FortiAnalyzer Administration Guide

VERSION 5.2.1
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE

http://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTIGATE COOKBOOK
http://cookbook.fortinet.com

FORTINET TRAINING SERVICES

http://www.fortinet.com/training

FORTIGUARD CENTER
http://www.fortiguard.com

END USER LICENSE AGREEMENT

http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdocs@fortinet.com

December-29-14

FortiAnalyzer 5.2.1 Administration Guide

05-521-232167-20141212
TABLE OF CONTENTS

Change Log 8
Introduction 9
Feature support 9
FortiAnalyzer documentation 10
What’s New in FortiAnalyzer 5.2.1 11
FortiAnalyzer v5.2.1 11
FortiAnalyzer v5.2.0 11
Event Management 11
FortiView 11
Logging 12
Reports 12
Other 12
Key Concepts 13
Administrative domains 13
Operation modes 13
Feature comparison between analyzer and collector mode 14
Analyzer mode 14
Analyzer and collector mode 15
Log storage 17
Workflow 17
Web-based Manager 18
System requirements 18
Web browser support 18
Screen resolution 18
Connecting to the Web-based Manager 19
Web-based Manager overview 20
Web-based Manager configuration 21
Language support 22
Administrative access 23
Restricting access by trusted hosts 24
Idle timeout 24
Reboot and shutdown the FortiAnalyzer unit 25
Administrative Domains 26
Adding an ADOM 27
Assigning devices to an ADOM 29
Assigning administrators to an ADOM 30
ADOM device modes 30
Device Manager 32
Devices 33
Devices and VDOMs 33
Unregistered devices 39
Device reports 39
Log forwarding 40
Disk space allocation 42
Log arrays in FortiAnalyzer v5.2.0 and later 42
System Settings 43
Dashboard 44
Customizing the dashboard 46
System Information widget 47
License Information widget 53
Unit Operation widget 54
System Resources widget 55
Alert Messages Console widget 57
CLI Console widget 58
Log Receive Monitor widget 59
Logs/Data Received widget 60
Statistics widget 61
All ADOMs 62
RAID management 65
Supported RAID levels 67
RAID disk status 70
Hot swapping hard disks 71
Adding new disks 71
Network 72
Network interfaces 73
Static routes 75
Diagnostic tools 77
Admin 77
Monitoring administrator sessions 78
Administrator 79
Profile 82
Remote authentication server 86
 Administrator settings 92
Configure two-factor authentication for administrator login 97
Certificates 104
Local certificates 104
CA certificates 108
Certificate revocation lists 109
Event log 110
Task monitor 112
Advanced 114
SNMP 114
Mail server 125
Syslog server 126
Meta fields 127
Device log settings 129
File management 131
Advanced settings 131
FortiView 134
FortiView 134
Top Sources 134
Top Applications 137
Top Destinations 140
Top Web Sites 142
Top Threats 144
Top Cloud Applications/Users 147
System Events 150
Admin Logins 151
SSL & Dialup IPsec 153
Site-to-Site IPsec 155
Rogue APs 156
Resource usage 161
Log view 162
Viewing log messages 164
Customizing the log view 167
Custom views 171
Searching log messages 172
Download log messages 173
Log arrays 173
Log details 175
Archive 175
Browsing log files 176
 FortiClient logs 179
FortiMail logs 180
FortiManager logs 182
FortiSandbox logs 183
FortiWeb logs 184
Syslog server logs 185
Configuring rolling and uploading of logs 186
Event Management 189
Events 189
Event details 191
Acknowledge events 193
Event handler 193
Manage event handlers 199
Reports 205
Reports 205
FortiGate reports 206
FortiMail reports 208
FortiWeb report 208
FortiCache report 208
Configuration tab 211
Advanced settings tab 213
View report tab 216
Report layouts 218
Inserting images 224
Creating a table 225
Link 226
Anchor 227
Charts 227
Macros 228
Chart library 228
Custom chart wizard 230
Managing charts 233
Macro library 236
Managing macros 238
Report calendar 240
Advanced 241
Dataset 241
Output profile 246
Language 248
Appendix A: Charts, Datasets, & Macros 251
 FortiGate 251
Predefined charts 251
Predefined datasets 262
Predefined macros 273
FortiMail 275
Predefined charts 275
Predefined datasets 277
FortiWeb 279
Predefined charts 279
Predefined datasets 280
FortiCache 281
Predefined charts 281
Predefined datasets 282
Appendix B: Port Numbers 283
Appendix C: Maximum Values Matrix 285
Appendix D: SNMP MIB Support 287
SNMP MIB Files 287
FORTINET-CORE-MIB 287
FORTINET-FORTIMANAGER-FORTIANALYZER-MIB 295
Change Log

Date Change Description

2014-08-25 Initial release.

2014-12-12 Updated for FortiAnalyzer v5.2.1.

8 Administration Guide
Fortinet Technologies Inc.
Introduction

FortiAnalyzer platforms integrate network logging, analysis, and reporting into a single system, delivering increased
knowledge of security events throughout your network. The FortiAnalyzer family minimizes the effort required to
monitor and maintain acceptable use policies, as well as identify attack patterns to help you fine-tune your policies.
Organizations of any size will benefit from centralized security event logging, forensic research, reporting, content
archiving, data mining and malicious file quarantining.

FortiAnalyzer offers enterprise class features to identify threats, while providing the flexibility to evolve along with your
ever-changing network. FortiAnalyzer can generate highly customized reports for your business requirements, while
aggregating logs in a hierarchical, tiered logging topology.

You can deploy FortiAnalyzer physical or virtual appliances to collect, correlate, and analyze geographically and
chronologically diverse security data. Aggregate alerts and log information from Fortinet appliances and third-party
devices in a single location, providing a simplified, consolidated view of your security posture. In addition,
FortiAnalyzer platforms provide detailed data capture for forensic purposes to comply with policies regarding privacy
and disclosure of information security breaches.

Feature support

The following table lists FortiAnalyzer feature support for log devices.

Feature support per platform

Platform Logging FortiView Event Management Reports

FortiGate a a a a

FortiCache a a a

FortiCarrier a a a a

FortiClient a

FortiMail a a a

FortiManager a a

FortiSandbox a a

FortiWeb a a a

Syslog a a

9 Administration Guide
Fortinet Technologies Inc.
FortiAnalyzer documentation Introduction

For more information on supported platforms, see the FortiAnalyzer Release Notes.

FortiAnalyzer documentation

The following FortiAnalyzer product documentation is available:

FortiAnalyzer Administration Guide

This document describes how to set up the FortiAnalyzer system and use it with supported Fortinet units.

FortiAnalyzer device QuickStart Guides

These documents are included with your FortiAnalyzer system package. Use this document to install and begin
working with the FortiAnalyzer system and FortiAnalyzer Web-based Manager.

FortiAnalyzer Online Help

You can get online help from the FortiAnalyzer Web-based Manager. FortiAnalyzer online help contains detailed
procedures for using the FortiAnalyzer Web-based Manager to configure and manage FortiGate units.

FortiAnalyzer CLI Reference

This document describes how to use the FortiAnalyzer Command Line Interface (CLI) and contains references for all
FortiAnalyzer CLI commands.

FortiAnalyzer Release Notes

This document describes new features and enhancements in the FortiAnalyzer system for the release, and lists
resolved and known issues. This document also defines supported platforms and firmware versions.

Administration Guide 10
Fortinet Technologies Inc.
What’s New in FortiAnalyzer 5.2.1

FortiAnalyzer v5.2 includes the following new features and enhancements.

FortiAnalyzer v5.2.1

FortiAnalyzer v5.2.1 includes the following new features and enhancements.

l New WYSIWYG report editor

l Tool for validating custom datasets
l Support reverse order in log viewer
l Multiple improvements for FortiView:
l View for SSL & Dialup IPSec Events
l View for System & Admin Login Events
l View for Rogue APs
l View for Site-to-Site IPsec VPN
l View for Firewall Resource Usage
l Stacked bar for Threat View
l Added a CLI command to erase data on disk
l New Application Risk and Control report

FortiAnalyzer v5.2.0

FortiAnalyzer v5.2.0 includes the following new features and enhancements.

Event Management
l Event Handler for local FortiAnalyzer event logs
l FortiOS v4.0 MR3 logs are now supported.
l Support subject customization of alert email.

FortiView
l New FortiView module

11 Administration Guide
Fortinet Technologies Inc.
 FortiAnalyzer v5.2.0 What’s New in FortiAnalyzer 5.2.1

Logging
l Updated compact log v3 format from FortiGate
l Explicit proxy traffic logging support
l Improved FortiAnalyzer insert rate performance
l Log filter improvements
l FortiSandbox logging support
l Syslog server logging support

Reports
l Improvements to report configuration
l Improvements to the Admin and System Events Report template
l Improvements to the VPN Report template
l Improvements to the Wireless PCI Compliance Report template
l Improvements to the Security Analysis Report template
l New Intrusion Prevention System (IPS) Report template
l New Detailed Application Usage and Risk Report template
l New FortiMail Analysis Report template
l New pre-defined Application and Websites report templates
l Macro library support
l Option to display or upload reports in HTML format
l FortiCache reporting support

Other
l HA cluster auto discover

Always review all sections in the FortiAnalyzer Release Notes prior to upgrading your device.

Administration Guide 12
Fortinet Technologies Inc.
Key Concepts

This chapter defines basic FortiAnalyzer concepts and terms.

If you are new to FortiAnalyzer, this chapter can help you to quickly understand this document and your FortiAnalyzer
platform.

This topic includes:

l Administrative domains
l Operation modes
l Log storage
l Workflow

Administrative domains

Administrative domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer unit administrators’
access privileges to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs
can further restrict access to only data from a specific device’s VDOM.

Enabling ADOMs alters the structure of and the available functions in the Web-based Manager and CLI, according to
whether or not you are logging in as the admin administrator, and, if you are not logging in as the admin
administrator, the administrator account’s assigned access profile. See "System Settings" on page 47 for information
on enabling and disabling ADOMs.

For information on working with ADOMs, See Administrative Domains. For information on configuring administrators
and administrator settings, See Admin.

ADOMs must be enabled to support FortiCarrier, FortiMail, FortiWeb, FortiCache, and FortiSand-
box logging and reporting. See Administrative Domains.

Operation modes

The FortiAnalyzer unit has two operation modes:

l Analyzer: The default mode that supports all FortiAnalyzer features. This mode used for aggregating logs from one
or more log collectors. In this mode, the log aggregation configuration function is disabled.

13 Administration Guide
Fortinet Technologies Inc.
 Operation modes Key Concepts

l Collector: The mode used for saving and uploading logs. For example, instead of writing logs to the database, the
collector can retain the logs in their original (binary) format for uploading. In this mode, the report function and
some functions under the System Settings tab are disabled.

The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a
buffer to the FortiAnalyzer by off-loading the log receiving task from the analyzer. Since log collection from the
connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

The mode of operation that you choose will depend on your network topology and individual requirements. For
information on how to select an operation mode, see Changing the operation mode.

Feature comparison between analyzer and collector mode

The operation mode options have been simplified to two modes, Analyzer and Collector. Standalone mode has been
removed.

Feature comparison between Analyzer and Collector modes

Analyzer Mode Collector Mode

Event Management Yes No

Monitoring Yes No

Reporting Yes No

FortiView/Log View Yes Yes

Device Manager Yes Yes

System Settings Yes Yes

Log Forwarding Yes Yes

Analyzer mode

The analyzer mode is the default mode that supports all FortiAnalyzer features. If your network log volume does not
compromise the performance of your FortiAnalyzer unit, you can choose this mode.

Topology of the FortiAnalyzer unit in analyzer mode illustrates the network topology of the FortiAnalyzer unit in
analyzer mode.

Topology of the FortiAnalyzer unit in analyzer mode

Administration Guide 14
Fortinet Technologies Inc.
 Key Concepts Operation modes

Analyzer and collector mode

The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a
buffer to the analyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected
devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

In most cases, the volume of logs fluctuates dramatically during a day or week. You can deploy a collector to receive
and store logs during the high traffic periods and transfer them to the analyzer during the low traffic periods. As a
result, the performance of the analyzer is guaranteed as it will only deal with log insertion and reporting when the log
transfer process is over.

As illustrated in Topology of the FortiAnalyzer units in analyzer/collector mode: company A has two remote branch
networks protected by multiple FortiGate units. The networks generate large volumes of logs which fluctuate
significantly during a day. It used to have a FortiAnalyzer 4000B in analyzer mode to collect logs from the FortiGate
units and generate reports. To further boost the performance of the FortiAnalyzer 4000B, the company deploys a
FortiAnalyzer 400C in collector mode in each branch to receive logs from the FortiGate units during the high traffic
period and transfer bulk logs to the FortiAnalyzer 4000B during the low traffic period.

Topology of the FortiAnalyzer units in analyzer/collector mode

15 Administration Guide
Fortinet Technologies Inc.
Operation modes Key Concepts

To set up the analyzer/collector configuration:

1. On the FortiAnalyzer unit, go to System Settings > Dashboard.

2. In the System Information widget, in the Operation Mode field, select Change.
3. Select Analyzer in the Change Operation Mode dialog box.
4. Select OK.
5. On the first collector unit, go to System Settings > Dashboard.
6. In the System Information widget, in the Operation Mode field, select Change.
7. Select Collector the Change Operation Mode dialog box.
8. Select OK.

For more information on configuring log forwarding, Log forwarding.

Administration Guide 16
Fortinet Technologies Inc.
Key Concepts Log storage

Log storage

The FortiAnalyzer unit supports Structured Query Language (SQL) logging and reporting. The log data is inserted into
the SQL database for generating reports. Both local and remote SQL database options are supported.

For more information, Reports.

Workflow

Once you have successfully deployed the FortiAnalyzer platform in your network, using and maintaining your
FortiAnalyzer unit involves the following:

l Configuration of optional features, and re-configuration of required features if required by changes to your network
l Backups
l Updates
l Monitoring reports, logs, and alerts

17 Administration Guide
Fortinet Technologies Inc.
Web-based Manager

This section describes general information about using the Web-based Manager to access the FortiAnalyzer system
with a web browser.

This section includes the following topics:

l System requirements
l Connecting to the Web-based Manager
l Web-based Manager overview
l Web-based Manager configuration
l Reboot and shutdown the FortiAnalyzer unit

Additional configuration options and short-cuts are sometimes available through right-click
menus. Right-clicking the mouse in various locations in the Web-based Manager accesses these
options.

System requirements

Web browser support

The FortiAnalyzer Web-based Manager supports the following web browsers:

l Microsoft Internet Explorer versions 10 and 11

l Mozilla Firefox version 33
l Google Chrome version 38

Other web browsers may function correctly, but are not supported by Fortinet.

Screen resolution

Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all the objects in the
Web-based Manager to be properly viewed.

18 Administration Guide
Fortinet Technologies Inc.
Connecting to the Web-based Manager Web-based Manager

Please refer to the FortiAnalyzer Release Notes for product integration and support information.

Connecting to the Web-based Manager

The FortiAnalyzer unit can be configured and managed using the Web-based Manager or the CLI. This section will
step you through connecting to the unit via the Web-based Manager.

For more information on connecting your specific FortiAnalyzer unit, read that device’s Quick Start guide.

To connect to the Web-based Manager:

1. Connect the unit to a management computer using an Ethernet cable.

2. Configure the management computer to be on the same subnet as the internal interface of the FortiAnalyzer
unit:

l IP address: 192.168.1.2
l Netmask: 255.255.255.0
3. On the management computer, start a supported web browser and browse to https://192.168.1.99.
4. Type admin in the User Name field, leave the Password field blank, and select Login.

You should now be able to use the FortiAnalyzer Web-based Manager.

If the network interfaces have been configured differently during installation, the URL and/or per-
mitted administrative access protocols (such as HTTPS) may no longer be in their default state.

For information on enabling administrative access protocols and configuring IP addresses, see To edit a network
interface:.

If the URL is correct and you still cannot access the Web-based Manager, you may also need to
configure static routes. For details, see Static routes.

Administration Guide 19
Fortinet Technologies Inc.
Web-based Manager Web-based Manager overview

Web-based Manager overview

The FortiAnalyzer Web-based Manager consists of four primary parts: the tab bar, the main menu bar, the tree menu,
and the content pane. The content pane includes a toolbar and, in some tabs, is horizontally split into two sections.
The main menu bar is only visible in certain tabs when ADOMs are disabled (see System Information widget).

You can use the Web-based Manager menus, lists, and configuration pages to configure most FortiAnalyzer settings.
Configuration changes made using the Web-based Manager take effect immediately without resetting the
FortiAnalyzer system or interrupting service.

The Web-based Manager also includes online help, accessed by selecting the help icon in the right side of the tab bar.

Tab bar
The Web-based Manager tab bar contains the device model, the available tabs, the Help button and the Log Out
button.

The tab bar

Device Manager Manage groups, devices, and VDOMs, and view real-time monitor data. See Device
Manager.

FortiView The following summary views are available: Top Sources, Top Applications, Top Destin-
ations, Top Websites, Top Threats, Top Cloud Applications, Top Cloud Users, System
Events, Admin Logins, SSL & Dialup IPsec, Site-Site IPsec, Rogue APs, and Resource
Usage.
This tab was implemented to match the FortiView implementation in FortiGate.The
Log View tab is found in the FortiView tab. View logs for managed devices. You can dis-
play, download, import, and delete logs on this page. You can also define Custom
Views.See FortiView.

Event Management Configure and view events for managed log devices.See Event Management. This tab
is not available when the unit is in Collector mode. See Operation modes for more
information.

20 Administration Guide
Fortinet Technologies Inc.
Web-based Manager configuration Web-based Manager

Reports Configure report templates, schedules, and output profiles, and manage charts
and datasets.

See Reports.

This tab is not available when the unit is in Collector mode. See Operation modes
for more information.

System Settings Configure system settings such as network interfaces, administrators, system
time, server settings, and others. You can also perform maintenance and firmware
operations.

See System Settings.

Change Password Select to change the password. Restricted_User and Standard_User admin profiles do
not have access to the System Settings tab. An administrator with either of these
admin profiles will see the change password icon in the navigation pane.

Help Open the FortiAnalyzer online help.

Log Out Log out of the Web-based Manager.

Tree menu
The Web-based Manager tree menu is on the left side of the window. The content in the menu varies depending on
which tab is selected and how your FortiAnalyzer unit is configured.

Some elements in the tree menu can be right-clicked to access different configuration options.

Content pane
The content pane is on the right side of the window. The information changes depending on which tab is being viewed
and what element is selected in the tree menu. The content pane of the Log View and Reports tabs are split
horizontally into two frames.

Web-based Manager configuration

Global settings for the Web-based Manager apply regardless of which administrator account you use to log in. Global
settings include the idle timeout, TCP port number on which the Web-based Manager listens for connection attempts,
the network interface(s) on which it listens, and the language of its display.

This section includes the following topics:

l Language support
l Administrative access
l Restricting access by trusted hosts
l Idle timeout

Administration Guide 21
Fortinet Technologies Inc.
 Web-based Manager Web-based Manager configuration

Language support

The Web-based Manager supports multiple languages; the default language setting is Auto Detect. Auto Detect uses
the language configured on your management computer. If that language is not supported, the Web-based Manager
will default to English.

You can change the Web-based Manager language to English, Simplified Chinese, Traditional Chinese, Japanese, or
Korean. For best results, you should select the language that the management computer operating system uses.

To change the Web-based Manager language:

1. Go to System Settings > Admin > Admin Settings.

Administration settings

2. In the Language field, select a language from the drop-down list, or select Auto Detect to use the same language
as configured for your management computer.
3. Select Apply.

The following table lists FortiAnalyzer language support information.

Language support

Language Web-based Manager Reports Documentation

English a a a

Chinese (Simplified) a a

Chinese (Traditional) a a

French a

Hebrew a

Hungarian a

22 Administration Guide
Fortinet Technologies Inc.
 Web-based Manager configuration Web-based Manager

Language Web-based Manager Reports Documentation

Japanese a a

Korean a a

Portuguese a

Russian a

Spanish a

To change the FortiAnalyzer language setting, go to System Settings > Admin > Admin Settings, in Administrative
Settings > Language select the desired language on the drop-down menu. The default value is Auto Detect.
Russian, Hebrew, and Hungarian are not included in the default report languages. You can import language
translation files for these languages via the command line interface using one of the following commands:
execute sql-report import-lang <language name> <ftp> <server IP
address> <user name> <password> <file name>
execute sql-report import-lang <language name> <sftp <server IP
address> <user name> <password> <file name>
execute sql-report import-lang <language name> <scp> <server IP
address> <user name> <password> <file name>
execute sql-report import-lang <language name> <tftp> <server IP
address> <file name>

For more information, see the FortiAnalyzer CLI Reference available from the Fortinet Document Library.

Administrative access

Administrative access enables an administrator to connect to the system to view and change configuration settings.
The default configuration of your system allows administrative access to one or more of the interfaces of the unit as
described in the QuickStart and installation guides for your device.

Administrative access can be configured in IPv4 or IPv6 and includes settings for: HTTPS, HTTP, PING, SSH (Secure
Shell), TELNET, SNMP, Web Service, and Aggregator.

To change administrative access:

1. Go to System Settings > Network. By default, port1 settings will be presented. To configure administrative
access for a different interface, select All Interfaces, and then select the interface from the list.
2. Set the IPv4 IP/Netmask or the IPv6 Address, select one or more Administrative Access types for the interface,
and set the default gateway and Domain Name System (DNS) servers.

Network management interface

Administration Guide 23
Fortinet Technologies Inc.
 Web-based Manager Web-based Manager configuration

3. Select Apply to finish changing the access settings.

For more information, see Network.

Restricting access by trusted hosts

To prevent unauthorized access to the Web-based Manager you can configure administrator accounts with trusted
hosts. With trusted hosts configured, the admin user can only log in to the Web-based Manager when working on a
computer with the trusted host as defined in the admin account.

For more information, see Administrator.

Idle timeout

By default, the Web-based Manager disconnects administrative sessions if no activity takes place for fifteen minutes.
This idle timeout is recommended to prevent someone from using the Web-based Manager from a PC that is logged in
and then left unattended.

To change the Web-based Manager idle timeout:

1. Go to System Settings > Admin > Admin Settings.

2. Change the Idle Timeout minutes as required.
3. Select Apply to save the setting.

For more information, see Administrator settings.

24 Administration Guide
Fortinet Technologies Inc.
Reboot and shutdown the FortiAnalyzer unit Web-based Manager

Reboot and shutdown the FortiAnalyzer unit

Always reboot and shutdown the FortiAnalyzer system using the unit operation options in the Web-based Manager or
the CLI to avoid potential configuration problems.

Unit operation actions in the Web-based Manager

To reboot the FortiAnalyzer unit:

1. In the Web-based Manager, go to System Settings > Dashboard.

2. In the Unit Operation widget, select Reboot or, in the CLI Console widget, enter:
execute reboot
The system will be rebooted.
Do you want to continue? (y/n)

3. Select y to continue. The FortiAnalyzer system will be rebooted.

To shutdown the FortiAnalyzer unit:

1. In the Web-based Manager, go to System Settings > Dashboard.

2. In the Unit Operation widget, select Shutdown or, in the CLI Console widget, enter:
execute shutdown
The system will be halted.
Do you want to continue? (y/n)
3. Select y to continue. The FortiAnalyzer system will be shut down.

To reset the FortiAnalyzer unit:

1. In the CLI Console widget, enter:

execute reset all-settings
This operation will reset all settings to factory defaults
Do you want to continue? (y/n)
2. Select y to continue. The device will reset to factory default settings and reboot.

To reset logs and re-transfer all logs into the database:

1. In the CLI Console widget, enter:

execute reset-sqllog-transfer
WARNING: This operation will re-transfer all logs into database.
Do you want to continue? (y/n)
2. Select y to continue.

Administration Guide 25
Fortinet Technologies Inc.
Administrative Domains

When ADOMs are enabled, you must select the ADOM from the drop-down list in the toolbar. The Device Manager,
FortiView, Event Management, and Reports tab are displayed per ADOM. The devices within each ADOM are shown
in the default All FortiGate group. When ADOMs are disabled, the tree menu simply displays All FortiGates and
Unregistered Devices, if there are any. Non-FortiGate devices are grouped into their own specific ADOMs.
ADOMs are not enabled by default, and enabling and configuring the domains can only be performed by the admin
administrator. The maximum number of ADOMs you can add depends on the specific FortiAnalyzer system model.
Please refer to the FortiAnalyzer data sheet for information on the maximum number of devices and ADOMs that your
model supports.

The number of devices within each group is shown in parentheses next to the group name.

ADOMs must be enabled to support non-FortiGate logging and reporting. When a non-
FortiGate device is promoted to the DVM table, the device is added to their respective default
ADOM and will be visible in the left tree menu. See Adding an ADOM below.

FortiGate and FortiCarrier devices cannot be grouped into the same ADOM. FortiCarrier
devices are added to a specific default FortiCarrier ADOM.

To enable the ADOM feature:

1. Log in as admin.
2. Go to System Settings > Dashboard.
3. In the System Information widget, select Enable next to Administrative Domain.
4. Select OK in the confirmation dialog box to enable ADOMs.

To disable the ADOM feature:

1. Remove all log devices from all non-root ADOMs.

2. Delete all non-root ADOMs, by right-clicking on the ADOM in the tree menu in the Device Manager tab and
selecting Delete from the pop-up menu.
3. Go to System Settings > Dashboard.
4. In the system information widget, select Disable next to Administrative Domain.
5. Select OK in the confirmation dialog box to disable ADOMs.

26 Administration Guide
Fortinet Technologies Inc.
Adding an ADOM Administrative Domains

Adding an ADOM
You can create both FortiGate and FortiCarrier ADOMs for versions 5.2, 5.0, and 4.3. FortiAnalyzer has default
ADOMs for all non-FortiGate devices. When one of these devices is promoted to the DVM table, the device is
added to their respective default ADOM and will be visible in the tree menu.

To add an ADOM:

1. Go to System Settings > All ADOMs and select Create New in the toolbar. Alternatively, in the Device
Manager tab, from the ADOM drop-down list, select Manage ADOMs. In the Manage ADOMs window that
opens, select Create New. The Create ADOM dialog box opens.

Create an ADOM

2. Enter the following information:

Name Enter an unique name that will allow you to distinguish this ADOM from your other ADOMs.

Device Type Select the device type from the drop-down list. Select one of the following options:
FortiGate, FortiCarrier, FortiAnalyzer, FortiMail, FortiSandbox, FortiWeb, FortiCache,
FortiManager, or Syslog.

Version Select the firmware version of the devices that will be in the ADOM. The available options
is dependent on the device type selected.

Search Enter a search term to find a specific device (optional).

Administration Guide 27
Fortinet Technologies Inc.
Administrative Domains Adding an ADOM

Devices Transfer devices, VDOMs, and groups from the available member list on the left to the
Groups selected member list on the right to assign those devices to the ADOM.

3. Select OK to create the ADOM.

To edit an ADOM:

1. Go to System Settings > All ADOMs, right-click on the ADOM you need to edit, and select Edit in the right-
click menu. Alternatively, in the Device Manager tab, from the ADOM drop-down list, select Manage
ADOMs. In the Manage ADOMs window that opens, right-click on the ADOM you need to edit, and select
Edit in the right-click menu. The Edit ADOM dialog box opens.
Edit an ADOM

Edit the following information as required:

Name Edit the ADOM name.

Device Type This field cannot be edited.

Version This field cannot be edited.

Search Enter a search term to find a specific device (optional).

28 Administration Guide
Fortinet Technologies Inc.
Assigning devices to an ADOM Administrative Domains

Devices Transfer devices VDOMs, and groups from the available member list on the left to the
Groups selected member list on the right to assign those devices to the ADOM.

Status Enable or disable the ADOM.

2. Select OK to finish editing the ADOM.

To delete an ADOM:

1. Go to System Settings > All ADOMs, right-click on the ADOM you need to delete, and select Delete in the
right-click menu.Alternatively, in the Device Manager tab, from the ADOM drop-down list, select Manage
ADOMs. In the Manage ADOMs window that opens, right-click on the ADOM you need to delete, and select
Delete in the right-click menu.

The root ADOM and ADOMs which contains user(s) or device(s) cannot be deleted.

2. Select OK in the confirmation dialog box to delete the ADOM.

Assigning devices to an ADOM

The admin administrator selects the devices to be included in an ADOM. You cannot assign the same device to
two different ADOMs.

To assign devices to an ADOM:

1. Open the Edit ADOM dialog box (see To edit an ADOM:).

2. From the Available member list, select which devices you want to associate with the ADOM and select the
right arrow to move them to the Selected member list. If the administrative device mode is Advanced, you
can add separate FortiGate VDOMs to the ADOM as well as FortiGate units.
3. When done, select OK. The selected devices appear in the device list for that ADOM.

You can move multiple devices at once. To select multiple devices, select the first device,
then hold the Shift key while selecting the last device in a continuous range, or hold the
control key while selecting each additional device.

Administration Guide 29
Fortinet Technologies Inc.
Administrative Domains Assigning administrators to an ADOM

Assigning administrators to an ADOM

The admin administrator can create other administrators and assign an ADOM to their account, constraining
them to configurations and data that apply only to devices in their ADOM.

By default, when ADOMs are enabled, existing administrator accounts other than admin are
assigned to the root domain, which contains all devices in the device list. For more
information about creating other ADOMs, see Adding an ADOM.

To assign an administrator to an ADOM:

1. Log in as admin. Other administrators cannot configure administrator accounts when ADOMs are enabled.
2. Go to System Settings > Admin > Administrator.
3. Configure the administrator account, and select the Admin Domains that the administrator account will be
able to use to access the FortiManager system.

Do not select Edit for the admin account. The admin administrator account cannot be
restricted to an ADOM.

4. Select OK to save the setting.

See Administrator for more information.

ADOM device modes

An ADOM has two device modes: normal and advanced. In normal mode, you cannot assign different FortiGate
VDOMs to multiple FortiManager ADOMs. The FortiGate unit can only be added to a single ADOM.

In advanced mode, you can assign different VDOMs from the same FortiGate unit to multiple ADOMs.

Advanced ADOM mode will allow users to assign VDOMs from a single device to different
ADOMs, but will result in a reduced operation mode and more complicated management
scenarios. It is recommended for advanced users only.

To change the ADOM mode, go to System Settings > Advanced > Advanced Settings and change the selection
in the ADOM Mode field.

Alternatively, use the following command in the CLI:

config system global

30 Administration Guide
Fortinet Technologies Inc.
ADOM device modes Administrative Domains

set adom-mode {normal | advanced}

end

Normal mode is the default setting. To change from advanced back to normal, you must ensure no FortiGate
VDOMs are assigned to an ADOM.

Administration Guide 31
Fortinet Technologies Inc.
Device Manager

The Device Manager tab allows you to add and edit devices and VDOMs, and view completed reports for devices and
VDOMs.

See Device manager tab.

Device manager tab

The tree menu shows the devices and VDOMs within the selected ADOM. If ADOMs are disabled, the tree menu
simply shows the devices. When ADOMs are enabled, the ADOM is selected using the drop-down list in the toolbar.

The device and VDOM list can be searched using the search box in the content pane toolbar. The columns shown in
the list can be customized, and the list can be sorted by selecting a column header.

To change the column settings:

1. Right-click on a column heading in the content pane. Columns currently included in the content pane table have a
green check mark next them.

Column right-click menu

32 Administration Guide
Fortinet Technologies Inc.
Devices Device Manager

2. Select a column from the list to add or remove that column from the table.
3. Select Reset to Default to reset the table to its default state

Devices

Devices are organized by device type. VDOMs and model devices can be created and deleted.

Devices and VDOMs

Device models can be added and deleted, devices can be edited, and VDOMs can be deleted. The Add Device wizard
is used to add model devices.

To add a model device:

1. Right-click on a group in the tree menu or in the content pane and, from the right-click menu, select Add Device,
or, if ADOMs are not enabled, select Add Device from the toolbar. The Add Device wizard opens.

Add device wizard login screen

Administration Guide 33
Fortinet Technologies Inc.
Device Manager Devices

2. Enter the device IP address, user name, and password in the requisite fields.
3. Select Next to continue to the next page of the wizard: Add Device.

Add device wizard add device screen

4. Enter the following information:

34 Administration Guide
Fortinet Technologies Inc.
Devices Device Manager

Name Enter a name for the device.

Description Enter a description for the device (optional).

Device Type Select the device type from the drop-down list. Select FortiGate for FortiGate ADOMs,
FortiSwitch for FortiSwitch ADOMs, etc.

Device Model Select the device model from the drop-down list.

Firmware Version Select the firmware version from the drop-down list.

HA Cluster Select if the device is part of a high availability cluster.

Serial Number Enter the device serial number. This value must match the device model selected.
When HA Cluster is enabled, you can enter the serial numbers of all members of the
cluster.

Disk Log Quota (min. Enter the disk log quota in MB.
100MB) This option is only available for certain device types.

When Allocated Disk Select to overwrite the oldest logs or to stop logging when the allocated disk space is full.
Space is Full

Device Permissions Select the device permissions from: Logs, DLP Archive, Quarantine, and IPS Packet Log.

Other Device Information Enter other device information (optional), including: Company/Organization, Contact,
City, Province/State, and Country.

5. Select Next to proceed to the next add device page.

Add device wizard add device screen two

Administration Guide 35
Fortinet Technologies Inc.
Device Manager Devices

6. After the device has been created successfully, select Next to proceed to the summary page.

Add device wizard summary screen

7. Select Finish to add the device model.

36 Administration Guide
Fortinet Technologies Inc.
Devices Device Manager

To edit a device:

1. In the Device Manager tab, in the tree menu, select the group that contains the device you need to edit.
2. In the content pane, right-click on the on the device and select Edit from the right-click menu. The Edit Device
dialog box opens.

Edit a device

3. Edit the following information as needed:

Name The name of the device.

Description Descriptive information about the device.

Company/Organization Company or organization information.

Country Enter the country.

Administration Guide 37
Fortinet Technologies Inc.
Device Manager Devices

Province/State Enter the province or state.

City Enter the city.

Contact Enter the contact name.

IP Address The IP address of the device.

Admin User The administrator username.

Password The administrator password.

Device Information Information about the device, including serial number, device model,
firmware version, connected interface.

HA Cluster Select if the device is part of a high availability cluster.

Serial No. When HA Cluster is enabled, you can enter the serial numbers of all
members of the cluster.

Disk Log Quota (min. 100MB) The amount of space that the disk log is allowed to use, in MB.

When Allocated Disk Space is Full The action for the system to take when the disk log quota is filled, either
Overwrite Oldest Logs, or Stop Logging.

Secure Connection Select check box to enable this feature. Secure Connection secures
Odette File Transfer Protocol (OFTP) traffic through an IPsec tunnel.

ID The device serial number.

Pre-Shared Key The pre-shared key for the IPsec connection between the FortiGate and
FortiAnalyzer.

Device Permissions The device’s permissions. Select any of: Logs, DLP Archive, Quar-
antine, and IPS Packet Log.

4. Select OK to finish editing the device.

To delete a device or VDOM:

1. In the Device Manager tab, in the tree menu, select the group that contains the device or VDOM you need to
delete.
2. In the content pane, right-click on the on the device or VDOM and select Delete in the right-click menu.
3. Select OK in the confirmation window to delete the device or VDOM.

38 Administration Guide
Fortinet Technologies Inc.
 Device reports Device Manager

Unregistered devices

In FortiAnalyzer v5.2.0 and later, the config system global set unregister-pop-up command is
disabled by default. When a device is configured to send logs to FortiAnalyzer, the unregistered device table will not be
displayed. Instead, a new entry named Unregistered Devices will appear in the Device Manager tab tree menu. You
can then add devices to specific ADOMs or delete devices using the toolbar buttons or right-click menu.

Unregistered devices

Device reports

You can view, download, and delete device reports in the Device Manager content pane. Selecting a device or VDOM
in the tree menu will display all reports associated with that device or VDOM in the content pane. For more
information, see "Reports" on page 216.

To view latest reports from the Device Manager tab:

1. In the Device Manager tab select the ADOM that contains the device whose reports you would like to view from
the drop-down list.
2. Select the device or VDOM from the tree menu.
3. The report history is shown in the content pane, showing a list of all the reports that have been run for that device
or VDOM.

Report history

Administration Guide 39
Fortinet Technologies Inc.
 Device Manager Log forwarding

In the Format column, select HTML to display the report in a browser window, or select PDF to download the report as
a PDF file to your management computer.

Log forwarding

You can configure log forwarding in the Device Manager tab. You can configure to forward logs for selected devices to
another FortiAnalyzer, a syslog server, or a Common Event Format (CEF) server.

To enable log forwarding:

1. Go to System Settings > Dashboard.
2. In the CLI Console widget enter the following CLI commands:
config system admin setting
set show-log-forwarding enable
end

To configure log forwarding:

1. Go to the Device Manager tab and select Log Forwarding.
2. Select Create New from the toolbar. The Add log forwarding page is displayed.

Add log forwarding dialog box

40 Administration Guide
Fortinet Technologies Inc.
Log forwarding Device Manager

3. Configure the following settings:

Server Name Enter a name to identify the remote server.

Remote Server Type Select the remote server type. Select one of the following: FortiAnalyzer, Sys-
log, Common Event Format (CEF).

Server IP Enter the server IP address.

Select Devices Select the add icon to select devices. Select devices and select OK to add the
devices.

Enable Log Aggregation Select to enable log aggregation. This option is only available when Remote
Server Type is set to FortiAnalyzer.

Password Enter the server password.

Confirm Password Re-enter the server password.

Upload Daily at Select a time from the drop-down list.

Enable Real-time Forwarding Select to enable real-time log forwarding.

Level Select the logging level from the drop-down list. Select one of the following:
Emergency, Alert, Critical, Error, Warning, Notification, Information, or
Debug.

Server Port Enter the server port. When Remote Server Type is FortiAnalyzer, the port
cannot be changed. The default port is 514.

4. Select OK to save the setting.

Administration Guide 41
Fortinet Technologies Inc.
 Device Manager Disk space allocation

Disk space allocation

In FortiAnalyzer, the system reserves 5% to 25% disk space for system usage and unexpected quota overflow. Only
75% to 95% disk space is available for allocation to devices.

The following table lists the

Disk Size Reserved Disk Quota

Small Disk(less than The system reserves either 20% or 50GB of disk space, which ever is smaller.
500GB)

Medium Disk(less than The system reserves either 15% or 100GB of disk space, which ever is smaller.
1000GB)

Large Disk(less than The system reserves either 10% or 200GB of disk space, which ever is smaller.
3000GB)

Very Large Disk(less than The system reserves either 5% or 500GB of disk space, which ever is smaller.
5000GB)

Note: The RAID level selected will impact the determination of the disk dize and reserved disk quota level. For example,
a FAZ-1000C with four 1TB hard drives configured in RAID 10 will be considered a large disk and 10% or 200GB disk
space will be reserved.

Log arrays in FortiAnalyzer v5.2.0 and later

The concept of log array changed between FortiAnalyzer v5.0.6 and FortiAnalyzer v5.2.0.

In FortiAnalyzer v5.0.6 and earlier, log arrays can be treated as a single device which has its own SQL database. The
size of its database is enforced by the log array quota.

In FortiAnalyzer v5.2.0 and later, log array is only a grouping concept which is used to display logs or generate reports
for a group of devices. It has no SQL database and does not occupy additional disk space.

42 Administration Guide
Fortinet Technologies Inc.
System Settings

The System Settings tab enables you to manage and configure system options for the FortiAnalyzer unit. This
includes the basic network settings to connect the device to the corporate network, the configuration of administrators
and their access privileges, and managing and updating firmware for the device.

Additional configuration options and short-cuts are available using the right-click menu. Right-click
the mouse on different navigation panes on the Web-based Manager page to access these
options.

The System Settings tab provides access to the following menus and sub-menus:

Dashboard Select this menu to configure, monitor, and troubleshoot your FortiAna-
lyzer device. Dashboard widgets include: System Information, License
Information, Unit Operation, System Resources, Alert Message Console,
CLI Console, Log Receive Monitor, Logs/Data Received, and Statistics.

All ADOMs Select this menu to create new ADOMs and monitor all existing ADOMs.

RAID management Select this menu to configure and monitor your Redundant Array of
Independent Disks (RAID) setup. This page displays information about
the status of RAID disks as well as what RAID level has been selected. It
also displays how much disk space is currently consumed.

Network Select this menu to configure your FortiAnalyzer interfaces. You can also
view the IPv4/IPv6 Routing Table and access Diagnostic Tools.

Admin Select this menu to configure administrator user accounts, as well as con-
figure global administrative settings for the FortiAnalyzer unit.
l Administrator
l Profile
l Remote authentication server
l Administrator settings

Certificates Select this menu to configure the following:

l Local certificates
l CA certificates
l Certificate revocation lists

43 Administration Guide
Fortinet Technologies Inc.
Dashboard System Settings

Event log Select this menu to view FortiAnalyzer event log messages. On this page
you can:
l Download the logs in .log or .csv formats
l View raw logs or logs in a formatted table
l Browse the event log, FDS upload log, and FDS download log

Task monitor Select this menu to monitor FortiAnalyzer tasks.

Advanced Select to configure advanced settings.

l SNMP
l Mail server
l Syslog server
l Meta fields
l Device log settings
l File management
l Advanced settings

Dashboard

When you select the System Settings tab, it automatically opens at the System Settings > Dashboard page; see
Dashboard.

The Dashboard page displays widgets that provide performance and status information and enable you to configure
basic system settings. The dashboard also contains a CLI widget that enables you to use the command line through
the Web-based Manager. These widgets appear on a single dashboard.

FortiAnalyzer system settings dashboard

Administration Guide 44
Fortinet Technologies Inc.
System Settings Dashboard

The following widgets are available:

System Information Displays and allow editing of some basic information about the FortiAna-
lyzer system, including host name, serial number, platform type, system
time, firmware version, system configuration, current administrators, up
time, administrative domains, and operation mode.
From this widget you can manually update the FortiAnalyzer firmware to
a different release. For more information, see System Information wid-
get.

License Information Displays the devices being managed by the FortiAnalyzer unit, the max-
imum numbers of devices allowed, the maximum number of ADOMs
allowed, GB/Day of logs allowed, and GB/Day of logs used. FortiAna-
lyzer VM also includes device quota allowed, device quota used, and
management IP address fields. For more information, see License
Information widget.

Unit Operation Displays status and connection information for the ports of the FortiAna-
lyzer unit. It also enables you to shutdown and reboot the FortiAnalyzer
unit. For more information, see Unit Operation widget.

System Resources Displays the real-time and historical usage status of the CPU, memory
and hard disk. For more information, see System Resources widget.

45 Administration Guide
Fortinet Technologies Inc.
 Dashboard System Settings

Alert Message Console Displays log-based alert messages for both the FortiAnalyzer unit itself
and connected devices. For more information, see Alert Messages Con-
sole widget.

CLI Console Opens a terminal window that enables you to configure the FortiAna-
lyzer unit using CLI commands directly from the Web-based Manager.
For more information, see CLI Console widget.

Log Receive Monitor Displays a real-time graph of logs received. You can select to view data
per device or per log type. For more information, see Log Receive Mon-
itor widget.

Logs/Data Received Displays the real-time or historical usage status of logs received and
data received. For more information, see Logs/Data Received widget.

Statistics Displays statistics for logs and reports since last reset. For more inform-
ation, see Statistics widget.

Customizing the dashboard

The FortiAnalyzer system settings dashboard is customizable. You can select which widgets to display, where they are
located on the page, and whether they are minimized or maximized.

To move a widget
Position your mouse cursor on the widget’s title bar, then click and drag the widget to its new location.

To add a widget
In the dashboard toolbar, select Add Widget, then select the names of widgets that you want to show. To remove a
widget, select the Close icon in the widget title bar.

Add a widget

To reset the dashboard

In the dashboard toolbar, select Dashboard > Reset Dashboards, and select OK in the confirmation dialog box. The
dashboards will be reset to the default view, which includes everything except the CLI Console widget.

Administration Guide 46
Fortinet Technologies Inc.
 System Settings Dashboard

To see the available options for a widget

Position your mouse cursor over the widget’s title bar. Options vary slightly from widget to widget, but always include
options to close or show/hide the widget.

The following table lists the widget options.

