FortiAnalyzer-7.4.0-Administration_Guide.pdf


Administration Guide
FortiAnalyzer 7.4.0

FORTINET DOCUMENT LIBRARY: https://docs.fortinet.com
FORTINET VIDEO LIBRARY: https://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM: https://www.fortinet.com/training-certification
FORTINET TRAINING INSTITUTE: https://training.fortinet.com
FORTIGUARD LABS: https://www.fortiguard.com
END USER LICENSE AGREEMENT: https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK: Email: [email protected]

March 22, 2024
FortiAnalyzer 7.4.0 Administration Guide
05-740-890236-20240322
Fortinet Inc.

TABLE OF CONTENTS

Change Log ... 11
Setting up FortiAnalyzer ... 12
  Connecting to the GUI ... 12
  FortiAnalyzer Setup wizard ... 13
  Activating VM licenses ... 18
  Security considerations ... 20
  Restricting GUI access by trusted host ... 20
  Trusted platform module support ... 20
  Other security considerations ... 22
  GUI overview ... 22
  Panes ... 24
  Color themes ... 25
  Side menu open or closed ... 25
  Switching between ADOMs ... 25
  Using the right-click menu ... 26
  Using the CLI console ... 26
  Avatars ... 27
  Using the Process Monitor ... 27
  Showing and hiding passwords ... 28
  Target audience and access level ... 29
  Initial setup ... 29
  FortiManager features ... 29
  Next steps ... 30
  Restarting and shutting down ... 30
FortiAnalyzer Key Concepts ... 31
  Operation modes ... 31
  Analyzer mode ... 31
  Collector mode ... 32
  Analyzer and Collector feature comparison ... 32
  Analyzer–Collector collaboration ... 33
  FortiAnalyzer Fabric ... 33
  Administrative domains ... 33
  Logs ... 34
  Log encryption ... 34
  Log storage ... 34
  Log rolling ... 35
  Log deletion ... 35
  SQL database ... 35
  Analytics and Archive logs ... 36
  Data policy and automatic deletion ... 37
  Disk utilization for Archive and Analytic logs ... 37
  FortiView dashboard ... 37
Dashboard ... 39
  Customizing the dashboard ... 40
  System Information widget ... 41
  Changing the host name ... 42
  Configuring the system time ... 42
  Updating the system firmware ... 43
  Backing up the system ... 46
  Restoring the configuration ... 48
  Migrating the configuration ... 48
  Configuring the operation mode ... 49
  System Resources widget ... 49
  License Information widget ... 49
  Registering with FortiCloud ... 51
  Enabling remote access from FortiCloud ... 52
  Activating add-on licenses ... 53
  Unit Operation widget ... 55
  Alert Messages Console widget ... 55
  Log Receive Monitor widget ... 56
  Insert Rate vs Receive Rate widget ... 56
  Log Insert Lag Time widget ... 57
  Receive Rate vs Forwarding Rate widget ... 57
  Disk I/O widget ... 57
  Device widgets ... 58
  Restart, shut down, or reset FortiAnalyzer ... 58
  Restarting FortiAnalyzer ... 58
  Shutting down FortiAnalyzer ... 59
  Resetting system settings ... 59
Device Manager ... 60
  ADOMs ... 62
  FortiClient EMS devices ... 63
  Unauthorized devices ... 63
  Using FortiManager to manage FortiAnalyzer devices ... 63
  Adding devices ... 64
  Adding devices using the wizard ... 64
  Authorizing devices ... 65
  Hiding unauthorized devices ... 66
  Adding an HA cluster ... 66
  Adding a FortiGate using Security Fabric authorization ... 67
  Managing devices ... 70
  Using the toolbar ... 70
  Editing device information ... 70
  Displaying historical average log rates ... 72
  Connecting to an authorized device GUI ... 72
  Setting values for required meta fields ... 72
  Device groups ... 73
  Adding device groups ... 74
  Managing device groups ... 74
FortiView ... 75
  FortiView ... 76
  How ADOMs affect FortiView ... 76
  Logs used for FortiView ... 76
  FortiView dashboards ... 76
  Using FortiView ... 79
  Viewing Compromised Hosts ... 83
  Examples of using FortiView ... 90
  Monitors ... 92
  FortiView Monitors ... 92
  Using the Monitors dashboard ... 105
  Customizing the Monitors dashboard ... 106
  Creating custom widgets ... 107
  Enabling and disabling FortiView ... 109
Log View and Log Quota Management ... 110
  Types of logs collected for each device ... 110
  Log messages ... 113
  Viewing the log message list of a specific log type ... 113
  Viewing message details ... 113
  Customizing displayed columns ... 115
  Customizing default columns ... 115
  Filtering messages ... 116
  Monitoring all types of security and event logs from FortiGate devices ... 120
  Viewing historical and real-time logs ... 121
  Viewing raw and formatted logs ... 121
  Custom views ... 121
  Downloading log messages ... 122
  Creating charts with Chart Builder ... 123
  User and endpoint ID log fields ... 123
  Log groups ... 124
  Log browse ... 125
  Importing a log file ... 126
  Downloading a log file ... 126
  Deleting log files ... 127
  Log and file storage ... 127
  Disk space allocation ... 127
  Log and file workflow ... 128
  Automatic deletion ... 129
  Logs for deleted devices ... 130
  Storage information ... 131
  Configuring log rate receiving limits ... 133
Fabric View ... 135
  Automation ... 135
  Summary ... 135
  Connectors ... 135
  Playbooks ... 139
  Playbook templates ... 142
  Playbook triggers and tasks ... 143
  Configuring tasks using variables ... 143
  Importing and exporting playbooks ... 145
  Playbook Monitor ... 147
  Fabric Connectors ... 148
  ITSM ... 148
  Security fabric ... 151
  Storage ... 153
  Asset Identity Center ... 154
  Asset Summary ... 155
  Identity Summary ... 156
  Asset List ... 157
  Identity List ... 159
  OT View ... 161
  Configuring endpoint and end user data sources ... 161
  Subnets ... 163
  Creating a subnet list ... 164
  Creating a subnet group ... 165
  Assigning subnet filters to event handlers ... 165
  Fortinet Security Fabric ... 168
  Adding a Security Fabric group ... 168
  Displaying Security Fabric topology ... 169
  Security Fabric traffic log to UTM log correlation ... 169
  Security Fabric ADOMs ... 171
  Enabling SAML authentication in a Security Fabric ... 173
Incidents & Events ... 175
  Event Monitor ... 175
  All Events ... 175
  Default event views ... 176
  Filtering events ... 177
  Viewing event details ... 178
  Acknowledging events ... 178
  Assigning events ... 179
  Managing default views ... 180
  Creating custom views ... 180
  Understanding event statuses ... 182
  Event handlers ... 182
  Predefined event handlers ... 183
  Predefined correlation handlers ... 209
  Creating data selectors ... 213
  Creating notification profiles ... 215
  Creating a custom event handler ... 216
  Creating a custom correlation handler ... 219
  Using the Automation Stitch for event handlers ... 224
  Using the Generic Text Filter ... 224
  Managing event handlers ... 225
  Enabling event handlers ... 226
  Cloning event handlers ... 226
  Resetting predefined event handlers to factory defaults ... 226
  Importing and exporting event handlers ... 227
  Incidents ... 228
  Raising an incident ... 229
  Analyzing an incident ... 229
  Configuring incident settings ... 231
  Adding reports to an incident ... 231
  Threat Hunting ... 232
  Using the log count chart ... 233
  Using the SIEM log analytics table ... 233
  SIEM log parsers ... 234
  Log Parsers ... 234
  Assigned Parsers ... 236
  Outbreak Alerts ... 237
  Viewing imported event handlers and reports ... 238
Reports ... 239
  How ADOMs affect reports ... 239
  Predefined reports, templates, charts, and macros ... 240
  Logs used for reports ... 240
  How charts and macros extract data from logs ... 240
  How auto-cache works ... 240
  Generating reports ... 241
  Report guidance ... 241
  Viewing completed reports ... 242
  Enabling auto-cache ... 243
  Grouping reports ... 243
  Retrieving report diagnostic logs ... 244
  Auto-Generated Reports ... 244
  Scheduling reports ... 244
  Creating reports ... 245
  Creating reports from report templates ... 245
  Creating reports by cloning and editing ... 246
  Creating reports without using a template ... 246
  Reports Settings tab ... 247
  Customizing report cover pages ... 249
  Reports Editor tab ... 251
  Filtering report output ... 253
  Managing reports ... 254
  Organizing reports into folders ... 255
  Importing and exporting reports ... 256
  Report template library ... 257
  Creating report templates ... 257
  Viewing sample reports for predefined report templates ... 258
  Managing report templates ... 258
  List of report templates ... 258
  Chart library ... 263
  Creating charts ... 263
  Managing charts ... 266
  Macro library ... 267
  Creating macros ... 267
  Managing macros ... 268
  Datasets ... 269
  Creating datasets ... 269
  Viewing the SQL query of an existing dataset ... 271
  SQL query functions ... 271
  Managing datasets ... 272
  Aliases and metadata tables ... 272
  Output profiles ... 275
  Creating output profiles ... 275
  Managing output profiles ... 276
  Report languages ... 276
  Exporting and modifying a language ... 277
  Importing a language ... 277
  Deleting a language ... 278
  Report calendar ... 279
  Viewing all scheduled reports ... 279
  Managing report schedules ... 279
System Settings ... 281
  Logging Topology ... 281
  Network ... 282
  Configuring network interfaces ... 282
  Disabling ports ... 284
  Changing administrative access ... 284
  Static routes ... 284
  Packet capture ... 285
  Aggregate links ... 286
  VLAN interfaces ... 287
  SNMP ... 288
  RAID Management ... 296
  Supported RAID levels ... 296
  Configuring the RAID level ... 299
  Monitoring RAID status ... 299
  Swapping hard disks ... 300
  Adding hard disks ... 301
  Administrative Domains (ADOMs) ... 302
  Enabling and disabling the ADOM feature ... 304
  ADOM device modes ... 305
  Managing ADOMs ... 305
  Deleting ADOMs ... 309
  Certificates ... 310
  Local certificates ... 310
  CA certificates ... 313
  Certificate revocation lists ... 314
  Log Forwarding ... 315
  Modes ... 315
  Configuring log forwarding ... 316
  Output profiles ... 319
  Managing log forwarding ... 320
  Log forwarding buffer ... 322
  Log Fetching ... 322
  Fetching profiles ... 323
  Fetch requests ... 324
  Synchronizing devices and ADOMs ... 326
  Fetch monitoring ... 327
  Event Log ... 327
  Event log filtering ... 329
  Task Monitor ... 329
  Mail Server ... 331
  Syslog Server ... 332
  Send local logs to syslog server ... 334
  Meta Fields ... 334
  Device logs ... 335
  Configuring rolling and uploading of logs using the GUI ... 336
  Configuring rolling and uploading of logs using the CLI ... 337
  Upload logs to cloud storage ... 339
  File Management ... 339
  Miscellaneous Settings ... 340
  FortiGuard ... 340
  Subscribing FortiAnalyzer to FortiGuard ... 341
  Licensing in an air-gap environment ... 341
  Administrators ... 346
  Trusted hosts ... 346
  Monitoring administrators ... 346
  Disconnecting administrators ... 347
  Managing administrator accounts ... 347
  Creating administrators ... 348
  Editing administrators ... 353
  Deleting administrators ... 354
  Override administrator attributes from profiles ... 354
  Administrator profiles ... 355
  Permissions ... 356
  Privacy Masking ... 358
  Creating administrator profiles ... 359
  Creating administrator profiles for incident & event management ... 360
  Editing administrator profiles ... 361
  Cloning administrator profiles ... 361
  Deleting administrator profiles ... 362
  Authentication ... 362
  Public Key Infrastructure ... 362
  Managing remote authentication servers ... 364
  LDAP servers ... 365
  RADIUS servers ... 367
  TACACS+ servers ... 369
  Remote authentication server groups ... 369
  SAML admin authentication ... 370
  FortiCloud SSO admin authentication ... 373
  Global administration settings ... 375
  Password policy ... 377
  Password lockout and retry attempts ... 378
  GUI language ... 378
  Idle timeout ... 379
  Security Fabric authorization information for FortiOS ... 379
  Control administrative access with a local-in policy ... 380
  Two-factor authentication ... 380
  Two-factor authentication with FortiAuthenticator ... 381
  Two-factor authentication with FortiToken Cloud ... 384
High Availability ... 386
  Configuring HA options ... 386
  Log synchronization ... 388
  Configuration synchronization ... 389
  Geo-redundant HA ... 390
  Monitoring HA status ... 393
  If the primary unit fails ... 394
  Load balancing ... 394
  Upgrading the FortiAnalyzer firmware for an operating cluster ... 394
Collectors and Analyzers ... 395
  Configuring the Collector ... 395
  Configuring the Analyzer ... 396
  Fetching logs from the Collector to the Analyzer ... 397
Management Extensions ... 398
  FortiSIEM MEA ... 398
  FortiSOAR MEA ... 398
  Enabling management extension applications ... 399
  CLI for management extensions ... 399
  Accessing management extension logs ... 400
  Checking for new versions and upgrading ... 401
Appendix A - Supported RFC Notes ... 402
Appendix B - Log Integrity and Secure Log Transfer ... 404
  Log Integrity ... 404
  Configuring log integrity settings ... 404
  Verifying log-integrity ... 404
  Secure Log Transfer ... 405
  Configuring secure log transfer settings ... 405
  Log caching with secure log transfer enabled ... 406
  Supported ciphers ... 407
  Maximum TLS/SSL version compatibility ... 412
Appendix C - FortiAnalyzer Ansible Collection documentation ... 414

Change Log

Date        Change Description
2023-05-15  Initial release.
2023-05-18  Updated: Managing a Compromised Hosts rescan policy on page 85; Modes on page 315
2023-05-31  Updated Management Extensions on page 398.
2023-06-08  Updated Creating macros on page 267.
2023-06-21  Updated Output profiles on page 319.
2023-06-29  Updated Licensing in an air-gap environment on page 341.
2023-07-06  Updated How ADOMs affect reports on page 239.
2023-08-01  Updated Migrating the configuration on page 48.
2023-08-21  Updated FortiAnalyzer Fabric on page 33.
2023-09-07  Updated Creating or editing ITSM connectors on page 148.
2023-09-11  Updated Configuring HA options on page 386.
2023-09-13  Updated SNMP on page 288.
2023-09-15  Updated Indicators of Compromise on page 87.
2023-09-26  Added Geo-redundant HA on page 390.
2023-10-11  Added Using the Template - Shadow IT Report on page 262.
2023-10-23  Updated Enabling and disabling the ADOM feature on page 304.
2023-11-16  Updated Device Manager on page 60.
2024-01-18  Updated Configuring HA options on page 386.
2024-02-09  Updated: Creating a custom event handler on page 216; Creating a custom correlation handler on page 219
2024-03-22  Updated Appendix B - Log Integrity and Secure Log Transfer on page 404.

Setting up FortiAnalyzer

This chapter provides information about performing some basic setup tasks for your FortiAnalyzer units. This section contains the following topics:
- Connecting to the GUI on page 12
- Security considerations on page 20
- GUI overview on page 22
- Target audience and access level on page 29
- Initial setup on page 29
- FortiManager features on page 29
- Next steps on page 30
- Restarting and shutting down on page 30

Connecting to the GUI

The FortiAnalyzer unit can be configured and managed using the GUI or the CLI. This section steps you through connecting to the unit via the GUI.

If you are connecting to the GUI for a FortiAnalyzer virtual machine (VM) for the first time, you are required to activate a license. See Activating VM licenses on page 18.

To connect to the GUI:
1. Connect the FortiAnalyzer unit to a management computer using an Ethernet cable.
2. Configure the management computer to be on the same subnet as the internal interface of the FortiAnalyzer unit:
   - IP address: 192.168.1.X
   - Netmask: 255.255.255.0
3. On the management computer, start a supported web browser and browse to https://192.168.1.99. The login dialog box is displayed.
4. Type admin in the Name field, leave the Password field blank, and click Login. The FortiAnalyzer Setup wizard is displayed.
5. Click Begin to start the setup process. See FortiAnalyzer Setup wizard on page 13.
   The Later option is available for certain steps in the wizard, allowing you to postpone those steps. The Register with FortiCare step cannot be skipped and must be completed before you can access the FortiAnalyzer appliance or VM.
6. If ADOMs are enabled, the Select an ADOM pane is displayed. Click an ADOM to select it. The FortiAnalyzer home page is displayed.
7. Click a tile to go to that pane. For example, click the Device Manager tile to go to the Device Manager pane. See also GUI overview on page 22.

If the network interfaces have been configured differently during installation, the URL and/or the permitted administrative access protocols (such as HTTPS) may no longer be in their default state. For information on enabling administrative access protocols and configuring IP addresses, see Configuring network interfaces on page 282.

If the URL is correct and you still cannot access the GUI, you may also need to configure static routes. For details, see Static routes on page 284.

After logging in for the first time, you should create an administrator account for yourself and assign the Super_User profile to it. Then log in to the FortiAnalyzer unit using the new administrator account. See Managing administrator accounts on page 347 for information.
FortiAnalyzer Setup wizard

When you log in to FortiAnalyzer, the FortiAnalyzer Setup wizard is displayed to help you set up FortiAnalyzer by performing the following actions:
- Registering with FortiCare and enabling FortiCare single sign-on
- Specifying the hostname
- Changing your password
- Upgrading firmware (when applicable)

You can choose whether to complete the wizard now or later. The FortiAnalyzer Setup wizard requires that you complete the Register with FortiCare step before you can access the FortiAnalyzer appliance or VM.

When actions are complete, a green checkmark displays beside them in the wizard, and the wizard no longer displays after you log in to FortiAnalyzer.

This topic describes how to use the FortiAnalyzer Setup wizard.

To use the FortiAnalyzer Setup wizard:
1. Log in to FortiAnalyzer. The FortiAnalyzer Setup dialog box is displayed.
2. Click Begin to start the setup process now. Alternatively, click Later to postpone the setup tasks. Some tasks cannot be postponed.
3. When prompted, register with FortiCare and enable FortiCare single sign-on. You must complete the Register with FortiCare step before you can access the FortiAnalyzer appliance or VM.
   When using FortiAnalyzer in an air-gapped environment, you must manually import your Entitlement File. See Licensing in an air-gap environment on page 341.
4. When prompted, specify the hostname.
5. In the Hostname box, type a hostname.
6. Click Next.
7. When prompted, change your password.
   a. In the New Password box, type the new password.
   b. In the Confirm Password box, type the new password again.
   c. Click Next.
8. When a new firmware version is available for your device on FortiGuard, the Upgrade Firmware option in the wizard indicates that a new version is available, and you can click Next to upgrade to the new firmware, or Later to upgrade later.
9. Complete the setup by clicking Finish. You are logged in to FortiAnalyzer.

Activating VM licenses

If you are logging in to a FortiAnalyzer VM for the first time by using the GUI, you are required to activate a purchased license or activate a trial license for the VM.

To activate a license for FortiAnalyzer VM:
1. On the management computer, start a supported web browser and browse to https:// for the FortiAnalyzer VM. The login dialog box is displayed.
2. Take one of the following actions:

   Free Trial: If a valid license is not associated with the account, you can start a free trial license.
     1. Select Free Trial, and click Login with FortiCloud.
     2. Use your FortiCloud account credentials to log in, or create a new account. FortiAnalyzer connects to FortiCloud to get the trial license. The system will restart to apply the trial license.
     3. Read and accept the license agreement.
     For more information, see the FortiAnalyzer VM Trial License Guide.

   Activate License: If you have a license file, you can activate it.
     1. Select Activate License, and click Login with FortiCloud.
     2. Use your FortiCloud account credentials to log in. FortiAnalyzer connects to FortiCloud, and the license agreement is displayed.
     3. Read and accept the license agreement.

   Upload License:
     1. Click Browse to upload the license file, or drag it onto the field.
     2. Click Upload. After the license file is uploaded, the system will restart to verify it. This may take a few moments.
   To download the license file, go to the Fortinet Technical Support site (https://support.fortinet.com/), and use your FortiCloud credentials to log in. Go to Asset > Manage/View Products, then click the product serial number.

Security considerations

You can take steps to prevent unauthorized access and restrict access to the GUI. This section includes the following information:
- Restricting GUI access by trusted host on page 20
- Trusted platform module support on page 20
- Other security considerations on page 22

Restricting GUI access by trusted host

To prevent unauthorized access to the GUI, you can configure administrator accounts with trusted hosts. With trusted hosts configured, the administrator can only log in to the GUI from a computer whose address matches a trusted host defined in the administrator account. You can configure up to ten trusted hosts per administrator account. See Administrators on page 346 for more details.

Trusted platform module support

On supported FortiAnalyzer hardware devices, the Trusted Platform Module (TPM) can be used to protect your password and key against malicious software and phishing attacks. The dedicated module hardens the FortiAnalyzer by generating, storing, and authenticating cryptographic keys. For more information about which models feature TPM support, see the FortiAnalyzer Data Sheet.

By default, the TPM is disabled. To enable it, you must enable private-data-encryption and set the 32 hexadecimal digit master-encryption-password. This encrypts sensitive data on the FortiAnalyzer using AES128-CBC. With the password, the TPM generates a 2048-bit primary key to secure the master-encryption-password through RSA-2048 encryption. The master-encryption-password protects the data. The primary key protects the master-encryption-password. The key is never displayed in the configuration file or the system CLI, thereby obscuring the information and leaving the encrypted information in the TPM.

The TPM module does not encrypt the disk drive of eligible FortiAnalyzer units.

The primary key binds the encrypted configuration file to a specific FortiAnalyzer unit and never leaves the TPM. When backing up the configuration, the TPM uses the key to encrypt the master-encryption-password in the configuration file. When restoring a configuration that includes a TPM-protected master-encryption-password:
- If TPM is disabled, then the configuration cannot be restored.
- If TPM is enabled but has a different master-encryption-password than the configuration file, then the configuration cannot be restored.
- If TPM is enabled and the master-encryption-password is the same as in the configuration file, then the configuration can be restored.

For information on backing up and restoring the configuration, see Backing up the system on page 46 and Restoring the configuration on page 48.

The master-encryption-password is also required when migrating the configuration, regardless of whether TPM is available on the other FortiAnalyzer model. For more information, see Migrating the configuration on page 48.

Passwords and keys that can be encrypted by the master-encryption-key include:
- Admin password
- Alert email user's password
- BGP and other routing related configurations
- External resource
- FortiGuard proxy password
- FortiToken/FortiToken Mobile's seed
- HA password
- IPsec pre-shared key
- Link Monitor, server side password
- Local certificate's private key
- Local, LDAP, RADIUS, FSSO, and other user category related passwords
- Modem/PPPoE
- NST password
- NTP password
- SDN connector, server side password
- SNMP
- Wireless Security related password

In HA configurations, each cluster member must use the same master-encryption-key so that the HA cluster can form and its members can synchronize their configurations.

To check if your FortiAnalyzer device has a TPM:
Enter the following command in the FortiAnalyzer CLI:

    diagnose hardware info

The output in the CLI includes ### TPM info, which displays whether the TPM is detected (enabled), not detected (disabled), or not available.

To enable TPM and input the master-encryption-password:
Enter the following commands in the FortiAnalyzer CLI:

    config system global
        set private-data-encryption enable
    end
    Please type your private data encryption key (32 hexadecimal numbers): ********************************
    Please re-enter your private data encryption key (32 hexadecimal numbers) again: ********************************
    Your private data encryption key is accepted.

Other security considerations

Other security considerations for restricting access to the FortiAnalyzer GUI include the following:
- Configure administrator accounts using a complex passphrase for local accounts
- Configure administrator accounts using RADIUS, LDAP, TACACS+, or PKI
- Configure the administrator profile to only allow read/write permission as required, and restrict access using read-only or no permission to settings which are not applicable to that administrator
- Configure the administrator account to only allow access to specific ADOMs as required

When setting up FortiAnalyzer for the first time or after a factory reset, the password cannot be left blank. You are required to set a password when the admin user tries to log in to FortiManager from the GUI or CLI for the first time. This is applicable to a hardware device as well as a VM. This is to ensure that administrators do not forget to set a password when setting up FortiAnalyzer for the first time. After the initial setup, you can set a blank password from System Settings > Administrators.

GUI overview

When you log into the FortiAnalyzer GUI, the Dashboard pane is displayed. The Dashboard contains widgets that provide performance and status information. For more information about the Dashboard, see Dashboard on page 39.

Use the navigation menu on the left to open another pane. The available panes vary depending on the privileges of the current user.

Device Manager: Add and manage devices and VDOMs. See Device Manager on page 60.
FortiView: Summarizes SOC information in FortiView and Monitors dashboards, which include widgets displaying log data in graphical formats, network security, WiFi security, and system performance in real time. This pane is not available when the unit is in Collector mode.
Log View: View logs for managed devices. You can display, download, import, and delete logs on this page. You can also define custom views and create log groups. See Log View and Log Quota Management on page 110.
Fabric View: Configure fabric connectors and playbook automation. Playbook automation requires a FortiSoC subscription service. See Fabric View on page 135.
Incidents & Events: Configure and view events for logging devices. See Incidents & Events on page 175. This pane is not available when the unit is in Collector mode.
Reports: Generate reports. You can also configure report templates, schedules, and output profiles, and manage charts and datasets. See Reports on page 239. This pane is not available when the unit is in Collector mode.
Management Extensions: Enable and use management extension applications that are released and signed by Fortinet. See Management Extensions on page 398.
System Settings: Configure system settings such as network interfaces, administrators, system time, server settings, and others. You can also perform maintenance and firmware operations. See System Settings on page 281.

The banner at the top of the screen is available in every pane. The following options are available in the banner:

Menu: Click to toggle the visibility of the navigation menu on the left.
ADOM: If ADOMs are enabled, the required ADOM can be selected from the dropdown list. The ADOMs available from the ADOM menu will vary depending on the privileges of the current user.
CLI Console: Open the CLI console to configure the FortiAnalyzer unit using CLI commands directly from the GUI, without making a separate SSH or local console connection to access the CLI. For more information, see Using the CLI console on page 26. Note: The CLI Console requires that your web browser support JavaScript.
Online Help: Click to open the FortiAnalyzer online help. You can also open the FortiAnalyzer basic setup video (https://video.fortinet.com/products/fortianalyzer/6.2/). This option is context-sensitive, so it will open to the relevant documentation for the pane you are in.
Notifications: Click to display a list of notifications. Select a notification from the list to take action on the issue.
admin: From this dropdown, you can:
- view the current firmware build of your FortiAnalyzer device.
- upgrade the firmware.
- open the Process Monitor.
- change your password.
- update your profile information, including the avatar and theme.
- log out of the GUI.

Panes

In general, each pane has four primary parts: the banner, toolbar, tree menu, and content pane.

Banner: Along the top of the page. The banner includes the device name (next to the Fortinet logo) and options to open/close the side menu, switch ADOMs (when enabled), open the CLI console, view notifications, and access the admin menu. In some panes, further options will be included in the banner.
Tree menu: On the left side of the screen. In some panes, further navigation will be available as tabs along the top of the content pane. This additional horizontal menu can be toggled to a vertical menu, if preferred. Use this navigation menu to open panes in the GUI.
Content pane: Contains widgets, lists, configuration options, or other information, depending on the pane, menu, or options that are selected. Most management tasks are handled in the content pane.
Toolbar: Directly above the content pane. The toolbar includes options for managing content in the content pane, such as Create New and Delete.

Color themes

You can choose a color theme for the FortiAnalyzer GUI. For example, you can choose a color, such as blue or plum, or you can choose an image, such as summer or autumn. By default, all users are assigned the global color theme. To change the global color theme, see Global administration settings on page 375.

To change your color theme:
1. In the banner, open the dropdown for your account and click Change Profile. The Change Profile dialog displays.
2. In the Theme Mode field, select Use Own Theme.
3. Enable the High Contrast Theme or select a color theme from the list.

Side menu open or closed

After you choose a tile, such as Device Manager, you can close the side menu and view only the content pane. Alternatively, you can view both the side menu and the content pane. In the banner, click the Open/close side menu button to change between the views.

Switching between ADOMs

When ADOMs are enabled, you can move between ADOMs by selecting an ADOM from the ADOM button in the banner. You are also prompted to select an ADOM when you log in.

ADOM access is controlled by administrator accounts and the profile assigned to the administrator account. Depending on your account privileges, you might not have access to all ADOMs. See Managing administrator accounts on page 347 for more information.

To switch ADOMs:
1. In the banner, click the ADOM button. The Select an ADOM dialog displays.
2. Click the ADOM to switch to. The ADOM you are in displays on the ADOM button in the banner.

Using the right-click menu

Options are sometimes available using the right-click menu. Right-click an item in the content pane to display the menu of available options. This menu often includes actions available in the toolbar, as well as some unique actions depending on the pane and its content. For example, on the Reports pane, you can right-click a report and select Edit, Clone, Delete, and more.

Using the CLI console

The CLI console is a terminal window that enables you to configure the FortiAnalyzer unit using CLI commands directly from the GUI, without making a separate SSH or local console connection to access the CLI. When using the CLI console, you are logged in with the same administrator account that you used to access the GUI. You can enter commands by typing them, or you can copy and paste commands into or out of the console.

For more information about using the CLI, see the FortiAnalyzer CLI Reference on the Fortinet Documents Library.

The CLI Console requires that your web browser support JavaScript.

To open the CLI console in the GUI, click the CLI Console icon (>_) in the banner. You can perform the following actions from the top of the CLI Console:

Clear Console: Clear previous text in the console.
Copy History to Clipboard: Copy all text in the console.
Record CLI Commands: Begin recording the next commands entered in the console; click again to finish recording. The commands and outputs from the recording are copied to the clipboard.
Download History: Download all text in the console as a text file.
Reconnect Console: Reconnect to the console, clearing the previous text in the console and returning to the initial prompt.
Run CLI Script: Drag and drop or select a script file to run in the CLI.
Detach: Open the console in a new tab.
CLI of Current Page (if available): Go to the commands for the current page of the GUI, if they are available.
Minimize: Minimize the console in the GUI.
Full screen: Expand the console to full screen within the GUI.
Close: Close the console.

Avatars

When FortiClient sends logs to FortiAnalyzer, an avatar for each user can be displayed in the Source column in the FortiView and Log View panes. FortiAnalyzer can display an avatar when FortiClient is managed by FortiGate or FortiClient EMS with logging to FortiAnalyzer enabled.
- When FortiClient Telemetry connects to FortiGate, FortiClient sends logs (including avatars) to FortiGate, and the logs display in FortiAnalyzer under the FortiGate device as a sub-type of security. The avatar is synchronized from FortiGate to FortiAnalyzer by using the FortiOS REST API.
- When FortiClient Telemetry connects to FortiClient EMS, FortiClient sends logs (including avatars) directly to FortiAnalyzer, and the logs display in a FortiClient ADOM.

If FortiAnalyzer cannot find the defined picture, a generic, gray avatar is displayed.

You can also optionally define an avatar for FortiAnalyzer administrators. See Creating administrators on page 348.

Using the Process Monitor

The Process Monitor displays running processes with their CPU and memory usage as well as their disk I/O levels. Administrators can sort, filter, and terminate processes within the Process Monitor pane.

To use the Process Monitor:
1. In the banner, click [admin_name] > Process Monitor. A line chart and a table view are available in the Process Monitor pane. Both the chart and the table refresh automatically unless paused.
2. To change the line chart according to your needs, click CPU, Memory (Percentage), Memory (Bytes), or Disk I/O. The table view will automatically sort by the selection as well.
3. To pause the chart and table from refreshing, click the pause button. You can click the play button to resume the automatic refresh.
4. Use the search field to search for any field in the table view.
5. To terminate a process, select it in the table view and click Kill Process.

Showing and hiding passwords

In some fields, you can show and hide information by clicking the toggle icon. For example, in the Change Password dialog, the Old Password field can be toggled to show the password while the other fields remain toggled to hide the password.

Target audience and access level

This guide is intended for administrators with full privileges, who can access all panes in the FortiAnalyzer GUI, including the System Settings pane.

In FortiAnalyzer, administrator privileges are controlled by administrator profiles. Administrators who are assigned profiles with limited privileges might be unable to view some panes in the GUI and might be unable to perform some tasks described in this guide. For more information about administrator profiles, see Administrator profiles on page 355.

If you logged in by using the admin administrator account, you have the Super_User administrator profile, which is assigned to the admin account by default and gives the admin administrator full privileges.

Initial setup

This topic provides an overview of the tasks that you need to do to get your FortiAnalyzer unit up and running.

To set up FortiAnalyzer:
1. Connect to the GUI. See Connecting to the GUI on page 12.
2. Configure the RAID level, if the FortiAnalyzer unit supports RAID. See Configuring the RAID level on page 299.
3. Configure network settings. See Configuring network interfaces on page 282.
Once the IP address of the administrative port of FortiAnalyzer is changed, you will lose connection to FortiAnalyzer. You will have to reconfigure the IP address of the management computer to connect again to FortiAnalyzer and continue. 4. (Optional) Configure administrative domains. See Managing ADOMs on page 305. 5. Configure administrator accounts. See Managing administrator accounts on page 347. After you configure the administrator accounts for the FortiAnalyzer unit, you should log in again by using your new administrator account. 6. Add devices to the FortiAnalyzer unit so that the devices can send logs to the FortiAnalyzer unit. See Adding devices on page 64. 7. Configure the operation mode. See Configuring the operation mode on page 49 and Operation modes on page 31. FortiManager features FortiManager features are not available in FortiAnalyzer 6.2.0 and up. For information about FortiManager, see the FortiManager Administration Guide. FortiAnalyzer 7.4.0 Administration Guide 29 Fortinet Inc. Setting up FortiAnalyzer If FortiManager features are enabled in FortiAnalyzer before upgrading to 6.2.0 and later, the existing feature configurations will continue to be available after the upgrade. FortiManager features carried over during an upgrade can be disabled through the CLI console. Next steps Now that you have set up your FortiAnalyzer units and they have started receiving logs from the devices, you can start monitoring and interpreting data. You can: l View log messages collected by the FortiAnalyzer unit in Log View. See Types of logs collected for each device on page 110. l View multiple panes of network activity in FortiView > Monitors. See Monitors on page 92. l View summaries of threats, traffic, and more in FortiView. See FortiView on page 76. l Generate and view events in Incidents & Events. See Incidents & Events on page 175 l Generate and view reports in Reports. See Reports on page 239. 
Restarting and shutting down

Always use the operation options in the GUI or the CLI commands to reboot and shut down the FortiAnalyzer system to avoid potential configuration problems. See Restart, shut down, or reset FortiAnalyzer on page 58 in System Settings on page 281.

FortiAnalyzer Key Concepts

This section provides information about basic FortiAnalyzer concepts and terms. If you are new to FortiAnalyzer, use this section to quickly understand this document and the FortiAnalyzer platform.

This section includes the following sections:
- Operation modes on page 31
- Administrative domains on page 33
- Logs on page 34
- Log storage on page 34
- FortiView dashboard on page 37

Operation modes

FortiAnalyzer can run in two operation modes: Analyzer and Collector. Choose the operation mode for your FortiAnalyzer units based on your network topology and requirements.

Analyzer mode

Analyzer mode is the default mode that supports all FortiAnalyzer features. Use this mode to aggregate logs from one or more Collectors.

The following diagram shows an example of deploying FortiAnalyzer in Analyzer mode.

Collector mode

When FortiAnalyzer is in Collector mode, its primary task is forwarding logs of the connected devices to an Analyzer and archiving the logs. Instead of writing logs to the database, the Collector retains logs in their original binary format for uploading. In this mode, most features are disabled.

Analyzer and Collector feature comparison

Feature               Analyzer Mode   Collector Mode
Device Manager        Yes             Yes
FortiView             Yes             No
Log View              Yes             Raw archive logs only
Incidents & Events    Yes             No
Monitoring devices    Yes             No
Reporting             Yes             No
System Settings       Yes             Yes
Log Forwarding        Yes             Yes

Analyzer–Collector collaboration

You can deploy Analyzer mode and Collector mode on different FortiAnalyzer units and make the units work together to improve the overall performance of log receiving, analysis, and reporting. The Analyzer offloads the log receiving task to the Collector so that the Analyzer can focus on data analysis and report generation. This maximizes the Collector's log receiving performance. For an example of setting up Analyzer–Collector collaboration, see Collectors and Analyzers on page 395.

FortiAnalyzer Fabric

FortiAnalyzer can also join a FortiAnalyzer Fabric, which enables centralized viewing of devices, incidents, and events across multiple FortiAnalyzers acting as members. The FortiAnalyzer Fabric is ideal for use in high volume environments with many FortiAnalyzers. For more information about sizing and design considerations, see the FortiAnalyzer Architecture Guide.

In this mode, FortiAnalyzer Fabric members form a Fabric with one device operating in supervisor mode as the root device. Incident, event, and log information is synced from members to the supervisor using the API. See the FortiAnalyzer Fabric Deployment Guide for more information.

Administrative domains

Administrative domains (ADOMs) enable the admin administrator to constrain the access privileges of other FortiAnalyzer unit administrators to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific VDOM for a device.

Enabling ADOMs alters the available functions in the GUI and CLI. Access to the functions depends on whether you are logged in as the admin administrator. If you are logged in as the admin administrator, you can access all ADOMs. If you are not logged in as the admin administrator, the settings in your administrator account determine access to ADOMs.

For information on enabling and disabling ADOMs, see Enabling and disabling the ADOM feature on page 304. For information on working with ADOMs, see Administrative Domains (ADOMs) on page 302. For information on configuring administrator accounts, see Managing administrator accounts on page 347.

ADOMs must be enabled to support FortiCarrier, FortiClient EMS, FortiMail, FortiWeb, FortiCache, and FortiSandbox logging and reporting. See Administrative Domains (ADOMs) on page 302.

Logs

Logs in FortiAnalyzer are in one of the following phases.
- Real-time log: Log entries that have just arrived and have not been added to the SQL database. These logs are stored in Archive in an uncompressed file.
- Archive logs: When a real-time log file in Archive has been completely inserted, that file is compressed and considered to be offline.
- Analytics logs or historical logs: Indexed in the SQL database and online.

In order for FortiAnalyzer to accept logs, the sending device must be registered in FortiAnalyzer. You can add devices to FortiAnalyzer by specifying the serial number and other details, or you may point the device's log settings to the FortiAnalyzer. If initiated by the remote device, the device must be authorized before logs can be received on FortiAnalyzer. See Adding devices on page 64.

For more information on the types of logs collected for each device, see Types of logs collected for each device on page 110.

Log encryption

Beginning in FortiAnalyzer 6.2, all logs from Fortinet devices (using Fortinet's proprietary protocol, OFTP) must be encrypted. The FortiAnalyzer encryption level must be equal to or lower than the sending device's level. For example, when configuring logging from a FortiGate, FortiAnalyzer must have the same encryption level as FortiGate, or a lower one, in order to accept logs from FortiGate.

To configure the encryption level on FortiAnalyzer:
1. In the FortiAnalyzer CLI, enter the following commands:
     config system global
       set enc-algorithm {high | low | medium}

To configure the encryption level on FortiGate:
1. In the FortiGate CLI, enter the following commands:
     config log fortianalyzer setting
       set enc-algorithm {high-medium | high | low}

See also Appendix B - Log Integrity and Secure Log Transfer on page 404.

Log storage

Logs and files are stored on the FortiAnalyzer disks. Logs are also temporarily stored in the SQL database.

You can configure data policy and disk utilization settings for devices. These are collectively called log storage settings. You can configure global log and file storage settings. These apply to all logs and files in the FortiAnalyzer system regardless of log storage settings.

Log rolling

When FortiAnalyzer receives a log, it is stored in a file. Logs will continue to populate this file until its limit is reached, at which time the file is "rolled", which involves compressing the file and creating a new one for further logs of that type. There are two settings that you can use to configure when log rolling occurs, and both may be used at the same time, with rolling taking place when either condition is met.
- Log file size: This is enabled by default and set to 200 MB.
- At a scheduled time: Either daily or weekly at a set time. Rolling the files daily is recommended to avoid a file spanning more than 24 hours and masking the actual number of days you are storing logs for.

See also Configuring rolling and uploading of logs using the GUI on page 336.

Log deletion

When you reach your archive retention limit as defined by allocated storage size or specified days, FortiAnalyzer deletes old logs to make room for new logs. FortiAnalyzer can only delete files, not logs within a file. Controlling file growth is important because storage capacity is not infinite and it directly affects how old logs are deleted to make room for new logs.

FortiAnalyzer will delete old files based on which condition is forcing the deletion:
- Days: Delete the log file that contains logs which are all outside the configured day retention period. Log files can span several days, or even months. When this is the case, the file will not be considered eligible for deletion while deleting it would also remove logs that are within the configured retention days. This can lead to Archive indicating that it is storing more days than it is configured for (for example, 100/90 days). This is because the number displays the age of the oldest log, not that there are logs for each day up to that number.
- Storage size: Delete the log file with the oldest last received log. This can lead to the administrator not seeing the true amount of logs in analytics, since there is no way to indicate that there are no logs for days 60 through 89, only that there are some logs from 90 days ago.

See also Data policy and automatic deletion on page 37 and Disk utilization for Archive and Analytic logs on page 37.

SQL database

FortiAnalyzer supports Structured Query Language (SQL) for logging and reporting. The log data is inserted into the SQL database to support data analysis in FortiView, Log View, and Reports. Remote SQL databases are not supported. For more information, see FortiView on page 76, Types of logs collected for each device on page 110, and Reports on page 239.

The log storage settings define how much FortiAnalyzer disk space to use for the SQL database.

When FortiAnalyzer is in Collector mode, the SQL database is disabled by default. If you want to use logs that require SQL when FortiAnalyzer is in Collector mode, you must enable the SQL database. See Operation modes on page 31.

Analytics and Archive logs

Logs in FortiAnalyzer are in one of the following phases.
- Real-time log: Log entries that have just arrived and have not been added to the SQL database. These logs are stored in Archive in an uncompressed file.
- Archive logs: When a real-time log file in Archive has been completely inserted, that file is compressed and considered to be offline.
- Analytics logs or historical logs: Indexed in the SQL database and online.

Use a data policy to control how long to retain Analytics and Archive logs.
- Archive logs on page 36
- Analytic logs on page 36

Archive logs

When FortiAnalyzer receives a log, it is stored in a file. Logs will continue to populate this file until its limit is reached, at which time the file is "rolled", which involves compressing the file and creating a new one for further logs of that type. These files (rolled or otherwise) count against the archive retention limits and are referred to as Archived or Offline logs. You cannot immediately view details about these logs in the FortiView, Log View, and Incidents & Events panes. You also cannot generate reports about the logs in the Reports pane.

Archive logs are stored unchanged and can be uploaded to a file server for use as backups.
- If you are using a FortiAnalyzer-VM, you may also choose to snapshot the data drive to back up your logs.
- If you are using a physical FortiAnalyzer which leverages RAID for storage, remember that RAID is not a backup solution.

Log storage in Archive is important since it is used to rebuild the database in the event of database corruption, or in some cases during upgrades.
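The two archive-deletion conditions from the Log deletion section above, applied to rolled files of the kind the Archive logs section describes, as an added model (my own code, not FortiAnalyzer's). The file names, dates, sizes and the 90-day/400 MB limits are constructed sample values; the assumption that a file holds logs for every day between its first and last log is mine.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ArchiveFile:
    """One rolled Archive file (FortiAnalyzer deletes whole files, never single logs)."""
    name: str
    first_log: date   # oldest log in the file
    last_log: date    # newest (last received) log in the file
    size_mb: int


# Constructed sample: four rolled files for one device and log type. The device
# sent nothing between 2024-01-06 and 2024-01-19, so tlog.C starts later.
TODAY = date(2024, 3, 22)
RETENTION_DAYS = 90
QUOTA_MB = 400
SAMPLE_FILES = [
    ArchiveFile("tlog.A", date(2023, 12, 1), date(2023, 12, 10), 200),
    ArchiveFile("tlog.B", date(2023, 12, 12), date(2024, 1, 5), 200),   # straddles the cutoff
    ArchiveFile("tlog.C", date(2024, 1, 20), date(2024, 2, 20), 200),
    ArchiveFile("tlog.D", date(2024, 2, 21), date(2024, 3, 22), 150),
]


def delete_by_days(files, today, retention_days):
    """Days condition: a file is eligible only when ALL of its logs are older
    than the retention cutoff. A file that straddles the cutoff is kept whole."""
    cutoff = today - timedelta(days=retention_days)
    deleted = [f for f in files if f.last_log < cutoff]
    kept = [f for f in files if f.last_log >= cutoff]
    return kept, deleted


def delete_by_storage(files, quota_mb):
    """Storage-size condition: remove the file whose last received log is
    oldest, repeating until total usage fits the allocated size."""
    kept = sorted(files, key=lambda f: f.last_log)
    deleted = []
    while kept and sum(f.size_mb for f in kept) > quota_mb:
        deleted.append(kept.pop(0))
    return kept, deleted


def archive_days_shown(files, today):
    """What the Archive counter reports: age of the oldest log present. It says
    nothing about whether every day up to that age actually has logs."""
    if not files:
        return 0
    return (today - min(f.first_log for f in files)).days


def days_with_logs(files):
    """Days actually covered by the remaining files (assumption: each file holds
    logs for every day between its first and last log)."""
    return sum((f.last_log - f.first_log).days + 1 for f in files)


def run_retention(files=SAMPLE_FILES, today=TODAY,
                  retention_days=RETENTION_DAYS, quota_mb=QUOTA_MB):
    """Apply the days condition, read the counter, then apply the size condition."""
    kept, by_days = delete_by_days(files, today, retention_days)
    shown = archive_days_shown(kept, today)
    covered = days_with_logs(kept)
    kept, by_size = delete_by_storage(kept, quota_mb)
    return {
        "deleted_by_days": [f.name for f in by_days],
        "archive_days_shown": shown,        # reads 101 against a 90-day setting
        "days_with_logs": covered,          # fewer: the straddling file and the gap
        "deleted_by_storage": [f.name for f in by_size],
        "remaining": [f.name for f in kept],
    }


if __name__ == "__main__":
    for key, value in run_retention().items():
        print(f"{key}: {value}")
```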
Analytic logs

Immediately following the storage of a log in an archive, the same log is inserted into the SQL database. This function is also known as indexing, and these logs are referred to as Analytic or Online logs. Analytic logs are the only logs which are used for analysis in FortiAnalyzer Log View (excluding Log Browse), Incidents & Events, and Reports.

Analytic logs are dissected during insertion and any subtypes are stored as their own category. For example, security profile logs such as web filtering logs are sent and stored as Traffic logs when archived; however, Analytics extracts the relevant web filtering fields and stores them in a web filtering table. Indexed logs take up significantly more space than the same amount of logs in Archive.

Most administrators may need to store between 30 and 60 days in Analytics; however, this should be configured for the amount of time that you would typically need to explore the logs for. If you need to run analytics for dates outside your Analytics retention, you may perform a database rebuild and load the particular date range. A database rebuild involves purging all logs from Analytics and loading logs for the days of interest from Archive. Once analysis is complete, you can then rebuild once more to load the most current logs into Analytics from the Archive.

Data policy and automatic deletion

Use a data policy to control how long to keep compressed and indexed logs. When ADOMs are enabled, you can specify settings for each ADOM and the settings apply to all devices in that ADOM. When ADOMs are disabled, settings apply to all managed devices.

A data policy specifies:
- How long to keep Analytics logs indexed in the database. When the specified length of time in the data policy expires, logs are automatically purged from the database but remain compressed in a log file on the FortiAnalyzer disks.
- How long to keep Archive logs on the FortiAnalyzer disks. When the specified length of time in the data policy expires, Archive logs are deleted from the FortiAnalyzer disks.

See also Log storage information on page 130.

Disk utilization for Archive and Analytic logs

You can specify how much of the total available FortiAnalyzer disk space to use for log storage. You can specify what ratio of the allotted storage space to use for logs that are indexed in the SQL database and for logs that are stored in a compressed format on the FortiAnalyzer disks. Then you can monitor how quickly device logs are filling up the allotted disk space.

Analytic logs indexed in the SQL database require more disk space than Archive logs (purged from the SQL database but remaining compressed on the FortiAnalyzer disks). An average Analytic log is 600 bytes, and an average Archive log is 80 bytes. By default, after seven days Analytic logs are compressed and are an average of 150 bytes. Keep this difference in mind when specifying the storage ratio for Analytics and Archive logs.

When ADOMs are enabled, you can specify settings for each ADOM and the settings apply to all devices in that ADOM. When ADOMs are disabled, settings apply to all managed devices. See Log storage information on page 130.

FortiView dashboard

FortiAnalyzer provides dashboards for Security Operations Center (SOC) administrators. FortiView includes monitors which enhance the visualization of real-time activities and historical trends, so that analysts can effectively monitor network activities and security alerts. See FortiView on page 75.

In high capacity environments, the FortiView module can be disabled to improve performance. See Enabling and disabling FortiView on page 109.
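A capacity estimate for the Analytics/Archive split from the Disk utilization section above (600 bytes per indexed log, 150 bytes once compressed after seven days, 80 bytes per Archive log), as an added example that is my own code, not FortiAnalyzer's. The log rate, retention periods and disk size are constructed inputs, and the assumption that Archive retention is at least as long as Analytics retention is mine.

```python
"""Disk budget for Analytics vs Archive using the per-log averages quoted in the
Disk utilization section. Constructed estimate, not FortiAnalyzer code."""

SECONDS_PER_DAY = 86_400
ANALYTIC_BYTES = 600             # average indexed (Analytic) log, page figure
ANALYTIC_BYTES_COMPRESSED = 150  # average Analytic log once compressed, page figure
COMPRESS_AFTER_DAYS = 7          # default age at which Analytic logs are compressed, page figure
ARCHIVE_BYTES = 80               # average compressed Archive log, page figure
GB = 1_000_000_000


def analytics_bytes(logs_per_day: int, analytics_days: int) -> int:
    """Indexed footprint: the newest seven days at 600 B/log, older days at 150 B/log."""
    recent = min(analytics_days, COMPRESS_AFTER_DAYS)
    older = max(analytics_days - COMPRESS_AFTER_DAYS, 0)
    return logs_per_day * (recent * ANALYTIC_BYTES + older * ANALYTIC_BYTES_COMPRESSED)


def archive_bytes(logs_per_day: int, archive_days: int) -> int:
    """Archive footprint: every log stays compressed on disk for the full Archive
    retention, whether or not it is still indexed."""
    return logs_per_day * archive_days * ARCHIVE_BYTES


def plan_storage(logs_per_second: int, analytics_days: int,
                 archive_days: int, disk_gb: int) -> dict:
    """Size both tiers for a steady log rate and report the Analytics share of the
    total, which is the ratio to enter in the disk utilization settings.
    Assumption (mine): Archive retention is at least as long as Analytics retention."""
    if archive_days < analytics_days:
        raise ValueError("Archive retention must cover the Analytics retention")
    logs_per_day = logs_per_second * SECONDS_PER_DAY
    analytics = analytics_bytes(logs_per_day, analytics_days)
    archive = archive_bytes(logs_per_day, archive_days)
    total = analytics + archive
    return {
        "analytics_gb": analytics // GB,
        "archive_gb": archive // GB,
        "analytics_ratio_pct": round(100 * analytics / total),
        # one day's new logs land in both tiers before any compression or purge
        "first_day_ingest_gb": logs_per_day * (ANALYTIC_BYTES + ARCHIVE_BYTES) // GB,
        "fits": total <= disk_gb * GB,
    }


if __name__ == "__main__":
    # Constructed input: 1,000 logs/s, 60 days in Analytics, one year in Archive, 4 TB allotted
    for key, value in plan_storage(1_000, 60, 365, 4_000).items():
        print(f"{key}: {value}")
```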
Dashboard

The Dashboard contains widgets that provide performance and status information and enable you to configure basic system settings. The following widgets are available:

System Information: Displays basic information about the FortiAnalyzer system, such as up time and firmware version. You can also enable or disable Administrative Domains and adjust the operation mode. For more information, see System Information widget on page 41. From this widget you can manually update the FortiAnalyzer firmware to a different release. For more information, see Updating the system firmware on page 43. The widget fields will vary based on how the FortiAnalyzer is configured, for example, if ADOMs are enabled.
System Resources: Displays the real-time and historical usage status of the CPU, memory, and hard disk. For more information, see System Resources widget on page 49.
License Information: Displays whether the unit license is registered to FortiCloud, and if remote access from FortiCloud is enabled. Displays how many devices of the supported maximum are connected to the FortiAnalyzer unit. See License Information widget on page 49. From this widget you can purchase a license, add a license, or manually upload a license for VM systems.
Unit Operation: Displays status and connection information for the ports of the FortiAnalyzer unit. It also enables you to shut down and restart the FortiAnalyzer unit or reformat a hard disk. For more information, see Unit Operation widget on page 55.
Alert Message Console: Displays log-based alert messages for both the FortiAnalyzer unit and connected devices. For more information, see Alert Messages Console widget on page 55.
Log Receive Monitor: Displays a real-time monitor of logs received. You can view data per device or per log type. For more information, see Log Receive Monitor widget on page 56.
Insert Rate vs Receive Rate: Displays the log insert and receive rates. For more information, see Insert Rate vs Receive Rate widget on page 56. The Insert Rate vs Receive Rate widget is hidden when the FortiAnalyzer is operating in Collector mode and the SQL database is disabled.
Log Insert Lag Time: Displays how many seconds the database is behind in processing the logs. For more information, see Log Insert Lag Time widget on page 57. The Log Insert Lag Time widget is hidden when the FortiAnalyzer is operating in Collector mode and the SQL database is disabled.
Receive Rate vs Forwarding Rate: Displays the Receive Rate, which is the rate at which FortiAnalyzer is receiving logs. When log forwarding is configured, the widget also displays the log forwarding rate for each configured server. For more information, see Receive Rate vs Forwarding Rate widget on page 57.
Disk I/O: Displays the disk utilization, transaction rate, or throughput as a percentage over time. For more information, see Disk I/O widget on page 57.
Device widgets: For example, widgets such as Connectivity, Disk Quota Usage, and Last Log Received Within. These widgets display summary information for authorized devices. For more information, see Device widgets on page 58.

Customizing the dashboard

The FortiAnalyzer system dashboard can be customized. You can select which widgets to display, where they are located on the page, and whether they are minimized or maximized. It can also be viewed in full screen by selecting the full screen button on the far right side of the toolbar.

Move a widget: Move the widget by clicking and dragging its title bar, then dropping it in its new location.
Add a widget: Select Toggle Widgets from the toolbar, then select the name of the widget you need to add.
Delete a widget: Click the Close icon in the widget's title bar.
Customize a widget: For widgets with an edit icon, you can customize the widget by clicking the Edit icon and configuring the settings.
Reset the dashboard: Select Toggle Widgets > Reset to Default from the toolbar. The dashboards will be reset to the default view.

System Information widget

The information displayed in the System Information widget is dependent on the FortiAnalyzer model and device settings. The following information is available on this widget:

Host Name: The identifying name assigned to this FortiAnalyzer unit. Click the edit host name button to change the host name. For more information, see Changing the host name on page 42.
Serial Number: The serial number of the FortiAnalyzer unit. The serial number is unique to the FortiAnalyzer unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.
Platform Type: Displays the FortiAnalyzer platform type, for example FAZVM64 (virtual machine).
HA Status: Displays if the FortiAnalyzer unit is in High Availability mode and whether it is the Primary or Secondary unit in the HA cluster.
System Time: The current time on the FortiAnalyzer internal clock. Click the edit system time button to change system time settings. For more information, see Configuring the system time on page 42.
Firmware Version: The version number and build number of the firmware installed on the FortiAnalyzer unit. You can access the latest firmware version available on FortiGuard from FortiAnalyzer. Alternately, you can manually download the latest firmware from the Customer Service & Support website at https://support.fortinet.com. Click the update button, then select the firmware image to load from the local hard disk or network volume. For more information, see Updating the system firmware on page 43.
System Configuration: The date of the last system configuration backup. The following actions are available:
- Click the backup button to back up the system configuration to a file; see Backing up the system on page 46.
- Click the restore button to restore the configuration from a backup file; see Restoring the configuration on page 48.
You can also migrate the configuration to a different FortiAnalyzer model by using the CLI. See Migrating the configuration on page 48.
Current Administrators: The number of administrators currently logged in. Click the current session list button to view the session details for all currently logged in administrators.
Up Time: The duration of time the FortiAnalyzer unit has been running since it was last started or restarted.
Administrative Domain: Displays whether ADOMs are enabled. Toggle the switch to change the Administrative Domain state. See Enabling and disabling the ADOM feature on page 304.
Operation Mode: Displays the current operation mode of the FortiAnalyzer. Click the other mode to change to it. For more information on operation modes, see Operation modes on page 31.

Changing the host name

The host name of the FortiAnalyzer unit is used in several places.
- It appears in the System Information widget on the dashboard.
- It is used in the command prompt of the CLI.
- It is used as the SNMP system name.

The System Information widget and the get system status CLI command will display the full host name. However, if the host name is longer than 16 characters, the CLI and other places display the host name in a truncated form ending with a tilde ( ~ ) to indicate that additional characters exist but are not displayed. For example, if the host name is FortiAnalyzer1234567890, the CLI prompt would be FortiAnalyzer123456~#.

To change the host name:
1. Go to Dashboard.
2. In the System Information widget, click the edit host name button next to the Host Name field.
3. In the Host Name box, type a new host name. The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.
4. Click the checkmark to change the host name.

Configuring the system time

You can either manually set the FortiAnalyzer system time or configure the FortiAnalyzer unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server. For many features to work, including scheduling, logging, and SSL-dependent features, the FortiAnalyzer system time must be accurate.

To configure the date and time:
1. Go to Dashboard.
2. In the System Information widget, click the edit system time button next to the System Time field.
3. Configure the following settings to either manually configure the system time, or to automatically synchronize the FortiAnalyzer unit's clock with an NTP server:
   System Time: The date and time according to the FortiAnalyzer unit's clock at the time that this pane was loaded or when you last clicked the Refresh button.
   Time Zone: Select the time zone in which the FortiAnalyzer unit is located and whether or not the system automatically adjusts for daylight savings time.
   Update Time By: Select Set time to manually set the time, or Synchronize with NTP Server to automatically synchronize the time.
   Set Time: Manually set the date and time.
     Select Date: Set the date from the calendar or by manually entering it in the format YYYY/MM/DD.
     Select Time: Select the time.
   Synchronize with NTP Server: Automatically synchronize the date and time.
     Server: Enter the IP address or domain name of an NTP server. Click the plus icon to add more servers. To find an NTP server that you can use, go to http://www.ntp.org.
     Min: Minimum poll interval in seconds as a power of 2 (e.g. 6 means 64 seconds; default = 6).
     Max: Maximum poll interval in seconds as a power of 2 (e.g. 6 means 64 seconds; default = 10).
4. Click the checkmark to apply your changes.

Updating the system firmware

To take advantage of the latest features and fixes, you can update FortiAnalyzer firmware. From the Dashboard menu in FortiAnalyzer, you can access firmware images on FortiGuard and update FortiAnalyzer. Alternately, you can manually download the firmware image from the Customer Service & Support site, and then upload the image to FortiAnalyzer. For information about upgrading your FortiAnalyzer device, see the FortiAnalyzer Upgrade Guide or contact Fortinet Customer Service & Support.

Back up the configuration and database before changing the firmware of FortiAnalyzer. Changing the firmware to an older or incompatible version may reset the configuration and database to the default values for that firmware version, resulting in data loss. For information on backing up the configuration, see
