FortiAnalyzer Lab Guide Online

DO NOT REPRINT
 Virtual Lab Basics
© FORTINET
FortiAnalyzer 5.4.2
Lab Guide
for FortiAnalyzer 5.4.2
DO NOT REPRINT
© FORTINET
FortiAnalyzer Lab Guide
for FortiAnalyzer 5.4.2
Last Updated: 20 April 2017
® ® ®
Fortinet , FortiGate , and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
© 2002 - 2017 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
DO NOT REPRINT
© FORTINET
Table of Contents
VIRTUAL LAB BASICS ...................................................................................6
Network Topology ...................................................................................................................6
Lab Environment .....................................................................................................................6
System Checker ......................................................................................................................7
Logging In ...............................................................................................................................8
Disconnections/Timeouts ........................................................................................................11
Transferring Files to the VM....................................................................................................11
Screen Resolution ...................................................................................................................11
International Keyboards ..........................................................................................................12
Student Tools: View Broadcast and Raise Hand....................................................................12
Troubleshooting Tips ..............................................................................................................13
LAB 1—INITIAL CONFIGURATION .................................................................15
Objectives ...............................................................................................................................15
Time to Complete ....................................................................................................................15
Prerequisites ...........................................................................................................................15
1 Examining the Network Settings ..........................................................................................18
LAB 2—ADMINISTRATION AND MANAGEMENT ..............................................24
Objectives ...............................................................................................................................24
Time to Complete ....................................................................................................................24
1 Configuring Administrative Domains....................................................................................25
Viewing ADOM Information.....................................................................................................26

DO NOT REPRINT
© FORTINET
Creating Custom ADOMs .......................................................................................................27
2 Configuring an External Server to Validate Administrators .................................................30
Configure an LDAP Server on FortiAnalyzer ..........................................................................30
Create a Wildcard LDAP Administrator ..................................................................................32
Testing External Administrator Access ...................................................................................33
Viewing the Event Logs ..........................................................................................................36
LAB 3—DEVICE REGISTRATION AND COMMUNICATION .................................37
Objectives ...............................................................................................................................37
Time to Complete ....................................................................................................................37
Prerequisites ...........................................................................................................................37
1 Registering Devices on FortiAnalyzer..................................................................................40
Registering a Device through the Device Registration Wizard ..............................................40
Accepting a Device Registration Request ..............................................................................42
2 Troubleshooting Device Communication .............................................................................45
Verifying Device Registration ..................................................................................................45
Verifying Device Communication ............................................................................................45
Troubleshooting Device Communication ................................................................................47
Resolving Down Connection ...................................................................................................49
LAB 4—LOGS .............................................................................................52
Objectives ...............................................................................................................................52
Time to Complete ....................................................................................................................52
1 Gathering Benchmark Diagnostics ......................................................................................53
Viewing System Resource Information ...................................................................................53
Gathering Data Policy and Disk Utilization Information ..........................................................54
2 Enabling Event Handlers .....................................................................................................56

DO NOT REPRINT
© FORTINET
3 Generating Traffic ................................................................................................................58
Generating Traffic with FIT .....................................................................................................58
Generating Traffic Through Nikto ...........................................................................................59
4 Examining Logs and Notifications........................................................................................61
Log View..................................................................................................................................61
Using Log Filters ..........................................................................................................................................64
FortiView .................................................................................................................................65
Viewing Event Notifications.....................................................................................................67
5 Viewing Log Statistics and Used Storage Space ................................................................71
Viewing the Raw Log Receiving Rate.....................................................................................71
Viewing the Insert Rate vs. Receive Rate ..............................................................................72
Viewing Used Storage Statistics .............................................................................................73
6 Modifying Disk Quotas .........................................................................................................75
Comparing Storage Space between ADOMs .........................................................................75
Modifying Disk Quota ..............................................................................................................75
7 Moving Device with Logs Between ADOMs ........................................................................77
Gathering Log and ADOM Information ...................................................................................77
Moving a Device to a Different ADOM ....................................................................................78
Rebuild ADOM Database to Migrate Device Logs .................................................................79
LAB 5—REPORTS .......................................................................................82
Objectives ...............................................................................................................................82
Time to Complete ....................................................................................................................82
1 Running a Default Report ....................................................................................................83
2 Building a Chart Based on Log Search ...............................................................................86

DO NOT REPRINT
© FORTINET
Virtual Lab Basics

In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to
the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.
Note: If your trainer asks you to use a different lab, such as devices physically located in
your classroom, please ignore this section. This applies only to the virtual lab accessed
through the Internet. If you do not know which lab to use, please ask your trainer.
Network Topology
Lab Environment
Fortinet's virtual lab for hands-on exercises is hosted on remote datacenters that allow each student to
have their own training lab environment or PoD - point of deliveries.
FortiAnalyzer Lab Guide 6

DO NOT REPRINT
© FORTINET
System Checker
Before starting any class, check if your computer can successfully connect to the remote datacenters.
The System Checker fully verifies if your network connection and your web browser are reliable to
connect to the virtual lab.
You do not have to be logged into the lab portal in order to perform the System Checker.
To run the System Checker

1. Click the URL for your location:
Region System Checker
AMER - North and South https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM-

America West
EMEA - Europe, Middle https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe

East and Africa
APAC - Asia and Pacific https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC
If your computer successfully connects to the virtual lab, the Browser Check and Network
Connection Check each display a check mark icon. You can then proceed to log in.
If any of the tests fail:
 Browser Check: This affects your ability to access the virtual lab environment.
 Network Connection Check: This affects the usability of the virtual lab environment.
For solutions, click the Support Knowledge Base link or ask your trainer.

DO NOT REPRINT
© FORTINET
Logging In
Once you confirm your system can successfully run the labs through System Checker, you can
proceed to log in.
To log in to the remote lab

1. With the user name and password provided by your trainer, you can either:
 Log in from the Login access at the bottom of the System Checker's result.
 Log into the URL for the virtual lab provided by your trainer:
https://remotelabs.training.fortinet.com/

DO NOT REPRINT
© FORTINET
 https://virtual.mclabs.com/
2. If prompted, select the time zone for your location, and then click Update.
This ensures that your class schedule is accurate.
3. Click Enter Lab.
Your system dashboard will appear, listing the virtual machines in accordance with your lab
topology.
4. From this page, open a connection to any virtual appliance by doing one of the following:
 Clicking the device’s square (thumbnail)

DO NOT REPRINT
© FORTINET
 Selecting Open from the System drop-down list associated to the VM you want to access.
Note: Follow the same procedure to access any of your virtual devices.
A new web browser tab opens, granting you access to the virtual device. When you open a
VM, your browser uses HTML5 to connect to it.
Depending on the virtual machine you select, the web browser provides access to either a text-
based CLI or the GUI.

DO NOT REPRINT
© FORTINET
Connections to the Local-Windows VM use a Remote Desktop-like GUI. The web-based connection
should automatically log in and then display the Windows desktop.
For most lab exercises, you will connect to this Local-Windows VM.
Disconnections/Timeouts
If your computer’s connection with the virtual machine times out, or if you are accidentally
disconnected, to regain access, return to the initial window/tab that contains your session’s list of VMs
and open the VM again.
If that does not succeed, see the Troubleshooting Tips section of this guide.
Transferring Files to the VM

If you store files in a cloud service such as Dropbox or SugarSync, you can use the web browser to
download them to your Local-Windows VM.
From there, if required, you can use a web browser to upload them to Fortinet VMs' GUI.
When connecting to a VM, your browser should then open a display in a new applet window.
Screen Resolution
Some Fortinet devices' user interfaces require a minimum screen size.
In the HTML 5 client, to configure screen resolution, open the System menu.

DO NOT REPRINT
© FORTINET
International Keyboards
If characters in your language don’t display correctly, keyboard mappings may not be correct.
To solve this, open the Keyboard menu at the top of the tab of any GUI-based VM, and choose to
display an on-screen keyboard.
Student Tools: View Broadcast and Raise Hand

Your instructor is able to broadcast his lab systems in order to allow students to see any on-going task
in real-time. When an instructor begins a broadcast, you will receive an alert at the top of all open lab
pages.
To accept and view the broadcast, you may either click on the notification message or click View
Broadcast on the left side panel.
If you have any question or issue, use the Raise Hand tool, your instructor will be notified and will
assist you.

DO NOT REPRINT
© FORTINET
Troubleshooting Tips
 Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-
bandwidth or high-latency connections.
 For best performance, use a stable broadband connection such as a LAN.
 Prepare your computer's settings by disabling screen savers and changing the power saving
scheme, so that your computer is always on, and does not go to sleep or hibernate.
 If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal),
please attempt to reconnect. If unable to reconnect, please notify the instructor.
 If you can't connect to a VM, on the VM's icon, you can force the VM to start up and by clicking
System > Power Cycle. This fixes most problems. If that does not solve the problem, revert the
VM to its initial state by System > Revert to Initial State.
Note: Reverting to the VM's initial snapshot will undo all of your work. Try other solutions
first.

