FCP_FAZ_AD-7.4 Administration

Administration Detailed Explanation

Administration in FortiAnalyzer involves managing user access, allocating resources, and maintaining the system to ensure its stability and security. Each aspect focuses on specific tasks critical for smooth operations.

4.1 User Management

User management defines who can access FortiAnalyzer, what they can do, and how their activities are monitored.

Role Assignment

1. Defining User Roles:

   • FortiAnalyzer provides predefined roles like:
     • Administrator: Full access to configure and manage the system.
     • Analyst: Limited access to view logs and generate reports.
   • Custom roles can also be created based on specific needs.

2. Assigning Access Permissions:

   • Role-based access control ensures that users can only perform tasks relevant to their role.
   • Example:
     • Analysts can only view logs but cannot modify system settings.

User Authentication

1. Two-Factor Authentication (2FA):

   • Enhances security by requiring two forms of identification to log in:
     • Something you know (password).
     • Something you have (authentication app or token).
   • To enable:
     • Configure FortiToken or third-party 2FA services.

2. Centralized Authentication with LDAP or RADIUS:

   • Centralized user management using external directories like:
     • LDAP (Lightweight Directory Access Protocol):
       • Connect FortiAnalyzer to your organization’s directory (e.g., Active Directory).
     • RADIUS (Remote Authentication Dial-In User Service):
       • Authenticate users based on RADIUS policies.

Audit Logs

1. Tracking User Activities:

   • FortiAnalyzer logs all user actions for accountability.
   • Example:
     • Viewing configuration changes, log searches, and system updates.

2. Monitoring Significant Changes:

   • Use audit logs to detect unauthorized changes or potential misuse.
   • Export logs for compliance or forensic analysis.

4.2 Administrative Domains (ADOMs)

Administrative Domains (ADOMs) are logical partitions that help organize and isolate data for different users or customers.

Purpose of ADOMs

1. Logical Isolation:

   • ADOMs allow separate management for:
     • Different departments within an organization.
     • Multiple customers in a managed service provider (MSP) environment.
   • Example:
     • HR and IT departments can have separate ADOMs to ensure data confidentiality.

2. Improved Scalability:

   • Supports managing multiple networks without interference.

ADOM Configuration

1. Create New ADOMs:

   • Assign devices to an ADOM to separate their logs and configurations.

2. Switch Between ADOMs:

   • Administrators can easily switch ADOM contexts to access specific data.

Cross-ADOM Management

1. Enable Resource Sharing:

   • Allow shared policies or reports across ADOMs if required.

2. Collaboration Between ADOMs:

   • Useful for teams working across multiple domains while maintaining isolation.

4.3 Disk and Backup Management

Disk and backup management ensures efficient use of storage and protects data from loss.

Disk Quota

1. Log Storage Quotas:

   • Allocate specific storage amounts to different devices or ADOMs to avoid overuse by a single source.
   • Example:
     • ADOM 1: 50GB
     • ADOM 2: 100GB

2. Quota Alerts:

   • Set alerts to notify administrators when a quota is nearing its limit.

Regular Backups

1. Automating Backups:

   • Schedule backups of configuration and logs to:
     • Remote servers (e.g., FTP, SFTP).
     • Cloud storage (e.g., AWS S3).
   • Example:
     • Backup system configuration weekly.

2. Disaster Recovery:

   • Use backups to restore system settings in case of failure or corruption.

Disk Monitoring

1. Monitor Disk Usage:

   • Check storage usage regularly to ensure the system operates efficiently.

2. Plan for Expansion:

   • Add storage capacity or clean up old logs if disk usage is high.

4.4 System Maintenance

System maintenance keeps FortiAnalyzer running optimally and up to date.

Firmware Updates

1. Check for Updates:

   • Regularly visit Fortinet's support portal for firmware updates.
   • Updates provide:
     • Security patches.
     • Performance improvements.
     • New features.

2. Backup Before Upgrading:

   • Always back up system configurations to avoid data loss in case of an update failure.

System Monitoring

1. Resource Monitoring:

   • Track key metrics like:
     • CPU usage: Ensure it’s within acceptable limits.
     • Memory usage: Avoid memory overloading.
     • Disk usage: Prevent disk overfill to ensure log storage continues.

2. Dashboard Tools:

   • Use FortiAnalyzer’s built-in monitoring tools to visualize system health.

Error Logs

1. Review System Error Logs:

   • Regularly check logs for issues such as:
     • Failed logins.
     • Disk errors.
     • Communication problems.

2. Quick Problem Resolution:

   • Address errors immediately to avoid system interruptions.

Conclusion

Administration is a critical aspect of FortiAnalyzer that ensures secure and efficient system operation. By managing users, organizing data with ADOMs, maintaining storage, and regularly updating the system, you can create a stable and scalable environment.

Administration (Additional Content)

1. User Activity Auditing

Why is this important?