Show/Hide arrow Display or minimize the widget.

Widget Title The name of the widget.

More Alerts Show the Alert Messages dialog box.

This option appears only in the Alert Message Console widget.

Edit Select to change settings for the widget.

This option appears only in certain widgets.

Detach Detach the CLI Console widget from the dashboard and open it in a sep-
arate window.
This option appears only in the CLI Console widget.

Reset Select to reset the information shown in the widget.

This option appears only in the Statistics widget.

Refresh Select to update the displayed information.

Close Select to remove the widget from the dashboard. You will be prompted to
confirm the action.

System Information widget

The System Information widget, shown below, displays the current status of the FortiAnalyzer unit and enables you to
configure basic system settings.

System information widget

The following information is available on this widget:

47 Administration Guide
Fortinet Technologies Inc.
Dashboard System Settings

Host Name The identifying name assigned to this FortiAnalyzer unit. For more
information, see Changing the host name.

Serial Number The serial number of the FortiAnalyzer unit. The serial number is
unique to the FortiAnalyzer unit and does not change with firmware
upgrades. The serial number is used for identification when con-
necting to the FortiGuard server.

Platform Type This field is displayed for FortiAnalyzer VM and shows the VM platform
type on which the FortiAnalyzer is installed.

System Time The current date, time, and time zone on the FortiAnalyzer internal
clock or NTP server. For more information, see Setting the date and
time.

Firmware Version The version number and build number of the firmware installed on the
FortiAnalyzer unit. To update the firmware, you must download the
latest version from the Customer Service & Support portal at
https://support.fortinet.com. Select Update and select the firmware
image to load from your management computer. For more inform-
ation, see the FortiAnalyzer Release Notes in the Fortinet Document
Library.

System Configuration The date of the last system configuration backup. The following
actions are available:
Select Backup to backup the system configuration to a file; see "Sys-
tem Settings" on page 51.
Select Restore to restore the configuration from a backup file; see
"System Settings" on page 52.

Current Administrators The number of administrators that are currently logged in. The fol-
lowing actions are available:
Select Change Password to change your own password.
Select Details to view the session details for all currently logged in
administrators. See "System Settings" on page 78 for more inform-
ation.

Up Time The duration of time the FortiAnalyzer unit has been running since it
was last started or restarted.

Administrative Domain Displays whether ADOMs are enabled, and allows for enabling and dis-
abling ADOMs. See "Administrative Domains" on page 26 for more
information.

Administration Guide 48
Fortinet Technologies Inc.
System Settings Dashboard

Operation Mode Display and change the current operating mode. Note that not all mod-
els support all operation modes. See "System Settings" on page 53.

Changing the host name

The host name of the FortiAnalyzer unit is used in several places.

l It appears in the System Information widget on the Dashboard. For more information about the System
Information widget, see System Information widget.

l It is used in the command prompt of the CLI.

l It is used as the SNMP system name. .

The System Information widget and the get system status CLI command will display the full host name.
However, if the host name is longer than 16 characters, the CLI and other places display the host name in a truncated
form ending with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed.

For example, if the host name is Fortinet1234567890, the CLI prompt would be Fortinet123456~#.

To change the host name:

1. Go to System Settings > Dashboard.

2. In the System Information widget, in the Host Name field, select Change. The Change Host Name dialog box
appears.

Change host name dialog box

3. In the Host Name field, type a new host name. The host name may be up to 35 characters in length. It may
include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.
4. Select OK to save the setting.

Setting the date and time

You can either manually set the FortiAnalyzer system time and date, or configure the FortiAnalyzer unit to
automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.

For many features to work, including scheduling, logging, and SSL-dependent features, the
FortiAnalyzer system time must be accurate.

49 Administration Guide
Fortinet Technologies Inc.
Dashboard System Settings

To configure the date and time:

1. Go to System Settings > Dashboard.

2. In the System Information widget, in the System Time field, select Change. The Change System Time Settings
dialog box appears.

Change system time settings dialog box

3. Configure the following settings to either manually set the system time, or to automatically synchronize the
FortiAnalyzer unit’s clock with an NTP server:

System Time The date and time according to the FortiAnalyzer unit’s clock at
the time that this tab was loaded, or when you last selected the
Refresh button for the System Information widget.

Time Zone Select the time zone in which the FortiAnalyzer unit is located
and whether or not the system automatically adjusts for daylight
savings time.

Set Time Select this option to manually set the date and time of the
FortiAnalyzer unit’s clock, then select the Hour, Minute, Second,
Year, Month, and Day fields before you select OK.

Synchronize with NTP Select this option to automatically synchronize the date and time
Server of the FortiAnalyzer unit’s clock with an NTP server, then con-
figure the Syn Interval and Server fields before you select OK.
Select the add icon to add multiple NTP servers. Select the
delete icon to remove servers.

Administration Guide 50
Fortinet Technologies Inc.
System Settings Dashboard

Sync Interval Enter how often in minutes the FortiAnalyzer unit should syn-
chronize its time with the NTP server. For example, entering
1440 causes the Fortinet unit to synchronize its time once a day.

Server Enter the IP address or domain name of an NTP server. To find

an NTP server that you can use, go to http://www.ntp.org.

4. Select OK to apply your changes.

Updating the system firmware

To take advantage of the latest features and fixes, the device firmware can be upgraded. For information about a
specific firmware version, see the FortiAnalyzer Release Notes in the Fortinet Document Library.

Backing up the system

Fortinet recommends that you back up your FortiAnalyzer configuration to your management computer on a regular
basis to ensure that, should the system fail, you can quickly get the system back to its original state with minimal effect
to the network. You should also perform a back up after making any changes to the FortiAnalyzer configuration or
settings that affect the log devices.

You can perform backups manually. Fortinet recommends backing up all configuration settings from your
FortiAnalyzer unit before upgrading the FortiAnalyzer firmware.

To back up the FortiAnalyzer configuration:

1. Go to System Settings > Dashboard.

2. In the System Information widget, in the System Configuration field, select Backup. The Backup dialog box
appears.

Backup dialog box

3. Configure the following settings:

Encryption Select to encrypt the backup file with a password. The password is
required to restore the configuration. The check box is selected by
default.

51 Administration Guide
Fortinet Technologies Inc.
Dashboard System Settings

Password Select a password. This password is used to encrypt the backup

file, and is required to restore the file. (This option is available only
when the encryption check box is selected.)

Confirm Password Re-enter the password to confirm it.

4. If you want to encrypt the backup file, select the Encryption check box, then enter and confirm the password you
want to use.
5. Select OK and save the backup file on your management computer.

Restoring the configuration

You can use the following procedure to restore your FortiAnalyzer configuration from a backup file on your
management computer.

To restore the FortiAnalyzer configuration:

1. Go to System Settings > Dashboard.

2. In the System Information widget, in the System Configuration field, select Restore. The Restore dialog box
appears. The Restore dialog box appears.

Restore dialog box

3. Configure the following settings:

From Local Select Browse to find the configuration backup file you want to
restore on your management computer.

Password Enter the encryption password, if applicable.

Overwrite current IP, Select the check box if you need to overwrite the current IP and
routing routing settings.

4. Select OK to proceed with the configuration restore.

Administration Guide 52
Fortinet Technologies Inc.
 System Settings Dashboard

Changing the operation mode

The FortiAnalyzer unit has two operation modes: analyzer and collector. For more information, see "Key Concepts" on
page 13.

Not all FortiAnalyzer models support all operation modes.

To change the operation mode:

1. On the FortiAnalyzer unit, go to System Settings > Dashboard.

2. In the System Information widget, in the Operation Mode field, select Change. The Change Operation Mode
dialog box opens.

Change operation mode

3. Configure the following settings:

Analyzer Select to configure FortiAnalyzer in analyzer mode.

Collector Select to configure FortiAnalyzer in collector mode.

4. Select OK to change the operation mode.

License Information widget

The license information displayed on the dashboard shows information on features that vary by a purchased license or
contract, such as FortiGuard subscription services. It also displays how many devices are connected or attempting to
connect to the FortiAnalyzer unit.

53 Administration Guide
Fortinet Technologies Inc.
 Dashboard System Settings

The information displayed in the license information widget will vary between physical and VM
FortiAnalyzer units.

License information widget

The VM license information widget displays similar information but includes the VM license information and
management IP address, as well as the ability to upload a VM license.

VM license information widget

To upload a FortiAnalyzer VM license:

1. Go to System Settings > Dashboard.

2. In the License Information widget, in the VM License field, select Upload License.
3. Browse to the VM license file on your management computer.
4. Select OK to load the license file.

Unit Operation widget

The Unit Operation widget on the dashboard is a graphical representation of the FortiAnalyzer unit. It displays status
and connection information for the ports on the FortiAnalyzer unit. It also enables you to quickly reboot or shutdown

Administration Guide 54
Fortinet Technologies Inc.
 System Settings Dashboard

the FortiAnalyzer device.

Unit operation widget

The following information is available on this widget:

Port numbers The image below the port name indicates its status by its color. Green indic-
(vary depending ates the port is connected. Grey indicates there is no connection.
on model)
For more information about a port’s configuration and throughput, position
your mouse over the icon for that port. A pop-up box displays the full name of
the interface, the IP address and netmask, the status of the link, the speed of
the interface, and the number of sent and received packets.

Reboot Select to restart the FortiAnalyzer unit. You are prompted to confirm before
the reboot is executed.

Shutdown Select to shutdown the FortiAnalyzer unit. You are prompted to confirm
before the shutdown is executed.

System Resources widget

The System Resources widget on the dashboard displays the usage status of the CPU, memory and hard disk. You
can view system resource information in real-time or historical format, and either the average CPU usage or the usage
for each individual processor core.

System resources widget (real time display)

System resources widget (historical display)

55 Administration Guide
Fortinet Technologies Inc.
Dashboard System Settings

The following information is available:

CPUx Usage The current CPU utilization for each processor core.
The Web-based Manager displays CPU usage for core processes only.
CPU usage for management processes (for example, for HTTPS con-
nections to the Web-based Manager) is excluded.

Average CPU Usage The current average CPU utilization.

The Web-based Manager displays CPU usage for core processes only.
CPU usage for management processes (for example, for HTTPS con-
nections to the Web-based Manager) is excluded.

Memory Usage The current memory utilization.

The Web-based Manager displays memory usage for core processes only.
Memory usage for management processes (for example, for HTTPS con-
nections to the web-based manager) is excluded.

Hard Disk Usage The current hard disk usage, shown on a pie chart as a percentage of total
hard disk space.
This item does not appear when viewing historical system resources.

To change the system resource widget display settings:

1. Go to System Settings > Dashboard.

2. In the System Resources widget, hover the mouse over the title bar and select the Edit icon. The Edit System
Resources Settings dialog box appears.

Edit system resources settings window

Administration Guide 56
Fortinet Technologies Inc.
 System Settings Dashboard

3. You can configure the following settings:

Multi-core CPU Dis- Select Each Core to view the CPU usage for each processor core
play (default). Select Average to view only the average CPU usage.

View Type Select Real Time to view the most current information about system
resources (default). Select Historical to view historical information
about system resources.

Time Period Select one of the following: Last 10 minutes, Last 1 hour, or Last 24
hours. This option is only available when Historical is selected.

Refresh Interval To automatically refresh the widget at intervals, enter a number

between 10 and 240 seconds. To disable the refresh interval feature,
enter 0.

4. Select OK to apply your settings.

Alert Messages Console widget

The Alert Message Console widget displays log-based alert messages for both the FortiAnalyzer unit itself and
connected devices.

Alert messages help you track system events on your FortiAnalyzer unit such as firmware changes, and network events
such as detected attacks. Each message shows the date and time that the event occurred.

Alert message console widget

57 Administration Guide
Fortinet Technologies Inc.
 Dashboard System Settings

The widget displays only the most recent alerts. For a complete list of unacknowledged alert messages, select the
More Alerts icon in the widget’s title bar. A popup window appears. To clear the list, select Clear Alert Messages.
List of all alert messages

Select the Edit icon in the title bar to open the Edit Alert Message Console Settings dialog box so that you can adjust
the number of entries that are visible, and their refresh interval.

CLI Console widget

The CLI Console widget enables you to enter CLI commands through the Web-based Manager without making a
separate Telnet, SSH, or local console connection.

The CLI Console widget requires that your web browser support JavaScript.

Administration Guide 58
Fortinet Technologies Inc.
 System Settings Dashboard

To use the console, click within the console area. Doing so will automatically log you in using the same administrator
account that you used to access the Web-based Manager. You can then enter commands by typing them. You can
also copy and paste commands in to or out of the console.

The command prompt contains the host name of the Fortinet unit (by default, the model number
such as Fortinet-800B #). To change the host name, see "System Settings" on page 49.

For information on available CLI commands, see the FortiAnalyzer CLI Reference.

CLI console widget

Log Receive Monitor widget

The Log Receive Monitor widget displays the rate at which logs are received over time. You can select to display log
data by log type or per device.

Log receive monitor widget (log type)

To configure settings for the widget, select Edit from the title bar.

Edit log receive monitor settings

59 Administration Guide
Fortinet Technologies Inc.
 Dashboard System Settings

Configure the following settings:

Type From the drop-down menu, select either:

l Log Type: Display the type of logs that are received from all registered
devices separated into the following categories: Event, Email Filter,
Mail Statistics, Traffic, Web Filter, and Other.
l Device: Display the logs that received by each registered device
separated into the top number of devices.

Number of Select the number of either log types or devices shown in the widget’s graph.
Entries

Time Period Select one of the following time ranges over which to monitor the rate at which
log messages are received: Hour, Day, Week.

Refresh Interval Automatically refresh the widget. Enter a number between 10 and 240
seconds. To disable automatic refresh, enter 0.

Logs/Data Received widget

The Logs/Data Received widget displays the rate over time of the logs and data, such as Traffic, Web Filter, and
Event logs, received by the FortiAnalyzer unit.

Logs/data received widget (real-time)

Logs/data received widget (historical)

Administration Guide 60
Fortinet Technologies Inc.
 System Settings Dashboard

The widget displays the following information:

Logs Received Number of logs received per second.

Data Received Volume of data received.

To configure settings for the widget, select Edit from the title bar.

Edit logs/data received settings window

The following settings can be configured:

View Type Select Real Time to view current information about system resources.
Select Historical to view historical information.

Time Period Select one of the following time ranges: Last 10 Minutes, Last 1 Hour, or
Last 24 Hours.

Refresh Interval Automatically refresh the widget. Enter a number between 10 and 240
seconds. To disable automatic refresh, enter 0.

Statistics widget

The Statistics widget displays the numbers of sessions, volume of log files, and number of reports handled by the
FortiAnalyzer unit.

Statistics widget

61 Administration Guide
Fortinet Technologies Inc.
All ADOMs System Settings

The widget displays the following information:

Logs & Reports

Logs The number of new log files received from a number of devices since the statistics were last reset.

Log Volume The average log file volume received per day over the past seven days.

Reports The number of reports generated for a number of devices.

Reset Select Reset to reset the aforementioned statistics back to zero.

All ADOMs

The All ADOMs menu item displays all the ADOMs configured on the device, and provides the option to create new
ADOMs. It is only visible if ADOMs are enabled, see "System Settings" on page 47.

FortiAnalyzer v5.2.0 and later supports FortiGate, FortiCache, FortiCarrier, FortiClient, FortiMail,
FortiSandbox, FortiWeb, Syslog, and others ADOM types.

All ADOMs list

Administration Guide 62
Fortinet Technologies Inc.
System Settings All ADOMs

The following information and options are available:

Create New Select to create a new ADOM. See To create a new ADOM:.

Search Enter a keyword to search your ADOMs.

Name The names of the current ADOMs.

Version The firmware release version of the ADOM.

Device The devices currently in the ADOM.

Right-click on an ADOM in the list to open the right-click menu. The following options are available:

Delete Select Delete in the right-click menu to delete the ADOM.

Edit Select Edit in the right-click menu to edit the ADOM.

Select All Select Select All in the right-click menu to select all ADOMs in the list.

To create a new ADOM:

1. Select Create New from the ADOM list toolbar. The Create ADOM dialog box opens.

Create a new ADOM

63 Administration Guide
Fortinet Technologies Inc.
All ADOMs System Settings

2. Enter a name for the ADOM in the Name field.

3. Select the device type and firmware version from the drop-down lists.
4. Select the devices to be added to the ADOM from the device list on the left, then select the arrow button to
transfer them into the selected devices list on the right.
5. Select OK to create the ADOM.

To edit an ADOM:

1. Right-click on the ADOM you need to edit and select Edit from the right-click menu, or double-click anywhere in
the ADOM’s row. The Edit ADOM dialog box opens.
2. Edit the ADOM information as required and then select OK.

The device type and version cannot be edited.

The default ADOMs cannot be edited.

Administration Guide 64
Fortinet Technologies Inc.
System Settings RAID management

To disable an ADOM:

1. Right-click on the ADOM you need to disable and select Edit from the right-click menu, or double-click anywhere in
the ADOM’s row. The Edit ADOM dialog box opens.
2. Uncheck the Status checkbox and then select OK.

You must remove all devices before disabling the ADOM.

The default ADOMs cannot be disabled.

To delete an ADOM:

1. Right-click on the ADOM you would like to delete and select Delete from the right-click menu.
2. Select OK in the confirmation dialog box to delete the ADOM.

The default ADOMs cannot be deleted.

RAID management

RAID helps to divide data storage over multiple disks, providing increased data reliability. FortiAnalyzer units that
contain multiple hard disks can have their RAID array configured for capacity, performance, and availability.

This menu is only available on devices that support RAID.

You can view the status of the RAID array from the RAID menu in System Settings > RAID Management. The RAID
Management page displays the status of each disk in the RAID array, including the disk’s RAID level. This menu also
displays how much disk space is being used.

Under Disk Management the following information is displayed: Disk Number, Member of RAID , Disk Status, Size
(GB), and Disk Model. See RAID management menu page.
The Alert Message Console widget, located in System Settings> Dashboard, will provides detailed information
about any RAID array failures. For more information see Alert Messages Console widget.

If you need to remove a disk from the FortiAnalyzer unit, you might be able to hot swap it. Hot swapping means that
you remove a failed hard disk and replace it with a new one while the FortiAnalyzer unit is in operation. Hot swapping is

65 Administration Guide
Fortinet Technologies Inc.
RAID management System Settings

a quick and efficient way to replace hard disks. For more information about hot swapping, see Hot swapping hard
disks.

RAID management menu page

To configure the RAID level:

1. Go to System Settings > RAID Management, in the RAID Level field, select Change. The RAID Settings dialog
box opens.

RAID settings dialog box

2. From the RAID Level drop-down list, select the RAID level you want to use, then select OK. Once selected,
depending on the RAID level, it may take a significant amount of time to generate the RAID array.

If the RAID settings is changed, all data will be deleted.

Administration Guide 66
Fortinet Technologies Inc.
 System Settings RAID management

Supported RAID levels

FortiAnalyzer units with multiple hard drives can support the following RAID levels:

Linear
l Linear RAID combines all hard disks into one large virtual disk. The total space available in this option is the
capacity of all disks used. There is very little performance change when using this RAID format. If any of the drives
fails, the entire set of drives is unusable until the faulty drive is replaced. All data will be lost.

RAID 0

l A RAID 0 array is also referred to as striping. The FortiAnalyzer unit writes information evenly across all hard disks.
The total space available is that of all the disks in the RAID array. There is no redundancy available. If any single
drive fails, the data on that drive cannot be recovered. This RAID level is beneficial because it provides better
performance, since the FortiAnalyzer unit can distribute disk writing across multiple disks.
l Minimum number of drives: 2
l Data protection: No protection

RAID 0 is not recommended for mission critical environments as it is not fault-tolerant.

RAID 1
l A RAID 1 array is also referred to as mirroring. The FortiAnalyzer unit writes information to one hard disk, and writes
a copy (a mirror image) of all information to all the other hard disks. The total disk space available is that of only one
hard disk, as the others are solely used for mirroring. This provides redundant data storage with no single point of
failure. Should any of the hard disks fail, there are backup hard disks available.
l Minimum number of drives: 2
l Data protection: Single-drive failure

One write or two reads are possible per mirrored pair. RAID 1 offers redundancy of data. A re-build
is not required in the event of a drive failure. This is the simplest RAID storage design with the
highest disk overhead.

RAID 1 +Spare
l A RAID 1 with hot spare (or RAID 1s) array uses one of the hard disks as a hot spare (a stand-by disk for the RAID).
If a hard disk fails, within a minute of the failure, the hot spare is substituted for the failed drive, integrating it into

67 Administration Guide
Fortinet Technologies Inc.
RAID management System Settings

the RAID array, and rebuilding the RAID’s data. When you replace the failed hard disk, the new hard disk becomes
the new hot spare.

RAID 5
l A RAID 5 array employs striping with a parity check. Similar to RAID 0, the FortiAnalyzer unit writes information
evenly across all drives but additional parity blocks are written on the same stripes. The parity block is staggered for
each stripe. The total disk space is the total number of disks in the array, minus one disk for parity storage. For
example, with four hard disks, the total capacity available is actually the total for three hard disks. RAID 5
performance is typically better with reading than with writing, although performance is degraded when one disk has
failed or is missing. With RAID 5, one disk can fail without the loss of data. If a drive fails, it can be replaced and the
FortiAnalyzer unit will restore the data on the new disk by using reference information from the parity volume.
l Minimum number of drives: 3
l Data protection: Single-drive failure

RAID 5 +Spare

l A RAID 5 with hot spare array uses one of the hard disks as a hot spare (a stand-by disk for the RAID). If a hard disk
fails, within a minute of the failure, the hot spare is substituted for the failed drive, integrating it into the RAID array,
and rebuilding the RAID’s data. When you replace the failed hard disk, the new hard disk becomes the new hot
spare.

RAID 6

l A RAID 6 array is the same as a RAID 5 array with an additional parity block. It uses block-level striping with two
parity blocks distributed across all member disks.
l Minimum number of drives: 4
l Data protection: Up to two disk failures.

RAID 6 +Spare

l A RAID 6 with hot spare array is the same as a RAID 5 with hot spare array with an additional parity block.

RAID 10
l RAID 10 (or 1+0), includes nested RAID levels 1 and 0, or a stripe (RAID 0) of mirrors (RAID 1). The total disk space
available is the total number of disks in the array (a minimum of 4) divided by 2, for example:
l two RAID 1 arrays of two disks each
l three RAID 1 arrays of two disks each
l six RAID1 arrays of two disks each.

One drive from a RAID 1 array can fail without the loss of data; however, should the other drive in the RAID 1 array fail,
all data will be lost. In this situation, it is important to replace a failed drive as quickly as possible.

l Minimum number of drives: 4

l Data protection: Up to two disk failures in each sub-array.

Administration Guide 68
Fortinet Technologies Inc.
System Settings RAID management

Alternative to RAID 1 when additional performance is required.

RAID 50

l RAID 50 (or 5+0) includes nested RAID levels 5 and 0, or a stripe (RAID 0) and stripe with parity (RAID 5). The total
disk space available is the total number of disks minus the number of RAID 5 sub-arrays. RAID 50 provides
increased performance and also ensures no data loss for the same reasons as RAID 5. One drive in each RAID 5
array can fail without the loss of data.
l Minimum number of drives: 6
l Data protection: Up to one disk failure in each sub-array.

Higher fault tolerance than RAID 5 and higher efficiency than RAID 0.

RAID 50 is only available on models with 9 or more disks. By default, two groups are used unless
otherwise configured via the CLI. Use the diagnose system raid status CLI command
to view your current RAID level, status, size, groups, and hard disk drive information.

RAID 60

l A RAID 60 (6+0) array combines the straight, block-level striping of RAID 0 with the distributed double parity of
RAID 6.
l Minimum number of drives: 8
l Data protection: Up to two disk failures in each sub-array.

High read data transaction rate, medium write data transaction rate, and slightly lower per-
formance than RAID 50.

RAID support per FortiAnalyzer model

RAID support per model

Model RAID Type RAID Level Hot Swappable

FAZ-100C - - -

69 Administration Guide
Fortinet Technologies Inc.
 RAID management System Settings

Model RAID Type RAID Level Hot Swappable

FAZ-200D - - -

FAZ-300D Software RAID Linear, 0, 1 No

FAZ-400C - - -

FAZ-1000C Software RAID Linear, 0, 1, 10 No

FAZ-1000D Software RAID Linear, 0, 1, 10 No

FAZ-3000D Hardware RAID 0, 1, 1 +Spare, 5, 5 +Spare, 6, 6 +Spare, Yes

10, 50, 60

FAZ-3000E Hardware RAID Yes

FAZ-3500E Hardware RAID Yes

FAZ-3900E Hardware RAID Yes

FAZ-4000B Hardware RAID 0, 5, 5 +Spare, 6, 6 +Spare, 10, 50, 60 Yes

FAZ-VM - - -

FAZ-VM64, - - -
FAZ-VM64-HV

RAID disk status

The RAID management page displays the status of each disk in the RAID array. The possible disk states are:

l OK: The hard drive is functioning normally.

l Rebuilding: The FortiAnalyzer unit is writing data to a newly added hard drive in order to restore the hard drive to an
optimal state. The FortiAnalyzer unit is not fully fault tolerant until rebuilding is complete.
l Initializing: The FortiAnalyzer unit is writing to all the hard drives in the device in order to make the array fault
tolerant.
l Verifying: The FortiAnalyzer unit is ensuring that the parity data of a redundant drive is valid.
l Degraded: The hard drive is no longer being used by the RAID controller.
l Inoperable: One or more drives are missing from the FortiAnalyzer unit. The drive is no longer available to the
operating system. Data on an inoperable drive cannot be accessed.

Administration Guide 70
Fortinet Technologies Inc.
 System Settings RAID management

Hot swapping hard disks

If a hard disk on a FortiAnalyzer unit fails, it must be replaced. On FortiAnalyzer devices that support hardware RAID,
the hard disk can be replaced while the FortiAnalyzer unit is still running, known as hot swapping. On FortiAnalyzer
units with software RAID, the device must be shutdown prior to exchanging the hard disk.

To identify which hard disk failed, read the relevant log message in the Alert Message Console widget (see Alert
Messages Console widget).

To hot-swap a hard disk on a device that supports hardware RAID, simply remove the faulty hard disk and replace it
with a new one.

Electrostatic discharge (ESD) can damage FortiAnalyzer equipment. Only perform the procedures
described in this document from an ESD workstation. If no such station is available, you can
provide some ESD protection by wearing an anti-static wrist or ankle strap and attaching it to an
ESD connector or to a metal part of a FortiAnalyzer chassis.
When replacing a hard disk, you need to first verify that the new disk has the same size as those
supplied by Fortinet and has at least the same capacity as the old one in the FortiAnalyzer unit.
Installing a smaller hard disk will affect the RAID setup and may cause data loss. Due to possible
differences in sector layout between disks, the only way to guarantee that two disks have the
same size is to use the same brand and model.
The size provided by the hard drive manufacturer for a given disk model is only an approximation.
The exact size is determined by the number of sectors present on the disk.

The FortiAnalyzer unit will automatically add the new disk to the current RAID array. The status appears on the
console. The RAID management page will display a green check mark icon for all disks and the RAID Status area will
display the progress of the RAID re-synchronization/rebuild.

Once a RAID array is built, adding another disk with the same capacity will not affect the array size
until you rebuild the array by restarting the FortiAnalyzer unit.

Adding new disks

Some FortiAnalyzer units have space to add more hard disks to increase your storage capacity.

71 Administration Guide
Fortinet Technologies Inc.
Network System Settings

Fortinet recommends that you use the same disks as those supplied by Fortinet. Disks of other
brands will not be supported by Fortinet. For information on purchasing extra hard disks, contact
your Fortinet reseller.

To add more hard disks:

1. Obtain the same disks as those supplied by Fortinet.

2. Back up the log data on the FortiAnalyzer unit. You can also migrate the data to another FortiAnalyzer. unit if you
have one. Data migration reduces system down time and risk of data loss. For information on data backup, see
Backing up the system
3. If your device has hardware RAID, install the disks in the FortiAnalyzer unit while the FortiAnalyzer unit is running.
If your device has software RAID, shutdown the device (see Shutdown), install the disk or disks, then restart the
device.
4. Configure the RAID level. If you have backed up the log data, restore the data. For more information, see
Restoring the configuration.

Network

The FortiAnalyzer unit can manage Fortinet devices connected to any of its interfaces. The DNS servers must be on
the networks to which the FortiAnalyzer unit connects, and should have two different addresses.

To view the configured network interfaces, go to System Settings > Network. The network screen is displayed.

Network page

Administration Guide 72
Fortinet Technologies Inc.
 System Settings Network

Configure the following settings:

Management Interface

IP/Netmask The IP address and netmask associated with this interface.

IPv6 Address The IPv6 address and netmask associated with this interface.

Administrative Access Select the allowed administrative service protocols from: HTTPS, HTTP, PING, SSH ,
TELNET, SNMP, Web Service, and Aggregator.

IPv6 Administrative Select the allowed IPv6 administrative service protocols from: HTTPS, HTTP, PING,
Access SSH, TELNET, SNMP, Web Service, and Aggregator.

Default Gateway The default gateway associated with this interface

DNS

Primary DNS Server Enter the primary DNS server IP address.

Secondary DNS Server Enter the secondary DNS server IP address.

All Interfaces Click to open the network interface list. See Network interfaces.

Routing Table Click to open the routing table. See Static routes.

IPv6 Routing Table Click to open the IPv6 routing table. See Static routes.

Diagnostic Tools Select to run available diagnostic tools, including Ping, Traceroute, and View logs. See
Diagnostic tools.

Network interfaces

To view the Network interface list, select the All Interfaces button.

Network interface list

The following information is displayed:

73 Administration Guide
Fortinet Technologies Inc.
Network System Settings

Name The names of the physical interfaces on your FortiAnalyzer unit. The
name of a physical interface depends on the model. Unlike FortiGate,
you cannot set alias names for the interfaces. For more information,
on configuring the interface, see To edit a network interface:.

If HA operation is enabled, the HA interface has /HA appended to its

name.

IP / Netmask The IP address and netmask associated with this interface.

IPv6 Address The IPv6 address associated with this interface.

Description A description of the interface.

Administrative The list of allowed administrative service protocols on this interface.

Access

IPv6 Administrative The list of allowed IPv6 administrative service protocols on this interface.
access

Enable Displays an enabled icon if the interface is enabled or a disabled icon if the
interface is disabled.

The following options are available:

Edit Right-click on an interface and select Edit in the in the pop-up menu. Altern-
atively, double-click the entry to open the Edit Interface page. See To edit a
network interface:.

Delete Right-click on an interface and select Delete in the pop-up menu to remove
the entry. Select OK in the confirmation dialog box to complete the delete
action.

To edit a network interface:

Either right-click on an interface and select Edit in the in the pop-up menu, or double-click the entry to open the Edit
Interface page. The Edit Interface window opens.
Configure network interfaces

Administration Guide 74
Fortinet Technologies Inc.
 System Settings Network

Configure the following settings, then select OK to apply your changes:

Enable Select to enable this interface. An enabled icon appears in the interface
list to indicate the interface is accepting network traffic.
When not selected, a disabled icon appears in the interface list to indicate
the interface is down and not accepting network traffic.

Alias Enter an alias for the port to make it easily recognizable.

IP Address/Netmask Enter the IP address and netmask for the interface.

IPv6 Address Enter the IPv6 address for the interface.

Administrative Select the services to allow on this interface. Any interface that is used to
Access provide administration access to the FortiAnalyzer unit will require at least
HTTPS or HTTP for Web-based Manager access, or SSH for CLI access.

IPv6 Administrative Select the services to allow on this interface. Any interface that is used to
Access provide administration access to the FortiAnalyzer unit will require at least
HTTPS or HTTP for Web-based Manager access, or SSH for CLI access.

Description Enter a brief description of the interface (optional).

Static routes

From System Settings > Network, select Routing Table to manage IPv4 static routes, or select IPv6 Routing Table
to manage IPv6 static routes.

Routing table

75 Administration Guide
Fortinet Technologies Inc.
Network System Settings

The following information is displayed:

ID The route number.

IP/Netmask The destination IPv4 or IPv6 address and netmask for this route.

Gateway The address of the next hop router to which this route directs traffic.

Interface The network interface that connects to the gateway.

The following options are available:

Create New Select Create New to add a new route. See To add a static route:.

Delete Select the check box next to the route number then select Delete to remove the route from
the table. Delete is also available in the right-click menu.

View Select from the right-click menu to open the Create Route window.

To add a static route:

From the routing table, select Create New, double-click on a current route, or right-click and select View, to open the
Create Route or Create IPv6 Route window.
Create new route

Configure the following settings, then select OK to create the new static route:

Destination IP/Mask Enter the destination IP address and netmask, or IPv6 prefix, for this route.

Gateway Enter the address of the next hop router to which this route directs traffic.

Interface Select the network interface that connects to the gateway.

Administration Guide 76
Fortinet Technologies Inc.
 System Settings Admin

Diagnostic tools

Diagnostic tools allows you to run available diagnostic tools, including Ping, Traceroute, and View logs.

Diagnostic tools

"System Settings" on page 77 provides an example Ping diagnostic output of an internal network device.

Example ping diagnostics output

Admin

The System Settings > Admin menu enables you to configure administrator accounts, access profiles, and adjust
global administrative settings for the FortiAnalyzer unit. The following sub-menu options are available:

Administrator Select to configure administrative users accounts. For more information,

see Administrator.

Profile Select to set up access profiles for the administrative users. For more
information, see Profile.

Remote Auth Server Select to configure authentication server settings for administrative log in.
For more information, see Remote authentication server.

Admin Settings Select to configure connection options for the administrator including port
number, language of the Web-based Manager and idle timeout. For more
information, see Administrator settings.

77 Administration Guide
Fortinet Technologies Inc.
 Admin System Settings

Monitoring administrator sessions

The Current Administrators view enables you to view the list of administrators logged into the
FortiAnalyzer unit. From this window you can also disconnect users if necessary.
To view logged in administrators on the FortiAnalyzer unit, go to System Settings > Dashboard. In the
System Information widget, under Current Administrators, select Detail.
The list of current administrator sessions opens.

Administrator session list

The following information is displayed:

User Name The name of the administrator account. Your session is indicated by (current).

IP Address The login type (GUI, jsconsole, SSH, telnet) and IP address where the administrator is log-
ging in from.

Start Time The date and time the administrator logged in.

Time Out (mins) The maximum duration of the session in minutes (1 to 480 minutes).

The following option is available in the toolbar:

Delete Select the check box next to the user and select Delete to drop their connection to the
FortiAnalyzer unit. Select OK in the confirmation dialog box to proceed with the delete
action.

To disconnect an administrator:

1. Go to System Settings > Dashboard.

2. In the System Information widget, in the Current Administrators field, select Detail. The list of current
administrator sessions appears; see Administrator session list.

Administration Guide 78
Fortinet Technologies Inc.
 System Settings Admin

3. Select the check box for each administrator session that you want to disconnect, and select Delete.
4. Select OK to confirm deletion of the session.

The disconnected administrator will see the FortiAnalyzer login screen when disconnected. They will not have any
additional warning. If possible, it is advisable to inform the administrator before disconnecting them, in case they are
in the middle of important configurations for the FortiAnalyzer or another device.

Administrator

Go to System Settings > Admin > Administrator to view the list of administrators and configure administrator
accounts. Only the default admin administrator account can see the complete administrators list. If you do not have
certain viewing privileges, you will not see the administrator list.

Administrator list

The following information is displayed:

User Name The name this administrator uses to log in. Select the administrator name to edit the admin-
istrator settings.

Type The type of administrator account, one of: LOCAL, RADIUS, LDAP, TACACS+, or PKI.

Profile The administrator profile for this user that determines the privileges of this administrator.
The profile can be one of: Restricted_User, Standard_User, Super_User, or a custom
defined profile. For information on administrator profiles, see Profile.

ADOM The ADOMs to which the user has access. ADOM access can be to all ADOMs or specific
ADOMs which are assigned to the profile.

Status Indicates whether the administrator is currently logged into the FortiAnalyzer unit not. A
green circle with an up arrow indicates that the administrator is logged in, a red circle with a
down arrow indicates that they are not.

Comments Descriptive text about the administrator account.

The following options are available:

79 Administration Guide
Fortinet Technologies Inc.
Admin System Settings

Create New Select to create a new administrator. For more information, see To create a new admin-
istrator account:.

Delete Select the check box next to the administrator you want to remove from the list and select
Delete. Delete is also available in the right-click menu.

Edit Select the administrator in the table, right-click, and select Edit in the right-click menu to
edit the entry. Alternatively, you can double-click the entry to open the Edit Administrator
page.

To create a new administrator account:

1. Go to System Settings > Admin > Administrator and select Create New. The New Administrator dialog box
appears.

New administrator

2. Configure the following settings:

User Name Enter the name that this administrator uses to log in.

Administration Guide 80
Fortinet Technologies Inc.
System Settings Admin

Description Optionally, enter a description of this administrator’s role, location or reason for their
account. This field adds an easy reference for the administrator account.

Type Select the type of authentication the administrator will use when logging into the
FortiAnalyzer unit. Select one of: LOCAL, RADIUS, LDAP, TACACS+, or PKI. If you
select LOCAL, you will need to add a password.

Subject If Type is set to PKI, enter a description.

CA If Type is set to PKI, select a certificate in the drop-down list.

Require two-factor authen- If Type is set to PKI, you can select the checkbox to enforce two-factor authentication.
tication Enter a password and confirm.

New Password Enter the password.

Confirm Password Enter the password again to confirm it.

Server Select the RADIUS, LDAP, or TACACS+ server, as appropriate. This option is only
available if Type is not LOCAL or PKI.

wildcard Select this option to set the password as a wildcard. This option is only available if Type
is not LOCAL or PKI.

Admin Profile Select a profile from the list. The profile selected determines the administrator’s access
to the FortiAnalyzer unit’s features.
Restricted_User and Standard_User admin profiles do not have access to the System
Settings tab. An administrator with either of these admin profiles will see a change pass-
word icon in the navigation pane.
To create a new profile see Configuring administrator profiles.

Admin Domain Choose the ADOMs this administrator will be able to access, or select All ADOMs.
Select Specify and then select the add icon to add Administrative Domains. Select the
remove icon to remove an Administrative Domain.
This field is available only if ADOMs are enabled (see Administrative Domains).The
Super_User profile defaults to All ADOMs access.

Trusted Host Optionally, enter the trusted host IPv4 or IPv6 address and network mask from which the
administrator can log in to the FortiAnalyzer unit. You can specify up to ten trusted hosts
in the Web-based Manager or in the CLI.
Setting trusted hosts for all of your administrators can enhance the security of your sys-
tem. For more information, see Using trusted hosts.

3. Select OK to create the new administrator account.

81 Administration Guide
Fortinet Technologies Inc.
 Admin System Settings

To edit an administrator account:

1. From the administrator list, either double-click on an administrator, or right-click and select Edit. The Edit
Administrator window opens.
2. Edit the settings as required.
3. Optionally, select Change Password to change the password associated with the account.
4. Select OK to save your changes.

To delete an existing administrator account:

1. From the administrator list, select the check box of the administrator account or accounts that you need to delete,
then select Delete in the toolbar.
2. Select OK in the confirmation dialog box to delete the administrator account.

The default admin administrator account cannot be deleted.

Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting
administrative access. In addition to knowing the password, an administrator must connect only through the subnet or
subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP
address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiAnalyzer unit does not respond to administrative access
attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the
unit accepts administrative access attempts on any interface that has administrative access enabled, potentially
exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply both to the Web-based Manager and to the CLI when accessed through SSH. CLI
access through the console connector is not affected.

If you set trusted hosts and want to use the Console Access feature of the Web-based Manager,
you must also set 127.0.0.1/255.255.255.255 as a trusted host. By default, Trusted Host 3 is set
to this address.

Profile

The profile list allows you to create and edit administrator profiles. Administrator profiles are used to limit administrator
access privileges to devices or system features. The administrator profiles restrict access to both the Web-based
Manager and CLI.

Administration Guide 82
Fortinet Technologies Inc.
System Settings Admin

To view the list of administrator profiles, go to the System Settings > Admin > Profile page.

Administrator profile list

The following information is displayed:

Profile The administrator profile name. Select the profile name to view or modify existing settings. For
more information about profile settings, see Configuring administrator profiles.

Description Provides a brief description of the system and device access privileges allowed for the selected
profile.

The following options are available:

Create New Select to create a custom administrator profile. See To create a new profile:.

Delete Select the check box next to the profile you want to delete and select Delete. Predefined pro-
files cannot be deleted. You can only delete custom profiles when they are not applied to
any administrators. Delete is also available in the right-click menu.

Edit Right-click on a profile and select Edit in the right-click menu, or double-click on a profile to
open the Edit Profile page. See To edit a profile:.

Predefined profiles
There are three predefined profiles:

Restricted_User Restricted user profiles have no System Privileges enabled, and have read-only access for
all Device Privileges.

Standard_User Standard user profiles have no System Privileges enabled, but have read/write access for all
Device Privileges.

Super_User Super user profiles have all system and device privileges enabled.

83 Administration Guide
Fortinet Technologies Inc.
Admin System Settings

Restricted_User and Standard_User admin profiles do not have access to the System Settings
tab. An administrator with either of these admin profiles will see a change password icon in the
navigation pane.

"System Settings" on page 84 lists permissions for the three predefined administrator profiles.

When Read-Write is selected, the user can view and make changes to the FortiAnalyzer system. When Read-Only is
selected, the user can only view information. When None is selected, the user can neither view or make changes to
the FortiAnalyzer system.

Predefined profiles, FortiAnalyzer features, and permissions

Feature Predefined Administrator Profiles

Super User Standard User Restricted User

System Settings / system-setting Read-Write None None

Administrator Domain / adom-switch Read-Write Read-Write None

Device Manager / device-manager Read-Write Read-Write Read-Only

Add/Delete Devices/Groups / device-op Read-Write Read-Write None

FortiView / realtime-monitor Read-Write Read-Write Read-Only

Log View / log-viewer Read-Write Read-Write Read-Only

Reports / report-viewer Read-Write Read-Write Read-Only

Event Management / event-management Read-Write Read-Write Read-Only

CLI Only Settings

profileid Super_User Standard_ Restricted_

User User

scope global global global

You cannot delete these profiles, but you can edit them. You can also create new profiles as required.

This guide is intended for default users with full privileges. If you create a profile with limited priv-
ileges it will limit the ability of any administrator using that profile to follow the procedures in this
guide.

Administration Guide 84
Fortinet Technologies Inc.
System Settings Admin

Configuring administrator profiles

You can create custom profiles, and edit existing profiles, including the predefined profiles, as required. Only
administrators with full system privileges can edit the administrator profiles.

To create a new profile:

1. Go to System Settings > Admin > Profile and select Create New. The Create Profile dialog box opens.

Create new administrator profile

2. Configure the following settings:

Profile Name Enter a name for this profile.

Description Enter a description for this profile. While not a requirement, a description can help to know what
the profiles is for or the levels it is set to.

Type This field is cannot be changed. The default type is System Admin.

Other Settings Select None, Read Only, or Read-Write access for the categories as required.

3. Select OK to save the new profile.

To edit a profile:

1. From the profile list, right-click on a profile and select Edit, or double-click on a profile. The Edit Profile dialog box
opens.
2. Edit the following settings as required:

Profile Name Enter a name for this profile.

Description Enter a description for this profile. While not a requirement, a description can help to know what
the profiles is for or the levels it is set to.

85 Administration Guide
Fortinet Technologies Inc.
 Admin System Settings

Type This field is cannot be changed. The default type is System Admin.

Other Settings Select None, Read Only, or Read-Write access for the categories as required.

3. Select OK to save your changes.

The Name field cannot be changed when editing a profile in the Web-based Manager.

To delete a profile:

1. From the profile list, select the check box of the custom profile or profiles that you need to delete, then select
Delete in the toolbar, or right-click on a profile and select Delete. You can only delete custom profiles that are not
applied to any administrators.
2. Select OK in the confirmation dialog box to delete the profile.

Remote authentication server

The FortiAnalyzer system supports remote authentication of administrators using Remote Authentication Dial-in User
(RADIUS), Lightweight Directory Access Protocol (LDAP), and Terminal Access Controller Access-Control System
(TACACS+) servers. To use this feature, you must configure the appropriate server entries in the FortiAnalyzer unit for
each authentication server in your network. LDAP servers can be linked to all ADOMs or to specific ADOMs.