DO NOT REPRINT
© FORTINET
 If during the labs, particularly when reloading configuration files, you see a license message
similar to the below exhibit, the VM is waiting for a response to the authentication server.
To retry immediately, go to the console and enter the CLI command:
exec update-now

DO NOT REPRINT
 LAB 1—Initial Configuration
© FORTINET
LAB 1—Initial Configuration

In this lab, you will examine the network settings of the FortiAnalyzer from the CLI and GUI.
Objectives
 Examine the network settings
Time to Complete
Estimated: 20 minutes
Prerequisites
Before beginning this lab, you must update the firmware and initial configurations on Remote-
FortiGate and Local-FortiGate.
This lab environment is also used for FortiGate 5.4.1 training and initializes in a different state than is
required for FortiAnalyzer 5.4.2 training.
To update the FortiGate firmware on both FortiGates

1. From the Local-Windows VM, open a browser and log in as admin (blank password) to the
Remote-FortiGate GUI at 10.200.3.1.
2. Go to Dashboard, and from the System Information widget click Update.

DO NOT REPRINT
© FORTINET
3. Click Upload Firmware.
4. Browse to Desktop > Resources > FortiAnalyzer > FGT-firmware and select FGT_VM64-v5-
build1100-FORTINET.out.
5. Click Upgrade.
The system reboots.

6. Open another browser tab and log in as admin (blank password) to the Local-FortiGate GUI at
10.0.1.254.
7. Repeat the procedure to update the firmware for Local-FortiGate.
To restore the FortiGate configuration file on both FortiGates

1. Return to the Remote-FortiGate GUI at 10.200.3.1 and log back in.
2. Go to Dashboard, and from the System Information widget click Restore.

DO NOT REPRINT
© FORTINET
3. Select to restore from Local PC and click Upload.

4. Browse to Desktop > Resources > FortiAnalyzer > LAB1 and select Remote-FortiGate-
5.4.2-initial.conf.
5. Click OK.
6. Click OK.
The system reboots.
7. Return to the Local-FortiGate GUI at 10.0.1.254 and log back in.
8. Repeat the same procedure to restore the system configuration for Local-FortiGate, but select
Local-FortiGate-5.4.2-initial.conf from the LAB1 folder.
9. Once rebooted, close both browser tabs.

DO NOT REPRINT
 LAB 1—Initial Configuration 1 Examining the Network Settings
© FORTINET
1 Examining the Network Settings

In this exercise, you will examine the initial configuration of the FortiAnalyzer from the CLI and GUI.
To examine the network settings through the CLI

1. In Local-Windows, open PuTTY and connect to the FORTIANALYZER saved session (connect
over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following command to display basic status information about FortiAnalyzer:
CLI Command Data Result
# get system status What is the firmware version?

Knowing your FortiAnalyzer firmware
version is important, as it determines
what Fortinet products--and their
firmware versions--are supported.
What is the Administrative Domain

configuration?
By default, Administrative Domains
(ADOMs) are disabled.
What is the time zone?

For proper log correlation, it is
important that your system time on
FortiAnalyzer and all registered
devices are synced.
What is the license status

To ensure FortiAnalyzer continues to
collect and store logs, a valid license
is required.
4. Enter the following command to display information about the FortiAnalyzer interface
configuration:
CLI Command Diagnostic Result
# show system interface What is the IP for port1?

Port 1 is the management port
and is the IP of FortiAnalyzer.

DO NOT REPRINT
© FORTINET
What administrative access

protocols are configured for
port1?
This will help troubleshoot any
access issues you may
experience. For example, this
PuTTY session would not be
able to connect without the
SSH protocol enabled.
What is the IP for port3

According to the Network
Topology diagram, port3 is how
traffic is routed between
Remote-FortiGate and
FortiAnalyzer. Remote-
FortiGate, therefore, will
connect to FortiAnalyzer with
this port3 IP.
What administrative access

protocols are configured for
port3?
5. Enter the following command to display DNS setting information:
# show system dns What are the primary and secondary dns
settings?
Several FortiAnalyzer functions use
DNS, such as sending alert email and
resolving hostnames in the logs. By
default, FortiAnalyzer uses FortiGuard
DNS servers
6. Enter the following commands to display NTP setting information:
# get system ntp Is NTP enabled?

NTP is recommended on FortiAnalyzer
and all registered devices for proper
log correlation.
How often does FortiAnalyzer

synchronize its time with the NTP
server?

DO NOT REPRINT
© FORTINET
# show system ntp What server is configured for NTP?

By default, Fortinet servers are
configured.
7. Enter the following command to display information about the FortiAnalyzer routing configuration:
# show system route What is the gateway route associated

with port3?
According to the Network Topology
diagram, this IP is the default route to
go out to the Internet.
8. To test basic network connectivity, and to ensure the default route out to the Internet is working,
enter the following command to ping IP 4.2.2.2 (public IP that is highly available):
execute ping 4.2.2.2

Packets should transmit successfully.
9. Close your PuTTY session.
To examine the network settings through the GUI

1. On the Local-Windows VM, open a browser and log in as admin (blank password) to the
FortiAnalyzer GUI at 10.0.1.210.
2. Click System Settings from the main tiles.

DO NOT REPRINT
© FORTINET
The dashboard appears.

3. Examine the System Information and License Information widgets to display the below
information.
This displays the same information available from the CLI command get system status.
 Firmware version
 Administrative Domain status
 System time and time zone
 License status (VM)
4. From the System Information widget, edit the System Time to view the NTP information.
This displays the same information available from the CLI commands get system ntp and
show system ntp.
5. From the left menu, click Network.

This page displays information about the port1 management interface, including the IP
address, administrative access protocols, and DNS information. This displays the same
information available from the CLI commands show system interface and show system
dns.

DO NOT REPRINT
© FORTINET
6. Click All Interfaces to view other configured interfaces.

According to the CLI command show system interface, you should see that port3 is also
configured.
7. From the left menu, click Network, and from the main window, click Routing Table.
This page displays the network gateway and associated interface. This displays the same
information available from the CLI command show system route.
To examine the Local-FortiGate system time

1. Open a second browser tab, and log in as admin (blank password) to the Local-FortiGate GUI at
10.0.1.254.
2. From the System Information widget, locate System Time and click Change to view more
details about the system time.
Does Local-FortiGate have the same system time settings as FortiAnalyzer?

This is important to ensure log correlation between Local-FortiGate and FortiAnalyzer
Setting FortiAnalyzer Local-FortiGate
Time Zone (GMT-8:00) Pacific Time (US &

Canada)

DO NOT REPRINT
© FORTINET
Synchronize with NTP Yes

server?
NTP server ntp1.fortinet.net

(ie. FortiGuard)
3. Close the browser.
You have completed Lab 1.

DO NOT REPRINT
 LAB 2—Administration and Management
© FORTINET
LAB 2—Administration and Management

In this lab, you will configure FortiAnalyzer for Administrative Domains (ADOMs) as well as configure
an external server to validate non-local (external) administrators.
You will configure the external administrator to have access to a specific ADOM only.
Objectives
 Configure Administrative Domains (ADOMs)
 Configure an external server to validate administrators
Time to Complete

DO NOT REPRINT
 LAB 2—Administration and Management 1 Configuring Administrative Domains
© FORTINET
1 Configuring Administrative Domains

In this exercise, you will enable Administrative Domains (ADOMs), view default ADOM information,
and create two custom ADOMs.
One use case for employing ADOMs is to restrict other administrator's access privileges to a subset of
devices in the device list.
To enable ADOMs
2. Click System Settings.
3. On the dashboard, in the System Information widget, turn on the Administrative Domain
switch.
4. Click OK to confirm.
You are automatically logged out of the GUI.
5. Log back into the FortiAnalyzer GUI as admin.
Since ADOMs are now enabled, you must select an ADOM to log into. The ADOMs with which
you are presented are based on your administrator permissions.
6. Select the root ADOM.

7. Continue to the next procedure.

DO NOT REPRINT
© FORTINET
Viewing ADOM Information

Before creating new ADOMs, you should be aware of what ADOM types are available to you. You will
view ADOM information through both the GUI and CLI.
To view ADOM information

1. Once logged into the root ADOM on FortiAnalyzer, click System Settings.
2. From the left menu, click All ADOMs.
Note that this page is only available when ADOMs are enabled. This page lists all available
ADOMs and lists any devices added to those ADOMs.
3. Still working from the Local-Windows VM, open PuTTY and connect to the FORTIANALYZER
saved session (connect over SSH).
4. Log in as admin and execute the following command to view what ADOMs are currently enabled
on FortiAnalyzer and the type of device you can register to each ADOM:
Note: The CLI output formatting is easier to read if you maximize your PuTTY window. If
you've already executed the command, once the window is maximized, press the up arrow
to show the last command you entered and click Enter to re-run.
# diagnose dvm adom list

DO NOT REPRINT
© FORTINET
As you can see, there are 13 ADOMs that FortiAnalyzer supports, each associated with different
devices.
5. Close your PuTTY session.
Creating Custom ADOMs

Now that ADOMs are enabled on FortiAnalyzer, you can create your own custom ADOMs. In this
exercise, you will create two FortiGate 5.4 ADOMs (in Lab 3, you will add FortiGate devices to these
ADOMs).
Note: You do not have to create ADOMs prior to registering devices to FortiAnalyzer--you
can register devices to the default ADOMs first and then move those devices into custom
ADOMs later.
The benefit of creating custom ADOMs prior to device registration is that log collection for the device
you add to the ADOM is stored to the ADOM from the outset. If log collection begins in one ADOM,
and then you move the device to a different ADOM, the analytics (indexed) logs are not automatically
moved along with the device. We will explore this topic in Lab 4.
To create custom ADOMs for FortiGate devices

1. Still in the FortiAnalyzer GUI, click All ADOMs.
2. Click Create New to create a custom ADOM.
3. From the Create New ADOM window, complete the following:
Field Value
Name ADOM1
Type FortiGate
5.4

DO NOT REPRINT
© FORTINET
4. Click Select Device.

