© FORTINET
FortiAnalyzer 5.4.2
Lab Guide
for FortiAnalyzer 5.4.2
DO NOT REPRINT
© FORTINET
FortiAnalyzer Lab Guide
for FortiAnalyzer 5.4.2
Last Updated: 20 April 2017
Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
© 2002 - 2017 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents
Logging In
Disconnections/Timeouts
Objectives
Prerequisites
Objectives
Objectives
Prerequisites
Objectives
Log View
Using Log Filters
FortiView
Objectives
Note: If your trainer asks you to use a different lab, such as devices physically located in
your classroom, please ignore this section. This applies only to the virtual lab accessed
through the Internet. If you do not know which lab to use, please ask your trainer.
Network Topology
Lab Environment
Fortinet's virtual lab for hands-on exercises is hosted in remote datacenters that give each student
their own training lab environment, or PoD (point of delivery).
System Checker
Before starting any class, check if your computer can successfully connect to the remote datacenters.
The System Checker verifies that your network connection and your web browser are suitable for
connecting to the virtual lab.
You do not have to be logged into the lab portal in order to perform the System Checker.
If your computer successfully connects to the virtual lab, the Browser Check and Network
Connection Check each display a check mark icon. You can then proceed to log in.
If any of the tests fail:
Browser Check: This affects your ability to access the virtual lab environment.
Network Connection Check: This affects the usability of the virtual lab environment.
For solutions, click the Support Knowledge Base link or ask your trainer.
Logging In
Once you confirm your system can successfully run the labs through System Checker, you can
proceed to log in.
https://virtual.mclabs.com/
2. If prompted, select the time zone for your location, and then click Update.
This ensures that your class schedule is accurate.
3. Click Enter Lab.
Your system dashboard will appear, listing the virtual machines in accordance with your lab
topology.
4. From this page, open a connection to any virtual appliance by doing one of the following:
Clicking the device's square (thumbnail)
Selecting Open from the System drop-down list associated with the VM you want to access.
Note: Follow the same procedure to access any of your virtual devices.
A new web browser tab opens, granting you access to the virtual device. When you open a
VM, your browser uses HTML5 to connect to it.
Depending on the virtual machine you select, the web browser provides access to either a text-based
CLI or the GUI.
Connections to the Local-Windows VM use a Remote Desktop-like GUI. The web-based connection
should automatically log in and then display the Windows desktop.
For most lab exercises, you will connect to this Local-Windows VM.
Disconnections/Timeouts
If your computer’s connection with the virtual machine times out, or if you are accidentally
disconnected, to regain access, return to the initial window/tab that contains your session’s list of VMs
and open the VM again.
If that does not succeed, see the Troubleshooting Tips section of this guide.
Screen Resolution
Some Fortinet devices' user interfaces require a minimum screen size.
In the HTML 5 client, to configure screen resolution, open the System menu.
International Keyboards
If characters in your language don’t display correctly, keyboard mappings may not be correct.
To solve this, open the Keyboard menu at the top of the tab of any GUI-based VM, and choose to
display an on-screen keyboard.
Troubleshooting Tips
Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth
or high-latency connections.
For best performance, use a stable broadband connection such as a LAN.
Prepare your computer's settings by disabling screen savers and changing the power saving
scheme, so that your computer is always on, and does not go to sleep or hibernate.
If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal),
please attempt to reconnect. If unable to reconnect, please notify the instructor.
If you can't connect to a VM, you can force the VM to restart by clicking System > Power Cycle on
the VM's icon. This fixes most problems. If that does not solve the problem, revert the VM to its
initial state by clicking System > Revert to Initial State.
Note: Reverting to the VM's initial snapshot will undo all of your work. Try other solutions
first.
exec update-now
Objectives
Examine the network settings
Time to Complete
Estimated: 20 minutes
Prerequisites
Before beginning this lab, you must update the firmware and initial configurations on Remote-FortiGate
and Local-FortiGate.
This lab environment is also used for FortiGate 5.4.1 training and initializes in a different state than is
required for FortiAnalyzer 5.4.2 training.
4. Browse to Desktop > Resources > FortiAnalyzer > FGT-firmware and select
FGT_VM64-v5-build1100-FORTINET.out.
5. Click Upgrade.
4. Enter the following command to display information about the FortiAnalyzer interface
configuration:
Command: # show system dns
Question: What are the primary and secondary DNS settings?
Note: Several FortiAnalyzer functions use DNS, such as sending alert email and resolving hostnames
in the logs. By default, FortiAnalyzer uses FortiGuard DNS servers.
7. Enter the following command to display information about the FortiAnalyzer routing configuration:
8. To test basic network connectivity, and to ensure the default route out to the Internet is working,
enter the following command to ping IP 4.2.2.2 (a highly available public IP):
7. From the left menu, click Network, and from the main window, click Routing Table.
This page displays the network gateway and associated interface. This displays the same
information available from the CLI command show system route.
Objectives
Configure Administrative Domains (ADOMs)
Configure an external server to validate administrators
Time to Complete
Estimated: 25 minutes
To enable ADOMs
1. On the Local-Windows VM, open a browser and log in as admin (blank password) to the
FortiAnalyzer GUI at 10.0.1.210.
2. Click System Settings.
3. On the dashboard, in the System Information widget, turn on the Administrative Domain
switch.
4. Click OK to confirm.
You are automatically logged out of the GUI.
5. Log back into the FortiAnalyzer GUI as admin.
Since ADOMs are now enabled, you must select an ADOM to log into. The ADOMs with which
you are presented are based on your administrator permissions.
3. Still working from the Local-Windows VM, open PuTTY and connect to the FORTIANALYZER
saved session (connect over SSH).
4. Log in as admin and execute the following command to view what ADOMs are currently enabled
on FortiAnalyzer and the type of device you can register to each ADOM:
Note: The CLI output formatting is easier to read if you maximize your PuTTY window. If
you've already executed the command, once the window is maximized, press the up arrow
to show the last command you entered and press Enter to re-run it.
As you can see, there are 13 ADOMs that FortiAnalyzer supports, each associated with different
devices.
5. Close your PuTTY session.
Note: You do not have to create ADOMs prior to registering devices to FortiAnalyzer--you
can register devices to the default ADOMs first and then move those devices into custom
ADOMs later.
The benefit of creating custom ADOMs prior to device registration is that log collection for the device
you add to the ADOM is stored to the ADOM from the outset. If log collection begins in one ADOM,
and then you move the device to a different ADOM, the analytics (indexed) logs are not automatically
moved along with the device. We will explore this topic in Lab 4.
Field Value
Name ADOM1
Type FortiGate 5.4
6. Repeat the procedure, but this time create a FortiGate 5.4 ADOM called ADOM2.
Your ADOMs should now appear as follows:
Note: By default, FortiAnalyzer includes a root ADOM. Only FortiGate devices can register
to the root ADOM. As such, if you do not create custom ADOMs before device registration,
any FortiGate devices you register will automatically register to root.
Tip: You can switch between ADOMs within the GUI--you do not have to log out and log
back in. To switch within the GUI, click ADOM in the top right of the GUI. Your
administrator privileges determine which ADOMs you have access to.
Note: Your Local Windows VM is already configured with Active Directory and directory
users, as this is out of scope for FortiAnalyzer training.
Once complete, you will test your ability to access FortiAnalyzer and then check the Event logs for
details.
Note: For simplicity, the Distinguished Name and User DN as noted below can be copied
from the ADserver-info.txt file in Desktop > Resources > FortiAnalyzer > LAB2
and pasted directly into the fields.
Field Value
Name ADserver
User DN cn=FAZadmin,ou=Training,dc=trainingAD,dc=training,dc=lab
FAZadmin is the LDAP bind account. FortiAnalyzer uses these
account credentials to authenticate to the LDAP server.
Password Training!
7. Click the icon ( ) at the end of the Distinguished Name field to query the distinguished name
and test your LDAP connection.
If this connection is successful, you will see the DN in the dialog box. If you do not see the DN,
verify you have entered the correct LDAP server information as outlined in the previous step.
Field Value
Wildcard <enable>
This ensures that any user account located in the LDAP group
(ou) you specified in the LDAP server configuration can
authenticate.
4. From Administrative Domain, click Specify and select ADOM1 from the drop-down list.
Even though you configured the LDAP server for access to all ADOMs, this LDAP administrator
account limits access to ADOM1 only. This provides you with more flexibility and security, as you
can create additional LDAP administrator accounts for different ADOM access rights, if required.
5. Click OK.
You successfully created a wildcard LDAP administrator.
Also, since you gave this account the Standard_User profile and access to ADOM1 only, you will
notice a reduction in permissions (in comparison to the admin user account with the Super_User
profile).
Discussion
You configured the remote-admins account with permission to access ADOM1 only. As
such, you are logged directly into ADOM1 (your only option).
You configured the remote-admins account with the Standard_User profile. This profile
does not provide system privileges.
Objectives
Register devices to FortiAnalyzer
Troubleshoot device communication
Time to Complete
Estimated: 30 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file on both FortiAnalyzer and
Remote-FortiGate.
The Remote-FortiGate configuration includes the request to register with FortiAnalyzer.
5. Browse to Desktop > Resources > FortiAnalyzer > Lab3 and select FAZ-device-registration.dat.
6. Click OK.
7. Click OK to reboot.
Note: You can also gather this information by logging in as admin (blank password) to the
Local-FortiGate GUI at 10.0.1.254.
Field Value
IP Address 10.0.1.254
This is the IP address of Local-FortiGate. See Network
Topology for more information.
6. Click Next.
A success message appears.
7. Click Finish.
The Device Manager indicates the Local-FortiGate is now a registered device.
You will also see a notification in the top right of the GUI.
The Add Device dialog box appears. As ADOMs are enabled, and you have created additional
FortiGate ADOMs, you now have the ability to select which ADOM you want to register the device
to.
4. Select ADOM2 and click OK.
Note: The CLI output formatting is easier to read if you maximize your PuTTY window.
The output indicates that there are two devices currently registered: Local-FortiGate
(10.0.1.254) to ADOM1 and Remote-FortiGate (10.200.3.1) to ADOM2.
Question: Can the devices contact each other?
Command: exe ping <IP>
Where <IP> is the IP of the registered device(s). For example:
Local-FortiGate: 10.0.1.254
Remote-FortiGate: 10.200.3.1
Expected result: Should indicate that FortiAnalyzer can contact both Local-FortiGate and
Remote-FortiGate.
Question: What devices and IPs are connected?
Command: diagnose test application oftpd <level>
Where <level> is 3 shows the connected device name and IP.
Note: The oftpd process is used for FortiAnalyzer-FortiGate communication and is responsible for
file transfers from FortiGate to FortiAnalyzer.
Expected result: Should indicate Remote-FortiGate is connected only.
Note: This is why Local-FortiGate appears in the FortiAnalyzer Device Manager with a down
connection.
2. Leave this FORTIANALYZER PuTTY session open, as you will use it again shortly.
3. Leave the LOCAL-FORTIGATE PuTTY session open, as you will use it again shortly.
4. Open another PuTTY application and connect to the REMOTE-FORTIGATE saved session
(connect over SSH).
5. Perform the same log connectivity test on Remote-FortiGate.
Output should indicate that logging connectivity is allowed.
These results indicate that the issue probably exists on the Local-FortiGate side and not
FortiAnalyzer.
6. Leave the REMOTE-FORTIGATE PuTTY session open, as you will use it again shortly.
Tip
It's helpful if you can have both PuTTY windows side by side, so you can see the output as
it occurs.
FortiAnalyzer received the test logs sent by Remote-FortiGate. The information we see here
aligns with what we see for the device communication: FortiAnalyzer is communicating with
Remote-FortiGate, but not with Local-FortiGate.
5. In the FORTIANALYZER PuTTY session, type the following to stop the debug:
Field Setting
IP Address 10.0.1.210
This is the IP of FortiAnalyzer for Local-FortiGate.
Tip
You can run execute log fortianalyzer test-connectivity on Local-FortiGate
again to see that log connectivity is enabled.
13. Optional! It is always a good idea to check your logging filters on the FortiGate firewall policies
to ensure you get the logs you are expecting:
A. Return to the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
LAB 4—Logs
In this lab, you will generate some traffic so you can see where logs are stored on FortiAnalyzer, what
information is included in logs, and different ways of viewing log data. But before you generate traffic,
you will gather information about your FortiAnalyzer performance benchmarks and log storage
policies.
You will also enable some event handlers so you can receive notifications when specific traffic passes
through the network.
After traffic has passed through the network for a while, you will examine your used storage statistics
and modify the ADOM disk quota based on those results.
Objectives
Gather benchmark diagnostics
Enable event handlers
Examine logs and event handler notifications
Gather logs statistics and used storage information
Modify disk quota
Move a device to a different ADOM
Time to Complete
Estimated: 75 minutes
Note: You can also use the FortiAnalyzer CLI commands get system status and get
system performance to view this information.
Diagnostic Result
5. Click the Edit icon to view the historical usage over the past hour.
Note: You can also use the FortiAnalyzer CLI command diagnose log device to
obtain this information.
The log storage information for ADOM2 is the same. It is the same ADOM type (FortiGate) as
ADOM1 and they are both in the default state.
4. Click Cancel to close the window.
This event handler creates events for any IPS log that has a severity level of Critical. It is also
configured for all devices in ADOM1 (event handlers are configured per-ADOM).
7. In the Notifications section, configure the following:
Generate alert when at least 1 matches occurred over a period of 1 minutes.
Field Setting
To admin@training.lab
From admin@training.lab
Note: You can double-click each event handler to view the settings. However, for the
purposes of this lab, we are using the default settings. These are also not configured to
send alerts over email.
Based on the traffic you will generate in the next exercise, these event handlers will return some
hits (only IPS - High Severity is configured to send notifications over email). In a real-world
situation, you would only enable those event handlers for which you want notifications.
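The matching rule described above (an IPS log of a given severity, from the devices of one ADOM, raising an event when at least N matches occur within a time window) can be modelled in a few lines of Python. The following is an added example, not FortiAnalyzer code; the sample log lines are constructed in a FortiGate-style key=value syslog format (an assumption about the format, reduced to the fields the rule needs), and grouping events per device is an assumption about how the real handler groups them.

```python
"""Toy model of a FortiAnalyzer event handler: filter logs by field values,
then raise an event when at least `threshold` matching logs from one device
fall inside a `window`. Added example, not FortiAnalyzer code."""

import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate-style key=value format (assumed format).
# Local-FortiGate is in ADOM1, Remote-FortiGate in ADOM2, as in the lab.
SAMPLE_LOGS = [
    'date=2017-04-20 time=10:15:01 devname="Local-FortiGate" type="utm" subtype="ips" '
    'severity="critical" srcip=10.0.1.20 dstip=10.200.1.254 attack="Constructed.Signature.A"',
    'date=2017-04-20 time=10:15:40 devname="Local-FortiGate" type="utm" subtype="ips" '
    'severity="critical" srcip=10.0.1.20 dstip=10.200.1.254 attack="Constructed.Signature.B"',
    'date=2017-04-20 time=10:16:05 devname="Local-FortiGate" type="utm" subtype="ips" '
    'severity="low" srcip=10.0.1.20 dstip=10.200.1.254 attack="Constructed.Signature.C"',
    'date=2017-04-20 time=10:16:10 devname="Local-FortiGate" type="utm" subtype="app-ctrl" '
    'appcat="General.Interest" app="Constructed.App" srcip=10.0.1.20 dstip=10.200.1.254',
    # A critical hit on the ADOM2 device: must not count for an ADOM1 handler.
    'date=2017-04-20 time=10:15:30 devname="Remote-FortiGate" type="utm" subtype="ips" '
    'severity="critical" srcip=10.200.3.100 dstip=10.200.3.1 attack="Constructed.Signature.A"',
]


def parse_log(line):
    """Split a key=value line into a dict; shlex strips the quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    fields["timestamp"] = datetime.strptime(
        fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def filter_logs(logs, **criteria):
    """Keep logs whose fields equal every given criterion (like a Log View filter)."""
    return [log for log in logs if all(log.get(k) == v for k, v in criteria.items())]


@dataclass
class EventHandler:
    name: str
    adom_devices: tuple      # devices of the ADOM the handler is bound to (assumption)
    match: dict              # e.g. {"subtype": "ips", "severity": "critical"}
    threshold: int = 1       # "at least N matches"
    window: timedelta = timedelta(minutes=1)   # "over a period of N minutes"

    def evaluate(self, logs):
        """Return one event per device and window in which >= threshold logs matched."""
        events = []
        for device in self.adom_devices:
            hits = sorted(filter_logs(logs, devname=device, **self.match),
                          key=lambda log: log["timestamp"])
            i = 0
            while i < len(hits):
                # Window opens at the first unconsumed hit; count hits inside it.
                end = hits[i]["timestamp"] + self.window
                j = i
                while j < len(hits) and hits[j]["timestamp"] <= end:
                    j += 1
                if j - i >= self.threshold:
                    events.append({
                        "handler": self.name,
                        "device": device,
                        "start": hits[i]["timestamp"],
                        "count": j - i,
                        "attacks": [h.get("attack") for h in hits[i:j]],
                    })
                    i = j          # hits already reported are not counted again
                else:
                    i += 1
        return events


def run_demo(threshold=1):
    """Evaluate an 'IPS - Critical Severity' handler for ADOM1 over the sample logs."""
    logs = [parse_log(line) for line in SAMPLE_LOGS]
    handler = EventHandler("IPS - Critical Severity", ("Local-FortiGate",),
                           {"subtype": "ips", "severity": "critical"}, threshold=threshold)
    return handler.evaluate(logs)


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

With the default threshold of 1 the two critical IPS logs from Local-FortiGate fall in one minute and produce a single event listing both attacks; the low-severity log, the application-control log and the critical hit on the ADOM2 device are excluded by the filter. Raising the threshold to 3 produces no event, which is the knob to turn when a handler is too noisy.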
3 Generating Traffic
For the purposes of this lab, you need to generate traffic so you can see the logs received by
FortiAnalyzer.
Note: The traffic you generate will go through Local-FortiGate. The firewall policies have
been preconfigured for you and logging for all sessions is enabled. To view the firewall
policies in the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
You will use two different tools to create different types of traffic.
Note: Because FIT-generated traffic will originate from the IP of the FIT VM (10.0.1.20),
all these logs will show the same source IP in the FortiAnalyzer logs. This is a limitation of
the lab environment. In a real-world scenario, you will likely see many different source IPs
for your traffic.
# cd FIT
4. Leave the PuTTY session open (you can minimize it) so traffic continues to generate. This will run
throughout the remainder of the labs.
Caution: Do not close the FIT PuTTY session or traffic will stop generating.
Note: Because Nikto-generated traffic will originate from the IP of the Linux VM where
Nikto is installed (10.200.1.254), all these logs will show the same source IP in the
FortiAnalyzer logs. This is a limitation of the lab environment. In a real-world scenario, you
will likely see many different source IPs for your traffic.
The scan will continue for approximately 25 minutes. When it completes, the dialog displays an End
Time and an indication that 1 host was tested.
You can run the command again once complete (press the up arrow and then press Enter) to
generate more logs, but it's not required. One cycle will provide enough logs for the purposes of
this lab.
4. Leave the PuTTY session open (you can minimize it) so traffic continues to generate. This will run
for the remainder of the labs.
Caution: Do not close the LINUX PuTTY session or traffic will stop generating.
Note: Not all views will be populated because of the simulated traffic limitations in this lab.
Log View
Log View allows you to view traffic logs (also referred to as firewall policy logs), event logs, and
security logs per device (or for each log group, which is a feature we are not using in this lab).
When ADOMs are enabled, each ADOM has its own information displayed in Log View.
Log View displays log messages from analytics logs and archive logs:
Historical logs and real-time logs in Log View are from analytics logs
Log Browse can display logs from both the current, active log file and any of the compressed log
files
In this exercise, you will examine traffic logs and security logs only.
Note: Real-time logs are temporarily considered compressed, but are indexed as soon as
FortiAnalyzer has available CPU and memory.
Note: You can view details about historical logs, as they have been indexed in the SQL
database.
Note: While logs are compressed, they are considered offline, and you cannot view details
about the logs in Log View (or FortiView). You also cannot customize the columns.
Note: You can also view security logs in real-time or historical, and in raw or formatted
format.
Application Control logs on Local-FortiGate over the past 1 hour for the Application
Category: General.Interest.
Intrusion Prevention logs on Local-FortiGate over the last 30 minutes with a Threat
Level of high.
Note: As you can see, the Threat Level filter string doesn't appear in the filter drop down
list. Try adding the Threat Level column and refreshing the page. The filter string now
appears in the filter drop-down list.
FortiView
You can view summaries of log data in FortiView in both tabular and graphical formats. For example,
you can view top threats to your network, top sources of network traffic, and top destinations of
network traffic, to name a few. For each summary view, you can drill down into details.
When ADOMs are enabled, each ADOM has its own data analysis in FortiView.
IOC: Displays any hits using fresh threat intelligence against current logs.
Note: If there are no hits, try coming back later after FortiAnalyzer has collected more logs.
Top Destinations: Displays information about the top destinations of network traffic by destination
IP addresses and the application used to access the destination.
Top Countries: Displays information about top countries in terms of traffic sessions, including
threat score and destination.
Policy Hits: Displays information about the FortiGate policy hits. Displays the name of the policy,
the name of the FortiGate device, and the number of hits.
You should see many different event types based on the event handlers you configured. This
includes IPS, Web Filter, and Application Control events.
2. Click the link in the Event Name column for any IPS log.
Tip: You can use the search field to narrow your results.
A dialog box appears that provides information about the specific exploit and a reference to
FortiGuard for more information about the exploit. For example:
3. Click anywhere outside of the dialog box to return to the event list.
4. Refresh the page to ensure any search filters are removed.
5. Double-click the number in the # column of any event notification to view more details about the
event.
Tip: Don't click on a hyperlink or you will only see details associated with that specific
piece of data.
The details include summary information about the event as well as all the corresponding logs.
6. After you examine the event notification, click Acknowledge to remove it from the event
notification list. Optionally, you can add a comment and click Save Comment before you
acknowledge it.
2. In the admin@training.lab inbox, you should see event notifications for the IPS - High Severity
event handler you configured.
You can use the Log ID to search for this log in the FortiAnalyzer GUI. The Reference URL links
to the FortiGuard Threat Research and Response page for this particular vulnerability.
4. Close Mozilla Thunderbird.
Diagnostic Command
Note: These widgets are not enabled by default, but have been added to the dashboard
for this lab. You can customize the dashboard using the Toggle Widgets option on the
dashboard.
Note: You can also use the FortiAnalyzer CLI command diagnose log device to
obtain this information.
Note: The CLI output formatting is easier to read if you maximize your PuTTY window.
6. Click OK.
You successfully increased your disk storage in ADOM1.
Note: In a real-world scenario, you would perform this procedure during a low
maintenance time, when little traffic is passing through the device you are moving.
The volume of logs (System Settings > Storage Info or # diagnose log device)
Although disk quota is set per ADOM, it is important to know the actual log volume associated with
the device you are moving. You need to ensure the new ADOM, at minimum, has enough space
to move the device's current logs. You will still need to select a disk quota with future logs in mind
though.
Field Value
Name NEW
Type FortiGate 5.4
6. Click Select Device and from the Select Device pane that appears, select Local-FortiGate.
The Local-FortiGate is added to the Devices list for the NEW ADOM.
Tip: At minimum, the disk quota should support the volume of logs you are moving into it.
As you can see, the log-files (archive logs) have moved from ADOM1 to NEW, but ADOM1 still
contains the log-db (analytics logs) logs.
4. Enter the following command to re-check log storage for both ADOM1 and NEW:
Note: If you do not see the logs move, wait a few minutes and try again.
The log-db (analytics logs) successfully migrated from ADOM1 to the NEW ADOM.
You can also see that the log-files (archive logs) in NEW were reduced. This is because the logs
were compressed.
You can also see that the log-db in ADOM1 still contains some data, even after the rebuild. This
small amount of data amounts to the system (management) tables.
5. Close your FORTIANALYZER PuTTY session.
6. Close the browser.
LAB 5—Reports
In this lab, you will generate a default report, build a chart based on a log search, and perform some
diagnostic checks.
Objectives
Generate a report
Build a chart based on a log search
Run report diagnostics
Time to Complete
Estimated: 20 minutes
7. Click Apply.
8. Return to the View Report tab and click Run Report to run the report on demand.
12. Click the malware name for the severity 4 attack that has the highest count.
This takes you to FortiGuard to learn more information about the attack.
Rendering time
Total time
For example:
5. Return to the Settings tab for the report, and enable Enable Auto-cache.
The hcache is updated when new logs come in and new log tables generate. If you do not enable
auto-cache, the report only generates the hcache for the current log tables. Remember, you are
still generating traffic right now in your lab.
6. Click Apply.
7. Run the report again and then run diagnostics again. What is the output this time?
Rendering time
Total time
For example:
While your lab environment does not have a large number of logs, you can still see that by
enabling auto-cache, the report builds faster. This is more noticeable if you have higher log
volumes dropping in.
Ensure your time filter is set appropriately (includes the time you have been generating traffic).
6. Click Go.
7. Click Tools and select Custom View.
Note: While this isn't required to build a chart, it is a nice feature that allows you to save
your filtered searches. Custom View is only available in historical log view.
8. Name your custom view SQL and Code Injections and click OK.
9. In your SQL and Code Injections custom view, select Tools > Chart Builder.
The dataset query is pre-generated for you based on your search filters. The Preview window
indicates what the results will look like in a report.
10. Complete the following to fine tune your results:
Field Value
Name SQL-and-Code-Injections
Columns Enable:
Date/Time
Device ID
Severity
Source IP
Attack Name
Order By Date/Time
Sort By Descending
Field Value
Name SQL-and-Code-Injections-Report
3. Click OK.
The Settings tab for the report appears.
4. In the Time Period drop-down list, select Today.
5. Click the Layout tab and click Insert Chart.
6. Click the Chart drop-down list, and in the text field start typing SQL-and-Code-Injections and
select it when it appears in the list.
7. Click OK.
8. Click Apply.
9. Optionally, try inserting one of the IPS macros:
A. Click to insert your cursor underneath the chart you just added to the layout.
B. Click Insert Macro.
C. Scroll up to the Intrusion Prevention section and select any of the default macros.
D. Type in some text to add context to the macro you added. For example, if you selected the
Total Number of Attacks macro, type Total Number of IPS Attacks.
E. Click Apply.
10. Click the View Report tab, and then click Run Report.
11. View the HTML format.
You successfully created a report based on a chart and dataset created from a filtered search
result.
12. Close the browser.
Stop your log generators by closing the FIT and LINUX PuTTY sessions!