FortiAnalyzer: Administration and Management


FortiAnalyzer

Administration and Management

FortiAnalyzer 6.4
© Copyright Fortinet Inc. All rights reserved.
Last Modified:
Wednesday, February 16, 2022
Lesson Overview

Administrative Access Controls

Monitoring Administrative Events and Tasks

High Availability

Administrative Domains (ADOMs)

RAID
Administrative Access Controls
Objectives
• Control or restrict administrative access using admin profiles, trusted hosts, and ADOMs
• Validate administrators using external servers
• Configure two-factor authentication
Multiple Administrators and Security
• Divide administrative tasks among multiple employees by creating additional administrative accounts
• Every additional administrator causes linear-to-exponential growth in risk
• To better protect your network, control or restrict administrator access using:
• Administrative profiles
• Trusted hosts
• ADOMs

System Settings > Admin > Administrators
(Screenshot callouts: Admin profile type; Assign one or more ADOMs to administrator account)
Administrative Profiles
• Never give an administrator more privileges than they need
• Assign the appropriate profile; you can modify and create profiles as required
• Access profiles define administrator privileges

System Settings > Admin > Profile

Profile Name      Administrator Privileges
Super_User        All system privileges enabled; all device privileges enabled
Standard_User     No system privileges enabled; read-write access for all device privileges
Restricted_User   No system privileges enabled; read-only access for all device privileges

(Screenshot callouts: Can create custom profiles; Can modify individual privileges in profiles)
Trusted Hosts
• Trusted hosts restrict login access to specific IPs or subnets
• Configure up to 10 IPv4 and IPv6 trusted hosts
• Applies to both GUI and CLI (when accessed through SSH)

System Settings > Admin > Administrators
Controlling Access Through ADOMs
• Monitor and manage devices in only the assigned ADOM
• Increases security of network and makes device management more effective
• Administrators with Super_User profile have full access to system information and to all ADOMs

(Screenshot callout: Assign one or more ADOMs to administrator account)
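The three controls above (admin profile, trusted hosts, ADOM assignment) combine into one login decision. As an added illustration, not code from Fortinet or from this deck, here is a Python model of that decision; the admin names, ADOM names and addresses are constructed.

```python
# Added example (not Fortinet code): a model of the three admin access
# controls above: admin profile, trusted hosts and ADOM assignment.
# Admin names, ADOM names and addresses below are constructed.
import ipaddress
from dataclasses import dataclass, field

MAX_TRUSTED_HOSTS = 10  # FortiAnalyzer accepts up to 10 trusted host entries

# Default profiles from the slide: system privileges and device access level
PROFILES = {
    "Super_User":      {"system": True,  "device": "read-write"},
    "Standard_User":   {"system": False, "device": "read-write"},
    "Restricted_User": {"system": False, "device": "read-only"},
}


@dataclass
class Admin:
    name: str
    profile: str
    trusted_hosts: list = field(default_factory=list)  # IPv4/IPv6 networks
    adoms: set = field(default_factory=set)            # assigned ADOM names

    def __post_init__(self):
        if self.profile not in PROFILES:
            raise ValueError(f"unknown profile {self.profile!r}")
        if len(self.trusted_hosts) > MAX_TRUSTED_HOSTS:
            raise ValueError("at most 10 trusted hosts per administrator")
        self.trusted_hosts = [ipaddress.ip_network(h, strict=False)
                              for h in self.trusted_hosts]


def host_allowed(admin, src_ip):
    """Trusted hosts apply to GUI and SSH; no entries means no IP restriction."""
    ip = ipaddress.ip_address(src_ip)
    return not admin.trusted_hosts or any(ip in net for net in admin.trusted_hosts)


def action_allowed(admin, src_ip, adom, action):
    """action is 'system', 'device-read' or 'device-write'."""
    if not host_allowed(admin, src_ip):
        return False                      # login never reaches the profile check
    prof = PROFILES[admin.profile]
    if action == "system":
        return prof["system"]
    # Super_User has all ADOMs; everyone else only the ADOMs assigned to them
    if admin.profile != "Super_User" and adom not in admin.adoms:
        return False
    if action == "device-write":
        return prof["device"] == "read-write"
    return action == "device-read"
```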
External Authentication of Administrators
• Configure external servers to validate your administrator logins (non-local users)
• LDAP, RADIUS, TACACS+, and PKI can authenticate administrators
• Must configure server entries for each authentication server in your network

System Settings > Admin > Remote Authentication Server
(Diagram: Remote administrator, FortiAnalyzer, and an LDAP, RADIUS, TACACS+, or PKI authentication server)
External Authentication of Administrators (Contd)
• Authenticate users from one or more groups configured on a remote server
• The Wildcard feature allows you to define a single administrative user on FortiAnalyzer that points to a remote authentication server (no local authentication credentials)
• Supported using LDAP, RADIUS, TACACS+ (in Admin Type drop-down list)
• The Admin Type Group supports multiple authentication server types

System Settings > Admin > Administrators
System Settings > Admin > Remote Authentication Server
(Screenshot callout: In this example, two external authentication servers have been added. You can group authentication servers using the CLI.)
Two-Factor Authentication
• Configure two-factor authentication
• Something you know (password) and something you have (token)
• Recommended: FortiAuthenticator and FortiToken
• FortiAnalyzer configuration:
1. Create a RADIUS server that points to FortiAuthenticator (System Settings > Admin > Remote Authentication Server)
2. Create an administrator account that points to the RADIUS server (System Settings > Admin > Administrators)
SAML Admin Authentication
• FortiAnalyzer supports SAML
• SAML can be enabled across all Security Fabric devices
• Allows smooth movement between devices for administrator
• FortiAnalyzer can be identity provider (IdP) or service provider (SP)

System Settings > Admin > SAML SSO

Knowledge Check
1. How do you restrict an administrator's access to a subset of your organization's ADOMs?
A. Assign the ADOMs to the administrator's account
B. Configure trusted hosts

2. What is a wildcard administrator?
A. A local administrator account that is used to permit group access
B. An external administrator account that is used to permit group access
Monitoring Administrative Events and Tasks
Objectives
• Monitor FortiAnalyzer administrators, events, and tasks
• Monitor FortiGate administrator logins and activity
Monitoring Administrator Login Status
• Monitor current logged in administrator accounts
• Identify logged in user by the green checkmark next to their name
• By default, the list is available only to administrators with Super_User access

System Settings > Admin > Administrators

Viewing Administrator Event Logs
• View FortiAnalyzer event logs, including administrator activity
• By default, only available to administrators with Super_User access
System Settings > Event Log

Monitoring Tasks
• View the tasks FortiAnalyzer administrators have performed, including progress and status
• By default, available only to administrators with Super_User access

System Settings > Task Monitor

Monitoring FortiGate Administrator Logins
• Monitor FortiGate administrator logins, system activity, and failed authentications

FortiView > System > Failed Authentication Attempts
(Screenshot callout: FortiGate logging settings must be configured to send event logs!)
Monitoring FortiGate Administrator Activity
• Monitor FortiGate system activity

FortiView > System > System Events

Knowledge Check
1. In order to view FortiGate event logs on FortiAnalyzer, what configuration is required?
A. FortiGate must be registered to the root ADOM
B. FortiGate logging settings must have event logging enabled

2. If an administrative user's job description requires them to manage devices but not system settings, what is the most appropriate default Admin Profile to assign?
A. Super_User
B. Standard_User
High Availability (HA)
Objectives
• Understand FortiAnalyzer HA
• Configure high availability
• Understand HA synchronization and load balancing
• Upgrade an HA cluster’s firmware
• Verify the normal operation of an HA cluster
High Availability (HA)
• FortiAnalyzer supports HA, which provides the following:
• Real-time redundancy in case of primary device failure
• Synchronization of logs and data between members of the cluster
• Alleviation of the load on the primary device by load balancing processes on secondary devices

(Diagram: FortiAnalyzer HA Device (Primary) and FortiAnalyzer HA Device (Secondary). Port1 of each device, 10.0.1.nnn/24 and 10.0.1.n/24, sits on the cluster network 10.0.1.nnn/24 and shares a cluster virtual IP 10.0.1.nnn/24 via VRRP. Port2 sits on the peer network: 10.200.1.210/24 on the primary, 10.200.1.212/24 on the secondary.)
HA Options
• FortiAnalyzer has two modes:
• High Availability (a-p mode)
• Standalone
• You can configure high availability in FortiAnalyzer System Settings

System Settings > HA
(Screenshot callouts: Virtual IP to provide redundancy; IP address and serial number of standby device)
HA Synchronization
• FortiAnalyzer HA synchronizes logs in two states:
• Initial synchronization (Initial Sync)
• Real-time synchronization (Log Data Sync)
• FortiAnalyzer HA synchronizes the configuration of the following:
• Device Manager, Event Manager, Reports, and System Settings

System Settings                   Configuration synchronized
Dashboard > System Information    Only ADOM widget is synchronized
All ADOMs                         Yes
Admin                             Yes
Certificates > CA Certificates    Yes
Certificates > CRL                Yes
Log Forwarding                    Yes
Task Manager                      Yes
Advanced > Mail Server            Yes
Advanced > Syslog Server          Yes
HA Load Balancing and Firmware Upgrade
• FortiAnalyzer supports load balancing
• Improves performance of the following modules:
• Reports
• FortiView
• NOC-SOC
• To upgrade FortiAnalyzer HA cluster firmware:
1. Log in to the GUI of the primary device
2. Upgrade the primary device
• The primary device reboots and upgrades, and you must wait for the upgrade to complete
3. When the primary device reboots, a secondary device is automatically selected to be the primary device so that the HA cluster continues to function
4. When the upgrade is complete on the original primary device, repeat steps 1 to 2 on the newly selected primary device
5. Repeat this procedure until all devices in the cluster are upgraded
HA Monitoring and Troubleshooting
• Cluster Status monitors the status of the FortiAnalyzer devices in an HA cluster
• Displays information about each cluster device
• You can use the following CLI commands to diagnose HA:

System Settings > HA

diagnose ha status                     (Shows HA status)
diagnose ha stats                      (Shows HA statistics)
diagnose ha debug-sync {status On|off} (Turn on sync data debug)
diagnose ha dump-datalog               (Dump HA data log)
diagnose ha failover                   (Run on master, force HA failover)
diagnose ha force-cfg-resync           (Force HA to re-sync configuration)
diagnose ha load-balance               (Shows HA load balance status)
diagnose ha restart-init-sync          (Run on master, restart HA initial sync)
Knowledge Check
1. Which value is used to select a new primary device in the event of a FortiAnalyzer HA failure?
A. Device Serial Number
B. Device IP Address

2. Which of these modules does a FortiAnalyzer HA cluster synchronize during configuration synchronization?
A. Reports
B. Incidents
Administrative Domains (ADOMs)
Objectives
• Enable and create ADOMs
Enabling ADOMs
• Enabled or disabled in CLI or GUI System Settings
• Required if you want to register a non-FortiGate device on FortiAnalyzer
• Maximum number of ADOMs dependent on FortiAnalyzer model
• Once enabled, must select ADOM from all your configured ADOMs

# config system global
set adom-status {enable | disable}
end

(Screenshot callouts: ADOMs not enabled by default; With ADOMs enabled, you must select ADOM after login)
How ADOMs Operate with FortiGate VDOMs
• Global ADOM configuration can operate in normal (default) mode and advanced
mode
• Normal: Cannot assign FortiGate VDOMs from a single device to multiple
FortiAnalyzer ADOMs
• Must assign the FortiGate device and all of its VDOMs to a single ADOM
• Advanced: Can assign FortiGate VDOMs from a single device to multiple
FortiAnalyzer ADOMs
• Allows you to use the FortiView, Event Management, and Reports functions to analyze data for
individual VDOMs

System Settings > Advanced > Advanced Settings

# config system global
set adom-mode {advanced | normal}
end
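As an added illustration (not Fortinet code), a Python model of the ADOM rules from the slides in this section: the normal/advanced adom-mode rule for FortiGate VDOMs, disk quota held per ADOM rather than per device, and the refusal to delete a custom ADOM that still has a device assigned. Device, VDOM and ADOM names and quota sizes are constructed.

```python
# Added example (not Fortinet code): a model of the ADOM rules above, that is,
# the global adom-mode (normal vs advanced) constraint on assigning FortiGate
# VDOMs to ADOMs, disk quota per ADOM, and the rule that an ADOM with devices
# still assigned cannot be deleted. Names and quota sizes are constructed.


class AdomRegistry:
    def __init__(self, mode="normal"):
        if mode not in ("normal", "advanced"):
            raise ValueError("adom-mode must be 'normal' or 'advanced'")
        self.mode = mode
        self.quota_gb = {}       # ADOM name -> disk quota (per ADOM, not per device)
        self.assignments = {}    # (device, vdom) -> ADOM name

    def create_adom(self, adom, quota_gb):
        if adom in self.quota_gb:
            raise ValueError(f"ADOM {adom!r} already exists")
        self.quota_gb[adom] = quota_gb

    def assign(self, device, vdom, adom):
        """Register one VDOM of a FortiGate into an ADOM, enforcing the mode rule."""
        if adom not in self.quota_gb:
            raise ValueError(f"ADOM {adom!r} does not exist")
        if self.mode == "normal":
            # Normal mode: the device and all of its VDOMs belong to one ADOM
            current = {a for (d, _), a in self.assignments.items() if d == device}
            if current and current != {adom}:
                raise ValueError(f"{device} is already in ADOM {current.pop()!r}; "
                                 "normal mode cannot split its VDOMs")
        self.assignments[(device, vdom)] = adom

    def delete_adom(self, adom):
        """Refuse to delete an ADOM while any device/VDOM is still assigned to it."""
        members = [d for (d, _), a in self.assignments.items() if a == adom]
        if members:
            raise ValueError(f"ADOM {adom!r} still has devices: {sorted(set(members))}")
        del self.quota_gb[adom]

    def adom_of(self, device, vdom):
        return self.assignments.get((device, vdom))

    def vdoms_in(self, adom):
        return sorted((d, v) for (d, v), a in self.assignments.items() if a == adom)
```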
Creating an ADOM
• Create new ADOMs if default ADOMs do not fit requirements
• Devices can be registered to their device-specific ADOMs only
• Disk quota configured per ADOM (not device)
• You cannot delete a custom ADOM if a device is still assigned to it

System Settings > All ADOMs
(Screenshot callouts: View configured ADOMs; Configure disk quota)

# diagnose dvm adom list
Security Fabric ADOM
• FortiAnalyzer has fabric ADOM
• Can contain all devices in a security fabric in the same ADOM
• Security fabric ADOM allows for:
• Fast data processing
• Log correlation
• Combines results to be presented in:
• Reports
• FortiView
• Incidents & Events/FortiSoC

System Settings > All ADOMs
Knowledge Check
1. Disk quota is assigned to the <fill in the blank>.
A. ADOM
B. Device
2. Which statement about ADOM advanced mode is true?
A. You must assign FortiGate and all of its VDOMs to a single ADOM.
B. You can assign FortiGate VDOMs from a single device to multiple FortiAnalyzer ADOMs.

RAID
Objectives
• Configure RAID
• Troubleshoot RAID
Protecting Log Information Through RAID
• RAID is a high-performance storage solution
• Stands for redundant array of independent disks
• Provides redundancy (a copy) of log data
• Different from a log backup
• Not supported on all models (check device specifications)
• Combines multiple equal-sized disk drives into a logical unit
• Data is distributed in different ways, determined by RAID level
• Requires multiple identical drives
• RAID is not a replacement for backing up your logs
• You should still make log backups even if you employ RAID
RAID Operation Types
• Basic RAID has two types of operation:
• Mirroring: Makes identical copies of the data on two (or more) separate physical drives
• Striping: Combines two or more drives into a single logical drive and stores data in chunks across
all drives
• Minimum RAID is a mirror or stripe of two drives
• Not all RAID versions behave the same way:
• Some do mirror only, others stripe only, others both, and some include parity (distributed)
• Some can handle one failed drive, others two
• Too many failed drives will result in the loss of all data

Configuring RAID Levels
• Not all FortiAnalyzer models support RAID
• Check the model specifications
• Supported RAID levels:
• Linear
• RAID 0
• RAID 1
• RAID 1 +spare
• RAID 5
• RAID 5 +spare
• RAID 6
• RAID 6 +spare
• RAID 10
• RAID 50
• RAID 60

System Settings > RAID Management
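As an added illustration (not Fortinet code), a Python function that computes, for N identical drives, the usable capacity and the number of simultaneous drive failures each RAID level in the list above is guaranteed to survive; it carries the mirroring, striping and parity descriptions from the previous slide through to every listed level, including the +spare variants. The minimum drive counts are generic RAID arithmetic, not model-specific FortiAnalyzer limits, and the drive sizes are constructed.

```python
# Added example (not Fortinet code): usable capacity and the number of drive
# failures each RAID level listed above is guaranteed to survive, for N
# identical drives. The minimum drive counts are generic RAID arithmetic,
# not model-specific FortiAnalyzer limits; drive sizes are constructed.

LEVELS = ["Linear", "RAID 0", "RAID 1", "RAID 1 +spare", "RAID 5", "RAID 5 +spare",
          "RAID 6", "RAID 6 +spare", "RAID 10", "RAID 50", "RAID 60"]


def raid_layout(level, drives, drive_size_tb=1.0):
    """Return (usable_tb, failures_tolerated, spare_drives) or raise ValueError."""
    spare = 1 if level.endswith("+spare") else 0   # hot spare holds no data
    base = level.replace("+spare", "").strip()
    n = drives - spare
    sets = 2                                       # nested levels: two sub-arrays
    if base in ("Linear", "RAID 0"):
        need, usable, tol = 1, n, 0                # concatenation/striping only
    elif base == "RAID 1":
        need, usable, tol = 2, 1, n - 1            # mirrors: all but one may fail
    elif base == "RAID 5":
        need, usable, tol = 3, n - 1, 1            # one drive of distributed parity
    elif base == "RAID 6":
        need, usable, tol = 4, n - 2, 2            # dual parity
    elif base == "RAID 10":
        need, usable, tol = 4, n // 2, 1           # stripe of 2-drive mirrors
    elif base == "RAID 50":
        need, usable, tol = 6, n - sets, 1         # stripe of RAID 5 sets
    elif base == "RAID 60":
        need, usable, tol = 8, n - 2 * sets, 2     # stripe of RAID 6 sets
    else:
        raise ValueError(f"unknown RAID level {level!r}")
    even_only = base in ("RAID 10", "RAID 50", "RAID 60")
    if n < need or (even_only and n % 2):
        raise ValueError(f"{level} needs at least {need + spare} drives"
                         + (" (even number of data drives)" if even_only else ""))
    return usable * drive_size_tb, tol, spare


def plan(drives, drive_size_tb=1.0):
    """Map every level the drive count can support to its (usable, tolerated, spare)."""
    out = {}
    for level in LEVELS:
        try:
            out[level] = raid_layout(level, drives, drive_size_tb)
        except ValueError:
            pass
    return out
```

The tolerance column is the worst-case guarantee: RAID 10 survives one failure for certain and more only if each loss lands in a different mirror pair, which is why the array is not fully fault tolerant again until a rebuild completes.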
RAID Levels 0, 1, 5, and 6
(Diagram: RAID 0 striping; RAID 1 mirroring; RAID 5 distributed parity; RAID 6 dual parity)

RAID Levels 10, 50, and 60
(Diagram: RAID 10 mirroring + striping; RAID 50 striping + distributed parity; RAID 60 striping + distributed double parity)
Viewing RAID Status
• View RAID disk status and disk usage
• Disk status states:
• Ready: Functioning normally
• Rebuilding: Writing data to a newly added hard drive to restore hard drive to an optimal state. Not fully fault tolerant until rebuilding is complete!
• Initializing: Writing to all the hard drives in the device in order to make the array fault tolerant
• Verifying: Ensuring the parity data of a redundant drive is valid
• Degraded: Hard drive is no longer being used by the RAID controller; the drive is no longer available to the operating system
• Inoperable: One or more drives are missing. Data in an inoperable state cannot be accessed!

System Settings > RAID Management
Viewing RAID Failures and Hot Swapping
• View RAID failures
System Settings > Dashboard > Alert Message Console
• Failure requires a disk replacement
• If FortiAnalyzer device supports:
• Hardware RAID: Can replace the disk while the FortiAnalyzer is still running (hot swapping)
• Software RAID: Recommended to shut down the FortiAnalyzer prior to exchanging the hard disk
(hot swapping is supported with hardware RAID only)

Diagnosing RAID
• You can check the RAID and disk status using the following commands

What to Investigate…                                              CLI Command to Use…
RAID status, including RAID level, RAID status, RAID size,        # diagnose system raid status
and hard disk information
RAID controller hardware information                              # diagnose system raid hwinfo
RAID alarm logs                                                   # diagnose system raid alarms
SMART information                                                 # diagnose system disk info
SMART health status                                               # diagnose system disk health
SMART error logs                                                  # diagnose system disk errors
Vendor specific SMART attributes                                  # diagnose system disk attributes
Knowledge Check
1. The RAID 10 level comprises what data format?
A. Dual Parity
B. Mirroring and striping
2. If a hard disk on a FortiAnalyzer that supports software RAID fails, what should
you do?
A. Hot swap the disk
B. Shut down FortiAnalyzer and replace the disk

Review
✓ Control or restrict administrative access using admin profiles, trusted hosts, and ADOMs
✓ Validate administrators using external servers
✓ Configure two-factor authentication
✓ Monitor FortiAnalyzer administrators, events, and tasks
✓ Monitor FortiGate administrator logins and activity
✓ Understand FortiAnalyzer HA configuration, synchronization, load balancing and firmware upgrade
✓ Enable and create ADOMs
✓ Configure RAID
✓ Troubleshoot RAID