If you had any devices registered to FortiAnalyzer, you could select your device and add it to the
ADOM at this time. However, in this lab, you have not yet registered any devices, so the list is
empty.
5. Leave the default disk quotas, and click OK.

ADOM1, the FortiGate 5.4 ADOM you just created, now appears in the ADOMs list. No registered
devices are yet associated with ADOM1.
6. Repeat the procedure, but this time create a FortiGate 5.4 ADOM called ADOM2.
Your ADOMs should now appear as follows:

DO NOT REPRINT
© FORTINET
You will add FortiGate devices to these ADOMs in Lab 3.
Note: By default, FortiAnalyzer includes a root ADOM. Only FortiGate devices can register
to the root ADOM. As such, if you do not create custom ADOMs before device registration,
any FortiGate devices you register will automatically register to root.
Tip: You can switch between ADOMs within the GUI--you do not have to log out and log
back in. To switch within the GUI, click ADOM in the top right of the GUI. Your
administrator privileges determine which ADOMs you have access.

DO NOT REPRINT
 LAB 2—Administration and Management 2 Configuring an External Server to Validate
© FORTINET Administrators
2 Configuring an External Server to Validate

Administrators
In this exercise, you will configure an external LDAP server on FortiAnalyzer to validate administrator
logins. You will also create a new administrator account and permit LDAP group access by enabling
the wildcard administrator account feature. You will also configure the wildcard administrator account
for access to a specific ADOM only.
Most companies, especially mid- to -large sized, have employees located in a central database, with
employees as "members" of specific groups. As such, instead of managing employees designated as
FortiAnalyzer administrators locally on FortiAnalyzer across multiple administrator accounts (as well
managing these employees in the organization's central database), you can configure one wildcard
administrator account on FortiAnalyzer to point to an LDAP group of which those FortiAnalyzer
administrators are members. This allows you to have centralized control over your administrators.
Note: Your Local Windows VM is already configured with Active Directory and directory
users, as this is out of scope for FortiAnalyzer training.
Once complete, you will test your ability to access FortiAnalyzer and then check the Event logs for
details.
Configure an LDAP Server on FortiAnalyzer

In this step, you will configure FortiAnalyzer to point to a preconfigured LDAP server.
To configure an LDAP server on FortiAnalyzer

2. Click root.

DO NOT REPRINT

4. From the left menu, click Admin > Remote Auth Server.
5. Click Create New and select LDAP Server from the dialog box that appears.
6. Complete the following:
Note: For simplicity, the Distinguished Name and User DN as noted below can be copied
from the ADserver-info.txt file in Desktop > Resources > FortiAnalyzer > LAB2
and pasted directly into the fields.
Field Value
Name ADserver
Server Name/IP 10.0.1.10

This is the IP address of the Windows Server (Local-
Windows), where Active Directory is configured. For more
information, see Network Topology.
Distinguished Name ou=training,dc=trainingAD,dc=training,dc=lab

This is the domain name for Active Directory on Local-
Windows. Active Directory has already been pre-configured,
with all users located in the Training organizational unit (ou).
Bind Type Regular
User DN cn=FAZadmin,ou=Training,dc=trainingAD,dc=training,dc=lab
FAZadmin is the LDAP bind account. FortiAnalyzer uses these
account credentials to authenticate to the LDAP server.
Password Training!

DO NOT REPRINT
Administrative Domain All ADOMs

While this ensures that the LDAP server can provide
administrator's access to all ADOMs, it is ultimately the LDAP
administrator account that determines which ADOMs are
accessible.
7. Click the icon ( ) at the end of the Distinguished Name field to query the distinguished name
and test your LDAP connection.
If this connection is successful, you will see the DN in the dialog box. If you do not see the DN,
verify you have entered the correct LDAP server information as outlined in the previous step.
8. Click Close to close the LDAP Browser dialog box.

9. Click OK to accept your configuration.
Your remote LDAP authentication server is added to FortiAnalyzer.
Create a Wildcard LDAP Administrator

Create a new administrator account and permit LDAP group access by enabling the wildcard
administrator account feature.
To create a wildcard LDAP administrator

1. Still in the FortiAnalyzer GUI, go to Admin > Administrators.
2. Click Create New.
Field Value
User Name remote-admins
Admin Type LDAP
LDAP Server ADserver

This is the LDAP server you just created in the previous
procedure.

DO NOT REPRINT
Wildcard <enable>
This ensures that any user account located in the LDAP group
(ou) you specified in the LDAP server configuration can
authenticate.
Admin Profile Standard_User

This provides read/write access for all device privileges, but
disables system privileges.
4. From Administrative Domain, click Specify and select ADOM1 from the drop-down list.
Even though you configured the LDAP server for access to all ADOMs, this LDAP administrator
account limits access to ADOM1 only. This provides you with more flexibility and security, as you
can create additional LDAP administrator accounts for different ADOM access rights, if required.
5. Click OK.
You successfully created a wildcard LDAP administrator.
6. Log out from FortiAnalyzer.
Testing External Administrator Access

Now that you've configured an external server and created a wildcard administrator account that
points to that external server, you are ready to test your configuration.
Based on the preconfigured Active Directory server, you should be able to successfully
authenticate with the following two users:
 aduser1
 aduser2

DO NOT REPRINT
Also, since you gave this account the Standard_User profile and access to ADOM1 only, you will
notice a reduction in permissions (in comparison to the admin user account with the Super_User
profile).
To test external administrator account access

1. On the Local-Windows VM, open a browser and log in to the FortiAnalyzer GUI at 10.0.1.210
as the following user:
 Username: aduser1
 Password: Training!
You successfully logged in as an external administrator!
Stop and Think

As ADOMs are enabled, why do you not have to select an ADOM to log into after
authenticating?
Why do you not have access to System Settings?

DO NOT REPRINT
Discussion
You configured the remote-admins account with permission to access ADOM1 only. As
such, you are logged directly into ADOM1 (your only option).
You configured the remote-admins account with the Standard_User profile. This profile
does not provide system privileges.
2. Log out as aduser1 and log in with the following credentials:

 Username: aduser2
You successfully logged in as an external administrator.
Since you configured wildcard access on the remote-user administrator account, any user account
located in the LDAP group (ou) you specified in the LDAP server configuration can authenticate.
ADOM permissions and administrator privileges are the same for each user in the LDAP group.
3. Log out as aduser2.
4. Now try logging in as a user located in the same Active Directory server
(trainingAD.training.lab), but who is in the Users organizational unit, not the Training
organizational unit that you configured on FortiAnalyzer.
 Username: ADadmin
Access is denied, as ADadmin is not in a permitted LDAP group.

DO NOT REPRINT
You successfully tested external validation of administrators.

Viewing the Event Logs

FortiAnalyzer audits administrator activity, so changes can be sourced to an individual. View the Event
logs to see your recent administrative user activity.
To view the event logs

1. Log back in to the FortiAnalyzer GUI as admin (blank password).
2. Click root.
3. Go to System Settings.
4. From the left menu, select Event Log.
5. Examine your logins from aduser1, aduser2, ADadmin, and admin.
6. Close your browers.

DO NOT REPRINT
 LAB 3—Device Registration and Communication
© FORTINET
LAB 3—Device Registration and

Communication
In this lab, you will register the Local-FortiGate device with FortiAnalyzer for the purpose of log
collection. The Remote-FortiGate device has already requested registration for you.
Once registered, you will add the FortiGate devices to the custom ADOMs you created in Lab 2.
Finally, you will run some diagnostics to troubleshoot device connection issues.
Objectives
 Register devices to FortiAnalyzer
 Troubleshoot device communication
Time to Complete
Prerequisites
Before beginning this lab, you must restore a configuration file both FortiAnalyzer and Remote-
FortiGate.
The Remote-FortiGate configuration includes the request to register with FortiAnalyzer.
To restore the FortiAnalyzer configuration file

2. Click root.

DO NOT REPRINT
© FORTINET
5. Browse to Desktop > Resources > FortiAnalyzer > Lab3 and select FAZ-device-
registration.dat.
6. Click OK.
7. Click OK to reboot.
To restore the Remote-FortiGate configuration file

Remote-FortiGate GUI at 10.200.3.1.
3. Select to restore from Local PC and click Upload.