1. Go to System Settings > Admin > Remote Auth Server to view the server list.

Server list

The following information is displayed:

Name The server name. Select the server name to edit the settings.

Type The type of server, either LDAP, RADIUS, or TACACS+.

ADOM The ADOM(s) that are associated with this server. This field is only applicable to LDAP servers.

Details The IP address or DNS resolvable domain name of the server.

Administration Guide 86
Fortinet Technologies Inc.
System Settings Admin

The following options are available:

Create New Add a new LDAP, RADIUS, or TACACS+ server entry. See To add a LDAP server:, To add a
RADIUS server configuration:, and To add a TACACS+ server:.

Delete Select the check box next to a server or servers then select Delete. You cannot delete a
server entry if there are administrator accounts using it. Delete is also available in the right-
click menu.

Edit Right-click on a server and select Edit, or double-click on a server, to open the Edit Server
page.

To edit a remote authentication server:

1. From the remote authentication server list, right-click on a server and select Edit, or double-click on a server, to
open the Edit Server page. The appropriate edit window opens, depending on the server type selected.
2. Change the settings as required and select OK to apply your changes.

The Name field cannot be changed when editing a server configuration in the Web-based Man-
ager.

To delete a server:

1. From the remote authentication server list, select the check box beside the server or servers that you need to
delete and then select Delete from the toolbar, or right-click on a server and select Delete.
2. Select OK in the confirmation dialog box to delete the server entry.

Y ou cannot delete a server entry if there are administrator accounts using it.

LDAP server
LDAP is an Internet protocol used to maintain authentication data that may include departments, people, groups of
people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined
operations, and a request/response network.

If you have configured LDAP support and require a user to authenticate using an LDAP server, the FortiAnalyzer unit
contacts the LDAP server for authentication. To authenticate with the FortiAnalyzer unit, the user enters a user name
and password. The FortiAnalyzer unit sends this user name and password to the LDAP server. If the LDAP server can
authenticate the user, the FortiAnalyzer unit successfully authenticates the user. If the LDAP server cannot
authenticate the user, the FortiAnalyzer unit refuses the connection.

87 Administration Guide
Fortinet Technologies Inc.
Admin System Settings

To add a LDAP server:

1. Go to System Settings > Admin > Remote Auth Server.

2. Select the Create New toolbar and select LDAP in the drop-down list. The New LDAP Server dialog box opens.

New LDAP server

3. Configure the following information:

Name Enter a name to identify

the LDAP server.

Server Name/IP Enter the IP address or

fully qualified domain
name of the LDAP server.

Port Enter the port for LDAP

traffic. The default port is
389.

Common Name Identifier The common name iden-

tifier for the LDAP server.
Most LDAP servers use
cn. However, some serv-
ers use other common
name identifiers such as
uid.

Administration Guide 88
Fortinet Technologies Inc.
System Settings Admin

Distinguished Name The distinguished name

used to look up entries on
the LDAP servers use.
The distinguished name
reflects the hierarchy of
LDAP database object
classes above the com-
mon name identifier.
Select the query icon to
query the distinguished
name.

Bind Type Select the type of binding

for LDAP authentication
from the drop-down list.
One of: Simple, Anonym-
ous, or Regular.

User DN Enter the user dis-

tinguished name. This
option is available when
the Bind Type is set to
Regular.

Password Enter the user password.

This option is available
when the Bind Type is set
to Regular.

Secure Connection Select to use a secure

LDAP server connection
for authentication.

Protocol Select either LDAPS or

STARTTLS in the pro-
tocol field.

Certificate Select the certificate in

the drop-down list.

89 Administration Guide
Fortinet Technologies Inc.
Admin System Settings

Administrative Domain Select either All ADOMs

or Specify to select which
ADOMs to link to the
LDAP server. Select Spe-
cify and then select the
add icon to add Admin-
istrative Domains. Select
the remove icon to
remove an Administrative
Domain.

4. Select OK to save the new LDAP server entry.

RADIUS server
RADIUS is a user authentication and network-usage accounting system. When users connect to a server they enter a
user name and password. This information is passed to a RADIUS server, which authenticates the user and authorizes
access to the network.

You can create or edit RADIUS server entries in the RADIUS server list to support authentication of administrators.
When an administrator account’s type is set to RADIUS, the FortiAnalyzer unit uses the RADIUS server to verify the
administrator password at logon. The password is not stored on the FortiAnalyzer unit.

To add a RADIUS server configuration:

1. Go to System Settings > Admin > Remote Auth Server.

2. Select the Create New in the toolbar and select RADIUS in the drop-down list. The New RADIUS Server dialog
box appears.

New RADIUS server

3. Configure the following settings:

Name Enter a name to identify the RADIUS server.

Administration Guide 90
Fortinet Technologies Inc.
System Settings Admin

Server Name/IP Enter the IP address or fully qualified domain name of the RADIUS server.

Server Secret Enter the RADIUS server secret.

Secondary Server Enter the IP address or fully qualified domain name of the secondary RADIUS server.
Name/IP

Secondary Server Enter the secondary RADIUS server secret.

Secret

Port Enter the port for RADIUS traffic. The default port is 1812. Some RADIUS servers use port
1645.

Auth-Type Enter the authentication type the RADIUS server requires. Select from ANY, PAP, CHAP, or
MSv2 (MSCHAPv2). The default setting of ANY has the FortiAnalyzer unit try all the authen-
tication types.

4. Select OK to save the new RADIUS server configuration.

TACACS+ server
TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and
other networked computing devices via one or more centralized servers. TACACS allows a client to accept a user
name and password and send a query to a TACACS authentication server. The server host determines whether to
accept or deny the request and sends a response back that allows or denies network access to the user. The default
TCP port for a TACACS server is 49.

For more information about TACACS+ servers, see the FortiGate documentation.

To add a TACACS+ server:

1. Go to System Settings > Admin > Remote Auth Server.

2. Select Create New in the toolbar and select TACACS+ in the drop-down list.

New TACACS+ server

3. Configure the following information:

Name Enter a name to identify the TACACS+ server.

91 Administration Guide
Fortinet Technologies Inc.
 Admin System Settings

Server Name/IP Enter the IP address or fully qualified domain name of the TACACS+ server.

Port Enter the port for TACACS+ traffic. The default port is 49.

Server Key Enter the key to access the TACACS+ server. The server key can be a maximum of 16 char-
acters in length.

Auth-Type Enter the authentication type the TACACS+ server requires. Select one of: auto, ASCII, PAP,
CHAP, or MSCHAP. The default value is auto.

4. Select OK to save the new TACACS+ server entry.

Administrator settings

The Admin Settings page allows you to configure global settings for administrator access to the FortiAnalyzer unit,
including:

l Ports for HTTPS and HTTP administrative access

l HTTPS & Web Service server certificate
l Idle Timeout settings
l Language of the web-based manager
l Password Policy

Only the admin administrator can configure these system options, which apply to all administrators logging onto the
FortiAnalyzer unit.

To configure administrative settings:

1. Go to System Settings > Admin > Admin Settings. The Settings dialog box opens.

Settings dialog box

Administration Guide 92
Fortinet Technologies Inc.
System Settings Admin

2. Configure the following settings:

Administration Settings

HTTP Port Enter the TCP

port to be
used for
administrative
HTTP access.

Redirect to HTTPS Select this

option to auto-
matically redir-
ect to HTTPS
from admin-
istrative
HTTP access.

HTTPS Port Enter the TCP

port to be
used for
administrative
HTTPS
access.

93 Administration Guide
Fortinet Technologies Inc.
Admin System Settings

Administration Settings

HTTPS & Web Service Server Certificate Select a cer-

tificate from
the drop-
down list.

Administration Guide 94
Fortinet Technologies Inc.
System Settings Admin

Administration Settings

Idle Timeout Enter the num-

ber of
minutes that
an admin-
istrative con-
nection can
be idle before
the admin-
istrator must
log in again.
The max-
imum is 480
minutes (8
hours). To
ensure secur-
ity, the idle
timeout
should be a
short period
of time to
avoid the
administrator
inadvertently
leaving the
management
computer
logged in to
the FortiAna-
lyzer unit, cre-
ating the
possibility of
someone
walking up
and modifying
the network
options.

95 Administration Guide
Fortinet Technologies Inc.
Admin System Settings

Administration Settings

Language Select a lan-

guage from
the drop-
down list.
Select either
English, Sim-
plified
Chinese, Tra-
ditional
Chinese,
Japanese,
Korean, or
Auto Detect.
The default
value is Auto
Detect.

Password Policy

Enable Select to
enable admin-
istrator pass-
words.

Minimum Length Select the

minimum
length for a
password.
The default is
eight char-
acters.

Must Contain Select the

types of char-
acters that a
password
must contain.

Administration Guide 96
Fortinet Technologies Inc.
 System Settings Admin

Administration Settings

Admin Password Expires after Select the

number of
days that a
password is
valid for, after
which time it
must be
changed.

3. Select Apply to save your settings. The settings are applied to all administrator accounts.

Configure two-factor authentication for administrator login

To configure two-factor authentication for administrator login you will need the following:

l FortiAnalyzer
l FortiAuthenticator
l FortiToken

FortiAuthenticator side configuration

The following instructions describes the steps required on your FortiAuthenticator device.

Before proceeding, ensure that you have configured your FortiAuthenticator and that you have cre-
ated a NAS entry for your FortiAnalyzer and created/imported FortiTokens. For more information,
see the FortiAuthenticator Interoperability Guide and FortiAuthenticator Administration Guide
available in the Fortinet Document Library.

To create a new local user:

1. Go to Authentication > User Management > Local Users.

2. Select Create New in the toolbar. The Create New User page opens.

Create a new user

97 Administration Guide
Fortinet Technologies Inc.
Admin System Settings

3. Configure the following settings:

Username Enter a user name for the local user.

Password creation Select Specify a password from the drop-down list.

Password Enter a password. The password must be a minimum of 8 characters.

Password con- Re-enter the password.

firmation

Enable account Optionally, select to enable account expiration. For more information
expiration see the FortiAuthenticator Administration Guide.

4. Select OK to continue. The Change user page opens.

Change user

Administration Guide 98
Fortinet Technologies Inc.
System Settings Admin

5. Configure the following settings:

Password-based authentication Leave this option selected. Select [Change Password] to change the password
for this local user.

Token-based authentication Select to enable token-based authentication.

Deliver token code by Select to deliver token by FortiToken.

FortiToken 200 Select the FortiToken from the drop-down list.

Enable account expiration Optionally, select to enable account expiration. For more information see the
FortiAuthenticator Administration Guide.

User Role

Role Select either Administrator or User.

Allow RADIUS authentication Select to allow RADIUS authentication.

Allow LDAP browsing Optionally, select to allow LDAP browsing. For more information see the
FortiAuthenticator Administration Guide.

6. Select OK to save the setting.

99 Administration Guide
Fortinet Technologies Inc.
Admin System Settings

To create a new RADIUS client:

1. Go to Authentication > RADIUS Service > Clients.

2. Select Create New in the toolbar. The Create New RADIUS Client page opens.

Create new RADIUS client

3. Configure the following settings:

Name Enter a name for the RADIUS client entry.

Client name/IP Enter the IP address or Fully Qualified Domain Name (FQDN) of the FortiAna-
lyzer.

Secret Enter the server secret. This value must match the FortiAnalyzer RADIUS server
setting at System Settings > Admin > Remote Auth Server.

Description Enter an option description for the RADIUS client entry.

Authentication method Select Enforce two-factor authentication from the list of options.

Username input format Select the username input format.

Administration Guide 100

Fortinet Technologies Inc.
System Settings Admin

Realms Create and define the Realm. For more information see the FortiAuthenticator
Administration Guide.

Allow MAC-based authentication Optional configuration. For more information see the FortiAuthenticator Admin-
istration Guide.

EAP types Optional configuration. For more information see the FortiAuthenticator Admin-
istration Guide.

4. Select OK to save the setting.

FortiAnalyzer side configuration

The following instructions describes the steps required on your FortiAnalyzer device.

To configure the RADIUS server:

1. Go to System Settings > Admin > Remote Auth Server.

2. Select Create New in the toolbar and select RADIUS from the drop-down list. The New RADIUS Server page
opens.

New RADIUS server page

1. Configure the following settings:

Name Enter a name to identify the FortiAuthenticator.

Server Name/IP Enter the IP address or fully qualified domain name of your FortiAuthentic-
ator.

Server Secret Enter the FortiAuthenticator secret.

Secondary Enter the IP address or fully qualified domain name of the secondary
Server Name/IP FortiAuthenticator, if applicable.

101 Administration Guide

Fortinet Technologies Inc.
Admin System Settings

Secondary Enter the secondary FortiAuthenticator secret, if applicable.

Server Secret

Port Enter the port for FortiAuthenticator traffic. The default port is 1812.

Auth-Type Enter the authentication type the FortiAuthenticator requires. The default
setting of ANY has the FortiAnalyzer unit try all the authentication types.
Select one of: ANY, PAP, CHAP, or MSv2.

2. Select OK to save the setting.

To create the admin users:

1. Go to System Settings > Admin > Administrator.

2. Select Create New in the toolbar. The New Administrator page opens.

New administrator page

3. Configure the following settings:

User Name Enter the name that this administrator uses to log in.

Administration Guide 102

Fortinet Technologies Inc.
System Settings Admin

Description Optionally, enter a description of this administrator’s role, location or

reason for their account. This field adds an easy reference for the
administrator account.

Type Select RADIUS from the drop-down list.

RADIUS Server Select the RADIUS server from the drop-down menu.

Wildcard Select to enable wildcard. Wildcard authentication will allow authen-

tication from any local user account on the FortiAuthenticator. To
restrict authentication, RADIUS service clients can be configured to
only authenticate specific user groups.

New Password Enter the password. This field is available if Type is RADIUS and Wild-
card is not selected.

Confirm Password Enter the password again to confirm it. This field is available if Type is
RADIUS and Wildcard is not selected.

Admin Profile Select a profile from the drop-down menu. The profile selected determ-
ines the administrator’s access to the FortiAnalyzer unit’s features.To
create a new profile see Configuring administrator profiles.

Administrative Choose the ADOMs this administrator will be able to access, or select
Domain All ADOMs. Select Specify and then select the add icon to add Admin-
istrative Domains. Select the remove icon to remove an Administrative
Domain.This field is available only if ADOMs are enabled (see Admin-
istrative Domains).The Super_User profile defaults to All ADOMs
access.

Trusted Host Optionally, enter the trusted host IPv4 or IPv6 address and
netmask from which the administrator can log in to the
FortiAnalyzer unit. Select the add icon to add trusted hosts. You
can specify up to ten trusted hosts. Select the delete icon to
remove trusted hosts.

Setting trusted hosts for all of your administrators can enhance

the security of your system. For more information, see Using
trusted hosts.

4. Select OK to save the setting.

To test the configuration:

1. Attempt to log into the FortiAnalyzer Web-based Manager with your new credentials.

103 Administration Guide

Fortinet Technologies Inc.
 Certificates System Settings

FortiAnalyzer login page

2. Enter your user name and password and select Login. The FortiToken page is displayed.

FortiToken page

3. Enter your FortiToken pin code and select Submit to finish logging in to FortiAnalyzer.

Certificates

The FortiAnalyzer unit generates a certificate request based on the information you enter to identify the FortiAnalyzer
unit. After you generate a certificate request, you can download the request to a computer that has management
access to the FortiAnalyzer unit and then forward the request to a CA.

The certificate window also enables you to export certificates for authentication, importing and viewing.

Local certificates

The FortiAnalyzer has one default local certificate, Fortinet_Local. From this menu you can create, delete, import,
view, and download local certificates.

Local certificates sub-menu

Administration Guide 104

Fortinet Technologies Inc.
System Settings Certificates

The following information is displayed:

Certificate Name Displays the certificate name.

Subject Displays the certificate subject information.

Status Displays the certificate status. Select View Certificate Detail to view additional certificate
status information.

The following options are available:

Create New Select to create a new certificate request.

View Select the checkbox next to the certificate, right-click, and select View in the right-click
menu to view the entry.

Delete Select the checkbox next to a certificate entry and select Delete to remove the certificate
selected. Select OK in the confirmation dialog box to proceed with the delete action. Delete
is also available in the right-click menu.

Import Select to import a local certificate. Browse for the local certificate on the management com-
puter and select OK to complete the import.

View Certificate Detail Select the checkbox next to a certificate entry and select View Certificate Detail to view cer-
tificate details.

Download Select the checkbox next to a certificate entry and select Download to download the cer-
tificate to your local computer.

To create a local certificate request:

1. Go to System Settings > Certificates > Local Certificates.

2. Select Create New in the toolbar. The New Certificate window opens.

New local certificate

105 Administration Guide

Fortinet Technologies Inc.
Certificates System Settings

3. Configure the following settings:

Certificate Name The name of the certificate.

Key Size Select the key size from the drop-down list. Select one of: 512 Bit,
1024 Bit, 1536 Bit, or 2048 Bit.

Common Name (CN) Enter the common name of the certificate.

Country (C) Select the country from the drop-down list.

State/Province (ST) Enter the state or province.

Locality (L) Enter the locality.

Organization (O) Enter the organization for the certificate.

Organization Unit (OU) Enter the organization unit.

E-mail Address (EA) Enter the email address.

4. Select OK to save the setting. The request is sent and the status is listed as pending.

Only Local Certificates can be created. CA Certificates can only be imported

To import a local certificate:

1. Go to System Settings > Certificates > Local Certificates.

2. Select Import in the toolbar. The Import dialog box opens.
3. Select Choose File, browse to the location of the certificate, and select OK.

Administration Guide 106

Fortinet Technologies Inc.
System Settings Certificates

To view a local certificate:

1. Go to System Settings > Certificates > Local Certificates.

2. Select the certificates that you would like to see details about and select View Certificate Detail in the toolbar.
The Result page opens.

Local certificate details

The following information is displayed:

Certificate Name The name of the certificate.

Issuer The issuer of the certificate.

Subject The subject of the certificate.

Valid From The date from which the certificate is valid.

Valid To The last day that the certificate is valid. The certificate should be
renewed before this date.

Version The certificate’s version.

Serial Number The serial number of the certificate.

Extension The certificate extension information.

3. Select OK to return to the local certificates list.

To download a local certificate:

1. Go to System Settings > Certificates > Local Certificates.

2. Select the certificates that you would like to download, select Download in the toolbar, and save the certificate to
the desired location.

107 Administration Guide

Fortinet Technologies Inc.
 Certificates System Settings

To delete a local certificate:

1. Go to System Settings > Certificates > Local Certificates.

2. Select the certificate or certificates that you would like to delete and select Delete in the toolbar.
3. Select OK in the confirmation dialog box to delete the certificate.

CA certificates

The FortiAnalyzer has one default CA certificate, Fortinet_CA. In this sub-menu you can:

l Delete CA certificates
l Import CA certificates
l View certificate details
l Download CA certificates

To import a CA certificate:

1. Go to System Settings > Certificates > CA Certificates.

2. Select Import in the toolbar. The Import dialog box opens.
3. Select Choose File, browse to the location of the certificate, and select OK.

To view a CA certificate:

1. Go to System Settings > Certificates > CA Certificates.

2. Select the certificates that you would like to see details about, then select View Certificate Detail in the toolbar.
The Result page opens.

CA certificate details

The following information is displayed:

Certificate Name The name of the certificate.

Issuer The issuer of the certificate.

Administration Guide 108

Fortinet Technologies Inc.
 System Settings Certificates

Subject The subject of the certificate.

Valid From The date from which the certificate is valid.

Valid To The last day that the certificate is valid. The certificate should be
renewed before this date.

Version The certificate’s version.

Serial Number The serial number of the certificate.

Extension The certificate extension information.

3. Select OK to return to the CA certificates list.

To download a CA certificate:

1. Go to System Settings > Certificates > CA Certificates.

2. Select the certificates that you would like to download, select Download in the toolbar, and save the certificate to
the desired location.

To delete a CA certificate:

1. Go to System Settings > Certificates > CA Certificates.

2. Select the certificate or certificates that you would like to delete and select Delete in the toolbar.
3. Select OK in the confirmation dialog box to delete the certificate.

Certificate revocation lists

When you apply for a signed personal or group certificate to install on remote clients, you can obtain the corresponding
root certificate and Certificate Revocation List (CRL) from the issuing CA. When you receive the signed personal or
group certificate, install the signed certificate on the remote client(s) according to the browser documentation. Install
the corresponding root certificate (and CRL) from the issuing CA on the FortiAnalyzer unit according to the procedures
given below.

To import a CRL:

1. Go to System Settings > Certificates > CRL.

2. Select Import in the toolbar. The Import dialog box opens.
3. Select Choose File, browse to the location of the CRL, and select OK.
4. Select Choose File, browse to the location of the certificate, and select OK.

109 Administration Guide

Fortinet Technologies Inc.
Event log System Settings

To view a CRL:

1. Go to System Settings > Certificates > CRL.

2. Select the CRL that you would like to see details about, then select View Certificate Detail in the toolbar. The
Result page opens.
3. When you are finished viewing the CRL details, select OK to return to the CRL list.

To delete a CRL:

1. Go to System Settings > Certificates > CRL.

2. Select the CRL or CRLs that you would like to delete and select Delete in the toolbar.
3. Select OK in the confirmation dialog box to delete the CRL.

Event log

The logs created by Fortinet are viewable within the Web-based Manager. You can use the FortiAnalyzer Log
Message Reference, available in the Fortinet Document Library to interpret the messages. You can view log
messages in the FortiAnalyzer Web-based Manager that are stored in memory or on the internal hard disk, and use the
column filters to filter the event logs that are displayed.

Go to System Settings > Event Log to view the local log list.

Event log list

The following information is displayed:

Administration Guide 110

Fortinet Technologies Inc.
System Settings Event log

Type Select the type from the drop down list. Select one of the following: Event
Log, FDS Upload Log, or FDS Download Log.
When selecting FDS Upload Log, select the device from the drop-down list,
and select Go to browse logs.
When selecting FDS Download Log, select the service (FDS, FCT) from
the Service drop-down list, select the event type (All Event, Push Update,
Poll Update, Manual Update) from the Event drop-down list, and Go to
browse logs.

# The log number.

Date The date that the log file was generated. Select the filter icon to create a fil-
ter for this column.
Select the checkbox to enable this filter and specify the from and to date in
the format YYYY-MM-DD. Select Apply to apply the filter, the filter. When
the filter is enabled, the green filter enabled icon is displayed. You can also
clear all filters.

Time The time that the log file was generated. Select the filter icon to create a fil-
ter for this column.
Select the checkbox to enable this filter and specify the from and to time in
the format HH:MM:SS.
Select Apply to apply the filter. When the filter is enabled, the green filter
enabled icon is displayed. You can also clear all filters.

Level The log level. Select the filter icon to create a filter for this column. The fol-
lowing log levels are displayed:
l Debug
l Information
l Notice
l Warning
l Error
l Critical
l Alert
Emergency
l

Select the checkbox to enable this filter. Select a value for the field from the
drop-down list, select the checkbox (NOT) if required, and select the level
from the drop-down list. Select Apply to apply the filter. When the filter is
enabled, the green filter enabled icon is displayed. You can also clear all fil-
ters.

111 Administration Guide

Fortinet Technologies Inc.
Task monitor System Settings

User User information. Select the filter icon to create a filter for this column.
Select the checkbox to enable this filter. Select a value for the field from the
drop-down list, select the checkbox (NOT) if required, and enter the user-
name in the text field. Select Apply to apply the filter. When the filter is
enabled, the green filter enabled icon is displayed. You can also clear all fil-
ters.

Sub Type Log sub-type information. Select the filter icon, to create a filter for this
column. Select the checkbox to enable this filter, then select one or more of
the event types. Select Apply to apply the filter. When the filter is enabled,
the green filter enabled icon is displayed. You can also clear all filters.
The available event types are: System manager event, FG-FM protocol
event, Device configuration event, Deployment manager event, Real-time
monitor event, Log and report manager event, Firmware manager event,
FortiGuard service event, FortiClient manager event, FortiMail manager
event, Debug I/O log event, Device manager event, Web service event,
FortiAnalyzer event, Log daemon event, and Device manager event.

Message Log message details. Select the filter icon to create a filter for this column.
Select the checkbox to enable this filter. Select a value for the field from the
drop-down list, select the checkbox (NOT) if required, and enter a message
in the text field. Select Apply to apply the filter. When the filter is enabled,
the green filter enabled icon is displayed. You can also clear all filters.

Pagination Use these page options to browse logs. You can select to display 50, 100, or
200 logs from the drop-down list.

The following options are available in the toolbar:

Historical Log Select to view the historical log.

Download Select to download the event log elog. You can download the file as a
comma separated value (CSV) file or in a normal format. Select OK to save
the file to your management computer.

Raw Log/Formatted Select to display either raw logs for a formatted table.
Table

Refresh Select to refresh the information displayed in the log table.

Task monitor

Using the task monitor, you can view the status of the tasks that you have performed.

Administration Guide 112

Fortinet Technologies Inc.
System Settings Task monitor

Go to System Settings > Task Monitor, then select a task category in the View field. Select the history icon for task
details.

Task monitor window

The following information is displayed:

ID The identification number for a task.

Source The platform from where the task is performed.

Expand Arrow Select to display the specific actions taken under this task.

Description The nature of the task.

User The users who have performed the tasks.

Status The status of the task (hover over the icon to view the description):

l All: All types of tasks.

l Done: Completed with success.
l Error: Completed without success.
l Cancelled: User cancelled the task.
l Cancelling: User is cancelling the task.
l Aborted: The FortiAnalyzer system stopped performing this task.
l Aborting: The FortiAnalyzer system is stopping performing this task.
l Running: Being processed. In this status, a percentage bar appears in the Status
column.

Start Time The time that the task was performed.

113 Administration Guide

Fortinet Technologies Inc.
Advanced System Settings

ADOM The ADOM associated with the task.

History Select the history icon to view task details.

The following options are available in the toolbar:

Delete Remove the selected task or tasks from the list.

View Select which tasks to view from the drop-down list, based on their status.
Select one of the following: Running, Pending, Done, Error, Cancelling,
Cancelled, Aborting, Aborted, Warning, or All.

Advanced

The advanced tree menu enables you to configure SNMP, meta field data, and other settings. The following options
are available:

SNMP Select to configure FortiGate and FortiAnalyzer reporting through SNMP

traps.

Mail Server Select to configure mail server settings. See Mail server.

Syslog Server Select to configure syslog server settings. See Syslog server.

Meta Fields Select to configure meta-fields. See Meta fields.

Device Log Set- Select to configure log settings and access and to view the task monitor.
tings See Device log settings

File Management Select to configure automatic deletion settings for file and reports. See File
management.

Advanced settings Select to configure ADOM mode, download the WSDL file, and configure
the task list size. See Advanced settings.

SNMP

SNMP is a method for a FortiAnalyzer system to monitor and report on FortiGate devices. It also can allow you to
monitor a FortiAnalyzer system on your local computer. You will need an SNMP agent on your computer to read the
SNMP information.

Using SNMP, your FortiAnalyzer system checks the attached FortiGate devices for their system health, traffic levels,
and many other details. By default when a FortiGate device is initially configured on your FortiAnalyzer system, that
FortiGate device’s SNMP settings are configured to report to the FortiAnalyzer system.

Administration Guide 114

Fortinet Technologies Inc.
System Settings Advanced

Go to System Settings > Advanced > SNMP to configure your FortiAnalyzer system’s SNMP settings.

SNMP has two parts - the SNMP agent or the device that is sending traps, and the SNMP manager that monitors those
traps. The SNMP communities on the monitored FortiGate devices are hard coded and configured by the
FortiAnalyzer system - they are not user configurable.

The FortiAnalyzer SNMP implementation is read-only — SNMP v1, v2c, and v3 compliant SNMP manager
applications, such as those on your local computer, have read-only access to FortiAnalyzer system information and
can receive FortiAnalyzer system traps.

Configuring the SNMP agent

The SNMP agent sends SNMP traps that originate on the FortiAnalyzer system to an external monitoring SNMP
manager defined in one of the FortiAnalyzer SNMP communities. Typically an SNMP manager is an application on a
local computer that can read the SNMP traps and generate reports or graphs from them.

The SNMP manager can monitor the FortiAnalyzer system to determine if it is operating properly, or if there are any
critical events occurring. The description, location, and contact information for this FortiAnalyzer system will be part of
the information an SNMP manager will have — this information is useful if the SNMP manager is monitoring many
devices, and it will enable faster responses when the FortiAnalyzer system requires attention.

Go to System Settings > Advanced > SNMP to configure the SNMP agent.

SNMP configuration

The following information and options are available:

SNMP

SNMP Agent Select to enable the FortiAnalyzer SNMP agent. When this is enabled, it sends
FortiAnalyzer SNMP traps.

115 Administration Guide

Fortinet Technologies Inc.
Advanced System Settings

Description Type a description of this FortiAnalyzer system to help uniquely identify this unit.

Location Type the location of this FortiAnalyzer system to help find it in the event it requires
attention.

Contact Type the contact information for the person in charge of this FortiAnalyzer system.

SNMP
v1/2c

Communities The list of SNMP v1/v2c communities added to the FortiAnalyzer configuration.

Create New Select Create New to add a new SNMP community. If SNMP agent is not selected,
this control will not be visible.
For more information, see Configuring an SNMP v1/v2c community.

Community Name The name of the SNMP community.

Queries The status of SNMP queries for each SNMP community.

The enabled icon indicates that at least one query is enabled. The disabled icon
indicates that all queries are disabled.

Traps The status of SNMP traps for each SNMP community. The enabled icon indicates
that at least one trap is enabled. The disabled icon indicates that all traps are dis-
abled.

Enable Select to enable or deselect to disable the SNMP community.

Action Select the delete icon to remove an SNMP community.

Select the edit icon to edit an SNMP community.

SNMP v3

Users The list of SNMPv3 users added to the FortiAnalyzer configuration.

Create New Select Create New to add a new SNMP community. If SNMP agent is not selected,
this control will not be visible.
For more information, see "System Settings" on page 119.

User Name The user name for the SNMPv3 user.

Security Level The security level assigned to the SNMPv3 user.

Notification Hosts The notification host or hosts assigned to the SNMPv3 user.

Administration Guide 116

Fortinet Technologies Inc.
System Settings Advanced

Queries The status of SNMP queries for each SNMP user. The enabled icon indicates that
query is enabled. The disabled icon indicates query is disabled.

Action Select the delete icon to remove an SNMP community.

Select the edit icon to edit an SNMP community.

Configuring an SNMP v1/v2c community

An SNMP community is a grouping of equipment for network administration purposes. Add SNMP communities so that
the FortiAnalyzer system (the SNMP agent in this case) can connect to the SNMP manager that is monitoring.

These SNMP communities do not refer to the FortiGate devices the FortiAnalyzer system is man-
aging.

Each community can have a different configuration for SNMP traps and can be configured to monitor different events.
You can add the IP addresses of up to eight hosts to each community. Hosts can receive SNMP device traps and
information.

Select Create New in the SNMP v1/v2c toolbar to open the New SNMP Community page, where you can configure a
new SNMP community.

When you create a new SNMP community, there are no host entries. Selecting Add creates an entry that broadcasts
the SNMP traps and information to the network connected to the specified interface.

SNMP v1/v2c community

117 Administration Guide

Fortinet Technologies Inc.
Advanced System Settings

Configure the following settings:

Community Name Type a name to identify the SNMP community. If you are editing an exist-
ing community, you will be unable to change the name.

Hosts The list of hosts that can use the settings in this SNMP community to
monitor the FortiAnalyzer system. Select Add to create a new entry that
you can edit.

IP Address Type the IP address of an SNMP manager. By default, the IP address is

0.0.0.0 so that any SNMP manager can use this SNMP community.

Administration Guide 118

Fortinet Technologies Inc.
System Settings Advanced

Interface Select the name of the interface that connects to the network where this
SNMP manager is located from the drop-down list. You need to do this if
the SNMP manager is on the Internet or behind a router.

Delete Select the delete icon to remove this SNMP manager entry.

Add Select to add a new default entry to the Hosts list that you can edit as
needed. You can have up to eight SNMP manager entries for a single
community.

Queries Type the port number (161 by default) that the FortiAnalyzer system uses
to send SNMPv1 and SNMPv2c queries to the FortiAnalyzer in this com-
munity. Enable queries for each SNMP version that the FortiAnalyzer sys-
tem uses.

Traps Type the Remote port number (162 by default) that the FortiAnalyzer sys-
tem uses to send SNMPv1 and SNMPv2c traps to the FortiAnalyzer in this
community. Enable traps for each SNMP version that the FortiAnalyzer
system uses.

SNMP Event Enable the events that will cause the FortiAnalyzer unit to send
SNMP traps to the community.

FortiAnalyzer SNMP events:

l Interface IP changed
l Log disk space low
l CPU Overusage
l Memory Low
l System Restart
l CPU usage exclude NICE threshold
l RAID Event
l This SNMP event is available for devices which support RAID.
l High licensed device quota
l High licensed log GB/day
l Log Alert
l Log Rate
l Data Rate

Configuring a SNMPv3 user

The FortiAnalyzer SNMPv3 implementation includes support for queries, traps, authentication, and privacy. Select
Create New in the SNMPv3 toolbar to open the New SNMP User page, where you can configure a new SNMP user.
SNMPv3 user

119 Administration Guide

Fortinet Technologies Inc.
Advanced System Settings

Configure the following settings:

New SNMP User

User Name The name of the SNMPv3

user.

Administration Guide 120

Fortinet Technologies Inc.
System Settings Advanced

Security Level The security level of the

user. Select one of the fol-
lowing:
l No Authentication, No

Privacy
l Authentication, No
Privacy
Select the authentication
algorithm (SHA1, MD5)
and enter the password.
lAuthentication, Privacy
Select the authentication
algorithm (SHA1, MD5),
the private algorithm (AES,
DES) and enter the pass-
word.

Notification Hosts The IP address or

addresses of the host.
Select the add icon to add
multiple IP addresses.

Queries

Enable Select to enable queries.

Port Type the port number. The

default port is 161.

121 Administration Guide

Fortinet Technologies Inc.
Advanced System Settings

SNMP Event Enable the events that will

cause the FortiAnalyzer
unit to send SNMP traps to
the community.

FortiAnalyzer SNMP
events:

l Interface IP
changed
l Log disk space low
l CPU Overusage
l Memory Low
l System Restart
l CPU usage
exclude NICE
threshold
l RAID Event
l This SNMP event
is available for
devices which
support RAID.
l High licensed
device quota
l High licensed log
GB/day
l Log Alert
l Log Rate
l Data Rate

You can edit and delete existing SNMPv3 users.

SNMP MIBs
Fortinet device SNMP agents support Fortinet proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs.
RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that
apply to FortiAnalyzer unit configuration.

RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based
Security Model (RFC 3414).

The Fortinet and FortiAnalyzer MIBs are listed in "System Settings" on page 123 along with the two RFC MIBs. You
can obtain these MIB files from Customer Service & Support. To be able to communicate with the SNMP agent, you
must compile all of these MIBs into your SNMP manager. Generally your SNMP manager will be an application on
your local computer.

Administration Guide 122

Fortinet Technologies Inc.
System Settings Advanced

Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use.
You must add the Fortinet and FortiAnalyzer proprietary MIBs to this database.

You can download the FortiAnalyzer MIB file in the firmware image file folder. The Fortinet Core MIB file is located in
the main FortiAnalyzer 5.00 file folder.

SNMP MIBs

MIB file name or RFC Description

FORTINET-CORE-MIB.mib The proprietary Fortinet MIB includes all system configuration

information and trap information that is common to all Fortinet
products.
Your SNMP manager requires this information to monitor
Fortinet unit configuration settings and receive traps from the
Fortinet SNMP agent.

FORTINET-FORTIMANAGER- The proprietary FortiAnalyzer MIB includes system information

MIB.mib and trap information for FortiAnalyzer units.

RFC-1213 (MIB II) The Fortinet SNMP agent supports MIB II groups with the fol-
lowing exceptions.
l No support for the EGP group from MIB II (RFC 1213, section
3.11 and 6.10).
l Protocol statistics returned for MIB II groups
(IP/ICMP/TCP/UDP/etc.) do not accurately capture all Fortinet
traffic activity. More accurate information can be obtained from
the information reported by the Fortinet MIB.

RFC-2665 (Ethernet-like MIB) The Fortinet SNMP agent supports Ethernet-like MIB information
with the following exception.

No support for the dot3Tests and dot3Errors groups.

SNMP traps
Fortinet devices share SNMP traps, but each type of device also has traps specific to that device. For example
FortiAnalyzer units have FortiAnalyzer specific SNMP traps. To receive Fortinet device SNMP traps, you must load and
compile the FORTINET-CORE-MIB into your SNMP manager.

Traps sent include the trap message as well as the unit serial number (fnSysSerial) and host name (sysName). The
Trap Message column includes the message included with the trap as well as the SNMP MIB field name to help locate
the information about the trap.

Generic SNMP traps

Trap message Description

ColdStart, WarmStart, Standard traps as described in RFC 1215.

LinkUp, LinkDown

123 Administration Guide

Fortinet Technologies Inc.
Advanced System Settings

SNMP system traps

Trap message Description

CPU usage high CPU usage exceeds the set percent. This threshold can be set in
(fnTrapCpuThreshold) the CLI using the following commands:
config system snmp sysinfo
set trap-high-cpu-threshold <percentage
value>
end

CPU usage excluding NICE pro- CPU usage excluding NICE processes exceeds the set per-
cesses (fmSysCpuUsageEx- centage. This threshold can be set in the CLI using the following
cludedNice) commands:
config system snmp sysinfo
set trap-cpu-high-exclude-nice-threshold
<percentage value>
end

Memory low Memory usage exceeds 90 percent. This threshold can be set in
(fnTrapMemThreshold) the CLI using the following commands:
config system snmp sysinfo
set trap-low-memory-threshold <percentage
value>
end

Log disk too full Log disk usage has exceeded the configured threshold. Only avail-
(fnTrapLogDiskThreshold) able on devices with log disks.

Temperature too high A temperature sensor on the device has exceeded its threshold.
(fnTrapTempHigh) Not all devices have thermal sensors. See manual for spe-
cifications.

Voltage outside acceptable Power levels have fluctuated outside of normal levels. Not all
range devices have voltage monitoring instrumentation.
(fnTrapVoltageOutOfRange)

Power supply failure Power supply failure detected. Not available on all models. Avail-
(fnTrapPowerSupplyFailure) able on some devices which support redundant power supplies.

Interface IP change The IP address for an interface has changed. The trap message
(fnTrapIpChange) includes the name of the interface, the new IP address and the
serial number of the Fortinet unit. You can use this trap to track
interface IP address changes for interfaces with dynamic IP
addresses set using DHCP or PPPoE.

Administration Guide 124

Fortinet Technologies Inc.
 System Settings Advanced

Fortinet & FortiAnalyzer MIB fields

The Fortinet MIB contains fields reporting current Fortinet unit status information. The tables below list the names of
the MIB fields and describe the status information available for each one. You can view more details about the
information available from all Fortinet MIB fields by compiling the fortinet.3.00.mib file into your SNMP manager and
browsing the Fortinet MIB fields.

System MIB fields

MIB field Description

fnSysSerial Fortinet unit serial number.

Administrator accounts

MIB field Description

fnAdminNumber The number of administrators on the Fortinet unit.

fnAdminTable Table of administrators.

fnAdminIndex Administrator account index number.

fnAdminName The user name of the administrator account.

fnAdminAddr An address of a trusted host or subnet from which this

administrator account can be used.

fnAdminMask The netmask for fnAdminAddr.

Custom messages

MIB field Description

fnMessages The number of custom messages on the Fortinet unit.

FortiAnalyzer MIB fields and traps

MIB field Description

fmModel A table of all FortiAnalyzer models.

Mail server

Configure SMTP mail server settings for alerts, edit existing settings, or delete mail servers.

125 Administration Guide

Fortinet Technologies Inc.
 Advanced System Settings

If an existing mail server is set in an Event Handler configuration, the delete icon is removed and
the mail server entry cannot be deleted.

Mail server window

Select Create New in the toolbar to configure mail server settings.

Mail server settings

Configure the following settings and then select OK:

SMTP Server Enter the SMTP server domain information, e.g. mail@company.com.

SMTP Server Port Enter the SMTP server port number. The default port is 25.

Enable Authentication Select to enable authentication.

Email Account Enter an email account, e.g. admin@company.com.

Password Enter the email account password.

Syslog server

Configure syslog server settings for alerts, edit existing settings, or delete syslog servers. Select Create New in the
toolbar to add a new syslog server.

If an existing syslog server is set in an Event Handler configuration, the delete icon is removed
and the syslog server entry cannot be deleted.

Administration Guide 126

Fortinet Technologies Inc.
 System Settings Advanced

Syslog server window

Select Create New to configure a new syslog server.

Syslog server settings

Configure the following settings and then select OK:

Name Enter a name for the syslog server.

IP address (or FQDN) Enter the IP address or FQDN of the syslog server.

Port Enter the syslog server port number. The default port is 514.

Meta fields

Meta fields allow administrators to add extra information when configuring, adding, or maintaining FortiGate units.
You can make the fields mandatory or optional, and set the length of the field.

With the fields set as mandatory, administrators must supply additional information when they create a new FortiGate
object, such as an administrator account or firewall policy. Fields for this new information are added to the FortiGate
unit dialog boxes in the locations where you create these objects. You can also provide fields for optional additional
information.

Go to System Settings > Advanced > Meta Fields to configure meta fields.

System metadata

127 Administration Guide

Fortinet Technologies Inc.
Advanced System Settings

The following information is displayed:

Meta Fields The name of this meta data field. Select the name to edit this field. See To
edit a metadata field:.

Length The maximum length of this metadata field.

Importance Indicates whether this field is required or optional.

Status Indicates whether this field is enabled or disabled.

The following options are available in the toolbar:

Create New Create a new meta data field for this object. See To create a new metadata
field:.

Delete Delete the selected meta data field. See To delete metadata fields:.

To create a new metadata field:

1. Go to System Settings > Advanced > Meta Fields.

2. Select Create New in the toolbar. The Add Meta-field window opens.

Add a meta-field

3. Configure the following settings:

Object The system object to which this metadata field applies. Select either
Devices, Device Groups, or Administrative Domains.

Name Enter the label to use for the field.

Length Select the maximum number of characters allowed for the field from the
drop-down list (20, 50, or 255).

Importance Select Required to make the field compulsory, otherwise select Optional.

Status Select Disabled to disable this field. The default selection is Enabled.

4. Select OK to create the new field.

Administration Guide 128

Fortinet Technologies Inc.
 System Settings Advanced

To edit a metadata field:

1. From the meta field list, either double-click a meta filed, or right-click on a meta field then select Edit. The Edit
Meta-field dialog box opens. Only the length, importance, and status of the meta field can be edited.
2. Edit the settings as required, then select OK to apply the changes.

To delete metadata fields:

1. From the meta field list, select the meta fields that you need to delete. The default meta fields cannot be deleted.
2. Select Delete, in the toolbar, then select OK in the confirmation box to delete the fields.

Device log settings

The device log settings menu allows you to configure event logging, log rollover, and upload options.

1. Go to System Settings > Advanced > Device Log Settings to configure device log settings.

Device log settings window

2. Configure the following settings and select Apply to apply your changes:

Registered Device Logs

129 Administration Guide

Fortinet Technologies Inc.
Advanced System Settings

Roll log file when size Enter the log file size.
exceeds Range: 50 to 500 MB

Roll log files at a regular time Select to roll logs daily or weekly. When selecting daily, select
the hour and minute value in the drop-down lists. When select-
ing weekly, select the day, hour, and minute value in the drop-
down lists.

Upload logs using a standard Select to upload logs and configure the following settings.
file transfer protocol

Upload Server Type Select one of FTP, SFTP, or SCP.

Upload Server IP Enter the IP address of the upload server.

Username Select the username that will be used to connect to the upload
server.

Password Select the password that will be used to connect to the upload
server.

Remote Directory Select the remote directory on the upload server where the log
will be uploaded.

Upload Log Files Select to upload log files when they are rolled according to set-
tings selected under Roll Logs or daily at a specific hour.

