDF and then deselect HTML, which is selected by default.
Select Compress Report Files to compress the report for attachment to the email message.
For Recipient, enter the individual's email address and then select Add; repeat for the other email addresses (IT manager and headquarters).
In the Subject field, enter Web activity for .125 computer user.
Select Upload Report to Server, then enter the company's FTP server information in the fields.
Select OK.
3 To configure the report layout that will be used in the report, go to Report > Config >
Layout, click Create New.
4 Configure as follows:
In the Report Title field, enter Most visited web sites by an individual
employee.
In the Title Page Logo field, select the Browse logo files icon to locate the company's title page logo.
In the Header Logo field, select the Browse logo files icon to locate the company's header logo.
Select Add Chart(s) and then select the following charts under Web Activity:
Web Volume by Time Period
Top Web Clients by Volume
Top Web Servers by Connection
Top Web Servers by Volume and Hits
Top Web Servers by Connections for Most Active Clients
For the Web Volume by Time Period chart, select Edit and then from the Time Scale
list, select Hour of Day. Select OK.
For the Top Web Clients by Volume chart, select Edit and then from the Source ID list,
select IP Address. Select OK.
For the Top Web Servers by Connections for Most Active Clients, select Edit and
then from the Source ID list, select IP Address. Select OK.
Select OK.
5 To configure the report data filter that will be used in the report, go to Report > Config >
Data Filter, click Create New.
6 Configure as follows:
In Day of Week, select the check boxes next to the days of the work week.
Expand Web Category, and then select the check boxes beside:
Potentially Liable
Objectionable or Controversial
Potentially Non-productive
Potentially Bandwidth Consuming
Potentially Security Violating.
In Priority, select the level Notification in Available Levels and then use the -> arrow to move it to Selected Levels.
Select OK.
7 To configure the report schedule for generating the report, go to Report > Schedule >
Schedule, click Create New.
8 Configure as follows:
In Layout, select the report layout, Most visited web sites by an individual employee
from the list.
In Schedule, select Once and then select the Calendar icon to configure today's
date and time.
Under Log Data Filtering, select the FortiGate-50B unit in the Device/Group list,
which logged the information needed to complete the report.
In Time Period, select Devices and then select Past Month from the Time Period
list.
In Output, select the check box beside PDF and then select the check box beside
Email/Upload. In the Email/Upload list, select the output template.
Select OK.
2 Configure as follows:
In Output Format, select PDF and then deselect HTML, which is selected by default.
Select Compress Report Files to compress the report for attachment to the email message.
For Recipient, enter the IT department's email address and then select Add.
Select Upload Report to Server, then enter the company's FTP server information in the fields.
Select OK.
3 To configure the report layout that will be used in the report, go to Report > Config >
Layout, click Create New.
4 Configure as follows:
In the Title Page Logo field, select the Browse logo files icon to locate the company's title page logo.
In the Header Logo field, select the Browse logo files icon to locate the company's header logo.
Select FortiClient in the Device Type list, and then select the plus sign beside
FortiClient Antivirus Activity to include all charts that are in that report group.
FortiAnalyzer Version 4.0 MR2 Administration Guide, Revision 13 (http://docs.fortinet.com/)
Reports
Select OK.
Select the Edit icon within the Top Viruses (from Antivirus log) chart to change the
default settings.
In the edit chart window, select Graph Only from the Chart Output list so that only a
graph displays.
Expand Advanced, and select the check boxes beside Resolve Host Names and
Resolve Service Names.
Select OK.
Select the Edit icon within the Top Files (from Antivirus Log) chart to change the
default settings.
In the edit chart window, select Table Only from the Chart Output list so that only a
table displays.
In Maximum Entries (TopN), select the check box beside List All Results.
When you select the check box, a warning symbol appears beside Maximum
Entries (TopN) which, if you hover your mouse over the symbol, explains that if you
have a large number for this setting, the FortiAnalyzer unit's performance may be
degraded.
Expand Advanced, and select the check boxes beside Resolve Host Names and
Resolve Service Names.
Select OK.
Select OK.
Select OK.
5 To configure the report data filter that will be used in the report, go to Report > Config >
Data Filter, click Create New.
6 Configure as follows:
In Day of Week, select the check boxes beside all the days of the work week.
In Priority, select Information in the Available Levels and move it to the Selected
Levels list.
Select OK.
7 To configure the report schedule for generating the report, go to Report > Schedule >
Schedule, click Create New.
8 Configure as follows:
In Schedule, select Once and then select the Calendar icon to configure today's
date and time.
In Log Data Filtering, select the configured data filter in the Data Filter list.
In Time Period, select Selected Devices, select Past N Week from the Time Period
list, and then enter the number 2 in the field that appears.
In Output, select the check box beside PDF, and then select the check box beside
Email/Upload.
Select OK.
2 Configure as follows:
In Output Format, select XML and then deselect HTML, which is selected by default.
Select Compress Report Files to compress the report for attachment to the email message.
Enter the CEO's email address and then select Add; repeat for the other email addresses.
Select Upload Report to Server, then enter the company's FTP server information in the fields.
Select OK.
3 To configure the report layout that will be used in the report, go to Report > Config >
Layout, click Create New.
4 Configure as follows:
In the Title Page Logo field, select the Browse logo files icon to locate the company's title page logo.
In the Header Logo field, select the Browse logo files icon to locate the company's header logo.
Select FortiMail in the Device Type list, and then select the plus sign beside Spam
Activity to include all charts under this group.
Select the Edit icon for each chart and change the Time Scale setting to Hour of
Day.
Select OK.
5 To configure the report data filter that will be used in the report, go to Report > Config >
Data Filter, click Create New.
6 Configure as follows:
In Day of Week, select the check boxes for the days of the work week.
In Priority, select Information in the Available Levels and move it to the Selected
Levels list.
Select OK.
7 To configure the report schedule for generating the report, go to Report > Schedule >
Schedule, click Create New.
8 Configure as follows:
In Schedule, select Weekly, and then select On Demand so that the report can be
run at any time.
In Log Data Filtering, select the company's FortiMail-400 unit in the Device/Group
list.
In Log Data Filtering, select the data filter configured for the report in the Data Filter
list.
In Time Period, select Devices and then select This Month from the Time Period list.
In Output, select the check box beside XML and then select the check box beside
Email/Upload.
Click OK.
Logs must be collected or uploaded before you can generate a report. Logs are the basis
of all FortiAnalyzer reports. After logs are collected or uploaded, you can then configure
reports based on the default or customized chart templates.
In most cases, the default chart templates are sufficient for report configuration. However,
you can create customized chart templates by configuring the data sets to get the exact
chart data you want. FortiAnalyzer data sets are a collection of the log files from the
devices monitored by the FortiAnalyzer unit. Reports are generated based on the data
sets. For more information, see Configuring data sets on page 201 and Configuring
report chart templates on page 197.
A report for logs from the SQL database has three basic components:
report chart template (the report template and the data set)
You need to configure a chart template before configuring a report, because the report
requires a chart template. You also need to configure remote report output (see
Configuring report output templates on page 91) if you want to upload completed report
files to a server accepting FTP, SFTP, or SCP when configuring a report. The report chart
templates can be applied to any reports.
Description
Clone
Favorite
A grey star means that this report chart template is not in the favorite
list. An orange star means that this report chart template is in the
favorite list.
Selecting the star toggles between adding a template into the favorite
list or removing a template from the favorite list.
Output Capacity
Name
The name of the report chart template. The name of a default template
is composed of the report category and the name of the data set.
Category
Title
The description about the chart. For example, if the name of the chart
is vpn-ipsec-usr-dur, the title can be Top VPN IPsec User by
Duration.
Data Set
Field Output
Description
Category
Data Set
Select the data set for the selected category. For example, data set names
for the AntiVirus category start with av.
FortiAnalyzer data sets are a collection of the log files from the devices
monitored by the FortiAnalyzer unit. Reports are generated based on the
data sets. For information about data set configuration, see Configuring
data sets on page 201.
Depending on the selection of data set, values in the Field Output and Data
Bindings fields vary.
Field Output
Depending on the selection of data set, the values of this option vary. These
values are used for marking the report graphs, such as X or Y axis in a bar
graph, or column or row title in a table.
Resolve Host
Name
Enable this option to display the device's host name from an IP alias or
reverse DNS lookup, rather than an IP address. For more information about
configuring IP aliases, see Configuring IP aliases on page 104.
Favorite
Enable to add this chart template to the favorite list. See Favorite on
page 198.
Data Bindings
Depending on your selection in the Graph Type field, the values in this
section vary.
Data Binding: Select a value for the X-Axis of the bar graph. The values in
this field change depending on your selection of the data set.
Only Show First n Items: Select the check box and enter a number to
show the top ranked log information, such as top number of viruses, in the
report chart. The default is 6. The rest of the log information will be marked
as Others in the chart.
Overwrite Label: Mark the check box to modify the default value for the X-Axis, if required.
Y-Axis
Data Binding: Select a value for the Y-Axis of the bar graph. The values in
this field change depending on your selection of the data set.
Overwrite Label: Mark the check box to modify the default value for the Y-Axis, if required.
Group By: Mark the check box to group the log information according to the data set field output. This option appears only when a data set's field output contains more than 3 fields.
Only Show First n Items: Select the check box and enter a number to show the top ranked log information, such as top number of viruses, in the report chart. The default is 3. The rest of the log information will be marked as Others in the chart. This option appears only when a data set's field output contains more than 3 fields.
Select a value to show the size of each segment of log information in the pie
chart. The values in this field change depending on your selection of the
data set.
For example, in a pie chart called Top Services by Volume, one of the top
services is SMTP and its percentage in the pie is 8.81. This percentage is
generated by the selection in this field.
Enable Only Show First n Items (Bundle rest into "Others") and enter a
number to show the top ranked log information, such as top number of
viruses, in the report chart. The default is 6. The rest of the log information
will be marked as Others in the chart.
Label
Binding
Select a value to label each segment of log information in the pie chart. The
values in this field change depending on your selection of the data set.
For example, in a pie chart called Top Services by Volume, one of the top
services is labeled as SMTP. This label is generated by the selection in this
field.
Select Ranked to show the log information in ranked format, such as top x,
or top y of top x, in the table.
Select Raw to show the log information as an audit report which displays the
results only, such as all blocked sites and all sites visited.
Add
Column
Select to add a column to the table. This option only appears after you
select the Remove the column icon.
The data display in the table will be in raw format after selecting the Remove
the column icon.
Field
Output
Select a value to show the column title for the log information in the table.
The values in these fields change depending on your selection of the data
set.
Overwrite Header
Mark the check box to modify the Field Output value, if required.
Only Show First n Items
Mark the check box and enter a number to show the top ranked log information, such as top number of viruses, in the table. The default is 3. The rest of the log information will be marked as Others in the table. This option is only available if you select to display data in ranked format.
Description
Name
Log Type
Name of the GUI item
Description
Name
Log Type
($log)
Time Period
Select to use logs from a time frame, or select Specified and define a custom
time frame by selecting the Begin Time and End Time.
Past N Hours/Days/Weeks
If you selected Past N Hours/Days/Weeks for Time Period, enter the number.
Begin Time
Enter the date (or use the calendar icon) and time of the beginning of the custom time range.
This option appears only when you select Specified in the Time Period ($time)
field.
End Time
Enter the date (or use the calendar icon) and time of the end of the custom time
range.
This option appears only when you select Specified in the Time Period ($time)
field.
SQL Query
Enter the SQL query syntax to retrieve the log data you want from the SQL
database. For details about how to write the SQL statement, see Appendix D:
Querying FortiAnalyzer SQL log databases on page 335.
Test
Click to test whether or not the SQL query is successful. See To test a SQL
query on page 202.
Name of the GUI item
Description
Device
Select a FortiGate unit, FortiMail unit, or FortiClient installation to apply the SQL
query.
VDom
If you want to apply the SQL query to a FortiGate VDOM, enter the name of the
VDOM.
Time Period
Select to query the logs from a time frame, or select Specified and define a
custom time frame by selecting the Begin Time and End Time.
Past N Hours/Days/Weeks
If you selected Past N Hours/Days/Weeks for Time Period, enter the number.
Begin Time
Enter the date (or use the calendar icon) and time of the beginning of the custom time range.
This option appears only when you select Specified in the Time Period ($time) field.
End Time
Enter the date (or use the calendar icon) and time of the end of the custom time range.
This option appears only when you select Specified in the Time Period ($time) field.
SQL Query
If necessary, modify the SQL query to retrieve the log data you want from the SQL database.
Run
Clear
Save
Options
Select to save the SQL query console configuration to the data set
configuration.
The Device and VDOM configurations are not used by the data set
configuration.
Close
Description
Upload
Graphic Name
Thumbnail
Reports are configured after you have configured report chart templates and optional graphics. If you do not have a report chart template, you cannot configure a report.
Reports provide a way to schedule a daily or weekly report so that the report will generate
at a specific time period.
To view the report list, go to Report > Config > Report.
Figure 80: Report list
Description
Clone
Run
Name
Title
Description
Number of Charts
To configure a report
1 Go to Report > Config > Report.
2 Click Create New.
Description
Name
Enter a name for the report. This name is for the FortiAnalyzer unit to
record the report in its report list.
Title
Sub Title
Enter a sub title name for the report, for example, Report_1_AV.
Description
Options
Select Display Table of Contents if you want a table of contents for the
report.
Schedule
Daily
Select to generate the report every day at the same time. Enter the
hour and minute time period for the report. The format is hh:mm.
Weekly
Select to generate the report on specified days of the week. Select the
day of the week and the hour on that day.
On Demand
Output Format
Select the type of file format you want the generated report to be. You
can choose from HTML (default), PDF, MS Word, Text, MHT, and
XML.
Note: Only those file formats that are enabled in both remote output
template (see Configuring report output templates on page 91) and
the report configuration are sent by email. For example, if PDF and
Text formats are selected in the output template, and then PDF and
MHT are selected in the report schedule, the report's file format in the
email attachment is PDF.
Email/Upload
Mark the check box if you want to apply a report output template from
the drop-down list. For more information on configuring report output,
see Configuring report output templates on page 91.
Report content
Header
Enter a header for the report and select to use normal text or graphic
for the header.
If you select Graphic, click Browse to find and add a graphic you have
imported. For more information, see Uploading graphics for reports
on page 203.
Click Add to add a header and Delete to remove a header.
Footer
Components
Click Add to add the components for the report. For more information,
see To add a report component on page 206.
Type
Component
The name of the report component. This information appears after you
have added a report component.
Action
Search
Description
Search
Enter one or more key words, which may be partial, to search the components for this report.
If you search before selecting a component type, all types of components
containing the key word appear.
If you search after selecting a component type, all components containing the
key word of the selected type appear.
Text
Select to add a heading or text to a report that keeps charts separate from each
other.
If you select a heading, enter the heading content in the Heading field.
If you select Normal Text, enter the content in the Text field.
Charts
Graphics
Misc
Dashboard name
3 Click Dashboard, then select Add Dashboard. Enter the name for the dashboard and
click OK.
4 Select the name of the new dashboard and click Widget to add report components to
the dashboard. For details, see To add a report component on page 206.
5 Click Add.
2 Configure as follows:
In Output Format, select PDF and then deselect HTML, which is selected by default.
Select Compress Report Files to compress the report for attachment to the email
message.
For Recipient, enter the email address provided by the headquarters and then
select Add.
Select Upload Report to Server, then enter the company's FTP server information in
the fields.
Select OK.
3 To configure the report chart template that will be used in the report, go to Report >
Chart > Template, click Create New.
4 Configure as follows:
In the Data Set field, select the default data set appctrl-top-web-users-last24hours.
You can also create a data set. See To create a data set on page 201.
Select OK.
5 To configure the report, go to Report > Config > Report, click Create New.
6 Configure as follows:
In Schedule, select Daily and then enter the hour to generate the report.
Select the check box beside Email/Upload. In the Email/Upload list, select the
output template.
In the Device field, select the FortiGate-50B which logged the information needed to
complete the report.
Select Add.
Browsing reports
After reports are generated by the FortiAnalyzer unit using log data from either a SQL
database or proprietary indexed file storage system, you can view them in Report >
Access > Scheduled Report. This page displays all generated reports, including
generated scheduled reports.
Figure 81: Viewing reports
Current page
Description
Delete
Rename
Refresh
Device Type
Select the device type for which you want to see the reports. For example, if
you select FortiGate, all reports for FortiGate units appear.
Report Files
Select the report name to view the entire report in HTML format.
Select the Expand Arrow to view the individual reports in HTML format.
Device Type
The type of device that was selected for collecting logs from.
Started
The date and time when the FortiAnalyzer unit generated the report.
Finished
The date and time when the FortiAnalyzer unit completed the report. If the
FortiAnalyzer unit is in the process of generating a report, a progress bar will
appear in this column. If the FortiAnalyzer unit has not yet started generating
the report, which can occur when another report is not yet finished, Pending
appears in this column.
Size (bytes)
Other Formats
Select a file format, if any, to view the generated report in that format.
In addition to HTML, if any, the generated reports may also be available in
PDF, RTF, XML/XSL, and ASCII text formats, depending on the output
configuration. For more information about setting output options, see
Configuring report output templates on page 91.
Current Page
By default, the first page of the list of items is displayed. The total number of
pages displays after the current page number. For example, if 2/10 appears,
you are currently viewing page 2 of 10 pages.
To view pages, select the left and right arrows to display the first, previous,
next, or last page.
To view a specific page, enter the page number in the field and then press
Enter.
Vulnerability Management
The Vulnerability Management menu configures vulnerability scans and their resulting
reports.
New vulnerabilities appear in any organization's network due to problems such as flaws in
software or faulty application configuration. The vulnerability management feature can
determine whether your organization's computers are vulnerable to attacks. With this
feature, you can define your host assets or discover hosts in the network, configure
vulnerability management scans, generate reports, and interpret the results.
FortiAnalyzer units come with a default database of more than 2,500 vulnerabilities. For
FortiGuard Vulnerability Management Service subscribers, this database can be
periodically updated via the FortiGuard Distribution Network (FDN) to receive definitions of
the most recently discovered vulnerabilities. For details, see Scheduling & uploading
vulnerability management updates on page 116.
The vulnerability scan is suitable for scanning many types of hosts, including those
running Microsoft Windows or Unix variants such as Linux and Apple Mac OS X, as well
as a variety of applications and services/daemons.
The workflow of a vulnerability scan is as follows:
Figure: Vulnerability scan workflow
Parsing scan settings
Scanning ports if required
Performing service scan
Performing vulnerability scan with specified FIDs
Scanning OS if required
Summary report: Identifies overall network host vulnerabilities discovered by all scans
(see Viewing host vulnerability statuses on page 239)
Scan report: Identifies network host vulnerabilities discovered by a specific scan (see
Viewing vulnerability scan reports on page 235)
Compliance report: Reports on the hosts' compliance with the PCI data security standard
(see Viewing compliance reports on page 245)
Description
Name
IP/Range
Authentication
Location
Function
Description
Name
Type
IP Address
Location
Function
Asset Tag
Comments
Authentication
Windows
UNIX
For UNIX authentication, enter the user name, password, and the
PEM-encoded private RSA and DSA keys in text format. You may also
give the FortiAnalyzer unit superuser privileges by selecting
Enable Sudo.
For more information, see Preparing for authenticated scanning on
page 223.
SNMP
Description
Name
Host
Business Impact
Number of Vulnerabilities The number of vulnerabilities found on the hosts of this group.
To add a group
1 Go to Vulnerability Management > Asset > Group.
2 Click Create New.
Include
Exclude
Description
Name
Host
Select the available host assets and select the include icon to add
them to the asset group.
Business Impact
Comments
If you have selected an asset group or entered an IP range, the FortiAnalyzer unit will
attempt to detect the live hosts directly within the asset group or IP range. The host
numbers may vary at different times because not all hosts may be reachable at all
times.
If you have entered a domain name, the FortiAnalyzer unit will attempt to find the hosts
under the domain by identifying the authoritative name server for the domain, and
sending a request to list all the hosts under the domain managed by the name server.
However, this request is not always permitted and may be forbidden by the Name
Server administrator. If this is the case, the FortiAnalyzer unit will use brute force to
query the name server to find out the IP address assigned to each FQDN. The
FortiAnalyzer unit uses a proprietary list of roughly 100 common names, such as www
or ftp, to form a list of FQDNs. Once it finds the IP address for the target domain, it will
access the domain to discover its hosts.
ICMP
TCP ports
UDP ports
DNS
Reverse DNS
TCP RST
Traceroute
Description
Run
Select to run a network map scan immediately. This may take a while
depending on the targets selected, number of hosts in the network,
and network speed.
Cancel
Name
Target
Scan Ports
The host ports to be checked by the network map scan. Select TCP,
UDP, or TCP & UDP.
Schedule
Effective Period
The first time a repeating schedule occurs will be listed here. For
example, From 2009-02-12.
Description
Name
Target
This section defines what part of your network will be examined by the
network map scan.
Scan Ports
The host ports to be checked. Select TCP, UDP, or TCP & UDP.
Asset Group
The asset group on which the network map scan will be run.
Maintain Asset Group Select to have the network map scan automatically update the
selected asset group if new hosts are discovered through domain or
IP address range scan. No hosts will be removed even if they are
unreachable. A domain or IP range must be entered if this option is
selected.
Domain
IP Range
Schedule
Run Now
Run Later
Specify the date the first scheduled report is generated. From then on,
it will be generated at daily, weekly, or monthly intervals.
Time
Output Option
File output
Select the formats in which the network map report will be generated.
HTML is the default format. Any or all other available formats may be
selected.
Email/Upload
Current page
Description
Rename
Import
Select to import the hosts discovered by the network map scan into an
asset group to ensure that they are covered by the vulnerability scans.
The hosts you select can be added to an existing asset group or a new
group.
The host import page lists the following information on each host
discovered:
IP Address: The IP address of the host.
DNS Hostname: The hostname indicated when querying the DNS
server.
NetBIOS Hostname: The NetBIOS name of the host, if any.
OS: The operating system running on the host.
Note that the network map scan may discover more hosts than those
specified in a target asset group because the scan can discover hosts
via a specified domain. For more information, see Discovering
network host assets on page 217.
Name
Started
Finished
The date and time the report generation was completed. Based on the
Started and Finished times, you can calculate how long the
FortiAnalyzer unit took to generate the report.
Size (bytes)
Formats
The formats in which the report was generated. HTML is the default
format and any others are listed here.
Current page
To view a report
1 Go to Vulnerability Management > Network Map > Report.
Name of the
GUI item
Description
Date
The date and time the network map report was generated.
Asset Group
The asset group on which the network map scan was run.
Domain
IP Range
Total Hosts
Found
VM Engine
Version
The Vulnerability Management engine version number and date of last update.
This is updated via the FortiGuard distribution network if you are a FortiGuard
Vulnerability Management Service subscriber.
VM Plugin
Version
The Vulnerability Management module version number and date of last update.
This is updated via the FortiGuard distribution network if you are a FortiGuard
Vulnerability Management Service subscriber.
Ports (TCP or UDP)
Live Host
Sweep
The status of netblock live host discovery. Live host sweep discovers live hosts
in the IP address range specified.
This option is enabled and disabled through the CLI command. For more
information, see the command config vm in the FortiAnalyzer CLI Reference.
By default, this option is enabled. If you disable it, the FortiAnalyzer unit will
treat all hosts in the IP range as alive, even if some are not accessible.
Exclude Hosts Discovered Only By DNS: If this option is On, the network map scan will
exclude hosts discovered by querying the DNS server.
This option is enabled and disabled through the CLI. For more information, see the
command config vm in the FortiAnalyzer CLI Reference.
By default, this option is disabled.
Scan target
Under each scan target (asset group, domain, or IP range) specified, the
discovered hosts and their respective services are listed.
Hosts
Host
DNS
NetBIOS
Router
OS
Active
Identifies whether the host was alive at the time of the discovery. A host is alive
if it replies to the host discovery methods.
X means alive and an empty field means dead.
Registered: Identifies whether the host is registered as a host asset with the FortiAnalyzer
unit.
X means registered and an empty field means unregistered.
Approved: Identifies whether the host is in the approved host list. The approved hosts can
be configured for the map scan via the CLI. For more information, see the command
config vm in the FortiAnalyzer CLI Reference.
Host Services
Discovery Method: The method used to discover a host.
Port
Service
Value
Classic
Disabled
Disabled
Value
Remote registry
Automatic
Server
Automatic
Windows Firewall
Automatic
Setting
Value
Disabled
or
Setting
Value
Enabled
Enabled
*
Enabled
*
Enabled
*
Windows prompts you for a range of IP addresses. Enter either * or the IP address of
the FortiAnalyzer unit that is performing the vulnerability scan.
be a local account
Allow File and Print sharing and Remote Administration traffic to pass through the
firewall. Specify the IP address or subnet of the FortiAnalyzer unit that is performing
the vulnerability scan. (Windows Vista, 2008)
For each of the active Inbound Rules in the File and Printer Sharing group, set the
Remote IP address under Scope to either Any IP address or to the IP address or
subnet of the FortiAnalyzer unit that is performing the vulnerability scan. (Windows 7)
Unix hosts
The user account provided for authentication must be able at a minimum to execute these
commands:
The account must be able to execute "uname" in order to detect the platform for
packages.
If the target is running Red Hat, the account must be able to read /etc/redhat-release
and execute "rpm".
If the target is running Debian, the account must be able to read /etc/debian-version
and execute "dpkg".
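A pre-flight check for the Unix scan account, as an added example rather than FortiAnalyzer code. Run on the target host as the account the FortiAnalyzer unit will authenticate with, it confirms the minimum capabilities listed above: uname executes; on Red Hat, /etc/redhat-release is readable and rpm executes; on Debian, the release file is readable and dpkg executes. The guide writes the Debian file as /etc/debian-version; the file present on Debian systems is /etc/debian_version, which is the path checked here. The can_run and probe parameters are hypothetical injection points, an assumption made so the logic can be exercised without a real host.

```python
"""Pre-flight check for the Unix account used by authenticated scans.

Added example, not FortiAnalyzer code. Run it on the target host as the scan
account to confirm the minimum capabilities the guide lists. The can_run and
probe parameters are hypothetical injection points (assumption) so the logic
can be exercised without a real host.
"""
from __future__ import annotations

import os
import shutil
import subprocess

# Distribution -> (release file that must be readable, package tool that must run).
# The guide writes the Debian file as /etc/debian-version; on Debian systems the
# file is /etc/debian_version, which is what is checked here.
REQUIREMENTS = {
    "redhat": ("/etc/redhat-release", "rpm"),
    "debian": ("/etc/debian_version", "dpkg"),
}

# Harmless arguments used to prove each command executes under this account.
PROBE_ARGS = {"uname": ["-s"], "rpm": ["--version"], "dpkg": ["--version"]}


def default_can_run(cmd: str) -> bool:
    """True if `cmd` is on PATH and exits 0 when given its probe argument."""
    if shutil.which(cmd) is None:
        return False
    try:
        done = subprocess.run([cmd, *PROBE_ARGS.get(cmd, ["--version"])],
                              capture_output=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return False
    return done.returncode == 0


def probe_file(path: str) -> str:
    """'absent', 'unreadable' or 'readable' for `path` under the current account."""
    if not os.path.exists(path):
        return "absent"
    return "readable" if os.access(path, os.R_OK) else "unreadable"


def preflight(can_run=default_can_run, probe=probe_file) -> dict:
    """Return {"ok": bool, "platform": str, "missing": [capability, ...]}.

    `missing` names each capability the account lacks, in the order the guide
    lists them, so the gap can be fixed before a scan silently returns less.
    """
    missing: list[str] = []
    if not can_run("uname"):  # needed to detect the platform for packages
        missing.append("execute uname")
    platform = "unknown"
    for name, (release_file, pkg_cmd) in REQUIREMENTS.items():
        state = probe(release_file)
        if state == "absent":
            continue
        platform = name
        if state == "unreadable":
            missing.append(f"read {release_file}")
        if not can_run(pkg_cmd):
            missing.append(f"execute {pkg_cmd}")
        break
    return {"ok": not missing, "platform": platform, "missing": missing}


if __name__ == "__main__":
    result = preflight()
    print("platform:", result["platform"])
    print("scan account OK" if result["ok"] else "missing: " + ", ".join(result["missing"]))
```

A result with an empty `missing` list means the account meets the minimum the guide states; it does not mean every vulnerability check will run, since individual signatures may read further files.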
Description
View Vulnerability Details View all of the vulnerabilities included in the sensor. This is updated
via the FortiGuard service.
Name
# Entries
Profiles
The name of the vulnerability scan profile in which the sensor is used.
Comment
To add a sensor
1 Go to Vulnerability Management > Scan > Sensor.
2 Click Create New.
Name of the
GUI item
Description
Filters
Insert
Select a filter and then Insert to place a new filter above the selection.
Move To
Select a filter and then Move To to move the filter to a new position.
View
Select a filter and then View Vulnerability Details to view all of the vulnerability
Vulnerability signatures included in the filter.
Details
#
Name
Type
Severity
Category
Authentication: The specified host type(s) to be scanned for vulnerabilities. The scan
requires host authentication credentials. For information on host authentication
credentials configuration, see Configuring host assets on page 214.
Existent
The attributes identified for the signatures. Only the signatures that have these
attributes are used for this filter.
Non-existent The attributes identified for the signatures. Only the signatures that do not
have these attributes are used for this filter.
Last Update Time: The time period during which the updated signatures were used for the
vulnerability scan. This is useful if you only want to use some signatures for a
scan.
Overrides
Overrides are configured and work mainly in the same way as filters. Unlike
filters, each override defines the behavior of one or more signatures.
Overrides can be used in two ways:
To change the behavior of a signature already included in a filter. For
example, to scan application vulnerabilities, you could create a filter that
includes all signatures related to applications. If you wanted to disable one
of those signatures, the simplest way would be to create an override and
mark the signature as excluded.
To add an individual signature, not included in any filters, to a sensor. This
is the only way to add custom signatures to the sensors.
Name
Type
FID
To configure a filter
1 Go to Vulnerability Management > Scan > Sensor.
2 Either:
Click Create New to add a sensor. See To add a sensor on page 227.
Select an existing sensor and click Edit.
3 Under Filters, click Create New.
Right Arrow
Left Arrow
Name of the
GUI item
Description
Name
Type
Select whether the filter includes or excludes the matching vulnerability scan
signature.
Severity
The severity level of the vulnerabilities in the filter. Select all or specify any
particular levels.
Severity defines the relative importance of each signature. Signatures rated
critical detect the most dangerous vulnerabilities while those rated as
information pose a much smaller vulnerability.
Authentication Specify the host type(s) to be scanned for vulnerabilities. The scan requires
host authentication credentials. For information on host authentication
credentials configuration, see Configuring host assets on page 214.
Category
Last Update
Time
The time period during which the updated signatures will be used for the
vulnerability scan. This is useful if you only want to use some signatures for a
scan to save time.
Top20 Group
Other Options
Ignore
Ignore this attribute in the signature. All signatures with or without this attribute
will be used for this filter.
Existent
Only use the signatures that have this attribute for this filter.
Non-existent Only use the signatures that do not have this attribute for this filter.
To configure an override
1 Go to Vulnerability Management > Scan > Sensor.
2 Either:
Click Create New to add a sensor. See To add a sensor on page 227.
Select an existing sensor and click Edit.
3 Under Overrides, click Create New.
Select Vulnerability ID
Name of the
GUI item
Description
Name
Type
FID
Description
Run
Select to run the profile on an asset group to scan the hosts in the
group. A vulnerability report will be generated. See Viewing
vulnerability scan reports on page 235.
Name
Sensor
To create a profile
1 Go to Vulnerability Management > Scan > Profile.
2 Click Create New.
Description
Name
Vulnerability Scan
If you want to use this profile for a vulnerability scan, select this
option and a sensor.
Port Scan
TCP Ports
None
Full
Standard
The profile will scan about 2000 commonly used TCP ports.
Light
The profile will scan about 160 commonly used TCP ports.
Additional
Enable and enter any TCP ports or port ranges you wish to scan in
addition to the previous selection. To scan only the entered ports,
select None for the previous setting. Port ranges are defined with
the start and end values separated by a hyphen, and ports and
ranges are separated by commas. For example, a valid entry is
6000-7000,9725,11000.
UDP Ports
None
Full
Standard
The profile will scan about 180 commonly used UDP ports.
Light
Additional
Enable and enter any UDP ports or port ranges you wish to scan in
addition to the previous selection. To scan only the entered ports,
select None for the previous setting. Port ranges are defined with
the start and end values separated by a hyphen, and ports and
ranges are separated by commas. For example, a valid entry is
6000-7000,9725,11000.
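The port-list syntax described for the Additional TCP and UDP fields (single ports and start-end ranges, separated by commas) is easy to get wrong, and a malformed entry can leave ports unscanned without any obvious sign. The following Python validator is an added example, not FortiAnalyzer code: it parses an entry, rejects empty elements, non-numeric tokens, reversed ranges and ports outside 1-65535 (bounds assumed here), counts the distinct ports the entry covers, and re-serializes it in a canonical form so overlapping entries such as 6000-7000,6500 collapse.

```python
"""Validator for the Additional TCP/UDP port field syntax.

Added example, not FortiAnalyzer code. Implements the documented grammar
(ports and start-end ranges separated by commas); the 1-65535 bounds, the
whitespace tolerance and the canonical re-serialization are assumptions.
"""
from __future__ import annotations


def _parse_port(text: str, token: str) -> int:
    """Parse one port number, naming the offending token on failure."""
    if not text.isdigit():
        raise ValueError(f"invalid port {text!r} in {token!r}")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} outside 1-65535 in {token!r}")
    return port


def parse_port_spec(spec: str) -> set[int]:
    """Return the set of ports denoted by e.g. '6000-7000,9725,11000'.

    Raises ValueError for empty elements, non-numeric tokens, ports outside
    1-65535 and reversed ranges, so a bad entry is rejected instead of
    silently scanning fewer ports than intended.
    """
    ports: set[int] = set()
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            raise ValueError(f"empty element in port list {spec!r}")
        if "-" in token:
            start_s, _, end_s = token.partition("-")
            start = _parse_port(start_s.strip(), token)
            end = _parse_port(end_s.strip(), token)
            if start > end:
                raise ValueError(f"range start exceeds end in {token!r}")
            ports.update(range(start, end + 1))
        else:
            ports.add(_parse_port(token, token))
    return ports


def is_valid_port_spec(spec: str) -> bool:
    """True if the entry parses under the rules above."""
    try:
        parse_port_spec(spec)
    except ValueError:
        return False
    return True


def count_ports(spec: str) -> int:
    """Number of distinct ports the entry will cause to be scanned."""
    return len(parse_port_spec(spec))


def normalize_port_spec(spec: str) -> str:
    """Re-serialize in canonical form: sorted, de-duplicated, adjacent ports merged."""
    ports = sorted(parse_port_spec(spec))
    pieces: list[str] = []
    i = 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        pieces.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(pieces)


if __name__ == "__main__":
    entry = "6000-7000,9725,11000"
    print(entry, "->", count_ports(entry), "ports, canonical:", normalize_port_spec(entry))
```

The count is the useful number to sanity-check before saving a profile: the guide's example entry covers 1003 ports, and an entry that unexpectedly covers far more or far fewer usually means a mistyped range.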
Other Options
Description
Run
Cancel
Name
Target
Profile
The profile to be used for the schedule. For information about profile,
see Configuring vulnerability scan profiles on page 231.
Schedule
Effective Period
To create a schedule
1 Go to Vulnerability Management > Scan > Schedule.
2 Click Create New.
Description
Name
Profile
Enable PCI
Compliance
Select to ensure that the scheduled vulnerability scan uses the predefined PCI scan profile.
Selecting this option automatically populates the Profile field with the
pre-defined PCI scan profile - vcm_pci_profile and the field
becomes read-only.
For more information about PCI compliance, see About PCI DSS
compliance reports on page 247.
Asset Group
Schedule
Run Now
Run Later
Specify the date the first scheduled report is generated. From then on,
it will be generated at daily, weekly, or monthly intervals.
Time
Output Option
File output
Select the formats in which the report will be generated. HTML is the
default format. Any or all other available formats may be selected.
Email/Upload
Current Page
Name of the GUI item
Description
Rename
Name
The name of the report. The name is made up of the VM scan profile
name and the date and time the report was generated. Select the
name to view the HTML version of the report.
Started
Finished
The date and time the report was completed. Looking at the Started
and Finished times, you can calculate how long the FortiAnalyzer unit
took to generate the report.
Size (bytes)
Formats
The formats in which the report was generated. HTML is the default
format and any others are listed here.
Current page
Name of the
GUI item
Description
Report Summary
Created
Total Hosts
Active Hosts
The number of reachable hosts found during the scan on the targets. A host is
reachable if it replies to the host discovery methods.
Inactive Hosts The number of unreachable hosts found during the scan on the targets.
PCI
Compliance
The status of PCI compliance in the scan schedule. For more information, see
Enable PCI Compliance on page 235.
Start Time
End Time
VM Engine
Version
The Vulnerability Management engine version number and date of last update.
This is updated via the FortiGuard distribution network if you are a FortiGuard
Vulnerability Management Service subscriber.
VM Plugin
Version
The Vulnerability Management module version number and date of last update.
This is updated via the FortiGuard distribution network if you are a FortiGuard
Vulnerability Management Service subscriber.
Scan Profile
The name of the profile used by this scan schedule. It links to the Profile section
of this report.
PCI Status
If you enabled PCI compliance for the profile used for the scan, this information
appears. For more information about PCI compliance, see About PCI DSS
compliance reports on page 247.
Live IP Addresses Scanned: The active hosts scanned for PCI compliance.
Security Risk Rating: The vulnerability level rated for the host. There are 5 ratings with
5 being the highest risk.
PCI Status Indicates whether the host passed the PCI compliance scan.
A PCI compliance status of PASSED for a single host/IP indicates that no
vulnerabilities or potential vulnerabilities, as defined by the PCI DSS
compliance standards set by the PCI Council, were detected on the host.
A PCI compliance status of FAILED for a single host/IP indicates that at least
one vulnerability or potential vulnerability, as defined by the PCI DSS
compliance standards set by the PCI Council, was detected on the host.
Vulnerability Scan Summary
Vulnerabilities by Severity: The total number of vulnerabilities detected, presented in a
table and chart by severity level.
Vulnerabilities by Category: The total number of vulnerabilities detected, presented in a
table and chart by category.
Top 10 Vulnerable Hosts: The top 10 vulnerable hosts discovered with their IP addresses,
total vulnerabilities of each host, and number of vulnerabilities under each severity
level.
OS and Services Detected: Lists the top 10 operating systems detected, top 10 services
detected, top 10 TCP services detected, and top 10 UDP services detected in table and
chart format.
Hosts
Profile
The information of the profile used by this scan schedule. For more information,
see Configuring vulnerability scan profiles on page 231.
In addition, the page displays a list of the top ten vulnerabilities that is kept updated by the
FortiGuard Vulnerability Management subscription service. For information on scheduling
FortiGuard service updates, see Scheduling & uploading vulnerability management
updates on page 116.
Description
Vulnerabilities By Severity Level: The number of all detected vulnerabilities is displayed
in a bar graph, broken down by severity level.
Top 10 Vulnerability
Categories
Description
IP Address
DNS Name
NetBIOS Name
Business Impact
The business impact rating assigned to the group the host belongs to.
Business Risk
Number of Vulnerabilities The number of vulnerabilities detected by the scan run on the host.
Last Scan Date
Column Settings
Current Page
Description
Column Settings
IP Address
DNS Hostname
NetBIOS Hostname
Business Impact
The business impact rating assigned to the group the host belongs to.
Business Risk
Number of Vulnerabilities The number of vulnerabilities detected by the scan run on the host.
Last Scan Date
Router
OS
Mapping Status
Asset Group
Current page
Top 10 vulnerabilities
With a FortiGuard Vulnerability Management Service subscription, the vulnerability
database is automatically updated as new vulnerabilities are discovered. The 10 most
common vulnerabilities are listed in the Top 10 Vulnerabilities table.
The table lists only the vulnerability name, severity, and Fortinet ID. To see additional
information about a vulnerability, select the vulnerability name.
Figure 92: Top 10 Vulnerabilities list
Vulnerability Indicator
Name of the GUI item
Description
Vulnerability Indicator
FID
Severity
Title
The name of the vulnerability. Select the name for additional details.
Affected Hosts
Column Settings
Current Page
Description
Enable
Disable
Column Settings
Filter icon
FID
Title
The name of the vulnerability. Select the name for additional details.
Authentication
Category
Severity
Affected Hosts
Status
Patch Availability
CVE ID
Bug Traq ID
FortiGuard IPS Signature The name of the FortiGuard IPS signature for this vulnerability.
Compliance
Vendor Reference
Top20 Group
x Per Page
Current page
Note: The compliance report template uses existing vulnerability scan reports to create a
compliance report, so you must have scan results for the period and assets you specify
when running a template. For more information, see To run a template to generate a
compliance report on page 244.
Figure 94: Compliance report template list
Description
View
Select to view a sample of the template report. The data does not
represent your network, but you can view the report format.
Run now
Cancel
Name
Last Update
The date and time the report was last updated through the
vulnerability management engine and plug-in releases.
Status
Name of the
GUI item
Description
Report Name Enter the report name the FortiAnalyzer unit will display in the compliance
report list. The date and time will be appended to the end of the name each time
a compliance report is generated.
Report Title
This field is auto-populated depending on the type of template you choose. You
can change it.
Asset Group
Choose an asset group. The compliance report results will be limited to the
hosts defined in the specified asset group.
Period Scope Choose a start and end time. The compliance report results will be limited to the
time period you specify.
Output Option
File Output Select the formats in which the report will be generated. HTML is the default
format. Any or all other available formats may be selected.
Email/
Upload
To have the report delivered to an email address or FTP server, select this
option and select the output template or create a new one. For more information
about output templates, see Configuring report output templates on page 91.
Current Page
Name of the GUI item
Description
Name
The name of the report. The name includes the date and time the
report was generated. Select the name to view the HTML version of
the report. For more information, see To view a compliance report on
page 246.
Started
Finished
The date and time the report was completed. Looking at the Started
and Finished times, you can calculate how long the FortiAnalyzer unit
took to generate the report.
Size (bytes)
Formats
The formats in which the report was generated. The HTML report is
accessed by selecting the report name. Other formats are listed here.
Current page
By default, the first page of the list of reports is displayed. The total
number of pages appears after the current page number. For
example, if 2 of 10 appears, you are currently viewing page 2 of 10
pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and then
press Enter.
2 Click the report name to view the HTML version of the report. If the report was
generated in any additional formats, click the link in the Format column corresponding
to the format you want to view.
The following is a sample PCI Technical Report.
Name of the
GUI item
Description
Report Summary
Created
Total Hosts
The IP addresses or IP range of the hosts found during the scan on the targets.
Summary
From Date
Summary To
Date
VM Engine
Version
The Vulnerability Management engine version number and date of last update.
This is updated via the FortiGuard distribution network if you are a FortiGuard
Vulnerability Management Service subscriber.
VM Plugins
Version
The Vulnerability Management module version number and date of last update.
This is updated via the FortiGuard distribution network if you are a FortiGuard
Vulnerability Management Service subscriber.
PCI Status
IP Addresses: The IP address of the host scanned.
Failed Times: The number of times the host failed the PCI compliance scan.
Passed Times: The number of times the host passed the PCI compliance scan.
Total Scanned Times
Vulnerability Detail
Host
All services and vulnerabilities found for each host. The vulnerabilities that
cause the host to fail compliance are highlighted.
This option is only available for PCI Technical report.
Appendix
Information about the Payment Card Industry (PCI) status and vulnerability
levels.
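How the Failed Times, Passed Times and Total Scanned Times columns are derived from the underlying scan results, and how the template's Asset Group and Period Scope fields narrow them, as an added Python example that is not FortiAnalyzer code. It models a scan result as a host, a timestamp and a list of findings, applies the pass/fail rule stated in the scan report section (PASSED only when no PCI-relevant vulnerability was detected on the host), and tallies per host only those scans that fall inside the period and whose host belongs to the asset group. The Finding.pci_relevant flag, the 1-to-5 severity mapping and the FID-000n identifiers are constructed for the example.

```python
"""Per-host PCI pass/fail tally for a compliance report period.

Added example, not FortiAnalyzer code. The data model and the pci_relevant
flag are assumptions made here; the sample results below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Finding:
    fid: str            # Fortinet vulnerability ID; the values below are placeholders
    severity: int       # 1 (lowest) to 5 (highest); assumed mapping of the severity levels
    pci_relevant: bool  # counted by the PCI DSS rules in the scan profile (assumption)


@dataclass
class ScanResult:
    host: str
    scanned_at: datetime
    findings: list[Finding] = field(default_factory=list)

    def pci_status(self) -> str:
        """PASSED only when no PCI-relevant vulnerability was detected on the host."""
        return "FAILED" if any(f.pci_relevant for f in self.findings) else "PASSED"


def compliance_summary(results, asset_group, start, end):
    """Tally Failed/Passed/Total Scanned Times per host.

    Only scans whose host is in `asset_group` and whose timestamp lies within
    [start, end] are counted, mirroring the Asset Group and Period Scope fields.
    Hosts in the group that were never scanned in the period keep zero counts.
    """
    summary = {ip: {"failed": 0, "passed": 0, "total": 0} for ip in sorted(asset_group)}
    for r in results:
        if r.host not in summary or not (start <= r.scanned_at <= end):
            continue
        row = summary[r.host]
        row["total"] += 1
        row["failed" if r.pci_status() == "FAILED" else "passed"] += 1
    return summary


def hosts_without_scans(summary):
    """Group members with no scan in the period: the report cannot assess them."""
    return [ip for ip, row in summary.items() if row["total"] == 0]


# Constructed sample data: three hosts in the asset group, one outside it.
SAMPLE_GROUP = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}
SAMPLE_RESULTS = [
    ScanResult("10.0.1.10", datetime(2009, 2, 12, 2, 0), [Finding("FID-0001", 4, True)]),
    ScanResult("10.0.1.10", datetime(2009, 2, 19, 2, 0), []),  # remediated, rescanned
    ScanResult("10.0.1.11", datetime(2009, 2, 12, 2, 0), [Finding("FID-0002", 1, False)]),
    ScanResult("10.0.1.11", datetime(2009, 1, 30, 2, 0), [Finding("FID-0001", 4, True)]),  # before period
    ScanResult("10.0.9.5", datetime(2009, 2, 12, 2, 0), [Finding("FID-0001", 4, True)]),   # not in group
]
SAMPLE_PERIOD = (datetime(2009, 2, 1), datetime(2009, 2, 28, 23, 59))


def run_example():
    """Summary for the constructed data over February 2009."""
    return compliance_summary(SAMPLE_RESULTS, SAMPLE_GROUP, *SAMPLE_PERIOD)


if __name__ == "__main__":
    s = run_example()
    for ip, row in s.items():
        print(f"{ip:12} failed={row['failed']} passed={row['passed']} total={row['total']}")
    print("not scanned in period:", hosts_without_scans(s))
```

The hosts_without_scans helper is the practical check behind the note above: a host that appears in the asset group but has a Total Scanned Times of zero means no scan result exists for it in the chosen period, and the compliance report says nothing about it.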
Conduct quarterly vulnerability scans of all Internet-facing networks and systems.
These scans must be performed by an approved scanning vendor to detect and
eliminate security threats associated with electronic commerce, and provide the
acquiring bank with a report demonstrating compliance status.
You can generate a PCI compliance report that provides a pass or failure status of your
network.
It is recommended that you create a dedicated Windows user account with Administrator
rights (such as "vcm_account") to be used solely by the scan engine for authentication
purposes. We provide instructions showing how to set up a domain account for
authentication and how to add this account to the Domain Administrators group. If
possible, configure the user account so that the password does not expire.
An account with Administrator rights allows the scan engine to collect information based
on:
• Registry keys
• Administrative file shares (such as C$)
• Running services
Using an account with Administrator rights is recommended. It is possible to use an
account with less than Administrator rights; however, this limits the scan to fewer
vulnerability checks, and scans will return less accurate, less complete results.
3.1 Windows Domain Account Setup
Follow the sections below to learn how to create a domain account for authentication, add
this account to the Domain Administrators Group, and set group policy settings. It is
recommended that you verify the functionality of the account before using it for
authenticated scan.
3.1.1 Windows Domain Account: Create an Administrator Account
These steps describe how to create a domain account for authentication and add the
account to the Domain Administrators Group. After completing these steps, you must set
group policy settings and then verify the functionality of the account before using it for
authenticated scan.
To create an administrator account:
1.Log into the Domain Controller with an account that has administrator rights.
2.Open the Active Directory Users and Computers MMC snap-in.
3.Create a new user called "vcm_scan". Set scope to "Global" and type to "Security".
4.Select the "vcm_scan" user and go to Properties (Action > Properties).
5.In the Properties window, go to the "Member Of" tab. Click Add to add the "vcm_scan"
user to the "Domain Admins" group. Click OK to save the change.
3.1.2 Windows Domain Account: Group Policy Settings
Best practice Group Policy settings for authenticated scan of Windows 2003, XP, Vista, 7,
and 2008 systems are described below. Please consult your network administrator before
making changes to Group Policy as changes may have an adverse impact on your
network operations, depending on your network configuration and security policies in
place. Note that detailed documentation for many Group Policy settings listed below is
available online when using the Group Policy Editor.
Important! We highly recommend that you discuss making changes to Group Policy
with your network administrator before implementation, as your local network
configuration may depend on certain settings being in place. The scan engine does not
verify that these settings are appropriate for your network. If you do make any Group
Policy changes, it may take several hours before the changes take effect on the client.
Please refer to your Microsoft documentation on Group Policy deployment for
information.
Group Policy: Security Options
The Security Options settings are located here in Group Policy Management Editor :
Computer Configuration > Windows Settings > Security Settings > Local Policies >
Security Options
Setting | Value | Description
Network access: Sharing and security model for local accounts | Classic | (Required) Local users authenticate as themselves. (This is the equivalent of turning off simple file sharing.)
Accounts: Guest account status | Disabled | (Optional) These settings ensure that systems are configured correctly. In many environments, it's likely this behavior is the default for a domain joined system.
Network access: Let Everyone permissions apply to anonymous users | Disabled |
Group Policy: System Services
The System Services settings are located here:
Computer Configuration > Windows Settings > Security Settings > System Services

Setting: Remote Registry
Value: Automatic (Required)
Description: This ensures that the Remote Registry service is running on the target machines in the domain.

Setting: Server
Value: Automatic (Required)

Setting: Windows Firewall
Value: Automatic (Required)
Description: This setting must be set to Automatic in the System Services settings in order for the operating system to accept incoming connections. In the Windows Firewall section (in the Computer Configuration section), it may be set to Permissive or Blocking.
Group Policy: Administrative Templates
The Administrative Template settings are located here:
Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
For the setting "Windows Firewall: Protect all network connections" the value can be Disabled or Enabled. Your network administrator should decide on the best option for your networking environment. Choosing Disabled is the only way to ensure that every open port on your system is scanned. By choosing Enabled, if the firewall blocks a port, the port is not vulnerable unless the port is later opened. As best practice you should re-scan any time you open a port that was previously not open.

Setting: Windows Firewall: Protect all network connections
Value: Disabled (Recommended)
Description: This is the only way to ensure every open port on your system is scanned.

Setting: Windows Firewall: Protect all network connections
Value: Enabled
Description: When set to Enabled, set the additional Windows Firewall settings below.

Additional Windows Firewall settings are required when "Windows Firewall: Protect all network connections" is Enabled, as indicated below.

Setting: Windows Firewall: Allow remote administration exception
Value: Enabled (Required)
Description: See below about entering IPs in the field "Allow unsolicited messages from".*

Setting: Windows Firewall: Allow file and printer sharing exception
Value: Enabled (Required)
Description: See below about entering IPs in the field "Allow unsolicited messages from".*

Setting: Windows Firewall: Allow ICMP exceptions
Value: Enabled
Description: This must be set with the option "Allow inbound echo request".

*When configuring these firewall options, you are prompted to enter a range of IPs to allow in the field labeled "Allow unsolicited messages from". In this field, you can simply type "*" (do not include the quotes) or enter your FortiScan appliance's IP addresses.
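The Security Options and System Services values above are the ones an administrator will later want to verify on the target hosts rather than trust the Group Policy refresh to have applied. The following is an added example written for this page, not FortiScan or FortiAnalyzer code: it audits a secedit-style security template (the layout of `secedit /export` output) against the guide's required values. The mapping of each Group Policy item to a registry value or service name (ForceGuest, EnableGuestAccount, EveryoneIncludesAnonymous, RemoteRegistry, LanmanServer, MpsSvc/SharedAccess) is this example's own, not stated in the guide, and the sample template is constructed.

```python
"""Audit a secedit-style security template against the Security Options and
System Services values the guide requires for authenticated scanning.
Added illustration for this page (not FortiScan/FortiAnalyzer code): the
registry paths and service names that back each Group Policy item are the
author's mapping, not from the guide, and the sample template is constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of a `secedit /export /cfg file.inf`
# template (assumption: real exports are UTF-16 files with more sections).
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
EnableGuestAccount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
[Service General Setting]
RemoteRegistry,3,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
LanmanServer,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
MpsSvc,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"

# (GUI policy name, importance, where to look, identifier(s), expected, meaning)
GUIDE_SETTINGS: List[Tuple[str, str, str, Tuple[str, ...], int, str]] = [
    ("Network access: Sharing and security model for local accounts", "Required",
     "registry", (LSA + r"\ForceGuest",), 0, "Classic"),
    ("Accounts: Guest account status", "Optional",
     "system_access", ("EnableGuestAccount",), 0, "Disabled"),
    ("Network access: Let Everyone permissions apply to anonymous users", "Optional",
     "registry", (LSA + r"\EveryoneIncludesAnonymous",), 0, "Disabled"),
    # Service start type 2 = Automatic, 3 = Manual, 4 = Disabled.
    ("Remote Registry", "Required", "service", ("RemoteRegistry",), 2, "Automatic"),
    ("Server", "Required", "service", ("LanmanServer",), 2, "Automatic"),
    # Windows Firewall service: MpsSvc on Vista/2008/7, SharedAccess on XP/2003.
    ("Windows Firewall", "Required", "service", ("MpsSvc", "SharedAccess"), 2, "Automatic"),
]


def parse_template(text: str) -> Dict[str, List[str]]:
    """Split an INF-style template into {section: [non-empty lines]}."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def lookup(sections: Dict[str, List[str]], kind: str, names: Tuple[str, ...]) -> Optional[int]:
    """Return the integer value for the first identifier found, or None if absent."""
    for name in names:
        if kind == "registry":
            for line in sections.get("Registry Values", []):
                key, _, value = line.partition("=")
                if key.strip().lower() == name.lower():
                    reg_type, _, data = value.partition(",")  # "4,0": 4 = REG_DWORD
                    return int(data.strip()) if reg_type.strip() == "4" else None
        elif kind == "system_access":
            for line in sections.get("System Access", []):
                key, _, value = line.partition("=")
                if key.strip().lower() == name.lower():
                    return int(value.strip())
        elif kind == "service":
            for line in sections.get("Service General Setting", []):
                svc, _, rest = line.partition(",")  # "Name,StartType,SDDL"
                if svc.strip().lower() == name.lower():
                    return int(rest.split(",", 1)[0].strip())
    return None


def audit(text: str) -> List[Dict[str, object]]:
    """Compare every guide setting with the template; missing values count as failures."""
    sections = parse_template(text)
    findings: List[Dict[str, object]] = []
    for setting, importance, kind, names, expected, meaning in GUIDE_SETTINGS:
        actual = lookup(sections, kind, names)
        findings.append({"setting": setting, "importance": importance,
                         "expected": f"{expected} ({meaning})", "actual": actual,
                         "ok": actual == expected})
    return findings


def noncompliant(text: str) -> List[str]:
    """Names of guide settings whose value is missing or differs from the guide."""
    return [str(f["setting"]) for f in audit(text) if not f["ok"]]


if __name__ == "__main__":
    for f in audit(SAMPLE_TEMPLATE):
        status = "OK " if f["ok"] else "FIX"
        print(f"{status} [{f['importance']}] {f['setting']}: expected {f['expected']}, found {f['actual']}")
```

On a real host, export the effective settings with `secedit /export /cfg <file>` and feed the file contents to `audit()`; the constructed sample above deliberately has ForceGuest set to 1 (Guest only) and Remote Registry set to Manual, so the report flags exactly the two items that would make the authenticated scan fail.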
3.1.3 Windows Domain Account: Verify Functionality of New Account
The scan engine requires access to the administrative share and the registry to perform
authenticated scan of Windows hosts. It is recommended that you verify the functionality
of the new account from a remote host in the domain before using the account for
Windows authenticated scan.
Testing the New Account
Use one domain member to map the administrative share of another domain member:
Select Run from the Start menu.
http://groups.google.com/group/microsoft.public.scripting.vbscript/msg/bc2ef5a6df39fdad
Compiled versions of snetcfg are available for Windows 2000 and Windows XP.
Also, if Windows Firewall is on locally, the File and Printer Sharing service should be added to the Exceptions list in the Windows Firewall settings in Control Panel.
Disable Simple File Sharing (SFS): Windows XP
Simple File Sharing (SFS) must be disabled on Windows XP systems to be scanned. SFS
is disabled by default when a Windows XP Pro system joins a domain, so no configuration
should be necessary to support authenticated scan on Windows XP Pro systems in an
enterprise network. It's possible for users to enable SFS, so there may be a need to use a Group Policy or other means to ensure that it is disabled.
If you wish to scan a Windows XP Home system, or a Windows XP Pro system that has not been added to a domain, then SFS must be disabled on these systems.
It's possible to disable this option manually per machine. To do this on the local machine,
open Windows Explorer (not IE) and go to Tools > Folder Options > View. Under
Advanced settings, uncheck the setting "Use simple file sharing (Recommended)" and
then click OK.
Enable Remote Registry Service
The scan engine must access the system registry to perform Windows authenticated
scan. To allow the scan engine access to the system registry, the Remote Registry service
must be enabled. To check this, go to Control Panel > Administrative Tools > Services and
verify that the service is running and set to start automatically.
Allow Remote Administration on Windows Firewall: Windows 2003, XP
To allow access through Windows Firewall (if used), be sure to set the Remote Administration Exception within the Windows Firewall. Using Group Policy, this setting can be found under:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
(Or replace Standard Profile with Domain Profile if your computer is a member of a Windows domain.)
If you manage your firewall through the Control Panel, you must enable TCP ports 135
and 445.
3.2.2 Target Host Requirements: Windows Vista, 2008
Note: These requirements apply to non-domain (local) scan only.
When preparing to run authenticated scans on Windows Vista and 2008 systems, there are certain system settings that must be enabled to allow the FortiScan appliance through the firewall to reach target hosts on your network. If your system is not joined to a domain, then follow the steps below to set system settings.
Windows Firewall Settings
For each target host, there are certain Windows Firewall settings that must be enabled.
First activate firewall rules that are relevant to non-domain profiles in order to allow traffic
for File and Print Sharing and Remote Administration. Then for each activated rule, add
the FortiScan appliance IP address so that the FortiScan appliance traffic can reach the
host.
Tools
The Tools menu provides the ability to view the files that are on your FortiAnalyzer unit
using the File Explorer, and to view packets on your network using the Network Analyzer.
By default, the Tools menu is hidden. To make it visible, go to System > Admin > Settings and enable Show Network Analyzer. For details, see Configuring the web-based manager's global settings on page 84.
This topic includes:
Network Analyzer
File Explorer
Network Analyzer
Network Analyzer can be used as an enhanced local network traffic sniffer to diagnose
areas of the network where firewall policies may require adjustment, or where traffic
anomalies occur.
Network analyzer logs all traffic seen by the interface for which it is enabled. If that
network interface is connected to the span port of a switch, observed traffic will include all
traffic sent through the switch by other hosts. You can then locate traffic which should be
blocked, or which contains other anomalies.
All captured traffic information is saved to the FortiAnalyzer hard disk. You can then
display this traffic information directly, search it, or generate reports from it.
This section describes how to enable and view traffic captured by the network analyzer. It
also describes network analyzer log storage configuration options.
Network analyzer is not visible under the Tools menu until it is enabled in System > Admin > Settings. For more information, see Configuring the web-based manager's global settings on page 84.
Figure: Connecting the FortiAnalyzer unit to analyze network traffic. The internal network connects through a hub or switch to the Internet; the switch's span/mirror port is connected to the Network Analyzer port.
Real-time displays the network analyzer log messages of traffic most recently
observed by the network interface for which network analyzer is enabled. The display
refreshes every few seconds, and contains only the most current activity.
Historical displays all network analyzer log messages whose time stamps are within
your specified time frame.
Historical Log: Select to view the historical network analyzer log messages. For more information, see Viewing historical network analyzer log messages on page 261.
Pause
Column Settings: Select to change the columns to view and the order they appear on the page. For more information, see Displaying and arranging log columns on page 265.
Search
Resolve Service: Select to display the network service names rather than the port numbers, such as HTTP rather than port 80.
Formatted / Raw
Current Page
Log columns: Last Activity, Source, Destination, Source Port, Destination Port, Protocol, Message
Timeframe: Select the time frame during which you want to view the logs.
Realtime Log: Select to view the real-time network analyzer log messages. For more information, see Viewing current network analyzer log messages on page 259.
Column Settings: Select to change the columns to view and the order they appear on the page. For more information, see Displaying and arranging log columns on page 265.
Printable Version
Search
Advanced Search: Select to search the network analyzer log files for matching text using two search types: Quick Search and Full Search. For more information, see Searching the network analyzer logs on page 268.
Resolve Service: Select to display the network service names rather than the port numbers, such as HTTP rather than port 80.
Formatted / Raw
Current Page
Log columns: Last Activity, Source, Destination, Source Port, Destination Port, Protocol, Message
Display
Download: Select to save the selected log file to your local hard disk.
From: The date and time when the FortiAnalyzer unit starts to generate the log file.
To: The date and time when the FortiAnalyzer unit completes generating the log file, when the file reaches its maximum size or the scheduled time.
Size (bytes)
The log file's contents appear. For more information on understanding the log file contents, see Viewing network analyzer log messages on page 259.
4 Select any of the following download options you want and click OK.
5 If prompted by your web browser, select a location to save the file, or open it without saving.
To download a partial (filtered) log file
1 Go to Tools > Network Analyzer > Browse.
2 Select a log file.
3 Click Display.
4 Select a filter icon to restrict the current view to only items which match your criteria,
then select OK. For more information about filtering information, see Filtering logs on
page 144.
5 Select Download Current View.
6 Select any of the download options you want and click OK.
7 If prompted by your web browser, select a location to save the file, or open it without
saving.
Raw view displays log messages exactly as they appear in the log file.
Formatted view displays log messages in a columnar format. Each log field in a log
message appears in its own column, aligned with the same field in other log messages,
for rapid visual comparison. When displaying log messages in formatted view, you can
customize the log view by hiding, displaying and arranging columns and/or by filtering
columns, refining your view to include only those log messages and fields that you
want to see.
Lists of available and displayed columns for the log type appear.
3 Select which columns to hide or display.
In the Available Fields area, select the names of individual columns you want to
display, then select the single right arrow to move them to the Display Fields area.
Alternatively, to display all columns, select the double right arrow.
In the Display Fields area, select the names of individual columns you want to hide,
then select the single left arrow to move them to the Available Fields area.
Alternatively, to hide all columns, select the double left arrow.
To return all columns to their default displayed/hidden status, select Default.
4 Select OK.
To change the order of the columns
1 Go to a page which displays log messages, such as Tools > Network Analyzer >
Historical.
2 Select Column Settings.
Lists of available and displayed columns for the log type appear.
3 In the Display Fields area, select a column name whose order of appearance you want
to change.
4 Select the up or down arrow to move the column in the ordered list.
Placing a column name towards the top of the Display Fields list will move the column
toward the left side of the formatted log view.
5 Select OK.
Filtering logs
When viewing log messages in formatted view, you can filter columns to display only
those log messages that do or do not contain your specified content in that column. By
default, most column headings contain a gray filter icon, which becomes green when a
filter is configured and enabled.
Note: Filters do not appear in raw view, or for unindexed log fields in formatted view.
When viewing real-time logs, you cannot filter on the time column: by definition of the realtime aspect, only current logs are displayed.
Filtering tips
When filtering by source or destination IP, you can use the following in the filtering criteria:
You can also use a Boolean operator (or) to define mutually exclusive choices:
1.1.1.1 or 2.2.2.2
1.1.1.1 or 2.2.2.*
1.1.1.1 or 2.2.2.1-2.2.2.10
Most column filters require that you enter the column's entire contents to successfully match and filter contents; partial entries do not match the entire contents, and so will not create the intended column filter.
For example, if the column contains a source or destination IP address (such as 192.168.2.5), to create a column filter, enter the entire IP address to be matched. If you enter only one octet of the IP address (such as 192), the filter will not completely match any of the full IP addresses, and so the resulting filter would omit all logs, rather than including those logs whose IP address contains that octet.
Exceptions to this rule include columns that contain multiple words or long strings of text,
such as messages or URLs. In those cases, you may be able to filter the column using a
substring of the text contained by the column, rather than the entire text contained by the
column.
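The filter rules above (whole-value matching for IP columns, "or" alternatives, wildcard octets, address ranges, and substring matching only for free-text columns such as Message) can be expressed compactly. The following is an added example written for this page; it is not FortiAnalyzer's own filter code, and the sample rows are constructed to show why a partial octet such as "192" matches nothing while "2.2.2.*" and "2.2.2.1-2.2.2.10" behave as the guide describes.

```python
"""Column filter matcher for the IP filter syntax the guide describes: an
exact address, wildcard octets (2.2.2.*), an address range
(2.2.2.1-2.2.2.10), alternatives joined by "or", and substring matching for
free-text columns such as Message. Added illustration written for this page;
it is not FortiAnalyzer's filter code, and the sample rows are constructed."""
import ipaddress
from typing import Callable, Dict, List, Optional

Row = Dict[str, object]
Predicate = Callable[[str], bool]

# Constructed sample rows in the formatted-view columns (not captured traffic).
SAMPLE_LOGS: List[Row] = [
    {"src": "192.168.2.5", "dst": "10.0.0.8", "dport": 80, "proto": "tcp", "msg": "GET /index.html"},
    {"src": "192.168.2.7", "dst": "10.0.0.8", "dport": 443, "proto": "tcp", "msg": "TLS client hello"},
    {"src": "2.2.2.3", "dst": "192.168.2.5", "dport": 53, "proto": "udp", "msg": "DNS query example.com"},
    {"src": "2.2.2.40", "dst": "192.168.2.5", "dport": 22, "proto": "tcp", "msg": "SSH banner"},
]


def _ipv4(value: str) -> Optional[ipaddress.IPv4Address]:
    """Parse a cell as IPv4; anything else (hostnames, partial entries) is None."""
    try:
        return ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        return None


def _ip_term(term: str) -> Predicate:
    """Matcher for one alternative: range, wildcard octets, or exact address."""
    term = term.strip()
    if "-" in term:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in term.split("-", 1))

        def in_range(value: str) -> bool:
            ip = _ipv4(value)
            return ip is not None and lo <= ip <= hi
        return in_range
    parts = term.split(".")
    if len(parts) != 4:
        # A partial entry such as "192" never equals a full address, so the
        # filter matches nothing: the behaviour the guide warns about.
        return lambda value: False

    def octets_match(value: str) -> bool:
        if _ipv4(value) is None:
            return False
        return all(p == "*" or p == o for p, o in zip(parts, value.split(".")))
    return octets_match


def build_ip_filter(criteria: str) -> Predicate:
    """Combine "a or b or c" alternatives; the cell matches if any alternative does."""
    alternatives = [_ip_term(t) for t in criteria.split(" or ")]
    return lambda value: any(m(value) for m in alternatives)


def build_text_filter(criteria: str) -> Predicate:
    """Message/URL-style columns accept a case-insensitive substring."""
    needle = criteria.lower()
    return lambda value: needle in value.lower()


def filter_logs(rows: List[Row], column: str, predicate: Predicate, negate: bool = False) -> List[Row]:
    """Keep rows whose column matches (or, with negate, does not match)."""
    return [row for row in rows if predicate(str(row[column])) != negate]


if __name__ == "__main__":
    for crit in ("192.168.2.5", "192", "2.2.2.*", "1.1.1.1 or 2.2.2.1-2.2.2.10"):
        hits = filter_logs(SAMPLE_LOGS, "src", build_ip_filter(crit))
        print(f"src filter {crit!r}: {[r['src'] for r in hits]}")
```

The `negate` flag models the "do not contain" form of the column filter; a cell that is not a valid address (a resolved host name, for instance) never matches an IP filter, which is also why resolved names must be turned off before filtering on addresses.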
special characters such as single or double quotes (' or ") or question marks (?)
wild card characters (*), or only contain a wild card as the last character of a keyword
(logi*)
You can use Full Search if your search terms are more complex, and require the use of
special characters or log fields not supported by Quick Search. Full Search performs an
exhaustive search of all log fields, both indexed and unindexed, but is often slower than
Quick Search.
To search the logs, go to Tools > Network Analyzer > Historical. Select Advanced Search.
Time Period: Select to search logs from a time frame, or select Specify and define a custom time frame by selecting the From and To dates and times.
From: Enter the date and select the time of the beginning of the custom time range. This option appears only when Date is Specify.
To: Enter the date and select the time of the end of the custom time range. This option appears only when Date is Specify.
Keyword(s): Enter search terms which will be matched to yield log message search results. To specify that results must include all, any, or none of the keywords, select from Match.
Quick Search
Full Search
Stop Search
More Options
Other Filters: Specify additional criteria, if any, that can be used to further restrict the search criteria.
Source IP: Enter an IP address to include only log messages containing a matching source IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing src=192.168.2.1.
Destination IP: Enter an IP address to include only log messages containing a matching destination IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing dst=192.168.2.1.
Search tips
If your search does not return the results you expect, but log messages exist that should
contain matching text, examine your keywords and filter criteria using the following search
characteristics and recommendations.
Keywords must literally match log message text, with the exception of case insensitivity
and wild cards; resolved names and IP aliases will not match.
Some keywords will not match unless you include both the log field name and its value,
surrounded by quotes (Ack=2959769124).
Remove unnecessary keywords and search filters which can exclude results. For a log
message to be included in the search results, all keywords must match; if any of your
keywords does not exist in the message, the match will fail and the message will not
appear in search results.
You can use the asterisk (*) character as a wild card (192.168.2.*). For example,
you could enter any partial term or IP address, and then enter * to match all terms that
have identical beginning characters or numbers.
The search returns results that match all of the search terms.
For example, consider two similar keyword entries: 172.20.120.127 tcp and
172.20.120.127 udp. If you enter the keywords 172.20.120.127 tcp, UDP
traffic would not be included in the search results, since although the first keyword (the
IP address) matches, the second keyword, tcp, does not match.
The search returns results that match all, any, or none of the search terms, according
to the option you select in Match.
For example, if you enter into Keyword(s):
172.20.120.127 tcp
and if from Match you select All Words, log messages for UDP traffic to
172.20.120.127 do not appear in the search results, since although the first keyword
(the IP address) appears in log messages, the second keyword (the protocol) does not
match UDP log messages, and so the match fails for UDP log messages. If the match
fails, the log message is not included in the search results.
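The search rules in this section (literal, case-insensitive keyword matching; "*" only as a trailing wild card; a field=value pair quoted as one keyword; and Match = all, any or none) are easy to get wrong when reading results, so here they are as runnable code. This is an added example written for this page, not the FortiAnalyzer search engine: it treats every log field as indexed (the guide's exception for unindexed fields is not modelled), and the raw log lines are constructed in the raw-view style shown in the guide.

```python
"""Keyword search with the matching rules the guide's search tips describe:
keywords match log text literally except for case, "*" works only as a trailing
wild card, a field=value pair can be given as one quoted keyword, and Match
decides whether all, any, or none of the keywords must hit. Added illustration
written for this page, not the FortiAnalyzer search engine; every field is
treated as indexed (the guide's unindexed-field exception is not modelled),
and the raw log lines are constructed."""
import shlex
from typing import Iterator, List

# Constructed raw-format lines (not real FortiAnalyzer output).
SAMPLE_RAW: List[str] = [
    'date=2009-09-14 time=14:00:01 src=172.20.120.127 dst=10.0.0.5 proto=tcp dport=80 msg="HTTP GET"',
    'date=2009-09-14 time=14:00:02 src=172.20.120.127 dst=10.0.0.53 proto=udp dport=53 msg="DNS query"',
    'date=2009-09-14 time=14:00:03 src=172.20.120.9 dst=10.0.0.53 proto=udp dport=123 msg="NTP"',
    'date=2009-09-14 time=14:00:04 src=192.168.2.77 dst=172.20.120.127 proto=tcp dport=22 ack=2959769124',
]


def _candidates(message: str) -> Iterator[str]:
    """Yield each whitespace token and, for field=value tokens, the bare value."""
    for token in message.lower().split():
        token = token.strip('"')
        yield token
        if "=" in token:
            yield token.split("=", 1)[1].strip('"')


def keyword_matches(keyword: str, message: str) -> bool:
    """Literal, case-insensitive match; "*" is honoured only as the last character."""
    kw = keyword.lower()
    if kw.endswith("*"):
        prefix = kw[:-1]
        return any(c.startswith(prefix) for c in _candidates(message))
    return any(c == kw for c in _candidates(message))


def search(lines: List[str], keywords: str, match: str = "all") -> List[str]:
    """Return lines selected by Match = all | any | none of the keywords."""
    terms = shlex.split(keywords)    # honours quotes around field=value keywords
    rules = {"all": all, "any": any, "none": lambda hits: not any(hits)}
    if match not in rules:
        raise ValueError(f"match must be one of {sorted(rules)}")
    results: List[str] = []
    for line in lines:
        hits = [keyword_matches(t, line) for t in terms]
        if rules[match](hits):
            results.append(line)
    return results


if __name__ == "__main__":
    for mode in ("all", "any", "none"):
        found = search(SAMPLE_RAW, "172.20.120.127 tcp", mode)
        print(f"Match {mode}: {len(found)} line(s)")
```

With the sample lines, "172.20.120.127 tcp" under All Words drops the UDP line exactly as the guide's worked example says, "172.20.120.*" matches every line that carries an address in that /24 (as source or destination), and the partial keyword "172.20.120" with no wild card matches nothing.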
The network analyzer captures very detailed network traffic information, and its log volume can consume the FortiAnalyzer unit's hard disk space more rapidly than standard logs. Rolling and uploading logs frees hard disk space to collect further data.
As the FortiAnalyzer unit receives new log items, it performs the following tasks:
verifies whether the log file has exceeded its file size limit
if the file size is not exceeded, checks to see if it is time to roll the log file. You configure the time to be either a daily or weekly occurrence, and when the roll occurs
When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log (for example, tlog.1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. The file modification time will match the time when the last log was received in the log file.
Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new current log called tlog.log.
If log uploading is enabled, once logs are uploaded to the remote server or downloaded
via the web-based manager, they are in the following format:
FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz
If you have enabled log uploading, you can choose to automatically delete the rolled log
file after uploading, thereby limiting the amount of disk space used by rolled log files.
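The rolling rules above (size limit checked first, then the schedule; the rolled file named after the time of its first entry; the uploaded copy prefixed with the unit's serial number and suffixed with the upload time) are worth having as code when reconciling files on an upload server with what the unit rolled. The following is an added example written for this page, not FortiAnalyzer's implementation: the RollingLog class, simulate() and the parser for the upload file name are this example's own, and the only real-looking value in it is the file name the guide itself shows.

```python
"""Model of the network analyzer log rolling the guide describes: the current
file tlog.log is rolled when the next entry would push it past the size limit,
otherwise when the daily or weekly schedule comes due; the rolled file is
renamed tlog.<N>.log with N the time the first entry was received, and an
uploaded copy is named <serial>-tlog.<N>.log-<YYYY-MM-DD-hh-mm-ss>.gz.
Added illustration written for this page, not FortiAnalyzer's implementation:
the RollingLog class, simulate() and the parser are this example's own."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

UPLOAD_NAME = re.compile(
    r"^(?P<serial>[A-Z0-9]+)-(?P<logtype>[a-z])log\.(?P<first>\d+)\.log-"
    r"(?P<uploaded>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})\.gz$")


def parse_upload_name(name: str) -> Optional[Dict[str, object]]:
    """Split an uploaded/downloaded file name into its parts (None if not that form)."""
    m = UPLOAD_NAME.match(name)
    if not m:
        return None
    return {
        "serial": m["serial"],
        "log_type": m["logtype"],                      # "t" = traffic log
        "first_entry": datetime.fromtimestamp(int(m["first"]), tz=timezone.utc),
        "uploaded": datetime.strptime(m["uploaded"], "%Y-%m-%d-%H-%M-%S"),
    }


def upload_name(serial: str, rolled_name: str, uploaded_at: datetime) -> str:
    """Name of the compressed copy sent to the upload server."""
    return f"{serial}-{rolled_name}-{uploaded_at:%Y-%m-%d-%H-%M-%S}.gz"


class RollingLog:
    """In-memory stand-in for tlog.log plus its rolled files."""

    def __init__(self, max_bytes: int, roll_every: timedelta, now: datetime, log_type: str = "t"):
        self.max_bytes, self.roll_every, self.log_type = max_bytes, roll_every, log_type
        self.next_roll = now + roll_every           # next scheduled (daily/weekly) roll
        self.current: List[str] = []
        self.first_entry: Optional[datetime] = None
        self.last_entry: Optional[datetime] = None
        self.rolled: List[Tuple[str, List[str], datetime, str]] = []  # name, entries, mtime, reason

    def size(self) -> int:
        return sum(len(e) + 1 for e in self.current)  # +1 for the newline

    def _roll(self, now: datetime, reason: str) -> Optional[str]:
        if reason == "schedule":
            self.next_roll += self.roll_every
        if not self.current or self.first_entry is None or self.last_entry is None:
            return None
        name = f"{self.log_type}log.{int(self.first_entry.timestamp())}.log"
        # Modification time of the rolled file is when its last entry arrived.
        self.rolled.append((name, self.current, self.last_entry, reason))
        self.current, self.first_entry, self.last_entry = [], None, None
        return name

    def append(self, entry: str, now: datetime) -> Optional[str]:
        """Store one entry; returns the rolled file name if a roll happened first."""
        rolled = None
        if self.size() + len(entry) + 1 > self.max_bytes:   # size limit checked first
            rolled = self._roll(now, "size")
        elif now >= self.next_roll:                          # then the schedule
            rolled = self._roll(now, "schedule")
        if self.first_entry is None:
            self.first_entry = now
        self.last_entry = now
        self.current.append(entry)
        return rolled


def simulate() -> List[Tuple[str, str]]:
    """Constructed run: a 120-byte limit and a daily schedule; returns (name, reason) per roll."""
    t0 = datetime(2009, 9, 14, 11, 58, 16, tzinfo=timezone.utc)   # epoch 1252929496
    log = RollingLog(max_bytes=120, roll_every=timedelta(days=1), now=t0)
    rolls: List[Tuple[str, str]] = []
    for i in range(6):   # 38-byte entries: the fourth one would overflow 120 bytes
        name = log.append(f"src=192.168.2.{i} dst=10.0.0.1 proto=tcp", t0 + timedelta(seconds=i))
        if name:
            rolls.append((name, log.rolled[-1][3]))
    name = log.append("x", t0 + timedelta(days=1, seconds=1))  # small entry, schedule is due
    if name:
        rolls.append((name, log.rolled[-1][3]))
    return rolls


if __name__ == "__main__":
    for name, reason in simulate():
        print(f"rolled {name} ({reason}) -> {upload_name('SERIAL-PLACEHOLDER', name, datetime.now())}")
```

Parsing the guide's own file name, FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz, yields a first-entry time of 2009-09-14 11:58:16 UTC and an upload stamp of 14:00:14; the gap between the two is the window in which the rolled file sat on the unit's disk before being uploaded and (if the delete-after-upload option is on) removed.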
To enable log rolling, or to disable network analyzer, go to Tools > Network Analyzer >
Config.
Figure 104: Traffic Log Settings
Enable Network Analyzer on: Select the port on which network analyzer observes traffic. If you disable this option and log out, network analyzer will be hidden in the web-based manager menu. For more information about re-enabling network analyzer and making it visible again, see Connecting the FortiAnalyzer unit to analyze network traffic on page 257.
Allocated Disk Space (MB): Enter the amount of disk space reserved for network analyzer logs. The dialog also displays the amount used of the allocated space.
When Allocated Disk Space is All Used: Select what the FortiAnalyzer unit does when the allocated disk space is filled up. Select to either overwrite the older log file or stop logging until you can clear some room. To avoid completely filling the hard disk space, use the log rolling and uploading options.
Reuse Settings from Standard Logs: Select to use the same log rolling and uploading settings that you set for standard log files in Logs > Config. This option is selected by default.
Log file should be rolled: Define when the FortiAnalyzer unit should roll its network analyzer log files. This option becomes active only if you deselect Reuse Settings from Standard Logs.
Server type
Server IP address
Username
Password
Confirm Password
Directory: Enter a location on the upload server where the log file should be saved.
Upload Files: Select when the FortiAnalyzer unit should upload files to the server.
  When rolled: Uploads logs whenever the log file is rolled, based upon Log file should be rolled.
  Daily at hh:mm: Uploads logs at the configured time, regardless of when or at what size it rolls according to Log file should be rolled.
Compress uploaded log files: Select to compress the log files in GZIP format before uploading to the server.
(Option name not recovered): Select to remove the log file from the FortiAnalyzer hard disk once the FortiAnalyzer unit completes the upload.
File Explorer
Tools > File Explorer > File Explorer displays the FortiAnalyzer unit's directories and files.
There are two main directories:
Archive: Contains files associated with eDiscovery, full DLP archiving, and the
quarantine.
Storage: Contains information unlikely to change once written, like logs and reports.
Note: The file explorer lists log files stored using the Proprietary Index file system only. If
you have enabled SQL database storage, logs stored using that method will not appear in
the file explorer.
To expand or hide the two main directories or their sub-directories, click the plus or minus
icon located beside each directory name.
File Explorer is not visible under the Tools menu until enabled in System > Admin > Settings. For details, see Configuring the web-based manager's global settings on page 84.
Figure 105: File Explorer
Maintaining firmware
Fortinet recommends reviewing this section before upgrading or downgrading the
FortiAnalyzer firmware because it contains important information about how to properly
back up your current configuration settings and log data, including what to do if the
upgrade or downgrade is unsuccessful.
In addition to firmware images, Fortinet releases patch releases: maintenance release builds that resolve important issues. Fortinet strongly recommends reviewing the release notes for the patch release before upgrading the firmware. Installing a patch release without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues.
Note: Fortinet recommends upgrading the FortiAnalyzer unit during a low traffic period, for
example at night, to re-index log data. During the upgrade process, the FortiAnalyzer unit
re-indexes log data, which takes time to complete if there is a large amount of log data. You
can verify that the indexing of log data is complete by viewing the Alert Message console on
the Dashboard.
Downgrading from FortiAnalyzer 4.0 to FortiAnalyzer 3.0 MR7 is not supported.
Firmware versions listed in the upgrade path table (table layout not recovered): V3.0 MR6, V3.0 MR7, V4.0, V4.0 MR1, V4.0 MR2.
Download and review the release notes for the firmware release.
Back up the current configuration. See Backing up your configuration on page 276.
Upgrade the firmware. See Upgrading your FortiAnalyzer unit on page 279.
Fortinet recommends backing up all configuration settings from your FortiAnalyzer unit
before upgrading. This ensures all configuration settings are not lost if you later want to
downgrade and want to restore those configuration settings.
Compress the .log or .csv file with gzip compression. For example,
downloading a log-formatted file with gzip compression would result in
a download with the file extension .log.gz.
6 Select OK.
7 Select a location when prompted by your web browser to save the file.
To back up log files through the CLI
Enter the following to back up all log files:
execute backup logs all {ftp | sftp | scp} <server_ipv4>
<username_str> <password_str> <directory_str>
After successfully backing up your configuration file, either from the CLI or the web-based
manager, proceed with upgrading.
6 As the FortiAnalyzer unit reboots, a series of system startup messages appears. When
the following message appears,
Press any key to display configuration menu
7 Immediately press any key to interrupt the system startup.
You have only three seconds to press any key. If you do not press a key soon enough,
the FortiAnalyzer unit reboots and you must log in and repeat steps 3 to 7 again.
If you successfully interrupt the startup process, the following message appears:
[G]:
[F]:
[B]:
[C]:
[Q]:
[H]:
8 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
9 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type the internal IP address of the FortiAnalyzer unit.
This IP address connects the FortiAnalyzer unit to the TFTP server. This IP address
must be on the same network as the TFTP server, but make sure you do not use an IP
address of another device on the network.
The following message appears:
Enter firmware image file name [image.out]:
11 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiAnalyzer unit and the
following appears:
Save as Default firmware/Backup firmware/Run image without
saving: [D/B/R]
12 Type R.
The FortiAnalyzer firmware image installs and saves to system memory. The
FortiAnalyzer unit starts running the new firmware image with the current configuration.
When you are done testing the firmware, you can reboot the FortiAnalyzer unit and
resume using the original firmware. You will need to restore the original configuration file
after the testing.
If you encounter access problems to the web-based manager after upgrading the
firmware, you can re-install the previous firmware image from the BIOS menu in the CLI.
During some upgrades, the firmware image may not successfully install on the FortiAnalyzer unit, which may be caused by a corrupted firmware image.
To install firmware from the BIOS menu, use the procedure in Testing firmware before
upgrading/downgrading on page 277. At step 12 in the procedure, enter D instead of R.
The option D installs the firmware permanently on the FortiAnalyzer unit, as the default
firmware.
The following procedure uses the web-based manager for upgrading the FortiAnalyzer
unit from version 4.0 MR1 to MR2. The following procedure assumes that you have
already downloaded the firmware image to your management computer.
To upgrade through the web-based manager
1 Copy the firmware image file to your management computer.
2 Log in to the web-based manager as the administrative user.
3 Go to System > Dashboard > Status.
4 In the System Information area, select Update for Firmware Version.
5 Enter the path and filename of the firmware image file, or select Browse and locate the
file.
6 Select OK.
7 The FortiAnalyzer unit uploads the firmware image file, upgrades to the new firmware
version, restarts, and displays the FortiAnalyzer login. This process may take a few
minutes.
When the upgrade is successfully installed:
After logging back in to the web-based manager, you should save the configuration
settings that are carried forward. Go to System > Maintenance > Backup & Restore to
save the configuration settings that carried forward.
The following procedure uses the CLI and a TFTP server to upgrade the FortiAnalyzer unit
from 4.0 MR1 to MR2. The CLI upgrade procedure reverts all current firewall
configurations to factory default settings.
The following procedure assumes that you have already downloaded the firmware image
to your management computer.
The procedures may vary depending on the firmware versions you use for the upgrade.
To upgrade to FortiAnalyzer 4.0 MR2 through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiAnalyzer unit and
TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiAnalyzer unit:
execute restore image tftp <name_str> <tftp_ip4>
Where <name_str> is the name of the firmware image file and <tftp_ip4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiAnalyzer unit responds with a message similar to the following:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6 Type y.
The FortiAnalyzer unit uploads the firmware image file, upgrades to the new firmware
version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 Enter the following command syntax to confirm the firmware image installed
successfully:
get system status
As soon as possible during initial FortiAnalyzer setup, give the default administrator,
admin, a password. This administrator has the highest level of permissions available
and access to this administrator should be limited to as few people as possible.
Change all administrator passwords regularly. Set a policy, such as every 60 days, and follow it. For more information, see Changing an administrator's password on page 79.
Do not use the default administrator access profile for all new administrators. Create
one or more access profiles with limited permissions tailored to the responsibilities of
the new administrator accounts. For more information, see Configuring access
profiles on page 80.
By default, an administrator login that is idle for more than five minutes times out. You
can change this to a longer period, but Fortinet does not recommend it. A web-based
manager GUI or CLI session left unattended lets anyone change your settings. For
more information, see Configuring administrator-related settings on page 77.
Instead of allowing administrative access to the FortiAnalyzer unit from any source,
restrict it to trusted internal hosts. For more information, see Configuring administrator
accounts on page 77.
Restrict the interface used for administrative access (usually port1) to just the access
protocols administrators need. For best results, use only the most secure protocols.
Disable telnet. Disable ping except during troubleshooting. Use HTTP only if the
network interface connects to a trusted private network. For more information, see
Configuring the network interfaces on page 63.
Verify that the system time and time zone are correct. Many features, including
FortiGuard updates, log timestamps, and scheduled reports, rely on a correct system
time. For more information, see System Information widget on page 38.
Before upgrading or downgrading the firmware and running CLI commands that can
change your settings, such as execute factoryreset and execute restore,
always perform a complete configuration backup. For information on backing up
configuration, see Backing up the configuration & installing firmware on page 114.
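The hardening advice above can be checked mechanically against a configuration backup. The script below is an added example, not part of this guide or of Fortinet's tooling: it parses a constructed backup written in the Fortinet CLI config/edit/set style and reports idle timeouts above the default, weak access protocols on interfaces, administrators reachable from any host, and new administrators using the default profile. The key names (admintimeout, allowaccess, trusthost1, accprofile) and the profile name super_admin are assumptions.

```python
"""Audit a FortiAnalyzer configuration backup against the hardening advice above."""
from typing import Dict, List

# Constructed sample of a configuration backup. The config/edit/set/next/end
# layout follows the Fortinet CLI style; the key names (admintimeout,
# allowaccess, trusthost1, accprofile) are assumptions, not from this guide.
SAMPLE_CONFIG = """\
config system global
    set admintimeout 30
end
config system interface
    edit "port1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh telnet http
    next
    edit "port2"
        set ip 198.51.100.10 255.255.255.0
        set allowaccess https ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 0.0.0.0 0.0.0.0
        set accprofile "super_admin"
    next
    edit "auditor"
        set trusthost1 192.0.2.0 255.255.255.0
        set accprofile "readonly"
    next
    edit "helpdesk"
        set trusthost1 0.0.0.0 0.0.0.0
        set accprofile "super_admin"
    next
end
"""

# Protocols the guide says not to leave enabled on the admin interface.
WEAK_ACCESS = {"telnet", "http", "ping"}
DEFAULT_IDLE_TIMEOUT = 5          # minutes; the default the guide recommends keeping
DEFAULT_PROFILE = "super_admin"   # assumed name of the default admin access profile
ANY_HOST = ["0.0.0.0", "0.0.0.0"]  # trusted-host value that allows every source

Config = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_config(text: str) -> Config:
    """Parse a Fortinet-style config dump into {table: {entry: {key: values}}}.
    Settings of a table without 'edit' entries are stored under the entry ''."""
    tables: Config = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table, entry = line[7:], ""
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[5:].strip('"')
            tables[table].setdefault(entry, {})
        elif line.startswith("set ") and table is not None:
            key, *values = line[4:].split()
            tables[table].setdefault(entry, {})[key] = [v.strip('"') for v in values]
        elif line == "next":
            entry = ""
        elif line == "end":
            table, entry = None, None
    return tables


def audit(tables: Config) -> List[str]:
    """Return one finding per deviation from the guide's hardening advice."""
    findings: List[str] = []
    timeout = tables.get("system global", {}).get("", {}).get("admintimeout")
    if timeout and int(timeout[0]) > DEFAULT_IDLE_TIMEOUT:
        findings.append(f"admin idle timeout raised to {timeout[0]} min "
                        f"(default {DEFAULT_IDLE_TIMEOUT})")
    for name, keys in tables.get("system interface", {}).items():
        weak = WEAK_ACCESS & set(keys.get("allowaccess", []))
        if name and weak:
            findings.append(f"{name}: weak admin access protocols enabled: "
                            + ", ".join(sorted(weak)))
    for name, keys in tables.get("system admin", {}).items():
        if not name:
            continue
        hosts = [v for k, v in keys.items() if k.startswith("trusthost")]
        if not hosts or all(h[:2] == ANY_HOST for h in hosts):
            findings.append(f"admin '{name}': login allowed from any source host")
        if name != "admin" and keys.get("accprofile", [""])[0] == DEFAULT_PROFILE:
            findings.append(f"admin '{name}': uses the default {DEFAULT_PROFILE} profile")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```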
Upgrade to the latest available firmware. After downloading the firmware file from
Fortinet Technical Support (https://support.fortinet.com/), back up the configuration and
other data, then go to Monitor > System Status > Status, and, in the Firmware Version
row, select the Update link.
Configure the FortiAnalyzer unit to accept both scheduled and push updates of
antivirus and attack definitions. FortiGuard updates are configured in
Maintenance > FortiGuard > Update.
Allow the FortiAnalyzer unit access to a valid DNS server. DNS services are required
for many FortiMail features, including scheduled updates and FortiGuard Antispam
rating queries. The DNS server used by the FortiAnalyzer unit is configured in
System > Network > DNS.
Performance tuning
Verify that the system time and time zone are correct. Many features rely on a correct
system time. See Configuring the time & date on page 38.
To reduce latency associated with DNS queries, use a DNS server on your local
network as your primary DNS. See Configuring DNS on page 69.
When editing a network interface (System > Network > Interface), you can enable
Override default MTU value (1500) to change the maximum transmission unit (MTU)
value, then enter the maximum packet size in bytes.
To improve network performance, adjust the MTU so that it equals the smallest MTU of
all devices between this interface and the traffic's final destinations.
If the MTU is larger than other devices' MTU, other devices through which the traffic
travels must spend time and processing resources to break apart large packets to meet
their smaller MTU, which slows down transmission.
The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes.
When choosing a FortiAnalyzer model, consider your network's log frequency, and the
number of devices to support. For networks with more demanding logging scenarios,
an appropriate device ratio may be less than the allowed maximum. Performance will
vary according to your network size, device types, logging thresholds, and many other
factors. See Maximum number of devices on page 126.
Avoid recording log messages using low severity thresholds, such as information or
notification, to the local hard disk for an extended period of time. Excessive logging
frequency saps system resources and can cause undue wear on the hard disk and
may cause premature failure. See Alert Message Console widget on page 51.
Regularly delete or back up old reports to reduce the number of reports on the local
disk.
Troubleshooting
This chapter provides troubleshooting techniques for some frequently encountered
problems. It includes general troubleshooting methods and specific troubleshooting tips
using both the command line interface (CLI) and the web-based manager.
Some CLI commands provide troubleshooting information not available through the
web-based manager. The web-based manager is better suited for viewing large amounts of
information on screen, reading logs and archives, and viewing status through the
dashboard.
For late-breaking troubleshooting information, see the Fortinet Knowledge Base.
This topic includes:
Troubleshooting process
Troubleshooting process
Before you begin troubleshooting anything but the most minor issues, you need to
prepare. Doing so will shorten the time to solve your issue.
Establish a baseline
Note that many of these questions are some form of comparing the current situation to
normal operation. For this reason it is recommended that you know what your normal
operating status is. This can easily be accomplished through logs, or regularly running
information gathering commands and saving the output. Then when there is a problem,
this regular operation data will enable you to determine what is different.
It is a good idea to back up the FortiAnalyzer configuration for your unit on a regular basis.
Apart from troubleshooting, if you accidentally change something, the backup can help you
restore normal operation quickly and easily.
After you have isolated the problem, what applications, users, devices, and
operating systems does it affect?
Before you can solve a problem, you need to understand it. Often this step can be the
longest in this process.
Ask questions such as:
Is it a connectivity issue for the whole device, or is there an application that isn't
reaching the Internet?
Be as specific as possible with your answers, even if it takes a while to find the answers.
These questions will help you define the problem. Once the problem is defined, you can
search for a solution and then create a plan on how to solve it.
Gathering Facts
Fact gathering is an important part of defining the problem.
Consider the following:
Answers to these questions will help you narrow down the problem, and what you have to
check during your troubleshooting. The more things you can eliminate, the fewer things
you need to check during troubleshooting.
Technical Documentation
Installation Guides, Administration Guides, Quick Start Guides, and other technical
documents are available online at the following URL:
http://docs.fortinet.com
Release Notes
Issues that are uncovered after the technical documentation has been published will often
be listed in the Release Notes that accompany the device.
Knowledge Center
The Fortinet Knowledge Center provides access to a variety of articles, white papers, and
other documentation providing technical insight into a range of Fortinet products. The
Knowledge Center is available online at the following URL:
http://kc.fortinet.com
The firmware build version (use the get system status command)
Tell the support team what troubleshooting steps have already been performed and the
results.
diagnose fortiguard status Displays the running status of the FortiGuard daemon.
diagnose netlink
diagnose sys
diagnose test
execute ping
execute traceroute
The CLI commands above display data; many of them also have options for modifying
data. For CLI command syntax details for these and other commands, see the
FortiAnalyzer CLI Reference.
Are there routes in the routing table for default and static routes? Do all connected
subnets have a route in the routing table?
See Verify the contents of the routing table on page 292.
Are the ARP table entries correct for the next-hop destination?
See Verify the contents of the ARP table on page 292.
Is traffic entering the FortiAnalyzer unit and, if so, does it arrive on the expected
interface? Is the traffic exiting the FortiAnalyzer unit to the expected destination? Is the
traffic being sent back to the originator?
Perform a sniffer trace. See Perform a sniffer trace on page 293.
Ensure the network cables are properly plugged in to the interfaces on the
FortiAnalyzer unit.
Ensure there are connection lights for the network cables on the unit.
Change the cable if the cable or its connector is damaged, or if you are unsure about
the cable's type or quality.
Connect the FortiAnalyzer unit to different hardware to see if that makes a difference.
In the web-based manager, select System > Network > Interface and ensure the link
status is up (up arrow on green circle) for the interface.
If the status is down (down arrow on red circle), click Bring Up next to it in the Status
column.
You can also enable an interface in CLI, for example:
config system interface
edit port2
set status up
end
If any of these checks solve the problem, it was a hardware connection issue. You should
still perform some basic software tests to ensure complete connectivity.
FortiAnalyzer Version 4.0 MR2 Administration Guide
Revision 13
http://docs.fortinet.com/ Feedback
If the hardware connections are correct and the unit is powered on but you cannot connect
using the CLI or web-based manager, you may be experiencing bootup problems. See
Bootup issues on page 302.
Both ping and traceroute require particular ports to be open on firewalls to function. Since
you typically use these tools to troubleshoot, you can allow them in the firewall policies
and on interfaces only when you need them, and otherwise keep the ports disabled for
added security.
all equipment between the two locations to determine they are properly connected
addresses and routes to ensure all IP addresses and routing information along the
route is configured as expected
In Windows XP, select Start > Run, enter cmd, and select OK.
In Windows 7, select the Start icon, enter cmd in the search box, and select
cmd.exe from the list.
2 In the command window, enter the ping command and an IP address, for example:
ping 172.20.120.169
Ping options include:
-t, to send packets until you press Control-C
-a, to resolve addresses to domain names where possible
-n x, where x is an integer stating the number of packets to send
To ping a device from a Linux PC
1 Go to a command line prompt.
2 Enter:
ping 172.20.120.169
In Windows XP, select Start > Run, enter cmd, and select OK.
In Windows 7, select the Start icon, enter cmd in the search box, and select
cmd.exe from the list.
2 Enter the tracert command to trace the route from the host PC to the destination web
site, for example:
tracert fortinet.com
In the tracert output, the first (left) column is the hop count, which cannot exceed 30
hops. The second, third, and fourth columns show how long each of the three probe packets
took to reach this stage of the route. These values are in milliseconds and normally vary
quite a bit; a value of <1ms typically indicates a local connection.
The fifth (far right) column is the domain name of that device and its IP address, or
possibly just the IP address.
To use traceroute on a Linux PC
1 Go to a command line prompt.
2 Enter:
traceroute fortinet.com
The Linux traceroute output is very similar to the MS Windows tracert output.
To sniff packets
The general form of the internal FortiAnalyzer packet sniffer command is:
diagnose sniffer packet <interface_name> <filter_str> <verboselevel> <count_int>
This example checks network traffic on port1, with no filter, and captures 10 packets:
diagnose sniffer packet port1 none 1 10
See the FortiAnalyzer CLI Reference for an explanation of the command and its
parameters.
2 Document the problem and the steps you took to define the problem.
3 Open a support ticket.
For details on using the Fortinet support portal and providing the best information, see the
Knowledge Base article, "Fortinet Support Portal for Product Registration, Contract
Registration, Ticket Management, and Account Management" at:
http://kb.fortinet.com
Report issue
FortiAnalyzer reports show the same users twice (name in upper case and lower case).
Solution
When a FortiGate unit is set to require authentication, it may use two methods to
authenticate: LDAP and FSAE.
The behavior is different depending on the method used, and this will cause the
FortiAnalyzer unit to have two different log entries for the same user: one with an upper
case name and one with a lower case name.
The FortiAnalyzer reports will show the same user twice. This is because the
FortiAnalyzer filter is case-sensitive.
This issue was resolved in FortiOS 4.0 MR1 with the addition of a new CLI command to
allow ALL user names logged to be in upper case. This is useful when the same servers
are shared by LDAP and FSAE.
Solution
The binary files indicated in the message are used by the FortiAnalyzer report engine to
generate reports. During a firmware upgrade, the binary files may have changed due to
some new features. In such a case, the affected binary files are regenerated. This
message means that some of the binary files have not yet been regenerated.
The speed of regeneration (how long it takes to complete) depends on the activity of the
FortiAnalyzer unit, such as the logging rate and number of reports running.
The number displayed in the message will steadily decrease. It may briefly increase when
log files are manually imported, or in some cases during log rolling on a non-processed
file.
This is a normal process, and will resolve itself once the regeneration is complete.
Solution
There are three key CPU-intensive operations on a FortiAnalyzer unit:
Log indexing
A FortiAnalyzer unit deployed in a network can receive hundreds of log messages per
second throughout the day. The FortiAnalyzer unit indexes nearly all fields in a log
message to include it in the database. This process can be very CPU intensive, as the
indexing component is continually running to keep up with the incoming log messages.
Network sniffing
Vulnerability scan
Intrusion Activity
Virus Activity
Top Traffic
HA log issue
When sending FortiGate logs to the FortiAnalyzer unit with a secure connection, only the
primary unit's logs are successfully received by the FortiAnalyzer unit.
Solution
When configuring a secure connection to send log information, you need to set the secure
connection for all units in an HA cluster on the FortiAnalyzer unit. For more information,
see Secure on page 125.
If the FortiAnalyzer unit will still not accept log information from the FortiGate unit for which
you have enabled secure connection, check if you entered the preshared key and the
device information correctly.
Solution
The FortiAnalyzer unit uses the DNS settings to enable connections for network file
sharing. If the DNS settings are not configured correctly, or have incorrect DNS entries,
the FortiAnalyzer unit will not be able to perform reverse lookups for users attempting to
connect. If the FortiAnalyzer unit cannot perform this check, the operation times out,
appearing to the user as being unable to connect.
To verify your DNS configuration, go to System > Network > DNS. For more information,
see Configuring DNS on page 69.
Note that the FortiAnalyzer unit uses the DNS settings for a number of network functions.
The DNS settings must be valid to ensure the system functions correctly.
Solution
Vulnerability Management is an additional service which, similar to FortiGuard Services,
must be purchased and registered.
Even if the FortiAnalyzer unit has been registered and licensed, Vulnerability Management
Service will show as Not Registered if it has not been purchased and registered.
Problem
Vulnerability management updates are not working.
Solution
1 Make sure you have a valid license.
Vulnerability management is a separate subscription that must be purchased. Make
sure that there is a valid VM subscription before starting to troubleshoot. For more
information, see Scheduling & uploading vulnerability management updates on
page 116.
2 Check the default gateway.
The FortiAnalyzer unit needs a default gateway to be able to access the Internet and
download updates. Go to System > Network > Routing and make sure the default
gateway is configured correctly.
If the default gateway is configured correctly, it should be possible to ping IP addresses
on the Internet (assuming that nothing is blocking the pings). This can be tested by
using the command:
exec ping <IP address on the Internet>
3 Make sure nothing is blocking port 443 from the FortiAnalyzer unit.
The FortiAnalyzer unit will contact the update servers on port 443. If something
(usually a firewall) is blocking port 443 from the FortiAnalyzer unit, it will not be able to
receive updates. Check if something is blocking port 443 by sniffing the traffic using the
command:
diag sniff packet any 'port 443' 4
If something is blocking port 443, TCP SYNs will be seen going out but with no TCP
SYN/ACKs coming back in.
4 Enable Debug.
There are a number of other issues that may be causing a problem with VM updates.
The easiest way to check all of them is to enable debugging and check the output for
errors. Run the commands below:
diag debug output enable
diag debug application fortiguard 8
exec update-vm
The output will show any errors that are happening with the update process. Once the
update is complete, it is important to disable debug using the commands:
diag debug application fortiguard 0
diag debug output disable
Upgrade issue
The message "Upload file is too big or invalid" may be seen when
upgrading a FortiAnalyzer unit from the web-based manager.
Solution
Assuming that the correct firmware image has been downloaded from
support.fortinet.com, a possible cause of this problem is related to the free memory on a
FortiAnalyzer unit that has had a long uptime. In order to load the required firmware
image, it is necessary to reboot the FortiAnalyzer unit so that more system resources
become available. Once the device has been rebooted, the upgrade will proceed as
required.
Solution
Enable cookies and JavaScript in your browser. Make sure that cookies are not erased
when you close your browser.
Cookies store preferences for the browser you use to access the web-based manager. If
the cookies are erased when you close the browser (session cookies), the preferences
are not saved, and will not be available the next time you open the browser.
JavaScript is used for navigation of the menus and tabs in the web-based manager.
The following procedures describe how to enable cookies and JavaScript in Internet
Explorer and Firefox.
In Internet Explorer 6 and 7:
1 Go to Tools > Internet Options.
2 Select the Privacy Tab.
3 Select a level of Medium or lower for the Privacy level.
4 Select OK.
5 Select the Security Tab.
6 Select Custom Level.
7 In Settings, under Scripting, enable Active Scripting and Scripting of Java Applets.
8 Select OK.
In Firefox:
1 Go to Tools > Options.
2 Select Privacy.
3 Select Allow sites to set cookies.
4 Select Keep cookies until they expire.
5 Select Content.
6 Select Enable JavaScript.
7 Select OK.
Solution
The disk usage shown for a FortiGate unit is the usage of the space allocated to that
particular FortiGate unit on the FortiAnalyzer unit, while the disk usage shown for the
FortiAnalyzer unit is the total disk usage of the FortiAnalyzer unit as a whole.
For information about configuring allocated space for a device, see Manually adding or
deleting a device or HA cluster on page 129.
Device IP issue
Device IP address displays as 0.0.0.0 on the FortiAnalyzer unit device list (Devices > All
Devices > Allowed) even if the FortiGate unit is already registered on the FortiAnalyzer
unit.
Solution
The FortiAnalyzer unit will change the IP once it receives logs from the FortiGate unit. The
IP address of the FortiGate unit is 0.0.0.0 if the FortiAnalyzer unit has not received logs
from the FortiGate unit.
The FortiAnalyzer unit may not be receiving logs even if the Test Connectivity test on the
FortiGate unit shows that the FortiGate unit is connected to the FortiAnalyzer unit (on the
FortiGate unit: Log&Report > Log Config > Log Settings > FortiAnalyzer > Test
Connectivity). This can be because the FortiGate unit is configured to send logs to the
FortiAnalyzer unit but is not generating any logs yet, or because there is a connectivity
problem between the FortiGate unit and the FortiAnalyzer unit on port 514 UDP (Test
Connectivity runs on port 514 TCP).
Non-encrypted connection
You can use sniffer commands to check if the FortiGate unit is generating logs and if the
FortiAnalyzer unit is receiving them. Note that the commands below are for non-encrypted
traffic.
On the FortiGate unit:
diagnose sniffer packet any 'host <IP address of FortiAnalyzer> and port 514' 4
On the FortiAnalyzer unit:
Always include ICMP in the sniffer filter. You may capture an ICMP error message that
can help identify the cause of the problem. For example, diag sniff packet
interface wan1 'tcp port 3389 or icmp' 3.
Use the "any" interface if you want to confirm that a specific packet is received or sent
by the Fortinet device, without specifically knowing on which interface this may be. This
will essentially enable the sniffer for all interfaces. For example, diag sniff packet
interface any 'tcp port 3389' 3.
The Fortinet device may not display all packets if too much information is requested to
be displayed, or the traffic being sniffed is significant. When this occurs, the unit will log
the following message once the trace is terminated:
12151 packets received by filter
3264 packets dropped by kernel
When this occurs, it is possible that what you were attempting to capture was not
actually captured. In order to avoid this, you may try to tighten the display filters,
reduce the verbose level, or perform the trace during a lower traffic period.
The packet timestamps as displayed by the sniffer may become skewed or delayed
under high load conditions. This may occur even if no packets were dropped (as
mentioned above). Therefore, it is not recommended that you rely on these values in
order to troubleshoot or measure performance issues that require absolute precise
timing.
Enabling the sniffer will consume additional CPU resources. This can be as high as an
additional 25% of CPU usage on low-end models. Therefore, enabling it on a unit that
is experiencing excessively high CPU usage can only render the situation worse. If you
must perform a sniff, keep the sniffing sessions short.
The Ethernet source and/or destination MAC addresses may be incorrect when using
the "any" interface. They may be displayed as all zeros (00:00:00:00:00:00) or
00:00:00:00:00:01.
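Reading sniffer output by eye is error-prone, so the script below, an added example that is not part of this guide, applies three of the checks this chapter describes to captured sniffer lines: the port 443 check from the vulnerability management update procedure (TCP SYNs going out with no SYN/ACK coming back), the UDP port 514 log-delivery check from the device IP issue, and the "packets dropped by kernel" summary that means the capture may be incomplete. The packet line layout (time, interface, direction, src.port -> dst.port: flags) approximates verbose level 4 output and is an assumption, and the sample packet lines are constructed; only the two summary lines are quoted from the guide.

```python
"""Interpret FortiAnalyzer sniffer output: unanswered TCP SYNs, UDP 514 logs, kernel drops."""
import re
from collections import defaultdict
from typing import Dict, Tuple

# Constructed sniffer output. The packet line layout approximates verbose
# level 4 output and is an assumption; the two summary lines at the end are
# the ones quoted in the guide.
SAMPLE_TRACE = """\
1.000100 port1 out 192.0.2.10.51000 -> 203.0.113.5.443: syn 1000
1.000300 port1 out 192.0.2.10.51001 -> 203.0.113.6.443: syn 2000
1.031200 port1 in 203.0.113.6.443 -> 192.0.2.10.51001: syn 7000 ack 2001
1.031400 port1 out 192.0.2.10.51001 -> 203.0.113.6.443: ack 7001
2.000100 port1 out 192.0.2.10.51000 -> 203.0.113.5.443: syn 1000
4.000100 port1 out 192.0.2.10.51000 -> 203.0.113.5.443: syn 1000
5.200000 port1 in 198.51.100.7.1029 -> 192.0.2.10.514: udp 240
5.200500 port1 in 198.51.100.7.1029 -> 192.0.2.10.514: udp 196
12151 packets received by filter
3264 packets dropped by kernel
"""

PACKET_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<info>.*)$"
)
SUMMARY_RE = re.compile(r"^(\d+) packets (received by filter|dropped by kernel)$")

Flow = Tuple[str, int, str, int]  # (client, client port, server, server port)


def analyse_trace(text: str) -> Dict[str, object]:
    """Summarise a sniffer trace from the point of view of the three checks."""
    syn_sent: Dict[Flow, int] = defaultdict(int)      # SYNs per client->server flow
    synack_seen = set()                                # flows that got a SYN/ACK back
    udp_datagrams: Dict[Tuple[str, str, int], int] = defaultdict(int)
    summary: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(2)] = int(m.group(1))
            continue
        m = PACKET_RE.match(line)
        if not m:
            continue
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        info = m["info"].split()
        if info[:1] == ["udp"]:
            # e.g. FortiGate log datagrams arriving on UDP 514
            udp_datagrams[(src, dst, dport)] += 1
        elif info[:1] == ["syn"] and "ack" in info:
            # SYN/ACK from the server: key the flow from the client's side
            synack_seen.add((dst, dport, src, sport))
        elif info[:1] == ["syn"]:
            syn_sent[(src, sport, dst, dport)] += 1
    unanswered = {flow: n for flow, n in syn_sent.items() if flow not in synack_seen}
    dropped = summary.get("dropped by kernel", 0)
    return {
        "unanswered_syns": unanswered,
        "udp_datagrams": dict(udp_datagrams),
        "dropped_by_kernel": dropped,
        # the guide warns that with kernel drops the packet you wanted may be missing
        "capture_incomplete": dropped > 0,
    }


def suspected_blocked_ports(result: Dict[str, object]) -> Dict[int, int]:
    """Destination ports whose SYNs never got a SYN/ACK, with the SYN count."""
    ports: Dict[int, int] = defaultdict(int)
    for (_, _, _, dport), n in result["unanswered_syns"].items():
        ports[dport] += n
    return dict(ports)


if __name__ == "__main__":
    result = analyse_trace(SAMPLE_TRACE)
    print("unanswered SYNs by port:", suspected_blocked_ports(result))
    print("UDP datagrams by (src, dst, port):", result["udp_datagrams"])
    if result["capture_incomplete"]:
        print(f"{result['dropped_by_kernel']} packets dropped by kernel: "
              "tighten the filter, lower the verbose level, or retry at a quieter time")
```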
Bootup issues
When powering on your FortiAnalyzer unit, you may experience problems. Bootup issues,
while rare, can be very difficult to troubleshoot due to the lack of information about your
issue. When the unit is not running, you do not have access to your typical tools such as
diagnose CLI commands. This section walks you through some possible issues to give
you direction in these situations.
To troubleshoot a bootup problem with your unit, go to the section that lists your problem.
If you have multiple problems, go to the problem closest to the top of the list first, and work
your way down the list.
Note: It is rare that units experience any of the symptoms listed here. Fortinet hardware is reliable
with a long expected operation life.
The issues covered in this section all refer to various potential bootup issues including:
Note: FortiAnalyzer units ship with a baud rate of 9600 by default. If you have access, verify this with
the CLI commands config system console and get, or parse an archived configuration file for the
term baudrate.
3 Is the power supply defective, or can't you determine one way or the other?
If No, go to E. You have a suspected defective FortiAnalyzer unit.
If Yes, go to A. You have text on the screen, but you have problems
Some error details may vary from one device to another, but the EXT3-fs error indicates
there is an issue with the local file system.
Solution
This issue appears to be due to some corruption in the file system that affects the boot
device and/or firmware loading.
In most cases the issue may be resolved by reformatting the boot device and then
reinstalling the firmware via TFTP.
Make sure to reload the same firmware version as the one used to save the configuration
backup file. In case there is no configuration backup file, the unit needs to be reconfigured
from scratch.
To reload the firmware:
1 Connect to the FortiAnalyzer unit on the serial console.
2 Reboot the unit and hit any key to enter the Boot Menu.
3 Select "format boot device".
4 Select "Reload Firmware via TFTP".
5 When the unit is up, open the web-based manager and go to System > Maintenance >
Backup & Restore and restore the latest configuration from backup.
Description
FORTINET-CORE-MIB
FORTINET-FORTIANALYZER-MIB
You can obtain these MIB files from the Fortinet Technical Support web site,
https://support.fortinet.com.
To be able to communicate with your FortiAnalyzer unit's SNMP agent, you must first
compile these MIBs into your SNMP manager. If the standard MIBs used by the SNMP
agent are already compiled into your SNMP manager, you do not have to compile them
again.
To view a trap or query's name, object identifier (OID), and description, open its MIB file in
a plain text editor.
All traps sent include the message, the FortiAnalyzer unit's serial number, and host name.
For instructions on how to configure traps and queries, see Configuring the SNMP agent
on page 94.
Intrusion Activity
Antivirus Activity
Webfilter Activity
IM Activity
DLP Activity
Network Analysis
Web Activity
Mail Activity
FTP Activity
Terminal Activity
VPN Activity
Event Activity
P2P Activity
VoIP Activity
Network Scan
SQL database
Application_Control
Intrusion_Detection
AntiVirus
Data_Leak_Prevention
Email Filter
Event
Traffic
Intrusion Activity
Intrusion Activity report templates contain statistics about the FortiGate intrusion activity.
Table 4: Intrusion Activity report templates
Report: Description
Top Attacks: The most frequently detected attack types over the reporting period.
The number of attacks for each attack category over the reporting period, broken down by attack type.
Top Attack Destinations
Attacks by Time Period
The number of attacks over the reporting period, broken down by direction and attack ID.
The number of attacks over the reporting period, broken down by attack status and attack type.
The protocols carrying the most attacks over the reporting period, broken down by attack type.
The number of attacks over the reporting period, broken down by direction and source IP address.
Top Sources for Most Common Attacks: The most frequently detected attack types over the reporting period, broken down by sources.
Top Sources for the Most Common Destinations
Top Devices by Number of Attack Detections: The most frequently detected attack target devices over the reporting period.
Top Devices by Number of Attack Detections for Most Common Attacks: The most frequently detected attack types over the reporting period, broken down by device.
Antivirus Activity
Antivirus Activity report templates contain statistics about the FortiGate antivirus activity.
Report: Description
Top Viruses
Top Viruses per Traffic Direction: The most frequently detected viruses for each traffic direction over the reporting period.
AV Events by Top Senders and Virus Name (MM1)
AV Events by Top Receivers and Virus Name (MM1): The most frequent receivers of virus over the reporting period, broken down by virus name.
Total Number of Unique Infected MSISDN per Country: The total number of infected MSISDN per protection profile per VDOM over the reporting period.
Infected Customer Base
Overall Trends
Top Virus Destinations over FTP: The most frequent sources of virus over FTP.
Top Virus Destinations over HTTP
Top Infected File Extensions over POP3: The most frequently infected file extensions over POP3.
Top Infected File Extensions over SMTP: The most frequently infected file extensions over SMTP.
The most frequent sources of virus over the reporting period for each traffic direction.
Webfilter Activity
Webfilter Activity report templates contain statistics about the FortiGate webfiltering
activity.
Table 6: Webfilter Activity report templates
Report: Description
Top Allowed Categories: The most frequently allowed web categories over the reporting period.
Top Blocked Categories: The most frequently blocked web categories over the reporting period.
All Requested Web Sites by Time Period
The clients with the most web page requests over the reporting period.
The most frequently requested file types over the reporting period.
Total Hits per Web Filter Type: The number of web hits for each filter type.
Top Web Users per Device: The sources with the most web page requests for each device over the reporting period.
The sources with the most web page requests over the reporting period, broken down by webfilter status.
The most frequently requested web sites over the reporting period, broken down by webfilter status.
The most frequently requested web pages over the reporting period.
Top Requested Categories
The most frequently blocked web risk groups over the reporting period.
The most frequently requested web risk groups over the reporting period.
Top Web Sites for Most Active Users: The clients with the most web page requests over the reporting period, broken down by web site.
Top Web Sites for Most Blocked Users: The clients with the most blocked web page requests over the reporting period, broken down by web site.
Top Web Sites + Category for Most Active Users: The clients with the most web page requests over the reporting period, broken down by web site.
Top Allowed Categories for Most Active Users: The sources with the most allowed web page requests over the reporting period, broken down by web site.
Top Blocked Categories for Most Active Blocked Users: The sources with the most blocked web page requests over the reporting period, broken down by category.
The most frequently overridden web page requests over the reporting period.
The sources with the most overridden web page requests over the reporting period, broken down by web site.
Report: Description
Mail Summary (by Email Count): The mail count over the reporting period, broken down by status.
Mail Summary (by Email Size): The mail traffic volume over the reporting period, broken down by status.
Top Spam Destinations: The most frequent spam receivers over the reporting period.
Spam Activity by Time Period
Top Spam Sources with Blocking Criteria Breakdown: The spammers that sent the most spam emails over the reporting period, broken down by blocking criteria.
Top Spam Sources per Device: The spammers that sent the most spam emails for each device over the reporting period.
Top Spam Destinations per Device: The most frequent mail receivers for each device over the reporting period.
Total Spam per Device (by Email Count): The spam count over the reporting period, broken down by device.
The spam traffic volume over the reporting period, broken down by device.
The most frequent spam email receiver over the reporting period, broken down by mail senders.
The most frequent mail blocking criteria for each device over the reporting period.
IM Activity
Instant Message (IM) Activity report templates contain statistics about instant messaging
activity filtered by the FortiGate unit.
Table 8: IM Activity report templates
Report: Description
Total IM Events per Protocol: The number of established IM sessions for each IM protocol over the reporting period.
Total IM Events per Message Category (chat/file/etc.)
The local IM users with the most messages over the reporting period.
The local IM users with the most traffic volume over the reporting period.
Top IM Destinations by Messages: The remote IM users with the most messages over the reporting period.
The remote IM users with the most traffic volume over the reporting period.
The local IM users with the most connection attempts, for configuring reports with log information that is FortiOS 4.0 GA or earlier.
Top Allowed Local IM Users per IM Protocol: The local IM users with the most established sessions for each IM protocol over the reporting period.
Top Blocked Local IM Users per IM Protocol: The local IM users with the most blocked sessions for each IM protocol over the reporting period.
Top Blocked Local IM Users per IM Protocol (FortiOS 4.0 GA or earlier): The local IM users with the most blocked sessions for each IM protocol over the reporting period, for configuring reports with log information that is FortiOS 4.0 GA or earlier.
Top Allowed Local IM Users: The local IM users with the most allowed sessions.
Top Blocked Local IM Users: The local IM users with the most blocked sessions.
Top Blocked Local IM Users (FortiOS 4.0 GA or earlier): The local IM users with the most blocked sessions, for configuring reports with log information that is FortiOS 4.0 or earlier.
Top Allowed Remote IM Users
The remote IM users with the most blocked sessions, for configuring reports with log information that is FortiOS 4.0 GA or earlier.
The local IM users with the most connection attempts over the reporting period, broken down by action.
The local IM users with the most connection attempts over the reporting period, broken down by action, for configuring reports with log information that is FortiOS 4.0 GA or earlier.
Top Actions for Most Active Sources: The local IP with the most actions over the reporting period.
Top Local IM Users for Most Active Sources: The local IP with the most active local users over the reporting period.
Top Remote IM Users for Most Active Sources: The local IP with the most active remote users over the reporting period.
DLP Activity
DLP Activity report templates contain statistics about the DLP archive activity filtered by
the FortiGate unit.
Table 9: DLP Activity report templates
Report
Description
Number of Inspected Messages per Application
Network Analysis
Network Analysis report templates contain statistics about the network activity going
through the FortiGate unit.
Table 10: Network Activity report templates
Report
Description
Traffic Volume by Direction: The traffic volume for the reporting period, broken down by direction.
Top Services by Volume: The Internet services with the most traffic volume over the reporting period.
Top Sources by Volume: The sources with the most traffic volume over the reporting period.
Top Destinations by Volume: The destinations with the most traffic volume over the reporting period.
Top Source-Destination Pairs by Volume: The sources with the most traffic volume over the reporting period, broken down by destination.
Top Destination-Source Pairs by Volume: The destinations with the most traffic volume over the reporting period, broken down by source.
Top Denied Sources
Top Denied Destinations
Top Allowed Policies by Number of Firewall Sessions: The firewall policies with the most allowed sessions.
Top Allowed Policies by Volume: The firewall policies with the most allowed traffic volume.
The traffic volume over the reporting period, broken down by device.
Top Services by Volume per Device: The traffic volume over the reporting period, broken down by device.
Top Services by Volume per Traffic Direction: The Internet services with the most traffic volume over the reporting period, broken down by direction.
Top Services by Volume for most Common Sources: The sources with the most traffic volume over the reporting period, broken down by Internet service.
The destinations with the most traffic volume over the reporting period, broken down by Internet service.
Top Sources by Firewall Sessions Duration: The sources with the longest cumulated traffic duration over the reporting period.
Top Destinations by Firewall Session Duration: The destinations with the longest cumulated traffic duration over the reporting period.
The groups with the longest cumulated traffic duration over the reporting period.
Top Allowed Policies by Firewall Session Duration: The firewall policies with the most allowed session duration.
Top Allowed/Denied Policies by Number of Firewall Sessions
Overall Bandwidth Optimization: The overall bandwidth optimization over the reporting period, listed by time.
Optimization Bandwidth by Application: The most bandwidth-optimized application over the reporting period.
LAN Bandwidth Composition
WAN Bandwidth Composition
Optimized Bandwidth by Source
Optimized Bandwidth by Destination
Optimized Bandwidth by Rule
Overall Bandwidth Optimization by Device
LAN Bandwidth Composition by Device
WAN Bandwidth Composition by Device
Optimized Bandwidth Sources by Device
Optimized Bandwidth Destinations by Device
Optimized Bandwidth Rules by Device
Web Activity
Web Activity report templates contain statistics about the web activity going through the
FortiGate unit.
Table 11: Web Activity report templates
Report
Description
The web traffic volume over the reporting period, listed by time.
Web Volume per Traffic Direction: The web traffic volume over the reporting period, broken down by direction.
The web sites that produced the most traffic volume over the reporting period.
The web clients that generated the most web traffic volume over the reporting period.
The web sites that were accessed most often over the reporting period.
The web sites that produced the most traffic volume over the reporting period, with hit count information.
The web clients with the most web server connections over the reporting period. This connection may include more than one web page hit.
The web clients with the most server connections over the reporting period, broken down by web site. This connection may include more than one web page hit.
The web sites with the longest cumulated traffic duration over the reporting period.
The web clients with the longest cumulated traffic duration over the reporting period.
The web clients with the longest cumulated traffic duration over the reporting period, broken down by web site.
The clients with the most hits over the reporting period.
Mail Activity
Mail Activity report templates contain statistics about the email activity going through the
FortiGate unit.
Table 12: Mail Activity report templates
Report
Description
Mail/Volume/Size by Time: The mail traffic volume over the reporting period, listed by time.
The mail clients that produced the most traffic volume over the reporting period.
The mail servers that produced the most traffic volume over the reporting period.
The mail servers that produced the most traffic volume over the reporting period, broken down by mail client.
The mail traffic volume over the reporting period, broken down by direction.
The mail clients that accessed mail servers the most often over the reporting period.
The mail servers that were accessed the most often over the reporting period.
The mail servers that were accessed the most often over the reporting period, broken down by mail client.
The mail traffic volume over the reporting period, broken down by filtering status and by mail receiver.
The mail traffic volume over the reporting period, broken down by mail service (POP3, SMTP, IMAP, etc.) and by mail sender.
Top Receiver by Volume for each Mail Protocol: The mail traffic volume over the reporting period, broken down by mail service (POP3, SMTP, IMAP, etc.) and by mail receiver.
Top Email Senders By Traffic Volume For Most Active Sources: The local IP and email sender with the most traffic volume over the reporting period.
Top Email Senders By Number Of Emails For Most Active Sources: The local IP and email sender with the most connections over the reporting period.
The local IP and email recipient with the most traffic volume over the reporting period.
The local IP and email recipient with the most emails over the reporting period.
The email recipient and email sender with the most traffic volume over the reporting period.
The email recipient and email sender with the most emails over the reporting period.
Top Protocols By Traffic Volume For Most Active Sources: The local IP and email protocols with the most traffic volume over the reporting period.
FTP Activity
FTP Activity report templates contain statistics about the FTP activity going through the
FortiGate unit.
Description
The FTP traffic volume over the reporting period, listed by time.
FTP Volume per Traffic Direction: The FTP traffic volume over the reporting period, broken down by direction.
Top FTP Servers by Volume: The FTP traffic volume over the reporting period, broken down by direction.
The FTP clients that generated the most traffic volume over the reporting period.
Top Client-Server Pairs by Volume: The FTP clients that generated the most traffic volume over the reporting period, broken down by FTP server.
Top FTP Servers by Connections: The FTP sites that were accessed the most often over the reporting period.
The FTP clients with the most FTP server connections over the reporting period.
Top Client-Server Pairs by Connections: The FTP clients with the most server connections over the reporting period, broken down by FTP server.
Top FTP Servers By Traffic Volume For Most Active Sources: The FTP servers that generated the most traffic volume over the reporting period.
Top FTP Servers By Number of Actions For Most Active Sources: The FTP clients with the most server connections over the reporting period.
Terminal Activity
Terminal Activity report templates contain statistics about the terminal activity (including
SSH and Telnet) going through the FortiGate unit.
Table 14: Terminal Activity report templates
Report
Description
Terminal Traffic Volume per Service (Telnet+SSH): The terminal traffic volume, broken down by service.
Top Terminal Servers by Traffic Volume (per Service): The terminal servers with the most traffic volume over the reporting period, broken down by service.
Top Terminal Clients by Traffic Volume (per Service): The terminal clients with the most traffic volume over the reporting period, broken down by service.
SSH Traffic Volume per Direction: The SSH traffic volume for each direction.
Top SSH Servers by Traffic Volume for Most Active Client: The SSH clients with the most traffic volume over the reporting period, broken down by server.
Telnet Traffic Volume per Direction
Top Telnet Servers by Traffic Volume for Most Active Clients: The Telnet clients with the most traffic volume over the reporting period, broken down by server.
Top Terminal Servers by Connections (per Service): The terminal servers with the most connections over the reporting period, broken down by service.
The SSH clients with the most connections over the reporting period, broken down by server.
The Telnet clients with the most connections over the reporting period, broken down by server.
VPN Activity
VPN Activity report templates contain statistics about VPN tunnel activity going through
the FortiGate unit.
Table 15: VPN Activity report templates
Report
Description
The VPN tunnels with the most traffic volume over the reporting period.
VPN Traffic Volume per Direction: The VPN traffic volume over the reporting period, broken down by direction.
Top VPN Sources: The sources with the most VPN traffic volume over the reporting period.
The destinations with the most VPN traffic volume over the reporting period.
The VPN peers with the most traffic volume for each device over the reporting period.
VPN Traffic Volume per Device: The VPN traffic volume for each device over the reporting period.
Total VPN Tunnels per Device: The number of VPN tunnels for each device over the reporting period.
The VPN peers with the most tunnels for each device over the reporting period.
Top Protocols over VPN per Device (by Traffic Volume): The Internet services with the most traffic volume for each device over the reporting period.
IPSec Tunnel Activity per Device: The statistics related to IPSec tunnel activity for each device over the reporting period.
The statistics related to PPTP tunnel activity for each device over the reporting period.
The statistics related to L2TP tunnel activity for each device over the reporting period.
The statistics related to SSL reverse proxy activity for each device over the reporting period.
SSL Tunnel Activity per Device: The statistics related to the SSL tunnel activity for each device over the reporting period.
Event Activity
Event Activity report templates contain statistics about the FortiGate event activity.
Description
The most frequently occurring event severities over the reporting period.
The most frequently occurring event types over the reporting period.
System Administration Summary
System Administration Details
Memory Usage by Time Period: This report shows FortiGate memory usage by time.
Active Firewall Sessions by Time Period
This report provides information about the total events count triggered on each Firewall.
Top Events (by Log ID): The most frequently occurring events over the reporting period.
Top Events per Device (by Log ID): This report provides information about the events triggered by device and severity.
This report provides information on the types of events that are occurring on a particular system.
The total number of virus notifications per protection profile per VDOM over the reporting period.
P2P Activity
P2P Activity report templates contain statistics about the peer-to-peer (P2P) activity
filtered by the FortiGate unit.
Description
The remote P2P peers with the most allowed sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked P2P Remote Peers (FortiOS 4.0 GA or earlier): The remote P2P peers with the most blocked sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top P2P Protocols For Most Active Sources By Traffic Volume: The local IP with the most protocols and traffic volume over the reporting period.
The most protocols with traffic volume over the reporting period.
Top Blocked BitTorrent Local Peers (FortiOS 4.0 GA or earlier): The local BitTorrent peers with the most blocked sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Allowed eDonkey Local Peers
Top Allowed KaZaa Local Peers (FortiOS 4.0 GA or earlier): The local KaZaa peers with the most allowed sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked KaZaa Local Peers
Top Blocked KaZaa Local Peers (FortiOS 4.0 GA or earlier): The local KaZaa peers with the most blocked sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Allowed Skype Local Peers
Top Allowed Skype Local Peers (FortiOS 4.0 GA or earlier): The local Skype peers with the most allowed sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked Skype Local Peers
Top Blocked Skype Local Peers (FortiOS 4.0 GA or earlier): The local Skype peers with the most blocked sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Allowed WinNY Local Peers
Top Allowed WinNY Local Peers (FortiOS 4.0 GA or earlier): The local WinNY peers with the most allowed sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked WinNY Local Peers
Top Blocked WinNY Local Peers (FortiOS 4.0 GA or earlier): The local WinNY peers with the most blocked sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
VoIP Activity
VoIP Activity report templates contain statistics about the Voice-over-IP activity filtered by
the FortiGate unit.
Description
Top VoIP Sources by Traffic Volume: The Voice-over-IP sources that generated the most traffic volume over the reporting period.
Top VoIP Destinations by Traffic Volume
The most frequently called SIP numbers over the reporting period.
The SIP users that produced the most calls over the reporting period.
The SIP users that produced the longest cumulated call durations over the reporting period.
The most frequently blocked SIP users over the reporting period.
The most frequently blocked SIP users over the reporting period, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
The most frequently blocked SIP callers over the reporting period.
The most frequently blocked SIP callers over the reporting period, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Total SIP Calls by Duration Ranges: The SIP call durations over the reporting period, broken down by range.
Top SCCP Called Numbers: The most frequently called SCCP numbers over the reporting period.
Top SCCP Users by Number of Calls: The SCCP users that produced the most calls over the reporting period.
The SCCP users that produced the longest cumulated call durations over the reporting period.
The most frequently blocked SCCP users over the reporting period.
The most frequently blocked SCCP users over the reporting period, for configuring reports containing log information that is FortiOS 4.0 or earlier.
Top Blocked SCCP Callers: The most frequently blocked SCCP callers over the reporting period.
Top Blocked SCCP Callers (FortiOS 4.0 GA or earlier): The most frequently blocked SCCP callers over the reporting period, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Total SCCP calls by Duration Ranges: The SCCP call durations over the reporting period, broken down by range.
The most frequently blocked SIP users, broken down by reason, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked SIP Callers by Blocking Criteria: The most frequently blocked SIP callers, broken down by reason.
Top Blocked SIP Callers by Blocking Criteria: The most frequently blocked SIP callers, broken down by reason, for configuring reports containing log information that is FortiOS 4.0 or earlier.
Total SIP Calls per Status (Start/End/etc): The number of SIP calls over the reporting period, broken down by status.
Total SIP Call Registrations by Time Period: The time period breakdown of the number of SIP call registers over the reporting period.
Top SIP Called Numbers for Most Active Callers: Top SIP callers over the reporting period, broken down by called numbers.
Top Blocked SCCP Callers by Blocking Criteria: The most frequently blocked SCCP callers, broken down by reason.
Top Blocked SCCP Callers by Blocking Criteria: The most frequently blocked SCCP callers, broken down by reason, for configuring reports containing log information that is FortiOS 4.0 or earlier.
Total SCCP Calls per Status (Start/End/etc): The number of SCCP calls over the reporting period, broken down by status.
Top SCCP Called Numbers for Most Active Callers: Top SCCP callers over the reporting period, broken down by called numbers.
Description
The most frequently triggered data leak prevention rules over the reporting period.
The most frequent sources for data leaks over the reporting period.
The most frequent destinations for data leaks over the reporting period.
The protocols causing the most data leaks over the reporting period.
Top Data Leak Mail Senders: The mail senders causing the most data leaks over the reporting period.
Top Data Leak Mail Receivers: The mail receivers causing the most data leaks over the reporting period.
Top Data Leak Web Servers: The web servers causing the most data leaks over the reporting period.
Top Data Leak FTP Servers: The FTP servers causing the most data leaks over the reporting period.
Description
Top Applications: The top applications for the most frequently used application types.
Network Scan
Network Scan report templates contain statistics about the FortiGate vulnerability
management activity.
Table 21: Network scan report templates
Report
Description
Vulnerabilities by Severity
Vulnerabilities by Category
Application_Control
Application_Control report templates contain statistics about the FortiGate application
control activity.
Table 22: Application control report templates
Report
Description
appctrl-count-p2p-events-last24hours
appctrl-top10-apps-used-last24hours
appctrl-top10-email-users-last24hours
appctrl-top10-media-dest-last24hours
appctrl-top10-p2p-app-volume-last24hours
appctrl-top10-p2p-local-peers-blocked-last24hours
appctrl-top10-web-users-last24hours
Intrusion_Detection
Intrusion_Detection report templates contain statistics about the FortiGate intrusion
activity.
Table 23: Intrusion detection report templates
Report
Description
attack-dist-protocol-last24hours
attack-top10-last24hours
attack-top10-source-last24hours
AntiVirus
AntiVirus report templates contain statistics about the FortiGate antivirus activity.
Table 24: Antivirus report templates
Report
Description
av-dist-protocol-last24hours
av-dist-violations-last24hours
av-top10-file-extension-last24hours
av-top10-file-name-last24hours
av-top10-sources-http-last24hours
av-top10-sources-last24hours
av-top10-virus-last24hours
Data_Leak_Prevention
Data Leak Prevention report templates contain log information from Data Leak Protocol
logs.
Table 25: Data Leak Prevention report templates
Report
Description
dlp-dist-protocol-last24hours: The distribution of data leaks by protocol over the last 24 hours.
dlp-top10-email-receivers-last24hours: The top 10 email receivers triggering DLP rules in the last 24 hours.
dlp-top10-email-senders-last24hours: The top 10 email senders triggering DLP rules in the last 24 hours.
Email Filter
Email Filter report templates contain statistics about the FortiGate antispam activity.
Table 26: Email filter report templates
Report
Description
email-count-volume-last24hours
email-top10-receivers-last24hours
email-top10-senders-last24hours
email-top10-spam-sources-last24hours
email-usage-incoming-last24hours
email-usage-outgoing-last24hours
Event
Event report templates contain statistics about the FortiGate event activity.
Table 27: Event report templates
Report
Description
event-count-sessions-last24hours
event-dist-last24hours
event-top10-all-last24hours
event-top10-critical-last24hours
event-usage-mem-last24hours
Traffic
Traffic report templates contain statistics about the network traffic activity going through
the FortiGate unit.
Description
traffic-count-network-session-last24hours
traffic-count-port1-volume-last24hours: The traffic volume count for the port1 interface over the last 24 hours.
The count of SSH terminal client by volume over the last 24 hours.
traffic-count-terminal-telnet-volume-last24hours: The count of telnet terminal client by volume over the last 24 hours.
traffic-count-wanopt-bandwidth-last24hours
traffic-dist-network-bandwidth-last24hours
traffic-dist-wanopt-app-lan-bandwidth-last24hours: The Wan Opt application in LAN composition over the last 24 hours.
traffic-dist-wanopt-app-wan-bandwidth-last24hours: The Wan Opt application in WAN composition over the last 24 hours.
traffic-top10-ftp-client-volume-last24hours
traffic-top10-ftp-pair-volume-last24hours: The top 10 FTP client server pairs by volume over the last 24 hours.
traffic-top10-ftp-servers-volume-last24hours: The top 10 FTP servers accessed by volume over the last 24 hours.
traffic-top10-im-user-blocked-last24hours
traffic-top10-im-user-volume-last24hours
traffic-top10-network-dest-blocked-last24hours: The top 10 network destinations blocked (denied) over the last 24 hours.
traffic-top10-network-dest-volume-last24hours
traffic-top10-network-policies-blocked-last24hours: The top 10 network policies blocked (denied) over the last 24 hours.
traffic-top10-network-source-blocked-last24hours: The top 10 network sources blocked (denied) over the last 24 hours.
traffic-top10-network-source-volume-last24hours
traffic-top10-network-users-source-bandwidth-last24hours: The top 10 users by source and bandwidth over the last 24 hours.
traffic-top10-terminal-volume-last24hours
The following are FortiClient report templates that are only available for the Proprietary Index file system. FortiClient logs are the only logs used when compiling FortiClient reports.
Table 29: FortiClient Network Activity
Top Denied Destinations
Top Blocked Mail Receivers: Breakdown of the most blocked receiver email addresses.
Description
Top Client IP
Spam Filter
Disposition Action
Top Virus
Description
Top Sender
Top Sender IP
Top Recipient
Description
Top Spam IP
Report
Description
Top Virus IP
Administrative domains (ADOMs): 10, 50, 50, 100, 250, 100, 200, 500, 2000, 2000, 2000
Administrators: 10, 20, 100, 100, 200, 500
Administrator access profiles: 10, 20, 100, 100, 200, 500
RADIUS servers
RADIUS authentication groups: 6
Static routes: 32, 32, 32, 32, 32, 32
SMB shares: 16, 32, 64, 64, 64, 64
SMB users: 16, 32, 64, 64, 64, 64
SMB groups: 16, 32, 64, 64, 64, 64
16, 32, 64, 64, 64, 64
16, 32, 64, 64, 64, 64
16, 32, 64, 64, 64, 64
NFS exports: 16, 32, 64, 64, 64, 64
16, 32, 64, 64, 64, 64
16, 32, 64, 64, 64, 64
Registered log devices (FGT/FMG/FML/SL+FC): 100, 200, 500, 2000, 2000, 2000
50, 100, 250, 1000, 1000, 1000
100, 200, 500, 2000, 2000, 2000
Unregistered log devices: 100, 200, 500, 2000, 2000, 2000
100, 200, 500, 2000, 2000, 2000
Report IP aliases: 256, 256, 512, 512, 512, 512
Report schedules: 250, 250, 500, 500, 750, 1000
Report layouts: 250, 250, 500, 500, 750, 1000
Objects/queries per report layout: 500, 500, 500, 500, 500, 500
Report outputs: 250, 250, 500, 500, 750, 1000
Report filters: 250, 250, 500, 500, 750, 1000
Report datasets: 250, 250, 500, 500, 750, 1000
250, 500, 500, 750, 1000
250, 250, 500, 500, 750, 1000
250, 250, 500, 500, 750, 1000
250, 250, 500, 500, 750, 1000
SQL report components per layout: 500, 500, 500, 500, 500, 500
Alerts/SNMP managers (CmdGens/NotRcvrs): 31, 31, 31, 31, 31, 31
Alerts/SNMP managers per community: 10, 10, 10, 10, 10, 10
16, 16, 32, 32
16, 16, 32, 32
Alerts events: 10, 100, 100, 100, 256, 256
Alerts destinations per event: 16, 16, 32, 32, 64, 64
VM host assets: 100, 200, 200, 500, 500, 1000
VM business risks
Administrator sessions: 300, 300, 300, 300, 300, 300
NTP servers: 20, 20, 20, 20, 20, 20
Creating datasets
Creating datasets
SQL tables
Examples
Creating datasets
The following procedure describes how to create datasets in the web-based manager. You
can also use the CLI command config sql-report dataset to create datasets. For
details, see the FortiAnalyzer CLI Reference and the Examples section.
To create a custom data set in the web-based manager
1 Go to Report > Chart > Data Set.
2 Click Create New.
3 Configure the following, then click OK.
Name of the GUI item
Description
Name
Log Type ($log)
Time Period ($filter): Select to use logs from a time frame, or select Specified and define a custom time frame by selecting the Begin Time and End Time. $filter is used in the SQL query "where" clause to limit the results to the period you select.
Past N Hours/Days/Weeks: If you selected Past N Hours/Days/Weeks for Time Period, enter the number.
Begin Time: Enter the date (or use the calendar icon) and time of the beginning of the custom time range. This option appears only when you select Specified in the Time Period ($time) field.
End Time: Enter the date (or use the calendar icon) and time of the end of the custom time range. This option appears only when you select Specified in the Time Period ($time) field.
SQL Query: Enter the SQL query syntax to retrieve the log data you want from the SQL database.
Different SQL systems use different query syntaxes to deal with date/time format. The FortiAnalyzer unit uses PostgreSQL as the local database and supports MySQL as the remote database. To facilitate querying in both MySQL and PostgreSQL systems, you can use the following default date/time macros and query syntaxes for the corresponding time period you choose:
Hour_of_day: For example, you can select Yesterday for the Time Period and enter the syntax "select $hour_of_day as hourstamp, count(*) from $log where $filter group by hourstamp order by hourstamp".
Day_of_week: For example, you can select This Week for the Time Period and enter the syntax "select $day_of_week as datestamp, count(*) from $log where $filter group by datestamp order by datestamp".
Day_of_month: For example, you can select This Month for the Time Period and enter the syntax "select $day_of_month as datestamp, count(*) from $log where $filter group by datestamp order by datestamp".
Week_of_year: For example, you can select This Year for the Time Period and enter the syntax "select $week_of_year as weekstamp, count(*) from $log where $filter group by weekstamp order by weekstamp".
Month_of_year: For example, you can select This Year for the Time Period and enter the syntax "select $month_of_year as monthstamp, count(*) from $log where $filter group by monthstamp order by monthstamp".
The results of running the queries display the date and time first, followed by the log data.
Test: Click to test whether or not the SQL query is successful. See To test a SQL query on page 336.
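The macros above exist because the same "hour of day" or "day of week" expression is written differently in PostgreSQL (the local database) and MySQL (the remote one). The following is an added illustration, not FortiAnalyzer code: it expands $log, $filter and the five date macros for each dialect, using the standard date functions of each back end on the itime column that every log table carries (the expansions, the half-open time filter and the identifier quoting are this example's own assumptions; the unit's internal substitution is not documented here). The table name is a constructed sample in the [Device Name]-[SQL table type]-[timestamp] form.

```python
"""Expand FortiAnalyzer dataset macros for PostgreSQL and MySQL.

Added example, not FortiAnalyzer code. The per-dialect date expressions,
the form of the $filter range and the identifier quoting are assumptions
made here; itime is the timestamp column the guide lists for all tables.
"""
from datetime import datetime, timedelta

# One logical macro, two spellings: this difference is why the GUI offers
# macros instead of having the user write raw date functions.
DATE_MACROS = {
    "postgresql": {
        "$hour_of_day": "extract(hour from itime)",
        "$day_of_week": "extract(dow from itime)",
        "$day_of_month": "extract(day from itime)",
        "$week_of_year": "extract(week from itime)",
        "$month_of_year": "extract(month from itime)",
    },
    "mysql": {
        "$hour_of_day": "hour(itime)",
        "$day_of_week": "dayofweek(itime)",
        "$day_of_month": "dayofmonth(itime)",
        "$week_of_year": "week(itime)",
        "$month_of_year": "month(itime)",
    },
}

# Quoting used when the expanded SQL is run directly against each back end.
# (The FortiAnalyzer console itself takes grave accents; see Troubleshooting.)
QUOTE = {"postgresql": '"', "mysql": "`"}

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def time_filter(begin, end):
    """$filter as a half-open range: begin <= itime < end (same text in both dialects)."""
    if end <= begin:
        raise ValueError("end of the time period must be after its beginning")
    return f"itime >= '{begin.strftime(TIME_FMT)}' and itime < '{end.strftime(TIME_FMT)}'"


def past_n(now, n, unit):
    """Begin/end pair for the Past N Hours/Days/Weeks time period setting."""
    span = {"hours": timedelta(hours=n), "days": timedelta(days=n),
            "weeks": timedelta(weeks=n)}[unit]
    return now - span, now


def expand(query, dialect, table, begin, end):
    """Substitute $log, $filter and the date macros into a dataset query.

    An unrecognised $-macro is rejected here instead of being passed on to
    the database, where it would only surface as a syntax error.
    """
    if dialect not in DATE_MACROS:
        raise ValueError(f"unsupported dialect: {dialect}")
    q = QUOTE[dialect]
    out = query.replace("$log", f"{q}{table}{q}")
    out = out.replace("$filter", time_filter(begin, end))
    for macro, expr in DATE_MACROS[dialect].items():
        out = out.replace(macro, expr)
    leftover = sorted({tok for tok in out.split() if tok.startswith("$")})
    if leftover:
        raise ValueError(f"unknown macro(s): {', '.join(leftover)}")
    return out


# Constructed sample: the guide's own Hour_of_day query over one day of a
# traffic-log table named per the [Device]-[type]-[timestamp] convention.
SAMPLE_QUERY = ("select $hour_of_day as hourstamp, count(*) from $log "
                "where $filter group by hourstamp order by hourstamp")
SAMPLE_TABLE = "FGT-example-tlog-1275350400"


def expand_sample(dialect, query=SAMPLE_QUERY):
    """The sample query expanded for one dialect over 2010-06-01 (constructed date)."""
    return expand(query, dialect, SAMPLE_TABLE, datetime(2010, 6, 1), datetime(2010, 6, 2))


if __name__ == "__main__":
    for name in DATE_MACROS:
        print(name, "->", expand_sample(name))
```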
VDom: If you want to apply the SQL query to a FortiGate VDOM, enter the name of the VDOM.
Time Period ($filter): Select to query the logs from a time frame, or select Specified and define a custom time frame by selecting the Begin Time and End Time. $filter is used in the where clause of the SQL query to limit the results to the period you select.
Past N Hours/Days/Weeks: If you selected Past N Hours/Days/Weeks for Time Period, enter the number.
Begin Time: Enter the date (or use the calendar icon) and time of the beginning of the custom time range. This option appears only when you select Specified in the Time Period ($filter) field.
End Time: Enter the date (or use the calendar icon) and time of the end of the custom time range. This option appears only when you select Specified in the Time Period ($filter) field.
SQL Query: Enter the SQL query to retrieve the log data you want from the SQL database.
Run
Clear
Save
Options: Select to save the SQL query console configuration to the data set configuration. The Device and VDOM configurations are not used by the data set configuration.
Close
Troubleshooting
If the query is unsuccessful, an error message appears in the results window indicating the cause of the problem.
Check that SQL keywords are spelled correctly, and that the query is well-formed. Table and column names are delimited by grave accent (`) characters. Single (') and double (") quotation marks will cause an error.
No data is covered.
The query is correctly formed, but no data has been logged for the log type. Check that you have configured the FortiAnalyzer unit to save that log type. Under System > Config > SQL Database, make sure that the log type is checked.
Connection problems
If well-formed queries do not produce results, and logging is turned on for the log type, there may be a database configuration problem with the remote database.
Ensure that:
You have created an empty database and a user with create permissions for the database.
Here is an example of creating a new MySQL database named fazlogs, and adding a user for the database:
# mysql -u root -p
mysql> CREATE DATABASE fazlogs;
mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'%' IDENTIFIED BY 'fazpassword';
mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'localhost' IDENTIFIED BY 'fazpassword';
SQL tables
The FortiAnalyzer unit creates a database table for each managed device and each log
type, when there is log data. If the FortiAnalyzer unit is not receiving data from a device, or
logging is not enabled under System > Config > SQL Database, it does not create log
tables for that device.
SQL tables follow the naming convention of [Device Name]-[SQL table type]-[
timestamp], where the SQL table type is one of the types listed in Table 37 on page 339.
Note: The timestamp portion of the log name depends on the FortiAnalyzer unit firmware
release. It is either the creation time of the table (in releases before 4.2.1), or the timestamp
of the log on disk (in releases 4.2.1 and later).
To view all the named tables created in a database, you can use:
The names of all created tables and their types are stored in a master table named
table_ref.
Table 37: Log types and table types
Log Type                      SQL table type   Description
Traffic log                   tlog             The traffic log records all traffic to and through the FortiGate interface.
Event log                     elog
Antivirus log                 vlog             The antivirus log records virus incidents in Web, FTP, and email traffic.
Webfilter log                 wlog             The web filter log records HTTP FortiGate log rating errors, including web content blocking actions that the FortiGate unit performs.
Attack log                    alog             The attack log records attacks that are detected and prevented by the FortiGate unit.
Spamfilter log                slog
Data Leak Prevention log      dlog
Application Control log       rlog
Vulnerability Management log  nlog
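Added example, not part of the FortiAnalyzer guide: it parses table names by the [Device Name]-[SQL table type]-[timestamp] convention above, using the type codes of Table 37, and reports which devices have no table for a given log type (a quick check before writing a dataset, since a well-formed query against a missing table simply returns no rows). It assumes the timestamp is the last hyphen-separated token; device names themselves may contain hyphens.

```python
"""Parse FortiAnalyzer SQL log table names and report per-device log type coverage."""
import re
from collections import defaultdict

# SQL table type codes from Table 37.
TABLE_TYPES = {
    "tlog": "Traffic log",
    "elog": "Event log",
    "vlog": "Antivirus log",
    "wlog": "Webfilter log",
    "alog": "Attack log",
    "slog": "Spamfilter log",
    "dlog": "Data Leak Prevention log",
    "rlog": "Application Control log",
    "nlog": "Vulnerability Management log",
}

# Anchoring on the known type codes lets the device name itself contain hyphens;
# the timestamp is taken as the final hyphen-free token (assumption, see lead-in).
_NAME_RE = re.compile(
    r"^(?P<device>.+)-(?P<ttype>" + "|".join(TABLE_TYPES) + r")-(?P<stamp>[^-]+)$"
)

# Constructed sample table names; the timestamp tokens are placeholders.
SAMPLE_TABLES = [
    "FG100D-branch-1-tlog-1300000000",
    "FG100D-branch-1-elog-1300000000",
    "FG100D-branch-1-alog-1300003600",
    "FGT60C-lab-tlog-1300000000",
    "table_ref",   # the master table does not follow the convention
]


def parse_table_name(name):
    """Return (device, table type, timestamp), or None if the name does not follow the convention."""
    m = _NAME_RE.match(name)
    if not m:
        return None
    return m.group("device"), m.group("ttype"), m.group("stamp")


def coverage_by_device(table_names):
    """Map each device to the set of table type codes it has at least one table for.

    Names that do not follow the convention (such as table_ref) are skipped rather
    than being treated as a device.
    """
    seen = defaultdict(set)
    for name in table_names:
        parsed = parse_table_name(name)
        if parsed:
            device, ttype, _ = parsed
            seen[device].add(ttype)
    return dict(seen)


def missing_log_types(table_names, expected=("tlog", "elog", "alog")):
    """Return {device: [missing type codes]} for devices lacking any expected log type."""
    return {
        device: [t for t in expected if t not in types]
        for device, types in coverage_by_device(table_names).items()
        if any(t not in types for t in expected)
    }


if __name__ == "__main__":
    for device, missing in missing_log_types(SAMPLE_TABLES).items():
        names = ", ".join(TABLE_TYPES[t] for t in missing)
        print(f"{device}: no table for {names}")
```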
FortiAnalyzer logs also include log sub-types, which are types of log messages that are
within the main log type. For example, the event log type contains the admin sub-type of
log messages. FortiAnalyzer log types and sub-types are numbered, and these numbers
appear within the log identification field of the log message.
Table 38: Log sub-types (only the Sub-Type column survived extraction; the Description and Generated by columns are not recoverable)
Sub-Type
dlp (Data Leak Prevention)
app-crtl (Application Control Log)
DLP archive (DLP Archive Log)
virus (Antivirus Log)
webfilter (Web Filter Log)
emailfilter (Spam Filter Log)
SMTP
POP3
IMAP
Table 39: Log severity levels
0 - Emergency
1 - Alert
2 - Critical       Functionality is affected.
3 - Error
4 - Warning
5 - Notification
6 - Information
The Debug severity level, not shown in Table 39, is rarely used. It is the lowest log severity
level and usually contains some firmware status information that is useful when the
FortiGate unit is not functioning properly. Debug log messages are only generated if the
log severity level is set to Debug. Debug log messages are generated by all types of
FortiGate features.
341
SQL tables
Type
Description
Tables
PostgreSQL
MySQL
id
int unsigned
ID / primary key for the record
not null primary
key
all
itime
timestamp
datetime
all
dtime
timestamp
datetime
all
cluster_id
varchar(24)
varchar(24)
all
device_id
varchar(16)
varchar(16)
all
log_id
int default 0
smallint
unsigned
default 0
subtype
varchar(255)
varchar(255)
type
varchar(255)
varchar(255)
all
timestamp
int default 0
int unsigned
default 0
all
pri
varchar(255)
varchar(255)
all
vd
varchar(255)
varchar(255)
all
user
varchar(255)
varchar(255)
group
varchar(255)
varchar(255)
src
varchar(40)
(255 for alog)
varchar(40)
(255 for alog)
dst
varchar(40)
(255 for alog)
varchar(40)
(255 for alog)
src_port
int default 0
smallint
unsigned
default 0
The source port of the TCP or UDP traffic. The source all except nlog
protocol is zero for other types of traffic.
dst_port
int default 0
smallint
unsigned
default 0
The destination port number of the TCP or UDP traffic. all except nlog
The destination port is zero for other types of traffic.
src_int
varchar(255)
varchar(255)
dst_int
varchar(255)
varchar(255)
policyid
bigint default
0
int unsigned
default 0
The ID number of the firewall policy that applies to the all except nlog
session or packet. Any policy that is automatically
added by the FortiGate will have an index number of
zero. For more information, see the Fortinet
Knowledge Base article, Firewall policy=0.
342
SQL tables
varchar(255)
varchar(255)
identidx
bigint default
0
int unsigned
default 0
profile
varchar(255)
varchar(255)
profiletype
varchar(255)
varchar(255)
profilegroup
varchar(255)
varchar(255)
Application control log (rlog) fields
Field           PostgreSQL          MySQL                          Description
status          varchar(255)        varchar(255)                   The status of the action the FortiGate unit took when the event occurred. For application control logs, this field can be: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded, failed, authentication-required, pass, block.
carrier_ep      varchar(255)        varchar(255)
kind            varchar(255)        varchar(255)
dir             varchar(255)        varchar(255)                   The direction of the traffic. This field is an enum, and can be one of: incoming, outgoing, N/A.
src_name        varchar(255)        varchar(255)
dst_name        varchar(255)        varchar(255)
proto           int default 0       smallint unsigned default 0    The protocol number that applies to the session or packet: the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
serial          bigint default 0    int unsigned default 0
app_list        varchar(255)        varchar(255)                   The application control list (under UTM > Application Control > Application Control List on the FortiGate unit) that contains the policy that triggered this log item.
app_type        varchar(255)        varchar(255)
app             varchar(255)        varchar(255)                   The application name. You can look the application up in UTM > Application Control > Application List, and then select the name that is in the field to go to more detailed information on the FortiGuard Encyclopedia.
action          varchar(255)        varchar(255)                   The action the FortiGate unit took for this session or packet. This field is an enum and can be one of: pass, block, monitor, kickout, encrypt-kickout, reject.
count           bigint default 0    int unsigned default 0
filename        varchar(255)        varchar(255)
filesize        bigint default 0    int unsigned default 0
message         varchar(255)        varchar(255)
content         varchar(255)        varchar(255)
reason          varchar(255)        varchar(255)
req             varchar(255)        varchar(255)                   Request.
phone           varchar(255)        varchar(255)
msg             varchar(255)        varchar(255)
attack_id       bigint default 0    int unsigned default 0         Attack ID.
Attack log (alog) fields
Field              PostgreSQL          MySQL                          Description
status             varchar(255)        varchar(255)                   The status of the action the FortiGate unit took when the event occurred. For attack logs, this field can be: detected, dropped, reset, reset_client, reset_server, drop_session, pass_session, clear_session.
serial             bigint default 0    int unsigned default 0
attack_id          bigint default 0    int unsigned default 0
severity           varchar(255)        varchar(255)
carrier_ep         varchar(255)        varchar(255)
sensor             varchar(255)        varchar(255)
icmp_id            varchar(255)        varchar(255)
icmp_type          varchar(255)        varchar(255)
icmp_code          varchar(255)        varchar(255)
proto              smallint default 0  tinyint unsigned default 0
ref                varchar(255)        varchar(255)
count              bigint default 0    int unsigned default 0
incident_serialno  bigint default 0    int unsigned default 0         The unique ID for this attack. This number is used to cross-reference IPS packet logs.
msg                varchar(255)        varchar(255)
Content archive log fields
Field           PostgreSQL          MySQL               Description
status          varchar(255)        varchar(255)        The status of the action the FortiGate unit took when the event occurred.
clogver         smallint default 0
epoch           bigint default 0
eventid         bigint default 0
SN              bigint default 0
endpoint        varchar(255)        varchar(255)
client          varchar(40)         varchar(40)
server          varchar(40)         varchar(40)
laddr           varchar(40)         varchar(40)
raddr           varchar(40)         varchar(40)
cstatus         varchar(255)        varchar(255)
infection       varchar(255)        varchar(255)
virus           varchar(255)        varchar(255)
rcvd            bigint default 0
sent            bigint default 0
method          varchar(255)        varchar(255)
url             varchar(255)        varchar(255)
cat             varchar(255)        varchar(255)
cat_desc        varchar(255)        varchar(255)
to              varchar(255)        varchar(255)        To
from            varchar(255)        varchar(255)        From
subject         varchar(255)        varchar(255)        Subject
direction       varchar(255)        varchar(255)        Incoming or outgoing.
attachment      smallint default 0
ftpcmd          varchar(255)        varchar(255)
file            varchar(255)        varchar(255)
local           varchar(255)        varchar(255)
remote          varchar(255)        varchar(255)
proto           varchar(255)        varchar(255)        The protocol.
kind            varchar(255)        varchar(255)
action          varchar(255)        varchar(255)        The action.
dir             varchar(255)        varchar(255)
messages        bigint default 0
start-date      varchar(255)        varchar(255)
end-date        varchar(255)        varchar(255)
content         varchar(255)        varchar(255)        IM chat content.
filename        varchar(255)        varchar(255)        File name.
filesize        bigint default 0                        File size.
message         varchar(255)        varchar(255)        Message.
conn-mode       varchar(255)        varchar(255)        Connection mode.
heuristic       varchar(255)        varchar(255)        Heuristic.
duration        bigint default 0
reason          varchar(255)        varchar(255)        The reason.
phone           varchar(255)        varchar(255)        Phone number.
dlp_sensor      varchar(255)        varchar(255)        DLP sensor.
message_type    varchar(255)        varchar(255)
request_name    varchar(255)        varchar(255)        Request name.
malform_desc    varchar(255)        varchar(255)
malform_data    bigint default 0                        Malform data.
line            varchar(255)        varchar(255)        Line.
column          bigint default 0                        Column.
Values of the malform_desc field (SIP/SDP malformation descriptions):
<att-value>-expected
<bwtype>-execpted
<callid>-expected
<CSeq-num>-expected
<delta-seconds>-expected
<encoding-name>-expected-in-rtpmap
<fmt>-expected
<gen-value>-expected
<generic-param>-with-invalid-<gen-value>
<integer>-expected
<m-attribute>-expected-after-SEMI
<m-subtype>-expected
<method>-does-not-match-the-request-line
<method>-expected
<Method>-expected-after-<CSeq-num>
<payload-type>-expected-in-rtpmap
<proto>-expected
<repeat-interval>-expected
<response-num>-expected
<seq>-number-expected
<sess-id>-expected
<sess-version>-expected
<text>-expected
<time>-expected
<token>-expected-in-<proto>-after-slash
<typed-time>-expected
<username>-exepcted
<word>-expected
boundary-parameter-appears-more-than-once
colon-expected
digits-expected
domain-label-oversize
domain-name-invalid
domain-name-oversize
duplicated-sip-header
empty-quoted-string
end-of-line-error
EQUAL-expected-after-<m-attribute>
expires-header-repeated
header-line-oversize
header-parameter-expected
IN-expected
invalid-<clock-rate>-in-rtpmap
invalid-<encoding-parameters>-in-rtpmap
invalid-<gen-value>
invalid-<m-value>
invalid-<protocol-name>
invalid-<quoted-string>-in-<gen-value>
invalid-<quoted-string>-in-<m-value>
invalid-<SIP-Version>-on-request-line
invalid-<userinfo>
invalid-branch-parameter
invalid-candidate-line
invalid-escape-encoding-in-<reason-phrase>
invalid-escape-encoding-in-<userinfo>
invalid-escape-encoding-in-uri-header
invalid-escape-encoding-in-uri-parameter
invalid-expires-parameter
invalid-fqdn
invalid-ipv4-address
invalid-ipv6-address
invalid-maddr-parameter
invalid-max-forwards
invalid-method-uri-parameter
invalid-port
invalid-quoting-character
invalid-received-parameter
invalid-rport-parameter
invalid-status-code
invalid-tag-parameter
invalid-transport-uri-parameter
invalid-ttl-parameter
invalid-ttl-uri-parameter
invalid-uri-header-name
invalid-uri-header-name-value-pair
invalid-uri-parameter-pname
<bandwidth>-expected
<m-type>-expected
<media>-expected
invalid-<protocol-version>
invalid-uri-header-value
invalid-user-uri-parameter
IP-expected
IP4-or-IP6-expected
ipv4-address-expected
IPv4-or-IPv6-address-expected
ipv6-address-expected
left-angle-bracket-is-mandatory
line-order-error
LWS-expected
missing-mandatory-field
msg-body-oversize
multipart-Content-Type-has-no-boundary
no-matching-double-quote
no-METHOD-on-request-line
no-SLASH-after-<protocol-name>
no-SLASH-after-<protocol-version>
no-tag-parameter
o-line-not-allowed-on-media-level
port-expected
port-not-allowed
r-line-not-allowed-on-media-level
right-angle-bracket-not-found
s-line-not-allowed-on-media-level
sdp-rtcp-line-before-m-line
sdp-v-o-s-t-lines-are-mandatory
sip-udp-message-truncated
sip-Yahoo-candidate-invalid-protocol
slash-expected-after-<encoding-name>-in-rtpmap
SLASH-expected-after-<m-type>
space-violation
syntax-malformed
t-line-not-allowed-on-media-level
token-expected
too-many-c-lines
too-many-candidate-lines
too-many-i-lines
too-many-m-lines
too-many-o-lines
too-many-rtcp-lines
too-many-s-lines
too-many-v-line
trailing-bytes
unexpected-character
unknown-header
unknown-scheme
uri-expected
uri-parameter-repeat
uri-parameters-not-allowed-by-RFC
v-line-not-allowed-on-media-level
whitespace-expected
z-line-not-allowed-on-media-level
via-parameter-repeat
Data Leak Prevention log (dlog) fields
Field           PostgreSQL          MySQL                          Description
status          varchar(255)        varchar(255)                   The status of the action the FortiGate unit took when the event occurred. For DLP logs, this field can be: detected, blocked.
service         varchar(255)        varchar(255)
serial          bigint default 0
sport           int default 0       smallint unsigned default 0
dport           int default 0       smallint unsigned default 0
hostname        varchar(255)        varchar(255)
url             varchar(255)        varchar(255)
from            varchar(255)        varchar(255)
to              varchar(255)        varchar(255)
msg             varchar(255)        varchar(255)
rulename        varchar(255)        varchar(255)
compoundname    varchar(255)        varchar(255)
action          varchar(255)        varchar(255)                   The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no log type is specified, this field displays log-only. This field is an enum, and can have one of: log-only, block, exempt, ban, ban sender, quarantine ip, quarantine interface.
severity        smallint default 0  tinyint unsigned default 0
Email filter log (slog) fields
Field           PostgreSQL          MySQL                          Description
status          varchar(255)        varchar(255)                   The status of the action the FortiGate unit took when the event occurred. For email filter logs, this field can be: exempted, blocked, detected.
service         varchar(255)        varchar(255)
serial          bigint default 0
sport           int default 0       smallint unsigned default 0
dport           int default 0       smallint unsigned default 0
carrier_ep      varchar(255)        varchar(255)
from            varchar(255)        varchar(255)
to              varchar(255)        varchar(255)
banword         varchar(255)        varchar(255)
tracker         varchar(255)        varchar(255)                   Tracker
dir             varchar(255)        varchar(255)                   The email direction. This field is an enum, and can have one of: tx, rx.
agent           varchar(255)        varchar(255)
msg             varchar(255)        varchar(255)
Event log (elog) fields
Field           PostgreSQL              MySQL               Description
status          varchar(255)            varchar(255)        The status of the action the FortiGate unit took when the event occurred. For event logs, the possible values depend on the subcategory. Subcategory ipsec: success, failure, negotiate_error, esp_error, dpd_failure. Subcategory voip: start, end, timeout, blocked, succeeded, failed, authentication-required. Subcategory gtp: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data.
msg             varchar(255)            varchar(255)
ssid            varchar(255)            varchar(255)
action          varchar(255)            varchar(255)        The action the FortiGate unit should take for this firewall policy. For event logs, the possible values depend on the subcategory of the event. Subcategory ipsec: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down. Subcategory nac-quarantine: ban-ip, ban-interface, ban-src-dst-ip. Subcategory sslvpn-user: tunnel-up, tunnel-down, ssl-login-fail. Subcategory sslvpn-admin: info. Subcategory sslvpn-session: tunnel-stats, ssl-web-deny, ssl-web-pass, ssl-web-timeout, ssl-web-close, ssl-sys-busy, ssl-cert, ssl-new-con, ssl-alert, ssl-exit-fail, ssl-exit-error, tunnel-up, tunnel-down, tunnel-stats, ssl-tunnel-unknown-tag, ssl-tunnel-error. Subcategory voip: permit, block, monitor, kickout, encrypt-kickout, cm-reject, exempt, ban, ban-user, log-only. Subcategory his-performance: perf-stats.
session_id      bigint default 0                            The session ID
count           bigint default 0
proto           varchar(255)            varchar(255)        The protocol
cpu             smallint default 0
epoch           bigint default 0
mem             smallint default 0
duration        bigint default 0
infected        bigint default 0
from            varchar(255)            varchar(255)        Source IP address.
ha_group        smallint default 0
tunnel_id       bigint default 0                            Tunnel ID
bssid           varchar(255)            varchar(255)
tunnel_type     varchar(255)            varchar(255)        Tunnel type
event_id        bigint default 0                            Event ID
ip              varchar(40)             varchar(40)         IP address
ha_role         varchar(255)            varchar(255)
rem_ip          varchar(40)             varchar(40)
suspicious      bigint default 0
sn              varchar(255)            varchar(255)
to              varchar(255)            varchar(255)        Destination IP address.
total_session   bigint default 0                            Total IP sessions.
ap              varchar(255)            varchar(255)
scanned         bigint default 0
vcluster        bigint default 0                            Virtual cluster.
remote_ip       varchar(40)             varchar(40)
carrier_ep      varchar(255)            varchar(255)
imsi            varchar(255)            varchar(255)
loc_ip          varchar(40)             varchar(40)         Local IP
from_vcluster   bigint default 0
rem_port        int default 0                               Remote port.
msisdn          varchar(255)            varchar(255)
tunnel_ip       varchar(40)             varchar(40)         Tunnel IP.
intercepted     bigint default 0
vap             varchar(255)            varchar(255)
apn             varchar(255)            varchar(255)
out_intf        varchar(255)            varchar(255)
blocked         bigint default 0
mac             varchar(255)            varchar(255)        MAC address.
to_vcluster     bigint default 0                            To virtual cluster.
acct_stat       varchar(255)            varchar(255)
selection       varchar(255)            varchar(255)
reason          varchar(255)            varchar(255)
rate            smallint default 0                          Traffic rate
loc_port        int default 0                               Local port.
vcluster_member bigint default 0
vcluster_state  varchar(255)            varchar(255)
app-type        varchar(255)            varchar(255)        Application type.
nsapi           smallint default 0
dport           int default 0                               Destination port.
channel         smallint default 0                          Channel.
cookies         varchar(255)            varchar(255)        Cookies.
checksum        bigint default 0
dst_host        varchar(255)            varchar(255)
nf_type         varchar(255)            varchar(255)
vdname          varchar(255)            varchar(255)
linked-nsapi    smallint default 0
next_stats      bigint default 0                            Next statistics.
virus           varchar(255)            varchar(255)        Virus name.
imei-sv         varchar(255)            varchar(255)
devintfname     varchar(255)            varchar(255)
security        varchar(255)            varchar(255)
policy_id       bigint default 0
rai             varchar(255)            varchar(255)
hostname        varchar(255)            varchar(255)
xauth_user      varchar(255)            varchar(255)
uli             varchar(255)            varchar(255)
xauth_group     varchar(255)            varchar(255)
sent            numeric(20) default 0
rcvd            numeric(20) default 0
sess_duration   bigint default 0
hbdn_reason     varchar(255)            varchar(255)
banned_src      varchar(255)            varchar(255)
end-usraddress  varchar(40)             varchar(40)
msg-type        smallint default 0                          Message type.
sync_type       varchar(255)            varchar(255)
banned_rule     varchar(255)            varchar(255)
vpn_tunnel      varchar(255)            varchar(255)        VPN tunnel.
sync_status     varchar(255)            varchar(255)
alert           varchar(255)            varchar(255)        Alert.
sensor          varchar(255)            varchar(255)        Sensor name.
endpoint        varchar(255)            varchar(255)        The endpoint.
stage           smallint default 0                          Stage.
voip_proto      varchar(255)            varchar(255)
deny_cause      varchar(255)            varchar(255)
desc            varchar(255)            varchar(255)        Description
dir             varchar(255)            varchar(255)
kind            varchar(255)            varchar(255)
init            varchar(255)            varchar(255)
mode            varchar(255)            varchar(255)
cert-type       varchar(255)            varchar(255)
ui              varchar(255)            varchar(255)        User interface.
exch            varchar(255)            varchar(255)
rat-type        varchar(255)            varchar(255)
error_num       varchar(255)            varchar(255)
method          varchar(255)            varchar(255)        The method.
phase2_name     varchar(255)            varchar(255)
spi             varchar(255)            varchar(255)
c-sgsn          varchar(40)             varchar(40)
request_name    varchar(255)            varchar(255)        Request name
seq             varchar(255)            varchar(255)        Sequence number
c-ggsn          varchar(40)             varchar(40)
in_spi          varchar(255)            varchar(255)
u-sgsn          varchar(40)             varchar(40)
out_spi         varchar(255)            varchar(255)
u-ggsn          varchar(40)             varchar(40)
c-sgsn-teid     bigint default 0
enc_spi         varchar(255)            varchar(255)
c-ggsn-teid     bigint default 0
dec_spi         varchar(255)            varchar(255)
message_type    varchar(255)            varchar(255)
malform_desc    varchar(255)            varchar(255)
tunnel          varchar(255)            varchar(255)        Tunnel name
u-sgsn-teid     bigint default 0
u-ggsn-teid     bigint default 0
malform_data    bigint default 0                            Malformed data.
tunnel-idx      bigint default 0
line            varchar(255)            varchar(255)
column          bigint default 0
c-pkts          numeric(20) default 0
phone           varchar(255)            varchar(255)
profile_group   varchar(255)            varchar(255)
c-bytes         numeric(20) default 0
u-pkts          numeric(20) default 0
profile_type    varchar(255)            varchar(255)        Profile type.
u-bytes         numeric(20) default 0
next_stat       bigint default 0                            Next stat.
user_data       varchar(255)            varchar(255)        User data.
role            varchar(255)            varchar(255)
result          varchar(255)            varchar(255)
xauth_result    varchar(255)            varchar(255)
esp_transform   varchar(255)            varchar(255)
esp_auth        varchar(255)            varchar(255)
error_reason    varchar(255)            varchar(255)
peer_notif      varchar(255)            varchar(255)        Peer Notification. This field is an enum, and can have one of: NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED, SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION, INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI, INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX, PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING, INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION, AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME, CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED, RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE, R-U-THERE-ACK, HEARTBEAT, RETRY-LIMIT-REACHED.
Values of the malform_desc field (SIP/SDP malformation descriptions):
unexpected-character
invalid-quoting-character
trailing-bytes
header-line-oversize
msg-body-oversize
domain-name-oversize
domain-label-oversize
syntax-malformed
duplicated-sip-header
space-violation
invalid-ipv4-address
invalid-ipv6-address
invalid-port
invalid-fqdn
no-matching-double-quote
empty-quoted-string
invalid-<userinfo>
invalid-escape-encoding-in-<userinfo>
invalid-escape-encoding-in-uri-parameter
invalid-escape-encoding-in-uri-header
invalid-escape-encoding-in-<reason-phrase>
port-expected
port-not-allowed
domain-name-invalid
<gen-value>-expected
invalid-<gen-value>
invalid-<quoted-string>-in-<gen-value>
ipv4-address-expected
ipv6-address-expected
uri-expected
invalid-transport-uri-parameter
invalid-user-uri-parameter
invalid-method-uri-parameter
invalid-ttl-uri-parameter
invalid-uri-parameter-pname
invalid-uri-parameter-value
uri-parameter-repeat
invalid-uri-header-name
invalid-uri-header-value
invalid-uri-header-name-value-pair
invalid-quoted-string-in-display-name
left-angle-bracket-is-mandatory
right-angle-bracket-not-found
invalid-status-code
no-METHOD-on-request-line
uri-parameters-not-allowed-by-RFC
unknown-scheme
whitespace-expected
LWS-expected
invalid-<SIP-Version>-on-request-line
invalid-<protocol-name>
invalid-<protocol-version>
invalid-<transport>
no-SLASH-after-<protocol-name>
no-SLASH-after-<protocol-version>
header-parameter-expected
invalid-ttl-parameter
invalid-maddr-parameter
invalid-received-parameter
invalid-branch-parameter
invalid-rport-parameter
via-parameter-repeat
<seq>-number-expected
<method>-expected
<method>-does-not-match-the-request-line
<response-num>-expected
<CSeq-num>-expected
<Method>-expected-after-<CSeq-num>
expires-header-repeated
<delta-seconds>-expected
invalid-max-forwards
token-expected
invalid-expires-parameter
invalid-q-parameter
<generic-param>-with-invalid-<gen-value>
<m-type>-expected
SLASH-expected-after-<m-type>
<m-subtype>-expected
<m-attribute>-expected-after-SEMI
boundary-parameter-appears-more-than-once
EQUAL-expected-after-<m-attribute>
invalid-<quoted-string>-in-<m-value>
invalid-<m-value>
multipart-Content-Type-has-no-boundary
digits-expected
IN-expected
IP-expected
IP4-or-IP6-expected
IPv4-or-IPv6-address-expected
line-order-error
z-line-not-allowed-on-media-level
<time>-expected
<typed-time>-expected
r-line-not-allowed-on-media-level
<repeat-interval>-expected
<bwtype>-execpted
colon-expected
<bandwidth>-expected
t-line-not-allowed-on-media-level
invalid-<start-time>
invalid-<stop-time>
too-many-i-lines
<text>-expected
too-many-c-lines
too-many-v-line
v-line-not-allowed-on-media-level
too-many-o-lines
o-line-not-allowed-on-media-level
<username>-exepcted
<sess-id>-expected
<sess-version>-expected
too-many-s-lines
s-line-not-allowed-on-media-level
too-many-m-lines
<media>-expected
<integer>-expected
<proto>-expected
<token>-expected-in-<proto>-after-slash
<fmt>-expected
<att-field>-expected
<att-value>-expected
<payload-type>-expected-in-rtpmap
<encoding-name>-expected-in-rtpmap
slash-expected-after-<encoding-name>-in-rtpmap
invalid-<clock-rate>-in-rtpmap
invalid-<encoding-parameters>-in-rtpmap
invalid-candidate-line
sdp-candidate-line-before-m-line
sip-Yahoo-candidate-invalid-protocol
invalid-port-after-ip-address-in-candidate-line
too-many-candidate-lines
sdp-invalid-alt-line
sdp-alt-line-before-m-line
invalid-port-after-ip-address-in-alt-line
sdp-rtcp-line-before-m-line
invalid-port-in-rtcp-line
too-many-rtcp-lines
<callid>-expected
<word>-expected
invalid-tag-parameter
no-tag-parameter
sdp-v-o-s-t-lines-are-mandatory
unknown-header
end-of-line-error
sip-udp-message-truncated
missing-mandatory-field
Traffic log (tlog) fields
Field              PostgreSQL          MySQL                          Description
status             varchar(255)        varchar(255)
dir_disp           varchar(255)        varchar(255)
tran_disp          varchar(255)        varchar(255)
srcname            varchar(255)        varchar(255)
dstname            varchar(255)        varchar(255)
tran_ip            varchar(40)         varchar(40)
tran_port          int default 0       smallint unsigned default 0    The translated port number in NAT mode. For transparent mode, it is zero (0).
proto              int default 0
app_type           varchar(255)        varchar(255)
duration           bigint default 0
rule               bigint default 0
sent               bigint default 0
rcvd               bigint default 0
sent_pkt           bigint default 0
rcvd_pkt           bigint default 0
vpn                varchar(255)        varchar(255)
SN                 bigint default 0
carrier_ep         varchar(255)        varchar(255)
wanopt_app_type    varchar(255)        varchar(255)
wan_in             bigint default 0
wan_out            bigint default 0
lan_in             bigint default 0
lan_out            bigint default 0
app                varchar(255)        varchar(255)
app_cat            varchar(255)        varchar(255)
shaper_drop_sent   bigint default 0
shaper_drop_rcvd   bigint default 0
perip_drop         bigint default 0
shaper_sent_name   varchar(255)        varchar(255)
shaper_rcvd_name   varchar(255)        varchar(255)
perip_name         varchar(255)        varchar(255)
Antivirus log (vlog) fields
Field           PostgreSQL          MySQL                          Description
status          varchar(255)        varchar(255)                   The status of the action the FortiGate unit took when the event occurred. For antivirus logs, this field can be: blocked, passthrough, monitored.
msg             varchar(255)        varchar(255)                   Explains the activity or event that the FortiGate unit recorded. For example, the file that was downloaded from the web site exceeded the specified size limit.
sport           int default 0       smallint unsigned default 0    The source port the traffic originates from.
dport           int default 0       smallint unsigned default 0    The destination port the traffic is going to.
serial          bigint default 0    int unsigned default 0
dir             varchar(255)        varchar(255)                   Direction
filefilter      varchar(255)        varchar(255)                   The file filter. This field is an enum, and can have one of: none, file pattern, file type.
filetype        varchar(255)        varchar(255)                   The file type. This field is an enum, and can have one of: arj, cab, lzh, rar, tar, zip, bzip, gzip, bzip2, bat, msc, uue, mime, base64, binhex, com, elf, exe, hta, html, jad, class, cod, javascript, msoffice, fsg, upx, petite, aspack, prc, sis, hlp, activemime, jpeg, gif, tiff, png, bmp, ignored, unknown.
file            varchar(255)        varchar(255)
checksum        varchar(255)        varchar(255)
quarskip        varchar(255)        varchar(255)                   This field is an enum, and can have one of: "No skip", "No quarantine for HTTP GET file pattern block.", "No quarantine for oversized files.", "File was not quarantined."
virus           varchar(255)        varchar(255)
ref             varchar(255)        varchar(255)                   The URL reference that gives more information about the virus. If you enter the URL in your web browser's address bar, the URL directs you to the specific page that contains information about the virus.
url             varchar(255)        varchar(255)
carrier_ep      varchar(255)        varchar(255)
agent           varchar(255)        varchar(255)                   This field is for FortiGate units running FortiOS Carrier. If you do not have FortiOS Carrier running on your FortiGate unit, this field always displays N/A.
from            varchar(255)        varchar(255)
to              varchar(255)        varchar(255)
command         varchar(255)        varchar(255)
dtype           varchar(255)        varchar(255)
Web filter log (wlog) fields
Field           PostgreSQL          MySQL                          Description
status          varchar(255)        varchar(255)                   The status of the action the FortiGate unit took when the event occurred. For web filter logs, this field can be: blocked, exempted, allowed, passthrough, filtered, DLP.
serial          bigint default 0
sport           int default 0       smallint unsigned default 0
dport           int default 0       smallint unsigned default 0
hostname        varchar(255)        varchar(255)
carrier_ep      varchar(255)        varchar(255)
req_type        varchar(255)        varchar(255)
url             varchar(255)        varchar(255)                   The URL.
msg             varchar(255)        varchar(255)
dir             varchar(255)        varchar(255)                   The direction.
agent           varchar(255)        varchar(255)
from            varchar(255)        varchar(255)                   From
to              varchar(255)        varchar(255)                   To
banword         varchar(255)        varchar(255)
error           varchar(255)        varchar(255)
method          varchar(255)        varchar(255)
class           smallint default 0
class_desc      varchar(255)        varchar(255)                   Class description
cat             smallint default 0
cat_desc        varchar(255)        varchar(255)                   Category description
mode            varchar(255)        varchar(255)
rule_type       varchar(255)        varchar(255)                   Rule type. This field is an enum, and can have one of: directory, domain, rating.
rule_data       varchar(255)        varchar(255)                   Rule data
ovrd_tbl        varchar(255)        varchar(255)                   Override table
ovrd_id         bigint default 0                                   Override ID
count           bigint default 0
url_type        varchar(255)        varchar(255)
urlfilter_idx   bigint default 0
urlfilter_list  varchar(255)        varchar(255)
quota_exceeded  varchar(255)        varchar(255)
quota_used      bigint default 0
quota_max       bigint default 0
Vulnerability Management log (nlog) fields
Field           PostgreSQL          MySQL               Description
action          varchar(255)        varchar(255)
start           bigint default 0
end             bigint default 0
engine          varchar(255)        varchar(255)
plugin          varchar(255)        varchar(255)
ip              varchar(40)         varchar(40)
proto           varchar(255)        varchar(255)
port            int default 0
vuln            varchar(255)        varchar(255)
vuln_cat        varchar(255)        varchar(255)
vuln_id         bigint default 0
vuln_ref        varchar(255)        varchar(255)
severity        varchar(255)        varchar(255)
os              varchar(255)        varchar(255)
os_family       varchar(255)        varchar(255)
os_gen          varchar(255)        varchar(255)
os_vendor       varchar(255)        varchar(255)
message         varchar(255)        varchar(255)        Informational message.
Examples
The following examples illustrate how to write custom datasets.
After you create the datasets, you can use them when you configure chart templates
under Report > Chart > Template.
Then you can add the chart template to a report when you create the new report
under Report > Config > Report.
Figure 3: Adding a chart to a report
Note: On the FortiGate unit, custom datasets can only be created via the CLI. On the
FortiAnalyzer unit, datasets can be created via the CLI or the GUI. As well, on the
FortiAnalyzer unit, queries support additional variables for log types ($log) and time periods
($filter) that make authoring queries easier.
GUI procedure
1 Go to Report > Chart > Data Set.
2 Click Create New to create a new dataset and enter a name (such as
"apps_type_24hrs").
3 Under Log Type($log), select Application Control.
4 Under Time Period, select Past N Hours, and enter 24 in Past N Hours.
5 Enter the query:
SELECT app_type, COUNT( * ) AS totalnum
FROM $log
WHERE $filter
AND app_type IS NOT NULL
GROUP BY app_type
ORDER BY totalnum DESC
CLI procedure
To perform the same task using the CLI, use these commands:
config sql-report dataset
edit apps_type_24hrs
set log-type app-ctrl
set time-period last-n-hours
set period-last-n 24
set query "SELECT app_type, COUNT( * ) AS totalnum FROM $log
WHERE $filter AND app_type IS NOT NULL GROUP BY app_type
ORDER BY totalnum DESC"
end
Notes:
$filter restricts the query result to the time period specified; in this case, it's the past 24
hours.
The application control module classifies each firewall session in app_type. One
firewall session may be classified to multiple app_types. For example, an HTTP
session can be classified to: HTTP, Facebook, etc.
Some apps/app_types cannot be detected; in that case the app_type field is
null or N/A. These rows are ignored by this query because of the IS NOT NULL clause.
The result is ordered by the total number of sessions with the same app_type. The most
frequent app_types appear first.
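To show how the $log and $filter variables turn into a concrete query, the added example below (not code from the guide) emulates the expansion in an in-memory SQLite table filled with constructed application-control rows; the table name app_ctrl, the timestamp column, and the exact form of the expanded time predicate are assumptions.

```python
"""Added example (not from the FortiAnalyzer guide): expand a custom dataset's
$log and $filter variables and run the apps_type_24hrs query against
constructed application-control log rows in SQLite."""
import sqlite3

# Fixed "current time" so the Past N Hours window is reproducible.
NOW = 1_700_000_000

# Constructed sample rows: (timestamp, app_type). None models an undetected
# application, which the dataset's "app_type IS NOT NULL" clause drops.
SAMPLE_APP_CTRL_LOGS = [
    (NOW - 600, "HTTP"), (NOW - 1200, "Facebook"), (NOW - 1800, "HTTP"),
    (NOW - 3600 * 5, "HTTP"), (NOW - 3600 * 6, None),
    (NOW - 3600 * 7, "DNS"), (NOW - 3600 * 8, "DNS"),
    (NOW - 3600 * 30, "HTTP"),  # older than 24 hours: excluded by $filter
]

# The dataset exactly as entered in the GUI/CLI, variables left unexpanded.
DATASET_QUERY = """SELECT app_type, COUNT( * ) AS totalnum
FROM $log
WHERE $filter
AND app_type IS NOT NULL
GROUP BY app_type
ORDER BY totalnum DESC"""


def expand_dataset(query, log_table, period_last_n_hours, now=NOW):
    """Assumed expansion: $log becomes the table for the selected log type,
    $filter becomes a time-window predicate for 'Past N Hours'."""
    time_filter = f"timestamp >= {now - period_last_n_hours * 3600}"
    return query.replace("$log", log_table).replace("$filter", time_filter)


def run_dataset(rows=SAMPLE_APP_CTRL_LOGS, hours=24):
    """Load the constructed rows and return (app_type, totalnum) pairs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_ctrl (timestamp INTEGER, app_type TEXT)")
    conn.executemany("INSERT INTO app_ctrl VALUES (?, ?)", rows)
    sql = expand_dataset(DATASET_QUERY, "app_ctrl", hours)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    print(expand_dataset(DATASET_QUERY, "app_ctrl", 24))
    for app_type, total in run_dataset():
        print(f"{app_type:<10} {total}")
```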
CLI procedure
To perform the same task using the CLI, use these commands:
config sql-report dataset
edit top_100_apps_24hrs
set log-type traffic
set time-period last-n-hours
set period-last-n 24
set query "SELECT ( TIMESTAMP - TIMESTAMP %3600 ) AS
hourstamp, app, service, SUM( sent + rcvd ) AS volume
FROM $log WHERE $filter and app IS NOT NULL GROUP BY app
ORDER BY volume DESC LIMIT 100"
end
Notes:
SUM( sent + rcvd ) AS volume - this calculates the total sent and received
bytes.
ORDER BY volume DESC - this orders the results by descending volume (largest
volume first).
CLI procedure
To perform the same task using the CLI, use these commands:
config sql-report dataset
edit top_attacks_1hr
set log-type attack
set time-period last-n-hours
set period-last-n 1
set query "SELECT attack_id, COUNT( * ) AS totalnum FROM
$log WHERE $filter and attack_id IS NOT NULL GROUP BY
attack_id ORDER BY totalnum DESC LIMIT 10"
end
Notes:
The result is ordered by the total attack number of the same attack_id. The most
frequent attack_id will appear first.
FROM $log
WHERE $filter
AND subtype = 'wanopt-traffic'
GROUP BY wanopt_app_type
ORDER BY SUM( wan_in + wan_out ) DESC
LIMIT 5
CLI procedure
To perform the same task using the CLI, use these commands:
config sql-report dataset
edit WAN_OPT_24hrs
set log-type traffic
set time-period last-n-hours
set period-last-n 24
set query "SELECT wanopt_app_type, SUM( wan_in + wan_out )
AS bandwidth FROM $log WHERE $filter AND subtype =
'wanopt-traffic' GROUP BY wanopt_app_type ORDER BY SUM(
wan_in + wan_out ) DESC LIMIT 5"
end
Notes:
The WAN optimizer module logs the bandwidth of each application. All bandwidth data is
logged in traffic logs, and WAN optimization data has the subtype wanopt-traffic.
SUM( wan_in + wan_out ) AS bandwidth - this calculates the total in and out
traffic.
Traffic varies by enabled options and configured ports. Only default ports are listed.
Table 42: FortiAnalyzer outbound ports
Functionality    Port(s)
DNS lookup    UDP 53
NTP synchronization    UDP 123
Windows share    UDP 137-138
SNMP traps    UDP 162
UDP 514
Note: If a secure connection has been configured between a FortiGate and a FortiAnalyzer, Syslog traffic will be sent into an IPSec tunnel. Data will be exchanged over UDP 500/4500, Protocol IP/50.
TCP 21 or TCP 22
TCP 25
TCP 443
RADIUS authentication    TCP 1812
TCP 3000
Port(s)
Windows share
UDP 514
Note: If a secure connection has been configured between a FortiGate and a FortiAnalyzer, Syslog traffic will be sent into an IPSec tunnel. Data will be exchanged over UDP 500/4500, Protocol IP/50.
TCP 22
TCP 23
TCP 80
TCP 443
TCP 514
Device registration of FortiGate or FortiManager units; remote access to quarantine, logs & reports from a FortiGate unit; remote management from a FortiManager unit (configuration retrieval) (OFTP)
NFS share    TCP 2049
TCP 2032
TCP 3000
TCP 3306
TCP 443
Index
Symbols
_email, 18
_fqdn, 18
_index, 18
_int, 18
_ipv4, 18
_ipv4/mask, 18
_ipv4mask, 18
_ipv6, 18
_ipv6mask, 18
_name, 18
_pattern, 18
_str, 18
_url, 18
_v4mask, 18
_v6mask, 18
A
access profile, 25, 27
adding configuring defining
log severity levels, 341
administrative access
interface settings, 65
restricting, 64, 65, 77
administrative domains. See ADOMs
administrator
admin, accessing ADOMs, 32
assigning to ADOM, 32
ADOMs, 27
access privileges, 25
accessing as admin administrator, 32
admin account privileges, 25
assigning administrators, 32
disabling, 31
enabling, 28
Global, 27
maximum number, 333
permissions, 25
root, 31
aggregation client, 101
alerts, 87, 96, 98
testing, 91
alias, 104
ARP, 292
authenticated network scan
preparing, 223
B
backing up log files, 276
backing up the configuration
using the CLI, 276
using web-based manager, 276
backup & restore, 114
baud rate, 303
blocking device connection attempts, 134
FortiAnalyzer Version 4.0 MR2 Administration Guide
Revision 13
http://docs.fortinet.com/ Feedback
C
charts, 173
CIDR, 18
classifying FortiGate network interfaces, 137
CLI
commands, 288
clock, 38, 39
column view
network analyzer logs, 265
command line interface (CLI), 16, 17, 35, 53, 77
Console widget, 53
prompt, 39
command prompt, 39
connection attempt handling, 133
contract, 40
conventions, 16
count, 152
CPU usage, 41, 42
D
dashboard, 35, 207
data filter template, 178
data set, 201
DC (duplicate count), 153
default
password, 16
delete after upload
network analyzer log, 272
device
adding or deleting, 131
groups, 136
list, 123
maximum number, 126
registration and reports, 152
unregistered vs. registered, 126
disk space
allocated to Network Analyzer, 272
DLP archive, 149
backing up, 158
DNS server, 69
test connection, 291
documentation
conventions, 16
dotted decimal, 18
down, 64
download
logs, 156, 270
network analyzer logs, 263
search results, 270
E
eDiscovery, 160
expected input, 17
JavaScript, 53
F
Federal Information Processing Standards (FIPS), 13
file
extension, 46, 264, 270
filter
criteria, 267
icon, 264, 266, 268
logs, 144
network analyzer, 266
tip, 267
tips, 145
firmware
install, 38
version, 35, 38
formatted view
network analyzer logs, 265
Fortinet
Knowledge Base, 15
Technical Documentation, 15
comments, 15
conventions, 16
Technical Support, 14
Training Services, 15
Fortinet Discovery Protocol (FDP), 64, 65, 66
FTP, 272
fully qualified domain name (FQDN), 18
G
graphical user interface (GUI), 23
gzip, 46, 264, 270, 272
H
HA cluster, 128, 131
hard disk, 49
historical viewer
network analyzer, 261
host name, 35, 39
hot swap, 49
HTTP, 65
HTTPS, 64, 65
I
ICMP, 65
importing log files, 155
index number, 18
indexed log fields, 268
input constraints, 17
installation, 15
IP alias, 104
resolve host names, 151
IPsec VPN tunnel, 128
L
language, 24, 184
license information, widget, 40
lightweight directory access protocol (LDAP), 111, 114
Linux, 292
local console access, 53
log forwarding, 103
logs, 38
backing up, 158
content. See DLP archive
CSV format, 270
download, 270
gzip, 46, 264, 270
indexed fields, 268
raw view, 266, 268
search, 268
search tips, 148
unindexed fields, 266, 268
M
mail server, 91
maximum transmission unit (MTU), 66, 284
Maximum Values Matrix, 333
media access control (MAC) address, 65
memory usage, 41
Microsoft
Internet Explorer, 23
migrating data, 118
Mozilla Firefox, 23
MS Windows, 292
N
network
sniffer, 262
network analyzer
browse, 262
column view, 260
delete after download, 272
download logs, 263
enable, 271
filter, 266
gzip, 272
historical viewer, 261
real-time viewer, 259
resolve host names, 260, 262
roll settings, 270
upload to, 272
network analyzer logs
column view, 265
formatted view, 265
network file share (NFS), 13
network interface
administrative access, 65
status, 64
network interfaces, classifying (FortiGate), 137
network maps, 217
P
password, 79
administrator, 16
log upload, 272
patch releases, 275
pattern, 18
Payment Card Industry Data Security Standard (PCI DSS), 247
performance, 35
permissions
access profile, 80
ADOMs, 25
ping, 65
port
destination, 260
number, 24
numbers, 288
scan, 13
source, 260
ports
UDP ports 33434-33534, 291
powering on, 302
prompt, 53
protocol
FTP, 272
SCP, 272
SFTP, 272
Q
quarantine, 151
count, 152
duplicate count, 153
ticket number, 153
query, 111, 114
DNS, 69
R
raid monitor, widget, 47
random access memory (RAM), 43
real-time viewer
network analyzer, 259
regular expression, 18
remote authentication dial in user service (RADIUS), 82
report
browsing, 210
chart template, 197
charts, 173
data filter, 178
FortiClient example, 191
FortiGate example, 188, 208
FortiMail example, 194
language, 184
layout, 168, 173, 181, 184
output template, 91
profiles, 173
schedule, 181
uploading graphics for, 203
report engine, widget, 47
resolution, 23
resolve host names, 151
network analyzer, 260, 262
roll settings
network analyzer, 270
root (Management Administrative Domain), 31
root ADOM, 27, 31
S
scheduling, 38
SCP, 272
search
DLP archive, 149
download results, 270
Network Analyzer logs, 257, 268
tips, 148, 269
user data, 149
secure connection, 152
Secure Shell (SSH), 53, 64, 65
serial number, 38
serial port parameters, 302
severity levels (logs), 341
SFTP, 272
share, 13
simple network management protocol (SNMP)
system name, 39
sniffer, 257, 262
See also network analyzer
SNMP
community, 96
event, 98
manager, 97
queries, 98
spam, 194
span port, 257
special characters, 40
SSL, 38
statistics widget, 44
string, 18
subnet, 269
supported RFCs
1213, 95
1918, 16
2665, 95, 307
sync interval, 39
syntax, 17
Syslog server, 98
system information, widget, 38
system operation, widget, 41
system resource usage, 35
system resources, widget, 41
system time, 35, 288
T
Technology Assistance Center (TAC), 287
Telnet, 53, 65
throughput, 35
ticket number, 153
time, 38
time to live (TTL), 291
traceroute, 291
tracert, 292
troubleshooting, 285
packet sniffing, 293
routing table, 292
U
unindexed log fields, 266, 268
unknown, 133
unregistered, 126, 152
up, 64
upgrading, 279
uptime, 35, 288
US-ASCII, 40
V
value parse error, 18
virus
See quarantine
vulnerability management, 213
asset groups, 216
assets, 214
database, 213, 242
host status, 239
network map, 217
W
web browser, 23
web filtering, 148
web services, 66
widget, 35
intrusion activity, 62
license information, 40
log receive monitor, 50
logs/data received, 43
raid monitor, 47
report engine, 47
statistics, 44
system information, 38
system operation, 41
system resources, 41
top email traffic, 57
top ftp traffic, 58
top im/p2p traffic, 59
top traffic, 54
top web traffic, 56
virus activity, 61
wild cards, 18
WSDL file
obtaining, 68
www.fortinet.com