DO NOT REPRINT
© FORTINET
4. Browse to Desktop > Resources > FortiAnalyzer > Lab3 and select remote-device-
registration.conf.
5. Click OK.
6. Click OK to reboot.

DO NOT REPRINT
 LAB 3—Device Registration and Communication 1 Registering Devices on FortiAnalyzer
© FORTINET
1 Registering Devices on FortiAnalyzer

In this exercise, you will register Local-FortiGate to one ADOM, and Remote-FortiGate to a different
ADOM, using different methods of device registration.
One use case for adding FortiGate devices to different ADOMs is to more efficiently manage data
policies and disk space allocation--because these features are set for each ADOM and not for each
device.
For example, if you know (or have determined over time) that one of your FortiGates receives a higher
volume of traffic than another (such as a core FortiGate rather than an internal FortiGate), you may not
want both devices to share the default 1000MB ADOM disk space.
Registering a Device through the Device Registration

Wizard
Use the FortiAnalyzer device registration wizard to add the Local-FortiGate device to ADOM1 in
FortiAnalyzer.
Below is the Local-FortiGate information you require for the device registration wizard:
Note: You can also gather this information by logging in as admin (blank password) to the
Local-FortiGate GUI at 10.0.1.254.
To register Local-FortiGate from FortiAnalyzer

2. Click ADOM1.

DO NOT REPRINT
© FORTINET
This ensures that Local-FortiGate will be registered to ADOM1.

3. Click Device Manager.
4. Click Add Device.
5. Complete the fields as follows:
Field Value
IP Address 10.0.1.254
This is the IP address of Local-FortiGate. See Network
Topology for more information.
SN FGVM010000064692 (Hint: In case your eyes can't count

the number of zeros in a row, there are 5!)
This is the serial number of the FortiGate. You can find this
serial number on the Local-FortiGate dashboard.
Device Name Local-FortiGate
Device Model FortiGate-VM64
Firmware Version 5.4
6. Click Next.
A success message appears.

DO NOT REPRINT
© FORTINET
7. Click Finish.
The Device Manager indicates the Local-FortiGate is now a registered device.
8. Examine the Logs column.

FortiAnalyzer indicates it is not receiving logs (red circle).
You will diagnose this issue later in this lab.
Accepting a Device Registration Request

In this scenario, the Remote-FortiGate device has requested registration on FortiAnalyzer. You
need to review and accept the connection request. Once accepted, the device is registered.
Using this registration method, you do not need to use the device registration wizard to register a
device as you did in the previous procedure.

DO NOT REPRINT
© FORTINET
To accept a device registration request
1. Still in the FortiAnalyzer GUI, go to the root ADOM.
All FortiGate registration requests go to root.
2. Click the Unregistered tile that indicates one device is unregistered.
You will also see a notification in the top right of the GUI.
3. Select Remote-FortiGate and click Add.
The Add Device dialog box appears. As ADOMs are enabled, and you have created additional
FortiGate ADOMs, you now have the ability to select which ADOM you want to register the device
to.
4. Select ADOM2 and click OK.
5. Click Close on the dialog box when 100% is reached.

6. Switch to ADOM2 to confirm the registration.
You successfully registered Remote-FortiGate.

7. Examine the Logs column.
FortiAnalyzer indicates it is receiving logs (green circle).

DO NOT REPRINT
© FORTINET
Stop and Think

Why does FortiAnalyzer indicate it is receiving logs from Remote-FortiGate (green circle),
but not from Local-FortiGate (red circle)? You will diagnose this issue next.

DO NOT REPRINT
 LAB 3—Device Registration and Communication 2 Troubleshooting Device Communication
© FORTINET
2 Troubleshooting Device Communication

In the Device Manager of both registered devices, we saw an indication that Local-FortiGate and
Remote-FortiGate have different statuses with FortiAnalyzer.
FortiAnalyzer showed it was receiving logs successfully from Remote-FortiGate, but not Local-
FortiGate.
Let's troubleshoot!
Verifying Device Registration

A quick way to verify device registration with FortiAnalyzer is through the diagnose dvm device
list command. This provides the device serial number, IP address, name, and registered ADOM.
To verify device registration information

1. On the Local-Windows VM, open PuTTY and connect to the FORTIANALYZER saved session
(connect over SSH).
2. Log in as admin and execute the following command to view which ADOM your devices are
currently registered to:
Note: The CLI output formatting is easier to read if you maximize your PuTTY window.
# diagnose dvm device list
The output indicates that there are two devices currently registered: Local-FortiGate
(10.0.1.254) to ADOM1 and Remote-FortiGate (10.200.3.1) to ADOM2.
Verifying Device Communication

Just because a device successfully registers with FortiAnalyzer, it does not mean there is
successful communication between the devices. As you have determined, Local-FortiGate is
registered with FortiAnalyzer, but log communication is down.

DO NOT REPRINT
© FORTINET
To verify device communication
1. Still in your FORTIANALYZER PuTTY session, obtain the following information by using the
associated CLI command:
Diagnostic Command Result
Can the devices contact each exe ping <IP> Should indicate that
other? FortiAnalyzer can contact both
Where <IP> is the IP of the
Local-FortiGate and Remote-
registered device(s) FortiGate.
For example:
Local-FortiGate: 10.0.1.254
Remote-FortiGate: 10.200.3.1
What devices and IPs are diagnose test Should indicate Remote-
connected? application oftpd FortiGate is connected only.
<level>
Note: This is why Local-
Where <level> is 3 shows FortiGate appears in the
the connected device name FortiAnalyzer Device Manager
and IP. with a down connection.
Note: The oftpd process is
used for FortiAnalyzer-
FortiGate communication and
is responsible for file transfers
from FortiGate to
FortiAnalyzer.
2. Leave this FORTIANALYZER PuTTY session open, as you will use it again shortly.
To verify FortiAnalyzer log connectivity from FortiGate side

1. On the Local-Windows VM, open another PuTTY application and connect to the LOCAL-
FORTIGATE saved session (connect over SSH).
2. Log in as admin and execute the following command to view log connectivity to FortiAnalyzer
# execute log fortianalyzer test-connectivity

Output should indicate that logging to FortiAnalyzer is not enabled.
3. Leave the LOCAL-FORTIGATE PuTTY session open, as you will use it again shortly.
4. Open another PuTTY application and connect to the REMOTE-FORTIGATE saved session
(connect over SSH).
5. Perform the same log connectivity test on Remote-FortiGate.
Output should indicate that logging connectivity is allowed.

DO NOT REPRINT
© FORTINET
These results indicate that the issue probably exists on the Local-FortiGate side and not
FortiAnalyzer.
6. Leave the REMOTE-FORTIGATE PuTTY session open, as you will use it again shortly.
Troubleshooting Device Communication

So far, diagnostics indicate the following:
 Local-FortiGate and FortiAnalyzer can contact each other (ping)
 Communication required for file transfers (oftpd) is down on Local-FortiGate only
 Logging connectivity is not enabled on Local-FortiGate only
A quick way to verify whether the downed process is preventing logs being sent from Local-FortiGate
to FortiAnalyzer is to enable real-time debugging on the oftpd process and run some test traffic
through Local-FortiGate. This should also confirm the logging connectivity results.
To verify if FortiAnalyzer is receiving logs from FortiGate

1. Return to your FORTIANALYZER PuTTY session, enter the following command to enable the
real-time debugging on the oftpd process between FortiAnalyzer and Local-FortiGate:
# diagnose debug enable
# diagnose debug application oftpd 8 10.0.1.254

2. Return to the LOCAL-FORTIGATE session and enter the following command to create some test
logs:
Tip
It's helpful if you can have both PuTTY windows side by side, so you can see the output as
it occurs.
# diagnose log test

3. Return to your FORTIANALYZER PuTTY session.
Do you see any logs from IP 10.0.1.254 (the Local-FortiGate device)?

DO NOT REPRINT
© FORTINET
FortiAnalyzer did not receive any logs from Local-FortiGate.

