DO NOT REPRINT

© FORTINET

FortiAnalyzer Administrator
Study Guide
for FortiAnalyzer 7.2
DO NOT REPRINT
© FORTINET
Fortinet Training Institute - Library

https://training.fortinet.com

Fortinet Product Documentation

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Product Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Training Program Information

https://www.fortinet.com/nse-training

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Fortinet Training Institute Helpdesk (training questions, comments, feedback)

https://helpdesk.training.fortinet.com/support/home

11/30/2022
DO NOT REPRINT
© FORTINET

TABLE OF CONTENTS

00 SQL and Datasets (supplementary material) 4

01 Introduction and Initial Configuration 38
02 Administration and Management 67
03 RAID and HA 116
04 Device Management 140
05 Logs and Reports Management 174
 SQL and Datasets

DO NOT REPRINT
© FORTINET

This supplemental material aims to provide an overview of SQL and datasets. While teaching SQL in its
entirety is out of scope for FortiAnalyzer training, the goal is to provide you with enough information so you
can modify or create datasets for the purpose of extracting data for reports.

FortiAnalyzer Administrato 7.2 Study Guide 4

 SQL and Datasets

DO NOT REPRINT
© FORTINET

These are the topics we will explore in this lesson, beginning with datasets and SQL.

FortiAnalyzer Administrato 7.2 Study Guide 5

 SQL and Datasets

DO NOT REPRINT
© FORTINET

This section covers datasets. Datasets define what data is extracted from the database and represented in a
report’s chart.

While FortiAnalyzer does provide pre-defined datasets that address the most common queries, you need to
understand Structured Query Language, also known as SQL, in order to modify those datasets or create your
own.

FortiAnalyzer Administrato 7.2 Study Guide 6

 SQL and Datasets

DO NOT REPRINT
© FORTINET

A dataset is an SQL SELECT query. The result from that query—the specific data polled from the database—
is what populates a chart.

FortiAnalyzer includes many predefined datasets that contain some of the most common database queries.
These are available to view from the Datasets page.

This is an example of the default Top-Destinations-By-Sessions dataset.

FortiAnalyzer Administrato 7.2 Study Guide 7

 SQL and Datasets

DO NOT REPRINT
© FORTINET

When you are building your queries, you must use SQL syntax to interface with the database. When creating
or editing datasets, there is a Test button where you can test your query. If it is not formed correctly, an error
message appears. If it formed correctly, and the data you are querying is available in the database, the results
appear.

Note that SQL queries are not case-sensitive.

FortiAnalyzer Administrato 7.2 Study Guide 8

 SQL and Datasets

DO NOT REPRINT
© FORTINET

Now let’s take a closer look at the query itself. In order to understand this example dataset, and more
specifically, what it is querying, you need to understand SQL. SQL is what is known as a declarative
language—it describes what needs to be done rather then how to do it.

In an SQL database all information is represented as tables, each table consists of a set of rows and columns.
There are two types of tables:

• User tables, which contain information that is in the database, and

• System tables, which contain the database description.

FortiAnalyzer Administrato 7.2 Study Guide 9

 SQL and Datasets

DO NOT REPRINT
© FORTINET

In order to retrieve and manipulate data in the database, you need to use data manipulation language, which
is a family of syntax elements used by SQL. These syntax elements are SELECT, INSERT, UPDATE, and
DELETE. These are the first words used in a query—they are the declarative verbs describing what you want
done.

As far as FortiAnalyzer reports are concerned, only the SELECT statement is used. It is purely a read-only
query statement that is used to retrieve data from the database.

FortiAnalyzer Administrato 7.2 Study Guide 10

 SQL and Datasets

DO NOT REPRINT
© FORTINET

The SELECT statement is used to query the database and retrieve log data. In order to pull the data you want,
you must specify the criteria. For example, let’s say you want to query the database for a list of employees
who work in the IT department. In order to put this criteria into a language that SQL understands, you must
use a clause recognized by the SELECT statement.

The main clauses FortiAnalyzer reports use are:

• FROM, which specifies the table.

• WHERE, which specifies the conditions. All rows that do not satisfy the condition are eliminated from the
output.
• GROUP BY, which collects data across multiple records and groups the results by one or more columns.
• ORDER BY, which orders the results by rows. If ORDER BY is not given, the rows are returned in
whatever order the system finds the fastest to produce. And finally,
• LIMIT, which limits the number of records returned based on a specified value. OFFSET is another clause
often used along with LIMIT, which offset the results by the number specified. For example, if you place a
limit of 3 records and an offset of 1, the first record that would normally be returned is skipped and instead
the second, third, and fourth records (3 in total) are returned.

FROM is the only mandatory clause required to form a SELECT statement; the rest of the clauses are
optional and serve to filter or limit, aggregate or combine, and control the sort. It is also important to note that
the clauses must be coded in a specific sequence. This is to say that following the SELECT keyword, the
statement must be followed by one or more clauses in the order they appear in this table provided. For
example, you cannot use the WHERE clause before the FROM clause. You do not have to use all optional
clauses, but whichever ones you do use they have to be in the correct sequence.

FortiAnalyzer Administrato 7.2 Study Guide 11

 SQL and Datasets

DO NOT REPRINT
© FORTINET

SELECT is the first word used in any SQL query that involves FortiAnalyzer reports. This is a declarative
statement that instructs the program to query the column in the database for the information you want
returned. For example:

SELECT dstip

Dstip is the column name for destination IP in the SQL schema. Note that you can select more than one
column name and you can also have the column name appear under a more user friendly name in the results
table by appending the command with “as <friendly_name_of_column>. For example, SELECT dstip
as destination_ip. In the results table, the values for dstip will now appear under a column named
destination_ip.

If you want to return all data, you can use the * symbol. For example, SELECT *. Though most of the time
that is more information that you require.

At minimum, you must use the FROM clause with your SELECT statement. This instructs the program where
the information is located.

For example:

FROM $log

Here $log refers to the logs in the log type selected for the dataset, such as traffic logs or web filter logs to
name a few.

FortiAnalyzer Administrato 7.2 Study Guide 12

 SQL and Datasets

DO NOT REPRINT
© FORTINET

You can search multiple log types in order to combine the data so that you can compare and contrast
information. To do this, use the log type syntax associated with the specific log type. For example, if you want
to search both the traffic logs and web filter logs, use:

FROM $log-traffic, $log-webfilter

FortiAnalyzer Administrato 7.2 Study Guide 13

 SQL and Datasets

DO NOT REPRINT
© FORTINET

Out of all the optional clauses, the WHERE statement is really the heart of the query, because this is where
you specify the criteria.

The WHERE statement must always come after the FROM statement.

In this example, the first expression is $filter, which is used to restrict the results to the time period you
select. While the time period is not added to the query itself, it is specified by way of a drop-down box when
creating the dataset through the FortiAnalyzer GUI.

The second expression is dstip, which is the destination IP, while the third expression is NULL.

SQL supports logic operators as well, so you can use AND/OR/NOT statements in order to build out the
query. Operators will be discussed later in this lesson.

FortiAnalyzer Administrato 7.2 Study Guide 14

 SQL and Datasets

DO NOT REPRINT
© FORTINET

The GROUP BY clause is used to create one output row for each group. It is usually used with an aggregate
function within the SELECT statement. We will cover aggregate functions later, but essentially they perform a
calculation on a set of values and return a single value. If it is not used with an aggregate function, it is similar
to the DISTINCT clause, in that it removes duplicates from the result set of a SELECT statement.

In this example, the GROUP BY clause is use with an aggregate function. The aggregate function is
count(*), which selects all rows in a table, even if some columns contain a NULL value.

In this example, we are grouping by dstip (destination IP).

FortiAnalyzer Administrato 7.2 Study Guide 15

 SQL and Datasets

DO NOT REPRINT
© FORTINET

ORDER BY is a clause that allows you to sort queries by column name or column number. By default, rows of
an SQL query result table are not arranged in a particular order, so you can use the ORDER BY clause to sort
column values in either ascending (asc) or descending (desc) order. If you use this clause and do not specify
ascending or descending, the default is ascending.

You can order multiple columns and specify different sort orders for each. For example, you can sort one
column in ascending order and another column in descending order.

In this example, we are ordering by session in descending order.

FortiAnalyzer Administrato 7.2 Study Guide 16

 SQL and Datasets

DO NOT REPRINT
© FORTINET

By default, all results that satisfy the conditions specified in the query are returned. However, if you only want
to retrieve a subset of records, you can place a limit on the records returned. To do this, use the LIMIT clause
and specify the number of results you want. For example, LIMIT 7. This is a great way of making sure that
the query doesn’t use unnecessary CPU or memory, especially if you have a large scale deployment with lots
of devices logging to the FortiAnalyzer. You can also combine LIMIT with ORDER BY asc to get the “top <x>
results” (or desc for the “bottom <x> results”).

In conjunction with the LIMIT clause you can use the OFFSET clause. This offsets the results by a set value.
For example, if you place a limit of 7 records and an offset of 1, the first record that would normally be
returned is skipped and instead 2 through 8 are returned.

FortiAnalyzer Administrato 7.2 Study Guide 17

 SQL and Datasets

DO NOT REPRINT
© FORTINET

As we’ve been introducing and explaining the main SQL clauses, we’ve been forming a full dataset query
along the way. To visually see how it all ties together, we can use the dataset Test feature in the GUI. The
feature is intended to test or modify a query in order to get the specific output you want.

Ensure you select the log type for the query. The query uses the generic $log, but it references the log type
specified in the Log Type drop-down field (in this example, Traffic). You can enter the specific log type in the
query instead (for example, $log-traffic), but should you want to view this query on a different log type
later, it’s less risky and easier to change from the Log Type drop-down field than in the actual dataset query
itself.

On the right side of the dialog box, you must also specify the device or devices on which to use this query.
Here, we have specified All Devices.

You must also specify a time period for this query. As mentioned earlier, the $filter expression used with
our WHERE clause states that we want to limit the results to the time period we specify. The Time Period
drop-down box is where we specify this time period.

If there is an error in the query, the error message appears in the window below. If the query is correct, the
results appear in the window below. Since the results appear in the window below, we know our dataset has
been correctly formed.

FortiAnalyzer Administrato 7.2 Study Guide 18

 SQL and Datasets

DO NOT REPRINT
© FORTINET

Now let’s align the written query with the visual results to fully understand how the query is interpreted by
FortiAnalyzer.

SELECT dstip as destination_ip, count(*) as session: This says, select the destination IP
address and call the column “destination_ip”. Select the count (all data) and call the column “session”.

FROM $log: This says, query the traffic log for the data, which is specified in the Log Type drop-down list.

WHERE $filter and dstip is not null: This says, limit the results to the time period specified, which
is Today according to the selection in the Time Period drop-down list, and only provide destination IP
addresses that are not null. Note that “null” represents unknown data—it does not represent zero.

GROUP BY dstip: This says, group the results by destination IP. Remember, we specified we wanted dstip
put in a column called “destination_ip”.

ORDER BY session desc: This says, order the results by session in descending order. Note that the
results go from high (200) to low (4).

LIMIT 7: This says, only provide the first seven results.

OFFSET 1: This says, skip the first result, but still limit the results to the next 7 (i.e. 2 through 8).

FortiAnalyzer Administrato 7.2 Study Guide 19

 SQL and Datasets

DO NOT REPRINT
© FORTINET

Good job! You now understand datasets and SQL.

Now, let’s examine SQL functions and operators.

FortiAnalyzer Administrato 7.2 Study Guide 20

 SQL and Datasets

DO NOT REPRINT
© FORTINET

This section covers a few of the most common functions and operators used in FortiAnalyzer datasets—it is
not intended as a complete and exhaustive list.

FortiAnalyzer Administrato 7.2 Study Guide 21

 SQL and Datasets

DO NOT REPRINT
© FORTINET

SQL has two types of functions: “normal” functions and aggregate functions.

Aggregate functions use the entire column of data as their input and produce a single output, while the
“normal” functions operate on each element in the column of data.

FortiAnalyzer Administrato 7.2 Study Guide 22

 SQL and Datasets

DO NOT REPRINT
© FORTINET

One common function used in FortiAnalyzer datasets is NULLIF. The NULLIF function takes two arguments. If
the first two arguments are equal, then NULL is returned. Otherwise, the first argument is returned. Note that
NULL represents unknown data—it does not represent zero.

FortiAnalyzer Administrato 7.2 Study Guide 23

 SQL and Datasets

DO NOT REPRINT
© FORTINET

Another common function used in FortiAnalyzer datasets is COALSECE. The COALESCE function returns the
first non-NULL expression among its arguments. Null is returned only if all arguments are null. It is often used
to substitute a default value for null values when data is retrieved for display.

