
FCP_FAZ_AD-7.4 System configuration

System Configuration Detailed Explanation

System configuration in FortiAnalyzer is the essential foundation to ensure smooth operation and performance. This step involves setting up basic networking, enabling access, ensuring system synchronization, and configuring redundancy features like High Availability (HA) and RAID.

1.1 Initial Setup

This phase ensures that FortiAnalyzer is correctly integrated into your network and accessible for management.

Network Connectivity

FortiAnalyzer must have proper network connectivity to communicate with other devices and allow administrative access. Here’s how to configure it step by step:

  1. Management Interface IP Address:

    • Assign a static IP address to the management interface. Management access, log reception and HA all depend on this address, so it must not change; every FortiGate that logs to FortiAnalyzer is configured with it.
    • DHCP is possible but not appropriate for a log collector: a changed lease silently breaks every device that still sends logs to the old address.
  2. Default Gateway:

    • The default gateway is the next hop FortiAnalyzer uses to reach anything outside its local subnet (other internal networks, FortiGuard, the internet).
    • Example: if the local network is 192.168.1.0/24, the default gateway might be 192.168.1.1 (the router’s address).
  3. DNS Servers:

    • DNS servers resolve names (such as an NTP server or a FortiGuard hostname) to IP addresses. Configure two for redundancy.
    • Use your organisation’s internal resolvers where they exist. A public resolver such as 8.8.8.8 is a reasonable fallback for a lab, but in production it leaks internal lookups and bypasses internal DNS controls.
  4. Static Routes:

    • Add static routes for networks that are not reachable through the default gateway, for example when logging devices sit behind a different router.
    • Example: to reach 10.0.0.0/24 via gateway 192.168.1.254, add a static route with destination 10.0.0.0/24 and gateway 192.168.1.254.
Management Access

To manage FortiAnalyzer, you must enable and configure secure access protocols. Follow these steps:

  1. Enable Management Protocols:

    • Enable only encrypted protocols on the management interface:
      • HTTPS for web-based management.
      • SSH for command-line access.
      • Telnet and HTTP carry credentials in cleartext; leave them disabled. If HTTP must exist at all, enable redirection to HTTPS rather than serving the GUI over HTTP.
    • Administrative access is set per interface. Bind these protocols to the management interface only; interfaces that exist just to receive logs do not need GUI or SSH access.
  2. Access Control:

    • Restrict which source addresses can reach the management services. FortiAnalyzer does this per administrator account with trusted hosts: an account can only log in from the subnets listed on it.
    • Example: allow the admin account to log in only from 192.168.1.0/24.
    • Combine trusted hosts with a lockout threshold for failed logins and, where the network allows it, a dedicated management VLAN.
Time Configuration

Time synchronization is critical for accurate logging and reporting.

  1. NTP Server Configuration:

    • Configure Network Time Protocol (NTP) servers so that FortiAnalyzer’s clock stays accurate.
    • Configure at least two servers for redundancy, preferably the same internal time source the FortiGates use. Public examples:
      • time.google.com
      • pool.ntp.org
  2. Manual Time Synchronization:

    • If NTP is unavailable, the date and time can be set manually, but the clock will drift; treat this as a temporary measure.
  3. Importance of Accurate Time:

    • Logs are timestamped by the sending device and indexed by FortiAnalyzer using its own clock. If the two disagree, events land in the wrong time window, reports miss data and cross-device correlation breaks.
    • The FortiGate-to-FortiAnalyzer channel is TLS-protected, and a clock that is badly wrong can interfere with certificate validation on that channel, so bad time can stop logs from arriving at all.
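The initial-setup steps above, expressed as FortiAnalyzer CLI in one sequence. This is an added example, not configuration from the course page: the addresses follow the page's 192.168.1.0/24 scenario, while the interface name port1, the second DNS server, the admin account name and the lockout values are assumptions for the example.

```fortios
# FortiAnalyzer CLI, added example. "port1" as the management port,
# 1.1.1.1 as secondary DNS and the lockout values are assumptions.

# 1. Management interface: static address, encrypted management only.
#    HTTP and Telnet are deliberately absent from allowaccess.
config system interface
    edit "port1"
        set ip 192.168.1.10 255.255.255.0
        set allowaccess https ssh ping
    next
end

# 2. Default gateway, plus the page's static route to 10.0.0.0/24.
config system route
    edit 1
        set device "port1"
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.1.1
    next
    edit 2
        set device "port1"
        set dst 10.0.0.0 255.255.255.0
        set gateway 192.168.1.254
    next
end

# 3. DNS. Public resolvers only because the page uses them; prefer
#    internal resolvers in production.
config system dns
    set primary 8.8.8.8
    set secondary 1.1.1.1
end

# 4. NTP with two servers for redundancy.
config system ntp
    set status enable
    config ntpserver
        edit 1
            set server "time.google.com"
        next
        edit 2
            set server "pool.ntp.org"
        next
    end
end

# 5. Access control: the admin account may log in only from the
#    management subnet (trusted hosts), and repeated failures lock it out.
config system admin user
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
    next
end
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
end
```

After applying it, confirm reachability in the order the dependencies run: execute ping 192.168.1.1 for the gateway, execute ping of an address in 10.0.0.0/24 for the static route, then execute ping time.google.com, which exercises DNS and the default route together. Set trusted hosts from a session that is itself inside the trusted subnet, or the change will lock you out of the GUI.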

1.2 High Availability (HA)

High Availability ensures that FortiAnalyzer remains operational even if one node fails.

HA Purpose
  • Redundancy: removes the single point of failure in log collection; each secondary holds a synchronized copy of the configuration and the logs.
  • Failover: if the primary fails, a secondary takes over after the configured number of missed heartbeats. Failover is automatic but not instantaneous; FortiGates with reliable logging enabled queue their logs until the new primary accepts them.
HA Modes
  • FortiAnalyzer HA is active-passive: one primary unit receives logs and serves the GUI, and one or more secondary units synchronize from it. Secondaries are not load-balanced collectors.
  • Devices log to a cluster virtual IP (VIP) that follows whichever unit is primary, so FortiGate configuration does not change at failover.
  • "Distributed storage" is not an HA mode. To spread collection or storage across several units, use Collector-mode FortiAnalyzers forwarding to an Analyzer (see 1.4), not HA.
HA Configuration Steps
  1. Prepare the units identically: same model or VM size, same firmware, same disk/RAID layout, same ADOM setting and time source.
  2. Assign roles: designate one unit as primary and the other(s) as secondary; all members share a group name, group ID and password.
  3. Define the cluster VIP and the interface it lives on, and a dedicated heartbeat interface where possible. Configuration and log data are synchronized over the heartbeat link, so it should be a direct or isolated connection.
  4. Add each member as a peer on the other (IP address and serial number).
  5. Set priorities: the unit with the higher priority value is preferred as primary when the cluster forms or when the original primary returns (confirm the permitted range with the CLI help on your build).
HA Monitoring
  • Review HA status regularly to confirm that every member reports as synchronized.
  • Review the event log for role changes and heartbeat failures, and test failover in a maintenance window before relying on it.
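The configuration steps above as an active-passive pair in FortiAnalyzer CLI. This is an added example, not configuration from the course page. The addresses, group name, shared secret, serial number and the use of port2 as a dedicated heartbeat link are assumptions; the field names are those of the 7.x HA CLI as the editor recalls them, so confirm each with "set ?" inside config system ha on your build before applying.

```fortios
# FortiAnalyzer CLI, added example: active-passive HA pair.
# Addresses, names, serial and heartbeat port are assumptions; confirm
# field names with "set ?" on your firmware. Both units need the same
# firmware, disk/RAID layout and ADOM setting before HA is enabled.

# --- Primary unit (192.168.1.10): higher priority wins the election ---
config system ha
    set mode a-p
    set group-id 10
    set group-name "faz-ha"
    set password "<shared-secret>"     # identical on every member
    set preferred-role primary
    set priority 120                   # higher than the secondary
    set vip 192.168.1.20               # FortiGates log here; follows the primary
    set vip-interface "port1"
    set hb-interface "port2"           # heartbeat + sync on an isolated link
    set hb-interval 10
    set failover-threshold 3           # missed heartbeats before failover
    config peer
        edit 1
            set ip 192.168.1.11
            set serial-number "FAZ-VM0000000002"
        next
    end
end

# --- Secondary unit (192.168.1.11) ---
# Same group-id, group-name, password, vip, vip-interface, hb-interface,
# hb-interval and failover-threshold as above. Only these lines differ:
#     set preferred-role secondary
#     set priority 100
#     config peer / edit 1 / set ip 192.168.1.10
#                            set serial-number "<primary serial>"
```

Point every FortiGate at 192.168.1.20 (the VIP), never at a member's own address, or the first failover silently stops log collection. The password is a shared secret that authenticates cluster members to each other; generate it rather than reusing the admin password, since it ends up in both units' configuration backups.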

1.3 RAID Management

RAID (Redundant Array of Independent Disks) enhances data storage reliability and performance.

Purpose of RAID
  1. Redundancy:

    • Protects against data loss in case of disk failure.
    • Example: In RAID 1, data is mirrored across two disks, so if one fails, the other has a complete copy.
  2. Performance:

    • RAID configurations like RAID 0 improve read/write speeds by striping data across multiple disks.
Supported RAID Levels
  1. RAID 0 (Striping):

    • Data is split across disks for throughput only.
    • No redundancy: one failed disk loses the entire log store. Not appropriate for a device whose purpose is to retain evidence.
  2. RAID 1 (Mirroring):

    • Data is duplicated across two disks; one disk can fail without data loss.
    • Suitable for small appliances with two disks.
  3. RAID 5 (Distributed Parity):

    • Parity is spread across the disks; one disk can fail without data loss, at the cost of one disk of capacity. Requires at least three disks.
    • Rebuilds are slow on large disks, and a second failure during the rebuild loses the array.
  4. Other levels:

    • Larger appliances offer levels that survive more than one failure (RAID 6, 10, 50, 60). Which levels are available depends on the model and disk count; check the hardware guide.
RAID Configuration
  1. Set the RAID level from the GUI (System Settings > RAID Management) or the CLI. Changing the level rebuilds the array and erases all stored logs, so decide at deployment time and back up first.
  2. Monitor disk health regularly (the RAID Management page, or diagnose system raid status on the CLI):
    • Watch for a degraded state and replace failed disks promptly; a degraded RAID 1 or RAID 5 array has no redundancy left.
    • On models with hot-swap bays the replacement disk is rebuilt into the array automatically; confirm the rebuild completes.

1.4 FortiAnalyzer Core Concepts

Understanding the basic concepts of FortiAnalyzer helps you operate the system effectively.

Operational Modes
  1. Analyzer Mode (default):

    • Collects logs, indexes them into the Analytics database, and provides reports, event handlers, FortiView and incident management.
    • Can also receive logs forwarded or fetched from Collectors.
  2. Collector Mode:

    • Only receives and stores logs (no indexing, reports or event handling), so a unit of the same size sustains a higher log rate.
    • Forwards the logs to an Analyzer with log forwarding, or the Analyzer retrieves them on a schedule with log fetching. Typical design: one Collector near the devices in each site, one central Analyzer.
Key Features
  1. Log Storage:

    • Handles high volumes of logs from FortiGate and other devices efficiently.
  2. Report Generation:

    • Provides comprehensive reports on network activity, security events, and trends.
  3. Event Management:

    • Tracks real-time security events for immediate analysis and action.

Conclusion

By mastering the basics of System Configuration, including initial setup, network access, time synchronization, HA, RAID, and operational concepts, you can confidently set up and manage FortiAnalyzer. These steps ensure a robust foundation for collecting, analyzing, and reporting on logs efficiently.

System Configuration (Additional Content)

1. Device Registration and ADOM (Administrative Domain) Configuration

Why is this important?

  • FortiAnalyzer uses ADOM (Administrative Domains) to manage multiple devices such as FortiGate, FortiWeb, and FortiMail.
  • Proper registration and assignment of devices to the correct ADOM ensure efficient log management and data isolation.
  • ADOMs allow administrators to segment and manage logs separately for different business units, departments, or customers.

Supplementary Details

1.1 Enabling ADOMs
  • ADOMs are disabled by default on FortiAnalyzer; while they are disabled, every registered device lands in the single root ADOM.
  • To enable ADOMs:
    1. From the GUI: System Settings > Dashboard, System Information widget, set Administrative Domain to Enabled.
    2. From the CLI: config system global, set adom-status enable, end.
    3. The change takes effect immediately; no service restart is required.
  • Once ADOMs are enabled, create an ADOM per tenant or business unit and assign devices to it. Each device (or, for a FortiGate, each VDOM) is assigned to one ADOM, and that ADOM’s quota and data policy govern its logs.
1.2 Registering Devices
  • Devices must be registered (authorized) in FortiAnalyzer before their logs are accepted and indexed. A FortiGate that already points at FortiAnalyzer but has not been authorized appears in Device Manager as an unregistered device waiting for approval.

  • Steps to register a device:

    1. Go to Device Manager in FortiAnalyzer (select the target ADOM first if ADOMs are enabled).
    2. Either authorize a device that has already connected, or click Add Device and specify:
    • Device Type (FortiGate, FortiWeb, FortiMail, etc.).
    • Device Serial Number (for manual registration; the serial number is what FortiAnalyzer matches when the device connects).
    • Management IP address (if applicable).
    • ADOM Assignment (the ADOM whose quota and data policy will govern this device’s logs).
    3. Configure the FortiGate (or other device) to send logs to FortiAnalyzer.
  • Configuring Log Forwarding on FortiGate:

    1. Log in to the FortiGate CLI.

    2. Point logging at FortiAnalyzer (use the HA virtual IP if FortiAnalyzer is clustered):

    config log fortianalyzer setting
        set status enable
        set server <FortiAnalyzer_IP>
        set upload-option realtime
        set reliable enable
    end
    
    3. Run execute log fortianalyzer test-connectivity on the FortiGate. If it reports the device as unregistered, authorize it in FortiAnalyzer’s Device Manager and run the test again.
1.3 Managing ADOMs
  • ADOMs allow the logical separation of logs for different business units or managed services.
  • Best practices for ADOM usage:
    • Create separate ADOMs for different business departments (e.g., Finance-ADOM, HR-ADOM).
    • Set access permissions so that users can only access the ADOMs relevant to their department.
    • Define storage policies for each ADOM to control how long logs are retained.
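The whole onboarding sequence from this section in one place, as an added example rather than configuration from the course page: enabling ADOMs on FortiAnalyzer, then configuring a FortiGate to log to it, including the log-category filter that the FAQ below identifies as a common cause of missing logs. The FortiAnalyzer address 192.168.1.10 follows the page's scenario; the severity and category choices are assumptions for the example.

```fortios
# Part 1, FortiAnalyzer CLI: enable ADOMs. Effective immediately, no restart.
config system global
    set adom-status enable
end
# Then create the ADOM and register (or authorize) the FortiGate into it
# from Device Manager before expecting its logs to be indexed.

# Part 2, FortiGate CLI: send logs to FortiAnalyzer (192.168.1.10, or the
# HA virtual IP if FortiAnalyzer is clustered).
config log fortianalyzer setting
    set status enable
    set server "192.168.1.10"
    set upload-option realtime     # stream as generated, not in batches
    set reliable enable            # queue until FortiAnalyzer acknowledges
end

# Part 3, FortiGate CLI: choose what is forwarded. "status enable" alone is
# not enough if the filter excludes the categories you are looking for.
# Severity is a floor: "information" forwards traffic logs; "warning"
# would silently drop them.
config log fortianalyzer filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
end

# Part 4, FortiGate CLI: verify. The output shows the FortiAnalyzer host,
# whether this device is registered, and log Tx/Rx counters. "unregistered"
# means step 1's authorization in Device Manager is still outstanding.
execute log fortianalyzer test-connectivity
```

Keep the filter explicit in your golden configuration: a FortiGate restored from a template that sets severity to warning will connect, register and report healthy counters while forwarding no traffic logs at all, which is exactly the failure the FAQ describes.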

2. Log Storage Management

Why is this important?

  • FortiAnalyzer primarily serves as a log storage and analysis system, but storage space is limited.
  • Implementing an effective log storage strategy prevents data loss, optimizes performance, and ensures compliance.

Supplementary Details

2.1 Log Storage Policies
  • FortiAnalyzer keeps each log in two forms: indexed Analytics data (the SQL database that reports, FortiView and event handlers query) and compressed Archive files (the raw logs, kept for compliance and for re-indexing). Both are governed per ADOM.
  • Data Policy (retention): set, per ADOM, how many days logs stay in Analytics and how many days they stay in Archive. Archive retention is typically the longer of the two, because archived logs are cheap to keep.
    • Example:
      • Security and audit ADOM: 90 days Analytics, 365 days Archive.
      • General traffic ADOM: 30 days Analytics, 90 days Archive.
  • Disk Utilization (quota): set, per ADOM, the maximum disk space and the Analytics:Archive split. When either the retention period or the quota is exceeded, the oldest logs are removed first, so a quota that is too small silently shortens the retention you configured.
  • Compression and cleanup: Archive logs are stored compressed by FortiAnalyzer; there is no separate compression feature to enable. Space is reclaimed by the retention and quota enforcement above, which runs automatically, not by a manually scheduled cleanup job.
2.2 Log Transmission Methods
  • The transport depends on what is sending the logs, and the choice affects both reliability and confidentiality:
    1. FortiGate to FortiAnalyzer: OFTP (Optimized Fabric Transfer Protocol)
    • Fortinet’s own protocol, carried over TCP port 514 and protected with TLS. This is the default and only channel from FortiGate to FortiAnalyzer; it is not UDP syslog.
    • Because it is TCP, lost segments are retransmitted. Enabling reliable logging on the FortiGate additionally keeps logs queued until FortiAnalyzer acknowledges them, so a short outage does not lose events.
    • Firewalls between the two must permit TCP/514 from the FortiGate to the FortiAnalyzer address (and to the HA VIP, if clustered).
    2. Syslog over UDP (third-party senders, or a FortiGate logging to a syslog server)
    • UDP port 514 by default; fast and stateless, but datagrams lost in transit are gone and the stream is cleartext.
    • Acceptable on a quiet, trusted local segment; not acceptable across untrusted networks or for evidence-grade logging.
    3. Syslog over TCP (reliable syslog)
    • TCP transport with message framing (RFC 6587); delivery is acknowledged and logs survive congestion, at the cost of a persistent connection per sender.
    • Use it, with TLS where the collector supports it, whenever a non-Fortinet device must log to FortiAnalyzer or a FortiGate must log to a non-Fortinet collector.
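The UDP-versus-TCP trade-off above is a real choice on FortiGate's syslog output, so that is where to demonstrate it. The following is an added example, not configuration from the course page: the weak setting beside its corrected form, on a FortiGate logging to an assumed syslog collector at 192.168.1.50.

```fortios
# FortiGate CLI, added example. The collector address is an assumption.

# Weak: plain UDP syslog. Lost datagrams are never retransmitted and the
# stream is cleartext on the wire.
config log syslogd setting
    set status enable
    set server "192.168.1.50"
    set mode udp
    set port 514
end

# Corrected: reliable syslog over TCP (RFC 6587 framing). Delivery is
# acknowledged and survives brief congestion. Still port 514, but TCP now,
# so the path firewall rule changes too. Encrypt the session (the
# enc-algorithm setting, where the collector supports TLS) or carry it
# over an IPsec tunnel; reliable by itself does not add confidentiality.
config log syslogd setting
    set status enable
    set server "192.168.1.50"
    set mode reliable
    set port 514
end

# For comparison: the FortiAnalyzer channel is OFTP over TCP/514 with TLS
# regardless of the above. "set reliable enable" under
# "config log fortianalyzer setting" makes delivery on that channel
# acknowledged (logs are held until FortiAnalyzer confirms receipt); it
# does not switch transports.
```

Check the result with get log syslogd setting and, on the collector side, watch for a persistent TCP/514 session from the FortiGate rather than a stream of UDP datagrams. If the collector only speaks UDP, the reliable setting produces no logs at all, which is a better failure than silent loss but still needs to be caught in testing.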
2.3 Storage Optimization
  • RAID Configuration:
    • Provides redundancy and throughput for the internal disks; see 1.3.
    • On a FortiAnalyzer VM, capacity is added by attaching additional virtual disks and extending the log volume, not by changing RAID.
  • Moving Logs Off-Box:
    • FortiAnalyzer’s own mechanisms for getting logs off the local disks are log rolling (upload of rolled Archive logs to an FTP, SFTP or SCP server), scheduled backups, and log forwarding to another FortiAnalyzer or to a syslog/CEF collector. Use these for long-term retention; the local disk then only has to hold the Analytics window plus the Archive days you need online.
    • Whether a particular model or version can mount external network storage for live logs is model-specific; check the release notes and hardware guide before designing around it.
    • To configure log rolling to a remote server:
      1. On the CLI, enter config system log settings, then config rolling-regular (the GUI exposes the same options under the log settings).
      2. Enable upload, choose the server type (FTP, SFTP or SCP), the server address, credentials and target directory, and set the roll schedule or file-size trigger.
      3. Confirm that the first rolled file arrives and can be read back before relying on it, and restrict the upload account to write-only on the target directory.

3. Device Log Troubleshooting

Why is this important?

  • If FortiGate and FortiAnalyzer fail to communicate, logs may be lost, affecting security monitoring and forensic analysis.
  • Troubleshooting log reception issues ensures reliable log collection and compliance.

Supplementary Details

3.1 Checking Whether Logs Have Reached FortiAnalyzer
  • Start on the FortiGate, because it knows whether FortiAnalyzer accepted its connection. The connectivity test reports the OFTP session state, whether the device is registered (authorized), and log Tx and Rx counters:

    execute log fortianalyzer test-connectivity
    
    • Connected and registered with counters increasing: the channel works. If logs are still missing from reports, look at the FortiGate log filter, and at ADOM assignment and quota on the FortiAnalyzer side.
    • Connected but unregistered: authorize the device in Device Manager.
    • Not connected: a network or TLS problem; continue with 3.2.
  • To generate sample log messages in every category (traffic, event, UTM) and watch the counters move, run on the FortiGate:

    diagnose log test
    
    • This is a FortiGate command, not a FortiAnalyzer one. The test entries should appear in FortiAnalyzer Log View within seconds of being sent.
  • The FortiGate’s local logs can be viewed with execute log filter followed by execute log display, but local logs only prove that the FortiGate generated events, not that they were delivered.
  • On FortiAnalyzer, confirm that logs are arriving and being attributed to the right device with diagnose fortilogd lograte (current receive rate) and diagnose log device (per-device disk use against its allocated quota).
3.2 Common Log Collection Issues
  1. Incorrect FortiGate Configuration
  • Ensure the FortiGate points at FortiAnalyzer (or the HA VIP) and that the categories you expect are not filtered out:

    config log fortianalyzer setting
        set status enable
        set server <FortiAnalyzer_IP>
    end
    config log fortianalyzer filter
        set severity information
    end
    
  • In the GUI the same settings are under Log & Report > Log Settings. A minimum severity above information (for example, warning) silently drops traffic logs, which is the most common "logs are missing" cause after a successful connection.

  2. Firewall Blocking Log Traffic
  • FortiGate sends logs to FortiAnalyzer over OFTP on TCP port 514 (TLS), not UDP 514; UDP 514 is plain syslog.

  • Ensure every firewall in the path allows TCP/514 from the FortiGate to the FortiAnalyzer address (and to the HA VIP, if clustered).

  • To check whether the traffic leaves the FortiGate, run the sniffer there with a filter on the FortiAnalyzer address (verbosity 4 prints headers with interface names; 10 packets; absolute timestamps):

    diagnose sniffer packet any 'host <FortiAnalyzer_IP> and tcp port 514' 4 10 a
    
  • Run the equivalent sniffer on FortiAnalyzer. SYNs leaving the FortiGate that never arrive at FortiAnalyzer mean something in between is dropping TCP/514; SYNs arriving with no SYN-ACK mean the address is not the one FortiAnalyzer is serving (wrong interface address, or a secondary HA unit rather than the primary).

  3. Insufficient Disk Space or Quota on FortiAnalyzer
  • Logs are dropped when the device’s ADOM is out of quota, not only when the whole disk is full.

  • Check overall disk use, then per-device used versus allocated space:

    get system status
    diagnose log device
    
  • Solution:

    • Raise the ADOM quota or shorten its data policy so that retention enforcement frees space; adding physical or virtual disk does not change an ADOM’s quota by itself.
    • Move long-term retention off-box with log rolling or backups, and forward only the categories you need from high-volume sources.
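The checks from 3.1 and 3.2 in the order a practitioner runs them, on both sides of the channel. This is an added example, not part of the course page; 192.168.1.10 is the FortiAnalyzer address from the page's scenario, and the packet count of 10 is an arbitrary choice for the sniffer.

```fortios
# Added example. FortiAnalyzer is at 192.168.1.10 (page scenario).

# ===== On the FortiGate =====
# 1. Is the OFTP session up, is this device registered, and is
#    FortiAnalyzer acknowledging logs (Tx/Rx counters)?
execute log fortianalyzer test-connectivity

# 2. Generate sample logs in every category, then re-run step 1 and
#    confirm the Tx counter increased.
diagnose log test

# 3. Is anything leaving toward FortiAnalyzer? OFTP is TCP/514, not UDP.
#    Verbosity 4 prints headers with interface names; 10 packets;
#    "a" gives absolute timestamps.
diagnose sniffer packet any 'host 192.168.1.10 and tcp port 514' 4 10 a

# ===== On the FortiAnalyzer =====
# 4. Does the same TCP/514 traffic arrive? FortiGate shows SYNs but nothing
#    arrives here: the path is dropping TCP/514. SYNs arrive but get no
#    SYN-ACK: this unit is not serving that address (check the interface,
#    or whether it is the HA primary).
diagnose sniffer packet any 'tcp port 514' 4 10

# 5. Is the log stream being received and counted?
diagnose fortilogd lograte

# 6. Disk and quota: overall usage first, then per-device used versus
#    allocated space. A device at its allocation is being dropped even
#    when the disk as a whole has room.
get system status
diagnose log device
```

Read the two sniffer captures side by side: the FortiGate capture answers "did I send it", the FortiAnalyzer capture answers "did it get here", and the connectivity test answers "was it accepted". Those three answers locate the fault in the FortiGate configuration, the network path, or FortiAnalyzer's registration and quota state respectively, which is the same split the three issues above follow.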

Conclusion

These additional details enhance System Configuration by addressing:

  • Device Registration and ADOM Configuration (Ensuring devices are correctly added and managed in FortiAnalyzer).
  • Log Storage Management (Defining storage strategies, transmission methods, and external storage options).
  • Device Log Troubleshooting (Identifying and resolving common log reception issues).

Frequently Asked Questions

Why is FortiAnalyzer not receiving logs from a FortiGate even though the device has been added successfully?

Answer:

Because log forwarding is not enabled or the FortiGate is not configured to send logs to FortiAnalyzer.

Explanation:

Adding a device to FortiAnalyzer only registers it for management and log correlation. The FortiGate must explicitly forward logs to FortiAnalyzer. This is configured on FortiGate under Log & Report → Log Settings where FortiAnalyzer logging must be enabled and the FAZ IP specified. Network reachability and proper authorization (device registration) must also be verified. A common mistake is assuming device discovery automatically enables log forwarding. Administrators should also confirm that log categories (traffic, event, UTM) are enabled. If logging is configured but still failing, verify connectivity and authentication status under the FortiAnalyzer Device Manager.

Demand Score: 82

Exam Relevance Score: 88

What is the difference between disk quota and ADOM quota in FortiAnalyzer?

Answer:

Disk quota defines total storage allocation, while ADOM quota limits how much of that storage a specific ADOM can use.

Explanation:

FortiAnalyzer divides storage into logical allocations to manage logs efficiently. The system disk quota determines the total log storage available on the device. Within that storage, ADOM quotas allocate portions to individual administrative domains. This prevents one domain from consuming all storage. When an ADOM reaches its quota, older logs are automatically deleted based on the configured retention policy. Administrators often misunderstand this relationship and assume increasing system disk space automatically increases ADOM capacity. In reality, ADOM quotas must also be adjusted manually to reflect the new allocation.

Demand Score: 70

Exam Relevance Score: 84

How can an NTP mismatch between FortiAnalyzer and FortiGate affect log analysis?

Answer:

It can cause incorrect timestamps, making logs appear out of order or outside expected time ranges.

Explanation:

FortiAnalyzer correlates logs using timestamps. If the FortiGate and FortiAnalyzer clocks are not synchronized, the received logs may appear in the wrong time window. This can result in incomplete reports, missing data during investigations, and difficulty correlating events across multiple devices. For example, if the FortiGate clock is ahead by several minutes, its logs may appear in the future relative to the analyzer's system time. The best practice is to configure both devices to use the same NTP server. Time synchronization ensures accurate event correlation and consistent reporting.

Demand Score: 64

Exam Relevance Score: 78

What configuration step is required on FortiAnalyzer before FortiGate devices can send logs?

Answer:

The FortiGate must be authorized and added to the correct ADOM on FortiAnalyzer.

Explanation:

FortiAnalyzer uses Administrative Domains (ADOMs) to logically separate devices and logs. When a FortiGate attempts to send logs, FortiAnalyzer checks whether the device is registered and assigned to an ADOM. If the device is not authorized, logs may be rejected or remain unprocessed. Administrators must add the device through Device Manager and assign it to the appropriate ADOM. Authorization ensures secure device management and proper log indexing. A frequent issue occurs when administrators forget to authorize newly discovered devices after enabling log forwarding.

Demand Score: 68

Exam Relevance Score: 85