4. Because diagnostics indicate the oftpd process is working on Remote-FortiGate, perform a log
test on Remote-FortiGate so you know what you should see when the connection is successful:
A. In the FortiAnalyzer PuTTY session, press the up arrow to retrieve the last command you
entered, delete the Local-FortiGate IP and type 10.200.3.1 (this is the IP for Remote-FortiGate).
B. Return to the REMOTE-FORTIGATE session and enter the following command to create some
test logs:
Tip
It's helpful if you can have both PuTTY windows side by side, so you can see the output as
it occurs.
# diagnose log test

D. Return to your FortiAnalyzer PuTTY session. Do you see any logs from IP 10.200.3.1 (the
Remote-FortiGate device)?
FortiAnalyzer received the test logs sent by Remote-FortiGate. The information we see here
aligns with what we see for the device communication: FortiAnalyzer is communicating with
Remote-FortiGate, but not with Local-FortiGate.
5. In the FORTIANALYZER PuTTY session, type the following to stop the debug:

DO NOT REPRINT
© FORTINET
Tip: Press Enter a few times to get a fresh prompt!
# diag debug disable
# diag debug application oftpd ""

6. Close all the PuTTY sessions.
Resolving Down Connection

FortiAnalyzer diagnostics indicate that logs are not being received from Local-FortiGate.
Since the Local-FortiGate device was the device you registered on the FortiAnalyzer side (using the
device registration wizard), you should check the following:
 Is FortiGate enabled for remote logging to FortiAnalyzer?
 What are the logging filters on Local-FortiGate?
To resolve a down connection

1. On the Local-Windows VM, open a new browser tab and log in as admin (blank password) to the
Local-FortiGate GUI at 10.0.1.254.
2. From the left menu, click Log & Report > Log Settings.
3. Examine the Remote Logging and Archiving section. Is remote logging to FortiAnalyzer enabled
and configured?
Remote logging is not enabled.

4. Enable Send Logs to FortiAnalyzer/FortiManager.
Field Setting
IP Address 10.0.1.210
This is the IP of FortiAnalyzer for Local-FortiGate.
Upload Option Realtime

For the purposes of this lab we are using real time so you
can see the logs instantly.

DO NOT REPRINT
© FORTINET
6. Click Apply.
Note the warning you receive about the local reports setting on FortiGate.
7. Click OK for the warning.

8. In the Local Log section, turn off the Enable Local Reports switch and click Apply.
9. In the Remote Logging and Archiving section, click Test Connectivity.
Are the devices connected?
10. Click Close.

11. Return to the FortiAnalyzer GUI and go to ADOM1.
12. Click (or refresh) Device Manager.
In the registered device Logs column, does FortiAnalyzer indicate it is receiving logs from Local-
FortiGate (green circle)?
Tip
You can run execute log fortianalyzer test-connectivity on Local-FortiGate
again to see that log connectivity is enabled.
13. Optional! It is always a good idea to check your logging filters on the FortiGate firewall policies
to ensure you get the logs you are expecting:
A. Return to the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.

DO NOT REPRINT
© FORTINET
B. Review the Logging Options section for both policies (IPS-traffic-policy and Full_Access).
You should see All Sessions enabled for both policies and some security profiles enabled. While
logging all sessions requires more system resources and storage space, it's always a good option
when you want to verify that logging has been set up successfully.

DO NOT REPRINT
 LAB 4—Logs
© FORTINET
LAB 4—Logs
In this lab, you will generate some traffic so you can see where logs are stored on FortiAnalyzer, what
information is included in logs, and different ways of viewing log data. But before you generate traffic,
you will gather information about your FortiAnalyzer performance benchmarks and log storage
policies.
You will also enable some event handlers so you can receive notifications when specific traffic passes
through the network.
After traffic has passed through the network for a while, you will examine your used storage statistics
and modify the ADOM disk quota based on those results.
Objectives
 Gather benchmark diagnostics
 Enable event handlers
 Examine logs and event handler notifications
 Gather logs statistics and used storage information
 Modify disk quota
 Move a device to a different ADOM
Time to Complete

DO NOT REPRINT
 LAB 4—Logs 1 Gathering Benchmark Diagnostics
© FORTINET
1 Gathering Benchmark Diagnostics

Before you start generating traffic, you should be aware of the system resources for FortiAnalyzer as
well as the log storage policies. This can help you properly manage your device and the logs being
stored.
Viewing System Resource Information

You can view the real-time and historical usage status of the CPU, memory, and hard disk on
FortiAnalyzer. You can monitor these statistics over time to see how your device is performing.
Note: You can also use the FortiAnalyzer CLI commands get system status and get
system performance to view this information.
To view system performance information

2. Click ADOM1.
4. On the dashboard, examine the System Resources widget.
You can click the refresh icon to get the latest statistics.
Diagnostic Result
What is the CPU usage?
What is the memory usage?
What is the disk usage?
5. Click the Edit icon to view the historical usage over the past hour.

DO NOT REPRINT
© FORTINET
Gathering Data Policy and Disk Utilization Information

You should also be aware of your disk quota for each ADOM. This can help prevent any log storage
issues that may occur, especially if some devices produce a high volume of logs.
Note: You can also use the FortiAnalyzer CLI command diagnose log device to
obtain this information.
To check log storage information

1. Still in the FortiAnalyzer GUI (ADOM1), click System Settings.
2. In the left menu, click Storage Info.
3. Double-click (or edit) ADOM1 and view the data policy and disk utilization policies.
How long are logs configured to be kept in the

SQL database (Keep Logs for Analytics)?
This is the number of days you can view
information about the logs on FortiView, Event
Management, and Reports. After the specified
amount of time expires, logs are automatically
purged from the SQL database.
How long are logs configured to be kept in the

compressed state (Keep Logs for Archive)?
When logs are in the compressed state, you
cannot view information about the log messages
on FortiView, Event Management, and Reports.
After the specified amount of time expires,
archive logs are automatically deleted from
FortiAnalyzer.
What is the maximum amount of FortiAnalyzer

disk space available to use for logs?
Note: The reserved space is already deducted
from this total.
How much is disk space is allotted to ADOM1?

(Out of Available)

DO NOT REPRINT
© FORTINET
What is the allotted disk space percentage

available for indexed (analytics) and compressed
(archive) logs?
Analytics logs require more space than archive
logs.
At what fullness are alert messages to be

generated and logs automatically deleted?
The oldest archive log files or analytics database
tables are deleted first.
The log storage information for ADOM2 is the same. It is the same ADOM type (FortiGate) as
ADOM1 and they are both in the default state.
4. Click Cancel to close the window.

DO NOT REPRINT
 LAB 4—Logs 2 Enabling Event Handlers
© FORTINET
2 Enabling Event Handlers

In this exercise, you will enable some of the default event handlers. Event handlers define what
messages to extract from the logs and display in Event Management. You will also configure an
event handler notification to send over email.
Later, after FortiAnalyzer starts collecting logs, you can see what event handlers are "hit" and
investigate one of the events.
To configure alerts for event handlers

2. Click ADOM1.
3. Click Event Management.
4. From the left menu, click Event Handler List.
5. Select IPS - High Severity and select Edit.

6. Toggle the Status switch to ON to enable the event handler.
This event handler creates events for any IPS log that has a severity level of Critical. It is also
configured for all devices in ADOM1 (event handlers are configured per-ADOM).
7. In the Notifications section, configure the following:
 Generate alert when at least 1 matches occurred over a period of 1 minutes.
Field Setting
Send Alert Email <enable>
To admin@training.lab
From admin@training.lab
Subject IPS High Severity Event Notification
Email Server Mail_Server: 10.200.1.254

Note: This mail server has been preconfigured for you

DO NOT REPRINT
 LAB 4—Logs 2 Enabling Event Handlers
© FORTINET
8. Click OK.
You successfully enabled this event handler and configured notifications to be sent over email.
9. Select the following event handlers and then click More > Enable:
 IPS - Critical Severity
 UTM App Ctrl Event
 UTM Web Filter Event
Note: You can double-click each event handler to view the settings. However, for the
purposes of this lab, we are using the default settings. These are also not configured to
send alerts over email.
Based on the traffic you will generate in the next exercise, these event handlers will return some
hits (only IPS - High Severity is configured to send notifications over email). In a real-world
situation, you would only enable those event handlers for which you want notifications.

DO NOT REPRINT
 LAB 4—Logs 3 Generating Traffic
© FORTINET
3 Generating Traffic
For the purposes of this lab, you need to generate traffic so you can see the logs received by
FortiAnalyzer.
Note: The traffic you generate will go through Local-FortiGate. The firewall policies have
been preconfigured for you and logging for all sessions is enabled. To view the firewall
policies in the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
You will use two different tools to create different types of traffic.
Generating Traffic with FIT

The FIT (Firewall Inspection Tester) VM generates web browsing traffic, application control, botnet IP
hits, malware URLs, and malware downloads.
In this lab, you will direct FIT-generated traffic through the Local-FortiGate Full_Access firewall policy.
This firewall policy has been preconfigured for you and includes the following security policies and
logging options:
Note: Because FIT-generated traffic will originate from the IP of the FIT VM (10.0.1.20),
all these logs will show the same source IP in the FortiAnalyzer logs. This is a limitation of
the lab environment. In a real-world scenario, you will likely see many different source IPs
for your traffic.

