Fortinet 3.0 MR7 manual



A good user manual

The rules oblige the reseller to supply the buyer with the manual together with the Fortinet 3.0 MR7 product. A missing manual, or incorrect information supplied to the consumer, is grounds for a complaint that the product does not conform to the contract. By law, the manual may be supplied in a form other than paper, which is frequently done by attaching a graphical or electronic Fortinet 3.0 MR7 manual or instructional videos for users. The condition is that the form be legible and understandable.

What is a manual?

The word comes from the Latin "instructio", to instruct. In the Fortinet 3.0 MR7 manual you will therefore find a description of the stages of the process. The purpose of the manual is to instruct, making it easier to start up and use the equipment or to perform certain tasks. The manual is a collection of information about the object or service, a guide.

Unfortunately, few users take the time to read the Fortinet 3.0 MR7 manual, yet a good manual not only lets you get to know a number of additional features of the device but also prevents most failures.

So what should the perfect manual contain?

First of all, the Fortinet 3.0 MR7 manual should contain:
- technical data of the Fortinet 3.0 MR7 device
- the manufacturer's name and the year of manufacture of the Fortinet 3.0 MR7 device
- instructions for use, adjustment and maintenance of the Fortinet 3.0 MR7 device
- safety signs and certificates confirming compliance with the relevant standards

Why don't you read manuals?

Usually this is due to lack of time and to confidence about the specific functionality of the purchased device. Unfortunately, simply connecting and starting up the Fortinet 3.0 MR7 is not enough. The manual contains a number of guidelines on specific features, safety, maintenance methods (including which products should be used), possible Fortinet 3.0 MR7 defects and ways to solve common problems during use. Finally, the manual gives the contact details of Fortinet service, should the proposed solutions prove ineffective. Nowadays, manuals in the form of engaging animations and instructional videos, which speak to the user better than a leaflet does, are highly appreciated. This kind of manual gives the user a chance to go through the whole instructional video without skipping the complicated Fortinet 3.0 MR7 specifications and technical descriptions, as happens with the paper version.

Why read manuals?

First of all, they contain the answers about the construction and capabilities of the Fortinet 3.0 MR7 device, the use of individual accessories, and a range of information for making full use of all its features and conveniences.

After the successful purchase of a piece of equipment or a device, it is worth taking a moment to become familiar with every part of the Fortinet 3.0 MR7 manual. Nowadays, manuals are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic function of providing information.

Manual contents

  • Page 1

    www.fortinet.com FortiAnalyzer Version 3.0 MR7 ADMINISTRATION GUIDE[...]

  • Page 2

    FortiAnalyzer Administration Guide Version 3.0 MR7, 08 September 2008, 05-30007-0082-20080908. © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical o[...]

  • Page 3

    Contents: Introduction 9; About this document 9; Fortinet documentation [...]

  • Page 4

    Contents: Viewing session information 35; Filtering session information 36; Report Engine [...]

  • Page 5

    Contents: Hot swapping the FortiAnalyzer-2000/2000A and FortiAnalyzer-4000/4000A 66; Configuring RAID on the FortiAnalyzer-400 and FortiAnalyzer-800/800B 67; Configuring RAID on th[...]

  • Page 6

    Contents: Customizing the content archive view 108; Displaying and arranging log columns 109; Filtering logs [...]

  • Page 7

    Contents: Searching the Network Analyzer logs 150; Search tips 152; Printing the search results [...]

  • Page 8

    Contents: Appendix: FortiAnalyzer reports in 3.0 MR7 185; FortiGate reports 185; Intrusion Activity [...]

  • Page 9

    Introduction. FortiAnalyzer units are network appliances that provide integrated log collection and reporting tools. Reports analyze logs for email, FTP, web browsing, security events, and other network activity to help identify sec[...]

  • Page 10

    Fortinet documentation. • Reports describes how to configure report profiles for one-time or scheduled reports on your network devices, users, or groups. • Alert describes how to define log message criteria that signify critical network events. As log [...]

  • Page 11

    Fortinet Tools and Documentation CD. All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For[...]

  • Page 12

    Customer service and technical support[...]

  • Page 13

    What's new for 3.0 MR7. This section lists and describes the new features and changes in FortiAnalyzer 3.0 MR7. The chapter "Managing firmware versions" on page 169 provides detailed information about how to properly upgrade to F[...]

  • Page 14

    • Network Summary menu removed – The Network Summary menu was removed in FortiAnalyzer 3.0 MR7. This menu was removed because most of the information that previously displayed now displays as widgets on the Dashboard. See "Dashboard"[...]

  • Page 15

    3.0 MR7 new features and changes. The following descriptions include only menus containing new features, changes to features, or both. Additional information is provided within this document. Power supply monit[...]

  • Page 16

    For the Log Receive Monitor widget, a diagnose command will be introduced to provide information about total message rate, message rate per protocol, and message rate per device in the CLI. See "System" on p[...]

  • Page 17

    Fortinet recommends configuring a test report layout and report schedule to familiarize yourself with how reports are configured in FortiAnalyzer 3.0 MR7. See "Reports" on page 113 about how to configure re[...]

  • Page 18

    Alert email configuration changes. When configuring an alert email in Alert > Alert Event, you are now required to enter information in the following fields: • alert name • destination (or destinations[...]

  • Page 19

    Administrative Domains (ADOMs). Administrative Domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer unit administrators' access privileges to a subset of devices in t[...]

  • Page 20

    • If ADOMs are enabled and you log in as admin, you first access Administration Domain Configuration. A superset of the typical menus and CLI commands appear, allowing unrestricted access and ADOM [...]

  • Page 21

    • If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. A subset of the typical menus or CLI commands appear, allowing access to only l[...]

  • Page 22

    Configuring ADOMs. Administrative domains (ADOMs) are disabled by default. To use administrative domains, the admin administrator must first enable the feature, create ADOMs, and assign other FortiAnalyzer administra[...]

  • Page 23

    To add or edit an ADOM: 1 Log in as admin. Other administrators cannot enable, disable, or configure ADOMs. 2 Select Create New, or select the check box next to an ADOM and select Edit. 3 Enter a Name for the ADOM. 4 Se[...]

  • Page 24

    Accessing ADOMs as the admin administrator. When ADOMs are enabled, additional ADOM items become available to the admin administrator and the structure of the web-based manager menu changes. Afte[...]

  • Page 25

    System. The System menu contains basic FortiAnalyzer unit system settings, such as network interfaces, DNS, routing, local logging, administrators, and network shares, and displays system statistics and provides basic system operations from the[...]

  • Page 26

    Figure 1: Dashboard of a FortiAnalyzer-100A unit displaying one of the new widgets, Log Receive Monitor, and a tab, Branch Office. To rearrange a Dashboard widget: 1 Go to System > Dashboard. 2 Place your mouse cursor over the widget's title bar ar[...]

