
FortiAnalyzer Version 3.0 MR7 Administration Guide


05-30007-0082-20080908

Customer service and technical support

Introduction

Contents: FortiAnalyzer 3.0 MR7

Page 1: ...www fortinet com FortiAnalyzer Version 3 0 MR7 A D M I N I S T R A T I O N G U I D E...

Page 2: ...rtiBIOS FortiBridge FortiClient FortiGate FortiGate Unified Threat Management System FortiGuard FortiGuard Antispam FortiGuard Antivirus FortiGuard Intrusion FortiGuard Web FortiLog FortiAnalyzer Fort...

Page 3: ...5 Dashboard enhancements 15 Custom fields for log messages 16 Reports 16 Report configuration enhancements 16 VoIP reports 17 Alert email configuration changes 17 Administrative Domains ADOMs 19 About...

Page 4: ...n administrator account 49 Changing an administrator s password 50 Access Profile 50 Auth Group 51 RADIUS Server 51 Administrator Settings 52 Monitor 52 Network Sharing 53 Adding share users 53 Adding...

Page 5: ...onnection attempt handling 79 Manually adding a device 80 Classifying FortiGate network interfaces 84 Manually adding a FortiGate unit using the Fortinet Discovery Protocol FDP 85 Blocking device conn...

Page 6: ...ts 133 Adding an alert event 133 Output 135 Configuring alerts by email server 135 Testing the mail server configuration 136 Configuring SNMP traps and alerts 136 Adding an SNMP server 137 FortiAnalyz...

Page 7: ...king up your configuration 169 Backing up your configuration using the web based manager 170 Backing up your configuration using the CLI 170 Backing up your log files 170 Testing firmware before upgra...

Page 8: ...rk Activity 194 Web Activity 195 Mail Activity 196 FTP Activity 196 Terminal Activity 197 VPN Activity 197 Event Activity 198 P2P Activity 199 Audit Activity 200 Summary Reports 201 Forensic Reports 2...

Page 9: ...following chapters What s new for 3 0 MR7 describes what the new maintenance release contains Administrative Domains ADOMs describes how to enable and configure domain based access to data and config...

Page 10: ...unit Appendix FortiAnalyzer reports in 3 0 MR7 describes the FortiAnalyzer reports that changed or were moved to other categories or both This appendix also includes what reports were removed and wha...

Page 11: ...nowledge center contains short how to articles FAQs technical notes product and feature guides and much more Visit the Fortinet Knowledge Center at http kc forticare com Comments on Fortinet technical...


Page 13: ...ered device limits have increased See Maximum number of devices on page 76 for more information Web based manager change The Action column is now an unnamed column across all menus and tabs within the...

Page 14: ...r HA members Logs that are viewed on the FortiGate unit now contain device ID fields for HA members See the FortiGate Administration Guide and the FortiGate Log Message Reference for additional inform...

Page 15: ...arry forward The limit is now back to the maximum limit in FortiAnalyzer 3 0 MR4 This limit number prevents any loss of registered devices during upgrade You can view the limits for registered devices...

Page 16: ...e or all devices Reports Reports have been enhanced and modified for FortiAnalyzer 3 0 MR7 VoIP report charts were also included in FortiAnalyzer 3 0 MR7 These changes are also reflected in the CLI Se...

Page 17: ...nd view it in Report Browse You can also generate scheduled reports this way in Report Schedule When viewing generated reports in Report Browse the naming scheme is changed to the following On Demand...

Page 18: ...t you now are required to enter information in the following fields alert name destination or destinations device Another configuration change is a drop down list providing the destinations of syslog...

Page 19: ...es the following topics About administrative domains ADOMs Configuring ADOMs About administrative domains ADOMs Enabling ADOMs alters the structure and available functionality of the web based manager...

Page 20: ...nfigured System Network Interface System Network DNS System Network Routing System Admin Administrator System Admin Access Profile System Admin Auth Group System Admin RADIUS Server System Admin Setti...

Page 21: ...n a subset of devices in the device list and assigning them to administrator accounts you can restrict other administrator accounts to a subset of the FortiAnalyzer unit s total devices or VDOMs The a...

Page 22: ...dministrative Domain Configuration appears providing access to both Global Configuration and ADOM configuration See To add or edit an ADOM on page 22 to create ADOMs See Assigning administrators to an...

Page 23: ...restrict the ADOM to a specific VDOM enable Restrict to a FortiGate VDOM then enter the VDOM name 6 Select OK To disable ADOMs 1 Log in as admin Other administrators cannot enable disable or configur...

Page 24: ...this menu subset any changes you make affect this ADOM only and do not affect devices in other ADOMs or global FortiAnalyzer unit settings You can return to Administrative Domain Configuration by goin...

Page 25: ...mmary view of the current operating status of the FortiAnalyzer unit including any additional information happening on the network such as top attacks or what types of logs were received The Dashboard...

Page 26: ...widget a red dashed line outlines the widget s current destination and other widgets reposition themselves to display the resulting layout To refresh a Dashboard widget 1 Go to System Dashboard 2 Pla...

Page 27: ...e widget s title bar area Close appears on the right side of the title bar 3 Select Close A confirmation dialog appears 4 Select OK The widget is removed from the Dashboard layout Tabs Tabs provide a...

Page 28: ...of space in GB each has For example Disk 2 Ready 465 76GB You can configure RAID settings from the RAID Monitor area as well by selecting RAID Settings This option is only available when you move your...

Page 29: ...alized Disk space usage Displays the amount of disk used in both percentage and a fill line Used Free Total Displays the amount of used disk space available or free disk space and the total available...

Page 30: ...since the FortiAnalyzer was started or last rebooted System Time The current time according to the FortiAnalyzer internal clock Select Change to change the time or configure the FortiAnalyzer unit to...

Page 31: ...hboard displays information on features that vary by a purchased license or contract For more information about RVS remote vulnerability scanning updates see FortiGuard Center on page 70 Figure 7 Lice...

Page 32: ...device on page 80 CPU Usage The current CPU usage status The web based manager displays CPU usage for core processes only CPU usage for management processes for example for HTTPS connections to the we...

Page 33: ...session history for the previous minute Network Utilization The network use for the previous minute Note These operations are available only to users with the read and write access profile Reboot Res...

Page 34: ...select More alerts For more information about viewing alert messages see Viewing alert console messages on page 34 Viewing alert console messages Alert console messages provides a window on what is oc...

Page 35: ...a number of days lower than what you are currently viewing deletes the older alerts For example if you are viewing alerts for seven days and change the alerts to two days the FortiAnalyzer unit delete...

Page 36: ...ut on configuring IP address host names see Configuring IP aliases on page 60 Resolve Service Select to display network service names rather than port numbers such as HTTP rather than port 80 Refresh...

Page 37: ...Select OK Type Select either Log Type or Device If you choose Log Type the monitor displays the type of logs that are received from all registered devices and separates them into categories for examp...

Page 38: ...he devices This information is gathered from virus logs You can edit Virus Activity to display specific information The following procedure describes how to edit the Virus Activity widget Device Selec...

Page 39: ...widget Figure 16 Top FTP Traffic widget Device Select the registered device or device group from the drop down list Display by Select one of the following to filter the information Time Period filter...

Page 40: ...llowing procedure describes how to edit the Top Email Traffic widget Figure 17 Top Email Traffic widget To edit the information for Top Email Traffic 1 Go to System Dashboard 2 In Top Email Traffic se...

Page 41: ...P2P Traffic select Edit in the title bar area Device Select the registered device or device group from the drop down list Display by Select one of the following to filter the information Top Sources t...

Page 42: ...t Edit in the title bar area Type Select the type of program you want displayed either IM or P2P Device Select the registered device or device group from the drop down list Display by Select one of th...

Page 43: ...Dashboard 2 In Top Web Traffic select Edit Device Select the registered device or device group from the drop down list Display by Select one of the following to filter the information Top Sources to a...

Page 44: ...IP Address Enter the source IP address Filter Destination IP Address Enter the destination IP address Time Scope Select one of the following for the time range Hour filters the time by hour Day filter...

Page 45: ...t using the Fortinet Discovery Protocol FDP on page 85 IP Netmask Enter an IP address and network mask Administrative Access Select which methods of administrative access should be available on this i...

Page 46: ...ing unregistered device connection attempt handling on page 79 DNS Configure primary and secondary DNS servers to provide name resolution required by FortiAnalyzer features such as NFS shares To confi...

Page 47: ...inistrator accounts control the access level of each administrator account and control the IP address for connecting to the FortiAnalyzer unit This account is permanent and cannot be deleted from the...

Page 48: ...DIUS server on your network Delete Select to remove the administrator account You cannot delete the account named admin Edit Select to modify the account information Change Password Select to change t...

Page 49: ...ned an access profile Access profiles define administrator privileges to parts of the FortiAnalyzer configuration For example you can have a profile where the administrator only has read and write acc...

Page 50: ...you can create an authorization group To add a group 1 Go to System Admin Auth Group 2 Select Create New 3 Select the servers from Available Auth Servers to add to the group and select the right arro...

Page 51: ...and the PIN for the LCD panel You can also enable or disable administrative domains ADOMs To configure administrators go to System Admin Figure 25 Administrators Settings Name Enter a name to identify...

Page 52: ...mbfs could mount a FortiAnalyzer NFS network share Before a user can access files on the FortiAnalyzer network share network share user accounts and groups must be created network sharing Windows or N...

Page 53: ...using Windows sharing To view users with Windows share access to the FortiAnalyzer unit go to System Network Sharing Windows Share Figure 26 Windows network shares User name Enter a user name The nam...

Page 54: ...twork Sharing Windows Share 2 Select Create New 3 Select the Local Path button to define which folder on the FortiAnalyzer unit hard disk to share 4 Select OK 5 Enter the Share Name to describe the sh...

Page 55: ...privileges go to System Network Sharing NFS Export Figure 28 NFS shares To add a new NFS share configuration 1 Go to System Network Sharing NFS Export 2 Select Enable NFS Exports and select Apply 3 Se...

Page 56: ...g to setup and maintain miscellaneous features such as local logging log aggregation log forwarding IP aliases and LDAP connections Automatic file deletion and local log settings The FortiAnalyzer uni...

Page 57: ...e log file Log options when log disk is full The policy to follow for saving the current log and starting a new active log when the FortiAnalyzer disk is full Select Overwrite Oldest Files to delete t...

Page 58: ...reached maximum file size Optional Roll log files only when the log file reaches the maximum file size regardless of time interval This option appears only when Use System Device Log Settings is disab...

Page 59: ...the branch office log aggregation clients enabling headquarters to run reports that reflect all offices Figure 31 Example log aggregation topology All FortiAnalyzer models can be configured as a log a...

Page 60: ...tional log storage or processing The log forwarding destination Remote device IP may receive either a full duplicate or a subset of those log messages that are received by the FortiAnalyzer unit Log m...

Page 61: ...as rather than the IP address IP aliases can make logs and reports easier to read and interpret For example you could create an IP alias to display the label mailserver1 instead of its IP address 10 1...

Page 62: ...5 50 5 with hot spare If a hard disk fails and the selected RAID level cannot be accomplished using the number of remaining hard disks the FortiAnalyzer unit rebuilds the RAID using the default RAID...

Page 63: ...re solely used for mirroring This provides redundant data storage with no single point of failure Should any of the hard disks fail there are several backup hard disks available With a FortiAnalyzer 4...

Page 64: ...ata When you replace the failed hard disk the FortiAnalyzer unit uses the new hard disk as the new hot spare Hot swapping hard disks Hot swapping refers to removing a failed hard disk and replacing it...

Page 65: ...failed disk 2 Select Remove for the failed hard disk A message displays indicating it is safe to remove the disk from the drive 3 Remove the hard disk from the drive bay on the FortiAnalyzer unit On t...

Page 66: ...title bar area The RAID Monitor widget displays which hard disk has failed displaying a warning symbol next to the failed disk 2 Select Remove for the failed hard disk 3 Remove the hard disk from the...

Page 67: ...Configuring RAID on the FortiAnalyzer 2000 2000A and FortiAnalyzer 4000 4000A The FortiAnalyzer 2000 2000A has six hard disks and the FortiAnalyzer 4000 4000A has 12 hard disks For both units the dis...

Page 68: ...loss RAID Level Select a RAID level from the list The current RAID level is shown as the first RAID level in the list Total Disk Space The amount of disk space available within the RAID array Free Di...

Page 69: ...ttribute identifier used in the LDAP query filter By default the identifier is cn For example if the Base DN contains several objects and you want to include only objects whose cn Admins enter the Com...

Page 70: ...rtiAnalyzer unit s configuration upload and restore a FortiAnalyzer unit s configuration upload a firmware update Backup copies of the FortiAnalyzer unit configuration file can be encrypted with a pas...

Page 71: ...eduled RVS updates go to System Maintenance FortiGuard Center Encrypt configuration file Select to encrypt the backup file Enter a password in the Password field and enter it again in the Confirm fiel...

Page 72: ...e Manual updates are not a substitute for a connection to the FDN Like scheduled updates manual updates require that the FortiAnalyzer unit be able to connect to the FDN to validate its RVS license Re...

Page 73: ...hen connecting to the FDN through the web proxy Scheduled Update Enable scheduled updates then select the frequency of the update Every Daily or Weekly Every Select to update once every n hours then s...


Page 75: ...device to device list on the FortiAnalyzer unit FortiAnalyzer units either ignore the connection attempt or automatically add the device to its device list This connection attempt handling depends on...

Page 76: ...nfiguring unregistered device connection attempt handling on page 79 Name The name of the device in the device list This can be any descriptive name that you want assign to it and does not need to be...

Page 77: ...config fmsystem log fortianalyzer set secure_connection enable set psk presharedkey_str set localid devname_str end Caution The locked icon does not indicate successful secure transmission it only ind...

Page 78: ...istered devices the device may reappear in the device list Maximum number of devices Each FortiAnalyzer model is designed to support and provide effective logging and reporting capabilities for up to...

Page 79: ...ion about on blocked devices see Blocking device connection attempts on page 86 Once the FortiAnalyzer unit has exceeded its maximum number of allowed devices you will not be able to add devices to th...

Page 80: ...device s log data add devices automatically but do not keep data until you manually register them if the device is an unknown type allow the connection add as an unregistered device and keep a specif...

Page 81: ...ion register automatically and store up to N MB data Add the device to the registered device list for future configuration and addition to the FortiAnalyzer unit and save the log messages to the hard...

Page 82: ...ur Syslog server s documentation If there is no explicit option to log specifically to a FortiAnalyzer unit you can use options for remote logging to a Syslog server Due to the nature of connectivity...

Page 83: ...ce list or if you are editing an existing device This option does not appear if Device Type is Syslog or FortiClient Mode Select the high availability HA mode of the device If you are adding a single...

Page 84: ...ion privileges Tx and Rx of the device such as for sending and viewing log files content archives and quarantined files Available device connection privileges vary by Device Type Amounts following the...

Page 85: ...e Secure Connection on page 74 Classifying FortiGate network interfaces The FortiGate Interface Specification area enables you to functionally classify network interfaces and VLAN subinterfaces accord...

Page 86: ...FDP packets FortiGate units running FortiOS version 3 0 or greater can use FDP to locate a FortiAnalyzer unit To use FDP both units must be on the same subnet and they must be able to connect using U...

Page 87: ...ists on the subnet and is configured to reply to FDP packets it sends a reply and its IP address appears in the Connect To list If your FortiGate unit is connecting to a FortiAnalyzer unit from anothe...

Page 88: ...ed devices that you do not want in the FortiAnalyzer device list to free a spot in the device list Devices may automatically appear on your list of blocked devices This can occur when devices attempt...

Page 89: ...may appear in the device list as an Unregistered device according to your configuration of Unregistered Device Options For more information see Configuring unregistered device connection attempt handl...

Page 90: ...up 5 Select the devices to include in the group from the list of Available Devices and select the right pointing arrow 6 Select OK To delete a device group 1 Go to Device Group Device Group 2 In the r...

Page 91: ...elf focusing on specific log types and time frames The Log Viewer has two types of log viewing options The Real time tab displays the log messages most recently received by the FortiAnalyzer unit The...

Page 92: ...y when refreshing is started Start Select to start refreshing the log view This option appears only when refreshing is stopped Column Settings Select to change the columns to view and the order they a...

Page 93: ...page For more information see Displaying and arranging log columns on page 97 Search Enter a keyword to perform a simple search on the log information available Select Go to begin the search The numbe...

Page 94: ...evices and the FortiAnalyzer itself In this window you can view the log information download log files to your hard disk or delete unneeded files When a log file reaches its maximum size the FortiAnal...

Page 95: ...ctive log file appears as well as rolled log files Rolled log files include a number in the file name alog 2 log If you configure the FortiAnalyzer unit to upload rolled logs to an FTP site only the c...

Page 96: ...n IP addresses For more information about on configuring IP address host names see Configuring IP aliases on page 61 Resolve Service Select to display the network service names rather than the port nu...

Page 97: ...Log Files column locate a device and log type and then select blue arrows to expand and reveal the specific log file wlog log elog log etc that you want to download 3 In the Action column select Down...

Page 98: ...see To display logs in Raw or Formatted view 1 Go to a page which displays log messages such as Log Log Viewer Real time 2 Select Formatted or Raw If you select Formatted options appear that enable y...

Page 99: ...lds area Alternatively to hide all columns select the double left arrow To return all columns to their default displayed hidden status select Default 4 Select OK To change the order of the columns 1 G...

Page 100: ...ilter 1 In the heading of the column whose filter you want to disable select the filter icon A column s filter icon is green when the filter is currently enabled 2 To disable the filter on this column...

Page 101: ...column using a substring of the text contained by the column rather than the entire text contained by the column Searching the logs You can search the device log files for matching text using two sea...

Page 102: ...og messages which comprise search results All Words Select to require that matching log messages must contain all search keywords If a log message does not contain one or more keywords it will not be...

Page 103: ...tching text examine your keywords and filter criteria using the following search characteristics and recommendations Separate multiple keywords with a space type webfilter subtype activexfilter Keywor...

Page 104: ...ntains random substrings such as session IDs If your search keywords do not return enough results try one of the following Full Search shortening your keyword to the smallest necessary substring of th...

Page 105: ...or weekly occurrence and when the roll occurs When a log file reaches its maximum size or reaches the scheduled time the FortiAnalyzer unit saves the log files with an incremental number and starts a...

Page 106: ...et reached maximum file size Optional Roll log files only when the log file reaches the maximum file size regardless of time interval Enable log uploading Select to upload log files to an server when...

Page 107: ...30007 0082 20080908 107 Upload rolled files in gzipped format Select to compress the log files in gzipped format before uploading to the server Delete files after uploading Select to remove the log fi...


Page 109: ...e FortiGate unit to send content archives to the FortiAnalyzer unit see the FortiGate Administration Guide This section includes the following topics Viewing content archives Customizing the content a...

Page 110: ...default displays the content log messages in columnar format Selecting Raw displays the content log messages as they appear in the content log files View per page Select the number of rows of log ent...

Page 111: ...ve 2 Select Formatted or Raw Displaying and arranging log columns When viewing logs in formatted view you can display hide and re order columns to display only relevant categories of information in yo...

Page 112: ...umn Settings Lists of available and displayed columns for the log type appear 3 In the Display Fields area select a column name whose order of appearance you want to change 4 Select the up or down arr...

Page 113: ...1 2 2 100 You can also use the Boolean operator or to indicate multiple alternative matches 1 1 1 1 or 2 2 2 2 1 1 1 1 or 2 2 2 1 1 1 1 or 2 2 2 1 2 2 2 10 Most column filters require that you enter t...

Page 114: ...elimiting them with a comma and a space such as user1 example com user2 example com Subject Enter all or part of the subject line of the email Message Contains Enter all or part of a word or phrase in...

Page 115: ...08 113 To The recipient s email address Last activity The date and time that the FortiAnalyzer unit received the content archive Subject The subject line of the email Select the subject line of the em...


Page 117: ...tiAnalyzer reports After logs are collected or uploaded you can then define the three basic components that make up a report report layout the layout and the contents output and data filter templates...

Page 118: ...ore reports select the check box next to their report name then select Delete To delete all reports select the column heading check box All reports check boxes become select and then select Delete You...

Page 119: ...ion on usage and behavior Web_Filtering User_Activity is an overview of user web site activity plus detailed audit of all blocked sites and all sites visited Forensic Analysis is an overview of detail...

Page 120: ...formats for headers also need to be compatible with the chosen file format The same logo formats for the title page also apply to headers Device Type Select one of the device types from the drop down...

Page 121: ...17 Editing charts in a report layout You can edit charts at any time as well as rearrange the charts from within the Chart List You can also edit Text and Section as well The following procedure assum...

Page 122: ...the five items that have less than one percent are considered under Other and only Other displays on the pie diagram This issue occurs only when the pie chart style is selected The bar chart style is...

Page 123: ...ules Report schedules are configured after you have configured report layouts If you do not have a report layout you cannot configure a report schedule When configuring report schedules you can specif...

Page 124: ...n Now to run a report schedule immediately on demand instead of waiting for the scheduled time Caution When configuring a report schedule which contains both an output template and selected file forma...

Page 125: ...on the local time of the FortiAnalyzer unit or the selected devices Log time stamps reflect when the FortiAnalyzer unit received the message not when the device generated the log message If you have...

Page 126: ...Data filter options operate on specific log message fields For information about log message fields see the FortiGate Log Message Reference Create New Select to create a new data filter template and c...

Page 127: ...not the report itself Description Enter a description for the report This is optional Filter logic Select all to include only logs in the report that match all filter criteria If any aspect of a log...

Page 128: ...20 110 0 255 255 255 0 or 172 20 120 110 24 172 20 110 0 140 255 matches all IP addresses from 172 20 110 0 to 172 20 140 255 172 16 0 0 20 255 255 matches all IP addresses from 172 16 0 to 172 20 255...

Page 129: ...en use the arrow to move the level to the Selected Levels column If you want to remove a severity level from the Selected Levels column select the level first and then use the arrow to move the level...

Page 130: ...To configure the output for a report 1 Go to Report Config Output 2 Select Create New 3 Enter and or select the appropriate information for the fields and check boxes for the following E Mail Destinat...

Page 131: ...ic name for the attached report in the field This name will appear as the attachment s name and is not the report s actual name Email From Enter a sender email address for the FortiAnalyzer unit or ad...

Page 132: ...Big5 AR PL SungtiL GB DFPHSGothic W5 and Verdana The string file specifies pieces of text that may be used in various places throughout the report Each string line consists of a key followed by an equ...

Page 133: ...or example in these lines Localization uses a Latin character set html html_charset iso 8859 1 The comment is Localization uses a Latin character set The output type label is html the variable name is...

Page 134: ...file Note Both format and string files use Unix style line endings LF characters not CR LF Create New Select to create a new report language customization Language The name of the report language cus...

Page 135: ...port graph titles and Y axis labels for Font File select Browse and locate your font If your font is located in the system font folder you may need to first copy the font from the system font folder t...

Page 136: ...there are any errors with your files correct the errors then return to step 3 After successfully uploading and verifying your custom language becomes available as a report output language To delete a...

Page 137: ...1 2006 at 9 12 PM Select the blue arrow to expand the report to view the individual reports in HTML format Started The date and time when the FortiAnalyzer unit generated the report Finished The date...


Page 139: ...tined files Note Sending quarantine files to a FortiAnalyzer unit is available only on FortiGate units running FortiOS 3 0 or later FortiAnalyzer units do not accept quarantine files from devices that...

Page 140: ...t quarantined the file DC Duplicate count A count of how many duplicates of the same file were quarantined A rapidly increasing number can indicate a virus outbreak Size Bytes The file size of the qua...

Page 141: ...t if you want to receive an alert by email when your network detects an attack attempt You can choose to notify administrators by email SNMP or Syslog as well as the Alert Console Messages section of...

Page 142: ...essage filter text This text is used in conjunction with Trigger s and Device Selection to specify which log messages will trigger the FortiAnalyzer unit to send an alert message Enter an entire word...

Page 143: ...ng an email by SMTP fails the FortiAnalyzer unit will re attempt to send the message every ten seconds and never stop until it succeeds in sending the message or the administrator reboots the FortiAna...

Page 144: ...lerts You can configure the SNMP server where the FortiAnalyzer unit sends SNMP traps when an alert event occurs and which SNMP servers are permitted to access FortiAnalyzer SNMP system traps You must...

Page 145: ...and 28800 The default number is 600 seconds which is 10 minutes During the configured time period the SNMP agent evaluates the trap type for example CPU at every same frequency For example during 600...

Page 146: ...Analyzer traps RFC support includes most of RFC 2665 Ethernet like MIB and most of RFC 1213 MIB II FortiAnalyzer units also use object identifiers from the Fortinet proprietary MIB For your SNMP manag...

Page 147: ...apFlgEventCount Fortinet MIB System fields fnSysModel fnSysSerial fnSysVersion fnSysCpuUsage fnSysMemUsage fnSysSesCount fnSysDiskCapacity fnSysDiskUsage fnSysMemCapacity Fortinet MIB Administrator Ac...

Page 148: ...FortiAnalyzer unit to communicate an alert To view the SNMP servers go to Alert Output Syslog Server Figure 4 Syslog server list Adding a Syslog server You can add a Syslog server to send alerts by th...

Page 149: ...07 0082 20080908 141 3 Configure the following options and select OK Name Enter a name for the SNMP server IP address or FQDN Enter the IP address or fully qualified domain name for the SNMP server Po...

Page 151: ...k Analyzer. It also describes Network Analyzer log storage configuration options. Network Analyzer is not visible in Tools > Network Analyzer until enabled in the CLI. To enable Network Analyzer, access the...

Page 152: ...ernet cable to the span or mirroring port of an Ethernet switch. If connected to the span or mirror port of a switch, Network Analyzer will be able to observe all traffic passing through the switch. 3. In...

Page 153: ...Network Analyzer. To view the most recent traffic, go to Tools > Network Analyzer > Real-time. Figure 2: Viewing current Network Analyzer logs. Stop: Select to stop the traffic sniffing. When selected, Stop chan...

Page 154: ...figuring IP aliases on page 61. Resolve Service: Select to display the network service names rather than the port numbers, such as HTTP rather than port 80. View n per page: Select the number of rows of lo...

Page 155: ...r log file list. Viewing Network Analyzer log file contents: The Browse tab enables you to view all log messages within Network Analyzer log files. If you display the log messages in Formatted view, you c...

Page 156: ...umns to view and the order they appear on the page. For more information, see Displaying and arranging log columns on page 148. Search: Enter a keyword to perform a simple search on the log information av...

Page 157: ...a, then select OK. Filtered columns now have a green filter icon, and Download Current View appears next to Printable Version. 5. Select Download Current View. 6. Select any download options you want and sel...

Page 158: ...ant to see. To display logs in Raw or Formatted view: 1. Go to a page which displays log messages, such as Tools > Network Analyzer > Real-time. 2. Select Formatted or Raw. If you select Formatted, options appear...

Page 159: ...able and displayed columns for the log type appear. 3. In the Display Fields area, select a column name whose order of appearance you want to change. 4. Select the up or down arrow to move the column in th...

Page 160: ...n's filter icon is gray when the filter is currently disabled. Filtering tips: When filtering by source or destination IP, you can use the following in the filtering criteria: a single address (2.2.2.2), an...

Page 161: ...haracters or log fields not supported by Quick Search. Full Search performs an exhaustive search of all log fields, both indexed and unindexed, but is often slower than Quick Search. Figure 8: Network Anal...

Page 162: ...earch. Keywords must literally match log message text, with the exception of case insensitivity and wild cards; resolved names and IP aliases will not match. Some keywords will not match unless you includ...

Page 163: ...address appears in log messages, the second keyword (the protocol) does not match UDP log messages, and so the match fails for UDP log messages. If the match fails, the log message is not included in the s...

Page 164: ...it is time to roll the log file. You configure the time to be either a daily or weekly occurrence, and when the roll occurs. When a log file reaches its maximum size or reaches the scheduled time, the Fo...

Page 165: ...use the log rolling and uploading options. Reuse settings from standard logs: Select to use the same log rolling and uploading settings that you set for standard log files, configured in Logs > Config > Log...

Page 166: ...name. Password: Enter the password required to connect to the upload server. Confirm Password: Re-enter the password to verify correct entry. Directory: Enter a location on the upload server where the log...

Page 167: ...ility checks supported by the scan modules, see Viewing vulnerability scan modules on page 161. File Explorer provides information about what files are on your FortiAnalyzer unit. Accessing these files h...

Page 168: ...You may want to consider temporarily removing obstacles that prevent the vulnerability scan from reliably connecting to the intended target hosts on the required standard port numbers. If you do not re...

Page 169: ...cribes how to modify the local security policy of a Windows XP target host for which you have configured a local administrator account. This procedure may vary for other versions of Windows or for targ...

Page 170: ...However, if the target host is connected to a domain and this policy conflicts with the domain or other security model with higher precedence, the policy may be overridden during the next Group Policy...

Page 171: ...account and assign it to the same user group as the root account. Steps to enable the root account vary by Unix variant. If you do not enable and provide the root account, or an account with equivalent...

Page 172: ...ur preparation may differ. For more information, see Preparing for the vulnerability scan job on page 157. Update RVS modules before you begin the vulnerability scan job to ensure that your vulnerability...

Page 173: ...re the network and target hosts for the vulnerability scan job. You may also want to update the RVS modules and engine to ensure that the report tests for the latest known security issues. For more info...

Page 174: ...ak or default user account security policies without providing an administrator login, or performing many of the other Windows-related vulnerability scan modules. To view current or scheduled vulnerabil...

Page 175: ...er selecting Remote Authentication. Password: Enter the password for the target host(s). This option is only available after selecting Remote Authentication. Quick Scan: Select to perform a quick port scan...

Page 176: ...from the following: HTML, PDF, MS Word, RTF. See Viewing vulnerability scan reports on page 166 to view finished reports stored on the FortiAnalyzer unit's hard disk. Email output: If you want to email the...

Page 177: ...For more information, see Preparing for the vulnerability scan job on page 157. Vulnerability scan job reports will not appear in the list of vulnerability scan job reports before the vulnerability scan...

Page 178: ...the vulnerability scan job on page 157. File Explorer: The File Explorer menu allows administrators to view and browse through the files on their FortiAnalyzer unit. To view and browse through these file...

Page 179: ...Tools File Explorer FortiAnalyzer Version 3.0 MR7 Administration Guide 05-30007-0082-20080908 169. Figure 5: File Explorer. Figure 6: File Explorer with Storage directory expanded...

Page 181: ...s to your configuration. Installing a patch release without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues. This chapter includes the following se...

Page 182: ...ou can enter a password if required. To back up your configuration file using the CLI: Enter the following to back up the configuration: execute backup config <filename> <address_ip> <passwd>. This may take a f...

Page 183: ...file. To back up log files using the CLI: Enter the following to back up all log files: execute backup logs all {ftp | sftp | scp | tftp} <server_ipv4> <username_str> <password_str> <directory_str>. If you are using a T...

Page 184: ...mware image before upgrading: 1. Copy the new firmware image file to the root directory of the TFTP server. 2. Start the TFTP server. 3. Log into the CLI. 4. Enter the following command to ping the computer r...

Page 185: ...as the TFTP server, but make sure you do not use an IP address of another device on the network. The following message appears: Enter firmware image file name [image.out]: 11. Enter the firmware image file...

Page 186: ...Reiser to EXT3. The EXT3 file system provides better stability. You can upgrade to the EXT3 file system if upgrading to FortiAnalyzer 3.0 MR3 and higher. See the FortiAnalyzer CLI Reference for more inf...

Page 187: ...FortiLog 1.6, while others may not have, such as the Destination in Alerts > Event configuration. Go to System > Maintenance > Backup Restore to save the configuration settings that carried forward. Upgrading...

Page 188: ...d successfully: get system status. 9. Update AV/NIDS definitions so that they are current with the new firmware. Verifying the upgrade: After logging back into the web-based manager, most of your FortiLog 1...

Page 189: ...ng to factory defaults or installing a patch release. Downgrading to FortiLog 1.6: When downgrading to FortiLog 1.6, no settings are carried forward. If you created additional settings in FortiAnalyzer 3...

Page 190: ...the FortiAnalyzer unit and TFTP server are successfully connected. 5. Enter the following command to copy the firmware image from the TFTP server to the FortiAnalyzer unit: execute restore image tftp na...

Page 191: ...ersion 3.0 MR7 Administration Guide 05-30007-0082-20080908 179. 8. Reconnect to the CLI. 9. Enter the following command to confirm the firmware image installed successfully: get system status. See Restoring...

Page 192: ...o factory defaults or may be corrupted. Use the recovery procedure appropriate for your FortiAnalyzer unit model to restore the firmware from a TFTP server. For more information about connecting to the...

Page 193: ...dress 192.168.1.188. 9. Type an IP address for the FortiAnalyzer unit and press Enter. The FortiAnalyzer unit will temporarily assign this IP address to the interface to connect to the TFTP server and do...

Page 194: ...The following restores your FortiLog 1.6 configuration settings using the CLI. To restore configuration settings using the CLI: 1. Copy the backup configuration file to the root directory of the TFTP s...

Page 195: ...he FortiAnalyzer unit uploads the backup configuration file. After the file uploads, a message similar to the following is displayed: Getting file confall from tftp server 192.168.1.168 Restoring files A...

Page 197: ...ges. The following explains the changes that occurred with the available reports that you can choose when configuring reports. This section includes the following topics: FortiGate reports, Summary Report...

Page 198: ...ons for Most Common Attacks, Top Attack Destinations by Type, Top Attacks for Most Common Destinations, Top Attack Destinations by Source, Top Sources for Most Common Destinations, Top Attack Types by Sour...

Page 199: ...rotocols with Antivirus Violations Breakdown Infected Oversize Filename, Top AV Event Senders by Type, Top Sources (Email or IP) with Antivirus Violations Breakdown Infected Oversize Filename, Top AV Event...

Page 200: ...ources over FTP, Top Virus Sources over FTP by Date, Top Virus Sources over FTP, Top Virus Sources over FTP by Month, Top Virus Sources over FTP, Top Virus Destinations over FTP by Hour of Day, Top Virus De...

Page 201: ...irus Activity reports. Table 12: WebFilter Activity reports (MR6 reports / MR7 reports): Web Hits by Status, Total Hits per Status (allowed, blocked, etc.), Blocked Web Hits by Date, Blocked Web Activity over Time, P...

Page 202: ...s, Top Blocked Web Risk Groups, Top Web Risk Groups Hits, Top Requested Web Risk Groups, Top Web Clients by Web Site Hits, Top Web Sites for Most Active Users, Top Blocked Web Clients by Web Site Hits, Top W...

Page 203: ...tatus and Date, Mail Summary by Email Size, Mail Count Status and Date, Mail Summary by Email Count. Table 13: Antispam Activity reports. Table 14: IM reports (MR6 reports / MR7 reports): IM Activity by Action an...

Page 204: ...per IM Protocol. Table 14: IM reports. Table 15: VoIP reports (MR7 reports): VoIP Traffic by Date, VoIP Traffic by Month, VoIP Traffic by Day of Week, VoIP Traffic by Hour of Day, VoIP Traffic by Direction, Top V...

Page 205: ...Month, SIP Call Registers by Day of Week, SIP Call Registers by Hour of Day, SIP Call Durations, Top SIP Called Numbers by Date, Top SIP Called Numbers by Month, Top SIP Called Numbers by Day of Week, Top SI...

Page 206: ...r of Inspected Messages per Application. Table 17: Network Activity reports (MR6 reports / MR7 reports): Traffic Volume by Direction and Date, Traffic Volume by Direction, Traffic Volume by Direction and Month...

Page 207: ...by Time Period, Web Traffic by Month, Web Volume by Time Period, Web Traffic by Day of Week, Web Volume by Time Period, Web Traffic by Hour of Day, Web Volume by Time Period, Web Traffic by Direction, Web Vo...

Page 208: ...me Size by Time, Mail Traffic by Month, Mail Volume Size by Time, Mail Traffic by Day of Week, Mail Volume Size by Time, Mail Traffic by Hour by Day, Mail Volume Size by Time, Mail Traffic by Direction, Mail...

Page 209: ...by Service and Date, Terminal Traffic Volume per Service (Telnet, SSH), Terminal Traffic by Service and Month, Terminal Traffic Volume per Service (Telnet, SSH), Terminal Traffic by Service and Day of Week, Term...

Page 210: ...ces, Top VPN Traffic Destinations, Top VPN Destinations, VPN Traffic by Direction, VPN Traffic Volume per Direction, Top VPN Tunnels Date Traffic, Top VPN Tunnels, Top VPN Tunnels by Month Traffic, Top VPN Tu...

Page 211: ...ce. Table 23: Event Activity reports. Table 24: P2P Activity reports (MR6 reports / MR7 reports): P2P Activity by Protocol, Total Events per P2P Protocol, P2P Activity by Action and Date, Total Pass/Block Events...

Page 212: ...Gnutella Local Peers, Top Allowed Gnutella Local Peers by Month, Top Allowed Gnutella Local Peers, Top Blocked Gnutella Local Peers by Date, Top Blocked Gnutella Local Peers, Top Blocked Gnutella Local Pe...

Page 213: ...trusion Activity, Total IPS Events Detected, Top Destinations by Volume, Network Analysis, Total IPS by Attack ID, Top Devices by Antivirus Violations, AntiVirus Activity, Total IPS by Source, Top Attack Sour...

Page 214: ...ble, Sites by Blocked Categories, All Blocked Web Sites per Category, AntiSpam Activity, Sites by Permitted Categories, All Allowed Web Sites per Category, AntiSpam Activity, Sites by Access Time, All Request...

Page 215: ...locked Categories by Hits, Top Blocked Web Risk Group, WebFilter Activity, Accessed Sub-categories, Top Allowed Sub-Categories, WebFilter Activity with time scale set to by date, Blocked Sub-categories by H...

Page 216: ...by Day of Month, Top Remote Address, Top Remote Address by Week of Year, Top Remote Address, Top Remote Address by Month, Top Remote Address, Spam Filter by Date, Spam Filter, Spam Filter by Hour of Day, Spam...

Page 217: ...e 29: Mail High Level reports. Table 30: Mail Sender reports (MR6 reports / MR7 reports): Top Sender by Date, Top Sender, Top Sender by Hour of Day, Top Sender, Top Sender by Day of Week, Top Sender, Top Sender by...

Page 218: ...Sender MSISDN, Top Sender MSISDN by Month, Top Sender MSISDN. Table 30: Mail Sender reports. Table 31: Mail Recipient Activity reports (MR6 reports / MR7 reports): Top Recipient by Date, Top Recipient, Top Recipie...

Page 219: ...ender by Hour of Day, Top Spam Sender, Top Spam Sender by Day of Week, Top Spam Sender, Top Spam Sender by Day of Month, Top Spam Sender, Top Spam Sender by Week of Year, Top Spam Sender, Top Spam Sender by M...

Page 220: ...er, Top Remote Spam Sender by Day of Month, Top Remote Spam Sender, Top Remote Spam Sender by Week of Year, Top Remote Spam Sender, Top Remote Spam Sender by Month, Top Remote Spam Sender, Top Remote Spam Do...

Page 221: ...nth, Top Local Spam Recipient, Top Local Spam Recipient by Week of Year, Top Local Spam Recipient, Top Local Spam Recipient by Month, Top Local Spam Recipient, Top Remote Spam Recipient by Date, Top Remote S...

Page 222: ...p Virus IP by Day of Month, Top Virus IP, Top Virus IP by Week of Year, Top Virus IP, Top Virus IP by Month, Top Virus IP, Top Local Virus Sender by Date, Top Local Virus Sender, Top Local Virus Sender by Hou...

Page 223: ...N by Day of Month, Top Virus MSISDN, Top Virus MSISDN by Week of Year, Top Virus MSISDN, Top Virus MSISDN by Month, Top Virus MSISDN. Table 36: Virus Sender reports. Table 37: Virus Recipient reports (MR6 repor...

Page 224: ...ed Web Sites by User, Top Visited Web Sites by User, FortiClient Antispam Activity, Top Blocked Mail Senders, Top Blocked Mail Receivers, Top Remote Virus Recipient by Day of Month, Top Remote Virus Recipie...

Page 225: ...up configuration using the CLI 170 using web based manager 170 backing up log files 170 backup 69 blocked devices 77 79 86 Boolean operator 99 111 150 browse log 93 network analyzer 144 sniffer 144 b...

Page 226: ...b proxy 71 connection 71 Fortinet Distribution Network 70 71 162 FDP Fortinet Discovery Protocol 47 85 icon 45 file extension 96 97 104 147 153 165 170 format 165 permissions 55 56 transfer 107 file e...

Page 227: ...atus 45 intrusion activity dashboard 38 intrusion prevention system IPS 158 IP address 45 46 IP alias 35 60 importing from file 61 resolve host names 108 IPSec VPN tunnel 74 86 log 57 K known device t...

Page 228: ...ystem NFS 53 mask 45 46 sniffer 144 time protocol 29 network analyzer browse 144 column view 143 delete after download 155 download logs 147 enable 141 154 filter 149 gzip 155 historical viewer 143 re...

Page 229: ...FortiMail reports 203 reset configuration 30 33 resolve host names 35 60 108 logs 94 143 network analyzer 143 145 See also IP alias restart 33 restore configuration file 69 default configuration 33 fi...

Page 230: ...email traffic dashboard 41 top ftp traffic dashboard 40 top im p2p traffic dashboard 42 top traffic dashboard 43 top web traffic dashboard 44 traffic sessions 32 35 traps SNMP 136 trusted host 48 49...

Page 231: ...er Version 3.0 MR7 Administration Guide 05-30007-0082-20080908 219 registered device's hard limits 15 report configuration enhancements 16 voip reports 17 Windows AD See LDAP Windows shares 53 54 X XM...