DO NOT REPRINT
© FORTINET
To generate traffic through FIT
1. On the Local-Windows VM, open PuTTY and connect to the FIT saved session (connect over
SSH).
2. Log in as student with the password password.
3. Type the following commands:
# cd FIT
# ./fit.py all --repeat

Traffic will begin to generate and repeat the script each time it completes.
4. Leave the PuTTY session open (you can minimize it) so traffic continues to generate. This will run
throughout the remainder of the labs.
Caution: Do not close the FIT PuTTY session or traffic will stop generating.
Generating Traffic Through Nikto

Nikto generates intrusion prevention system (IPS) traffic.
You will direct the Nikto-generated traffic through the Local-FortiGate IPS-traffic-policy firewall policy.
This firewall policy has been preconfigured for you and includes the following security policies and
logging options:

DO NOT REPRINT
© FORTINET
Note: Because Nikto-generated traffic will originate from the IP of the Linux VM where
Nikto is installed (10.200.1.254), all these logs will show the same source IP in the
FortiAnalyzer logs. This is a limitation of the lab environment. In a real-world scenario, you
will likely see many different source IPs for your traffic.
To generate traffic through Nikto

1. Still in Local-Windows, open a second PuTTY application and connect to the LINUX saved
session (connect over SSH).
2. Log in as root with password password.
3. Type the following command:
nikto.pl -host 10.200.1.10

The vulnerability scanning will result in traffic beginning to generate.
The scan will continue for approximately 25 minutes. The dialog displays an End Time and
indication that 1 host is tested when complete.
You can run the command again once complete (press the up arrow and then press Enter) to
generate more logs, but it's not required. One cycle will provide enough logs for the purposes of
this lab.
4. Leave the PuTTY session open (you can minimize it) so traffic continues to generate. This will run
for the remainder of the labs.
Caution: Do not close the LINUX PuTTY session or traffic will stop generating.

DO NOT REPRINT
 LAB 4—Logs 4 Examining Logs and Notifications
© FORTINET
4 Examining Logs and Notifications

There are many ways to view logs in FortiAnalyzer. In order to get familiar with the options that are
available to you, in this exercise you will explore some different views:
 Log View
 FortiView
Note: Not all views will be populated because of the simulated traffic limitations in this lab.
Log View
Log View allows you to view traffic logs (also referred to as firewall policy logs), event logs, and
security logs per device (or for each log group, which is a feature we are not using in this lab).
When ADOMs are enabled, each ADOM has its own information displayed in Log View.
Log View displays log messages from analytics logs and archive logs:
 Historical logs and real-time logs in Log View are from analytics logs
 Log Browse can display logs from both the current, active log file and any of the compressed log
files
In this exercise, you will examine traffic logs and security logs only.
To view logs in Log View

2. Select ADOM 1.
3. Click Log View.
4. In the left menu, select Traffic.

DO NOT REPRINT
© FORTINET
5. Explore the different ways of viewing logs, such as real-time, historical, and raw:
 On the right side of the GUI, click Tools > Real-time Log.
You should see traffic logs in real time and in the formatted view.
Note that you can click Pause to stop the traffic if you want to look at one or more logs without
losing them among all the real-time logs constantly dropping in. Click Resume to resume.
Note: Real-time logs are temporarily considered compressed, but are indexed as soon as
FortiAnalyzer has available CPU and memory
 Click Tools > Historical Log.

You should see formatted, historical logs according to the filters that are set. For example, All
Devices, Last 1 hour. Historical logs are the default view. Double-click a log for more details.
Note: You can view details about historical logs, as they have been indexed in the SQL
database.
 Click Tools > Display Raw.

You should see the raw logs (not formatted).
Note: While logs are compressed, they are considered offline, and you cannot view details
about the logs in Log View (or FortiView).You also cannot customize the columns.

DO NOT REPRINT
© FORTINET
6. Return the view to formatted logs (Tools > Formatted Log).

7. Now, from the left menu, click Security to examine the security logs.
Security logs from FortiAnalyzer include antivirus, web filtering, application control, intrusion
prevention, email filtering, data leak prevention, vulnerability scan, and VoIP. The logs displayed
on FortiAnalyzer are dependent on the device type logging to it, the traffic, and the features
enabled. In this lab, only Web Filter, Application Control, and Intrusion Prevention logs are
triggered.
Note: You can also view security logs in real-time or historical, and in raw or formatted
format.
 In the left menu, click Security > Web Filter.

You should see all logs that match web filter traffic. Double-click a log for more details.
 Click Security > Application Control.

You should see all logs that match application control traffic. Double-click a log for more details.
 Click Security > Intrusion Prevention.

You should see all logs that match IPS traffic. Double-click a log for more details.

DO NOT REPRINT
© FORTINET
Using Log Filters

You can use log filters to narrow down search results and locate specific logs.
Tips:
 Check the filter drop-down list first to see if it contains the SQL column filter name on which you
want to filter. This way, you can select it from the list and ensure the filter name is properly formed.
 Add the column name on which you want to search from the Column Settings drop-down list if
you are unsure what the properly formed column name is.
 Ensure your time filter covers the logs for which you are searching.
 Ensure the device is set accordingly for the logs you want to return.
 Verify whether case sensitive search is enabled or disabled (Tools)
 Ensure you are searching on the appropriate log type for the logs you want to return (i.e. Traffic,
Web Filter, Application Control, IPS, etc.)
 Ensure you are not in the raw log view, as you cannot filter on raw logs (only historical and real-
time).
 Ensure you are not filtering in real-time logs if you want to search on historical logs.
 Ensure you click Go after you set your filters.
Use filters to find the following logs in ADOM1.
To use log filters

1. Still in the FortiAnalyzer GUI (ADOM1), go to Log View.
2. Locate the following logs:
 Web Filter logs on Local-FortiGate over the past 1 hour with a Category Description of
Phishing.
 Application Control logs on Local-FortiGate over the past 1 hour for the Application
Category: General.Interest.
 Intrusion Prevention logs on Local-FortiGate over the last 30 minutes with a Threat
Level of high.

DO NOT REPRINT
© FORTINET
Note: As you can see, the Threat Level filter string doesn't appear in the filter drop down
list. Try adding the Threat Level column and refreshing the page. The filter string now
appears in the filter drop-down list.
FortiView
You can view summaries of log data in FortiView in both tabular and graphical formats. For example,
you can view top threats to your network, top sources of network traffic, and top destinations of
network traffic, to name a few. For each summary view, you can drill down into details.
When ADOMs are enabled, each ADOM has its own data analysis in FortiView.
To view logs in FortiView

1. Click FortiView (Log View > FortiView).
2. Examine (and experiment with) the following views and feel free to add any notes:
Tip: Set your time filters appropriately!
Category View Notes
Summary Displays an overview of the most used

summary views (each summary view
is called a widget on the Summary
page).

DO NOT REPRINT
© FORTINET
Threats Top Threats

Displays a list of the top threats to your
network.
IOC
Displays any hits using fresh threat
intelligence against current logs.
Note: If there are no hits, try coming
back later after FortiAnalyzer has
collected more logs.
Traffic Top Sources

Displays information about the sources
of network traffic by source IP address
and interface.
Top Destinations
Displays information about the top
destinations of network traffic by
destination IP addresses and the
application used to access the
destination.
Top Countries
Displays information about top
countries in terms of traffic sessions,
including threat score and destination.
Policy Hits
Displays information about the
FortiGate policy hits. Displays the
name of the policy, the name of the
FortiGate device, and the number of
hits.

DO NOT REPRINT
© FORTINET
Applications & Websites Top Applications

applications being used on the
network, including the application
name, category, and risk level.
Top Web Sites

categories, browsing time, threat
score, and sessions.
Viewing Event Notifications

Now let's see your event notifications based on the event handlers you configured. These notifications
will allow you to act quickly on any threat to your network.
To view event notifications in Event Management

1. Still in the FortiAnalyzer GUI (ADOM1), go to Event Management.
You should see many different event types based on the event handlers you configured. This
includes IPS, Web Filter, and Application Control events.
2. Click the link in the Event Name column for any IPS log.
Tip: You can use the search field to narrow your results.
A dialog box appears that provides information about the specific exploit and a reference to
FortiGuard for more information about the exploit. For example:

DO NOT REPRINT
© FORTINET
3. Click anywhere outside of the dialog box to return to the event list.
4. Refresh the page to ensure any search filters are removed.
5. Double-click the number in the # column of any event notification to view more details about the
event.
Tip: Don't click on a hyperlink or you will only see details associated with that specific
piece of data.
The details include summary information about the event as well as all the corresponding logs.
6. After you examine the event notification, click Acknowledge to remove it from the event
notification list. Optionally, you can add a comment and click Save Comment before you
acknowledge it.

DO NOT REPRINT
© FORTINET
7. You can enable Show Acknowledged to view all acknowledged events.
To view event notifications in email

1. From the Local-Windows desktop, open the Mozilla Thunderbird application.
2. In the admin@training.lab inbox, you should see event notifications for the IPS - High Severity
event handler you configured.
3. View any email to see what details are included.

DO NOT REPRINT
© FORTINET
You can use the Log ID to search for this log in the FortiAnalyzer GUI. The Reference URL links
to the FortiGuard Threat Research and Response page for this particular vulnerability.
4. Close Mozilla Thunderbird.