COALESCE is used with the SELECT statement. It takes one or more expressions as an argument. The
values do not have to be string data types—they can be any data type (and also different data types). The
syntax is:

COALESCE (expression 1, expression 2, …)

FortiAnalyzer Administrato 7.2 Study Guide 24

 SQL and Datasets

DO NOT REPRINT
© FORTINET

Aggregate functions are a special category with different rules, as they operate on entire columns of data
instead of discrete values. These functions perform a calculation on a set of values in a column and returns a
single value. Although aggregate functions are usually used in conjunction with the GROUP BY clause, these
functions can be used on their own in a SELECT statement.

This table includes a list of aggregate functions used in SQL. All can take an expression as an argument and
ignore null values, except for count. Count can take an asterisk as an argument. The asterisk in this case
means all rows are returned, even if some columns contain a NULL value.

An example of an expression used with an aggregate function is SELECT count(unauthuser). This would
return the number of unauthorized users.

FortiAnalyzer Administrato 7.2 Study Guide 25

 SQL and Datasets

DO NOT REPRINT
© FORTINET

Now let’s take a look at SQL operators. An operator is a reserved word or a character used primarily in an
SQL statement's WHERE clause to perform various operations.

There are three types of operators:

• Arithmetic operators
• Comparison operators
• Logical operators

FortiAnalyzer Administrato 7.2 Study Guide 26

 SQL and Datasets

DO NOT REPRINT
© FORTINET

Here are some examples of arithmetic operators. Arithmetic operators perform mathematical operations on
two expressions of one or more of the data types of the numeric data type category.

FortiAnalyzer Administrato 7.2 Study Guide 27

 SQL and Datasets

DO NOT REPRINT
© FORTINET

Here are some examples of comparison operators. Comparison operators test whether two expressions are
the same and can be used on all expressions except expressions of the text, ntext, or image data types.

FortiAnalyzer Administrato 7.2 Study Guide 28

 SQL and Datasets

DO NOT REPRINT
© FORTINET

Here are some examples of logical operators. Logical operators test for the truth of some condition. Like
comparison operators, they return a Boolean data type with a value of TRUE, FALSE, or UNKNOWN.

FortiAnalyzer Administrato 7.2 Study Guide 29

 SQL and Datasets

DO NOT REPRINT
© FORTINET

Good job! You now understand SQL functions and operators.

Now, let’s examine FortiAnalyzer functions and macros.

FortiAnalyzer Administrato 7.2 Study Guide 30

 SQL and Datasets

DO NOT REPRINT
© FORTINET

This section covers FortiAnalyzer functions and macros.

FortiAnalyzer includes some built-in functions that are based on known SQL functions, but scripted differently.

FortiAnalyzer also includes macros, which are best described as lengthy or complex SQL statements scripted
more simplistically. An SQL macro can be used anywhere in a query where an ordinary SQL expression can
be used.

FortiAnalyzer Administrato 7.2 Study Guide 31

 SQL and Datasets

DO NOT REPRINT
© FORTINET

One FortiAnalyzer-specific function is root_domain(hostname). This provides the root domain of the fully
qualified domain name. As per the query, in this example root_domain(hostname) is listed under the website
column in ascending order (the default for the ORDER BY clause if not specified).

FortiAnalyzer Administrato 7.2 Study Guide 32

 SQL and Datasets

DO NOT REPRINT
© FORTINET

Another FortiAnalyzer-specific function is nullifna, which takes an expression as an argument. The actual SQL
syntax this is based on is SELECT NULLIF(NULLIF(expression, 'N/A'), 'n/a').

In this example, if the user is n/a the source IP is displayed, otherwise it returns the user name. It performs the
inverse operation of the COALESCE function. As you can see in the user_src column, there are some IP
address and some user names.

FortiAnalyzer Administrato 7.2 Study Guide 33

 SQL and Datasets

DO NOT REPRINT
© FORTINET

email_domain and email_user are other FortiAnalyzer-specific functions. email_domain retrieves anything that
is after the @ symbol in an email address—the domain. email_user retrieves anything that is before the @
symbol in an email address.

As per the query, in this example email_user displays in the column e_user, while email_domain displays in
the column e_domain.

FortiAnalyzer Administrato 7.2 Study Guide 34

 SQL and Datasets

DO NOT REPRINT
© FORTINET

from_dtime and from_itime are other FortiAnalyzer-specific functions. from_dtime returns the device
timestamp without the time zone, while from_itime returns FortiAnalyzer’s timestamp without the time zone.

As per this query, from_itime appears in the column faz_local_time, while from_dtime appears in the column
dev_local_time.

FortiAnalyzer Administrato 7.2 Study Guide 35

 SQL and Datasets

DO NOT REPRINT
© FORTINET

Here are some common date and time macros used in FortiAnalyzer. Macros are simple substitutions for
more complex SQL statements—usually created for SQL statements that are frequently used.

FortiAnalyzer Administrato 7.2 Study Guide 36

 SQL and Datasets

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

FortiAnalyzer Administrato 7.2 Study Guide 37

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the key features and concepts of FortiAnalyzer, and how to initially
configure FortiAnalyzer.

FortiAnalyzer integrates logging, analytics, and reporting into one system so you can quickly identify and react
to network security threats.

FortiAnalyzer Administrato 7.2 Study Guide 38

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

In this lesson, you will explore the topics shown on this slide.

FortiAnalyzer Administrato 7.2 Study Guide 39

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in FortiAnalyzer key features and concepts, you will be able to use the device
effectively in your own network.

FortiAnalyzer Administrato 7.2 Study Guide 40

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

FortiAnalyzer aggregates log data from one or more Fortinet devices, thereby acting as a centralized log
repository. Log aggregation provides a single channel for accessing your complete network data, so you don’t
need to access multiple devices several times a day.

The logging and reporting workflow operates as follows:

1. Registered devices send logs to FortiAnalyzer.

2. FortiAnalyzer collates and stores those logs in a way that makes it easy to search and run reports.

3. Administrators can connect to FortiAnalyzer using the GUI to view the logs manually, or generate reports to
look at the data. You can also use the CLI to perform administrative tasks.

FortiAnalyzer Administrato 7.2 Study Guide 41

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

Some key features of FortiAnalyzer include reporting, alert generation, and content archiving.

Reports provide a clear picture of network events, activities, and trends occurring on supported devices.
FortiAnalyzer reports collate the information in the logs so that you can interpret the information and, if
necessary, take the required actions. You can archive and filter the network knowledge you glean from these
reports, as well as mine it for compliance or historical analysis purposes.

FortiAnalyzer events allow you to react quickly to threats, because it’s not realistic to physically monitor your
network around the clock. The system can generate events when specific conditions in the logs are met—
conditions you have configured FortiAnalyzer to monitor for registered devices. You can see your events on
the GUI, and you can also send them to multiple recipients by email, SNMP, or syslog. Additionally, events
that required further investigation can be used to generate new incidents

Content archiving provides a way to simultaneously log and archive full or summary copies of the content
transmitted over the network. You typically use content archiving to prevent sensitive information from getting
out of your organization's network. You can also use it to record network use. The data loss prevention (DLP)
engine can examine email, FTP, NNTP, and web traffic, but you must configure the archive setting for each
rule in a DLP sensor on FortiGate, so you can specify what you want to archive.

FortiAnalyzer Administrato 7.2 Study Guide 42

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

SQL is the database language that FortiAnalyzer uses for logging and reporting.

Advanced reporting capabilities require some knowledge of SQL and databases. For example, you may need
to compose custom SQL queries, known as datasets, to extract the data you require from the database.

FortiAnalyzer Administrato 7.2 Study Guide 43

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

FortiAnalyzer has two modes of operation: analyzer and collector. The mode of operation you choose
depends on your network topology and individual requirements.

When operating in analyzer mode, the device acts as a central log aggregator for one or more log collectors,
such as a FortiAnalyzer device operating in collector mode, or any other supported device sending logs.
Analyzer is the default operating mode.

When operating in collector mode, the device collects logs from multiple devices and then forwards those
logs, in their original binary format, to another device, such as a FortiAnalyzer operating in analyzer mode. It
can also send them to a syslog server or a common event format (CEF) server, depending on the forwarding
mode. A collector does not have the same feature-rich options as an analyzer, because its only purpose is to
collect and forward logs. It does not allow event management or reporting.

You can change the operating mode in the System Information widget on the dashboard.

FortiAnalyzer Administrato 7.2 Study Guide 44

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

By using both analyzer and collector modes, you increase FortiAnalyzer performance: Collectors offload the
task of receiving logs from multiple devices from the analyzer. This allows the analyzer to focus on data
analysis and reporting tasks.

Furthermore, because a collector is strictly dedicated to log collection, its log receiving rate and speed are
maximized. If bandwidth is an issue, like in the case of slow WAN links, you can use the store and upload
option to send logs only during low-bandwidth periods.

Since the collector does not perform any analytics tasks, it should have most of the disk space allocated for
archive logs.

FortiAnalyzer Administrato 7.2 Study Guide 45

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

FortiAnalyzer supports the Security Fabric by storing and analyzing the logs from the units in a Security Fabric
group as if the logs are from a single device. FortiAnalyzer correlates traffic logs to corresponding UTM logs
so that it can report sessions and bandwidth together with its UTM threats.

A session’s traffic logging is always done by the first FortiGate that handled it in the Security Fabric. FortiGate
devices in the Security Fabric know the MAC addresses of their upstream and downstream peers. If FortiGate
receives a packet from a MAC address that belongs to another FortiGate in the Security Fabric, it does not
generate a new traffic log for that session. This helps to eliminate the repeated logging of a session by
multiple FortiGate devices.

One exception to this behavior is that if the upstream FortiGate performs NAT, then another log is generated.
The additional log is needed to record NAT details such as translated ports and addresses.

Upstream devices complete UTM logging, if configured, and FortiAnalyzer performs UTM and traffic log
correlation for the Security Fabric, in order to provide a concise and accurate record of any UTM events that
may occur. No additional configuration is required for this to take place because FortiAnalyzer performs this
function automatically.

Note that each FortiGate in the Security Fabric logs traffic to FortiAnalyzer independent of the root or other
leaf devices. If the root FortiGate is down, logging from leaf FortiGate devices to FortiAnalyzer continues to
function.

FortiAnalyzer Administrato 7.2 Study Guide 46

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

This slide shows how logging functions in the Security Fabric to give full visibility while eliminating duplicate
logs throughout the environment.

There are three FortiGate devices configured in a Security Fabric along with a FortiAnalyzer device.
• FGT-A is installed between the corporate network and its internet service provider where it performs SNAT
on outbound communications for RFC-1918 hosts, as well as web filtering for HTTP/HTTPS sessions.
• FGT-B is installed in the access layer providing device detection, breach isolation, and basic DoS
protection from the attached end-user LANs.
• FGT-C is installed in the data center where it runs IPS for all inbound communications to the servers
behind it.

All traffic from Client-1 is received by FGT-B, which creates traffic logs for the initial session.

The web session is forwarded to FGT-A, which doesn’t duplicate the initial traffic log but does generate a
traffic log as a result of SNAT being applied to the session. Additionally, FGT-A applies a web filtering policy
to this session and generates the relevant UTM logs, if appropriate.

The SMB session is forwarded to FGT-A, which does not duplicate the initial traffic log. FGT-A doesn’t need to
perform NAT or apply web filtering, so it forwards the traffic to FGT-C. FGT-C also does not generate a
duplicate traffic log, but it performs IPS inspection based on its configuration and, should a signature match be
triggered that results in an action generating a log, logs the event.

FortiAnalyzer receives the various traffic and UTM logs and correlates them automatically so that they are
linked for proper viewing, reporting, and automation actions.

FortiAnalyzer Administrato 7.2 Study Guide 47

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

The FortiAnalyzer Fabric enables centralized viewing of devices, incidents, and events across multiple
FortiAnalyzers.

FortiAnalyzer Fabric includes two operation modes: supervisor and member.

Supervisors act as the root device in the FortiAnalyzer Fabric. SOC administrators can use the supervisor to
view member devices and their ADOMs, authorized logging devices, as well as incidents and events created
on members. Incident and event information is synced from members to the supervisor using the API.

Members are devices in the FortiAnalyzer Fabric that send information to the supervisor for centralized
viewing. When configured as a member, FortiAnalyzer devices continue to have access to the FortiAnalyzer
features identified in the FortiAnalyzer Administration Guide. Incidents and events are created or raised from
each member.

FortiAnalyzers configured with high availability (HA) can become members. However, HA is not supported for
FortiAnalyzers acting as the fabric supervisor.