Upload rolled files in gzipped Select to gzip the logs before uploading. This will result in smal-
format ler logs, and faster upload times.

Delete files after uploading Select to remove device log files from the FortiAnalyzer system
after they have been uploaded to the Upload Server.

Local Device Log

Send the local event logs to Select to send local event logs to another FortiAnalyzer or
FortiAnalyzer / FortiManager FortiManager device.

Server IP Enter the IP address of the FortiAnalyzer or FortiManager.

Upload Option Select to upload logs realtime or at a scheduled time. When

selecting a scheduled time, you can specify the hour and
minute to upload logs

Administration Guide 130

Fortinet Technologies Inc.
 System Settings Advanced

Severity Level Select the minimum log severity level from the drop-down list.

Secure connection for log Select to use a secure connection for log transmission.
transmission

File management

FortiAnalyzer allows you to configure automatic deletion of device log files, quarantined files, reports, and content
archive files after a set period of time.

To configure automatic deletion settings, go to System Settings > Advanced > File Management.

File management

Configure the following settings:

Device log files older than Select to enable this feature, enter a value in the text field,
then select the time period from the drop-down list (Hours,
Days, Weeks, or Months)

Quarantined files older than Select to enable this feature, enter a value in the text field,
and select the time period from the drop-down list.

Reports older than Select to enable this feature, enter a value in the text field,
and select the time period from the drop-down list.

Content archive files older than Select to enable this feature, enter a value in the text field,
and select the time period from the drop-down list.

Advanced settings

To view and configure advanced settings options, go to the System Settings > Advanced > Advanced Settings page.

Advanced settings

131 Administration Guide

Fortinet Technologies Inc.
Advanced System Settings

Advanced ADOM mode will allow users to assign VDOMs from a single device to different
ADOMs, but will result in a reduced operation mode and more complicated management scen-
arios. It is recommended for advanced users only.

Configure the following settings and then select Apply:

ADOM Mode Select either Normal or Advanced.

In normal mode, you can only add FortiGate devices to an ADOM.
Advanced mode allows you to assign VDOMs from a single device to different
ADOMs. Note that this results in a reduced operation mode and more complicated
management and should therefore only be used by advanced users.

Download WSDL file Select the required WSDL functions and select the Download button to download the
WSDL file to your management computer.
When selecting Legacy Operations, no other options can be selected.
Web services is a standards-based, platform independent, access method for other
hardware and software application programming interfaces (APIs). The file itself
defines the format of commands the FortiAnalyzer unit will accept, as well as the
response to expect. Using the WSDL file, third-party or custom applications can com-
municate with the FortiAnalyzer unit and operate it or retrieve information just as an
admin user would from the Web-based Manager or CLI.

Task List Size Set a limit on the size of the task list.

Example WSDL file

Administration Guide 132

Fortinet Technologies Inc.
System Settings Advanced

133 Administration Guide

Fortinet Technologies Inc.
FortiView

The FortiView tab allows you to access both FortiView drill down and Log view menus. FortiView in FortiAnalyzer
collects data from FortiView in FortiGate. In order for information to appear in the FortiView dashboards in FortiGate,
disk logging must be selected for the FortiGate unit. Select the FortiView tab and select the ADOM from the drop-
down list.

When rebuilding the SQL database, FortiView will not be available until after the rebuild is com-
pleted. Select the Show Progress link in the message to view the status of the SQL rebuild.

FortiView

Use FortiView to drill down real-time and historical traffic from log devices by sources, applications, destinations, web
sites, threats, cloud applications, cloud users, system and admin events, SSL and dialup IPsec, site to site IPsec,
rogue APs, and resource usage. Each FortiView summary view can be filtered by a variety of attributes, as well as by
device and time period. These attributes can be selected using the right-click context menu. Results can also be
filtered using the various columns.

The following summary views are available:

l Top Sources
l Top Applications
l Top Destinations
l Top Web Sites
l Top Threats
l Top Cloud Applications/Users
l System Events
l Admin Logins
l SSL & Dialup IPsec
l Site-to-Site IPsec
l Rogue APs
l Resource usage

Top Sources

The Top Sources dashboard displays information about the sources of traffic on your unit. You can drill down the
displayed information, select the device and time period, and apply search filters.

Top sources

134 Administration Guide

Fortinet Technologies Inc.
FortiView FortiView

The following information is displayed:

Source Displays the source IP address and/or user name, if applicable. Select the column header to
sort entries by source. You can apply a search filter to the source (srcip) column.

Device Displays the device IP address or host name. Select the column header to sort entries by
device. You can apply a search filter to the device (dev_src) column.

Threat Score Displays the threat score for blocked and allowed traffic. Select the column header to sort
(Blocked/Allowed) entries by threat score.

Sessions (Blocked/Al- Displays the number of sessions blocked and allowed. Select the column header to sort
lowed) entries by sessions.

Bytes (Sent/Received) Displays the value for sent and received packets. Select the column header to sort entries by
bytes.

The following options are available:

Refresh Refresh the displayed information.

Search Click the search field to add a search and select the GO button to apply the search filter.
Alternatively, you can right-click the column entry to add the search filter.

Devices Select the device or log array from the drop-down list or select All Devices. Select the GO
button to apply the device filter.

Time Period Select the time period from the drop-down list. Select Custom from the list to specify the
start and end date and time. Select the GO button to apply the time period filter.

Administration Guide 135

Fortinet Technologies Inc.
FortiView FortiView

N When selecting a time period with last N in the entry, you can enter the value for N in this
text field.

Custom When Custom is selected the custom icon will be displayed. Select the icon to change the
custom time period.

Go Select the GO button to apply the filter.

Pagination Select the number of entries to display per page and browse pages.

Right-click menu

Application Select to drill down by application to view application related information including the
application, number of sessions (blocked/allowed), and bytes (sent/received).
You can select to sort entries displayed by selecting the column header. You can apply a
search filter in the application (app) column to further filter the information displayed.
Select the GO button to apply the search filter.
Select the return icon to return to the Top Sources page.

Destination Select to drill down by destination to view destination related information including the des-
tination IP address and geographic region, the threat score (blocked/allowed), number of
sessions (blocked/allowed), and bytes (sent/received).
You can select to sort entries displayed by selecting the column header. You can apply a
search filter in the destination (dstip) column to further filter the information displayed.
Select the GO button to apply the search filter.
Select the return icon to return to the Top Sources page.

Threat Select to drill down by threat to view threat related information including the threat type,
category, threat level, threat score (blocked/allowed), and number of incidents (blocked/al-
lowed).
You can select to sort entries displayed by selecting the column header. You can apply a
search filter in the threat (threat) or category (threattype) columns to further filter the
information displayed. Select the GO button to apply the search filter.
Select the return icon to return to the Top Sources page.

Domain Select to drill down by domain to view domain related information including domain, cat-
egory, browsing time, threat score (blocked/allowed), number of sessions (blocked/al-
lowed), and bytes (sent/received). You can select to sort entries displayed by selecting the
column header. Select the GO button to apply the search filter.Select the return icon to
return to the Top Sources page.

136 Administration Guide

Fortinet Technologies Inc.
 FortiView FortiView

Category Select to drill down by category to view category related information including category,
browsing time, threat score (blocked/allowed), number of sessions (blocked/allowed), and
bytes (sent/received).
You can select to sort entries displayed by selecting the column header. Select the GO but-
ton to apply the search filter.
Select the return icon to return to the Top Sources page.

Sessions Select to drill down by sessions to view session related information including date/time,
source/device, destination IP address and geographic region, service, bytes (sen-
t/received), user, application, and security action. You can select to sort entries displayed
by selecting the column header.
You can apply a search filter in the destination (dstip), service (service), user (user),
or application (app) columns to further filter the information displayed. Select the GO but-
ton to apply the search filter.
Select the return icon to return to the Top Sources page.

Search Add a search filter and select the GO button to apply the filter.

Top Applications

The Top Applications dashboard shows information about the applications being used on your network, including the
application name, category, and risk level. You can drill down the displayed information, select the device and time
period, and apply search filters.

Top applications

The following information is displayed:

Application Displays the application name and service. Select the column header to sort entries by
application. You can apply a search filter to the application (app) column.

Administration Guide 137

Fortinet Technologies Inc.
FortiView FortiView

Category Displays the application category. Select the column header to sort entries by category. You
can apply a search filter to the category (appcat) column.

Risk Displays the application risk level. Hover the mouse cursor over the entry in the column for
additional information. Select the column header to sort entries by risk. Risk uses a new 5-
point risk rating. The rating system is as follows:
l Critical: Applications that are used to conceal activity to evade detection.
l High: Applications that can cause data leakage, are prone to vulnerabilities, or
downloading malware.
l Medium: Applications that can be misused.
l Elevated: Applications that are used for personal communications or can lower
productivity.
l Low: Business related applications or other harmless applications.

Sessions (Blocked/Al- Displays the number of sessions blocked and allowed. Select the column header to sort
lowed) entries by sessions.

Bytes (Sent/Received) Displays the value for sent and received packets. Select the column header to sort entries by
bytes.

The following options are available:

Refresh Refresh the displayed information.

Search Click the search field to add a search filter and select the GO button to apply
the search filter. Alternatively, you can right-click the column entry to add the
search filter.

Devices Select the device or log array from the drop-down list or select All Devices.
Select the GO button to apply the device filter.

Time Period Select the time period from the drop-down list. Select Custom from the list to
specify the start and end date and time. Select the GO button to apply the time
period filter.

N When selecting a time period with last N in the entry, you can enter the value
for N in this text field.

Custom When Custom is selected the custom icon will be displayed. Select the icon to
change the custom time period.

Go Select the GO button to apply the filter.

138 Administration Guide

Fortinet Technologies Inc.
FortiView FortiView

Pagination Select the number of entries to display per page and browse pages.

Right-click menu

Source Select to drill down by source to view source related information including the
source IP address, device MAC address or FQDN, threat score (blocked/al-
lowed), number of sessions (blocked/allowed), and bytes (sent/received).
You can select to sort entries displayed by selecting the column header. You
can apply a search filter in the source (srcip) and device (dev_src) columns
to further filter the information displayed. Select the GO button to apply the
search filter.
Select the return icon to return to the Top Applications page.

Destination Select to drill down by destination to view destination related information includ-
ing the destination IP address and geographic region, the threat score
(blocked/allowed), number of sessions (blocked/allowed), and bytes (sen-
t/received). You can select to sort entries displayed by selecting the column
header.
You can apply a search filter in the destination (dstip) column to further filter
the information displayed. Select the GO button to apply the search filter.
Select the return icon to return to the Top Applications page.

Threat Select to drill down by threat to view threat related information including the
threat type, category, threat level, threat score (blocked/allowed), and number
of incidents (blocked/allowed).
You can select to sort entries displayed by selecting the column header. You
can apply a search filter in the threat (threat) or category (threattype)
columns to further filter the information displayed. Select the GO button to
apply the search filter.
Select the return icon to return to the Top Applications page.

Sessions Select to drill down by sessions to view session related information including
date/time, source/device, destination IP address and geographic region, ser-
vice, bytes (sent/received), user, application, and security action.
You can select to sort entries displayed by selecting the column header. You
can apply a search filter in the destination (dstip), service (service), user
(user), or application (app) columns to further filter the information displayed.
Select the GO button to apply the search filter.
Select the return icon to return to the Top Applications page.

Search Add a search filter and select the GO button to apply the filter.

Administration Guide 139

Fortinet Technologies Inc.
 FortiView FortiView

Top Destinations

The Top Destinations dashboard shows information about the destination IP addresses of traffic on your FortiGate
unit, as well as the application used. You can drill down the displayed information, select the device and time period,
and apply search filters.

Top destinations

The following information is displayed:

Destination Displays the destination IP address and geographic region. A flag icon is displayed to the
left of the IP address. Select the column header to sort entries by destination. You can apply
a search filter to the destination (dstip) column.

Application Displays the application port and service. When the information displayed exceeds the
column width, hover the mouse cursor over the entry in the column for a full list. Select the
column header to sort entries by application. You can apply a search filter to the application
(app) column.

Sessions (Blocked/Al- Displays the number of sessions blocked/allowed. Select the column header to sort entries
lowed) by sessions.

Bytes (Sent/Received) Displays the value for sent and received packets. Select the column header to sort entries by
bytes.

The following options are available:

Refresh Refresh the displayed information.

140 Administration Guide

Fortinet Technologies Inc.
FortiView FortiView

Search Click the search field to add a search filter and select the GO button to apply the search fil-
ter. Alternatively, you can right-click the column entry to add the search filter.

Devices Select the device or log array from the drop-down list or select All Devices. Select the GO
button to apply the device filter.

Time Period Select the time period from the drop-down list. Select Custom from the list to specify the
start and end date and time. Select the GO button to apply the time period filter.

N When selecting a time period with last N in the entry, you can enter the value for N in this
text field.

Custom When Custom is selected the custom icon will be displayed. Select the icon to change
the custom time period.

Go Select the GO button to apply the filter.

Pagination Select the number of entries to display per page and browse pages.

Right-click menu

Application Select to drill down by application to view application related information including the ser-
vice and port, number of sessions (blocked/allowed), and bytes (sent/received).
You can select to sort entries displayed by selecting the column header. You can apply a
search filter in the application (app) column to further filter the information displayed.
Select the GO button to apply the search filter.
Select the return icon to return to the Top Destinations page.

Source Select to drill down by source to view source related information including the source IP
address, device MAC address or FQDN, threat score (blocked/allowed), number of ses-
sions (blocked/allowed), and bytes (sent/received).
You can select to sort entries displayed by selecting the column header. You can apply a
search filter in the source (srcip) and device (dev_src) columns to further filter the
information displayed. Select the GO button to apply the search filter.
Select the return icon to return to the Top Destinations page.

Threat Select to drill down by threat to view threat related information including the threat type,
category, threat level, threat score (blocked/allowed), and number of incidents (blocked/al-
lowed). You can select to sort entries displayed by selecting the column header. You can
apply a search filter in the threat (threat) or category (threattype) columns to fur-
ther filter the information displayed. Select the GO button to apply the search filter.
Select the return icon to return to the Top Destinations page.

Administration Guide 141

Fortinet Technologies Inc.
 FortiView FortiView

Sessions Select to drill down by sessions to view session related information including date/time,
source/device, destination IP address and geographic region, service, bytes (sen-
t/received), user, application, and security action.
You can select to sort entries displayed by selecting the column header. You can apply a
search filter in the destination (dstip), service (service), user (user), or application
(app) columns to further filter the information displayed. Select the GO button to apply
the search filter.
Select the return icon to return to the Top Sources page.

Search Add a search filter and select the GO button to apply the filter.

Top Web Sites

The Top Web Sites dashboard lists the top allowed and top blocked web sites. You can drill down the displayed
information, select the device and time period, and apply search filters.

Top web sites

The following information is displayed:

Domain Displays the domain name. Select the column header to sort entries by domain. You can
apply a search filter to the domain (domain) column.
This column is only shown when Domain is selected in the domain/category drop-down list.

Category Displays the web site category. When the information displayed exceeds the column width,
hover the mouse cursor over the entry in the column for a full list. Select the column header
to sort entries by category.

Browsing Time Displays the web site browsing time. Select the column header to sort entries by browsing
time.

142 Administration Guide

Fortinet Technologies Inc.
FortiView FortiView

Threat Score Displays the web site threat score for blocked and allowed traffic. Select the column header
(Blocked/Allowed) to sort entries by threat score.

Sessions (Blocked/Al- Displays the number of sessions blocked and allowed. Select the column header to sort
lowed) entries by sessions.

Bytes (Sent/Received) Displays the value for sent and received packets. Select the column header to sort entries by
bytes.

The following options are available:

Refresh Refresh the displayed information.

Search Click the search field to add a search filter and select the GO button to apply the search
filter. Alternatively, you can right-click the column entry to add the search filter.

Devices Select the device or log array from the drop-down list or select All Devices. Select the
GO button to apply the device filter.

Time Period Select the time period from the drop-down list. Select Custom from the list to specify the
start and end date and time. Select the GO button to apply the time period filter.

N When selecting a time period with last N in the entry, you can enter the value for N in this
text field.

Custom When Custom is selected the custom icon will be displayed. Select the icon to change
the custom time period.

Domain/Category Select to view information based on either the domain or the category.

Go Select the GO button to apply the filter.

Pagination Select the number of entries to display per page and browse pages.

Right-click menu

Source Select to drill down by source to view source related information including the source IP
address, device IP address or FQDN, threat score (blocked/allowed), number of sessions
(blocked/allowed), and bytes (sent/received). You can select to sort entries displayed by
selecting the column header.
You can apply a search filter in the source (srcip) and device (dev_src) columns to
further filter the information displayed. Select the GO button to apply the search filter.
Select the return icon to return to the Top Web Sites page.

Administration Guide 143

Fortinet Technologies Inc.
 FortiView FortiView

Destination Select to drill down by destination to view destination related information including the
destination IP address and geographic region, the threat score (blocked/allowed), num-
ber of sessions (blocked/allowed), and bytes (sent/received).
You can select to sort entries displayed by selecting the column header. You can apply a
search filter in the destination (dstip) column to further filter the information displayed.
Select the GO button to apply the search filter.
Select the return icon to return to the Top Web Sites page.

Category Select to drill down by category to view category related information including category,
browsing time, threat score (blocked/allowed), number of sessions (blocked/allowed),
and bytes (sent/received).
You can select to sort entries displayed by selecting the column header. Select the GO
button to apply the search filter.
Select the return icon to return to the Top Web Sites page.

Threat Select to drill down by threat to view threat related information including the threat type,
category, threat level, threat score (blocked/allowed), and number of incidents
(blocked/allowed). You can select to sort entries displayed by selecting the column
header. You can apply a search filter in the threat (threat) or category (threattype)
columns to further filter the information displayed. Select the GO button to apply the
search filter.
Select the return icon to return to the Top Destinations page.

Sessions Select to drill down by sessions to view session related information including date/time,
source/device, destination IP address and geographic region, service, bytes (sen-
t/received), user, application, and security action.
You can select to sort entries displayed by selecting the column header. You can apply a
search filter in the destination (dstip), service (service), user (user), or application
(app) columns to further filter the information displayed. Select the GO button to apply
the search filter.
Select the return icon to return to the Top Sources page.

Search Add a search filter and select the GO button to apply the filter.

Top Threats

The Top Threats dashboard lists the top users involved in incidents, as well as information on the top threats to your
network. You can drill down the displayed information, select the device and time period, and apply search filters.

144 Administration Guide

Fortinet Technologies Inc.
FortiView FortiView

If you are running FortiOS v5.0.x, you must enable Client Reputation in the security profiles on
the FortiGate in order to view entries in the Top Threats section of FortiView in FortiAnalyzer.

The following incidents are considered threats:

l Risk applications detected by application control

l Intrusion incidents detected by IPS
l Malicious web sites detected by web filtering
l Malware/botnets detected by antivirus.

Top threats

The following information is displayed:

Threat Displays the threat type. Select the column header to sort entries by threat. You can apply a
search filter to the threat (threat) column.

Category Displays the threat category. Select the column header to sort entries by category. You can
apply a search filter to the category (threattype) column.

Threat Level Displays the threat level. Select the column header to sort entries by threat level.

Threat Score Displays the threat score for blocked and allowed traffic. Select the column header to sort
(Blocked/Allowed) entries by threat score.

Incidents (Blocked/Al- Displays the number of incidents blocked and allowed. Select the column header to sort
lowed) entries by incidents.

The following options are available:

Administration Guide 145

Fortinet Technologies Inc.
FortiView FortiView

Refresh Refresh the displayed information.

Search Click the search field to add a search filter and select the GO button to apply the search filter.
Alternatively, you can right-click the column entry to add the search filter.

Devices Select the device or log array from the drop-down list or select All Devices. Select the GO
button to apply the device filter.

Time Period Select the time period from the drop-down list. Select Custom from the list to specify the
start and end date and time. Select the GO button to apply the time period filter.

N When selecting a time period with last N in the entry, you can enter the value for N in this
text field.

Custom When Custom is selected the custom icon will be displayed. Select the icon to change the
custom time period.

Go Select the GO button to apply the filter.

Pagination Select the number of entries to display per page and browse pages.

Right-click menu

Source Select to drill down by source to view source related information including the source IP
address, device MAC address or FQDN, threat score (blocked/allowed), bytes (sen-
t/received), and incidents (blocked/allowed).
You can select to sort entries displayed by selecting the column header. You can apply a
search filter in the source (srcip) and device (dev_src) columns to further filter the inform-
ation displayed. Select the GO button to apply the search filter.
Select the return icon to return to the Top Threats page.

Destination Select to drill down by destination to view destination related information including the des-
tination IP address and geographic region, the threat score (blocked/allowed), bytes (sen-
t/received), and incidents (blocked/allowed).
You can select to sort entries displayed by selecting the column header. You can apply a
search filter in the destination (dstip) column to further filter the information displayed.
Select the GO button to apply the search filter.
Select the return icon to return to the Top Threats page.

146 Administration Guide

Fortinet Technologies Inc.
 FortiView FortiView

Sessions Select to drill down by sessions to view session related information including date/time,
source/device, destination IP address and geographic region, service, bytes (sent/received),
user, application, and security action.
You can select to sort entries displayed by selecting the column header. You can apply a
search filter in the destination (dstip), service (service), user (user), or application
(app) columns to further filter the information displayed. Select the GO button to apply the
search filter.
Select the return icon to return to the Top Threats page.

Search Add a search filter and select the GO button to apply the filter.

Top Cloud Applications/Users

The Top Cloud Applications/Users dashboard displays information about the cloud application/user traffic on your
FortiGate unit. You can drill down the displayed information, select the device and time period, and apply search
filters.

Top cloud applications

The following information is displayed:

Application Displays the application name. Select the column header to sort entries by application. You
can apply a search filter to the application (app) column.

User Displays the user name. Select the column header to sort entries by user. This column is
only shown when Cloud Users is selected in the applications/users drop-down list.

Category Displays the application category. Select the column header to sort entries by category. You
can apply a search filter to the category (appcat) column.
This column is only shown when Cloud Applications is selected in the applications/users
drop-down list.

Administration Guide 147

Fortinet Technologies Inc.
FortiView FortiView

Risk Displays the application risk level. Hover the mouse cursor over the entry in the column for
additional information. Select the column header to sort entries by risk. Risk uses a new 5-
point risk rating. The rating system is as follows:
l Critical: Applications that are used to conceal activity to evade detection.
l High: Applications that can cause data leakage, are prone to vulnerabilities, or
downloading malware.
l Medium: Applications that can be misused.
l Elevated: Applications that are used for personal communications or can lower
productivity.
l Low: Business related applications or other harmless applications.
This column is only shown when Cloud Applications is selected in the applications/users
drop-down list.

Login IDs Displays the number of login IDs associated with the application. Select the column header
to sort entries by login ID.
This column is only shown when Cloud Applications is selected in the applications/users
drop-down list.

Sessions (Blocked/Al- Displays the number of sessions associated with the application that are blocked or allowed.
lowed) Select the column header to sort entries by sessions.

File (Up/Down) Displays the number of files uploaded and downloaded. Hover the mouse cursor over the
entry in the column for additional information. Select the column header to sort entries by
file.

Videos Played Displays the number of videos played using the application. Select the column header to
sort entries by videos played.

Bytes (Sent/Received) Displays the value for sent and received packets. Select the column header to sort entries by
bytes.

The following options are available:

Search Click the search field to add a search filter and select the GO button to apply the search fil-
ter. Alternatively, you can right-click the column entry to add the search filter.

Devices Select the device or log array from the drop-down list or select All Devices. Select the GO
button to apply the device filter.

Time Period Select the time period from the drop-down list. Select Custom from the list to specify the
start and end date and time. Select the GO button to apply the time period filter.

148 Administration Guide

Fortinet Technologies Inc.
FortiView FortiView

N When selecting a time period with last N in the entry, you can enter the value for N in this
text field.

Custom When Custom is selected the custom icon will be displayed. Select the icon to change the
custom time period.

Cloud Applications / Select to view information based on either applications or users.

Cloud Users

Go Select the GO button to apply the filter.

Pagination Select the number of entries to display per page and browse pages.

Right-click menu

Cloud Users / Cloud Select to drill down by cloud users to view user related information including IP address,
Applications source IP address, number of files uploaded and downloaded, number of videos plays, num-
ber of sessions, and bytes (sent/received).
You can select to sort entries displayed by selecting the column header. You can apply a
search filter in the user (clouduser) and source (source) columns to further filter the
information displayed. Select the GO button to apply the search filter.
Select the return icon to return to the Top Cloud Applications page.

Files Select to drill down by files to view file related information including the user email address,
source IP address, file name, and file size.
You can select to sort entries displayed by selecting the column header. You can apply a
search filter in the user (clouduser) and source (srcip) columns to further filter the
information displayed. Select the GO button to apply the search filter.
Select the return icon to return to the Top Cloud Applications page.

Videos Select to drill down by videos to view video related information including the user email
address, source IP address, file name, and file size.
You can select to sort entries displayed by selecting the column header. You can apply a
search filter in the user (clouduser) and source (srcip) columns to further filter the
information displayed. Select the GO button to apply the search filter.
Select the return icon to return to the Top Cloud Applications page.

Administration Guide 149

Fortinet Technologies Inc.
 FortiView FortiView

Sessions Select to drill down by sessions to view session related information including the date and
time, source/device IP address, destination IP address, service, number of packets sent and
received, user, application, and security action.
You can select to sort entries displayed by selecting the column header. You can apply a
search filter in the destination (dstip), service (service), user (user), and application
(app) columns to further filter the information displayed.
Select the GO button to apply the search filter. Select the return icon to return to the Top
Cloud Applications page.

Search Add a search filter and select the GO button to apply the filter.

System Events

The System Events dashboard displays an aggregated view of system related events. You can drill down the
displayed information, select the device and time period, and apply search filters.

System events

The following information is displayed:

Event Name (Descrip- Displays the event log description. Select the column header to sort entries by event name.
tion) You can apply a search filter to the Event Name (event_name) column.

Severity Displays the severity level. Select the column header to sort entries by severity.

Counts Displays the number count. Select the column header to sort entries by count.

The following options are available:

150 Administration Guide

Fortinet Technologies Inc.
 FortiView FortiView

Refresh Refresh the displayed information.

Search Click the search field to add a search filter and select the GO button to apply the search filter.
Alternatively, you can right-click the column entry to add the search filter.

Devices Select the device or log array from the drop-down list or select All Devices. Select the GO
button to apply the device filter.

Time Period Select the time period from the drop-down list. Select Custom from the list to specify the
start and end date and time. Select the GO button to apply the time period filter.

N When selecting a time period with last N in the entry, you can enter the value for N in this
text field.

Custom When Custom is selected the custom icon will be displayed. Select the icon to change the
custom time period.

Severity Select the severity level from the drop-down list. Select one of the following options: >=Info,
>=Low, >=Medium, >=High, or >=Critical.

Go Select the GO button to apply the filter.

Pagination Select the number of entries to display per page and browse pages.

Right-click menu

Log View Right-click on a column and select Log View to view the log entries for the selected entry.
Alternatively, double-click the column entry to view the Log View page.
Select the return icon to return to the System and Admin page.

Search Add a search filter and select the GO button to apply the filter.

Admin Logins

The Admin Login dashboard displays an aggregated view of admin related events such as admin log in and failed log
in attempts. You can drill down the displayed information, select the device and time period, and apply search filters.

Admin Logins

Administration Guide 151

Fortinet Technologies Inc.
FortiView FortiView

The following information is displayed:

User Displays the administrator user name. Select the column header to sort entries by user. You
can apply a search filter to the User (f_user) column

Duration Displays the login duration in seconds. Select the column header to sort entries by duration.

Logins Displays the number of log ins. Select the column header to sort entries by logins.

Failed Logins Displays the number of failed log ins. Select the column header to sort entries by failed
logins.

Configuration Changes Displays the number of configuration changes made by the user. Select the column header
to sort entries by number of configuration changes.

The following options are available:

Refresh Refresh the displayed information.

Search Click the search field to add a search filter and select the GO button to apply the search filter.
Alternatively, you can right-click the column entry to add the search filter.

Devices Select the device or log array from the drop-down list or select All Devices. Select the GO but-
ton to apply the device filter.

Time Period Select the time period from the drop-down list. Select Custom from the list to specify the start
and end date and time. Select the GO button to apply the time period filter.

152 Administration Guide

Fortinet Technologies Inc.
 FortiView FortiView

N When selecting a time period with last N in the entry, you can enter the value for N in this text
field.

Custom When Custom is selected the custom icon will be displayed. Select the icon to change the cus-
tom time period.

Severity Select the severity level from the drop-down list. Select one of the following options: >=Info,
>=Low, >=Medium, >=High, or >=Critical.

Go Select the GO button to apply the filter.

Pagination Select the number of entries to display per page and browse pages.

Right-click menu

Log View Right-click on a column and select Log View to view the log entries for the selected entry.
Alternatively, double-click the column entry to view the Log View page. Select the return icon
to return to the System and Admin page.

Search Add a search filter and select the GO button to apply the filter.

SSL & Dialup IPsec

The SSL and Dialup IPsec dashboard displays SSL and dialup IPsec VPN events. You can drill down the displayed
information, select the device and time period, and apply search filters.

SSL & Dialup IPsec

The following information is displayed:

Administration Guide 153

Fortinet Technologies Inc.
FortiView FortiView

User Displays the user name connecting to the tunnel. Select the column header to sort entries
by user. You can apply a search filter to the user (f_user) column.

VPN Type Displays the VPN type, e.g. ssl-tunnel, ssl-web. You can apply a search filter to the VPN
Type (tunneltype) column.

Connected From Displays the connected from IP address.

Number of Connections Displays the number of connections. Select the column header to sort entries by number of
connections.

Duration Displays the duration the tunnel has been connected. Select the column header to sort
entries by duration.

Bytes (Sent/Received) Displays the value for sent and received packets. Select the column header to sort entries by
bytes.

The following options are available:

Refresh Refresh the displayed information.

Search Click the search field to add a search filter and select the GO button to apply the search
filter. Alternatively, you can right-click the column entry to add the search filter.

Devices Select the device or log array from the drop-down list or select All Devices. Select the
GO button to apply the device filter.

Time Period Select the time period from the drop-down list. Select Custom from the list to specify the
start and end date and time. Select the GO button to apply the time period filter.

N When selecting a time period with last N in the entry, you can enter the value for N in this
text field.

Custom When Custom is selected the custom icon will be displayed. Select the icon to change
the custom time period.

Go Select the GO button to apply the filter.

Pagination Select the number of entries to display per page and browse pages.

Right-click menu

154 Administration Guide

Fortinet Technologies Inc.
 FortiView FortiView

Dialup Session Right-click on a column and select Dialup Session to view the session related inform-
ation. Alternatively, double-click the column entry to view the Dialup Session page.
You can apply a search filter for the Tunnel ID (tunnelid) column.
Select the return icon to return to the SSL & Dialup IPsec page.

Search Add a search filter and select the GO button to apply the filter.

Site-to-Site IPsec

The Site-to-Site IPsec dashboard displays site-to-site IPsec VPN events. You can drill down the displayed
information, select the device and time period, and apply search filters.

Site-to-Site IPsec

The following information is displayed:

Site-to-Site IPSec Tun- Displays the site-to-site VPN tunnel name. You can apply a search filter to the Site-to-Site
nel IPSec Tunnel (vpntunnel) column.

Initiating FGT Displays the initiating IP address.

Connected From Displays the connected from IP address.

Duration Displays the duration the tunnel has been connected. Select the column header to sort
entries by duration.

Bytes (Sent/Received) Displays the value for sent and received packets. Select the column header to sort entries by
bytes.

Administration Guide 155

Fortinet Technologies Inc.
FortiView FortiView

The following options are available:

Refresh Refresh the displayed information.

Search Click the search field to add a search filter and select the GO button to apply the search filter.
Alternatively, you can right-click the column entry to add the search filter.

Devices Select the device or log array from the drop-down list or select All Devices. Select the GO but-
ton to apply the device filter.

Time Period Select the time period from the drop-down list. Select Custom from the list to specify the start
and end date and time. Select the GO button to apply the time period filter.

N When selecting a time period with last N in the entry, you can enter the value for N in this text
field.

Custom When Custom is selected the custom icon will be displayed. Select the icon to change the
custom time period.

Go Select the GO button to apply the filter.

Pagination Select the number of entries to display per page and browse pages.

Right-click menu

Log View Right-click on a column and select Log View to view the log entries for the selected entry.
Alternatively, double-click the column entry to view the Log View page.
Select the return icon to return to the Site-to-Site IPsec page.

Search Add a search filter and select the GO button to apply the filter.

Rogue APs

The Rogue APs dashboard displays rogue AP events. You can drill down the displayed information, select the device
and time period, and apply search filters.

Rogue APs

156 Administration Guide

Fortinet Technologies Inc.
FortiView FortiView

The following information is displayed:

SSID Displays the service set identification (SSID). You can apply a search filter to the SSID
(ssid) column.

Security Type Displays the security type, e.g. WPA, WPA2, WPA Auto, Open. You can apply a search filter
to the Security Type (securitymode) column.

Channel Displays the channel.

Radio Band Displays the radio band, e.g. 802.11n, 802.11g.

Vendor Info Displays the vendor information. You can apply a search filter to the Vendor Info (manuf)
column.

Total Live Time Displays the total live time in the format HH:MM:SS. Select the column header to sort
(HH:MM) entries by total live time.

The following options are available:

Refresh Refresh the

displayed
information.

Administration Guide 157

Fortinet Technologies Inc.
FortiView FortiView

Search Click the

search field
to add a
search filter
and select
the GO but-
ton to apply
the search fil-
ter. Altern-
atively, you
can right-
click the
column entry
to add the
search filter.

Devices Select the

device or log
array from
the drop-
down list or
select All
Devices.
Select the
GO button to
apply the
device filter.

158 Administration Guide

Fortinet Technologies Inc.
FortiView FortiView

Time Period Select the

time period
from the
drop-down
list. Select
Custom
from the list
to specify
the start and
end date and
time. Select
the GO but-
ton to apply
the time
period filter.

N When select-
ing a time
period with
last N in the
entry, you
can enter the
value for N in
this text
field.

Custom When Cus-

tom is selec-
ted the
custom icon
will be dis-
played.
Select the
icon to
change the
custom time
period.

Administration Guide 159

Fortinet Technologies Inc.
FortiView FortiView

Go Select the
GO button to
apply the fil-
ter.

Pagination Select the

number of
entries to dis-
play per
page and
browse
pages.

Right-click menu

Log View Right-click

on a column
and select
Log View to
view the log
entries for
the selected
entry. Altern-
atively,
double-click
the column
entry to view
the Log
View page.
Select the
return icon to
return to the
Rogue APs
page.

Search Add a search

filter and
select the
GO button to
apply the fil-
ter.

160 Administration Guide

Fortinet Technologies Inc.
 FortiView FortiView

Resource usage

The Resource Usage dashboard displays device CPU, memory, logging, and other performance information. You can
drill down the displayed information, select the device and time period, and apply search filters.

Resource usage

The following information is displayed:

Device Name Displays the device name. Select the column header to sort entries by device name.

IP Address Displays the IP address of the device.

CPU Usage Displays the device CPU usage as a percentage. Select the column header to sort entries by
CPU usage.

Memory Usage Displays the device memory usage as a percentage. Select the column header to sort
entries by memory usage.

Logs Per Second Displays the number of logs per second including the top 3 log types.

Sessions Displays the number of concurrent sessions for the device. Select the column header to sort
entries by sessions.

Bytes Displays the bytes for the device. Select the column header to sort entries by bytes.

The following options are available:

Refresh Refresh the displayed information.

Search Click the search field to add a search filter and select the GO button to apply the search fil-
ter. Alternatively, you can right-click the column entry to add the search filter.

Administration Guide 161

Fortinet Technologies Inc.
FortiView Log view

Devices Select the device or log array from the drop-down list or select All Devices. Select the GO
button to apply the device filter.

Time Period Select the time period from the drop-down list. Select Custom from the list to specify the
start and end date and time. Select the GO button to apply the time period filter.

N When selecting a time period with last N in the entry, you can enter the value for N in this
text field.

Custom When Custom is selected the custom icon will be displayed. Select the icon to change the
custom time period.

Go Select the GO button to apply the filter.

Pagination Select the number of entries to display per page and browse pages.

Right-click menu

Resource Usage Drill- Right-click on a column and select Resource Usage Drilldown to view a graphical rep-
down resentaion of resource usage. Alternatively, double-click the column entry to view the
Resource Usage Drilldown page.
Select the return icon to return to the Resource Usage page.

Search Add a search filter and select the GO button to apply the filter.

Log view

Logging and reporting can help you determine what is happening on your network, as well as informing you of certain
network activity, such as the detection of a virus, or IPsec VPN tunnel errors. Logging and reporting go hand in hand,
and can become a valuable tool for information gathering, as well as displaying the activity that is happening on the
network.

Your FortiAnalyzer device collects logs from managed FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager,
FortiSandbox, FortiWeb, FortiClient, and syslog servers.

162 Administration Guide

Fortinet Technologies Inc.
Log view FortiView

Collected logs

Device Type Log Type

FortiGate Traffic
Event: Endpoint, HA, System, Router, VPN, User, WAN Opt. & Cache, and
Wireless
Security: Vulnerability Scan, AntiVirus, Web Filter, Application Control, Intru-
sion Prevention, Email Filter, Data Leak Prevention
FortiClient
VoIP
Content logs are also collected for FortiOS 4.3 devices.

FortiCarrier Traffic, Event

FortiCache Traffic, Event, Antivirus, Web Filter

FortiClient Traffic , Event

FortiMail History, Event, Antivirus, Email Filter

FortiManager Event

FortiSandbox Malware, Network Alerts

FortiWeb Event, Intrusion Prevention, Traffic

Syslog Generic

Traffic logs record the traffic that is flowing through your FortiGate unit. Since traffic needs firewall policies to properly
flow through the unit, this type of logging is also referred to as firewall policy logging. Firewall policies control all traffic
that attempts to pass through the FortiGate unit, between FortiGate interfaces, zones and VLAN sub-interfaces.

The event log records administration management as well as Fortinet device system activity, such as when a
configuration has changed, or admin login or HA events occur. Event logs are important because they record Fortinet
device system activity, which provides valuable information about how your Fortinet unit is performing. The FortiGate
event logs includes System, Router, VPN , and User menu objects to provide you with more granularity when viewing
and searching log data.

Security logs (FortiGate) record all antivirus, web filtering, application control, intrusion prevention, email filtering, data
leak prevention, vulnerability scan, and VoIP activity on your managed devices.

The logs displayed on your FortiAnalyzer are dependent on the device type logging to it and the
features enabled. FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb,
FortiSandbox, FortiClient and Syslog logging is supported. ADOMs must be enabled to support
non-FortiGate logging.

Administration Guide 163

Fortinet Technologies Inc.
 FortiView Log view

For more information on logging see the Logging and Reporting for FortiOS Handbook in the Fortinet Document
Library.
The Log View menu displays log messages for connected devices. You can also view, import, and export log files that
are stored for a given device, and browse logs for all devices.

When rebuilding the SQL database, Log View will not be available until after the rebuild is com-
pleted. Although you can view older logs, new logs will not be inserted into the database until after
the rebuild is completed. Select the Show Progress link in the message to voew the status of the
SQL rebuild.

Viewing log messages

To view log messages, select the FortiView tab, select Log View in the left tree menu, then browse to the ADOM
whose logs you would like to view in the tree menu. You can view the traffic log, event log, or security log information
per device or per log array. FortiMail and FortiWeb logs are found in their respective default ADOMs. For more
information on FortiGate raw logs, see the FortiGate Log Message Reference in the Fortinet Document Library. For
more information on other device raw logs, see the Log Message Reference for the platform type.

Log View (formatted display)

This page displays the following information and options:

164 Administration Guide

Fortinet Technologies Inc.
Log view FortiView

Refresh Select the icon to refresh the log view. This option is only available when view-
ing historical logs.

Search Enter a search term to search the log messages. See "FortiView" on page 172.
You can also right-click an entry in one of the columns and select to add a
search filter. Select GO in the toolbar to apply the filter. Not all columns sup-
port the search feature.

Latest Search Select the icon to repeat previous searches, select favorite searches, or quickly
add filters to your search. The filters available will vary based on device and log
type.

Clear Search Select the icon to clear search filters.

Help Hover your mouse over the help icon, for example search syntax. See
"FortiView" on page 172.

Device Select the device or log array in the drop-down list. Select Manage Log Arrays
in the Tools menu to create, edit, or delete log arrays.

Time Period Select a time period from the drop-down list. Options include: Last 30 mins,
Last 1 hour, Last 4 hours, Last 12 hours, Last 1 day, Last 7 days, Last N
hours, Last N days, or Custom. See "FortiView" on page 172.
This option is only available when viewing historical logs.

GO Select the icon to apply the time period and limit to the displayed log entries. A
progress bar is displayed in the lower toolbar.

Custom View Select to create a new custom view. You can select to create multiple custom
views in log view. Each custom view can display a select device or log array
with specific filters and time period. See "FortiView" on page 171. Custom
views are displayed under the Custom View menu.
This option is only available when viewing historical logs.

Pause | Resume Pause or resume real-time log display. These two options are only available
when viewing real-time logs.

Tools The tools button provides options for changing the manner in which the logs
are displayed, and search and column options. You can manage log arrays and
it also provides an option for downloading logs, see "FortiView" on page 173.

Real-time Log Select to change view from Real-time Log to Historical Log.
Historical Log

Administration Guide 165

Fortinet Technologies Inc.
FortiView Log view

Display Raw Select to change view from formatted display to raw log display.

Download Select to download logs. A download dialog box is displayed. Select the log file
format, compress with gzip, the pages to include and select Apply to save the
log file to the management computer.
This option is only available when viewing historical logs in formatted display.

Manage Log Arrays Select to create new, edit, and delete log arrays. Once you have created a log
array, you can select the log array in the Device drop-down menu in the Log
View toolbar.
In FortiAnalyzer v5.2.0 and later, when selecting to add a device with VDOMs,
all VDOMs are automatically added to the Log Array.

Case Sensitive Search Select to enable case sensitive search.

Enable Column Filter Select to enable column filters.

Logs The columns and information shown in the log message list will vary depend-
ing on the selected log type, the device type, and the view settings. Right-click
on various columns to add search filters to refine the logs displayed. When a
search filter is applied, the value is highlighted in the table and log details.

Log Details Detailed information on the log message selected in the log message list. The
item is not available when viewing raw logs. See Log details for more inform-
ation.
Log Details are only displayed when enabled in the Tools menu.

Status Bar Displays the log view status as a percentage.

Pagination Adjust the number of logs that are listed per page and browse through the
pages.

Limit Select the maximum number of log entries to be displayed from the drop-down
list. Options include: 1000, 5000, 10000, 50000, or All.

Display Log Details Select the icon to the right of Limit to display the log details window.

Archive Information about archived logs, when they are available. The item is not
available when viewing raw logs, or when the selected log message has
no archived logs. When an archive is available, the archive icon is
displayed. See Archive for more information.

This option is only available when viewing historical logs in formatted

display and when an archive is available.

166 Administration Guide

Fortinet Technologies Inc.
 Log view FortiView

Customizing the log view

The log message list can show raw or formatted, real time or historical logs. The columns in the log message list can
be customized to show only relevant information in your preferred order.

Log display
By default, historical formatted logs are shown in the log message list. You can change the view to show raw logs and
both raw and formatted real time logs.

To view real time logs, in the log message list, select Tools, then select Real-time Log from the drop-down menu. To
return to the historical log view, select Tools, then select Historical Log from the drop-down menu.

To view raw logs, in the log message list, select View , then select Display Raw from the drop-down menu, Log view
(raw display). To return to the formatted log view, select Tools, then select Display Formatted from the drop-down
menu.

Log view (raw display)

This page displays the following information and options:

Refresh Select to refresh the log view. This option is only available when viewing historical
logs.

Search Enter a search term to search the log messages. See To perform a text search:.
Select GO in the toolbar to apply the filter.

Latest Search Select the icon to repeat previous searches, select favorite searches, or quickly add
filters to your search. The filters available will vary based on device and log type.