DO NOT REPRINT
 LAB 4—Logs 5 Viewing Log Statistics and Used Storage Space
© FORTINET
5 Viewing Log Statistics and Used Storage

Space
Now that FortiAnalyzer is collecting logs, you should view your log statistics and used storage space to
determine whether your FortiAnalyzer is adequately configured to store the logs it receives from the
registered devices in your network.
In this exercise, you will:
 View the raw log receiving rate
 View the insert rate vs. receive rate
 View used storage statistics
Viewing the Raw Log Receiving Rate

The fortilogd daemon is the process responsible for receiving the raw logs at FortiAnalyzer. Multiple
diagnostic commands show the rate at which the logs and messages are received and the status of
the process.
This will allow you to identify and understand:
 The log rate
 The log message rate
 The log message volumes and whether they are well-balanced among the devices
 The log message type distribution (traffic, event, etc.)
To view the raw law receiving rate

1. In Local-Windows, open a PuTTY application and connect to the FORTIANALYZER saved
2. Enter the following commands to view fortilog daemon information:
Diagnostic Command
What is the log rate every second / 30 diagnose fortilogd lograte

seconds / 60 seconds?
What is the message log rate every diagnose fortilogd msgrate

second / 30 seconds / 60 seconds?
One log message can consist of multiple logs in
LZ4 format. As such, the rate should be lower for
msgrate than lograte.
What is the log message rate per diagnose fortilogd msgrate-device

device per second?
Since all traffic is going through Local-FortiGate,
the totals for the Local-FortiGate
(FGVM010000064692) should be higher than
Remote-FortiGate (FGVM010000065036)

DO NOT REPRINT
© FORTINET
What is the log type distribution per diagnose fortilogd msgrate-type

second?
FortiGate only sends two types of log files to
FortiAnalyzer: tlog (traffic) and elog (event). All
UTM logs are sent with tlog.
3. Close your FORTIANALYZER PuTTY session.
Viewing the Insert Rate vs. Receive Rate

The FortiAnalyzer dashboard includes a widget that shows the rate at which raw logs are reaching the
FortiAnalyzer (receive rate) and the rate at which they are indexed by the SQL database (insert rate)
by the sqlplugind daemon.
Another widget displays the log insert lag time (how many seconds the database is behind in
processing the logs).
Note: These widgets are not enabled by default, but have been added to the dashboard
for this lab. You can customize the dashboard using the Toggle Widgets option on the
dashboard.
To view log rates

2. Click ADOM1.
4. On the dashboard, view the information in the following widgets:
 Insert Rate vs. Receive Rate
At any point, is the log receive rate higher than the log insert rate? This indicates that the raw logs
are being received faster than they can be indexed (inserted) in the database.

DO NOT REPRINT
© FORTINET
 Log Insert Lag Time
At any point, is there a high lag time? This indicates how many seconds the database is behind in
processing the logs.
Viewing Used Storage Statistics

Earlier, you obtained your data policy and disk utilization information. Now that FortiAnalyzer has
collected some logs, let's see the current status for the used storage.
Note: You can also use the FortiAnalyzer CLI command diagnose log device to
obtain this information.
To view the current used storage

1. Still in the FortiAnalyzer GUI (ADOM1), go to Log View > Storage Statistics.
2. Hover your cursor over the analytic and archive quotas (which are rounded) to get more specific
statistics.

DO NOT REPRINT
© FORTINET

DO NOT REPRINT
 LAB 4—Logs 6 Modifying Disk Quotas
© FORTINET
6 Modifying Disk Quotas

In this exercise, you will compare the storage space available on both ADOMs. Then you will modify
the disk quota on your ADOMs to reflect what is happening.
Comparing Storage Space between ADOMs

In this exercise, you will run a CLI command so you can compare the used storage space between
ADOM1 and ADOM2. Remember, you ran all your traffic through Local-FortiGate, which is located in
ADOM1.
To compare storage space

1. In Local-Windows, open a PuTTY application and connect to the FORTIANALYZER saved
2. Log in as admin and enter the following command to check the storage space for each ADOM:
Note: The CLI output formatting is easier to read if you maximize your PuTTY window.
# diagnose log device

You should see that ADOM1 is using more of its log storage and database storage than ADOM2.
Modifying Disk Quota

The diagnose log device output indicated that ADOM1 is receiving more traffic than ADOM2.
In the real world, if you were consistently seeing high log volume in a specific ADOM over a
reasonable amount of time, it might cause your disk to fill up and result in lost logs. In that case,
you would do one of the following:
 Modify your firewall policies to reduce the amount of traffic you are monitoring
 Modify your disk quotas
The easiest way to resolve this imbalance between ADOM disk usage is to modify your disk
quotas, as it allows you to keep your firewall policies intact.
As such, in this exercise you will increase the disk quota in ADOM1, which is the ADOM receiving
the most traffic.

DO NOT REPRINT
 LAB 4—Logs 6 Modifying Disk Quotas
© FORTINET
To modify the disk quota
2. Click ADOM1.
4. In the left menu, select All ADOMs and then edit ADOM1.
5. Modify the maximum allowed disk utilization from 1000 MB to 5000 MB.
6. Click OK.
You successfully increased your disk storage in ADOM1.

DO NOT REPRINT
 LAB 4—Logs 7 Moving Device with Logs Between ADOMs
© FORTINET
7 Moving Device with Logs Between ADOMs

As you expand your network, or as your organizational structure changes, you may need to re-
organize your devices in ADOMs. Accordingly, in this exercise, you will move a device out of one
ADOM and into another.
As mentioned in the Device Registration and Communication lesson, when you move a device into a
different ADOM, the archive (compressed) logs are migrated to that ADOM, but the analytics (indexed)
logs do not migrate.
As such, you need to rebuild the ADOMs to move the analytics logs into the new ADOM and delete
them from the old ADOM.
Note: In a real-world scenario, you would perform this procedure during a low
maintenance time, when little traffic is passing through the device you are moving.
Gathering Log and ADOM Information

Before you move a device out of an ADOM, there is some information of which you should first be
aware:
 The disk quota set on the current ADOM (System Settings > All ADOMs)
Since disk quota is set per ADOM and not per device, you do not necessarily need to match the
disk quota from the current ADOM to the new ADOM, because the new ADOM may contain less
devices then the current one, for example. However, you do need to ensure your new ADOM will
have enough space for the device you are moving into it.
In this lab environment, ADOM1 currently has a 5000 MB disk quota.
 The volume of logs (System Settings > Storage Info or # diagnose log device)
Although disk quota is set per ADOM, it is important to know the actual log volume associated with
the device you are moving. You need to ensure the new ADOM, at minimum, has enough space
to move the device's current logs. You will still need to select a disk quota with future logs in mind
though.

DO NOT REPRINT
© FORTINET
Moving a Device to a Different ADOM

Since the Local-FortiGate device in ADOM1 contains the logs from all the traffic you have been
generating through FIT and Nikto, you will move Local-FortiGate out of ADOM1 and into a new ADOM
call NEW.
To move a device to a different ADOM

2. Click ADOM1.
4. In the left menu, select All ADOMs and click Create New.
5. Complete the following to create a new ADOM for Local-FortiGate:
Field Value
Name NEW
Type FortiGate
5.4
6. Click Select Device and from the Select Device pane that appears, select Local-FortiGate.
The Local-FortiGate is added to the Devices list for the NEW ADOM.
7. Modify the disk quota if necessary.
Tip: At minimum, the disk quota should support the volume of logs you are moving into it.

DO NOT REPRINT
© FORTINET
8. Click OK.
Local-FortiGate moves from ADOM1 to NEW ADOM.
9. Switch into NEW ADOM, and under Device Manager, verify Local-FortiGate is registered and
still collecting logs.
Rebuild ADOM Database to Migrate Device Logs

Assuming you want the old logs (analytics logs) in the new ADOM so you can run reports against
them, and no longer want to see the device logs in the old ADOM, you need to rebuild the new ADOM
database and the old ADOM database.
Ensure you remember your log volume associated with your Local-FortiGate device (# diagnose
log device).
To verify location of Local-FortiGate logs

1. In the Local-Windows, open PuTTY and connect to the FORTIANALYZER saved session
(connect over SSH).
2. Log in as admin and enter the following command to display log information:
# diagnose test application logfiled 4

3. Confirm the location of the logs by examining the ADOM1 (the old ADOM) and NEW ADOM (the
new ADOM).

DO NOT REPRINT
© FORTINET
As you can see, the log-files (archive logs) have moved from ADOM1 to NEW, but ADOM1 still
contains the log-db (analytics logs) logs.
To rebuild the ADOM to transfer logs

1. Still in the FORTIANALYZER PuTTY session, execute the following command to rebuild the two
ADOMs and transfer the analytics logs.
# execute sql-local rebuild-adom NEW ADOM1

2. Click y to continue with the operation.
3. Wait a few minutes for the databases to rebuild.

The FortiAnalyzer GUI shows the rebuild progress.
4. Enter the following command to re-check log storage for both ADOM1 and NEW:
# diagnose test application logfiled 4
Note: If you do not see the logs move, wait a few minutes and try again.

