
DO NOT REPRINT

© FORTINET

FortiAnalyzer
Student Guide
for FortiAnalyzer 5.2.1
Last Updated: 1 June 2016

Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
© 2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents

VIRTUAL LAB BASICS ....................................................................................6

Network topology ....................................................................................................................6

Logging in................................................................................................................................7
Disconnections/timeouts...............................................................................................................................11

Transferring files to the VM.....................................................................................................11

Using HTML5 instead of Java.................................................................................................11

Screen resolution ....................................................................................................................12

International keyboards...........................................................................................................12

Troubleshooting tips................................................................................................................13

LAB 1: INTRODUCTION TO FORTIANALYZER ..................................................15

Objectives ...............................................................................................................................15

Time to complete.....................................................................................................................15

Exercise 1: Logging into the FortiAnalyzer Web-based manager ..........................................16

Exercise 2: Logging into the FortiGate Web-based manager ................................................18

LAB 2: SYSTEM CONFIGURATION ..................................................................20

Objectives ...............................................................................................................................20

Time to complete.....................................................................................................................20

Exercise 1: Increasing the admin idle timeout setting ............................................................21

Exercise 2: Backing up the device configuration ....................................................................22

Exercise 3: Creating an administrative user and profile .........................................................24

Exercise 4: Enabling administrative domains (ADOMs).........................................................30


LAB 3: DEVICE MANAGEMENT .......................................................................32

Lab objectives .........................................................................................................................32

Time to complete.....................................................................................................................32

Prerequisites for lab ................................................................................................................32


Backing up your FortiAnalyzer......................................................................................................................32

Exercise 1: Requesting registration from a supported device ................................................34

Exercise 2: Register a device through the device registration wizard....................................38

Exercise 3: Configuring IPSec communication.......................................................................44

Exercise 4: Creating administrative domains (ADOMs) .........................................................49

LAB 4: LOGS AND ALERTS ............................................................................54

Lab objectives .........................................................................................................................54

Time to complete.....................................................................................................................54

Prerequisites for lab ................................................................................................................54


Backing up your FortiAnalyzer......................................................................................................................54
Backing up your FortiGates ..........................................................................................................................55

Exercise 1: Generating logs....................................................................................................56

Creating and testing Web Filter and Proxy Options profiles ..................................................56

Creating and testing an AntiVirus profile ................................................................................62

Creating and testing an Application Sensor profile ................................................................65

Exercise 2: Examining logs.....................................................................................................70

Exercise 3: Downloading a log file..........................................................................................75

Exercise 4: Configuring an event handler and notification alert .............................................76

Exercise 5: Configuring FortiGate to send content archive data (Data Leak Prevention) .....80

LAB 5: REPORTS ..........................................................................................87

Lab objectives .........................................................................................................................87

Time to complete.....................................................................................................................87
Prerequisites for lab ................................................................................................................87
Backing up your FortiAnalyzer......................................................................................................................87
Backing up your FortiGates ..........................................................................................................................88

Exercise 1: Configuring the basic settings of a default report ................................................89

Exercise 2: Configuring email report notifications ..................................................................92

Exercise 3: Creating a custom dataset, chart, and report ......................................................96

Exercise 4: Modifying the report layout...................................................................................103

Exercise 5: Exporting and importing a report .........................................................................106

APPENDIX A: ADDITIONAL RESOURCES........................................................110

APPENDIX B: PRESENTATION SLIDES ...........................................................111

Lesson 1: Introduction to FortiAnalyzer ..................................................................................112

Lesson 2: Configuration and administration ...........................................................................141

Lesson 3: Device registration .................................................................................................185

Lesson 4: Logs and archives ..................................................................................................217

Lesson 5: Reports ...................................................................................................................276


Virtual lab basics
In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to
the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.

Note: If your trainer asks you to use a different lab, such as devices physically located in
your classroom, please ignore this section. This applies only to the virtual lab accessed
through the Internet. If you do not know which lab to use, please ask your trainer.

Network topology

The topology diagram is rendered here as a list of the lab devices and their interface addresses:

• WINDOWS1 (Win-Student, TrueLab trainingAD.training.lab): 10.0.1.10
• FortiManager: port1 10.0.1.241, port2 10.200.1.241
• FortiAnalyzer: port1 10.0.1.210, port3 10.200.1.210
• FORTIGATE1 (Student FortiGate): port3 10.0.1.254/24, port1 10.200.1.1/24, port2 10.200.2.1/24
• LINUX: eth0, eth1 10.200.1.254, eth2 10.200.2.254, eth3 10.200.3.254, eth4 10.200.4.254
• FORTIGATE2 (Remote FortiGate): port4 10.200.3.1/24, port5 10.200.4.1/24, port6 10.0.2.254/24
• WINDOWS2 (Win-Remote, TrueLab Network 7): 10.0.2.10

FortiAnalyzer Student Guide 6


Logging in
1. Run the System Checker. This will fully verify both:
• compatibility with the virtual lab environment's software, and
• that your computer can connect
It can also diagnose problems with your Java Virtual Machine, firewall, or web proxy.
Use the URL for your location.
North America/South America:
https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM-West
Europe/Middle East/Africa:
https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe
Asia/Pacific:
https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC
If a security confirmation dialog appears, click Run.

If your computer successfully connects to the virtual lab, the result messages for the browser
and network checks will each display a check mark icon. Continue to the next step.

If a browser test fails, this will affect your ability to access the virtual lab environment. If a network
test fails, this will affect the usability of the virtual lab environment. For solutions, either click the
Support Knowledge Base link or ask your trainer.
2. With the user name and password from your trainer, log into the URL for the virtual lab. Either:
https://remotelabs.training.fortinet.com/

https://virtual.mclabs.com/

3. If prompted, select the time zone for your location, then click Update.
This ensures that your class schedule is accurate.

4. Click Enter Lab.

A list of virtual machines that exist in your virtual lab should appear.
From this page, you can access the console of any of your virtual devices by either:
• clicking the device’s square, or
• selecting System > Open.

5. Click K2-Win-Student to open a connection to that server.

A new window should open within a few seconds. (Depending on your account’s preferences, the
window may be a Java applet. If this fails, you may need to change browser settings to allow Java to
run on this web site. You also may need to review and accept an SSL certificate.)

Depending on the virtual machine, the applet provides access to either the GUI or a text-based
CLI. Connections to Windows machines will use a Remote Desktop-like GUI. The applet
should automatically log in, then display the Windows desktop. For most lab exercises, you will
connect to this VM.

Disconnections/timeouts
If your computer’s connection with the virtual machine times out or if you are accidentally
disconnected, to regain access, return to the initial window/tab that contains your session’s list of VMs
and open the VM again.
If your session frequently times out or does not connect, ask your instructor.

Transferring files to the VM


When using the Java applet to connect to a VM, you can drag-and-drop files from your computer to
the VM. For example, if you have a FortiGate configuration file that you want to upload to your lab VM,
you could create it on your computer, then drag it into the Java application window that is connected to
the Windows VM. Usually the destination folder is C:\Uploads.
Alternatively, if you store files in a cloud service such as Dropbox or SugarSync, you can use the web
browser to download them to your VM instead.

Using HTML5 instead of Java


When you open a VM, your browser may download and use a Java application to connect to the
virtual lab’s VM. This means that Java must be installed, updated, and enabled in your browser.
Alternatively, you can use HTML5 instead. Click the Settings button, then select Use Java Client.
Click Save & Disconnect, then log in again. (To use this preference, your browser must allow
cookies.)

When connecting to a VM, your browser should then open a display in a new window or tab.

Screen resolution
Some Fortinet devices' user interfaces require a minimum screen size.
In the Java client, to configure the screen resolution, click the arrow at the top of the window.

In the HTML 5 client, to configure screen resolution, open the System menu.

International keyboards
If characters in your language don’t display correctly, keyboard mappings may not be correct.

To solve this in the HTML 5 client, open the Keyboard menu at the top of the window. Choose to
either display an on-screen keyboard, or send text from your computer to the VM's clipboard.

To solve this in the Java client, copy and paste between your computer and the Java applet, or send
special characters or key combinations using the keyboard icon at the top of the applet window.

Troubleshooting tips
• If the HTML 5 client does not work, try the Java client instead. Remembering this preference
requires that your browser allow cookies.
• Do not connect to the virtual lab environment through a low-bandwidth or high-latency connection,
including VPN tunnels or wireless such as 3G or Wi-Fi. For best performance, use a stable
broadband connection such as a LAN.
• Do not disable or block Java applets. On Mac OS X since early 2014, to improve security, Java
has been disabled by default. In your browser, you must allow Java for this web site. On
Windows, if the Java applet is allowed and successfully downloads, but does not appear to
launch, you can open the Java console while troubleshooting. To do this, open the Control
Panel, click Java, and change the Java console setting to Show console.
Network firewalls can also block Java executables.
Note: JavaScript is not the same as Java.

• Prepare your computer's settings:
  o Disable screen savers
  o Change the power saving scheme so that your computer is always on, and does not go to
sleep or hibernate
• If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal),
please attempt to reconnect. If unable to reconnect, please notify the instructor.
• If during the labs, particularly when reloading configuration files, you see a message similar to the
one shown below, the VM is waiting for a response from the authentication server.

• To retry immediately, go to the console and enter the CLI command:

exec update-now

Lab 1: Introduction to FortiAnalyzer
While there is no lab associated with the Introduction to FortiAnalyzer lesson, this lab will provide
instruction on how to log into the devices you will be using with the other labs, such as the
FortiAnalyzer, Student FortiGate, and Remote FortiGate.
When instructed to log into any of these devices, this lab can be used as a reference.
You can practice logging in to the devices now, or jump ahead to Lab 2: System configuration.

Objectives
• Exercise 1: Access the FortiAnalyzer Web-based manager
• Exercise 2: Access the Student FortiGate and Remote FortiGate Web-based manager

Time to complete
Estimated: N/A

Exercise 1: Logging into the FortiAnalyzer Web-based manager

In this exercise, you will log in to the FortiAnalyzer Web-based manager. For the remainder of this
guide, any time you are instructed to log in to the FortiAnalyzer Web-based manager, you can
reference this procedure.

To log in to the FortiAnalyzer Web-based manager


1. In the virtual lab applet, click Win-Student to launch the virtual Windows desktop.
2. From the Win-Student desktop, open a web browser and enter the following URL to access the
FortiAnalyzer Web-based manager:
https://10.0.1.210

Note: Accept the self-signed certificate or security exemption if a security alert appears.
HTTPS is the recommended protocol for administrative access to FortiAnalyzer. Other
available protocols include SSH, ping, SNMP, HTTP, and Telnet (if they have been
enabled).

The login screen appears.

3. At the login screen, enter the user name admin, leave the password blank, and click Login.

Note: This is the factory default user login for all FortiAnalyzer devices.

The FortiAnalyzer Web-based manager appears.

You have successfully logged in to the FortiAnalyzer Web-based manager.

Exercise 2: Logging into the FortiGate Web-based manager

In this exercise, you will log in to the Student FortiGate Web-based manager and/or Remote
FortiGate Web-based manager. For the remainder of this guide, any time you are instructed to log in
to one of the FortiGate Web-based managers, you can reference this procedure.

To log into the FortiGate Web-based manager


1. From the Win-Student desktop, open a web browser and enter one of the following URLs to access
the Web-based manager for the Student FortiGate or Remote FortiGate:

Student FortiGate: https://10.0.1.254
This URL is to the Student FortiGate. See Network topology for more information.

Remote FortiGate: https://10.200.3.1
This URL is to the Remote FortiGate. See Network topology for more information.

Note: Accept the self-signed certificate or security exemption if a security alert appears.
HTTPS is the recommended protocol for administrative access to FortiAnalyzer. Other
available protocols include SSH, ping, SNMP, HTTP, and Telnet (if they have been
enabled).

The login screen appears.

2. At the login screen, enter the user name admin, leave the password blank, and click Login.

Note: This is the factory default user login for all FortiGate devices.

The Web-based manager for the device appears. You successfully logged in.

Lab 2: System configuration
FortiAnalyzer has already been installed in the remote lab environment.
In this lab, you will use the FortiAnalyzer Web-based manager to set, examine, and become familiar
with some of the configuration settings.

Objectives
• Exercise 1: Increase the admin idle timeout setting
• Exercise 2: Back up the device configuration
• Exercise 3: Create an administrative user and profile
• Exercise 4: Enable administrative domains (ADOMs)

Time to complete
Estimated: 25 minutes

Exercise 1: Increasing the admin idle timeout setting

By default, the idle timeout for the admin user in the FortiAnalyzer Web-based manager is 15 minutes.
While short idle timeout periods are recommended in active deployments to reduce the risk of security
breaches, for the purpose of these labs we recommend extending the idle timeout period to 60
minutes. This gives you the opportunity to perform the exercises without the interruption of
re-authenticating to FortiAnalyzer after 15 minutes of inactivity.
FortiAnalyzer allows you to set an idle timeout between 1 and 480 minutes.

To increase the admin idle timeout setting


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. Click System Settings > Admin > Admin Settings.
Under Administration Settings, in the Idle Timeout field, enter 60.

3. Click Apply to save the change.


You successfully changed the admin idle timeout setting.

Exercise 2: Backing up the device configuration

In this exercise, you will back up the FortiAnalyzer configuration through the Web-based manager.
In an active deployment scenario, it is best practice to back up the device configuration prior to making
any configuration changes. If the new configuration does not perform as expected, you can revert to
the last sane configuration. Likewise, during these labs, it is beneficial to have a backup of the initial
configuration should you need to roll back for any reason.

Note: FortiAnalyzer configuration files are not stored in plain text like FortiGate
configuration files. To see the difference, you can perform a backup of a FortiGate in your
lab environment and compare that configuration file to the FortiAnalyzer configuration file
using a text editor such as Notepad++.

To back up the device configuration from the Web-based manager


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. Click System Settings > Dashboard.
3. Locate the System Information widget, scroll to System Configuration, and click Backup.

Note: Depending on the settings in the web browser, you may be prompted to
select a location and a filename for the system configuration backup file. If not, the
file is saved to the web browser’s default download location.

The Backup dialog box appears.

4. From the Backup dialog box, deselect Encryption and click OK.

Note: For any long-term storage requirements, it is good practice to save password-encrypted
configuration backups of all your appliances. However, for the sake of simplicity in these labs,
we will save the configuration file unencrypted.

You successfully backed up the FortiAnalyzer device configuration through the Web-based
manager.
5. It is highly recommended that you modify the name of the configuration file to identify it as being
created for this lab and exercise. For example, SYS_FAZ-Lab1-Exercise2.dat.

Exercise 3: Creating an administrative user and profile

The goal of this lab is to create an administrative user with restricted access permissions.
In an active deployment scenario, having more than one administrative user makes administering the
network easier, especially if users are delegated specific administrative roles or confined to specific
areas within the network. In a multi-administrator environment, you also want to ensure every
administrator only has permissions necessary for their particular job assignment.
This exercise includes the following procedures:
• To create an administrative profile. As mentioned in the training, each user account must be
associated with an administrator profile. Profiles define administrator privileges, thereby allowing
you to place restrictions on what administrative users can view, modify, or configure. In this
procedure, you will create a new administrator profile.
• To create an administrative user. In this procedure, you will create a new administrative user and
assign the newly created admin profile to the account. You will also view the account configuration
through the CLI and try logging in as the new user to verify that the permission restrictions behave
correctly.
• To control administrative access through trusted hosts. In this procedure, you will restrict access
to the new administrative user account by setting up a trusted host. This restricts administrators to
logins from specific IPs or subnets only.

To create an administrative profile


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. Go to System Settings > Admin > Administrator to view the list of current administrators.

As you can see, the default admin user with which you are logged in is currently the only
administrative user.
3. Next go to System Settings > Admin > Profile to view the default profiles and to create a new
one.

4. Click Create New to create a profile.

The Create Profile page appears.

5. From the Create Profile page, complete the following and click OK:
a) In the Profile Name field, type Network_Admin. This is the name of your administrator profile.
b) From the System Settings option, select Read-Write. This gives the user access to the
features located in the System Settings tab of the Web-based manager.
c) Leave all other options set to their default value of None. This restricts access to the features
available in all other tabs of the Web-based manager.
You successfully created a new administrator profile called Network_Admin.

6. Complete the next procedure to assign this profile to a newly created user.

To create an administrative user


1. Go to System Settings > Admin > Administrator and click Create New.
The New Administrator page appears.

2. From the New Administrator page, complete the following and click OK:
a) In the User Name field, type networkadmin.
b) In the New Password field, type fortinet.
c) Repeat the password in the Confirm Password field.
d) From the Admin Profile drop-down list, select Network_Admin.

Note: The user name and password are both case sensitive.
In addition, if you attempt to set a password that is less than 6 characters in length (or blank),
a warning message prompts you to confirm the use of a short password. There is currently
no password profile in place that enforces any minimum password length or other
requirements, so this is simply a warning.

You successfully created an administrative user called networkadmin and assigned the
Network_Admin profile.

Note that the Status column of the networkadmin user appears with a red down arrow, as the user
is not currently logged in. This is one method administrators can use to see which
administrative users are logged into the system.
3. To view the configuration settings for the networkadmin user in the CLI, complete the
following:
a) Click System Settings > Dashboard.
b) From the CLI Console widget, execute the following command:

show system admin user networkadmin


You can see all the information on this admin user as it is stored in the SQL database. For
example, the password (which is encrypted) and the profileid (admin profile), both things you

configured when creating the user. Everything located under "config dashboard" is the set of System
Settings > Dashboard widgets visible to the networkadmin user. If the networkadmin user
removes one or more of these widgets from their dashboard, the widget will not appear the next
time you execute the "show system admin user networkadmin" command.

4. Click the icon located in the top right corner of the Web-based manager to log out of the
admin user.
The login screen reappears.

5. Test the new administrative user privileges by logging in as the networkadmin user:
• User Name: networkadmin
• Password: fortinet
Once logged in, you can see that all tabs except for the System Settings tab disappear. This is a
result of the Network_Admin profile associated to the user account.

6. Click the icon located in the top right corner of the Web-based manager to log out.

To control administrative access through trusted hosts


7. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
8. Go to System Settings > Admin > Administrator and select the networkadmin user.
The Edit Administrator screen appears.

9. Click Trusted Hosts to expand the section.


The current configuration for the user account's trusted hosts appears. Note that Trusted IPv4
Host 1 is set to 0.0.0.0/0.0.0.0, which means the administrator can log in from any IP and subnet.

10. In the Trusted IPv4 Host 1 field, set the trusted host to: 10.0.1.10/32 and click OK.
If you refer to the network topology diagram (see Network topology), you can see that
10.0.1.10/32 is the Win-Student device.
11. In the virtual lab applet, connect to the Win-Remote device.
12. Open a web browser window and this time connect to the FortiAnalyzer GUI:
https://10.200.1.210
The IP address specified in the URL here is not the same as the one used previously because
now the FortiAnalyzer is being accessed from a device that is in a different part of the network
(see Network topology). As such, we are now connecting to the port3 interface of the
FortiAnalyzer device.
13. Log in as the networkadmin user:
• User Name: networkadmin
• Password: fortinet
A "You are not allowed to login!" message appears. This is because you restricted the
networkadmin user to logins from 10.0.1.10/32. If you refer to the network topology (see
Network topology), the IPv4 address of the Win-Remote device is 10.0.2.10, which is not a trusted
host.

14. Switch back to the Win-Student device and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
15. Complete the following and then click OK once complete:
a) Click System Settings > Admin > Administrator and select the networkadmin user.
b) Click Trusted Hosts to expand the section.
c) In the Trusted IPv4 Host 1 field, set the trusted host to: 0.0.0.0/0.0.0.0. This allows the
administrative user to log in from any IP and subnet.
16. Next, switch back to Win-Remote and attempt to log in to the Web-based manager again as the
networkadmin user:
  • User Name: networkadmin
  • Password: fortinet
This time, you should gain access, as Win-Remote is now a trusted host.
Note the alert in the Alert Message Console widget from when you attempted to log in with the
networkadmin user when the host was not trusted.
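The trusted host decision you just observed can be reproduced offline. The Python below is an added example, not Fortinet code: it evaluates a source IP against FortiAnalyzer-style trusted host entries (0.0.0.0/0.0.0.0 for any host, 10.0.1.10/32 for Win-Student) and flags accounts still left at the wide-open default; the alert wording and the admin inventory are constructed for illustration.

```python
from __future__ import annotations

import ipaddress

# Constructed to mirror the lab: FortiAnalyzer accepts trusted host entries as
# "address/netmask" (0.0.0.0/0.0.0.0 = any host) or "address/prefix" (10.0.1.10/32).
ANY_HOST = "0.0.0.0/0.0.0.0"


def parse_trusted_host(entry: str) -> ipaddress.IPv4Network:
    """Convert a trusted host entry into an IPv4Network.

    Both dotted-netmask and CIDR prefix forms are accepted; a bare address is
    treated as a single host (/32). strict=False tolerates host bits being set.
    """
    addr, _, mask = entry.strip().partition("/")
    return ipaddress.IPv4Network(f"{addr}/{mask or '32'}", strict=False)


def is_trusted(source_ip: str, trusted_hosts: list[str]) -> bool:
    """True when source_ip falls inside any configured trusted host entry."""
    ip = ipaddress.IPv4Address(source_ip)
    return any(ip in parse_trusted_host(entry) for entry in trusted_hosts)


def check_login(user: str, source_ip: str, trusted_hosts: list[str]) -> dict:
    """Model the GUI decision: allowed, or the "You are not allowed to login!" refusal.

    A refused attempt also yields an alert line, mirroring the entry the lab says
    appears in the Alert Message Console widget (the wording here is constructed).
    """
    if is_trusted(source_ip, trusted_hosts):
        return {"user": user, "source": source_ip, "allowed": True, "alert": None}
    return {
        "user": user,
        "source": source_ip,
        "allowed": False,
        "alert": f"login refused: {user} from {source_ip} is not a trusted host",
    }


def unrestricted_admins(admins: dict[str, list[str]]) -> list[str]:
    """Audit helper: administrators whose trusted hosts still allow any source.

    An entry with prefix length 0 (0.0.0.0/0.0.0.0, the default) matches every IP.
    """
    return sorted(
        name
        for name, hosts in admins.items()
        if any(parse_trusted_host(h).prefixlen == 0 for h in hosts)
    )


if __name__ == "__main__":
    # Constructed inventory based on the lab: admin left at the default,
    # networkadmin restricted to Win-Student (10.0.1.10/32).
    admins = {"admin": [ANY_HOST], "networkadmin": ["10.0.1.10/32"]}
    # Win-Remote (10.0.2.10) is refused, Win-Student (10.0.1.10) is accepted.
    print(check_login("networkadmin", "10.0.2.10", admins["networkadmin"]))
    print(check_login("networkadmin", "10.0.1.10", admins["networkadmin"]))
    print("still open to any source:", unrestricted_admins(admins))
```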

Exercise 4: Enabling administrative domains (ADOMs)

Administrative domains (ADOMs) allow you to group devices for administrators to monitor and
manage. For example, administrators can maintain managed devices specific to their geographic
location or business division.
Not only does this make device management more effective, as administrators need only worry about
devices in their ADOM, but it also makes the network more secure, as administrators are restricted to
only those devices to which they should have access. The security risk increases as you open up and
expose more of your network.
Administrators who have the Super_User profile have full access to all ADOMs, whereas
administrators with any other profile only have access to those which they are assigned—this can be
one or more.
ADOMs are not enabled by default and enabling and configuring the domains can only be performed
by the admin administrator.
In this lab, you will enable ADOMs on FortiAnalyzer.

To enable administrative domains


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. Go to System Settings > Dashboard.
3. Locate the System Information widget and from the Administrative Domain field, click Enable.

A pop up message appears confirming whether to enable ADOMs.

4. Click OK to confirm.
You are automatically logged out of the FortiAnalyzer Web-based manager.
5. Log back into the FortiAnalyzer Web-based manager as admin.
Note that an ADOM drop-down menu appears in the top left corner of the interface. By default,
only the root ADOM exists. The root ADOM is for FortiGate devices only and cannot be deleted.

6. Optionally, you can also confirm ADOMs are enabled by clicking System Settings > Dashboard and
viewing the System Information widget > Administrative Domain field.

You successfully enabled ADOMs. In the next lab, you will assign ADOMs to administrative users.

Lab 3: Device management
To FortiAnalyzer, there are only two types of external devices: those that are registered and those that
are unregistered. A registered device is one that has been authorized to store logs on FortiAnalyzer,
whereas an unregistered device is one that is requesting to store logs on FortiAnalyzer.
In this lab, you will register both the Student FortiGate and Remote FortiGate with FortiAnalyzer, so
you can start collecting logs from those devices on FortiAnalyzer.
As discussed in the Device Registration lesson, there are two methods you can use to register
supported devices:
• Method one: Request from a supported device
• Method two: FortiAnalyzer device registration wizard
In this lab, you will use both methods to register the devices with FortiAnalyzer.
Once registered, you will secure communication between the Student FortiGate and FortiAnalyzer by
configuring an IPSec tunnel. Securing communications is extremely important if sending traffic over an
unsecured network like the internet.
Finally, you will create administrative domains (ADOMs) and add the FortiGate devices to them. You
will also create new administrative users and assign those users to specific ADOMs.

Lab objectives
• Exercise 1: Request registration from a supported device
• Exercise 2: Register a device through the device registration wizard
• Exercise 3: Configure IPSec communications
• Exercise 4: Create administrative domains (ADOMs)

Time to complete
Estimated: 45 minutes

Prerequisites for lab


Before you begin this lab, please complete the following task.

Backing up your FortiAnalyzer


Any time you intend to alter the configuration of a network device, best practice is to always make a
backup of the configuration. This way, if there is any sort of mistake, or critical failure, the device can
be brought back to a known state with minimal effort.
As such, before you start this lab, please back up your FortiAnalyzer.
See To back up the device configuration from the Web-based manager for more information.

Remember to modify the name of the file so you can identify the backup more
easily as belonging to this lab.

Exercise 1: Requesting registration from a supported
device

In this exercise, you will register a supported device, in this case, the Remote FortiGate, with
FortiAnalyzer so you can begin collecting logs from the device.
Once the registration request is made from the Remote FortiGate, you must accept the request from
FortiAnalyzer to officially register the device.
This exercise includes the following procedures:
• To send a device registration request to FortiAnalyzer
• To accept the registration request on FortiAnalyzer

To send a device registration request to FortiAnalyzer


1. From the Win-Student VM, open a browser and log in as admin to the Remote FortiGate Web-
based manager at 10.200.3.1.
2. Click Log & Report > Log Config > Log Settings
The Log Settings page appears.

3. From the Logging and Archiving section, complete the following:


a) Enable Send Logs to FortiAnalyzer/FortiManager and in the accompanying IP Address field,
type:

10.200.1.210
This is the IP address the Remote FortiGate uses to communicate with the FortiAnalyzer over port3.
See Network topology for more information.
b) Deselect Enable Local Reports.
You'll notice that as soon as you enable Send Logs to FortiAnalyzer/FortiManager, an
exclamation point icon appears beside this field. For performance purposes, it is recommended
that you disable local reporting when using a remote logging service such as FortiAnalyzer.
c) Under Upload Option, select Realtime.

Remember that you don’t always have to send logs in real-time—you have the option to send logs
at a scheduled time (such as a low bandwidth time) on FortiGate models that have a hard drive—
but this is the most immediate way to see whether logs are being received successfully.
d) Click Apply.
e) Click Test Connectivity.
The Error dialog box appears

This is not an error in the true sense. It cannot retrieve the status because the FortiAnalyzer
administrator has not yet accepted the request to register—they are not yet connected. At this
stage, the FortiGate is an unregistered device. Only a request to register has been made.
4. Continue to the next procedure so you can see the request for registration and accept it.

Do not log out of the Remote FortiGate, as you can retry testing the connection once
FortiAnalyzer accepts the registration request.

To accept the registration request on FortiAnalyzer


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. Select the Device Manager tab.
Under the Device & Group left menu, a new device appears in the list as Unregistered
Devices(1).

3. Select the device in the main window and click Add. Alternatively, you can right-click
Unregistered Devices(1) in the left tree menu and click Add Device.
The Add Device dialog box appears.


4. In the Assign New Device Name field:


a) Ensure root is selected from the ADOM drop-down menu.
This is the default ADOM for FortiGate devices.
b) In the Assign New Device Name field, modify the name of the device to Remote-FortiGate.
The device name is a friendly name for FortiAnalyzer. It does not modify the device name on the
FortiGate device itself.
5. Click OK to add the device.
A dialog box with a progress bar appears. Once complete, the Remote-FortiGate device is added
to the All FortiGates list in the left tree menu. If this does not occur, refresh the browser tab or log
out and back in.

6. To retry the connection from the Remote FortiGate now that FortiAnalyzer has accepted the
registration request, switch back to the Remote FortiGate Web-based manager and under Log &
Report > Log Config > Log Settings, click Test Connectivity.
The FortiAnalyzer/FortiManager Connection Summary dialog box appears.

The green check mark in the Connection Status column indicates the device has successfully
registered with FortiAnalyzer. You can also see the disk space and log privileges for the
FortiGate Remote device.

As discussed in the training, you can configure the disk log quota and device permissions for all
registered devices. This is done on FortiAnalyzer by right-clicking the device on the Device
Manager tab and selecting Edit from the drop-down menu. While we are not changing any device
logging settings in this lab, feel free to view the settings you can change.
7. Click Close to close the dialog box.

Exercise 2: Register a device through the device
registration wizard

In this exercise, you will register a supported device, in this case, the Student FortiGate, through the
FortiAnalyzer device registration wizard.
As mentioned in the Device registration lesson, with this registration method it is the FortiAnalyzer
administrator that proactively initiates, and ultimately performs, the registration. In order to use the
wizard, however, the administrator must have specific details about the device that is to be registered.
This includes the following:
• IP address of the device
• User name and password for the device
• Device type
• Device model
• Firmware version
• License / VM license
• Serial number
As you are registering the Student FortiGate, you can obtain much of this information from the
System > Dashboard > System Information widget.

Student FortiGate System Information widget

However, for the sake of simplicity, we will provide you with all the required device information
within the procedure.
Once the device has been successfully registered through the wizard, you must ensure the Student
FortiGate is configured to send logs to FortiAnalyzer. Otherwise, even though the device is
registered, no logs will be sent.

This exercise includes the following procedures:
• To register a device through the FortiAnalyzer device registration wizard
• To configure the registered device to send logs to FortiAnalyzer

To register a device through the FortiAnalyzer device registration wizard


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. Select the Device Manager tab.
The Device Manager screen appears.

3. Ensure root is selected in the ADOM drop-down list, and click Add Device from the toolbar.
The wizard launches at the Login screen.

4. From the Login screen, add the following details for the Student FortiGate device and click
Next:
a) In the IP Address field, type 10.0.1.254. See Network topology for more information.
b) In the User Name field, type admin. This is the admin account that has the Super_User
profile for the Student FortiGate.
c) Leave the Password field blank.

The Add Device screen appears.

5. Add the following information about the Student FortiGate and click Next.

This information is available from the System Information widget of the Student FortiGate.

• Name: Student-FortiGate
• Device Model: FortiGate-VM64
• Firmware Version: 5.2
• VM License Type: FGVMEV
• SN: Return to your Student FortiGate dashboard and copy the serial number from the System
Information widget.
The Add Device screen refreshes and provides the status. If all the information is entered
correctly, you should see all green check marks and a Device created successfully status.


6. Click Next.
The Summary screen appears.

7. Click Finish.
You successfully registered the Student FortiGate through the FortiAnalyzer device registration
wizard.

Note that the Student FortiGate appears with a red circle in the Logs column. This indicates the
FortiAnalyzer has not received any logs recently, even though the device registration was
successful. As mentioned in the training, if the device registration is brokered on the FortiAnalyzer
side, as is the case with the device registration wizard, you must ensure that the registered device
itself is configured to send logs. This adds additional security to the connection process.
8. Continue to the next procedure to ensure the Student FortiGate device sends logs to
FortiAnalyzer.

To configure the registered device to send logs to FortiAnalyzer


1. From the Win-Student VM, open a browser and log in as admin to the Student FortiGate Web-
based manager at 10.0.1.254.
2. Click Log & Report > Log Config > Log Settings
The Log Settings page appears.

3. From the Logging and Archiving section, complete the following:


a) Enable Send Logs to FortiAnalyzer/FortiManager and in the accompanying IP Address field,
type:

10.0.1.210
This is the IP address the Student FortiGate uses to communicate with FortiAnalyzer over port1. See
Network topology for more information.
b) Deselect Enable Local Reports.
You'll notice that as soon as you enable Send Logs to FortiAnalyzer/FortiManager, an
exclamation point icon appears beside this field. For performance purposes, it is recommended
that you disable local reporting when using a remote logging service such as FortiAnalyzer.
c) Under Upload Option, select Realtime.

Remember that you don’t always have to send logs in real-time—you have the option to send logs
at a scheduled time (such as a low bandwidth time) on FortiGate models that have a hard drive—
but this is the most immediate way to see whether logs are being received successfully.
d) Click Apply to save your configuration.
e) Click Test Connectivity.
The FortiAnalyzer/FortiManager Connection Summary dialog box appears. Note that this time
you don't receive the Error dialog. This is because the Student FortiGate is already a registered
device by way of the device registration wizard.

4. To see whether the FortiAnalyzer is now receiving logs from the Student FortiGate, switch back to
the FortiAnalyzer Web-based manager and click the Device Manager tab.
The Student FortiGate now has a green circle in the Logs column indicating logs have recently
been received.

Exercise 3: Configuring IPSec communication

In this exercise, you will configure the Student FortiGate device to use an IPSec tunnel in order to
transmit log data securely to FortiAnalyzer.
SSL is the default setting for securing communication between FortiGate and FortiAnalyzer. IPSec,
however, adds a higher level of security. It also requires more configuration than SSL, because it
must be configured on both ends of the tunnel: FortiAnalyzer and FortiGate.
On the FortiAnalyzer side, you must set up an IPSec tunnel ID and password. On the Student
FortiGate side, the ID and password is added to the configuration. This completes the IPSec tunnel
configuration.
When a secure connection has been configured between two devices, log traffic is sent over UDP port
500/4500, protocol IP/50.
Note: As mentioned in the training, both IPSec and SSL cannot be enabled simultaneously. Since
SSL is enabled by default, you must disable SSL on the Student FortiGate prior to enabling IPSec.
The exercise includes the following procedures:
• To configure IPSec on the FortiAnalyzer side
• To configure IPSec on the Student FortiGate side

To configure IPSec on the FortiAnalyzer side


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. Select the Device Manager tab.
The Device Manager page appears. Note that the Student FortiGate device has a grey x in the
Secure Connection column. This indicates that the IPSec tunnel is disabled.

3. From the main window, right-click the Student-FortiGate device and select Edit from the pop-
up menu.
The Edit Device Student-FortiGate dialog box appears.

4. Scroll to the bottom of the dialog box and complete the following:
a) Enable Secure Connection.
b) In the ID field, type ipsectunnel. This is the case-sensitive name that identifies your IPSec
tunnel. Remember this ID, as you need it to configure IPSec on the Student FortiGate side in the
next procedure.
c) In the Pre-Shared Key field, type fortinet. This is the case-sensitive password for the IPSec
tunnel. Remember this password, as you need it to configure IPSec on the Student FortiGate side
in the next procedure.
d) Click OK.
You successfully enabled the FortiAnalyzer side of the IPSec tunnel.
Note that the grey x in the Secure Connection column has now turned into a red down arrow.
This indicates that the IPSec tunnel is down. This is because only one end of the tunnel is
configured: the FortiAnalyzer side.

5. Continue to the next procedure to configure the ID and password on the Student FortiGate and
complete the IPSec tunnel.

To configure IPSec on the Student FortiGate side


1. From the Win-Student VM, open a browser and log in as admin to the Student FortiGate Web-
based manager at 10.0.1.254.
2. Go to System > Dashboard and click inside the CLI Console widget.

You are logged in to the CLI Console widget.

3. Enter the following commands to first disable SSL--the default communication method--as an
IPsec tunnel cannot be established on the Student FortiGate until SSL is disabled:

    config log fortianalyzer setting
        set enc-algorithm disable
    end

4. Enter the following commands to enable IPSec:

    config log fortianalyzer setting
        set encrypt enable
        set server <fortianalyzer_ip>
        set localid <ID_of_IPSec_tunnel>
        set psksecret <preshared_IPSec_tunnel_key>
    end
where:
• <fortianalyzer_ip> is the IP of the FortiAnalyzer with which you are securing
communication over an IPSec tunnel. In this lab environment, it is 10.0.1.210. See Network
topology for more information.
• <ID_of_IPSec_tunnel> is the ID, or name, given to the IPSec tunnel. In this lab, the IPSec
tunnel ID is ipsectunnel.
• <preshared_IPSec_tunnel_key> is the pre-shared key for the IPSec tunnel. In this lab, the
IPSec tunnel password is fortinet.

You successfully enabled IPSec on the Student FortiGate side of the tunnel. The IPSec tunnel
connection is now complete.
5. To confirm the tunnel is up, go to VPN > Monitor > IPSec Monitor.
A VPN called FGh_FtiLog1 appears in the main window with a green up arrow in the Status
column. This is created automatically when you configure a FortiGate to communicate to a
FortiAnalyzer with an IPSec tunnel and confirms the tunnel is established.

6. Optionally, to confirm the IPSec tunnel is up on the FortiAnalyzer, switch back to the FortiAnalyzer
Web-based manager and click the Device Manager tab (to refresh the page).
There is now a green up arrow in the Secure Connection column of the Student FortiGate
device. This also indicates the IPSec tunnel is established.
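The SSL/IPSec exclusion noted in this exercise and the settings entered in steps 3 and 4 can be checked against a FortiGate configuration backup like the one the lab prerequisites have you take. The Python below is an added example, not Fortinet code: it extracts the config log fortianalyzer setting block from configuration text and applies only the rules this exercise states; the sample configuration excerpts (including the hostname line and the "broken" variant) are constructed for illustration.

```python
from __future__ import annotations

import shlex

# The FortiOS block this lab edits from the CLI Console widget.
TARGET_BLOCK = "log fortianalyzer setting"


def parse_config_block(config_text: str, block: str = TARGET_BLOCK) -> dict[str, str]:
    """Collect the 'set key value' pairs inside one 'config <block> ... end' section.

    A stack of open 'config' sections is kept so that 'end' lines belonging to
    other sections do not confuse the scan. Values keep their textual form.
    """
    settings: dict[str, str] = {}
    stack: list[str] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "end" and stack:
            stack.pop()
        elif words[0] == "set" and len(words) >= 3 and stack and stack[-1] == block:
            settings[words[1]] = " ".join(words[2:])
    return settings


def audit_log_transport(settings: dict[str, str]) -> list[str]:
    """Apply the rules this exercise states to the parsed settings.

    - SSL stays on unless 'enc-algorithm' is 'disable' (SSL is the default).
    - IPsec is on when 'encrypt' is 'enable' and then needs server, localid, psksecret.
    - SSL and IPsec cannot both be enabled at the same time.
    """
    findings: list[str] = []
    ipsec_on = settings.get("encrypt") == "enable"
    ssl_on = settings.get("enc-algorithm") != "disable"
    if ipsec_on and ssl_on:
        findings.append("encrypt enable with SSL still on: set enc-algorithm disable before IPsec")
    if ipsec_on:
        for key in ("server", "localid", "psksecret"):
            if not settings.get(key):
                findings.append(f"encrypt enable but '{key}' is not set; the tunnel cannot come up")
    if not ipsec_on and not ssl_on:
        findings.append("neither SSL nor IPsec is enabled: log traffic to FortiAnalyzer is unprotected")
    return findings


# Constructed excerpt of what the Student FortiGate configuration contains after this
# exercise (a real backup shows psksecret as an ENC blob rather than the clear key).
LAB_CONFIG = """
config system global
    set hostname "Student-FortiGate"
end
config log fortianalyzer setting
    set enc-algorithm disable
    set encrypt enable
    set server "10.0.1.210"
    set localid "ipsectunnel"
    set psksecret "fortinet"
end
"""

# Constructed: step 3 was skipped (SSL still on) and localid was never set.
BROKEN_CONFIG = """
config log fortianalyzer setting
    set encrypt enable
    set server "10.0.1.210"
    set psksecret "fortinet"
end
"""


if __name__ == "__main__":
    for label, text in (("lab", LAB_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, audit_log_transport(parse_config_block(text)) or "OK")
```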

Exercise 4: Creating administrative domains (ADOMs)

In Lab 2, Exercise 4, you enabled administrative domains (ADOMs). This effectively allows you to
organize devices into groups and provide administrative control to those groups.
As mentioned in the Configuration and administration lesson, this makes device management more
effective, as administrators need only monitor and analyze devices in their ADOM(s). It also makes the
network more secure, as administrators are restricted to only those devices to which they should have
access.
How you choose to group your devices depends on your organizational requirements. Geographic
location or business division are common groupings.
In this lab, you will create ADOMs and then assign administrative users (which you must create)
control over one or more ADOMs.
This exercise includes the following procedures:
• To create administrative domains (ADOMs)
• To create administrative users and assign them to one or more ADOMs

To create administrative domains (ADOMs)


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. From the ADOM drop-down menu, select Manage ADOMs.
The Manage ADOMs dialog box appears. Note that both the Remote-FortiGate and the Student-
FortiGate are currently in the root ADOM. This is the default ADOM for FortiGate devices.
However, we can move these devices into a different ADOM, as long as it is based on a FortiGate
ADOM.

3. From the top left corner of the dialog box, click Create New.
The Create ADOM dialog box appears.

4. From the Create ADOM dialog box, complete the following:


a) In the Name field, type ADOM1.
b) In the Device Type and Version fields, ensure the options are FortiGate and 5.2 respectively.
A device can only be added to an ADOM of its own device type. For example, a FortiGate device can
only belong to a FortiGate ADOM, just as a FortiMail device can only belong to a FortiMail ADOM. The
ADOM must also be set to the same firmware version as the device.
c) Select Student-FortiGate from the left pane and click the > icon to move the selection into the
right pane.
d) Click OK.
The Manage ADOMs dialog box refreshes and Student-FortiGate is now assigned to ADOM1.

5. Repeat step 4, but this time, create an ADOM called ADOM2 and add the Remote-FortiGate
device to that ADOM.
The Manage ADOMs dialog box refreshes again and Remote-FortiGate is now assigned to
ADOM2.

6. Click Close.
7. Click the Device Manager tab. You will notice that no devices appear under the root ADOM now.
Now, you must select the ADOM from the ADOM drop-down list in the toolbar to view device
information. The Device Manager, FortiView, Event Management, and Reports tabs display per
ADOM. Administrators with the Super_User profile have access to all ADOMs.

8. Continue to To create administrative users and assign them to one or more ADOMs to create
three new administrative users. You will assign these users to one or more of the ADOMs you just
created.

To create administrative users and assign them to one or more ADOMs


1. Go to System Settings > Admin > Administrator and click Create New.
The New Administrator page appears.

2. From the New Administrator page, complete the following and click OK:
a) In the User Name field, type User1.
b) In the New Password field, type fortinet.
c) Repeat the password in the Confirm Password field.
d) From the Admin Profile drop-down list, select Standard_User.
e) From Administrative Domain, select Specify and select ADOM1.

The user name and password are both case sensitive.

You successfully created an administrative user called User1 and assigned the ADOM1
administrative domain.
3. Repeat this procedure to create the following two administrative users and assign the following
ADOM(s).

User Name   New Password / Confirm Password   Admin Profile   Administrative Domain
User2       fortinet / fortinet               Standard_User   Specify > ADOM2
User3       fortinet / fortinet               Standard_User   Specify > ADOM1, ADOM2

You successfully created three new administrative users and assigned them to ADOMs.

4. Optionally, try logging in to the FortiAnalyzer Web-based manager with each of these
administrative users to see what each can access.

User Name   New Password   ADOM
User1       fortinet       ADOM1
User2       fortinet       ADOM2
User3       fortinet       ADOM1, ADOM2

Lab 4: Logs and alerts
Now that you have registered the Student FortiGate and Remote FortiGate with FortiAnalyzer, the logs
of those devices are being collected by FortiAnalyzer.
In this lab, you will create some security profiles and generate traffic on the FortiGate devices. This will
give you the opportunity to examine the log information regarding these events.
In addition, you will also download a log file (knowing how to protect your log data through backups is
important) as well as configure a notification alert to advise the administrator of specific events
happening on the network.
Finally, you will configure FortiGate to send content archive data (Data Leak Prevention) and view the
summary archive log files on FortiAnalyzer.

Lab objectives
• Exercise 1: Generate logs
• Exercise 2: Examine logs
• Exercise 3: Download a log file
• Exercise 4: Configure an event handler and notification alert
• Exercise 5: Configure FortiGate to send content archive data (Data Leak Prevention)

Time to complete
Estimated: 60 minutes

Prerequisites for lab


Before you begin this lab, please complete the following tasks.

Backing up your FortiAnalyzer


Any time you intend to alter the configuration of a network device, best practice is to always make a
backup of the configuration. This way, if there is any sort of mistake, or critical failure, the device
can be brought back to a known state with minimal effort.
As such, before you start this lab, please back up your FortiAnalyzer.
See To back up the device configuration from the Web-based manager for more information.

Remember to modify the name of the file so you can identify the backup more
easily as belonging to this lab.

Backing up your FortiGates


For the same reason as mentioned in Backing up your FortiAnalyzer, you may wish to back up your
FortiGate devices now.
The backup process is similar to the FortiAnalyzer:
1. From the Win-Student desktop, log in as admin to either the Student FortiGate (10.0.1.254)
and/or Remote FortiGate (10.200.3.1) Web-based manager.
2. Go to System > Dashboard.
3. From the System Information widget, click Backup in the System Configuration field.
4. Backup the configuration to Local PC and do not encrypt the file for the purposes of this lab.
5. Click Backup.
It is highly recommended that you modify the name of the configuration file to identify it as being
created for this lab.

Exercise 1: Generating logs

In this lab, you will create several security profiles, modify the firewall policy to enable those security
profiles, and then test those security profiles by generating some traffic. This will confirm that log
information is being forwarded to FortiAnalyzer in real-time and is triggering events that will generate
logs.
The goal of this exercise is to see and examine the logs that are generated when traffic passes
through your firewall. Your logs provide vital information about your network and users, so it is
important that you can see what is contained in each log, so that, in the future, your forensic analysis
is easier.
This exercise includes the following sections:
• Creating and testing Web Filter and Proxy Options profiles
• Creating and testing an AntiVirus profile
• Creating and testing an Application Sensor profile

Creating and testing Web Filter and Proxy Options profiles

In this exercise, you will create a Web Filter profile and set proxy options on the Student FortiGate.
You must then modify the firewall policy to enable your new Web Filter profile and proxy setting.
Finally, you will generate traffic through your firewall and examine the logs that result.
This exercise includes the following procedures:
• To enable web filtering through FortiGuard
• To create a web filter profile
• To set proxy options
• To modify the firewall policy for Web Filter and Proxy Options
• To test the web filter profile

To enable web filtering through FortiGuard


1. From the Win-Student VM, open a browser and log in as admin to the Student FortiGate Web-
based manager at 10.0.1.254.
2. Click System > Config > FortiGuard.
3. Scroll down to the bottom of the page and expand Web Filtering and Email Filtering
Options.
4. Click Test Availability. After a few minutes, the screen should refresh and web filtering is
enabled. This allows you to create a web filter profile in the next procedure.

To create a web filter profile
1. Still in the Student FortiGate Web-based manager, click Security Profiles > Web Filter.
The Edit Web Filter Profile page appears.

2. Click the + icon in the upper right corner of the page to create a new default web filter profile.
The New Web Filter Profile page appears.

3. Complete the following on the New Web Filter Profile page:


a) In the Name field, type Category_Monitor.
b) From Inspection Mode, select Proxy.
c) Enable FortiGuard Categories.
d) Right-click Potentially Liable and select Monitor from the menu. Repeat for each FortiGuard
category until all are set to Monitor.
e) Click OK.
4. Continue to the next procedure.

To set proxy options


1. Still in the Student FortiGate Web-based manager, click Policy & Objects > Policy > Proxy Options.
The Edit Proxy Options page appears.


2. Click the + icon in the upper right corner of the page to create a new default proxy option.
The New Proxy Options page appears.

3. From the New Proxy Options page, complete the following:


a) In the Name field, type Inspection_Settings.
b) Click OK.

4. Continue to the next procedure.

To modify the firewall policy for Web Filter and Proxy Options
1. Still in the Student FortiGate Web-based manager, go to Policy & Objects > Policy > IPv4.
2. Under the port3 - port1 firewall policy, select STUDENT_INTERNAL and click Edit from the
toolbar.
The Edit Policy page appears.

3. Under the Security Profiles section, complete the following:


a) Turn on Web Filter and use the Category_Monitor profile.
b) Set Proxy Options to use Inspection_Settings.

4. In the Logging Options section, select All Sessions.


5. Click OK.
You successfully modified the firewall policy for Web Filter and Proxy Options.

To test the web filter profile


1. From the Win-Student desktop, open a web browser and connect to various websites.
Some options include:
• www.yahoo.com
• www.google.com
• www.fortinet.com
• www.cnn.com
• <your favorite sports team>
• <your local online newspaper>
Since you set the Web Filter profile, Category_Monitor, to Monitor, these web sites will generate
Web Filter logs on FortiAnalyzer.
2. To generate multiple URL requests quickly, type the command below at the Windows
command prompt. Here, you use wget to do a spider crawl, which means no content is
downloaded; only the URL is requested. This is enough to trigger the content inspection.

cd Desktop\Resources\FAZ\Lab4
wget -i urls.txt -t 1 -T 1 -w 1 --spider

wget is a free, open source utility for accessing websites. You can use it to quickly
test your web filter settings in order to make sure you do not have any block
messages with critical websites within your infrastructure.

3. While that command is executing (it will take a while to finish), you may wish to watch the logs
being generated in real time on FortiAnalyzer. Otherwise, you can continue to Creating and testing
an AntiVirus profile and view the logs later.
To view the logs in real time, jump to To examine the log files on FortiAnalyzer and complete
steps 1-4.

Creating and testing an AntiVirus profile
In this exercise, you will create an antivirus profile on the Student FortiGate. You must then modify the
firewall policy to enable your new antivirus profile. Finally, you will generate logs to test your new
policy.
This exercise includes the following procedures:
• To create an AntiVirus profile
• To modify the firewall policy for AntiVirus
• To test the AntiVirus profile

To create an AntiVirus profile


1. From the Win-Student VM, open a browser and log in as admin to the Student FortiGate Web-
based manager at 10.0.1.254.
2. Click Security Profiles > AntiVirus.
The Edit AntiVirus Profile page appears.

3. Click the + icon in the upper right corner of the page to create a new default anti-virus profile.
The New AntiVirus Profile page appears.


4. Complete the following from the New AntiVirus Profile page:
a) In the Name field, type Virus_Block.
b) From Inspection Mode, select Proxy.
c) In the table that appears, enable Virus Scan and Block for HTTP traffic.
d) Click OK.
5. Continue to the next procedure.

To modify the firewall policy for AntiVirus


1. Still in the Student FortiGate Web-based manager, go to Policy & Objects > Policy > IPv4.
2. Under the port3 - port1 firewall policy, select STUDENT_INTERNAL and click Edit from the
toolbar.
The Edit Policy page appears.


3. Under the Security Profiles section, turn on AntiVirus and select Virus_Block profile (leave the
current Web Filter and Proxy Option profiles as they are).

4. Click OK.
You successfully modified the firewall policy for AntiVirus.

To test the AntiVirus profile


1. From the Win-Student desktop, open a web browser and access the following web site:
http://eicar.org
2. On the EICAR web page, find and download the Anti Malware Test File.
The download path may appear like this (the website navigation is subject to change):


3. Try downloading eicar.com.txt using the standard protocol, HTTP.


As a result of the AntiVirus profile you created, the download is blocked and a Virus detected
replacement page appears.

Any of the HTTPS downloads of the test virus will pass through undetected with
the current configuration. Unless there is SSL interception and inspection of the
traffic occurring, it is impossible to view the contents of SSL encrypted traffic.

You successfully tested the AntiVirus profile.

Creating and testing an Application Sensor profile


In this exercise, you will create an Application Sensor profile on the Student FortiGate. You must then
modify the firewall policy to enable your new Application Sensor profile. Finally, you will generate logs
to test your new policy.
This exercise includes the following procedures:
• To create an Application Sensor profile
• To modify the firewall policy for the Application Sensor
• To test the Application Sensor profile

To create an Application Sensor profile


1. From the Win-Student VM, open a browser and log in as admin to the Student FortiGate Web-
based manager at 10.0.1.254.
2. Click Security Profiles > Application Control.
The Edit Application Sensor page appears.


3. Click the + icon in the upper right corner of the page to create a new default application control
sensor.
The New Application Sensor page appears.

4. In the Name field, type App_Block.


5. In the Application Overrides section, complete the following:
a) Click Add Signatures.
The Add Signatures dialog box appears.


b) From the Application Name column, select the filter icon.


The Filter <Application Name> dialog box appears.

c) In the Value field, type Dailymotion and click Apply.


The Add Signatures dialog box reappears, filtering on applications that include Dailymotion.

d) From the Application Name column, select Dailymotion (close the pop up dialog boxes
that appear) and click Use Selected Signatures.
The application signatures appear in the Application Overrides table.

e) Ensure Block is selected in the Action column.
6. In the Options section, make sure Replacement Messages for HTTP-based Applications is
enabled.
Application control can provide feedback to the user with a block replacement message. It is
also worth mentioning that, if deep inspection is enabled, HTTPS-based applications will also
show this replacement message.

7. Click OK.
You successfully created an Application Sensor profile.
8. Continue to the next procedure.

To modify the firewall policy for the Application Sensor


1. Still in the Student FortiGate Web-based manager, go to Policy & Objects > Policy > IPv4.
2. Under the port3 - port1 firewall policy, select STUDENT_INTERNAL and click Edit from the
toolbar.
The Edit Policy page appears.

3. Under the Security Profiles section, enable Application Control and select App_Block.
Leave all the currently enabled security profiles as they are.


4. Click OK.
You successfully modified the firewall policy for Application Control.

To test the Application Sensor profile


1. From the Win-Student desktop, open a web browser and access the following web site:
http://www.dailymotion.com
2. A block replacement page will appear.
You successfully tested the Application Sensor profile.

Exercise 2: Examining logs

In this exercise, you will examine the logs from the traffic you generated against the security profiles.

To examine the log files on FortiAnalyzer


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. From the ADOM drop-down menu, select ADOM1.
In the Lab 3, Exercise 4 procedure, To create administrative domains (ADOMs), we added the
FortiGate-Student device to ADOM1. This is the device the traffic was generated through, and
therefore the device the logs originated from.
Remember that when ADOMs are enabled, the Device Manager, FortiView, Event
Management, and Reports tabs display per ADOM.
3. Click FortiView and from the left menu, select Log View.
The Log View page appears.

4. From the search toolbar:


a) Select Student-FortiGate from the Device drop-down list.
Because only one device is added to ADOM1 (Student-FortiGate), the option All Devices would
only supply logs from the Student-FortiGate as well. However, if you did have multiple devices in
an ADOM, All Devices would supply logs from all devices assigned to that specific ADOM.
b) Select a time period from the drop-down list beside it. Ensure that, at minimum, the time period
encapsulates when you generated traffic in Exercise 2 (for example, Last 1 hour).
IF YOU JUMPED TO THIS PROCEDURE TO VIEW YOUR WEB FILTER LOGS IN REAL-
TIME, YOU DO NOT NEED TO SELECT A TIME PERIOD. SELECT Tools > Real-time Log
and view your web filter logs as they drop in. Otherwise, please ignore.
c) Click GO.
5. In the left menu under Log View, select Security and locate the AntiVirus, Web Filter, and
Application Control logs. Scan the events that were generated.


6. You can click any log entry and view the details of the event in the frame at the bottom of the
page. You may need to expand Display Details.

By default, logs do not show up in real time. They must be processed and added
to the database. If your FortiAnalyzer is busy or has lots of devices sending logs,
this can result in a delay before the logs become viewable.

7. To customize the log columns, right-click any column and select/deselect columns from the
pop-up menu. A green checkmark indicates the column is currently visible.


If you are searching the logs with a purpose in mind, it is a good idea to set up the
columns to only show you the specific data for which you are looking.

8. To view real-time logs or display raw logs, click the Tools menu and make the appropriate
selection.

9. From the left menu under Log View, click Traffic to view all traffic logs.


10. In the search field, set up a filter to search on Source IP using the address 1.2.3.4.
Because FortiAnalyzer uses an SQL query to search the database, the search should be entered as:

srcip=1.2.3.4
If you click the down arrow at the end of the search field, the available filters appear in the drop-down
list. You can select a filter and it will be translated into the proper SQL query (for example, Source IP
becomes srcip=). If you do not know which filter to use, you can look at the log in raw format
(Tools > Display Raw) to find out what the field name is.

This will result in no records found being displayed. Remove this search filter by clicking X at the
end of the search field.
11. Right-click any column heading and select More Columns.

The Column Settings dialog box appears.

12. Locate and select Host Name and click OK.


The Host Name column is now added as the last column in the logs table. You can reorder the
columns by dragging and dropping the column. While each log type has a default set of columns,
you can modify them based on your requirements.
13. In the search field, type facebook.
The Host Name column displays all logs that include "facebook" in the host name.

This just gives you an idea of the various filters you can use when searching logs. Feel free to
continue looking at the logs, performing searches, and setting filters.
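The raw key=value log format and the search-field filters walked through in this exercise, as an added example that is not part of the student guide: a small parser for FortiGate raw log lines plus a matcher for Log View filters such as srcip=1.2.3.4 and free-text host name searches. The sample log lines are constructed, devid is a placeholder, free text is assumed to match any field, and the != and ~ (contains) operators are assumed extensions beyond the srcip= filter the lab shows.

```python
"""Parse FortiGate raw logs and apply FortiAnalyzer-style Log View filters.
Added example, not code from the FortiAnalyzer student guide. Sample logs are
constructed and devid is a placeholder; != and ~ (contains) are assumed
extensions beyond the srcip= filter used in the lab."""
import re
from typing import Dict, List

Log = Dict[str, str]

# One key=value pair; values containing spaces are double-quoted in raw logs.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# A field filter: name, operator (=, != or ~), value.
_FILTER_RE = re.compile(r'^\s*(\w+)\s*(!=|~|=)\s*(.*?)\s*$')

# Constructed sample raw logs (not captured from a real device).
SAMPLE_RAW_LOGS = [
    'date=2016-06-01 time=10:15:32 devname=Student-FortiGate devid=FG-PLACEHOLDER '
    'type=utm subtype=webfilter level=notice srcip=10.0.1.10 dstip=203.0.113.10 '
    'dstport=80 hostname="www.facebook.com" url="/" action=passthrough '
    'catdesc="Social Networking"',
    'date=2016-06-01 time=10:16:01 devname=Student-FortiGate devid=FG-PLACEHOLDER '
    'type=traffic subtype=forward level=notice srcip=10.0.1.10 srcport=51234 '
    'dstip=203.0.113.20 dstport=443 hostname="www.google.com" action=accept '
    'policyid=1 sentbyte=1420 rcvdbyte=9876',
    'date=2016-06-01 time=10:17:45 devname=Student-FortiGate devid=FG-PLACEHOLDER '
    'type=utm subtype=app-ctrl level=warning srcip=10.0.1.10 dstip=203.0.113.30 '
    'dstport=80 hostname="www.dailymotion.com" app=Dailymotion appcat="Video/Audio" '
    'action=block msg="Video/Audio: Dailymotion"',
    'date=2016-06-01 time=10:18:10 devname=Student-FortiGate devid=FG-PLACEHOLDER '
    'type=utm subtype=virus level=warning srcip=10.0.1.11 dstip=203.0.113.40 '
    'dstport=80 hostname="www.eicar.org" filename="eicar.com.txt" '
    'virus="EICAR_TEST_FILE" action=blocked msg="File is infected."',
]


def parse_raw_log(line: str) -> Log:
    """Turn one raw log line into a dict, stripping quotes from quoted values."""
    log: Log = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        log[key] = value
    return log


def matches(log: Log, filter_text: str) -> bool:
    """Apply one search-field filter to a parsed log.

    field=value, field!=value and field~value test a single field (what the
    drop-down translates "Source IP" into); any other text is matched as a
    substring of every field, like typing "facebook" into the search field.
    """
    m = _FILTER_RE.match(filter_text)
    if m is None:
        needle = filter_text.strip().lower()
        return any(needle in v.lower() for v in log.values())
    name, op, value = m.groups()
    value = value.strip('"')
    actual = log.get(name)
    if actual is None:
        return False  # field absent from this log type, so nothing to compare
    if op == "=":
        return actual == value
    if op == "!=":
        return actual != value
    return value.lower() in actual.lower()  # op == "~": contains


def search_logs(raw_logs: List[str], filter_text: str) -> List[Log]:
    """Parse every raw line and keep the ones matching the filter."""
    return [log for log in map(parse_raw_log, raw_logs) if matches(log, filter_text)]


def field_names(raw_logs: List[str]) -> List[str]:
    """Field names present in the logs, the way Tools > Display Raw reveals them."""
    names = set()
    for log in map(parse_raw_log, raw_logs):
        names.update(log)
    return sorted(names)


if __name__ == "__main__":
    print(search_logs(SAMPLE_RAW_LOGS, "srcip=1.2.3.4"))  # [] -> "no records found"
    for log in search_logs(SAMPLE_RAW_LOGS, "facebook"):
        print(log["date"], log["time"], log["srcip"], log["hostname"])
```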

Exercise 3: Downloading a log file

Not every FortiAnalyzer is capable of doing disk RAID, so you need to take steps to protect your log
data. Even on the large FortiAnalyzers it’s more likely that your log data is vitally important, so you
must take every reasonable precaution to ensure your data is protected.
In this exercise, you will download a log file from the Student FortiGate based on log type (such as
Event log or Traffic log).

To download a log file


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. From the ADOM drop-down menu, select ADOM1.
3. Click FortiView > Log View > Log Browse.

Logs are grouped by log type (for example, Event and Traffic), and the list displays all logs of those
types associated with the device.
4. Select any of the log files from the list and click Download and save the file to your Desktop.

Exercise 4: Configuring an event handler and notification alert

FortiAnalyzer allows you to configure event handlers, which are a way of monitoring events on
registered devices as well as the logs associated with those events. You configure event handlers
based on log type and logging filters, and you can configure them per device, for all devices, or for
the local FortiAnalyzer event logs.
When an event occurs that matches a configured event handler, you can view the notification via the
Web-based manager Event Management tab. However, you can also specify other notification
methods such as email.
In this lab, you will create an event handler based on the Application Control log type. You will then
generate some undesirable traffic associated with this log type, which will generate a notification alert.
For the purposes of this lab, we will view the notification through the Event Management tab.
This exercise includes the following procedures:
• To create an event handler
• To trigger an alert

To create an event handler


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. Click Event Management and select ADOM1 from the ADOM drop-down menu.
3. From the left menu, select Event Handler and click Create New.
The Create New Event Handler dialog box appears.

4. In the Name field, type Unwanted traffic detected and click OK.
5. From the Definition tab in the main window, complete the following:
a) From Devices, select All Devices.
b) Ensure Severity is set to Medium.


6. In the Filters section on the Definition tab, complete the following:


a) From the Log Type drop-down list, select Application Control. If a dialog box appears stating
that all filters and events details will reset, click OK.
b) From Log messages that match, select Any of the Following Conditions.
c) From the filter table, complete the following:
• Log Field = Level
• Match Criteria = Greater Than
• Value = Information

d) Click the green + Add Filter to add the following additional filters:
• Log Field = Application Category
• Match Criteria = Equal To
• Value = Video/Audio

• Log Field = Action
• Match Criteria = Equal To
• Value = Block

e) Click Apply.
7. Click the Notification tab in the main window and set it to generate an alert when at least 1 match
occurs over a period of 5 minutes.


The threshold is set to 1 log every 5 minutes. What this means is that the first log
entry to come in will trigger the event immediately. After that, there is a 5 minute
countdown before this alert can be triggered again. This helps prevent the
FortiAnalyzer from sending out alerts too often.
If multiple events occur to trigger this alert within the 5 minute time frame, the next
alert email will contain all of those.

8. Click Apply.
9. Continue to the next procedure.
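The matching and threshold behaviour described in this procedure, as an added example that is not part of the student guide: an event handler that keeps only Application Control logs, applies the lab's three "any of the following" filters, and enforces the 1-match-per-5-minutes threshold by batching later matches into the next alert, as the note above describes. Input logs are constructed dicts using FortiGate field names (subtype, level, appcat, action); the severity ordering used for "Greater Than Information" is assumed to follow the standard syslog order.

```python
"""Event handler with "any of" filters and a 1-match-per-5-minutes threshold.
Added example, not code from the FortiAnalyzer student guide. Sample events are
constructed dicts using FortiGate field names (subtype, level, appcat, action)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

Log = Dict[str, str]
Condition = Callable[[Log], bool]

# FortiGate log levels, least to most severe (assumed syslog ordering), so
# "Level Greater Than Information" means notice and above.
LEVEL_RANK = {"debug": 0, "information": 1, "notice": 2, "warning": 3,
              "error": 4, "critical": 5, "alert": 6, "emergency": 7}


def level_greater_than(threshold: str) -> Condition:
    """Log Field = Level, Match Criteria = Greater Than."""
    return lambda log: LEVEL_RANK.get(log.get("level", ""), -1) > LEVEL_RANK[threshold]


def field_equal_to(name: str, value: str) -> Condition:
    """Log Field = <name>, Match Criteria = Equal To."""
    return lambda log: log.get(name) == value


@dataclass
class Alert:
    handler: str
    triggered_at: datetime
    logs: List[Log]  # every matching log delivered by this alert


@dataclass
class EventHandler:
    name: str
    log_subtype: str                  # FortiGate subtype for the chosen Log Type
    conditions: List[Condition]
    match_any: bool = True            # "Any of the Following Conditions"
    threshold: int = 1                # alert when at least N matches ...
    period: timedelta = timedelta(minutes=5)  # ... occur over this period
    _window_end: Optional[datetime] = None
    _pending: List[Log] = field(default_factory=list)

    def matches(self, log: Log) -> bool:
        if log.get("subtype") != self.log_subtype:  # Log Type is checked first
            return False
        results = [cond(log) for cond in self.conditions]
        return any(results) if self.match_any else all(results)

    def process(self, ts: datetime, log: Log) -> Optional[Alert]:
        """Feed one log in time order; return an Alert when one is generated.
        The first match fires at once and starts the countdown; matches during
        the countdown are held and delivered together with the next alert."""
        if not self.matches(log):
            return None
        self._pending.append(log)
        if self._window_end is not None and ts < self._window_end:
            return None  # inside the countdown: batched for the next alert
        if len(self._pending) < self.threshold:
            return None
        alert = Alert(self.name, ts, list(self._pending))
        self._pending.clear()
        self._window_end = ts + self.period
        return alert


def build_lab_handler() -> EventHandler:
    """The "Unwanted traffic detected" handler as configured in the lab."""
    return EventHandler(
        name="Unwanted traffic detected",
        log_subtype="app-ctrl",  # Log Type = Application Control
        conditions=[level_greater_than("information"),
                    field_equal_to("appcat", "Video/Audio"),
                    field_equal_to("action", "block")])


def run_handler(handler: EventHandler, events: List[tuple]) -> List[Alert]:
    """Replay (timestamp, log) pairs in order and collect the alerts raised."""
    alerts = []
    for ts, log in events:
        alert = handler.process(ts, log)
        if alert is not None:
            alerts.append(alert)
    return alerts


def app_log(level: str, action: str, subtype: str = "app-ctrl") -> Log:
    """Constructed sample log carrying only the fields the handler inspects."""
    return {"subtype": subtype, "level": level, "app": "Dailymotion",
            "appcat": "Video/Audio", "action": action}


T0 = datetime(2016, 6, 1, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed timeline, not captured from a real device
    (T0, app_log("warning", "block")),                                      # alert 1
    (T0 + timedelta(minutes=1), app_log("warning", "block")),               # held
    (T0 + timedelta(minutes=2), app_log("warning", "blocked", "webfilter")),  # wrong Log Type
    (T0 + timedelta(minutes=3), app_log("information", "pass")),            # held: appcat matches
    (T0 + timedelta(minutes=6), app_log("warning", "block")),               # alert 2 with 3 logs
]
```

Replaying SAMPLE_EVENTS through build_lab_handler() with run_handler yields two alerts: one at T0 carrying a single log, and one at T0 plus six minutes carrying the three matches that arrived after the first.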

To trigger an alert
1. From the Win-Student desktop, open a web browser and access the following web site:

http://www.dailymotion.com
This will generate a log entry that matches the Application Control security profile, which will then
trigger the Unwanted traffic detected alert.
2. From the FortiAnalyzer Web-based manager, click Event Management > Events By Handler.
All triggered event handlers appear.

3. Double-click the event to view more information.


4. Right-click the event and select View Details.

5. Once finished, click the blue back arrow in the top right corner, right-click on the event and
select Acknowledge.

This removes the notification, but you can still see acknowledged notifications later by enabling
Show Acknowledged and selecting an appropriate time filter.
You successfully viewed an event notification.

Exercise 5: Configuring FortiGate to send content archive data (Data Leak Prevention)

Data Leak Prevention (DLP) archiving on FortiAnalyzer comes in two forms, summary and full, and
FortiGate can record occurrences of specific types of traffic when they are detected by DLP sensors.
Summary archiving records metadata only, while full archiving records metadata as well as copies of
files or messages.
DLP archiving is not enabled by default.
In this exercise, you will enable DLP archiving on the Student FortiGate. You will need to set up a DLP
Sensor and then configure the conditions that say when it will send data to FortiAnalyzer to be
archived. This means your FortiGate configuration dictates which protocols to archive. For the
purposes of this lab, the HTTP protocol (websites) is used.
Once your DLP Sensor is created, you must then modify the firewall policy to enable your new DLP
sensor. Finally, you will generate traffic through your firewall and examine the DLP logs that result.
The exercise includes the following procedures:
• To enable the DLP security feature on FortiGate
• To create a DLP Sensor
• To modify the firewall policy for the DLP Sensor
• To test the DLP Sensor
• To view the DLP logs in FortiAnalyzer

To enable the DLP security feature on FortiGate


1. From the Win-Student VM, open a browser and log in as admin to the Student FortiGate Web-
based manager at 10.0.1.254.
2. Click System > Dashboard.
3. In the Features widget under the Security Features section, turn on DLP.


4. Click Apply.
You successfully enabled the DLP security feature.
By default, summary archiving is enabled. You must use the CLI to enable full archiving. However,
for the purposes of this exercise, we will be using summary archiving.
5. Continue to the next procedure.

To create a DLP Sensor


1. Still in the Student FortiGate Web-based manager, click Security Profiles > Data Leak
Prevention.
The Edit DLP Sensor page appears.

2. Click the + icon in the upper right corner of the page to create a new default DLP Sensor.
The New DLP Sensor page appears.


3. In the Name field, type Archive_Sites.


4. Click Create New to create two new filter entries that will detect any HTTP traffic passing through
the Firewall policy.
5. From the New Filter dialog box that appears, enter the filter information as provided in the
screenshot below and click OK.

The filter is added to your DLP Sensor.


6. Click Create New to create a second filter and enter the filter information as provided in the
screenshot below and click OK once complete.

The second filter is added to your DLP Sensor.


You successfully created a DLP Sensor.


7. Continue to the next procedure.

To modify the firewall policy for the DLP Sensor


1. Still in the Student FortiGate Web-based manager, go to Policy & Objects > Policy > IPv4.
2. Under the port3 - port1 firewall policy, select STUDENT_INTERNAL and click Edit from the
toolbar.
The Edit Policy page appears.

3. Under the Security Profiles section, turn on DLP Sensor and select the Archive_Sites profile
(leave the other security profiles as they are).

4. Click OK.
You successfully modified the firewall policy for DLP Sensor.

To test the DLP Sensor
1. From the Win-Student desktop, open a web browser and access a couple of websites. For
example:

www.google.com

www.yahoo.com

www.cnn.com

To make sure your browser is not serving pages from its local cache, refresh each
website a couple of times, or clear the browser's cache before visiting the websites.

To view the DLP logs in FortiAnalyzer


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. From the ADOM drop-down menu, select ADOM1.
3. Click FortiView > Log View > Security > Data Leak Prevention.
The Data Leak Prevention logs appear.

4. You can click any log entry and view the details of the event in the frame at the bottom of the
page. You may need to expand Display Details.


5. Click the Archive tab in the lower pane.


This tab appears because you enabled archiving when creating your DLP Sensor.

From the Archive tab, you can click the download icon to download the file.

Lab 5: Reports
One of the key features of FortiAnalyzer is the ability to produce graphical reports based on logged
data from your network. Once configured, reports do all the investigation of your data for you and
provide a quick and detailed analysis of activity on your network. You can then use that information to
better understand your network or improve your network security.
In this lab, you will configure the basic settings of a default report and generate the report on demand.
You will also configure email report notifications to notify, via email, when a report has been
generated.
While FortiAnalyzer does provide preconfigured reports, it also allows you to create your own custom
reports. Accordingly, in this lab you will create a custom report. Since reports are based on charts, and
charts are based on datasets, you will create a custom chart and dataset as well.
Finally, you will modify the default report layout and then export the report from one ADOM and import
it into another ADOM.

Lab objectives
• Exercise 1: Configure the basic settings of a default report
• Exercise 2: Configure email report notifications
• Exercise 3: Create a custom dataset, chart, and report
• Exercise 4: Modify the report layout
• Exercise 5: Export and import a report

Time to complete
Estimated: 50 minutes

Prerequisites for lab


Before you begin this lab, please complete the following tasks.

Backing up your FortiAnalyzer


Any time you intend to alter the configuration of a network device, best practice is to always make a
backup of the configuration. This way, if there is any sort of mistake, or critical failure, the device
can be brought back to a known state with minimal effort.
As such, before you start this lab, please back up your FortiAnalyzer.
See To back up the device configuration from the Web-based manager for more information.

Remember to modify the name of the file so you can identify the backup more
easily as belonging to this lab.

Backing up your FortiGates


For the same reason as mentioned in Backing up your FortiAnalyzer, you may wish to back up your
FortiGate devices now.
The backup process is similar to the FortiAnalyzer:
1. From the Win-Student desktop, log in as admin to the Student FortiGate (10.0.1.254)
and/or Remote FortiGate (10.200.3.1) Web-based manager.
2. Go to System > Dashboard.
3. From the System Information widget, click Backup in the System Configuration field.
4. Back up the configuration to Local PC and do not encrypt the file for the purposes of this lab.
5. Click Backup.
It is highly recommended that you modify the name of the configuration file to identify it as being
created for this lab.

Exercise 1: Configuring the basic settings of a default
report

After logs are collected or uploaded, you can then run a report. FortiAnalyzer provides predefined
reports that can run "as is", but as mentioned in the Reports lesson, there are some basic
configurations that should, at minimum, be reviewed.
These basic configuration options allow you to:
• Specify the time period in which to run the report
• Select which device to run the report on, and
• Select the type of report, whether it’s a single report for all devices, or multiple reports per device
In this exercise, you will perform the basic configuration on a report and then run the report on demand.

To configure the basic settings of a default report


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. From the ADOM drop-down menu, select ADOM1.
3. Click Reports > Reports and select the User Security Analysis report.
The User Security Analysis report configuration options appear in the main window.

4. Select the Configuration tab.


The basic configuration options under the Configuration tab appear.


5. From the Configuration tab, complete the following:


a) From the Time Period drop-down list, select This Week.
b) From Devices, select All Devices.
This is all devices in ADOM1, which is the Student FortiGate.
c) From Type, select Single Report (Group Report).
This specifies that only one report will generate for all devices in the ADOM.
d) Click Apply.
6. Select the View Report tab.
The View Report tab for the report appears.

7. Click Run Report Now.


Once complete, the report appears. You can view the report in HTML or PDF format.

8. Click either HTML or PDF in the Format column to view the report.

Reports may require that certain features are enabled in order to provide useful
data.
For example, the charts in the Client Reputation report are designed to provide
information about the overall behavior of devices when client reputation is
enabled. If you have not enabled client reputation, the charts will be blank.

You successfully configured the basic settings for a predefined report and generated the report
on demand.
The generated report will remain under the View Report tab (unless deleted by selecting the
report and clicking Delete from the toolbar). However, reports that have finished being processed
can also be found by going to Report > Report Calendar.

Exercise 2: Configuring email report notifications

Report notifications allow you to send a report via email and/or upload the report to a server when
generated. This is enabled on a per-report basis—it is not a global setting for all reports.
If you want to enable notification, you must configure an output profile. An output profile determines
where the report should be sent. Reports can be sent to an email address as well as uploaded to a
server. Without an output profile, you cannot enable notification, and the report remains on the local
FortiAnalyzer.
In this exercise, you will configure FortiAnalyzer to send a report via email. Not only do you have to
configure an output profile for emailing report notifications, but you must configure a mail server so
FortiAnalyzer can email reports in the first place.
This exercise includes the following procedures:
• To configure a mail server
• To create an output profile for email report notifications
• To test report notifications

To configure a mail server


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. Go to System Settings > Advanced > Mail Server and click Create New.
The Mail Server Settings dialog box appears.

3. From the Mail Server Settings dialog box, complete the following:
a) In the SMTP Server Name field, type Mail_Server.
b) In the Mail Server field, type 10.200.1.254. This is the Linux server, where a mail server has
been pre-configured. See Network topology for more information.
c) In the SMTP Server Port field, ensure the default 25 is entered.
d) Click OK.
You successfully created a mail server.


4. Continue to the next procedure.

To create an output profile for email report notifications


1. Still in the FortiAnalyzer Web-based manager, click Reports > Advanced > Output Profile.

2. Click Create New.


The Create a New Output Profile dialog box appears.

3. From the Create a New Output Profile dialog box, complete the following:
a) In the Name field, type Email_output_profile.

b) Select Email Generated Reports and enter a subject for the email and some body text for the
email. For example:
• Subject: A report has been generated
• Body: A report has been generated. Please review. -admin
c) Click the green + icon to add a new email recipient and set the following:
• Email server: Mail_Server (10.200.1.254). This is the mail server you configured in To
configure a mail server.
• From: [email protected]
• To: [email protected]
4. Click OK.
You successfully created an output profile that emails notifications, using the mail server you
configured, to the email addresses you specified. Now you can assign that output profile to a
report.
5. Continue to the next procedure.

To test report notifications


1. Still in the FortiAnalyzer Web-based manager, click Reports and select the User Security
Analysis report you configured in To configure the basic settings of a default report.
2. Click the Configuration tab for the report.
You can see the basic configurations you set earlier.
3. Select Enable Notification and from the Output Profile drop-down list, select
Email_output_profile.

Note the green + icon beside the Output Profile drop-down list. It lets you create an output
profile at the time you configure the report. An output profile created this way is available to
other reports, just like one created through Reports > Advanced > Output Profile (as you did in
To create an output profile for email report notifications). However, you may prefer to create
all your output profiles in advance, so that you can simply select the one you need from the
drop-down list when you configure your reports, rather than creating an output profile while you
also configure the report. Either way is acceptable.
4. Click Apply.
5. Select the View Report tab for the report and click Run Report Now.

6. When the report is finished processing, go to your desktop (Win-Student) and launch Mozilla
Thunderbird.
Mozilla Thunderbird has been preconfigured to communicate with the mail server at 10.200.1.254.
When you open it, you will see the report notification.

Exercise 3: Creating a custom dataset, chart, and report

If FortiAnalyzer's preconfigured reports do not fit your needs, you can create a custom report. You can
also create custom charts and custom datasets.
Since a report is based on a chart, and a chart is based on a dataset, in this exercise you will first
create a custom dataset. You will then create a chart based on that dataset, and finally you will create
a custom report based on that chart.
You will then schedule the new report to run at a scheduled time (in the near future) and view the
report once it is complete.

Creating a dataset requires knowledge of Structured Query Language (SQL). For more
information on PostgreSQL, visit POSTGRESQL.COM. There are also many tutorials
available on the Internet.

This exercise includes the following procedures:


• To create a new dataset
• To create a new chart
• To create a new report

To create a new dataset


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. From the ADOM drop-down menu, select ADOM1.
3. Click Reports > Advanced > Dataset.
The preconfigured datasets appear in the main window.

4. Click Create New.


The New Dataset dialog box appears.


5. From the New Dataset dialog box, complete the following:


a) In the Name field, type Top-domains-visited.
b) From the Log Type drop-down list, select Traffic.
c) In the Query field, type the following:

    SELECT root_domain(hostname) as website, count(*) as totalnum,
    dstcountry FROM $log WHERE $filter and hostname is not null GROUP BY
    hostname, dstcountry ORDER BY totalnum desc

This query aims to discover which domains have been visited the most and what destination
countries are associated with these domains. The data is ordered by totalnum in descending
order. You can test the query by selecting the devices and the time period.
6. From Devices, select All Devices.
7. From the Time Period drop-down list, select This Week.
8. Click Test to test the query. If the query is successful, the window below is populated with the
query results.

It may take a few minutes for the output from the query to appear.


If the data is not as you expect, this is the time to modify your dataset and re-test. This is what the
test feature is for.
9. Click OK to save your dataset.
10. Continue to the next procedure.
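The following Python script is an added example; it is not part of the FortiAnalyzer student guide or Fortinet's own code. It replays the Top-domains-visited query against a small constructed traffic-log table in SQLite, so you can see offline the kind of rows the Test button returns. Two things are assumptions: root_domain() is simplified to the last two labels of the hostname (FortiAnalyzer's own function is not modelled here, and multi-label public suffixes such as co.uk are not handled), and the $log and $filter macros are expanded to a table name and an itime range, standing in for the device and time-period selection in the dataset editor. The script also makes one caveat visible before you save the dataset: because the query groups by hostname rather than by root_domain(hostname), www.example.com and mail.example.com produce separate rows that both display as example.com. A second, rolled-up query (added for comparison) groups by the root domain instead, so you can compare the two result sets.

```python
import sqlite3

# The dataset query exactly as typed into the New Dataset dialog box.
DATASET_QUERY = (
    "SELECT root_domain(hostname) as website, count(*) as totalnum, "
    "dstcountry FROM $log WHERE $filter and hostname is not null "
    "GROUP BY hostname, dstcountry ORDER BY totalnum desc"
)

# Variant that groups by the root domain, so hosts under the same domain are
# counted together (added here for comparison; not from the guide).
ROLLED_UP_QUERY = (
    "SELECT root_domain(hostname) as website, count(*) as totalnum, "
    "dstcountry FROM $log WHERE $filter and hostname is not null "
    "GROUP BY root_domain(hostname), dstcountry ORDER BY totalnum desc"
)

# Constructed sample traffic-log rows (itime, hostname, dstcountry); not real data.
SAMPLE_TRAFFIC_LOGS = [
    (1700000000, "www.example.com", "United States"),
    (1700000060, "www.example.com", "United States"),
    (1700000120, "mail.example.com", "United States"),
    (1700000180, "cdn.example.net", "Canada"),
    (1700000240, "cdn.example.net", "Canada"),
    (1700000300, "cdn.example.net", "Canada"),
    (1700000360, "cdn.example.net", "Canada"),
    (1700000420, None, "Germany"),               # no hostname: dropped by the WHERE clause
    (1600000000, "old.example.org", "France"),   # before the time window: dropped by $filter
]

# Start of the constructed "This Week" window used to expand $filter (assumed value).
WINDOW_START = 1700000000


def root_domain(hostname):
    """Simplified stand-in for FortiAnalyzer's root_domain(): keeps the last two labels.
    Assumption: public-suffix handling (e.g. example.co.uk) is not modelled."""
    if hostname is None:
        return None
    labels = hostname.split(".")
    return ".".join(labels[-2:])


def expand_macros(query, table="tlog", window_start=WINDOW_START):
    """Replace the $log and $filter macros the way the dataset editor does when you
    pick devices and a time period (assumed expansion: table name and itime range)."""
    time_filter = "itime >= %d" % window_start
    return query.replace("$log", table).replace("$filter", time_filter)


def run_dataset(query, rows=SAMPLE_TRAFFIC_LOGS, only_show_first=25):
    """Load the sample rows into an in-memory SQLite table and run the expanded query.
    only_show_first mirrors the chart's 'Only Show First' setting (25 in this exercise)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("root_domain", 1, root_domain)
    conn.execute("CREATE TABLE tlog (itime INTEGER, hostname TEXT, dstcountry TEXT)")
    conn.executemany("INSERT INTO tlog VALUES (?, ?, ?)", rows)
    try:
        return conn.execute(expand_macros(query)).fetchall()[:only_show_first]
    finally:
        conn.close()


if __name__ == "__main__":
    print("Per-hostname rows (the guide's query):")
    for website, totalnum, dstcountry in run_dataset(DATASET_QUERY):
        print("  %-14s %3d  %s" % (website, totalnum, dstcountry))
    print("Rolled up by root domain:")
    for website, totalnum, dstcountry in run_dataset(ROLLED_UP_QUERY):
        print("  %-14s %3d  %s" % (website, totalnum, dstcountry))
```

With the constructed rows, the guide's query returns three rows (cdn.example.net with 4 hits, then www.example.com with 2 and mail.example.com with 1, the last two both labelled example.com), while the rolled-up variant returns two. Which form you want depends on whether the report should show individual hosts or whole domains; either way, run Test and read the rows before clicking OK.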

To create a new chart


1. Still in the FortiAnalyzer Web-based manager, click Reports > Chart Library.
The Chart Library appears.

2. Right-click on any chart icon in the main window and select Create New from the pop-up
menu.
The New Chart dialog box appears.


3. From the New Chart dialog box, complete the following:


a) In the Name field, type Top-25-domains-visited.
b) From the Dataset drop-down list, select Top-domains-visited. Note that you can type the
dataset name into the search in the Dataset drop-down list as well.
The columns in the Data Bindings section adjust according to the dataset selected.
c) From the Graph Type drop-down list, select table.
d) From Only Show First, type 25.
4. Click OK.
You successfully created a chart based on the Top-domains-visited dataset.
5. Continue to the next procedure.

To create a new report


1. Still in the FortiAnalyzer Web-based manager, click Reports.
2. Right-click Reports in the left menu and select Create New from the pop-up menu.
The Create New Report dialog box appears.


3. In the Name field, type Top 25 Domains Viewed and click OK.
The Configuration tab for the report appears.

4. From the Configuration tab, complete the following:


a) From the Time Period drop-down list, select This Week.
b) From Devices, select All Devices.
c) From Type, select Single Report (Group Report).
d) Select Enable Schedule to configure the report to run at a scheduled time. This does not affect
your ability to run the report on demand if required.
e) From Generate PDF Report Every, type 1 and select Weeks from the drop-down list.
f) From Start Time, select the current date and a time 5-7 minutes in the future (or
however long it will take you to finish this procedure).
Remember, you must use your FortiAnalyzer system time (you can open a new browser tab and
get the time from the System Settings > System Information widget of FortiAnalyzer).
g) From End Time, select Never.
5. Click Apply.
6. Select the Layout tab for the report.
7. From the Layout toolbar, select the FortiAnalyzer Chart icon.

Mouse over the icons at the top of the page to view the name for that icon.
Besides adding charts, the icons are used in order to format the report and make it
look professional.

The Chart Properties dialog box appears.

8. From the Chart drop-down list, select the chart you created, Top-25-domains-visited, and click
OK. Note that you can type the chart name into the search in the Chart drop-down list as well.
The chart, which is based on the dataset you created, is added to the report's layout.

9. Click the Save icon in the top left corner of the Layout toolbar.
You successfully created a new report, based on the chart you created, which, in turn, is based
on the dataset you created.

10. Go to Reports > Report Calendar. If the report is still pending, a clock icon appears beside the
report name.

Once complete, a green checkmark appears beside the report.

11. Once the report generates, view the report. You can view the report on the Report Calendar page
(click the generated report and download the PDF), or go to the View Report tab for the report
and click to view in PDF format.

Exercise 4: Modifying the report layout

Apart from configuring the data that goes into the reports, you can configure the overall look and feel
of the report. You can control the template color scheme, fonts, and layout, as well as configure print
options and other settings.
In this exercise, you will make a few changes to the report layout.

To modify the report layout


1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. From the ADOM drop-down menu, select ADOM1.
3. Click Reports > Reports and select Top 25 Domains Viewed.
4. Select the Advanced Settings tab for the report and expand the Advanced Settings section.

5. Click Customize associated with Print Cover page.


The Cover Page Settings dialog box appears along with the default cover page settings.


6. Change any settings you wish and click Save. For example, type Created by admin in the Custom
Text 1 field and change the Footer Background Color to Bold Red.
7. Click Return to return back to the Advanced Settings tab.
8. From the Advanced Settings section, deselect Print Table of Contents. The report only has one
chart with 25 results, so a table of contents is not necessary.
9. Change Color Code to a different color. This is the color the report will appear under in Report
Calendar. The Top 25 Domains Viewed report appeared in the same color as the predefined
report you generated on demand earlier. By assigning a new color code to this report, it becomes
more noticeable in the Report Calendar.
10. Click Apply.
11. Click the View Report tab associated with the report and click Run Report Now.
12. View the PDF version of the report when it finishes generating and note the changes.
13. Finally, click Report Calendar to see how the report now appears.


You successfully modified the layout of the report.

Exercise 5: Exporting and importing a report

All reports and datasets are only valid within the ADOM in which they were created. If you make a
new report, dataset, or chart, you cannot copy or clone it from one ADOM to another. Reports,
however, provide the option to import and export. Accordingly, you can export a report from one
ADOM and import it into a different ADOM, or export and import between devices.
This is only a feature for reports. Custom charts and datasets cannot be exported.
In this exercise, you will export the custom report created in ADOM1 in Exercise 3 and import it into
ADOM2.
This exercise includes the following procedures:
 To export a report
 To import a report

To export a report
1. From the Win-Student VM, open a browser and log in as admin to the FortiAnalyzer Web-based
manager at 10.0.1.210.
2. From the ADOM drop-down menu, select ADOM1.
3. Click Reports > Reports.
4. Right-click Top 25 Domains Viewed (your custom report) and select Export from the pop-up
menu.

The file is saved as <report_name>.dat.

You successfully exported a report.


5. Continue to the next procedure.

To import a report
1. Still in the FortiAnalyzer Web-based manager Reports tab, select ADOM2 from the ADOM
drop-down list.
Notice that your custom report, Top 25 Domains Viewed, no longer appears in the Report list.
This is because reports are ADOM-specific.

2. Right-click anywhere within the Reports list and select Import from the pop-up menu.


The Import Report Configurations dialog box appears.

3. Click Choose File, select the file you saved in the previous procedure (i.e.,
<report_name>.dat), and click OK.
The report from ADOM1 imports into the Reports list in ADOM2.


This report is now available to be run on devices within ADOM2. Reports in different ADOMs are
not linked in any way. For example, changes to the report in ADOM1 will not change the same
report in ADOM2.

Appendix A: Additional Resources

Training Services: http://training.fortinet.com

Technical Documentation: http://help.fortinet.com

Knowledge Base: http://kb.fortinet.com

Forums: https://forum.fortinet.com/

Customer Service & Support: https://support.fortinet.com

FortiGuard Threat Research & Response: http://www.fortiguard.com

Appendix B: Presentation Slides

Introduction to FortiAnalyzer

In this lesson, we will show you how to use FortiAnalyzer, a centralized logging and reporting
platform for your network. FortiAnalyzer aggregates logs from a variety of Fortinet devices, such as
FortiGate, and uses them to generate reports to make sense of the “big picture”.


After completing this lesson, you should have these practical skills that will allow you to employ and
configure a FortiAnalyzer in your network and use log data and reports to enhance your network
security.


Network security isn't just about stopping attacks; as most network security analysts would agree, it is
almost impossible to build an impervious network. Logging is a key tool for detecting whether a network
has been compromised, and it allows you to take the necessary preventative measures to better secure
your network.

FortiAnalyzer is a centralized logging, analysis, and reporting platform that facilitates the investigative
process by automatically gathering and correlating log data. Comparing characteristics to known
baselines can help you to identify various types of deficiencies in your network security.

FortiAnalyzer therefore centralizes certain activities, such as:

• Log analysis
• Reporting, and
• Content archiving


Why is it important to analyze your logs? Think about logs like your credit card statements. Each
month, you have to audit your statements to ensure there are no unauthorized charges and your
credit card hasn’t been compromised. Simply saving and filing away your statements isn't sufficient—
you have to audit them. You don’t want to find out months later that there was, and continues to be, a
breach.

The big difference between credit card statements and logs is the greater volume of log data and the
complexity of the data itself—especially if you have a large network with a complex setup. Performing
forensics manually on your logs without proper tools is painful and time consuming. You need tools to
help analyze, and make sense of, all that data. This is the FortiAnalyzer.

FortiAnalyzer analyzes your network, traffic, and user events and helps you to:

• Discover deficiencies in your network security
• Mitigate attacks
• Compare system characteristics to known baselines
• Gather evidence for a court of law, and more

You can browse logs on FortiAnalyzer in real-time or use them for historical analysis.


Now that we know what a FortiAnalyzer does, let’s examine some of the key features. Key features
of FortiAnalyzer include:

• Centralized log repository, including FortiAnalyzer supported devices
• Log storage capacity
• Reports
• Alerts, and
• Content archive


One of the key features of FortiAnalyzer is the ability to centrally store logs from one or more
supported (and configured) devices. A centralized log repository provides one single channel for
accessing your complete network data, thereby avoiding the need to access multiple different
devices — potentially hundreds or thousands depending on your network size and deployment —
several times a day.


What devices does FortiAnalyzer support? You can configure FortiAnalyzer to collect logs from:

• FortiGate
• FortiCarrier
• FortiMail
• FortiWeb
• FortiCache
• FortiClient
• FortiSandbox
• FortiManager
• Syslog, and
• FortiAnalyzers in Collector mode

We’ll discuss FortiAnalyzer Collector mode later, as it will help to explain the use case of obtaining
logs from another FortiAnalyzer device.


Another benefit of FortiAnalyzer is its storage capacity. FortiAnalyzer can receive large volumes of
logs as well as store those logs over an extended period of time. While other network devices may
provide storage space for logs as well, it is often insufficient, as log storage is not the primary
purpose of those devices.

As an example, FortiManager, even though it shares a common hardware and software platform with
FortiAnalyzer and the two are very close to being the same device, is not purposed to collect
significant amounts of log information. FortiManager has a much lower limit on the amount of logs it
can receive in a day.


To get a clear picture of network events, activities, and trends, FortiAnalyzer includes a reporting
feature. FortiAnalyzer reports collate the information in the logs so that you can interpret the
information and, if necessary, take action. Network knowledge gleaned from these reports can also
be archived, filtered, and mined for compliance or historical analysis purposes.

FortiAnalyzer includes a large number of canned (predefined) reports for different Fortinet products
as well as highly flexible custom reports. You can schedule the reports to run at specific intervals (for
example, every Friday at 5pm) or you can run them ad-hoc if immediacy is required.


Attacks on your network, or the passing of undesirable traffic, don't always occur during your
scheduled work hours, when you would have the opportunity to resolve any issues quickly. And it's not
realistic to physically monitor your network around the clock.

To address this issue, FortiAnalyzer provides an alert feature. Alerts generate when specific
conditions in the logs are met — conditions you have configured FortiAnalyzer to monitor for
managed devices (such as FortiGates). Alerts are found on the Event Management tab and can
also be delivered to multiple recipients through email, SNMP, or syslog.

Alerts allow you to fix problems quickly and preferably before anyone else finds out there’s a problem
in the first place.


Another important feature of FortiAnalyzer is Data Leak Prevention (DLP) archiving, which provides a
way to simultaneously log and archive full or summary copies of content transmitted over the
network. Content archiving is typically used to prevent sensitive information from getting out of your
company network, but it can also be used to record network use. The DLP engine examines email,
FTP, NNTP, and web traffic, though because the archive setting is configured for each rule in a DLP
sensor, you can archive only the things you want.

The default behavior of FortiGate is to do summary archiving. The reason is simple: performance.
Keeping a full archive causes traffic to more than double. You have the original data plus a complete
copy of the data encapsulated by the logging meta-data.

You can use DLP archiving to collect and view historical logs that have been archived to a
FortiAnalyzer device, and use filters to track and locate specific content.


Now let’s take a look at the some of the concepts you need to understand before adding a
FortiAnalyzer to your network. Key concepts include:

• Administrative domains, known as ADOMs
• Operation modes of FortiAnalyzer
• Logging and reporting workflow, and
• Database language support.


Administrative domains (ADOMs) enable the admin administrator to constrain other administrators’
access privileges to a subset of devices in the device list. If virtual domains (VDOMs) are used,
ADOMs can further restrict access to only data from a specific device’s VDOM.

ADOMs are not enabled by default and enabling and configuring the domains can only be performed
by the admin administrator. Once enabled through either the Web-based manager or CLI, the
FortiAnalyzer Web-based manager menu changes, in that the Device Manager, FortiView, Event
Management, and Reports tab display per ADOM. CLI commands also change when ADOMs are
enabled.


A FortiAnalyzer device has two modes of operation: Analyzer and Collector. The mode of operation
you choose depends on your network topology and individual requirements.

Knowing your network topology in advance of selecting your FortiAnalyzer model is of crucial
importance.

The default operating mode is Analyzer. Should you want to change the mode of operation, go to the
Web-based manager under System Settings > Dashboard > System Information widget and
under Operation Mode, click Change.

Why are there two modes of operation? Let’s take a closer look at what differentiates the two modes,
starting first with Analyzer mode.


When operating in Analyzer mode, the FortiAnalyzer aggregates logs from one or more log
collectors. It is the default mode that supports all FortiAnalyzer features with the exception of log
forwarding, which is sending logs to another device (such as another FortiAnalyzer, a syslog server,
or a Common Event Format server).

Analyzer mode includes the following Web-based manager tabs:

• Event Management
• Reporting
• FortiView
• Device Manager, and
• System Settings


This is an example network topology for employing FortiAnalyzer in Analyzer mode. As you can see,
the FortiAnalyzer in Analyzer mode aggregates logs from multiple monitored devices (in this
example, the devices are FortiGates). FortiAnalyzer can collect logs over a local area network (LAN)
or a wide area network (WAN).


The other FortiAnalyzer operating mode is Collector mode. When operating in Collector mode, the
FortiAnalyzer collects logs from multiple devices and then forwards those logs in their original binary
format to another device, such as a FortiAnalyzer in Analyzer mode, a syslog server, or a Common
Event Format (CEF) server. It is important to remember that this device is not the end of the chain—
you need to configure the device to forward logs for analysis and reporting. For example, you can
configure one or more FortiAnalyzers in Collector mode to send their logs to a FortiAnalyzer in
Analyzer mode.

The Collector mode does not have the same feature-rich options as a FortiAnalyzer operating in
Analyzer mode, as its only purpose is to collect and forward logs. Collector mode includes the
following Web-based manager tabs:

• FortiView
• Device Manager, and
• System Settings

It does not allow event management or reporting.


This is an example network topology for employing FortiAnalyzer in Collector mode. As you can see,
the FortiAnalyzers in Collector mode save logs from various devices and then forward them to a
FortiAnalyzer in Analyzer mode, where they can be aggregated. You can place FortiAnalyzers in
Collector mode on a local network or remotely (on the Internet).

By using both Analyzer and Collector modes, you increase FortiAnalyzer's performance:
Collectors off-load the task of receiving logs from multiple devices from the Analyzer, so it can expend
its resources collating and storing those logs in a fashion that makes it easy to search and run
reports, and because Collectors are strictly dedicated to log collection, their log receiving rate and
speed are maximized.

Furthermore, you can schedule the Collectors to send logs to the Analyzer at certain times, such as
low-bandwidth periods. This saves bandwidth during high bandwidth periods, such as during regular
business hours.


Here is the logging and reporting workflow:

First, monitored devices send logs to FortiAnalyzer.

FortiAnalyzer then collates and stores those logs in a fashion that makes it easy to search and run
reports.

Finally, administrators can connect to the FortiAnalyzer through the Web-based manager to view the
logs manually or they can look at the data from any automatic reports they have configured and
request specific reports if required.

Reports do not provide any recommendations or give any indication of problems: Administrators
must be able to look beyond the data and charts to see what is happening within their network.


Structured Query Language (SQL) is the database language that FortiAnalyzer uses for logging and
reporting. While we will examine reports later in this training, it is important to point out that some
knowledge of SQL is necessary in order to create custom reports. For example, you need to know
how to define SQL queries to create datasets (datasets are essentially componentized
representations of SQL queries and are used to create charts for reports). Your SQL query instructs
FortiAnalyzer what specific information to extract from the database.


Now that you understand how FortiAnalyzer works and how it fits into your network topology, let’s
take a look at the different types of FortiAnalyzer models available and their compatibility with other
Fortinet products.


You can deploy FortiAnalyzer with either a physical hardware appliance or a virtual machine (VM).
Depending on the hardware model, the physical size, shape, and layout of the device is different.
APIs are also available on both the physical and virtual appliances.


As you can see on the hardware side, there are many different models of FortiAnalyzer available.
Each has different capabilities, designed with flexibility and versatility in mind.

Small networks might look to the 200D. From a hardware perspective, it includes 1 TB of storage
capacity and support for four interfaces. It does not have a removable hard drive, support for RAID
storage management (which we'll discuss later in the FortiAnalyzer training), or redundant hot-swap
power supplies.

Large organizations with multi-tenant environments, on the other hand, would require something
more robust, like the 3900E. It provides more storage capacity, with 15 hard drives of 960 GB each,
totaling 14 TB (though depending on the RAID level configured, actual storage space varies), as
well as support for four interfaces: two RJ45 connectors (8 position 8 contact, or 8P8C, used for
Ethernet) and two SFP+ (enhanced small form-factor pluggable) connectors, which support data
rates up to 10 Gigabits/sec. It includes removable hard drives, support for RAID storage
management, and redundant hot-swap power supplies.

It’s important to note that the GB/day of logs identified for each model is a hard limit — not a
recommendation.


Virtual machines (VMs) are different from hardware appliances in that they do not have different
models, but different “images” or “packaged bundles”. Once you have determined the appropriate VM
package — each available for both 32-bit and 64-bit environments — you can log into
support.fortinet.com and download it.


Usage limitations on your VM are imposed by the license you purchase. Different licenses allow for
more devices and more traffic to be collected. FortiAnalyzer VM licenses are stackable based on GB
of logs per day and storage add-ons. This stackable licensing model allows your solution to grow as
your organization grows.


While FortiAnalyzer can collect logs from multiple Fortinet devices, it is important to always check the
release notes for specific details regarding product integration and support information.

Each version of the FortiAnalyzer firmware supports specific Fortinet devices and firmware revisions.
Not every patch supports every Fortinet firmware version. Periodically, the format of the logs changes
in order to accommodate more or different information. As such, ensure you read the release notes,
available from either the Technical Documentation area of the Fortinet website or on the Support
website in the firmware download folder, as new products are released.


Logs are an important asset, so it is vitally important to follow the proper firmware upgrade
procedure. You can find the specific procedure in the version-specific Upgrade Guide, which is only
available on the Support website. There may also be important information in the Upgrade Guide
concerning the upgrade itself (and possible downgrade).


If you need to check the current firmware version that a device is using, you can do so from both the
Web-based manager and the CLI.

On the Web-based manager, go to System Settings > Dashboard. The firmware version is located
in the System Information widget.

From the CLI, enter the command get system status to view the firmware version.


After this lesson, you should be able to explain FortiAnalyzer; understand key features and key
concepts; and understand the different FortiAnalyzer models and firmware versions and upgrades.

DO NOT REPRINT  Configuration & Administration

© FORTINET

In this lesson, we will show you how to set up and administer FortiAnalyzer.


After completing this lesson, you should have these practical skills that will allow you to configure and
administer FortiAnalyzer. This includes:

• Understanding deployment requirements
• Understanding the available configuration tools
• Configuring the network settings
• Backing up the system configuration
• Configuring administrative users
• Understanding, configuring, enabling, and assigning ADOMs, and
• Understanding and configuring RAID.


Before FortiAnalyzer can start collecting logs and running reports, it has to be properly deployed in
your network. This involves identifying your deployment requirements, placing your FortiAnalyzer
correctly within your network, connecting the appliance, and selecting a configuration tool to manage
and administer the FortiAnalyzer.


As discussed in the last lesson, FortiAnalyzer has a range of different models to meet the different
log collection and data analysis requirements of enterprises big and small. So when selecting your
FortiAnalyzer appliance, you need to consider your current needs and projected network growth.
What sorts of things should you consider?

• Amounts of network traffic
• Types of data that will be collected
• Number of Fortinet devices on the network
• Data retention requirements
• Frequency of report generation, and
• Concurrent users accessing the FortiAnalyzer system

In general, the FortiAnalyzer model should match the FortiGate model(s) and account for projected
growth. Remember, you can have multiple FortiAnalyzers operating in Collector mode to ease some
of the resource burden from the FortiAnalyzer operating in Analyzer mode.


You can position FortiAnalyzer just about anywhere that you would position a server or other endpoint device. Administrative access operates like a FortiGate, in that you can manage FortiAnalyzer from within the local network or remotely over the Internet. However, in an emergency you need to be able to connect to “port 1”, or the port labeled “MGMT”. As such, it is best practice to have a management computer directly connected to FortiAnalyzer. This diagram shows a management computer connected to FortiAnalyzer by way of a hub or switch.


Once you’ve figured out where to place your FortiAnalyzer, let’s take a look at how to physically
connect the device.

This illustration depicts the back of a FortiAnalyzer 800B model, but all FortiAnalyzers include the
following basic connections:

• One or more power cable connections. This connects your device to a power outlet; if there is more than one, the additional connection feeds a redundant, swappable power supply.
• Management port (serial port). This connects to the management computer and provides access to the command line interface.
• One or more Ethernet ports. These connect FortiAnalyzer to your network and, through it, to the Internet; the uplink is normally a modem, but it can also be another device on your network. Ethernet “Port 1”, or the port labeled “MGMT”, is used to connect your management computer and FortiAnalyzer directly for access to the Web-based manager. While you can access the Web-based manager remotely, it is best practice to have a management computer directly connected in case of an emergency.


Once your FortiAnalyzer is connected, you need to begin with the initial configuration. There are two tools you can use to configure the FortiAnalyzer, both for initial configuration and beyond: the Web-based manager (a graphical user interface accessed through a configured IP address) and the CLI (a command line interface reached through various connection methods). Both allow you to configure the administrator password, the interface addresses, the default gateway addresses, and the DNS server addresses, all of which are required for initial configuration.


Before logging into the FortiAnalyzer to initially configure logging and reporting for your network, you need to know the factory default settings. You can find them in your model-specific QuickStart Guide. For the first login you need the default user name and password, as well as the port 1 IP address, netmask, and default management access protocols, so that you can connect your management computer. Different FortiAnalyzer models have different numbers of ports, but port 1 is the management port and always has this default IP.


The Web-based manager is the graphical user interface (GUI) configuration tool for FortiAnalyzer
and is accessible both locally, by connecting directly to the FortiAnalyzer device, and remotely, based
on your configured settings (you can deny or permit access to the Web-based manager based on IP
address).

Which features an administrator has access to upon login depends on two factors: the operation mode of FortiAnalyzer and the administrator profile of the user. For example, when operating in Collector mode, the Web-based manager does not display the Event Management or Reports tab. And if logged in with the Standard_User or Restricted_User administrator profile, the full access privileges granted to the Super_User are not available.

Any configuration changes made using the Web-based manager take effect immediately without
resetting the FortiAnalyzer system or interrupting service.


The command line interface (CLI) is the other configuration tool for FortiAnalyzer and is accessible
both locally and remotely, just like the Web-based manager. You can execute CLI commands
through the CLI Console widget available in the Web-based manager under System Settings >
Dashboard or use a terminal emulation application. The latter requires a separate Telnet, SSH, or
local console connection.

Again, just like the Web-based manager, the commands available to execute are based on the
operation mode of the FortiAnalyzer and the administrator profile of the logged in user. Note that
there are some settings that are CLI only and cannot be performed through the Web-based manager.


Once connected to the Web-based manager, you are ready to configure the FortiAnalyzer network
settings, which include the IP address and netmask, default gateway, and DNS servers. You should
also back up your system configuration.


If using the Web-based manager configuration tool, you need to connect an Ethernet cable between
FortiAnalyzer and the management computer on port 1. You also must configure the management
computer to be on the same subnet as the FortiAnalyzer port 1 interface.

As specified in the factory defaults, the port 1 interface has an IP of 192.168.1.99. So in order to log into FortiAnalyzer, open a supported browser and enter the default IP preceded by https://. At the login screen, use the factory default administrator account: the user name is “admin” in all lower case, and the password is blank.


If using the CLI configuration tool, you can use one of two methods. If you prefer to use the CLI
Console widget in the Web-based manager, you are automatically logged into the CLI console once
you log into the Web-based manager as described in the previous slide. Once you click within the
console area, you can begin executing CLI commands.

If you prefer to access FortiAnalyzer using a terminal emulation application, such as PuTTY, you need to enter the default FortiAnalyzer port 1 IP address and select a supported management access protocol, such as SSH.

To log into FortiAnalyzer, use the same factory default for the administrator account.


Once logged in, you must configure the interface, the primary and secondary DNS server IP
addresses, and the default gateway. While you can perform these tasks through the Web-based
manager as well as the CLI, the Web-based manager will be used in this lesson for the sake of
simplicity.

All initial configuration tasks are performed from the same area of the Web-based manager: System
Settings > Network.


Before going over the configuration settings, a word about security. Your FortiAnalyzer stores your network log information, so it is vital that this data is properly protected.

Here are some security recommendations:

• Deploy your FortiAnalyzer within a protected and trusted private network. It should never be deployed directly on the outside, exposed to the Internet.
• Always use secure connection methods for administration: HTTPS for the Web-based manager or SSH for the CLI. Insecure methods (like HTTP or Telnet) send everything in plain text, so an attacker with a packet sniffer can capture credentials and other information that can then be used to breach your network.
• Configure trusted hosts on your administrator accounts so that logins are only allowed from specific locations. If you do need to open outside access to the device so that remote FortiGates can connect, open only the ports necessary for that. Every additional open port increases your security risk. If you need to open direct login access from the outside, set up dedicated user accounts for this and open only protocols that are secure. Secure passwords matter too, especially once you transmit traffic over connections where anyone could be listening (for example, the Internet).


To configure the network settings of the management interface, which include an IP address and netmask, the supported administrative access protocols, and a default gateway for routing packets, go to System Settings > Network.

Upon initial login, the IP/Netmask field is prefilled with the default network settings (see the Default settings slide) of the management interface, which is either Port 1 or the interface designated MGMT on the FortiAnalyzer device. Change the IP and, if necessary, the netmask of this interface to suit your own network. This is more secure than keeping the default address and, if more than one FortiAnalyzer is located in the network, different settings are mandatory: the management interface must have a dedicated (unique) address.

To configure multiple interfaces, click All Interfaces. FortiAnalyzer can manage Fortinet devices connected to any of its interfaces.

You can assign IPv4 and IPv6 addresses, which must be static. Administrative access for IPv4 and IPv6 is configured separately, so you can mix and match the options you want.

Administrative Access allows you to select the administrative protocols you want to support for IPv4 and IPv6. Any interface that is used to provide administrative access to FortiAnalyzer requires at least HTTP or HTTPS for Web-based manager access, or SSH for CLI access. These are enabled by default; following the security recommendations above, leave only HTTPS and SSH enabled on interfaces that need administrative access. There are three “non-standard” protocols worth mentioning as well: Web Service, Aggregator, and FortiManager.

Enable Web Service to allow access to FortiAnalyzer from a Web service client using SOAP, a messaging protocol that lets programs running on disparate operating systems (such as Windows and Linux) communicate. The FortiAnalyzer server itself runs on Linux.

Enable Aggregator to allow log aggregation transmission (for example, if you have a FortiAnalyzer
operating in Collector mode that is sending logs).

Enable FortiManager to allow FortiAnalyzer to be managed by a FortiManager.


In the same Management Interface pane you can configure the default gateway associated with the interface. The default gateway is the next hop that routes traffic from the local network to another, usually external, network. Put simply, a default gateway acts as the entry and exit point of a network, and every host on your local network needs to know its IP in order to reach the Internet. To configure it, enter the IP address of FortiAnalyzer's next hop in the Default Gateway field.

If you want to use another port on FortiAnalyzer, you can assign specific IPv4 or IPv6 static routes to a different gateway so that packets for those destinations are delivered by a different route. Click Routing Table or IPv6 Routing Table respectively and create a new route. Here, you need to configure the destination IP and mask, the gateway, and the interface (port).


On this same System Settings > Network screen, you also configure the DNS servers. The Domain Name System (DNS) servers must be reachable from the networks to which FortiAnalyzer connects, and you should configure two different addresses, a primary and a secondary, so that human-friendly hostnames can still be translated into IP addresses if one server is unavailable.

The default primary and secondary DNS server addresses are the FortiGuard DNS servers. You can use these or change them to something else. Considering the role of FortiAnalyzer, it is not vital that DNS is operational. However, if you want to resolve hostnames in the logs, it will be necessary.


Once you complete your FortiAnalyzer deployment, you should back it up as a best practice. You can perform a backup directly within the Web-based manager through System Settings > Dashboard.

Your configuration contains all of the system information, such as the device IP and admin user information. It also contains the device list, which is any devices you have configured to allow log access. Finally, it contains report information, which is any automatic reports you have configured to run as well as all of your custom report details. Essentially, the backup contains everything except the actual logs and generated reports. You can save the backup as an encrypted file for additional security. Multiple backups can exist from different points in time, so name each file so that it indicates when the backup was taken.

If changes made to the FortiAnalyzer end up negatively affecting your network, you can restore the configuration from any of the backups you performed.


Once your FortiAnalyzer settings are configured and the appliance deployed, you can start setting up
your administrative users. This includes changing the default administrator password; configuring
administrator profiles, remote authentication servers, and global settings for administrators; creating
administrative users, configuring trusted hosts for administrative users, and monitoring administrator
sessions.


One of the first administration tasks you should perform is changing the default administrator
password. From the Web-based manager, select System Settings > Admin > Administrator and
select the admin user. From the Edit Administrator screen that appears, click Change Password to
change the default blank password of the admin user. Ensure you select a secure password.


In order to efficiently administer your system, FortiAnalyzer comes pre-installed with three default
profiles that you can assign to other administrative users. Administrator profiles define administrator
privileges and are required. The three default profiles, which are located under System Settings >
Admin > Profile, are:

• Super_User, which, like on a FortiGate, provides access to all device and system privileges
• Standard_User, which provides read and write access to device privileges, but not system privileges, and
• Restricted_User, which provides read-only access to device privileges, and no system privileges.

If required for your management requirements, you can double-click Standard_User and/or
Restricted_User to modify the individual privileges of the profile. Note that Super_User cannot be
modified.

To create a custom profile, click Create New in the menu bar.


Administrative user accounts do not need to exist locally. Through System Settings > Admin > Remote Auth Server, you can configure external servers to validate your administrator logins. RADIUS, LDAP, TACACS+, and PKI can all be used to verify administrator credentials. To configure two-factor authentication, you require FortiAuthenticator and FortiToken.

Click Create New from the menu and select an external server to configure. A pop up dialog appears
where you can configure the specific server details for connection purposes. For more information
about setting up each server, see the FortiAnalyzer Administration Guide.


FortiAnalyzer also provides the option of configuring global settings for administrator access through
System Settings > Admin > Admin Settings. These settings can only be configured by the admin
administrative user.

You can set the following:

• Ports for HTTP and HTTPS administrative access
• HTTPS and Web Service server certificate
• Idle timeout settings
• Language of the Web-based manager, and
• Password policy


Once your administrative profiles, remote authentication servers, and global admin settings are
configured, you can create administrative user accounts. This is performed through System Settings
> Admin > Administrator. Click Create New to create a new account.

To select the type of authentication the administrator will use when logging in to FortiAnalyzer, click
the Type drop-down list. Options include LOCAL, RADIUS, LDAP, TACACS+, or PKI. If you select
LOCAL, you must add a password.

The Admin Profile drop-down box allows you to select the administrator profiles you configured
previously.


In addition to controlling administrative access by assigning and configuring administrator profiles, you can further control access by setting up trusted hosts for each administrative user. This restricts an administrator to logins from specific IPs or subnets only. You can even restrict an administrator to a single IP address if you define only one trusted host IP. FortiAnalyzer allows you to configure up to ten IPv4 or IPv6 trusted hosts by clicking the green + icon. An administrator with no trusted hosts defined can log in from any address that can reach a management interface, so define them for every account, including admin.

The trusted hosts you define apply to both the Web-based manager and the CLI when accessed through SSH.
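As an added example (not part of the Fortinet guide), the following Python script audits a FortiAnalyzer-style configuration dump against the advice in this lesson: the security recommendations (no plaintext HTTP or Telnet for administration), the Administrative Access and default-address notes, the default blank admin password, and the trusted hosts described above. The configuration text is a constructed sample in the `config`/`edit`/`set`/`next`/`end` block syntax of a FortiAnalyzer backup; the interface names, addresses, user names and the `ENC ...` password placeholders are assumptions, not values from any real device, and the parser handles one nesting level, which is all these tables need.

```python
"""Audit a FortiAnalyzer configuration dump against the admin-access advice above.

Added example: parses the config/edit/set/next/end block syntax and reports
settings that contradict the security recommendations. One nesting level
(config > edit > set) is handled, which covers the tables checked here.
"""
import ipaddress
import shlex

# Constructed sample in FortiAnalyzer backup syntax; not from a real device.
# Names, addresses and the "ENC ..." password placeholders are assumptions.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess http https ssh telnet ping
    next
    edit "port2"
        set ip 10.10.20.5 255.255.255.0
        set allowaccess https ssh aggregator
    next
end
config system admin user
    edit "admin"
        set profileid "Super_User"
    next
    edit "soc-analyst"
        set password ENC xxxxxxxxxxxxxxxx
        set profileid "Restricted_User"
        set trusthost1 10.10.20.0 255.255.255.0
    next
    edit "remote-ops"
        set password ENC yyyyyyyyyyyyyyyy
        set profileid "Standard_User"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

PLAINTEXT_PROTOCOLS = {"http", "telnet"}  # credentials cross the wire unencrypted
FACTORY_DEFAULT_IP = "192.168.1.99"


def parse_config(text):
    """Return {table: {entry: {key: [values]}}}.

    `set` lines that appear directly under `config` (tables without `edit`
    entries) are stored under the entry name "".
    """
    tree, table, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            table, entry = " ".join(args), ""
            tree.setdefault(table, {}).setdefault(entry, {})
        elif cmd == "edit":
            entry = args[0]
            tree[table].setdefault(entry, {})
        elif cmd == "set":
            tree[table][entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = ""
        elif cmd == "end":
            table = entry = None
    return tree


def is_any_network(values):
    """True when a trusthost value means 'from anywhere' (0.0.0.0/0 or ::/0)."""
    try:
        spec = "/".join(values) if len(values) == 2 else values[0]
        return ipaddress.ip_network(spec, strict=False).prefixlen == 0
    except ValueError:
        return True  # an unparsable restriction is treated as no restriction


def audit(tree):
    """Return a list of human-readable findings; an empty list means nothing to fix."""
    findings = []
    for name, attrs in tree.get("system interface", {}).items():
        if not name:
            continue
        if attrs.get("ip", [None])[0] == FACTORY_DEFAULT_IP:
            findings.append(f"{name}: still on factory default address {FACTORY_DEFAULT_IP}")
        weak = PLAINTEXT_PROTOCOLS & set(attrs.get("allowaccess", []))
        if weak:
            findings.append(f"{name}: plaintext admin protocols enabled: {', '.join(sorted(weak))}")
    for name, attrs in tree.get("system admin user", {}).items():
        if not name:
            continue
        if "password" not in attrs:
            findings.append(f"user {name}: no password set")
        hosts = [v for k, v in attrs.items() if "trusthost" in k]
        if not hosts or any(is_any_network(v) for v in hosts):
            findings.append(f"user {name}: no trusted-host restriction, login allowed from anywhere")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against the sample, the script reports port1 (factory address, HTTP and Telnet enabled), the admin account (no password, no trusted host) and remote-ops (a 0.0.0.0/0 trusted host, which is no restriction at all), and stays silent on port2 and soc-analyst. Feeding it a real backup of your own appliance is a quick way to confirm that the recommendations in this lesson were actually applied.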


For a simple means of tracking administrator sessions, including who is currently logged in and through which trusted host, select System Settings > Admin > Administrator. Only the default admin administrator can see the complete administrator list.

A more complete view of administrator activity is located through the FortiView tab on the Admin
Logins page. From here you can see any configuration changes made by the administrator as well
as the duration of their login and any failed login attempts. We will discuss the FortiView tab later in
the training.


Once FortiAnalyzer is deployed, you can look into the more advanced features of administering and managing your system. These include setting up Administrative Domains (ADOMs) and protecting your log data with RAID.


In order to better manage your network through FortiAnalyzer and get a centralized summary of your
system information and snapshot of your system resources, use the Dashboard in the Web-based
manager.

You can find the dashboard under the System Settings tab. The dashboard includes:

• System information
• License information
• System resources
• Unit operation
• CLI Console
• Log Receive Monitor
• Logs/Data Received
• Statistics, and
• Alert Message Console


The dashboard is comprised of various widgets, such as System Information, System Resources,
and the CLI Console to name a few. If you find some widgets unnecessary for your particular
management requirements, you can disable them so they no longer appear on your dashboard.
Hover over the top bar of the widget and click “x” to close any widget. By default, all widgets are
enabled.

Likewise, you can enable widgets as well (or re-enable any previously disabled widgets). Click Add
Widget in the menu bar and, from the pop up dialog box that appears, select the widget to enable.

You can also rearrange the position of the widgets on the page by dragging and dropping individual
widgets. Should you wish to reset your dashboard to the default at any time, click Dashboard >
Reset Dashboards in the top menu.

Several widgets have the option to adjust some of the internal parameters. If you hover over the
menu bar of the widget and a pencil icon appears it means you can edit that particular widget’s
parameters. For example, the Alert Message Console widget allows you to set the number of alert
entries that appear as well as the refresh interval in seconds.


Now let’s look into how you can better administer your network through Administrative Domains,
known as ADOMs. ADOMs allow the admin administrator to create groupings of devices for
administrators to monitor and manage. For example, administrators can maintain managed devices
specific to their geographic location or business division.

Not only does this make device management more effective, as administrators need only worry about devices in their ADOM, but it also makes the network more secure, as administrators are restricted to only those devices to which they should have access. The security risk increases as you open up and expose more of your network.

Administrators who have the Super_User profile have full access to all ADOMs, whereas
administrators with any other profile only have access to those which they are assigned—this can be
one or more.

ADOMs are not enabled by default and enabling and configuring the domains can only be performed
by the admin administrator.


ADOMs are enabled (or disabled) from the System Settings > Dashboard > System Information
widget. Once you change the ADOM mode you are logged out so the system can reinitialize with the
new settings. The maximum number of ADOMs you can enable varies by FortiAnalyzer model.

Once enabled, the Web-based manager navigation changes. Now, you must select the ADOM from
the drop-down list in the toolbar to view device information. The Device Manager, FortiView, Event
Management, and Reports tabs are displayed per ADOM.


With ADOMs enabled, any administrator with the Super_User profile will now see an All ADOMs page under the System Settings tab. The All ADOMs page displays all the ADOMs configured on the device and provides the option to create new ADOMs (which we’ll discuss later). FortiAnalyzer has default ADOMs for all non-FortiGate devices. While you can edit the default ADOMs, you cannot edit their device type or firmware version. These default ADOMs should not be deleted; instead, create a new ADOM if the default options do not meet your requirements.

Note that the list of ADOMs displays alphabetically, with capital letters appearing before lower case.
So, in this example, ADOM2 comes before adom1, because ADOM2 is capitalized.


If the default list of ADOMs does not fit your requirements, you can create a new one. Click Create New from System Settings > All ADOMs. The Create ADOM dialog box appears. An important field in the dialog box is Device Type. Here, you must not only select the device type from the drop-down list, but also the firmware version of the device. FortiAnalyzer cannot read log messages from just any version, so the device’s firmware version must be supported. Check your model’s release notes for more information.

It is important to note that an ADOM has two device modes: normal, which is the default mode, and advanced. In normal mode, you cannot assign different FortiGate virtual domains (VDOMs) to multiple FortiAnalyzer ADOMs; the FortiGate device can only be added to a single ADOM. In advanced mode, you can assign different VDOMs from the same FortiGate device to multiple ADOMs. This results in a reduced operation mode and more complicated management scenarios, so it is recommended for advanced users only.

To change modes, go to System Settings > Advanced > Advanced Settings and change the selection in the ADOM Mode field.


When you create a new ADOM or edit an ADOM, you can select the devices to be included in an
ADOM. From the box on the left, select the devices you want to associate with the ADOM. Click the
right arrow to move them to the box on the right. If the device mode is advanced, you can add
separate FortiGate VDOMs to the ADOM as well as FortiGate devices.

Note that you cannot assign the same device to two different ADOMs.


Once you configure ADOMs, you can assign administrators to them. You can assign one or more
ADOMs to an administrator. This constrains administrators to configurations and data that apply only
to devices in their assigned ADOM or ADOMs.

Through System Settings > Admin > Administrator, select the administrator to which you want to
assign an ADOM. From the Administrative Domain field, select All ADOMs to assign all ADOMs
to the administrator, or Specify to select specific ADOMs from the list of configured ADOMs that
appears. By default, administrators are assigned all ADOMs.

The admin administrator account has access to all ADOMs as a result of the Super_User profile and
cannot be edited.


Administering and managing your system also includes protecting your log information. This includes having a copy of your data should some, or all, of the system go down. While we discussed backups earlier in the lesson, those backups only save system settings, not your logs. The method most commonly used for high performance, resilient storage is RAID. RAID, which stands for redundant array of independent disks, is not supported on all FortiAnalyzer models.

RAID enables you to store your data in different places on multiple hard disks. Data is distributed across drives in different ways, referred to as “RAID levels”. The level you ultimately select depends on your goal, as each level provides a different balance between reliability, availability, performance, and capacity. Note that RAID protects against disk failure, not against deleted or corrupted logs: a deletion or a faulty write is replicated to every disk in the array just like any other write.

If you have multiple identical drives, most devices can be set up in one type of RAID array or another. However, in order for there to be a RAID array in the first place, all of the drives must be of the same size.


Basic RAID has two types of operation: mirroring and striping.

With mirroring, instead of writing a file to a single hard drive, the array writes it to another hard drive as well. This way you have a real-time copy of the data. With striping, two or more drives combine into a single logical drive. When data is stored on the drive, it is split into pieces and those pieces are distributed across all the drives in the array.

It is important to note that not all RAID levels behave the same way. Some only mirror, others only stripe, others do both, and others include distributed parity, which is another way to achieve redundancy. With distributed parity, parity data is spread across multiple drives, which requires three or more disks (RAID 5 and above). Also, the number of drives that can fail depends on the RAID level. Regardless of the level, too many failed drives will result in the loss of data.


As mentioned, not all models support RAID, so the menu option to configure RAID may not appear in
the Web-based manager. Be sure to check the model specifications, as it will tell you whether RAID
is supported and to what level.

If RAID is supported, you can configure RAID through System Settings > RAID Management by
clicking Change in the RAID Level field. From the RAID settings dialog box that appears, you can
select the specific RAID level you want to use. Supported levels include Linear, RAID 0, RAID 1,
RAID 1 +spare, RAID 5, RAID 5 +spare, RAID 6, RAID 6 +spare, RAID 10, RAID 50, RAID 60.


Some common RAID levels are RAID 0 (striping), RAID 1 and its variants (mirroring), RAID 5 (distributed parity), RAID 6 (dual parity), RAID 50 (striping and distributed parity), and RAID 60 (striping and dual parity).

• RAID 0 splits data evenly across two or more disks. Speed and performance are the main goals. There is no parity information or data redundancy, which means that there is no fault tolerance: if one disk fails, the entire array is lost.
• RAID 1 consists of an exact copy of a set of data on two or more disks. Read performance and reliability are the main goals. RAID 1 includes fault tolerance, so if one disk fails the other can keep working since it contains an exact copy of the data.
• RAID 5 consists of block-level striping with distributed parity. Data and parity are striped across three or more disks. This RAID level provides better performance than mirroring as well as fault tolerance. It can withstand the failure of a single drive, as subsequent reads can be calculated from the distributed parity so that no data is lost.
• RAID 6 extends RAID 5 by adding another parity block. Accordingly, it consists of block-level striping with two parity blocks distributed across all member disks. It’s more robust than RAID 5, as the system can remain operational even if two disks fail.
• RAID 50 combines the block-level striping of RAID 0 with the distributed parity of RAID 5. Write performance is improved over RAID 5 and it provides better fault tolerance than a single RAID level. With this level, one drive from each of the RAID 5 sets can fail.
• RAID 60 combines the block-level striping of RAID 0 with the distributed double parity of RAID 6. Write performance is affected, but the enhanced redundancy provides peace of mind. Dual parity allows the failure of two disks in each RAID 6 array.

For more information on RAID levels, see the FortiAnalyzer Administration Guide.

*source: Wikipedia, Standard RAID levels and Nested RAID levels
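To show what "distributed parity" means in practice, here is an added Python simulation of RAID 5 striping. It is not code from the guide or from Fortinet: data is split into fixed-size chunks, striped across N disks with the XOR parity block rotating between disks from stripe to stripe, and any single failed disk is rebuilt from the surviving blocks. The disk count, chunk size and sample data are assumptions for the demonstration; real controllers use much larger block sizes, and RAID 6 adds a second parity computed differently, which plain XOR cannot provide.

```python
"""RAID 5 in miniature: striping with rotating XOR parity and single-disk rebuild.
Added example; the disk count, chunk size and sample data are assumptions."""
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks byte by byte (the parity operation RAID 5 relies on)."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, value in enumerate(block):
            out[i] ^= value
    return bytes(out)


def raid5_write(data: bytes, n_disks: int, chunk: int = 4) -> List[List[bytes]]:
    """Stripe data across n_disks. Returns disks[d][s], the block on disk d in stripe s.
    Each stripe holds n_disks-1 data chunks plus one parity chunk, and the parity
    position rotates so that no single disk becomes a parity bottleneck."""
    if n_disks < 3:
        raise ValueError("RAID 5 requires at least three disks")
    per_stripe = chunk * (n_disks - 1)
    padded = data + b"\x00" * ((-len(data)) % per_stripe)   # fill the last stripe
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(padded) // per_stripe):
        payload = padded[s * per_stripe:(s + 1) * per_stripe]
        pieces = [payload[i * chunk:(i + 1) * chunk] for i in range(n_disks - 1)]
        parity_disk = (n_disks - 1 - s) % n_disks             # rotate the parity position
        parity = xor_blocks(pieces)
        remaining = iter(pieces)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(remaining))
    return disks


def raid5_read(disks: List[Optional[List[bytes]]], length: int) -> bytes:
    """Reassemble the original data. A failed disk is passed as None; one failure
    is rebuilt from parity, two or more mean the array is lost."""
    failed = [d for d, blocks in enumerate(disks) if blocks is None]
    if len(failed) > 1:
        raise RuntimeError(f"RAID 5 cannot recover from {len(failed)} failed disks")
    n_disks = len(disks)
    n_stripes = len(next(blocks for blocks in disks if blocks is not None))
    out = bytearray()
    for s in range(n_stripes):
        parity_disk = (n_disks - 1 - s) % n_disks
        stripe = [None if disks[d] is None else disks[d][s] for d in range(n_disks)]
        if failed:
            # The XOR of every block in a stripe is zero, so the missing block is the
            # XOR of the survivors (this is what the controller does while "Rebuilding").
            stripe[failed[0]] = xor_blocks([b for b in stripe if b is not None])
        for d in range(n_disks):
            if d != parity_disk:
                out += stripe[d]
    return bytes(out[:length])


if __name__ == "__main__":
    sample = b"FortiAnalyzer stores logs on a RAID array"   # constructed sample data
    array = raid5_write(sample, 4)
    degraded = list(array)
    degraded[2] = None                                         # simulate one failed disk
    print("rebuilt from 3 of 4 disks:", raid5_read(degraded, len(sample)))
```

Running the block writes a short byte string to a four-disk array, drops one disk and reads the data back intact; dropping a second disk makes `raid5_read` raise, which is the RAID 5 limit the guide describes.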


You can view your RAID status from System Settings > RAID Management. Here, you can view
the status of each disk in the RAID array including the disk’s RAID level. You can also see how much
disk space is being used among other details.

The possible disk states for a RAID disk status include:

• OK: The hard drive is functioning normally.
• Rebuilding: FortiAnalyzer is writing data to a newly added hard drive in order to restore the hard
drive to an optimal state. FortiAnalyzer is not fully fault tolerant until rebuilding is complete.
• Initializing: FortiAnalyzer is writing to all the hard drives in the device in order to make the array
fault tolerant.
• Verifying: FortiAnalyzer is ensuring the parity data of a redundant drive is valid.
• Degraded: The hard drive is no longer being used by the RAID controller.
• Inoperable: One or more drives are missing from FortiAnalyzer. The drive is no longer available
to the operating system. Data on an inoperable drive cannot be accessed.


You can view any RAID failures from the System Settings > Dashboard > Alert Message Console
widget. A log message appears in this widget if there are any failures.

Should a hard disk on a FortiAnalyzer fail, it must be replaced. On FortiAnalyzer devices that support
hardware RAID, you can replace the disk while FortiAnalyzer is still running. This is known as “hot
swapping”. On FortiAnalyzers with software RAID, you must shut down FortiAnalyzer prior to
exchanging the hard disk.


After this lesson, you should be able to deploy and configure FortiAnalyzer, administer administrative
users, and administer and manage ADOMs and RAID arrays.

Device Registration

In this lesson, we will examine how devices become registered with FortiAnalyzer so they can begin
sending logs and how to secure communication between devices.


After completing this lesson, you should have these practical skills that will allow you to register a
device with FortiAnalyzer and configure device options, logging permissions, and secure
communication.


To FortiAnalyzer, there are only two types of external devices: those that are registered and those
that are unregistered.

A registered device is one that has been authorized to store logs on FortiAnalyzer, whereas an
unregistered device is one that is requesting to store logs on FortiAnalyzer.

As mentioned in the Introduction to FortiAnalyzer lesson, FortiAnalyzer supports the registration of
many different devices, including:

• FortiGate
• FortiCarrier
• FortiMail
• FortiWeb
• FortiCache
• FortiClient
• FortiSandbox
• FortiManager
• Syslog, and
• FortiAnalyzers in Collector mode

So how do you register a device?


There is more than one method you can use to register a supported device with FortiAnalyzer. This
section aims to explain the available options.


There are two ways you can register a device with FortiAnalyzer:

The first method involves a request for registration from a supported device. When the FortiAnalyzer
administrator receives that request, the administrator accepts it (though it can also be denied).

The second method involves the FortiAnalyzer device registration wizard. If the device is supported
and all the details of the device are correct, the device becomes registered.


Let’s take a closer look at method one: request from a supported device. In this example, a FortiGate
is requesting registration. This is done in the FortiGate Web-based manager through Log & Report >
Log Config > Log Settings. The FortiGate administrator must enable Send Logs to
FortiAnalyzer/FortiManager and enter the IP address of the FortiAnalyzer in the field below.

When the FortiGate administrator clicks Test Connectivity an error dialog box appears stating:
“Unable to retrieve FortiAnalyzer/FortiManager status”. This is not an error in the true sense. It
cannot retrieve the status because the FortiAnalyzer administrator has not yet accepted the request
to register—they are not yet connected. At this stage, the FortiGate is an unregistered device.


So how does the FortiGate move from an unregistered device to a registered one? This is performed
on the FortiAnalyzer side. Once the request is made from the supported device, the request
automatically appears in the Device Manager tab of the FortiAnalyzer Web-based manager. All
external devices that request registration appear here.

The FortiAnalyzer administrator should review the details of the unregistered device, and, if satisfied
add the device.

To add a device, either select the unregistered device and click Add from the menu bar, or right-click
the unregistered device and click Add from the pop-up menu options. If ADOMs are enabled on
FortiAnalyzer, the root ADOM is selected by default. Only FortiGate can be added to the root ADOM.
For all other supported devices, select a custom ADOM based on the device type or the
preconfigured ADOM specific to the device (for example, FortiMail to the FortiMail ADOM).


FortiManager*, on the other hand, requests registration with FortiAnalyzer differently than FortiGate.
With FortiManager, the request is through this CLI command. Here, you are enabling logging to
FortiAnalyzer, setting the severity level of logs to be sent (for example, information), and configuring
the FortiAnalyzer IP address. Once FortiManager begins to send logs, the FortiManager device
appears in the Device Manager tab of FortiAnalyzer as an unregistered device. In order to add the
device to FortiAnalyzer, ADOMs must be enabled (System Settings > Dashboard > System
Information widget) and you must add the FortiManager to a FortiManager ADOM. The
FortiManager logs to a FortiManager ADOM.

*FortiManager 5.2.1


FortiMail* is different still. With FortiMail, the request can be performed through the Web-based
manager through Log and Report > Log Settings > Remote Log Settings. You need to set the
FortiAnalyzer IP, the log severity level, the facility identifier FortiMail will use to identify itself when
sending log messages, and the log protocol to use (you can select Syslog or the secure protocol
OFTPS—FortiAnalyzer supports both).

You also have to set your logging policy configuration—what types of logs you want to record to
FortiAnalyzer.

Once FortiMail begins to send logs, the FortiMail device appears in the Device Manager tab of
FortiAnalyzer as an unregistered device. In order to add the device to FortiAnalyzer, ADOMs must be
enabled (System Settings > Dashboard > System Information widget) and you must add the
FortiMail to a FortiMail ADOM. The FortiMail logs to a FortiMail ADOM.

While we’re not going to demonstrate registration requests from every supported Fortinet device—
you can check the device’s Administration Guide for more information on logging to a FortiAnalyzer—
you can see that the action taken on the FortiAnalyzer side is the same: a registration request
appears in the Device Manager tab and you add the device. Other than FortiGates, all other
supported devices require that FortiAnalyzer has ADOMs enabled and that the device is added to its
device-specific ADOM.

*FortiMail 5.2.1


The one third-party device that is supported is syslog. Syslog does not make a request to become a
registered device in the same way as Fortinet devices. In this case, you have to configure your
syslog server to send logs to FortiAnalyzer and then ensure FortiAnalyzer is reachable for syslog.

For example, on a Linux syslog server, this command sets a rule to log all incoming packets, limited
to 20 messages per minute; log level 6 is info. You then edit the syslog.conf file to send those logs
to FortiAnalyzer by adding these lines at the end of the file.

On the FortiAnalyzer side, ensure FortiAnalyzer is listening for syslog (System Settings > Network
> All Interfaces). Once completed, you should see syslog appear as an unregistered device in the
Device Manager tab. You cannot add the syslog device unless ADOMs are enabled (System
Settings > Dashboard > System Information widget). The syslog logs to a Syslog ADOM.
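The guide refers to numeric log levels ("log level 6 is info") and, on the FortiMail page earlier, to a facility identifier. Both are parts of the syslog PRI value that precedes every message a syslog daemon forwards to FortiAnalyzer. The following Python example is added here and is not from the guide or from Fortinet: it computes and decodes the PRI, builds a BSD-style syslog datagram carrying a constructed kernel packet-log line, parses it back, and can round-trip it over loopback UDP on an ephemeral port (the real collector listens on the privileged port 514, which is why the example does not bind to it). The facility table is abbreviated, and the host name, addresses and message text are constructed.

```python
"""Syslog PRI encoding, BSD-style message framing and a loopback UDP round trip.
Added example; hostnames, addresses and the packet-log text are constructed."""
import re
import socket
from datetime import datetime
from typing import Dict, Optional, Tuple

# Facility and severity codes from the syslog RFCs (table abbreviated here).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local1": 17, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; local0/info gives <134>, kern/info gives <6>."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split a PRI back into (facility, severity); valid PRIs are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def build_message(facility: str, severity: str, hostname: str, tag: str,
                  text: str, when: Optional[datetime] = None) -> bytes:
    """Frame one BSD-style syslog message: <PRI>Mmm dd hh:mm:ss host tag: text."""
    when = when or datetime(2016, 6, 1, 12, 0, 0)        # fixed so output is reproducible
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"    # day of month is space-padded
    return f"<{encode_pri(facility, severity)}>{stamp} {hostname} {tag}: {text}".encode("ascii")


MSG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")


def parse_message(raw: bytes) -> Dict[str, str]:
    """Parse a message framed by build_message back into its fields."""
    match = MSG_RE.match(raw.decode("ascii", errors="replace"))
    if not match:
        raise ValueError("not a BSD-style syslog message")
    fac, sev = decode_pri(int(match.group(1)))
    return {"facility": FACILITY_NAMES.get(fac, str(fac)),
            "severity": SEVERITY_NAMES.get(sev, str(sev)),
            "timestamp": match.group(2), "host": match.group(3),
            "tag": match.group(4), "message": match.group(5)}


def send_over_loopback(datagram: bytes) -> bytes:
    """Send one datagram to a receiver on 127.0.0.1 and return what arrived.
    Port 0 asks the OS for a free port instead of the privileged syslog port 514."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        receiver.bind(("127.0.0.1", 0))
        receiver.settimeout(2.0)
        sender.sendto(datagram, receiver.getsockname())
        data, _ = receiver.recvfrom(4096)
    finally:
        sender.close()
        receiver.close()
    return data


if __name__ == "__main__":
    # Constructed kernel packet-log line of the kind a firewall LOG rule emits.
    msg = build_message("kern", "info", "linux-syslog", "kernel",
                        "IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22")
    print(msg)
    print(parse_message(send_over_loopback(msg)))
```

The same PRI arithmetic applies when reading the facility FortiMail is configured to use, and the parser shows why a collector such as FortiAnalyzer can file incoming syslog by device: the host field and PRI travel with every datagram, not just the message text.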


The second registration method is using the device registration wizard on FortiAnalyzer. Here, it is
the FortiAnalyzer administrator that proactively initiates, and ultimately performs, the registration.
With this method, the administrator must have specific details about the device that is to be
registered.

You can launch the wizard from the Device Manager tab by clicking Add Device from the menu bar.
If you have enabled ADOMs and want to add the device to a specific ADOM, select the ADOM from
the drop down-list before clicking Add Device. Otherwise, it is created in root.


The first step in the device registration wizard is adding the model device. On the Login page, select
Add Model Device and enter the IP address of the device you want to register as well as the user
name and password.


The second step is adding the specific details of the device, such as the device type, model, firmware
version, whether the device is part of a high availability cluster, serial number, and, if a VM, the VM
license type. You also need to specify configuration options, such as the amount of space the disk
log is allowed to use, the action the system is to take when the allocated disk quota is filled, and the
device permissions, such as what the device is authorized to send to FortiAnalyzer.

If the device information verifies, the wizard changes the status to “device created successfully”.


The third step requires no action, but rather provides confirmation of the registered device along with
the specific details of the device added.

The Device Manager tab now shows the device as registered.


If the device registration is brokered on the FortiAnalyzer side, as is the case with the device
registration wizard, the device may appear on the Device Manager tab with a red circle in the Logs
field. This indicates no logs have recently been received by FortiAnalyzer, even though the device
registration was successful. To troubleshoot the connection, ensure Send Logs to
FortiAnalyzer/FortiManager is enabled on FortiGate along with the correct IP address, and that
Realtime is enabled (through Log & Report > Log Settings). You don’t always have to send logs in
real-time—you have the option to send logs at a scheduled time (such as a low bandwidth time) on
FortiGate models that have a hard drive—but this is the most immediate way to see whether logs are
being received successfully.

If the Send Logs to FortiAnalyzer/FortiManager setting is enabled, the registered device on the
FortiAnalyzer displays a green circle in the Logs field. This indicates FortiAnalyzer is receiving logs
from the device.


Once you register various Fortinet devices, they appear on the Device Manager tab.

If using virtual domains (VDOMs), you can configure the Device Manager tab to reflect the setup of
the FortiGate. In this example, Device_Two includes VDOM1 and VDOM2.


This section outlines some of the device options available for registered devices, such as high
availability, disk log quotas, and device permissions.


After a device is registered with FortiAnalyzer, you can edit some of the configuration options
associated with the device. In the Device Manager tab, right-click the device you want to edit and
select Edit from the menu.

This is useful as your network expands or requirements change. For example, if the device is now
part of a high availability cluster—or was recently removed from one—you can enable or disable the
option. You can also change the disk log quota, the behavior taken by FortiAnalyzer when the
allocated disk space is full, and the device’s permissions.

Let’s take a closer look at some of these options.


If the registered device is part of a high availability cluster, you can enable the HA Cluster option and
enter the serial numbers associated with each device in the cluster. The only device that
communicates with FortiAnalyzer is the primary device. The other devices in the cluster send their
logs to the primary device, which then forwards them along to FortiAnalyzer.

FortiAnalyzer distinguishes different devices based on their serial numbers. These are found in the
headers for all the different log message types.


By default, each device is allowed 1000 Megabytes (just under 1 Gigabyte) of drive space on
FortiAnalyzer in which to store log data. However, this number is configurable. You cannot set the
quota below 100 MB, and the maximum depends on the disk space allocation of the specific
FortiAnalyzer device. The FortiAnalyzer system reserves between 10% and 25% of disk space for
system usage and unexpected quota overflow, leaving about 75% to 90% of disk space for allocation
to devices.

You can also adjust the action the FortiAnalyzer takes when the disk log quota is filled. You can
choose to overwrite the oldest logs or stop logging completely.

The available space per device is graphically represented in the Quota column for each device in the
Device Manager tab. The bar grows as more logs are received and stored.


You can also specify the device permissions of the registered device, such as what log types
FortiAnalyzer will store. Options include:

• Logs. This option stores logs from the registered device. The type of log depends on the device, as
FortiAnalyzer only supports specific log types from each device. This is covered in the Logs and
Archives lesson.
• DLP archive. This option stores logs detailing information about any sensitive data trying to get
into, or out of, your network.
• Quarantine. This option stores logs detailing files that have been placed into quarantine on the
device.
• IPS Packet log. This option stores logs detailing information about misidentified or missing
packets and network intrusions involving malicious packets.


The last thing we are going to explore is securing communication between FortiGate and
FortiAnalyzer.


Between supported devices, log messages are sent over UDP port 514 or OFTP (TCP 514). When a
secure connection is configured, log traffic is sent over UDP port 500/4500, protocol IP/50.

There are two ways you can secure connections:

• SSL encryption (which is enabled by default between FortiAnalyzer and FortiGate), and
• IPsec
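As a defender's check on the transports just listed, here is an added Python example (not from the guide or from Fortinet) that classifies constructed flow records sent towards an assumed FortiAnalyzer address, 192.0.2.10, into the transports the guide names: UDP 514 syslog in plaintext, TCP 514 OFTP, IKE on UDP 500/4500 and ESP (IP protocol 50). It reports which senders still deliver plaintext syslog and which have a complete IPsec exchange (IKE plus ESP) rather than IKE alone. The flow record format is a simplified one assumed for this example. A TCP 514 flow cannot be told apart from its SSL-encrypted form at this level, which is why the encryption settings discussed next still have to be verified on the devices themselves.

```python
"""Classify flows towards a log collector by transport, to spot unencrypted logging.
Added example; the collector address and flow records are constructed."""
import re
from typing import Dict, List, Set

FAZ_IP = "192.0.2.10"   # assumed FortiAnalyzer address (RFC 5737 documentation range)

# Simplified flow record format assumed for this example; ESP flows carry no port.
FLOW_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)(?: dport=(?P<dport>\d+))?")

# Constructed records: one plaintext syslog host, one OFTP host, one host with a
# complete IPsec exchange, one host whose IKE never produced ESP, one unrelated flow.
SAMPLE_FLOWS = [
    "proto=udp src=10.0.0.1 dst=192.0.2.10 dport=514",
    "proto=tcp src=10.0.0.2 dst=192.0.2.10 dport=514",
    "proto=udp src=10.0.0.3 dst=192.0.2.10 dport=500",
    "proto=udp src=10.0.0.3 dst=192.0.2.10 dport=4500",
    "proto=esp src=10.0.0.3 dst=192.0.2.10",
    "proto=udp src=10.0.0.4 dst=192.0.2.10 dport=500",
    "proto=tcp src=10.0.0.5 dst=198.51.100.7 dport=443",
]


def classify(proto: str, dport: int) -> str:
    """Map protocol and destination port to the log transports named in the guide."""
    if proto == "udp" and dport == 514:
        return "syslog-udp-plaintext"
    if proto == "tcp" and dport == 514:
        return "oftp-tcp"          # SSL-protected only if negotiated by both ends
    if proto == "udp" and dport in (500, 4500):
        return "ipsec-ike"         # 4500 is IKE/ESP over UDP when NAT is traversed
    if proto == "esp":
        return "ipsec-esp"
    return "other"


def parse_flow(line: str) -> Dict[str, object]:
    match = FLOW_RE.search(line)
    if not match:
        raise ValueError(f"unrecognised flow record: {line!r}")
    return {"proto": match["proto"], "src": match["src"], "dst": match["dst"],
            "dport": int(match["dport"] or 0)}


def transports_per_sender(lines: List[str]) -> Dict[str, Set[str]]:
    """Collect the set of transports each source uses towards the collector."""
    seen: Dict[str, Set[str]] = {}
    for line in lines:
        flow = parse_flow(line)
        if flow["dst"] != FAZ_IP:
            continue
        seen.setdefault(str(flow["src"]), set()).add(classify(str(flow["proto"]), int(flow["dport"])))
    return seen


def plaintext_senders(lines: List[str]) -> List[str]:
    """Sources still sending plaintext UDP syslog to the collector."""
    return sorted(src for src, kinds in transports_per_sender(lines).items()
                  if "syslog-udp-plaintext" in kinds)


def ipsec_senders(lines: List[str]) -> List[str]:
    """Sources with a complete IPsec exchange: IKE followed by ESP traffic."""
    return sorted(src for src, kinds in transports_per_sender(lines).items()
                  if {"ipsec-ike", "ipsec-esp"} <= kinds)


if __name__ == "__main__":
    print("plaintext syslog senders:", plaintext_senders(SAMPLE_FLOWS))
    print("IPsec-protected senders:", ipsec_senders(SAMPLE_FLOWS))
    for src, kinds in sorted(transports_per_sender(SAMPLE_FLOWS).items()):
        print(src, sorted(kinds))
```

Fed real flow export from the network segment in front of the collector, the same two functions give a quick inventory of which log sources are exposed on the wire and which are tunnelled, before any device settings are examined.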

Let’s start with SSL.


SSL is the default setting for securing communications between FortiGate and FortiAnalyzer.

SSL communications are auto-negotiated between FortiAnalyzer and FortiGate, so the OFTPD
server uses the SSL-encrypted FTP protocol only if the connecting FortiGate uses it. If the
FortiGate is configured to send data in plain text, then FortiAnalyzer responds the same way.

SSL can send logs in real time, and if the FortiGate model has a hard disk for log storage, you also
have the option to store and upload logs. If using the store and upload option, you must enable disk
logging on FortiGate through the CLI.


Since SSL is enabled by default once a connection is established between FortiAnalyzer and
FortiGate, the only thing you may need to do is set the encryption level. By default, FortiAnalyzer is
set to low, while FortiGate is set to medium. It is important to note that the encryption level of
FortiAnalyzer must be equal to, or less than, the FortiGate encryption level. FortiAnalyzer will not be
able to connect to the device if the encryption level is higher than the encryption level of the device
from which it intends to receive logs.

The FortiAnalyzer encryption level is global – it applies to all connecting FortiGates. Accordingly, if
you even have one low encryption FortiGate in your network while the rest are high, you must set the
FortiAnalyzer encryption level to low.


This table outlines the available encryption settings and levels.

• High uses the strongest encryption algorithms (Diffie-Hellman and AES to name a couple).
• Medium uses high strength encryption methods, but also allows the medium strength ones, such
as RC4.
• Low uses weak encryption methods or encryption algorithms that have small keys.

So long as the setting on the FortiGate is equal to, or higher than, the minimum level on the
FortiAnalyzer, SSL negotiations will complete properly.

Keep in mind that higher SSL encryption levels and IPsec require additional CPU resources.


On the FortiAnalyzer CLI you can adjust the minimum SSL level to allow. Remember, this setting is
global, so it applies to all incoming device connections. Do not set it too high, or FortiAnalyzer will not
be able to connect to the device.

To first verify the current setting, enter the “get system global” CLI command. If required, change the
level using the command noted on this slide, where {high | medium | low} refer to the encryption
levels explained on the previous slide (medium = default).

Note that changing the enc-algorithm setting on FortiAnalyzer will cause all existing FGFM
tunnel/WebService connections to reset.

On the FortiGate side, change the level using the command noted on this slide. Again, {default | high
| low} refers to the encryption levels explained on the previous slide.

The “set enc-algorithm” command is not available if you have IPsec enabled as the secure
communication method. If this is the case, you first need to disable IPsec by entering “set encrypt
disable”.


Now, let’s look into configuring an IPsec tunnel between FortiGate and FortiAnalyzer. This secure
communication method requires more configuration, as it must be configured on both ends of the
tunnel: FortiAnalyzer and FortiGate.

Securing communications is extremely important if sending traffic over an unsecured network like the
internet. This secure communication type allows logs to be sent in real-time, and if the FortiGate
model has a hard disk for log storage, you also have the option to store and upload logs. If using the
store and upload option, you must enable disk logging on FortiGate through the CLI.


On the FortiAnalyzer side, select the Device Manager tab. Right-click the device with which you
want to configure an IPsec tunnel and select Edit from the menu. Locate the Secure Connection
section in the Edit Device dialog box and enable Secure Connection. In the ID field, accept the
default ID or create your own. This is the name of your IPsec tunnel. In the Pre-Shared Key field,
enter a key (password).

The FortiGate administrator requires both the ID and pre-shared key.


On the FortiGate side, the administrator must enter the CLI command shown here, where:
• <fortianalyzer_ip> is the IP of the FortiAnalyzer with which you are securing communication over
an IPsec tunnel.
• <name_of_IPsec_tunnel> is the name given to the IPsec tunnel. You must use the same identifier.
• <preshared_IPsec_tunnel_key> is the pre-shared key, or password, for the IPsec tunnel.

This assumes communication between the two is already enabled. If not, enter: “set status enable”.

Note: If SSL encryption is enabled, you first need to disable it on FortiGate. This is still done within
the “config log fortianalyzer setting” CLI option:

set enc-algorithm disable


To verify whether you successfully established an IPsec tunnel on FortiAnalyzer, view the Device
Manager tab. The Secure Connection column associated with the device with which you set up an
IPsec tunnel indicates the status. A green up arrow indicates the IPsec tunnel is up, whereas a red
down arrow indicates the IPsec tunnel is down. A grey “x” denotes that no secure connection has
been enabled.

The same green up arrow indicates a connection on FortiGate, through the Log & Report > Log
Config > Log Settings page.


After this lesson, you should be able to describe the difference between a registered and
unregistered device; explain the methods available for registering a device; configure device logging
options, such as a high availability cluster, disk log quota, and device permissions; explain the
methods available to secure communication; configure SSL encryption and set encryption levels; and
configure an IPsec tunnel.

Logs & Archives

In this lesson, we will show you how to view, manage, and configure FortiAnalyzer logs and archives.


After completing this lesson, you should have these practical skills that will allow you to view and
manage your logs. This includes understanding log basics; finding, viewing, and filtering logs through
the FortiView tab in the Web-based manager; and configuring various log options, such as log
arrays and event handlers.


You should also be able to describe and configure log rolling, log forwarding, and log aggregation;
describe and deploy different log backup strategies; describe data archiving and its different forms;
and finally describe and enable content archiving.


In this section, we will provide a brief overview of logs—information important to know prior to
administering logs.


Log messages help paint a picture of what is going on in your network. You can determine the load
on your network devices, you can track service usage, and you can identify any security breaches in
your network. However, it is important to understand that logs are like a puzzle—you need to put
several pieces together in order to get a complete understanding of what is going on. This is to say
that multiple log messages are required to determine the exact chain of activity that leads to a
breach—a log in isolation often won’t help you to best configure your network to prevent such
breaches in the future.

This is why centralized log storage is so important.


In certain physical areas, and in some areas of business, there are regulations that require and
mandate that companies log specific information and store logs for a minimum amount of time.

The regulations often detail the specific types of logs and data required, as those log entries can be
used as evidence in cases of unauthorized or illegal activity. The data must be able to stand up in
court, so being able to understand and analyze your logs is very important.

There is such a thing as information overflow. You want to make sure that whatever information you
are logging is enough to satisfy the regulations while still being able to do your job. Having too much
data is just as bad (and in some ways worse) than having too little.


It is important not only to collect and store logs, but to manage them efficiently. If you don’t create
best practices to manage your logs, it can result in loss of data and even loss of revenue. Especially
if the network attack results in a legal case, it is essential that you provide the appropriate data in
court.

Some best practices include:

• Documenting what is being logged and why. It’s important to have this because if you ever need
to find out something new based on your log data you can look at it and see what exactly you’re
logging so you know if it’s even possible to figure out.
• Ensuring that data for all your devices and applications are being captured and not filtered.
Something as simple as an update to firmware or software can break your logging, so it is
important to monitor your devices to ensure they are sending logs.
• Centralizing log storage and storing in a common format. This makes your job easier since there
is no need to check multiple locations in order to look at the log data.
• Synchronizing the time on all logged devices. If your firewall says it’s 3am, your FortiAnalyzer
says it’s 12:30am, and the computer says it’s 8:56am, it makes cross-referencing logs very difficult.
• Maintaining a backup of logs and implementing a policy that specifies log retention periods.
• Defining procedures to preserve data integrity, and finally,
• Testing and re-testing your incident response plan to ensure it works and other administrators
know their roles.


To be able to analyze and interpret your logs, it is important to understand the different logs types
and what information they contain; what logs FortiAnalyzer collects from each supported device; and
the format of log messages.

As you learned in the FortiGate training, there are three log types: traffic logs, event logs, and
security logs. Each log type has corresponding log subtypes.

The traffic log type records the traffic flowing through a FortiGate device. This type of logging is also
called firewall policy logging, since traffic needs firewall policies to properly flow through the device.

The event log type records administration management and Fortinet device system activity, such as
configuration changes, administrator logins, or when high availability events occur. This log type also
includes system, router, VPN, and user logs.

The security log type records all security related activity on your managed devices, such as antivirus,
web filtering, application control, intrusion prevention, email filtering, data leak prevention,
vulnerability scan and VoIP. This section is not created by default.


The logs displayed on your FortiAnalyzer are dependent on the device type logging to it and the
features enabled. This table illustrates the log types and subtypes FortiAnalyzer collects from various
supported devices. Note that ADOMs must be enabled to support non-FortiGate logging.


So we know that FortiAnalyzer collects and stores logs of various types from various devices, but it’s
important to know where and how those logs are actually stored. In order to conduct proper searches
for data and to create customized reports, you need to know how the data is formatted, and this
depends on the database in which the data is stored. With FortiAnalyzer, log data is stored in an SQL
database.

There are many advantages to using SQL:

• Upper limits on the amount of available log storage are removed, beyond the physical limitations
of the device.
• Reporting capabilities become incredibly flexible. By altering the query in order to fine tune the
information that populates the report, you can customize the output.

To the last point, you need to know SQL in order to take advantage of the advanced reporting
capabilities. It’s recommended that you have—or obtain—a moderate degree of understanding of
SQL. SQL is outside the scope of this course.


Now that we have a clearer understanding of logs and how FortiAnalyzer collects and stores them,
let’s look at how you can view your logs so you can monitor your network.


There are two log viewing options: Raw and Format.

• Raw view displays logs as they appear within the log file. You can view raw log messages from
both the Web-based manager and CLI.
• Formatted view is more human-readable. You view formatted log messages from the Web-
based manager.

You also have the option to download the logs in either the .txt or .csv file type.

Let’s take a closer look at viewing logs through the Web-based manager.


You can view logs in the Web-based manager through the FortiView tab. The FortiView tab includes
a menu on the left that provides different ways of viewing logs. Options include Summary View, Log
View, and Custom View.


The Summary View page provides a snapshot view of all monitored devices. You can use the
various preset search options in the left tree menu to view data such as top destinations and top web
sites, and also use the search filters to narrow down results by a specific attribute, device (this
includes all devices, a specific device, or a log array), and time period. The search field allows you to
filter data based on correctly formed SQL queries, such as: devid=<device ID> srcip=<source IP>.

Log arrays refer to a group of devices that you can place together so it appears as a single device.
We will discuss log arrays in more detail later in this lesson.

By default, all logs from a device are stored under that device. However, if VDOMs are present, the
log header indicates to which VDOM the log belongs.


The Log View page provides logs for all registered devices. If ADOMs are used, administrators only
have access to the logs of devices within the ADOM(s) assigned, while admin administrators retain
access to all.

The log messages are grouped by log type: traffic, event, and security (security logs do not appear
unless configured on a FortiGate device and actual security events have occurred).

Just like on the Summary View page, you can filter by various attributes, device (this includes all
devices, a specific device, or a log array), and time period. The search field filters data based on
correctly formed SQL queries.


Let’s take a closer look at the Log View page and its powerful search field based on SQL queries.

If you need to sift through large volumes of log entries, you can enter an SQL search string in the text
field to filter the logs and narrow the results. FortiAnalyzer looks for an exact match in the log, so the
search string must be formed correctly. Note that under the Tools menu, Case Sensitive Search is
enabled by default, so how you capitalize your query may affect your search outcome.

As an example, let’s say that DHCP is not working properly. You start your investigation by looking at
the traffic log, but you can’t see anything to do with DHCP. You can use the SQL query
service=DHCP to filter through the logs. If you are unaware what SQL query your search falls under,
you can always scan through various raw logs (available as an option through the Tools menu). The
raw logs provide the SQL query associated with the data. In this case, you find DHCP associated
with the “service” query.

Depending on the size of your search results, you might need to add additional criteria.
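To make the exact-match and case-sensitivity behaviour concrete, here is an added Python illustration (not FortiAnalyzer’s own search code): it parses raw key=value log lines such as the ones Log View shows in raw mode, then applies a search string like service=DHCP with the Case Sensitive Search setting on or off. The sample log lines, the device name FG100EXAMPLE and the function names are constructed for this example.

```python
"""Raw log parsing and Log View style exact-match search, with the case-sensitivity toggle.

Added illustration, not FortiAnalyzer's own code. Sample log lines are constructed."""
import re

# Constructed sample raw log lines in the FortiGate key=value style; not from a real device.
SAMPLE_RAW_LOGS = [
    'date=2016-06-01 time=10:00:01 devid=FG100EXAMPLE type=traffic subtype=forward '
    'srcip=192.168.1.10 srcport=68 dstip=192.168.1.1 dstport=67 service=DHCP action=accept',
    'date=2016-06-01 time=10:00:02 devid=FG100EXAMPLE type=traffic subtype=forward '
    'srcip=192.168.1.10 srcport=51234 dstip=203.0.113.5 dstport=80 service=HTTP '
    'action=accept msg="Web request"',
    'date=2016-06-01 time=10:00:03 devid=FG100EXAMPLE type=traffic subtype=forward '
    'srcip=192.168.1.20 srcport=68 dstip=192.168.1.1 dstport=67 service=dhcp action=deny',
]

# One field: key=value or key="value with spaces".
_PAIR_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_raw_log(line):
    """Turn one raw log line into a dict of field name -> value (quotes stripped)."""
    fields = {}
    for match in _PAIR_RE.finditer(line):
        quoted, bare = match.group(3), match.group(2)
        fields[match.group(1)] = quoted if quoted is not None else bare
    return fields


def parse_search(query):
    """Split 'service=DHCP srcip=192.168.1.10' into (field, value) terms; all terms must match."""
    terms = []
    for token in query.split():
        if "=" not in token:
            raise ValueError("malformed search term: %r" % token)
        field, value = token.split("=", 1)
        terms.append((field, value))
    return terms


def search_logs(lines, query, case_sensitive=True):
    """Return the parsed records whose fields exactly equal every search term.

    With case_sensitive=True (the page's default), service=DHCP does not match service=dhcp."""
    terms = parse_search(query)
    hits = []
    for line in lines:
        record = parse_raw_log(line)
        matched = True
        for field, wanted in terms:
            actual = record.get(field)
            if actual is None:
                matched = False
            elif case_sensitive:
                matched = actual == wanted
            else:
                matched = actual.lower() == wanted.lower()
            if not matched:
                break
        if matched:
            hits.append(record)
    return hits


if __name__ == "__main__":
    for rec in search_logs(SAMPLE_RAW_LOGS, "service=DHCP", case_sensitive=False):
        print(rec["srcip"], rec["service"], rec["action"])
```

Note how the third sample line is only found when case sensitivity is switched off: the value the device logged (dhcp) and the value you typed (DHCP) must be identical under the default setting.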


If you have a syslog server registered as a device on your FortiAnalyzer, you can also view its logs.
As syslog devices can only be registered within a syslog ADOM, you must ensure the ADOM is set to
Syslog in order to view logs from the Log View page. You can view syslog logs in both raw and
formatted views, and both historical and real-time.


The Log View page also includes two additional features: Log Browse and the Tools menu.


With Log Browse, you can delete, display, download, and import log files. Each entry has “From”
and “To” time, so you can determine the first and last log entry for each file.

When a log file reaches its maximum size or a scheduled time, FortiAnalyzer rolls the active log file
by renaming the file. The default is to roll the files when they reach 200 Megabytes. You can change
that to a different size and/or to occur at specific times and only on a specific day (or days) of the
week. The hour specification is based on a 24-hour clock.


On the far right of the Log View page, there is a Tools menu, which allows you to:

• Specify the log view. By default, logs are historical, but you can elect to view logs in real-time.
There is no difference in how things look in real-time, just that new log entries will show up as they
are processed by FortiAnalyzer and inserted into the database.
• Specify the log format. By default, logs appear in the more consumable format view, but you can
elect to view logs in raw format.
• Download logs. You can only download historical logs. You cannot download real-time logs as you
are viewing the data in real-time—they are not files yet. The supported download log file formats
are text and CSV and you can compress the file with gzip.
• Manage log arrays. We will discuss log arrays later in this lesson, but essentially it is a way of
grouping devices into a single logical object.
• Adjust search and column options, such as enabling or disabling case-sensitivity (which we
discussed earlier) and column filters.


When column filters are enabled, a funnel icon appears on each column header. Click the icon to set
the filters according to your requirements. Depending on the column, the filter setting options differ.
Filters help you to find logs, especially if you are unsure of the log syntax to enter in the Search field,
and can also help you see patterns.


The last left menu tab on the FortiView tab is Custom View. If there are logs based on specific
search criteria that you want to view on a regular basis, you can create a custom view that is saved
under this page.

To create a custom view, perform a custom search on the Log View page and click the Save icon. A
dialog box appears where you can name your custom search. Once saved, it appears under the
Custom View menu. Next time, instead of reconfiguring the search parameters, you can select your
search under the Custom View menu.


We’ve just discussed how to view logs from various registered devices, but you can also view the
logs FortiAnalyzer generates as a result of events occurring directly on the FortiAnalyzer itself. Logs
include various system events, such as registration of devices, administrator logins, and database
upgrades to name a few. Because these are not logs sent from registered devices, but logs for things
that happen on the FortiAnalyzer itself, they are not stored on the FortiView tab. FortiAnalyzer event
logs are stored in System Settings > Event Log.

Logs are stored locally, but for redundant storage and backup you can download the logs in .csv or
.txt file format through the Web-based manager or use the CLI to configure the logs to forward to
another device. For the latter, use the CLI command config system locallog disk setting. In this
example, <server_IP> is the IP address of the server to which you are forwarding the FortiAnalyzer
logs. See the FortiAnalyzer CLI Guide for other options you can configure under this command.


Now let’s take a closer look at some of the ways you can configure logs to more efficiently monitor
your network, namely configuring log arrays and event handlers.


As mentioned previously, FortiAnalyzer supports log arrays, which are groups of devices that you
place together into a single logical object. This allows you to run reports that look at the log data
from the group as if it were a single device.

One such use case for log arrays is to determine how a high availability (HA) cluster is performing, as
by default FortiAnalyzer treats each member of an HA cluster as a separate device. For example, the
logs of each member of the cluster are stored separately, based on the member’s serial number.
Accordingly, to get an accurate look at how an HA cluster is performing, you can place the cluster in
a log array to see how the members are performing as a single unit. You can still access the logs for
each device individually.

Another use case for log arrays is to determine how your network is performing as a whole,
especially if you have a large network with multiple FortiGates positioned at different points. If
combined into a log array, you can obtain information about total traffic usage and get a complete
picture of your network instead of receiving a fragmented look based on multiple, unconnected
devices.

Lastly, you may want to use log arrays to determine how devices in a specific geographical location
are performing.


You can create log arrays from the Tools menu > Manage Log Arrays option on the Log View
page. In the Create New Log Array dialog box, set the name of your log array and click the add icon
to select devices and virtual domains (VDOMs) to add to the log array.

When selecting to add a device with VDOMs, all VDOMs are automatically added to the log array.
However, you can still deselect the VDOMs that you do not want to include in the log array.


FortiAnalyzer also allows you to configure event handlers, which is a way of monitoring events on
registered devices as well as the logs associated with the event. You configure event handlers based
on log type and logging filters and you can configure them per device, for all devices, or for the local
FortiAnalyzer event logs.

When an event occurs that matches a configured event handler, you can specify by what method one
or more administrators are notified if notification via the Web-based manager Event Management
tab isn’t sufficient for your requirements. There are three different methods you can employ in order
to receive notifications:

• The first is via email.
• The second is via a log entry to an external syslog server. This is handy if you already have a
system set up for notifications, since it allows you to easily hook into it.
• The third is via an SNMP community.

In order to use any of these notification methods, you must first set up the back-end.


Under System Settings > Advanced > Mail Server, you can configure the mail server settings
should you want to send event notifications to administrators via email. You require an SMTP server
name (i.e., a name for the profile), port (the default port is 25), and the mail server (for example,
[email protected]). If you want to enable authentication, an email account and password are also
required.


Under System Settings > Advanced > SNMP, you can configure the SNMP agent should you want
to send event notifications to administrators via an SNMP community. SNMP is a method for a
FortiAnalyzer system to monitor and report on FortiGate devices, but it can also monitor a
FortiAnalyzer system on a local computer (typically where your SNMP manager is located). To do
this, you require an SNMP agent on your computer to read the SNMP information. The FortiAnalyzer
SNMP implementation is read-only—the SNMP manager has read-only access to system information
and can receive FortiAnalyzer system traps.

You must enable the SNMP Agent setting and add the location of the FortiAnalyzer system to help
find it if it requires attention. Once enabled, you can configure your SNMP v1/v2 communities (up to
eight) and SNMP v3 users. Each community can have a different configuration for SNMP traps and
can be configured to monitor different events.

In order to send event notifications to an SNMP community, you must compile the
FORTINET-CORE-MIB and FORTINET-FORTIMANAGER-FORTIANALYZER-MIB MIB files into your SNMP
manager. These Fortinet-proprietary MIBs enable your SNMP manager to query for FortiAnalyzer-
specific information and to receive FortiAnalyzer-specific traps. You can obtain these MIB files from
the Customer Service & Support portal at https://support.fortinet.com. They are located in the
Firmware Images folder for the FortiAnalyzer product.


Under System Settings > Advanced > Syslog Server, you can configure the syslog server should
you want to send event notifications to that server. You require the name, IP address or fully qualified
domain name, and the port (default port is 514).


Once the back end is set up to receive event notifications, you can create an event handler. This is
done on the Event Management > Event Handler page.

To create a new event handler, click Create New. In the Create New Event Handler dialog box, give
the alert a name. Once this is done, you can set the definition and how you want to be notified.


From the Definition tab, you must set which devices to monitor (note that if you select Local
FortiAnalyzer, it refers to the root ADOM only and is used to query local FortiAnalyzer event logs
only). You must also select the severity level of the event (i.e., the priority level of the notification),
and add various filters, such as the log type to monitor, the event category, and the log messages
that match. You can further filter by generic text filter (for example, to filter on source IP and port,
the syntax would be srcip==192.168.1.10 and dstport==80).


Once you have the definition set up, you can specify the notification location (where to send the alerts
to) through the Notification tab. You can choose to send a single event handler to multiple different
notification locations if your needs dictate. Select the destination and select or add the required
information. Each destination drop-down comes from an entry you preconfigured in System Settings
> Advanced, as we discussed earlier.

Once you’ve set your definition and notification, your event handler is configured.
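As an added illustration of what an event handler’s Definition and Notification tabs amount to (example code, not FortiAnalyzer’s own event handler implementation): the Python below matches already-parsed log records against the monitored devices, the log type and the generic text filter syntax from the Definition tab, then builds an email and a syslog notification per match. The records, device ids, destination addresses and the severity-to-syslog-priority mapping are all assumptions made for this example; SNMP traps are not modelled.

```python
"""Toy event handler: a definition (devices, log type, generic text filter, severity) plus
notification fan-out to email and syslog destinations.

Added illustration, not FortiAnalyzer's own code. Records and destinations are constructed."""
import re

# Constructed, already-parsed log records, as FortiAnalyzer would hold them after normalization.
SAMPLE_RECORDS = [
    {"devid": "FG100EXAMPLE", "type": "traffic", "srcip": "192.168.1.10", "dstip": "203.0.113.5",
     "dstport": "80", "action": "accept", "msg": "Web request"},
    {"devid": "FG100EXAMPLE", "type": "traffic", "srcip": "192.168.1.10", "dstip": "203.0.113.9",
     "dstport": "443", "action": "accept", "msg": "TLS request"},
    {"devid": "FG200EXAMPLE", "type": "traffic", "srcip": "192.168.1.10", "dstip": "203.0.113.5",
     "dstport": "80", "action": "deny", "msg": "Blocked request"},
    {"devid": "FG100EXAMPLE", "type": "event", "srcip": "10.0.0.5", "dstport": "22",
     "action": "login", "msg": "Admin login"},
]

# Assumed mapping from handler severity to syslog severity numbers (RFC 5424, table 2).
SYSLOG_SEVERITY = {"Critical": 2, "High": 3, "Medium": 4, "Low": 6}
LOCAL0_FACILITY = 16

_CLAUSE_RE = re.compile(r"^(\w+)==(\S+)$")


def parse_generic_filter(text):
    """Parse the page's generic text filter syntax, e.g. 'srcip==192.168.1.10 and dstport==80'."""
    terms = []
    for clause in re.split(r"\s+and\s+", text.strip()):
        match = _CLAUSE_RE.match(clause)
        if not match:
            raise ValueError("malformed filter clause: %r" % clause)
        terms.append((match.group(1), match.group(2)))
    return terms


class EventHandler:
    """Definition tab (what to match) and Notification tab (where to send)."""

    def __init__(self, name, devices, log_type, severity, generic_filter, destinations):
        self.name = name
        self.devices = devices            # list of device ids, or the string "All Devices"
        self.log_type = log_type          # e.g. "traffic"
        self.severity = severity          # "Critical", "High", "Medium" or "Low"
        self.terms = parse_generic_filter(generic_filter)
        self.destinations = destinations  # list of (kind, target) tuples

    def matches(self, record):
        if self.devices != "All Devices" and record.get("devid") not in self.devices:
            return False
        if record.get("type") != self.log_type:
            return False
        return all(record.get(field) == value for field, value in self.terms)


def syslog_message(handler, record, stamp="Jun  1 10:00:00", host="fortianalyzer"):
    """Build an RFC 3164 style line; <PRI> is facility * 8 + severity. Timestamp is fixed here."""
    pri = LOCAL0_FACILITY * 8 + SYSLOG_SEVERITY[handler.severity]
    return "<%d>%s %s %s: devid=%s %s" % (
        pri, stamp, host, handler.name, record["devid"], record.get("msg", ""))


def email_message(handler, record, recipient):
    """Plain text email body with the severity and handler name in the subject."""
    return "To: %s\nSubject: [%s] %s on %s\n\n%s" % (
        recipient, handler.severity, handler.name, record["devid"], record.get("msg", ""))


def run_handler(handler, records):
    """Return one (kind, target, message) per matched record and destination; empty means no alert."""
    notifications = []
    for record in records:
        if not handler.matches(record):
            continue
        for kind, target in handler.destinations:
            if kind == "syslog":
                notifications.append((kind, target, syslog_message(handler, record)))
            elif kind == "email":
                notifications.append((kind, target, email_message(handler, record, target)))
            else:
                raise ValueError("unsupported destination kind: %r" % kind)
    return notifications
```

With the handler restricted to FG100EXAMPLE only the first record matches, so two notifications (one per destination) come out; switching the device selection to All Devices also picks up the FG200EXAMPLE deny record, which is the difference between a per-device and an all-devices handler described above.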


Event notifications are available to view on the Event Management tab. In the left menu, you can
view by all events, events by severity, or events by handler. If ADOMs are enabled, you must select
the ADOM to see the event notifications.

Right-click an event to view the event details, including the raw log entries. You can also
acknowledge the event to remove it from the list. However, you can still view acknowledged events
later by selecting Show Acknowledged in the menu bar.

You can also search events based on time from the drop-down menu or by attributes in the search
field.


This section describes how to manage your logs, namely by configuring rolling and uploading of logs.


The size of your logs and the disk space FortiAnalyzer uses for log storage are important to
manage. You do not want to lose logs by overwriting them, or stop logging altogether, due to lack of
disk space. Remember that the total capacity of your FortiAnalyzer is not available for logs—FortiAnalyzer
reserves some disk space for compressed files, upload files, and temporary report files. As this
table indicates, between 10% and 25% (the exact figure is device-dependent) must be deducted from
the total capacity.

In order to control log file size and the use of FortiAnalyzer disk space, you must configure log rolling
and schedule uploads to a server. Smaller log files require less CPU and memory to process, which
gives better granularity for backup and deletion and reduces the impact of corruption (with smaller
files, there is less data for you to restore).


From System Settings > Advanced > Device Log Settings, you can configure FortiAnalyzer to roll
the log files at either a predetermined file size and/or a set daily or weekly time.

When logs are rolled, FortiAnalyzer starts to increment the log file names by adding a number.
Higher numbers mean the log is older.


From the same page, you can configure FortiAnalyzer to upload the rolled logs to another server via
a standard file transfer protocol such as FTP, SFTP, or SCP. To ensure you are uploading rolled logs
only, select the When rolled option. You also have the option to delete the log files after uploading
to free up disk space on the FortiAnalyzer.
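The rolling and "upload when rolled" behaviour just described, as an added Python illustration (not FortiAnalyzer’s own rolling code): should_roll applies the size and 24-hour-clock schedule tests, roll renames the rolled files so that higher numbers are older, and upload_rolled hands only the rolled files (never the active one) to an uploader and can delete them afterwards. The file name tlog.log, the uploader callback and the temporary demo directory are assumptions for the example.

```python
"""Size- or schedule-based log rolling with numbered rolled files, plus "upload when rolled"
with optional delete-after-upload.

Added illustration of the behaviour described in the text, not FortiAnalyzer's rolling code;
file names and the uploader callback are assumptions."""
import os
import shutil
import tempfile
from datetime import datetime

MAX_LOG_FILE_SIZE = 200 * 1024 * 1024  # the page's default: roll at 200 megabytes


def should_roll(size_bytes, now, max_size=MAX_LOG_FILE_SIZE, roll_hour=None, roll_days=None):
    """True when the active file has reached max_size or the scheduled time has come.

    roll_hour is on a 24-hour clock; roll_days is a set of weekday numbers (0 = Monday)
    or None for every day."""
    if size_bytes >= max_size:
        return True
    if roll_hour is None or now.hour != roll_hour or now.minute != 0:
        return False
    return roll_days is None or now.weekday() in roll_days


def rolled_files(log_dir, base):
    """Names of existing rolled files (base.1, base.2, ...), oldest (highest number) first."""
    numbers = []
    for name in os.listdir(log_dir):
        suffix = name[len(base) + 1:]
        if name.startswith(base + ".") and suffix.isdigit():
            numbers.append(int(suffix))
    return ["%s.%d" % (base, n) for n in sorted(numbers, reverse=True)]


def roll(log_dir, base):
    """Shift base.N -> base.N+1 (higher number = older), then active base -> base.1."""
    for name in rolled_files(log_dir, base):          # highest number first, so no collisions
        number = int(name[len(base) + 1:])
        os.replace(os.path.join(log_dir, name),
                   os.path.join(log_dir, "%s.%d" % (base, number + 1)))
    active = os.path.join(log_dir, base)
    os.replace(active, active + ".1")
    open(active, "w").close()                          # fresh, empty active file
    return active + ".1"


def upload_rolled(log_dir, base, uploader, delete_after_upload=False):
    """Pass every rolled file (never the active one) to uploader(path); return the names sent."""
    sent = []
    for name in rolled_files(log_dir, base):
        path = os.path.join(log_dir, name)
        uploader(path)
        sent.append(name)
        if delete_after_upload:
            os.remove(path)
    return sent


def demo():
    """Roll three generations in a scratch directory, upload and delete the rolled files."""
    log_dir = tempfile.mkdtemp()
    base = "tlog.log"
    try:
        for generation in range(3):
            with open(os.path.join(log_dir, base), "w") as fh:
                fh.write("generation %d\n" % generation)
            roll(log_dir, base)
        rolled = rolled_files(log_dir, base)
        with open(os.path.join(log_dir, rolled[0])) as fh:
            oldest = fh.read()                          # highest number holds generation 0
        uploaded = []
        sent = upload_rolled(log_dir, base, uploaded.append, delete_after_upload=True)
        remaining = sorted(os.listdir(log_dir))
    finally:
        shutil.rmtree(log_dir)
    now = datetime(2016, 6, 1, 3, 0)                    # a Wednesday, 03:00 (constructed)
    return {"rolled": rolled, "oldest": oldest, "sent": sent, "remaining": remaining,
            "size_roll": should_roll(MAX_LOG_FILE_SIZE, now),
            "scheduled": should_roll(0, now, roll_hour=3),
            "weekend_only": should_roll(0, now, roll_hour=3, roll_days={5, 6}),
            "wrong_hour": should_roll(0, now, roll_hour=4)}
```

The order of the rename loop matters: the oldest file is moved first, otherwise tlog.log.1 would overwrite tlog.log.2 before the latter had been moved out of the way.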


If you want to automatically delete device log files, quarantined files, and content archive files after a
set period of time, this can be done from System Settings > Advanced > File Management
(reports can also be deleted here, but we’ll discuss that in the Reports lesson). This is different from
deleting the log files after log uploading as per the previous slide—these deletions are not contingent
on log uploading first.

It is highly recommended that you have a clear understanding of all regulatory requirements
mandating the use of your logs, as you do not want to delete log entries that can be used as
evidence in cases of unauthorized or illegal activity.


This section outlines how to enable log aggregation on your FortiAnalyzer.


Log aggregation is a way of collecting logs from one or more FortiAnalyzers on a central
FortiAnalyzer. Generally, your central device is going to be a larger FortiAnalyzer, but this is not a
requirement. As a Collector, the device doesn’t send all of its logs to the Analyzer—only a delta of the
logs is sent. The two devices compare what they have stored and the Collector sends only what the
Analyzer doesn’t have. This not only reduces the amount of traffic that is sent, but it also provides a
level of redundancy. If there’s a catastrophic failure of the Analyzer device, the Collector sends all of
the data it has and repopulates the Analyzer automatically. If a device is acting in Analyzer mode,
then it’s collecting data from other FortiAnalyzer devices.
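The delta exchange described above, as an added Python model (not FortiAnalyzer’s actual aggregation protocol): each side summarizes what it holds as content digests, the Collector computes what the Analyzer lacks, sends only that, and an Analyzer that has lost everything is repopulated on the next run. The log file keys, their contents and the use of SHA-256 digests for the inventory are assumptions made for the example.

```python
"""Collector/Analyzer log aggregation modelled as a delta exchange: the Collector sends only
the log files the Analyzer does not already hold, and repopulates an Analyzer that lost its data.

Added illustration, not FortiAnalyzer's own protocol; file keys and contents are constructed."""
import hashlib

# Constructed rolled log files on the Collector, keyed by (device, file name).
COLLECTOR_FILES = {
    ("FG100EXAMPLE", "tlog.1"): b"traffic log day 1\n",
    ("FG100EXAMPLE", "tlog.2"): b"traffic log day 2\n",
    ("FG200EXAMPLE", "elog.1"): b"event log day 1\n",
}


def digest(data):
    return hashlib.sha256(data).hexdigest()


class LogStore:
    """One FortiAnalyzer's store of rolled log files, keyed by (device, file name)."""

    def __init__(self, files=None):
        self.files = dict(files or {})

    def inventory(self):
        """What this side holds, as key -> content digest: cheap to exchange before any transfer."""
        return {key: digest(data) for key, data in self.files.items()}


def compute_delta(collector_inventory, analyzer_inventory):
    """Keys the Analyzer lacks, or whose content differs from the Collector's copy."""
    return sorted(key for key, d in collector_inventory.items()
                  if analyzer_inventory.get(key) != d)


def aggregate(collector, analyzer):
    """One scheduled aggregation run. Returns the keys actually transferred."""
    analyzer_has = analyzer.inventory()            # Analyzer -> Collector: "this is what I have"
    advertised = collector.inventory()             # Collector's view of its own files
    delta = compute_delta(advertised, analyzer_has)
    for key in delta:                              # Collector -> Analyzer: only the delta
        data = collector.files[key]
        if digest(data) != advertised[key]:        # Analyzer verifies what it received
            raise ValueError("digest mismatch on %r" % (key,))
        analyzer.files[key] = data
    return delta
```

Running aggregate twice in a row transfers nothing the second time, and running it against an empty LogStore transfers every file, which is the automatic repopulation the text describes.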


When configuring log aggregation, you need to decide which FortiAnalyzer will be your central one.
After that, everything else connects to it.

The operating mode is determined by the role you select for your FortiAnalyzer. If it’s the central
server, its log mode is Analyzer. Otherwise it is Collector. Changing the log mode is accomplished
through the Web-based manager via System Settings > Dashboard, at the bottom of the System
Information widget.


On the FortiAnalyzer in Collector mode, you need to enable log aggregation, set up a password, and
configure the time to upload logs. Best practice is to stagger your uploads to distribute the load and
select off-peak bandwidth hours to upload.

On this page, you must also configure log aggregation by specifying the remote server type (in this
case, FortiAnalyzer), the IP of the aggregation server, and the devices whose logs you want to
forward.

Generally real-time forwarding of logs isn’t needed. The best way to set it up is to only forward the
important logs so that the alerts you configure will function. Everything else is not mission critical, so
it can wait for the daily upload.


To configure log aggregation on a FortiAnalyzer in Analyzer mode, you must enable the “Aggregator”
type of management access permitted on the interface. This is done under System Settings >
Network and can be enabled for IPv4 and IPv6.


This section describes how to back up and restore your logs.


Not every FortiAnalyzer is capable of disk RAID, so you need to take steps to protect your log
data. Even on the large FortiAnalyzers, it is likely that your log data is vitally important, so you
must take every reasonable precaution to ensure your data is protected.

You can back up the log files through the Web-based manager or CLI. You can also set up log
forwarding to have FortiAnalyzer send entries to a Syslog server.


From the Web-based manager, you can download files from the Tools menu on the FortiView > Log
View page.

You can browse to a specific log file or view the most recent files under Traffic or Event and then
select the Download option. You can download the log files in either text or CSV format (select the
option that best fits your plans for the file going forward), and if downloading multiple log files, specify
whether to download the current page or all pages. You can also select whether you want to compress
the data first—a good idea for large volumes of logs.

Note that this back up only downloads the logs based on any filters you may have set. In this
example, only traffic logs from the FortiGate from the last 4 hours are downloaded.


From the Web-based manager, you can download the rolled log files from FortiView > Log View >
Log Browse. On the Log Browse page, each device’s log files are listed by log type; for example, the
event logs for a FortiGate. The From and To dates associated with a log file determine the first and
last log entry in that file. This is based on your log rolling settings (remember, when a log file reaches
its maximum size or a scheduled time, FortiAnalyzer rolls the active log file).


You can restore logs previously backed up by selecting Import on the Log Browse page. You can
either:

• Leave the default Device drop-down menu option set to [Take From Imported File].
FortiAnalyzer parses the logs and automatically reads the device_id from the log file to assign it to
the device. If you select this option, your log file must contain a device_id field in its log messages.
FortiAnalyzer checks whether FortiAnalyzer’s device list contains the device. If it does not, a
message appears after the upload and you can automatically add the device to the device list.
• Select the device to which the imported logs belong from the Device drop-down menu (this is
useful if there was an RMA in the past). FortiAnalyzer checks whether the device_id field in the
uploaded log file matches the device. If it does not, the import fails.
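The two import modes above, as an added Python model (not FortiAnalyzer’s import code): with no device selected, each line’s device_id decides the device and unknown devices are added to the device list; with a device selected, any line carrying a different device_id fails the import. The sample lines, the device names and the device_id field spelling (taken from the text above) are assumptions for the example.

```python
"""The two Log Browse import modes described in the text, modelled on a list of raw log lines.

Added illustration, not FortiAnalyzer's import code. The field name device_id follows the text;
sample lines and device names are constructed."""
import re

_DEVICE_ID_RE = re.compile(r"\bdevice_id=(\S+)")

# Constructed log lines from a backup file; the third line comes from a device not yet registered.
SAMPLE_LINES = [
    "date=2016-06-01 time=10:00:01 device_id=FG100EXAMPLE type=traffic action=accept",
    "date=2016-06-01 time=10:00:02 device_id=FG100EXAMPLE type=traffic action=deny",
    "date=2016-06-01 time=10:00:03 device_id=FG200EXAMPLE type=event action=login",
]


class LogImportError(Exception):
    """Raised when the import must fail (missing device_id, or mismatch with the chosen device)."""


def import_logs(lines, device_list, selected_device=None):
    """Assign imported log lines to devices.

    selected_device=None models [Take From Imported File]: the device comes from each line's
    device_id and unknown devices are appended to device_list (the "add it automatically" step).
    A device name models picking one from the Device drop-down: every device_id must match it.
    Returns (lines grouped by device, list of devices newly added to device_list)."""
    grouped, added = {}, []
    for line in lines:
        match = _DEVICE_ID_RE.search(line)
        if selected_device is None:
            if match is None:
                raise LogImportError("log message without a device_id field: %r" % line)
            device = match.group(1)
            if device not in device_list:
                device_list.append(device)
                added.append(device)
        else:
            if match is not None and match.group(1) != selected_device:
                raise LogImportError("device_id %s does not match selected device %s"
                                     % (match.group(1), selected_device))
            device = selected_device
        grouped.setdefault(device, []).append(line)
    return grouped, added


def import_fails(lines, device_list, selected_device=None):
    """True when import_logs rejects the file; used to exercise the two failure modes."""
    try:
        import_logs(lines, device_list, selected_device)
    except LogImportError:
        return True
    return False
```

The device list is mutated on purpose in the first mode, mirroring the prompt that lets you add the unknown device after the upload; in the second mode it is never touched.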


You can back up the log data from CLI as well. The command is:

execute backup logs

After that, you specify which device, or list of devices, you want to back up. Then you specify the
protocol to use for the backup, the address of the server to send the logs to, a user name and
password to connect with, and a directory to store the data in. This does not give you the ability to
pick individual logs like the Web-based manager does: it sends everything for whatever device or
devices you specify. The data is compressed before being sent, so the transfer does not begin
instantaneously. The device needs to process the logs and store them in an archive, which can take
some time. Also this can wind up being a lot of data so make sure your server has enough disk
space.


Just like the Web-based manager, you can restore logs from the CLI as well. The command is:

execute restore logs

The format for this command is identical to the “execute backup logs” command: you must specify
the protocol to use for the restore, the address of the server, a user name and password, and a
directory in which to restore the data.


Another way to back up your logs is by forwarding them to a syslog server for storage. You set up
forwarding through the FortiAnalyzer CLI. However, as discussed in the Configuring logs section, you
must configure your syslog server first through System Settings > Advanced > Syslog.

On the FortiAnalyzer CLI, configure the log aggregation client with the “config system aggregation-
client” command as provided here. For more information, see the FortiAnalyzer CLI Reference
Guide.

To test whether the logs received on FortiAnalyzer are being forwarded to the syslog server, use the
“diagnose sniffer packet” command.


As discussed in the Log Management section, uploading logs to a FTP, SFTP, or SCP server is
another way to back up logs. You can select to either forward the logs when rolled, or at a specific
time of day.


The last topic in this lesson is content archiving, also known as Data Leak Prevention (DLP)
archiving. While a log message tells you what happened, it doesn’t tell you very much about the data
itself. This is where content archiving comes in.


DLP archiving on FortiAnalyzer comes in two forms, summary and full, and FortiGate can record
occurrences of specific types of traffic when they are detected by DLP sensors.

Summary archiving records metadata only. For example, date and time, source and destination,
request and response size, and scan result.

Full archiving records metadata as well as copies of files or messages. For example, metadata plus
the file or message itself, including any attachments.

Email is a good example of when data archiving is useful. Without archiving your email message, the
log file just shows to/from information and if the email was considered spam or not. Summary
archiving on the FortiGate provides some additional details, such as the subject and size. Full
Archiving provides a complete copy of the entire email.


There are some things to consider if you want to enable full content archiving.

First, it more than doubles the original traffic. The original data gets sent to its destination, a complete
copy of it also gets sent to FortiAnalyzer, and you also have the metadata and log entries that go
with it.

Second, it increases the CPU and memory requirements on your FortiGate. It is the difference
between sending a couple of log entries vs. a complete copy of the data. Emails, for example, can
easily be several megabytes in size, so you need to consider the amount of data to archive, as you
could overload your firewall.

Third, archiving increases the drive space requirements on your FortiAnalyzer. Content archive data
is counted just like normal logs towards the device’s overall limit. Too much will limit the amount of
historical data you can store long term.

Finally, in order to archive encrypted data, FortiGate MUST be configured for SSL deep scanning.
Without being set up to do Man-in-the-Middle SSL communications, it’s impossible to decode the
contents for encrypted communications.


Enabling DLP archiving is done on your FortiGate. You need to set up a DLP sensor and then
configure the conditions that say when it will send data to FortiAnalyzer to be archived. This means
your FortiGate configuration dictates which protocols to archive. You can choose to archive:

• websites, which is the HTTP protocol
• mail, which is SMTP, IMAP, POP3 and MAPI
• file transfers, which is FTP, and
• news networks, which is NNTP.

Secure protocol content archiving is only available on devices that can do SSL inspection.


You can view archived logs from the FortiView > Log View page. The Archive tab appears next to
the Log Details tab in the lower content pane only when archived logs are available. You can also
download the file by selecting the download icon next to the file name.


After this lesson, you should be able to describe log basics, and understand the FortiView tab; log
arrays; event handlers; log rolling and log forwarding; log aggregation; log back-up strategies; log
forwarding and log uploading; data archiving forms; and content archiving.



DO NOT REPRINT  Reports

© FORTINET

In this lesson, we will show you how to extract useful information out of your logs for analysis
purposes. To do this, you need to understand how data is formatted, stored, and organized in the
database and how you can utilize the FortiAnalyzer reporting feature to summarize your data.


After completing this lesson, you should have these practical skills that will allow you to configure and
run reports. This includes:

• Understanding the purpose of reports and how they work under the hood
• Describing the relationship between reports, charts, and datasets
• Describing the effect of ADOMs on report settings
• Defining SQL SELECT queries and understanding how they are formed with clauses
• Understanding SQL functions and operators as well as FortiAnalyzer-specific functions and
macros
• Describing the elements involved in building or customizing a chart, and
• Describing report features (creating, cloning, configuring)


You should also be able to understand report scheduling, notifications, and output profiles; the report
import/export feature; and identify the ramifications of reports on CPU and memory.


One of the key features of FortiAnalyzer is the ability to produce graphical reports based on logged
data from your network. The intent of this section is to provide a general overview of FortiAnalyzer’s
reporting solution.


The purpose of a report is to summarize large amounts of logged, which is to say existing, text data.
A report does not provide recommendations on how to better resolve any network security issues; it
simply extracts large amounts of data and presents it in a graphical manner that makes it easier—
and quicker—to digest. In fact, the patterns and trends that reports bring to light already exist as
several points of data within your database, but it would be incredibly difficult and time consuming to
manually locate, cross-reference, and analyze multiple log files—not to mention knowing in advance
what trend or pattern you are hoping to find. This is why you need reports. Once configured, reports
do all the investigation for you and provide a quick and detailed analysis of activity on your network.
You can then use that information to better understand your network or improve your network
security.


Under the hood, a report is a set of data organized in charts. In FortiAnalyzer, a chart consists of
two elements: a selection of data from the SQL database and the format used to display that data.

In order for a chart to extract data from the database, it relies on a dataset, which is a specific SQL
SELECT query that specifies what data to extract from the database.

The format options to display this data includes pie charts, bar charts, or tables.

So, for example, let’s say you want a report to provide a list of active traffic users. You need a chart
that includes a dataset that queries the database for specific criteria surrounding active traffic users,
and a format, like a table, so the information is presented in a digestible format.

We will take a closer look at constructing datasets later in this lesson.


As mentioned earlier in the FortiAnalyzer training, the log data from registered devices, such as
FortiGates, is stored in the internal PostgreSQL database or in a remote MySQL database.

Logs are received in binary format and normalized into raw logs. Individual raw logs are organized
by device as well as by log type, such as event logs, traffic logs, and security logs. In this example,
the devices FortiGate_Remote and FortiGate_Student appear individually, and for each device there
are separate log files for the Event and Traffic log types.


Let’s take a closer look at the log processing flow, specifically between FortiGate and FortiAnalyzer.
Here the fortilogd on FortiGate forwards logs to FortiAnalyzer. The fortilogd on FortiAnalyzer accepts
the inbound real-time logs and creates raw logs. The FortiAnalyzer sqllogd reads those raw logs and
creates temporary SQL-ready logs. Lastly, the FortiAnalyzer sqlplugin inserts the logs into the SQL
database, verifies the database records, and signals to sqllogd that the logs have been received
successfully. Sqllogd then deletes the temporary SQL logs.


This is a graphical representation of the report workflow, starting with the SQL database that contains
all the raw logs. The database holds massive amounts of data on various events. From there, you
make an SQL SELECT query that polls the database for the specific information you want, otherwise
known as a dataset. As you can see, the results of the dataset query look very similar to the
database. This is because the query is extracting only a subset of information stored in the logs.

This subset of data defines a chart and charts are used to create reports.


Datasets, charts, reports, and everything required to configure, run, and view reports is located in
the FortiAnalyzer Web-based manager under the Reports tab. The Reports tab allows you to:

• View, configure, create, and run reports
• View, clone, and create charts
• View, clone, and create macros
• View history and calendar
• View, clone, and create datasets
• Configure output profiles, and
• Configure report language

We will examine all these report features in this lesson.


If administrative domains (ADOMs) are enabled, each ADOM will have its own report settings
including Chart Library, Macro Library, Dataset Library, and Output Profile.

Also, FortiCarrier, FortiCache, FortiMail, and FortiWeb reports are available when ADOMs are
enabled. Reports for the devices are configured within their respective default ADOMs. These
devices also have device-specific charts and datasets.


One of the major elements that comprise reports are datasets. Remember, datasets define what data
is extracted from the database and represented in a report’s chart. While FortiAnalyzer does provide
pre-defined datasets that address the most common queries, it is still important to understand how a
dataset is properly formed in the event you want to modify an existing dataset or create your own
custom dataset. In order to understand datasets, you need to understand Structured Query
Language, also known as SQL.

While this section aims to provide some SQL basic knowledge, it only does so as far as it relates to
FortiAnalyzer reports. It is not intended to teach SQL.


As discussed earlier, a dataset is an SQL SELECT query. The result from that query—the specific
data polled from the database—is what populates a chart.

FortiAnalyzer includes many predefined datasets that contain some of the most common database
queries. These are available to view from Reports > Advanced > Dataset. You can also clone and
create new datasets from here as well.

If ADOMs are enabled, each ADOM has its own datasets.

This is an example of the default Top-Destinations-By-Sessions dataset.


When you are building your queries, you must use PostgreSQL syntax to interface with the database.
When creating or editing datasets, there is a Test button where you can test your query. If it is not
formed correctly, an error message appears. If it is formed correctly, and the data you are querying is
available in the database, the results appear.

Note that SQL keywords and column names are not case-sensitive (select, SELECT, and Select are all
accepted), but the string values you compare against in a WHERE clause are. 'N/A' and 'n/a' are two
different values, which is why the FortiAnalyzer nullifna function described later checks for both.


In order to form your queries correctly, you must know the SQL language and understand database
schemas. Schemas are used to logically group objects, such as tables. The table is the root structure
in SQL and consists of rows and columns. Each column name is unique and has a defined data type,
so the value for the column in each row must be from the defined data type or be null.

In order to create a query, you need to know the column names as they appear in the database. The
simplest way to know the column names is to obtain the database schema. In FortiAnalyzer, you can
obtain the schema from Reports > Advanced > Dataset. Click Create New, select a log type from
the Log Type drop-down list (such as Traffic for the traffic log), and in the Query field type:

SELECT * FROM $log

This SELECT statement returns everything from the log type schema you selected (for example, the
traffic log type). The * symbol is used as a way to return all data.


Now let’s take a closer look at the query itself. In order to understand this example dataset, and more
specifically, what it is querying, you need to understand SQL. SQL is what is known as a declarative
language: it describes what needs to be done rather than how to do it.

As just described, in an SQL database all information is represented as tables, and each table consists
of a set of rows and columns. There are two types of tables:

• User tables, which contain the information stored in the database, and
• System tables, which contain the database description.


In order to retrieve and manipulate data in the database, you need to use data manipulation
language, which is a family of syntax elements used by SQL. These syntax elements are SELECT,
INSERT, UPDATE, and DELETE. These are the first words used in a query—they are the declarative
verbs describing what you want done.

As far as FortiAnalyzer reports are concerned, only the SELECT statement is used. It is purely a
read-only query statement that is used to retrieve data from the database.


So now that we know FortiAnalyzer reports only use the SELECT statement, let’s take a closer look
at how it works.

The SELECT statement is used to query the database and retrieve log data. In order to pull the data
you want, you must specify the criteria. For example, let’s say you want to query the database for a
list of employees who work in the IT department. In order to put this criteria into a language that SQL
understands, you must use a clause recognized by the SELECT statement.

The main clauses FortiAnalyzer reports use are:

• FROM, which specifies the table.
• WHERE, which specifies the conditions. All rows that do not satisfy the condition are eliminated
from the output.
• GROUP BY, which collects data across multiple records and groups the results by one or more
columns.
• ORDER BY, which sorts the result rows by one or more columns. If ORDER BY is not given, the rows
are returned in whatever order the system finds the fastest to produce. And finally,
• LIMIT, which limits the number of records returned based on a specified value. OFFSET is
another clause often used along with LIMIT, which skips the specified number of rows before
returning results. For example, if you place a limit of 3 records and an offset of 1, the first record
that would normally be returned is skipped and instead the second, third, and fourth records (3 in
total) are returned.

In a dataset query, FROM is the only mandatory clause; the rest of the clauses are optional and
serve to filter or limit, aggregate or combine, and control the sort. It is also important to note that
the clauses must be coded in a specific sequence. This is to say that following the SELECT
keyword, the statement must be followed by one or more clauses in the order they appear in the
table provided. For example, you cannot use the WHERE clause before the FROM clause.

You do not have to use all optional clauses, but whichever ones you do use they have to be in the
correct sequence.


SELECT is the first word used in any SQL query that involves FortiAnalyzer reports. This is a
declarative statement that instructs the program to query the column in the database for the
information you want returned. For example:

SELECT dstip

dstip is the column name for destination IP in the SQL schema. Note that you can select more than
one column name, and you can also have the column name appear under a more user friendly name
in the results table by appending as <friendly_name_of_column> to it. For example,
SELECT dstip as domain. In the results table, the values for dstip will now appear under a column
named domain.

If you want to return all data, you can use the * symbol. For example, SELECT *. Though most of the
time that is more information than you require.

At minimum, you must use the FROM clause with your SELECT statement. This instructs the
program where the information is located.

For example:

FROM $log

Here $log refers to the logs in the log type selected for the dataset, such as traffic logs or web filter
logs to name a few.


Note that you can search multiple log types in order to combine the data so that you can compare
and contrast information. To do this, use the log type syntax associated with the specific log type. For
example, if you want to search both the traffic logs and web filter logs, use:

FROM $log-traffic, $log-webfilter

Be aware that listing two tables in FROM without a condition that relates them produces every
combination of rows from both tables (a cross join), which is rarely what you want and can be very
expensive on a large database. Add a WHERE condition that ties the two log types together, such as a
matching session ID, so that only related rows are combined.


Out of all the optional clauses, the WHERE statement is really the heart of the query, because this is
where you specify the criteria.

The WHERE statement must always come after the FROM statement.

In this example, the first expression is $filter, which is used to restrict the results to the time period
you select. While the time period is not added to the query itself, it is specified by way of a drop-down
box when creating the dataset through the FortiAnalyzer Web-based manager.

The second condition is dstip is not null, which keeps only the rows that have a destination IP. The
two conditions are joined with and, so a row must satisfy both to be returned.

SQL supports logic operators as well, so you can use AND/OR/NOT statements in order to build out
the query. Operators will be discussed later in this lesson.


The GROUP BY clause is used to create one output row for each group. It is usually used with an
aggregate function within the SELECT statement. We will cover aggregate functions later, but
essentially they perform a calculation on a set of values and return a single value. If it is not used with
an aggregate function, it is similar to the DISTINCT clause, in that it removes duplicates from the
result set of a SELECT statement.

In this example, the GROUP BY clause is used with an aggregate function. The aggregate function is
count(*), which counts every row in each group, including rows where some columns contain a NULL
value.

In this example, we are grouping by dstip (destination IP).


ORDER BY is a clause that allows you to sort queries by column name or column number. By
default, rows of an SQL query result table are not arranged in a particular order, so you can use the
ORDER BY clause to sort column values in either ascending (asc) or descending (desc) order. If you
use this clause and do not specify ascending or descending, the default is ascending.

You can order multiple columns and specify different sort orders for each. For example, you can sort
one column in ascending order and another column in descending order.

In this example, we are ordering by session in descending order.


By default, all results that satisfy the conditions specified in the query are returned. However, if you
only want to retrieve a subset of records, you can place a limit on the records returned. To do this,
use the LIMIT clause and specify the number of results you want. For example, LIMIT 7. This keeps
the result set, and the chart built from it, small, which matters in a large scale deployment with lots
of devices logging to the FortiAnalyzer. Note, however, that LIMIT only trims the output: the database
still has to scan and aggregate every matching row before it can decide which seven to return, so the
WHERE clause and the time period, not LIMIT, are what bound the CPU and memory cost of a query.
You can combine LIMIT with ORDER BY desc to get the “top <x> results” (or asc for the “bottom <x>
results”); without ORDER BY, the rows that LIMIT returns are arbitrary.

In conjunction with the LIMIT clause you can use the OFFSET clause. This skips the specified number
of rows before returning results. For example, if you place a limit of 7 records and an offset of 1, the
first record that would normally be returned is skipped and instead records 2 through 8 are returned.


As we’ve been introducing and explaining the main SQL clauses, we’ve been forming a full dataset
query along the way. To visually see how it all ties together, we can use the dataset Test feature in
the Web-based manager. The feature is intended to test or modify a query in order to get the specific
output you want.

The test feature is located in the dialog box used to create new datasets, view existing datasets,
clone existing datasets, or edit custom datasets (for all intents and purposes it is the same dialog box
with the same features) and is available under Reports > Advanced > Dataset.

To test the dataset we created, we’ll click Create New on the toolbar of the Dataset page to launch
the New Dataset dialog box.

In the Query field, we’ve added our example dataset query.

First thing we must do is give our dataset a name.

The next thing we must do is select the log type. This is the log type we referenced in the FROM clause
of the query. In this case, we entered the generic “$log”, as we are specifying the log type as Traffic
from the Log Type drop-down field here. We could just as easily have entered “$log-traffic” in the
query instead, but should we wish to run this query on a different log type later, it is less risky and
easier to change the Log Type drop-down field than to edit the dataset query itself.

On the right side of the dialog box, we must specify the device or devices on which to use this query.
Here, we have specified All Devices.

We must also specify a time period for this query. As mentioned earlier, the “$filter” expression used
with our WHERE clause states that we want to limit the results to the time period we specify. The Time
Period drop-down box is where we specify this time period.

Now we are ready to click the Test button. If there is an error in the query, the error message appears
in the window below. If the query is correct, the results appear in the window below. Since the results
appear in the window below, we know our dataset has been correctly formed.


Now let’s align the written query with the visual results to fully understand how the query is
interpreted by FortiAnalyzer.

SELECT dstip as domain, count(*) as session: select the destination IP address and call the column
“domain”; count the rows in each group and call that column “session”.

FROM $log: query the log type specified in the Log Type drop-down list, in this case the traffic log.

WHERE $filter and dstip is not null: limit the results to the time period specified, which is Last 30
Days according to the selection in the Time Period drop-down list, and only include rows whose
destination IP address is not null. Note that “null” represents unknown data; it does not represent
zero.

GROUP BY dstip: group the results by destination IP, one output row per distinct dstip. Remember,
we specified we wanted dstip put in a column called “domain”.

ORDER BY session desc: order the results by the session count in descending order. Note that the
results go from high (3,928) to low (1,183).

LIMIT 7: only provide the first seven results.

OFFSET 1: skip the first result, but still limit the results to the next 7 (that is, results 2 through 8).
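To see the clauses above act on real rows rather than a screenshot, here is an added example (not FortiAnalyzer code) that runs the lesson's dataset query over a constructed traffic-log table in SQLite. SQLite stands in for FortiAnalyzer's PostgreSQL store, and expand_macros() is my simulation (an assumption) of how the Web-based manager turns the Log Type and Time Period drop-downs into $log and $filter; the sample rows and the NOW timestamp are constructed. It also shows the LIMIT and OFFSET behaviour from the previous pages, including why ORDER BY desc is what gives you the "top" entries.

```python
"""Added example, not FortiAnalyzer code: run the lesson's dataset query over a
constructed traffic-log table in SQLite to see what each clause does to the
result. SQLite stands in for FortiAnalyzer's PostgreSQL store, and
expand_macros() is a simulation (assumption) of how the Web-based manager turns
the Log Type and Time Period drop-downs into $log and $filter."""
import sqlite3

NOW = 1_700_000_000          # "now" for the simulated time period (constructed)
DAY = 86_400

# Constructed sample rows: (itime = seconds when FortiAnalyzer received the log, dstip, srcip)
SAMPLE_TRAFFIC = [
    (NOW - 1 * DAY, "203.0.113.10", "10.0.0.5"),
    (NOW - 1 * DAY, "203.0.113.10", "10.0.0.6"),
    (NOW - 2 * DAY, "203.0.113.10", "10.0.0.7"),
    (NOW - 2 * DAY, "198.51.100.7", "10.0.0.5"),
    (NOW - 3 * DAY, "198.51.100.7", "10.0.0.8"),
    (NOW - 3 * DAY, "192.0.2.44", "10.0.0.5"),
    (NOW - 4 * DAY, None, "10.0.0.9"),            # unknown destination: NULL, not zero
    (NOW - 45 * DAY, "192.0.2.44", "10.0.0.5"),   # older than "Last 30 Days"
    (NOW - 45 * DAY, "192.0.2.44", "10.0.0.6"),
    (NOW - 45 * DAY, "192.0.2.44", "10.0.0.7"),
]

# The dataset query exactly as written in the lesson. $log and $filter are
# FortiAnalyzer macros, not PostgreSQL syntax; they are expanded before the query runs.
DATASET_QUERY = """
SELECT dstip as domain, count(*) as session
FROM $log
WHERE $filter and dstip is not null
GROUP BY dstip
ORDER BY session desc
LIMIT 7 OFFSET 1
"""


def expand_macros(query, log_type="traffic", days=30, now=NOW):
    """Simulated macro expansion (assumption): $log becomes the table for the
    selected log type and $filter becomes the itime window for the time period."""
    start = now - days * DAY
    return (query.replace("$log", f"log_{log_type}")
                 .replace("$filter", f"itime >= {start} and itime <= {now}"))


def build_db():
    """In-memory table playing the role of the traffic log in the SQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log_traffic (itime INTEGER, dstip TEXT, srcip TEXT)")
    conn.executemany("INSERT INTO log_traffic VALUES (?, ?, ?)", SAMPLE_TRAFFIC)
    return conn


def run_dataset(query=DATASET_QUERY, days=30):
    """Expand the macros, run the query, and return the rows a chart would receive."""
    conn = build_db()
    try:
        return conn.execute(expand_macros(query, days=days)).fetchall()
    finally:
        conn.close()


def top_destinations(n, desc=True, days=30):
    """ORDER BY ... desc with LIMIT n gives the top n destinations by session
    count; asc gives the bottom n. Without ORDER BY, LIMIT would return an
    arbitrary n rows."""
    order = "desc" if desc else "asc"
    query = f"""
    SELECT dstip as domain, count(*) as session
    FROM $log
    WHERE $filter and dstip is not null
    GROUP BY dstip
    ORDER BY session {order}
    LIMIT {n}
    """
    return run_dataset(query, days=days)


if __name__ == "__main__":
    # Last 30 days: 203.0.113.10 has 3 sessions, 198.51.100.7 has 2, 192.0.2.44 has 1,
    # the NULL destination is dropped, and OFFSET 1 skips the top entry.
    for domain, session in run_dataset():
        print(f"{domain:<14} {session}")
    # Widening the time period to 60 days pulls in the older rows and changes the ranking.
    print(run_dataset(days=60))
```

Changing only the days argument (the Time Period drop-down) changes which destination ranks first, while the query text stays the same, which is the point of keeping the time window in $filter rather than hard-coding it.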


Now that we’ve examined the SELECT syntax element, let’s take a look at a few SQL functions and
operators. This is not intended as a complete and exhaustive list of all functions and operators—it
simply covers a few of the most common ones used in FortiAnalyzer datasets.


SQL has two types of functions: “normal” functions and aggregate functions.

Aggregate functions use the entire column of data as their input and produce a single output, while
the “normal” functions operate on each element in the column of data.


One common function used in FortiAnalyzer datasets is NULLIF. The NULLIF function takes two
arguments. If the two arguments are equal, then NULL is returned. Otherwise, the first argument
is returned. Note that NULL represents unknown data; it does not represent zero.


Another common function used in FortiAnalyzer datasets is COALESCE. The COALESCE function
returns the first non-NULL expression among its arguments. NULL is returned only if all arguments
are NULL. It is often used to substitute a default value for NULL values when data is retrieved for display.

COALESCE is used with the SELECT statement. It takes one or more expressions as an argument.
The values do not have to be string data types—they can be any data type (and also different data
types). The syntax is:

COALESCE (expression 1, expression 2, …)


Aggregate functions are a special category with different rules, as they operate on entire columns of
data instead of discrete values. These functions perform a calculation on a set of values in a column
and return a single value. Although aggregate functions are usually used in conjunction with the
GROUP BY clause, these functions can be used on their own in a SELECT statement.

This table includes a list of aggregate functions used in SQL. All can take an expression as an
argument and ignore null values, except for count. Count can take an asterisk as an argument. The
asterisk in this case means all rows are counted, even if some columns contain a NULL value.

An example of an expression used with an aggregate function is SELECT count(unauthuser). Because
count ignores nulls, this returns the number of log rows in which the unauthuser field is populated,
that is, entries that recorded an unauthenticated user. To count how many different unauthenticated
users appear, use count(distinct unauthuser) instead.


Now let’s take a look at SQL operators. An operator is a reserved word or a character used primarily
in an SQL statement's WHERE clause to perform various operations.

There are three types of operators:

• Arithmetic operators
• Comparison operators
• Logical operators


Here are some examples of arithmetic operators. Arithmetic operators perform mathematical
operations on two numeric expressions.


Here are some examples of comparison operators. Comparison operators compare two expressions
and return a Boolean result; the two expressions must be of the same or compatible data types.


Here are some examples of logical operators. Logical operators test for the truth of some condition.
Like comparison operators, they return a Boolean data type with a value of TRUE, FALSE, or
UNKNOWN.


FortiAnalyzer includes some built-in functions that are based on known SQL functions, but scripted
differently. Also, FortiAnalyzer includes macros, which are best described as lengthy or complex SQL
statements scripted more simplistically. An SQL macro can be used anywhere in a query where an
ordinary SQL expression can be used. In this section, we will explore both.


One FortiAnalyzer-specific function is root_domain(hostname). This provides the root domain of the
fully qualified domain name. As per the query, in this example root_domain(hostname) is listed under
the website column in ascending order (the default for the ORDER BY clause if not specified).


Another FortiAnalyzer-specific function is nullifna, which takes an expression as an argument. The
actual SQL syntax this is based on is SELECT NULLIF(NULLIF(expression, 'N/A'), 'n/a'), so both
spellings of N/A are turned into NULL and any other value is returned unchanged.

In this example, nullifna is wrapped in COALESCE: if the user is n/a, nullifna returns NULL and
COALESCE falls through to the source IP; otherwise the user name is returned. In that sense nullifna
is the inverse of COALESCE: COALESCE replaces NULL with a value, while nullifna replaces a
placeholder value with NULL. As you can see in the user_src column, there are some IP addresses and
some user names.


email_domain and email_user are other FortiAnalyzer-specific functions. email_domain retrieves
anything that is after the @ symbol in an email address (the domain), while email_user retrieves
anything that is before the @ symbol.

As per the query, in this example email_user displays in the column e_user, while email_domain
displays in the column e_domain.


from_dtime and from_itime are other FortiAnalyzer-specific functions. from_dtime returns the device
timestamp without the time zone, while from_itime returns FortiAnalyzer’s timestamp without the time
zone.

As per this query, from_itime appears in the column faz_local_time, while from_dtime appears in the
column dev_local_time.
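The FortiAnalyzer-specific functions described on the last few pages (nullifna and the COALESCE pattern, root_domain, email_user, email_domain, from_itime) run inside FortiAnalyzer's PostgreSQL database and their source is not shown in this guide. The following added example (not FortiAnalyzer code) re-implements each one as a Python function, registers them as SQLite user-defined functions, and runs the same kind of queries over a constructed web-filter table. The function bodies are my approximation of the documented behaviour (an assumption): root_domain keeps the last two labels of the host name, and from_itime renders the timestamp in UTC rather than in the FortiAnalyzer's local time. The sample rows are constructed.

```python
"""Added example, not FortiAnalyzer code: the FortiAnalyzer-specific SQL
functions from this lesson re-implemented as Python functions and registered
as SQLite user-defined functions, so the nullifna/COALESCE pattern and the
root_domain, email_user, email_domain and from_itime helpers can be exercised
over a constructed web-filter table. Bodies are an approximation (assumption)."""
import sqlite3
from datetime import datetime, timezone


def nullifna(value):
    """SELECT NULLIF(NULLIF(expression, 'N/A'), 'n/a'): both spellings of N/A
    become NULL; anything else (including NULL) passes through unchanged."""
    return None if value in ("N/A", "n/a") else value


def root_domain(hostname):
    """Root domain of an FQDN, e.g. www.example.com -> example.com.
    Assumption: last-two-labels rule; public-suffix handling is not attempted."""
    if not hostname:
        return None
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def email_user(address):
    """Everything before the @ symbol, or NULL if there is no @."""
    return address.split("@", 1)[0] if address and "@" in address else None


def email_domain(address):
    """Everything after the @ symbol, or NULL if there is no @."""
    return address.split("@", 1)[1] if address and "@" in address else None


def from_itime(itime):
    """FortiAnalyzer receive time as a timestamp string without a time zone
    (rendered in UTC here; assumption)."""
    return datetime.fromtimestamp(itime, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


# Constructed sample rows: (itime, user, srcip, hostname, sender)
SAMPLE_WEBFILTER = [
    (1_700_000_000, "alice", "10.0.0.5", "www.example.com", "alice@example.com"),
    (1_700_000_060, "N/A", "10.0.0.6", "cdn.static.example.net", "bob@mail.example.org"),
    (1_700_000_120, "n/a", "10.0.0.7", "example.org", "noreply@example.org"),
    (1_700_000_180, None, "10.0.0.8", "api.example.com.", "carol@example.com"),
]


def connect():
    """In-memory web-filter table with the FortiAnalyzer-style functions registered."""
    conn = sqlite3.connect(":memory:")
    for name, fn in [("nullifna", nullifna), ("root_domain", root_domain),
                     ("email_user", email_user), ("email_domain", email_domain),
                     ("from_itime", from_itime)]:
        conn.create_function(name, 1, fn)
    conn.execute("CREATE TABLE log_webfilter "
                 "(itime INTEGER, user TEXT, srcip TEXT, hostname TEXT, sender TEXT)")
    conn.executemany("INSERT INTO log_webfilter VALUES (?, ?, ?, ?, ?)", SAMPLE_WEBFILTER)
    return conn


def user_src():
    """The lesson's pattern: show the user name, or fall back to the source IP
    when the user is N/A (either spelling) or NULL."""
    conn = connect()
    rows = conn.execute("""SELECT coalesce(nullifna(user), srcip) as user_src
                           FROM log_webfilter ORDER BY itime""").fetchall()
    conn.close()
    return [r[0] for r in rows]


def websites_by_root_domain():
    """root_domain(hostname) as website, grouped and in ascending order."""
    conn = connect()
    rows = conn.execute("""SELECT root_domain(hostname) as website, count(*) as hits
                           FROM log_webfilter
                           GROUP BY root_domain(hostname)
                           ORDER BY website""").fetchall()
    conn.close()
    return rows


def email_parts():
    """email_user/email_domain split plus from_itime, one row per log entry."""
    conn = connect()
    rows = conn.execute("""SELECT email_user(sender) as e_user,
                                  email_domain(sender) as e_domain,
                                  from_itime(itime) as faz_local_time
                           FROM log_webfilter ORDER BY itime""").fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print(user_src())                # ['alice', '10.0.0.6', '10.0.0.7', '10.0.0.8']
    print(websites_by_root_domain())
    print(email_parts())
```

Because the two N/A spellings are different strings to PostgreSQL, a dataset that only checked for 'N/A' would leave the 'n/a' rows with no source IP fallback; the nested NULLIF is what makes the COALESCE fallback reliable for both.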


Here are some common date and time macros used in FortiAnalyzer. Macros are simple
substitutions for more complex SQL statements—usually created for SQL statements that are
frequently used.


As previously mentioned, in order to build a report you need a chart. And in order to build a chart you
need a dataset. Since we discussed in detail how to create datasets, we will now examine how to
create and customize charts.


You can create and customize charts from Reports > Chart Library. As discussed earlier,
FortiAnalyzer charts consist of two elements: datasets (SQL queries) and the format to display that
data (pie chart, bar chart, table chart).

The chart library includes predefined charts and any custom charts you create. Note that the table
displays charts according to the display options enabled: Show Predefined and Show Custom. If
you create a custom chart and cannot find it in the list or through a search in the Search field, you
might want to check whether Show Custom is disabled.

You can clone existing charts and create your own charts.

If ADOMs are enabled, each ADOM has its own chart library.


Let’s first look into creating a chart. There are two methods you can use. The first is using the
Custom Chart wizard which guides you through the process. The second method is for more
advanced users, as the process is not guided.

Regardless of the chart creation method you choose, you first need a dataset that will query the
database for the information you want. This is absolutely required. All a chart does is convert the text
based results of that query into a graphical format.


The Custom Chart wizard makes the chart creation process easier for those not as familiar with
SQL, as a dataset is automatically created as you go through the wizard. The limitation with the
wizard is that you can only create charts based on traffic or event logs, and only two-variable charts
(one column to group by and one value to aggregate) are supported.


To create a chart through the wizard, click Wizard. The first step involves choosing your data.

From the Log Type field, you must specify from where the data will be extracted (this is the FROM
SQL clause): the traffic log or the event log.

From the Group by drop-down, you must specify the column in the database by which you want to
group the data (this is the GROUP BY SQL clause). The options available to select depend on the
log type you selected previously. For example, if you select the Traffic Log log type, the Group by
drop-down provides the columns associated with that log type.

From the Aggregate by drop-down, you must specify how you want to aggregate the data, that is,
which value is counted or summed for each group (this supplies the aggregate function used with the
GROUP BY clause). Again, the options available to select depend on the log type you selected previously.

Finally, from the Show drop-down, you must specify how many results you want to show. Options
include top 5, 10, 25, 50, 100.


In step 2, you can specify filters and choose to match on all or any of the conditions (this is SQL
and/or logic). You can add as many filters as required by clicking Add.


The final step does not require much configuration, as it is more of a preview. You can select your
chart type, but often the optimal format is automatically selected based on your query. You can also
change the name of the chart. By default, the name is based on the dataset query you created.


If you want more flexibility in your chart creation and are familiar with SQL, right-click on any chart
icon in the table and from the menu select Create New. In the New Chart dialog box that appears,
you first need to give your chart a name. A description is optional, but recommended.

From the Dataset drop-down list, select the query that represents the data you want to graphically
display. All pre-defined and custom datasets are available to select. Unlike the Custom Chart
wizard, the predefined datasets you select here are more powerful/complex than the ones you create
within the wizard itself.

From the Graph Type drop-down list, select the format for the chart. Options include table, bar, pie,
and line. Once you select your dataset, the information in the Data Bindings section automatically
changes based on the query. Check the FortiAnalyzer Administration Guide for more information on
configuring the graph type you want to use.

And finally, from the Resolve Hostname drop-down list, select to inherit the hostname, or to enable
or disable this option.


If FortiAnalyzer includes an existing chart that is very similar to the output you want, you can elect to
clone and modify the chart rather than create a brand new one. To clone a chart, select the chart
from the table and click Clone. The Clone Chart dialog box that appears is the same one used to
create a chart, just with all the fields pre-filled based on the chart you are cloning. You can modify the
chart based on your requirements.

A cloned chart is categorized as a custom chart, so remember to enable Show Custom so that it
appears in the chart library table for easy viewing or access.


Now that we understand charts, and how they graphically represent the dataset query, we can turn
our attention to reports. FortiAnalyzer includes predefined reports that you can configure, or if they do
not meet your requirements, you can create your own. Once complete, you can run your reports.


Before you configure or create a report, there are certain factors you need to consider to ensure the
report is as effective as possible.

The first consideration is your audience. Who’s going to be looking at this report? Depending on
what they want to see and their level of skill, you may need to add, remove, or modify charts in order
to convey the information appropriately.

The second consideration is your purpose. If you look at the pre-defined reports, each one focuses
on a specific piece of information. They are based on specific datasets and contain charts that format
that query. So for reports that are effective and easily digestible, they need to be focused and this is
achieved by having a strong purpose.

The next consideration is the level of detail. Too much information is just as bad as too little. Best
practice is to keep reports short and concise. Not only will it focus your view of your network and
users, but shorter reports have fewer charts and fewer queries to run. This helps with performance,
as large reports affect CPU and memory.

The final consideration is the format. You need to know how you want to format that data so that it
displays in the most digestible and telling way possible. This is important. A table chart, bar chart,
and pie chart do not necessarily represent the same data with the same effectiveness. Based on your
query, you may only be able to use one type of chart, but if options are available, you need to select
the right chart. Think about how the data would best be represented visually and the audience
consuming the data. Aside from the chart format, you can also change the design of the report by
adding separators, page breaks, images, and renaming charts.

As mentioned previously, FortiAnalyzer includes preconfigured reports for FortiGate, FortiMail, and
FortiWeb devices. They are available under the Reports tab and the first left tree menu also called
Reports. Reports for Application, Detailed User Report, and Web are organized into different
folders for easy navigation.

You can run these reports as is, or clone and configure the reports.

Let’s first look into how to run reports and configure various options, such as the device(s) to run the
reports on, the time period to run the report, and the type of report to generate. We’ll also look at
enabling a schedule, which is running the report automatically at specific time-intervals, and enabling
notification, which is sending the generated reports via email or uploading generated reports to a
server.

If a predefined report is very close to the report you want to create, but not quite, you can choose to
clone it. Clone a report when you want to leave the existing report as is, but want to borrow many of
the elements and modify them to meet your requirements.

To clone an existing report, right-click the report you want to clone in the Reports list and click Clone
from the menu options. You can rename the cloned report accordingly.

Once created, you must configure the report. We’ll take a look at the configuration options in just a
bit.

Note that you can rename and delete a cloned report, unlike predefined reports.

If there are no predefined reports that meet your needs and cloning an existing report is not an
option, you can choose to create a report from scratch.

To create a new report, right-click the Reports list and click Create New from the menu options.
You are then asked to name the new custom report.

As you can see, there is another Create New option in the menu under the Folder section. If you
want to group your custom report (or all custom reports) in its own folder in the Reports list, you can
create a folder here. Otherwise, the custom report is added to the main Reports list.

Note that you can rename and delete a custom report, unlike predefined reports.

Once created, you must configure the report.

The report configuration options are the same for all reports, whether custom, cloned, or predefined.
The only difference is how much configuration is required. Custom reports, for example, require all
of the configuration. Cloned reports inherit the configuration of the report you cloned, so they run
“as is”, but you need to reconfigure elements to meet your needs (how involved that is, however, is
up to you). Predefined reports are preconfigured and run “as is”, though you may need to do some
very minimal configuration.

The Configuration tab available for reports allows you to configure some report options. This first
section of the tab comprises the most basic options, and even though you can run predefined reports
“as is”, these three options should, at minimum, be reviewed. These options allow you to:

• Specify the time period in which to run the report
• Select which device to run the report on, and
• Select the type of report, whether it’s a single report for all devices, or multiple reports per device

Another configuration option is report scheduling. This is done from the Configuration tab of each
report by selecting Enable Schedule. This allows you to schedule reports to run automatically based
on your criteria. You can specify:

• how often to generate the PDF report in hours, days, weeks, or months
• the date and time to start running the reports, and
• the date and time to stop running the reports, though you can specify to run the report indefinitely
as well

Once a report is scheduled, a clock icon appears before the report name in the left menu.

Not only can you see what reports are scheduled with the clock icon, but under Reports > Report
Calendar you can see an overview of all your scheduled reports. A check icon means the report is
finished, while a clock icon means it is pending.

In this example, you can also see different colors associated with different reports. This is a
configuration setting for the report set through the Advanced Settings tab (to be discussed later):
you can select the color you want the report to appear under in the report calendar. This allows you
to more easily spot the report in the calendar, which is especially helpful if you have many reports
scheduled.

When you hover your mouse cursor over a scheduled report, a notification box appears that displays
the report’s name, status, and device type.

You can edit and disable upcoming scheduled reports as well as delete or download completed
reports by right-clicking the name of the report in the calendar.

Note that the scheduling is not actually done on this page, but configured in the specific report
configuration itself.

Another report configuration option is notifications. This allows you to send the report via email and/or
upload the report to a server. To do this, you must select the Enable Notification option available on
the Configuration tab for the specific report. This is enabled on a per-report basis—it is not a global
setting for all reports.

If you want to enable notification, you must configure an output profile. An output profile determines
where the report should be sent. Reports can be sent to an email address as well as uploaded to a
server. If you do not use an output profile, you cannot enable notification, and the report remains on
the local FortiAnalyzer.

In this example, three different output profiles have been created. One that just sends the report via
email, one that just uploads the report to a server, and another that sends the report via email as well
as uploads the report to a server.

There are two methods for creating an output profile. First, you can create output profiles within the
Configuration tab of each report by clicking the green plus icon beside the Output Profile drop-
down list. Any output profile you create here is saved globally and thus can be used with other
reports as well.

The second method is to pre-configure one or more output profiles under Reports > Advanced >
Output Profile. Click Create New to create a new profile. The Create New Output Profile dialog
box appears, which provides exactly the same configuration options as the first method of creating
an output profile (the dialog boxes are named differently, but for all intents and purposes, it is the
same dialog box). All output profiles created here are also saved globally and can be used with any
report.

The benefit to creating output profiles through the Output Profile page versus under the
Configuration tab of a report, is that you can pre-configure many output profiles in advance so they
are all teed up for selection when enabling notification for various reports.

If ADOMs are enabled, each ADOM has its own output profiles.

Now let’s take a quick look at how to create an output profile to send a report via email and server.

To send generated reports via email, select Email Generated Reports and enter the subject for the
email as well as body text to help identify the purpose of the email for the recipient(s). To add one or
more email recipients, click Add New. Note that along with the From and To email addresses, you
require a mail server to be pre-configured (otherwise nothing is available to select from the Email
Server drop-down list). You can configure a mail server via System Settings > Advanced > Mail
Server (this is discussed in the previous lesson: Logs and archives).

Alternatively (or in addition), to upload generated reports to a server, select Upload Report to
Server. You can choose to generate and upload the report in PDF and/or HTML format. For the
server configuration, you must select the server type (FTP, SFTP, or SCP) and enter the server IP,
user name, password, and the directory on the server to upload the reports to. You also have the
option to delete the file after it is uploaded to the server. Otherwise, it also remains on the local
FortiAnalyzer.

Now that we’ve looked at the Configuration tab for reports, let’s look at the Advanced Settings tab.
This tab allows you to configure report filters, LDAP query, and other advanced settings.

The Filters section allows you to create and apply log message filters to the report. You can use
these filters with AND and OR logic. You can also enable the LDAP Query option, which adds an
LDAP query to the report.
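The AND/OR filter logic described above, as an added example that is not part of the original guide: a small Python evaluator that applies a set of (field, operator, value) filters to constructed FortiGate-style key=value log lines and returns the records a report would then chart. The operator names (=, !=, contains) and all sample values are assumptions made for this illustration, not the guide’s own filter syntax.

```python
"""Added example, not from the FortiAnalyzer guide: evaluate report-style
log message filters with AND / OR logic over constructed key=value logs."""
import re

# Constructed FortiGate-style log lines (all values invented for this example).
SAMPLE_LOGS = [
    'date=2016-06-01 time=10:00:01 devname=FGT-A type=traffic subtype=forward '
    'srcip=10.0.1.5 dstip=203.0.113.10 action=accept user="alice"',
    'date=2016-06-01 time=10:00:05 devname=FGT-A type=traffic subtype=forward '
    'srcip=10.0.1.9 dstip=198.51.100.4 action=deny user="bob"',
    'date=2016-06-01 time=10:00:09 devname=FGT-A type=utm subtype=webfilter '
    'srcip=10.0.1.5 hostname="example.com" action=blocked user="alice"',
    'date=2016-06-01 time=10:00:12 devname=FGT-B type=traffic subtype=forward '
    'srcip=10.0.2.7 dstip=203.0.113.10 action=accept user="carol smith"',
]

# key=value pairs; values may be double-quoted and then contain spaces.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line):
    """Split one log line into a dict of field -> value (quotes stripped)."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def match_filter(fields, flt):
    """Evaluate one (field, operator, value) filter against a parsed log.
    The operators are assumed for this example: '=', '!=' and 'contains'."""
    key, op, value = flt
    actual = fields.get(key)
    if actual is None:  # a missing field never satisfies a filter
        return False
    if op == "=":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "contains":
        return value in actual
    raise ValueError("unsupported operator: %s" % op)


def apply_filters(logs, filters, logic="AND"):
    """Return the parsed logs that survive the filter set.

    logic="AND": every filter must match; logic="OR": at least one must.
    An empty filter list means "no filtering", so every log is returned."""
    if logic not in ("AND", "OR"):
        raise ValueError("logic must be AND or OR")
    parsed = [parse_log(line) for line in logs]
    if not filters:
        return parsed
    combine = all if logic == "AND" else any
    return [f for f in parsed if combine(match_filter(f, flt) for flt in filters)]


def count_by(fields_list, key):
    """Group the surviving logs by one field, the way a chart dataset would."""
    counts = {}
    for f in fields_list:
        name = f.get(key, "(none)")
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    denied = apply_filters(
        SAMPLE_LOGS, [("type", "=", "traffic"), ("action", "=", "deny")], "AND")
    print(len(denied), "denied traffic log(s)")
    either = apply_filters(
        SAMPLE_LOGS, [("action", "=", "deny"), ("action", "=", "blocked")], "OR")
    print(count_by(either, "user"))
```

The difference between the two logics shows up immediately on the sample: the AND set keeps only the denied traffic record, while an OR over two action values keeps the denied traffic record and the blocked webfilter record, which is the kind of narrowing that keeps a report focused and cheap to run.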

The Advanced Settings section allows you to configure language and print options and other
settings. For example, print and customize the cover page, print the table of contents, print a device
list, obfuscate users, and set the color code for the report to appear under in the Report Calendar.

Note that the options available from the Language drop-down list are based on the configured
languages in Reports > Advanced > Language. By default, there are many predefined languages
included, but you can also add additional ones. Adding a new language doesn’t create that
language—it adds a placeholder for that language that contains the language name and description.

The last configuration tab for individual reports is the Layout tab. From this tab, you can configure
the report template layout. This includes adding various content to a report template, such as charts,
images, and typographic elements. You can configure the template using the layout toolbar.

You can control the template color scheme, fonts, and layout as well as edit and customize all other
report elements as needed.

The toolbar also contains the FortiAnalyzer Macro button. This allows you to select a macro from
the Macro Library (available under Reports > Macro Library) to add to the report layout. Macros
are predefined to use specific datasets and queries. The macro library is ADOM-specific and
supported in FortiGate and FortiCarrier ADOMs only.

For more information on configuring a report’s layout, see the FortiAnalyzer Administrator Guide.

If you accidentally botch the layout and can’t figure out how to recover gracefully, note that each
report has an associated report template you can use. Report templates provide the format and
structure used to build the FortiAnalyzer reports.

The templates are located in the Reports tree menu under Default Templates. Just like the pre-
defined reports, the templates for Application, Detailed User Report, and Web are separated into
sub-folders for easy navigation.

You can clone the template that includes the format and structure you want, and then configure the
report.

You cannot delete default templates.

After you have completed your configuration, you can run the report. If you scheduled the report
during configuration, it will run at the time you specified. However, you do have the option to run the
report on demand (whether scheduled or not). To run a report on demand, click the View Reports
tab for the report and click Run Report Now.

A progress bar appears under the Total Time/Status column and once complete the report appears.
You can view the report in HTML or PDF format.

You also have the option to delete the report (or any reports that have already run) as well as
download the report.

All reports and datasets are only valid within that particular ADOM. If you make a new report, dataset,
or chart, you cannot copy or clone from one ADOM to another. Reports, however, provide the option
to import and export. Accordingly, you can export a report from one ADOM and import it into a
different ADOM, or export and import between devices. To import and export, right-click the report in
the Report list and select either Import or Export.

This is only a feature for reports. Custom charts and datasets cannot be exported.

This section intends to briefly identify any ramifications of reports on FortiAnalyzer’s CPU or memory.

One of the advantages of using SQL is that it provides much flexibility for creating reports—your
queries can be quite complex and extract very specific information on your network and users.
However, with this comes a disadvantage, in that it requires significant resources. For example, a
100Mb log can take approximately 300Mb disk space in raw logs, SQL tables, and index.

Customizing reports is also easier with SQL, though configuring new reports can take longer as there
are extra steps to perform.

Here is a rough approximation of the allocated quota used when generating reports, along with the
formula. You can see that the SQL tables and indexes are twice the size of the raw logs.

As mentioned previously, it is best practice to keep reports short and concise, as large reports affect
CPU and memory.

After this lesson, you should be able to:

• Understand the purpose of reports and how they work
• Describe the relationship between reports, charts, and datasets
• Describe the effect of ADOMs on report settings
• Define SQL SELECT queries and clauses
• Understand SQL functions and operators as well as FortiAnalyzer-specific functions and macros
• Describe the elements involved in building or customizing a chart
• Describe report features (creating, cloning, configuring)
• Understand report scheduling, notifications, and output profiles
• Understand the report import/export feature, and
• Identify the ramifications of reports on CPU and memory
