
DO NOT REPRINT

© FORTINET

FortiAnalyzer Lab Guide


for FortiAnalyzer 6.0
Fortinet Training
http://www.fortinet.com/training

Fortinet Document Library


http://docs.fortinet.com

Fortinet Knowledge Base


http://kb.fortinet.com

Fortinet Forums
https://forum.fortinet.com

Fortinet Support
https://support.fortinet.com

FortiGuard Labs
http://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)


https://www.fortinet.com/support-and-training/training/network-security-expert-program.html

Feedback
Email: courseware@fortinet.com

10/2/2018

TABLE OF CONTENTS

Virtual Lab Basics 5


Network Topology 5
Lab Environment 5
Remote Access Test 6
Logging In 7
Disconnections and Timeouts 9
Screen Resolution 9
Sending Special Keys 10
Student Tools 11
Troubleshooting Tips 11
Lab 1: Initial Configuration 14
Exercise 1: Examining the Network Settings 16
Lab 2: Administration and Management 21
Exercise 1: Configuring Administrative Domains 22
View ADOM Information 23
Create Custom ADOMs 24
Exercise 2: Configuring an External Server to Validate Administrators 27
Configure an LDAP Server on FortiAnalyzer 27
Create a Wildcard LDAP Administrator 29
Test External Administrator Access 30
View the Event Logs 33
Lab 3: Device Registration and Communication 34
Exercise 1: Registering Devices on FortiAnalyzer 36
Register a Device Through the Device Registration Wizard 36
Accept a Device Registration Request 38
Exercise 2: Troubleshooting Device Communication 42
Verify Device Registration 42
Verify Device Communication 42
Troubleshoot Device Communication 43
Resolve a Down Connection 45
Lab 4: Logs 48
Exercise 1: Gathering Benchmark Diagnostics 49
View System Resource Information 49
DO NOT REPRINT
© FORTINET
Gather Data Policy and Disk Utilization Information 50
Exercise 2: Enabling Event Handlers 52
Exercise 3: Generating Traffic 54
Generate Traffic with FIT 54
Generate Traffic Through Nikto 55
Exercise 4: Examining Logs and Notifications 58
Log View 58
Use Log Filters 61
FortiView 62
View Event Notifications 64
Exercise 5: Viewing Log Statistics and Used Storage Space 66
View the Raw Log Receiving Rate 66
View the Insert Rate vs. Receive Rate 67
View Used Storage Statistics 68
Exercise 6: Modifying Disk Quotas 70
Compare Storage Space Between ADOMs 70
Modify Disk Quota 70
Exercise 7: Moving Device with Logs Between ADOMs 72
Gathering Log and ADOM Information 72
Move a Device to a Different ADOM 73
Rebuild ADOM Database to Migrate Device Logs 74
Lab 5: Reports 77
Exercise 1: Running a Default Report 78
Exercise 2: Building a Chart Based on Log Search 81
Virtual Lab Basics

In this course, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab
and its virtual machines. It also shows the topology of the virtual machines in the lab.

If your trainer asks you to use a different lab, such as devices physically located in your
classroom, then ignore this section. This section applies only to the virtual lab
accessed through the Internet. If you do not know which lab to use, please ask your
trainer.

Network Topology

Lab Environment

Fortinet's virtual lab for hands-on exercises is hosted in remote data centers, which allow each student to have their
own training lab environment, or point of delivery (PoD).

FortiAnalyzer 6.0 Lab Guide 5


Fortinet Technologies Inc.
Remote Access Test

Before starting any course, check that your computer can connect to the remote data center successfully. The
remote access test fully verifies whether your network connection and your web browser can support a reliable
connection to the virtual lab.

You do not have to be logged in to the lab portal in order to run the remote access test.

To run the remote access test


1. From a browser, access the following URL:
https://use.cloudshare.com/test.mvc

If your computer connects successfully to the virtual lab, you will see the message All tests passed!:

2. Inside the Speed Test box, click Run.


The speed test begins. Once complete, you will get an estimate of your bandwidth and latency. If those
estimates are not within the recommended values, you will get an error message:


Logging In

After you run the remote access test to confirm that your system can run the labs successfully, you can proceed to
log in.

You will receive an email from your trainer with an invitation to auto-enroll in the class. The email will contain a
link and a passphrase.

To log in to the remote lab


1. Click the login link provided by your instructor over email.
2. Enter your email address and the class passphrase provided by your trainer over email, and then click Login.

3. Enter your first and last name.


4. Click Register and Login.

Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.

5. To open a VM from the dashboard, do one of the following:


• From the top navigation bar, click a VM's tab.

• From the box of the VM you want to open, click View VM.

Follow the same procedure to access any of your VMs.

When you open a VM, your browser uses HTML5 to connect to it. Depending on the VM you select, the web
browser provides access to either the GUI of a Windows or Linux VM, or the CLI-based console access of a
Fortinet VM.


For most lab exercises, you will connect to a jumpbox VM, which can be either a Windows or a Linux VM.
From the jumpbox VM, you will connect over HTTPS and SSH to all other Fortinet VMs in the lab
environment.

Disconnections and Timeouts

If your computer’s connection to the VM times out or closes, to regain access, return to the window or tab that
contains the list of VMs for your session, and reopen the VM.

If that fails, see Troubleshooting Tips on page 11.

Screen Resolution

The GUIs of some Fortinet devices require a minimum screen size.

To configure screen resolution in the HTML5 client, use the Resolution drop-down list on the left. You can also
change the color depth:


Sending Special Keys

You can use the Virtual Keyboard panel to either send the Ctrl-Alt-Del combination, or the Windows key:

From the Virtual Keyboard panel, you can also copy text to the guest VM's clipboard:


Student Tools

There are three icons on the left for messaging the instructor, chatting with the class, and requesting assistance:

Troubleshooting Tips

• Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-
  latency connections.
• Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that your
  computer is always on, and does not go to sleep or hibernate.
• For best performance, use a stable broadband connection, such as a LAN.

• You can run a remote access test from within your lab dashboard. It will measure your bandwidth, latency and
  general performance:

• If the connection to any VM or the virtual lab portal closes unexpectedly, try to reconnect. If you can't reconnect,
  notify the instructor.
• If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset:

• If that does not solve the access problem, you can try to revert the VM back to its initial state. Open the VM action
  menu, and select Revert:

Reverting to the VM's initial state will undo all of your work. Try other solutions first.


• During the labs, if the VM is waiting for a response from the authentication server, a license message similar to the
  following example appears:

To expedite the response, enter the following command in the CLI:


execute update-now

Lab 1: Initial Configuration

In this lab, you will examine the network settings of the FortiAnalyzer from the CLI and GUI.

Objectives
• Examine the network settings

Time to Complete
Estimated: 20 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate and Remote-FortiGate.

To restore the Remote-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiAnalyzer > LAB-1 > Remote-FortiGate-initial.conf, and then
click Open.
5. Click OK.
6. Click OK to reboot.

To restore the Local-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.


3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiAnalyzer > LAB-1 > Local-FortiGate-initial.conf, and then click
Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: Examining the Network Settings

In this exercise, you will examine the initial configuration of the FortiAnalyzer from the CLI and GUI.

To examine the network settings through the CLI


1. In Local-Windows, open PuTTY and connect to the FORTIANALYZER saved session (connect over SSH).
2. At the login prompt, enter the user name admin and password password.
3. Enter the following command to display basic status information about FortiAnalyzer:

CLI command: get system status

    Diagnostic: What is the firmware version?
    Result: Knowing your FortiAnalyzer firmware version is important, because it determines what Fortinet
    products—and associated firmware versions—are supported.

    Diagnostic: What is the administrative domain (ADOM) configuration?
    Result: By default, ADOMs are disabled.

    Diagnostic: What is the time zone?
    Result: For proper log correlation, it is important that your system time on FortiAnalyzer and all
    registered devices are synced.

    Diagnostic: What is the license status?
    Result: To ensure FortiAnalyzer continues to collect and store logs, a valid license is required.

4. Enter the following command to display information about the FortiAnalyzer interface configuration:

CLI command: show system interface

    Diagnostic: What is the IP for port1?
    Result: Port1 is the management port, and its address is the IP of FortiAnalyzer.

    Diagnostic: What administrative access protocols are configured for port1?
    Result: This will help troubleshoot any access issues you may experience. For example, this PuTTY session
    would not be able to connect without the SSH protocol enabled.

    Diagnostic: What is the IP for port3?
    Result: According to the Network Topology diagram, port3 is how traffic is routed between Remote-FortiGate
    and FortiAnalyzer. Remote-FortiGate, therefore, will connect to FortiAnalyzer with this port3 IP.

    Diagnostic: What administrative access protocols are configured for port3?

5. Enter the following command to display DNS setting information:

CLI command: show system dns

    Diagnostic: What are the primary and secondary DNS settings?
    Result: Several FortiAnalyzer functions use DNS, such as sending alert email and resolving hostnames in the
    logs. By default, FortiAnalyzer uses FortiGuard DNS servers.

6. Enter the following commands to display NTP setting information:

CLI command: get system ntp

    Diagnostic: Is NTP enabled?
    Result: NTP is recommended on FortiAnalyzer and all registered devices for proper log correlation.

    Diagnostic: How often does FortiAnalyzer synchronize its time with the NTP server?

CLI command: show system ntp

    Diagnostic: What server is configured for NTP?
    Result: By default, Fortinet servers are configured.

7. Enter the following command to display information about the FortiAnalyzer routing configuration:

CLI command: show system route

    Diagnostic: What is the gateway route associated with port3?
    Result: According to the Network Topology diagram, this IP is the default route to go out to the Internet.

8. To test basic network connectivity, and to ensure the default route out to the Internet is working, enter the
following command to ping IP 4.2.2.2 (public IP that is highly available):
execute ping 4.2.2.2

Packets should transmit successfully.

9. Close your PuTTY session.

To examine the network settings through the GUI


1. On the Local-Windows VM, open a browser and log in to the FortiAnalyzer GUI at 10.0.1.210 with the user
name admin and password password.

2. Click System Settings from the main tiles.

The dashboard appears.

3. Examine the System Information and License Information widgets to view the following information.
This displays the same information available from the CLI command get system status.

• Firmware version
• ADOM status
• System time and time zone
• License status (VM)
4. From the System Information widget, edit the System Time to view the NTP information.
This displays the same information available from the CLI commands get system ntp and show
system ntp.

5. Click X to go back to the System Information widget.


6. From the left menu, click Network.
This page displays information about the port1 management interface, including the IP address,
administrative access protocols, and DNS information. This displays the same information available from the
CLI commands show system interface and show system dns.

7. Click All Interfaces to view other configured interfaces.


According to the CLI command show system interface, you should see that port3 is also configured.


8. From the left menu, click Network, and from the main window, click Routing Table.
This page displays the network gateway and associated interface. This displays the same information
available from the CLI command show system route.

To examine the Local-FortiGate system time


1. Open a second browser tab, and log in using username admin and password password to the Local-
FortiGate GUI at 10.0.1.254.
2. From the left menu, go to System > Settings and check System Time.
Does Local-FortiGate have the same system time settings as FortiAnalyzer?

This is important to ensure log correlation between Local-FortiGate and FortiAnalyzer.

Setting                       FortiAnalyzer                          Local-FortiGate
Time Zone                     (GMT-8:00) Pacific Time (US & Canada)
Synchronize with NTP server?  Yes
NTP server                    ntp1.fortinet.com (i.e. FortiGuard)

3. Close the browser.

You have completed Lab 1.

Lab 2: Administration and Management

In this lab, you will configure FortiAnalyzer for Administrative Domains (ADOMs) as well as configure an external
server to validate non-local (external) administrators.

You will configure the external administrator to have access to a specific ADOM only.

Objectives
• Configure ADOMs
• Configure an external server to validate administrators

Time to Complete
Estimated: 25 minutes

Exercise 1: Configuring Administrative Domains

In this exercise, you will enable Administrative Domains (ADOMs), view default ADOM information, and create
two custom ADOMs.

One use case for employing ADOMs is to restrict other administrators' access privileges to a subset of devices in
the device list.

To enable ADOMs
1. On the Local-Windows VM, open a browser and log in to the FortiAnalyzer GUI at 10.0.1.210 using the user
name admin and password password.
2. Click System Settings.
3. On the dashboard, in the System Information widget, turn on Administrative Domain.

4. Click OK to confirm.
You are automatically logged out of the GUI.

5. Log back in to the FortiAnalyzer GUI using username admin and password password.
Since ADOMs are now enabled, you must select an ADOM to log into. The ADOMs with which you are
presented are based on your administrator permissions.

6. Select the root ADOM.


7. Continue to the next procedure.

View ADOM Information

Before creating new ADOMs, you should be aware of what ADOM types are available to you. You will view ADOM
information through both the GUI and CLI.

To view ADOM information


1. Once logged into the root ADOM on FortiAnalyzer, click System Settings.
2. From the left menu, click All ADOMs.
This page lists all available ADOMs and any devices added to those ADOMs.

3. Continuing on the Local-Windows VM, open PuTTY and connect to the FORTIANALYZER saved session
(connect over SSH).
4. Log in using username admin and password password and execute the following command to view what
ADOMs are currently enabled on FortiAnalyzer and the type of device you can register to each ADOM:
diagnose dvm adom list

The CLI output is easier to read if you maximize your PuTTY window. If you've already
executed the command, once the window is maximized, press the up arrow to show
the last command you entered and press Enter to re-run the command.


As you can see, there are 15 ADOMs that FortiAnalyzer supports, each associated with different devices.

5. Close your PuTTY session.

Create Custom ADOMs

Now that you have enabled ADOMs on FortiAnalyzer, you can create your own custom ADOMs. In this exercise,
you will create two FortiGate ADOMs (in Lab 3, you will add FortiGate devices to these ADOMs).

You do not have to create ADOMs prior to registering devices to FortiAnalyzer—you can register devices to the
default ADOMs first and then move those devices into custom ADOMs later.

The benefit of creating custom ADOMs prior to device registration is that logs collected for the device that you
add to the ADOM are stored on the ADOM from the outset. If log collection begins in one ADOM, and then you
move the device to a different ADOM, the analytics (indexed) logs are not automatically moved with the device.
We will explore this topic in Lab 4.

To create custom ADOMs for FortiGate devices


1. Continuing on the FortiAnalyzer GUI, click All ADOMs.
2. Click Create New to create a custom ADOM.
3. On the Create New ADOM window, complete the following:

Field Value

Name ADOM1

Type FortiGate


4. Click Select Device.


If you had any devices registered to FortiAnalyzer, you could select your device and add it to the ADOM at
this time. However, in this lab, you have not yet registered any devices, so the list is empty.
Click Close.

5. Review the information in the Disk Utilization section for the new ADOM. By default, the ADOM will use the
maximum disk space available.
Change the Maximum Allowed setting to 1000 MB and click OK.

ADOM1, the FortiGate ADOM you just created, now appears in the ADOMs list. No registered devices are
yet associated with ADOM1.

6. Repeat the procedure, but this time create a FortiGate ADOM called ADOM2.
Your ADOMs should now appear as follows:


You will add FortiGate devices to these ADOMs in Lab 3.

By default, FortiAnalyzer includes a root ADOM. Only FortiGate devices can register to
the root ADOM. As such, if you do not create custom ADOMs before device
registration, any FortiGate devices you register will automatically register to root.

You can switch between ADOMs on the GUI—you do not have to log out and log back
in. To switch ADOMs on the GUI, click ADOM in the top-right corner of the GUI. Your
administrator privileges determine which ADOMs you have access to.

Exercise 2: Configuring an External Server to Validate
Administrators

In this exercise, you will configure an external LDAP server on FortiAnalyzer to validate administrator logins. You
will also create a new administrator account and permit LDAP group access by enabling the wildcard
administrator account feature. You will also configure the wildcard administrator account for access to a specific
ADOM only.

Most companies, especially mid- to large-sized companies, keep their employees in a central database, with
employees as members of specific groups. As such, instead of managing employees designated as FortiAnalyzer
administrators locally on FortiAnalyzer across multiple administrator accounts (as well as managing these
employees in the organization's central database), you can configure one wildcard administrator account on
FortiAnalyzer to point to an LDAP group of which those FortiAnalyzer administrators are members. This gives
you centralized control over your administrators.

Your Local Windows VM is already configured with Active Directory and directory
users, because this is out of scope for FortiAnalyzer training.

Once complete, you will test your ability to access FortiAnalyzer and then check the Event logs for details.

Configure an LDAP Server on FortiAnalyzer

Now, you will configure FortiAnalyzer to point to a preconfigured LDAP server.

To configure an LDAP server on FortiAnalyzer
1. On the Local-Windows VM, open a browser and log in using the user name admin and password password to
the FortiAnalyzer GUI at 10.0.1.210.
2. Click root.

3. Click System Settings.


4. From the left menu, click Admin > Remote Authentication Server.
5. Click Create New and select LDAP Server from the dialog box that opens.

6. Complete the following:

You can copy the distinguished name (DN) and user DN from the ADserver-info.txt file by clicking
Desktop > Resources > FortiAnalyzer > LAB2, opening the file, copying the information, and pasting it
directly into the fields.

Field Value

Name ADserver

Server Name/IP 10.0.1.10
    This is the IP address of the Windows Server (Local-Windows), where Active Directory is configured. For
    more information, see Network Topology.

Distinguished Name ou=training,dc=trainingAD,dc=training,dc=lab
    This is the domain name for Active Directory on Local-Windows. Active Directory has already been
    pre-configured, with all users located in the Training organizational unit (ou).

Bind Type Regular

User DN cn=FAZadmin,ou=Training,dc=trainingAD,dc=training,dc=lab
    FAZadmin is the LDAP bind account. FortiAnalyzer uses these account credentials to authenticate to the
    LDAP server.

Password Training!

Administrative Domain All ADOMs
    While this ensures that the LDAP server can provide administrators access to all ADOMs, it is ultimately
    the LDAP administrator account that determines which ADOMs are accessible.

7. Click the icon ( ) at the end of the Distinguished Name field to query the DN and test your LDAP
connection.
If the connection is successful, you will see the DN in the LDAP Browser window. If you do not see the DN,
verify you have entered the correct LDAP server information as outlined in the previous step.

8. Click Close to close the LDAP Browser window.


9. Click OK to accept your configuration.
Your remote LDAP authentication server is added to FortiAnalyzer.

Create a Wildcard LDAP Administrator

Create a new administrator account and permit LDAP group access by enabling the wildcard administrator
account feature.

To create a wildcard LDAP administrator


1. Continuing on the FortiAnalyzer GUI, click Admin > Administrators.
2. Click Create New.
3. Complete the following:

Field Value

User Name remote-admins

Admin Type LDAP

Field Value

LDAP Server ADserver

This is the LDAP server you just created in the previous procedure.

Wildcard <enable>

This ensures that any user account located in the LDAP group (ou) you
specified in the LDAP server configuration can authenticate.

Admin Profile Standard_User

This provides read/write access for all device privileges, but disables
system privileges.

4. Beside Administrative Domain, click Specify and select ADOM1 from the drop-down list.

Even though you configured the LDAP server for access to all ADOMs, this LDAP administrator account limits
access to ADOM1 only. This provides you with more flexibility and security, as you can create additional
LDAP administrator accounts for different ADOM access rights, if required.

5. Click OK.
You successfully created a wildcard LDAP administrator.

6. Log out of FortiAnalyzer.

Test External Administrator Access

Now that you've configured an external server and created a wildcard administrator account that points to that
external server, you are ready to test your configuration.

Based on the preconfigured Active Directory server, you should be able to successfully authenticate with the
following two users:

• aduser1
• aduser2


Also, since you gave this account the Standard_User profile and access to ADOM1 only, you will notice a
reduction in permissions (in comparison to the admin user account with the Super_User profile).

To test external administrator account access


1. On the Local-Windows VM, open a browser and log in to the FortiAnalyzer GUI at 10.0.1.210 using the
following credentials:
• Username: aduser1
• Password: Training!
You successfully logged in as an external administrator!

Stop and think!
As ADOMs are enabled, why do you not have to select an ADOM to log into after authenticating?

You configured the remote-admins account with permission to access ADOM1 only. As such, you are
logged directly into ADOM1 (your only option).

Why do you not have access to System Settings?

You configured the remote-admins account with the Standard_User profile. This profile does not provide
system privileges.

2. Log out as aduser1 and log in with the following credentials:


• Username: aduser2
• Password: Training!
You successfully logged in as an external administrator.

Since you configured wildcard access on the remote-admins administrator account, any user account located in
the LDAP group (ou) you specified in the LDAP server configuration can authenticate. ADOM permissions
and administrator privileges are the same for each user in the LDAP group.

3. Log out as aduser2.


4. Now try logging in as a user located in the same Active Directory server (trainingAD.training.lab), but in
the Users organizational unit, not the Training organizational unit that you configured on FortiAnalyzer.
• Username: ADadmin
• Password: Training!

Access is denied, because ADadmin is not in a permitted LDAP group.

You successfully tested external validation of administrators.

5. Close the browser.
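The behaviour you just tested (and configured in the Create a Wildcard LDAP Administrator procedure), as an added example that is not part of the lab guide: a small offline Python model of the decision FortiAnalyzer makes for a wildcard LDAP administrator. The in-memory directory, the `login` helper and the DN-matching functions are constructed assumptions; only the DNs, user names, profile and ADOM names come from the lab.

```python
"""Wildcard LDAP administrator check, modelled after Lab 2 (added example, not
Fortinet code).  Only the DNs, user names, ADOM and profile names come from the
lab; the directory below is constructed, and the matching logic illustrates the
behaviour the lab observes rather than FortiAnalyzer's own implementation."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for Active Directory on Local-Windows: user DN -> password.
DIRECTORY = {
    "cn=FAZadmin,ou=Training,dc=trainingAD,dc=training,dc=lab": "Training!",
    "cn=aduser1,ou=Training,dc=trainingAD,dc=training,dc=lab": "Training!",
    "cn=aduser2,ou=Training,dc=trainingAD,dc=training,dc=lab": "Training!",
    # Lives in the default Users container, not under ou=Training.
    "cn=ADadmin,cn=Users,dc=trainingAD,dc=training,dc=lab": "Training!",
}
# Per the lab: Standard_User has device privileges but no system privileges.
PROFILE_HAS_SYSTEM_PRIVILEGES = {"Super_User": True, "Standard_User": False}

@dataclass(frozen=True)
class LdapServer:
    name: str
    base_dn: str        # "Distinguished Name" field: the wildcard search scope
    bind_dn: str        # "User DN" field: the account FortiAnalyzer binds as
    bind_password: str

@dataclass(frozen=True)
class WildcardAdmin:
    username: str       # "remote-admins"; users never type this name
    server: LdapServer
    profile: str
    adoms: tuple

@dataclass(frozen=True)
class Session:
    user_dn: str
    profile: str
    adoms: tuple

def normalize_dn(dn: str) -> tuple:
    """Lower-cased (type, value) RDNs. LDAP matching is case-insensitive, which is
    why the lab's base DN "ou=training" matches entries under "ou=Training".
    Simplified: escaped commas and multi-valued RDNs are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, value = rdn.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)

def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn sits below base_dn, i.e. inside the wildcard scope."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(entry) > len(base) and entry[-len(base):] == base

def ldap_bind(dn: str, password: str) -> bool:
    """Simulated LDAP simple bind against the constructed directory."""
    return DIRECTORY.get(dn) == password

def find_user_dn(username: str, base_dn: str) -> Optional[str]:
    """Locate cn=<username> under base_dn; None if absent or out of scope."""
    for dn in DIRECTORY:
        rdns = normalize_dn(dn)
        if rdns[0] == ("cn", username.lower()) and in_subtree(dn, base_dn):
            return dn
    return None

def authenticate(admin: WildcardAdmin, username: str, password: str) -> Optional[Session]:
    """Bind as the service account, find the user inside the configured DN, check the
    user's password, then attach the *account's* profile and ADOMs to the session."""
    srv = admin.server
    if not ldap_bind(srv.bind_dn, srv.bind_password):
        return None                 # service-account bind failed
    user_dn = find_user_dn(username, srv.base_dn)
    if user_dn is None:
        return None                 # outside the permitted ou (the ADadmin case)
    if not ldap_bind(user_dn, password):
        return None                 # wrong password
    return Session(user_dn, admin.profile, admin.adoms)

def has_system_privileges(session: Optional[Session]) -> bool:
    """Whether the session may open System Settings (the lab's second question)."""
    return bool(session) and PROFILE_HAS_SYSTEM_PRIVILEGES.get(session.profile, False)

# The lab's configuration: ADserver scoped to ou=training, and remote-admins
# restricted to ADOM1 with the Standard_User profile.
ADSERVER = LdapServer(
    name="ADserver",
    base_dn="ou=training,dc=trainingAD,dc=training,dc=lab",
    bind_dn="cn=FAZadmin,ou=Training,dc=trainingAD,dc=training,dc=lab",
    bind_password="Training!",
)
REMOTE_ADMINS = WildcardAdmin("remote-admins", ADSERVER, "Standard_User", ("ADOM1",))

def login(username: str, password: str) -> Optional[Session]:
    """GUI login as modelled here: remote-admins is the only remote account."""
    return authenticate(REMOTE_ADMINS, username, password)
```

Every user matched by the wildcard receives the same ADOM list and profile, so a second LDAP account pointing at a different ou is the way to grant different rights.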

View the Event Logs

FortiAnalyzer audits administrator activity, so changes can be traced to an individual. View the event logs to see
your recent administrative user activity.

To view the event logs


1. Log back in to the FortiAnalyzer GUI using the user name admin and password password.
2. Click root.
3. Go to System Settings.
4. From the left menu, select Event Log.
5. Examine your logins from aduser1, aduser2, ADadmin, and admin.
6. Close your browser.

You have completed Lab 2.

Lab 3: Device Registration and Communication

In this lab, you will register the Local-FortiGate, ISFW, and Remote-FortiGate devices on FortiAnalyzer for the
purpose of log collection.

Once you register devices, you will add the FortiGate devices to the custom ADOMs you created in Lab
2: Administration and Management on page 21.

Finally, you will run some diagnostics to troubleshoot device connection issues.

Objectives
• Register devices on FortiAnalyzer
• Troubleshoot device communication

Time to Complete
Estimated: 30 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate and ISFW.

To restore the ISFW configuration file


1. On the Local-Windows VM, open a browser and log in to the ISFW GUI at 10.0.1.200 with the user name
admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiAnalyzer > LAB-3 > ISFW.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the Local-FortiGate configuration file
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiAnalyzer > LAB-3 > Local-Fortigate.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: Registering Devices on FortiAnalyzer

In this exercise, you will register Remote-FortiGate on one ADOM, and Local-FortiGate and ISFW on a different
ADOM, using different methods of device registration.

One use case for adding FortiGate devices to different ADOMs is to more efficiently manage data policies and
disk space allocation—because these features are set for each ADOM, and not for each device.

For example, if you know (or have identified over time) that one of your FortiGate devices receives a higher
volume of traffic than another (such as a core FortiGate rather than an internal FortiGate), you may not want both
devices to share the allocated 1000MB ADOM disk space.

Register a Device Through the Device Registration Wizard

Use the FortiAnalyzer device registration wizard to add the Remote-FortiGate device to ADOM2 in FortiAnalyzer.

You will need the serial number and firmware version of Remote-FortiGate for device registration. You can
gather this information by logging in to the Remote-FortiGate GUI at 10.200.3.1 using username admin and
password password.

To register Remote-FortiGate from FortiAnalyzer


1. On the Local-Windows VM, open a browser and log in to the FortiAnalyzer GUI at 10.0.1.210 using the user
name admin and password password.
2. Click ADOM2.

This ensures that Remote-FortiGate will be registered to ADOM2.

3. Click Device Manager.


4. Click Add Device.

5. Configure the following settings:

Field               Value
IP Address          10.200.3.1
                    This is the IP address of Remote-FortiGate. See the Network Topology section for more information.
SN                  The serial number of Remote-FortiGate. You can find this serial number on the dashboard of Remote-FortiGate.
Device Name         Remote-FortiGate
Device Model        FortiGate-VM64
Firmware Version    6.0

6. Click Next.
A success message appears.

7. Click Finish.
The Device Manager indicates that Remote-FortiGate is now a registered device.

8. Examine the Logs column.

FortiAnalyzer indicates it is not receiving logs (red circle).

You will diagnose this issue later in this lab.

9. Log out of FortiAnalyzer.

Accept a Device Registration Request

In this scenario, the Security Fabric has been preconfigured on ISFW and Local-FortiGate, and both FortiGate
devices have already requested registration on FortiAnalyzer. You will review the Security Fabric settings, and
then review and accept the connection request. Once you accept the request, the devices are registered.

If you use this registration method, you do not need to use the device registration wizard to register a device as
you did in the previous procedure.

To review the Security Fabric on ISFW and Local-FortiGate


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. On the menu on the left side of the window, click Security Fabric > Settings.

3. Review the configuration on Local-FortiGate.

4. Log out of Local-FortiGate.


5. On the Local-Windows VM, open a browser and log in to the ISFW GUI at 10.0.1.200 with the user name
admin and password password.
6. On the menu on the left side of the screen, click Security Fabric > Settings.
7. Review the configuration.
8. Log out of ISFW.

To accept a device registration request


1. On the Local-Windows VM, open a browser and log in to the FortiAnalyzer GUI at 10.0.1.210 using the user
name admin and password password.
2. Click root.
All FortiGate registration requests go to root.

3. Click Device Manager.
4. Click the Unregistered tile that indicates 2 devices are unregistered.

You will also see a notification in the top-right corner of the GUI.

5. Select both FortiGates and click Add.

The Add Device window opens. Because ADOMs are enabled and you have created additional FortiGate
ADOMs, you can now select which ADOM you want to register the devices on.

6. Select ADOM1 and click OK.

The dialog box closes automatically when the progress reaches 100%.

7. Switch to ADOM1.

You will see a yellow triangle with an exclamation point.

8. Click the yellow triangle with the exclamation point.


It will ask for authentication.

9. Enter the Local-FortiGate credentials (username admin and password password) and click OK.

Both devices are now registered.

10. Examine the Device Name and Logs columns.


You will notice the security fabric group name at the top. This indicates that ISFW and Local-FortiGate are part of
the security fabric group called Training-Lab.
FortiAnalyzer indicates it is receiving logs (green circle).

Stop and think!


Why does FortiAnalyzer indicate it is receiving logs from Local-FortiGate and ISFW (green circle), but not
from Remote-FortiGate (red circle)? You will diagnose this issue next.

Exercise 2: Troubleshooting Device Communication

In Device Manager, you saw that the registered devices Local-FortiGate, ISFW, and Remote-FortiGate have
different statuses with FortiAnalyzer.

FortiAnalyzer showed it was receiving logs successfully from Local-FortiGate and ISFW, but not from Remote-
FortiGate.

Now you'll troubleshoot.

Verify Device Registration

A quick way to verify device registration with FortiAnalyzer is to use the diagnose dvm device list
command. This command lists each device's serial number, IP address, name, and registered ADOM.

To verify device registration information


1. On the Local-Windows VM, open PuTTY and connect over SSH to the FORTIANALYZER saved session.
2. Log in using username admin and password password and run the following command to view which ADOM
your devices are currently registered on:

# diagnose dvm device list

The CLI output formatting is easier to read if you maximize your PuTTY window.

The output indicates that there are three devices currently registered: ISFW (10.0.1.200) on ADOM1,
Local-FortiGate (10.0.1.254) on ADOM1, and Remote-FortiGate (10.200.3.1) on ADOM2.

Verify Device Communication

A device that successfully registers with FortiAnalyzer is not necessarily communicating successfully with it.
As you have identified, Remote-FortiGate is registered with FortiAnalyzer, but log communication is down.

To verify FortiAnalyzer log connectivity from the FortiGate side
1. On the Local-Windows VM, open another PuTTY application and connect over SSH to the REMOTE-FORTIGATE
saved session.
2. Log in using username admin and password password and run the following command to view log connectivity
to FortiAnalyzer:
# execute log fortianalyzer test-connectivity

Output should indicate that logging to FortiAnalyzer is not enabled.

3. Leave the REMOTE-FORTIGATE PuTTY session open because you will use it again shortly.
4. Open another PuTTY application and connect over SSH to the ISFW saved session.
5. Log in using username admin and password password and run the following command to view log connectivity
to FortiAnalyzer:
# execute log fortianalyzer test-connectivity

The output should indicate that logging connectivity is allowed.

These results indicate that the issue probably exists on the Remote-FortiGate side and not FortiAnalyzer.

Troubleshoot Device Communication

So far, diagnostics indicate that logging connectivity is not enabled on Remote-FortiGate.

A quick way to verify whether logs are actually being sent from Remote-FortiGate to FortiAnalyzer is to
enable real-time debugging on the oftpd process on FortiAnalyzer and run some test traffic through Remote-
FortiGate. This should also confirm the logging connectivity results.

To verify if FortiAnalyzer is receiving logs from FortiGate


1. Continuing on your FORTIANALYZER PuTTY session, enter the following command to enable the real-time
debugging on the oftpd process between FortiAnalyzer and Remote-FortiGate:

# diagnose debug enable

# diagnose debug application oftpd 8 10.200.3.1

2. Return to the REMOTE-FORTIGATE session and enter the following command to create some test logs:

It is helpful to have both PuTTY windows side by side, so you can see the output as it
occurs.

# diagnose log test

3. Return to your FORTIANALYZER PuTTY session.


Do you see any logs from IP 10.200.3.1 (the Remote-FortiGate device)?

FortiAnalyzer did not receive any logs from Remote-FortiGate.

4. Perform a log test on ISFW so you know what you should see when the connection is successful:
a. In the FortiAnalyzer PuTTY session, press the up arrow to retrieve the last command you entered, delete the
Remote-FortiGate IP and type 10.0.1.200 (this is the IP for ISFW).
b. Return to the ISFW session and enter the following command to create some test logs:

It is helpful to have both PuTTY windows side by side, so you can see the output as it
occurs.

# diagnose log test


c. Return to your FortiAnalyzer PuTTY session.
Do you see any logs from IP 10.0.1.200 (the ISFW device)?

FortiAnalyzer received the test logs sent by ISFW. The information we see here aligns with what we see
for the device communication: FortiAnalyzer is communicating with ISFW, but not with Remote-
FortiGate.

5. Continuing on the FORTIANALYZER PuTTY session, type the following commands to stop the debug:

Press Enter a few times to get a fresh prompt.

# diag debug disable

# diag debug application oftpd ""

6. Close all the PuTTY sessions.

Resolve a Down Connection

FortiAnalyzer diagnostics indicate that logs are not being received from Remote-FortiGate.

Since the Remote-FortiGate device was the device you registered on the FortiAnalyzer side (using the device
registration wizard), you should check the following:

l Is FortiGate enabled for remote logging to FortiAnalyzer?


l What are the logging filters on Remote-FortiGate?

To resolve a down connection


1. On the Local-Windows VM, open a new browser tab and log in to the Remote-FortiGate GUI at 10.200.3.1
using the username admin and password password.
2. On the menu on the left side of the window, click Log & Report > Log Settings.
3. Examine the Remote Logging and Archiving section. Is remote logging to FortiAnalyzer enabled and
configured?

Remote logging is not enabled.

4. Enable Send Logs to FortiAnalyzer/FortiManager.


5. Configure the following settings:

Field           Setting
IP Address      10.200.1.210
                This is the IP of FortiAnalyzer for Remote-FortiGate.
Upload Option   Realtime
                For the purposes of this lab, we are using real-time so you can see the logs instantly.

6. Click Apply.
7. In the Remote Logging and Archiving section, click Test Connectivity.
Are the devices connected?

10. Log out of Remote-FortiGate and, continuing on the FortiAnalyzer GUI, select ADOM2.
11. Click (or refresh) Device Manager.
In the registered device Logs column, does FortiAnalyzer indicate it is receiving logs from Remote-FortiGate
(green circle)?

You can run execute log fortianalyzer test-connectivity on
Remote-FortiGate again to see that log connectivity is enabled.

13. Optional! It is always a good idea to check your logging filters on the FortiGate firewall policies to ensure you get
the logs you are expecting:
a. Log in to the Local-FortiGate GUI using the username admin and password password and click Policy &
Objects > IPv4 Policy.
b. Review the Logging Options section for all the policies.
You should see All Sessions enabled for both policies and some security profiles enabled. While logging all
sessions requires more system resources and storage space, it is always a good option when you want to
verify that logging has been set up successfully.

14. Close the browser.
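As an added example that is not part of the lab guide, the same fix and checks can be done from the Remote-FortiGate CLI instead of the GUI, using the values the lab specifies. Lines beginning with # are comments, commands are shown without the prompt, and <policy-id> is a placeholder for a real policy ID.

```fortios
# Added example (not from the lab guide): enabling FortiAnalyzer logging on
# Remote-FortiGate from the FortiOS CLI. Values are the ones the lab specifies.

# 1. Confirm the current state. Before the fix, the test reports that logging
#    to FortiAnalyzer is not enabled, and the setting shows status disable.
execute log fortianalyzer test-connectivity
show log fortianalyzer setting

# 2. Enable remote logging. 10.200.1.210 is the FortiAnalyzer IP as seen from
#    Remote-FortiGate; upload-option realtime matches the "Realtime" upload
#    option selected in the GUI, so logs appear on FortiAnalyzer immediately.
config log fortianalyzer setting
    set status enable
    set server 10.200.1.210
    set upload-option realtime
end

# 3. Re-test from the FortiGate side. The output should now show that log
#    connectivity is allowed; Device Manager in ADOM2 on FortiAnalyzer should
#    show a green circle in the Logs column.
execute log fortianalyzer test-connectivity

# 4. Generate a test log and watch it arrive in the oftpd debug on FortiAnalyzer
#    (diagnose debug application oftpd 8 10.200.3.1 there, as in the exercise).
diagnose log test

# 5. Check the logging filters. Remote logging only carries what the firewall
#    policies log, so confirm each policy logs all sessions (the GUI's
#    "All Sessions" option). <policy-id> is a placeholder.
show firewall policy <policy-id>
# Expected in the policy output:
#     set logtraffic all
```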

You have completed Lab 3.

Lab 4: Logs

In this lab, you will generate some traffic so you can see where logs are stored on FortiAnalyzer, what information
is included in logs, and different ways of viewing log data. But before you generate traffic, you will gather
information about your FortiAnalyzer performance benchmarks and log storage policies.

You will also enable some event handlers so you can receive notifications when specific traffic passes through the
network.

After traffic has passed through the network for a while, you will examine your used storage statistics and modify
the ADOM disk quota based on those results.

Objectives
l Gather benchmark diagnostics
l Enable event handlers
l Examine logs and event handler notifications
l Gather logs statistics and used storage information
l Modify disk quota
l Move a device to a different ADOM

Time to Complete
Estimated: 75 minutes

Exercise 1: Gathering Benchmark Diagnostics

Before you start generating traffic, you should be aware of the system resources for FortiAnalyzer as well as the
log storage policies. This can help you properly manage your device and the logs being stored.

View System Resource Information

You can view the real-time and historical usage status of the CPU, memory, and hard disk on FortiAnalyzer. You
can monitor these statistics over time to see how your device is performing.

You can also use the FortiAnalyzer CLI commands get system status and get
system performance to view this information.

To view system performance information


1. On the Local-Windows VM, open a browser and log in to the FortiAnalyzer GUI at 10.0.1.210 as admin and
password password.
2. Click ADOM1.
3. Click System Settings.
4. On the dashboard, examine the System Resources widget.
You can click the refresh icon to get the latest statistics.

Diagnostic Result

What is the CPU usage?

What is the memory usage?

What is the disk usage?

5. Click the Edit icon to view the historical usage over the past hour.

Gather Data Policy and Disk Utilization Information

You should also be aware of your disk quota for each ADOM. This can help prevent any log storage issues that
may occur, especially if some devices produce a high volume of logs.

You can also use the FortiAnalyzer CLI command diagnose log device to
obtain this information.

To check log storage information


1. Continuing on the FortiAnalyzer GUI (ADOM1), click System Settings.
2. On the menu on the left side of the window, click Storage Info.
3. Double-click (or edit) ADOM1 and view the data policy and disk utilization policies.

How long are logs configured to be kept in the SQL database (Keep Logs for Analytics)?

This is the number of days you can view information about the logs on FortiView, Event
Management, and Reports. After the specified amount of time expires, logs are
automatically purged from the SQL database.

How long are logs configured to be kept in the compressed state (Keep Logs for Archive)?

When logs are in the compressed state, you cannot view information about the log
messages on FortiView, Event Management, and Reports. After the specified amount of
time expires, archive logs are automatically deleted from FortiAnalyzer.

What is the maximum amount of FortiAnalyzer disk space available to use for logs?

Note: The reserved space is already deducted from this total.

How much disk space is allotted to ADOM1 (out of Available)?

What is the allotted disk space percentage available for indexed (analytics) and
compressed (archive) logs?

Analytics logs require more space than archive logs.

At what fullness are alert messages to be generated and logs automatically deleted?

The oldest archive log files or analytics database tables are deleted first.

The log storage information for ADOM2 is the same. It is the same ADOM type (FortiGate) as ADOM1 and
they are both in the default state.

4. Click Cancel to close the window.

Exercise 2: Enabling Event Handlers

In this exercise, you will enable some of the default event handlers. Event handlers define what messages to
extract from the logs and display in Event Management. You will also configure an event handler notification to
send over email.

Later, after FortiAnalyzer starts collecting logs, you can see what event handlers hit and investigate one of the
events.

To configure alerts for event handlers


1. On the Local-Windows VM, open a browser and log in to the FortiAnalyzer GUI at 10.0.1.210 as admin and
password password.
2. Click ADOM1.
3. Click Event Manager.
4. From the left menu, click Event Handler List.

5. Select IPS - High Severity and select Edit.


6. By default, the status is enabled for this event handler.

This event handler creates events for any IPS log that has a severity level of critical. It is also configured for
all devices in ADOM1 (event handlers are configured for each ADOM).

7. In the Notifications section, configure the following:

Field             Setting
Send Alert Email  <enable>
To                admin@training.lab
From              admin@training.lab
Subject           IPS High Severity Event Notification

Email Server      Click the plus sign and add the following:
                    SMTP Server Name: Mail_Server
                    Mail Server: 10.200.1.254
                  Click OK, and then select Mail_Server:10.200.1.254 from the Email Server drop-down menu.
                  Note: This mail server has been preconfigured for you.

8. Click OK.
You successfully enabled this event handler and configured notifications to be sent over email.

9. Review the status of the following event handlers:


l IPS - Critical Severity
l UTM App Ctrl Event
l UTM Web Filter Event

You can double-click each event handler to view the settings. However, for the
purposes of this lab, we are using the default settings. These are also not configured
to send alerts over email.

Based on the traffic you will generate in the next exercise, these event handlers will return some hits (only
IPS - High Severity is configured to send notifications over email). In a real-world situation, you would only
enable those event handlers for which you want notifications.

Exercise 3: Generating Traffic

For the purposes of this lab, you need to generate traffic so you can see the logs received by FortiAnalyzer.

The traffic you generate will go through ISFW and Local-FortiGate. The firewall
policies have been preconfigured for you and logging for all sessions is enabled. To
view the firewall policies in the Local-FortiGate GUI, click Policy & Objects > IPv4
Policy.

You will use two different tools to create different types of traffic.

Generate Traffic with FIT

The firewall inspection tester (FIT) VM generates web browsing traffic, application control, botnet IP hits,
malware URLs, and malware downloads.

In this lab, you will direct FIT-generated traffic through the ISFW Full_Access firewall policy. This firewall policy
has been preconfigured for you and includes the following security policies and logging options:

Because FIT-generated traffic will originate from the IP of the FIT VM (10.0.3.20),
all these logs will show the same source IP in the FortiAnalyzer logs. This is a
limitation of the lab environment. In a real-world scenario, you will likely see many
different source IPs for your traffic.

To generate traffic through FIT
1. On the Local-Windows VM, open PuTTY and connect to the FIT saved session (connect over SSH).
2. Log in as student with the password password.
3. Type the following command to change the default route of FIT to send traffic through ISFW. (Please refer to the
Network Topology on page 5).
$ sudo ip route change default via 10.0.3.254 dev ens37

4. After you enter the above command, you are asked to enter the password again.
5. You can check the default route by using the following command:
$ ip route

6. Type the following commands:

# cd FIT

# ./fit.py all --repeat

Traffic begins to generate, and the script repeats each time it completes.

7. Leave the PuTTY session open (you can minimize it) so traffic continues to generate. This will run throughout the
remainder of the labs.

Do not close the FIT PuTTY session or traffic will stop generating.

Generate Traffic Through Nikto

Nikto generates intrusion prevention system (IPS) traffic.

You will direct the Nikto-generated traffic through the Local-FortiGate IPS-traffic-policy firewall policy. This
firewall policy has been preconfigured for you and includes the following security policies and logging options:

Because Nikto-generated traffic will originate from the IP of the Linux VM where Nikto
is installed (10.200.1.254), all these logs will show the same source IP in the
FortiAnalyzer logs. This is a limitation of the lab environment. In a real-world scenario,
you will likely see many different source IPs for your traffic.

To generate traffic through Nikto


1. Continuing on Local-Windows, open a second PuTTY application and connect to the LINUX saved session
(connect over SSH).
2. Log in as student with password password.
3. Type the following command:
nikto.pl -host 10.200.1.10

The vulnerability scanning will result in traffic beginning to generate.

The scan continues for approximately 25 minutes. When it is complete, the window displays an End Time and
an indication that 1 host(s) tested.

Once the scan completes, you can run the command again (press the up arrow, and then press Enter) to
generate more logs, but it is not required. One cycle provides enough logs for the purposes of this lab.

4. Leave the PuTTY session open (you can minimize it) so traffic continues to generate. This will run for the
remainder of the labs.

Do not close the LINUX PuTTY session or traffic will stop generating.

Exercise 4: Examining Logs and Notifications

There are many ways to view logs in FortiAnalyzer. In order to get familiar with the options that are available to
you, in this exercise you will explore some different views:

l Log View
l FortiView

Not all views will be populated because of the simulated traffic limitations in this lab.

Log View

Log View allows you to view traffic logs (also referred to as firewall policy logs), event logs, and security logs for
each device (or for each log group, which is a feature we are not using in this lab).

When ADOMs are enabled, each ADOM has its own information displayed in Log View.

Log View displays log messages from analytics logs and archive logs:
l Historical logs and real-time logs in Log View are from analytics logs
l Log Browse can display logs from both the current, active log file and any of the compressed log files
In this exercise, you will examine traffic logs and security logs only.

To view logs in Log View
1. On the Local-Windows VM, open a browser and log in to the FortiAnalyzer GUI at 10.0.1.210 as admin and
password password.
2. Select ADOM1.
3. Click Log View.
4. In the menu, on the left side of the window, select Traffic.
5. Explore the different ways of viewing logs, such as real-time, historical, and raw:
l On the right side of the GUI, click Tools > Real-time Log.

You should see traffic logs in real time and in the formatted view.

Note that you can click Pause to stop the traffic if you want to look at one or more logs without losing
them among all the real-time logs constantly dropping in. Click Resume to resume.

Real-time logs are temporarily considered compressed, but are indexed as soon as
FortiAnalyzer has available CPU and memory.

l Click Tools > Historical Log.


You should see formatted, historical logs according to the filters that are set. For example, All Devices,
Last 1 hour. Historical logs are the default view. Double-click a log for more details.

You can view details about historical logs, as they have been indexed in the SQL
database.

l Click Tools > Display Raw.


You should see the raw logs (not formatted).

While logs are compressed, they are considered offline, and you cannot view details
about the logs in Log View (or FortiView). You also cannot customize the columns.

6. Click Tools > Formatted Log to return the view to formatted logs.
7. Now, from the left menu, click Security to examine the security logs.
Security logs from FortiAnalyzer include antivirus, web filtering, application control, intrusion prevention,
email filtering, data leak prevention, vulnerability scan, and VoIP. The logs displayed on FortiAnalyzer are
dependent on the device type logging to it, the traffic, and the features enabled. In this lab, only Web Filter,
Application Control, and Intrusion Prevention logs are triggered.

You can also view security logs in real-time or historical, and in raw or formatted
format.

l In the left menu, click Security > Web Filter.


You should see all logs that match web filter traffic. Double-click a log for more details.

l Click Security > Application Control.

You should see all logs that match application control traffic. Double-click a log for more details.

l Click Security > Intrusion Prevention.


You should see all logs that match IPS traffic. Double-click a log for more details.

Use Log Filters


You can use log filters to narrow down search results and locate specific logs.

Tips:

l Check the filter drop-down list first to see if it contains the SQL column filter name on which you want to filter. This
way, you can select it from the list and ensure the filter name is properly formed.
l Add the column name on which you want to search from the Column Settings drop-down list if you are unsure
what the properly formed column name is.
l Ensure your time filter covers the logs for which you are searching.
l Ensure the device is set accordingly for the logs you want to return.
l Verify whether case sensitive search is enabled or disabled (Tools).
l Ensure you are searching on the appropriate log type for the logs you want to return (for example, Traffic, Web
Filter, Application Control, IPS, and so on).
l Ensure you are not in the raw log view, as you cannot filter on raw logs (only historical and real-time).
l Ensure you are not filtering in real-time logs if you want to search on historical logs.
l Ensure you click Go after you set your filters.
Use filters to find the following logs in ADOM1.

To use log filters


1. Still in the FortiAnalyzer GUI (ADOM1), go to Log View.
2. Locate the following logs:
l Web Filter logs on Training-Lab security fabric device group over the past 1 hour with a specific Category
Description (for example, gambling, phishing, malicious websites).

l Application Control logs on Training-Lab security fabric device group over the past 1 hour with a specific
Application Category (for example, general interest, web client).

l Intrusion Prevention logs on Training-Lab security fabric device group over the last 30 minutes with a
Threat Level of high.

As you can see, the Threat Level filter string doesn't appear in the filter drop-down
list. Try adding the Threat Level column and refreshing the page. The filter string now
appears in the filter drop-down list.

FortiView

You can view summaries of log data in FortiView in both tabular and graphical formats. For example, you can
view top threats to your network, top sources of network traffic, and top destinations of network traffic, to name a
few. For each summary view, you can drill down into details.

When ADOMs are enabled, each ADOM has its own data analysis in FortiView.

To view logs in FortiView


1. From the left-hand drop-down menu, click Log View > FortiView.
2. Examine (and experiment with) the following views and feel free to add any notes:

Set your time filters appropriately!

Category                  View                Notes
Summary                                       Displays an overview of the most used summary views (each summary view is called a widget on the Summary page).
Threats                   Top Threats         Displays a list of the top threats to your network.
                          Compromised Hosts   Displays any hits using fresh threat intelligence against current logs. Note: If there are no hits, try coming back later after FortiAnalyzer has collected more logs.
Traffic                   Top Sources         Displays information about the sources of network traffic by source IP address and interface.
                          Top Destinations    Displays information about the top destinations of network traffic by destination IP addresses and the application used to access the destination.
                          Top Countries       Displays information about top countries in terms of traffic sessions, including threat score and destination.
                          Policy Hits         Displays information about the FortiGate policy hits: the name of the policy, the name of the FortiGate device, and the number of hits.
Applications & Websites   Top Applications    Displays information about the top applications being used on the network, including the application name, category, and risk level.
                          Top Web Sites       Displays information about the top categories, browsing time, threat score, and sessions.

View Event Notifications

Now let's see your event notifications based on the event handlers you configured. These notifications will allow
you to act quickly on any threat to your network.

To view event notifications in Event Manager


1. Continuing on the FortiAnalyzer GUI (ADOM1), from the left-hand drop-down menu, click FortiView > Event
Manager.

You should see many different event types based on the event handlers you configured. This includes IPS,
Web Filter, and Application Control events.

2. Expand the event for any IPS and review all the events matching the signature.

You can use the search field to narrow your results.

3. Double-click any sub-event to review all the logs related to the event.
Use the back arrow to go back to the Event List.
4. Refresh the page to ensure any search filters are removed.
5. After you examine the event notification, right-click the event and click Acknowledge to remove it from the event
notification list. Optionally, you can add a comment and click Save Comment before you acknowledge it.
The details include summary information about the event as well as all the corresponding logs.

6. You can enable Show Acknowledged to view all acknowledged events.

To view event notifications in email
1. From the Local-Windows desktop, open the Mozilla Thunderbird application.

2. In the admin@training.lab inbox, you should see event notifications for the IPS - High Severity event handler you
configured.

If you do not see the emails, click Get Messages in the top-left corner.

3. View any email to see what details are included.

You can use the Log ID to search for this log in the FortiAnalyzer GUI. The Reference URL links to the
FortiGuard Threat Research and Response page for this particular vulnerability.
4. Close Mozilla Thunderbird.

Exercise 5: Viewing Log Statistics and Used Storage Space

Now that FortiAnalyzer is collecting logs, you should view your log statistics and used storage space to determine
whether your FortiAnalyzer is adequately configured to store the logs it receives from the registered devices in
your network.

In this exercise, you will:

l View the raw log receiving rate
l View the insert rate vs. receive rate
l View used storage statistics

View the Raw Log Receiving Rate

The fortilogd daemon is the process responsible for receiving the raw logs at FortiAnalyzer. Multiple diagnostic
commands show the rate at which the logs and messages are received and the status of the process.

This will allow you to identify and understand:

l The log rate
l The log message rate
l The log message volumes and whether they are well-balanced among the devices
l The log message type distribution (traffic, event, and so on)

To view the raw log receiving rate


1. In Local-Windows, open a PuTTY application and connect to the FORTIANALYZER saved session (connect over
SSH).
2. Log in using username admin and password password, and enter the following commands to view fortilogd
daemon information:

Diagnostic / Command

Diagnostic: What is the log rate every second / 30 seconds / 60 seconds?
Command: diagnose fortilogd lograte

Diagnostic: What is the message log rate every second / 30 seconds / 60 seconds?
Command: diagnose fortilogd msgrate
Note: One log message can consist of multiple logs in LZ4 format. As such, the rate should be lower for msgrate than lograte.

Diagnostic: What is the log message rate per device per second?
Command: diagnose fortilogd msgrate-device
Note: Since all traffic is going through Local-FortiGate and ISFW, the totals for Local-FortiGate and ISFW should be higher than for Remote-FortiGate.

Diagnostic: What is the log type distribution per second?
Command: diagnose fortilogd msgrate-type
Note: FortiGate only sends two types of log files to FortiAnalyzer: tlog (traffic) and elog (event). All UTM logs are sent with tlog.

3. Close your FORTIANALYZER PuTTY session.

View the Insert Rate vs. Receive Rate

The FortiAnalyzer dashboard includes a widget that shows the rate at which raw logs are reaching the
FortiAnalyzer (receive rate) and the rate at which the sqlplugind daemon indexes them into the SQL database
(insert rate).

Another widget displays the log insert lag time (how many seconds the database is behind in processing the logs).

To view log rates


1. On the Local-Windows VM, open a browser and log in to the FortiAnalyzer GUI at 10.0.1.210 using
username admin and password password.
2. Click ADOM1.
3. Click System Settings.
4. On the dashboard, view the information in the following widgets:
l Insert Rate vs. Receive Rate
At any point, is the log receive rate higher than the log insert rate? This indicates that the raw logs are
being received faster than they can be indexed (inserted) in the database.

FortiAnalyzer 6.0 Lab Guide 67


Fortinet Technologies Inc.
DO View
NOT REPRINT
Used Storage Statistics Exercise 5: Viewing Log Statistics and Used Storage Space

© FORTINET
l Log Insert Lag Time
At any point, is there a high lag time? This indicates how many seconds the database is behind in
processing the logs.
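The relationship between the two widgets can be made concrete with a small model. The following Python is an added example, not FortiAnalyzer code or the appliance's own measurement: it replays constructed per-second receive counts against an assumed insert capacity, derives the backlog and an estimated lag time, and flags a lag that persists rather than a brief spike. The burst size, the 100 logs/second capacity, and the lag definition (time to drain the backlog at full insert capacity) are all assumptions of the model.

```python
"""Constructed model of the Insert Rate vs. Receive Rate and Log Insert Lag Time
widgets. Added example, not FortiAnalyzer code; rates and capacity are assumed."""
from dataclasses import dataclass
from typing import List


@dataclass
class Sample:
    second: int
    received: int        # raw logs reaching fortilogd this second (receive rate)
    inserted: int        # logs indexed into the SQL database this second (insert rate)
    backlog: int         # logs received but not yet indexed
    lag_seconds: float   # estimated seconds the database is behind


def simulate(received_per_sec: List[int], insert_capacity: int) -> List[Sample]:
    """Replay per-second receive counts against a fixed insert capacity.

    Whenever more logs arrive than can be inserted, the surplus joins the
    backlog. Lag is estimated as the time needed to drain that backlog at full
    insert capacity (this model's assumption, not the appliance's definition).
    """
    backlog = 0
    samples: List[Sample] = []
    for t, received in enumerate(received_per_sec):
        available = backlog + received
        inserted = min(available, insert_capacity)
        backlog = available - inserted
        lag = backlog / insert_capacity if insert_capacity else float("inf")
        samples.append(Sample(t, received, inserted, backlog, lag))
    return samples


def peak_lag(samples: List[Sample]) -> float:
    """Highest estimated lag seen during the run."""
    return max(s.lag_seconds for s in samples)


def sustained_lag(samples: List[Sample], threshold_seconds: float, window: int) -> bool:
    """True if lag exceeds threshold_seconds for `window` consecutive seconds.

    A short spike during a burst is normal; a sustained lag means the database
    is consistently behind and indexing capacity or log volume needs attention.
    """
    run = 0
    for s in samples:
        run = run + 1 if s.lag_seconds > threshold_seconds else 0
        if run >= window:
            return True
    return False


# Constructed input: a 10 s burst (like the FIT/Nikto generators) then a quiet period.
BURST = [150] * 10 + [20] * 10
CAPACITY = 100  # assumed insert capacity in logs per second


if __name__ == "__main__":
    for s in simulate(BURST, CAPACITY):
        flag = "  <- receive rate above insert rate" if s.received > s.inserted else ""
        print(f"t={s.second:2d} recv={s.received:3d} ins={s.inserted:3d} "
              f"backlog={s.backlog:3d} lag={s.lag_seconds:.1f}s{flag}")
    print("peak lag:", peak_lag(simulate(BURST, CAPACITY)), "s")
    print("sustained >2 s for 3 s:", sustained_lag(simulate(BURST, CAPACITY), 2.0, 3))
```

During the burst the receive rate exceeds the insert rate and the lag climbs one second for every two seconds of burst; once traffic drops, the backlog drains and the lag returns to zero.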

View Used Storage Statistics

Earlier, you obtained your data policy and disk utilization information. Now that FortiAnalyzer has collected some
logs, you'll look at the current status for the used storage.

You can also use the FortiAnalyzer CLI command diagnose log device to
obtain this information.

To view the current used storage


1. Continuing on the FortiAnalyzer GUI (ADOM1), from the left-hand drop-down menu, click System Settings > Log
View > Storage Statistics.
2. Hover your cursor over the analytic and archive quotas (which are rounded) to get more specific statistics.

Exercise 6: Modifying Disk Quotas

In this exercise, you will compare the storage space available on both ADOMs. Then you will modify the disk
quota on your ADOMs to reflect what is happening.

Compare Storage Space Between ADOMs

In this exercise, you will run a CLI command so you can compare the used storage space between ADOM1 and
ADOM2. Remember, you ran all your traffic through Local-FortiGate and ISFW, which are located in ADOM1.

To compare storage space


1. In Local-Windows, open a PuTTY application and connect to the FORTIANALYZER saved session (connect over
SSH).
2. Log in using username admin and password password, and enter the following command to check the storage
space for each ADOM:

The CLI output formatting is easier to read if you maximize your PuTTY window.

# diagnose log device

You should see that ADOM1 is using more of its log storage and database storage than ADOM2.

Modify Disk Quota

The diagnose log device output indicated that ADOM1 is receiving more traffic than ADOM2. In the real
world, if you were consistently seeing high log volume in a specific ADOM over a reasonable amount of time, it
might cause your disk to fill up and result in lost logs. In that case, you would do one of the following:

l Modify your firewall policies to reduce the amount of traffic you are monitoring
l Modify your disk quotas

The easiest way to resolve this imbalance in ADOM disk usage is to modify your disk quotas, because it
allows you to keep your firewall policies intact.

As such, in this exercise you will increase the disk quota in ADOM1, which is the ADOM receiving the most traffic.

To modify the disk quota


1. On the Local-Windows VM, open a browser and log in to the FortiAnalyzer GUI at 10.0.1.210 with the
username admin and password password.
2. Click ADOM1.
3. Click System Settings.
4. In the left menu, select All ADOMs and then edit ADOM1.
5. Modify the maximum allowed disk utilization from 1000 MB to 5000 MB.

6. Click OK.
You successfully increased your disk storage in ADOM1.

Exercise 7: Moving Device with Logs Between ADOMs

As you expand your network, or as your organizational structure changes, you may need to reorganize your
devices in ADOMs. Accordingly, in this exercise, you will move two devices out of one ADOM and into another.

As mentioned in the Device Registration and Communication lesson, when you move a device into a different
ADOM, the archive (compressed) logs are migrated to that ADOM, but the analytics (indexed) logs do not
migrate.

As such, you need to rebuild the ADOMs to move the analytics logs into the new ADOM and delete them from the
old ADOM.

In a real-world scenario, you would perform this procedure during a low maintenance
time, when little traffic is passing through the device you are moving.

Gathering Log and ADOM Information

Before you move a device out of an ADOM, there is some information of which you should first be aware:

l The disk quota set on the current ADOM (System Settings > All ADOMs)
Since the disk quota is set for each ADOM and not for each device, you do not necessarily need to match the disk
quota of the current ADOM on the new ADOM; the new ADOM may contain fewer devices than the current one,
for example. However, you do need to ensure your new ADOM will have enough space for the device you are
moving into it.

In this lab environment, ADOM1 currently has a 5000 MB disk quota.

l The volume of logs (System Settings > Storage Info or # diagnose log device)
Although the disk quota is set for each ADOM, it is important to know the actual log volume associated with the
device you are moving. You need to ensure the new ADOM, at minimum, has enough space to hold the
device's current logs. You will still need to select a disk quota with future logs in mind, though.

Move a Device to a Different ADOM

Since the Local-FortiGate and ISFW devices in ADOM1 contain the logs from all the traffic you have been
generating through FIT and Nikto, you will move both FortiGates out of ADOM1 and into a new ADOM called NEW.

To move a device to a different ADOM


1. On the Local-Windows VM, open a browser and log in to the FortiAnalyzer GUI at 10.0.1.210 as admin and
password password.
2. Click ADOM1.
3. Click System Settings.
4. In the left menu, select All ADOMs and click Create New.
5. Complete the following to create a new ADOM for Local-FortiGate and ISFW:

Field / Value

Name: NEW
Type: FortiGate

6. Click Select Device and, from the Select Device pane that opens, select Local-FortiGate and ISFW.
Local-FortiGate and ISFW are added to the Devices list for the NEW ADOM.

7. Click Close after selecting devices.


8. Under Disk Utilization, modify the Maximum Allowed setting to 1000 MB.

At minimum, the disk quota should support the volume of logs you are moving into it.

9. Click OK.
10. Click Close.
Both FortiGates move from ADOM1 to the NEW ADOM.

11. Switch into the NEW ADOM and, under Device Manager, verify that Local-FortiGate and ISFW are registered and still
collecting logs.

Rebuild ADOM Database to Migrate Device Logs

Assuming you want the old logs (analytics logs) in the new ADOM so you can run reports against them, and no
longer want to see the device logs in the old ADOM, you need to rebuild the new ADOM database and the old
ADOM database.

Ensure you remember your log volume associated with your Local-FortiGate and ISFW devices (# diagnose
log device).

To verify the location of the Local-FortiGate logs


1. In Local-Windows, open PuTTY and connect to the FORTIANALYZER saved session (connect over SSH).
2. Log in as admin and enter the following command to display log information:
# diagnose test application logfiled 4

3. Confirm the location of the logs by examining the ADOM1 (the old ADOM) and NEW ADOM (the new ADOM).

As you can see, the log-files (archive logs) have moved from ADOM1 to NEW, but ADOM1 still contains the
log-db (analytics logs).

To rebuild the ADOM database


1. Still in the FORTIANALYZER PuTTY session, execute the following command to rebuild the two ADOMs and
transfer the analytics logs.
# execute sql-local rebuild-adom NEW ADOM1

2. Enter y to continue with the operation.

3. Wait a few minutes for the databases to rebuild.


The FortiAnalyzer GUI shows the rebuild progress.

4. Enter the following command to recheck log storage for both ADOM1 and NEW:
# diagnose test application logfiled 4

If you do not see the logs move, wait a few minutes and try again.

The log-db (analytics logs) successfully migrated from ADOM1 to the NEW ADOM.

You can also see that the log-files (archive logs) in NEW were reduced. This is because the logs were
compressed.

You can also see that the log-db in ADOM1 still contains some data, even after the rebuild. This small
amount of data amounts to the system (management) tables.

5. Close your FORTIANALYZER PuTTY session.


6. Close the browser.

You have completed Lab 4.

Lab 5: Reports

In this lab, you will generate a default report, build a chart based on a log search, and perform some diagnostic
checks.

Objectives
l Generate a report
l Build a chart based on a log search
l Run report diagnostics

Time to Complete
Estimated: 20 minutes

Exercise 1: Running a Default Report

In this exercise, you will run one of the default reports on demand. This will allow you to see the report
immediately.

You will also run diagnostics for this report.

To generate a default report


1. On the Local-Windows VM, open a browser and log in to the FortiAnalyzer GUI at 10.0.1.210 with the
username admin and password password.
2. Click NEW.
3. Click Reports.
4. From the left menu, select All Reports.
This page provides all available default reports.

5. Double-click the 360-Degree Security Review report.


6. Click the Settings tab and, in the Time Period drop-down list, select Today.

7. Click Apply.
8. Return to the View Report tab and click Run Report to run the report on demand.

9. When the report is ready, view the report in HTML format.


10. Use the left menu to go to Intrusion and Attacks.

As you can see from the report, both code and SQL injection attacks are occurring in your network.

11. Look for any severity 4 attacks.

12. Click the malware name for the highest severity attack.
This takes you to FortiGuard to learn more information about the attack.

To run diagnostics on a report


1. Return to the FortiAnalyzer GUI, right-click the report you just ran and select Retrieve Diagnostic.
2. Save the file.
3. When complete, view the rpt_status.log file saved to your Downloads folder in Notepad++.
4. Scroll down to the bottom of the file to the "Report Summary" section and record the following:

HCACHE building time

Rendering time

Total time

For example:

5. Return to the FortiAnalyzer GUI, click the Settings tab for the report, and select Enable Auto-cache.

The hcache is updated when new logs come in and new log tables generate. If you do not enable auto-cache,
the report only generates the hcache for the current log tables. Remember, you are currently generating
traffic in your lab.

6. Click Apply.
7. Run the report again and then run diagnostics again. What is the output this time?

HCACHE building time

Rendering time

Total time

For example:

While your lab environment does not have a large number of logs, you can still see that by enabling auto-cache,
the report builds faster. This is more noticeable if you have higher log volumes dropping in.

8. Log out of FortiAnalyzer.

Exercise 2: Building a Chart Based on Log Search

As you were able to see in the 360-degree report, both code and SQL injection attacks are occurring in your
network.

Because injection attacks are one of the most common vulnerabilities in web applications, in this exercise you will
create a chart based on code and SQL injection attacks. You will then add this chart to a report and run it.

To create a chart based on a log search


1. On the Local-Windows VM, open a browser and log in to the FortiAnalyzer GUI at 10.0.1.210 with the
username admin and password password.
2. Click NEW.
3. Click Log View.
4. On the menu on the left side of the screen, click Security > Intrusion Prevention.
5. Add a filter for any Attack Name.

Ensure your time filter is set correctly (includes the time you have been generating traffic).

6. Click Custom View.

While a custom view isn't required to build a chart, it is a nice feature that allows you
to save your filtered searches. Custom View is only available in the historical log
view.

7. Name your custom view Training, and click OK.


8. In your Training custom view, click Column Settings > More Columns.

9. In Column Settings, find and select the column names Attack Name and Source IP, then click OK.
10. In your Training custom view, click Tools > Chart Builder.

Chart Builder is only available in the historical log view.

The dataset query is pre-generated based on your search filters. The Preview window indicates what the
results will look like in a report.

11. Configure the following settings to fine tune your results:

Field / Value

Name: Training_Chart

Columns: Select only the following five columns (clear any other columns that are selected by default):
l Date/Time
l Device ID
l Severity
l Source IP
l Attack Name

Order By: Date/Time

Sort By: Descending

Show Limit: 500

12. Click Preview.


The dataset query updates based on your modifications. Review the following example of a dataset query:

13. View the preview and click Save.


Your dataset and chart are created.

To run a report on the custom chart


1. Continuing on the FortiAnalyzer GUI (NEW), on the drop-down list on the left side of the screen, click Log View
> Reports.
2. Click All Reports, and then click Create New.
3. Configure the following settings:

Field / Value

Name: Training_Report
Create from: Blank

4. Click OK.
The Settings tab for the report appears.

5. In the Time Period drop-down list, select Today.
6. Click the Layout tab, then click Insert Chart.

7. Click the Chart drop-down list, and in the text field start typing Training_Chart and select it when it appears
in the list.
8. Click OK.
9. Click Apply.
10. Optionally, try inserting one of the IPS macros:
a. Click to insert your cursor below the chart you just added to the layout.
b. Click Insert Macro.
c. Click the Macro drop-down list, scroll up to the Intrusion Prevention section, then select any of the default
macros.
d. Type some text to add context to the macro you added. For example, if you selected the Total Number of
Attacks macro, type Total Number of Attacks.
e. Click OK.
f. Click Apply.

11. Click the View Report tab, and then click Run Report.
12. View the HTML format.

You successfully created a report based on a chart and dataset created from a filtered search result.

13. Close the browser.

You've successfully completed the FortiAnalyzer labs!

Stop your log generators by closing the FIT and LINUX PuTTY sessions.


No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