DO NOT REPRINT
© FORTINET
The log-db (analytics logs) successfully migrated from ADOM1 to the NEW ADOM.
You can also see that the log-files (archive logs) in NEW were reduced. This is because the logs
were compressed.
You can also see that the log-db in ADOM1 still contains some data, even after the rebuild. This
small amount of data amounts to the system (management) tables.
5. Close your FORTIANALYZER PuTTY session.

DO NOT REPRINT
 LAB 5—Reports
© FORTINET
LAB 5—Reports
In this lab, you will generate a default report, build a chart based on a log search, and perform some
diagnostic checks.
Objectives
 Generate a report
 Build a chart based on a log search
 Run report diagnostics
Time to Complete

DO NOT REPRINT
 LAB 5—Reports 1 Running a Default Report
© FORTINET
1 Running a Default Report

In this exercise, you will run one of the default reports on demand. This will allow you to see the report
immediately.
You will also run diagnostics for this report.
To generate a default report

2. Click NEW.
3. Click Reports.
4. In the left menu, select All Reports.
This page provides all available default reports.
5. Double-click the 360-Degree Security Review report.
6. Click the Settings tab and, in the Time Period drop-down list, select Today.
7. Click Apply.
8. Return to the View Report tab and click Run Report to run the report on demand.
9. When the report is ready, view the report in HTML format.

10. Use the left menu to go to the Intrusion and Attacks section.

DO NOT REPRINT
© FORTINET
As you can see from the report, both code and SQL injection attacks are occurring in your
network.
11. Look for any severity 4 attacks.
12. Click the malware name for the severity 4 attack that has the highest count.
This takes you to FortiGuard to learn more information about the attack.
To run diagnostics on a report

1. Return to the FortiAnalyzer GUI, right-click the report you just ran and select Retrieve
Diagnostic.
2. Save the file.
3. When complete, view the rpt_status.log file saved to your Downloads folder in Notepad++.
4. Scroll down to the bottom of the file to the "Report Summary" section and record the following:
HCACHE building time
Rendering time
Total time
For example:

DO NOT REPRINT
© FORTINET
5. Return to the Settings tab for the report, and enable Enable Auto-cache.
The hcache is updated when new logs come in and new log tables generate. If you do not enable
auto-cache, the report only generates the hcache for the current log tables. Remember, you are
still generating traffic right now in your lab.
6. Click Apply.
7. Run the report again and then run diagnostics again. What is the output this time?
HCACHE building time
Rendering time
Total time
For example:
While your lab environment does not have a large number of logs, you can still see that by
enabling auto-cache, the report builds faster. This is more noticeable if you have higher log
volumes dropping in.

DO NOT REPRINT
 LAB 5—Reports 2 Building a Chart Based on Log Search
© FORTINET
2 Building a Chart Based on Log Search

As you were able to see in the 360-Degree Report, both code and SQL injection attacks are occurring
in your network.
Since injection attacks are one of the most common vulnerabilities in web applications, in this exercise
you will create a chart based on code and SQL injection attacks. You will then add this chart to a
report and run it.
To create a chart based on a log search

2. Click NEW.
3. Click Log View.
4. In the left menu, click Security > Intrusion Prevention.
5. Add two filters for Attack Name: *.Code.Injection,*.SQL.Injection (use “or” to add the
second filter)
Ensure your time filter is set appropriately (includes the time you have been generating traffic).
6. Click Go.
7. Click Tools and select Custom View.
Note: While this isn't required to build a chart, it is a nice feature that allows you to save
your filtered searches. Custom View is only available in historical log view.
8. Name your custom view SQL and Code Injections and click OK.
9. In your SQL and Code Injections custom view, select Tools > Chart Builder.

DO NOT REPRINT
© FORTINET
Note: Chart Builder is only available in historical log view.
The dataset query is pre-generated for you based on your search filters. The Preview window
indicates what the results will look like in a report.
10. Complete the following to fine tune your results:
Field Value
Name SQL-and-Code-Injections
Columns Enable:
 Date/Time
 Device ID
 Severity
 Source IP
 Attack Name
Order By Date/Time
Sort By Descending
Show Limit 500
11. Click Preview.

The dataset query updates based on your modifications.

DO NOT REPRINT
© FORTINET
12. View the preview and click Save.

Your dataset and chart are created.
To run a report on the custom chart

1. Still in the FortiAnalyzer GUI (NEW), click Reports, and then click Create New.
Field Value
Name SQL-and-Code-Injections-Report
Create from Blank
3. Click OK.
The Settings tab for the report appears.
4. In the Time Period drop-down list, select Today.
5. Click the Layout tab and click Insert Chart.
6. Click the Chart drop-down list, and in the text field start typing SQL-and-Code-Injections and
select it when it appears in the list.
7. Click OK.
8. Click Apply.
9. Optionally, try inserting one of the IPS macros:
A: Click to insert your cursor underneath the chart you just added to the layout.
B Click Insert Macro.
C. Scroll up to the Intrusion Prevention section and select any of the default macros.
D. Type in some text to add context to the macro you added. For example, if you selected the
Total Number of Attacks macro, type Total Number of IPS Attacks.
E: Click Apply.

DO NOT REPRINT
© FORTINET
10. Click the View Report tab, and then click Run Report.
11. View the HTML format.
You successfully created a report based on a chart and dataset created from a filtered search
result.
You've successfully completed the FortiAnalyzer 5.4.2 labs!
Stop your log generators by closing the FIT and LINUX PuTTY sessions!

FortiAnalyzer Lab Guide Online

Cargado por

Información del documento

Derechos de autor

Formatos disponibles

Compartir este documento

Compartir o incrustar documentos

Opciones para compartir

¿Le pareció útil este documento?

¿Este contenido es inapropiado?

Copyright:

Formatos disponibles

FortiAnalyzer Lab Guide Online

Cargado por

Copyright:

Formatos disponibles

DO NOT REPRINT

 Virtual Lab Basics

VIRTUAL LAB BASICS ...................................................................................6

Network Topology ...................................................................................................................6

Lab Environment .....................................................................................................................6

System Checker ......................................................................................................................7

Transferring Files to the VM....................................................................................................11

Screen Resolution ...................................................................................................................11

International Keyboards ..........................................................................................................12

Student Tools: View Broadcast and Raise Hand....................................................................12

Troubleshooting Tips ..............................................................................................................13

LAB 1—INITIAL CONFIGURATION .................................................................15

Time to Complete ....................................................................................................................15

1 Examining the Network Settings ..........................................................................................18

LAB 2—ADMINISTRATION AND MANAGEMENT ..............................................24

Time to Complete ....................................................................................................................24

1 Configuring Administrative Domains....................................................................................25

Viewing ADOM Information.....................................................................................................26

2 Configuring an External Server to Validate Administrators .................................................30

Configure an LDAP Server on FortiAnalyzer ..........................................................................30

Create a Wildcard LDAP Administrator ..................................................................................32

Testing External Administrator Access ...................................................................................33

Viewing the Event Logs ..........................................................................................................36

LAB 3—DEVICE REGISTRATION AND COMMUNICATION .................................37

Time to Complete ....................................................................................................................37

1 Registering Devices on FortiAnalyzer..................................................................................40

Registering a Device through the Device Registration Wizard ..............................................40

Accepting a Device Registration Request ..............................................................................42

2 Troubleshooting Device Communication .............................................................................45

Verifying Device Registration ..................................................................................................45

Verifying Device Communication ............................................................................................45

Troubleshooting Device Communication ................................................................................47

Resolving Down Connection ...................................................................................................49

LAB 4—LOGS .............................................................................................52

Time to Complete ....................................................................................................................52

1 Gathering Benchmark Diagnostics ......................................................................................53

Viewing System Resource Information ...................................................................................53

Gathering Data Policy and Disk Utilization Information ..........................................................54

2 Enabling Event Handlers .....................................................................................................56

Generating Traffic with FIT .....................................................................................................58

Generating Traffic Through Nikto ...........................................................................................59

4 Examining Logs and Notifications........................................................................................61

Viewing Event Notifications.....................................................................................................67

5 Viewing Log Statistics and Used Storage Space ................................................................71

Viewing the Raw Log Receiving Rate.....................................................................................71

Viewing the Insert Rate vs. Receive Rate ..............................................................................72

Viewing Used Storage Statistics .............................................................................................73

6 Modifying Disk Quotas .........................................................................................................75

Comparing Storage Space between ADOMs .........................................................................75

Modifying Disk Quota ..............................................................................................................75

7 Moving Device with Logs Between ADOMs ........................................................................77

Gathering Log and ADOM Information ...................................................................................77

Moving a Device to a Different ADOM ....................................................................................78

Rebuild ADOM Database to Migrate Device Logs .................................................................79

LAB 5—REPORTS .......................................................................................82

Time to Complete ....................................................................................................................82

1 Running a Default Report ....................................................................................................83

2 Building a Chart Based on Log Search ...............................................................................86

Virtual Lab Basics

FortiAnalyzer Lab Guide 6

To run the System Checker

Region System Checker

AMER - North and South https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM-

EMEA - Europe, Middle https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe