Fortinet FortiAnalyzer 3.0 MR7 Administration Manual Download Page 151 | Manualshive

Page: 151 / 234

background image

Network Analyzer

Connecting the FortiAnalyzer unit to analyze network traffic

FortiAnalyzer Version 3.0 MR7 Administration Guide
05-30007-0082-20080908

141

Network Analyzer

Network Analyzer can be used as an enhanced local network traffic sniffer to
diagnose areas of the network where firewall policies may require adjustment, or
where traffic anomalies occur.

Network Analyzer logs all traffic seen by the interface for which it is enabled. If
that network interface is connected to the span port of a switch, observed traffic
will include all traffic sent through the switch by other hosts. You can then locate
traffic which should be blocked, or which contains other anomalies.

All captured traffic information is saved to the FortiAnalyzer hard disk. You can
then display this traffic information directly, search it, or generate reports from it.

This section describes how to enable and view traffic captured by the Network
Analyzer. It also describes Network Analyzer log storage configuration options.

Network Analyzer is not visible in

Tools

>

Network Analyzer

until enabled in the

CLI. To enable Network Analyzer, access the CLI and enter the commands:

config log settings

set enable_analyzer yes

end

If you are currently logged in to the web-based manager when enabling or
disabling Network Analyzer, you must log out and then log in again for the menu
changes to take effect.

This section includes the following topics:

•

Connecting the FortiAnalyzer unit to analyze network traffic

•

Viewing Network Analyzer log messages

•

Browsing Network Analyzer log files

•

Customizing the Network Analyzer log view

•

Searching the Network Analyzer logs

•

Rolling and uploading Network Analyzer logs

Connecting the FortiAnalyzer unit to analyze network traffic

You usually first connect the FortiAnalyzer unit to the span (or mirroring) port of an
Ethernet switch to sniff traffic with the FortiAnalyzer unit,. Both the management
and sniffing ports can be connected to the same switch.

Note:

Network Analyzer available all FortiAnalzyer units except the FortiAnalyzer-100.

«
...
149
150
151
152
153
...
»

Summary of Contents for FortiAnalyzer 3.0 MR7

Page 1: ...www fortinet com FortiAnalyzer Version 3 0 MR7 A D M I N I S T R A T I O N G U I D E...

Page 2: ...rtiBIOS FortiBridge FortiClient FortiGate FortiGate Unified Threat Management System FortiGuard FortiGuard Antispam FortiGuard Antivirus FortiGuard Intrusion FortiGuard Web FortiLog FortiAnalyzer Fort...

Page 3: ...5 Dashboard enhancements 15 Custom fields for log messages 16 Reports 16 Report configuration enhancements 16 VoIP reports 17 Alert email configuration changes 17 Administrative Domains ADOMs 19 About...

Page 4: ...n administrator account 49 Changing an administrator s password 50 Access Profile 50 Auth Group 51 RADIUS Server 51 Administrator Settings 52 Monitor 52 Network Sharing 53 Adding share users 53 Adding...

Page 5: ...onnection attempt handling 79 Manually adding a device 80 Classifying FortiGate network interfaces 84 Manually adding a FortiGate unit using the Fortinet Discovery Protocol FDP 85 Blocking device conn...

Page 6: ...ts 133 Adding an alert event 133 Output 135 Configuring alerts by email server 135 Testing the mail server configuration 136 Configuring SNMP traps and alerts 136 Adding an SNMP server 137 FortiAnalyz...

Page 7: ...king up your configuration 169 Backing up your configuration using the web based manager 170 Backing up your configuration using the CLI 170 Backing up your log files 170 Testing firmware before upgra...

Page 8: ...rk Activity 194 Web Activity 195 Mail Activity 196 FTP Activity 196 Terminal Activity 197 VPN Activity 197 Event Activity 198 P2P Activity 199 Audit Activity 200 Summary Reports 201 Forensic Reports 2...

Page 9: ...following chapters What s new for 3 0 MR7 describes what the new maintenance release contains Administrative Domains ADOMs describes how to enable and configure domain based access to data and config...

Page 10: ...unit Appendix FortiAnalyzer reports in 3 0 MR7 describes the FortiAnalyzer reports that changed or were moved to other categories or both This appendix also includes what reports were removed and wha...

Page 11: ...nowledge center contains short how to articles FAQs technical notes product and feature guides and much more Visit the Fortinet Knowledge Center at http kc forticare com Comments on Fortinet technical...

Page 12: ...FortiAnalyzer Version 3 0 MR7 Administration Guide 12 05 30007 0082 20080908 Customer service and technical support Introduction...

Page 13: ...ered device limits have increased See Maximum number of devices on page 76 for more information Web based manager change The Action column is now an unnamed column across all menus and tabs within the...

Page 14: ...r HA members Logs that are viewed on the FortiGate unit now contain device ID fields for HA members See the FortiGate Administration Guide and the FortiGate Log Message Reference for additional inform...

Page 15: ...arry forward The limit is now back to the maximum limit in FortiAnalyzer 3 0 MR4 This limit number prevents any loss of registered devices during upgrade You can view the limits for registered devices...

Page 16: ...e or all devices Reports Reports have been enhanced and modified for FortiAnalyzer 3 0 MR7 VoIP report charts were also included in FortiAnalyzer 3 0 MR7 These changes are also reflected in the CLI Se...

Page 17: ...nd view it in Report Browse You can also generate scheduled reports this way in Report Schedule When viewing generated reports in Report Browse the naming scheme is changed to the following On Demand...

Page 18: ...t you now are required to enter information in the following fields alert name destination or destinations device Another configuration change is a drop down list providing the destinations of syslog...

Page 19: ...es the following topics About administrative domains ADOMs Configuring ADOMs About administrative domains ADOMs Enabling ADOMs alters the structure and available functionality of the web based manager...