  • Page 27

    3 Select Show or Hide. The widget toggles between showing the full widget and being minimized to show only its title bar. To include a Dashboard widget: 1 Go to System > Dashboard. 2 Select "+ Widget". 3 A widget selection overlay appears. 4 Se[...]

  • Page 28

    3 Enter a new name and press Enter. To delete a tab: 1 Go to System > Dashboard. 2 Double-click on the name of the tab and select the (X) symbol. RAID Monitor. The RAID Monitor area of the Dashboard displays information about the status of RAID di[...]

  • Page 29

    Figure 4: RAID Monitor displaying a disk that is being rebuilt. System Information. The System Information area of the Dashboard displays basic information about the FortiAnalyzer unit, such as up time and firmware version. Array Status: Displays the fol[...]

  • Page 30

    Figure 5: System Information. Setting the time. Set the system time to ensure correct report time ranges and scheduling and accurate logging. You can either manually set the FortiAnalyzer system time or you can configure the FortiAnalyzer unit to autom[...]

  • Page 31

    Changing the host name. Change the FortiAnalyzer host name to differentiate the FortiAnalyzer from other FortiAnalyzer units or other devices on your network. To change the host name: 1 Go to System > Dashboard. 2 In the System Information area, sel[...]

  • Page 32

    System Resources. The System Resources area of the Dashboard displays use of the FortiAnalyzer unit's resources, including CPU, memory (RAM) and hard disk. Figure 8: System Resources. Viewing operational history. The System resource history page disp[...]

  • Page 33

    To view the FortiAnalyzer operational history: 1 Go to System > Dashboard. 2 Select History in the upper right corner of the System Resources area. System Operation. Some basic operations can be performed directly from the Dashboard in the System O[...]

  • Page 34

    Resetting to the default configuration. You can reset the FortiAnalyzer unit to its default configuration. Resetting the configuration does not restore the original firmware. Configuration and firmware are distinct. Use the procedures in "Managing [...]

  • Page 35

    Figure 10: Alert messages. Statistics. The Statistics area of the Dashboard counts the numbers of sessions, logs, and reports handled by the FortiAnalyzer unit. Figure 11: Statistics. Viewing session information. Session information displays information[...]

  • Page 36

    To view the session information: 1 Go to System > Dashboard. 2 In the Statistics area, next to Connections, select Details. Filtering session information. You can filter the contents to find specific content. Each column of data includes a gray[...]

  • Page 37

    Log Receive Monitor. The Log Receive Monitor displays historical analysis of the rate at which logs are received. This widget displays this information in a graphical format. You can display information by the type of logs or by device and you can also s[...]

  • Page 38

    Intrusion Activity. Intrusion Activity displays the top attacks that occurred on the network. This information is gathered from attack logs. You can edit the Intrusion Activity widget to display specific information by using the following procedur[...]

  • Page 39

    Figure 15: Virus Activity widget. To edit the information for Virus Activity: 1 Go to System > Dashboard. 2 In Virus Activity, select Edit in the title bar area. 3 Enter the appropriate information for the following: 4 Select OK. Top FTP Traffi[...]

  • Page 40

    To edit the information for Top FTP Traffic: 1 Go to System > Dashboard. 2 In Top FTP Traffic, select Edit in the title bar area. 3 Enter the appropriate information for the following: 4 Select OK. Top Email Traffic. Top Email Traffic displa[...]

  • Page 41

    3 Enter the appropriate information for the following: 4 Select OK. Top IM/P2P Traffic. Top IM/P2P Traffic displays the top instant messaging and P2P programs used, using a bar chart. The information displays each IM and P2P program separately by use[...]

  • Page 42

    3 Enter the appropriate information for the following: 4 Select OK. Top Traffic. Top Traffic displays the total amount of traffic for FortiGate units. Top Traffic uses traffic logs in determining the total amount of traffic. This information dis[...]

  • Page 43

    3 Enter the appropriate information for the following: 4 Select OK. Top Web Traffic. Top Web Traffic displays the total web traffic usage on the network. This information is displayed as a bar chart. Information for this widget is gathered from t[...]

  • Page 44

    3 Enter the appropriate information for the following: 4 Select OK. Network. Use the network settings to configure the FortiAnalyzer unit to operate in your network. Basic network settings include configuring interfaces, DNS settings and static routes[...]

  • Page 45

    Changing interface settings. To change the interface settings: 1 Go to System > Network > Interface. 2 In the row corresponding to the interface you want to change, select Modify. 3 Configure the following options: 4 Select OK. Status: The stat[...]

  • Page 46

    About Fortinet Discovery Protocol. FortiGate units running FortiOS version 3.0 or greater can use Fortinet Discovery Protocol (FDP), a UDP protocol, to locate a FortiAnalyzer unit. When a FortiGate administrator selects Automatic Discovery, the FortiGat[...]

  • Page 47

    Adding a route. Static routes provide the FortiAnalyzer unit with the information it needs to forward a packet to a particular destination other than the default gateway. To add a static route: 1 Go to System > Network > Routing. 2 Select Create Ne[...]

  • Page 48

    Adding or editing an administrator account. You can add, edit or delete a FortiAnalyzer administrator account, except the default administrator admin administrator account. When configuring the administrator's information, you can add the @ symbol t[...]

  • Page 49

    Changing an administrator's password. The admin administrator and administrators with read and write permissions can change their own account passwords. Administrators with read-only permissions cannot change their own password. Instead, the admin admin[...]

  • Page 50

    Figure 24: Access Profile. To create an access profile: 1 Go to System > Admin > Access Profile. 2 Select Create New. 3 Enter a name for the profile. 4 Select a filter for each option: Auth Group. Auth Group enables you to group RADIUS servers into [...]

  • Page 51

    RADIUS Server. RADIUS servers authenticate administrators. The following procedure explains how to add a RADIUS server for authenticating administrators. To add a RADIUS server: 1 Go to System > Admin > RADIUS Server. 2 Select Create New. 3 Configur[...]

  • Page 52

    Monitor. The Monitor page enables the admin administrator to view other administrators currently logged in to the FortiAnalyzer unit. The admin administrator can disconnect other administrators, should the need arise. To monitor current adminis[...]

  • Page 53

    3 Enter the following information for the user account and select OK: Adding share groups. You can create network share user groups to maintain access privileges for a large number of users at once. To add a user group: 1 Go to System > Network[...]

  • Page 54

    To enable Windows shares: 1 Go to System > Network Sharing > Windows Share. 2 Select Enable Windows Network Sharing. 3 Enter a Workgroup name. 4 Select Apply. 5 Configure a share folder and user permissions to access that share. For [...]

  • Page 55

    7 Select the type of access rights the users and groups will have and select the appropriate right arrow to move the user or group name to the Read-Only Access or Read-Write Access boxes. 8 Select Ok. Configuring NFS shares. You can configure the [...]