All FortiAnalyzer Fabric members must be configured with the same time zone settings as the supervisor.

FortiAnalyzer Administrato 7.2 Study Guide 48

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

ADOMs allow you to group devices to monitor and manage. For example, administrators can manage devices
that are grouped based on their geographical location or business division.

The purpose of ADOMs is to:

• Divide administration of devices by ADOM and to control (restrict) administrator access. If your network
uses virtual domains (VDOMs), ADOMs can further restrict access to data that comes from the VDOM of a
specific device.
• More efficiently manage data policies and disk space allocation, which are set per ADOM

ADOMs are not enabled by default and can be configured only by the default admin administrator (or an
administrator who has the super user profile).

All Fortinet devices included in a Security Fabric can be placed into an ADOM of the Fabric type, allowing for
fast data processing and log correlation.

You will learn more about ADOMs later in this course.

FortiAnalyzer Administrato 7.2 Study Guide 49

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

FortiAnalyzer Administrato 7.2 Study Guide 50

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will learn to perform the most common initial configurations on FortiAnalyzer.

FortiAnalyzer Administrato 7.2 Study Guide 51

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in the initial configuration of FortiAnalyzer, you will be able to add FortiAnalyzer
to your network, and perform basic administrative tasks.

FortiAnalyzer Administrato 7.2 Study Guide 52

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

It is important to know the factory default settings, such as the default username and password, the port1 IP
address, the netmask, and the default supported management access protocols, so you can initially connect
to the management interface and configure FortiAnalyzer for your network.

You can find the default settings in your model-specific QuickStart Guide. Different FortiAnalyzer models have
different numbers of ports, but port1 is the management port and always has the same default IP address.

If you are deploying the FortiAnalyzer VM, the management IP address and its assignment depend on the
virtualization platform you are using. Visit visit https://docs.fortinet.com/product/fortianalyzer-public-cloud/7.0
for more details.

You can also configure your management IP on the CLI with the config system interface command.

FortiAnalyzer Administrato 7.2 Study Guide 53

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

Just like with FortiGate, the GUI and CLI are the two configuration tools you can use to manage FortiAnalyzer.
You can use both tools locally, by connecting directly to FortiAnalyzer, and remotely, based on your
configured settings. You can deny or permit access based on IP address.

When you use the CLI, you can run commands through the CLI Console widget, available on the GUI
dashboard, and through a terminal emulation application, such as PuTTY. Using PuTTY requires a separate
Telnet, SSH, or local console (DB-9) connection.

The FortiAnalyzer features available on the GUI and CLI depend on the profile of the administrator logged in
and the operation mode of FortiAnalyzer. For example, when operating in collector mode, the GUI doesn’t
include FortiView, Fabric View, Report, or FortiSOC. Also, if you are logged in with the Standard_User or
Restricted_User administrator profiles, full access privileges, like those granted to the Super_User profile,
are not available. The CLI also includes some settings that are not available through the GUI.

Any configuration changes you make using the GUI and CLI take effect immediately, without resetting the
FortiAnalyzer system or interrupting services.

Note that the SQL database is disabled by default when FortiAnalyzer is in collector mode, so logs that
require the SQL database are not available in collector mode unless the SQL database is enabled on the CLI.

FortiAnalyzer Administrato 7.2 Study Guide 54

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

To log in to the FortiAnalyzer GUI for the first time, open a browser and enter the URL https:// followed by
<the management IP address>. After the login screen opens, use the factory default administrator
credentials to log in. Type the username admin (in lower case) and leave the password field empty.

To log in to the CLI for the first time, you can use one of two methods:

• Integrated CLI Console: Log in to the GUI and click on the CLI icon located on the upper-right corner. You
are automatically logged in to the console.
• Terminal emulation application (such as PuTTY): Enter the FortiAnalyzer port1 IP address and select a
supported management access protocol, such as SSH. When connected and prompted to log in, use the
factory default administrator credentials.

FortiAnalyzer Administrato 7.2 Study Guide 55

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

The FortiAnalyzer Setup Wizard appears after you log in for the first time.

You can use it to register your FortiAnalyzer device with FortiCare, change the default password, set the
correct time zone, and set the device hostname.

You can choose to complete all or some of the steps now or at a later time.

Completed steps display a green check mark beside them.

FortiAnalyzer Administrato 7.2 Study Guide 56

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

The initial configuration of FortiAnalyzer is very similar to FortiGate.

In order to configure FortiAnalyzer for your network, you must set the IP address and netmask, select
supported administrative access protocols, and specify a default gateway for routing packets. You can do all
this on the Network page.

FortiAnalyzer Administrato 7.2 Study Guide 57

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

Setting your own IP address and netmask provides more security than using the default address and, if more
than one FortiAnalyzer is in the same network, different network settings are mandatory. The management
interface must have a dedicated (unique) address.

There are a few non-standard administrative access protocols that are worth mentioning as well:

• Web service: Allows access to FortiAnalyzer from a web service such as SOAP, a messaging protocol that
allows programs that run on disparate operating systems (such as Windows and Linux). The FortiAnalyzer
server runs on Linux.
• FortiManager: Allows FortiAnalyzer to be managed by a FortiManager.

FortiAnalyzer Administrato 7.2 Study Guide 58

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

If you want to configure another port on FortiAnalyzer, you can assign specific IPv4 or IPv6 static routes to a
different gateway, so that packets are delivered by a different route.

If you want to be able to resolve hostnames in the logs, you need a DNS server. The default primary and
secondary DNS server addresses are the FortiGuard DNS servers. You can use these addresses, or change
them to some other servers of your preference. It is a best practice to have both a primary and secondary
servers. Furthermore, response times are a consideration for DNS, so choose DNS servers as close as
possible to your network, such as your internet provider’s DNS.

FortiAnalyzer Administrato 7.2 Study Guide 59

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

Many FortiAnalyzer features require an accurate system time to work properly. It is highly recommended to
synchronize the system time with a reliable NTP server. This can be done under the System Information
widget included on the default dashboard.

To increase the bandwidth available to receive logs, and to add network redundancy to FortiAnalyzer, you can
configure one or more aggregate links. These are logical links that combine two or more physical interfaces,
effectively combining their bandwidth. Additionally, these links will remain active if there is at least one
working physical interface, hence adding network redundancy to your device.

VLANs are used to isolate different types of traffic in your network. This adds security and, if needed, allows
the application of different policies or priorities to that traffic. You can configure VLAN interfaces in
FortiAnalyzer to make use of the existing VLANs in your environment.

FortiAnalyzer Administrato 7.2 Study Guide 60

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

If you need to reset your configuration, you can use these commands:

• The execute reset all-settings command erases the show configuration on flash, which contains
the IP addresses and routes, while the execute reset all-except-ip command leaves the settings
for IP addresses and routes.

• The execute format disk command erases all device settings, images, databases, and log data on
disk, while preserving the IP addresses and routing info. You should always run this command after
resetting the configuration.

• If your environment requires it, you can use the execute format disk deep-erase command to
perform a low-level format of the disk one or more times. Keep in mind that this process can take a very
long time, even days, depending on the size of the disk being formatted and the number of rounds you
specify.

It is a best practice to run these commands while connected directly using the console port to avoid losing
access after the configuration is reset.

FortiAnalyzer Administrato 7.2 Study Guide 61

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

You can use the CLI commands shown on this slide to examine or troubleshoot system and network settings
on FortiAnalyzer.

FortiAnalyzer Administrato 7.2 Study Guide 62

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

To access and view system-related information, use the diagnose system print commands.

For a complete list of arguments, refer to the FortiAnalyzer CLI Reference, which you can obtain from
https://docs.fortinet.com.

FortiAnalyzer Administrato 7.2 Study Guide 63

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

FortiAnalyzer Administrato 7.2 Study Guide 64

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiAnalyzer Administrato 7.2 Study Guide 65

 Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

FortiAnalyzer Administrato 7.2 Study Guide 66

 Administration and Management

DO NOT REPRINT
© FORTINET

In this lesson, you will learn some administration and management functions you can use to better protect
FortiAnalyzer—and the sensitive log data it stores—against external or internal threats.

FortiAnalyzer Administrato 7.2 Study Guide 67

 Administration and Management

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiAnalyzer Administrato 7.2 Study Guide 68

 Administration and Management

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in using administrative access controls, you will be able to better safeguard the
administration of your FortiAnalyzer device and the sensitive data it collects.

FortiAnalyzer Administrato 7.2 Study Guide 69

 Administration and Management

DO NOT REPRINT
© FORTINET

For security reasons, one of the first tasks you should perform is to change the default admin password. It is
recommended that you do this during the Setup Wizard. You can also change it at any time on the
Administrators page by right-clicking the administrator user, and then selecting Change Password. Make
sure you enter a secure, strong password.

Be aware that there is no password recovery option for FortiAnalyzer!

If you forget your password and lose access to FortiAnalyzer, one option is to use the execute migrate
command that allows you to load a backup of the configuration.

Follow these steps:

1. Perform a factory reset on the VM or device.
2. Run the execute migrate command.
3. Use the default admin account and password (system settings are not restored).

The other option is to format the flash and reload the image (from the BIOS configuration menu). This erases
the system settings, including the administrative accounts.

So, make sure you remember your password or store it in a secure location.

FortiAnalyzer Administrato 7.2 Study Guide 70

 Administration and Management

DO NOT REPRINT
© FORTINET

You can increase the security of your administrator accounts by configuring a global password policy for all
administrators on the Admin Settings page. By default, the password policy is disabled.

The policy allows you to set a minimum password length, specify if characters or numbers must be included in
the password, and specify the number of days for which a password remains valid.

If you do set a password expiry, ensure you adhere to the policy and change the password before it expires
because there is no password recovery option.

FortiAnalyzer Administrato 7.2 Study Guide 71

 Administration and Management

DO NOT REPRINT
© FORTINET

Before reviewing the configuration settings, it is necessary to discuss the importance of security. FortiAnalyzer
stores your network log information, so it is vital that you protect your data correctly.

Here are some security recommendations:

• Deploy FortiAnalyzer in a protected and trusted private network. You should never deploy it outside the
network.
• Always use secure connection methods for administration: HTTPS for the GUI, or SSH for the CLI.
Methods like HTTP and Telnet use plain text, and are not secure, so an attacker can use packet-sniffing
tools to obtain information useful for breaching your network.
• Use trusted hosts on your users to allow logins only from specific locations. If you do need to open outside
access to the device so that remote FortiGate devices can connect, open only the ports necessary for this.
Additional open ports increase your security risk. If you need to open direct login access from the outside,
be sure to set up special user accounts for this and open only protocols that are secure. Use a secure
password because they are important if you start transmitting traffic over connections that anyone (that is,
the internet) could be listening to.
• Make sure you store your administrator password in a secure place because FortiAnalyzer does not
support password recovery.

FortiAnalyzer Administrato 7.2 Study Guide 72

 Administration and Management

DO NOT REPRINT
© FORTINET

Depending on your deployment, you may want to divide FortiAnalyzer administrative tasks among multiple
employees by creating additional administrative accounts. However, every additional individual to which you
give administrator access causes linear-to-exponential growth in risk.

In order to protect your network, you can control and restrict administrative access using the following
methods:

• Administrative profiles: Determine the level of access, or privileges, granted

• Trusted hosts: Determine from where a connection can be established
• ADOMs: Determine to which devices the administrator will have access to view and manage logs

By giving administrative access to multiple people, and employing methods of control, you can better protect
your network.

FortiAnalyzer Administrato 7.2 Study Guide 73

 Administration and Management

DO NOT REPRINT
© FORTINET

You should never give administrators more privileges than they need to fulfill their role. FortiAnalyzer comes
with four preinstalled default profiles that you can assign to other administrative users. Administrator profiles
define administrator privileges and are required for each administrative account. The four default profiles are:

• Super_User, which, like in FortiGate, provides access to all device and system privileges.
• Standard_User, which provides read and write access to device privileges, but not system privileges.
• Restricted_User, which provides read access only to device privileges, but not system privileges. Access
to the Management extensions is also removed.
• No_Permissions_User, which provides no system or device privileges. Can be used, for example, to
temporarily remove access granted to existing admins.

You can assign the default profiles to administrative accounts, or you can modify the individual privileges
associated with each default profile. Alternatively, you can create your own custom profiles.

FortiAnalyzer Administrato 7.2 Study Guide 74

 Administration and Management

DO NOT REPRINT
© FORTINET

In addition to controlling administrative access through administrator profiles, you can further control access
by setting up trusted hosts for each administrative user. This restricts administrators to logins from only
specific IPs or subnets. You can even restrict an administrator to a single IP address, if you define only one
trusted host IP.