Page 20: ...nfigured System Network Interface System Network DNS System Network Routing System Admin Administrator System Admin Access Profile System Admin Auth Group System Admin RADIUS Server System Admin Setti...

Page 21: ...n a subset of devices in the device list and assigning them to administrator accounts you can restrict other administrator accounts to a subset of the FortiAnalyzer unit s total devices or VDOMs The a...

Page 22: ...dministrative Domain Configuration appears providing access to both Global Configuration and ADOM configuration See To add or edit an ADOM on page 22 to create ADOMs See Assigning administrators to an...

Page 23: ...restrict the ADOM to a specific VDOM enable Restrict to a FortiGate VDOM then enter the VDOM name 6 Select OK To disable ADOMs 1 Log in as admin Other administrators cannot enable disable or configur...

Page 24: ...this menu subset any changes you make affect this ADOM only and do not affect devices in other ADOMs or global FortiAnalyzer unit settings You can return to Administrative Domain Configuration by goin...

Page 25: ...mmary view of the current operating status of the FortiAnalyzer unit including any additional information happening on the network such as top attacks or what types of logs were received The Dashboard...

Page 26: ...widget a red dashed line outlines the widget s current destination and other widgets reposition themselves to display the resulting layout To refresh a Dashboard widget 1 Go to System Dashboard 2 Pla...

Page 27: ...e widget s title bar area Close appears on the right side of the title bar 3 Select Close A confirmation dialog appears 4 Select OK The widget is removed from the Dashboard layout Tabs Tabs provide a...

Page 28: ...of space in GB each has For example Disk 2 Ready 465 76GB You can configure RAID settings from the RAID Monitor area as well by selecting RAID Settings This option is only available when you move your...

Page 29: ...alized Disk space usage Displays the amount of disk used in both percentage and a fill line Used Free Total Displays the amount of used disk space available or free disk space and the total available...

Page 30: ...since the FortiAnalyzer was started or last rebooted System Time The current time according to the FortiAnalyzer internal clock Select Change to change the time or configure the FortiAnalyzer unit to...

Page 31: ...hboard displays information on features that vary by a purchased license or contract For more information about RVS remote vulnerability scanning updates see FortiGuard Center on page 70 Figure 7 Lice...

Page 32: ...device on page 80 CPU Usage The current CPU usage status The web based manager displays CPU usage for core processes only CPU usage for management processes for example for HTTPS connections to the we...

Page 33: ...session history for the previous minute Network Utilization The network use for the previous minute Note These operations are available only to users with the read and write access profile Reboot Res...

Page 34: ...select More alerts For more information about viewing alert messages see Viewing alert console messages on page 34 Viewing alert console messages Alert console messages provides a window on what is oc...

Page 35: ...a number of days lower than what you are currently viewing deletes the older alerts For example if you are viewing alerts for seven days and change the alerts to two days the FortiAnalyzer unit delete...

Page 36: ...ut on configuring IP address host names see Configuring IP aliases on page 60 Resolve Service Select to display network service names rather than port numbers such as HTTP rather than port 80 Refresh...

Page 37: ...Select OK Type Select either Log Type or Device If you choose Log Type the monitor displays the type of logs that are received from all registered devices and separates them into categories for examp...

Page 38: ...he devices This information is gathered from virus logs You can edit Virus Activity to display specific information The following procedure describes how to edit the Virus Activity widget Device Selec...

Page 39: ...widget Figure 16 Top FTP Traffic widget Device Select the registered device or device group from the drop down list Display by Select one of the following to filter the information Time Period filter...

Page 40: ...llowing procedure describes how to edit the Top Email Traffic widget Figure 17 Top Email Traffic widget To edit the information for Top Email Traffic 1 Go to System Dashboard 2 In Top Email Traffic se...

Page 41: ...P2P Traffic select Edit in the title bar area Device Select the registered device or device group from the drop down list Display by Select one of the following to filter the information Top Sources t...

Page 42: ...t Edit in the title bar area Type Select the type of program you want displayed either IM or P2P Device Select the registered device or device group from the drop down list Display by Select one of th...

Page 43: ...Dashboard 2 In Top Web Traffic select Edit Device Select the registered device or device group from the drop down list Display by Select one of the following to filter the information Top Sources to a...

Page 44: ...IP Address Enter the source IP address Filter Destination IP Address Enter the destination IP address Time Scope Select one of the following for the time range Hour filters the time by hour Day filter...

Page 45: ...t using the Fortinet Discovery Protocol FDP on page 85 IP Netmask Enter an IP address and network mask Administrative Access Select which methods of administrative access should be available on this i...

Page 46: ...ing unregistered device connection attempt handling on page 79 DNS Configure primary and secondary DNS servers to provide name resolution required by FortiAnalyzer features such as NFS shares To confi...

Page 47: ...inistrator accounts control the access level of each administrator account and control the IP address for connecting to the FortiAnalyzer unit This account is permanent and cannot be deleted from the...

Page 48: ...DIUS server on your network Delete Select to remove the administrator account You cannot delete the account named admin Edit Select to modify the account information Change Password Select to change t...

Page 49: ...ned an access profile Access profiles define administrator privileges to parts of the FortiAnalyzer configuration For example you can have a profile where the administrator only has read and write acc...

Page 50: ...you can create an authorization group To add a group 1 Go to System Admin Auth Group 2 Select Create New 3 Select the servers from Available Auth Servers to add to the group and select the right arro...

Page 51: ...and the PIN for the LCD panel You can also enable or disable administrative domains ADOMs To configure administrators go to System Admin Figure 25 Administrators Settings Name Enter a name to identify...

Page 52: ...mbfs could mount a FortiAnalyzer NFS network share Before a user can access files on the FortiAnalyzer network share network share user accounts and groups must be created network sharing Windows or N...

Page 53: ...using Windows sharing To view users with Windows share access to the FortiAnalyzer unit go to System Network Sharing Windows Share Figure 26 Windows network shares User name Enter a user name The nam...

Page 54: ...twork Sharing Windows Share 2 Select Create New 3 Select the Local Path button to define which folder on the FortiAnalyzer unit hard disk to share 4 Select OK 5 Enter the Share Name to describe the sh...

Page 55: ...privileges go to System Network Sharing NFS Export Figure 28 NFS shares To add a new NFS share configuration 1 Go to System Network Sharing NFS Export 2 Select Enable NFS Exports and select Apply 3 Se...

Page 56: ...g to setup and maintain miscellaneous features such as local logging log aggregation log forwarding IP aliases and LDAP connections Automatic file deletion and local log settings The FortiAnalyzer uni...

Page 57: ...e log file Log options when log disk is full The policy to follow for saving the current log and starting a new active log when the FortiAnalyzer disk is full Select Overwrite Oldest Files to delete t...

Page 58: ...reached maximum file size Optional Roll log files only when the log file reaches the maximum file size regardless of time interval This option appears only when Use System Device Log Settings is disab...

Page 59: ...the branch office log aggregation clients enabling headquarters to run reports that reflect all offices Figure 31 Example log aggregation topology All FortiAnalyzer models can be configured as a log a...

Page 60: ...tional log storage or processing The log forwarding destination Remote device IP may receive either a full duplicate or a subset of those log messages that are received by the FortiAnalyzer unit Log m...

Page 61: ...as rather than the IP address IP aliases can make logs and reports easier to read and interpret For example you could create an IP alias to display the label mailserver1 instead of its IP address 10 1...

Page 62: ...5 50 5 with hot spare If a hard disk fails and the selected RAID level cannot be accomplished using the number of remaining hard disks the FortiAnalyzer unit rebuilds the RAID using the default RAID...

Page 63: ...re solely used for mirroring This provides redundant data storage with no single point of failure Should any of the hard disks fail there are several backup hard disks available With a FortiAnalyzer 4...

Page 64: ...ata When you replace the failed hard disk the FortiAnalyzer unit uses the new hard disk as the new hot spare Hot swapping hard disks Hot swapping refers to removing a failed hard disk and replacing it...

Page 65: ...failed disk 2 Select Remove for the failed hard disk A message displays indicating it is safe to remove the disk from the drive 3 Remove the hard disk from the drive bay on the FortiAnalyzer unit On t...

Page 66: ...title bar area The RAID Monitor widget displays which hard disk has failed displaying a warning symbol next to the failed disk 2 Select Remove for the failed hard disk 3 Remove the hard disk from the...

Page 67: ...Configuring RAID on the FortiAnalyzer 2000 2000A and FortiAnalyzer 4000 4000A The FortiAnalyzer 2000 2000A has six hard disks and the FortiAnalyzer 4000 4000A has 12 hard disks For both units the dis...

Page 68: ...loss RAID Level Select a RAID level from the list The current RAID level is shown as the first RAID level in the list Total Disk Space The amount of disk space available within the RAID array Free Di...

Page 69: ...ttribute identifier used in the LDAP query filter By default the identifier is cn For example if the Base DN contains several objects and you want to include only objects whose cn Admins enter the Com...

Page 70: ...rtiAnalyzer unit s configuration upload and restore a FortiAnalyzer unit s configuration upload a firmware update Backup copies of the FortiAnalyzer unit configuration file can be encrypted with a pas...

Page 71: ...eduled RVS updates go to System Maintenance FortiGuard Center Encrypt configuration file Select to encrypt the backup file Enter a password in the Password field and enter it again in the Confirm fiel...

Page 72: ...e Manual updates are not a substitute for a connection to the FDN Like scheduled updates manual updates require that the FortiAnalyzer unit be able to connect to the FDN to validate its RVS license Re...

Page 73: ...hen connecting to the FDN through the web proxy Scheduled Update Enable scheduled updates then select the frequency of the update Every Daily or Weekly Every Select to update once every n hours then s...

Page 74: ...FortiAnalyzer Version 3 0 MR7 Administration Guide 74 05 30007 0082 20080908 Maintenance System...

Page 75: ...device to device list on the FortiAnalyzer unit FortiAnalyzer units either ignore the connection attempt or automatically add the device to its device list This connection attempt handling depends on...

Page 76: ...nfiguring unregistered device connection attempt handling on page 79 Name The name of the device in the device list This can be any descriptive name that you want assign to it and does not need to be...

Page 77: ...config fmsystem log fortianalyzer set secure_connection enable set psk presharedkey_str set localid devname_str end Caution The locked icon does not indicate successful secure transmission it only ind...

Page 78: ...istered devices the device may reappear in the device list Maximum number of devices Each FortiAnalyzer model is designed to support and provide effective logging and reporting capabilities for up to...

Page 79: ...ion about on blocked devices see Blocking device connection attempts on page 86 Once the FortiAnalyzer unit has exceeded its maximum number of allowed devices you will not be able to add devices to th...

Page 80: ...device s log data add devices automatically but do not keep data until you manually register them if the device is an unknown type allow the connection add as an unregistered device and keep a specif...

Page 81: ...ion register automatically and store up to N MB data Add the device to the registered device list for future configuration and addition to the FortiAnalyzer unit and save the log messages to the hard...

Page 82: ...ur Syslog server s documentation If there is no explicit option to log specifically to a FortiAnalyzer unit you can use options for remote logging to a Syslog server Due to the nature of connectivity...

Page 83: ...ce list or if you are editing an existing device This option does not appear if Device Type is Syslog or FortiClient Mode Select the high availability HA mode of the device If you are adding a single...

Page 84: ...ion privileges Tx and Rx of the device such as for sending and viewing log files content archives and quarantined files Available device connection privileges vary by Device Type Amounts following the...

Page 85: ...e Secure Connection on page 74 Classifying FortiGate network interfaces The FortiGate Interface Specification area enables you to functionally classify network interfaces and VLAN subinterfaces accord...

Page 86: ...FDP packets FortiGate units running FortiOS version 3 0 or greater can use FDP to locate a FortiAnalyzer unit To use FDP both units must be on the same subnet and they must be able to connect using U...

Page 87: ...ists on the subnet and is configured to reply to FDP packets it sends a reply and its IP address appears in the Connect To list If your FortiGate unit is connecting to a FortiAnalyzer unit from anothe...

Page 88: ...ed devices that you do not want in the FortiAnalyzer device list to free a spot in the device list Devices may automatically appear on your list of blocked devices This can occur when devices attempt...

Page 89: ...may appear in the device list as an Unregistered device according to your configuration of Unregistered Device Options For more information see Configuring unregistered device connection attempt handl...

Page 90: ...up 5 Select the devices to include in the group from the list of Available Devices and select the right pointing arrow 6 Select OK To delete a device group 1 Go to Device Group Device Group 2 In the r...

Page 91: ...elf focusing on specific log types and time frames The Log Viewer has two types of log viewing options The Real time tab displays the log messages most recently received by the FortiAnalyzer unit The...

Page 92: ...y when refreshing is started Start Select to start refreshing the log view This option appears only when refreshing is stopped Column Settings Select to change the columns to view and the order they a...

Page 93: ...page For more information see Displaying and arranging log columns on page 97 Search Enter a keyword to perform a simple search on the log information available Select Go to begin the search The numbe...

Page 94: ...evices and the FortiAnalyzer itself In this window you can view the log information download log files to your hard disk or delete unneeded files When a log file reaches its maximum size the FortiAnal...

Page 95: ...ctive log file appears as well as rolled log files Rolled log files include a number in the file name alog 2 log If you configure the FortiAnalyzer unit to upload rolled logs to an FTP site only the c...

Page 96: ...n IP addresses For more information about on configuring IP address host names see Configuring IP aliases on page 61 Resolve Service Select to display the network service names rather than the port nu...

Page 97: ...Log Files column locate a device and log type and then select blue arrows to expand and reveal the specific log file wlog log elog log etc that you want to download 3 In the Action column select Down...

Page 98: ...see To display logs in Raw or Formatted view 1 Go to a page which displays log messages such as Log Log Viewer Real time 2 Select Formatted or Raw If you select Formatted options appear that enable y...

Page 99: ...lds area Alternatively to hide all columns select the double left arrow To return all columns to their default displayed hidden status select Default 4 Select OK To change the order of the columns 1 G...

Page 100: ...ilter 1 In the heading of the column whose filter you want to disable select the filter icon A column s filter icon is green when the filter is currently enabled 2 To disable the filter on this column...

Page 101: ...column using a substring of the text contained by the column rather than the entire text contained by the column Searching the logs You can search the device log files for matching text using two sea...

Page 102: ...og messages which comprise search results All Words Select to require that matching log messages must contain all search keywords If a log message does not contain one or more keywords it will not be...

Page 103: ...tching text examine your keywords and filter criteria using the following search characteristics and recommendations Separate multiple keywords with a space type webfilter subtype activexfilter Keywor...

Page 104: ...ntains random substrings such as session IDs If your search keywords do not return enough results try one of the following Full Search shortening your keyword to the smallest necessary substring of th...

Page 105: ...or weekly occurrence and when the roll occurs When a log file reaches its maximum size or reaches the scheduled time the FortiAnalyzer unit saves the log files with an incremental number and starts a...

Page 106: ...et reached maximum file size Optional Roll log files only when the log file reaches the maximum file size regardless of time interval Enable log uploading Select to upload log files to an server when...

Page 107: ...30007 0082 20080908 107 Upload rolled files in gzipped format Select to compress the log files in gzipped format before uploading to the server Delete files after uploading Select to remove the log fi...

Page 108: ...FortiAnalyzer Version 3 0 MR7 Administration Guide 108 05 30007 0082 20080908 Rolling and uploading logs Log...

Page 109: ...e FortiGate unit to send content archives to the FortiAnalyzer unit see the FortiGate Administration Guide This section includes the following topics Viewing content archives Customizing the content a...

Page 110: ...default displays the content log messages in columnar format Selecting Raw displays the content log messages as they appear in the content log files View per page Select the number of rows of log ent...

Page 111: ...ve 2 Select Formatted or Raw Displaying and arranging log columns When viewing logs in formatted view you can display hide and re order columns to display only relevant categories of information in yo...

Page 112: ...umn Settings Lists of available and displayed columns for the log type appear 3 In the Display Fields area select a column name whose order of appearance you want to change 4 Select the up or down arr...

Page 113: ...1 2 2 100 You can also use the Boolean operator or to indicate multiple alternative matches 1 1 1 1 or 2 2 2 2 1 1 1 1 or 2 2 2 1 1 1 1 or 2 2 2 1 2 2 2 10 Most column filters require that you enter t...

Page 114: ...elimiting them with a comma and a space such as user1 example com user2 example com Subject Enter all or part of the subject line of the email Message Contains Enter all or part of a word or phrase in...

Page 115: ...08 113 To The recipient s email address Last activity The date and time that the FortiAnalyzer unit received the content archive Subject The subject line of the email Select the subject line of the em...

Page 116: ...FortiAnalyzer Version 3 0 MR7 Administration Guide 114 05 30007 0082 20080908 Searching full email content archives Content Archive...

Page 117: ...tiAnalyzer reports After logs are collected or uploaded you can then define the three basic components that make up a report report layout the layout and the contents output and data filter templates...

Page 118: ...ore reports select the check box next to their report name then select Delete To delete all reports select the column heading check box All reports check boxes become select and then select Delete You...

Page 119: ...ion on usage and behavior Web_Filtering User_Activity is an overview of user web site activity plus detailed audit of all blocked sites and all sites visited Forensic Analysis is an overview of detail...

Page 120: ...formats for headers also need to be compatible with the chosen file format The same logo formats for the title page also apply to headers Device Type Select one of the device types from the drop down...

Page 121: ...17 Editing charts in a report layout You can edit charts at any time as well as rearrange the charts from within the Chart List You can also edit Text and Section as well The following procedure assum...

Page 122: ...the five items that have less than one percent are considered under Other and only Other displays on the pie diagram This issue occurs only when the pie chart style is selected The bar chart style is...

Page 123: ...ules Report schedules are configured after you have configured report layouts If you do not have a report layout you cannot configure a report schedule When configuring report schedules you can specif...

Page 124: ...n Now to run a report schedule immediately on demand instead of waiting for the scheduled time Caution When configuring a report schedule which contains both an output template and selected file forma...

Page 125: ...on the local time of the FortiAnalyzer unit or the selected devices Log time stamps reflect when the FortiAnalyzer unit received the message not when the device generated the log message If you have...

Page 126: ...Data filter options operate on specific log message fields For information about log message fields see the FortiGate Log Message Reference Create New Select to create a new data filter template and c...

Page 127: ...not the report itself Description Enter a description for the report This is optional Filter logic Select all to include only logs in the report that match all filter criteria If any aspect of a log...

Page 128: ...20 110 0 255 255 255 0 or 172 20 120 110 24 172 20 110 0 140 255 matches all IP addresses from 172 20 110 0 to 172 20 140 255 172 16 0 0 20 255 255 matches all IP addresses from 172 16 0 to 172 20 255...

Page 129: ...en use the arrow to move the level to the Selected Levels column If you want to remove a severity level from the Selected Levels column select the level first and then use the arrow to move the level...

Page 130: ...To configure the output for a report 1 Go to Report Config Output 2 Select Create New 3 Enter and or select the appropriate information for the fields and check boxes for the following E Mail Destinat...

Page 131: ...ic name for the attached report in the field This name will appear as the attachment s name and is not the report s actual name Email From Enter a sender email address for the FortiAnalyzer unit or ad...

Page 132: ...Big5 AR PL SungtiL GB DFPHSGothic W5 and Verdana The string file specifies pieces of text that may be used in various places throughout the report Each string line consists of a key followed by an equ...

Page 133: ...or example in these lines Localization uses a Latin character set html html_charset iso 8859 1 The comment is Localization uses a Latin character set The output type label is html the variable name is...

Page 134: ...file Note Both format and string files use Unix style line endings LF characters not CR LF Create New Select to create a new report language customization Language The name of the report language cus...

Page 135: ...port graph titles and Y axis labels for Font File select Browse and locate your font If your font is located in the system font folder you may need to first copy the font from the system font folder t...

Page 136: ...there are any errors with your files correct the errors then return to step 3 After successfully uploading and verifying your custom language becomes available as a report output language To delete a...

Page 137: ...1 2006 at 9 12 PM Select the blue arrow to expand the report to view the individual reports in HTML format Started The date and time when the FortiAnalyzer unit generated the report Finished The date...

Page 138: ...FortiAnalyzer Version 3 0 MR7 Administration Guide 134 05 30007 0082 20080908 Browsing reports Reports...

Page 139: ...tined files Note Sending quarantine files to a FortiAnalyzer unit is available only on FortiGate units running FortiOS 3 0 or later FortiAnalyzer units do not accept quarantine files from devices that...

Page 140: ...t quarantined the file DC Duplicate count A count of how many duplicates of the same file were quarantined A rapidly increasing number can indicate a virus outbreak Size Bytes The file size of the qua...

Page 141: ...t if you want to receive an alert by email when your network detects an attack attempt You can choose to notify administrators by email SNMP or Syslog as well as the Alert Console Messages section of...

Page 142: ...essage filter text This text is used in conjunction with Trigger s and Device Selection to specify which log messages will trigger the FortiAnalyzer unit to send an alert message Enter an entire word...

Page 143: ...ng an email by SMTP fails the FortiAnalyzer unit will re attempt to send the message every ten seconds and never stop until it succeeds in sending the message or the administrator reboots the FortiAna...

Page 144: ...lerts You can configure the SNMP server where the FortiAnalyzer unit sends SNMP traps when an alert event occurs and which SNMP servers are permitted to access FortiAnalyzer SNMP system traps You must...

Page 145: ...and 28800 The default number is 600 seconds which is 10 minutes During the configured time period the SNMP agent evaluates the trap type for example CPU at every same frequency For example during 600...

Page 146: ...Analyzer traps RFC support includes most of RFC 2665 Ethernet like MIB and most of RFC 1213 MIB II FortiAnalyzer units also use object identifiers from the Fortinet proprietary MIB For your SNMP manag...

Page 147: ...apFlgEventCount Fortinet MIB System fields fnSysModel fnSysSerial fnSysVersion fnSysCpuUsage fnSysMemUsage fnSysSesCount fnSysDiskCapacity fnSysDiskUsage fnSysMemCapacity Fortinet MIB Administrator Ac...

Page 148: ...FortiAnalyzer unit to communicate an alert To view the SNMP servers go to Alert Output Syslog Server Figure 4 Syslog server list Adding a Syslog server You can add a Syslog server to send alerts by th...

Page 149: ...07 0082 20080908 141 3 Configure the following options and select OK Name Enter a name for the SNMP server IP address or FQDN Enter the IP address or fully qualified domain name for the SNMP server Po...

Page 150: ...FortiAnalyzer Version 3 0 MR7 Administration Guide 142 05 30007 0082 20080908 Output Alert...

Page 151: ...k Analyzer It also describes Network Analyzer log storage configuration options Network Analyzer is not visible in Tools Network Analyzer until enabled in the CLI To enable Network Analyzer access the...

Page 152: ...ernet cable to the span or mirroring port of an Ethernet switch If connected to the span or mirror port of a switch Network Analyzer will be able to observe all traffic passing through the switch 3 In...

Page 153: ...Network Analyzer To view the most recent traffic go to Tools Network Analyzer Real time Figure 2 Viewing current Network Analyzer logs Stop Select to stop the traffic sniffing When selected Stop chan...

Page 154: ...figuring IP aliases on page 61 Resolve Service Select to display the network service names rather than the port numbers such as HTTP rather than port 80 View n per page Select the number of rows of lo...

Page 155: ...r log file list Viewing Network Analyzer log file contents The Browse tab enables you to view all log messages within Network Analyzer log files If you display the log messages in Formatted view you c...

Page 156: ...umns to view and the order they appear on the page For more information see Displaying and arranging log columns on page 148 Search Enter a keyword to perform a simple search on the log information av...

Page 157: ...a then select OK Filtered columns now have a green filter icon and Download Current View appears next to Printable Version 5 Select Download Current View 6 Select any download options you want and sel...

Page 158: ...ant to see To display logs in Raw or Formatted view 1 Go to a page which displays log messages such as Tools Network Analyzer Real time 2 Select Formatted or Raw If you select Formatted options appear...

Page 159: ...able and displayed columns for the log type appear 3 In the Display Fields area select a column name whose order of appearance you want to change 4 Select the up or down arrow to move the column in th...

Page 160: ...n s filter icon is gray when the filter is currently disabled Filtering tips When filtering by source or destination IP you can use the following in the filtering criteria a single address 2 2 2 2 an...

Page 161: ...haracters or log fields not supported by Quick Search Full Search performs an exhaustive search of all log fields both indexed and unindexed but is often slower than Quick Search Figure 8 Network Anal...

Page 162: ...earch Keywords must literally match log message text with the exception of case insensitivity and wild cards resolved names and IP aliases will not match Some keywords will not match unless you includ...

Page 163: ...address appears in log messages the second keyword the protocol does not match UDP log messages and so the match fails for UDP log messages If the match fails the log message is not included in the s...

Page 164: ...it is time to roll the log file You configure the time to be either a daily or weekly occurrence and when the roll occurs When a log file reaches its maximum size or reaches the scheduled time the Fo...

Page 165: ...use the log rolling and uploading options Reuse settings from standard logs Select to use the same log rolling and uploading settings that you set for standard logs files configured in Logs Config Log...

Page 166: ...name Password Enter the password required to connect to the upload server Confirm Password Re enter the password to verify correct entry Directory Enter a location on the upload server where the log...

Page 167: ...ility checks supported by the scan modules see Viewing vulnerability scan modules on page 161 File Explorer provides information about what files are on your FortiAnalyzer unit Accessing these files h...

Page 168: ...You may want to consider temporarily removing obstacles that prevent the vulnerability scan from reliably connecting to the intended target hosts on the required standard port numbers If you do not re...

Page 169: ...cribes how to modify the local security policy of a Windows XP target host for which you have configured a local administrator account This procedure may vary for other versions of Windows or for targ...

Page 170: ...However if the target host is connected to a domain and this policy conflicts with the domain or other security model with higher precedence the policy may be overridden during the next Group Policy...

Page 171: ...account and assign it to the same user group as the root account Steps to enable the root account vary by Unix variant If you do not enable and provide the root account or an account with equivalent...

Page 172: ...ur preparation may differ For more information see Preparing for the vulnerability scan job on page 157 Update RVS modules before you begin the vulnerability scan job to ensure that your vulnerability...

Page 173: ...re the network and target hosts for the vulnerability scan job You may also want to update the RVS modules and engine to ensure that the report tests for the latest known security issues For more info...

Page 174: ...ak or default user account security policies without providing an administrator login or performing many of the other Windows related vulnerability scan modules To view current or scheduled vulnerabil...

Page 175: ...er selecting Remote Authentication Password Enter the password for the target host s This option is only available after selecting Remote Authentication Quick Scan Select to perform a quick port scan...

Page 176: ...from the following HTML PDF MS Word RTF See Viewing vulnerability scan reports on page 166 to view finished reports stored on the FortiAnalyzer unit s hard disk Email output If you want to email the...

Page 177: ...For more information see Preparing for the vulnerability scan job on page 157 Vulnerability scan job reports will not appear in the list of vulnerability scan job reports before the vulnerability scan...

Page 178: ...the vulnerability scan job on page 157 File Explorer The File Explorer menu allows administrators to view and browse through the files on their FortiAnalyzer unit To view and browse through these file...

Page 179: ...Tools File Explorer FortiAnalyzer Version 3 0 MR7 Administration Guide 05 30007 0082 20080908 169 Figure 5 File Explorer Figure 6 File Explorer with Storage directory expanded...

Page 180: ...FortiAnalyzer Version 3 0 MR7 Administration Guide 170 05 30007 0082 20080908 File Explorer Tools...

Page 181: ...s to your configuration Installing a patch release without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues This chapter includes the following se...

Page 182: ...ou can enter a password if required To back up your configuration file using the CLI Enter the following to back up the configuration execute backup config filename address_ip passwd This may take a f...

Page 183: ...file To back up log files using the CLI Enter the following to back up all log files execute backup logs all ftp sftp scp tftp server_ipv4 username_str password_str directory_str If you are using a T...

Page 184: ...mware image before upgrading 1 Copy the new firmware image file to the root directory of the TFTP server 2 Start the TFTP server 3 Log into the CLI 4 Enter the following command to ping the computer r...

Page 185: ...as the TFTP server but make sure you do not use an IP address of another device on the network The following message appears Enter firmware image file name image out 11 Enter the firmware image file...

Page 186: ...Reiser to EXT3 The EXT3 file system provides better stability You can upgrade to the EXT3 file system if upgrading to FortiAnalyzer 3 0 MR3 and higher See the FortiAnalyzer CLI Reference for more inf...

Page 187: ...FortiLog 1 6 while others may not have such as the Destination in Alerts Event configuration Go to System Maintenance Backup Restore to save the configuration settings that carried forward Upgrading...

Page 188: ...d successfully get system status 9 Update AV NIDS definitions so that they are current with the new firmware Verifying the upgrade After logging back into the web based manager most of your FortiLog 1...

Page 189: ...ng to factory defaults or installing a patch release Downgrading to FortiLog 1 6 When downgrading to FortiLog 1 6 no settings are carried forward If you created additional settings in FortiAnalyzer 3...

Page 190: ...the FortiAnalyzer unit and TFTP server are successfully connected 5 Enter the following command to copy the firmware image from the TFTP server to the FortiAnalyzer unit execute restore image tftp na...

Page 191: ...ersion 3 0 MR7 Administration Guide 05 30007 0082 20080908 179 8 Reconnect to the CLI 9 Enter the following command to confirm the firmware image installed successfully get system status See Restoring...

Page 192: ...o factory defaults or may be corrupted Use the recovery procedure appropriate for your FortiAnalyzer unit model to restore the firmware from a TFTP server For more information about connecting to the...

Page 193: ...dress 192 168 1 188 9 Type an IP address for the FortiAnalyzer unit and press Enter The FortiAnalyzer unit will temporarily assign this IP address to the interface to connect to the TFTP server and do...

Page 194: ...The following restores your FortiLog 1 6 configurations settings using the CLI To restore configuration settings using the CLI 1 Copy the backup configuration file to the root directory of the TFTP s...

Page 195: ...he FortiAnalyzer unit uploads the backup configuration file After the file uploads a message similar to the following is displayed Getting file confall from tftp server 192 168 1 168 Restoring files A...

Page 196: ...FortiAnalyzer Version 3 0 MR7 Administration Guide 184 05 30007 0082 20080908 Restoring your configuration Managing firmware versions...

Page 197: ...ges The following explains the changes that occurred with the available reports that you can choose when configuring reports This section includes the following topics FortiGate reports Summary Report...

Page 198: ...ons for Most Common Attacks Top Attack Destinations by Type Top Attacks for Most Common Destinations Top Attack Destinations by Source Top Sources for Most Common Destinations Top Attack Types by Sour...

Page 199: ...rotocols with Antivirus Violations Breakdown Infected Oversize Filename Top AV Event Senders by Type Top Sources Email or IP with Antivirus Violations Breakdown Infected Oversize Filename Top AV Event...

Page 200: ...ources over FTP Top Virus Sources over FTP by Date Top Virus Sources over FTP Top Virus Sources over FTP by Month Top Virus Sources over FTP Top Virus Destinations over FTP by Hour of Day Top Virus De...

Page 201: ...irus Activity reports Table 12 WebFilter Activity reports MR6 reports MR7 reports Web Hits by Status Total Hits per Status allowed blocked etc Blocked Web Hits by Date Blocked Web Activity over Time P...

Page 202: ...s Top Blocked Web Risk Groups Top Web Risk Groups Hits Top Requested Web Risk Groups Top Web Clients by Web Site Hits Top Web Sites for Most Active Users Top Blocked Web Clients by Web Site Hits Top W...

Page 203: ...tatus and Date Mail Summary by Email Size Mail Count Status and Date Mail Summary by Email Count Table 13 Antispam Activity reports Table 14 IM reports MR6 reports MR7 reports IM Activity by Action an...

Page 204: ...per IM Protocol Table 14 IM reports Table 15 VoIP reports MR7 reports VoIP Traffic by Date VoIP Traffic by Month VoIP Traffic by Day of Week VoIP Traffic by Hour of Day VoIP Traffic by Direction Top V...

Page 205: ...Month SIP Call Registers by Day of Week SIP Call Registers by Hour of Day SIP Call Durations Top SIP Called Numbers by Date Top SIP Called Numbers by Month Top SIP Called Numbers by Day of Week Top SI...

Page 206: ...r of Inspected Messages per Application Table 17 Network Activity reports MR6 reports MR7 reports Traffic Volume by Direction and Date Traffic Volume by Direction Traffic Volume by Direction and Month...

Page 207: ...by Time Period Web Traffic by Month Web Volume by Time Period Web Traffic by Day of Week Web Volume by Time Period Web Traffic by Hour of Day Web Volume by Time Period Web Traffic by Direction Web Vo...

Page 208: ...me Size by Time Mail Traffic by Month Mail Volume Size by Time Mail Traffic by Day of Week Mail Volume Size by Time Mail Traffic by Hour by Day Mail Volume Size by Time Mail Traffic by Direction Mail...

Page 209: ...by Service and Date Terminal Traffic Volume per Service Telnet SSH Terminal Traffic by Service and Month Terminal Traffic Volume per Service Telnet SSH Terminal Traffic by Service and Day of Week Term...

Page 210: ...ces Top VPN Traffic Destinations Top VPN Destinations VPN Traffic by Direction VPN Traffic Volume per Direction Top VPN Tunnels Date Traffic Top VPN Tunnels Top VPN Tunnels by Month Traffic Top VPN Tu...

Page 211: ...ce Table 23 Event Activity reports Table 24 P2P Activity reports MR6 reports MR7 reports P2P Activity by Protocol Total Events per P2P Protocol P2P Activity by Action and Date Total Pass Block Events...

Page 212: ...Gnutella Local Peers Top Allowed Gnutella Local Peers by Month Top Allowed Gnutella Local Peers Top Blocked Gnutella Local Peers by Date Top Blocked Gnutella Local Peers Top Blocked Gnutella Local Pe...

Page 213: ...trusion Activity Total IPS Events Detected Top Destinations by Volume Network Analysis Total IPS by Attack ID Top Devices by Antivirus Violations AntiVirus Activity Total IPS by Source Top Attack Sour...

Page 214: ...ble Sites by Blocked Categories All Blocked Web Sites per Category AntiSpam Activity Sites by Permitted Categories All Allowed Web Sites per Category AntiSpam Activity Sites by Access Time All Request...

Page 215: ...locked Categories by Hits Top Blocked Web Risk Group WebFilter Activity Accessed Sub categories Top Allowed Sub Categories WebFilter Activity with time scale set to by date Blocked Sub categories by H...

Page 216: ...by Day of Month Top Remote Address Top Remote Address by Week of Year Top Remote Address Top Remote Address by Month Top Remote Address Spam Filter by Date Spam Filter Spam Filter by Hour of Day Spam...

Page 217: ...e 29 Mail High Level reports Table 30 Mail Sender reports MR6 reports MR7 reports Top Sender by Date Top Sender Top Sender by Hour of Day Top Sender Top Sender by Day of Week Top Sender Top Sender by...

Page 218: ...Sender MSISDN Top Sender MSISDN by Month Top Sender MSISDN Table 30 Mail Sender reports Table 31 Mail Recipient Activity reports MR6 reports MR7 reports Top Recipient by Date Top Recipient Top Recipie...

Page 219: ...ender by Hour of Day Top Spam Sender Top Spam Sender by Day of Week Top Spam Sender Top Spam Sender by Day of Month Top Spam Sender Top Spam Sender by Week of Year Top Spam Sender Top Spam Sender by M...

Page 220: ...er Top Remote Spam Sender by Day of Month Top Remote Spam Sender Top Remote Spam Sender by Week of Year Top Remote Spam Sender Top Remote Spam Sender by Month Top Remote Spam Sender Top Remote Spam Do...

Page 221: ...nth Top Local Spam Recipient Top Local Spam Recipient by Week of Year Top Local Spam Recipient Top Local Spam Recipient by Month Top Local Spam Recipient Top Remote Spam Recipient by Date Top Remote S...

Page 222: ...p Virus IP by Day of Month Top Virus IP Top Virus IP by Week of Year Top Virus IP Top Virus IP by Month Top Virus IP Top Local Virus Sender by Date Top Local Virus Sender Top Local Virus Sender by Hou...

Page 223: ...N by Day of Month Top Virus MSISDN Top Virus MSISDN by Week of Year Top Virus MSISDN Top Virus MSISDN by Month Top Virus MSISDN Table 36 Virus Sender reports Table 37 Virus Recipient reports MR6 repor...

Page 224: ...ed Web Sites by User Top Visited Web Sites by User FortiClient Antispam Activity Top Blocked Mail Senders Top Blocked Mail Receivers Top Remote Virus Recipient by Day of Month Top Remote Virus Recipie...

Page 225: ...up configuration using the CLI 170 using web based manager 170 backing up log files 170 backup 69 blocked devices 77 79 86 Boolean operator 99 111 150 browse log 93 network analyzer 144 sniffer 144 b...

Page 226: ...b proxy 71 connection 71 Fortinet Distribution Network 70 71 162 FDP Fortinet Discovery Protocol 47 85 icon 45 file extension 96 97 104 147 153 165 170 format 165 permissions 55 56 transfer 107 file e...

Page 227: ...atus 45 intrusion activity dashboard 38 intrusion prevention system IPS 158 IP address 45 46 IP alias 35 60 importing from file 61 resolve host names 108 IPSec VPN tunnel 74 86 log 57 K known device t...

Page 228: ...ystem NFS 53 mask 45 46 sniffer 144 time protocol 29 network analyzer browse 144 column view 143 delete after download 155 download logs 147 enable 141 154 filter 149 gzip 155 historical viewer 143 re...

Page 229: ...FortiMail reports 203 reset configuration 30 33 resolve host names 35 60 108 logs 94 143 network analyzer 143 145 See also IP alias restart 33 restore configuration file 69 default configuration 33 fi...

Page 230: ...email traffic dashboard 41 top ftp traffic dashboard 40 top im p2p traffic dashboard 42 top traffic dashboard 43 top web traffic dashboard 44 traffic sessions 32 35 traps SNMP 136 trusted host 48 49...

Page 231: ...er Version 3 0 MR7 Administration Guide 05 30007 0082 20080908 219 registered device s hard limits 15 report configuration enhancements 16 voip reports 17 Windows AD See LDAP Windows shares 53 54 X XM...

Page 232: ...FortiAnalyzer Version 3 0 MR7 Administration Guide 220 05 30007 0082 20080908 Index...

Page 233: ...www fortinet com...

Page 234: ...www fortinet com...

Reviews:

No comments

Related manuals for FortiAnalyzer 3.0 MR7

Brand: Canon Pages: 90

ZENworks 7.2 Linux Management

Brand: Novell Pages: 10

eXpress Altris eXpress Helpdesk Solution 5.6 SP1

Brand: altiris Pages: 143

Brand: Model Technology Pages: 37

Brand: NETGEAR Pages: 282

Brand: VERITEQ Pages: 112

18507-051452-9325 - UPG ARCH DESKTOP 2007

Brand: Autodesk Pages: 104

Brand: Valcom Pages: 8

Brand: Mackie Pages: 12

STUDIO 8-EXPLORING STUDIO 8

Brand: MACROMEDIA Pages: 350

Brand: Palm Pages: 46

Symposium TAPI Service Provider for Succession 3.0

Brand: Nortel Pages: 198

Brand: Quantum Pages: 304

NVX200 - Touch&Go - Automotive GPS Receiver

Brand: Jensen Pages: 86

TASCAM PCM Recorder

Brand: Tascam Pages: 12

551A1-05B111-1001 - Stitcher Unlimited 2009

Brand: Autodesk Pages: 217

22020737 - Acrobat Pro - PC

Brand: Adobe Pages: 496

Brand: Tandem Pages: 312

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands