Fortinet FortiLog-100 User's Manual
Contents
1. 05 16000 0082 20050115

   get command architecture:

   get  alertemail  configuration <return>
                    setting <return>
        config      <return>
                    <keyword_str> <return>
        console     <return>
        report      resolve
                    alias
        log         client <return>
                    elog <return>
                    logsetting <return>
                    query <return>
                          name <string>
                    querysets
                    devicesets
                    report <return>
                           filters
                           schedules
                           outputs
        raid        <return>
        policy      <return>
                    destination  syslog
                                 local
                                 console <return>
                    event <return>
        system      status <return>
                    serialno <return>
                    performance <return>
                    interface <return>
                    dns <return>
                    route  table <return>
                    time   time <return>
                           ntp <return>
                    session_ttl
                    option <return>
                    mainregpage <return>
                    admin <return>

   Commands and descriptions:
   get alertemail configuration
       Display alert email configuration.
   get alertemail setting
       Display alert email setting status.
   get config
       Display system configuration.
   get console
       Display console information, including page number, mode and baudrate.
   get report resolve
       Display the settings (what is turned on) for resolving host and service names.
   get report aliases
       Display a list of IP aliases and their IP address.
   get log client
       Display the FortiGate units connected to the FortiLog unit.
   get log
2. Commands and descriptions (set system):

   set system admin username <name_str> password <password_str> permission {readonly | readwrite}
       Enter system administrator user name, password and access permission.
       • <name_str> is the administrator user name.
       • <password_str> is the password.
   set system admin username <name_str> trusthost {<trusthost_str> | 0.0.0.0} {<netmask_str> | 0.0.0.0}
       Enter the administrator trusted host IP address and netmask. The trusted host IP address is the location from which the administrator can log into the web-based manager. If the trusted host is 0.0.0.0, the administrator can log in from any IP address. The trusted host netmask is the location from which the administrator can log into the web-based manager. If the netmask is 0.0.0.0, there is no restriction on the netmask.
       • <trusthost_str> is the trusted host IP address.
       • <netmask_str> is the netmask.
   set system admin username status {enable | disable}
   set system dns primary {XXX.XXX.XXX.XXX | none}
       Enter the primary DNS server IP address. Enter none to delete the primary DNS server.
       • <XXX.XXX.XXX.XXX> is the primary DNS server IP address.
   set system dns secondary {XXX.XXX.XXX.XXX | none}
       Enter the secondary DNS server IP address. Enter none to delete the secondary DNS server.
       • <XXX.XXX.XXX.XXX> is the secondary DNS server IP address.
   set system hostname <hostnam
3. 5  For Secure Connection, select Yes. If you select a secure connection between the FortiLog unit and the FortiGate unit, the device name must match the local ID you entered on the FortiGate unit. For information about how to configure the FortiGate unit, see Configuring FortiGate unit running FortiOS 2.8 and Configuring FortiGate devices running FortiOS 2.5 on page 24.
   6  If you select Secure connection, enter the Pre-shared Key. The pre-shared key must be the same as what you entered on the device. You must enter the key in the exact same way, including upper and lower case.
   7  Enter the Allocated Disk Space. Set the disk quota from 0 to 4000 MB. A disk quota of 0 is unlimited.
   8  Enter the size limit for the log files.
   9  For Max Logfile Age, enter the time limit for the FortiLog unit to keep the log files.
   10 Select what the FortiLog unit should do when the allocated disk space for the FortiGate device is used up.
   11 When adding a FortiGate unit, expand the device Interface Specification to set the default port settings for the device. Define the port interface options using the arrow buttons. For details on port interface settings, see Defining device port interfaces on page 27. If you want to add a VLAN or other interface, type the name of the interface and select Add.
   12 Select Apply.

   Defining device port interfaces
   FortiLog Network activity log reports include information on inbound and outbound traffic flow. Traf
4. Alert Email
   Use Alert Email to configure the FortiLog unit to monitor logs for specific alert messages and to send an email to inform an administrator of the problem encountered. You can apply these settings to the local FortiLog unit and selected registered devices. FortiLog also monitors its own log.
   • Server
   • Local
   • Device (Active mode)

   Server
   Set the mail server options so the FortiLog unit can connect to and use the SMTP mail facilities to alert a user of any attack issues. You must configure at least one DNS server. The FortiLog unit uses the SMTP server name to connect to the mail server and must look up this name on your DNS server.
   To set the mail server options, go to System > Alert Email > Server. Set the SMTP mail server connection information for sending alert messages to specified recipients.

   Figure 23: Alert email settings (fields: Authentication / Enable, SMTP Server, SMTP User, Password, Testing E-mail Address)

   Authentication: Enable or disable SMTP authentication for sending alert email.
   SMTP Server: Enter the IP address of the SMTP server for sending alert email.
   SMTP User: Enter the user name for logging on to the SMTP server to send alert mails. You only need to do this if you have enabled SMTP authentication.
   Password: Enter the password for logging on to the SMTP server to send alert email. You only need to do this if you selected SMTP authentication.
5. If you set your console to batch mode, use this command to flush the current configuration from system memory and reload the configuration from a saved configuration file.

   execute restore config <string> <XXX.XXX.XXX.XXX>
       Restore system settings from a TFTP server.
       • <string> is the configuration file name on the TFTP server.
       • <XXX.XXX.XXX.XXX> is the IP address of the TFTP server.
   execute restore image <string> <XXX.XXX.XXX.XXX>
       Restore system images from a TFTP server.
       • <string> is the image file name on the TFTP server.
       • <XXX.XXX.XXX.XXX> is the IP address of the TFTP server.
   execute backup config <name_str> <XXX.XXX.XXX.XXX>
       Back up system settings to a TFTP server.
       • <name_str> is the system configuration file name.
       • <XXX.XXX.XXX.XXX> is the IP address of the TFTP server.
   execute reboot
       Restart the FortiLog system.
   execute factoryreset
       Set the FortiLog system back to factory defaults.
   execute save config
       Save the FortiLog system configuration.
   execute shutdown
       Shut down the FortiLog system.
   execute formatlogdisk
       Format the local log hard disk.

   get branch
   Use get to display settings, logs or system information.
   Table 5: get command architecture
6. Report / Description (antivirus activity):
   Total AV Events By Date And AV Event Type: Antivirus events by antivirus event and number of events for a specified date or range of days.
   Total AV Events By Day Of Week And AV Event Type: Daily antivirus events and number of events for a specified week.
   Total AV Events By Hour Of Day And AV Event Type: Hourly antivirus events by antivirus event and number of antivirus events for a specified period.
   Total AV Events By Device And AV Event Type: Antivirus events by Fortinet device and number of antivirus events.
   Total AV Events By Service And AV Event Type: Antivirus events by Internet service and number of antivirus events.
   AV Events By Top Senders And AV Event Type: Antivirus events by senders and number of antivirus events.
   AV Events By Top Receivers And AV Event Type: Antivirus events by recipients and number of antivirus events.
   AV Events By Top Virus Types: Listing of top viruses by antivirus events.

   Web Filter Activity
   Web filter activity reports record top web filter activities and total web filter activities by a specific time and status.
   Report / Description:
   Web Filter Events By Date And Top Destinations: Web site destinations for a specified day or range of days.
   Web Filter Events By Day Of Week And Top Destinations: Daily web events by top web site destinations for a specified week.
7. Sending device logs to the FortiLog unit
   Figure 8: FortiGate 2.5 log settings (screenshot fields: Log to Remote Host, IP 172.20.140.13, Port 514, Level Information, Config Policy, CSV format, Enable; Log in WebTrends Enhanced Log Format, Level, Config Policy; Log to Local Disk, Free disk space 38092 MB; the log file will rotate when either the file size or log time is reached; Log file size 10 M; Log time 10 day; Level Information; Config Policy; Log options when disk is full: Overwrite, Block traffic, Do not log)

   Select Log to Remote Host to send the logs to a syslog server.
   Enter the IP address of the FortiLog unit.
   Enter the port number of the FortiLog unit.
   Select the severity level for which you want to record log messages. The FortiGate device logs all messages at and above the logging severity you select. For example, if you select Error, the device logs Error, Critical, Alert and Emergency level messages. For a list of severity levels, see Log policy on page 45.
   Select Config Policy to select log types and activities.
   Select Apply.

   Configuring FortiMail devices
   To configure a FortiMail device to send log files to a FortiLog unit:
   On the FortiMail web-based manager, go to Log & Report > Log Setting.
   Select the Log to Remote Host check box.
   Enter the FortiLog IP address.
   Select the severity level for which you want to record log messages. The
8. Set the period the FortiLog unit pulls the data from the logs.
   set log devtype <string> report <report name> period this {year | quarter | month | week}
       Set the period the FortiLog unit pulls the data from the logs.
   set log devtype <string> report <report name> period last {year | quarter | month | week}
       Set the period the FortiLog unit pulls the data from the logs.
   set log devtype <string> report <report name> results {vdom | dev | all}
       Set the devices or virtual domains to include in the report.
       • all: all available devices
       • dev: display results per device
       • vdom: display results per virtual domain
   set log devtype <string> report <report name> top {x | y} <integer>
       Set the top values for specific log reports where the top values are reported. This can be useful when you have many email clients yet you only need to report on the top ten.
   set log devtype <string> report <report name> resolve {ip | port}
       Set the resolving of IP addresses and port numbers to meaningful names. You must first add IP aliases to use this option. For details, see the report alias command on page 92.
   set log devtype <string> report <report name> queryset <string>
       Select a defined query profile to use in the report.
   set log devtype <string> report <report name> deviceset <string>
       Select a defined device profile to use in the repo
9. System Settings / Reports / Status
   • Select to control how often the web-based manager updates the system status display.
   • Select to set the selected automatic refresh interval.
   • Select to manually update the system status display.
   • Provides immediate information on any system alerts from connected devices. Select More, when available, to view the details of the alerts for the FortiLog unit and connected devices. For details on the alert messages, see Alerts on page 54.
   • Select Password to change the password for administrative access. See To change the admin account password on page 49.
   • The time in days, hours and minutes since the FortiLog unit was last started.
   • The current time according to the FortiLog unit internal clock.
   • The current RAID status. Select Intact to set the automatic refresh interval and view the detailed log device configuration and status information. See RAID on page 41.
   • The current host name of the FortiLog unit. See Changing the FortiLog host name on page 31.
   • The current mode for the FortiLog unit. The mode is either Active or Passive. For details on the different modes, see Operational Modes on page 8. To change the operating mode for the FortiLog unit, see To change the operating mode in the CLI on page 31.
   • The current FortiLog firmware version. To upgrade the firmware, see Changing the firmware on page 32.
   • The serial number of the FortiLog unit. The serial number is a uni
10. To install a backup firmware image
    For all three FortiLog models, use terminal emulation software to access the unit's CLI. For the FortiLog-800 unit, you can also access the unit's CLI by connecting the null modem cable provided to the unit's console port.
    Make sure that the TFTP server is running.
    Copy the new firmware image file to the root directory of your TFTP server.
    To confirm that the FortiLog unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
        execute ping 192.168.1.168
    Enter the following command to restart the FortiLog unit:
        execute reboot
    As the FortiLog unit starts, a series of system startup messages are displayed. When the following message appears:
        Press any key to enter configuration menu
    Immediately press any key to interrupt the system startup.
    Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiLog unit reboots and you must log in and repeat the execute reboot command.
    If you successfully interrupt the startup process, the following message appears:
        [G]: Get firmware image from TFTP server.
        [F]: Format boot device.
        [B]: Boot with backup firmware and set as default.
        [Q]: Quit menu and continue to boot with default firmware.
        [H]: Display this list of options.
        Enter G, F, B, Q, or H:
    Type G to get the new firmware
11. Copy the new firmware image file to the root directory of the TFTP server.
    Log into the CLI as the admin administrative user.
    Make sure the FortiLog unit can connect to the TFTP server. Use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
        execute ping 192.168.1.168
    Enter the following command to copy the firmware image from the TFTP server to the FortiLog unit:
        execute restore image <name_str> <tftp_ip>
    Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FortiLog-400-v120.out and the IP address of the TFTP server is 192.168.1.168, enter:
        execute restore image FortiLog-400-v120.out 192.168.1.168
    • If you upgrade the firmware, the FortiLog unit uploads the firmware image file, upgrades to the new firmware version, resets the configuration, restarts, and displays the FortiLog login. This process takes a few minutes.
    • If you revert to a previous firmware version, the FortiLog unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiLog unit login. This process takes a few minutes.
    Reconnect to the CLI.
    To confirm that the new firmware image is successfully installed, enter:
        get system status
    Restore your previous configur
12. Select the severity for which you want to record log messages locally. The FortiLog unit logs all levels of severity down to, but not lower than, the level you select. For example, if you want to record emergency, critical and error messages, select Error. Log policy on page 45 lists the log message levels.
    Select Config policy for which activities you want the FortiLog unit to record log messages.
    Select Log to Host to configure the FortiLog unit to send log messages to a remote syslog server.
    • The IP address of the remote syslog server.
    • The port that the remote syslog server uses to receive log messages. The default port is 514.
    • Level
    • Config Policy
    • CSV format

    Log policy
    Levels:
    0 Emergency
    1 Alert
    2 Critical
    3 Error
    4 Warning
    5 Notice
    6 Information

    Config: Select the severity level for which you want to record log messages to a remote syslog server. The FortiLog unit logs all levels of severity down to, but not lower than, the level you select. For example, if you want to record emergency, alert, critical and error messages, select Error. Log policy on page 45 lists the log message levels.
    Select Config policy for which activities you want the FortiLog unit to record log messages.
    Enable CSV format to record log messages in comma-separated value (CSV) formatted files. Log message
13. set nas user <username> name <display name> password <password>
        Set up a user to have access to file sharing by setting their user name, display name and password.
    set nas group <group name> gid <gid> members <members>
        Set up a user group to have access to file sharing by setting the group name, group ID number and including members.
    set nas group <group name> members <members>
        Set up a user group to have access to file sharing by setting the group name and adding members.
    set nas share <share name> path <local path>
        Set a Windows share name and path to the shared directory.
    set nas share <share name> path <local path> ro <ro list> rw <rw list>
        Set user permissions, either read only or read and write, for a specified Windows share name and path.
    set nas share <share name> path <local path> rw <rw list>
        Set user read & write permissions for a specified Windows share name and path.
    set nas nfs path <local path>
        Set a directory path for the network file system directory.
    set nas nfs path <local path> ro <ro list> rw <rw list>
        Set the users and their permissions, either read only or read and write, for a specified network file share path.
    set nas nfs path <local path> rw <rw list>
        Set the user read & write permissions for a specified networ
14. By selecting the History link under System Resources, you can also view the statistics for the previous minute.
    If CPU and memory use is low, the FortiLog unit is able to process much more traffic than is currently running. If CPU and memory use is high, the FortiLog unit is performing near its full capacity. Putting additional demands on the system might cause log message processing delays.

    Changing the firmware
    Use the following procedure to upgrade the FortiLog unit to a newer firmware version or revert to a previous firmware version. If you are reverting to a previous firmware version, the procedure reverts the FortiLog unit to its factory default configuration and deletes all configuration on the unit. When you upgrade the firmware, the FortiLog unit maintains the configurations you define.
    Back up the FortiLog unit configuration before beginning this procedure. For information, see Backing up system settings on page 39.
    Note: If you revert to a previous firmware version, because the configuration is reset, you will need to reconfigure the IP address from the front panel of the FortiLog-100 and FortiLog-400, and from the console for the FortiLog-800.

    To change the firmware using the web-based manager
    Copy the firmware image file to your management computer.
    Log on to the web-based manager as the administrative user.
    Go to System > Status > Status.
    Select Update.
    Type the path and filename of the firmware image file, or select Browse an
15. Config > Network
    You can configure the FortiLog unit IP address, netmask, DNS server and default gateway.
    Figure 13: Network settings (screenshot values: IP Address 172.20.120.138, Netmask 255.255.255.0, Primary DNS Server 207.194.200.1, Second DNS Server 207.194.200.129, Default Gateway, Apply)

    IP Address: Enter the static IP address required by the FortiLog unit to be able to connect to your network.
    Netmask: Enter the netmask required by the FortiLog unit to connect to your network.
    Primary DNS Server: Enter the primary DNS server IP address. Several FortiLog functions use DNS. Add the IP address of the DNS servers that your FortiLog unit can connect to.
    Second DNS Server: Enter the secondary DNS server IP address.
    Default Gateway: Enter the IP address of the default gateway for the network that your FortiLog is connected to.

    RAID
    To configure the FortiLog RAID level and check the RAID disk space, go to System > Config > RAID.
    Figure 14: RAID settings (screenshot values: RAID Level: Linear, 0, 1, 5; Free Disk Space 114304 MB; Total Disk Space 114467 MB)
    Note: RAID functionality is only available on the FortiLog-400 and 800. These units have four hard disks and support RAID level 0, 1 and 5.
    RAID Level: Select the RAID level. Th
16. Display system route table information, including table number, destination, gateway and interface.
    get system time time
        Display current system time.
    get system time ntp
        Display NTP server name and information.
    get system session_ttl
        Display the idle time length for a session.
    get system option
        Display system options, including system idle timeout, authentication timeout and language for the web-based manager.
    get system mainregpage
        Display main registration message.
    get system admin
        Display admin user information.

    set branch
    Use set to configure settings, logs or system information.

    set alertemail
    Use set alertemail to configure alert mails.
    Table 6: set alertemail command architecture

    set  alertemail  configuration  auth {enable | disable} <return>
                                    mailto <string> <string> <string> <return>
                                           none <return>
                                    passwd <string> <return>
                                    server <server_address> <return>
                                    user <name_str> <return>
                     setting        option  critical <return>
                                            diskfull <return>
                                            none <return>
                                    local   alert {enable | disable} <return>
                                            localmailaddr <string> <return>
                                            level {emergency | alert | critical | error | warning | notification | i
17. Of Day: Hourly attempts to access blocked web sites for a specified period.
    Top Web Sites Connections: Most visited web sites by volume of web events.
    Top Web Sites Traffic: Most popular web sites by traffic in kilobytes.
    Top Pages: Most visited web pages by volume of web events.
    Top Pages By Top Sources: Most visited web pages by source IP and web events.
    Top Sources By Top Pages: Web activity by source IP and most visited web pages by web events.
    Top Web Clients Connections: Source IP connections by web events.
    Top Web Clients Traffic: Web client source IP by total traffic volume in megabytes.
    Top Clients By Top Web Sites Connections: Web client source IP connections and destination web site IP by web events.
    Top Clients By Top Web Sites Traffic: Web client source IP traffic by destination in kilobytes.
    Top Blocked Web Sites: Most commonly blocked web sites.
    Top Client Attempts To Blocked Web Sites: Most commonly blocked web sites by source IP.

    FTP Activity
    FTP reports record total FTP access activities, including traffic direction, sites and connections.
    Report / Description:
    FTP traffic by date: FTP traffic in kilobytes for a specified day or range of dates.
    FTP traffic by day of week: Records total FTP access activities, including traffic direction, sites and connections.
    FTP traffic by hour of day: Daily FTP tr
18. Start a terminal emulation program, such as HyperTerminal, on the management computer. Use these settings:
    • Baud Rate (bps): 9600
    • Data bits: 8
    • Parity: None
    • Stop bits: 1
    • Flow Control: None
    At the login prompt, type admin and press Enter twice. The login prompt is preceded by the server IP address.
    After connecting to the CLI, you can configure the FortiLog-800 unit IP address, DNS server IP address and default gateway to connect the FortiLog-800 unit to the network.

    To configure the FortiLog unit using the CLI
    1 Set the IP address and netmask of the LAN interface:
        set system interface port1 mode static ip <IP_address> <netmask>
    2 Confirm that the address is correct:
        get system interface
    3 Set the primary DNS server IP address:
        set system dns primary <IP_address>
    4 Optionally, set the secondary DNS server IP address:
        set system dns secondary <IP_address>
    5 Set the default gateway:
        set system route number <route_no> dst 0.0.0.0 0.0.0.0 gw1 <gw_ip>

    Using the front panel buttons and LCD
    You can use the front panel buttons to set up the FortiLog unit's IP address, netmask and default gateway.
19. (Filter form fields: Not Service(s); Not URL(s); Not Day of Week: sun, mon, tue, wed, thu, fri, sat; Apply)

    To set the filtering on a log report
    Go to Reports > Config.
    Select a report from the list.
    Select Filter.
    Select the type of matching for the filter criteria:
    • Select Any to find any matches for the criteria specified.
    • Select All to find all criteria. All criteria must match to display in the results.
    Select whether to have log messages less than and equal, equal, or greater than and equal to the level you selected. For a list of log policies, levels and how they relate to each other, see Log policy on page 42.
    Select the filtering criteria for the remaining fields. The number of fields and the information you can filter on depends on the type of log you are filtering.
    Select the Not option when you want to exclude specific information. For example, for the Source IP field, do not include any information from a specific source IP address in the log report.

    Creating a filter profile
    You can save the filter options as a filter profile. After creating a filter profile, you can select the profile for use in other reports.
    To create a report filter profile
    Select New, or start with an existing profile by selecting the profile and selecting Clone.
    Enter a name for the profile and select OK.
    Select the filter options for the repor
20. depending on the output configuration. For details on setting output options, see Choosing the report destination and format on page 63.
    There are two ways of viewing reports from the web-based manager: a roll-up of all reports selected, or individual reports. Reports are categorized by the date and time the FortiLog unit generated the reports. The report appears in the reports list with the report name, date and time the report was generated. For example, a report name of Report_1-2004-12-15-2112 is a report called Report 1 generated on December 15, 2004 at 9:12 pm.

    To view a generated report
    1 Go to File Browse > Reports.
    Figure 34: Viewing reports (screenshot listing: Sample Reports; columns Report Files, Action, Started, Size (bytes), Other Formats)
        Mr Big's VPN report: started Wed Dec 8 10:43:50 2004
        Report_1-2004-12-01-1138: started Wed Dec 1 14:38:53 2004
        categories:
            MailFilter_Activity.html  3,350  MS Word, PDF, Text
            VPN_Activity.html         4,786  MS Word, PDF, Text
            Content_Activity.html     8,445  MS Word, PDF, Text
            AntiVirus_Activity.html   2,666  MS Word, PDF, Text
            Network_Activity.html     3,393  MS Word, PDF, Text
            FTP_Activity.html         2,782  MS Word, PDF, Text
            Web_Activity.html         4,832  MS Word, PDF, Text
            Terminal_Activity.html    3,964  MS Word, PDF, Text
            (name illegible)          2,741  MS Word, PDF, Text
        sub-categories:
            WebFilter_Activity.html   4,166  MS Word, PDF, Text
            Intrusion_Activity.html   2,353  MS Word, PDF, Text
        Report_1-2
21.                                  http <return>
                                     telnet <return>
    Table 11: set system command architecture

    set  system  interface  <intf_str>  denyaccess     ping <return>
                                                       https <return>
                                                       ssh <return>
                                                       snmp <return>
                                                       http <return>
                                                       telnet <return>
                                        WINS <XXX.XXX.XXX.XXX> <return>
                                        macaddr  XXX.XXX.XXX.XXX
                                                 factorydefault <return>
                                        log {enable | disable} <return>
                                        mtu <mtu_integer> <return>
                                        speed <speed_str> <return>
                                        status {down | up} <return>
                                        config  interface  SECIP <XXX.XXX.XXX.XXX> <XXX.XXX.XXX.XXX> <intf_str> <return>
                                                           (secondary interface ip, netmask of secondary ip)
                                        secallowaccess  ping <return>
                                                        https <return>
                                                        ssh <return>
                                                        snmp <return>
                                                        http <return>
                                                        telnet <return>
                                        secdenyaccess   ping <return>
                                                        https <return>
                                                        ssh <return>
                                                        snmp <return>
                                                        http <return>
                                                        telnet <return>
                                        stp passthrough {enable | disable}
                                        mode static <XXX.XXX.XXX.XXX> <XXX.XXX.XXX.XXX> <return>
                                                    (interface ip, ip netmask)
                 session_ttl  port <port_num> timeout <timeout_int> <return>
                 mainregpage  default <default_val>
22. port <port_integer> loglevel <severity_level> csv
        Enable or disable CSV format to record log messages to the remote syslog server in comma-separated value (CSV) formatted files. Log message fields are separated by commas.
    set log policy destination {syslog | local | console}
        Set the destination where log policy information will reside.
    set log policy destination {syslog | local | console} event status {enable | disable}
        Enable or disable the event log recording of management and activity events. Management events include changes to the FortiLog and administrator login/logout. System activities include activities such as IPSec negotiation.
    set log policy destination {syslog | local | console} event {configuration | ipsec | login | ipmac | system | routegateway | none} {enable | disable}
        Set the management events and system activities to log.
    set log devtype <string> report name <report name>
        Define the report name for a device.
        • devtype <string> is one of FortiGate, FortiMail, FortiManager and Syslog.
        • <report name>: define a name for the report.
    set log devtype <string> report <report name> period from <YY MM DD HH> to <YY MM DD HH>
        Set the start and ending period the FortiLog unit pulls the data from the logs.
    set log devtype <string> report <report name> period {today | yesterday}
23. Connecting to the CLI
    The FortiLog-800 model has a serial port, and you can use the null modem cable to connect it to your management computer. The FortiLog-100 and 400 models do not support serial cable connections. You can use terminal emulation software, such as HyperTerminal for Windows, to access the CLI.
    • Connecting to the FortiLog-800 console
    • Setting administrative access for SSH or Telnet
    • Connecting to the FortiLog CLI using SSH
    • Connecting to the FortiLog CLI using Telnet

    Connecting to the FortiLog-800 console
    You require:
    • A computer with an available communications port
    • A null modem cable to connect the FortiLog console port and a communications port on your computer
    • Terminal emulation software, such as HyperTerminal for Windows
    Note: The following procedure describes how to connect to the FortiLog CLI using Windows HyperTerminal software. You can use any terminal emulation program.

    To connect to the FortiLog-800 console
    1 Connect the FortiLog console port to the available communications port on your computer.
    Make sure the FortiLog unit is powered on.
    Start HyperTerminal, enter a name for the connection, and select OK.
    Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the FortiLog console port. Select OK.
    Select the following port settings and select O
24. 188
    Type the address of the LAN port and press Enter.
    Note: The local IP address is used only to download the firmware image. After the firmware is installed, the address of this interface is changed back to the default IP address for this interface.
    The following message appears:
        Enter File Name [image.out]:
    Enter the firmware image file name and press Enter.
    The TFTP server uploads the firmware image file to the FortiLog unit and a message similar to the following appears:
        Save as Default firmware/Run image without saving: [D/R]
    Type R.
    The FortiLog unit image is installed to system memory and the FortiLog unit starts running the new firmware image, but with its current configuration.
    You can log into the CLI or the web-based manager using any administrative account.
    To confirm that the new firmware image has been loaded, from the CLI enter:
        get system status
    You can test the new firmware image as required.

    Installing a backup firmware image
    If the FortiLog unit is running BIOS version v3.x, you can install a backup firmware image. Once the backup firmware image is installed, you can switch to this backup image when required.
    To run this procedure, you need to install a TFTP server that you can connect to from the FortiLog unit LAN port. The TFTP server should be on the same subnet as the LAN port.
25. (Figure 43, continued: log entries 10 to 15, all dated 2004-11-22 between 12:56:33 and 12:56:39, level "information", message "Client requests IP address configuration parameters".)

To view the device log files
1. Go to File Browse > Logs.
2. Select a device tab.
3. Expand the group name and device name to see the list of available logs.
4. In the Action column, select Display for the desired log file.
5. Do one of the following to change the views of the log information:
Page: Select Page forward or Page back to move through the log entries. Enter the page number to jump to a specific page.
Raw: Select to view the log information as it appears in the log. Select Formatted to return to the column view.
Column: Select the column header to change the sort order between ascending and descending order.
For information about log messages, see the FortiGate Log Message Reference Guide.

Finding log information
You can filter the contents of the log file to find specific information within a lar
26. Command: Restart or shut down the FortiLog unit.

Changing the FortiLog host name
The FortiLog host name appears on the Status page and in the FortiLog CLI prompt.
To change the FortiLog unit host name
1. Go to System > Status > Status.
2. Select Change.
3. Enter a new host name.
4. Select OK.

Changing operating modes
The FortiLog unit can operate in two modes: Active mode and Passive mode. The default is Active mode. For details, see "Operational Modes" on page 8.
To change the operating mode in the web-based manager
1. Go to System > Status > Status.
2. Select Change.
3. Select the desired mode.
4. Select OK.
To change the operating mode in the CLI
1. For all three FortiLog models, use terminal emulation software to access the unit's CLI. For the FortiLog 800 unit, you can also access the unit's CLI by connecting the null modem cable provided to the unit's console port.
2. Enter the following command:
set system opmode {active | passive}
where active or passive is the mode you want to use. The FortiLog unit informs you that log collection and reporting will not be available in Passive mode.
3. Enter y to change the mode, or n to leave the FortiLog unit in its current mode.

Viewing system resources information
On the Status page you can view the CPU, memory, and hard disk usage information and the session information.
27. Copy the new firmware image file to the root directory of the TFTP server.
Make sure that the LAN port is connected to the same network as the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168, execute:
ping 192.168.1.168
Enter the following command to restart the FortiLog unit:
execute reboot
As the FortiLog unit reboots, press any key to interrupt the system startup. As the FortiLog unit starts, a series of system startup messages are displayed. When the following message appears:
Press any key to enter configuration menu
immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiLog unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following message appears:
G: Get firmware image from TFTP server
F: Format boot device
Q: Quit menu and continue to boot with default firmware
H: Display this list of options
Enter G, F, Q, or H:
Type G to get the new firmware image from the TFTP server.
Type the address of the TFTP server and press Enter. The following message appears:
Enter Local Address [192.168.1
28. Queries
Creating and generating a report (Reports)
Select the plus sign next to a category to expand and view the sub-categories.
Select the content from the sub-categories to include in the reports.
Select Apply.

Creating a query profile
You can save the selections as a query profile. After creating a query profile, you can select the profile for use in other reports.
To create a query profile
1. Select New, or start with an existing profile by selecting the profile and selecting Clone.
2. Enter a name for the profile and select OK.
3. Select the log information to include in the query profile.
4. Select Apply.

Selecting the devices for the report
Specify the devices to include in the report. If you have many devices sending log files to the FortiLog unit, you can run reports for specific devices or groups of devices. The default is to run a report for all devices. You can save the device selections to use in other reports.
Figure 30: Selecting devices (Report > Queries > Devices tab of a weekly report; "Select devices: All" with New, Clone, Rename, Edit buttons and a tree of device groups such as Docs, Finance, MIS, CLI and No Group with check boxes)
To select the devices
1. Go to Reports > Config.
2. Select a report from the list S
29. (Hardware diagram: rack mount brackets; hard disk LED indicators; LCD; setting switches; power, error and network panel LEDs; disk access LEDs A and B. Back panel: power switch, ATX redundant power supplies, RS-232 serial connector, SCSI connector for tape drive, LAN1 network connection, connection for future use.)

Hardware specifications
Dimensions
- FortiLog 100: 38 x 17 x 31 cm
- FortiLog 400: 54 x 33 x 44 cm
- FortiLog 800: 78 x 65 x 25 cm
Weight
- FortiLog 100: 2.5 kg
- FortiLog 400: 11 kg
- FortiLog 800: 14 kg
Accessories for each model
- Ethernet cables: orange (crossover) and grey (straight-through)
- Null modem cable (RS-232) for FortiLog 800
- AC adapter for FortiLog 100
- Power cable
- Documentation

Setting up the FortiLog unit
Planning the installation
Power requirements
FortiLog 100
- AC input voltage: 100 to 240 VAC
- AC input current: 1.0 A
- Frequency: 47 to 63 Hz
FortiLog 400 and 800
- AC input voltage: 115 to 230 VAC
- AC input current: 4 to 2 A
- Frequency: 47 to 63 Hz
Environmental specifications
- Operating temperature: 41 to 95 F (5 to 35 C)
If you install the FortiLog unit in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient temperature. Therefore, make sure to install the equipmen
30. Set the system time by hour, minute, and second.
CLI commands (FortiLog CLI reference)
set system time manual zone <No>: Set the system time zone by number.
set system time manual dst {enable | disable}: Enable or disable daylight saving time.
set system time ntp ntpsync {enable | disable}: Enable or disable FortiLog unit synchronization with the NTP server.
set system time ntp ntpserver {XXX.XXX.XXX.XXX | hostname}: Enter the NTP server IP address or hostname. <XXX.XXX.XXX.XXX> is the NTP server IP address.
set system time ntp syncinterval <sync_interval>: Set the system synchronization time interval, from 1 to 1440 minutes. <sync_interval> is the system synchronization time interval.
set system time ntp zone <No>: Set the NTP server time zone by number.
set system time ntp dst {enable | disable}: Enable or disable daylight saving time.

unset branch
Table 12: unset command architecture
Use unset to remove configuration of alert email, log, and system.
unset
  system admin username <name_str> <return>
  system route number <xxx> <return>
  system hostname <return>
  system session_ttl <number>
  log client <string> <return>
  alertemail configuration <return>
  nas nfs / protocol / share / user <user name> / group <group name> / sha
31. To enable user access to the FortiLog hard disk to store and access files, you need to add user and group accounts to the FortiLog unit. Along with user and group accounts, you define the write or read/write access to files and folders.

Selecting a file sharing protocol
Enable sharing protocols before providing user and group access to the FortiLog hard disk folders and files.
To set the file sharing for the FortiLog unit
1. Go to Network Sharing > Protocols.
2. Select Enable for a file sharing protocol:
Windows: A means of file sharing native to Microsoft Windows Networking. Workgroup: enter a workgroup name that the users can identify on the Windows network.
NFS: A means of file sharing native to Unix and Linux.
3. Select Apply.

Adding and modifying user accounts
When you add user accounts, you add the user name and set a password. You can then add the user to a group or set specific access rights to folders on the FortiLog hard disk. The users you add will not have administrative access to the FortiLog hard disk or FortiLog unit. To add administrative users, see "Configure Administrator access" on page 47.
To add a user account
1. Go to Network Sharing > Users.
2. Select Create New.
3. Enter the following information for the user account:
User name: Enter a user name, for example, twhite. The name cannot include spaces.
UID: Enter a user ID. Use this field only if you are using the NFS protocol. The NFS protocol uses the UID
32. Warning: The log levels will be up to, but not higher than, the value you set.
get system alert_table alert_period <period_integer>: Set the length of time to keep unacknowledged alerts, in number of days between 1 and 7.
set system route <number> dst <ipaddress_str> <ipaddressmask_str>: Set the FortiLog system route destination IP address and IP address mask. <ipaddress_str> is the destination IP address; <ipaddressmask_str> is the IP address mask.
set system route <number> gw1 <XXX.XXX.XXX.XXX>: Set the FortiLog system route primary gateway IP address. <XXX.XXX.XXX.XXX> is the primary gateway IP address.
set system route <number> dev1 <intf_name>: Set the FortiLog system route primary device (FortiGate unit interface name). <intf_name> is the primary device interface name.
set system route <number> gw2 <XXX.XXX.XXX.XXX>: Set the FortiLog system route secondary gateway IP address. <XXX.XXX.XXX.XXX> is the secondary gateway IP address.
set system route <number> dev2 <intf_name>: Set the FortiLog system route secondary device (FortiGate unit interface name). <intf_name> is the secondary device interface name.
set system time manual date <mm/dd/yyyy>: Set the system time by month, day, and year.
set system time manual clock <hh:mm:ss>
FortiLog Administration Guide
33. disk.
Select Download to save the log file to your local hard disk.
Select Display to view the contents of the log file. For details on viewing the log file, see "Viewing logs" on page 74.
Select Watch to view the log file updates in real time. For details on watching log files, see "Log watch (Active mode)" on page 78.
Provides quick access to a specific device's logs. The log viewer interface provides a display of log data that you can organize and format.

Viewing logs (Using Logs)
Figure 43: Viewing a device log (Device Name: FGT-60M; Log File: elog.log; page 1 of 13; rows from Nov 12 2004 13:02 to Dec 08 2004 13:53; columns Row, LogTime, Level, User Interface, Action, Message). The first visible row reads:
2  2004-11-12 13:03:25  information  GUI(172.20.120.81)  login  User admin login successfully from GUI(172.20.120.81)
Rows 3 to 9 (2004-11-12 through 2004-11-19, level "information") all carry the message "Client requests IP address configuration parameters".
34. elog: Display event logs.
get log logsetting: Display log settings.
get log query: Display log queries.
get log report: Display a matrix of all set reports.
get log report name <string>: Display information on a specific report name.
get log report querysets: Display information on the queries set for each report.
get log report devicesets: Display information on the device sets for each report.
get log report filters: Display the information on the filtering options for the reports.
get log report schedules: Display the scheduling information for the reports.
get log report outputs: Display the output options for the reports.
get log raid: Display RAID levels.
get log policy destination {syslog | local | console}: Display log policies of the remote syslog server, the FortiLog hard disk, or the console.
get log policy destination event: Display the log policy event setting of the selected destination.
get system status: Display system status.
get system serialno: Display the FortiLog unit serial number.
get system performance: Display the FortiLog unit system performance, including CPU, memory, and whether the system is up.
get system interface: Display port1 interface information.
get system dns: Display domain name server configuration.
get system brctl: Display system interface information and MAC address.
get system route table
35. fields are separated by commas.
Log level table (Description | Generated by):
The system has become unstable | Emergency messages not available
Immediate action is required | NIDS attack log messages
Functionality is affected | DHCP
An error condition exists and functionality could be affected | Error messages not available
Functionality could be affected | Antivirus, Web filter, email filter, and system event log messages
Information about normal events | Antivirus, Web filter, and email filter log messages
General information about system operations | Antivirus, Web filter, email filter log messages, and other event log messages

Select Config > Policy to configure the FortiLog unit to send event log messages to a local or remote syslog server. Enable Event Log to record management and activity events. Management events include changes to the FortiLog unit configuration as well as administrator and user logins and logouts. Activity events include system activities such as IPSec negotiation events.
Figure 16: Config log policy (Event Log; Remote Log; Filter check boxes: When configuration has changed, IPSec negotiation event, admin login/logout event, IP/MAC binding event, system activity event; OK, Cancel)

Time (Config; Managing the FortiLog unit)
To change the FortiLog unit time, go to System > Config > Time. For effective scheduling and logging, the F
36. hide <return>
show <return>
CLI commands
Table 11: set system command architecture (FortiLog CLI reference)
set system
  denyaccess {ping | https | ssh | snmp | http | telnet} <return>
  WINS <XXX.XXX.XXX.XXX> <return>
  config interface
    macaddr {XXX XXX XXX XXX | factorydefault} <return>
    log {enable | disable} <return>
    mtu <mtu_integer> <return>
    speed <speed_str> <return>
    status {down | up} <return>
    SECIP <XXX.XXX.XXX.XXX> <XXX.XXX.XXX.XXX> <intf_str> (secondary interface IP, netmask of secondary IP) <return>
    secallowaccess {ping | https | ssh | snmp | http | telnet} <return>
    secdenyaccess {ping | https | ssh | snmp | http | telnet} <return>
    stp passthrough {enable | disable}
    mode static ip <XXX.XXX.XXX.XXX> <XXX.XXX.XXX.XXX> (interface IP, IP netmask) <return>
  port timeout <timeout_int>
  session ttl <port_num> <return>
  mainregpage {default <default_val> | hide | show} <return>
37. log file.
(Import log file screen: File Browse > Logs > Import, with Browse and Import buttons; device tree listing groups such as Docs, FortiGate WiFi, FortiGate 300, Finance and FGT-60M, with Log Files, Last Access Time, Size (bytes), and Action columns.)
To import a log file
1. Go to File Browse > Logs.
2. Enter the path and file name of the log file, or select Browse.
3. Select the device name from the list above the Action column.
4. Select Import.

Log Search (Using Logs)
Use the Log Search to perform a simple search of all log files on the FortiLog unit. The FortiLog unit maintains a search history for future use. If you need to clean out a long search history, select Clear History.
To search the log files for specific information
1. Go to File Browse > Log Search.
2. Enter the keywords for the search and select Search.
The search results appear below the search fields.

Log watch (Active mode)
Log watch enables you to monitor a device log as it is updated to the FortiLog unit. The FortiLog unit refreshes the view of the device log for the selected interval.
Note: The feature is only available for active log files, that is, log files that are continually updated from a registered device.
To set log watching
1. Go to File Browse > Logs.
2. Select the device you wish to monitor from the device list.
3. Select Watch in the Action column.
Figure 47: Log watch settings (Refresh interval selector, Refresh button, Raw, De
38. number of virus events that occur before the FortiLog unit sends an alert message. Use this setting in conjunction with the setting below.
set alertmail device enable add virustime {0.5 | 1.0 | 3.0 | 6.0 | 12.0 | 24.0 | 72.0 | 168.0}: Set the wait time for the number of virus events to occur within before sending an alert email for the specified level log messages. Use this setting in conjunction with the setting above.
set alertmail device enable add virusdevice {all | per}: Set the level setting to monitor each device separately or as a group.
set alertmail device enable add virussingle {y | n}: Set the FortiLog unit to send an alert email only when the defined virus settings originate from a single source IP.
set alertmail device enable add devicemailaddr <string>: Set the email addresses of the recipients to receive the alert warning messages.
Fortinet Inc. / FortiLog CLI reference

set console
Use set console to set console configuration.
Table 7: set console command architecture (CLI commands)
set console
  baudrate {9600 | 19200 | 38400 | 57600 | 115200} <return>
  mode {batch <return> | line <return> | page <integer 0> <return>}
Commands / Description
set console baudrate {9600 | 19200 | 38400 | 57600 | 115200}: Set the console baudrate to one of the five values.
set console mode batc
39. satisfied. For example, if you set the alert to three events in one hour, after three events within that time the FortiLog unit sends an alert email.
Attack Type: Set the type of attack that the FortiLog device should look for. Select any attack or specific attack identifiers.
Attack Type Entry and listing: When you select "Just these" for the attack type, enter the names of the virus and select Insert.
Level of wait interval: Set the number of attacks and the time frame. The FortiLog unit will not send an alert email until the conditions are met.
Single Source Only: Set to have the FortiLog unit send an alert email only when the defined attack settings originate from a single source IP rather than many different sources. A single source attack can indicate a targeted attack on the network.
Virus Type: Set the type of virus that the FortiLog device should look for. Select any virus or specific virus identifiers.
Virus Type Entry and listing: When you select "Just these" for the virus type, enter the names of the virus and select Insert.
Level of wait interval: Set the number of virus attacks and the time frame. The FortiLog unit will send an alert email when the conditions are met.
Single Source Only: Set to have the FortiLog unit send an alert email only when the defined viru
Email Address(es):
40. the FortiLog unit. The FortiLog unit monitors all log messages, and when a device log contains specific alert messages, the FortiLog unit sends an email to the specified recipients.

Creating a new device alert
When you add a new device alert, you can set the following options.
Figure 25: Device alert settings (New/Edit Device Alert: Alert Name; Devices to Monitor, with groups such as Docs, Finance, MIS, CLI and No_Group; Level, "when N or more events occur in N hour(s)", Per Device / All; Attack Type Any / Just These, "when N or more attacks occur in N hour(s)", Per Device / All, Single source only; Virus Type Any / Just These, "when N or more viruses occur in N hour(s)", Per Device / All, Single source only; E-mail address(es); OK, Cancel)
Alert Name: Enter a name to identify the alert settings.
Devices to Monitor: Select the device logs the FortiLog unit monitors. Expand the device groups to select individual devices.
Level: Set the level of message that the FortiLog unit monitors for. The FortiLog unit sends alert email for all messages at and above the logging severity level you select.
Level wait interval: Set the number of events and the time frame. The FortiLog unit will send an alert email when the conditions are
41. with this firmware image is restored.
To switch to the backup firmware image
1. For all three FortiLog models, use terminal emulation software to access the unit's CLI. For the FortiLog 800 unit, you can also access the unit's CLI by connecting the null modem cable provided to the unit's console port.
2. Enter the following command to restart the FortiLog unit:
execute reboot
3. As the FortiLog unit starts, a series of system startup messages are displayed. When the following message appears:
Press any key to enter configuration menu
immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiLog unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following message appears:
G: Get firmware image from TFTP server
F: Format boot device
B: Boot with backup firmware and set as default
Q: Quit menu and continue to boot with default firmware
H: Display this list of options
Enter G, F, B, Q, or H:
4. Type B to load the backup firmware image.
The FortiLog unit loads the backup firmware image and restarts. When the FortiLog unit restarts, it is running the backup firmware version and the configuration is set to factory default.

Switching to the default firmware image
Use this procedure to switch the FortiLog unit to operating with the bac
42. 00 | 1000}
(Continued from the previous page.) Set the attack types the FortiLog should monitor for in the device logs. Use in conjunction with the command above.
Set the number of attack events that occur before the FortiLog unit sends an alert message. Use this setting in conjunction with the setting below.
set alertmail device enable add attacktime {0.5 | 1.0 | 3.0 | 6.0 | 12.0 | 24.0 | 72.0 | 168.0}: Set the wait time for the number of attack events to occur within before sending an alert email for the specified level log messages. Use this setting in conjunction with the setting above.
set alertmail device enable add attackdevice {all | per}: Set the level setting to monitor each device separately or as a group.
set alertmail device enable add attacksingle {y | n}: Set the FortiLog unit to send an alert email only when the defined attack settings originate from a single source IP.
set alertmail device enable add virusalert {enable | disable}: Enable or disable the monitoring of specific virus types.
set alertmail device enable add virusany {any | some}: Set the FortiLog to monitor for any virus types or specific attacks. Use in conjunction with the next command.
set alertmail device enable add viruskeywords <keyword1 keyword2 ...>: Set the virus types the FortiLog should monitor for in the device logs. Use in conjunction with the command above.
set alertmail device enable add virusnum {1 | 5 | 10 | 20 | 50 | 100 | 500 | 1000}: Set the
43. Connecting to the CLI (FortiLog CLI reference)
To confirm that you have configured SSH or Telnet access correctly, enter the following command to view the access settings for the interface:
get system interface
The CLI displays the settings, including the management access settings, for the port interface.

Connecting to the FortiLog CLI using SSH
Secure Shell (SSH) provides strong secure authentication and secure communications to the FortiLog CLI from your internal network or the Internet. Once the FortiLog unit is configured to accept SSH connections, you can run an SSH client on your management computer and use this client to connect to the FortiLog CLI.
Note: The FortiLog unit supports the following encryption algorithms for SSH access: 3DES and Blowfish.
To connect to the CLI using SSH
1. Install and start an SSH client.
2. Connect to the FortiLog port1 interface that is configured for SSH connections.
3. Type a valid administrator name and press Enter.
4. Type the password for this administrator and press Enter.
The FortiLog model name followed by a # is displayed. You have connected to the FortiLog CLI and you can enter CLI commands.

Connecting to the FortiLog CLI using Telnet
You can use Telnet to connect to the FortiLog CLI from your internal network or the Internet. Once the FortiLog unit is configured to accept Telnet connections, you can run a Telnet clie
44. (Figure residue: generated report list with timestamps such as 2004-12-01 11:16 "Wed Dec 1 14:16:38 2004" and 2004-10-07 07:59 "Thu Oct 7 10:59:07 2004"; Check All / Check None.)
2. Do one of the following:
Report Files: Select the report name to view a roll-up of all reports in HTML format. Select the plus sign to expand the report to view the individual reports in HTML format.
Action: Select Edit to rename the report. Select Delete to remove the report from the FortiLog hard disk.
Check All / Check None: Select to select all reports for removal from the FortiLog hard disk.
Other Formats: Select an alternate format to view the report.

Roll-up report (Viewing reports)
The roll-up report contains all reports that you selected for the FortiLog unit to generate. Select the report name to view the report roll-up in HTML format.
Figure 35: Roll-up report (report title and report information compiled from device logs; a table "Mail Traffic by Day of Week" with columns Day of Week, Traffic (KB), % of Total; categories MailFilter Activity, VPN Activity, FTP Activity, Web Activity, Terminal Activity and Mail Activity, the last with sub-reports Mail Traffic by Date, Mail Traffic by Day of Week, Mail Traffic by Hour of Day, Mail Traffic by Direction, Top Mail Servers (Connections), Top Mail Servers (Traffic), Top Mail Clients (Connections), Top Mail Cl
45. Fortinet Inc. / Appendix A: Log Report Types (FortiLog Administration Guide)
Web Filter Events By Hour Of Day And Top Destinations: Hourly web events by top web site destinations for a specified period.
Web Filter Events By Date And Top URLs: Web events for a specified day or range of days by most visited URLs.
Web Filter Events By Day Of Week And Top URLs: Web events for a specified week by most visited URLs.
Web Filter Events By Hour Of Day And Top URLs: Hourly web events by most visited URLs.
Web Filter Events By Date And Status: Web events by status for a specified date or range of days.
Web Filter Events By Day Of Week And Status: Web events by status for a specified week.
Web Filter Events By Hour Of Day And Status: Hourly web events by status for a specified period.
Web Filter Events By Device And Top Sources: Web events by Fortinet device and source IPs.
Web Filter Events By Top Sources: Web events by top source IP addresses.
Web Filter Events By Top Destinations: Web events by top destination IP addresses.
Web Filter Events By Top URLs: Web events by the most visited URLs.
Total Web Filter Events By Status: List of web filter events by their status.

Mail Filter Activity
Mail filter activity reports record total and top mail filter activities by device, time, and top senders and receivers.
Report / Description
Mail Filter Ev
46. Alert Email (Local; Managing the FortiLog unit)
Testing E-mail Address: Enter the email address where the FortiLog unit sends an email message to verify the mail server settings.
Test: Select to verify that the SMTP information you entered is correct.
To set the email alert notification for the FortiLog unit, go to System > Alert Email > Local. Set the options for when the FortiLog unit alerts an individual or group of individuals.
Figure 24: Local alert settings (Local Alert: Enable; E-mail address(es); Level; "when N or more events occur in N hour(s)"; Apply)
Enable: Select to toggle the FortiLog alert email settings on and off.
Email Address(es): Enter a recipient or number of recipients to receive alert email.
Level: The FortiLog unit sends alert email for all messages at and above the logging severity level you select.
When N or more events: Select the number of events at the specified level before the FortiLog unit sends an alert email. Use this setting in conjunction with the setting below.
In N hours: Select the wait time for the number of events to occur within before sending an alert email for the specified level log messages. Use this setting in conjunction with the setting above.

Device (Active mode)
To set alert messages for specific FortiGate and FortiMail devices, select System > Alert Email > Device. You can define log alert messages for specific devices connected to
47. 16 10.9.0.0; 10.1.0.0 16; 10.9.0.0 16
Select OK.
Fortinet Inc.

Reports
The FortiLog unit collates information collected from device log files and presents the information in tables and graphs. There are over 130 different reports in 11 categories. The reports provide detailed information on the type of traffic, attacks, and preventative actions that occurred during a specific period on your network. For a full list of report types, see "Appendix A: Log Report Types" on page 113.
Using reports you can manage your network more effectively and make informed decisions:
- view the network usage and security information
- discover and address vulnerabilities across dispersed device installations
- minimize the effort required to monitor and maintain acceptable user policies
- identify attack patterns and prevent attacks
- monitor Internet surfing patterns for compliance with company policy
- identify visitors to your web site for potential customers
Reports are available in multiple file formats, including HTML, PDF, RTF, and ASCII text.
Note: In Passive mode, the FortiLog unit does not receive logs or generate reports. To create reports, the FortiLog unit must be set to Active mode.
This chapter describes:
- Creating and generating a report
- Viewing reports
- Vulnerability reports

Creating and generating a report (FortiLog Administration Guide)
To generate a report, begin by creati
48. (Figure residue: report viewer navigation, page 1 of 16.)
Vulnerability reports
Vulnerability reports show any potential weaknesses to attacks that may exist for selected devices by displaying the available ports on a FortiGate device. Rather than using the device logs for this report, the FortiLog unit queries for open ports and, where possible, gathers information about the services running. Any known vulnerabilities that exist for the specific service or version of the service are included in the reports.

Creating and generating a report
To generate a vulnerability report, begin by creating and saving a report configuration. You can use this report configuration for a scheduled report or for generating reports on demand.
To create a report
1. Go to Reports > Config > Vulnerability.
2. Select New and enter a name for the report.
3. Set the following:
- Selecting report result parameters, on page 68
- Selecting plug-ins, on page 68
- Selecting the scan targets for the report, on page 69
- Choosing the report destination and format, on page 71
4. Select Run now.

Selecting report result parameters
Report results parameters define how the FortiLog unit displays the vulnerability report results. Report results parameters include the specific device or all device logs submitted to the FortiLog unit e
49. Introduction

FortiLog units are network appliances that provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network and email activity to help identify security issues and reduce network misuse and abuse.

FortiLog units operate in one of two modes:
• In Active mode, as a log collection and analysis tool to collect logs from FortiGate and FortiMail devices and generate reports based on log data.
• In Passive mode, as a Network Attached Storage (NAS) server to act as an additional storage device.

The models in the FortiLog family:
• FortiLog-100: desktop model with one hard drive
• FortiLog-400: desktop model with four hard drives
• FortiLog-800: rackmount model with four hard drives

Figure 1: FortiLog models (FortiLog-400, FortiLog-100)

Operational Modes

The FortiLog device can operate in two modes: Active mode or Passive mode. The web-based interface reflects each model's functionality.

Active Mode

Active mode is the default mode for the FortiLog unit. In Active mode, the FortiLog unit can receive log files from FortiGate, Forti
50. Client, FortiMail and syslog devices. Using the reporting features, you can use the FortiLog unit to view the log files and generate more than 130 different reports for hourly, daily, weekly, monthly and even quarterly reviews of any device traffic.

Figure 2: FortiLog unit in Active mode (the web-based manager System Status page, showing the Reports Status list, Disk Space and RAID status, System Resources, and Unit Information including host name, firmware version, serial number and operation mode)

Using FortiLog to analyze logs and generate reports enables you to proactively secure networks before threats arise, avoid network abuses, manage bandwidth requirements, monitor Web site visits and ensure appropriate usage.
51. For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.

You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and change your registration information at any time.

Fortinet email support is available from the following addresses:
• amer_support@fortinet.com: For customers in the United States, Canada, Mexico, Latin America and South America
• apac_support@fortinet.com: For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries and Australia
• eu_support@fortinet.com: For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa and the Middle East

For information on Fortinet telephone support, see http://support.fortinet.com.

When requesting technical support, please provide the following information:
• Your name
• Company name
• Location
• Email address
• Telephone number
• FortiGate unit serial number
• FortiGate model
• FortiGate FortiOS firmware version
• Detailed description of the problem

Setting up the FortiLog unit

This chapter includes:
• Checking the package contents
• Hardware specifications
• Planning the instal
52. The FortiMail device logs all messages at and above the logging severity you select. For example, if you select Error, the device logs Error, Critical, Alert and Emergency level messages. For a list of severity levels, see Log policy on page 45.

Select Config > Policy.
• Select the Log type for which you want the FortiMail Server to record logs.
• For each Log type, select the activities for which you want the FortiMail Server to record log messages.
Select OK.
Select Apply.

Configuring the FortiLog unit

When you configure a device to send logs to the FortiLog unit, an entry for the device appears automatically in the Unregistered Devices tab.

Adding a device

The Devices screen provides easy access to all devices currently sending log files to the FortiLog unit. It also provides a way to add unregistered or other new devices to the FortiLog unit so it can receive log files.

Figure 9: FortiLog device tabs (All, Groups, Unregistered, FortiGate and other device tabs; the device table lists Name, Hardware, Firmware, IP Address, Connection, Disk Space (MB) and Action for each device)

All: Displays all registered devices available to the FortiLog unit.
Groups: Displays the groups available.
53. Bits per second: 9600; Data bits: 8; Parity: None; Stop bits: 1; Flow control: None.

Press Enter to connect to the FortiLog CLI. A prompt appears:
FortiLog-800 login:
9. Type a valid administrator name and press Enter.
10. Type the password for this administrator and press Enter. The following prompt appears:
Welcome!
You have connected to the FortiLog CLI, and you can enter CLI commands.

Setting administrative access for SSH or Telnet

To configure the FortiLog unit to accept SSH or Telnet connections, you must set administrative access to SSH or Telnet for the FortiLog interface to which your management computer connects. To use the web-based manager to configure FortiLog interfaces for SSH or Telnet access, see Admin on page 46.

To use the CLI to configure SSH or Telnet access:
1. Connect and log into the CLI using the FortiLog console port and your terminal emulation software.
2. Use the following command to configure an interface to accept SSH connections:
set system interface port1 config allowaccess ssh
3. Use the following command to configure an interface to accept Telnet connections:
set system interface port1 config allowaccess telnet

Note: Remember to press Enter at the end of each command. As well, remember to type end and press Enter to commit the changes to the FortiLog configuration.
54. Passive Mode ... 9
About this guide ... 10
FortiLog documentation ... 10
Related documentation ... 11
FortiGate documentation ... 11
FortiManager documentation ... 12
FortiClient documentation ... 12
FortiMail documentation ... 12
Fortinet Knowledge Center ... 12
Comments on Fortinet technical documentation ... 12
Customer service and technical support ... 13
Setting up the FortiLog unit ... 15
Checking the package contents ... 15
Hardware specifications ... 16
Dimensions ... 16
Weight ... 16
Power
55. Traffic By Top Sources And Top Services: Network traffic by the source IPs and Internet services in kilobytes.
Traffic By Top Sources And Top Destinations: Network traffic by the source IPs and destination IPs in kilobytes.
Traffic By Top Destinations: Network traffic by the destination IPs in kilobytes.
Traffic By Top Destinations And Top Services: Network traffic by the destination IPs and Internet services in kilobytes.
Traffic By Top Destinations And Top Sources: Network traffic of the top destination IPs and their source IPs in kilobytes.

Web Activity

Web Activity reports record total web access activities, including blocked site access attempts, by a specific time, and top web access activities.

Report: Description
Web Traffic By Date: Web traffic in megabytes for a specified day or range of days.
Web Traffic By Day Of Week: Daily web traffic in megabytes for a specified week.
Web Traffic By Hour Of Day: Hourly web traffic in kilobytes for the specified period.
Web Traffic By Direction: Total incoming and outgoing web traffic in kilobytes.
Blocked Web Site Attempts By Date: Attempts to access blocked web sites for a specific day or range of days.
Blocked Web Site Attempts By Day Of Week: Daily attempts to access blocked web sites for a specified week.
Blocked Web Site Attempts By Hour
56. Using Logs
• The Log view interface
• Viewing logs
• Importing log files
• Log Search
• Log watch (Active mode)
• Event correlation (Active mode)

The Log view interface

The log viewer interface provides a means of viewing device log files.

Figure 42: Viewing the logs (the Import Log File field with Browse and Import buttons, the device tree with per-device log files, and the Log Files table with Last Access Time, Size (bytes) and Action columns)

Device Tabs: Access to the specific device logs. Selecting a tab will display the available logs for any device within a group.
Import Log file: Use this field to import older log files to view and run log reports. For details on importing log files, see Importing log files on page 77.
Log files: A list of log files on the FortiLog unit. Any device groups you create also appear here. Select the group name to expand the list of devices within the group. Select the device name to see the available log files.
Device List: The number of devices in a group and the number of logs for a device.
Last Access Time: The last time the log was updated from the device.
Size (bytes): The size of the log file.
Action: Select Delete to remove the log file from the FortiLog hard
57. This information may be incorrect if the FortiLog clock is changed after creating the RAID.

Level: The RAID level. See RAID on page 43.
Array Size: The total disk space available.
Device Size: The disk space used on each drive of the array.
RAID Disks: The number of disks used by the array for data storage.
Total Disks: Total Disks include spare and failed disks.
Update Time: The time of the last status change.
State: State of the log device; includes dirty, clean, no errors and errors. Dirty means that parts of a redundant array (RAID1 and RAID5) need to be synchronized, which is automated. No errors indicates that the log device is usable.
Working Drives: Active and spare drives. Display color is black.
Active Drives: Drives used for data storage and are trusted. Display color is green.
Failed Drives: Drives used for data storage and are not trusted. Display color is red.
Spare Drives: Drives never used for data storage. Display color is yellow.

Config

Use System > Config to configure the FortiLog network settings, RAID settings, log message settings, time settings and other options. You can also add and remove FortiLog administrator accounts and change administrator passwords.
• Network
• RAID
• Log settings
• Time
• Options
• Admin

Network

To configure the FortiLog network settings, go to System >
58. Cover: FortiLog-400, FortiLog-100.

FortiLog Administration Guide, Version 1.6, January 15, 2004. 05-16000-0082-20050115.

Copyright 2005 Fortinet Inc. All rights reserved. No part of this publication, including text, examples, diagrams or illustrations, may be reproduced, transmitted or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.

FortiLog Administration Guide, Version 1.6, January 15, 2005. 05-16000-0082-20050115.

Trademarks: Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Regulatory Compliance: FCC Class A Part 15, UL, CE.

CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.

For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.

Table of Contents
Introduction ... 7
Operational Modes ... 8
Active Mode ... 8
59. set system interface <intf_str> config speed <speed_str>: Enter the transportation speed of this interface. <speed_str> is the speed type: auto, 10full, 10half, 100full or 100half.
set system interface <intf_str> config status down|up: Set the interface down or up.
set system interface <intf_str> config secip <XXX.XXX.XXX.XXX>: Enter the secondary IP address of the interface. <XXX.XXX.XXX.XXX> is the secondary IP address of the interface.
set system interface <intf_str> config secallowaccess ping|https|ssh|snmp|http|telnet: Select management access to the port1 interface with a secondary IP.
set system interface <intf_str> config secdenyaccess ping|https|ssh|snmp|http|telnet: Select the management access with a secondary IP that you want to deny to the port1 interface.
set system interface <intf_str> config stp_passthrough
set system interface <intf_str> config mode static: Set the interface mode to static.
set system mainregpage hide: Hide main registration message.
set system session_ttl port <port_num> timeout <timeout_int>: Set the session timeout maximum for the port.
set system session_ttl port <port_num> default <default_val>: Set a default value for the session time for the port.
set system mainregpage show: Show main registration mes
60. ...address <name@domain.com>.
...other report formats <html|pdf|rtf|text>.

set NAS

Use set NAS to configure the FortiLog NAS server settings when using the FortiLog unit in Passive mode.

Table 9: set NAS command architecture
set nas
  protocol nfs|share
    workgroup <workgroup>
  user <user>
    uid <uid>
    name <display name>
    password <password>
  group <group>
    gid <gid>
    members <members>
  share <share>
    path <local path>
    ro <ro list>
    rw <rw list>

Commands: Description
set nas protocol nfs|share: Set the FortiLog unit's passive mode sharing to either Network File System or Windows sharing.
set nas protocol share workgroup <workgroup>: When using Windows sharing, set the workgroup name.
set nas user <username> uid <uid> name <display name> password <password>: Set up a user to have access to file sharing by setting their user name, user ID number, display name and password.
61. Administrator Options ... 48
Changing the Administrator password ... 49
Devices (Active Mode) ... 49
Device ... 50
Adding and registering a device ... 50
Editing device information ... 50
Alert Email ... 51
(entry illegible) ... 51
(entry illegible) ... 52
Device (Active Mode) ... 52
Creating a new device alert ... 52
Plug-ins ... 54
Network Sharing ... 55
Defining IP Aliases ... 55
Reports ... 57
Creating and generating a report ... 57
Configuring report parameters ... 58
Configuring a report query ... 59
Creatin
62. ...FTP traffic in kilobytes for a specified week.
(report name not captured): Hourly FTP traffic in kilobytes for a specified period.
FTP traffic by direction: Total incoming and outgoing FTP traffic in kilobytes.
Top FTP sites connection: Most popular FTP sites by FTP events.
Top FTP sites traffic: Most popular FTP sites by traffic in kilobytes.
Top FTP clients connection: FTP source IP connections by FTP events.
Top FTP clients traffic: FTP source IP connections by volume in kilobytes.
Top clients by top FTP sites connections
Top clients by top FTP sites traffic: Top source IP by destination IP by volume in kilobytes.

Terminal Activity

Terminal activity reports record total Terminal (CLI) access activities.

Report: Description
Terminal Traffic By Date And Service: Terminal activity by service for a specific day or range of dates.
Terminal Traffic By Day Of Week And Service: Daily terminal activity by service for a specified week.
Terminal Traffic By Hour Of Day And Service: Hourly terminal activity by service for a specified period.
Telnet Traffic By Direction: Telnet traffic by direction in kilobytes.
SSH Traffic By Direction: SSH traffic by direction in megabytes.
Top Terminal Servers By Service Connections: Top destination IPs by ser
63. ...<alias>: Remove the alias association to a particular IP address. <alias> is the name of the alias for the IP address. The IP address will appear on the log report rather than the alias name.

Appendix A: Log Report Types

Your FortiLog unit can generate over 130 different types of log reports. Listed here are the log reports and a short description.

Network Activity

Network activity log reports record total network traffic activities by a specific time and direction, as well as top traffic activities.

Log report: Description
Traffic By Date And Direction: Incoming and outgoing network traffic in kilobytes for a specified day or range of days.
Traffic By Day Of Week And Direction: Daily incoming and outgoing network traffic in kilobytes for a specified week.
Traffic By Hour Of Day And Direction: Hourly incoming and outgoing network traffic in kilobytes for a specified period.
Traffic By Direction: Report of total incoming and outgoing network traffic in kilobytes.
Traffic By Top Services And Direction: Network traffic by Internet service, by incoming and outgoing network traffic, in kilobytes.
Traffic By Top Sources: Network traffic volume in megabytes by source IPs.
Traffic By Top
64. ...all FortiGate CLI commands.
• FortiGate Log Message Reference Guide: Describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.
• FortiGate High Availability Guide: Contains in-depth information about the FortiGate high availability feature and the FortiGate clustering protocol.
• FortiGate IPS Guide: Describes how to configure the FortiGate Intrusion Prevention System settings and how the FortiGate IPS deals with some common attacks.
• FortiGate VPN Guide: Explains how to configure VPNs using the web-based manager.

FortiManager documentation
• FortiManager QuickStart Guide: Explains how to install the FortiManager Console, set up the FortiManager Server and configure basic settings.
• FortiManager System Administration Guide: Describes how to use the FortiManager System to manage FortiGate devices.
• FortiManager System online help: Provides a searchable version of the Administration Guide in HTML format. You can access online help from the FortiManager Console as you work.

FortiClient documentation
• FortiClient Host Security User Guide: Describes how to use FortiClient Host Security software to set up a VPN connection from your computer to remote networks, scan your computer for viruses and restrict access to your computer and applications by setting up firewall policies.
• FortiClient Ho
65. ...Select Create New.
Enter a name for the host, network or IP address range in the Alias text box.
Enter the IP address of the host, network or the IP range.
Select OK.
Select the device from the Available IP Aliases list.
Select the right arrow to move the device to the Selected IP Aliases list.
Select Apply.

Creating a scan target profile

You can save the selections as a scan target profile. After creating a scan target profile, you can select the profile for use in other vulnerability reports.

To create a scan target profile:
1. Select New.
2. Enter a name for the profile and select OK.
3. Select the devices to include in the profile.
4. Select Apply.

Choosing the report destination and format

Select the destination and format for the vulnerability report. Configure the FortiLog unit to either save the reports to the FortiLog hard disk, or email the report to any number of recipients, or both. The default is to save the report to the FortiLog hard disk in HTML format. You can save the output options for use in other reports.

Figure 40: Selecting report output (the Select report output dialog with Default, New and Edit options, a Local destination with Run now, and an Email list)

To select the report destination and format:
66. ...Use the following command: execute restore config

Installing firmware from a system reboot

This procedure installs a specified firmware image and resets the FortiLog unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version or re-install the current firmware version.

To perform this procedure, you need to install a TFTP server that you can connect to from the FortiLog unit LAN port. The TFTP server should be on the same subnet as the LAN port.

Before beginning this procedure, you can back up the FortiLog unit configuration. For information, see Backing up system settings on page 39.

To install firmware from a system reboot:
1. For all three FortiLog models, use terminal emulation software to access the unit's CLI. For the FortiLog-800 unit, you can also access the unit's CLI by connecting the null modem cable provided to the unit's console port.
2. Make sure that the TFTP server is running.
3. Copy the new firmware image file to the root directory of the TFTP server.
4. Make sure that the LAN port is connected to the same network as the TFTP server.
5. To confirm that the FortiLog unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168, enter: exec
67. ...web traffic by URL in kilobytes.
Web Traffic By Status And Top Servers: Web traffic by virus status and URL in kilobytes.
Web Traffic by Top URLs: Web traffic by URL in kilobytes.
Web Traffic by Status and Top URLs: Web traffic by virus status and URL in kilobytes.
Mail Traffic by Mail Service and Top Senders: Email traffic by mail service and sender address in kilobytes.
Mail Traffic by Mail Service and Top Receivers: Email traffic by mail service and recipient address in kilobytes.
Mail Traffic by Status and Top Senders: Email traffic by email status and sender address.
Mail Traffic by Status and Top Receivers: Email traffic by email status and recipient address.

Index

A
access to files, 82
account levels, 48
active and passive mode, 8
administrator account, 48
  read & write access, 48
  read only access, 48
  settings, 46
  netmask, 108
  trusted host, 49
Adobe Acrobat files, 65
alerts, 30, 54
attack correlation, 79

B
backup
  installing firmware image, 36
  switching to firmware, 38
  system settings, 39

C
changing operating modes, 31
CLI, 10, 19, 20
CLI Structure, 91
command line interface, 10, 19, 20
config policy, 45
configure
  FortiGate device, 23
  FortiMail device, 25
connecting the FortiLog unit, 18
  to the CLI, 88
  to the FortiLog CLI using SSH, 90
  to the For
68. (continuation of the alert email command tree)
  virustime 0.5|1.0|3.0|6.0|12.0|24.0|72.0|168.0
  virusdevice all|per
  virussingle y|n
  devicemailaddr <string>

Commands: Description
set alertemail configuration auth enable|disable: Enable or disable SMTP authentication for sending alert emails.
set alertemail configuration mailto <string> <string> <string>: Enter the email addresses of three alert email recipients. <string> is the email address of an alert email recipient.
set alertemail configuration mailto none: Clear all email addresses of the alert email recipients.
set alertemail configuration passwd <string>: Set the password for logging on to the SMTP server to send alert emails. <string> is the password.
set alertemail configuration server <server_address>: Set the IP address of the SMTP server for sending alert emails. <server_address> is the IP address of the SMTP server.
set alertemail configuration user <name_str>: Set the user name for logging on to the SMTP server to send alert emails. <name_str> is the user name.
set alertemail setting option critical: Configure the alertemail to report critical incidents.
set alertemail setting option diskfull: Configure the alertemail to report if the FortiLog hard disk is full.
set alertemail setting option none: Clear all alert email option configuration.
set alertmai
69. ...and locate the firmware image file. Select OK. If you are reverting to a previous version of the firmware, a message appears informing you that the system configuration will be set to default and all the original configuration will be lost. Select OK.
• If you upgrade the firmware, the FortiLog unit uploads the firmware image file, upgrades to the new firmware version, resets the configuration, restarts and displays the FortiLog login. This process takes a few minutes.
• If you revert to a previous firmware version, the FortiLog unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts and displays the FortiLog unit login. This process takes a few minutes.
Restore your configuration. See Restoring system settings on page 40.

To change the firmware using the CLI

Use the following procedure to upgrade the FortiLog unit to a newer firmware version or revert to a previous firmware version. To use the following procedure, you must have a TFTP server that the FortiLog unit can connect to.

This procedure reverts your FortiLog unit to its factory default configuration and deletes all configuration on the unit. Back up the FortiLog unit configuration before beginning this procedure using the command execute backup config.

Make sure that the TFTP server is running.
70. ...the FortiLog administrators. For information on FortiLog administrators, see Devices (Active mode) on page 49.

Figure 19: Admin (the table lists each account's Name, Trusted Host, Netmask, Permission and Modify controls; in the figure, admin and Admin_2 both have Trusted Host 0.0.0.0 and Netmask 0.0.0.0, with permissions all and Read Only; below the table are Administrative Access check boxes for HTTPS, PING, HTTP, SSH and TELNET, and an Apply button)

Create New: Select Create New to add an administrator account.
Name: The login name for the administrator account.
Trusted host: The trusted host IP address for the location from which the administrator can log into the web-based manager. If Trusted Host is 0.0.0.0, the administrator can log in from any IP address.
Netmask: The trusted host netmask for the location from which the administrator can log into the web-based manager. If Netmask is 0.0.0.0, there is no restriction on the netmask.
Permission: The permission level for the administrator. Permission can be all, read & write or read only.
Modify: Select Edit to change an administrator account. Select Change Password to change an administrator account password.
Administrative Access: Configure administrative access to control how administrators access the FortiLog unit.
HTTPS: To allow secure HTTPS connections to the FortiLog web-based manager.
PING: If you want the FortiLog unit to respond to pings. Use this setting to verify your installation and for test
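The trusted host and netmask rule described above, as an added example in Python (not Fortinet code): it checks a login source against an account's trusted host and netmask using the 0.0.0.0 semantics the manual gives, and lists the accounts of an Admin table that can be reached from any address. The `netops` row and the 192.0.2.0/24 subnet are constructed; the other two rows are the ones shown in Figure 19.

```python
"""Trusted-host check and audit for FortiLog administrator accounts.

Added example, not Fortinet code. It reimplements the rule the Admin page
describes: a Trusted Host of 0.0.0.0 lets the administrator log in from any
IP address, and a Netmask of 0.0.0.0 places no restriction on the netmask;
otherwise the login source must fall inside trusted_host/netmask.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = IPv4Address("0.0.0.0")


@dataclass(frozen=True)
class AdminAccount:
    """One row of the Admin table: Name, Trusted Host, Netmask, Permission."""
    name: str
    trusted_host: str
    netmask: str
    permission: str  # "all", "read & write" or "read only"


def login_allowed(src_ip: str, trusted_host: str, netmask: str) -> bool:
    """True if an administrator may log in from src_ip."""
    src = IPv4Address(src_ip)
    host = IPv4Address(trusted_host)
    mask = IPv4Address(netmask)
    # Manual: Trusted Host 0.0.0.0 means any source address, whatever the
    # netmask says. Plain mask arithmetic would instead match only the
    # addresses whose unmasked bits are zero, so this case is handled first.
    if host == ANY:
        return True
    # Ordinary subnet comparison. A netmask of 0.0.0.0 masks every bit away,
    # so it matches every source address (no restriction on the netmask).
    return (int(src) & int(mask)) == (int(host) & int(mask))


def reachable_from_anywhere(account: AdminAccount) -> bool:
    """True if the account's trusted host/netmask never rejects a source."""
    return (IPv4Address(account.trusted_host) == ANY
            or IPv4Address(account.netmask) == ANY)


def audit_admin_table(accounts):
    """Return (name, permission) for every account with no source restriction.

    Accounts with write-level permission are listed first, since an
    unrestricted trusted host on an 'all' or read & write account is the
    finding most worth acting on.
    """
    flagged = [a for a in accounts if reachable_from_anywhere(a)]
    writable = [a for a in flagged if a.permission.lower() != "read only"]
    readonly = [a for a in flagged if a.permission.lower() == "read only"]
    return [(a.name, a.permission) for a in writable + readonly]


# Constructed sample: the two rows shown in Figure 19 plus one account
# restricted to a management subnet (192.0.2.0/24 is a documentation range).
SAMPLE_ADMIN_TABLE = [
    AdminAccount("admin", "0.0.0.0", "0.0.0.0", "all"),
    AdminAccount("Admin_2", "0.0.0.0", "0.0.0.0", "Read Only"),
    AdminAccount("netops", "192.0.2.10", "255.255.255.0", "read & write"),
]

if __name__ == "__main__":
    for name, perm in audit_admin_table(SAMPLE_ADMIN_TABLE):
        print(f"{name}: permission '{perm}' is usable from any IP address")
    print(login_allowed("192.0.2.77", "192.0.2.10", "255.255.255.0"))    # True
    print(login_allowed("198.51.100.5", "192.0.2.10", "255.255.255.0"))  # False
```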
71. The FortiLog unit supports the linear, 0, 1 and 5 RAID levels. The default RAID level is linear. Changing the RAID level deletes all log messages from the FortiLog hard disk.

Linear: Linear disk volume. Combines two or more disks into one larger disk. During file saving, the files are saved on the physical disks sequentially, but there is no disk failure file protection function. The overall capacity of linear disks is the sum of all disks. Linear disks are generally used for storing large amounts of data and not for protection of important data.

Level 0: Striping disk volume. Combines two or more disks into one larger disk. Striping disk RAID offers the fastest disk access but does not provide protection of the data when the striped array fails. The disk capacity equals the number of disks in the array times the size of the smallest disk. Select striping disk to maximize disk capacity or for fast disk access, but not for protection of important data.

Level 1: Mirroring disk volume. Protects data by automatically backing up the contents of one disk onto the second disk of a mirrored pair. Mirroring protects data if one disk fails. Disk capacity is equal to a single hard disk because the second hard disk is used to automatically back up the first. Use Level 1 to protect important personal or corporate data.

Level 5: RAID 5 disk group. Three or more hard disks can be teamed up to
72. ...the firmware image filename and press Enter. The TFTP server uploads the firmware image file to the FortiLog unit, and a message similar to the following is displayed:
Save as Default firmware/Run image without saving:[D/R]?
or
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
Type D. The FortiLog unit installs the new firmware image and restarts. The installation might take a few minutes to complete.

Testing a new firmware image

You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure, the FortiLog unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiLog unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently.

To run this procedure, you need to install a TFTP server that you can connect to from the FortiLog unit LAN port. The TFTP server should be on the same subnet as the LAN port.

To test a new firmware image before installing it:
1. For all three FortiLog models, use terminal emulation software to access the unit's CLI. For the FortiLog-800 unit, you can also access the unit's CLI by connecting the null modem cable provided to the unit's console port.
2. Make sure the TFTP server is running.
73. ...e_str>: Enter the name for this FortiLog unit. <hostname_str> is the name of the FortiLog unit.

set system interface <intf_str> config allowaccess {ping https ssh snmp http telnet}: Select the management access to allow on this FortiLog interface. <intf_str> is the system interface name. http and telnet carry administrator credentials in clear text; on any interface reachable from an untrusted network allow only https and ssh.

set system interface <intf_str> config denyaccess {ping https ssh snmp http telnet}: Select the management access to deny on this FortiLog interface. <intf_str> is the system interface name.

set system interface <intf_str> config WINS <XXX.XXX.XXX.XXX>: Enter the WINS server IP address. <XXX.XXX.XXX.XXX> is the WINS server IP address.

set system interface <intf_str> config macaddr {<XX:XX:XX:XX:XX:XX> | factory_default}: Set the MAC address for this interface, or set it back to the factory default value. <XX:XX:XX:XX:XX:XX> is the interface MAC address.

set system interface <intf_str> config log {enable | disable}: Enable or disable logging of traffic to the FortiLog unit from this interface.

set system interface <intf_str> config mtu <mtu_integer>: Enter the maximum transmission unit (MTU) for this interface. Enter default to cancel the MTU setting. <mtu_integer> is the MTU for this interface.

set system interface <intf_str> config speed <speed
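The allowaccess and denyaccess commands above decide which management protocols an interface answers. The following is an added example, not code from the manual or from Fortinet: it audits the service list an administrator would pass to allowaccess, flags the services that carry credentials in clear text, and renders the corresponding allowaccess/denyaccess pair with those services swapped for their encrypted equivalents. The interface names and service sets are constructed, and the command rendering assumes the space-separated keyword list shown in the manual's syntax summary.

```python
"""Audit of FortiLog interface management access (allowaccess).

Added example, not code from the FortiLog manual or from Fortinet. Interface
names and service sets are constructed; the command text follows the
space-separated keyword list in the manual's syntax summary.
"""
SERVICES = {"ping", "https", "ssh", "snmp", "http", "telnet"}   # the manual's keyword set
CLEARTEXT = {"http": "https", "telnet": "ssh"}   # weak service -> encrypted replacement


def audit_allowaccess(interface, allowed):
    """Return (findings, hardened) for one interface.

    `findings` lists human-readable problems; `hardened` is the service set
    with http/telnet replaced by https/ssh. Unknown keywords are rejected so a
    misspelled service is not silently ignored.
    """
    allowed = {s.lower() for s in allowed}
    unknown = allowed - SERVICES
    if unknown:
        raise ValueError(f"unknown allowaccess keyword(s): {sorted(unknown)}")
    findings = []
    for weak, strong in sorted(CLEARTEXT.items()):
        if weak in allowed:
            findings.append(f"{interface}: {weak} allowed; credentials travel in "
                            f"clear text, use {strong} instead")
    if "snmp" in allowed:
        findings.append(f"{interface}: snmp allowed; SNMPv1/v2c community strings "
                        f"are sent in clear text, restrict the peers that may poll")
    hardened = {CLEARTEXT.get(s, s) for s in allowed}
    return findings, hardened


def render_commands(interface, hardened):
    """Render the manual's allowaccess/denyaccess pair for `hardened`."""
    deny = SERVICES - hardened
    lines = [f"set system interface {interface} config allowaccess "
             + " ".join(sorted(hardened))]
    if deny:
        lines.append(f"set system interface {interface} config denyaccess "
                     + " ".join(sorted(deny)))
    return lines


def audit_unit(config):
    """Audit every interface in `config` ({interface: [services]}) and return
    {interface: (findings, commands)}."""
    result = {}
    for intf, services in config.items():
        findings, hardened = audit_allowaccess(intf, services)
        result[intf] = (findings, render_commands(intf, hardened))
    return result


if __name__ == "__main__":
    # Constructed sample: a management port and a port facing a wider network.
    sample = {"port1": ["ping", "https", "ssh"],
              "port2": ["ping", "http", "telnet", "https", "snmp"]}
    for intf, (findings, commands) in audit_unit(sample).items():
        for f in findings:
            print("FINDING", f)
        for c in commands:
            print("       ", c)
```

The denyaccess line is emitted as well as the allowaccess line so that the resulting configuration is explicit about every service in the keyword set, rather than relying on whatever the interface previously allowed.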
74. Select Delete to remove the user or group access from the FortiLog unit.

Setting folder and file properties
The FortiLog unit enables you to administer the folders and files on the FortiLog hard disk. Using the file browser you can:
• rename and delete files and folders
• set the access permissions
• download files to your local hard disk

Figure 51: Set file and folder properties (Rename: path, old name and new name; Permissions: read, write and execute check boxes for Owner, Group and Other).

Each folder and file has its own access permissions. You can set three types of permissions:
Owner: The original user for the file or folder. This is the user who creates or uploads the file to the FortiLog hard disk.
Group: A group of users you define. The default group is the Admin group.
Other: All other users who are neither the owner of the file nor members of its group.

By default, when a user adds a new file or folder the access rights are Read, Write and Execute for the owner and Read and Execute for the Admin group and Others. Because Other covers every user the FortiLog unit knows about, these defaults make each uploaded file readable by every other NAS user; tighten the Other permissions on folders that hold sensitive data.

To set file and folder permissions:
1. Go to File Browse > Files.
2. Navigate to the folder or file whose permissions you want to set and select Edit.
3. Set the read, write and execute permis
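The owner/group/other model above decides who can read a file on the NAS. The following is an added example, not code from the manual or from Fortinet: it models the three permission classes and read/write/execute bits the file browser exposes, the manual's default rights for a new file, and an evaluation order that is assumed here to follow the usual POSIX/Samba rule (a user is checked against exactly one class: owner, else group, else other), which is why a restrictive owner class is not rescued by a permissive Other class. The user names, group names and file entries are constructed.

```python
"""Owner/group/other permission evaluation for FortiLog NAS files.

Added example, not code from the FortiLog manual or from Fortinet. The
single-class evaluation order is an assumption (POSIX/Samba behaviour); user
names, group names and file entries are constructed.
"""
from dataclasses import dataclass

READ, WRITE, EXECUTE = 4, 2, 1
OPS = {"read": READ, "write": WRITE, "execute": EXECUTE}
CLASS_SHIFT = {"owner": 6, "group": 3, "other": 0}


@dataclass
class FileEntry:
    path: str
    owner: str
    group: str = "Admin"    # the manual's default group
    mode: int = 0o755       # the manual's default rights for a new file

    def mode_string(self):
        """Render the three check-box rows as rwxr-xr-x."""
        out = ""
        for cls in ("owner", "group", "other"):
            bits = (self.mode >> CLASS_SHIFT[cls]) & 0o7
            out += ("r" if bits & READ else "-")
            out += ("w" if bits & WRITE else "-")
            out += ("x" if bits & EXECUTE else "-")
        return out


def build_mode(owner=(), group=(), other=()):
    """Turn three check-box selections (iterables of 'read'/'write'/'execute')
    into a mode value; the manual's default is
    build_mode(owner=('read','write','execute'), group=('read','execute'),
    other=('read','execute')) == 0o755."""
    mode = 0
    for cls, ops in (("owner", owner), ("group", group), ("other", other)):
        bits = 0
        for op in ops:
            bits |= OPS[op]
        mode |= bits << CLASS_SHIFT[cls]
    return mode


def permission_class(entry, user, user_groups):
    """Pick the single class that applies to `user` for `entry`."""
    if user == entry.owner:
        return "owner"
    if entry.group in user_groups:
        return "group"
    return "other"


def is_allowed(entry, user, user_groups, op):
    """True if `user` (a member of `user_groups`) may perform `op` on `entry`."""
    cls = permission_class(entry, user, user_groups)
    return bool((entry.mode >> CLASS_SHIFT[cls]) & OPS[op])


if __name__ == "__main__":
    # Constructed sample: twhite uploads a report; jsmith is an Admin, bob is not.
    report = FileEntry("/Storage/user/twhite/theproject.pdf", owner="twhite")
    print(report.mode_string())                       # rwxr-xr-x
    print(is_allowed(report, "bob", set(), "read"))   # True: Other may read by default
    locked = FileEntry(report.path, owner="twhite",
                       mode=build_mode(owner=("read", "write"), group=("read",)))
    print(is_allowed(locked, "bob", set(), "read"))   # False after tightening Other
```

The `odd` case in the test, a file whose owner class has no bits while Other can read, shows the consequence of single-class evaluation: the owner is locked out of their own file even though everyone else can read it, so permissions should be reviewed per class rather than assuming the owner always has at least Other's rights.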
75. Connecting to the FortiLog CLI using SSH 90
Connecting to the FortiLog CLI using Telnet 90
CLI commands 91
execute 91
get 92
set 94
set alertemail 94
set console 97
set log 98
set nas 103
set report 104
set system 104
unset 110
Appendix A Log Report Types 113
Network Activity 113
Web Activity 113
FTP Activity 114
Terminal Activity 115
Mail Activity 115
Intrusion Activity 116
Antivirus Activity 116
Web Filter Activity 116
Mail Filter Activity 117
VPN Activity 118
Content Activity
76. Backing up system settings 39
Downloading the FortiLog debug log 39
Restoring system settings 40
Restore factory default system settings 40
Restoring a FortiLog unit 40
RAID 41
Config 42
Network 42
RAID 43
Log settings 44
Log policy 45
Admin 46
Options 46
Admin 46
Configure administrator access 47
Administrator account levels
77. Selecting report result parameters 68
Selecting plug-ins 68
Creating a plug-in profile 69
Selecting the scan targets for the report 69
Creating a scan target profile 70
Choosing the report destination and format 71
Creating a report destination and format profile 71
Viewing the vulnerability report 72
Using Logs 73
The Log view interface 74
Viewing logs 74
Finding log information 75
Importing log files 77
Watching logs 78
Log watch (Active mode) 78
Event correlation (Active mode) 79
Using the FortiLog unit as a NAS 81
Connecting to the FortiLog fi
78. Select Devices. Select These to select specific devices or groups of devices. Select the plus sign to expand the list of devices for a specific group. Select the group or individual devices to use in the report. Select Apply.

Creating a device profile
You can save the selections as a device profile. After creating a device profile you can select the profile for use in other reports.

To create a device profile:
1. Select New, or start with an existing profile by selecting the profile and selecting Clone.
2. Enter a name for the profile and select OK.
3. Select the devices to include in the profile.
4. Select Apply.

Select filtering options
Filtering enables you to include or remove information from a report to produce a more concise report. For example, you may only want reports on specific error messages, or you may not want to include certain destination IP addresses.

Figure 31: Filter options (report tabs Queries, Devices, Filter, Schedule and Output; a "Select a filter" list with New, Clone, Rename, Delete and Edit; "Include logs that match all/any of the following criteria"; criteria rows for Priority, Source, Destination, Interface and Virtual Domain, each with an alias selector and a Not check box).
79. RAID: levels 43; settings 43; status 41
ranking 59
read & write access level 48
read only access level 48
re-installing firmware 33
report parameters 58
reports: alternate formats 65; creating 57; filtering 61; on demand 64; types 113; viewing 65
resolve host name 59
restoring system settings 40
restoring the FortiLog unit 40
reverting to an older firmware version 33
RTF files 65

S
searching logs 75
settings: administrative access for SSH or Telnet 89; administrator 46; config policy 45; idle timeout 46; language 46; log 44; network 42; RAID 43; system date and time 46
specifications: environmental 17; hardware 16
status: RAID 41; system resources 32
status 29
system settings: backup 39; factory defaults 40; restore 40

T
testing new firmware image 35
text files 65
TFTP server 40
traffic direction 27
trusted host 49; administrator account 49

U
user accounts 82
user groups 83
Using the CLI 87

V
viewing: logs 74; reports 65; system resources 32
virtual domain 59
vulnerability reports 67

W
watching logs 78
web based manager: connecting 19; idle timeout 46; introduction 19; language 46, 109
windows shares 81
80. ...0 Emergency, 1 Alert, 2 Critical, 3 Error, 4 Warning, 5 Notification, 6 Information. Messages at severity levels up to, but not higher than, the value you set are recorded. A lower number is a more severe level, so loglevel 3 records Emergency through Error and drops Warning, Notification and Information.

set log setting syslog local csv {enable | disable}: Enable or disable CSV format. With CSV enabled, log messages are recorded on the FortiLog hard disk in comma-separated value (CSV) files, with the log message fields separated by commas.

set log setting syslog remote {enable | disable}: Enable or disable logging to the remote syslog server.

set log setting syslog remote server <server_ip>: Configure the remote syslog server. <server_ip> is the IP address of the remote server.

set log setting syslog remote server <server_ip> port <port_integer>: Configure the port on which the remote syslog server receives log messages. <port_integer> is the port number of the server. The default port is 514. Standard syslog on port 514 is sent without encryption or authentication, so the path to the remote syslog server should run over a trusted management network.

set log setting syslog remote server <server_ip> loglevel <severity_level>: Set the remote syslog severity level: 0 Emergency, 1 Alert, 2 Critical, 3 Error, 4 Warning, 5 Notification, 6 Information. Messages at severity levels up to, but not higher than, the value you set are sent.

set log setting syslog remote server <server_ip> csv {enable | disable}
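The loglevel and remote server settings above determine which messages leave the unit and what the collector receives. The following is an added example, not code from the manual or from Fortinet: it applies the manual's severity rule (a message is forwarded only if its severity number is at or below the configured loglevel, lower being more severe), builds the RFC 3164-style datagram a syslog collector on port 514 would receive, and decodes the PRI field on the receiving side. The facility, host name and sample events are constructed assumptions, and the `sender` hook lets the code run offline without opening a socket.

```python
"""Severity gating and datagram construction for FortiLog syslog forwarding.

Added example, not code from the FortiLog manual or from Fortinet. Facility,
host name and the sample events are constructed; `sender` abstracts the UDP
socket so the logic can be exercised offline.
"""
import socket

SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "information": 6}
FACILITY_LOCAL0 = 16     # assumed facility; the manual does not specify one
DEFAULT_PORT = 514       # the manual's default remote syslog port


def should_forward(severity, loglevel):
    """The manual's rule: levels up to, but not higher than, loglevel."""
    return 0 <= severity <= loglevel


def build_datagram(severity, hostname, tag, text,
                   facility=FACILITY_LOCAL0, timestamp="Jan 15 12:00:00"):
    """<PRI>TIMESTAMP HOST TAG: MSG, with PRI = facility * 8 + severity."""
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}".encode("utf-8")


def parse_pri(datagram):
    """Recover (facility, severity) from a datagram; raises on a malformed PRI."""
    head = datagram.decode("utf-8", errors="replace")
    if not head.startswith("<") or ">" not in head[:6]:
        raise ValueError("missing PRI field")
    pri = int(head[1:head.index(">")])
    return divmod(pri, 8)


def forward(messages, loglevel, server_ip, port=DEFAULT_PORT, sender=None):
    """Forward (severity, text) pairs whose severity passes `loglevel`.

    `sender(datagram, (ip, port))` performs the send; when None, a UDP socket
    is used. Returns the datagrams that were forwarded so callers can audit
    what left the unit. Classic syslog is unauthenticated and unencrypted, so
    `server_ip` should be reached over a trusted management network.
    """
    if sender is None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sender = sock.sendto
    forwarded = []
    for severity, text in messages:
        if should_forward(severity, loglevel):
            dgram = build_datagram(severity, "fortilog", "fortilog", text)
            sender(dgram, (server_ip, port))
            forwarded.append(dgram)
    return forwarded


# Constructed sample event log, as (severity, text) pairs.
SAMPLE_EVENTS = [
    (SEVERITY["alert"], "RAID array degraded: HDD3 failed"),
    (SEVERITY["error"], "remote syslog server unreachable"),
    (SEVERITY["warning"], "allocated disk space for device FGT-60 is 90% used"),
    (SEVERITY["information"], "admin login from 192.168.1.20"),
]

if __name__ == "__main__":
    captured = []
    sent = forward(SAMPLE_EVENTS, SEVERITY["error"], "192.168.1.200",
                   sender=lambda d, addr: captured.append((d, addr)))
    for d in sent:
        print(parse_pri(d), d.decode())
```

With loglevel set to 3 (Error), the alert and the error are forwarded and the warning and information events stay local, which is the behaviour to expect from the CLI setting before relying on the collector for those lower-severity events.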
81. Mail Filter Events By Date And Top Senders: Mail filter events by the top email addresses for a specified day or range of days.
Mail Filter Events By Day Of Week And Top Senders: Daily mail filter events by top email addresses for the specified week.
Mail Filter Events By Hour Of Day And Top Senders: Hourly mail filter events by top email addresses for a specified period.
Mail Filter Events By Device And Top Senders: Mail filter events by Fortinet device and top email addresses.
Mail Filter Events By Device And Top Receivers: Mail filter events by Fortinet device and top recipient email addresses.
Total Mail Filter Events By Device And Block Criteria: Mail filter events by Fortinet device and email blocking criteria.
Top Mail Senders: Most active email addresses sending email.
Top Blocked Mail Senders: Email addresses most often blocked when sending email.
Top Mail Receivers: Most active email recipient addresses.
Top Blocked Mail Receivers: Email addresses most often blocked when receiving email.
Top Mail Receivers And Their Top Senders: Most active email recipients and their sources.

VPN Activity
VPN activity reports record total VPN activity by a specific time and direction, as well as top VPN activities.

Report: Description
Total VPN Activity By Date And Direction (traffic): VPN activity by specified date or range of dates and direction of traffic.
82. Figure: ranked report settings (In Ranked Reports show: the top N values of the first variable, 1 to 12, and N values of the second variable for each value of the first variable, 1 to 12; Apply).

To define report parameters:
1. Go to Reports > Config.
2. Select New.
3. Enter a report name and select OK.
4. Configure the following options:
Time Period: Select a date range from the list or select a specific reporting period. Some time selections include variables, for example "Last N days"; when you select such a setting a text box appears in which you enter the numeric value for N.
From Date: Select the year, month, day and hour for the start of the reporting period.
To Date: Select the year, month, day and hour for the end of the reporting period.
Per Virtual Domain: Select to generate the report per virtual domain configured on the FortiGate devices.
For all devices: Select to generate one report for all devices.
Per device: Select to generate a separate report for each device.
Resolve Host Names: Select to display host names rather than IP addresses. For details on configuring IP address host names see "Defining IP aliases" on page 55.
Resolve Service Names: Select to display network service names rather than port numbers, for example HTTP rather than port 80.
In Ranked Reports show: For some report types you can set the number of top ranked items for the report.
83. Total VPN Activity By Hour Of Day And Top Tunnels (traffic): Hourly VPN activity for the specified period of the most active tunnels.
Total VPN Activity By Top Tunnels (traffic): VPN activity by the most active tunnels.

Content Activity
Content activity reports record content activity by a specific time and direction, as well as top content activity by client, service, virus and email.

Report: Description
Content Traffic By Date And Service: Content traffic by Internet service in kilobytes for a specified date or range of days.
Content Traffic By Date And Status: Email content status by specified date or range of days.
Content Traffic By Date And Top Viruses: Top viruses by the specified date or range of days.
Content Traffic By Day Of Week And Service: Daily content traffic by Internet service in kilobytes for a specified week.
Content Traffic By Day Of Week And Status: Daily email content status in kilobytes for a specified week.
Content Traffic By Day Of Week And Top Viruses: Daily top viruses for a specified week.
Content Traffic By Hour Of Day And Service: Hourly content traffic by Internet service in kilobytes for a specified date or range of days.
Content Traffic By Hour Of Day And Status: Hourly email content status in kilobytes for a specified date or range of days.
Content Traffic By H
84. Total VPN Activity By Day Of Week And Direction (traffic): Daily VPN activity and direction of traffic for the specified week.
Total VPN Activity By Hour Of Day And Direction (traffic): Hourly VPN activity and direction of traffic for the specified period.
VPN Activity By Top Devices (tunnels): VPN activity by Fortinet device, by VPN events.
VPN Activity By Top Devices (traffic): VPN activity by Fortinet device, by traffic in megabytes.
VPN Activity By Top Devices And Top Peers (tunnels): VPN activity by Fortinet device and destination IPs, by VPN events.
VPN Activity By Top Devices And Top Peers (traffic): VPN activity by Fortinet device and destination IPs, by traffic in megabytes.
VPN Activity By Devices And Top Services (traffic): VPN activity by Fortinet device and Internet service, by traffic in megabytes.
VPN Activity By Top Sources (traffic): VPN activity by source IP, by traffic in megabytes.
VPN Activity By Top Destinations (traffic): VPN activity by destination IP, by traffic in megabytes.
Total VPN Activity By Direction (traffic): VPN activity by traffic direction in megabytes.
Total VPN Activity By Date And Top Tunnels (traffic): VPN activity by specified date or range of dates and traffic of the most active tunnels.
Total VPN Activity By Day Of Week And Top Tunnels (traffic): Daily VPN activity for the specified week of the most active tunnels.
Total VPN Activity By Hour O
85. ...traffic flow information is based on the source and destination interfaces of the device and how they are configured to send and receive information. To ensure that traffic information is represented correctly in these reports you need to assign each FortiGate interface to an interface type. A device interface can be an interface name or a VLAN defined on the device.

You can classify the device interfaces as None, LAN, WAN or DMZ to match the type of traffic the interface processes. When the FortiLog unit generates a traffic log report it compares the source and destination interface classifications and determines the traffic direction, which is one of:
• Incoming
• Outgoing
• Internal
• External
• Unclassified

Table 3 shows how the source and destination interface types are represented in the log report as traffic direction.

Table 3: Log report traffic direction identification
Source | Destination | Traffic Direction
None | All types | Unclassified
All types | None | Unclassified
WAN | LAN, DMZ | Incoming
WAN | WAN | External
LAN, DMZ | LAN, DMZ | Internal
LAN, DMZ | WAN | Outgoing

An interface left as None makes every record that crosses it Unclassified, so traffic that really arrived from the WAN on such an interface never appears under Incoming in the report. Classify every interface that carries traffic before relying on the direction columns.

Creating Device Groups
If you have a number of devices belonging to a department or section of the company, you can create groups to keep these devices to
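Table 3 is a small decision table, and the effect of an unclassified interface is easiest to see by running it over records. The following is an added example, not code from the manual or from Fortinet: `traffic_direction` implements Table 3 exactly, and `direction_summary` applies it to log records through an interface-name-to-type map, which is how the direction column is derived from each record's source and destination interface. The interface names and the five log records are constructed; the second summary shows what happens when one interface was never classified.

```python
"""Traffic direction classification from FortiGate interface types (Table 3).

Added example, not code from the FortiLog manual or from Fortinet. Interface
names and the sample log records are constructed.
"""
from collections import Counter

INTERFACE_TYPES = {"NONE", "LAN", "WAN", "DMZ"}


def traffic_direction(src_type, dst_type):
    """Map a (source, destination) interface-type pair to a direction."""
    src, dst = src_type.upper(), dst_type.upper()
    for t in (src, dst):
        if t not in INTERFACE_TYPES:
            raise ValueError(f"unknown interface type {t!r}")
    if src == "NONE" or dst == "NONE":
        return "Unclassified"
    if src == "WAN" and dst == "WAN":
        return "External"
    if src == "WAN":          # destination is LAN or DMZ
        return "Incoming"
    if dst == "WAN":          # source is LAN or DMZ
        return "Outgoing"
    return "Internal"         # both sides LAN or DMZ


def direction_summary(records, interface_types):
    """Count directions for records of the form {'src_intf': ..., 'dst_intf': ...}.

    Interfaces missing from `interface_types` are treated as None, exactly as
    they would be if the administrator never classified them.
    """
    counts = Counter()
    for rec in records:
        src = interface_types.get(rec["src_intf"], "NONE")
        dst = interface_types.get(rec["dst_intf"], "NONE")
        counts[traffic_direction(src, dst)] += 1
    return dict(counts)


# Constructed sample traffic log records from one FortiGate device.
SAMPLE_RECORDS = [
    {"src_intf": "wan1", "dst_intf": "internal", "src": "203.0.113.5", "dst": "192.168.1.10"},
    {"src_intf": "internal", "dst_intf": "wan1", "src": "192.168.1.10", "dst": "198.51.100.7"},
    {"src_intf": "internal", "dst_intf": "dmz", "src": "192.168.1.10", "dst": "192.168.2.20"},
    {"src_intf": "wan1", "dst_intf": "wan2", "src": "203.0.113.5", "dst": "198.51.100.7"},
    {"src_intf": "wan1", "dst_intf": "dmz", "src": "203.0.113.9", "dst": "192.168.2.20"},
]

CLASSIFIED = {"wan1": "WAN", "wan2": "WAN", "internal": "LAN", "dmz": "DMZ"}
PARTIAL = {"wan1": "WAN", "wan2": "WAN", "internal": "LAN"}   # dmz never classified

if __name__ == "__main__":
    print(direction_summary(SAMPLE_RECORDS, CLASSIFIED))
    print(direction_summary(SAMPLE_RECORDS, PARTIAL))
```

With the dmz interface unclassified, the record for a WAN host reaching a DMZ server drops out of Incoming and lands in Unclassified, which is precisely the kind of inbound traffic a report reader would want counted.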
86. ...file to the root directory of the TFTP server. Ensure the file name is image.out.
Start the FortiLog unit. As the FortiLog unit starts the following message appears: Press any key to begin download.
Immediately press any key to begin the automatic download. The FortiLog unit connects to the TFTP server and begins downloading the firmware image. Once the download completes, the FortiLog unit loads the firmware and proceeds with the system startup.

RAID
Use the RAID (Redundant Array of Inexpensive Disks) tab to set the automatic refresh interval and view detailed log device information.

Note: RAID functionality is only available on the FortiLog-400 and FortiLog-800. These units have four hard disks and support RAID levels 0, 1 and 5.

Figure 12: RAID Status (values shown in the figure: Automatic Refresh Interval none; Log Device Configuration: Create Date Mon Aug 23 08:59:55 2004, Level RAID 1, Array Size 117218176 (120.03 GB), Device Size 117218176 (120.03 GB), Raid Disks 4, Total Disks 4; Log Device Status: Update Time Wed Dec 29 08:20:02 2004, State dirty, no errors, Working Drives 4 (HDD1 HDD2 HDD3 HDD4), Active Drives 4, Failed Drives 0, Spare Drives 0).

Automatic Refresh Interval: Select to control how often the web-based manager updates the RAID information.
Go: Select to apply the selected automatic refresh interval.
Refresh: Select to manually update the RAID information.
Create Date: Date and time when the RAID array was created.
87. ...form a large-capacity RAID 5 disk group. RAID 5 distributes data among the member disks as it is received and, at the same time, uses an amount of space roughly equivalent to one whole disk to store parity (reference) information for that data. If one of the disks in the group is damaged, you can shut down the unit and install a new disk, and the FortiLog unit restores the data onto the new disk from the parity information. If you have a unit with four disks but use only three in your RAID 5 group, the fourth serves as a spare disk: if one of the three disks is damaged, the FortiLog unit automatically fails over to the fourth disk without powering down. The approximate capacity of a RAID 5 disk group is one hard disk's worth of space less than the total rated capacity of the group. RAID 5 tolerates a single disk failure; a second failure before the rebuild completes loses the array, so replace a failed disk promptly.

Log settings
To configure the FortiLog unit to log locally or to send FortiLog log messages to a remote syslog server, go to System > Config > Log Settings. You can configure the log level, and you can use Config Policy to record event log messages. See "Log policy" on page 45 for information about the types of logs and how to configure them.

Figure 15: Log settings (Log Locally with Level, CSV format and Config Policy; Log to Host with IP, Port, Level and Config Policy).

Log Locally
Enable: Select this option to save the log messages on the FortiLog unit's own hard disks.
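The RAID level descriptions (linear, striping, mirroring, and the RAID 5 group with a spare that is completed above) each state a capacity rule and a failure-tolerance property. The following is an added example, not code from the manual or from Fortinet: it encodes those rules so an operator can compare usable log space against resilience before choosing a level, which matters because changing the level afterwards deletes the logs already on the disk. The four 120 GB disks are a constructed sample sized like the array in the RAID Status figure; the failure count for a multi-disk mirror (all but one member may fail) is the usual mirror property and is an assumption beyond the manual's two-disk description.

```python
"""RAID level planner for a FortiLog log volume.

Added example, not code from the FortiLog manual or from Fortinet. Disk sizes
are a constructed sample; the mirror failure count beyond two disks is an
assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RaidPlan:
    level: str
    usable_gb: float          # space available for log storage
    failures_tolerated: int   # member disks that may fail without losing data
    spares: int               # disks left out of the array as replacements


def plan_raid(level, disk_sizes_gb, members=None):
    """Describe the array `level` would build from `disk_sizes_gb`.

    `members` caps how many disks join the array; the remainder become spare
    disks. Capacity rules follow the manual: linear = sum of all members,
    level 0 = members x smallest, level 1 = one disk, level 5 = total less one
    disk. Linear and level 0 have no redundancy; level 5 survives exactly one
    failure; a mirror survives all but one member failing.
    """
    level = str(level).lower()
    disks = sorted(float(s) for s in disk_sizes_gb)
    if members is None:
        members = len(disks)
    if not 0 < members <= len(disks):
        raise ValueError("members must be between 1 and the number of disks")
    array = disks[len(disks) - members:]   # the largest disks join the array
    spares = len(disks) - members
    n, smallest = len(array), array[0]

    if level == "linear":
        if n < 2:
            raise ValueError("linear needs two or more disks")
        return RaidPlan("linear", sum(array), 0, spares)
    if level in ("0", "striping"):
        if n < 2:
            raise ValueError("RAID 0 needs two or more disks")
        return RaidPlan("0", n * smallest, 0, spares)
    if level in ("1", "mirroring"):
        if n < 2:
            raise ValueError("RAID 1 needs two or more disks")
        return RaidPlan("1", smallest, n - 1, spares)
    if level == "5":
        if n < 3:
            raise ValueError("RAID 5 needs three or more disks")
        return RaidPlan("5", (n - 1) * smallest, 1, spares)
    raise ValueError(f"unsupported RAID level {level!r}")


def compare_levels(disk_sizes_gb):
    """One RaidPlan per supported level. With four or more disks, RAID 5 is
    built from all but one disk so the last one stays as a spare."""
    plans = [plan_raid(lvl, disk_sizes_gb) for lvl in ("linear", "0", "1")]
    n = len(disk_sizes_gb)
    if n >= 4:
        plans.append(plan_raid("5", disk_sizes_gb, members=n - 1))
    elif n == 3:
        plans.append(plan_raid("5", disk_sizes_gb))
    return plans


if __name__ == "__main__":
    SAMPLE_DISKS_GB = [120, 120, 120, 120]   # constructed: a four-disk unit
    for plan in compare_levels(SAMPLE_DISKS_GB):
        print(f"level {plan.level:>6}: {plan.usable_gb:7.1f} GB usable, "
              f"tolerates {plan.failures_tolerated} failure(s), "
              f"{plan.spares} spare(s)")
```

For four 120 GB disks the planner reports 480 GB (linear), 480 GB (level 0), 120 GB (level 1) and 240 GB (level 5 with a spare), which makes the trade the RAID section describes concrete: the two largest volumes are the two that lose every log on a single disk failure.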
88. Creating a query profile 60
Selecting the devices for the report 60
Creating a device profile 61
Select filtering options 61
Creating a filter profile 62
Setting a report schedule 62
Creating a report schedule profile 63
Choosing the report destination and format 63
Creating a report destination and format profile 64
Reports on demand 64
Viewing reports 65
Roll-up reports 66
Individual reports 66
Vulnerability reports 67
Creating and generating a report 67
89. ...log file. There are two methods of finding information in the log:
• Basic filter provides a simple filtering mechanism to search the log file for a specific keyword. The keyword search applies to all columns of the log file.
• Standard filter performs a more detailed search of the log. With a standard search you can set specific search criteria for each column of information in the log. You can also enable or disable individual criteria for greater search accuracy.

To perform a basic search of the log contents:
1. Go to File Browse > Logs.
2. Select a device and log file.
3. In the log view, select Column Settings at the top of the page.
4. Set the Search to Basic.
(Figure 44: Basic log filter.)
5. Do the following to search the log using the Basic log filter:
Show: Select the columns of information you want to view in the log.
Lines per page: Enter the number of log entries you want to see on each page.
Keyword: Enter the words you want to find in the log.
6. Select Apply.

To perform a standard search of the log contents:
1. Go to File Browse > Logs.
2. Select a device and log file.
3. In the log view, select Column Settings at the top of the page.
4. Set the Search to Standard.
(Figure 45: Standard log filter, shown with 20 lines per page.)
5. Do the following to search the log using the Standard log filter:
Show: Select the columns of information you want to
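The Basic and Standard filters above, together with the match-all/match-any and Not options of the report filter, are a small query language over log columns. The following is an added example, not code from the manual or from Fortinet: it implements a Basic filter that looks for a keyword in every column, a Standard filter of per-column criteria that can each be negated or disabled and are combined with all or any, and the Show column selection. The column names and the five sample records are constructed; real FortiLog logs have more columns, but the matching logic does not depend on which ones exist.

```python
"""Basic and Standard log filtering over FortiLog log columns.

Added example, not code from the FortiLog manual or from Fortinet. Column
names and the sample records are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    column: str
    value: str
    negate: bool = False     # the "Not" check box
    enabled: bool = True     # a disabled criterion is ignored

    def matches(self, record):
        """Case-insensitive substring match on one column; a missing column
        never matches, so a negated criterion on a missing column matches."""
        cell = str(record.get(self.column, ""))
        hit = self.value.lower() in cell.lower()
        return not hit if self.negate else hit


def basic_filter(records, keyword):
    """The Basic filter: keep records with `keyword` in any column."""
    kw = keyword.lower()
    return [r for r in records if any(kw in str(v).lower() for v in r.values())]


def standard_filter(records, criteria, mode="all"):
    """The Standard filter: per-column criteria combined with all/any."""
    if mode not in ("all", "any"):
        raise ValueError("mode must be 'all' or 'any'")
    active = [c for c in criteria if c.enabled]
    if not active:
        return list(records)          # nothing to filter on
    combine = all if mode == "all" else any
    return [r for r in records if combine(c.matches(r) for c in active)]


def project(records, columns):
    """The Show setting: keep only the chosen columns, in order."""
    return [{c: r.get(c, "") for c in columns} for r in records]


# Constructed sample log records (columns chosen to mirror the filter options).
SAMPLE_LOG = [
    {"date": "2005-01-15", "time": "08:01:10", "device": "FGT-60", "priority": "warning",
     "src": "192.168.1.10", "dst": "203.0.113.5", "interface": "wan1", "vdom": "root",
     "msg": "denied by policy 3"},
    {"date": "2005-01-15", "time": "08:02:31", "device": "FGT-60", "priority": "alert",
     "src": "203.0.113.9", "dst": "192.168.2.20", "interface": "wan1", "vdom": "root",
     "msg": "attack signature Code.Red detected"},
    {"date": "2005-01-15", "time": "08:03:00", "device": "FGT-300A", "priority": "information",
     "src": "192.168.1.11", "dst": "198.51.100.7", "interface": "internal", "vdom": "root",
     "msg": "accept: HTTP"},
    {"date": "2005-01-15", "time": "08:04:12", "device": "FGT-300A", "priority": "alert",
     "src": "192.168.1.11", "dst": "203.0.113.5", "interface": "internal", "vdom": "vd1",
     "msg": "denied by policy 7"},
    {"date": "2005-01-15", "time": "08:05:45", "device": "FGT-60", "priority": "notification",
     "src": "192.168.1.12", "dst": "203.0.113.5", "interface": "wan1", "vdom": "root",
     "msg": "admin login"},
]

if __name__ == "__main__":
    print(len(basic_filter(SAMPLE_LOG, "denied")))
    alerts_not_vd1 = standard_filter(SAMPLE_LOG, [Criterion("priority", "alert"),
                                                  Criterion("vdom", "vd1", negate=True)])
    print(project(alerts_not_vd1, ["time", "device", "msg"]))
```

Substring matching is deliberate because it is what a keyword box does, but it is also why a Basic search for an address such as 203.0.113.5 must be read carefully: it would also match 203.0.113.50, so a Standard criterion on the destination column,, or a keyword that includes the surrounding delimiters, gives a tighter answer.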
90. together for easier access. Once you create a group you can add or remove devices from the group as required.

To create a device group:
1. Go to System > Devices > Groups.
2. Select Create New.
3. Enter a group name.
4. Select the devices you wish to add to the group.
5. Select OK.

You do not have to add devices to the group when you first create it. There are several other ways of adding a device to a group:
• add devices when registering them
• select Edit to add or remove devices when required
• in the Selected Devices tab, select the device and select Assign Selected

Managing the FortiLog unit
Using the FortiLog system settings you can view the operating status of the FortiLog unit and configure the FortiLog unit for your network. You can also use system settings to configure RAID (Redundant Array of Inexpensive Disks) settings on the FortiLog-400 and FortiLog-800, set email alerts and set the system time.

This chapter includes topics on:
• Status
• Config
• Devices
• Active mode
• Alert Email
• Network Sharing

Status
Use the system status pages to view and monitor the status of the FortiLog unit. The status information includes basic system information, alert information, CPU usage, memory usage, hard disk usage and network utilization, RAID information for the FortiLog-400 and FortiLog-800, and a list of all of the comm
91. ...logs from the devices. For details on adding a device see "Sending device logs to the FortiLog unit" on page 23.

Unregistered devices on the network that you have configured to send logs to the FortiLog unit are listed at the bottom of the Devices page. Before the FortiLog unit can generate log reports for an unregistered device you must register it. To register an unregistered device, select Add to the right of the device name. For complete details on registering a device see "Configuring the FortiLog unit" on page 26. Confirm that each unregistered entry is a device you own before registering it, since registration is what admits its logs into reports.

Editing device information
After adding a FortiGate, FortiMail or Syslog device to the FortiLog unit you can modify the device information as required.

Figure 22: Editing a device (fields: Device Name; Group; Device ID; Secure Connection yes/no; Pre-shared Key; Allocated Disk Space (MB), with the free space still available; Max Log File Size (MB), 10 to 100 MB; Max Log File Age (days); When Allocated Disk Space is All Used: Overwrite Oldest Log Files or Stop Logging; FortiGate Interface Specification).

To edit a device:
1. Go to System > Devices.
2. For the device you want to edit, select Edit.
3. Modify the device information and select an Interface Type for each interface as required.
4. Select OK.
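The per-device settings on the Edit Device page (Allocated Disk Space, Max Log File Size, Max Log File Age, and what to do when the allocation is full) interact over time, and the choice between Overwrite Oldest Log Files and Stop Logging decides which evidence is sacrificed. The following is an added example, not code from the manual or from Fortinet: it simulates a device's log store under those settings so an administrator can see, before the allocation fills, that overwriting keeps recording but discards the oldest history while stopping preserves history but drops new events. File sizes, day counters and the device's daily log volume are constructed, and one log file per day is assumed for simplicity.

```python
"""Per-device log storage policy simulation for the Edit Device settings.

Added example, not code from the FortiLog manual or from Fortinet. Sizes,
day counters and daily log volume are constructed; one file per day is an
assumption.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DevicePolicy:
    allocated_mb: float           # Allocated Disk Space (MB)
    max_file_mb: float            # Max Log File Size (MB), 10 to 100 per the manual
    max_age_days: int             # Max Log File Age (days)
    when_full: str                # "overwrite_oldest" or "stop_logging"

    def __post_init__(self):
        if not 10 <= self.max_file_mb <= 100:
            raise ValueError("Max Log File Size must be between 10 and 100 MB")
        if self.when_full not in ("overwrite_oldest", "stop_logging"):
            raise ValueError("when_full must be overwrite_oldest or stop_logging")


@dataclass
class LogFile:
    day: int
    size_mb: float = 0.0


@dataclass
class DeviceLogStore:
    policy: DevicePolicy
    files: list = field(default_factory=list)
    dropped_mb: float = 0.0          # new log data lost under stop_logging
    overwritten_mb: float = 0.0      # old log data lost under overwrite_oldest

    def used_mb(self):
        return sum(f.size_mb for f in self.files)

    def expire(self, today):
        """Delete files older than Max Log File Age."""
        self.files = [f for f in self.files
                      if today - f.day < self.policy.max_age_days]

    def write(self, today, size_mb):
        """Record `size_mb` of log data arriving on `today`; True if stored."""
        self.expire(today)
        # Make room first, so the when-full decision is taken before writing.
        while self.used_mb() + size_mb > self.policy.allocated_mb:
            if self.policy.when_full == "stop_logging" or not self.files:
                self.dropped_mb += size_mb
                return False
            oldest = self.files.pop(0)
            self.overwritten_mb += oldest.size_mb
        cur = self.files[-1] if self.files else None
        if (cur is None or cur.day != today
                or cur.size_mb + size_mb > self.policy.max_file_mb):
            cur = LogFile(today)             # rotate to a new log file
            self.files.append(cur)
        cur.size_mb += size_mb
        return True

    def retained_days(self):
        return sorted({f.day for f in self.files})


def simulate(policy, daily_mb, days):
    """Feed `daily_mb` of logs per day for `days` days; return the store."""
    store = DeviceLogStore(policy)
    for day in range(1, days + 1):
        store.write(day, daily_mb)
    return store


if __name__ == "__main__":
    for mode in ("overwrite_oldest", "stop_logging"):
        policy = DevicePolicy(allocated_mb=100, max_file_mb=10,
                              max_age_days=30, when_full=mode)
        store = simulate(policy, daily_mb=10, days=12)
        print(mode, "keeps days", store.retained_days(),
              "dropped", store.dropped_mb, "overwritten", store.overwritten_mb)
```

Twelve days of 10 MB into a 100 MB allocation gives the two outcomes side by side: overwrite keeps days 3 to 12 and loses the first two, stop keeps days 1 to 10 and silently loses days 11 and 12, which is the gap an investigator would find when looking for the most recent events. Sizing the allocation against the daily volume and the age limit avoids having to make that choice at all.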
92. ...batch | line}: Set the console mode to batch or line. The default setting is line.

set console page <integer_0>: Set the number of lines that appear on each page of command line console output. The default setting is 25. Set this value to 0 to allow output to flow without paging. <integer_0> is the number of lines that appear on each page of command line console output.

set log
Use set log to configure log settings.

Table 8: set log command architecture
set log client deviceid <string> {secure {yes | no} | psk <string> | space <number> | filesz <integer> | fileage <integer> | spacefull {overwrite_oldest | stop_logging} | devicegroup <string>}
set log raid <raid_level>
set log uuid <raid_uuid>
set log console {status {enable | disable} | loglevel <severity_integer>}
set log setting syslog local {status {enable | disable} | loglevel <severity_integer> | csv {enable | disable}}
set log setting syslog remote {enable | disable | server <server_ip> [port <port_integer>] [loglevel <severity_integer>] [csv {enable | disable}]}
set log setting memory {status {enable | disable} | loglevel <severity_integer>}
set log setting diskfull
93. ...the schedule as a schedule profile. After creating a schedule profile you can select the profile for use in other reports.

To create a report schedule profile:
1. Select New, or start with an existing profile by selecting the profile and selecting Clone.
2. Enter a name for the profile and select OK.
3. Select the schedule for the report.
4. Select Apply.

Choosing the report destination and format
Select the destination and format for the report. You can configure the FortiLog unit to save reports to the FortiLog hard disk, to email the report to any number of recipients, or both. The default is to save the report to the FortiLog hard disk in HTML format. You can save the output options for use in other reports.

Figure 33: Select a file format (report output profile with File Browse Reports formats HTML, PDF, MS Word and Text, and an Email list with the same formats).

To select the report destination and format:
1. Go to Reports > Config.
2. Select a report from the list.
3. Select Output.
4. Set the following options:
File Browse Reports: Select the file format for the generated reports that are saved to the FortiLog hard disk. To access the reports on the hard d
94. When setting top ranked items, the report includes only the most active content, for example the most active mail clients within the organization rather than all mail clients.
5. Select Apply.

Configuring a report query
Select the specific information you need to generate a more concise report. Each report category includes a refined list of sub-categories that report specific information. For example, you can generate an extensive intrusion activity report, or only intrusion activity by attacks, by top types or by hour of the day. The default is to run a report for all information in the log files. Select the specific information you want to include in the report. Reports are listed by category and sub-category. You can save the report query selections to use in other reports.

Figure 29: Report query options (report tabs Queries, Devices, Filter, Schedule and Output; a "Select a query" list with New, Clone, Rename, Delete and Edit; query categories Network_Activity, Web_Activity, FTP_Activity, Terminal_Activity, Mail_Activity, Intrusion_Activity, Antivirus_Activity, WebFilter_Activity, MailFilter_Activity, VPN_Activity and Content_Activity).

To set the report queries:
1. Go to Reports > Config.
2. Select a report from the list.
3. Select
95. ... 26
Adding a device 26
Defining device port interfaces 27
Creating Device Groups 28
Managing the FortiLog unit 29
Status 29
Changing the FortiLog host name 31
Changing operating mode 31
Viewing system resources information 32
Changing the firmware 32
Installing firmware from a system reboot 33
Testing a new firmware image 35
Installing a backup firmware image 36
Switching to a backup firmware image 38
Switching to the default firmware image 38
96. ients Traffic Top Mail Servers by Top Clients Connections 32 Top Mail Servers by Top Clients 28 Traffic 2 WebFilter Activity 23 Intrusion Activity 20 16 12 8 4 o Day of Week Select a report category to expand the list of report sub categories Selecting a report name in the left frame displays the report in the right frame Individual reports Individual reports have the same look and functionality as the roll up reports when viewing the HTML file format When you view the report in one of the alternate formats only the right frame with the report information is included 66 05 16000 0082 20050115 Fortinet Inc Reports Vulnerability reports Figure 36 VPN activity report in PDF W adobe Reader PN_Activity pdF D xj TE Ale Edt view Document Tods Window Help x J i ssar B seectmage w A oO oa VPN Activity Period 2004 09 01 2004 09 28 Devices FGT 300A Generated on 2004 09 28 09 44 Total VPN Activity by Date and Direction traffic Total VPN Activity by Date and Direction traffic Date Traffic Direction Traffic kB of Subtotal 2004 09 25 incoming s 50 00 a eee 40 00 004 09 27 A A outgoing aes 2 64 S T T vase ss 2004 09 28 pniti o te ena A Po Total 21452 100 Layers ff Snares ff Bookmarks S Total VPN Activity by Date and Direction traffic CSS ee Se re eee er 200
97. …view files on the FortiLog hard disk.
Managing the FortiLog unit describes how to view and configure the FortiLog system settings, such as system time, session information and user management.
Reports describes how to generate, customize and view log reports, and how to generate vulnerability reports for selected devices.
Using Logs describes how to select and view device and FortiLog log files. It also describes customizing the log views to find information in the logs more easily, as well as watching logs in real time.
Using the FortiLog unit as a NAS describes how to use the FortiLog unit as a file storage device and how to provide access to users and groups.
FortiLog CLI reference is a source for commands when accessing the FortiLog unit from the CLI.
Appendix A, Log Report Types, provides an extensive list of the more than 130 log reports that the FortiLog unit can generate.
This document is available in online help format from the web-based manager. To access the online help, select the question mark icon in the upper right corner of the web-based manager window.

FortiLog documentation
FortiLog Administration Guide: Describes how to install and configure a FortiLog unit to collect FortiGate and FortiMail log files. It also describes how to view FortiGate and FortiMail log files, generate and view log reports, and use the FortiLog unit as a NAS server.
FortiLog online help: Provides a searchable version of the Administration Guide in HTML format…
98. …file to the FortiLog unit. The FortiLog restarts, loading the new system settings. Reconnect to the web-based manager and review your configuration to confirm that the uploaded system settings have taken effect.

Restore factory default system settings
Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the firmware version.
Caution: This procedure deletes all changes that you have made to the FortiLog configuration and reverts the system to its original configuration, including resetting interface addresses.
To restore system settings to factory defaults
1 Go to System > Status > Status.
2 For System Settings, select Restore Factory Defaults.
3 Select OK to confirm.
The FortiLog unit restarts with the configuration that it had when it was first powered on.

Restoring a FortiLog unit
Use the following procedure if the FortiLog unit cannot complete the startup procedure. When this event occurs, you cannot connect to the FortiLog unit through the web-based manager or the CLI. The cause may be a corrupted firmware image.
To use the following procedure, you must have a TFTP server that the FortiLog unit can connect to. The TFTP server IP address must be set to 192.168.1.168.
To upload the firmware image to the FortiLog unit
1 Make sure the TFTP server is running.
2 Copy the firmware image …
99. …image from the TFTP server.
Type the address of the TFTP server and press Enter. The following message appears:
Enter Local Address 192.168.1.188:
Type the address of the interface of the FortiLog unit that can connect to the TFTP server and press Enter. The following message appears:
Enter File Name image.out:
Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiLog unit and a message similar to the following appears:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
Type B.
The FortiLog unit saves the backup firmware image and restarts. When the FortiLog unit restarts, it is running the previously installed firmware version.

Switching to a backup firmware image
Use this procedure to switch the FortiLog unit to operating with a backup firmware image that you previously installed. When you switch the FortiLog unit to the backup firmware image, the FortiLog unit operates using the configuration that was saved with that firmware image. If you install a new backup image from a reboot, the configuration saved with this firmware image is the factory default configuration. If you use the procedure "Switching to the default firmware image" on page 38 to switch to a backup firmware image that was previously running as the default firmware image, the configuration saved …
100. …ing
HTTP: To allow HTTP connections to the FortiLog web-based manager. HTTP connections are not secure and can be intercepted by a third party.
SSH: To allow secure SSH connections to the FortiLog CLI.
SNMP: To allow a remote SNMP manager to request SNMP information by connecting to this interface.
TELNET: To allow Telnet connections to the FortiLog CLI. Telnet connections are not secure and can be intercepted by a third party.

Configure Administrator access
Configure administrative access to allow remote administration of the FortiLog unit. However, allowing remote administration could compromise the security of your FortiLog unit. To improve the security of a FortiLog unit, use the following principles when configuring administrative access:
• Use secure administrator passwords.
• Change these passwords regularly.
• Enable secure administrative access to this interface using only HTTPS or SSH.
• Do not change the system idle timeout from the default value of 5 minutes.
To configure administrative access to the FortiLog unit
1 Go to System > Config > Admin.
2 Select the Administrative Access methods for the FortiLog unit.
3 Select Apply.

Administrator account levels
When the FortiLog unit is initially installed, it is configured with a single administrator account with the user name of admin. From this administrator account you can add and edit adminis…
101. …disk, see "Viewing reports" on page 65.
Email it: Select the file formats for the generated reports that the FortiLog unit sends as an email attachment.
Email address list: Enter the email addresses of the recipients of the report. Add multiple recipients by pressing Enter after each email address.
Select Apply.

Creating a report destination and format profile
You can save the selections in an output profile. After creating an output profile, you can select the profile for use in other reports.
To create a pre-defined output selection
1 Select New, or start with an existing profile by selecting the profile and selecting Clone.
2 Enter a name for the profile and select OK.
3 Select the destination and format options.
4 Select Apply.

Reports on demand
Reports on demand provide an instant report. When requesting a report, the FortiLog unit compiles the data from the available device logs and immediately generates a report based on your requirements and the log data available. The on-demand reports include the same information and options as a scheduled report.
To generate a report on demand
1 Go to Reports > Config.
2 Select a report from the list or select options for the report.
3 Select Run now.

Viewing reports
Use the FortiLog web-based manager to view a list of the generated reports. The generated reports are available in HTML, PDF, RTF and ASCII text formats.
102. (FortiLog CLI reference, CLI commands, continued)
set alertmail device enable add levelnum emergency | alert | critical | error | warning | notification | information
  Set the level to monitor before sending an alert message. The FortiLog unit sends alert email for all messages at and above the logging severity level you set.
set alertmail device enable add eventnum 1 | 5 | 10 | 20 | 50 | 100 | 500 | 1000
  Set the number of selected events that occur before the FortiLog unit sends an alert message. Use this setting in conjunction with the setting below.
set alertmail device enable add leveltime 0.5 | 1.0 | 3.0 | 6.0 | 12.0 | 24.0 | 72.0 | 168.0
  Set the wait time for the number of events to occur within before sending an alert email for the specified level log messages. Use this setting in conjunction with the setting above.
set alertmail device enable add leveldevice all | per
  Set the level setting to monitor each device separately or as a group.
set alertmail device enable add attackalert enable | disable
  Enable or disable the monitoring of specific attack types.
set alertmail device enable add attackany any | some
  Set the FortiLog to monitor for any attack types or specific attacks. Use in conjunction with the next command.
set alertmail device enable add attackeywords <keyword1 keyword2 …>
set alertmail device enable add attacknum 1 | 5 | 10 | 20 | 50 | 100 | 5…
103. …k file share path

set report
Use set report to configure the FortiLog report settings.
Table 10: set report command architecture
set report resolve <services | aliases>
set report alias <alias> hostnetrange <x.x.x.x/n y.y.y.y/n>
Commands and descriptions:
set report resolve <services | aliases>: Select Resolve IP Ports to Service Name to view the port number by its service name. For example, display HTTP rather than port 80.
set report alias <alias> hostnetrange <x.x.x.x/n y.y.y.y/n>: Set the alias name for the IP address of the host, network, or IP range.

set system
Use set system to configure the FortiLog system settings.
Table 11: set system command architecture (flattened tree; entries recoverable from the page)
set system admin username <name_str> password <password_str> permission readonly | admin | readwrite
set system admin username <name_str> trusthost <XXX.XXX.XXX.XXX> or <0.0.0.0> (for anyip) mask <XXX.XXX.XXX.XXX> or <0.0.0.0> (for anynet)
set system admin username <name_str> status enable | disable
set system dns primary XXX.XXX.XXX.XXX | none
set system dns secondary XXX.XXX.XXX.XXX | none
set system hostname <hostname_str>
set system interface … config allowaccess ping | https | ssh | snmp …
104. …backup firmware image that had been running as the default firmware image. When you switch to this backup firmware image, the configuration saved with this firmware image is restored.
To switch back to the default firmware image
1 For all three FortiLog models, use terminal emulation software to access the unit's CLI. For the FortiLog-800 unit, you can also access the unit's CLI by connecting the null modem cable provided to the unit's console port.
2 Enter the following command to restart the FortiLog unit:
execute reboot
As the FortiLog unit starts, a series of system startup messages are displayed. When the following message appears:
Press any key to enter configuration menu
3 Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiLog unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following message appears:
G: Get firmware image from TFTP server
F: Format boot device
B: Boot with backup firmware and set as default
Q: Quit menu and continue to boot with default firmware
H: Display this list of options
Enter G, F, B, Q, or H:
4 Type B to load the backup firmware image.
The FortiLog unit loads the backup firmware image and restarts. When …
105. …set alertmail local alert enable | disable: Enable the alert messages for the FortiLog unit.
set alertmail local localmailaddr <string>: Set the email address where the FortiLog unit will send the alert messages.
set alertmail local level emergency | alert | critical | error | warning | notification | information: Set the level to monitor before sending an alert message. The FortiLog unit sends alert email for all messages at and above the logging severity level you set.
set alertmail local eventnum 1 | 5 | 10 | 20 | 50 | 100 | 500 | 1000: Set the number of selected events that occur before the FortiLog unit sends an alert message. Use this setting in conjunction with the setting below.
set alertmail local time 0.5 | 1.0 | 3.0 | 6.0 | 12.0 | 24.0 | 72.0 | 168.0: Set the wait time for the number of events to occur within before sending an alert email for the specified level log messages. Use this setting in conjunction with the setting above.
set alertmail device enable | disable: Enable or disable the monitoring of device logs for alert messages.
set alertmail device enable add name <string>: Add a device name to the alertmail list.
set alertmail device enable add devlist <string>: Add a device group to the alertmail list.
set alertmail device enable add levelalert enable | disable: Enable the level alert option to set the level the FortiLog unit will monitor before sending an alert message.
106. …lation
Connecting the FortiLog unit
Configuring the FortiLog unit

Checking the package contents
The FortiLog family includes three models. Check the model number on the front panel of your FortiLog unit. All three models are shown in the picture below.
FortiLog-100: desktop model with one hard drive
FortiLog-400: desktop model with four hard drives
FortiLog-800: rackmount model with four hard drives
Table 1: FortiLog unit connectors (Connector; Type; Speed; Protocol; Description)
LAN (FortiLog-100), LAN 1 (FortiLog-400 and FortiLog-800); RJ-45; 10/100Base-T (FortiLog-100), 10/100/1000Base-T (FortiLog-400 and 800); Ethernet; Connection to the network.
CONSOLE (FortiLog-800 only); DB-9; 9600 bps; RS-232 serial; Connection to the management computer. Provides access to the command line interface (CLI).
Figure 5: FortiLog front and back diagrams
[Figure residue. Labelled parts, FortiLog-100 and FortiLog-400: front, LED indicators (Power, Error, Network, Disk Access), Setting Switches A and B, LCD Panel, Reset Switch, Power Switch; back, LAN1 Network Connection, LAN2 and LAN3 (For Future Use), Power Connection, ATX Redundant Power Supplies. FortiLog-800: front …]
107. …file system 81
Providing access to the FortiLog hard disk 82
Selecting a file sharing protocol 82
Adding and modifying user accounts 82
Adding and modifying group accounts 83
Assigning access to folders 83
Modifying the user or group folder access 85
Setting folder and file properties 86
FortiLog CLI reference 87
CLI documentation conventions 87
Connecting to the CLI 88
Connecting to the FortiLog-800 console 88
Setting administrative access for SSH or Telnet 89
Conn…
108. (Table 8: set log command architecture, flattened tree; entries recoverable from the page)
set log destination syslog | local | console
  status enable | disable
  loglevel <severity_integer>
  csv enable | disable
set log policy …
set log event status enable | disable
  category configuration | ipsec | login | ipmac | system | routegateway | none
set log devtype <string>

(set report tree, flattened; entries recoverable from the page)
set report name <report_name>
  period from <YY MM DD HH> to <YY MM DD HH> | today | yesterday | this year | quarter | month | week | last year | quarter | month | week | nweeks <weeks> | ndays <days> | nhours <hours>
  results top | vdom | dev | all, x <integer 0-99>, y <integer 0-99>
  resolve ip | port
  queryset <string>
  deviceset <string>
  filters <string>
  schedule <string>
  output <string>
  run
set report queryset <name of queryset> <qry_indexes>
set report deviceset <string> all | 0 4 5
set report filters <string>
set report schedule <string> none | hours <hour> | daily | days mon t…
109. [Figure residue, continued: System Status page. System Time Tue Jan 4 15:20:47 2003; Active Sessions 2; Log Hard Disk RAID 1 Intact; Disk Space 114299/114467 MB; Unit Information: Host Name FortiLog-400, Firmware Version FortiLog-400 1.60 build023 041222, Serial Number FLG400 2704000001, Operation Mode Passive; System Settings: Backup, Restore, Restore Factory Defaults; System Command: Restart, Shutdown; Format, History, Change and Update buttons.]
FortiLog units running in Passive mode provide secure storage space. Using the integrated RAID (Redundant Arrays of Inexpensive Disks) functionality provides better data security.
Note: RAID functionality is only available on the FortiLog-400 and 800. These units contain four hard disks and support RAID levels 0, 1 and 5.

About this guide
Introduction
This document describes how to set up and configure the FortiLog unit. The configuration and features of the FortiLog unit are similar in either mode. Section titles indicate where the features or configuration differ or are unique to each mode, for example "Devices (Active mode)".
This document has the following sections:
Setting up the FortiLog unit describes how to set up and install the FortiLog unit in your network.
Connecting to the FortiLog Unit describes how to connect a FortiGate and FortiMail device to the FortiLog unit for collecting log files. It also discusses the requirements to help users connect and v…
110. …from the list.
Select Plug-ins.
Select the plug-ins to include in the report.
Select Apply.

Creating a plug-in profile
You can save the selections as a plug-in profile. After creating a plug-in profile, you can select the profile for use in other vulnerability reports.
To create a plug-in profile
1 Select New.
2 Enter a name for the profile and select OK.
3 Select the plug-ins to include in the query profile.
4 Select Apply.

Selecting the scan targets for the report
Scan targets are the devices the FortiLog scans for vulnerability threats. You can save the device selections to use in other reports.
Figure 39: Selecting scan targets
[Figure residue: Report, Plugins and Output tabs; Select Scan Targets profile "Default" with New and Delete; Available IP Aliases: FortiGate-400 172.20.140.25, FortiWiFi-60 172.20.120.124; Selected IP Aliases: FortiGate-400 172.20.140.25; Run now.]
To select the scan targets
1 Go to Reports > Config > Vulnerability.
2 Select a report from the list.
3 Select Scan Targets.
4 Select devices from the Available IP Aliases list.
5 Select the right arrow to move the device to the Selected IP Aliases list.
6 To add additional devices, select Create New and repeat steps 4 and 5.
7 Select Apply.
To add additional devices
Select Cre…
111. …mail events.
Top Mail Clients (Traffic): Email clients by traffic in megabytes.
Top Mail Servers By Top Clients (Connections): Email servers by top email client by mail event.
Top Mail Servers By Top Clients (Traffic): Email servers by top email client by traffic in megabytes.

Intrusion Activity
Intrusion activity reports record top network attacks and top attacks by a specific time.
Report: Description
Attacks By Date And Top Attack Types: Network attack types by intrusion event for a specified date or range of days.
Attacks By Day Of Week And Top Attack Types: Daily network attack types by intrusion event for a specified week.
Attacks By Hour Of Day And Top Attack Types: Hourly network attack types by intrusion event for a specified period.
Attacks By Top Attack Types: Attack types by number of intrusion events.
Attacks By Top Attack Types And Target Device: Attack types by target device and number of intrusion events.
Attacks By Top Attack Types And Top Attack Source IP: Attack types by source IP and number of intrusion events.
Attacks By Target Device And Top Attack Types: Destination IP and attack types by number of intrusion events.

Antivirus Activity
Antivirus activity reports record total antivirus attacks by time, attack event types, top senders and top receivers.
112. …same source IP or targets of the same attack.
Select Show me.
Figure 48: Event Correlation results
[Figure residue: Event Correlation Wizard, Explore Related Incidents; page 1 of 22; Show me: attacks from same source; columns Log Time, Device ID, Source, Destination, Message.]
Page: Use the page arrows or enter the page number to move to a different page of the event correlation results.
Sort list: Select an attack sort for viewing the results. You can choose from Attacks from the same source or Other targets of the same attack.
Show me: Select Show me to view the selection from the sort list.
…: The number of entries for the attack report.
Log time: The date and time of the attack.
Device ID: The name of the device subjected to the attack.
Source: The source IP address of the attack.
Destination: The IP address of the device subjected to the attack.
Message: The attack message logged for the device. The message also includes a link to the FortiProtect web site for further details on the type of attack.

Using the FortiLog unit as a NAS
Users can save, store and access information on the FortiLog hard disk as an alternate means of storing important files and work. To provide users with access to the FortiLog file system, you must:
• configure the FortiLog unit to use Windows sharing or Network File System (NFS)
• configure u…
113. Connecting to the FortiLog Unit
In order for the FortiLog to receive log files, you need to configure the FortiGate, FortiMail or syslog devices to send log files to the FortiLog unit. You also need to configure the FortiLog unit to accept the log files from these devices.
This chapter explains how to set up your devices to send log files to the FortiLog unit running in Active mode. If you are using the FortiLog device in Passive mode, you do not have to read this chapter.
This chapter includes:
• Sending device logs to the FortiLog unit
• Configuring the FortiLog unit

Sending device logs to the FortiLog unit
When running in Active mode, the FortiLog unit collects log files from FortiGate, FortiMail and syslog devices and uses those logs to generate detailed reports. Before this can occur, you need to configure the devices to send the log files to the FortiLog unit. You also need to configure the FortiLog unit to receive the log files.

Configuring a FortiGate unit running FortiOS 2.8
To configure the FortiGate unit to send log files to the FortiLog unit
1 Log on to the FortiGate unit.
2 Go to Log & Report > Log Config.
3 Select FortiLog.
4 Select the blue arrow beside the FortiLog selection.
Figure 7: FortiGate 2.8 log settings
[Figure residue: Log Settings dialog; FortiLog IP 172.20.120.138; Level Err…]
114. (Table 6: set alertemail command architecture, flattened tree; entries recoverable from the page)
  … | information
  eventnum 1 | 5 | 10 | 20 | 50 | 100 | 500 | 1000
  time 0.5 | 1.0 | 3.0 | 6.0 | 12.0 | 24.0 | 72.0 | 168.0
set alertemail device enable | disable
  add name <string>
  devlist <string>
  levelalert enable | disable
  levelnum emergency | alert | critical | error | warning | notification | information
  eventnum 1 | 5 | 10 | 20 | 50 | 100 | 500 | 1000
  leveltime 0.5 | 1.0 | 3.0 | 6.0 | 12.0 | 24.0 | 72.0 | 168.0
  leveldevice all | per
  attackalert enable | disable
  attackany any | some
  attackeywords <keyword1 keyword2 …>
  attacknum 1 | 5 | 10 | 20 | 50 | 100 | 500 | 1000
  attacktime 0.5 | 1.0 | 3.0 | 6.0 | 12.0 | 24.0 | 72.0 | 168.0
  attackdevice all | per
  attacksingle y | n
  virusalert enable | disable
  virusany any | some
  viruskeywords <keyword1 keyword2 …>
  virusnum 1 | 5 | 10 | 20 | 50 | 100 | 500 | 1000
set alertemail disa…
115. Creating and saving a report configuration
You can use this report configuration for a scheduled report or for generating reports on demand.
To create a report
1 Go to Reports > Config.
2 Select New and enter a name for the report.
3 Set the following:
• Configuring report parameters on page 58
• Configuring a report query on page 59
• Selecting the devices for the report on page 60
• Select filtering options on page 61
• Setting a report schedule on page 62
• Choosing the report destination and format on page 63
4 Select Run now.

Configuring report parameters
Report parameters define the reporting period the FortiLog unit uses when gathering the information from the device logs. Report parameters include:
• the reporting period
• the specific device or all device logs submitted to the FortiLog unit
• the top ranked values for specific report categories
Figure 28: Report parameter settings
[Figure residue: Report, Queries, Devices, Filter, Schedule and Output tabs for Report_1 (weekly query; All; None; Daily 6pm; Disk, HTML; Run now). Fields: Name; Time period (last 7 Days, or From Date/Hour to Date/Hour); Results For (all devices, Per device, Per Virtual Domain); Resolve Host Names; Resolve Service Names; In Ranked R…]
116. Using the FortiLog unit as a NAS: Providing access to the FortiLog hard disk (continued)
Figure 50: NFS share configuration
[Figure residue: Export Configuration dialog; Local Path (with Local Path button); Remote Client (e.g. fortinet.com or 192.168.1.0/24); Read Only Access; Read Write Access.]
3 Select the Local Path button to select the folder for the users or groups to access.
Note: The default permissions for files and folders are read and execute privileges. The owner of the document also has write privileges. To enable write permissions for users and groups, you must select the write permission for the folder and for the user and the group. For details, see "Setting folder and file properties" on page 86.
4 Select OK.
5 Enter the IP address of the remote system or user ID.
6 Select user and group names from the Available Users & Groups box. Hold the Ctrl key to select multiple users.
7 Select the type of access rights the users and groups will have and select the appropriate right arrow to move the user or group name to the Read Only Access or Read Write Access boxes.
8 Select OK.

Modifying the user or group folder access
At any time you can modify a user or group folder access to the FortiLog unit. You can also delete the access rights.
To modify the FortiLog folder access
1 Go to Network Sharing > Access.
2 In the Modify column, select Edit to update the access rights for a user or group, or in the Modify column sel…
117. …settings. You can also use the web-based manager to monitor the status of the FortiLog unit, administer users and groups, and set access rights.
The web-based manager has a similar look and feel to a FortiGate 2.8 web-based manager. Using a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiLog unit. Configuration changes made using the web-based manager are effective immediately, without resetting the firewall or interrupting service. Once you are satisfied with a configuration, you can download and save it. You can restore the saved configuration at any time.
For all three FortiLog models, use the following procedure to connect to the web-based manager for the first time.
To connect to the web-based manager, you need:
• An Ethernet connection between the FortiLog unit and the management computer
• Internet Explorer version 4.0 or higher on the management computer
To connect to the web-based manager
1 Connect the LAN interface of the FortiLog unit to the Ethernet port of the management computer. Use a cross-over Ethernet cable to connect the devices directly. Use straight-through Ethernet cables to connect the devices through a hub or switch.
2 Configure the management computer to be on the same subnet as the FortiLog LAN interface. To do this, change the IP address of the management computer to 192.168.1.2 and the netmask to 255.255.255.0.
3 To access the FortiLog web-based manager, sta…
118. …client on your management computer and use this client to connect to the FortiLog CLI.
Caution: Telnet is not a secure access method. SSH should be used to access the FortiLog CLI from the Internet or any other unprotected network.
To connect to the CLI using Telnet
1 Install and start a Telnet client.
2 Connect to the FortiLog port1 interface that is configured for Telnet connections.
3 Type a valid administrator name and press Enter.
4 Type the password for this administrator and press Enter.
You have connected to the FortiLog CLI and you can enter CLI commands.

CLI commands
The FortiLog CLI commands include:
• execute branch
• get branch
• set branch
• unset branch

execute branch
Use execute to run static commands: to reset the FortiLog unit to factory defaults, to back up or restore FortiLog configuration files, and to reboot or shut down the FortiLog system.
Table 4: execute command architecture
execute reload
execute restore config <string> <XXX.XXX.XXX.XXX>
execute restore image <string> <XXX.XXX.XXX.XXX>
execute backup config <name_str> <XXX.XXX.XXX.XXX>
execute reboot
execute factoryreset
execute save config
execute shutdown
execute formatlogdisk
Commands and descriptions:
execute reload: …
119. …Go to Reports > Config > Vulnerability.
Select a report from the list.
Select Output.
Set the following options:
File (Browse Reports): Select the file format for the generated reports that are saved to the FortiLog hard disk.
Email list: Select the file formats for the generated reports that the FortiLog unit sends as an email attachment.
Email address list: Enter the email addresses of the recipients of the report. Add multiple recipients by pressing Enter after each email address.
Select Apply.

Creating a report destination and format profile
You can save the selections in an output profile. After creating an output profile, you can select the profile for use in other vulnerability reports.
To create a pre-defined output selection
1 Select New.
2 Enter a name for the profile and select OK.
3 Select the destination and format options.
4 Select Apply.

Viewing the vulnerability report
The FortiLog unit saves the vulnerability report either to its hard disk or sends the report as an email attachment.
Figure 41: Viewing the list of vulnerability reports
[Figure residue: Report Files list with columns Action, Started, Size (bytes), Other Formats; entries E-Finance (Fri Jan 7 09:57:21 2005, Vulnerability.html, 785, Text) and FortiGate-400 (Thu Jan 6 12:24:10 2005); Check all / Check None.]
To view the vulnerability report saved to the FortiLog hard disk
1 Go to File Browse > Re…
120. …of the network by employees.
The FortiLog unit also acts as a Network Attached Storage (NAS) device. Use the FortiLog unit as a means of backing up or storing important information, or use the extra hard disk space as a file server or repository. Any computer using NFS or Windows sharing can mount the FortiLog hard drive to save and retrieve files.
Figure 3: FortiLog Active mode network architecture
[Figure residue: several FortiGate units and a FortiMail unit connected through the Internet and a switch to the FortiLog unit; a Management PC receives the Reports.]

Passive mode
Passive mode enables you to use the FortiLog unit solely as a Network Attached Server (NAS) storage device. The collection of device log files and the log reporting features are not available in passive mode.
Figure 4: FortiLog unit in Passive mode
[Figure residue: FortiLog-400 web-based manager (WEB CONFIG) System Status page; Automatic Refresh Interval none, Refresh; menu File Browse, System Status, System Resources, Network Sharing; panels Alert (log entries from FortiGate-400), Notifications, Password, Memory Usage, Up Time 7 hour(s) 0 min(s), Hard Disk Usage; Syste…]
121. from which the administrator can log into the web-based manager.
Set permission to Read Only or Read & Write.
Select OK.

Changing the Administrator password
The admin administrator and administrators with read & write permissions can change their administrator account password.
To change the admin account password:
Go to System > Config > Admin.
For your administrator account, select Change Password.
Enter and confirm a new password.
Select OK.

Devices (Active mode)
When using the FortiLog unit in Active mode, you can add the FortiGate, FortiMail and Syslog devices for the FortiLog unit to collect log files.
• Device list
• Adding and registering a device
• Editing device information

Device list
To add and manage devices connecting to the FortiLog unit, go to System > Devices.
Figure 21: Device list (columns: Name, Hardware, Firmware, IP Address, Secure Connection, Disk Space (MB) Used / Allocated, Action)

Adding and registering a device
Add FortiGate, FortiMail and Syslog devices to the FortiLog configuration so that the FortiLog unit can receive lo
122. (Figure residue: FortiGate log settings page with Local ID, Pre-shared key, Disk, Memory, Syslog, WebTrends, Apply)
Enter the IP address of the FortiLog unit.
Set the level that the FortiGate unit logs messages to the FortiLog unit. The FortiGate unit logs all messages at and above the logging severity you select. For example, if you select Error, the device logs Error, Critical, Alert and Emergency level messages. For a list of severity levels, see Log policy on page 45.
Select Enable encryption to send the log files through an IPsec connection.
If you choose to send encrypted log files:
Enter a Local ID for the FortiGate unit. Use an ID that represents the FortiGate unit, for example FGT-500A. You will use this entry on the FortiLog unit as the device name when registering the FortiGate unit.
Enter an encryption key. You must also specify the identical value on the FortiLog unit. For security reasons, the encryption key should be more than six characters in length and contain a mixture of alpha and numeric characters.

Configuring FortiGate devices running FortiOS 2.5
If your FortiGate unit is running FortiOS version 2.5, use the following procedure to configure the FortiGate unit to record log messages on a remote system.
To configure the FortiGate unit to send log files to the FortiLog unit:
Go to Log & Report > Log Setting.
123. or users and groups to the folder structure of the FortiLog hard disk.
To add a new Windows share configuration:
1 Go to Network Shares > Access > Windows Shares.
2 Select Create New.
Figure 49: Windows sharing configuration (Share Configuration: Local Path, Share Name, Available Users & Groups, Read Only Access, Read Write Access)
3 Select the Local Path button to select the folder for the users or groups to access.
Note: The default permissions for files and folders are read and execute privileges. The owner of the document also has write privileges. To enable write permissions for users and groups, you must select the write permission for the folder and for the user and the group. For details, see Setting folder and file properties on page 86.
4 Select OK.
5 Enter the Share Name to describe the shared folder.
6 Select user and group names from the Available Users & Groups box. Hold the Ctrl key to select multiple users.
7 Select the type of access rights the users and groups will have and select the appropriate right arrow to move the user or group name to the Read Only Access or Read Write Access boxes.
8 Select OK.
To add a new NFS share configuration:
1 Go to Network Shares > Access > NFS Exports.
2 Select Create New.
124. FortiLog system time must be accurate. You can either manually set the FortiLog system time, or you can configure the FortiLog unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.
Figure 17: Time settings (Time Zone; System Time; Automatically adjust clock for daylight saving changes; Set Time: Hour, Minute, Second, Month, Day, Year; Synchronize with NTP Server: Server, Syn Interval (mins))
To change the FortiLog administration options, go to System > Config > Options. On the System Config Options page you can set:
• the system idle timeout
• the language for the web-based manager
Figure 18: Options (Idle Timeout (1-480 mins); Web Administration Language)
Idle Timeout: Enter an idle timeout number in minutes. Idle Timeout controls the amount of inactive time that the web-based manager waits before requiring the administrator to log in again. The recommended idle timeout is 5 minutes. The maximum idle timeout is 480 minutes (8 hours).
Language: Select a language for the web-based manager to use. You can choose English, Simplified Chinese, Japanese, Korean or Traditional Chinese.
To change the FortiLog administrator settings, go to System > Config > Admin. Use admin options to add and configur
125. You can also edit, delete and create new groups from this tab.
Unregistered: Displays a list of unregistered devices available to the FortiLog unit. This does not indicate that a FortiGate device is not registered with Fortinet.
Device tabs: A tab is available for each device supported by the FortiLog unit.
To add a device:
1 For a FortiGate device, go to System > Devices > Unregistered. For devices that are not automatically registered, such as a syslog server, select the device tab and select Create New.
2 In the Register column, select Add for the device you wish to add.
Figure 10: Adding (registering) a new device to the FortiLog unit (Edit Device: Device Name, Group, Device ID, Secure Connection (Yes/No), Pre-shared Key, Allocated Disk Space (MB), Max Log File Size (MB, 10-100), Max Log File Age (days), When Allocated Disk Space is All Used: Overwrite Oldest Log Files / Stop Logging, FortiGate Interface Specification)
3 Enter a device name. For a FortiGate device, this is the same entry as entered as the Local ID set in the Log & Config settings for FortiLog, for example FGT-500A.
4 Select a group to add the device to, if desired. For details on creating a group, see Creating Device Groups on page 28.
126. Hour Of Day And Top Viruses: Hourly top viruses status in kilobytes for a specified date or range of days.
Content Traffic By Status And Service: Content traffic by status and Internet service in kilobytes.
Content Traffic By Service And Status: Content traffic by Internet service and status in kilobytes.
Content Traffic By Service And Top Viruses: Content traffic by Internet service and top viruses.
Content Requests By Status And Service: Requested content by status and Internet service, by content events.
Content Requests By Service And Status: Requested content by Internet service and status, by content events.
Content Requests By Service And Top Viruses: Requested content by Internet service and top viruses.
Content Traffic By Top Clients And Service: Content traffic by user and Internet service used, in kilobytes.
Content Traffic By Top Clients And Status: Content traffic by user and content status, in kilobytes.
Content Traffic By Top Clients And Top Viruses: Content traffic by user and virus content, in kilobytes.
Content Traffic By Top Servers And Service: Content traffic by server and Internet service, in kilobytes.
Content Traffic By Top Servers And Status: Content traffic by server and content status, in kilobytes.
Content Traffic By Top Servers And Top Viruses: Content traffic by server and virus content, in kilobytes.
Web Traffic By Top Servers: We
127. ports > Vulnerability.
2 Select the report name from the list of completed reports.
(List columns: Report Files, Action, Started, Size, Alternate Formats, Check All, Check None)
Report Files: The name of the report. Select the report name to view the vulnerability report file. Select the check box next to the report name to select it for removal from the list.
Action: Select Edit to rename the report. Select Delete to remove the report from the list.
Started: The date and time the FortiLog unit started running the report.
Size: The size of the report file in bytes.
Alternate Formats: Select an alternate file format for the report. The default format is HTML and the alternate format is ASCII text.
Check All: Select the checkbox to select all reports in the list to quickly delete all reports from the list.
Delete: Select Delete to delete the reports you selected by selecting the report's check box.

Using Logs
The FortiLog unit collects log files from various sources and stores them on its hard disk. With the log viewer you can:
• view log files collected from FortiGate, FortiManager, FortiMail and syslog devices
• customize the log file view
• download log files to your hard disk
• filter the logs for specific information using various criteria
• search multiple log files for unique entries
• import older log files
• watch active log files for real-time logging information of a selected device
This chapter includes
128. unique identifier for the FortiLog unit and is required when you register the FortiLog unit.
Backup and restore system settings: See Backing up system settings on page 39 and Restoring system settings on page 40.
Restore system settings to factory defaults: See Restore factory default system settings on page 40.
You can also download a debug log; see Downloading the FortiLog debug log on page 39.
List the generated log reports, log reports being generated, and the scheduled time to generate the next log report.

Status
CPU Usage: The current CPU status. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Memory Usage: The current memory status. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Hard Disk Usage: The current status of the hard disk. The web-based manager displays how much hard disk space is free and how much is used.
Active Sessions: The number of communications sessions being processed by the FortiLog unit.
History: Select History to view a graphical representation of the last minute of CPU, memory, sessions and network usage.
System
129. r the administrator account.
Confirm Password: For improved security, the password should be at least 6 characters long. The password can contain any characters except spaces.
Trusted host: The trusted host IP address for the location from which the administrator can log into the FortiLog unit. If you want the administrator to be able to access the FortiLog unit from any address, set the trusted host to 0.0.0.0 and the netmask to 0.0.0.0. To limit the administrator to only access the FortiLog unit from a specific network, set the trusted host to the address of the network and set the netmask to the netmask for the network. For example, to limit an administrator to accessing the FortiLog unit from your internal network, set the trusted host to the address of your internal network (for example, 192.168.1.0) and set the netmask to 255.255.255.0.
Netmask: The trusted host netmask for the location from which the administrator can log into the web-based manager. If Netmask is 0.0.0.0, there is no restriction on the netmask.
Permission: The permission level for the administrator.
To add an administrator account:
1 Go to System > Config > Admin.
2 Select New.
3 Enter a login name for the administrator account.
4 Enter and confirm a password for the administrator account.
5 Optionally type a Trusted Host IP address and netmask for the location fr
130. re <share name>
  nfs path <local path>
  resolve
  report alias <alias> <return>

Commands / Description
unset system admin username <name_str>: Enter the system administrator name that you want to remove. <name_str> is the system administrator name.
unset system route number <xxx>: Enter the system route number that you want to remove. <xxx> is the system route number.
unset system hostname: Enter the system hostname that you want to remove.
unset system_ttl <number>: Remove the system time-to-live (session timeout).
unset log client <string>: Remove a client added to the FortiLog unit. <string> is the name of the client.
unset alertemail configuration: Remove the alert email configuration.
unset nas protocol nfs share: Remove the NAS configuration settings.
unset nas user <user name>: Remove a user name.
unset nas group <group name>: Remove a group name.
unset nas share <share name>: Remove a Windows shared folder setting.
unset nas nfs path <local path>: Remove a Network File Share path (folder) setting.
unset report resolve: Remove the resolve alias setting when generating log reports. When removed, the actual IP addresses will appear on the report rather than the alias names.
unset report alias <
131. requirements 17
Environmental Specifications 17
Air flow 17
Mechanical loading 17
Planning the Installation 17
Connecting the FortiLog Unit 18
Configuring the FortiLog Unit 19
Using the web-based manager 19
Using the command line interface 20
Using the front panel buttons and LCD 21
Connecting to the FortiLog Unit 23
Sending device logs to the FortiLog Unit 23
Configuring FortiGate unit running FortiOS 2.8 23
Configuring FortiGate devices running FortiOS 2.5 24
Configuring FortiMail devices 25
Configuring the FortiLog unit
132. rt
set log devtype <string> report <report name> filters <string>: Select a defined filter profile to use in the report.
set log devtype <string> queryset <name> <qry_indexes>: Select the queries to include in a report and store as a profile for later use in other reports.
set log devtype <string> deviceset <string> <all 0 4 5>: Select the devices to include in a report and store as a profile for later use in other reports.
set log devtype <string> filters <string>: Select the filter options to include in a report and store as a profile for later use in other reports.
set log devtype <string> schedule <string> none hours <hour> daily days <mon tue wed> dates <1 2 3>: Select the schedule for the report to run and store as a profile for later use in other reports. Select from various time frames. A setting of none indicates a report will only be run on demand (manually).
set log devtype <string> output <string> <html pdf rtf text> mail: Select the type of output the FortiLog unit generates for the reports and the destination storage formats, whether to save to a file on the FortiLog hard disk or send the results via email to set recipients. Store the settings as a profile for later use in
133. Start Internet Explorer and browse to https://192.168.1.99 (remember to include the s in https).
Type admin in the Name field and select Login.
After connecting to the web-based manager, you can configure the FortiLog unit IP address, DNS server IP address and default gateway to connect the FortiLog unit to the network.
To configure the FortiLog unit using the web-based manager:
In the web-based manager, go to System > Config > Network.
Enter the IP address, netmask, primary DNS server IP address, secondary DNS server IP address (optional) and the default gateway IP address if the FortiLog unit connects to the Internet.

Using the command line interface
You can use terminal emulation software to connect to the command line interface (CLI) from any network that is connected to the FortiLog unit, including the Internet. This applies to all FortiLog models. You can also access the FortiLog-800 CLI by using the null modem cable provided to connect to the unit's console port.
The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options that are not available from the web-based manager.
To connect to the FortiLog-800 unit:
Use a null modem cable to connect the FortiLog-800 serial port to the management computer serial port
134. s settings originate from a single source IP. A single-source virus attack can indicate a targeted attack on the network.
Enter the email addresses of the recipients to receive the alert warning messages. For multiple addresses, separate each address with either a semi-colon, comma or a space.
To add a device alert:
Go to System > Alert Email > Device.
Select Create New.
Set the Alert email options as required.
Select Enable to set the FortiLog unit to send alert email messages for selected devices.
Select OK.
Use Alerts to view the system alert messages for the FortiLog unit and any other systems monitored by the FortiLog unit.
Figure 26: Device alert messages (Include <severity> and higher in Alerts; Keep Unacknowledged Alerts for <n> days; columns: Device, Event, Severity, Time)
Alert Inclusion: Select the minimum level of alert messages you would like displayed. The selection you make and any messages with higher priority will appear in the window.
Keep unacknowledged alerts for: Select the number of days of alert messages you want to keep. If you change the number of days from a longer period to a shorter period, the FortiLog unit removes the older alert messages. You will not be able to change back to a longer period and see the older messages again.
Acknowledge: Select the check bo
135. sage
set system opmode active: Set the FortiLog unit to active mode.
set system opmode passive: Set the FortiLog unit to passive mode.
set system option admintimeout <timeout_integer>: Enter an idle timeout number in minutes. Idle Timeout controls the amount of inactive time that the web-based manager waits before requiring the administrator to log in again. The default idle timeout is 5 minutes. The maximum idle timeout is 480 minutes (8 hours). <timeout_integer> is the idle timeout number in minutes.
set system option authtimeout <timeout_integer>: Enter an auth timeout number in minutes. Auth Timeout controls the amount of inactive time that the FortiLog unit waits before requiring users to authenticate again. The default Auth Timeout is 15 minutes. The maximum Auth Timeout is 480 minutes (8 hours). <timeout_integer> is the auth timeout number in minutes.
set system option language <language_str>: Enter a language for the web-based manager to use. You can choose English, Simplified Chinese, Japanese, Korean or Traditional Chinese. <language_str> is the language you choose.
set system option refresh interval none: Set the system option refresh interval. Enter none to cancel the refresh interval.
set system alert_table alert_severity <severity_integer>: Set the monitor severity level for the alert table: 0 Emergency, 1 Alert, 2 Critical, 3 Error, 4
136. users and user groups with access to read and write files on the FortiLog hard disk.
This chapter includes:
• Connecting to the FortiLog file system
• Providing access to the FortiLog hard disk
• Setting folder and file properties
Use the FortiLog web-based manager to view and manage files on the FortiLog hard disk. You can also use the web-based manager to set up and manage user and group access to the FortiLog hard disk directories and files.
To view and manage files stored on the FortiLog hard drive:
Go to File Browse > Files.
Navigate the folder structure by double-clicking the folders.

Connecting to the FortiLog file system
Before a user can access files on the FortiLog hard disk, create user and group accounts and set their access permissions.
When users connect to the FortiLog unit, consider the following:
• Microsoft Windows users connect to the FortiLog hard disk by mapping a drive letter to a network folder.
• For Macintosh users, enable the FortiLog Windows networking selection. Macintosh users can use the SMB sharing protocol to connect to the FortiLog unit.
• UNIX or Linux users:
  • mount the FortiLog hard disk as smbfs if you are using Windows Networking
  • mount the FortiLog hard disk as nfs if you select Network File System

Providing access to the FortiLog hard disk
137. permissions for the folder.
Select OK.
For example, if you wanted only users in the Finance group to view a folder with financial information, create a user group called Finance that includes the users from the Finance department. Set the following permissions on the folder:
Owner: Select the user name or Admin, and Read, Write, Execute.
Group: Select Finance from the list and select Read.
Other: No selections.

FortiLog CLI reference
This chapter explains how to connect to and use the FortiLog command line interface (CLI). You can use CLI commands to view all system information and to change all system configuration settings.
• CLI documentation conventions
• Connecting to the CLI
• CLI commands

CLI documentation conventions
This guide uses the following conventions to describe CLI command syntax:
• angle brackets < > to indicate variable keywords. For example: execute restore config <filename_str>. You enter: restore config myfile.bak
  <xxx_str> indicates an ASCII string variable keyword
  <xxx_integer> indicates an integer variable keyword
  <xxx_ip> indicates an IP address variable keyword
• vertical bar and curly brackets { | } to separate alternative, mutually exclusive required keywords. For example: set system opmode {active | passive}. You can enter set system opmode active or set system opmode passive.
138. st Security online help: Provides information and procedures for using and configuring the FortiClient software.

FortiMail documentation
• FortiMail Administration Guide: Describes how to install, configure and manage a FortiMail unit in gateway mode and server mode, including how to configure the unit, create profiles and policies, configure antispam and antivirus filters, create user accounts, and set up logging and reporting.
• FortiMail online help: Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
• FortiMail Web Mail Online Help: Describes how to use the FortiMail web-based email client, including how to send and receive email, how to add, import and export addresses, and how to configure message display preferences.

Fortinet Knowledge Center
The most recent Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains short how-to articles, FAQs, technical notes, product and feature guides and much more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

Comments on Fortinet technical documentation
You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.

Customer service and technical support
139. t
Table 11: set system command architecture
set system
  opmode
    active <return>
    passive <return>
  option
    admintimeout <timeout_integer> <return>
    authtimeout <timeout_integer> <return>
    language <language_str> <return>
    refresh interval none <return>
  alert_table
    alert_severity <severity_integer>
    alert_period <period_integer>
  route <number>
    dst <XXX.XXX.XXX.XXX> (IP address) <XXX.XXX.XXX.XXX> (IP address mask) <return>
    gw1 <XXX.XXX.XXX.XXX> (IP address) <return>
    dev1 <intf_name> <return>
    gw2 <XXX.XXX.XXX.XXX> (IP address) <return>
    dev2 <intf_name> <return>
  time
    manual
      date <mm dd yyyy> <return>
      clock <hh mm ss> <return>
      zone <No> <return>
      dst enable/disable <return>
    ntp
      ntpsync enable/disable <return>
      ntpserver XXX.XXX.XXX.XXX / hostname <return>
      syncinterval <Syn interval> <return>
      zone <No> <return>
      dst enable/disable <return>
107 CLI commands FortiLog CLI reference
140. t: Set the log RAID level: linear, 0, 1 or 5. There is no default value for this option.
set log raid uuid <raid_uuid>: Set the log RAID universal unique identifier.
set log devicegroup <string>: Create a device group to add devices to.
set log setting console loglevel <severity_integer>: Set the console log severity level: 0 Emergency, 1 Alert, 2 Critical, 3 Error, 4 Warning, 5 Notification, 6 Information. The log levels will be up to but not higher than the value you set.
set log setting local status enable disable: Enable or disable logging to the FortiLog unit hard disks.
set log setting local filesz <file_sz_integer>: Set the maximum size for the FortiLog local log file.
set log setting local logtime <days_integer>: Set the number of days before the FortiLog unit starts a new log file.
set log setting local diskfull
set log setting local memory status <enable disable>: Configure the FortiLog unit to log to the local memory.
set log setting local memory loglevel <severity_integer>: Set the local FortiLog unit log severity level: 0 Emergency, 1 Alert, 2 Critical, 3 Error, 4 Warning, 5 Notification, 6 Information. The log levels will be up to but not higher than the value you set.
set log setting syslog local status loglevel <severity_integer>: Set the local FortiLog unit log severity level: 0 Emerg
141. t
Select Apply.

Setting a report schedule
Set a schedule so that FortiLog generates reports at a consistent time. The default is to run a report daily at 6pm. You can save a schedule to use in other reports.
Figure 32: Report scheduling (Report, Queries, Devices, Filter, Output; Select a schedule: Daily_6pm, New, Clone, Rename, Delete; Not Scheduled / Daily / These Days (Sun, Mon, Tue, Wed, Thu, Fri, Sat) / These Dates (e.g. 1,14,28); At Hour)
To create a scheduled report:
1 Go to Reports > Config.
2 Select a report from the list.
3 Select Schedule.
4 Select a day from the following:
Not Scheduled: Select to not run a daily report. Use this setting when you only want to run the reports as needed. For details on running on-demand reports, see Reports on demand on page 64.
Daily: Select to run the report every day at the same time.
These Days: Select specific days of the week to run reports.
These Dates: Select specific days of the month to run the report. For example, to run reports on the first and fifteenth of every month, enter 1,15.
5 Select a specified time of the day to run the report, up to three times per day.
6 Select Apply.

Creating a report schedule profile
You can save t
142. t. You can access online help from the web-based manager as you work.
FortiLog QuickStart Guide: Explains how to install and set up the FortiLog unit.

Related documentation
Additional information about Fortinet products is available from the following related documentation.

FortiGate documentation
Information about FortiGate products is available from the following guides:
• FortiGate QuickStart Guide: Provides basic information about connecting and installing a FortiGate unit.
• FortiGate Installation Guide: Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures and basic configuration procedures. Choose the guide for your product model number.
• FortiGate Administration Guide: Provides basic information about how to configure a FortiGate unit, including how to define FortiGate protection profiles and firewall policies, how to apply intrusion prevention, antivirus protection, web content filtering and spam filtering, and how to configure a VPN.
• FortiGate online help: Provides a context-sensitive and searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
• FortiGate CLI Reference Guide: Describes how to use the FortiGate CLI and contains a reference to
143. t in an environment compatible with the manufacturer's maximum rated ambient temperature.
• Storage temperature: -4 to 176 °F (-20 to 80 °C)
• Humidity: 10 to 90% non-condensing

Air flow
• For rack installation, make sure that the amount of air flow required for safe operation of the equipment is not compromised.
• For free-standing installation, make sure that the appliance has at least 1.5 in (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.

Mechanical loading
For rack installation, ensure an even mechanical loading of the FortiLog unit to avoid a hazardous condition.

Planning the installation
You can add the FortiLog unit to your local network to receive log messages from your local FortiGate and FortiMail devices, or act as a NAS server. You can also connect the FortiLog unit to devices remotely through the Internet. To connect the FortiLog unit to devices remotely, you must configure the DNS server and the default gateway. To manage the FortiLog unit, you can use a computer within the local network or over the Internet.
Figure 6: FortiLog connection option (FortiMail unit, FortiGate units, internal network, FortiLog unit, management PCs, Internet)
FortiGa
144. te unit

Connecting the FortiLog unit
You can install the FortiLog unit as a free-standing appliance on any stable surface. You can mount the FortiLog-800 unit in a standard 19-inch rack. It requires 1 U of vertical space in the rack.
To connect the FortiLog unit to the network:
1 Place the unit on a stable surface. If you have a FortiLog-800 unit, you can also mount it in a 19-inch rack. The units require 1.5 inches (3.75 cm) clearance on each side to allow for cooling.
2 Make sure the power of the unit is turned off.
3 Connect the network cable to the LAN interface.
4 Connect the power cable to a power outlet.
5 Turn on the power switch.

Configuring the FortiLog unit
Use the web-based manager or the Command Line Interface (CLI) to configure the FortiLog unit IP address, netmask, DNS server IP address and default gateway IP address.
Table 2: Factory defaults
Administrator account: User name: admin; Password: none
LAN: IP: 192.168.1.99; Netmask: 255.255.255.0; Management Access: HTTPS, Ping

Using the web-based manager
The web-based manager provides a GUI interface to configure and administer the FortiLog unit. The web-based manager has a similar look and feel as the FortiGate 2.8 family. You can use the web-based manager to configure most FortiLog setti
...the FortiLog unit restarts, it is running the backup firmware version with a restored configuration.

Backing up system settings
You can back up system settings by downloading them to a text file on the management computer. The backup is a plain-text copy of the unit's configuration, so store it where only administrators can read it.

To back up system settings
1. Go to System > Status > Status.
2. For System Settings, select Backup.
3. Select Backup system settings.
4. Type a name and location for the file. The system settings file is backed up to the management computer.
5. Select Return to go back to the Status page.

Downloading the FortiLog debug log
Download a debug log to send debug information to Fortinet Tech Support to help diagnose a problem with the FortiLog unit.

To download a FortiLog debug log
1. Go to System > Status > Status.
2. For System Settings, select Backup.
3. Select Download debug log.
4. Type a name and location for the file. The debug log file is backed up to the management computer.
5. Select Return to go back to the Status page.

Restoring system settings
Restore system settings by uploading a previously downloaded system settings text file.

To restore system settings
1. Go to System > Status > Status.
2. For System Settings, select Restore.
3. Enter the path and filename of the system settings file, or select Browse and locate the file.
4. Select OK to restore the system settings f...
...the device IP addresses or alias names.

Figure 37: Vulnerability report parameters (screenshot: Plugins, Scan Targets and Output set to Default; Run now; Results: For all devices / Per device; Resolve Host Names; Resolve Service Names; Apply)

To define report result parameters
1. Go to Reports > Config > Vulnerabilities.
2. Select New.
3. Enter a report name and select OK.
4. Configure the following options:
   For all devices: Select to generate the report for all devices.
   Per device: Select to generate a separate report for each device.
   Resolve Host Names: Select to display host names by name rather than IP addresses. For details on configuring IP address host names, see Defining IP aliases on page 55.
   Resolve Service Names: Select to display network service names rather than port numbers, for example HTTP rather than port 80.
5. Select Apply.

Selecting plug-ins
Select the port scans the FortiLog unit will perform on the selected device(s).

Figure 38: Vulnerability plugin options (screenshot: Plugin Set: Default, with New, Delete and Edit; plugins backdoor4553, portscan, servscan, smb_test; Apply)

To select the plug-ins
1. Go to Reports > Config > Vulnerabilities.
2. Select a report fro...
...to the FortiLog CLI using Telnet 90
to the FortiLog console 88
CPU status 32
creating reports 57
D
debug log 39
default firmware 38
defining device port interfaces 27
download FortiLog debug log 39
E
environmental specifications 17
event correlation 79
F
factory default system settings 40
file
  access 82
  formats 65
  properties 86
file formats 63
filtering 61
firmware
  installing backup image 36
  installing from reboot 33
  re-installing current version 33
  reverting to an older version 33
  switching to a backup image 38
  switching to the default image 38
  testing new image 35
  upgrading using the CLI 33
  upgrading using the web-based manager 32
FortiGate port interfaces 27
FortiLog
  account levels 48
  status 29
H
hard drive usage 32
hardware specifications 16
host name 31
HTTPS 19
I
idle timeout 46
importing log files 77
installation
  firmware from reboot 33
  planning 17
L
language setting 46, 109
LCD panel 21
log policy 45
logs
  download FortiLog debug log 39
  importing 77
  information 75
  settings 44
  watching 78
M
memory usage 32
MS Word files 65
N
network attached server 81
network file system 81
network settings 42
NTP server 46
O
on-demand reports 64
operating modes
  active 8
  changing 31
  passive 9
P
passive and active mode 8
PDF files 65
port interfaces 27
power requirements 17
properties 86
R
RAID lev...
...to determine the permissions on files and folders.
   Password: Enter a password for the user.
   Display Name: Enter the user name to identify who the user is, for example Terry White. You can include spaces in this field.
   If you are using the Windows Networking protocol, you only need to complete the information for the User name, Password and Display Name.
Select OK.
Select Edit in the Modify column to update the user name or password.

Adding and modifying group accounts
Create user groups to assign directory access to many users at once rather than individually.

To add a user group
1. Go to Network Sharing > Groups.
2. Select Create New.
3. Enter the following information for the group account:
   Group: Enter a group name, for example Finance. The name cannot include spaces.
   GID: Enter a Group ID. Use this field if you are using Network File System.
4. Select the users from the Available members area and select the Right arrow to add them to the group. To remove a member, select a user from the Members area and select the Left arrow.
5. Select OK.
6. Select Edit in the Modify column to add or remove users from the group.

Assigning access to folders
With users, groups and a file sharing protocol defined, you can apply access rights to users and groups. You can apply read-only and read-write access f...
...trator accounts. You can also control the access level of each of these administrator accounts and control the IP address from which the administrator can connect to the FortiLog unit.

There are three administration account access levels:
admin: Has all permissions. Can view, add, edit and delete administrator accounts. Can view and change the FortiLog configuration. The admin user is the only user who can go to the System Status page and manually update firmware, restore the FortiLog unit to factory defaults, restart the FortiLog unit and shut down the FortiLog unit. There is only one admin user.
Read & Write: Can view and change the FortiLog configuration. Can view, but cannot add, edit or delete, administrator accounts. Can change own administrator account password. Cannot make changes to system settings from the System Status page.
Read Only: Can view the FortiLog configuration.

Administrator options
When you add an administrator, you can configure the following options.

Figure 20: Administrator options (New Administrator dialog: Administrator, Password, Confirm Password, Trusted Host, Netmask 0.0.0.0, Permission: Read Only / Read & Write; OK, Cancel)

Administrator: The login name for the administrator account. The login name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed.
Password: The password fo...
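The two account rules above (which characters a login name may contain, and which source addresses a Trusted Host / Netmask pair admits) are easy to get wrong when accounts are created by hand. The following Python is an added example, not FortiLog code, that applies those rules to a proposed set of accounts before they are configured on the unit. It assumes the allowed special characters are hyphen and underscore, that the pair is applied as a bitmask comparison (source & netmask == host & netmask), and that a trusted host or netmask of 0.0.0.0 means no restriction; the sample accounts are constructed.

```python
"""Added example (not FortiLog code): checks for the administrator account
rules on this page, runnable against a proposed set of accounts.

Assumptions (not stated on this page): the allowed special characters are
hyphen and underscore; Trusted Host / Netmask is a bitmask comparison;
0.0.0.0 as either value imposes no restriction.
"""
import ipaddress
import re

# Login name: digits, A-Z, a-z, hyphen and underscore (hyphen is assumed).
_LOGIN_RE = re.compile(r"^[0-9A-Za-z_-]+$")


def valid_login_name(name: str) -> bool:
    """True if the name uses only the characters the page allows."""
    return bool(_LOGIN_RE.fullmatch(name))


def is_trusted(source_ip: str, trusted_host: str, netmask: str) -> bool:
    """Apply the Trusted Host / Netmask rule to one login attempt.

    0.0.0.0 as the trusted host admits any source address, and 0.0.0.0 as
    the netmask removes the restriction as well (assumed semantics).
    """
    if trusted_host == "0.0.0.0" or netmask == "0.0.0.0":
        return True
    src = int(ipaddress.IPv4Address(source_ip))
    host = int(ipaddress.IPv4Address(trusted_host))
    mask = int(ipaddress.IPv4Address(netmask))
    return (src & mask) == (host & mask)


def audit_admins(admins):
    """Return the names of accounts that can log in from any address.

    `admins` is a list of dicts with keys name, trusted_host, netmask and
    permission. Accounts that fail the login-name rule are reported too,
    prefixed with 'badname:'.
    """
    findings = []
    for a in admins:
        if not valid_login_name(a["name"]):
            findings.append("badname:" + a["name"])
        if a["trusted_host"] == "0.0.0.0" or a["netmask"] == "0.0.0.0":
            findings.append(a["name"])
    return findings


# Constructed sample accounts; names and addresses are not from the page.
SAMPLE_ADMINS = [
    {"name": "admin", "trusted_host": "0.0.0.0", "netmask": "0.0.0.0",
     "permission": "admin"},
    {"name": "soc_ro", "trusted_host": "10.1.1.0", "netmask": "255.255.255.0",
     "permission": "Read Only"},
    {"name": "ops-rw", "trusted_host": "10.1.2.25", "netmask": "255.255.255.255",
     "permission": "Read & Write"},
]

if __name__ == "__main__":
    print("unrestricted or invalid accounts:", audit_admins(SAMPLE_ADMINS))
    print("10.1.1.77 may use soc_ro:", is_trusted("10.1.1.77", "10.1.1.0", "255.255.255.0"))
```

Run it over an export of the account list before applying changes; any name returned by audit_admins is reachable from every address that can reach the management interface, which for the single admin account in particular is worth tightening to the management PC's address.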
...ue wed> dates <1 2 3> output <string> <return>
destination storage formats <return> <html pdf rtf text>
mail address formats <return> <html pdf rtf text>

Commands and descriptions
set log client <client_string> deviceid <id_string> secure <yes|no> psk <psk_string> space <number> filesz <filesz_integer> fileage <fileage_integer> spacefull <overwrite_oldest|stop_logging>
Configure the FortiLog to log a FortiGate client.
- <client_string> is the name of the client.
- <id_string> is the FortiGate client ID, for example the serial number.
- <yes|no> provides the option to configure a secured connection or not.
- <psk_string> is the pre-shared key.
- <number> is the amount of the allocated disk space. Set the disk quota from 0 to 4000 MB; a disk quota of 0 is unlimited.
- <filesz_integer> is the size limit for the log files. The default log file size is
- <fileage_integer> is the time limit for the FortiLog unit to keep the log files. The default log file age is 10 days.
- overwrite_oldest|stop_logging selects what you want the FortiLog unit to do when the allocated disk space for the FortiGate device is used up.
Use secure yes with a per-client pre-shared key where the log path crosses a network you do not control; with secure no the log stream is sent without protection. Note also that stop_logging leaves a gap in that device's logs once the quota is used up, while overwrite_oldest discards the oldest log files, which may be the ones needed later; whichever you choose, monitor the quota.
set log raid <raid_level g...
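The space, filesz, fileage and spacefull options interact: files age out, the current file rotates at filesz, and only when the quota is still exhausted does spacefull decide between dropping evidence and dropping new data. The following Python is an added example, not FortiLog code, that models those options so the effect of a chosen quota on a given daily log volume can be seen before it is configured. The unit's real storage behaviour is not described on the page; the day-based clock, the rotation rule and the sample traffic are constructed for the example.

```python
"""Added example (not FortiLog code): a model of the per-client quota
options of `set log client`: space (MB, 0 = unlimited), filesz (MB at which
the current file is rotated), fileage (days a file is kept) and spacefull
(overwrite_oldest or stop_logging). All behaviour beyond the option names
is assumed; sizes and traffic below are constructed.
"""
from collections import deque


class ClientQuota:
    """Log storage for one FortiGate client on the FortiLog unit."""

    def __init__(self, space, filesz, fileage, spacefull):
        if spacefull not in ("overwrite_oldest", "stop_logging"):
            raise ValueError("spacefull must be overwrite_oldest or stop_logging")
        self.space = space          # MB of quota; 0 means unlimited
        self.filesz = filesz        # MB at which the current file is rotated
        self.fileage = fileage      # days a file is kept before it is discarded
        self.spacefull = spacefull
        self.files = deque()        # (created_day, size_mb), oldest first
        self.dropped_mb = 0         # discarded by overwrite_oldest
        self.refused_mb = 0         # refused by stop_logging

    def used(self):
        return sum(size for _, size in self.files)

    def expire(self, today):
        """Discard files older than fileage days (the fileage option)."""
        while self.files and today - self.files[0][0] > self.fileage:
            self.files.popleft()

    def ingest(self, today, mb):
        """Store mb of log data arriving on day `today`; return the outcome."""
        self.expire(today)
        if self.space and self.used() + mb > self.space:
            if self.spacefull == "stop_logging":
                self.refused_mb += mb
                return "stopped"                 # logging gap: nothing recorded
            while self.files and self.used() + mb > self.space:
                _, size = self.files.popleft()   # oldest evidence is lost
                self.dropped_mb += size
            # A single burst larger than the whole quota is still stored here.
        # Append to the current file; open a new one on a new day or once
        # the current file has reached filesz.
        if (not self.files or self.files[-1][0] != today
                or self.files[-1][1] >= self.filesz):
            self.files.append((today, 0))
        day, size = self.files[-1]
        self.files[-1] = (day, size + mb)
        return "stored"


def simulate(quota, daily_mb):
    """Feed one traffic volume per day, starting at day 0."""
    return [quota.ingest(day, mb) for day, mb in enumerate(daily_mb)]


def gap_days(results):
    """Days on which stop_logging left no record at all."""
    return [day for day, r in enumerate(results) if r == "stopped"]


if __name__ == "__main__":
    # Constructed traffic: 4 MB a day against a 10 MB quota.
    for policy in ("stop_logging", "overwrite_oldest"):
        q = ClientQuota(space=10, filesz=5, fileage=30, spacefull=policy)
        r = simulate(q, [4, 4, 4])
        print(policy, r, "used", q.used(), "dropped", q.dropped_mb,
              "refused", q.refused_mb, "gaps", gap_days(r))
```

Feed the model the real daily volume of a FortiGate client and the quota you intend to set; a non-empty gap_days list under stop_logging, or a growing dropped_mb under overwrite_oldest, means the quota is too small for the retention you need.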
...unication sessions with the FortiLog unit.
- Status
- RAID Config

Status
You can connect to the web-based manager and view the current system status of the FortiLog unit. The status information displays basic system information such as the host name, firmware version and serial number of the FortiLog unit.

Figure 11: System status, Active mode (screenshot: Alerts and Notifications from a FortiGate-400; Up time; System Time; Log Hard Disk with RAID 1 and disk space; Unit Information with Host Name, Firmware Version, Serial Number and Operation Mode; Reports Status: Finished, Scheduled, Running, Pending; System Resources: CPU Usage, Memory Usage, Hard Disk Usage, Active Sessions, History; System Command: Restart, Shutdown, Settings Backup, Restore, Restore Factory Defaults)

The Status page contains the following items: Automatic Refresh Interval, Go, Refresh, Alerts, Notifications, Up time, System Time, Log Hard Disk, Host Name, Operating Mode, Firmware version, Serial number...
...execute ping 192.168.1.168
8. Enter the following command to restart the FortiLog unit:
   execute reboot
   As the FortiLog unit starts, a series of system startup messages is displayed. When the following message appears:
   Press any key to enter configuration menu
9. Immediately press any key to interrupt the system startup.
   Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiLog unit reboots and you must log in and repeat the execute reboot command.
   If you successfully interrupt the startup process, the following message appears:
   [G]: Get firmware image from TFTP server.
   [F]: Format boot device.
   [B]: Boot with backup firmware and set as default.
   [Q]: Quit menu and continue to boot with default firmware.
   [H]: Display this list of options.
   Enter G, F, B, Q, or H:
10. Type G to get the new firmware image from the TFTP server.
11. Type the address of the TFTP server and press Enter. The following message appears:
   Enter Local Address 192.168.1.188
12. Type the address of the LAN port and press Enter.
   Note: The local IP address is used only to download the firmware image. After the firmware is installed, the address of this interface is changed back to the default IP address for this interface.
   The following message appears:
   Enter File Name image.out
13. Enter th...

TFTP carries no authentication or integrity protection, so run the TFTP server on a segment reachable only by the FortiLog unit for the duration of the upgrade, and check the image against the checksum published by Fortinet before placing it on the server.
...(screenshot continues: Device Name FGT-60M; Log File elog.log; From Nov 12 2004 13:02 To Dec 17 2004 10:13; Max lines 30; Message; Apply, Cancel)

Column Settings: Select Column Settings to set the log information you want to view.
Refresh: Select an automatic refresh rate between zero (none) and 30 seconds. Select Refresh to manually refresh the screen.
Raw: Select to view the log information as it appears in the log. Select Formatted to return to the column view.
Show: Select the columns of information you want to view in the log.
Up and Down arrows: Select a row and select the up and down arrows to reposition the column within the display.
Select Apply.

Event correlation (Active mode)
Event correlation is a data mining feature that provides a way of reviewing attacks on multiple devices in one location. The FortiLog unit collates attack events from all submitted logs and displays the information in a table. With Event Correlation you can view:
- all attacks on your network
- attacks targeted to specific devices
- the target and source of the attack
- when the attack occurred
- details on the type of attack

To run an event correlation
1. Go to File Browse > Event Correlation.
2. Select an attack type from the list.
3. Select Next.
4. From the drop list, select to view the attacks from the sa...
...vice and terminal events.
Top Terminal Servers By Service Traffic: Terminal server traffic by service, in kilobytes.
Top Terminal Clients By Service Connections: Terminal clients by service, in terminal events.
Top Terminal Clients By Service Traffic: Terminal client traffic by service, in kilobytes.
Top Telnet Clients By Top Terminal Servers Traffic: Terminal servers using Telnet and destination IPs, in kilobytes.
Top Telnet Clients By Top Terminal Servers Connections: Terminal servers using Telnet and destination IPs, in terminal events.
Top SSH Clients By Top Terminal Servers Traffic: Terminal servers using SSH and destination IPs, in kilobytes.
Top SSH Clients By Top Terminal Servers Connections: Terminal servers using SSH and destination IPs, in terminal events.
The Telnet reports are a ready inventory of cleartext terminal sessions on the network; use them to find servers and clients that should be moved to SSH.

Mail Activity
Mail activity reports record email traffic and connections.
Report: Description
Mail Traffic By Date: Email traffic by date or range of days.
Mail Traffic By Day Of Week: Daily email traffic for a specified week.
Mail Traffic By Hour Of Day: Hourly email traffic for a specified period.
Mail Traffic By Direction: Outgoing and incoming email traffic.
Top Mail Servers Connections: Email servers by traffic, in mail events.
Top Mail Servers Traffic: Email servers by volume, in megabytes.
Top Mail Clients Connections: Email clients by...
...view in the log.
Lines per page: Enter the number of entries of the log you want to see on each page.
Match: Select Any to find entries that match any of the criteria specified. Select All to find entries that match all of the criteria; every criterion must match for an entry to display in the results.
Up and Down arrows: Select a row and select the up and down arrows to reposition the column within the display.
Filter: Select each row in the Filter column. Each row of information provides criteria for the search:
   Device time: Set the time span.
   Log time: Set the time span of the logged information.
   Level: The alert level.
   Service: The type of service, such as POP3.
   Source: The source IP address.
   Destination: The destination IP address.
   Sent: The volume of information sent.
   Received: The volume of information received.
   The row criteria available reflect the content within the selected log file.
Enable: Select Enable for each row you want the search criteria to use.
Select Apply.

Importing log files
If you have older log files from various devices, you can import these logs onto the FortiLog unit to generate log reports. Importing log files is also useful when changing your RAID configuration for the FortiLog-400 and FortiLog-800: changing your RAID configuration wipes the hard disk. If you back up your FortiLog log, you can import the FortiLog log onto the device.

Figure 46: Import...
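Both the log search above (filter rows combined with Match Any or Match All) and the Event Correlation feature (attack events from every device collated into one table, then narrowed to a target) are set operations over log records, and it helps to see them spelled out. The following Python is an added example, not FortiLog code, that runs both over a handful of constructed key=value log lines. The field names (device, type, level, service, src, dst, sent, rcvd, attack), the attack names and every address in the sample are invented for the example; a real FortiGate log has its own field names and would be parsed accordingly.

```python
"""Added example (not FortiLog code): Match Any / Match All log filtering
and cross-device attack correlation over constructed key=value log lines.
Field names and sample lines are invented for this example.
"""
import operator
from collections import defaultdict

# Constructed sample: one record per line, space-separated key=value pairs.
SAMPLE_LOGS = """\
device=FGT-60M type=traffic level=notice service=POP3 src=10.1.1.5 dst=172.20.140.25 sent=1200 rcvd=84000
device=FGT-60M type=attack level=alert service=HTTP src=203.0.113.9 dst=172.20.140.25 sent=0 rcvd=0 attack=im_yahoo
device=FGT-400 type=attack level=alert service=HTTP src=203.0.113.9 dst=172.20.120.124 sent=0 rcvd=0 attack=im_yahoo
device=FGT-400 type=traffic level=warning service=SMTP src=10.1.2.8 dst=198.51.100.3 sent=2200000 rcvd=500
device=FGT-400 type=attack level=alert service=SMB src=198.51.100.77 dst=172.20.120.124 sent=0 rcvd=0 attack=smb_probe
"""

_OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt}


def parse_line(line):
    """Split 'k=v k=v ...' into a dict; purely numeric values become ints."""
    rec = {}
    for tok in line.split():
        key, _, value = tok.partition("=")
        rec[key] = int(value) if value.isdigit() else value
    return rec


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def search(records, rows, match="all"):
    """Apply the enabled filter rows to the records.

    rows: list of (field, op, value, enabled) tuples, one per filter row.
    match='any' keeps a record satisfying any enabled row; match='all'
    requires every enabled row. Compare numbers with int values, not str.
    """
    combine = all if match == "all" else any
    active = [(f, _OPS[o], v) for f, o, v, enabled in rows if enabled]
    if not active:
        return list(records)
    return [r for r in records
            if combine(f in r and op(r[f], v) for f, op, v in active)]


def correlate_attacks(records):
    """Collate attack events from all devices into a table keyed by type.

    Each entry is (device, source, target), the columns Event Correlation
    shows for an attack.
    """
    table = defaultdict(list)
    for r in records:
        if r.get("type") == "attack":
            table[r["attack"]].append((r["device"], r["src"], r["dst"]))
    return dict(table)


def attacks_on(table, target):
    """Narrow the correlation table to attacks aimed at one target."""
    return {name: [e for e in events if e[2] == target]
            for name, events in table.items()
            if any(e[2] == target for e in events)}


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    rows = [("level", "=", "alert", True), ("service", "=", "POP3", True)]
    print("any:", len(search(recs, rows, "any")), "all:", len(search(recs, rows, "all")))
    table = correlate_attacks(recs)
    print("by type:", table)
    print("on 172.20.120.124:", attacks_on(table, "172.20.120.124"))
```

The difference between Any and All is the usual source of empty result pages: two rows that cannot both hold (an alert-level entry and a POP3 entry, in the sample) return nothing under All and the union under Any. The correlation step is the same grouping the unit performs, which is why the same source address turning up against two devices stands out immediately in the table.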
...xes for those alert messages and select the Acknowledge check box at the bottom of the column to remove the selected alert messages.
Device: Displays the name of the device with the alert message.
Event: The type of alert message logged.
Severity: The severity of the alert message.
Time: The date and time when the alert message was logged.

Network Sharing
Use Network Sharing to configure the FortiLog unit to use file sharing (Windows workgroups or NFS) to view and share log reports and other files. You can define the users, groups and file access privileges. For details on setting protocols and adding user and group access to the FortiLog hard disk, see Using the FortiLog unit as a NAS on page 81.

Defining IP aliases
The IP Aliases list provides a means of mapping a meaningful name to hosts, networks or IP ranges. The names you add here appear in the log report filters.

Figure 27: IP aliases (table with columns Alias, Host/Network/IP Range and Action; sample rows FortiGate-400 172.20.140.25 and FortiWiFi-60 172.20.120.124)

To set host alias names
1. Go to Reports > IP Aliases.
2. Select Create New.
3. Enter a name for the host, network or IP address range in the Alias text box.
4. Enter the IP address of the host or network, or the IP range. For example:
   - 10.1.1.1
   - 10.1.1.1/24 (10.1.1.0/24)
   - 10.1.0.0...
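An alias entry is matched against every address that appears in a report, so the three forms the page accepts (a single host, a network written with a prefix length, and a range) need three different membership tests, and the network form has its host bits cleared, which is why 10.1.1.1/24 is listed as 10.1.1.0/24. The following Python is an added example, not FortiLog code, that builds such a table and resolves addresses through it the way the Resolve Host Names option labels report output. The alias names and addresses are constructed; the range syntax "a.b.c.d-e.f.g.h" and first-match precedence are assumptions, since the page does not show how ranges are written or how overlapping entries are ordered.

```python
"""Added example (not FortiLog code): an IP alias table in the three forms
the IP Aliases page accepts, with a resolver for report output.
Range syntax and first-match precedence are assumptions; the entries
below are constructed.
"""
import ipaddress


def parse_alias(alias, spec):
    """Return (alias, matcher); matcher(ip) reports whether ip is covered.

    Host:    '10.1.1.1'
    Network: '10.1.1.1/24'  (stored as 10.1.1.0/24, host bits cleared)
    Range:   '10.1.2.10-10.1.2.20' (inclusive; assumed syntax)
    """
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is after its end: {spec}")
        return alias, lambda ip: lo <= ip <= hi
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)   # 10.1.1.1/24 -> 10.1.1.0/24
        return alias, lambda ip: ip in net
    host = ipaddress.IPv4Address(spec)
    return alias, lambda ip: ip == host


def normalised_network(spec):
    """The form a network entry is listed in after the host bits are cleared."""
    return str(ipaddress.ip_network(spec, strict=False))


class AliasTable:
    """Ordered alias entries; the first matching entry wins (assumed)."""

    def __init__(self, entries):
        # entries: list of (alias, spec); put the most specific entries first.
        self.entries = [parse_alias(a, s) for a, s in entries]

    def resolve(self, ip_str):
        """Return the alias for ip_str, or ip_str itself when nothing matches."""
        ip = ipaddress.IPv4Address(ip_str)
        for alias, match in self.entries:
            if match(ip):
                return alias
        return ip_str

    def label(self, record, fields=("src", "dst")):
        """Copy of a log record with the given address fields replaced by aliases."""
        out = dict(record)
        for f in fields:
            if f in out:
                out[f] = self.resolve(out[f])
        return out


if __name__ == "__main__":
    # Constructed entries; the host row mirrors the page's FortiGate-400 example.
    table = AliasTable([
        ("FortiGate-400", "172.20.140.25"),
        ("Finance LAN", "10.1.1.1/24"),
        ("Guest pool", "10.1.2.10-10.1.2.20"),
    ])
    print(normalised_network("10.1.1.1/24"))
    print(table.label({"src": "10.1.1.200", "dst": "172.20.140.25", "service": "HTTP"}))
```

Order the entries from most specific to least specific; a broad network entry placed first would claim addresses that a later host entry was meant to name.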