• In enterprise environments, administrator actions can significantly impact system security.
• Logging and auditing user activities ensures accountability, forensic investigation, and compliance with industry regulations.
• If critical misconfigurations occur, audit logs can help track changes and identify responsible users.

Supplementary Details

1.1 User Operation Logs

• FortiAnalyzer automatically records user activity logs, including:

  • Configuration changes
  • Security policy modifications
  • User authentication events
  • Log searches and report generation

• Example scenario:

  • Administrator A logs in at 10:30 AM and modifies the log retention policy in the HR-Logs ADOM.

  • The audit log captures:

    User: AdminA
    Time: 10:30 AM
    Action: Modified ADOM HR-Logs retention policy
    

  • This record allows security teams to verify whether the change was authorized.

• Where to check user logs?

  • Navigate to System Settings > Log & Report > Admin Activity Log.
  • Use filters to search for specific activities by user, timestamp, or action type.

1.2 Configuration Rollback

• Purpose: Enables quick recovery from incorrect configurations, minimizing downtime and data loss.

• Rollback scenarios:

  • An administrator accidentally modifies a log storage policy, causing logs to be deleted prematurely.
  • Using the rollback function, the administrator restores the previous configuration, preventing further data loss.

• How to rollback a configuration?

  1. Navigate to System Settings > Configuration History.
  2. Select the previous configuration state before the misconfiguration.
  3. Click Rollback and confirm.

• Best practice:

  • Schedule automated backups of system configurations before making major changes.
  • Ensure only authorized administrators can perform rollbacks.

2. Account Security Policies

Why is this important?

• FortiAnalyzer stores and processes critical security logs.
• Weak user security policies can lead to unauthorized access and data breaches.
• Implementing strict account security measures helps prevent account compromise, privilege abuse, and insider threats.

Supplementary Details

2.1 Password Policy

To enhance account security:

• Enforce strong password requirements:
  • Minimum 12-character passwords.
  • Must include uppercase, lowercase, numbers, and special characters.
• Implement password expiration policies:
  • Require users to change passwords every 90 days.
  • Prevent reuse of the last 5 passwords.

2.2 User Lockout Policy

• Brute force protection:

  • Automatically lock user accounts after multiple failed login attempts.
  • Example:
    • 3 failed login attempts → Lock account for 30 minutes.
    • 5 failed attempts → Require admin intervention to unlock.

• How to enable account lockout?

  • Go to System Settings > Authentication.
  • Configure Failed Login Attempt Threshold and Lockout Duration.

2.3 Session Timeout Policy

• Why?

  • Prevents unauthorized access in shared or unattended environments.
  • Protects against session hijacking.

• How it works?

  • Automatically logs out inactive users after a set duration.
  • Example:
    • Admin sessions timeout after 15 minutes of inactivity.
    • Regular users timeout after 30 minutes.

• How to configure session timeouts?

  • Go to System Settings > Session Management.
  • Set Session Expiry Duration.

3. API Access and Automation Management

Why is this important?

• Large-scale environments require automation to manage logs efficiently.
• API-based automation reduces manual effort, ensuring faster operations and consistency.
• Security teams can use scripts for log analysis, report generation, and configuration enforcement.

Supplementary Details

3.1 API Access Control

• FortiAnalyzer provides REST API access for automated management.

• Use Cases:

  • Automated report generation:
    • Extract logs weekly and send reports via email.
  • Integration with SIEM systems:
    • Send logs to external security monitoring platforms.

• How to enable API access?

  1. Navigate to System Settings > Admin Settings.
  2. Enable REST API and generate API keys for authorized users.
  3. Assign API permissions based on the required level of access.

• Example API call (Retrieve log data):

  curl -X GET "https://<FortiAnalyzer_IP>/api/v2/logs/events" -H "Authorization: Bearer <API_KEY>"
  

3.2 Script Management

• Purpose:

  • Enables CLI or Python automation for routine administrative tasks.
  • Reduces human error and manual workload.

• Example automated task:

  • Weekly log cleanup script (Python):

    import requests
    
    FAZ_IP = "192.168.1.100"
    API_KEY = "your_api_key"
    
    headers = {"Authorization": f"Bearer {API_KEY}"}
    cleanup_url = f"https://{FAZ_IP}/api/v2/logs/cleanup"
    
    response = requests.post(cleanup_url, headers=headers)
    print(response.json())
    

  • Automated backup script:

    • Exports FortiAnalyzer settings to a secure location every night.

• Best Practices:

  • Restrict API key access to only authorized users.
  • Use scheduled cron jobs for automated scripts.
  • Encrypt API credentials to prevent unauthorized access.

Conclusion

These additional details enhance Administration by covering:

• User Activity Auditing (Ensuring accountability for administrator actions).
• Account Security Policies (Strengthening user authentication and preventing unauthorized access).
• API Access & Automation (Enabling efficient, large-scale log management and analysis).