The trusted hosts you define apply to both the GUI and the CLI when accessed through SSH.

FortiAnalyzer Administrato 7.2 Study Guide 75

 Administration and Management

DO NOT REPRINT
© FORTINET

Another way you can control administrative access is through ADOMs. Using ADOMs makes device
management more effective, because administrators need only to monitor and manage devices in their
assigned ADOMs. It also makes the network more secure, because administrators are restricted to only those
devices to which they should have access.

Administrators who have the Super_User profile have full access to all ADOMs. Administrators with any other
profile have access to only those ADOMs to which they are assigned—this can be one or more.

FortiAnalyzer Administrato 7.2 Study Guide 76

 Administration and Management

DO NOT REPRINT
© FORTINET

Instead of creating local administrators, where logins are validated by FortiAnalyzer, you can configure
external servers to validate your administrator logins. RADIUS, LDAP, TACACS+, and PKI can all be used to
authenticate administrators.

The image on this slide shows an example of an LDAP server configuration.

FortiAnalyzer Administrato 7.2 Study Guide 77

 Administration and Management

DO NOT REPRINT
© FORTINET

You can use the Match all users on remote server option to enable administrators to log in to FortiAnalyzer
using their credentials on a remote authentication server, such as RADIUS, TACACS+, and LDAP. This
option is useful for creating wildcard administrators and removes the need for FortiAnalyzer to store local
credentials, because a remote authentication server is being used. This simplifies administration. For
example, if an employee leaves the company, their account does not exist on FortiAnalyzer––they exist only
as a user on a remote authentication server. If you do not select this option, you must provide a password that
is used only if FortiAnalyzer is unable to connect to the authentication server.

You can set remote authentication server groups, which are listed as GROUP in the Admin Type drop-down
list, to extend administrator access. Usually, you create a wildcard administrator only for a single server.
However, if you group multiple servers, you can apply a wildcard administrator to all the servers in the group.
If you added an LDAP and RADIUS server to your authentication group and the administrator had login
credentials on both servers, then the administrator could authenticate on FortiAnalyzer using either their
LDAP or RADIUS credentials.

You can group multiple servers of the same type to act as backup—if one server fails, the administrator can
still be authenticated by another server in the group. You can add remote authentication server groups using
the CLI only. In the example shown on the slide, two existing LDAP servers were added. On the CLI (not
shown in the slide), an authentication server group was added and named AuthServers and the servers were
added to this group.

FortiAnalyzer Administrato 7.2 Study Guide 78

 Administration and Management

DO NOT REPRINT
© FORTINET

To add additional security to external administrators, you can configure two-factor authentication. To do this,
you need to use FortiAuthenticator and FortiToken.

On the FortiAnalyzer side, you need to create a RADIUS server that points to FortiAuthenticator and then
create an administrator account that points to the RADIUS server.

For more information about configuring external servers and two-factor authentication, see the FortiAnalyzer
Administration Guide.

FortiAnalyzer Administrato 7.2 Study Guide 79

 Administration and Management

DO NOT REPRINT
© FORTINET

In FortiAnalyzer, SAML can be enabled across all Security Fabric devices, enabling smooth movement
between devices for the administrator by means of single sign-on (SSO).

FortiAnalyzer can play the role of the identity provider (IdP), the service provider (SP), or Fabric SP, when an
external identity provider is available.

FortiAnalyzer Administrato 7.2 Study Guide 80

 Administration and Management

DO NOT REPRINT
© FORTINET

FortiAnalyzer Administrato 7.2 Study Guide 81

 Administration and Management

DO NOT REPRINT
© FORTINET

Good job! You now understand administrative access controls.

Now, you will learn how to monitor administrative events.

FortiAnalyzer Administrato 7.2 Study Guide 82

 Administration and Management

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in monitoring administrative events and tasks, you will be able to ensure
administrators are operating within their assigned role, thereby mitigating risk to your organization.

FortiAnalyzer Administrato 7.2 Study Guide 83

 Administration and Management

DO NOT REPRINT
© FORTINET

You can track administrator user sessions, including who is currently logged in and on what trusted host,
through the Administrators page. By default, only administrators with Super_User access can see the
complete list of administrators.

Administrators who are logged in are indicated by a green check mark.

FortiAnalyzer Administrato 7.2 Study Guide 84

 Administration and Management

DO NOT REPRINT
© FORTINET

FortiAnalyzer audits administrator activity, so you can source changes to an individual.

You can view the local event log messages, such as configuration changes and logins, on the Event Log
page. To fine-tune the results, you can add filters. For example, to view local events performed by a specific
administrative user, filter by user name.

FortiAnalyzer Administrato 7.2 Study Guide 85

 Administration and Management

DO NOT REPRINT
© FORTINET

The Task Monitor page allows you to view administrator tasks, as well as the progress and status of those
tasks.

FortiAnalyzer Administrato 7.2 Study Guide 86

 Administration and Management

DO NOT REPRINT
© FORTINET

FortiAnalyzer also allows you to monitor FortiGate administrative login activity through FortiView.

The Failed Authentication Attempts page shows failed login attempts, and includes the source IP of the
login, the login type, the interface, the protocol used, and the number of failed login attempts.

The FortiView > System > Admin Logins page (not shown on this slide) shows logins, failed logins, login
duration, and configuration changes.

FortiAnalyzer Administrato 7.2 Study Guide 87

 Administration and Management

DO NOT REPRINT
© FORTINET

Finally, FortiAnalyzer allows you to monitor FortiGate administrative activity using FortiView.

The System Events page shows all system and administrator-invoked events. To see more details about an
event type, right click on it and select View Related Logs to go to the corresponding section in LogView
where more information is available.

FortiAnalyzer Administrato 7.2 Study Guide 88

 Administration and Management

DO NOT REPRINT
© FORTINET

FortiAnalyzer Administrato 7.2 Study Guide 89

 Administration and Management

DO NOT REPRINT
© FORTINET

Good job! You now understand how to monitor administrative events and tasks.

Now, you will learn about administrative domains, known as ADOMs.

FortiAnalyzer Administrato 7.2 Study Guide 90

 Administration and Management

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objective shown in the slide.

By demonstrating competence in ADOMs, you will be able to group devices for administrators to monitor and
manage. You will also be able to manage data policies and disk space allocation more efficiently.

FortiAnalyzer Administrato 7.2 Study Guide 91

 Administration and Management

DO NOT REPRINT
© FORTINET

ADOMs are not enabled by default. By default, only administrators with Super_User access can enable and
configure ADOMs.

You can enable or disable ADOMs in the GUI through System Settings or the CLI with the command
config system global.

After you enable ADOMs, the system logs you out so it can reinitialize with the new settings. The maximum
number of ADOMs you can enable varies by FortiAnalyzer model.

After you log in with ADOMs enabled, you must select the ADOM you want to view from the list of configured
ADOMs.

FortiAnalyzer Administrato 7.2 Study Guide 92

 Administration and Management

DO NOT REPRINT
© FORTINET

A global ADOM configuration can operate in either Normal mode, which is the default mode, or Advanced
mode.

In Normal mode, you cannot assign virtual domains (VDOMs) from the same FortiGate device to multiple
FortiAnalyzer ADOMs. You must assign the FortiGate device, and all of its VDOMs, to a single ADOM.

In Advanced mode, you can assign VDOMs from the same FortiGate device to multiple FortiAnalyzer
ADOMs. This mode allows you to use the FortiView, Event Management, and Reports functions to analyze
data for individual VDOMs. Advanced mode results in more complicated management scenarios.

FortiAnalyzer Administrato 7.2 Study Guide 93

 Administration and Management

DO NOT REPRINT
© FORTINET

The image on this slide shows two scenarios, each consisting of a FortiGate unit with three VDOMs
configured.

On the top, when using normal mode, is not possible to assign different VDOMs to different ADOMs.

On the bottom, when using advanced mode, each VDOM can be assigned to different ADOMs.

FortiAnalyzer Administrato 7.2 Study Guide 94

 Administration and Management

DO NOT REPRINT
© FORTINET

On the All ADOMs page, you can see all configured ADOMs, as well as the default ADOMs for all non-
FortiGate devices. If the default ADOMs do not fit your requirements, you can create your own.

The ADOM type you create must match the device type you are planning to add. For example, if you want to
create an ADOM for a FortiGate, you must select FortiGate as the ADOM type. By default, the ADOM type is
set to Fabric for the root ADOM or when creating new ADOM.

During the creation of a new ADOM, you can set the disk quota. This quota is assigned to the ADOM, and not
the individual devices added to it. By default, the Maximum Allowed disk quota is set to 50 GB.

Note that you cannot delete default ADOMs. You also cannot delete custom ADOMs with assigned devices
until you remove all devices from that ADOM.

FortiAnalyzer Administrato 7.2 Study Guide 95

 Administration and Management

DO NOT REPRINT
© FORTINET

In FortiAnalyzer, all Fortinet devices in a Security Fabric can be placed in the same ADOM.

This allows for fast data processing, log correlation and enables combined results to be presented in Device
Manager, LogView, FortiView, Incidents & Events/FortiSoC, and Reports panes.

After a Fabric ADOM is created, it is listed under the Security Fabric section of All ADOMs.

FortiAnalyzer Administrato 7.2 Study Guide 96

 Administration and Management

DO NOT REPRINT
© FORTINET

FortiAnalyzer Administrato 7.2 Study Guide 97

 Administration and Management

DO NOT REPRINT
© FORTINET

Good job! You now understand ADOMs.

Now, you will learn how to manage disk quotas.

FortiAnalyzer Administrato 7.2 Study Guide 98

 Administration and Management

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding disk quota and how to modify it, you will be able to use disk
quotas more effectively in your network.

FortiAnalyzer Administrato 7.2 Study Guide 99

 Administration and Management

DO NOT REPRINT
© FORTINET

FortiAnalyzer devices have finite disk space. When the allotted log disk space is full, the following occurs:

• An alert message automatically generates on the Alert Message Console as an event log with the level
warning.
• The oldest logs are overwritten. This is the default setting, but you can adjust this behavior to stop logging
when the disk is full instead.

No administrator wants to lose valuable log data and run the risk of noncompliance with regard to data
retention. As such, it is vital you know your FortiAnalyzer disk quota, how it is enforced, and what space is
reserved and thus not available for storing logs.

FortiAnalyzer Administrato 7.2 Study Guide 100

 Administration and Management

DO NOT REPRINT
© FORTINET

Disk quota includes:

• Archive logs: These are logs compressed on hard disks and offline.

• Analytics Logs: These are the logs stored and indexed in the SQL database and online.

Analytic logs indexed in the SQL database require more disk space than Archive logs. The only exception to
this rule is when FortiAnalyzer is working in collector mode because the SQL database is not running.

An average indexed log is 600 bytes in size, and an average compressed log is only 80 bytes in size. Keep
this difference in mind when specifying the storage ratio for Analytics and Archive logs. The default ratio is
70%-30%.

FortiAnalyzer Administrato 7.2 Study Guide 101

 Administration and Management

DO NOT REPRINT
© FORTINET

By default, each ADOM is allowed 1000 MB (or just under 1 GB) worth of drive space on FortiAnalyzer in
order to store log data. However, this number is configurable. You can’t set the minimum below 100 MB, and
the maximum depends on the disk space allocation of the specific FortiAnalyzer device.

The FortiAnalyzer system reserves between 5% to 20% disk space for compression files, upload files, and
temporary report files, leaving about 80% to 95% disk space for allocation to devices.

It is important to note that if using RAID, the RAID level determines the disk size and reserved quota level.
See the table on the slide for more details.

FortiAnalyzer Administrato 7.2 Study Guide 102

 Administration and Management

DO NOT REPRINT
© FORTINET

You can obtain your disk log usage, including usage for each ADOM, using the CLI command diagnose
log device.

The total quota value is determined by subtracting the reserved space from the total system storage.

The allocated space is determined by adding the archive and analytics quota for all ADOMs.

The used space is determined by adding the archive and analytics logs and all the system files mounted on
the drive. You can receive the system file value by using the CLI command diagnose system print df.

FortiAnalyzer Administrato 7.2 Study Guide 103

 Administration and Management

DO NOT REPRINT
© FORTINET

Note that the License Information widget shows a lower value than the quota. This is because it reports only
on the number of logs pushed to FortiAnalyzer on that day. Furthermore, it reports only on the ingress traffic,
which is limited to the raw log portion. It doesn’t include the log archive, FortiGate store and upload logs,
FortiAnalyzer aggregated logs, or FortiClient logs.
The SQL database tables are not included either, because this indexing is done by FortiAnalyzer after the log
has been received.

FortiAnalyzer Administrato 7.2 Study Guide 104

 Administration and Management

DO NOT REPRINT
© FORTINET

Disk quota enforcement is performed by different processes:

• The logfiled process enforces the log file size and is also responsible for disk quota enforcement by
monitoring the other processes
• The sqlplugind process enforces the SQL database size
• The oftpd process enforces the archive file size

logfiled checks the processes every two minutes (unless system resources are high) and estimates the
space used by the SQL database. If the disk quota is estimated to be above 95%, FortiAnalyzer removes files
as needed until they are down to 85%.

FortiAnalyzer Administrato 7.2 Study Guide 105

 Administration and Management

DO NOT REPRINT
© FORTINET

Based on your log rate and device usage statistics, you may need to adjust your ADOM disk quota so you
don’t lose valuable log data.

Always monitor your log rate for each device in the ADOM. If you have a high volume of logs, increase the
ADOM quota so the oldest logs are not lost prematurely.

Allocating insufficient quota to an ADOM can cause many problems. It can:

• Prevent you from reaching your log retention objective

• Cause unnecessary CPU resources enforcing quota with log deletion and database trims
• Adversely affect reporting if the quota enforcement acts on analytical data before a report is complete

FortiAnalyzer Administrato 7.2 Study Guide 106

 Administration and Management

DO NOT REPRINT
© FORTINET

If increasing the disk quota is insufficient based on your monitored log rate, you may need to increase your
overall disk space.

With FortiAnalyzer VMs, you can dynamically add more disk space to your FortiAnalyzer by using the
procedure shown on this slide.

With a hardware FortiAnalyzer, you must add one or more disks. If you are using RAID, you will also have to
rebuild your RAID array if you add another disk. So, it is important to account for future growth and size
correctly from the outset.

FortiAnalyzer Administrato 7.2 Study Guide 107

 Administration and Management

DO NOT REPRINT
© FORTINET

FortiAnalyzer Administrato 7.2 Study Guide 108

 Administration and Management

DO NOT REPRINT
© FORTINET

Good job! You now understand disk quotas.

Now, you will learn how to back up your FortiAnalyzer and some general best practices.

FortiAnalyzer Administrato 7.2 Study Guide 109

 Administration and Management

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown in this slide.

By demonstrating competence in performing a system configuration backup and following best practices, you
will be able to minimize the downtime in the case of a system failure or accidental misconfiguration.

FortiAnalyzer Administrato 7.2 Study Guide 110

 Administration and Management

DO NOT REPRINT
© FORTINET

After you have completed your initial configuration, you should back it up as a best practice. You can perform
a backup directly on the GUI using the System Information widget.

The System Configuration backups contain everything except the actual logs and generated reports. You
can backup logs and reports using the GUI (Log View, Reports) or using the CLI with the command
execute backup.

What does the System Configuration backup include?

• System information, such as the device IP address and administrative user information
• Device list, such as any devices you configured to allow log access
• Report information, such as any configured report settings, as well as all your custom report details. These
are not the actual reports.

You can save the backup file as an encrypted file for additional security. Be aware that you can restore a
backup only to the same model and firmware version. Furthermore, if you require assistance from Fortinet
Support and your configuration is required to assist with troubleshooting, your backup should not be
encrypted.

If changes are made to FortiAnalyzer that affect your network negatively, you can restore the configuration
from any of your backups.

If your FortiAnalyzer is a VM, you can also use VM snapshots.

FortiAnalyzer Administrato 7.2 Study Guide 111

 Administration and Management

DO NOT REPRINT
© FORTINET

You can schedule your backups and have them stored in a remote server. FortiAnalyzer supports sending its
backup files to FTP, SCP and SFTP servers. The destination server must be preconfigured before you can
send the files. You must have valid credentials with read-write permissions in the destination folder.

This slide shows the commands used to schedule the backup jobs.

FortiAnalyzer Administrato 7.2 Study Guide 112

 Administration and Management

DO NOT REPRINT
© FORTINET

The following are some best practices for operating FortiAnalyzer:

• Always turn off FortiAnalyzer gracefully because not doing so can damage the databases.
• Have FortiAnalyzer running on an uninterruptable power supply (UPS) to prevent unexpected power-off
events. Also ensure your UPS is stable and has sufficient current to ensure expected behavior.
• For ease of use, save an unencrypted backup to a secure location. You should use an unencrypted backup
when dealing with Fortinet Support because it allows for offline access to the database configuration file.
• Synchronize the time on FortiAnalyzer and all registered devices with an NTP server for correct log
correlation.
• Implement a comprehensive backup plan that includes the configuration and the logs.
• Increase reliability by configuring high availability (HA) and link aggregation (available on models 2000E
and higher, and VMs).

FortiAnalyzer Administrato 7.2 Study Guide 113

 Administration and Management

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiAnalyzer Administrato 7.2 Study Guide 114

 Administration and Management

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to use administration and management
functions to better defend FortiAnalyzer—and the sensitive log data it stores—against external or internal
threats.

FortiAnalyzer Administrato 7.2 Study Guide 115

 RAID and HA

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to use RAID and high availability (HA) to make your FortiAnalyzer device
more resilient to hardware failures.

FortiAnalyzer Administrato 7.2 Study Guide 116

 RAID and HA

DO NOT REPRINT
© FORTINET

In this lesson, you will explore the topics shown on this slide.

FortiAnalyzer Administrato 7.2 Study Guide 117

 RAID and HA

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve objectives shown on this slide.

By demonstrating competence in RAID, you will be able to better safeguard your logs while they are stored
locally on FortiAnalyzer.

FortiAnalyzer Administrato 7.2 Study Guide 118

 RAID and HA

DO NOT REPRINT
© FORTINET

You can protect your logs by using a fault tolerant RAID solution. This improves your log availability should a
critical event on your FortiAnalyzer occur.

RAID is not supported on all FortiAnalyzer models.

FortiAnalyzer Administrato 7.2 Study Guide 119

 RAID and HA

DO NOT REPRINT
© FORTINET

Administering and managing your system also includes protecting your log information. This can include
introducing redundancy for your log data by making a copy of your logs to act as a backup should your system
stops running. The most commonly used method for high performance storage is RAID.

You can protect your logs by using a fault tolerant RAID solution. This improves your log availability should a
critical event on your FortiAnalyzer occur. However, keep in mind that not all FortiAnalyzer models support
RAID. Check your device specifications to verify if RAID is supported.

RAID combines two or more physical drives into a single logical drive.

RAID enables you to distribute your data among multiple hard drives. RAID distributes data across drives in
different ways, referred to as RAID levels. The level you select depends on your goal. Each level provides a
different balance of reliability, availability, performance, and capacity.

You can configure most devices in many types of RAID arrays. To set up a RAID array, you must have
multiple (at least two) drives that are the same size.

Note that RAID is not a replacement for backing up your logs. You should still back up your logs, even if you
employ RAID.

FortiAnalyzer Administrato 7.2 Study Guide 120

 RAID and HA

DO NOT REPRINT
© FORTINET

Basic RAID has two types of operation: mirroring and striping.

With mirroring, instead of writing the files to a single hard drive, it writes them to another hard drive as well.
This way you have a real-time copy of the data.

With striping, two or more drives are combined into a single logical drive. When data is stored on the logical
drive, it gets split into pieces and distributed across all the physical drives in the array.

It is important to note that not all RAID levels operate the same way. Some do only mirroring, others do only
striping, and some do both.

There are also versions that include distributed parity, which is a way to achieve data redundancy. With
distributed parity, parity data is distributed among multiple drives and requires three or more disks (RAID 5
and above). Also, the number of drives that can fail depends on the RAID level. Regardless of the level, too
many failed drives results in the loss of data.

Depending on the device model, you can build hardware RAID and/or software RAID.

Hardware RAID is always recommended because a dedicated controller card handles all the RAID operations
faster and more efficiently.

Software RAID means that the OS needs to handle all RAID operations on top of all its regular functions. This
affects performance; therefore it is not recommended unless it is the only option.

FortiAnalyzer Administrato 7.2 Study Guide 121

 RAID and HA

DO NOT REPRINT
© FORTINET

Not all FortiAnalyzer models support RAID, so the menu option to configure RAID may not appear on the GUI.
Be sure to check the model specifications to see if RAID is supported, and to what level.

If RAID is supported, you can configure RAID on the RAID Management page. Supported levels include
Linear, RAID 0, RAID 1, RAID 1 + spare, RAID 5, RAID 5 + spare, RAID 6, RAID 6 + spare, RAID 10, RAID
50, and RAID 60.

FortiAnalyzer Administrato 7.2 Study Guide 122

 RAID and HA

DO NOT REPRINT
© FORTINET

Some common RAID levels are: RAID 0 (striping), RAID 1 (mirroring) and its variants, RAID 5 (distributed
parity), RAID 6 (double parity), RAID 50 (striping and distributed parity), and RAID 60 (striping and distributed
double parity):

• RAID 0 consists of data split evenly across two or more disks. Speed and performance are the main goals.
There is no parity information or data redundancy. This means that there is no fault tolerance; if one disk
fails, it affects the entire array and the data is lost.
• RAID 1 consists of an exact copy of a set of data on two (most common) or more disks. Read performance
and reliability are the main goals. RAID 1 includes fault tolerance, so if one disk fails the other one can
keep working since it contains a complete copy of the data.
• RAID 5 consists of block-level striping with distributed parity. Data and parity are striped across three or
more disks. This RAID level provides better performance than mirroring as well as fault tolerance. It can
withstand the failure of a single drive, as subsequent reads can be calculated from the distributed parity, so
that no data is lost.
• RAID 6 extends RAID 5 by adding another parity block. Accordingly, it consists of block-level striping with
two parity blocks distributed across all member disks. It’s more robust than RAID 5, as the system can
remain operational even if two disks fail.

FortiAnalyzer Administrato 7.2 Study Guide 123

 RAID and HA

DO NOT REPRINT
© FORTINET

• RAID 10 combines the features of RAID 1 and RAID 0, making sure data is mirrored and spread across
multiple disks. RAID 10 balances performance and data security. It's possible to recover data if two
drives in a RAID 10 configuration fail, but it's dependent upon which two drives fail.
• RAID 50 combines block-level striping of RAID 0 with the distributed parity of RAID 5. Write performance is
improved over RAID 5 and it provides better fault tolerance than a single RAID 5 level. With this level, one
drive from each of the RAID 5 sets can fail.
• RAID 60 combines block-level striping of RAID 0 with the distributed double parity of RAID 6. Write
performance is affected, but the enhanced redundancy provides peace of mind. Dual parity allows the
failure of two disks in each RAID 6 array.

For more information about RAID levels, see the FortiAnalyzer Administration Guide.

Source: Wikipedia, standard RAID levels, and nested RAID levels

FortiAnalyzer Administrato 7.2 Study Guide 124

 RAID and HA

DO NOT REPRINT
© FORTINET

On the RAID Management page, you can also view the status of each disk in the RAID array and disk space
usage.

Disk status can be one of the following:

• Ready
• Rebuilding
• Initializing
• Verifying
• Degraded
• Inoperable

FortiAnalyzer Administrato 7.2 Study Guide 125

 RAID and HA

DO NOT REPRINT
© FORTINET

You can view any RAID failures on the Alert Message Console widget on the dashboard. A log message
appears in this widget if there are any failures.

If a hard disk on a FortiAnalyzer fails, you must replace it. On FortiAnalyzer models that support hardware
RAID, you can replace the disk while FortiAnalyzer is still running. This is known as hot swapping. Fortinet
supports hot swapping on hardware RAID only. On FortiAnalyzer devices with software RAID you must shut
down FortiAnalyzer before exchanging the hard disk.

FortiAnalyzer Administrato 7.2 Study Guide 126

 RAID and HA

DO NOT REPRINT
© FORTINET

Use the CLI command diagnose system raid status to view the health of the RAID array as well as
the health of the individual disks.

Use the command diagnose system raid hwinfo to view detailed information about the hardware for
the individual disks on FortiAnalyzer.

On FortiAnalyzer-VM, only the diagnose system disk usage command is available.

FortiAnalyzer Administrato 7.2 Study Guide 127

 RAID and HA

DO NOT REPRINT
© FORTINET

FortiAnalyzer Administrato 7.2 Study Guide 128

 RAID and HA

DO NOT REPRINT
© FORTINET

Good job! You now know how to use RAID to protect the log data.

Now, you will learn about using high availability (HA).

FortiAnalyzer Administrato 7.2 Study Guide 129

 RAID and HA

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve objectives shown on this slide.

By demonstrating competence in the configuration and troubleshooting of HA, you will be able to increase the
availability of your FortiAnalyzer implementation.

FortiAnalyzer Administrato 7.2 Study Guide 130

 RAID and HA

DO NOT REPRINT
© FORTINET

A FortiAnalyzer HA cluster provides the following:

• Provides real-time redundancy when the FortiAnalyzer primary device fails. If the primary device fails,
another device in the cluster is selected as the primary device.
• Synchronizes logs and data securely among multiple FortiAnalyzer devices. System and configuration
settings applicable to HA are also synchronized.
• Alleviates the load on the primary device by using secondary devices for processes such as running
reports.

A FortiAnalyzer HA cluster can have a maximum of four devices: one primary device with up to three
secondary devices. All devices in the cluster must be of the same FortiAnalyzer series and firmware and be
visible to each other on the network. All devices must run in the same operation mode: analyzer or collector.

Although the available disk space doesn’t need to match, it is important to ensure all cluster members have
enough storage for the expected logs. It’s recommended that all members have the same available storage.

When using FortiAnalyzer VMs as cluster members, all VMs must be running on the same platform. For
example, a VM running on VMware can’t form a cluster with a VM running in KVM.

FortiAnalyzer HA implementation works only in networks where Virtual Router Redundancy Protocol (VRRP)
is permitted. Therefore, it may not be supported by some public cloud infrastructures.

When FortiAnalyzer devices with different licenses are used to create an HA cluster, the license that allows
for the smallest number of managed devices is used.

FortiAnalyzer Administrato 7.2 Study Guide 131

 RAID and HA

DO NOT REPRINT
© FORTINET

In System Settings > HA, use the Cluster Settings section to create or change the HA configuration.

To configure a cluster, set the Operation Mode of the primary device to High Availability, and then select
the preferred role for the device when it joins the HA cluster.

In the Cluster Virtual IP section, you need to select the interface, and type the IP address for which the
FortiAnalyzer device is to provide redundancy. Once the cluster is up, the devices sending their logs must
point to this IP.

By default, the VRRP heartbeat packets are sent to the multicast address 224.0.0.18, and sourced from the
primary IP address of the first virtual IP interface configured. From the CLI, you can configure a different
interface to send the heartbeats, as well as set it to use unicast.

Next, you add the IP addresses and serial numbers of each secondary device to the primary device peer list.
The IP address and serial number of the primary device and all secondary devices must be added to each
secondary device. Cluster members need to be reachable at these IP addresses for the log synchronization
traffic. As shown on this slide and the previous one, these IP addresses don’t have to be on the same subnet
as the cluster virtual IP. On the contrary, it is recommended they are on separate subnets.

The primary device and all secondary devices must have the same Group Name, Group ID, and Password.
The Priority setting is used during the selection of the primary device in the cluster. You can assign a value
from 80 to 120, where a higher number has higher priority. The Log Data Sync option is enabled by default. It
provides real-time log synchronization among cluster members, after the initial log synchronization.

FortiAnalyzer Administrato 7.2 Study Guide 132

 RAID and HA

DO NOT REPRINT
© FORTINET

The initial selection of the primary device is based on the preferred rode configured. If the preferred role
is Primary, then this device becomes the primary device if it is configured first in a new HA cluster. If there is
an existing primary device, then this device becomes a secondary device. The default role is Secondary, so
that the device can synchronize with the primary device. A secondary device cannot become a primary device
until it is synchronized with the current primary device.

In the case of a primary device failure, FortiAnalyzer HA uses the following rules to select a new primary:

• All cluster devices are assigned a priority from 80 to 120. The default priority is 100. If the primary device
becomes unavailable, the device with the highest priority is selected as the new primary device. For
example, a device with a priority of 110 is selected over a device with a priority of 100.
• If multiple devices have the same priority, the device whose primary IP address has the greatest value is
selected as the new primary device. For example, 123.45.67.124 is selected over 123.45.67.123.
• If a new device with a higher priority or a greater value IP address joins the cluster, the new device does
not replace (or pre-empt) the current primary device automatically.

By default, the only parameter checked to trigger an automatic failover is the network reachability among the
cluster members. You can optionally configure HA to check the status of the Postgres database process to
initiate a failover if that process stops working. This is done from the CLI with the command set
healthcheck DB, under the system ha configuration mode.

FortiAnalyzer Administrato 7.2 Study Guide 133

 RAID and HA

DO NOT REPRINT
© FORTINET

To ensure logs are synchronized among all HA devices, FortiAnalyzer HA synchronizes logs in two states:
initial synchronization and real-time synchronization.

Initial synchronization: The primary device synchronizes its logs with new devices added to the cluster.
After initial synchronization is complete, the secondary device automatically reboots and rebuilds its log
database with the synchronized logs. You can see the status in the Cluster Status pane Initial Logs Sync
column

Real-time synchronization: After the initial log synchronization, the HA cluster goes into the real-time log
synchronization state. Log Data Sync is enabled by default for all devices in the HA cluster. When Log Data
Sync is enabled in the primary device, the primary device forwards logs in real time to all secondary devices.
This ensures that the logs in the primary and secondary devices are synchronized. If the primary device fails,
the secondary device selected to be the new primary device continues to synchronize logs with secondary
devices. If you want to use a FortiAnalyzer device as a standby device (not as a secondary), then you don't
need real-time log synchronization, so you can disable Log Data Sync.

Configuration synchronization provides redundancy and load balancing among the cluster devices. A
FortiAnalyzer HA cluster synchronizes the configuration of the following modules to all cluster devices:
• Device Manager
• Incidents and Events
• Reports
• Most System Settings

FortiAnalyzer HA synchronizes most system settings in the HA cluster. The table on this slide shows some of
the settings that are synchronized. Refer to the FortiAnalyzer Administration Guide for the complete list.

FortiAnalyzer Administrato 7.2 Study Guide 134

 RAID and HA

DO NOT REPRINT
© FORTINET

The FortiAnalyzer HA cluster can also balance the load and improve overall performance. Load balancing
enhances the following modules:
• Reports
• FortiView

When generating multiple reports, the loads are distributed to all HA cluster devices in a round-robin fashion.
When a report is generated, the report is synchronized with other devices so that the report is visible on all HA
device members. Similarly, for FortiView, cluster devices share some of the load when these modules
generate output for their widgets.

Like upgrading the firmware of a standalone FortiAnalyzer device, normal FortiAnalyzer operations may cause
temporary interruptions while the cluster firmware upgrades. Because of these interruptions, you should
upgrade the cluster firmware during a maintenance period. The steps to upgrade HA cluster firmware are
shown on this slide.

Note that you might not be able to connect to the FortiAnalyzer GUI until the upgrade synchronization process
is complete. During the upgrade, using SSH or Telnet to connect to the CLI might be slow. If necessary, use
the console to connect to the CLI.

FortiAnalyzer Administrato 7.2 Study Guide 135

 RAID and HA

DO NOT REPRINT
© FORTINET

The Cluster Status pane monitors the status of FortiAnalyzer devices in an HA cluster. This pane displays
information about the role of each cluster device, the HA status of the cluster, and the HA configuration of the
cluster. The following information is displayed:
• Role
• Serial Number
• IP
• Host Name
• Uptime/Downtime
• Initial Logs Sync
• Configuration Sync
• Message

You can use the CLI command diagnose ha status to display the same HA status information. This slide
also shows other useful CLI diagnosis commands to monitor and troubleshoot HA.

The image on the slide is only for demonstration purposes. It was intentionally taken on a misconfigured HA
cluster to illustrate some errors you might experience in a similar case.

FortiAnalyzer Administrato 7.2 Study Guide 136

 RAID and HA

DO NOT REPRINT
© FORTINET

FortiAnalyzer Administrato 7.2 Study Guide 137

 RAID and HA

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiAnalyzer Administrato 7.2 Study Guide 138

 RAID and HA

DO NOT REPRINT
© FORTINET

This slide show the objectives that you covered in this lesson.

You learned how to use RAID and high availability (HA) to make your FortiAnalyzer device more resilient
against hardware failures.

FortiAnalyzer Administrato 7.2 Study Guide 139

 Device Management

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to register devices on FortiAnalyzer for log collection, as well as how to
troubleshoot communication between FortiAnalyzer and its registered devices.

FortiAnalyzer Administrato 7.2 Study Guide 140

 Device Management

DO NOT REPRINT
© FORTINET

In this lesson, you will explore the topics shown on this slide.

FortiAnalyzer Administrato 7.2 Study Guide 141

 Device Management

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in device registration, you will be able to configure FortiAnalyzer to collect logs
from registered devices.

FortiAnalyzer Administrato 7.2 Study Guide 142

 Device Management

DO NOT REPRINT
© FORTINET

For FortiAnalyzer to start collecting logs from a device, that device must become a registered device on
FortiAnalyzer.

To FortiAnalyzer, there are only two types of devices: those that are registered and those that are
unregistered.

A registered device is one that has been authorized to store logs on FortiAnalyzer, whereas an unregistered
device is one that is requesting to store logs on FortiAnalyzer.

There are four ways you can register a device with FortiAnalyzer.

The first method involves a request for registration from a supported device. When the FortiAnalyzer
administrator receives that request, the request is accepted (though it can be denied).

The second method involves the FortiAnalyzer Add Device wizard. The device can be added based on its
serial number. If the device is supported, and all the details of the device are correct, the device becomes
registered.

FortiAnalyzer Administrato 7.2 Study Guide 143

 Device Management

DO NOT REPRINT
© FORTINET

The third method also involves the FortiAnalyzer Add Device wizard. The device is added using a pre-shared
key. After the device is configured and the correct pre-shared key is added, it is automatically registered. The
pre-shared key needs to be added from the device CLI.

Note that only FortiGate devices can be added using this method.

FortiAnalyzer Administrato 7.2 Study Guide 144

 Device Management

DO NOT REPRINT
© FORTINET

The fourth method uses the Fortinet Security Fabric authorization process.

This method requires that both FortiGate and FortiAnalyzer are running version 7.0.1 or higher. It is also
required that the FortiGate administrator has valid credentials to log in on FortiAnalyzer and complete the
registration.

FortiAnalyzer Administrato 7.2 Study Guide 145

 Device Management

DO NOT REPRINT
© FORTINET

There are two ways to initiate a request from a FortiGate device.

In the first method, FortiGate requests registration on FortiAnalyzer by enabling remote logging and specifying
the FortiAnalyzer IP. This is done from the Log & Report section as shown on this slide.

After clicking Apply, and if the request reaches the FortiAnalyzer successfully, you receive a warning asking
you to confirm the serial number of the FortiAnalyzer to verify it is the correct one.

Note that if you click Test Connectivity, you see the connection status as Unauthorized. This is because the
FortiAnalyzer administrator has not yet accepted the request to register. At this stage, FortiGate is still an
unregistered device.

After the request is made by the supported device, it automatically appears under the root ADOM in Device
Manager. The FortiAnalyzer administrator should review the details of the unauthorized device and, if
satisfied, authorize the device.

During acceptance of the registration request, if ADOMs are enabled, you have the option of keeping
FortiGate in the root ADOM, or adding it to any custom FortiGate ADOMs you may have configured, as
illustrated on this slide.

FortiAnalyzer Administrato 7.2 Study Guide 146

 Device Management

DO NOT REPRINT
© FORTINET

Using this method, the FortiGate administrator enables the Security Fabric. By enabling the Security Fabric,
FortiAnalyzer Logging is enabled by default. By configuring the FortiAnalyzer IP on the upstream FortiGate,
all the FortiGate devices connected to the upstream FortiGate through the Security Fabric receive the
configuration for FortiAnalyzer, and all the FortiGate devices connected through the Security Fabric request
registration on FortiAnalyzer.

Like in the previous method, after clicking Apply you receive a warning asking you to confirm the serial
number of the FortiAnalyzer to verify it is the correct one.

Note that if you click Test Connectivity, you see the connection status as Unauthorized. This is because the
FortiAnalyzer administrator has not yet accepted the request to register. At this stage, FortiGate is still an
unregistered device.

After the request is made by the supported device, it automatically appears under the root ADOM in Device
Manager. The FortiAnalyzer administrator should review the details of the unauthorized device and, if
satisfied, authorize the device.

During acceptance of the registration request, if ADOMs are enabled, you have the option of keeping
FortiGate in the root ADOM or adding it to any custom FortiGate ADOMs you may have configured. This was
illustrated on the previous slide.

Note that it is recommended to add all the FortiGate devices connected through the Security Fabric under one
ADOM. However, it is possible to separate the FortiGate devices and assign them to different ADOMs.

FortiAnalyzer Administrato 7.2 Study Guide 147

 Device Management

DO NOT REPRINT
© FORTINET

With this method, you use the device registration wizard in the FortiAnalyzer Device Manager. The
FortiAnalyzer administrator proactively initiates, and ultimately performs, the registration. The administrator
must have the specific serial number of the device that is to be registered. If the device information is verified,
the status reads “Device is added successfully”, and the device appears under Device Manager.

If ADOMs are enabled, the device is automatically registered to its device-specific ADOM. However, if you’ve
already created a custom ADOM and want to add the device directly to that ADOM instead, switch to the
ADOM before adding a device using the wizard.

FortiAnalyzer Administrato 7.2 Study Guide 148

 Device Management

DO NOT REPRINT
© FORTINET

With this method, you also use the Add Device wizard in the FortiAnalyzer Device Manager. The
FortiAnalyzer administrator proactively initiates, and ultimately performs, the registration. The administrator
must set a pre-shared key and fill in the other details about the device that is to be registered, such as the
device model. If the device information is verified, the status reads “Device is added successfully”, and the
device appears under Device Manager.

If ADOMs are enabled, the device is automatically registered to its device-specific ADOM. However, if you’ve
already created a custom ADOM and want to add the device directly to that ADOM instead, switch to the
ADOM before adding a device using the wizard.

The pre-shared key needs to be added from the device CLI to finish the process.

FortiAnalyzer Administrato 7.2 Study Guide 149

 Device Management

DO NOT REPRINT
© FORTINET

To use this method, you first configure FortiAnalyzer to accept authorizations through fabric connectors. You
must type which IP and port are to be used to receive the requests. By default, port 443 is used.

Next, the FortiGate administrator enables the Security Fabric to use FortiAnalyzer for logging, and then
initiates the authorization process from the FortiAnalyzer Status window.

The FortiGate administrator must have valid credentials on FortiAnalyzer to complete the registration process.
This is done by clicking Approve in the Fortinet Security Fabric window.

FortiAnalyzer Administrato 7.2 Study Guide 150

 Device Management

DO NOT REPRINT
© FORTINET

After you register various Fortinet devices, they appear on the Device Manager tab for that ADOM. You can
also view details about the log status and used storage for that ADOM.

Unregistered devices appear under the root ADOM only until they are registered and assigned to an ADOM.

FortiAnalyzer Administrato 7.2 Study Guide 151

 Device Management

DO NOT REPRINT
© FORTINET

By default, all registered devices are included in a default device group. You can create custom device groups
for better organization and more efficient management of those devices. For example, you can create custom
groups based on physical location and functionality.

Additionally, if your environment justifies it, device groups can be nested. For example, a device group named
Canada_Offices, can contain a nested group for each one of the locations in your network.

Spaces are not allowed in the names of custom device groups.

FortiAnalyzer Administrato 7.2 Study Guide 152

 Device Management

DO NOT REPRINT
© FORTINET

When a FortiGate device is registered, FortiAnalyzer automatically has permission to collect the following
types of logs, if they are enabled on FortiGate:

• Logs: This log type details information about traffic, events, and security.
• DLP Archive: This log type details information about any sensitive data trying to get in or out of your
network.
• Quarantine: This log type details files that have been placed into quarantine by the device sending the logs.
• IPS Packet Log: This log type details information about network packets containing the traffic matching IPS
signatures.

FortiAnalyzer Administrato 7.2 Study Guide 153

 Device Management

DO NOT REPRINT
© FORTINET

FortiAnalyzer Administrato 7.2 Study Guide 154

 Device Management

DO NOT REPRINT
© FORTINET

Good job! You now understand how to register a device.

Now, you will learn about ways to troubleshoot communication issues between FortiAnalyzer and your
registered devices.

FortiAnalyzer Administrato 7.2 Study Guide 155

 Device Management

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in communication troubleshooting, you will be able to efficiently troubleshoot

issues that could prevent log collection.

FortiAnalyzer Administrato 7.2 Study Guide 156

 Device Management

DO NOT REPRINT
© FORTINET

This slide shows some basic CLI commands that you can use to check system status, performance, and
hardware statistics.

FortiAnalyzer Administrato 7.2 Study Guide 157

 Device Management

DO NOT REPRINT
© FORTINET

When using the get system status command to troubleshoot system issues, the following information
can be helpful:

• Version: Ensure the FortiAnalyzer firmware version is compatible with the device you are registering (see
the FortiAnalyzer Release Notes for supported firmware versions).
• Admin Domain Configuration: Ensure ADOMs are enabled if attempting to register a non-FortiGate
device.
• Current Time: Ensure your date and time is set according to your needs. For many features to work,
including scheduling, logging, and SSL-dependent features, the FortiAnalyzer system time must be
accurate. While you can manually set the date and time, it is recommended that you synchronize with a
Network Time Protocol (NTP) server.
• Disk Usage: Ensure you have enough free disk space to accept and store logs from registered devices.
• License Status: Ensure you have a valid licence. This is for a VM only.

FortiAnalyzer Administrato 7.2 Study Guide 158

 Device Management

DO NOT REPRINT
© FORTINET

When using the get system performance command to troubleshoot system issues, look at the used
space for CPU, memory, hard disk, and flash disk. If any of these are nearing capacity, you may experience
issues with log collection. The used capacity need not be 100% before you experience problems. For
example, the space assigned to a hard disk quota is not fully available for logs, because some of it is reserved
for system usage and unexpected quota overflow.

For FortiAnalyzer VMs, note that a minimum of 8 GB is recommended for the memory.

FortiAnalyzer Administrato 7.2 Study Guide 159

 Device Management

DO NOT REPRINT
© FORTINET

The diagnose hardware info command provides useful details about CPU, memory (RAM), and disks.

The memory and RAID sections can be very useful while troubleshooting system issues.

The Memory info section provides a more granular breakdown of the memory than what is provided by the
get system performance command. For example, the total memory from get system performance
includes the total memory plus the swap memory. The diagnose hardware information command
shows a more detailed breakdown of all memory components.

Swap memory refers to the disk space available to use when the physical memory is full, and the system
requires more memory. For a temporary period, inactive pages in memory are moved to the swap space.

If RAID is enabled and being used as a high-performance storage solution, the RAID level impacts the
determination of disk size and reserved quota level.

FortiAnalyzer Administrato 7.2 Study Guide 160

 Device Management

DO NOT REPRINT
© FORTINET

This slide shows the FortiAnalyzer CLI commands you can run to discover which devices and IPs are
connecting to FortiAnalyzer, which ADOMs are enabled and configured, and which devices are currently
registered and unregistered.

FortiAnalyzer Administrato 7.2 Study Guide 161

 Device Management

DO NOT REPRINT
© FORTINET

If you are experiencing communication issues between other devices and FortiAnalyzer, first ensure that both
devices can reach each other. Use the execute ping CLI command on either device to verify reachability
(ping must be enabled and allowed by all intermediate firewalls).

You can also run sniffers on both devices to see if packets that leave FortiGate are reaching FortiAnalyzer. If
packets are leaving FortiGate, but not reaching FortiAnalyzer, look at other devices in the network, because
an intermediate router or firewall may be blocking the traffic or routing it inappropriately.

Other areas to check:

• Is FortiGate configured for remote logging to FortiAnalyzer?

• Is the FortiAnalyzer source IP set on FortiGate? This is important if FortiAnalyzer is accessed over a VPN
that only allows a specific subnet.
• Are the logging filters for logs sent to FortiAnalyzer enabled on FortiGate?
• Is FortiGate capable of generating logs and can FortiAnalyzer receive them? If you don’t see any logs on
FortiGate, you must examine the logging issue on FortiGate before proceeding with troubleshooting the
FortiAnalyzer side.

FortiAnalyzer Administrato 7.2 Study Guide 162

 Device Management

DO NOT REPRINT
© FORTINET

You can use the following commands at the same time to troubleshoot communication issues:

Step one:
Run the diagnose debug application oftpd 8 command on FortiAnalyzer to view current log activity

Step Two:
Run the diagnose log test command on FortiGate to send some test logs to FortiAnalyzer:

Step Three:
Review the output shown on this slide. If everything is working as expected and logs are being received, you
should see some entries on the FortiAnalyzer side.

FortiAnalyzer Administrato 7.2 Study Guide 163

 Device Management

DO NOT REPRINT
© FORTINET

If FortiAnalyzer becomes unavailable to a FortiGate device for any reason, the FortiGate uses its miglogd
process to cache the logs. There is a maximum value to the cache size, and the miglogd process drops
cached logs starting with the oldest ones first.

When the connection between the two devices is restored, the miglogd process begins to send the cached
logs to FortiAnalyzer. The FortiGate buffer keeps logs long enough to sustain a reboot of your FortiAnalyzer (if
you are upgrading the firmware, for example). This is not intended for a lengthy FortiAnalyzer outage.

On FortiGate, the CLI command diagnose test application miglogd 6 displays statistics for the
miglogd process, including the maximum cache size, and current cache size.

The CLI command diagnose log kernel-stats shows an increase in failed-log if the cache is full
and needs to drop logs.

FortiGate devices with an SSD disk have a configurable log buffer. When the connection to FortiAnalyzer is
unreachable, FortiGate can buffer logs on disk if the memory log buffer is full. The logs queued on the disk
buffer can be sent successfully once the connection to FortiAnalyzer is restored.

FortiAnalyzer Administrato 7.2 Study Guide 164

 Device Management

DO NOT REPRINT
© FORTINET

FortiAnalyzer Administrato 7.2 Study Guide 165

 Device Management

DO NOT REPRINT
© FORTINET

Good job! You now understand how to troubleshoot communication issues.

Now, you will learn how to manage registered devices.

FortiAnalyzer Administrato 7.2 Study Guide 166

 Device Management

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in moving devices between ADOMs and adding FortiGate devices members of
HA clusters, you will be able to manage registered devices effectively in your network.

FortiAnalyzer Administrato 7.2 Study Guide 167

 Device Management

DO NOT REPRINT
© FORTINET

You can move devices between ADOMs after registration on the All ADOMs page.

While you shouldn’t move devices between ADOMs unless you have to, one such use case is if you have a
mix of low-volume and high-volume log rates in one ADOM. In this situation, it is recommended that you place
low-volume log rate devices in one ADOM and high-volume log rate devices in another ADOM. This prevents
quota enforcement from adversely affecting low-volume log devices.

You can move devices between ADOMs by editing the custom ADOM you want to add the device to, and then
selecting the device(s) to add to it.

Note that you do not need to move devices into a new ADOM if you upgrade your FortiGate firmware.

FortiAnalyzer Administrato 7.2 Study Guide 168

 Device Management

DO NOT REPRINT
© FORTINET

There are some important considerations when moving devices between ADOMs, especially if logs are
already being collected for the device you are moving:

• What is the disk quota of the new ADOM? Ensure the new ADOM has enough space.
• Are the device analytics logs required for reports in the new ADOM? If so, you must rebuild the new ADOM
SQL database. When you move a device, only the archive logs (compressed logs) are migrated to the new
ADOM. The analytics logs (indexed logs) stay in the old ADOM until you rebuild the database.
• Do you want to see the device analytics logs in the old ADOM? If no, you need to rebuild the old ADOM
SQL database. Otherwise, they are removed according to the data policy.

FortiAnalyzer Administrato 7.2 Study Guide 169

 Device Management

DO NOT REPRINT
© FORTINET

FortiAnalyzer automatically discovers if a FortiGate device is in an HA cluster (this is also true for some other
Fortinet devices). However, if you register your device with FortiAnalyzer before adding it to a cluster, you can
manually add the cluster within FortiAnalyzer.

With an HA cluster, the only device that communicates with FortiAnalyzer is the primary device in the cluster.
The other devices send their logs to the primary, which then forwards them to FortiAnalyzer.

To enable a cluster, edit the registered device on FortiAnalyzer in Device Manager and enable the HA Cluster
option. You can either add existing devices to the cluster, or manually enter the serial numbers associated
with each device.

FortiAnalyzer distinguishes different devices by their serial numbers, which are found in the headers of all the
different log messages it receives.

FortiAnalyzer Administrato 7.2 Study Guide 170

 Device Management

DO NOT REPRINT
© FORTINET

FortiAnalyzer Administrato 7.2 Study Guide 171

 Device Management

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiAnalyzer Administrato 7.2 Study Guide 172

 Device Management

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to add, manage, and maintain devices in
your network.

FortiAnalyzer Administrato 7.2 Study Guide 173

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to protect and manage logs on FortiAnalyzer. You will also learn about basic
report concepts and common report management tasks.

FortiAnalyzer Administrato 7.2 Study Guide 174

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

In this lesson you will explore the topics shown on this slide.

FortiAnalyzer Administrato 7.2 Study Guide 175

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding the log file workflow, and the different ways you can protect
your log data, you will be able to meet organizational and legal requirements for logs..

FortiAnalyzer Administrato 7.2 Study Guide 176

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

When registered devices send logs to FortiAnalyzer, logs enter the following automatic workflow:

1. Logs received are decompressed and saved in a log file on the FortiAnalyzer disk. The log file has the
extension .log. For example, FortiGate logs are saved with the names tlog.log and elog.log, for traffic and
event logs respectively. Note that FortiGate security logs are included in the tlog.log file.

2. The saved logs are simultaneously indexed in the SQL database to support analysis. Logs in the indexed
phase are known as analytics logs. These logs are considered online and offer immediate analytic
support. You can view these logs using Log View, FortiView, FortiSoC, and Reports. Analytics logs are
purged from the SQL database as specified in the ADOM data policy.

3. Eventually, when the log file reaches a configured size, or at a set schedule, it is rolled over. The process
of rolling over consists of renaming the file adding a timestamp, and then compressing it, which adds the
.gz extension. These files are known as archive logs and are considered offline so they don’t offer
immediate analytic support. Combined, they count toward the archive quota and retention limits, and they
are deleted based on the ADOM data policy. You can view these logs using Log Browse.

FortiAnalyzer Administrato 7.2 Study Guide 177

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

RAID should not be considered a replacement for backing up your logs. You can back up your logs through
the GUI or CLI.

• Log View allows you to download a specific filtered view.

• Log Browse allows you to download rolled logs. FortiAnalyzer also provides the option to upload logs to
an FTP, SFTP, or SCP server on a scheduled basis.
• The CLI command execute backup logs sends everything to whatever device or devices you specify.
The data is compressed before being sent, so the transfer doesn’t begin instantaneously. The device
needs to process the logs and store them in an archive, which can take some time. This bulk data dump
may include a lot of data, so make sure your server has enough disk space.

You can restore logs using the GUI and the CLI.

FortiAnalyzer Administrato 7.2 Study Guide 178

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

Storage connectors allow you to back up data (rolled logs) to public cloud accounts in Amazon S3, Microsoft
Azure, and Google Cloud.

Support for this feature requires you to configure the following components on FortiAnalyzer:
• Create a fabric connector for Amazon S3, Microsoft Azure, or Google Cloud.
• Configure cloud storage.

Fabric connectors also enable FortiAnalyzer to send notifications to ITSM platforms when a new incident is
created or for any subsequent updates. This approach is more efficient than third-party platforms polling
information from the FortiAnalyzer API at predefined intervals, which could result in FortiAnalyzer
performance degradation.

Security Fabric connectors enrich incident response-related actions available on FortiSOC.

FortiAnalyzer Administrato 7.2 Study Guide 179

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

In order to send logs to cloud platforms, you must buy a separate license for the Storage Connector Service.
This license includes:
• Storage limitation: amount of data that can be uploaded to the cloud platform.
• Expiry date: the date up to which the storage data can be sent. Normally valid for one year.

This license does not include the storage used on the cloud provider. It includes only the amount of data that
you can transfer. To configure this feature, you must have an account with permissions to access the cloud
storage. Refer to the FortiAnalyzer Administration Guide for more details.

Note that if uploaded logs reach data storage limitations before the license expires, you must renew the
license in order to continue to use this service.

After the license is uploaded, you can enable the Upload logs to cloud storage feature under System
Settings > Device Log Settings, and then select the cloud storage platforms that the data will be sent to.

You can use the diagnose fmupdate dbcontract fds command to find out about the license validity
and expiry details.

The diagnose test application uploadd 63 command gives details, such as usage quota, total
data upload in GB, total number of files uploaded, number of days remaining until license expiry, and number
of uploaded requests that were dropped.

FortiAnalyzer Administrato 7.2 Study Guide 180

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

To protect your logs during log delivery, you can add redundancy to your environment. In a FortiGate-
FortiAnalyzer environment, there are a few options.

One option is to configure a FortiAnalyzer HA cluster. FortiAnalyzer HA provides real-time redundancy when a
FortiAnalyzer primary device fails. If the primary device fails, another device in the cluster is selected as the
primary device. It synchronizes logs and data securely among multiple FortiAnalyzer devices. System and
configuration settings applicable to HA are also synchronized. It also provides load balancing for processes,
such as running reports.

The second option is to configure FortiGate to send an identical set of logs to a second logging server, such
as a second FortiAnalyzer or a syslog. Note that this increases the load on the FortiGate device because the
log daemon must handle an additional TCP connection to the second log device. However, with proper
system sizing, this additional load is not a factor. This option is not available for smaller FortiGate devices that
do not support a second device.

Another option is to set up log forwarding in aggregation mode. Generally, your central (aggregating) device is
going to be a larger FortiAnalyzer, but this is not a requirement. The collector sends a delta (incremental
changes) of the logs to the aggregation server. The two devices compare what they have stored, and the
collector sends only what the analyzer doesn’t have. This not only reduces the amount of traffic that is sent,
but it also provides a level of redundancy. If there’s a catastrophic failure of the analyzer device, the collector
sends all the data it has and repopulates the restored analyzer automatically. Aggregation mode is only
supported between two FortiAnalyzer devices.

FortiAnalyzer Administrato 7.2 Study Guide 181

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

Log forwarding can run in modes other than aggregation mode, which is only applicable between two
FortiAnalyzer devices. FortiAnalyzer can also forward logs in real-time mode to a syslog server, a Common
Event Format (CEF) server, or another FortiAnalyzer. The FortiAnalyzer that forwards logs to another plays
the role of the client, while the recipient plays the role of the server.

To configure log forwarding, you must complete the following:

1. Set the log forwarding mode: aggregation or forwarding.

• Forwarding mode forwards logs as they are received. It does not forward content files (DLP,
antivirus quarantine, and IPS).
• Aggregation mode stores logs and content files and uploads them to the FortiAnalyzer server at a
scheduled time.
2. Configure the server (the log recipient).
3. Configure the client (the FortiAnalyzer forwarding the logs). Here you can also specify which device logs
to forward and set log filters to only send logs that match filter criteria.

In addition to forwarding logs, the FortiAnalyzer client retains a local copy of the logs. The local copy of logs
are subject to the data policy settings for archive logs on the FortiAnalyzer client.

FortiAnalyzer Administrato 7.2 Study Guide 182

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

In the default configuration, there are two communication streams between FortiGate and FortiAnalyzer. One
is the OFTP communication, which is encrypted, and the other is the log communication, which is not.

OFTP is used over SSL when information is synchronized between FortiAnalyzer and FortiGate. OFTP listens
on port TCP/514. Port UDP/514 is used for unencrypted log communication.

The log communication between devices can be protected by encryption, with the desired encryption level,
using the commands shown on the slide.

SSL communications are auto-negotiated between FortiAnalyzer and FortiGate, so the OFTP server uses
SSL-encrypted FTP, only if it is being used by the connecting FortiGate. By default, FortiGate uses the high
encryption level and FortiAnalyzer uses the high encryption level. The FortiAnalyzer encryption level must be
equal to, or less than, the FortiGate device.

FortiAnalyzer Administrato 7.2 Study Guide 183

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

To prevent logs from being tampered with while in storage, you can add a log checksum using the config
system global command. You can configure FortiAnalyzer to record a log file hash value, timestamp, and
authentication code when the log is rolled and archived and when the log is uploaded (if that feature is
enabled). This can also help against man-in-the-middle only for the transmission from FortiAnalyzer to an
SSH File Transfer Protocol (SFTP) server during log upload.

The following log checksums are available:

• md5: Record log file MD5 hash value only.

• md5-auth: Record log file MD5 hash value and authentication code.
• none: Do not record the log file checksum.

You can also change the OFTP certificate to a custom one using the config system certificate oftp
command. You require a Privacy-Enhanced Mail (PEM) formatted certificate and associated PEM-formatted
private key.

FortiAnalyzer Administrato 7.2 Study Guide 184

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

Aside from increasing your disk log quota, what can you do to better manage your logs on disk?

You can:

• Specify a global log roll policy to roll or upload logs when the size exceeds a set threshold
• Specify a global automatic deletion policy for all log files, quarantined files, reports, and content archive
files on FortiAnalyzer

FortiAnalyzer Administrato 7.2 Study Guide 185

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

FortiAnalyzer Administrato 7.2 Study Guide 186

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

Good job! You now understand how to manage your log data.

Now you will learn about basic report concepts.

FortiAnalyzer Administrato 7.2 Study Guide 187

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding report concepts, you will be able to use reports more
effectively to extract collected log data from your database.

FortiAnalyzer Administrato 7.2 Study Guide 188

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

The purpose of a report is to summarize large amounts of logged data. Based on configured report
parameters, FortiAnalyzer extracts data and presents it in a graphical manner that makes it easier—and
quicker—to digest. The patterns and trends that reports reveal already exist as several points of data within
your database, but it would be difficult and time consuming to manually locate, cross-reference, and analyze
multiple log files, especially if you don’t know what trend or pattern you are looking for. Once configured,
reports do the investigation for you and provide a quick and detailed analysis of activity on your network. You
can then use that information to better understand your network or improve your network security.

Note that reports do not provide any recommendations or give any indication of problems. Administrators
must be able to look beyond the data and charts to see what is happening within their network.

FortiAnalyzer Administrato 7.2 Study Guide 189

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

A FortiAnalyzer report is a set of data organized in charts. Charts consist of two elements:

• Datasets: Structured Query Language (SQL) SELECT queries that extract specific data from the database
• Format: how the data is displayed (for example, pie charts, bar charts, or tables)

FortiAnalyzer Administrato 7.2 Study Guide 190

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

As the graphic on this slide shows, the SQL database contains all the logs. A SQL SELECT query polls the
database for specific information. Based on the query, a subset of information stored in the logs is extracted.

This subset of data populates a chart, and one or more charts exist within a report.

FortiAnalyzer Administrato 7.2 Study Guide 191

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

When ADOMs are enabled, each ADOM has its own reports, libraries, and advanced settings. As such, make
sure that you are in the correct ADOM before selecting a report.

Additional reports for specific Fortinet devices are available only when ADOMs are enabled. You can
configure and generate reports for these devices within their respective ADOMs. These devices also have
device-specific charts and datasets.

FortiAnalyzer Administrato 7.2 Study Guide 192

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

FortiAnalyzer Administrato 7.2 Study Guide 193

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

Good job! You now understand the basic concepts of reports in FortiAnalyzer.

Now you will learn how to mange reports.

FortiAnalyzer Administrato 7.2 Study Guide 194

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in report management, you will be able to handle, store, and more efficiently
control reports and report generation.

FortiAnalyzer Administrato 7.2 Study Guide 195

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

You can configure FortiAnalyzer to email generated reports to specific administrators, or to upload generated
reports to a syslog server. This allows reports to exist externally, instead of remaining locally on FortiAnalyzer.

In order to use any of these external storage methods, you must first set up the back end. This includes
configuring a mail server (for emailed reports only) and an output profile. If ADOMs are enabled, each ADOM
has its own output profiles.

The output profile specifies the following:

• The format of the report, such as PDF, HTML, XML, CSV, and JSON
• Whether to email generated reports or upload to a server. You can specify one option, both, or create
multiple outlook profiles. Server options include FTP, SFTP, and SCP.
• Whether to delete the report locally after uploading to the server

FortiAnalyzer Administrato 7.2 Study Guide 196

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

When a report generates, the system builds the charts from precompiled SQL hard-cache data, known as
hcache. If the hcache is not built when you run the report, the system must create the hcache first and then
build the report. This adds time to the report generation. However, if no new logs are received for the reporting
period, when you run the report a second time it is much faster because the hcache data is already
precompiled.

To boost the report performance and reduce report generation time, you can enable auto-cache in the settings
of the report. In this case, the hcache is automatically updated when new logs come in and new log tables are
generated.

Note that hcache is automatically enabled for scheduled reports. If you are not scheduling a report, you may
want to consider enabling hcache. This ensures reports are efficiently generated. However, be aware that this
process uses system resources (especially for reports that require a long time to assemble datasets), so you
should monitor your system to ensure it can handle it.

Additionally, you can opt for enabling Extended Log Filtering to cache specific log fields for faster filtering.

FortiAnalyzer Administrato 7.2 Study Guide 197

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

FortiAnalyzer Administrato 7.2 Study Guide 198

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiAnalyzer Administrato 7.2 Study Guide 199

 Logs and Reports Management

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to manage the log data and reports in
FortiAnalyzer.

FortiAnalyzer Administrato 7.2 Study Guide 200

DO NOT REPRINT
© FORTINET

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.