Administration Guide 167

Fortinet Technologies Inc.
FortiView Log view

Clear Search Select the icon to clear search filters.

Help Hover your mouse over the help icon, for example search syntax. See Examples.

Device Select the device or log array in the drop-down list. Select Manage Log Arrays in the
Tools menu to create, edit, or delete log arrays.

Time Period Select a time period from the drop-down list. Options include: Last 30 mins, Last 1
hour, Last 4 hours, Last 12 hours, Last 1 day, Last 7 days, Last N hours, Last N
days, or Custom. See To customize the time period:.
This option is only available when viewing historical logs.

GO Select to apply the time period and limit to the displayed log entries. A progress bar
is displayed in the lower toolbar.

Create Custom View Select to create a new custom view. You can select to create multiple custom views
in log view. Each custom view can display a select device or log array with specific fil-
ters and time period. See To create a new custom view:.
This option is only available when viewing historical logs.

Pause | Resume Pause or resume real-time log display. These two options are only available when
viewing real-time logs.

Tools The tools button provides options for changing the manner in which the logs are dis-
played, and search options. You can manage log arrays and it also provides an
option for downloading logs, see Download log messages.

Real-time Log Select to change view from Real-time Log to Historical Log.
Historical Log

Display Formatted Select to change view from raw log display to formatted log display.

Download Select to download logs. A download dialog box is displayed. Select the log file
format, compress with gzip, the pages to include and select Apply to save the log file
to the management computer.
This option is only available when viewing historical logs in formatted display.

Manage Log Arrays Select to create new, edit, and delete log arrays. Once you have created a log array,
you can select the log array in the Device drop-down menu in the Log View toolbar.

Case Sensitive Search Select to enable case sensitive search.

Detailed Information Detailed information on the log message selected in the log message list. The item
is not available when viewing raw logs.

168 Administration Guide

Fortinet Technologies Inc.
Log view FortiView

Status Bar Displays the log view status as a percentage.

Pagination Adjust the number of logs that are listed per page and browse through the pages.

Limit Select the maximum number of log entries to be displayed from the drop-down list.
Options include: 1000, 5000, 10000, 50000, or All.

The selected log view will affect the other options that are available in the View drop-down menu. Real-time logs
cannot be downloaded, and raw logs to not have the option to customize the columns.

Columns
The columns displayed in the log message list can be customized and reordered as needed. Filters can also be applied
to the data in a column.

To customize the displayed columns:

1. In the log message list, right-click on a column heading. The Column Settings pop-up menu opens.

Column settings pop-up

2. Select a column to hide or display, select Reset to Default to reset to the default columns, or select More
Columns to open the Column Settings window.

The available column settings will vary based on the device and log type selected.

Column settings window

Administration Guide 169

Fortinet Technologies Inc.
FortiView Log view

a. In the Column Settings window, multiple columns can be added or removed as required, and the order of the
displayed columns can be adjusted by dragging and dropping the column names.
b. To reset to the default columns, select Reset to Default.
c. Select OK to apply your changes.

To filter column data:

1. In the log message list, select Tools, then select Enable Column Filter from the drop-down menu to enable
column filters.
2. In the heading of the column you need to filter, select the filter icon. The filter icon will only be shown on columns
that can filtered.

The Filter Settings dialog box opens.

Filter settings

3. Enable the filter, then enter the required information to filter the selected column. The filter settings will vary
based on the selected column.
4. Select Apply to apply the filter to the data.

The column’s filter icon will turn green when the filter is enabled, Downloading the current view will only download the
log messages that meet the current filter criteria.

170 Administration Guide

Fortinet Technologies Inc.
 Log view FortiView

Custom views

Select Create Custom View in the toolbar to create a new custom log view. Use Custom View to save a custom
search, device selection, and time period so that you can select this view at any time to view results without having to
re-select these criteria. Custom views are listed under the Custom View menu and allow you to quickly view log data
based on specific time and content filters without having to re-configure filters.

To create a new custom view:

1. In the Log View pane, select a log type.

2. Enter a search term, select a device or devices, select a time period, limit the number of logs to display as needed,
then select Custom View . The Create New Custom View dialog box is displayed.

Create new custom view

3. Enter a name for the new custom view. All other fields are read-only. The new custom view is saved to the Custom
View folder in the ADOM.

To edit a custom view:

1. In the Log View pane, select the Custom View folder in the tree menu.
2. Select the custom view you would like to edit.
3. Edit the custom search, devices, time period, limit the number of logs to display, and select GO.
4. Right-click the name of the custom view and select Save to save your changes.

To rename a custom view:

1. In the Log View pane, select an ADOM, and select the Custom View folder.
2. Right-click the name of the custom view and select Rename in the menu. The Rename Custom View dialog box
opens.
3. Edit the name and select OK to save your changes.

To delete a custom view:

1. In the Log View pane, select an ADOM, and select the Custom View folder.
2. Right-click the name of the custom view and select Delete in the menu.
3. Select OK in the confirmation dialog box to delete the view.

Administration Guide 171

Fortinet Technologies Inc.
 FortiView Log view

Searching log messages

Log messages can be searched based on a text string and/or time period. Recent searches can be quickly repeated, a
time period can be specified or customized, and the number of displayed logs can be limited. A text string search can
be case sensitive or not as required.

To perform a text search:

1. In the log message list, select Tools, then either select or deselect Case Sensitive Search from the drop-down
menu to enable or disable case sensitivity in the search string.
2. In the log message list, enter a text string in the search field in the following ways:
l Manually type in the text that you are searching for. Wildcard characters are accepted.
l Right-click on the element in the list that you would like to add to the search and select to search for strings that
either match or don’t match that value.
l Select a previous search or default filter, using the history icon. The available filters will vary depending on the
selected log type and displayed columns.

Search history

l Paste a saved search into the search field.

3. Select GO to search the log message list.

To customize the time period:

1. In the log message list, open the time period drop-down menu, and select Custom....The Custom Timeframe
dialog box opens.
2. Specify the desired time period using the From and To fields, or select Any Time to remove any time period from
the displayed data.
3. Select Apply to create the custom time period. A calendar icon will be shown next to the time period drop-down
list. Select it to adjust the custom time period settings.
4. Select GO to apply your settings to the log message list.

Examples
To view example text search strings, hover your cursor over the help icon.

Example searches

172 Administration Guide

Fortinet Technologies Inc.
 Log view FortiView

The first example will search for log messages with a source IP address of 172.16.86.11 and a service of HTTP.
Because it is not specified, the and operator is assumed, meaning that both conditions must be met for the log
message to be included in the search results.

The second example will search for any log messages with source IP addresses that start with either 172.16 or 172.18.
Notice the use of the * wildcard. The use of the or operator means that either condition can be met for the log
message to be included in the search results.

The third example will search for any log message that do not have a source IP address of 172.16.86.11 and a service
of HTTP. The use of the and operator means that both conditions must be met for the log message to be excluded
from the search results.

Download log messages

Log messages can be downloaded to the management computer as a text or CSV file. Real time logs cannot be
downloaded.

To download log messages:

1. In the log message list, select Tools, then select Download. The Download dialog box opens.
2. Select a log format from the drop down list, either Text or CSV.
3. Select Compress with gzip to compress the downloaded file.
4. Select Current Page to download only the current log message page, or All Pages to download all of the pages in
the log message list.
5. Select Apply to download the log messages to the management computer.

Log arrays

Log Array has been relocated to Log View in the FortiView tab from the Device Manager tab. Upon upgrading to
FortiAnalyzer v5.2.0 and later, all previously configured log arrays will be imported. In FortiAnalyzer v5.0.6 and earlier,
when creating a Log Array with both devices and VDOMs, you need to select each device and VDOM to add it to the
Log Array. In FortiAnalyzer v5.2.0 and later, when selecting to add a device with VDOMs, all VDOMs are automatically
added to the Log Array.

To create a new log array:

1. In the Log View pane, select the Tools button, and select Manage Log Arrays. The Manage Log Arrays dialog
box opens.
2. Select Create New in the dialog box toolbar. The Create New Log Array dialog box opens.

Administration Guide 173

Fortinet Technologies Inc.
FortiView Log view

Create new log array

3. Enter the following:

Name Enter a unique name for the log array.

Comments Enter optional comments for the log array.

Devices Select the add icon and select devices and VDOMs to add to the log array. Select OK in the
device selection window.

4. Select OK to create the new log array.

5. Select the close icon to close the Manage Log Arrays dialog box.

To edit a log array:

1. In the Log View pane, select Tools, and select Manage Log Arrays. The Manage Log Arrays dialog box is
displayed.
2. Select a log array entry and select Edit in the toolbar. The Edit Log Array dialog box is displayed.
3. Edit the log array name, comments, and devices as needed.
4. Select OK to save the log array.
5. Select the close icon to close the Manage Log Arrays dialog box.

To delete a log array:

1. In the Log View pane, select Tools, and select Manage Log Arrays. The Manage Log Arrays dialog box is
displayed.
2. Select the log array entry and select Delete in the toolbar.
3. Select OK in he confirmation dialog box to delete the log array.
4. Select the close icon to close the Manage Log Arrays dialog box.

174 Administration Guide

Fortinet Technologies Inc.
 Log view FortiView

Log details

Log details can be viewed for any of the collected logs. The details provided in vary depending on the device and type
of log selected. The fields available in the this pane cannot be edited or re-organized.

To view log details, select the log in the log message list. Click the log details icon to the left of the limit field, the log
details frame will be displayed in the lower frame of the content pane. Log details are not available when viewing raw
logs.

In the Log View pane, select the Tools button, and select Display Log Details to enable log details display.

Log details

Archive

The Archive tab is displayed next to the Log Details tab in the lower content pane when archived logs are available.
The archive icon is displayed in the log entry line to identify that an archive file is available.

Log archive

The name and size of the archived log files are listed in the table. Selecting the download button next to the file name
allows you to save the file to your computer.

Depending on the file type of the archived log file, the View Packet Log button may also be available next to the
download button. Select this button to open the View Packet Log dialog box, which displays the path and content of
the log file.

View packet log

Administration Guide 175

Fortinet Technologies Inc.
 FortiView Log view

Browsing log files

Go to FortiView > Log View > Log Browse to view log files stored for devices. In this page you can display, download,
delete, and import log files.

When a log file reaches its maximum size or a scheduled time, the FortiAnalyzer rolls the active log file by renaming
the file. The file name will be in the form of xlog.N.log, where x is a letter indicating the log type, and N is a unique
number corresponding to the time the first log entry was received.

For information about setting the maximum file size and log rolling options, see Configuring rolling and uploading of
logs.

If you display the log messages in formatted view, you can perform all the same actions as with the log message list.
See Viewing log messages.

Log file list window

176 Administration Guide

Fortinet Technologies Inc.
Log view FortiView

This page displays the following:

Delete Select the file of files whose log messages you want to delete, then select Delete, and
then select OK in the confirmation dialog box.

Display Select the file whose log messages you want to view, then select Display to open the
log message list. For more information, see Viewing log messages

Download Download a log file. See Downloading a log file.

Import Import log files. See Importing a log file.

Search Search the log files by entering a text value in the search window, such as a device
serial number.

Log file list A list of the log files.

Device The device host name.

Serial Number The device serial number.

Type The log type. For example: Email Filter, Event, Traffic, Web Filter, Virus, Application
Control, Data Leak Prevention, etc.

Administration Guide 177

Fortinet Technologies Inc.
FortiView Log view

Log Files A list of available log files for each device.

The current, or active, log file appears as well as rolled log files. Rolled log files include
a number in the file name, such as vlog.1267852112.log.
If you configure the FortiAnalyzer unit to delete the original log files after uploading
rolled logs to an FTP server, only the current log will exist.

From The time when the log file began to be generated.

To The time when the log file generation ended.

Size (bytes) The size of the log file, in bytes.

Pagination Adjust the number of logs that are listed per page and browse through the pages.

Importing a log file

Imported log files can be useful when restoring data or loading log data for temporary use. For example, if you have
older log files from a device, you can import these logs to the FortiAnalyzer unit so that you can generate reports
containing older data.

Importing log files is also useful when changing your RAID configuration. Changing your RAID configuration reformats
the hard disk, erasing the log files. If you back up the log files, after changing the RAID configuration, you can import
the logs to restore them to the FortiAnalyzer unit.

To import a log file:

1. Go to FortiView > Log View > Log Browse.

2. Select Import in the toolbar. The Import Log File dialog box opens.
3. Select the device to which the imported log file belongs from the Device field drop-down list, or select [Take From
Imported File] to read the device ID from the log file. If you select [Take From Imported File] your log file must
contain a device_id field in its log messages.
4. In the File field, select Browse. and find to the log file on the management computer.
5. Select OK. A message appears, stating that the upload is beginning, but will be cancelled if you leave the page.
6. Select OK. The upload time varies depending on the size of the file and the speed of the connection.

After the log file has been successfully uploaded, the FortiAnalyzer unit will inspect the file:

l If the device_id field in the uploaded log file does not match the device, the import will fail. Select Return to
attempt another import.
l If you selected [Take From Imported File], and the FortiAnalyzer unit’s device list does not currently contain
that device, a message appears after the upload. Select OK to import the log file and automatically add the
device to the device list.

Downloading a log file

You can download a log file to save it as a backup or for use outside the FortiAnalyzer unit. The download consists of
either the entire log file, or a partial log file, as selected by your current log view filter settings and, if downloading a

178 Administration Guide

Fortinet Technologies Inc.
 Log view FortiView

raw file, the time span specified.

To download a log file:

1. Go to FortiView > Log View > Log Browse.

2. Select the specific log file that you need to download, then select Download from the toolbar. The Download Log
File dialog box opens.
3. Select the log file format, either text, Native, or CSV.
4. Select Compress with gzip to compress the log file.
5. Select Apply to download the log file.

If prompted by your web browser, select a location to where save the file, or open the file without saving.

FortiClient logs

The FortiAnalyzer unit can receive FortiClient logs uploaded through TCP port 514. FortiClient logs can be viewed in
FortiView > Log View under the FortiGate device that FortiClient is registered to. Both traffic and event logs are
available. Logs can be viewed in both historical and real-time views and in both formatted and raw log views.

In FortiAnalyzer v5.2.1 and later, log injection into the SQL database is supported for v5.2 or later licensed endpoints.
Clients with the v5.0 license are able to send logs to FortiAnalyzer, but these logs will not be inserted into the SQL
database.

FortiClient logs

The following information is displayed:

Administration Guide 179

Fortinet Technologies Inc.
 FortiView Log view

Traffic logs The following columns are supported by default for event logs: Date/Time, Device ID, FGT
Serial, Source, Source IP, Remote IP, Remote Name, URL, User, and Security Action. Click
the log details icon to the left of the limit field to view additional log information.
Click the column header to set column settings. Select More Columns for additional
columns.
Right-click the column field to apply a search filter. Not all columns support this feature.

Event logs The following columns are supported by default for event logs: Date/Time, Device ID, FGT
Serial, User, Client Feature, Action, and Message. Click the log details icon to the left of the
limit field to view additional log information.
Click the column header to set column settings. Select More Columns for additional
columns.
Right-click the column field to apply a search filter. Not all columns support this feature.

Vulnerability Scan logs The following columns are supported by default for event logs: Date/Time, UID, Device ID,
User, vulnname, vulnseverity, and Vulnerability Category. Click the log details icon to the
left of the limit field to view additional log information.
Click the column header to set column settings. Select More Columns for additional
columns.
Right-click the column field to apply a search filter. Not all columns support this feature.

To download a FortiClient log file, select the desired log from the list, then select Download from the Tools menu. In
the confirmation dialog box, select if you want to compress the log file with gzip, then select Apply to download the log
file.

For more information, see the FortiClient Administration Guide.

FortiMail logs

The FortiAnalyzer unit can receive logs from a FortiMail. FortiMail logs can be viewed in FortiView > Log View . Logs
can be viewed in both historical view and in both formatted and raw log views.

FortiMail logs

180 Administration Guide

Fortinet Technologies Inc.
Log view FortiView

The following information is displayed:

History logs The following columns are supported by default for event logs: Date/Time, Device ID, Dir-
ection, Mailer, From To, Virus, Client Name, Destination IP, Disposition, Classifier, Session
ID, Subject, Message Length, Resolved, Policy ID, and Domain. Click the log details icon to
the left of the limit field to view additional log information.
Click the column header to set column settings. Select More Columns for additional
columns.
Right-click the column field to apply a search filter. Not all columns support this feature.

Event logs The following columns are supported by default for event logs: Date/Time, Device ID, Sub
Type, Session ID, and Message. Click the log details icon to the left of the limit field to view
additional log information.
Click the column header to set column settings. Select More Columns for additional
columns.
Right-click the column field to apply a search filter. Not all columns support this feature.

Administration Guide 181

Fortinet Technologies Inc.
 FortiView Log view

AntiVirus logs The following columns are supported by default for event logs: Date/Time, Device ID, From,
To, Source, Message, and Session ID. Click the log details icon to the left of the limit field to
view additional log information.
Click the column header to set column settings. Select More Columns for additional
columns.
Right-click the column field to apply a search filter. Not all columns support this feature.

Email Filterlogs The following columns are supported by default for event logs: Date/Time, Device ID, From,
To, Message, Client Name, Subject, Destination IP, and Session ID. Click the log details
icon to the left of the limit field to view additional log information.
Click the column header to set column settings. Select More Columns for additional
columns.
Right-click the column field to apply a search filter. Not all columns support this feature.

FortiManager logs

The FortiAnalyzer unit can receive logs from a FortiManager. FortiManager logs can be viewed in FortiView > Log
View. Logs can be viewed in both historical view and in both formatted and raw log views.
FortiManager logs

The following information is displayed:

182 Administration Guide

Fortinet Technologies Inc.
 Log view FortiView

Event logs The following columns are supported by default for event logs: Date/Time, Device ID, Sub
Type, Level, User, and Message. Click the log details icon to the left of the limit field to view
additional log information.
Click the column header to set column settings. Select More Columns for additional
columns.
Right-click the column field to apply a search filter. Not all columns support this feature.

FortiSandbox logs

The FortiAnalyzer unit can receive logs from a FortiSandbox. FortiSandbox logs can be viewed in FortiView > Log
View. Logs can be viewed in both historical view and in both formatted and raw log views.
FortiSandbox logs

The following information is displayed:

Malware logs The following columns are supported by default for event logs: Date/Time, Level, Risk, Mal-
ware Name, Source IP, and Destination IP. Click the log details icon to the left of the limit
field to view additional log information.
Click the column header to set column settings. Select More Columns for additional
columns.
Right-click the column field to apply a search filter. Not all columns support this feature.

Administration Guide 183

Fortinet Technologies Inc.
 FortiView Log view

Network Alerts logs The following columns are supported by default for event logs: Date/Time, Level, Destin-
ation IP:Port, Attack Name, and Host. Click the log details icon to the left of the limit field to
view additional log information.
Click the column header to set column settings. Select More Columns for additional
columns.
Right-click the column field to apply a search filter. Not all columns support this feature.

FortiWeb logs

The FortiAnalyzer unit can receive logs from a FortiWeb. FortiWeb logs can be viewed in FortiView > Log View . Logs
can be viewed in both historical view and in both formatted and raw log views.

FortiWeb logs

The following information is displayed:

184 Administration Guide

Fortinet Technologies Inc.
 Log view FortiView

Event logs The following columns are supported by default for event logs: Date/Time, Device ID, Level,
User Interface, Action, and Message. Click the log details icon to the left of the limit field to
view additional log information.
Click the column header to set column settings. Select More Columns for additional
columns.
Right-click the column field to apply a search filter. Not all columns support this feature.

Intrusion Prevention logs The following columns are supported by default for event logs: Date/Time, Device ID,
Source, Destination, Policy, Action, HTTP URL, HTTP Host, and Message. Click the log
details icon to the left of the limit field to view additional log information.
Click the column header to set column settings. Select More Columns for additional
columns.
Right-click the column field to apply a search filter. Not all columns support this feature.

Traffic logs The following columns are supported by default for event logs: Date/Time, Device ID, Ser-
vice, Source, Destination, Policy, HTTP Method, HTTP RETCODE, and Message. Click the
log details icon to the left of the limit field to view additional log information.
Click the column header to set column settings. Select More Columns for additional
columns.
Right-click the column field to apply a search filter. Not all columns support this feature.

Syslog server logs

The FortiAnalyzer unit can receive logs from a syslog server. Syslog logs can be viewed in FortiView > Log View >
Syslog. Event logs are available. Logs can be viewed in both historical and real-time views and in both formatted and
raw log views.

Syslog server logs

Administration Guide 185

Fortinet Technologies Inc.
 FortiView Log view

The following information is displayed:

Syslog logs The following columns are supported by default for event logs: Date/Time, Device ID, Level,
and Message. Click the log details icon to the left of the limit field to view additional log
information.
Click the column header to set column settings. Select More Columns for additional
columns.
Right-click the column field to apply a search filter. Not all columns support this feature.

Configuring rolling and uploading of logs

You can control device log file size and use of the FortiAnalyzer unit’s disk space by configuring log rolling and
scheduled uploads to a server.

As the FortiAnalyzer unit receives new log items, it performs the following tasks:

verifies whether the log file has exceeded its file size limit

checks to see if it is time to roll the log file if the file size is not exceeded.

Configure the time to be either a daily or weekly occurrence, and when the roll occurs. When a current log file
(tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file
by renaming the file. The file name will be in the form of xlog.N.log (for example, tlog.1252929496.log),
where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was
received. The file modification time will match the time when the last log was received in the log file.

Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new
current log called tlog.log. If log uploading is enabled, once logs are uploaded to the remote server or downloaded
via the Web-based Manager, they are in the following format:
FG3K6A3406600001-tlog.1252929496.log-2012-09-29-08-03-54.gz

186 Administration Guide

Fortinet Technologies Inc.
Log view FortiView

If you have enabled log uploading, you can choose to automatically delete the rolled log file after uploading, thereby
freeing the amount of disk space used by rolled log files. If the log upload fails, such as when the FTP server is
unavailable, the logs are uploaded during the next scheduled upload.

Log rolling and uploading can be enabled and configured in the Web-based Manager in System Settings > Advanced
> Device Log Settings. For more information, see Device log settings. Log rolling and uploading can also be enabled
and configured using the CLI. For more information, see the FortiAnalyzer CLI Reference.

To enable or disable log file uploads:

To enable log uploads, enter the following CLI commands:

config system log settings
config rolling-regular
set upload enable
end
end

To disable log uploads, enter the following CLI commands:

config system log settings
config rolling-regular
set upload disable
end
end

To roll logs when they reach a specific size:

Enter the following CLI commands:

config system log settings
config rolling-regular
set file-size <integer>
end
end

where <integer> is the size at which the logs will roll, in MB.

To roll logs on a schedule:

To disable log rolling, enter the following CLI commands:

config system log settings
config rolling-regular
set when none
end
end

To enable daily log rolling, enter the following CLI commands:

config system log settings
config rolling-regular
set upload enble
set when daily
set hour <integer>
set min <integer>
set file-size <integer>
end
end

Administration Guide 187

Fortinet Technologies Inc.
FortiView Log view

where:

hour The hour of the day when the when the FortiAnalyzer rolls the
<integer> traffic analyzer logs.

The minute when the FortiAnalyzer rolls the traffic analyzer

min <integer>
logs.
file-size
<integer> Roll log files when they reach this size (MB).

To enable weekly log rolling, enter the following CLI commands:

config system log settings
config rolling-regular
set when weekly
set days {mon | tue | wed | thu | fri | sat | sun}
set hour <integer>
set min <integer>
end
end

where:

days {mon | tue | wed | The days week when the FortiAnalyzer rolls the
thu | fri | sat | sun} traffic analyzer logs.

The hour of the day when the when the

hour <integer>
FortiAnalyzer rolls the traffic analyzer logs.

The minute when the FortiAnalyzer rolls the traffic

min <integer>
analyzer logs.

188 Administration Guide

Fortinet Technologies Inc.
Event Management

In the Event Management tab you can configure events handlers based on log type and logging filters. You can select
to send the event to an email address, SNMP community, or syslog server. Events can be configured per device, for all
devices, or for the local FortiAnalyzer. You can create event handlers for FortiGate, FortiCarrier, FortiCache, FortiMail,
FortiManager, FortiWeb, FortiSandbox devices, and syslog servers. In v5.2.0 or later, Event Management supports
local FortiAnalyzer event logs.

Events can also be monitored, and the logs associated with a given event can be viewed.

When rebuilding the SQL database, Event Management will not be available until after the rebuild
is completed. Select the Show Progress link in the message to view the status of the SQL rebuild.

Events

The events page provides a list of the generated events. Right-clicking on an event in the table gives you the option of
viewing event details including the raw log entries associated with that event, adding review notes, and acknowledging
the event.

To view events, go to the Event Management tab and select Event Management > All Events. You can also view
events by severity and by handler. When ADOMs are enabled, select the ADOM, and then select All Events.
Events page

189 Administration Guide

Fortinet Technologies Inc.
Events Event Management

The following information is displayed:

Count The number of log entries associated with the event. Click the heading to sort events by
count.

Event Name The name of the event. Click the heading to sort events by event name.

Severity The severity level of the event. Event severity level is a user configured variable. The sever-
ity can be Critical, High, Medium, or Low. Click the heading to sort events by severity.

Event Type The event type. For example, Traffic or Event. Click the heading to sort events by event
type. IPS and Application Control event names are links. Select the link to view additional
information.

Additional Info Additional information about the event. Click the heading to sort events by additional inform-
ation.

Last Occurrence The date and time that the event was created and added to the events page. Click the head-
ing to sort events by last occurrence.

Pagination Adjust the number of logs that are listed per page and browse through the pages.

The following options are available:

Administration Guide 190

Fortinet Technologies Inc.
 Event Management Events

Refresh Select to refresh the entries displayed.

Time Period Select a time period from the drop-down list. Select one of: Last 30 mins, Last 1 hour, Last
4 hours, Last 12 hours, Last 1 day, Last 7 days, Last N hours, Last N days, All.
If applicable, enter the number of days or hours for N in the N text box.

Show Acknowledged Select to show or hide acknowledged events. Acknowledged events are greyed out in the
list.

Search Search for a specific event.

View Details The Event Details page is displayed. This option is available in the right-click menu. See
Event details.

Acknowledge Acknowledge an event. If Show Acknowledge is not selected, the event will be hidden. This
option is available in the right-click menu. See Acknowledge events.

Event details

Event details provides a summary of the event including the event name, severity, type, count, additional information,
last occurrence, device, event handler, raw log entries, and review notes. You can also acknowledge and print events
in this page.

To view log messages associated with an event:

1. In the events list, either double-click on an event or right-click on an event then select View Details in the right-
click menu. The Event Details page opens.

Event details page

191 Administration Guide

Fortinet Technologies Inc.
Events Event Management

The following information and options are available:

Print Select the print icon to print the event details page. The log details pane is not printed.

Return Select the return icon to return to the All Events page.

Event Name The name of the event, also displayed in the title bar.

Severity The severity level configured for the event handler.

Type The event category of the event handler.

Count The number of logged events associated with the event.

Additional Info This field either displays additional information for the event or a link to the FortiGuard
Encyclopedia. A link will be displayed for AntiVirus, Application Control, and IPS event
types.

Last Occurrence The date and time of the last occurrence.

Device The device hostname associated with the event.

Event Handler The name of the event handler associated with the event. Select the link to edit the event
handler. See Event handler.

Text box Optionally, you can enter a 1023 character comment in the text field. Select the save icon
to save the comment, or cancel to cancel your changes.

Administration Guide 192

Fortinet Technologies Inc.
 Event Management Event handler

Logs The logs associated with the log event are displayed. The columns and log fields are
dependent on the event type.

Pagination Adjust the number of logs that are listed per page and browse through the pages.

Log details Log details are shown in the lower content pane for the selected log. The details will vary
based on the log type.

2. Select the return icon to return to the All Events page.

Acknowledge events

You can select to acknowledge events to remove them from the event list. An option has been added to this page to
allow you to show or hide these acknowledged events.

To acknowledge events:

1. From the event list, select the event or events that you would like to acknowledge.
2. Right-click and select Acknowledge in the right-click menu.
3. Select the Show Acknowledge checkbox in the toolbar to view acknowledged events.

Event handler

The event handler allows you to view, create new, edit, delete, clone, and search event handlers. You can select these
options in the toolbar. The right-click menu includes these options and also includes the ability to enable or disable
configured event handlers. You can create event handlers for a specific device, multiple devices, or the local
FortiAnalyzer. You can select to create event handlers for traffic logs or event logs.

FortiAnalyzer v5.2.0 or later includes default event handlers for FortiGate and FortiCarrier devices. Click on the event
handler name to enable or disable the event handler and to assign devices to the event handler.

Default event handlers

Event Handler Description

Antivirus Event Severity: High

Log Type: Traffic Log
Event Category: AntiVirus
Group by: Virus Name
Log messages that match all conditions:
l Level Greater Than or Equal To Information

193 Administration Guide

Fortinet Technologies Inc.
Event handler Event Management

Event Handler Description

App Ctrl Event Severity: Medium

Log Type: Traffic Log
Event Category: Application ControlGroup by: Application Name
Log messages that match any of the following conditions:
l Application Category Equal To Botnet
l Application Category Equal To Proxy

Conserve Mode Severity: Critical

Log Type: Event Log
Event Category: System
Group by: Message
Log messages that match all conditions:
l Log Description Equal To System services entered conserve mode

DLP Event Severity: Medium

Log Type: Traffic Log
Event Category: DLP
Group by: DLP Rule Name
Log messages that match all conditions:
l Security Action Equal To Blocked

HA Failover Severity: Medium

Log Type: Event Log
Event Category: HA
Group by: Log Description
Log messages that match all conditions:
l Log Description Equal To Virtual cluster move member

Interface Down Severity: High

Log Type: Event Log
Event Category: System
Group by: Message
Log messages that match all conditions:
l Action Equal To interface-stat-change
l Status Equal To DOWN

Administration Guide 194

Fortinet Technologies Inc.
Event Management Event handler

Event Handler Description

Interface Up Severity: Medium

Log Type: Event Log
Event Category: System
Group by: Message
Log messages that match all conditions:
l Action Equal To interface-stat-change
l Status Equal To UP

IPS - Critical Severity Severity: Critical

Log Type: IPS
Group by: Attack Name
Log messages that match all conditions:
l Severity Equal To Critical

IPS - High Severity Severity: High

Log Type: IPS
Group by: Attack Name
Log messages that match all conditions:
l Severity Equal To High

IPS - Medium Severity Severity: Medium

Log Type: IPS
Group by: Attack Name
Log messages that match all conditions:
l Severity Equal To Medium

IPS - Low Severity Severity: Low

Log Type: IPS
Group by: Attack Name
Log messages that match all conditions:
l Severity Equal To Low

IPsec Phase2 Down Severity: Medium

Log Type: Event Log
Event Category: VPN
Group By: VPN Tunnel
Log messages that match all conditions:
l Action Equal To phase2-down

195 Administration Guide

Fortinet Technologies Inc.
Event handler Event Management

Event Handler Description

IPsec Phase2 Up Severity: Medium

Log Type: Event Log
Event Category: VPN
Group By: VPN TunnelLog messages that match all conditions:
l Action Equal To phase2-up

Local Device Event Devices: Local FortiAnalyzerSeverity: Medium

Log Type: Event Log
Event Category: Endpoint
Log messages that match all conditions:
l Level Greater Than or Equal To Warning

Power Supply Failure Severity: Critical

Log Type: Event Log
Event Category: System
Group by: Message
Log messages that match any of the following conditions:
l Action Equal To power-supply-monitor
l Status Equal To failure

UTM Antivirus Event Severity: High

Log Type: Virus
Group by: Virus Name
Log messages that match all conditions:
l Level Greater Than or Equal To Information

UTM App Ctrl Event Severity: Medium

Log Type: Application Control
Group by: Application Name
Log messages that match any of the following conditions:
l Application Category Equal To Botnet
l Application Category Equal To Proxy

UTM DLP Event Severity: Medium

Log Type: DLP
Group by: DLP Rule Name
Log messages that match all conditions:
l Action Equal To Block

Administration Guide 196

Fortinet Technologies Inc.
Event Management Event handler

Event Handler Description

UTM Web Filter Event Severity: Medium

Log Type: Web Filter
Group by: Category
Log messages that match any of the following conditions:
l Web Category Equal To Child Abuse, Discrimination, Drug Abuse,
Explicit Violence, Extremist Groups, Hacking, Illegal or Unethical,
Plagiarism, Proxy Avoidance, Malicious Websites, Phishing, Spam
URLs

Web Filter Event Severity: Medium

Log Type: Traffic Log
Event Category: WebFilter
Group by: Category
Log messages that match any of the following conditions:
l Web Category Equal To Child Abuse, Discrimination, Drug Abuse,
Explicit Violence, Extremist Groups, Hacking, Illegal or Unethical,
Plagiarism, Proxy Avoidance, Malicious Websites, Phishing, Spam
URLs

Go to the Event Management tab and select Event Handler in the tree menu.

Event handler page

197 Administration Guide

Fortinet Technologies Inc.
Event handler Event Management

The following information is displayed:

Status The status of the event handler (enabled or disabled).

Name The name of the event handler.

Filters The filters that are configured for the event handler.

Event Type The event category of the event handler. The information displayed is dependent on the plat-
form type.

Devices The devices that you have configured for the event handler. This field will either display All
Devices or list each device. When you have configured an event handler for local logs,
Local FortiAnalyzer will be displayed. Local FortiAnalyzer is available in the root ADOM
only and is used to query FortiAnalyzer event logs.

Severity The severity that you configured for the event handler. This field will display Critical, High,
Medium, or Low.

Send Alert to The email address, SNMP server, or syslog server that has been configured for the event
handler.

Right-click on an event handler in the list to open the right-click menu. The following options are available:

Create New Select to create a new event handler. This option is available in the toolbar and right-click
menu. See To create a new event handler:.

Edit Select an event handler and select edit to make changes to the entry. This option is avail-
able in the toolbar and right-click menu. See To edit an event handler:.

Delete Select one or all event handlers and select delete to remove the entry or entries. This option
is available in the toolbar and right-click menu. The default event handlers cannot be
deleted. See To delete an event handler:.

Clone Select an event handler in this page and click to clone the entry. A cloned entry will have
Copy added to its name field. You can rename the cloned entry while editing the event hand-
ler. This option is available in the toolbar and right-click menu. See To clone an event hand-
ler:.

Enable Select to enable the event handler.

Disable Select to disable the event handler.

Administration Guide 198

Fortinet Technologies Inc.
 Event Management Event handler

Manage event handlers

You can create traffic, event, and extended log handlers to monitor network traffic and events based on specific log
filters. These log handlers can then be edited, deleted, cloned, and enabled or disabled as needed.

To create a new event handler:

1. Go to Event Management > Event Handler.

2. Select Create New in the toolbar, or right-click on an the entry and select Create New in the right-click menu. The
Create New Event Handler dialog box is displayed.

Create new event handler dialog box

3. Enter a name for the new event handler and select OK. The Event Handler page opens with the Definition tab
displayed.

Create event handler definition page

4. Configure the following settings:

199 Administration Guide

Fortinet Technologies Inc.
Event handler Event Management

Status Enable or disable the event handler.

l Enabled
l Disabled

Name Edit the name if required.

Description Enter a description for the event handler.

Devices Select All Devices,select Specify and use the add icon to add devices. Select Local
FortiAnalyzer if the event handler is for local FortiAnalyzer event logs.
Local FortiAnalyzer is available in the root ADOM only and is used to query
FortiAnalyzer event logs.

Severity Select the severity from the drop-down list. Select one of the following:
l Critical
l High
l Medium
l Low

Filters

Log Type Select the log type from the drop-down list. The available options are: Traffic Log,
Event Log, Application Control, DLP, IPS, Virus, and Web Filter.
The Log Type is Event Log when Devices is Local FortiAnalyzer.

Event Category Select the category of event that this handler will monitor from the drop-down list.
The available options is dependent on the platform type.
This option is only available when Log Type is set to Traffic Log and Devices is
set to All Devices or Specify.

Group by Select the criterium by which the information will be grouped.

This option is not available when Log Type is set to Traffic Log.

Log message that match Select either All or Any of the Following Conditions.
When Devices is Local FortiAnalyzer, this option is not available.

Add Filter Select the add icon to add log filters.

When Devices is Local FortiAnalyzer, this option is not available. You can
only set one log field filter.

Log Field Select a log field to filter from the drop-down list. The available options will vary
depending on the selected log type.

Administration Guide 200

Fortinet Technologies Inc.
Event Management Event handler

Match Criteria Select a match criteria from the drop-down list. The available options will vary
depending on the selected log field.

Value Either select a value from the drop-down list, or enter a value in the text box. The
available options will vary depending on the selected log field.

Delete Select the delete icon, to delete the filter. A minimum of one filter is required.

Generic Text Filter Enter a generic text filter. For more information on creating a text filter, hover the
cursor over the help icon.

Event Details Only available when you have one Security Event filter or the Log Type is Event
Log.

Event Name Select an event name from the drop-down list. The options in the list are depend-
ent on the specific security event selected.

Additional Info Select additional information from the drop-down list. The options in the list are
dependent on the specific security event selected.

5. Select Apply to save the Definition settings.

6. Select the Notification tab.

Notification tab

7. Configure the following settings:

Event Details Only available when

you have one Security
Event filter or the Log
Type is Event Log.

201 Administration Guide

Fortinet Technologies Inc.
Event handler Event Management

Event Name Select an event name

from the drop-down list.
The options in the list
are dependent on the
specific security event
selected.

Additional Info Select additional inform-

ation from the drop-
down list. The options
in the list are depend-
ent on the specific
security event selected.

Generate alert when at least Enter threshold values

to generate alerts.
Enter the number, in
the first text box, of
each type of event that
can occur in the number
of minutes entered in
the second text box.

Send Alert Email Select the checkbox to

enable. Enter an email
address in the To and
From text fields, enter a
subject in the Subject
field, and select the
email server from the
drop-down list. Select
the add icon to add an
email server. For inform-
ation on creating a new
mail server, see Mail
server.

Administration Guide 202

Fortinet Technologies Inc.
Event Management Event handler

Send SNMP Trap to Select the checkbox to

enable this feature.
Select an SNMP com-
munity from the drop-
down list. Select the
add icon to add a
SNMP community

Send Alert to Syslog Server Select the checkbox to

enable this feature.
Select a syslog server
from the drop-down list.
Select the add icon to
add a syslog server. For
information on creating
a new syslog server,
see Syslog server

8. Select Apply to create the new event handler.

9. Select Return to return to the Event Handler page.

To edit an event handler:

1. Go to Event Management > Event Handler.

2. Select an event handler entry and either select Edit in the toolbar, or right-click on the entry and select Edit in the
pop-up menu. The Edit Event Handler page opens.
3. Edit the settings as required.
4. Select Apply to save the configuration.
5. Select Return to return to the Event Handler page.

To clone an event handler:

1. Go to Event Management > Event Handler.

2. Select an event handler entry and either select Clone in the toolbar, or right-click on the entry and select Clone in
the pop-up menu. The Clone Event Handler window opens.
3. Edit the settings as required.
4. Select Apply to save the configuration.
5. Select Return to return to the Event Handler page.

203 Administration Guide

Fortinet Technologies Inc.
Event handler Event Management

To delete an event handler:

1. Go to Event Management > Event Handler.

2. Select an event handler entry and either select Delete in the toolbar, or right-click on the entry and select Delete in
the pop-up menu.
3. Select OK in the confirmation dialog box to delete the event handler.

The default event handlers cannot be deleted. Use the right-click menu to enable or disable these
event handlers. You can also select to clone the default event handlers.

To enable an event handler:

1. Go to Event Management > Event Handler.

2. Select an event handler entry, right-click and select Enable in the pop-up menu. The status field will display a
enabled icon.

To disable an event handler:

1. Go to Event Management > Event Handler.

2. Select an event handler entry, right-click and select Disable in the pop-up menu. The status field will display a
disabled icon.

Administration Guide 204

Fortinet Technologies Inc.
Reports

FortiAnalyzer units can analyze information collected from the log files of managed log devices. It then presents the
information in tabular and graphical reports that provide a quick and detailed analysis of activity on your networks.

To reduce the number of reports needed, reports are independent from devices, and contain layout information in the
form of a report template. The devices, and any other required information, can be added as parameters to the report
at the time of report generation.

Additional configuration options and short-cuts are available using the right-click menu. Right-click
the mouse on different navigation panes on the Web-based Manager page to access these
options.

The Reports tab allows you to configure reports using the predefined report templates, configure report schedules,
view report history and the report calendar, and configure and view charts, macros, datasets, and output profiles.

If ADOMs are enabled, each ADOM will have its own report settings including chart library,
macro library, dataset library, and output profiles.

FortiCarrier, FortiCache, FortiMail and FortiWeb reports are available when ADOMs are
enabled. Reports for these devices are configured within their respective default ADOM.
These devices also have device specific charts and datasets.

When rebuilding the SQL database, Reports will not be available until after the rebuild is com-
pleted. Select the Show Progress link in the message to view the status of the SQL rebuild.

This chapter contains the following sections:

l Reports
l Report layouts
l Chart library
l Macro library
l Report calendar
l Advanced

Reports

FortiAnalyzer includes preconfigured reports and report templates for FortiGate, FortiMail, and FortiWeb log devices.
These report templates can be used as is, or you can clone and edit the templates. You can also create new reports
and report templates that can be customized to your requirements.

205 Administration Guide

Fortinet Technologies Inc.
 Reports Reports

Predefined report templates are identified by a blue report icon and custom report templates are
identified by a green report icon. When a schedule has been enabled, the schedule icon will
appear to the left of the report template name.

FortiAnalyzer includes preconfigured reports and report templates for FortiGate, FortiMail, and FortiWeb log devices.
These report templates can be used as is, or you can clone and edit the templates. You can also create new reports
and report templates that can be customized to your requirements.

Predefined report templates are identified by a blue report icon and custom report templates are
identified by a green report icon. When a schedule has been enabled, the schedule icon will
appear to the left of the report template name.

FortiGate reports

The following tables list the default report templates.

FortiGate general report templates

Report Template

Admin and System Events Report

Application Risk and Control

Application and Risk Analysis

Bandwidth and Applications Report

Client Reputation

Detailed Application Usage and Risk

Email Report

IPS Report

Security Analysis

Threat Report

User Report

Administration Guide 206

Fortinet Technologies Inc.
Reports Reports

Report Template

User Security Analysis

VPN Report

Web Usage Report

WiFi Network Summary

Wireless PCI Compliance

The following report template can be found in the Application folder.

FortiGate application report templates

Report Template

Applications - Top 20 Categories and Applications (Bandwidth)

Applications - Top 20 Categories and Applications (Session)

Applications - Top Allowed and Blocked with Timestamps

The following report templates can be found in the Detailed User Report folder.
FortiGate detailed user report templates

Report Template

User Detailed Browsing Log

User Top 500 Websites by Bandwidth

User Top 500 Websites by Session

The following report templates can be found in the Web report folder.
FortiGate web report templates

Report Template

Websites - Hourly Website Hits

Websites - Top 20 Category And Websites (Bandwidth)

Websites - Top 20 Category And Websites (Hits)

Websites - Top 500 Sessions by Bandwidth

207 Administration Guide

Fortinet Technologies Inc.
 Reports Reports

FortiMail reports

The following table lists report templates exclusive to FortiMail devices.

FortiMail report templates

Report Template

FortiMail Analysis Report

FortiMail Default Report

FortiWeb report

The following table lists report templates exclusive to FortiWeb devices.

FortiWeb report templates

Report Template

FortiWeb Default Report

FortiCache report

The following table lists report templates exclusive to FortiCache devices.

FortiCache report templates

Report Template

FortiCache Default Report

In the Reports tab, go to Reports > [report] to view and configure the report configuration, advanced settings, and
layout, and to view completed reports. The currently running reports and completed reports are shown in the View
Report tab, see View report tab.
Report page

Administration Guide 208

Fortinet Technologies Inc.
Reports Reports

Right-clicking on a template in the tree menu opens a pop-up menu with the following options:

Report

Create New Create a new report. See To create a new report:. Custom report templates are identified by the
green custom report icon beside the report name. Predefined report templates are identified by
the blue predefined report icon.

Rename Rename a report.

Clone Clone the selected report. See To clone a report:.

Delete Delete the report. The default reports cannot be deleted. See To delete a report:

Import Import a report. See Import and export.

Export Export a report. See Import and export.

Folder

Create New Create a new report folder. See To create a new report folder:

209 Administration Guide

Fortinet Technologies Inc.
Reports Reports

Report

Rename Rename a report folder. See To rename a report folder:

Delete Delete a report folder. Any report templates in the folder will be deleted. See To delete a report
folder:

Reports and report templates can be created, edited, cloned, and deleted. You can also import and export report
templates. New content can be added to and organized on a template, including: new sections, three levels of
headings, text boxes, images, charts, and line and page breaks.

To create a new report:

1. In the Reports tab, right-click on Reports in the tree menu.

2. Under the Report heading, select Create New. The Create New Report dialog box opens.
3. Enter a name for the new report and select OK.
4. Configure report settings in the Configuration tab. The configuration tab includes time period, device selection,
report type, schedule, and notifications.

To create a custom cover page, you must select Print Cover Page in the Advanced Settings
menu in the Advanced Settings tab.

5. Select the Layout tab to configure the report template.

6. Select the Advanced settings tab to configure report filters and other advanced settings.
7. Select Apply to save the report template.

To clone a report:

1. Right-click on the report you would like to clone in the tree menu and select Clone. The Clone Report Template
dialog box opens.
2. Enter a name for the new template, then select OK.

A new template with the same information as the original template is created with the given name. You can then
modify the cloned report as required.

To delete a report:

1. Right-click on the report template that you would like to delete in the tree menu, and select Delete under the
Report heading.
2. In the confirmation dialog box, select OK to delete the report template.

Import and export

Report templates can be imported from and exported to the management computer.

Administration Guide 210

Fortinet Technologies Inc.
 Reports Reports

To import a report template:

1. Right-click on Reports, and select Import. The Import Report Template dialog box opens.
2. Select Browse, locate the report template (.dat) file on your management computer, and select OK.

The report template will be loaded into the FortiAnalyzer unit.

To export a report template:

1. Right-click on the report you would like to export in the tree menu and select Export.
2. If a dialog box opens, select to save the file (.dat) to your management computer, and select OK.

The report template can now be imported to another FortiAnalyzer device.

Report folders
Report folders can be used to help organize your reports.

To create a new report folder:

1. In the Reports tab, right-click on Reports in the tree menu. Under the Folder heading, select Create New.Under
the Folder heading, select Create New.
2. In the Create New Folder dialog box, enter a name for the folder, and select OK.

A new folder is created with the given name.

To rename a report folder:

1. Right-click on the report folder that you need to rename in the tree menu.
2. Under the Folder heading, select Rename.
3. In the Rename Folder dialog box, enter a new name for the folder, and select OK.

To delete a report folder:

1. Right-click on the report folder that you would like to delete in the tree menu, and select Delete under the Folder
heading.
2. In the confirmation dialog box, select OK to delete the report folder.

Configuration tab

In FortiAnalyzer v5.2.0 and later, the Reports tab layout has changed. When creating a new report, the Configuration
tab is the first tab that is displayed. In this tab you can configure the time period, select devices, enable schedules, and
enable notification.

Report schedules provide a way to schedule an hourly, daily, weekly, or monthly report so that the report will be
generated at a specific time. You can also manually run a report schedule at any time, and enable or disable report
schedules. Report schedules can also be edited and disabled from the Report Calendar. See Report calendar for more
information.

Configuration tab

211 Administration Guide

Fortinet Technologies Inc.
Reports Reports

The following settings are available in the Configuration tab:

Time Period The time period that the report will cover. Select a time period, or select Other to
manually specify the start and end date and time.

Devices The devices that the report will include. Select either All Devices or Specify to
add specific devices. Select the add icon to select devices.

User or IP Enter the user name or the IP address of the user on whom the report will be
based.This field is only available for the three predefined report templates in the
Detailed User Report folder.

Type Select either Single Report (Group Report) or Multiple Reports (Per-Device).
This option is only available if multiple devices are selected.

Enable Schedule Select to enable report template schedules.

Generate PDF Report Every Select when the report is generated.

Enter a number for the frequency of the report based on the time period selected
from the drop-down list.

Starts On Enter a starting date and time for the file generation.

Ends Enter an ending date and time for the file generation, or set it for never ending.

Enable Notification Select to enable report notification.

Output Profile Select the output profile from the drop-down list, or select Create New to create a
new output profile. See Output profile.

Administration Guide 212

Fortinet Technologies Inc.
 Reports Reports

Advanced settings tab

After configuring the report configuration, select the Advanced Settings tab. In this tab you can configure report filters,
LDAP query, and other advanced settings. In the filters section of the Configuration tab, you can create and apply log
message filters, and add an LDAP query to the report. The Advanced Settings section allows you to configure
language and print options, and other settings.In this section of the report, you can configure report language, print
and customize the cover page, print the table of contents, print a device list, and obfuscate users.

Advanced settings tab

The following settings are available in the Advanced Settings tab:

Filters In the filters section of the Configuration tab, you can create and apply log message fil-
ters, and add an LDAP query to the report.

Log messages that match Select All to filter log messages based on all of the added conditions, or select Any of
the following conditions to filter log messages based on any one of the conditions.

213 Administration Guide

Fortinet Technologies Inc.
Reports Reports

Add Filter Select to add filters. For each filter, select the field, and operator from the drop-down
lists, then enter or select the values as applicable.
Filters vary based on device type.

LDAP Query Select to add an LDAP query, then select the LDAP server and the case change value
from the drop-down lists.

Advanced Settings Configure advanced report settings.

Language Select the report language. Select one of the following: Default, English, French,
Japanese, Korean, Portuguese, Simplified_Chinese, Spanish, or Traditional_
Chinese.

Layout Header Enter header text and select the header image. The default image is fortinet_logo.png.

Layout Footer Select either a default footer or custom footer. When selecting Custom, enter the footer
text in the text field.

Print Cover Page Select to print the report cover page. Select Customize to customize the cover page.
See Report cover pages.

Print Table of Contents Select to include a table of contents.

Print Device List Select to print the device list. Select Compact, Count, or Detailed from the drop-down
list.

Print Report Filters Select to print the filters applied to the report.

Obfuscate User Select to hide user information in the report.

Resolve Hostname Select to resolve hostnames in the report. The default status is enabled.

Allow save maximum Select a value between 1-1000 for the maximum number of reports to save.

Color Code The color used to identify the report on the calendar. Select a color code from the drop-
down list to apply to the report schedule. Color options include: Bold Blue, Blue, Tur-
quoise, Green, Bold Green, Yellow, Orange, Red, Bold Red, Purple, and Gray.

Report cover pages

The report cover page is only included in the report when enabled in the Advanced Settings menu in the Advanced
Settings tab. See Advanced settings tab.
When enabled, the cover page can be edited to contain the desired information and imagery.

Administration Guide 214

Fortinet Technologies Inc.
Reports Reports

To edit cover page settings:

1. In the Reports tab, select the report in the tree menu whose cover page you are editing, then select the Advanced
Settings tab.
2. In the Advanced Settings section, select Customize next to the Print Cover Page option. The Cover Page
Settings page opens.

Cover page settings

3. Configure the following settings:

Background Image Select Choose to open the Choose a graphic dialog box.
Select an image, or select Upload to find an image on the management computer,
then select OK to add the image as the background image of the cover page.

Top Image Select Choose to open the Choose a graphic dialog box.
Select an image, or select Upload to find an image on the management computer,
then select OK to add the image at the top of the cover page.

Top Image Position Select the top image position from the drop-down menu. Select one of the following:
Right, Center, Left.

Text Color Select the text color from the drop-down menu. Select one of the following: Black, Bold
Blue, Blue, Turquoise, Green, Bold Green, Yellow, Orange, Red, Bold Red, Purple,
While, Gray.

215 Administration Guide

Fortinet Technologies Inc.
 Reports Reports

Show Creation Time Select to print the report date on the cover page.

Show Data Range Select to print the data range on the cover page.

Custom Text 1 Enter custom text for the Custom Text 1 field.

Custom Text 2 Enter custom text for the Custom Text 2 field.

Bottom Image Select Choose to open the Choose a graphic dialog box.
Select an image, or select Upload to find an image on the management computer,
then select OK to add the image at the bottom of the cover page.

Footer Left Text Edit the text printed in the left hand footer of the cover page.

Footer Right Text Edit the text printed in the left hand footer of the cover page. {default} prints the
report creation date and time.

Footer Background Color Select the cover page footer background color from the drop-down list. Select one of
the following: Black, Bold Blue, Blue, Turquoise, Green, Bold Green, Yellow, Orange,
Red, Bold Red, Purple, While, Gray, Transparent.

Reset to Default Select to reset the cover page settings to their default settings.

4. Select Save in the toolbar, to save your changes.

5. Select Return in the toolbar, to return to Advanced Settings tab.

View report tab

A report can be manually run at any time by selecting Run Report Now.

Competed reports are displayed in the View Report tab of the Reports tab. The report name, available formats, and
completion time or status are shown in the table. Reports can be viewed in HTML or as PDFs.

The toolbar and the right-click menu provide options to delete or download the selected reports, as well as to run the
report.

Completed reports can be viewed for specific devices from the Device Manager tab. See To view device reports:.

Completed reports can also be downloaded and deleted from the Report Calendar page. See Report calendar.

View completed reports

Administration Guide 216

Fortinet Technologies Inc.
Reports Reports

The following options are available:

Report Name The name of the report.

Click the column header to sort entries in the table by report name.

Format Select HTML to open the report in HTML format in a new web browser tab or window,
depending on your browser settings.
Select PDF to open or download the report in PDF format.

Completion Time/Status The completion status of the report, or, if the report is complete, the data, and time (includ-
ing time zone) that the report completed.
Click the column header to sort entries in the table by completion time.

Right-click on an report in the list to open the right-click menu. The following options are available:

Run Report Now Select to run the report now.

Delete Select one or more reports in the completed reports list, then select Delete from the toolbar
or right-click menu. Select OK in the confirmation dialog box to delete the selected report or
reports.

Download Select one reports in the completed reports list, then select Download from the toolbar or
right-click menu to download the selected report or reports.
Each report will be saved individually as a PDF file on the management computer.
Reports that are not done cannot be downloaded.

To view device reports:

1. In the Device Manager tab, select the ADOM that contains the device whose report you would like to view, and
select the device. You can select to view reports by device or by VDOM.

All of the reports that have been run for the selected device are shown in the left content pane. See Device
reports.

Device reports

217 Administration Guide

Fortinet Technologies Inc.
Report layouts Reports

2. Select a format from the Format column to open the report in that format in a new browser window or tab.
3. Select a report, then select Download from the right-click menu to download the selected report. See Download.
4. Select one or more reports, then select Delete to delete the selected reports. See Delete.

Report layouts

In the Layout tab, you can configure report template layout. Various content can be added to a report template, such
as charts, images, and typographic elements, using the layout toolbar. The template color scheme, fonts, and layout
can be controlled, and all the report elements can be edited and customized as needed.

Layout tab

Administration Guide 218

Fortinet Technologies Inc.
Reports Report layouts

Because the cut, copy and paste functions need access to the clipboard of your operating system,
some Internet browsers either block it when called from layout editor toolbar, or ask you to expli-
citly agree to that. Should accessing the clipboard by clicking the respective cut, copy and paste
buttons from toolbar or context menu options be blocked, you can always perform these oper-
ations with keyboard shortcuts.

The following options are available in the layout editor:

Source Select to view and configure the report layout in XML format.

Save Select to save changes to the report layout.

219 Administration Guide

Fortinet Technologies Inc.
Report layouts Reports

Templates Select to choose the template to open in the editor. Select one of the following:
l Image and Title: One main image with a title and text that surround the image.
l Strange Template: A template that defines two columns, each one with a different
title, and some text.
l Text and Table: A title with some text and a table.

You can select to replace actual contents.

Cut To cut a text fragment, start with selecting it. When the text is selected, you can cut it using
one of the following methods:
l Select the cut button in the toolbar
l Right-click and select cut in the menu
l Use the Ctrl+X shortcut on your keyboard.

Copy To cut a text fragment, start with selecting it. When the text is selected, you can cut it using
one of the following methods:
l Select the cut button in the toolbar
l Right-click and select cut in the menu
l Use the Ctrl+C shortcut on your keyboard.

Paste To paste a text fragment, start with cutting it or copying from another source. Depending on
the security settings of your browser, you may either paste directly from the clipboard or use
Paste dialog window.

Paste as plain text If you want to paste an already formatted text, but without preserving the formatting, you
can paste it as plain text. To achieve this, copy the formatted text and select the Paste as
plain text button in the toolbar. If the browser blocks the editor toolbar's access to clipboard,
a Paste as Plain Text dialog window will appear and you will be asked to paste the frag-
ment into the text box using the Ctrl+V keyboard shortcut.

Paste from Word You can preserve basic formatting when you paste a text fragment from Microsoft Word. To
achieve this, copy the text in a Word document and paste it using one of the following meth-
ods:
l Select the Paste from Word button in the toolbar
l Use the Ctrl+V shortcut on your keyboard.

Undo Select to undo the last action. Alternatively, use the Ctrl+Z keyboard shortcut to perform the
undo operation.

Redo Select to redo the last action. Alternatively, use the Ctrl+Y keyboard shortcut to perform the
redo operation.

Administration Guide 220

Fortinet Technologies Inc.
Reports Report layouts

Find Select to find text in the report layout editor. Find consists of the following elements:
l Find what: Is the text field where you enter the word or phrase that you want to find.
l Match case: Checking this option limits the search operation to words whose case
matches the spelling (uppercase and lowercase letters) given in the search field.
This means that the search becomes case-sensitive.
l Match whole word: Checking this option limits the search operation to whole words.
l Match cyclic: Checking this option means that after editor reaches the end of the
document, the search continues from the beginning of the text. This option is
checked by default.

Replace Select to replace text in the report layout editor. Replace consists of the following elements:
l Find what: Is the text field where you enter the word or phrase that you want to find.
l Replace with: Is the text field where you enter the word or phrase that will replace
the search term in the document.
l Match case: Checking this option limits the search operation to words whose case
matches the spelling (uppercase and lowercase letters) given in the search field.
This means that the search becomes case-sensitive.
l Match whole word: Checking this option limits the search operation to whole words.
l Match cyclic: Checking this option means that after editor reaches the end of the
document, the search continues from the beginning of the text. This option is
checked by default.

Image Select the Image button in the toolbar to insert an image into the report layout. See Insert-
ing images for more information. Right-click an existing image to edit image properties.

Table Select the Table button in the toolbar to insert a table into the report layout. See Creating a
table for more information. Right-click an existing table to edit a cell, row, column, table
properties or delete the table.

Insert Horizontal Line Select to insert a horizontal line.

Insert Page Break for Select to insert a page break for printing.
Printing

Link Select the Link button in the toolbar to open the Link dialog window. You can select to insert
a URL, a link to an anchor in the text, or an email address. Alternatively, use the Ctrl+L key-
board shortcut to open the Link dialog window. See Link for more information.

221 Administration Guide

Fortinet Technologies Inc.
Report layouts Reports

Anchor Select the Anchor button in the toolbar to insert an anchor in the report layout. See Anchor
for more information.

FortiAnalyzer Chart Select to insert a FortiAnalyzer chart. See Charts for more information.

FortiAnalyzer Macro Select to insert a FortiAnalyzer macro. See Macros for more information.

Paragraph Format Select the paragraph format from the drop-down list. Select one of the following: Normal,
Heading 1, Heading 2, Heading 3, Heading 4, Heading 5, Heading 6, Formatted, or
Address.

Font Name Select the font from the drop-down list. Select one of the following: Arial, Comic Sans MS,
Courier New, Georgia, Lucida Sans Unicode, Tahoma, Times New Roman, Trebuchet MS,
or Verdana.

Font Size Select the font size from the drop-down list. Select a size ranging from 8 to 72.

Bold Select the text fragment and then select the Bold button in the toolbar. Alternatively, use
the Ctrl+B keyboard shortcut to apply bold formatting to a text fragment.

Italic Select the text fragment and then select the Italic button in the toolbar. Alternatively, use
the Ctrl+I keyboard shortcut to apply italics formatting to a text fragment.

Underline Select the text fragment and then select the Underline button in the toolbar. Alternatively,
use the Ctrl+U keyboard shortcut to apply underline formatting to a text fragment.

Strike Through Select the text fragment and then select the Strike Through button in the toolbar.

Subscript Select the text fragment and then select the Subscript button in the toolbar.

Superscript Select the text fragment and then select the Superscript button in the toolbar.

Text Color You can change the color of text in the report by using a color palette. To choose a
color, select a text fragment and press the Text Color toolbar button. The Text Color
drop-down menu that will open lets you select a color from a basic palette of 40
shades.

If the color that you are after is not included in the basic palette, click the More Colors
option in the drop-down menu. The Select Color dialog window that will open lets you
choose a color from an extended palette.

Background Color You can also change the color of the text background.

Insert/Remove Select to insert or remove a numbered list.

Numbered List

Administration Guide 222

Fortinet Technologies Inc.
Reports Report layouts

Insert/Remove Bulleted Select to insert or remove a bulleted list.

List

Decrease Indent To decrease the indentation of the element, select the Decrease Indent toolbar button. The
indentation of a block-level element containing the cursor will decrease by one tabulator
length.

Increase Indent To increase the indentation of the element, select the Increase Indent toolbar button. The
block-level element containing the cursor will be indented with one tabulator length.

Block Quote Block quote is used for longer quotations that are distinguished from the main text by left
and right indentation. It is recommended to use this type of formatting when the quoted text
consists of several lines or at least 100 words.

Align Left When you align your text left, the paragraph is aligned with the left margin and the text is
ragged on the right side. This is usually the default text alignment setting for the languages
with left to right direction.

Center When you center your text, the paragraph is aligned symmetrically along the vertical axis
and the text is ragged on the both sides. This setting is often used in titles or table cells.

Align Right When you align your text right, the paragraph is aligned with the right margin and the text is
ragged on the left side. This is usually the default text alignment setting for the languages
with right to left direction.

Justify When you justify your text, the paragraph is aligned with both left and right margin; the text
is not ragged on any side. Instead of this, additional spacing is realized through flexible
amount of space between letters and words that can stretch or contract according to the
needs.

Remove Format Select to remove formatting.

The following options are available in the right-click menu:

Cut Select text or a report element, right-click and select cut in the menu.

Copy Select text or a report element, right-click and select copy in the menu.

Paste Select a location in the report layout, right-click and select paste in the menu.

Cell Right-click a table in the layout and select to edit cell settings including: inserting cells, delet-
ing cells, merge, split, and cell properties.

223 Administration Guide

Fortinet Technologies Inc.
 Report layouts Reports

Row Right-click a table in the layout and select to edit row settings including: inserting rows and
deleting rows.

Column Right-click a table in the layout and select to edit column settings including: inserting
columns and deleting columns.

Delete Table Right-click a table in the layout and select to delete the table.

Chart Properties Right-click a chart in the layout to edit the chart properties including: chart selection, title,
width, and filters.

Table Properties Right-click a table in the layout to edit the table properties including the following: rows,
width, columns, height, headers, cell spacing, border size, cell pading, alignment, caption,
and summary.

Image Properties Right-click an image in the layout to edit the image properties including: image selection,
width, height, lock ratio, reset size, and alternative text.

Macro Properties Right-click a macro in the layout to edit the macro.

Edit Link Right-click a link in the layout to edit the link properties including: link type, protocol, and
URL.

Unlink Right-click a link in the layout and select to remove the link.

Edit Anchor Right-click an anchor in the layout and select to edit anchor properties.

Remove Anchor Right-click an anchor in the layout and select to remove the anchor.

Inserting images

To insert an image in the report layout, select the Image button in the toolbar. The Image Properties dialog window
opens and you can set configuration options that define image source, its size, display properties, and other advanced
properties.

Image properties

Administration Guide 224

Fortinet Technologies Inc.
 Reports Report layouts

The following options are available:

Browse Select and browse to the image you want to insert into the report layout.

Width Enter the width of the image in pixels.

Height Enter the height of the image in pixels.

Lock Ratio Select to lock the ratio.

Reset Size Select to reset the size.

Alternative Text Enter a short textual description of the image that tells users with assistive devices (like
screen readers) what the image is about.

Creating a table

To create a table in the report layout, select the Table button in the toolbar. The Table Properties dialog window
opens and you can set configuration options that define table size, its display properties, and other advanced
properties.

Table properties

The following options are available:

Rows Enter the number of rows in the table.

Width Enter the width of the table in pixels or a percent value

225 Administration Guide

Fortinet Technologies Inc.
 Report layouts Reports

Columns Enter the number of columns in the table.

Height Enter the height of the table in pixels.

Headers Select the header from the drop-down list. Select one of: None, First Row, First Column,
Both.

Cell spacing Enter a value for the space between individual cells as well as cells and table borders, in
pixels.

Border size Enter a value for the thickness of the table border in pixels.

Cell padding Enter a value for the space between the cell border and its contents, in pixels.

Alignment Select the alignment from the drop-down list. Select one of: Left, Center, Right.

Caption Enter the label of the table that will displayed at the top of the table.

Summary Enter a short textual summary of the table that tells users with assistive devices (like
screen readers) what the table is about.

Link

Select the Link button in the toolbar to open the Link dialog window. You can select to insert a URL, a link to an anchor
in the text, or an email address.

Links

The following options are available:

Link Type Select the link type from the drop-down list. Select one of: URL, Link to anchor in text, E-
mail.

Administration Guide 226

Fortinet Technologies Inc.
 Reports Report layouts

URL Select the protocol (http://, https://, ftp://, news://, <other>) and enter the URL in text field.

Link to anchor in text Select an anchor by anchor name or by element ID.

E-mail Enter the email address, message subject, and message body.

Anchor
1. Select the Anchor button in the toolbar. The Anchor Properties dialog windows will appear. Enter an anchor name
in the text field. Once you select OK, an anchor icon will appear in the report layout. You can then create a link to
the anchor by select the Link button.
2. Right-click an anchor to edit or delete the anchor.

Charts

Chart elements can be placed in the report template. The chart content can be filtered, and the chart content can be
edited.

To add a chart:

1. Click the FortiAnalyzer chart icon. The Chart Properties dialog box will open.

Add a new chart

The following options are available:

Chart Select the chart from the drop-down list. Search for the chart by entering all or part of the chart
name into the Search field.

Title Optionally, change the chart title.

227 Administration Guide

Fortinet Technologies Inc.
 Chart library Reports

Width Select the chart width. Type a value between 280 and 720.

Filters Select to add filters. For each filter, select the field, and operator from the drop-down lists, then
enter or select the values as applicable.
Filters vary based on device type.

2. Select OK once you have found and selected the chart you would like to add.

The chart’s placeholder will appear. You can drag-and-drop the chart to a new location in the report layout.

To add additional chart filters:

1. Select the chart, right-click, and select Chart Properties in the menu. Alternatively, double-click on the chart. The
Chart Properties dialog box will open.
2. Add charts filters to the chart as needed.
3. Select OK to apply the filters to the chart and return to the report layout page.

To edit a chart:

1. Select the chart, right-click, and select Chart Properties in the menu. Alternatively, double-click on the chart. The
Chart Properties dialog box will open.
2. Edit the chart as needed.
3. Select OK to apply your changes.

Macros

FortiAnalyzer macro elements can be added to the report template. Select the Macro button in the toolbar and select
the macro from the drop-down list. Right-click an existing macro to open macro properties.

Chart library

The FortiAnalyzer unit provides a selection of predefined charts. New charts can be created using the custom chart
wizard, by cloning and editing an existing chart, or by using the advanced chart creation option. You can select to
display predefined chart, custom charts, or both.

To view a listing of the available predefined charts, see Appendix A: Charts, Datasets, & Macros.

For advanced users, right-click the right content pane and select Create New to create SQL based charts. See To
create a new chart:.

Charts are predefined to show specific information in an appropriate format, such as pie charts or tables. They are
organized into categories, and can be added to, removed from, and organized in reports.

To view the chart library, go to Reports > Chart Library.

Chart library

Administration Guide 228

Fortinet Technologies Inc.
Reports Chart library

The following information is displayed:

Name The name of the chart. Click the column header to sort entries in the table by name.

Description The chart description. Click the column header to sort entries in the table by description.

Category The chart category. Click the column header to sort entries in the table by category.

Search Enter a search term in the search field to find a specific chart.

Pagination Adjust the number of entries that are listed per page and browse through the pages.

The following options are available in the toolbar:

Wizard Launch the custom chart wizard. This option is only available for FortiGate and FortiCarrier
ADOMs. See Custom chart wizard.

Create New Create a new chart. For FortiGate and FortiCarrier ADOMs, this option is only available
from the right-click menu. See To create a new chart:.

Edit Select to edit a chart. This option is only available for custom charts. See To edit a chart:.

View Select to view chart details. This option is only available for predefined charts, as they can-
not be edited.

Delete Select to delete a chart. This option is only available for custom charts. See To delete
charts:.

229 Administration Guide

Fortinet Technologies Inc.
 Chart library Reports

Clone Select to clone an existing chart. See To clone a chart:.

Show Predefined Select to display predefined charts.

Show Custom Select to display custom charts.

Custom chart wizard

The custom chart wizard is a step by step guide to help you create custom charts. It is only available for FortiGate and
FortiCarrier ADOMs.

To start the custom chart wizard, go to Reports > Chart Library, and select Wizard in the toolbar. Follow the steps in
the chart wizard, outlined below, to create a custom chart.

Select the Tutorial icon on any of the wizard windows to view the online chart wizard video.

Step 1 of 3 - Choose data

Configure the data that the custom chart will use.

Choose data

Configure the following settings, then select Next to proceed to the next step:

Log Type Select either Traffic Log or Event Log.

Administration Guide 230

Fortinet Technologies Inc.
Reports Chart library

Group by Select how the data are grouped. Depending on the chart type selected in step 3, this selec-
tion will relate to Column 1 (Table), the Y-axis (Bar and Line graphs), or the Legend (Pie
chart). See Step 3 of 3 - Preview.
The available options will vary depending on the selected log type:
l Traffic log: Application Category, Application ID, Application Name, Attack,
Destination Country, Destination Interface, Destination IP, Device Type, Source
Interface, Source IP, Source SSID, User, Virus, VPN, VPN Type, Web Category,
or Website (Hostname).
l Event log: VPN Tunnel, or Remote IP.

Aggregate by Select how the data is aggregated. Depending on the chart type selected in step 3, this
selection will relate to Column 2 (Table), the X-axis (Bar and Line graphs), or the Value (Pie
chart). See Step 3 of 3 - Preview.
The following options are available: Duration, Received Bytes, Sent Bytes, Total Bytes,
Total Sessions or Total Blocked Sessions (Traffic log only).

Show Select how much data to show in the chart from the drop-down list. One of the following:
Top 5, Top 10, Top 25, Top 50, or Top 100.

Step 2 of 3 - Add filters

You can add one or more filters to the chart. These filters will be permanently saved to the dataset query.

Add filters page

Configure the following settings:

231 Administration Guide

Fortinet Technologies Inc.
Chart library Reports

Match Select All to filter data based on all of the added conditions, or select Any of the Fol-
lowing Conditions to filter the data based on any one of the conditions.

Add Select to add filters. For each filter, select the field, and operator from the drop-down
lists, then enter or select the value as applicable.
Filters vary based on device type.
The available filters vary depending on the log type selected.
Select the delete icon to remove a filter.

Destination Interface This filter is available for traffic logs only.

The available operators are: Equals, Not Equal, Contains, and Not Contain.

Destination IP This filter is available for traffic logs only.

The available operators are: Equals, Not Equal, and Range. If Range is selected, enter
the starting and ending IP address in the value fields.

Security Action This filter is available for traffic logs only.

The available operators are: Equals and Not Equal. The value is always Pass Through.

Security Event Select Equals or Not Equal from the second drop-down list. Select one of the below
options from the third drop-down list.This filter is available for traffic logs only.
The value can be one of the following: Analytics, Application Control, AV Error, Banned
Word, Command Block, DLP, File Filter, General Mail Log, HTML Script Virus, IPS,
MIME Fragmented, MMS Checksum, MMS Dupe, MMS Endpoint, MMS Flood, MAC
Quarantine, Oversize, Script Filter, Spam Filter, SSH Block, SSH Log, Switching Pro-
tocols, Virus, VOIP, Web Content, Web Filter, or Worm.

Service This filter is available for both traffic and event logs.
The available operators are: Equals, Not Equal, Contains, and Not Contain.

Source Interface This filter is available for traffic logs only.

The available operators are: Equals, Not Equal, Contains, and Not Contain.

Source IP This filter is available for traffic logs only.

The available operators are: Equals, Not Equal, and Range. If Range is selected, enter
the starting and ending IP address in the value fields.

User This filter is available for both traffic and event logs.
The available operators are: Equals, Not Equal, Contains, and Not Contain.

Step 3 of 3 - Preview
The preview page allows you to select the chart type and rename the custom chart.

Preview page

Administration Guide 232

Fortinet Technologies Inc.
 Reports Chart library

Configure the following settings:

Chart Type Select the chart type in the drop-down list; one of the following: Bar, Line, Pie, or Table.
Depending on the chart settings configured in the previous two steps, the available options
may be limited.

Column 1 / Y-axis / Displays the Group by selection. See Group by. The field varies depending on the chart
Legend type.

Column 2 / X-axis / Displays the Aggregate by selection. See Aggregate by. The field varies depending on the
Value chart type.

Name Displays the default name of the custom chart. This field can be edited.

Select Finish to finish the wizard and create the custom chart. The custom chart will be added to the chart table and
will be available for use in report templates.

Managing charts

Predefined charts can be viewed and cloned. Custom charts can be created, edited, cloned, and deleted.

To create a new chart:

1. In the chart library:

l If you are creating a chart in a FortiGate or FortiCarrier ADOM: right-click in the content pane and select Create
New.

233 Administration Guide

Fortinet Technologies Inc.
Chart library Reports

l If you are creating a chart in any other ADOM: select Create New in the toolbar.

The New Chart dialog box opens.

Create new chart

2. Select the Tutorial icon to view the online chart creation video.
3. Enter the required information for the new chart.

Name Enter a name for the chart.

Description Enter a description of the chart.

Dataset Select a dataset from the drop-down list. See Dataset for more inform-
ation. The options will vary based on device type.

Graph Type Select a graph type from the drop-down list; one of: table, bar, pie, or
line. This selection will affect the rest of the available selections.

Line Subtype Select one of the following options: basic, stacked, or back-to-back.
This option is only available when creating a line graph.

Resolve Hostname Select to resolve the hostname. Select one of the following: Inherit,
Enabled, or Disabled.

Data Bindings The data bindings vary depending on the chart type selected.

bar, pie, or line graphs

Administration Guide 234

Fortinet Technologies Inc.
Reports Chart library

X-Axis Data Binding: Select a value from the drop-down list. The available
options will vary depending on the selected dataset.
Only Show First: Enter a numerical value. Only the first ‘X’ items will be
displayed. Other items are bundled into the Others category.
Overwrite label: Enter a label for the axis.

Y-axis Data Binding: Select a value from the drop-down list. The available
options will vary depending on the selected dataset.
Overwrite label: Enter a label for the axis.
Group by: Select a value from the drop-down list. The available options
will vary depending on the selected dataset. This option is only available
when creating a bar graph.

Order By Select to order by the X-Axis or Y-Axis. This option is only available when
creating a line or bar graph.

table

Only Show First Items Enter a numerical value. Only the first ‘X’ items will be displayed. Other
items are bundled into the Others category. This option is available for all
columns when Data Type is set to raw. When Data Type is set to ranked,
this option is available in Column 1.

Data Type Select either ranked or raw.

Add Column Select add column icon to add a column.

Columns Up to fifteen columns can be added. The following column settings must
be set: Header: Enter header information.
l Data Binding: Select a value from the drop-down list. The options
vary depending on the selected dataset.
l Display: Select a value from the drop-down list.
l Merge Columns: Select a value from the drop-down list. This
option is only available when Data Type is raw. If applicable,
enter a Merge Header.
l Order by this column: Select to order the table by this column.
This option is only available in Column 1 when Data Type is
ranked.

Select OK to create the new chart.

235 Administration Guide

Fortinet Technologies Inc.
 Macro library Reports

To clone a chart:

1. In the chart library, select the chart that you would like to clone and select Clone from either the toolbar or right-
click menu. The Clone Chart dialog box opens.
2. Edit the information as needed, then select OK to clone the chart.

To edit a chart:

1. In the chart library, double-click on the custom chart you need to edit, or select the chart then select Edit from
either the toolbar or right-click menu. The Edit Chart dialog box opens.
2. Edit the information as required, then select OK to finish editing the chart.

Predefined charts cannot be edited, the information is read-only. A predefined chart can be
cloned, and changes can then be made to said clone. See To clone a chart:.

To delete charts:

1. In the chart library, select the custom chart or charts that you would like to delete and select Delete from either the
toolbar or right-click menu.
2. Select OK in the confirmation dialog box to delete the chart or charts.

Predefined charts cannot be deleted.

Macro library

The FortiAnalyzer unit provides a selection of predefined macros. You can create new macros and clone existing
macros. You can select to display predefined macros, custom macros, or both.

To view a listing of the available predefined macros, see Appendix A: Charts, Datasets, & Macros.

Macros are predefined to use specific datasets and queries. They are organized into categories, and can be added to,
removed from, and organized in reports.

Administration Guide 236

Fortinet Technologies Inc.
Reports Macro library

Macros are currently supported in FortiGate and FortiCarrier ADOMs only.

To view the macro library, go to Reports > Macro Library.

Macro library

The following information is available:

Name The name of the macro.

Description The macro description.

Category The macro category.

Pagination Adjust the number of entries that are listed per page and browse through the pages.

The following options are available in the toolbar:

Create New Create a new macro. This option is only available from the right-click menu. See To create a
new macro:.

Edit Select to edit a macro. This option is only available for custom macros. See To view a pre-
defined macro:.

237 Administration Guide

Fortinet Technologies Inc.
Macro library Reports

View Select to view macro details. This option is only available for predefined macros, as they can-
not be edited.

Delete Select to delete a macro. This option is only available for custom macros. See To delete
macros:.

Clone Select to clone an existing macro. See To clone a macro:.

Show Predefined Select to display predefined macros.

Show Custom Select to display custom macros.

Search Enter a search term in the search field to find a specific macros.

Managing macros

Predefined macros can be viewed and cloned. Custom macros can be created, edited, cloned, and deleted. You can
insert macros into text elements in the report layout.

To create a new macro:

1. In the macro library, select Create New in the toolbar or right-click in the content pane and select Create New.

The New Macro dialog box opens.

Create new macro

2. Enter the required information for the new macro.

Name Enter a name for the macro.

Description Enter a description of the macro.

Administration Guide 238

Fortinet Technologies Inc.
Reports Macro library

Dataset Select a dataset from the drop-down list. See Dataset for more information. The
options will vary based on device type.

Query Displays the query statement for the dataset selected.

Data Binding The data bindings vary depending on the dataset selected. Select a data binding from
the drop-down list.

Display Select a value from the drop-down list.

3. Select OK to create the new macro.

To clone a macro:

1. In the macro library, select the macro that you would like to clone and select Clone from either the toolbar or right-
click menu. The Clone Macro dialog box opens.
2. Edit the information as needed, then select OK to clone the macro.

To view a predefined macro:

1. In the macro library, double-click on the predefined macro you would like to view, or select the macro then select
View from either the toolbar or right-click menu. The View Macro dialog box opens. All fields are read-only.
2. Select Close when you are finished.

To edit a macro:

1. In the macro library, double-click on the custom macro you need to edit, or select the macro then select Edit from
either the toolbar or right-click menu. The Edit Macro dialog box opens.

Edit macro

2. Edit the information as required, then select OK to finish editing the macro.

239 Administration Guide

Fortinet Technologies Inc.
Report calendar Reports

To delete macros:

1. In the macro library, select the custom macro or macros that you would like to delete and select Delete from either
the toolbar or right-click menu.
2. Select OK in the confirmation dialog box to delete the macro or macros.

Predefined macros cannot be deleted.

Report calendar

The report calendar provides an overview of scheduled reports. You can view all reports scheduled for the selected
month. From the calendar page, you can edit and disable upcoming reports, and delete or download completed
reports.

To view the report calendar, go to Reports > Report Calendar.

Report calendar

Hovering the mouse cursor over a scheduled report on the calendar opens a notification box that shows the report’s
name and status, as well as the device type.

Selecting the left and right arrows at the top of the calendar page will adjust the month that is shown. Select Today to
return to the current month.

Administration Guide 240

Fortinet Technologies Inc.
 Reports Advanced

To edit a report schedule:

1. Right-click on the scheduled report in the report calendar and select Edit. The Edit Report window will open. See
Report page.
2. Edit the report settings as required, then select Apply to apply the changes.

To disable a scheduled report:

1. Right-click the scheduled report and select Disable from the right-click menu.
2. In the confirmation box, select OK.

Disabling a report will remove all scheduled instances of the report from the report calendar. Completed reports will
remain in the report calendar.

To delete a scheduled report:

1. Right-click the scheduled report that you would like to delete and select Delete. Only scheduled reports that have
already been run can be deleted.
2. Select OK in the confirmation dialog box to delete the scheduled report.

To download a report:

1. Right-click the scheduled report that you would like to download and select Download. Only scheduled reports
that have already been run can be downloaded.
2. Depending on your web browser and management computer settings, save the file to your computer, or open the
file in an applicable program.

Reports are downloaded as PDF files.

Advanced

The advanced menu allows you to view, configure and test datasets, create output profiles, and manage report
languages.

Dataset

FortiAnalyzer datasets are collections of log files from monitored devices. Reports are generated based on these
datasets.

To view a listing of the available predefined datasets, see Appendix A: Charts, Datasets, & Macros.

Predefined datasets for each supported device type are provided, and new datasets can be created and configured.
Both predefined and custom datasets can be cloned, but only custom datasets can be deleted. You can also view the
SQL query for a dataset, and test the query against specific devices or all devices.

To view and configure datasets, go to Reports > Advanced > Dataset in the tree menu.

Datasets

241 Administration Guide

Fortinet Technologies Inc.
Advanced Reports

The following information is displayed:

Name The name of the dataset.

Device Type The device type that the dataset applies to.

Log Type The type of log that the dataset applies to.

Pagination Adjust the number of logs that are listed per page and browse through the pages.

The following options are available in the toolbar:

Create New Select to create a new dataset. See To create a new dataset:.

View Select to view the dataset. View is only available for pre-defined datasets.

Edit Select to edit an existing dataset. See To edit a dataset:.

Delete Select to delete a dataset. See To delete datasets:.

Clone Select to clone an existing dataset. See To clone a dataset:.

Search Use the search field to find a specific dataset.

The following options are available in the right-click menu:

Administration Guide 242

Fortinet Technologies Inc.
Reports Advanced

Create New Select to create a new dataset. See "Reports" on page 243.

View Select a dataset, right-click, and select View to view the dataset selected. View is only avail-
able for pre-defined datasets.

Delete Select a custom dataset, right-click, and select Delete to remove the custom dataset. You
cannot delete pre-defined datasets.

Clone Select a custom dataset, right-click, and select Clone to clone the dataset.

Validate Select a custom dataset, right-click, and select Validate to validate the selected dataset. A
validation result dialog box will be displayed with the results.

Validate All Custom Right-click in the right pane and select Validate All Custom to validate all custom datasets.
A validation result dialog box will be displayed with the results.

To create a new dataset:

1. In the dataset list, either select Create New from the toolbar, or right-click in the dataset list and select Create
New from the pop-up menu. The New Dataset dialog box opens.

Create a new dataset

2. Enter the required information for the new dataset.

Name Enter a name for the dataset.

243 Administration Guide

Fortinet Technologies Inc.
Advanced Reports

Log Type Select a log type from the drop-down list.

l The following log types are available for FortiGate: Application Control, Attack,
DLP Archive, DLP, Email Filter, Event, Traffic, Virus, Web Filter, and Network
Scan.
l The following log types are available for FortiMail: Email Filter, Event, History,
and Virus.
l The following log types are available for FortiWeb: Attack, Event, and Traffic.

Query Enter the SQL query used for the dataset.

Add Variable Select the add variable icon to add a variable, expression, and description information.

Test query with specified devices and time period

Devices Select All Devices or Specify to select specific devices to run the SQL query against. Use
the add device icon to add multiple devices to the query.

Time Period Use the drop-down list to select a time period. When selecting Other, enter the start date,
time, end date, and time.

Test Select Test to test the SQL query before saving the dataset configuration.

3. Test the query to ensure that the dataset functions as expected, then select OK to create the new dataset.

To clone a dataset:

1. In the dataset list, either select a dataset then select Clone from the toolbar, or right-click on the dataset then
select Clone from the pop-up menu. The Clone Dataset dialog box opens.
2. Edit the information as required, then test the query to ensure that the dataset functions as expected.
3. Select OK to create a new, cloned dataset.

To edit a dataset:

1. In the dataset list double-click on the dataset, or select the dataset then select Edit from the toolbar or right-click
menu. The Edit Dataset dialog box opens.

Edit a dataset

Administration Guide 244

Fortinet Technologies Inc.
Reports Advanced

2. Edit the information as required, then test the query to ensure that the dataset functions as expected.
3. Select OK to finish editing the dataset.

Predefined datasets cannot be edited, the information is read-only. You can view the SQL query
and variables used in the dataset and test against specific devices.

To delete datasets:

1. Select the dataset or datasets that you would like to delete, then select Delete from the toolbar or right-click
menu.
2. Select OK in the confirmation dialog box to delete the selected datasets or datasets.

Predefined datasets cannot be deleted, the information is read-only.

To view the SQL query for an existing dataset:

Hover the mouse cursor over one of the datasets in the dataset list. The SQL query is displayed in a persistent pop-up
dialog box.

SQL query pop-up window

245 Administration Guide

Fortinet Technologies Inc.
 Advanced Reports

Output profile

Output profiles allow you to define email addresses to which generated reports are sent, and provides an option to
upload the reports to FTP, SFTP, or SCP servers. Once created, an output profile can be specified for a report; see
Reports.

To view and manage output profiles, go to Reports > Advanced > Output Profile.

Output profile page

You must configure a mail server before you can configure an output profile. SeeMail server.

To create a new output profile:

1. In the output profile list, select Create New from either the toolbar or right-click menu. The New Output Profile
dialog box opens.

Create new output profile dialog box

Administration Guide 246

Fortinet Technologies Inc.
Reports Advanced

2. Enter the following information:

Name Enter a name for the new output profile.

Description Enter a description for the output profile (optional).

Email Generated Reports Enable email generated reports.

Subject Enter a subject for the report email.

Body Enter body text for the report email.

Email Recipients Select the email server from the drop-down list and enter to and from email
addresses.Select Add New to add another entry so that you can specify multiple recip-
ients.

Upload Report to Server Enable uploading the reports to a server.

Report Format Select the report format or formats. The options include PDF and HTML.

247 Administration Guide

Fortinet Technologies Inc.
Advanced Reports

Server Type Select FTP, SFTP, or SCP from the drop-down list.

Server Enter the server IP address.

User Enter the username.

Password Enter the password.

Directory Specify the directory where the report will be saved.

Delete file(s) after uploading Select to delete the report after it has been uploaded to the selected.

3. Select OK to create the new output profile.

To edit an output profile:

1. In the output profile list, double-click on the output profile that you would like to edit, or select the output profile
and select Edit from the toolbar or right-click menu. The Edit Output Profile dialog box opens.
2. Edit the information as required, then select OK to apply your changes.

To delete output profiles:

1. In the output profile list, select the output profile or profiles that you would like to delete, then select Delete from
the toolbar or right-click menu.
2. Select OK in the confirmation dialog box to delete the selected output profile or profiles.

Language

The language of the reports can be specified when creating a report (see "Reports" on page 213). New languages can
be added, and the name and description of the languages can be changed. The predefined languages cannot be
edited.

To view and manage report languages, go to Reports > Advanced > Language.

Report language

The available, pre-configured report languages include:

Administration Guide 248

Fortinet Technologies Inc.
Reports Advanced

English (default report language) Portuguese

French Simplified Chinese

Japanese Spanish

Korean Traditional Chinese

To add a language:

1. In the report language list, select Create New from the toolbar or right-click menu. The New Language dialog box
opens.

Create a new language

2. Enter a name and description for the language in the requisite fields.
3. Select OK to add the language.

Adding a new language does not create that language. It only adds a placeholder for that lan-
guage that contains the language name and description.

To edit a language:

1. In the report language list, double-click on the language that you would like to edit, or select the language and
select Edit from the toolbar or right-click menu. The Edit Language dialog box opens.
2. Edit the information as required, then select OK to apply your changes.

Predefined languages cannot be edited; the information is read-only.

249 Administration Guide

Fortinet Technologies Inc.
Advanced Reports

To delete languages:

1. In the report language list, select the language or languages that you would like to delete and select Delete from
the toolbar or right-click menu.
2. Select OK in the confirmation dialog box to delete the selected language or languages.

Predefined languages cannot be deleted; the information is read-only.

Administration Guide 250

Fortinet Technologies Inc.
Appendix A: Charts, Datasets, & Macros

FortiGate

Predefined charts

The following table lists the predefined charts for FortiGate.

FortiGate predefined charts

Name Description Category

Active Traffic Users List of active traffic users Traffic

Admin Login Summary by Date Administrator login summary by date Event

Adware Timeline Adware timeline Virus

Application Bandwidth Usage Application bandwidth usage details Traffic

Application Risk Distribution Application risk distribution Traffic

Applications Running over HTTP Applications running over HTTP protocol Traffic

Attack Summary Intrusion events summary Attack

Attacks Over HTTP/HTTPs Intrusions over HTTP or HTTPs Attack

Bandwidth Summary Traffic bandwidth usage summary Traffic

Botnet Timeline Botnet timeline Traffic

Botnet Victims Botnet victims Traffic

Browsing Time Summary Browsing time summary Traffic

Browsing Time Summary Enhanced Enhanced browsing time summary Traffic

CPU Session Usage CPU session usage Event

CPU Usage CPU usage Event

Detailed Web Browsing Log Detailed browsing log of web Traffic

251 Administration Guide

Fortinet Technologies Inc.
FortiGate Appendix A: Charts, Datasets, & Macros

Name Description Category

Detected Botnets Detected botnets Traffic

Detected OS Count Detected operating system count Traffic

Distribution of SIP Calls by Duration Distribution of SIP calls by duration DLP Archive

Hourly Category and Website Hits Hourly category and website hits Traffic

Intrusions Timeline Intrusions timeline by severity Attack

Managed AP Summary Pie Chart Managed wireless access point summary by Event
status pie chart

Memory Usage Memory usage Event

Number of Applications by Risk Behaviour Number of applications by risk behaviour Traffic

Number of Distinct WiFi Clients Number of distinct WiFi clients Traffic

Number of SCCP Call Registrations by Hour-of- Number of SCCP call registrations by hour of DLP Archive
Day day

Number of SCCP Calls by Status Number of SCCP calls by status DLP Archive

Number of SIP Call Registrations by Hour-of- Number of SIP call registrations by hour of day DLP Archive
Day

Number of SIP Calls by Status Number of SIP calls by status DLP Archive

Off-Wire Rogue APs Rogue off-wire wireless access points Event

SCCP Call Duration by Hour-of-Day SCCP call duration by hour of day DLP Archive

Session History Graph Session history graph Traffic

Session Summary Session summary Traffic

Session Usage Session usage Event

Spyware Timeline Spyware timeline Virus

System Events Summary by Date System events summary by date Event

Threat Incident Summary Number of incidents for all users and devices Traffic

Administration Guide 252

Fortinet Technologies Inc.
Appendix A: Charts, Datasets, & Macros FortiGate

Name Description Category

Threat Score Summary Threat score summary for all users and devices Traffic

Top 10 Destination Countries by Browsing Time Top 10 destination countries by enhanced brows- Traffic
Enhanced ing time

Top 100 Critical Severity System Events Top 100 critical severity system events Event

Top 100 High Severity System Events Top 100 high severity system events Event

Top 100 Medium Severity System Events Top 100 medium severity system events Event

Top 100 Off-Wire Accepted APs Top 100 off-wire accepted wireless access Event
points

Top 100 Off-Wire Suppressed APs Top 100 suppressed off-wire wireless access Event
points

Top 100 Off-Wire Unclassified APs Top 100 unclassified off-wire wireless access Event
points

Top 100 On-Wire Accepted APs Top 100 on-wire accepted wireless access Event
points

Top 100 On-Wire Rogue APs Top 100 rogue on-wire wireless access points Event

Top 100 On-Wire Suppressed APs Top 100 suppressed on-wire wireless access Event
points

Top 100 On-Wire Unclassified APs Top 100 unclassified on-wire wireless access Event
points

Top 100 WiFi Client Details Top 100 details of client event of wireless Event
access point

Top 15 Destination Countries by Browsing Time Top 15 destination countries by browsing time Traffic

Top 15 Websites by Browsing Time Top 15 websites by browsing time Traffic

Top 20 Admin Login Summary Top 20 login summary of administrator Event

Top 20 Allowed Web Categories Top 20 allowed web filtering categories Web Filter

Top 20 Application Categories by Bandwidth Top 20 application categories by bandwidth Web Filter
usage

253 Administration Guide

Fortinet Technologies Inc.
FortiGate Appendix A: Charts, Datasets, & Macros

Name Description Category

Top 20 Bandwidth Users Top 20 web users by bandwidth users Web Filter

Top 20 Blocked Intrusions Top 20 blocked intrusions Attack

Top 20 Blocked Web Categories Top 20 blocked web filtering categories Web Filter

Top 20 Category and Applications by Bandwidth Top 20 category and applications by bandwidth Traffic
usage

Top 20 Category and Applications by Sessions Top 20 category and applications by session Traffic
count

Top 20 Category and Websites by Bandwidth Top 20 category and websites by bandwidth Traffic
usage

Top 20 Category and Websites by Sessions Top 20 category and websites by session count Traffic

Top 20 Critical Severity Intrusions Top 20 critical severity intrusions Attack

Top 20 Failed Admin Logins Top 20 failed logins of administrator Event

Top 20 High Risk Applications Top 20 high risk applications Traffic

Top 20 High Severity Intrusions Top 20 high severity intrusions Attack

Top 20 Intrusion Sources Top 20 intrusion sources Attack

Top 20 Intrusion Victims Top 20 intrusion victims Attack

Top 20 Intrusions by Types Top 20 intrusions by types Attack

Top 20 Low Severity Intrusions Top 20 low severity intrusions Attack

Top 20 Medium Severity Intrusions Top 20 medium severity intrusions Attack

Top 20 Monitored Intrusions Top 20 monitored intrusions Attack

Top 20 Users by Bandwidth Top 20 users by bandwidth usage Traffic

Top 20 Users or Sources by Sessions Top 20 users or sources by session count Traffic

Top 20 Virus Victims Top 20 virus victims Traffic

Top 20 Viruses Top 20 viruses detected Traffic

Administration Guide 254

Fortinet Technologies Inc.
Appendix A: Charts, Datasets, & Macros FortiGate

Name Description Category

Top 20 Web Categories by Bandwidth and Ses- Top 20 web filtering categories by bandwidth Traffic
sions usage and session count

Top 20 Web Domains by Visits Top 20 visited web domains by number of visits Traffic

Top 20 Web Users by Requests Top 20 web users by number of requests Traffic

Top 30 Application Categories by Bandwidth Top 30 application categories by bandwidth Traffic

usage

Top 30 Applications by Bandwidth and Sessions Top 30 applications by bandwidth usage and Traffic
session count

Top 30 Destinations by Bandwidth and Sessions Top 30 destinations by bandwidth usage and Traffic
session count

Top 30 Key Applications Top 30 key applications crossing the network Traffic

Top 30 Users by Bandwidth and Sessions Top 30 users by bandwidth usage and session Traffic
count

Top 5 Attacks by Severity Top 5 attacks by severity Attack

Top 5 IPS Events by Severity Top 5 intrusion protection events by severity Attack

Top 5 System Events by Severity Top 5 system events summary by severity Event

Top 5 Users by Bandwidth Top 5 users by bandwidth usage Traffic

Top 50 Allowed Websites Top 50 allowed websites by number of requests Web Filter

Top 50 Allowed Websites by Requests Top 50 allowed websites by number of requests Traffic

Top 50 Websites and Category by Bandwidth Top 50 websites and web filtering categories by Web Filter
bandwidth usage

Top 50 Websites by Browsing Time Top 50 websites by browsing time Traffic

Top 50 Websites by Browsing Time Enhanced Top 50 websites by enhanced browsing time Traffic

Top 500 Allowed Applications by Bandwidth Top 500 allowed applications by bandwidth Traffic
usage

Top 500 Blocked Applications by Sessions Top 500 blocked applications by session count Traffic

255 Administration Guide

Fortinet Technologies Inc.
FortiGate Appendix A: Charts, Datasets, & Macros

Name Description Category

Top 500 Websites by Bandwidth Top 500 website sessions by bandwidth usage Traffic

Top Adware Top 10 adware Virus

Top Adware Sources Top 10 adware sources Traffic

Top Adware Victims Top 10 adware victims Virus

Top Allowed Websites by Bandwidth Top 10 allowed websites by bandwidth usage Traffic

Top Application Categories Bandwidth Pie Chart Top 10 application categories by bandwidth Traffic
usage pie chart

Top Application Categories by Bandwidth Top 10 application categories by bandwidth Traffic

usage

Top Application Vulnerabilities Top 10 application vulnerabilities discovered Network Scan

Top Applications by Bandwidth Top 10 applications by bandwidth usage Traffic

Top Applications by Sessions Top 10 applications by session count Traffic

Top Applications by WiFi Traffic Top 10 applications by WiFi bandwidth usage Traffic

Top APs by Bandwidth Top 10 wireless access points by WiFi band- Traffic
width usage

Top APs by WiFi Clients Top 10 wireless access points by number of cli- Traffic
ents via WiFi

Top Attack Sources Top 10 attack sources Attack

Top Attack Victims Top 10 attack victims Attack

Top Attacks Top 10 intrusions Attack

Top Authenticated VPN Logins Top 10 authenticated VPN logins Event

Top Blocked Attacks Top 10 blocked intrusions Attack

Top Blocked SCCP Callers Top 10 blocked SCCP callers Application

Control

Administration Guide 256

Fortinet Technologies Inc.
Appendix A: Charts, Datasets, & Macros FortiGate

Name Description Category

Top Blocked SIP Callers Top 10 blocked SIP callers Application

Control

Top Blocked Web Users Top 10 blocked web users Traffic

Top Blocked Websites Top 10 blocked websites by number of requests Traffic

Top Blocked Websites and Categories Top 10 blocked web filtering websites and cat- Web Filter
egories by number of requests

Top Botnet Infected Hosts Top 10 botnet infected hosts Traffic

Top Botnet Sources Top 10 botnet sources Traffic

Top Botnets by Sources Top 10 botnets by sources Traffic

Top Critical Severity IPS Events Top 10 critical severity intrusion protection Attack
events

Top Destination Countries by Browsing Time Top 10 destination countries by browsing time Traffic

Top Destination Countries by Browsing Time Top destination countries by browsing time Traffic
Enhanced

Top Destinations by Bandwidth Top 10 destination addresses by bandwidth Traffic

usage

Top Destinations by Sessions Top 10 destination addresses by session count Traffic

Top Device Types by WiFi Clients Top 10 device types by number of clients via Traffic
WiFi

Top Device Types by WiFi Traffic Top 10 device types by WiFi bandwidth usage Traffic

Top Devices by Increased Threat Scores Top 10 devices by increased threat scores for Traffic
last two periods

Top Devices by Threat Score Top 10 devices by threat score in risk Traffic

Top Devices by Threat Scores Top 10 devices by threat scores Traffic

Top DHCP Summary by Interfaces Top 10 DHCP summary by interfaces Event

257 Administration Guide

Fortinet Technologies Inc.
FortiGate Appendix A: Charts, Datasets, & Macros

Name Description Category

Top Dial-up IPsec Tunnels by Bandwidth Top 10 dial-up IPsec VPN tunnels by bandwidth Event
usage

Top Dial-up IPsec Users by Bandwidth Top 10 users of dial-up IPsec VPN by bandwidth Event
usage

Top Dial-up IPsec Users by Bandwidth and Avail- Top 10 users of dial-up IPsec VPN tunnel by Event
ability bandwidth usage and availability

Top Dial-up IPsec Users by Duration Top 10 users of dial-up IPsec VPN by duration Event

Top Dial-up VPN Users by Duration Top 10 users of dial-up SSL and IPsec VPN by Event
duration

Top DLP Events Top 10 data leak prevention events Traffic

Top Email Recipients Top 10 recipients by number of emails Traffic

Top Email Senders Top 10 senders by number of emails Traffic

Top Failed VPN Logins Top 10 failed VPN login attempts Event

Top High Severity IPS Events Top 10 high severity intrusion protection events Attack

Top Informational Severity IPS Events Top 10 informational severity intrusion pro- Attack
tection events

Top IPsec Dial-up User by Bandwidth Top 10 users of IPsec VPN dial-up tunnel by Event
bandwidth usage

Top Low Severity IPS Events Top 10 low severity intrusion protection events Attack

Top Malware Top malware detected by malware type Traffic

Top Malware Sources Top 10 malware sources by host name or IP Traffic

address

Top Managed AP Summary Top 10 managed wireless access point sum- Event
mary by status

Top Medium Severity IPS Events Top 10 medium severity intrusion protection Attack
events

Top Off-Wire AP Details Top 10 details of off-wire wireless access point Event

Administration Guide 258

Fortinet Technologies Inc.
Appendix A: Charts, Datasets, & Macros FortiGate

Name Description Category

Top Off-Wire AP Summary Top 10 default off-wire wireless access point Event
detection summary by status

Top Off-Wire AP Summary Pie Chart Top 10 off-wire wireless access point detection Event
summary by status pie chart

Top On-Wire AP Details Top 10 details of on-wire wireless access point Event

Top On-Wire AP Summary Top 10 default on-wire wireless access point Event
detection summary by status

Top On-Wire AP Summary Pie Chart Top 10 default on-wire wireless access point Event
detection summary by status pie chart

Top OS by WiFi Clients Top 10 operating systems by number of clients Traffic

via WiFi

Top OS by WiFi Traffic Top 10 operating systems by WiFi bandwidth Traffic

usage

Top Recipients by Aggregated Email Size Top 10 recipients by aggregated email size Traffic

Top Search Phrases Top 10 search filtering phrases Web Filter

Top Senders by Aggregated Email Size Top 10 senders by aggregated email size Traffic

Top Site-to-Site IPsec Tunnels by Bandwidth Top 10 site-to-site IPsec VPN tunnels by band- Event
width usage

Top Site-to-Site IPsec Tunnels by Bandwidth Top 10 Site-to-Site IPsec tunnels by bandwidth Event
and Availability usage and availability

Top Spyware Top 10 spyware Virus

Top Spyware Sources Top 10 spyware sources Traffic

Top Spyware Victims Top 10 spyware victims Virus

Top SSIDs by Bandwidth Top 10 SSIDs by WiFi bandwidth usage Traffic

Top SSIDs by WiFi Clients Top 10 SSIDs by number of clients via WiFi Traffic

Top SSL Tunnel Users by Bandwidth Top 10 users of SSL VPN tunnel by bandwidth Event
usage

259 Administration Guide

Fortinet Technologies Inc.
FortiGate Appendix A: Charts, Datasets, & Macros

Name Description Category

Top SSL Tunnel Users by Bandwidth and Avail- Top 10 users of SSL VPN tunnel by bandwidth Event
ability usage and availability

Top SSL Users by Duration Top 10 users of SSL VPN web portal and tunnel Event
by duration

Top SSL VPN Sources by Bandwidth Top 10 users of SSL VPN tunnel by bandwidth Event
usage

Top SSL Web Portal Users by Bandwidth Top 10 users of SSL VPN web portal by band- Event
width usage

Top SSL Web Portal Users by Bandwidth and Top 10 users of SSL web portal by bandwidth Event
Availability usage and availability

Top Unclassified AP Summary Top 10 unclassified wireless access point sum- Event
mary by status

Top Users Browsing Time Bar Chart Top 10 users by estimated web browsing time Traffic
bar chart

Top Users Browsing Time Enhanced Top 10 users by enhanced estimated web brows- Traffic
ing time

Top Users by Bandwidth Top 10 users by bandwidth usage Traffic

Top Users by Browsing Time Top 10 users by estimated web browsing time Traffic

Top Users by Browsing Time Enhanced Top users by enhanced estimated web browsing Traffic
time

Top Users by Increased Threat Scores Top 10 users by increased threat scores for last Traffic
2 periods

Top Users by Sessions Top 10 users by session count Traffic

Top Users by Threat Scores Top 10 users by threat scores Traffic

Top Users Threat Score Bar Chart Top 10 users by threat score bar chart Traffic

Top Video Streaming Applications and Websites Top 10 video streaming applications and web- Traffic
by Bandwidth sites by bandwidth usage

Administration Guide 260

Fortinet Technologies Inc.
Appendix A: Charts, Datasets, & Macros FortiGate

Name Description Category

Top Video Streaming Websites by Bandwidth Top 10 video streaming websites of web filter by Web Filter
bandwidth usage

Top Virus Victims Top virus victims Traffic

Top Viruses Top 10 viruses detected Traffic

Top Web Categories by Bandwidth and Ses- Top 10 web filtering categories by bandwidth Traffic
sions usage and session count

Top Web Categories by Browsing Time Top 10 web filtering categories by browsing time Traffic

Top Web Categories by Browsing Time Top 10 web filtering categories by enhanced Traffic
Enhanced browsing time

Top Web Users by Allowed Requests Top 10 web users by number of allowed Web Filter
requests

Top Web Users by Bandwidth Top 10 web users by bandwidth usage Traffic

Top Web Users by Blocked Requests Top 10 web users by number of blocked Web Filter
requests

Top Websites by Browsing Time Enhanced Top websites by enhanced browsing time Traffic

Top WiFi Clients Bandwidth Bar Chart Top 10 WiFi clients by bandwidth usage bar Traffic
chart

Top WiFi Clients by Bandwidth Top 10 clients by WiFi bandwidth usage Traffic

Traffic History Traffic history by number of active users Traffic

Traffic Statistics Top 10 traffic statistics summary Traffic

Unclassified AP Summary Pie Chart Unclassified wireless access point summary by Event
status pie chart

User Top 500 Websites by Bandwidth Top 500 user visted websites by bandwidth Traffic
usage

User Top 500 Websites by Sessions Top 500 user visted websites by session count Traffic

Virus Timeline Virus timeline Virus

261 Administration Guide

Fortinet Technologies Inc.
 FortiGate Appendix A: Charts, Datasets, & Macros

Name Description Category

Viruses Discovered Viruses discovered Traffic

VPN Logins List of VPN user logins Event

VPN Traffic Usage Trend Bandwidth usage trend for VPN traffic Event

Web Activity Summary Web activity summary by number of requests Web Filter

WiFi Traffic Bandwidth Overall WiFi traffic bandwidth usage Traffic

Predefined datasets

The following table lists the predefined datasets for FortiGate.

FortiGate predefined datasets

Name Device Type Log Type

App-Risk-App-Usage-By-Category FortiGate Traffic

App-Risk-Application-Activity-APP FortiGate Traffic

App-Risk-Applications-Running-Over-HTTP FortiGate Traffic

App-Risk-Breakdown-Of-Risk-Applications FortiGate Traffic

App-Risk-DLP-UTM-Event FortiGate Traffic

App-Risk-High-Risk-Application FortiGate Traffic

App-Risk-Number-Of-Applications-By-Risk-Behavior FortiGate Traffic

App-Risk-Reputation-Top-Devices-By-Scores FortiGate Traffic

App-Risk-Reputation-Top-Users-By-Scores FortiGate Traffic

App-Risk-Top-Critical-Threat-Vectors FortiGate Attack

App-Risk-Top-High-Threat-Vectors FortiGate Attack

App-Risk-Top-Info-Threat-Vectors FortiGate Attack

App-Risk-Top-Low-Threat-Vectors FortiGate Attack

App-Risk-Top-Medium-Threat-Vectors FortiGate Attack

Administration Guide 262

Fortinet Technologies Inc.
Appendix A: Charts, Datasets, & Macros FortiGate

Name Device Type Log Type

App-Risk-Top-Threat-Vectors FortiGate Attack

App-Risk-Top-User-Source-By-Sessions FortiGate Traffic

App-Risk-Virus-Discovered FortiGate Traffic

App-Risk-Vulnerability-Discovered FortiGate Network Scan

App-Risk-Web-Browsing-Activity-Hostname-Category FortiGate Traffic

App-Risk-Web-Browsing-Summary-Category FortiGate Traffic

App-Sessions-By-Category FortiGate Traffic

app-Top-Allowed-Applications-by-Bandwidth FortiGate Traffic

app-Top-Blocked-Applications-by-Session FortiGate Traffic

app-Top-Category-and-Applications-by-Bandwidth FortiGate Traffic

app-Top-Category-and-Applications-by-Session FortiGate Traffic

appctrl-Top-Blocked-SCCP-Callers FortiGate Application Control

appctrl-Top-Blocked-SIP-Callers FortiGate Application Control

Application-Session-History FortiGate Traffic

bandwidth-app-Top-Dest-By-Bandwidth-Sessions FortiGate Traffic

bandwidth-app-Top-Users-By-Bandwidth FortiGate Traffic

bandwidth-app-Traffic-By-Active-User-Number FortiGate Traffic

bandwidth-app-Traffic-Statistics FortiGate Traffic

Botnet-Activity-By-Sources FortiGate Traffic

Botnet-Infected-Hosts FortiGate Traffic

Botnet-Sources FortiGate Traffic

Botnet-Timeline FortiGate Traffic

Botnet-Victims FortiGate Traffic

263 Administration Guide

Fortinet Technologies Inc.
FortiGate Appendix A: Charts, Datasets, & Macros

Name Device Type Log Type

content-Count-Total-SCCP-Call-Registrations-by-Hour-of-Day FortiGate DLP Archive

content-Count-Total-SCCP-Calls-Duration-by-Hour-of-Day FortiGate DLP Archive

content-Count-Total-SCCP-Calls-per-Status FortiGate DLP Archive

content-Count-Total-SIP-Call-Registrations-by-Hour-of-Day FortiGate DLP Archive

content-Count-Total-SIP-Calls-per-Status FortiGate DLP Archive

content-Dist-Total-SIP-Calls-by-Duration FortiGate DLP Archive

default-AP-Detection-Summary-by-Status-OffWire FortiGate Event

default-AP-Detection-Summary-by-Status-OnWire FortiGate Event

default-Email-Top-Receivers-By-Bandwidth FortiGate Traffic

default-Email-Top-Receivers-By-Count FortiGate Traffic

default-Email-Top-Senders-By-Bandwidth FortiGate Traffic

default-Managed-AP-Summary FortiGate Event

default-selected-AP-Details-OffWire FortiGate Event

default-selected-AP-Details-OnWire FortiGate Event

default-Top-Dial-Up-User-Of-Vpn-Tunnel-By-Bandwidth FortiGate Traffic

default-Top-Email-Senders-By-Count FortiGate Traffic

default-Top-IPSEC-Vpn-Dial-Up-User-By-Bandwidth FortiGate Event

default-Top-Sources-Of-SSL-VPN-Tunnels-By-Bandwidth FortiGate Event

default-Unclassified-AP-Summary FortiGate Event

Detailed-Application-Usage FortiGate Traffic

Detected-Botnet FortiGate Traffic

drilldown-Top-App-By-Bandwidth FortiGate Traffic

drilldown-Top-App-By-Sessions FortiGate Traffic

Administration Guide 264

Fortinet Technologies Inc.
Appendix A: Charts, Datasets, & Macros FortiGate

Name Device Type Log Type

drilldown-Top-Attack-Dest FortiGate Attack

drilldown-Top-Attack-List FortiGate Attack

drilldown-Top-Attack-Source FortiGate Attack

drilldown-Top-Destination-By-Bandwidth FortiGate Traffic

drilldown-Top-Destination-By-Sessions FortiGate Traffic

drilldown-Top-Email-Receive-Sender-By-Count FortiGate Traffic

drilldown-Top-Email-Receive-Sender-By-Volume FortiGate Traffic

drilldown-Top-Email-Receiver-By-Count FortiGate Traffic

drilldown-Top-Email-Receiver-By-Volume FortiGate Traffic

drilldown-Top-Email-Send-Recipient-By-Count FortiGate Traffic

drilldown-Top-Email-Send-Recipient-By-Volume FortiGate Traffic

drilldown-Top-Email-Sender-By-Count FortiGate Traffic

drilldown-Top-Email-Sender-By-Volume FortiGate Traffic

drilldown-Top-User-By-Bandwidth FortiGate Traffic

drilldown-Top-User-By-Sessions FortiGate Traffic

drilldown-Top-Web-User-By-Visit FortiGate Traffic

drilldown-Top-Website-By-Request FortiGate Traffic

drilldown-Virus-Detail FortiGate Traffic

Estimated-Browsing-Time FortiGate Traffic

event-Admin-Failed-Login-Summary FortiGate Event

event-Admin-Login-Summary FortiGate Event

event-Admin-Login-Summary-By-Date FortiGate Event

event-System-Critical-Severity-Events FortiGate Event

265 Administration Guide

Fortinet Technologies Inc.
FortiGate Appendix A: Charts, Datasets, & Macros

Name Device Type Log Type

event-System-High-Severity-Events FortiGate Event

event-System-Medium-Severity-Events FortiGate Event

event-System-Summary-By-Date FortiGate Event

event-System-Summary-By-Severity FortiGate Event

event-Top-DHCP-Summary FortiGate Event

event-Usage-CPU FortiGate Event

event-Usage-CPU-Sessions FortiGate Event

event-Usage-Mem FortiGate Event

event-Usage-Sessions FortiGate Event

event-Wireless-Accepted-Offwire FortiGate Event

event-Wireless-Accepted-Onwire FortiGate Event

event-Wireless-Client-Details FortiGate Event

event-Wireless-Rogue-Offwire FortiGate Event

event-Wireless-Rogue-Onwire FortiGate Event

event-Wireless-Suppressed-Offwire FortiGate Event

event-Wireless-Suppressed-Onwire FortiGate Event

event-Wireless-Unclassified-Offwire FortiGate Event

event-Wireless-Unclassified-Onwire FortiGate Event

High-Risk-Application-By-Bandwidth FortiGate Traffic

High-Risk-Application-By-Sessions FortiGate Traffic

number-of-session-timeline FortiGate Traffic

os-Detect-OS-Count FortiGate Traffic

reputation-Number-Of-Incidents-For-All-Users-Devices FortiGate Traffic

Administration Guide 266

Fortinet Technologies Inc.
Appendix A: Charts, Datasets, & Macros FortiGate

Name Device Type Log Type

reputation-Score-Summary-For-All-Users-Devices FortiGate Traffic

reputation-Top-Devices-By-Scores FortiGate Traffic

reputation-Top-Devices-With-Increased-Scores FortiGate Traffic

reputation-Top-Users-By-Scores FortiGate Traffic

reputation-Top-Users-With-Increased-Scores FortiGate Traffic

threat-Adware-Timeline FortiGate Virus

threat-Attacks-By-Severity FortiGate Attack

threat-Attacks-Over-HTTP-HTTPs FortiGate Attack

threat-Critical-Severity-Intrusions FortiGate Attack

threat-High-Severity-Intrusions FortiGate Attack

threat-Intrusion-Timeline FortiGate Attack

threat-Intrusions-Timeline-By-Severity FortiGate Attack

threat-Low-Severity-Intrusions FortiGate Attack

threat-Medium-Severity-Intrusions FortiGate Attack

threat-Spyware-Timeline FortiGate Virus

threat-Top-Adware-by-Name FortiGate Virus

threat-Top-Adware-Source FortiGate Traffic

threat-Top-Adware-Victims FortiGate Virus

threat-Top-Attacks-Blocked FortiGate Attack

threat-Top-Attacks-Detected FortiGate Attack

threat-Top-Blocked-Intrusions FortiGate Attack

threat-Top-Intrusion-Sources FortiGate Attack

threat-Top-Intrusion-Victims FortiGate Attack

267 Administration Guide

Fortinet Technologies Inc.
FortiGate Appendix A: Charts, Datasets, & Macros

Name Device Type Log Type

threat-Top-Intrusions-By-Types FortiGate Attack

threat-Top-Monitored-Intrusions FortiGate Attack

threat-Top-Spyware-by-Name FortiGate Virus

threat-Top-Spyware-Source FortiGate Traffic

threat-Top-Spyware-Victims FortiGate Virus

threat-Top-Virus-Source FortiGate Traffic

threat-Virus-Timeline FortiGate Virus

Top-App-By-Bandwidth FortiGate Traffic

Top-App-By-Sessions FortiGate Traffic

Top-Destinations-By-Bandwidth FortiGate Traffic

Top-Destinations-By-Sessions FortiGate Traffic

Top-P2P-App-By-Bandwidth FortiGate Traffic

Top-P2P-App-By-Sessions FortiGate Traffic

Top-User-By-Sessions FortiGate Traffic

Top-User-Source-By-Sessions FortiGate Traffic

Top-Users-By-Bandwidth FortiGate Traffic

Top-Web-Category-by-Bandwidth FortiGate Web Filter

Top-Web-Category-by-Sessions FortiGate Web Filter

Top-Web-Sites-by-Bandwidth FortiGate Web Filter

Top-Web-Sites-by-Sessions FortiGate Web Filter

Total-Attack-Source FortiGate Attack

Total-Number-of-Botnet-Events FortiGate Traffic

Total-Number-of-Viruses FortiGate Traffic

Administration Guide 268

Fortinet Technologies Inc.
Appendix A: Charts, Datasets, & Macros FortiGate

Name Device Type Log Type

traffic-bandwidth-timeline FortiGate Traffic

traffic-Browsing-Time-Summary FortiGate Traffic

Traffic-History-By-Active-User FortiGate Traffic

traffic-Top-Category-By-Browsing-Time FortiGate Traffic

traffic-Top-Destination-Countries-By-Browsing-Time FortiGate Traffic

traffic-Top-Domains-By-Browsing-Time FortiGate Traffic

traffic-Top-Sites-By-Browsing-Time FortiGate Traffic

traffic-Top-Users-By-Bandwidth FortiGate Traffic

traffic-Top-WiFi-Client-By-Bandwidth FortiGate Traffic

user-drilldown-Count-Spam-Activity-by-Hour-of-Day FortiGate Email Filter

user-drilldown-Top-Allowed-Web-Categories FortiGate Web Filter

user-drilldown-Top-Allowed-Web-Sites-By-Requests FortiGate Web Filter

user-drilldown-Top-Attacks-By-Name FortiGate Attack

user-drilldown-Top-Attacks-High-Severity FortiGate Attack

user-drilldown-Top-Blocked-Web-Categories FortiGate Web Filter

user-drilldown-Top-Blocked-Web-Sites-By-Requests FortiGate Web Filter

user-drilldown-Top-Spam-Sources FortiGate Email Filter

user-drilldown-Top-Virus FortiGate Virus

user-drilldown-Top-Virus-Receivers-Over-Email FortiGate Virus

utm-drilldown-Email-Receivers-Summary FortiGate Traffic

utm-drilldown-Email-Senders-Summary FortiGate Traffic

utm-drilldown-Top-Allowed-Web-Sites-By-Request FortiGate Traffic

utm-drilldown-Top-App-By-Bandwidth FortiGate Traffic

269 Administration Guide

Fortinet Technologies Inc.
FortiGate Appendix A: Charts, Datasets, & Macros

Name Device Type Log Type

utm-drilldown-Top-App-By-Sessions FortiGate Traffic

utm-drilldown-Top-Attacks-By-Name FortiGate Attack

utm-drilldown-Top-Blocked-Web-Sites-By-Request FortiGate Traffic

utm-drilldown-Top-Email-Recipients FortiGate Traffic

utm-drilldown-Top-Email-Senders FortiGate Traffic

utm-drilldown-Top-User-Destination FortiGate Traffic

utm-drilldown-Top-Users-By-Bandwidth FortiGate Traffic

utm-drilldown-Top-Virus FortiGate Traffic

utm-drilldown-Top-Vulnerability-By-Name FortiGate Network Scan

utm-drilldown-Traffic-Summary FortiGate Traffic

utm-Top-Allowed-Web-Sites-By-Request FortiGate Traffic

utm-Top-Allowed-Websites-By-Bandwidth FortiGate Traffic

utm-Top-Attack-Dest FortiGate Attack

utm-Top-Attack-Source FortiGate Attack

utm-Top-Blocked-Web-Sites-By-Request FortiGate Traffic

utm-Top-Blocked-Web-Users FortiGate Traffic

utm-Top-Video-Streaming-Websites-By-Bandwidth FortiGate Traffic

utm-Top-Virus FortiGate Traffic

utm-Top-Virus-User FortiGate Traffic

utm-Top-Web-Users-By-Bandwidth FortiGate Traffic

utm-Top-Web-Users-By-Request FortiGate Traffic

vpn-Authenticated-Logins FortiGate Event

vpn-Failed-Logins FortiGate Event

Administration Guide 270

Fortinet Technologies Inc.
Appendix A: Charts, Datasets, & Macros FortiGate

Name Device Type Log Type

vpn-Top-Dial-Up-IPSEC-Tunnels-By-Bandwidth FortiGate Event

vpn-Top-Dial-Up-IPSEC-Users-By-Bandwidth FortiGate Event

vpn-Top-Dial-Up-IPSEC-Users-By-Duration FortiGate Event

vpn-Top-Dial-Up-VPN-Users-By-Duration FortiGate Event

vpn-Top-Dialup-IPSEC-Users-By-Bandwidth-and-Avail FortiGate Event

vpn-Top-S2S-IPSEC-Tunnels-By-Bandwidth-and-Avail FortiGate Event

vpn-Top-SSL-Tunnel-Users-By-Bandwidth-and-Avail FortiGate Event

vpn-Top-SSL-VPN-Tunnel-Users-By-Bandwidth FortiGate Event

vpn-Top-SSL-VPN-Users-By-Bandwidth FortiGate Event

vpn-Top-SSL-VPN-Users-By-Duration FortiGate Event

vpn-Top-SSL-VPN-Web-Mode-Users-By-Bandwidth FortiGate Event

vpn-Top-SSL-Web-Users-By-Bandwidth-and-Avail FortiGate Event

vpn-Top-Static-IPSEC-Tunnels-By-Bandwidth FortiGate Traffic

vpn-Traffic-Usage-Trend-VPN FortiGate Event

vpn-User-Login-history FortiGate Event

web-Detailed-Website-Browsing-Log FortiGate Traffic

web-Hourly-Category-and-Website-Hits-Action FortiGate Traffic

web-Top-Category-and-Websites-by-Bandwidth FortiGate Traffic

web-Top-Category-and-Websites-by-Session FortiGate Traffic

web-Top-User-Visted-Websites-by-Bandwidth FortiGate Traffic

web-Top-User-Visted-Websites-by-Session FortiGate Traffic

web-Top-Website-Sessions-by-Bandwidth FortiGate Traffic

webfilter-Categories-By-Bandwidth FortiGate Web Filter

271 Administration Guide

Fortinet Technologies Inc.
FortiGate Appendix A: Charts, Datasets, & Macros

Name Device Type Log Type

webfilter-Top-Allowed-Web-Categories FortiGate Web Filter

webfilter-Top-Allowed-Web-Sites-by-Bandwidth FortiGate Web Filter

webfilter-Top-Allowed-Web-Sites-By-Requests FortiGate Web Filter

webfilter-Top-Blocked-Web-Categories FortiGate Web Filter

webfilter-Top-Blocked-Web-Sites-By-Requests FortiGate Web Filter

webfilter-Top-Search-Phrases FortiGate Web Filter

webfilter-Top-Video-Streaming-Websites-By-Bandwidth FortiGate Web Filter

webfilter-Top-Web-Users-By-Allowed-Requests FortiGate Web Filter

webfilter-Top-Web-Users-By-Bandwidth FortiGate Web Filter

webfilter-Top-Web-Users-By-Blocked-Requests FortiGate Web Filter

webfilter-Web-Activity-Summary-By-Requests FortiGate Web Filter

wifi-Num-Distinct-Client FortiGate Traffic

wifi-Overall-Traffic FortiGate Traffic

wifi-Top-AP-By-Bandwidth FortiGate Traffic

wifi-Top-AP-By-Client FortiGate Traffic

wifi-Top-App-By-Bandwidth FortiGate Traffic

wifi-Top-Client-By-Bandwidth FortiGate Traffic

wifi-Top-Device-By-Bandwidth FortiGate Traffic

wifi-Top-Device-By-Client FortiGate Traffic

wifi-Top-OS-By-Bandwidth FortiGate Traffic

wifi-Top-OS-By-WiFi-Client FortiGate Traffic

wifi-Top-SSID-By-Bandwidth FortiGate Traffic

wifi-Top-SSID-By-Client FortiGate Traffic

Administration Guide 272

Fortinet Technologies Inc.
 Appendix A: Charts, Datasets, & Macros FortiGate

Predefined macros

The following table lists the predefined macros for FortiGate.

FortiGate predefined macros

Name Description Category

App Category with Highest Session Count App Category with Highest Session Count Traffic

Application with Highest Bandwidth Application with Highest Bandwidth Traffic

Application with Highest Session Count Application with Highest Session Count Traffic

Attack with Highest Session Count Attack with Highest Session Count Attack

Botnet with Highest Session Count Botnet with Highest Session Count Traffic

Destination with Highest Bandwidth Destination with Highest Bandwidth Traffic

Destination with Highest Session Count Destination with Highest Session Count Traffic

Highest Bandwidth Consumed (App Category) Highest Bandwidth Consumed (App Category) Traffic

Highest Bandwidth Consumed (Application) Highest Bandwidth Consumed (Application) Traffic

Highest Bandwidth Consumed (Destination) Highest Bandwidth Consumed (Destination) Traffic

Highest Bandwidth Consumed (P2P Application) Highest Bandwidth Consumed (P2P Application) Traffic

Highest Bandwidth Consumed (Source) Highest Bandwidth Consumed (Source) Traffic

Highest Bandwidth Consumed (Web Category) Highest Bandwidth Consumed (Web Category) Web Filter

Highest Bandwidth Consumed (Website) Highest Bandwidth Consumed (Website) Web Filter

Highest Risk Application with Highest Bandwidth Highest Risk Application with Highest Bandwidth Traffic

Highest Risk Application with Highest Session Highest Risk Application with Highest Session Traffic
Count Count

Highest Session Count (App Category) Highest Session Count (App Category) Traffic

Highest Session Count (Application) Highest Session Count (Application) Traffic

Highest Session Count (Attack) Highest Session Count (Attack) Attack

Highest Session Count (Botnet) Highest Session Count (Botnet) Traffic

273 Administration Guide

Fortinet Technologies Inc.
FortiGate Appendix A: Charts, Datasets, & Macros

Name Description Category

Highest Session Count (Destination) Highest Session Count (Destination) Traffic

Highest Session Count (Highest Severity Attack) Highest Session Count (Highest Severity Attack) Attack

Highest Session Count (P2P Application) Highest Session Count (P2P Application) Traffic

Highest Session Count (Source) Highest Session Count (Source) Traffic

Highest Session Count (Virus) Highest Session Count (Virus) Traffic

Highest Session Count (Web Category) Highest Session Count (Web Category) Web Filter

Highest Session Count (Website) Highest Session Count (Website) Web Filter

Highest Severity Attack with Highest Session Highest Severity Attack with Highest Session Attack
Count Count

P2P Application with Highest Bandwidth P2P Application with Highest Bandwidth Traffic

P2P Application with Highest Session Count P2P Application with Highest Session Count Traffic

Source with Highest Bandwidth Source with Highest Bandwidth Traffic

Source with Highest Session Count Source with Highest Session Count Traffic

Total Number of Attacks Total Number of Attacks Attack

Total Number of Botnet Events Total Number of Botnet Events Traffic

Total Number of Viruses Total Number of Viruses Traffic

Virus with Highest Session Count Virus with Highest Session Count Traffic

Web Category with Highest Bandwidth Web Category with Highest Bandwidth Web Filter

Web Category with Highest Session Count Web Category with Highest Session Count Web Filter

Website with Highest Bandwidth Website with Highest Bandwidth Web Filter

Website with Highest Session Count Website with Highest Session Count Web Filter

Administration Guide 274

Fortinet Technologies Inc.
 Appendix A: Charts, Datasets, & Macros FortiMail

FortiMail

Predefined charts

The following table lists the predefined charts for FortiMail.

FortiMail predefined charts

Name Description Category

Average Size of Mails Average size of mails in FortiMail history History

History Average Size by Hour Average size of messages per hour in FortiMail his- History
tory

History Connections per Hour Number of connections per hour in FortiMail his- History
tory

History Messages per Hour Number of mails per hour in FortiMail history History

History Total Size by Hour Total size of exchanged mails per hour in FortiMail History
history

Number of Mail Connections Number of mail connections in FortiMail history History

Number of Mails Number of mails in FortiMail history History

Top 20 Access List Top 20 access list in FortiMail history History

Top 20 IP Policy Top 20 IP policy in FortiMail history History

Top 20 Recipient Policy Top 20 recipient policy in FortiMail history History

Top 20 Subjects Top 20 subjects in FortiMail history History

Top Classifiers by Hour Top classifiers by hour in FortiMail history History

Top Disposition Classifiers Top disposition classifiers in FortiMail history History

Top History Client Endpoint Top 10 clients endpoint in FortiMail history History

Top History Client IP Top 10 client IP in FortiMail history History

Top History Client MSISDN Top 10 clients MSISDN in FortiMail history History

275 Administration Guide

Fortinet Technologies Inc.
FortiMail Appendix A: Charts, Datasets, & Macros

Name Description Category

Top History Local Recipient Top 10 local recipients in FortiMail history History

Top History Local Sender Top 10 local senders in FortiMail history History

Top History Local User Top 10 local users in FortiMail history History

Top History Local Virus Recipient Top 10 local virus recipients in FortiMail history History

Top History Local Virus Sender Top 10 local virus senders in FortiMail history History

Top History Mail Dest IP Top 10 mail destination IP in FortiMail history History

Top History Recipient Top 10 recipients in FortiMail history History

Top History Remote Address Top 10 remote address in FortiMail history History

Top History Remote Recipient Top 10 remote recipients in FortiMail history History

Top History Remote Sender Top 10 remote senders in FortiMail history History

Top History Remote Virus Recipient Top 10 remote virus recipients in FortiMail history History

Top History Remote Virus Sender Top 10 remote virus senders in FortiMail history History

Top History Sender Top 10 senders in FortiMail history History

Top History Sender Endpoint Top 10 senders Endpoint in FortiMail history History

Top History Sender IP Top 10 sender IP in FortiMail history History

Top History Sender MSISDN Top 10 senders MSISDN in FortiMail history History

Top History Total Active EmailAddress Top 10 total active email address per domain History

Top History Total Sent Received Top 10 total sent received in FortiMail history History

Top History Virus Top 10 viruses in FortiMail history History

Top History Virus Dest IP Top 10 virus destination IP in FortiMail history History

Top History Virus Endpoint Top 10 viruses endpoint in FortiMail history History

Top History Virus IP Top 10 virus IP in FortiMail history History

Top History Virus MSISDN Top 10 viruses MSISDN in FortiMail history History

Administration Guide 276

Fortinet Technologies Inc.
 Appendix A: Charts, Datasets, & Macros FortiMail

Name Description Category

Top History Virus Recipient Top 10 virus recipients in FortiMail history History

Top History Virus Sender Top 10 virus senders in FortiMail history History

Top Spammed Domains Top spammed domains in FortiMail history History

Top Spammed Users Top spammed users in FortiMail history History

Total Message Delay Total message delay in FortiMail history Event

Total Message TransmissionDelay Total message transmissionDelay in FortiMail his- Event

tory

Total Size of Mails Total size of mails in FortiMail history History

Predefined datasets

The following table lists the predefined datasets for FortiMail.

FortiMail predefined datasets

Name Device Type Log Type

fml-Active-EmailAddress-Summary FortiMail History

fml-Average-Size-by-Hour FortiMail History

fml-Connections-per-Hour FortiMail History

fml-history-Average-Size-of-Mails FortiMail History

fml-History-Count-Total-Sent-Received FortiMail History

fml-history-Number-of-Mail-Connections FortiMail History

fml-history-Number-of-Mails FortiMail History

fml-history-Top-Access-List FortiMail History

fml-history-Top-Classifiers-By-Hour FortiMail History

fml-History-Top-Client-Endpoint FortiMail History

fml-History-Top-Client-IP FortiMail History

277 Administration Guide

Fortinet Technologies Inc.
FortiMail Appendix A: Charts, Datasets, & Macros

Name Device Type Log Type

fml-History-Top-Client-MSISDN FortiMail History

fml-history-Top-Disposition-Classifiers FortiMail History

fml-history-Top-IP-Policy FortiMail History

fml-History-Top-Local-Recipient FortiMail History

fml-History-Top-Local-Sender FortiMail History

fml-History-Top-Local-User FortiMail History

fml-History-Top-Local-Virus-Recipient FortiMail History

fml-History-Top-Local-Virus-Sender FortiMail History

fml-History-Top-Mail-Dest-IP FortiMail History

fml-History-Top-Recipient FortiMail History

fml-history-Top-Recipient-Policy FortiMail History

fml-History-Top-Remote-Address FortiMail History

fml-History-Top-Remote-Recipient FortiMail History

fml-History-Top-Remote-Sender FortiMail History

fml-History-Top-Remote-Virus-Recipient FortiMail History

fml-History-Top-Remote-Virus-Sender FortiMail History

fml-History-Top-Sender FortiMail History

fml-History-Top-Sender-Endpoint FortiMail History

fml-History-Top-Sender-IP FortiMail History

fml-History-Top-Sender-MSISDN FortiMail History

fml-history-Top-Spammed-Domains FortiMail History

fml-history-Top-Spammed-Users FortiMail History

fml-history-Top-Subjects FortiMail History

Administration Guide 278

Fortinet Technologies Inc.
 Appendix A: Charts, Datasets, & Macros FortiWeb

Name Device Type Log Type

fml-History-Top-Virus FortiMail History

fml-History-Top-Virus-Dest-IP FortiMail History

fml-History-Top-Virus-Endpoint FortiMail History

fml-History-Top-Virus-IP FortiMail History

fml-History-Top-Virus-MSISDN FortiMail History

fml-History-Top-Virus-Recipient FortiMail History

fml-History-Top-Virus-Sender FortiMail History

fml-history-Total-Message-Delay FortiMail Event

fml-history-Total-Message-Transmission-Delay FortiMail Event

fml-history-Total-Size-of-Mails FortiMail History

fml-Messages-per-Hour FortiMail History

fml-Total-Size-by-Hour FortiMail History

FortiWeb

Predefined charts

The following table lists the predefined charts for FortiWeb.

FortiWeb predefined charts

Name Description Category

Top Attack Destinations by Source Top 10 attacked destinations by source Attack

Top Attack Destinations by Type Top 10 attacked destinations by type Attack

Top Attack Protocols by Type Top 10 attack protocols by type Attack

Top Attack Severity by Action Top 10 detected attack severities by action Attack

Top Attack Sources Top 10 sources of attacks Attack

279 Administration Guide

Fortinet Technologies Inc.
 FortiWeb Appendix A: Charts, Datasets, & Macros

Name Description Category

Top Attack Types Top 10 detected attack types Attack

Top Attack Types by Source Top 10 detected attack types by source Attack

Top Attack URLs Top 10 detected attack URLs Attack

Top Attacked Destinations Top 10 attacked destinations Attack

Top Attacked HTTP Methods by Type Top 10 attacked HTTP methods by attack type Attack

Top Attacked User Identifications Top 10 Attacked User identifications Attack

Top Attacks by Policy Top 10 attacks used by policies Attack

Top Event Categories Top 10 event categories Event

Top Event Categories by Status Top 10 event categories by status Event

Top Event Login by User Top 10 login events by user Event

Top Event Types Top 10 event types Event

Top Traffic Destinations Top 10 destinations in FortiWeb traffic Traffic

Top Traffic Policies Top 10 policies in FortiWeb traffic Traffic

Top Traffic Services Top 10 services in FortiWeb traffic Traffic

Top Traffic Sources Top 10 sources in FortiWeb traffic Traffic

Predefined datasets

The following table lists the predefined datasets for FortiWeb.

FortiWeb predefined datasets

Name Device Type Log Type

fwb-attack-Top-Attack-Destinations-By-Source FortiWeb Attack

fwb-attack-Top-Attack-Destinations-By-Type FortiWeb Attack

fwb-attack-Top-Attack-Protocols-By-Type FortiWeb Attack

fwb-attack-Top-Attack-Severities-By-Action FortiWeb Attack

Administration Guide 280

Fortinet Technologies Inc.
 Appendix A: Charts, Datasets, & Macros FortiCache

Name Device Type Log Type

fwb-attack-Top-Attack-Sources FortiWeb Attack

fwb-attack-Top-Attack-Types FortiWeb Attack

fwb-attack-Top-Attack-Types-By-Source FortiWeb Attack

fwb-attack-Top-Attack-URLs FortiWeb Attack

fwb-attack-Top-Attacked-Destinations FortiWeb Attack

fwb-attack-Top-Attacked-Http-Methods-By-Type FortiWeb Attack

fwb-attack-Top-Attacked-User-Identifications FortiWeb Attack

fwb-attack-Top-Attacks-By-Policy FortiWeb Attack

fwb-event-Top-event-categories FortiWeb Event

fwb-event-Top-Event-Categories-By-Status FortiWeb Event

fwb-event-Top-event-types FortiWeb Event

fwb-event-Top-login-by-user FortiWeb Event

fwb-traffic-Top-Destinations FortiWeb Traffic

fwb-traffic-Top-Policies FortiWeb Traffic

fwb-traffic-Top-Services FortiWeb Traffic

fwb-traffic-Top-Sources FortiWeb Traffic

FortiCache

Predefined charts

The following table lists the predefined charts for FortiCache.

FortiCache predefined charts

Name Description Category

Top 20 Websites by Bandwidth Savings Top 20 Websites by Bandwidth Savings Traffic

281 Administration Guide

Fortinet Technologies Inc.
 FortiCache Appendix A: Charts, Datasets, & Macros

Name Description Category

Top 20 Websites by Cache Rate Top 20 Websites by Cache Rate Traffic

Top 20 Websites by Response Time Improvement Top 20 Websites by Response Time Improvement Traffic

Predefined datasets

The following table lists the predefined datasets for FortiCache.

FortiCache predefined datasets

Name Device Type Log Type

fch-Top-Websites-by-Bandwidth-Savings FortiCache Traffic

fch-Top-Websites-by-Cache-Rate FortiCache Traffic

fch-Top-Webistes-by-Response-Time-Improvement FortiCache Traffic

Administration Guide 282

Fortinet Technologies Inc.
Appendix B: Port Numbers

The following tables describe the port numbers that the FortiAnalyzer unit uses:

l ports for traffic originating from units (outbound ports)

l ports for traffic receivable by units (listening ports)
l ports used to connect to the FortiGuard Distribution Network (FDN).

Traffic varies by enabled options and configured ports. Only default ports are listed.
FortiAnalyzer outbound ports
Functionality Port(s)

DNS lookup UDP 53

FDN connection TCP 443

NTP synchronization UDP 123

SNMP traps UDP 162

Syslog, log forwarding UDP 514

If a secure connection has been configured between a FortiGate device and a
FortiAnalyzer device, syslog traffic will be sent into an IPsec tunnel. Data will
be exchanged over UDP 500/4500, Protocol IP/50.

Log and report upload TCP 21 or TCP 22

SMTP alert email TCP 25

User name LDAP queries for reports TCP 389 or TCP 636

RADIUS authentication TCP 1812

TACACS+ authentication TCP 49

Log aggregation client TCP 3000

Device registration of FortiGate or TCP 514

FortiManager units; remote access to
quarantine, logs and reports from a
FortiGate unit; remote management
from a FortiManager unit (configuration
retrieval) (OFTP)

283 Administration Guide

Fortinet Technologies Inc.
 Appendix B: Port Numbers

FortiAnalyzer listening ports

Functionality Port(s)

Syslog, log forwarding UDP 514

If a secure connection has been configured
between a FortiGate and a FortiAnalyzer, sys-
log traffic will be sent into an IPsec tunnel. Data
will be exchanged over UDP 500/4500, Protocol
IP/50.

SSH administrative access to the CLI TCP 22

Telnet administrative access to the CLI TCP 23

HTTP administrative access to the Web-based Manager TCP 80

HTTPS administrative access to the Web-based Manager; remote man- TCP 443
agement from a FortiManager unit

Device registration of FortiGate or FortiManager units; remote access TCP 514

to quarantine, logs and reports from a FortiGate unit; remote man-
agement from a FortiManager unit (configuration retrieval) (OFTP)

HTTP or HTTPS administrative access to the Web-based Manager's TCP 2032

CLI dashboard widget.
Protocol used will match the protocol used by the administrator when
logging in to the Web-based Manager.

Log aggregation server TCP 3000

Log aggregation server support requires model FortiAnalyzer 800
series or greater.

Web Service TCP 8080

Ping ICMP protocol

Administration Guide 284

Fortinet Technologies Inc.
Appendix C: Maximum Values Matrix

"Appendix C: Maximum Values Matrix" on page 285 lists maximum values per FortiAnalyzer model.

Maximum values of FortiAnalyzer models

Feature FAZ- FAZ- FAZ- FAZ- FAZ- FAZ- FAZ- FAZ- FAZ- FAZ-
100C, 300D, 1000C, 3000D, 3500E, VM- VM- VM- VM- VM-
FAZ- FAZ- FAZ- FAZ- FAZ- BASE GB1 GB5 GB25 GB100
200D 400C 1000D 4000B 3900E

Administrative Domains 100, 175, 2000 2000 4000 10000 10000 10000 10000 10000
(ADOMS) 150 200,
300

Administrators 256 256 256 256 256 256 256 256 256 256

Administrator access pro- 256 256 256 256 256 256 256 256 256 256
files

SNMP community 256 256 256 256 256 256 256 256 256 256

SNMP managers per com- 256 256 256 256 256 256 256 256 256 256
munity

Email servers 256 256 256 256 256 256 256 256 256 256

Syslog servers 256 256 256 256 256 256 256 256 256 256

TACACS+ servers 256 256 256 256 256 256 256 256 256 256

Administrator RADIUS serv- 256 256 256 256 256 256 256 256 256 256
ers

Administrator LDAP serv- 256 256 256 256 256 256 256 256 256 256
ers

Static routes 256 256 256 256 256 256 256 256 256 256

Log devices 100, 175, 2000 2000 256 10000 10000 10000 10000 10000
150 200,
300

285 Administration Guide

Fortinet Technologies Inc.
 Appendix C: Maximum Values Matrix

Feature FAZ- FAZ- FAZ- FAZ- FAZ- FAZ- FAZ- FAZ- FAZ- FAZ-
100C, 300D, 1000C, 3000D, 3500E, VM- VM- VM- VM- VM-
FAZ- FAZ- FAZ- FAZ- FAZ- BASE GB1 GB5 GB25 GB100
200D 400C 1000D 4000B 3900E

Devices per ADOM 100, 175, 2000 2000 4000 10000 10000 10000 10000 10000
150 200,
300

Device Group Man- 100, 175, 2000 2000 4000 10000 10000 10000 10000 10000
agement 150 200,
300

Report output profiles 250 250 500 1000 1000 1000 1000 1000 1000 1000

SQL report templates 1000 1000 1000 1000 1000 1000 1000 1000 1000 1000

SQL report charts 1000 1000 1000 1000 1000 1000 1000 1000 1000 1000

SQL report datasets 1000 1000 1000 1000 1000 1000 1000 1000 1000 1000

SQL database size (GB) 1000 4000, 1000, 16K, 200 +200 +1000 +8K +16K
1000, 8000 6K,
2000 24K

Administration Guide 286

Fortinet Technologies Inc.
Appendix D: SNMP MIB Support

The FortiAnalyzer SNMP agent supports the following MIBs:

FortiAnalyzer MIBs

MIB or RFC Description

FORTINET-CORE-MIB This Fortinet-proprietary MIB enables your SNMP manager to query for system
information and to receive traps that are common to multiple Fortinet devices.

FORTINET-FORTIMANAGER- This Fortinet-proprietary MIB enables your SNMP manager to query for FortiAna-
FORTIANALYZER-MIB lyzer-specific information and to receive FortiAnalyzer-specific traps.

RFC-1213 (MIB II) The FortiAnalyzer SNMP agent supports MIB II groups, except:
There is no support for the EGP group from MIB II (RFC 1213, section 3.11 and
6.10).
Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP, etc.) do not
accurately capture all FortiAnalyzer traffic activity.
More accurate information can be obtained from the information reported by the
FortiAnalyzer MIB.

RFC-2665 (Ethernet-like MIB) The FortiAnalyzer SNMP agent supports Ethernet-like MIB information except the
dot3Tests and dot3Errors groups.

You can obtain these MIB files from the Customer Service & Support portal: https://support.fortinet.com.

To be able to communicate with your FortiAnalyzer unit’s SNMP agent, you must first compile these MIBs into your
SNMP manager. If the standard MIBs used by the SNMP agent are already compiled into your SNMP manager, you do
not have to compile them again.

To view a trap or query’s name, object identifier (OID), and description, open its MIB file in a plain text editor.

All traps that are sent include the message, the FortiAnalyzer unit’s serial number, and the host name.

SNMP MIB Files

You can download the FORTINET-FORTIMANAGER-FORTIANALYZER-MIB.mib MIB file in the firmware image
file folder. The FORTINET-CORE-MIB.mib file is located in the main FortiAnalyzer v5.00 file folder.

FORTINET-CORE-MIB

-- FORTINET-CORE-MIB.mib: Main MIB for Fortinet enterprise OID tree

--
-- MODULE-IDENTITY

287 Administration Guide

Fortinet Technologies Inc.
FORTINET-CORE-MIB Appendix D: SNMP MIB Support

-- OrgName
-- Fortinet Technologies, Inc.
-- ContactInfo
-- Technical Support
-- e-mail: support@fortinet.com
-- http://www.fortinet.com
--

FORTINET-CORE-MIB DEFINITIONS ::= BEGIN

IMPORTS
ifIndex
FROM IF-MIB
InetAddress, InetAddressPrefixLength, InetAddressType
FROM INET-ADDRESS-MIB
MODULE-COMPLIANCE, NOTIFICATION-GROUP, OBJECT-GROUP
FROM SNMPv2-CONF
sysName
FROM SNMPv2-MIB
Integer32, MODULE-IDENTITY, NOTIFICATION-TYPE, OBJECT-TYPE,
enterprises
FROM SNMPv2-SMI
DisplayString, TEXTUAL-CONVENTION
FROM SNMPv2-TC;

fortinet MODULE-IDENTITY
LAST-UPDATED "201205090000Z"
ORGANIZATION
"Fortinet Technologies, Inc."
CONTACT-INFO
"Technical Support
email: support@fortinet.com
http://www.fortinet.com
"
DESCRIPTION
"Added fan failure and AMC bypass traps"
REVISION "201205090000Z"
DESCRIPTION
"Registered FortiDDoSMib OID"
REVISION "201204230000Z"
DESCRIPTION
"Registered FortiDNSMib OID"
REVISION "201112230000Z"
DESCRIPTION
"Registered FortiCacheMib OID"
REVISION "201104250000Z"
DESCRIPTION
"Supporting portuguese language"
REVISION "201005140000Z"
DESCRIPTION
"Registered FortiScanMib OID"
REVISION "200905200000Z"
DESCRIPTION
"MIB module for Fortinet network devices."
REVISION "200811190000Z"
DESCRIPTION
"Registered FortiWebMib OID"
REVISION "200810210000Z"

Administration Guide 288

Fortinet Technologies Inc.
Appendix D: SNMP MIB Support FORTINET-CORE-MIB

DESCRIPTION
"Added SMI comments"
REVISION "200806250000Z"
DESCRIPTION
"Adjusted fnAdmin tree to start at .1"
REVISION "200806160000Z"
DESCRIPTION
"Spelling corrections."
REVISION "200804170000Z"
DESCRIPTION
"Initial version of fortinet core MIB."
::= { enterprises 12356 } -- assigned by IANA

--
-- Fortinet MIB Textual Conventions (TC)
--

FnBoolState ::= TEXTUAL-CONVENTION

STATUS current
DESCRIPTION
"Boolean data type representing enabled/disabled"
SYNTAX INTEGER {
disabled (1),
enabled (2)
}

FnLanguage ::= TEXTUAL-CONVENTION

STATUS current
DESCRIPTION
"Enumerated type for user interface languages"
SYNTAX INTEGER {
english (1),
simplifiedChinese (2),
japanese (3),
korean (4),
spanish (5),
traditionalChinese (6),
french (7),
portuguese (8),
undefined (255)
}

FnIndex ::= TEXTUAL-CONVENTION

DISPLAY-HINT "d"
STATUS current
DESCRIPTION
"Data type for table index values"
SYNTAX Integer32 (0..2147483647)

FnSessionProto ::= TEXTUAL-CONVENTION

STATUS current
DESCRIPTION
"Data type for session protocols"
SYNTAX INTEGER {
ip (0),
icmp (1),
igmp (2),

289 Administration Guide

Fortinet Technologies Inc.
FORTINET-CORE-MIB Appendix D: SNMP MIB Support

ipip (4),
tcp (6),
egp (8),
pup (12),
udp (17),
idp (22),
ipv6 (41),
rsvp (46),
gre (47),
esp (50),
ah (51),
ospf (89),
pim (103),
comp (108),
raw (255)
}

--
-- Fortinet Enterprise Structure of Management Information (SMI)
--

fnCoreMib OBJECT IDENTIFIER ::= { fortinet 100 }

--
-- Fortinet Product Family MIB Object Identifier Assignments
--
-- fnFortiGateMib OBJECT IDENTIFIER ::= { fortinet 101 }
-- fnFortiAnalyzerMib OBJECT IDENTIFIER ::= { fortinet 102 }
-- fnFortiManagerMib OBJECT IDENTIFIER ::= { fortinet 103 }
-- fnFortiDefenderMib OBJECT IDENTIFIER ::= { fortinet 104 }
-- fnFortiMailMib OBJECT IDENTIFIER ::= { fortinet 105 }
-- fnFortiSwitchMib OBJECT IDENTIFIER ::= { fortinet 106 }
-- fnFortiWebMib OBJECT IDENTIFIER ::= { fortinet 107 }
-- fnFortiScanMib OBJECT IDENTIFIER ::= { fortinet 108 }
-- fnFortiCacheMib OBJECT IDENTIFIER ::= { fortinet 109 }
-- fnFortiDNSMib OBJECT IDENTIFIER ::= { fortinet 110 }
-- fnFortiDDoSMib OBJECT IDENTIFIER ::= { fortinet 111 }
--

--
-- fnCoreMib.fnCommon
--
fnCommon OBJECT IDENTIFIER ::= { fnCoreMib 1 }

--
-- fnCoreMib.fnCommon.fnSystem
--
fnSystem OBJECT IDENTIFIER ::= { fnCommon 1 }

fnSysSerial OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Device serial number. This is the same serial number as given
in the ENTITY-MIB tables for the base entity."
::= { fnSystem 1 }

Administration Guide 290

Fortinet Technologies Inc.
Appendix D: SNMP MIB Support FORTINET-CORE-MIB

--
-- fnCoreMib.fnCommon.fnMgmt
--
fnMgmt OBJECT IDENTIFIER ::= { fnCommon 2 }

fnMgmtLanguage OBJECT-TYPE
SYNTAX FnLanguage
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Language used for administration interfaces"
::= { fnMgmt 1 }

fnAdmin OBJECT IDENTIFIER ::= { fnMgmt 100 }

fnAdminNumber OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of admin accounts in fnAdminTable"
::= { fnAdmin 1 }

fnAdminTable OBJECT-TYPE
SYNTAX SEQUENCE OF FnAdminEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of administrator accounts on the device. This table is
intended to be extended with platform specific information."
::= { fnAdmin 2 }

fnAdminEntry OBJECT-TYPE
SYNTAX FnAdminEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing information applicable to a particular admin account"
INDEX { fnAdminIndex }
::= { fnAdminTable 1 }

FnAdminEntry ::= SEQUENCE {

fnAdminIndex Integer32,
fnAdminName DisplayString,
fnAdminAddrType InetAddressType,
fnAdminAddr InetAddress,
fnAdminMask InetAddressPrefixLength
}

fnAdminIndex OBJECT-TYPE
SYNTAX Integer32 (1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An index uniquely defining an administrator account within the fnAdminTable"
::= { fnAdminEntry 1 }

291 Administration Guide

Fortinet Technologies Inc.
FORTINET-CORE-MIB Appendix D: SNMP MIB Support

fnAdminName OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The user-name of the specified administrator account"
::= { fnAdminEntry 2 }

fnAdminAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of address stored in fnAdminAddr, in compliance with INET-ADDRESS-
MIB"
::= { fnAdminEntry 3 }

fnAdminAddr OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The address prefix identifying where the administrator account can be used
from, typically an IPv4 address. The address type/format is determined by
fnAdminAddrType."
::= { fnAdminEntry 4 }

fnAdminMask OBJECT-TYPE
SYNTAX InetAddressPrefixLength
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The address prefix length (or network mask) applied to the fgAdminAddr to
determine the subnet or host the administrator can access the device from"
::= { fnAdminEntry 5 }

--
-- fnCoreMib.fnCommon.fnTraps
--
fnTraps OBJECT IDENTIFIER ::= { fnCommon 3 }

fnTrapsPrefix OBJECT IDENTIFIER ::= { fnTraps 0 }

fnTrapObjects OBJECT IDENTIFIER ::= { fnTraps 1 }

fnGenTrapMsg OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Generic message associated with an event. The content will depend on the
nature of the trap."
::= { fnTrapObjects 1 }

fnTrapCpuThreshold NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName }
STATUS current

Administration Guide 292

Fortinet Technologies Inc.
Appendix D: SNMP MIB Support FORTINET-CORE-MIB

DESCRIPTION
"Indicates that the CPU usage has exceeded the configured threshold."
::= { fnTrapsPrefix 101 }

fnTrapMemThreshold NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName }
STATUS current
DESCRIPTION
"Indicates memory usage has exceeded the configured threshold."
::= { fnTrapsPrefix 102 }

fnTrapLogDiskThreshold NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName }
STATUS current
DESCRIPTION
"Log disk usage has exceeded the configured threshold. Only available on
devices with log disks."
::= { fnTrapsPrefix 103 }

fnTrapTempHigh NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName }
STATUS current
DESCRIPTION
"A temperature sensor on the device has exceeded its threshold. Not all
devices have thermal sensors. See manual for specifications."
::= { fnTrapsPrefix 104 }

fnTrapVoltageOutOfRange NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName }
STATUS current
DESCRIPTION
"Power levels have fluctuated outside of normal levels. Not all devices have
voltage monitoring instrumentation. See manual for specifications."
::= { fnTrapsPrefix 105 }

fnTrapPowerSupplyFailure NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName }
STATUS current
DESCRIPTION
"Power supply failure detected. Not available on all models. Available on
some devices which support redundant power supplies. See manual for
specifications."
::= { fnTrapsPrefix 106 }

fnTrapAmcIfBypassMode NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName }
STATUS current
DESCRIPTION
"An AMC interface entered bypass mode. Available on models with an AMC
expansion slot. Used with the ASM-CX4 and ASM-FX2 cards."
::= { fnTrapsPrefix 107 }

fnTrapFanFailure NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName }
STATUS current
DESCRIPTION
"A fan failure has been detected. Not all devices have fan sensors. See
manual for specifications."

293 Administration Guide

Fortinet Technologies Inc.
FORTINET-CORE-MIB Appendix D: SNMP MIB Support

::= { fnTrapsPrefix 108 }

fnTrapIpChange NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName, ifIndex }
STATUS current
DESCRIPTION
"Indicates that the IP address of the specified interface has been changed."
::= { fnTrapsPrefix 201 }

fnTrapTest NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName }
STATUS current
DESCRIPTION
"Trap sent for diagnostic purposes by an administrator."
::= { fnTrapsPrefix 999 }

--
-- fnCoreMib.fnCommon.fnMIBConformance
--
fnMIBConformance OBJECT IDENTIFIER ::= { fnCoreMib 10 }

fnSystemComplianceGroup OBJECT-GROUP
OBJECTS { fnSysSerial }
STATUS current
DESCRIPTION
"Objects relating to the physical device."
::= { fnMIBConformance 1 }

fnMgmtComplianceGroup OBJECT-GROUP
OBJECTS { fnMgmtLanguage }
STATUS current
DESCRIPTION
"Objects relating the management of a device."
::= { fnMIBConformance 2 }

fnAdminComplianceGroup OBJECT-GROUP
OBJECTS { fnAdminNumber, fnAdminName, fnAdminAddrType,
fnAdminAddr, fnAdminMask }
STATUS current
DESCRIPTION
"Administration access control objects."
::= { fnMIBConformance 3 }

fnTrapsComplianceGroup NOTIFICATION-GROUP
NOTIFICATIONS { fnTrapCpuThreshold, fnTrapMemThreshold,
fnTrapLogDiskThreshold, fnTrapTempHigh,
fnTrapVoltageOutOfRange, fnTrapPowerSupplyFailure,
fnTrapAmcIfBypassMode, fnTrapFanFailure,
fnTrapIpChange, fnTrapTest }
STATUS current
DESCRIPTION
"Event notifications"
::= { fnMIBConformance 4 }

fnNotifObjectsComplianceGroup OBJECT-GROUP
OBJECTS { fnGenTrapMsg }
STATUS current

Administration Guide 294

Fortinet Technologies Inc.
Appendix D: SNMP MIB Support FORTINET-FORTIMANAGER-FORTIANALYZER-MIB

DESCRIPTION
"Object identifiers used in notifications"
::= { fnMIBConformance 5 }

fnMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for the application MIB."

MODULE -- this module

GROUP fnSystemComplianceGroup
DESCRIPTION
"This group is mandatory for all Fortinet network appliances supporting this
MIB."

GROUP fnMgmtComplianceGroup
DESCRIPTION
"This group is optional for devices that do not support common management
interface options such as multiple languages."

GROUP fnAdminComplianceGroup
DESCRIPTION
"This group should be accessible on any device supporting administrator
authentication."

GROUP fnTrapsComplianceGroup
DESCRIPTION
"Traps are optional. Not all models support all traps. Consult product
literature to see which traps are supported."

GROUP fnNotifObjectsComplianceGroup
DESCRIPTION
"Object identifiers used in notifications. Objects are required if their
containing trap is implemented."

::= { fnMIBConformance 100 }

END

FORTINET-FORTIMANAGER-FORTIANALYZER-MIB

FORTINET-FORTIMANAGER-FORTIANALYZER-MIB DEFINITIONS ::= BEGIN

IMPORTS
fnSysSerial, fortinet, FnIndex, fnGenTrapMsg
FROM FORTINET-CORE-MIB
sysName
FROM SNMPv2-MIB
InetPortNumber
FROM INET-ADDRESS-MIB
MODULE-COMPLIANCE, NOTIFICATION-GROUP, OBJECT-GROUP
FROM SNMPv2-CONF
MODULE-IDENTITY, NOTIFICATION-TYPE, OBJECT-TYPE,
Integer32, Gauge32, Counter32, IpAddress

295 Administration Guide

Fortinet Technologies Inc.
FORTINET-FORTIMANAGER-FORTIANALYZER-MIB Appendix D: SNMP MIB Support

FROM SNMPv2-SMI
DisplayString, TEXTUAL-CONVENTION
FROM SNMPv2-TC;

fnFortiManagerMib MODULE-IDENTITY
LAST-UPDATED "201306100000Z"
ORGANIZATION
"Fortinet Technologies, Inc."
CONTACT-INFO
"
Technical Support
email: support@fortinet.com
http://www.fortinet.com"
DESCRIPTION
"Added fmSysCpuUsageExcludedNice.
Added fmTrapCpuThresholdExcludeNice."
REVISION "201306100000Z"
DESCRIPTION
"Add support for FortiAnalyzer."
REVISION "201303270000Z"
DESCRIPTION
"Added license gb/day and device quota trap. fmTrapLicGbDayThreshold
and fmTrapLicDevQuotaThreshold"
REVISION "201211260000Z"
DESCRIPTION
"Added commas between notifications in NOTIFICATION-GROUP.
Added imports from SNMPv2-SMI and SNMPv2-TC.
imported `OBJECT-GROUP' from module SNMPv2-CONF"
REVISION "201204200000Z"
DESCRIPTION
"Added RAID trap fmTrapRAIDStatusChange."
REVISION "201103250000Z"
DESCRIPTION
"Added fmSysMemUsed,fmSysMemCapacity,fmSysCpuUsage.
Added new FortiManager models."
REVISION "201101190000Z"
DESCRIPTION
"MIB module for Fortinet FortiManager devices."
REVISION "200807180000Z"
DESCRIPTION
"Add sysName to fmTrapHASwitch."
REVISION "200806260000Z"
DESCRIPTION
"OID correction for fnFortiManagerMib."
REVISION "200806160000Z"
DESCRIPTION
"Spelling corrections."
REVISION "200806100000Z"
DESCRIPTION
"Initial version of FORTINET-FORTIMANAGER-MIB."
::= { fortinet 103 }

--
-- fortinet.fnFortiManagerMib.fmTraps
--

Administration Guide 296

Fortinet Technologies Inc.
Appendix D: SNMP MIB Support FORTINET-FORTIMANAGER-FORTIANALYZER-MIB

FmRAIDStatusCode ::= TEXTUAL-CONVENTION

STATUS current
DESCRIPTION
"Enumerated list of RAID status codes."
SYNTAX INTEGER { arrayOK(1), arrayDegraded(2), arrayFailed(3),
arrayRebuilding(4), arrayRebuildingStarted(5),
arrayRebuildingFinished(6), arrayInitializing(7),
arrayInitializingStarted(8), arrayInitializingFinished(9),
diskOK(10), diskDegraded(11), diskFailEvent(12) }

FmSessProto ::= TEXTUAL-CONVENTION

STATUS current
DESCRIPTION
"data type for session protocols"
SYNTAX INTEGER { ip(0), icmp(1), igmp(2), ipip(4), tcp(6),
egp(8), pup(12), udp(17), idp(22), ipv6(41),
rsvp(46), gre(47), esp(50), ah(51), ospf(89),
pim(103), comp(108), raw(255) }

fmTraps OBJECT IDENTIFIER

::= { fnFortiManagerMib 0 }

fmTrapPrefix OBJECT IDENTIFIER

::= { fmTraps 0 }

fmTrapObject OBJECT IDENTIFIER

::= { fmTraps 1 }

fmRAIDStatus OBJECT-TYPE
SYNTAX FmRAIDStatusCode
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"New RAID state associated with a RAID status change event."
::= { fmTrapObject 1 }

fmRAIDDevIndex OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..32))
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Name/index of a RAID device relating to the event."
::= { fmTrapObject 2 }

fmLogRate OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Log receiving rate in number of logs per second."
::= { fmTrapObject 3 }

fmLogRateThreshold OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS accessible-for-notify

297 Administration Guide

Fortinet Technologies Inc.
FORTINET-FORTIMANAGER-FORTIANALYZER-MIB Appendix D: SNMP MIB Support

STATUS current
DESCRIPTION
"Threshold for log rate in number of logs per second."
::= { fmTrapObject 4 }

fmLogDataRate OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Log receiving data rate in number of KB per second."
::= { fmTrapObject 5 }

fmLogDataRateThreshold OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Threshold for log data rate in number of KB per second."
::= { fmTrapObject 6 }

fmLicGbDay OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Log data used in number of GB per day."
::= { fmTrapObject 7 }

fmLicGbDayThreshold OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Licensed threshold for log data in number of GB per day."
::= { fmTrapObject 8 }

fmLicDevQuota OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Device quota used in number of GB."
::= { fmTrapObject 9 }

fmLicDevQuotaThreshold OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Licensed threshold for device quota in number of GB."
::= { fmTrapObject 10 }

--
-- fortinet.fnFortiManagerMib.fmModel
--

Administration Guide 298

Fortinet Technologies Inc.
Appendix D: SNMP MIB Support FORTINET-FORTIMANAGER-FORTIANALYZER-MIB

fmModel OBJECT IDENTIFIER

::= { fnFortiManagerMib 1 }

fmg100 OBJECT IDENTIFIER

::= { fmModel 1000 }

fmgvm OBJECT IDENTIFIER

::= { fmModel 1001 }

fmg100C OBJECT IDENTIFIER

::= { fmModel 1003 }

fmg200D OBJECT IDENTIFIER

::= { fmModel 2004 }

fmg300D OBJECT IDENTIFIER

::= { fmModel 3004 }

fmg400 OBJECT IDENTIFIER

::= { fmModel 4000 }

fmg400A OBJECT IDENTIFIER

::= { fmModel 4001 }

fmg400B OBJECT IDENTIFIER

::= { fmModel 4002 }

fmg400C OBJECT IDENTIFIER

::= { fmModel 4003 }

fmg1000C OBJECT IDENTIFIER

::= { fmModel 10003 }

fmg2000XL OBJECT IDENTIFIER

::= { fmModel 20000 }

fmg3000 OBJECT IDENTIFIER

::= { fmModel 30000 }

fmg3000B OBJECT IDENTIFIER

::= { fmModel 30002 }

fmg3000C OBJECT IDENTIFIER

::= { fmModel 30003 }

fmg4000D OBJECT IDENTIFIER

::= { fmModel 40004 }

fmg5001A OBJECT IDENTIFIER

::= { fmModel 50011 }

--
-- fortinet.fnFortiManagerMib.fmSystem
--

fmSystem OBJECT IDENTIFIER

::= { fnFortiManagerMib 2 }

299 Administration Guide

Fortinet Technologies Inc.
FORTINET-FORTIMANAGER-FORTIANALYZER-MIB Appendix D: SNMP MIB Support

--
-- fortinet.fnFortiManagerMib.fmSystem.fmSystemInfo
--

fmSystemInfo OBJECT IDENTIFIER

::= { fmSystem 1 }

fmSysCpuUsage OBJECT-TYPE
SYNTAX Integer32 (0..100)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Current CPU usage (percentage)"
::= { fmSystemInfo 1 }

fmSysMemUsed OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Current memory used (KB)"
::= { fmSystemInfo 2 }

fmSysMemCapacity OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Total physical and swap memory installed (KB)"
::= { fmSystemInfo 3 }

fmSysDiskUsage OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Current hard disk usage (MB)"
::= { fmSystemInfo 4 }

fmSysDiskCapacity OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Total hard disk capacity (MB)"
::= { fmSystemInfo 5 }

fmSysCpuUsageExcludedNice OBJECT-TYPE
SYNTAX Gauge32 (0..100)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Current CPU usage excluded nice processes usage (percentage)"
::= { fmSystemInfo 6 }

fmTrapHASwitch NOTIFICATION-TYPE

Administration Guide 300

Fortinet Technologies Inc.
Appendix D: SNMP MIB Support FORTINET-FORTIMANAGER-FORTIANALYZER-MIB

OBJECTS { fnSysSerial, sysName }

STATUS current
DESCRIPTION
"FortiManager HA cluster has been re-arranged. A new master has been selected
and asserted."
::= { fmTrapPrefix 401 }

fmTrapRAIDStatusChange NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName,
fmRAIDStatus, fmRAIDDevIndex }
STATUS current
DESCRIPTION
"Trap is sent when there is a change in the status of the RAID array, if
present."
::= { fmTrapPrefix 402 }

fmTrapLogAlert NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName, fnGenTrapMsg }
STATUS current
DESCRIPTION
"Trap is sent when a log based alert has been triggered. Alert description
included in trap."
::= { fmTrapPrefix 403 }

fmTrapLogRateThreshold NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName, fmLogRate, fmLogRateThreshold }
STATUS current
DESCRIPTION
"Indicates that the incoming log rate has exceeded the threshold"
::= { fmTrapPrefix 404 }

fmTrapLogDataRateThreshold NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName, fmLogDataRate, fmLogDataRateThreshold }
STATUS current
DESCRIPTION
"Indicates that the incoming log data rate has exceeded the threshold"
::= { fmTrapPrefix 405 }

fmTrapLicGbDayThreshold NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName, fmLicGbDay, fmLicGbDayThreshold }
STATUS current
DESCRIPTION
"Indicates that the used log has exceeded the licensed GB/Day"
::= { fmTrapPrefix 407 }

fmTrapLicDevQuotaThreshold NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName, fmLicDevQuota, fmLicDevQuotaThreshold }
STATUS current
DESCRIPTION
"Indicates that the used device quota has exceeded the licensed device quota"
::= { fmTrapPrefix 408 }

fmTrapCpuThresholdExcludeNice NOTIFICATION-TYPE
OBJECTS { fnSysSerial, sysName }
STATUS current
DESCRIPTION

301 Administration Guide

Fortinet Technologies Inc.
FORTINET-FORTIMANAGER-FORTIANALYZER-MIB Appendix D: SNMP MIB Support

"Indicates that the CPU usage excluding nice processes has exceeded the
threshold"
::= { fmTrapPrefix 409 }

--
-- fortinet.fnFortiManagerMib.faModel
--

faModel OBJECT IDENTIFIER

::= { fnFortiManagerMib 3 }

faz100 OBJECT IDENTIFIER

::= { faModel 1000 }

faz100A OBJECT IDENTIFIER

::= { faModel 1001 }

faz100B OBJECT IDENTIFIER

::= { faModel 1002 }

faz100C OBJECT IDENTIFIER

::= { faModel 1003 }

faz200D OBJECT IDENTIFIER

::= { faModel 2004 }

faz300D OBJECT IDENTIFIER

::= { faModel 3004 }

faz400 OBJECT IDENTIFIER

::= { faModel 4000 }

faz400B OBJECT IDENTIFIER

::= { faModel 4002 }

faz400C OBJECT IDENTIFIER

::= { faModel 4003 }

fazvm OBJECT IDENTIFIER

::= { faModel 20 }

faz800 OBJECT IDENTIFIER

::= { faModel 8000 }

faz800B OBJECT IDENTIFIER

::= { faModel 8002 }

faz1000B OBJECT IDENTIFIER

::= { faModel 10002 }

faz1000C OBJECT IDENTIFIER

::= { faModel 10003 }

faz2000 OBJECT IDENTIFIER

::= { faModel 20000 }

faz2000A OBJECT IDENTIFIER

Administration Guide 302

Fortinet Technologies Inc.
Appendix D: SNMP MIB Support FORTINET-FORTIMANAGER-FORTIANALYZER-MIB

::= { faModel 20001 }

faz2000B OBJECT IDENTIFIER

::= { faModel 20002 }

faz3000D OBJECT IDENTIFIER

::= { faModel 30004 }

faz4000 OBJECT IDENTIFIER

::= { faModel 40000 }

faz4000A OBJECT IDENTIFIER

::= { faModel 40001 }

faz4000B OBJECT IDENTIFIER

::= { faModel 40002 }

--
-- fortinet.fnFortiManagerMib.fmInetProto
--

fmInetProto OBJECT IDENTIFIER

::= { fnFortiManagerMib 4 }

fmInetProtoInfo OBJECT IDENTIFIER

::= { fmInetProto 1 }

fmInetProtoTables OBJECT IDENTIFIER

::= { fmInetProto 2 }

fmIpSessTable OBJECT-TYPE
SYNTAX SEQUENCE OF FmIpSessEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Information on the IP sessions active on the device"
::= { fmInetProtoTables 1 }

fmIpSessEntry OBJECT-TYPE
SYNTAX FmIpSessEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Information on a specific session, including source and destination"
INDEX { fmIpSessIndex }
::= { fmIpSessTable 1 }

FmIpSessEntry ::= SEQUENCE {

fmIpSessIndex FnIndex,
fmIpSessProto FmSessProto,
fmIpSessFromAddr IpAddress,
fmIpSessFromPort InetPortNumber,
fmIpSessToAddr IpAddress,
fmIpSessToPort InetPortNumber,
fmIpSessExp Counter32
}

303 Administration Guide

Fortinet Technologies Inc.
FORTINET-FORTIMANAGER-FORTIANALYZER-MIB Appendix D: SNMP MIB Support

fmIpSessIndex OBJECT-TYPE
SYNTAX FnIndex
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An index value that uniquely identifies an IP session within the
fmIpSessTable"
::= { fmIpSessEntry 1 }

fmIpSessProto OBJECT-TYPE
SYNTAX FmSessProto
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The protocol the session is using (IP, TCP, UDP, etc.)"
::= { fmIpSessEntry 2 }

fmIpSessFromAddr OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Source IP address (IPv4 only) of the session"
::= { fmIpSessEntry 3 }

fmIpSessFromPort OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Source port number (UDP and TCP only) of the session"
::= { fmIpSessEntry 4 }

fmIpSessToAddr OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Destination IP address (IPv4 only) of the session"
::= { fmIpSessEntry 5 }

fmIpSessToPort OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Destination Port number (UDP and TCP only) of the session"
::= { fmIpSessEntry 6 }

fmIpSessExp OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of seconds remaining before the session expires (if idle)"
::= { fmIpSessEntry 7 }

Administration Guide 304

Fortinet Technologies Inc.
Appendix D: SNMP MIB Support FORTINET-FORTIMANAGER-FORTIANALYZER-MIB

--
-- fortinet.fnFortiManagerMib.fmMibConformance
--

fmMIBConformance OBJECT IDENTIFIER

::= { fnFortiManagerMib 10 }

fmTrapsComplianceGroup NOTIFICATION-GROUP
NOTIFICATIONS { fmTrapHASwitch, fmTrapRAIDStatusChange,
fmTrapLogAlert, fmTrapLogRateThreshold,
fmTrapLogDataRateThreshold,
fmTrapLicGbDayThreshold,
fmTrapLicDevQuotaThreshold,
fmTrapCpuThresholdExcludeNice }
STATUS current
DESCRIPTION
"Event notifications"
::= { fmMIBConformance 1 }

fmSystemObjectGroup OBJECT-GROUP
OBJECTS { fmSysMemUsed, fmSysMemCapacity,
fmSysCpuUsage, fmSysDiskCapacity,
fmSysDiskUsage, fmSysCpuUsageExcludedNice }
STATUS current
DESCRIPTION
"Objects pertaining to the system status of the device."
::= { fmMIBConformance 2 }

fmNotificationObjComplianceGroup OBJECT-GROUP
OBJECTS { fmRAIDStatus, fmRAIDDevIndex,
fmLogRate, fmLogRateThreshold,
fmLogDataRate, fmLogDataRateThreshold,
fmLicGbDay, fmLicGbDayThreshold,
fmLicDevQuota, fmLicDevQuotaThreshold }
STATUS current
DESCRIPTION
"Object identifiers used in notifications"
::= { fmMIBConformance 3 }

fmSessionComplianceGroup OBJECT-GROUP
OBJECTS {
fmIpSessProto,
fmIpSessFromAddr,
fmIpSessFromPort,
fmIpSessToAddr,
fmIpSessToPort,
fmIpSessExp
}
STATUS current
DESCRIPTION "Session related instrumentation"
::= { fmMIBConformance 4 }

fmMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for the FortiManager FortiAnalyzer MIB."

305 Administration Guide

Fortinet Technologies Inc.
FORTINET-FORTIMANAGER-FORTIANALYZER-MIB Appendix D: SNMP MIB Support

MODULE -- this module

GROUP fmTrapsComplianceGroup
DESCRIPTION
"Traps are optional. Not all models support all traps. Consult product
literature to see which traps are supported."

GROUP fmSystemObjectGroup
DESCRIPTION
"Model and feature specific."

GROUP fmNotificationObjComplianceGroup
DESCRIPTION
"Object identifiers used in notifications. Objects are required if their
containing trap is implemented."

GROUP fmSessionComplianceGroup
DESCRIPTION
"IP session related implementation."

::= { fmMIBConformance 100 }

END -- end of module FORTINET-FORTIMANAGER-FORTIANALYZER-MIB.

Administration Guide 306

Fortinet Technologies Inc.
- 307 -
Copyright© (Undefined variable: FortinetVariables.CopyrightYear) Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other
marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or
company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance
metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such
warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations,and guarantees
pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current
version of the publication shall be applicable.