  • Page 56

    5 Select OK. 6 In Remote Clients, enter the IP address or domain name of the remote system or user ID. 7 Select the type of Permission required and select Add. 8 Select OK. Default file permissions on NFS shares. By default, when a user adds a new file or f[...]

  • Page 57

    Figure 30: FortiAnalyzer unit log settings. Log Locally: Select to save the FortiAnalyzer log messages on the FortiAnalyzer hard disk. Log Level: Select the severity level for the log messages recorded to the FortiAnalyzer hard disk. The FortiAnalyzer u[...]

  • Page 58

    Configuring log aggregation. Log aggregation is a method of collecting log data from one or more FortiAnalyzer units to a central FortiAnalyzer unit. Log aggregation involves one or more FortiAnalyzer units configured to act as aggregation clients, an[...]

  • Page 59

    For example, a company may have a headquarters and a number of branch offices. Each branch office has a FortiGate unit and a FortiAnalyzer-100A/100B to collect local log information. Those branch office FortiAnalyzer units are configured as log aggreg[...]

  • Page 60

    Configuring an aggregation client. An aggregation client is a FortiAnalyzer unit that sends logs to an aggregation server. These include models such as the FortiAnalyzer-100A/100B and FortiAnalyzer-400. To configure the aggregation client: 1 Go to System [...]

  • Page 61

    3 Enter the IP address of the external syslog server in Remote device IP. 4 Select whether to Forward all incoming logs or Forward only authorized logs (authorized according to a device's permissions in the device list). 5 Select the Minimum Severity [...]

  • Page 62

    3 Enter the path and file name or select Browse to locate the file. 4 Select OK. IP alias ranges. When adding an IP alias you can include an IP address range as well as individual addresses. For example: • 10.10.10.1 - 10.10.10.50 • 10.10.10.1 - 10.10.[...]

  • Page 63

    Linear. A linear RAID level combines all hard disks into one large virtual disk. It is also known as concatenation or JBOD (Just a Bunch of Disks). The total space available in this option is the capacity of all disks used. There is very little performanc[...]

  • Page 64

    RAID 10. RAID 10 (or 1+0) includes nested RAID levels 1 and 0, or a stripe (RAID 0) of mirrors (RAID 1). The total disk space available is the total number of disks in the array (a minimum of 4) divided by 2. Any drive from a RAID 1 array can fail with[...]

  • Page 65

    You can use any brand of hard disk to replace a failed hard disk, as long as it has the same capacity or greater. For example, if replacing a 120 GB hard drive, you could use either a 120 GB or 250 GB hard drive. Hot swapping in the FortiAnalyzer-400 an[...]

  • Page 66

    Hot swapping the FortiAnalyzer-2000/2000A and FortiAnalyzer-4000/4000A. The following diagram indicates the drive numbers and their location in the FortiAnalyzer unit when you are looking at the front of the unit. Refer to this diagram before removing the d[...]

  • Page 67

    The options available here will depend on the RAID level selected. For most RAID levels, you can only add the new hard disk back into the RAID array. If you are running a RAID level with hot spare, you can also add the new hard disk as the hot spare. Config[...]

  • Page 68

    RAID settings can be configured from the Dashboard, in the RAID Monitor widget, as well as from System > Config > RAID. Figure 33: FortiAnalyzer-2000/2000A RAID settings. Configuring LDAP connections. On the LDAP tab, you can configure an LDAP quer[...]

  • Page 69

    Figure 34: LDAP settings. To define an LDAP server query: 1 Go to System > Config > LDAP. 2 Select Create New. Complete the following: LDAP Distinguished Name. Query Name: Enter the name for the LDAP server query. Server Name/IP: Enter the LDAP server[...]

  • Page 70

    3 Select OK. The LDAP query becomes an available option when configuring variables for report profiles. For more information, see "Configuring reports" on page 113. Maintenance. Maintenance enables you to back up and restore configuration files f[...]

  • Page 71

    FortiGuard Center. You can update the engine and vulnerability scan modules in one of the following ways: • manually upload update packages to the FortiAnalyzer unit from your management computer • configure the FortiAnalyzer unit to periodicall[...]

  • Page 72

    Figure 36: FortiGuard Center. FortiGuard Subscription Services: The RVS (remote vulnerability scan) engine and module version number, date of last update, and status of the connection to the Fortinet Distribution Network (FDN). A green indicator means [...]

  • Page 73

    Port: Enter the port number of the web proxy. This is usually 8080. Name: If your web proxy requires a login, enter the user name that your FortiAnalyzer unit should use when connecting to the FDN through the web proxy. Password: If your web proxy req[...]

  • Page 74

    Maintenance[...]

  • Página 75

    Device Viewing the device list FortiAnalyzer Ve rsion 3.0 MR7 Admi nistration Guide 05-30007-0082-2008090 8 73 Device The Device menu controls connection a ttempt handling, permissions, disk space quota , and other aspect s of devices connecting to the For tiAnalyzer unit for remote logging, conten t archiving, quarantining, and/o r remote manageme[...]

  • Página 76

    FortiAnalyzer Version 3.0 MR7 Administration Guide 74 05-30007-0082-200809 08 Viewing the device list Device Devices may automatically app ear on the device list when the FortiAnalyzer receives a connection attempt, according to your configuration of Unregistered Device Options, but devices may also automatically appear as a result of importing log[...]

  • Página 77

    Device Viewing the device list FortiAnalyzer Version 3.0 MR7 Administration Guide 05-30007-0082-20080 908 75 • Tx indicates logg ing access for all devices mana ged by the FortiManager system. • Rx indicates that the FortiManager system can remotely administer the FortiAna lyzer unit. For more information about on configuring de vice connection[...]

  • Página 78

    Device: Viewing the device list, page 76. To delete a device: 1 Go to Device > All > Device. 2 In the row corresponding to the device that you want to delete, in the Action column, select Delete. A confirmation dialog appears. The Delete option may not appear if the device i[...]

  • Page 79

    Device: Viewing the device list, page 77. For networks with more demanding logging scenarios, an appropriate device ratio may be less than the allowed maximum. Performance will vary according to your network size, device types, logging thresholds, and many other factors. When ch[...]

  • Page 80

    Device: Configuring unregistered device connection attempt handling, page 78. Configuring unregistered device connection attempt handling: You can configure the FortiAnalyzer unit to accept and handle connection attempts automatically, or to allow connections only from devices [...]

  • Page 81

    Device: Configuring unregistered device connection attempt handling, page 79. Figure 2: Unregistered Device Options. To configure device connection attempt handling: 1 Go to Device > All > Device. 2 Select Unregistered Devices Options. 3 Select from the following options[...]

  • Page 82

    Device: Manually adding a device, page 80. Manually adding a device: You can add devices to the FortiAnalyzer unit’s device list either manually or automatically. If you have configured Unregistered Device Options to automatically register known-type devices, you may only ne[...]

  • Page 83

    Device: Manually adding a device, page 81. Figure 3: Configuring a device. Device Type: Select the device type. The type is automatically pre-selected if you are adding an unregistered device from the device list, or if you are editing an existing device. Other device options vary [...]

  • Page 84

    Device: Manually adding a device, page 82. To manually add a device or HA cluster: 1 Go to Device > All > Device. 2 If the device appears in the device list but is unregistered, from Show, select Unregistered, then in the row corresponding to the device, in the Action column, [...]

  • Page 85

    Device: Manually adding a device, page 83. 13 Select the blue arrow to expand Group Membership. This option does not appear if Device Type is FortiClient. In that case, also skip the following step. 14 From the Available Groups area, select a device group or groups, if any, t[...]

  • Page 86

    Device: Manually adding a device, page 84. To classify network interfaces and VLAN subinterfaces of a FortiGate unit: 1 Go to Device > All > Device. 2 Configure the FortiGate device. For more information, see “Manually adding a device” on page 80. 3 Select the blue ar[...]

  • Page 87

    Device: Manually adding a device, page 85. To enable the FortiAnalyzer unit to reply to FDP packets: 1 On the FortiAnalyzer unit, go to Device > All. 2 Go to System > Network. 3 Select Modify for the network interface that should reply to FDP packets. 4 Enable Fortinet D[...]

  • Page 88

    Device: Blocking device connection attempts, page 86. Test Connectivity does not verify connectivity by Syslog. Syslog is required to send log messages. To verify Syslog connectivity, trigger FortiGate logs, then go to Log&Report > Log Access > Remote. Steps requir[...]

  • Page 89

    Device: Configuring device groups, page 87. To block a device: 1 Go to Device > All > Device. 2 From Show, select Unregistered. If the device is currently registered, you must first delete the device before you can block it. For more information, see “Viewing the devic[...]

  • Page 90

    Device: Configuring device groups, page 88. Figure 5: List of device groups. To configure a device group: 1 Go to Device > Group > Device Group. 2 Select Create New to configure a new device group, or select Edit to reconfigure an existing device group. 3 In Group Name, en[...]

  • Page 91

    Log: Viewing log messages, page 91. Log: FortiAnalyzer units collect logs from network hosts such as FortiGate, FortiMail, FortiClient, FortiManager, and Syslog devices. By using the Log menu, you can view both device and FortiAnalyzer log files and messages, as well as conten[...]

  • Page 92

    Log: Viewing log messages, page 92. Figure 1: Viewing current logs. Viewing historical log messages: The Historical tab in Log > Log Viewer displays logs for a selected device and log type for a specific time range. When viewing log messages, you can filter the information to f[...]

  • Page 93

    Log: Viewing log messages, page 93. Figure 2: Viewing historical logs. Devices: Select the type of device you want to view logs from. If you select All FortiGates, all log messages from all registered FortiGate units appear. Log Types: Select to view a different device’s logs,[...]

  • Page 94

    Log: Browsing log files, page 94. To view historical logs: 1 Go to Log > Log Viewer > Historical. 2 From Devices, select the device whose logs you want to view. Unregistered devices will not appear in the list. To view a device’s logs, you must register the device fi[...]

  • Page 95

    Log: Browsing log files, page 95. Viewing log file contents: The Log Browser tab enables you to view all log messages within local or device log files. If you display the log messages in Formatted view, you can display and arrange columns and/or filter log messages by column co[...]

  • Page 96

    Log: Browsing log files, page 96. Importing a log file: You can import devices’ log files. This can be useful when restoring data or loading log data for temporary use. For example, if you have older log files from a device, you can import these logs onto the FortiAnalyzer unit [...]

  • Page 97

    Log: Browsing log files, page 97. 5 In Filename, enter the path and file name of the log file, or select Browse. 6 Select OK. A message appears, stating that the upload is beginning, but will be cancelled if you leave the page. 7 Select OK. Upload time varies by the size of the fi[...]

  • Page 98

    Log: Customizing the log view, page 98. 5 Select Download Current View. 6 Configure the following: 7 Select OK. 8 If prompted by your web browser, select a location to save the file, or open it without saving. Customizing the log view: Log messages can be displayed in either Raw o[...]

  • Page 99

    Log: Customizing the log view, page 99. Figure 5: Displaying and arranging log columns. To display or hide columns: 1 Go to a page which displays log messages, such as Log > Log Viewer > Real-time. 2 Select Column Settings. Lists of available and displayed columns for the[...]

  • Page 100

    Log: Customizing the log view, page 100. Figure 6: Filter icons. To filter log messages by column contents: 1 In the heading of the column that you want to filter, select the filter icon. 2 Select Enable. 3 If you want to exclude log messages with matching content in this colum[...]

  • Page 101

    Log: Searching the logs, page 101. • 1.1.1.1 or 2.2.2.1-2.2.2.10. Most column filters require that you enter the column’s entire contents to successfully match and filter contents; partial entries do not match the entire contents, and so will not create the intended column fi[...]

  • Page 102

    Log: Searching the logs, page 102. Device/Group: Select to search logs from the FortiAnalyzer unit (LocalLogs), a device, or a device group. Date: Select to search logs from a time frame, or select Specify and define a custom time frame by selecting the From and To date and time[...]

  • Page 103

    Log: Searching the logs, page 103. To search the logs: 1 Go to Log > Search. 2 From Device/Group, select which device or device group’s logs you want to search. 3 From Date, select Any time to search log messages from all time periods, select a predefined time period, or se[...]

  • Page 104

    Log: Searching the logs, page 104. • Some keywords will not match unless you include both the log field name and its value (type=webfilter). • Remove unnecessary keywords and search filters which can exclude results. In More Options, if All Words is selected, for a log messa[...]

  • Page 105

    Log: Rolling and uploading logs, page 105. To download log search results: 1 Go to Log > Search. 2 Perform a search using either basic or advanced search. If your search finds one or more matching log events, a Download Current View button appears next to the Printable Ver[...]

  • Page 106

    Log: Rolling and uploading logs, page 106. Figure 8: Device Log Settings. Log file should not exceed: Enter the maximum size of each device log file. When the log file reaches the specified maximum size, the FortiAnalyzer unit saves the current log file with an incremental numbe[...]

  • Page 107

    Log: Rolling and uploading logs, page 107. Upload rolled files in gzipped format: Select to compress the log files in gzipped format before uploading to the server. Delete files after uploading: Select to remove the log file from the FortiAnalyzer hard disk after the FortiAnalyzer[...]

  • Page 108

    Log: Rolling and uploading logs, page 108. [...]

  • Page 109

    Content Archive: Viewing content archives, page 107. Content Archive: Content archiving provides a method of simultaneously logging and archiving copies of content transmitted over your network, such as email and web pages. FortiGate units can log metadata for common user conte[...]

  • Page 110

    Content Archive: Viewing content archives, page 108. • whether the FortiAnalyzer unit has the copy of the file or message associated with the summary log message (that is, full content archives do not appear if you have deleted the associated copy of the file or message) Fo[...]

  • Page 111

    Content Archive: Customizing the content archive view, page 109. Customizing the content archive view: Log messages can be displayed in either Raw or Formatted view. • Raw view displays log messages exactly as they appear in the log file. • Formatted view displays log messages[...]

  • Page 112

    Content Archive: Customizing the content archive view, page 110. 3 Select which columns to hide or display. • In the Available Fields area, select the names of individual columns you want to display, then select the single right arrow to move them to the Display Fields ar[...]

  • Page 113

    Content Archive: Customizing the content archive view, page 111. 4 Enter the text that matching log messages must contain. Matching log messages will be excluded or included in your view based upon whether you have selected or deselected NOT. 5 Select OK. A column’s filter icon[...]

  • Page 114

    Content Archive: Searching full email content archives, page 112. Searching full email content archives: You can search full email content archives to quickly locate and view messages, such as those whose body contains a specific term. Full email content archive searches create [...]

  • Page 115

    Content Archive: Searching full email content archives, page 113. To: The recipient’s email address. Last activity: The date and time that the FortiAnalyzer unit received the content archive. Subject: The subject line of the email. Select the subject line of the email to view the e[...]

  • Page 116

    Content Archive: Searching full email content archives, page 114. [...]

  • Page 117

    Reports: Configuring reports, page 113. Reports: FortiAnalyzer units can collate information collected from device log files and present the information in tabular and graphical reports, which provide quick analysis of what is occurring on the network. By using reports, you c[...]

  • Page 118

    Reports: Configuring reports, page 114. Configuring report layout: The Layout tab enables you to configure and define multiple report layouts, which can then be applied to report schedules or generated immediately. Figure 1: Report layouts in Reports > Config > Layout. No[...]

  • Page 119

    Reports: Configuring reports, page 115. Figure 2: Layout. There are also default report layouts for you to choose from as well, and they appear in the report layout list with the report layouts you created. The default layouts are: • Bandwidth_Analysis – is an overview of b[...]

  • Page 120

    Reports: Configuring reports, page 116. 4 Select [Add Chart(s)]. 5 Enter the appropriate information for the following: 6 Select OK. If you want to edit charts immediately after configuring them, go to the procedure “To edit a chart” on page 117. 7 Select [Add Section]. [...]

  • Page 121

    Reports: Configuring reports, page 117. Editing charts in a report layout: You can edit charts at any time as well as rearrange the charts from within the Chart List. You can also edit Text and Section as well. The following procedure assumes you have already selected the report[...]

  • Page 122

    Reports: Configuring reports, page 118. To edit a chart: 1 Select Edit beside the chart name. 2 Enter the appropriate information for the following: Chart Output: Select one of the following to display chart information: • Table & Graph – displays both a table and graph[...]

  • Page 123

    Reports: Configuring reports, page 119. 3 Select OK. If you want to rearrange the charts so that they are presented in a different order, select and drag a chart (using your mouse) to above or below another chart. The order is reflected in the generated report. To edit text: 1 S[...]

  • Page 124

    Reports: Configuring reports, page 120. To configure a report schedule: 1 Go to Report > Schedule. 2 Select Create New. 3 Enter the appropriate information for the following: Create New: Select to create a new report schedule and configure the settings. Delete: Select to remov[...]

  • Page 125

    Reports: Configuring reports, page 121. 4 Select OK. Monthly: Select to generate the report on a specific day or days of the month. Enter the days with a comma to separate the days. For example, you want to generate the report on the first day, the 21st day and 30th day: 1, 21, 30 [...]

  • Page 126

    Reports: Configuring reports, page 122. Configuring data filter templates: You can configure multiple data filter templates for reports in Report > Config > Data Filter. These templates can be applied to any report schedule you want. Figure 4: Data filter templates. Data fil[...]

  • Page 127

    Reports: Configuring reports, page 123. Figure 5: Configuring a data filter template. To configure data filters for a report: 1 Go to Report > Config > Data Filter. 2 Select Create New. 3 Enter and/or select the appropriate information for the fields and check boxes for th[...]

  • Page 128

    Reports: Configuring reports, page 124. Alias: Select the appropriate alias from the drop-down list. See Configuring IP alias on page 50 for more information about configuring IP aliases. You can filter on IP ranges or subnets. For example: • 172.20.110.0-255 matches all IP addr[...]

  • Page 129

    Reports: Configuring reports, page 125. 4 Select OK. Configuring report output templates: You can configure the FortiAnalyzer unit to output the report in one or more file formats, save the reports of selected file formats to the FortiAnalyzer hard disk, and email the report to r[...]

  • Page 130

    Reports: Configuring reports, page 126. When configuring the FortiAnalyzer unit to email a report, you must first configure the FortiAnalyzer unit to connect to an email server. For more information, see “Configuring alerts by email server” on page 135. If HTML report[...]

  • Page 131

    Reports: Configuring reports, page 127. Send Report by Mail: Verify this check box is selected. If you do not want to send a report by email, unselect the check box. If the check box is unselected, the available options under Send Report by Mail are hidden. Email Output: If you wan[...]

  • Page 132

    Reports: Configuring reports, page 128. 4 Select OK. Configuring language: When creating a report layout, you can select which language the report will be written in. If your preferred languages require modification, you can create your own report language customization, which th[...]

  • Page 133

    Reports: Configuring reports, page 129. Keys are required and must not be removed or changed. Keys map a string to a location in the report, and are the same in each language file. If you change or remove keys, the FortiAnalyzer unit cannot associate your string with a location in [...]

  • Page 134

    Reports: Configuring reports, page 130. Figure 8: Languages. To create a report language customization: 1 Go to Report > Config > Language. 2 Locate the default language that you want to customize. In that language’s row, select Download Format File and Download Str[...]

  • Page 135

    Reports: Configuring reports, page 131. 6 If you changed the encoding of the string file, open the format file using a plain text editor that supports Unix-style line endings, such as jEdit, and edit the encoding and character set values for each file format. If you have switch[...]

  • Page 136

    Reports: Browsing reports, page 132. To change a report language customization: 1 Go to Report > Config > Language. 2 Locate the customized language whose font, string, or format file you want to change and in that language’s row, select Edit from the Action column. 3 Fo[...]

  • Page 137

    Reports: Browsing reports, page 133. Figure 9: Viewing reports in Report > Browse. Refresh: Select to refresh the list. If the FortiAnalyzer unit is in the process of generating a report, use Refresh to update the status of the report generation. Delete: Select the reports from the[...]

  • Page 138

    Reports: Browsing reports, page 134. [...]

  • Page 139

    Quarantine: Viewing quarantined files, page 131. Quarantine: FortiAnalyzer units can act as a central repository for files that are suspicious or known to be infected by a virus, and have therefore been quarantined by your FortiGate units. This section describes how to view q[...]

  • Page 140

    Quarantine: Viewing quarantined files, page 132. Date & Time: The date and time the FortiGate quarantined the file, in the format yyyy/mm/dd hh:mm:ss. The time and date indicates the time that the first file was quarantined, if duplicate files are quarantined. Service: The s[...]

  • Page 141

    Alert: Alert Events, page 133. Alert: Alerts provide a method of informing you of issues arising on a FortiGate unit, FortiClient installation, or the FortiAnalyzer unit itself, such as system failures or network attacks, enabling you to react in a timely manner to the event. [...]

  • Page 142

    Alert: Alert Events, page 134. Adding an alert event: Adding an alert event enables you to receive notification when certain types of log messages are received. To add a new alert event: 1 Go to Alert > Alert Event. 2 Select Create New. 3 Configure the following options: Ale[...]

  • Page 143

    Alert: Output, page 135. 4 Select OK. Output: When the FortiAnalyzer unit receives a log message meeting the alert event conditions, it sends an alert message as an email, syslog message or SNMP Trap, informing an administrator of the issue and where it is occurring. You can co[...]

  • Page 144

    Alert: Output, page 136. To add a mail server for alerts: 1 Go to Alert > Output > Mail Server. 2 Select Create New. 3 Configure the following options: 4 Select Apply. Testing the mail server configuration: You can send a test email message to verify that alerts can be se[...]

  • Page 145

    Alert: Output, page 137. Figure 3: SNMP Access List. SNMP Agent: Select to enable the SNMP agent. Description: Enter a descriptive name for this FortiAnalyzer unit. Location: Enter the physical location of the FortiAnalyzer unit, such as a city or floor number. Contact: Enter a contac[...]

  • Page 146

    Alert: Output, page 138. Adding an SNMP server: You can add an SNMP server to define a destination IP address that can be selected as the recipient of FortiAnalyzer unit SNMP alerts. Defined SNMP servers are also granted permission to request FortiAnalyzer unit system inform[...]

  • Page 147

    Alert: Output, page 139. Fortinet MIB System Traps: • fnTrapCpuHigh • fnTrapMemLow • fnTrapIpChange. Fortinet MIB Logging Traps: • fnTrapLogFull. Fortinet MIB VPN Traps: • fnTrapVpnTunUp • fnTrapVpnTunDown • fnTrapFlgEventCount. Fortinet MIB System fields: • [...]

  • Page 148

    Alert: Output, page 140. RFC-1213 (MIB II): • mib-2.system • mib-2.interface • mib-2.at • mib-2.ip • mib-2.icmp • mib-2.tcp • mib-2.udp • mib-2.ifMIB. RFC-2665 (Ethernet-like MIB): • .dot3StatsTable • .dot3CollTable • .dot3ControlTable • [...]

  • Page 149

    Alert: Output, page 141. 3 Configure the following options, and select OK. Name: Enter a name for the SNMP server. IP address (or FQDN): Enter the IP address or fully qualified domain name for the SNMP server. Port: Enter the Syslog server port number. The default Syslog port is 51[...]

  • Page 150

    Alert: Output, page 142. [...]

  • Page 151

    Network Analyzer: Connecting the FortiAnalyzer unit to analyze network traffic, page 141. Network Analyzer: Network Analyzer can be used as an enhanced local network traffic sniffer to diagnose areas of the network where firewall policies may require adjustment, or where traff[...]

  • Page 152

    Network Analyzer: Connecting the FortiAnalyzer unit to analyze network traffic, page 142. Figure 1: Example network topology for Network Analyzer use. To connect the FortiAnalyzer unit for use with Network Analyzer: 1 Connect an Ethernet cable to a port on the FortiAnalyzer unit [...]

  • Page 153

    Network Analyzer: Viewing Network Analyzer log messages, page 143. Viewing Network Analyzer log messages: After attaching a FortiAnalyzer unit interface to the network and enabling the Network Analyzer for that interface, traffic information displays. The Network Analyzer’s log[...]

  • Page 154

    Network Analyzer: Viewing Network Analyzer log messages, page 144. Viewing historical Network Analyzer log messages: The Historical tab in Tools > Network Analyzer displays Network Analyzer logs for a specific time range. When viewing log messages, you can filter the infor[...]

  • Page 155

    Network Analyzer: Browsing Network Analyzer log files, page 145. Browsing Network Analyzer log files: The Browse tab in Tools > Network Analyzer enables you to see all stored Network Analyzer log files, view the Network Analyzer logs, download log files to your hard disk or [...]

  • Page 156

    Network Analyzer: Browsing Network Analyzer log files, page 146. Figure 5: Viewing Network Analyzer logs. Type: The type of log you are viewing and the device where it originated. Change: Select to view a different log file. Formatted | Raw: Select a view of the log file. Selectin[...]

  • Page 157

    Network Analyzer: Browsing Network Analyzer log files, page 147. Downloading a Network Analyzer log file: You can download a log file to save it as a backup or for use outside the FortiAnalyzer unit. You can choose to download either the entire file or only log messages selected b[...]

  • Page 158

    Network Analyzer: Customizing the Network Analyzer log view, page 148. Customizing the Network Analyzer log view: Log messages can be displayed in either Raw or Formatted view. • Raw view displays log messages exactly as they appear in the log file. • Formatted view displays l[...]

  • Page 159

    Network Analyzer: Customizing the Network Analyzer log view, page 149. 3 Select which columns to hide or display. • In the Available Fields area, select the names of individual columns you want to display, then select the single right arrow to move them to the Display Fields[...]

  • Page 160

    Network Analyzer: Customizing the Network Analyzer log view, page 150. 3 If you want to exclude log messages with matching content in this column, select NOT. If you want to include log messages with matching content in this column, deselect NOT. 4 Enter the text that matching l[...]

  • Page 161

    Network Analyzer: Searching the Network Analyzer logs, page 151. Searching the Network Analyzer logs: You can search the Network Analyzer log files for matching text using two search types: Quick Search and Full Search. You can use Quick Search to find results more quickly if yo[...]

  • Page 162

    Network Analyzer: Searching the Network Analyzer logs, page 152. To search the logs: 1 Go to Tools > Network Analyzer > Search. 2 From Date, select Any time to search log messages from all time periods, select a predefined time period, or select Specify and then define [...]

  • Page 163

    Network Analyzer: Searching the Network Analyzer logs, page 153. • You can search for IP ranges, including subnets. For example: • 172.168.1.1/24 or 172.168.1.1/255.255.255.0 matches all IP addresses in the subnet 172.168.1.1/255.255.255.0 • 172.168.1.1-140.255 matches al[...]

  • Page 164

    Network Analyzer: Rolling and uploading Network Analyzer logs, page 154. 4 Select the download options that you want, then select OK. 5 If prompted by your web browser, select a location to save the file, or open it without saving. Rolling and uploading Network Analyzer logs: You [...]

  • Page 165

    Network Analyzer: Rolling and uploading Network Analyzer logs, page 155. Figure 9: Traffic Log Settings. Enable Network Analyzer on: Select the port on which Network Analyzer observes traffic. If you disable this option and log out, Network Analyzer will be hidden in the web-base[...]

  • Page 166

    Network Analyzer: Rolling and uploading Network Analyzer logs, page 156. Enable log uploading: Select to upload log files to a server when a log file rolls. Server type: Select the protocol to use when uploading to the server: • File Transfer Protocol (FTP) • Secure File Tran[...]

  • Page 167

    To o l s Preparing for the vulnerability scan job FortiAnalyzer Ve rsion 3.0 MR7 Admi nistration Guide 05-30007-0082-2008090 8 157 To o l s The T ools menu provides vulnerability scann ing as well as viewing the files that are on your FortiAnalyzer un it. These tools help administr ators either when issues appear or when trying to determine if ther[...]

  • Page 168

    authenticating without root or administrator credentials are typically not able to view sensitive areas of the system software or configuration; scans involving those parts cannot be accurately assessed without admin[...]

  • Page 169

    Some vulnerability scan modules, such as those that test file permissions or check installed patch and software versions, require full access to the target host. Vulnerability scan modules for Microsoft Windows hosts[...]

  • Page 170

    Figure 1: Configuring the security model for local accounts authenticating remotely 4 Select Local Computer Policy. 5 Select Computer Configuration. 6 Select Windows Settings. 7 Select Security Settings. 8 Select Local[...]

  • Page 171

    9 Select OK. 10 Select OK. 11 Select Close. 12 After the vulnerability scan job completes, revert the NetBIOS settings configured in this procedure. Preparing Unix target hosts Vulnerability scan modules targeting Unix vari[...]

  • Page 172

    When configuring a full vulnerability scan, you can restrict the scan job to use only those modules for vulnerabilities that meet or exceed your specified severity threshold. For more information, see “Configuring vul[...]

  • Page 173

    To filter the module view by vulnerability threshold 1 Go to Tools > Vulnerability Scan > Module. 2 From View modules with severity, select the subset: • == : equal to • >= : greater than or equal to • &l[...]

  • Page 174

    Configuring a custom scan allows you to provide the user name and password of an administrator or root account for modules that require full access, and to specify the severity threshold of vulnerabilities for which you wan[...]

  • Page 175

    To configure a vulnerability scan job 1 Go to Tools > Vulnerability Scan > Job. 2 Select Create New. 3 Complete the following: 4 Select the blue arrow to expand Scan Option. 5 Complete the following: Job Name Enter[...]

  • Page 176

    6 Select the blue arrow to expand Schedule Option. 7 From Schedule, select either Run Now or Run Later. If you select Run Later, also select the Date or Time when the FortiAnalyzer unit will run the scan. For example, you [...]

  • Page 177

    10 Select OK. Viewing vulnerability scan reports The Report tab in Tools > Vulnerability Scan displays a list of the finished vulnerability scan reports. Vulnerability scan reports reflect the results of the vulnerabi[...]

  • Page 178

    To view a vulnerability scan report 1 Go to Tools > Vulnerability Scan > Report. 2 To view the report in HTML format, in the Job Name column, select the name of the report. 3 To view the report in PDF or MSWord (RTF) format, in the[...]

  • Page 179

    Figure 5: File Explorer Figure 6: File Explorer with Storage directory expanded[...]

  • Page 180

    [...]

  • Page 181

    Managing firmware versions Before upgrading to FortiAnalyzer 3.0, it is recommended to review this chapter so you can be fully aware of the procedures and issues when upgrading to FortiAnalyzer 3.0. This chap[...]

  • Page 182

    Backing up your configuration using the web-based manager The following procedures describe how to back up your current configuration using the web-based manager. To back up your configuration file in FortiLo[...]

  • Page 183

    5 Select OK. 6 Select a location when prompted by your web browser to save the file. To back up log files using the CLI Enter the following to back up all log files: execute backup logs all {ftp | sftp | scp| [...]

  • Page 184

    Testing firmware before upgrading You may want to test the firmware you want to install before upgrading to a new firmware version, maintenance or patch release. By testing the firmware image, you can f[...]

  • Page 185

    8 Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]: 9 Type the address of the TFTP server and press Enter. The fol[...]

  • Page 186

    Upgrading your FortiAnalyzer unit After backing up your current configuration, you can now upgrade the firmware on your FortiAnalyzer unit. The following procedures are used every time you are upgrading the f[...]

  • Page 187

    To upgrade to FortiAnalyzer 3.0 using the web-based manager 1 Copy the firmware image file to your management computer. 2 Log into the web-based manager as the administrative user. 3 Go to System > D[...]

  • Page 188

    This operation will replace the current firmware version! Do you want to continue? (y/n) 6 Type y. The FortiAnalyzer unit uploads the firmware image file, upgrades to the new firmware version, and restarts[...]

  • Page 189

    Reverting to a previous firmware version You may need to revert to a previous firmware version if the upgrade did not install successfully. The following sections will help you to back up your current [...]

  • Page 190

    Verifying the downgrade After successfully downgrading to FortiLog 1.6, verify your connections and settings. If you are unable to connect to the web-based manager, make sure your administration acces[...]

  • Page 191

    8 Reconnect to the CLI. 9 Enter the following command to confirm the firmware image installed successfully: get system status See “Restoring your configuration” on page 180 to restore your FortiLog [...]

  • Page 192

    Restoring your configuration Your configuration settings may not carry forward after downgrading to FortiLog 1.6. You can restore your configuration settings for FortiLog 1.6 with the configuration file(s) you[...]

  • Page 193

    6 When this message appears: Press any key to display configuration menu... immediately press a key to interrupt the system startup. If you successfully interrupt the startup process, the following messages app[...]

  • Page 194

    Restoring your configuration settings using the web-based manager The following restores your FortiLog 1.6 configuration settings using the web-based manager. To restore configuration settings using the web-ba[...]

  • Page 195

    6 Type y. The FortiAnalyzer unit uploads the backup configuration file. After the file uploads, a message, similar to the following, is displayed: Getting file confall from tftp server 192.168.1.168 ## Restor[...]

  • Page 196

    [...]

  • Page 197

    Appendix: FortiAnalyzer reports in 3.0 MR7 Reports have changed dramatically in FortiAnalyzer 3.0 MR7, from how you configure them to the default naming scheme given when generated. Fortinet recommends r[...]

  • Page 198

    Intrusion Activity The following table explains what Intrusion Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. The FortiAnalyzer 3.0 MR6 report, Top Attack Sources, d[...]

  • Page 199

    Top Infected Files by Date → Top Infected Files; Top Infected Files by Month → Top Infected Files; Top Infected Files by Day of Week → Top Infected Files; Top Infected Files by Hour of Day → Top Infected Files; T[...]

  • Page 200

    Top Virus Destinations over IMAP by Date → Top Virus Destinations over IMAP; Top Virus Destinations over IMAP by Month → Top Virus Destinations over IMAP; Top Infected File Extensions over POP3 by Month → Top[...]

  • Page 201

    The following reports were removed: • Top Virus Agents by Virus Name • Top Virus Receivers over HTTP The following reports are unchanged: • Top Viruses • Top Infected Files Webfilter Activity [...]

  • Page 202

    Antispam Activity The following table explains what Antispam Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. Web Hits for each Status by Day of Week → Total Hits per S[...]

  • Page 203

    The following reports are unchanged: • Top Spam Sources • Top Spam Destinations The following reports were removed: • Top Spammers Senders by Date • Top Spammers by Month • Top Spammer[...]

  • Page 204

    VoIP reports The following table contains the new VoIP reports that are available in FortiAnalyzer 3.0 MR7. Top Blocked Remote IM Users by Month → Top Blocked Remote IM Users; Top Local IM Users by Date → T[...]

  • Page 205

    Content Activity The following table explains what Content Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. Top Blocked SCCP Callers by Day of Week → Top Blocked SCCP Ca[...]

  • Page 206

    Network Activity The following table explains what Network Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. Table 16: Content Activity reports (MR6 reports → MR7 reports): Un[...]

  • Page 207

    The following reports are unchanged: • Traffic Volume by Direction • Top Denied Policies • Top Denied Services • Top Denied Sources • Top Denied Destinations Web Activity The following table [...]

  • Page 208

    The following reports were removed: • Top Web Pages (Hits) • Top Web Pages (Traffic) • Top Web Clients (Browse Time) • Top Web Users (Browse Time) Mail Activity The following table explains wh[...]

  • Page 209

    Terminal Activity The following table explains what Terminal Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. VPN Activity The following table explains what VPN Activi[...]

  • Page 210

    Event Activity The following table explains what Event Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. Table 22: VPN Activity reports (MR6 reports → MR7 reports): VPN Tra[...]

  • Page 211

    The report, Top Event Categories by Status, was removed. P2P Activity The following table explains what P2P Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. Top Error [...]

  • Page 212

    Audit Activity The following reports for Audit Activity are unchanged but were moved to a new category in FortiAnalyzer 3.0 MR7. • System Administration Summary – is now in the Event Activity category •[...]

  • Page 213

    Summary Reports The following table explains what Summary reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7, including the category, if applicable, of where the re-named FortiAnal[...]

  • Page 214

    • Top Spam Destinations is now found in AntiSpam Activity • Top Spam Sources is now found in the AntiSpam Activity Forensic Reports The following forensic reports explain what was changed for FortiA[...]

  • Page 215

    Summary The following table explains what Summary Forensic reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7, including the category, if applicable, of where the re-named FortiAn[...]

  • Page 216

    Top Client IP by Hour of Day → Top Client IP; Top Client IP by Day of Week → Top Client IP; Top Client IP by Day of Month → Top Client IP; Top Client IP by Week of Year → Top Client IP; Top Client IP by M[...]

  • Page 217

    Mail Sender The following table explains what Mail Sender reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. Virus by Month → Top Virus; System User by Date → System User; System User by[...]

  • Page 218

    Mail Recipient Activity The following table explains what Mail Recipient Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. Mail Destination IP The following table expla[...]

  • Page 219

    Spam Sender The following table explains what Spam Sender reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. Table 32: Mail Destination IP reports (MR6 reports → MR7 reports): Top M[...]

  • Page 220

    Spam Recipient The following table explains what Spam Recipient reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. Top Local Spam Sender by Month → Top Local Spam Sender; Top[...]

  • Page 221

    Spam Destination IP The following table explains what Spam Destination IP reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. Virus Sender The following table explains what Virus [...]

  • Page 222

    Table 36: Virus Sender reports (MR6 reports → MR7 reports): Top Virus Sender by Date → Top Virus Sender; Top Virus Sender by Hour of Day → Top Virus Sender; Top Virus Sender by Day of Week → Top Virus Sender; T[...]

  • Page 223

    Virus Recipient The following table explains what Virus Recipient reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. Top Remote Virus Sender by Week of Year → Top Remote Virus Se[...]

  • Page 224

    Virus Destination IP The following table explains what Virus Destination IP reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. FortiClient Reports The following FortiClient repor[...]

  • Page 225

    Index A access administrative ports 46 profile, administrator 48, 50 access privileges 19 accounts administrator 48 share users 53 Active Directory. See LDAP ActiveX. See web filtering adding tabs 27 admin access 46 authentication 51 disconnect 52 idle timeout [...]

  • Page 226

    deleting tabs 27 denial of service (DoS) 158 device add 80 alerts 133 blocked 77, 79, 86 group 88 HA See also high availability (HA) 76, 82 license 31, 76 maximum allowed 76 permissions 73, 74, 82, 83 registration and reports 79, 91, 114, 131 unregistered 77, 79,[...]

  • Page 227

    Fortinet MIB 138 Fortinet Technical Support 11, 138 FTP content archive 107 upload to 105, 155 G gateway 47 gid 54 Global Configuration 20 group device 83, 88 share users 54 group ID (gid) 161 Group Policy Object Editor 159 gzip 96, 97, 104, 105, 147, 153, 155[...]

  • Page 228

    M mail server 135 Main Menu 20 managing firmware backing up configuration using the CLI 170 backing up configuration using web-based manager 170 backing up log files 170 downgrading to FortiLog 1.6 177 downgrading to FortiLog 1.6 using the CLI 178 patch release[...]

  • Page 229

    SFTP 105, 155 SNMP 73 SOAP 46 SSH 46, 58, 160 telnet 46 TFTP 180 UDP 47, 85 VoIP 107 PSK 75 See also IPSec VPN tunnel Q quarantine 131 duplicate count 132 from device 73 ticket number 131 quota. See disk space R RADIUS 49, 51 RAID 62, 64 hot swap 64 status 32 raid[...]

  • Page 230

    sniffer 141, 144 See also network analyzer SNMP 73 manager 138 MIB 138 server, test 137 traps 136 SOAP 46 span port 141 SSH 46, 160 See also protocol stop logging 82 string file 126 striping 63 See also RAID subject 165 subnet 47, 85, 102, 152 subscription service[...]

  • Page 231

    registered device’s hard limits 15 report configuration enhancements 16 voip reports 17 Windows AD. See LDAP Windows shares 53, 54 X XML. See WEBSERVICES[...]

  • Page 232

    [...]

  • Page 233

    www.fortinet.com[...]

  • Page 234

    www.fortinet.com[...]