FAZ Training v6 - 20200310
Uploaded by Mos Chang

FortiAnalyzer (FAZ) - Training

Comprehensive Logging, Analyzing and Reporting

Kevin Yang
Technical Consultant
[email protected]
© Copyright Fortinet Inc. All rights reserved.
Course Prerequisite

• Network basics and operational experience.
• Experience using security products.
• Experience using Fortinet products.

The course will help you:

• Develop the skills to describe the features of FortiAnalyzer.
• Develop the knowledge to manage the day-to-day configuration, monitoring, and operation of FortiAnalyzer devices to support corporate network security policies.
LAB Requirement

• Remote Virtual Lab
• Laptops (with wireless network)
• Network LAN cable
• Chrome browser
• FortiClient application installed
• Internet connection
Agenda - Lesson

• What’s FAZ – Basic Lesson 101
• What’s New in FAZ
• Logs concepts & SQL for FAZ
• Log View & FortiView & SOC
• Model, Sizing & Debugging: Size & Debug FAZ
• Reports, Datasets & Charts: Understanding Event Management & Reports, Datasets and Charts
Overview - What’s FortiAnalyzer

• FortiAnalyzer is an integrated network logging, analysis, and reporting platform
• Centralizes functions for:
  » Security log analysis / forensics
  » Graphical reporting
  » Content archiving / data mining
Key Features

• Centralized log repository, including FortiAnalyzer supported devices
• Log storage capacity
• Reports
• Alerts
• Content archive
Key Features
Centralized log repository features

• Aggregates log data from one or more Fortinet devices
• Collects logs from any supported Fortinet device it is configured to monitor
• Creates a single view of security events taking place on a range of devices
Key Features
Feature Support (table, R 6.2.3)
Key Features
Log storage capacity

• Receives and stores large volumes of logs
• Primary purpose is to store logs
• Shares a common hardware and software platform with FortiManager
  » FortiManager has all the FortiAnalyzer web-based manager tabs available, but log volumes are limited (its primary purpose is not log collection)
  » FortiAnalyzer has only the logging and reporting specific web-based manager tabs and fewer rate restrictions than FortiManager
Key Features
Reports

• Provides network-wide reporting of events, activities, and trends occurring on supported devices:
  » FortiGate, FortiCarrier, FortiCache, FortiDDoS, FortiMail, FortiSandbox, FortiWeb
• Network knowledge can be archived, filtered, and mined for compliance or used for historical analysis purposes
• Includes a large collection of predefined reports plus customization
• Reports can be scheduled or run ad hoc
Key Features
Alerts

• Allow IT administrators to more quickly identify and react to network security threats
  » Administrators can find configured alerts for managed devices on the Event Management tab
  » Alerts specifically related to the FortiAnalyzer itself are found on the dashboard (Alert Message Console widget)
• Administrators can send alerts through:
  » Email
  » SNMP
  » Syslog
Key Features
Content Archive

• Provides a method of simultaneously logging and archiving copies of content transmitted over the network
  » Email (IMAP/S*, POP3/S*, SMTP/S*)
  » FTP
  » NNTP
  » Web traffic (HTTP/S*)
  » S* = requires SSL content scanning and inspection
• Allows full or summary (default) archives
  » Full archiving requires more than double the original data in bandwidth
• Uses data filtering to track and locate specific email or to examine the contents of archived files
Administrative Domains (ADOMs)

• ADOMs let an administrator constrain other administrators’ access privileges to a subset of devices in the device list
  » Virtual Domains (VDOMs), a feature of FortiGate, further restrict access
• ADOMs are not enabled by default (enable them via the web-based manager or CLI)
• Admins assign devices to ADOMs and administrators to ADOMs
• Once enabled, the Device Manager, FortiView, Event Management and Reports tabs are displayed per ADOM
Summary - Key Features of FortiAnalyzer

• Device logs aggregation and management
• Security log analysis / forensics
• Network analysis
• Content archiving / quarantine
• Alerts management
• Admin partitions (ADOMs)
• Graphical reporting
Operation Modes

• FortiAnalyzer operates in two modes
  » Analyzer (default)
  » Collector
• Know your network topology prior to selecting one or more FortiAnalyzer appliances
• You can change the mode of operation in the web-based manager under
  » System Settings > Dashboard > System Information widget

Logging and reporting workflow (diagram)
Scalability
New FortiAnalyzer Storage Model (diagram)

Diagram labels: FortiGates, etc. -> FortiAnalyzers (Collector Mode) -> FortiAnalyzer (Analyzer Mode); Analytics Logs (SQL insertion) and Archived Logs (compressed 8:1) governed by a DATA & COMPLIANCE POLICY (90 DAYS / 365 DAYS); SIEM and FortiAnalyzer (Fetch Client) as consumers.
Operation mode: Analyzer Mode

• Analyzer (default mode)
  » Acts as central log aggregator for one or more collectors

Network topology: Analyzer Mode
• Network topology example of a FortiAnalyzer device in Analyzer mode (diagram)

Operation mode: Collector

• Collects logs from multiple devices
  » Forwards logs for selected devices
  » Event Management and Reporting tabs are disabled

Network topology: Collector Mode
• Network topology example of a FortiAnalyzer device in Collector mode (diagram)

FortiAnalyzer HA: Typical FortiAnalyzer Cluster (diagram)
FortiAnalyzer HA: Configuration HA Master (screenshot)
FortiAnalyzer HA: Configuration HA Slave (screenshot)
FortiAnalyzer HA: Successful Configuration (screenshot)
Database Language Support

• FortiAnalyzer supports Structured Query Language (SQL) logging and reporting
• Log data is inserted into SQL databases for log view and report generation
• Both local and remote SQL databases are supported (before 5.2)
• Knowledge of SQL is required for creating custom reports
FGT – FAZ Communications

• FortiAnalyzer listens on TCP/514 for:
  » Device registration of FortiGate units
  » Remote access to quarantine, logs and reports from a FortiGate unit
• When enabling logging to a FortiAnalyzer using FortiGate’s GUI, encryption is enabled by default (diagram: ISAKMP / ESP)
FGT – FAZ Communication

• The Optimized Fabric Transfer Protocol (OFTP) is used over SSL when information is synchronized between FortiAnalyzer and FortiGate.
  » OFTPS is the default setting for securing communications between FortiGate and FortiAnalyzer.
  » OFTP listens on ports TCP/514 and UDP/514.
• SSL communications are auto-negotiated between FortiAnalyzer and FortiGate, so the oftpd server will use SSL-encrypted FTP only if the connecting FortiGate uses it.
• FortiAnalyzer’s encryption level must be equal to, or less than, FortiGate’s (the enc-algorithm default setting may vary; double-check the manual for every release).
  » FortiGate = “high-medium” (low-encryption models can only do the low level)
  » FortiAnalyzer = high
• The FortiAnalyzer setting is global and applies to all connecting FortiGates: if even one low-encryption FortiGate is in your network while the rest are high, you must set the FortiAnalyzer encryption level to low.
FGT – FAZ Communication

On FortiAnalyzer:
• To verify the current setting, enter the CLI command:
    get system global
• To change the level, enter the CLI command:
    config system global
        set enc-algorithm [high | medium | low]
    end

On FortiGate:
• To change the level, enter the CLI command:
    config log fortianalyzer setting
        set enc-algorithm [high | high-medium | low]
    end
FortiAnalyzer Series (table)

* Only restricted to the hardware platform performance (e.g. there are no software licensing limitations)

FortiAnalyzer VM-Series (table)

FortiAnalyzer VM-Series (Minimum System Requirements) (table, R 6.2.0)

• The collector sustained rate can be calculated by multiplying the analytic sustained rate by 1.5.
• This table does not take into account other hardware specifications, such as bus speed, CPU model, or storage type.
Agenda - Lesson: What’s New in FAZ
What’s New in FortiAnalyzer 6.0/6.2?

• New GUI
  » Updated, flat look & feel
  » Simplified navigation
• Scalability and Availability
  » FortiAnalyzer High Availability
• Near real-time logging
  » Provides flexibility for logs to be forwarded at a more granular frequency such as real-time, every minute or every five minutes
  » Security Fabric ADOM, UTM & Traffic Log correlation across the Security Fabric (6.2.0)
• Event Management
  » Incident Detection & Response
  » Incident Timeline in Incident Management (6.2.0)
  » New Threat Map (6.2.2)
• Real-time Visibility (FortiView)
  » Visualization improvements
  » Retrospective IOC - History Scan (6.2.0)
• Compliance & Reporting
  » Additional report types: PCI DSS, 360 Security Review, etc.
  » GDPR: masking user data based on a configured timeframe (6.2.2)
  » First predefined SD-WAN Report Template (6.2.2)
• NOC/SOC Dashboard
  » Purpose-designed dashboards for NOC/SOC operations (full screen mode)
  » Enhanced visualization for real-time activities and historical trends for analysts to effectively monitor network activities and security alerts
GUI in 5.2 (screenshot)
GUI in 5.4 (screenshot)
GUI in 5.6 (screenshot)
GUI in 6.2 (screenshot)
FortiAnalyzer – SOC / FortiView (screenshot)
FortiAnalyzer – FortiView (Compromised Hosts)

Diagram: FortiGuard TIDB sources: Machine Learning, Millions of Global Sensors, Web Crawlers, 200+ Threat Exchange, Hacker Sites/Forums, Community Submissions, Global Security Analysts. Indicators provided: Botnet C&C IPs, Malware Domains, Malware URLs.

FortiAnalyzer – SOC Dashboard (Monitors) (screenshot)
FortiAnalyzer – Incidents & Events (screenshot)
FortiAnalyzer – Storage Trending and Visualizations

System Settings -> Storage Info

Granular storage controls
• Ability to define analytics and archive (compressed) storage
• Predictive visualizations based on actual vs. maximum storage
• Instant view of storage stats relative to the number of days required (for compliance)
Resources

• Fortinet Document Library
  https://docs.fortinet.com/
• Fortinet Knowledge Base
  https://kb.fortinet.com/kb/microsites/microsite.do
• Fortinet Cookbook
  https://cookbook.fortinet.com/
• Fortinet Video Library
  https://video.fortinet.com/
• NSE Institute Technical Training Courses
  https://training.fortinet.com/course/index.php
LAB00 – Check the LAB environment configuration…
Open a browser connection to the SSLVPN POD host
https://60.250.130.68 (SDL Portal Public IP)
https://10.1.201.200 (Fortinet Intranet Lab Portal)

POD accounts (username : password): pod11 : pod11, pod12 : pod12, … pod29 : pod29, pod30 : pod30

Remote host connection information list
• Hosts and connection methods used in this session – install FortiClient

Or download the FortiClient program from the FortiClient website
http://www.forticlient.com/

Download! Install! Run!

Create a new SSLVPN profile
https://60.250.130.68 (SDL Portal Public IP)
https://10.1.201.200 (Fortinet Intranet Lab Portal)
60.250.130.68 or 10.1.201.200

Open FortiClient and connect to the SSLVPN for your POD
• Each POD allows one user to connect
  » From POD11 ~ 30, XX = POD number
  » ID: podxx
  » PW: podxx

SSLVPN connection complete
Each Pod IP is different! If your IP is wrong, please raise your hand!
Pod11 : 10.211.211.x
Pod12 : 10.212.212.x
…
Pod 30 : 10.230.230.x
LAB environment configuration (diagram)

OOB POD NETWORK: 10.10.2xx.0/24 (XX = POD number), GW 10.10.2xx.254 towards the Internet

Host            OOB int (Port1)      IntraLAN int (Port2)
FortiGate       10.10.2xx.99/24      192.168.1.99/24
FortiAnalyzer   10.10.2xx.87/24      192.168.1.87/24
FortiManager    10.10.2xx.136/24     192.168.1.136/24
WIN7            10.10.2xx.123/24     192.168.1.123/24

Other hosts: STUDENT LAPTOP 10.2xx.2xx.x (NAT to 10.10.2xx.254); FML Server fortinet.com.tw 10.10.201.88; AD + DNS 10.10.201.66; FSAE + DNS 10.10.201.67
OOB - All FGT / FAZ OOB IPs are already configured!!!

• All FGT IPs were pre-configured as below (XX = POD number):
  » Port 1: 10.10.2xx.99/24
  » GW: 10.10.2xx.254
  » DNS: 10.10.201.66 / 10.10.201.67
  » Allow PING / SSH / HTTP / HTTPS / FMG
• All FAZ IPs were pre-configured as below:
  » Port 1: 10.10.2xx.87/24
Step 1: Check your WIN7 OOB connection (PODXX_RDP_WIN7)

» WIN7 (use Windows Remote Desktop to connect to 10.10.2XX.123, XX = POD number)
  • Username: SDL
  • Password: 1qazXSW@
» Command prompt -> ipconfig -> check your IP / GW
  NIC1: IP __192.168.1.123/24__, GW __192.168.1.99__
  NIC2: IP __10.10.2XX.123/24__, GW ___NULL___
» Ping FGT OOB interface (10.10.2xx.99), OK or not _OK_, WHY_
» Ping FAZ OOB interface (10.10.2xx.87), OK or not _OK_, WHY_
» Ping Internet (168.95.1.1) from WIN7, OK or not _OK_, WHY_
» Use the web console to log in to FGT via SSL_VPN, OK or not _OK_
IntraLAN - All basic FGT settings are already done!!!

• All FGT IPs were pre-configured as below (XX = POD number):
  » Port 2: 192.168.1.99/24
  » GW: 10.10.2xx.254
  » DNS: 10.10.201.66 / 10.10.201.67
  » Allow PING / SSH / HTTP / HTTPS / FMG
• But you need to set up the FAZ IntraLAN IP:
  » Port 2: 192.168.1.87/24
LAB01 – FAZ Basic Setup …
• Language
• Interface
• Management
• Gateway
• Routing
• Time Zone
• License
• DNS (optional)
LAB01-0: Change the language
Web GUI

1. Web UI login; if you see the Traditional Chinese web console:
2. Select 【System Settings】
3. Select 【Admin Settings】
4. Select 【View Settings】 -> 【Language】; change Auto Detect to 【English】; select 【Apply】
5. Log in again (【Logout】 at the top right)
LAB01 – FAZ Basic Setup: Interface, Management, Gateway, Routing
LAB01-1:
Step 1: SSH to your FAZ (PODXX_RDP_WIN7)

» ssh to 10.10.2XX.87 (PuTTY is in Downloads), XX = POD number
  Username = admin
  Password =

LAB01-1:
Step 2: Test whether your FAZ can reach the Internet (PODXX_RDP_WIN7)

» Command: exec ping 168.95.1.1
» Why can't it reach the Internet?
Step 3-1a and 3-2a: Set your FAZ IntraLAN interface IP
Command line (PODXX_RDP_WIN7)

• All FAZ IntraLAN IPs are:
  » Port 2: 192.168.1.87/24
  » Allow PING / SSH / HTTP / HTTPS
  » GW: 192.168.1.99
  » DNS: 10.10.201.66 / 10.10.201.67
Step 3-1b: Set your FAZ IntraLAN interface IP
Web GUI

1. Web UI login
2. Select 【System Settings】
3. Select 【Network】
4. Select 【All Interfaces】
5. Select 【Port2】 and press 【Edit】, then set its IP:
   IP: 192.168.1.87/24
   Administrative Access: HTTP, HTTPS, PING, SSH
Step 3-2b: Set your FAZ Gateway
Web GUI

1. Web UI login
2. Select 【System Settings】
3. Select 【Network】; set the Port1 Default Gateway IP: 192.168.1.99
4. Test the FAZ network connection: exec ping 168.95.1.1
   OK, or not ______________
   WHY __________________
Step 3-2b: Set your FAZ Gateway (Routing Table)
Web GUI

1. Web UI login
2. Select 【System Settings】
3. Select 【Network】
4. Select 【Routing Table】
5. Create a new route:
   Destination 0.0.0.0/0
   Gateway 192.168.1.99
   Device port2
6. Test the FAZ network connection: exec ping 168.95.1.1
   OK, or not _____________
LAB01 – FAZ Basic Setup: Time Zone
Step 3-3: Set the system time
Web GUI

1. Web UI login
2. Select 【System Settings】
3. Select 【Dashboard】
4. Select 【System Time】; set Time Zone to (GMT+8:00) Taipei
   (Sync Interval could be set to 1 min to make sync quicker, then set back to 60 mins)
LAB01 – FAZ Basic Setup: License
Step 3-4: Import your license
Web GUI (PODXX_RDP_WIN7)

1. Web UI login
2. Select 【System Settings】
3. Select 【Dashboard】
4. Select 【License Information】 -> 【VM License】
5. Upload the device license
LAB02 – FAZ Device Management
Add your device to your FAZ
1. From FAZ manually
2. From FGT
Lab02
Step 0: Device Manager

1. Web UI login
2. Select 【Device Manager】
3. Four items you can find: Total, Unregistered, Log Status Down, Storage Used
4. Column settings: Device Name, IP Address, Platform, Logs
Step 1: Device Manager
Lab02 Option 1 – Add device from FAZ manually

1. Web UI login
2. Select 【Device Manager】
3. Select 【Add Device】
   • IP Address: 10.1.8.7
   • SN: FG800D3915800145
   • Device Name: FG800D
4. The Log indicator is a red light
Step 1: Device Manager
Lab02 Option 2 – Add device from FGT

1. Log in to FGT 10.10.2XX.99 with a browser
2. Select 【Log & Reports】
3. Select 【Log Settings】
4. Select 【Remote Logging and Archiving】 -> Send Logs to FortiAnalyzer/FortiManager
5. Set IP: 192.168.1.87
6. Set the upload option: Realtime
7. Press 【Test Connectivity】
8. Press 【Apply】 (you may disable Local Report to improve FGT performance)

Then, in the FAZ Device Manager (Total / Unregistered / Log Status Down / Storage Used):
1. Select 【Unregistered】
2. Tick the device, then press 【Authorize】
3. When the Authorize Device dialog appears, press 【OK】
4. Observe the Device Manager
5. The Log indicator is a green light
6. If the Log indicator is not green, why?
LAB03 – ADOM
Lab03-1
Enable ADOMs

1. Web UI login
2. Select 【System Settings】
3. Switch 【Administrators Domain】 to On
4. Press 【OK】 to confirm enabling ADOMs
5. The system logs out automatically; log in again
6. Select the 【root】 ADOM and enter it
Lab03-2
Create another ADOM

1. Web UI login
2. Select 【System Settings】
3. Enter 【All ADOMs】
4. Press 【Create New】
5. Configure the new ADOM:
   Name: Fortinet-HQ
   Type: FortiGate
   Device: 【FortiGate-VM】
   (you may need to tune the root ADOM to free disk quota for the new ADOM)
6. When you finish your ADOM settings, you will see the new ADOM in “All ADOMs”
Understanding Log Messages

FortiGate devices can record the following types and sub types of log:

Log Type        Entry information description                                  Sub Types
Traffic         Records traffic flow information, such as an HTTP/HTTPS       Local, Forward, Multicast, Sniffer
                request and its response, if any.
Security (UTM)  Records virus attacks and intrusion attempts                  AntiVirus, Application Control, Data Leak Prevention (DLP),
                                                                              Intrusion Prevention (IPS), Email Filter, Web Filter
Event           Records system and administrative events, such as             System, High Availability, Router, Endpoint Control, GTP,
                downloading a backup copy of the configuration, or            Virtual Private Network (VPN), WAD, Wireless, User
                daemon activities
Understanding Log Messages

Priority Levels

Level  Name          Description
0      Emergency     The system is unusable or not responding
1      Alert         Immediate action required. Used in security logs.
2      Critical      Functionality is affected
3      Error         An error exists and functionality could be affected
4      Warning       Functionality could be affected
5      Notification  Information about normal events
6      Information   General information about system operations. Used in event logs to record configuration changes.
Understanding Log Messages
Log Schema Structure - Logs are divided into Header and Body Fields

• Header: contains the date and time the log originated, log identifier, message identifier, administrative domain (ADOM), the log category, severity level, and where the log originated. These fields are common to all log types.

• Body: describes the reason why the log was created and actions taken by the FortiGate device to address it. These fields vary by log type.

Example log message:
date=2014-07-04 time=14:26:59 logid=0001000014 type=traffic subtype=local level=notice vd=vdom1 srcip=10.6.30.254 srcport=54705 srcintf="mgmt1" dstip=10.6.30.1 dstport=80 dstintf="vdom1" sessionid=350696 status=close policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=HTTP proto=6 app="Web Management" duration=13 sentbyte=1948 rcvdbyte=3553 sentpkt=9 rcvdpkt=9 devtype="FortinetDevice" osname="Fortinet OS" mastersrcmac=00:09:0f:67:6c:31 srcmac=00:09:0f:67:6c:31
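Added example (not from the training deck): a small Python parser for the key=value log format shown above. It splits a record into the header fields the slide lists and the type-specific body fields, maps the FortiGate level keyword to the priority number from the table, and runs a field filter over two records: the traffic record from the slide and a constructed admin-login event record (its logid is a placeholder).

```python
import re
from typing import Dict, List, Tuple

# Header fields named on the slide (date/time, log id, category, severity, origin).
# Everything else in a record is a body field that depends on the log type.
HEADER_FIELDS = ("date", "time", "logid", "type", "subtype", "level", "vd")

# Priority numbers from the table above; FortiGate writes level=notice for the
# "Notification" level, so both spellings are accepted.
PRIORITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "notification": 5, "information": 6,
}

# One key=value pair: the value is either double-quoted (may contain spaces,
# e.g. osname="Fortinet OS") or a bare run of non-space characters.
_PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value record into a dict (quotes stripped)."""
    fields: Dict[str, str] = {}
    for match in _PAIR_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def split_header_body(fields: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Separate the common header fields from the type-specific body fields."""
    header = {k: v for k, v in fields.items() if k in HEADER_FIELDS}
    body = {k: v for k, v in fields.items() if k not in HEADER_FIELDS}
    return header, body


def priority(fields: Dict[str, str]) -> int:
    """Numeric priority (0 = emergency ... 6 = information) of a parsed record."""
    return PRIORITY[fields["level"].lower()]


def filter_logs(records: List[Dict[str, str]], **criteria: str) -> List[Dict[str, str]]:
    """Keep records whose fields equal every criterion, e.g. type="event", user="admin"."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


# The traffic record from the slide, joined onto one line.
TRAFFIC_LOG = (
    'date=2014-07-04 time=14:26:59 logid=0001000014 type=traffic subtype=local '
    'level=notice vd=vdom1 srcip=10.6.30.254 srcport=54705 srcintf="mgmt1" '
    'dstip=10.6.30.1 dstport=80 dstintf="vdom1" sessionid=350696 status=close '
    'policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop '
    'service=HTTP proto=6 app="Web Management" duration=13 sentbyte=1948 '
    'rcvdbyte=3553 sentpkt=9 rcvdpkt=9 devtype="FortinetDevice" osname="Fortinet OS" '
    'mastersrcmac=00:09:0f:67:6c:31 srcmac=00:09:0f:67:6c:31'
)

# A constructed event record (admin login) in the same format; the logid is a
# placeholder, not a real FortiGate message id.
EVENT_LOG = (
    'date=2014-07-04 time=14:30:12 logid=0000000000 type=event subtype=system '
    'level=information vd=vdom1 user="admin" ui="https(10.6.30.254)" action="login" '
    'status=success msg="Administrator admin logged in successfully"'
)

SAMPLE_RECORDS = [parse_log(TRAFFIC_LOG), parse_log(EVENT_LOG)]


def admin_logins(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Event records that record an admin login (the kind of query Lab05-3 asks for)."""
    return filter_logs(records, type="event", user="admin", action="login")


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        header, body = split_header_body(rec)
        print(f"{header['type']}/{header['subtype']} priority={priority(rec)} "
              f"header={len(header)} body={len(body)} fields")
    print("admin logins:", len(admin_logins(SAMPLE_RECORDS)))
```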
FortiAnalyzer and SQL
• FortiAnalyzer uses the internal PostgreSQL or external MySQL databases to store the log data generated by the FortiGate
  » Logs are received in binary format and normalized into raw logs
  » Individual raw logs for each device and log type are created

P.S. Starting with FortiAnalyzer software versions 5.0.7 and 5.2.0, remote SQL database support will only cover the insertion of log data into the remote MySQL database. Historical log search and reporting capabilities, which rely on the remote SQL data, will NO longer be supported.

Logging and reporting workflow (diagram)
Log Processing Flow
Stand Alone Deployment

>>> Log Processing Flow >>>

FORTIGATE
• fortilogd: forwards logs to FortiAnalyzer

FORTIANALYZER
• fortilogd
  1. Accepts inbound real-time logs
  2. Creates raw logs
• sqllogd
  1. Reads the raw logs
  2. Creates temporary SQL-ready logs (substitutes lookup table IDs, etc.)
  3. Deletes the temporary SQL logs after the ack from sqlplugin
• sqlplugin
  1. Inserts logs into the DB
  2. Verifies the DB records
  3. Sends an ack to sqllogd
Log Messages

• More information:
  http://docs.fortinet.com/document/fortimanager/6.2.3/log-message-reference/
LAB04 – Back & Restore Log Files
Lab04-0
Step 1: Check your logs

1. Web UI login
2. Select ADOM: Fortinet-HQ
3. Select 【Log View】
4. Select 【Log Browse】
Lab04-1
Step 1: Use the Web UI to back up a log file

1. Web UI login
2. Select ADOM: Fortinet-HQ
3. Select 【Log View】
4. Select 【Log Browse】
5. Select 1. elog.log
6. Uncheck Compress With gzip
7. Select 【Download】

Lab04-1
Step 2: Use the Web UI to import a log file

1. Web UI login
2. Select ADOM: Fortinet-HQ
3. Select 【Log View】
4. Select 【Log Browse】
5. Select 【Import】
6. Select the log file you just downloaded
7. Select 【OK】

Lab04-1
Step 3: Check the log status and view logs

1. Web UI login
2. Select ADOM: Fortinet-HQ
3. Select 【Log View】
4. Select 【Log Browse】
5. Select 【Import】
6. Refresh the page; the imported file appears. Check its Type, Log Files, From, To and other information
7. You can also use 【Display】 to view the details of a specific log file

Lab04-1
Optional step: Use the Web UI to import a log file

1. Web UI login
2. Select ADOM: Fortinet-HQ
3. Select 【Log View】
4. Select 【Log Browse】
5. Select 【Import】
6. If an “Internal Error” occurs, try un-gzipping the log file before 【Import】
Lab04-2 Use FTP to load the logs
Step 1: Check your FTP server status (PODXX_RDP_WIN7)

1. The FTP server is your WIN7. Check that the FTP server (the 3CDaemon program) is running; we have pre-configured the FTP account as follows:
   IP: 192.168.1.123
   FTP username: faz
   Password: faz123
   Directory: c:\temp\faz

Lab04-2 Use FTP to load the logs
Step 2: Check FAZ to FTP server communication

1. From System Settings -> Dashboard -> CLI Console, ping the FTP server:
   # exec ping 192.168.1.123

Lab04-2 Use FTP to load the logs
Step 3: FAZ log backup to the FTP server
• Back up all logs
    execute backup logs-only <device name(s)| all> <ftp/sftp/scp> <ip> <username> <password> <directory>
• Example:
    FAZ# execute backup logs-only FortiGate-VM ftp 192.168.1.123 faz faz123 / *

Lab04-2 Use FTP to load the logs
Step 4: FAZ log restore from the FTP server
• Restore all logs
    execute restore logs-only <device name(s)| all> <ftp/sftp/scp> <ip> <username> <password> <directory>
• Example:
    FAZ# execute restore logs-only FortiGate-VM ftp 192.168.1.123 faz faz123 / *

Lab04-2 Use FTP to load the logs
Step 5: Check the log status and view logs

1. Web UI login
2. Select 【Log View】
3. Select 【Log Browse】
4. Refresh the page; the restored file appears. Check its Type, Log Files, From, To and other information
Lab04-3 Schedule Backup Logs to FTP Server
Step 1: Device Log Settings

1. From System Settings -> Advanced -> Device Log Settings

Lab04-3 Schedule Backup Logs to FTP Server
Step 2: Automatically delete old log files

1. From System Settings -> Advanced -> File Management (Automatically Delete Log Files)
Generate logs with #diag log test (PODXX_RDP_WIN7)

SSH to your FGT: 10.10.2XX.99 or 192.168.1.99
On the FortiGate CLI run diag log test several times (10 times) to generate some logs

Log in to Log View

1. Web UI login
2. Select Log View

Log View

1. Traffic
2. Event
3. Security
4. Custom View
5. Log Browse
6. Log Group
7. Storage Statistics (moved to System Settings -> Storage Info)
Log View (screenshots)
• Traffic
• Traffic – Filter
• Traffic – Customize Time Slot View
• Traffic – Column Settings
• Traffic – Tools: 1. Real-Time Log, 2. Historical Log, 3. Display Raw, 4. Formatted Log
• Traffic – Custom View (Traffic in Last 5 mins View)
• Custom View - Traffic
• Security
• Event
• Storage Statistics (moved to System Settings -> Storage Info): click to see details (Analytic) / (Archive)
LAB05 – Log View
Step 1: Generate logs with #diag log test (PODXX_RDP_WIN7)

SSH to your FGT: 10.10.2XX.99 or 192.168.1.99
On the FortiGate CLI run diag log test several times (10 times) to generate some logs
• You will see the real-time logs appearing
LAB05

• Lab05-1:
  The customer wants to know the log period of FortiGate-VM (up to when logs are recorded)
  __________________________________________________
• Lab05-2:
  The customer wants to query which applications Source IP 1.1.1.1 used on FortiGate-VM
  __________________________________________________
• Lab05-3:
  The customer wants to query admin login activity on FortiGate-VM
• Lab05-4:
  The customer wants to know the logout activity of Username = user on FortiGate-VM
  __________________________________________________
• Lab05-5:
  The customer wants to query Security -> Intrusion Prevention on FortiGate-VM
  __________________________________________________
• Lab05-6:
  The customer wants to create a custom view showing Event -> System, Level=warning
SOC (FortiView)

1. Web UI login
2. Select 【 SOC 】
3. Select 【 FortiView 】

179
FortiView
Threats  Top Threats

180
FortiView
Threats  Threat Map

181
FortiView
Threats  Compromised Hosts (requires the FortiGuard Indicators of Compromise (IOC) license)

182
FortiView
Threats  Compromised Hosts (FortiGate policy setting)

183
FortiView
Threats  Compromised Hosts

184
FortiView
Traffic  Top Source

185
FortiView
Traffic  Top Destinations

186
FortiView
Traffic  Top Country

187
FortiView
Traffic  Hit Policy

188
FortiView
Applications & Websites  Top Applications

189
FortiView
Applications & Websites  Top Cloud Applications

190
FortiView
Applications & Websites  Top Website Domains

191
FortiView
System  Admin Logins

192
FortiView
System  System Event

193
FortiView
System  Resource Usage Drilldown

194
FortiView
System  Failed Authentication Attempts

195
Agenda - Lesson

What’s FAZ – Basic Lesson 101

What’s New in FAZ

Logs concepts & SQL for FAZ


Log View & FortiView & SOC
Model , Sizing & Debugging
Size & Debug FAZ

Reports, Datasets & Charts


Understanding Event Management & Reports, Datasets and charts
SOC (Monitor)

1. Web UI login
2. Select 【 SOC 】
3. Select 【 Monitors 】

197
SOC
Monitors  Threats

198
SOC
Monitors  Traffic

199
SOC
Monitors  Applications & Websites

200
SOC
Monitors  Compromised Hosts

201
SOC
Monitors  Local System Performance

202
SOC
Monitors  Archive  Global Threat Research

203
SOC
Monitors  Archive  Threat Detection Timeline

204
SOC
Monitors (Create Your Own Dashboards)

205
LAB06 – FortiView
LAB06

 Lab06-1 :
The customer wants to customize Monitors dashboards that suit their own needs.
__________________________________________________

 Lab06-2 :
The customer wants to know which threat is the most frequent in the current environment (Top Threats), and whether there is any P2P traffic.
__________________________________________________

 Lab06-3
The customer wants to know which IP (Top Sources) generates the most traffic, and which applications it is running.
207
LAB06

 Lab06-4 :
The customer wants to know which application (Top Applications) generates the most traffic, whether any application has Risk = High, and which IP is using it.
__________________________________________________

 Lab06-5 :
The customer wants to check whether anyone has been trying to guess the admin account's credentials (System  Failed Authentication Attempts).
__________________________________________________

 Lab06-6
The customer wants to know which website is visited the most.
208
209
Agenda - Lesson

What’s FAZ – Basic Lesson 101

What’s New in FAZ

Logs concepts & SQL for FAZ


Log View & FortiView & SOC

Model , Sizing & Debugging


Size & Debug FAZ
Reports, Datasets & Charts
Understanding Event Management & Reports, Datasets and charts
Challenges

1. Understanding Log rate


» Existing networks  How to check?
» New deployments  How to estimate?

2. How to calculate required storage?

3. Which deployment topology to consider?

217
Sizing FAZ

Planning FortiAnalyzer deployments has traditionally been more art than
science, so let us look at a more empirical approach to sizing FortiAnalyzer.
There are many important things to know, but there are 3 main sizing factors:

LR  Log rate (logs/sec): the maximum log rate, which also determines the GB/day of logs
RM  Retention months: the average retention period
SR  Storage requirements (GB): the storage capacity needed
218
Metrics

 Log/Sec (LPS): average number of log messages per second
received over a 24-hour period

 Sessions/Sec (CPS): new sessions (connections) per second
» Used to estimate LPS

 Average Number of Concurrent Users
» Used to estimate CPS
219
Space

On firmware version FAZ 5.4:

The observed ratio (FAZ on-disk size / FGT log size) is somewhere between 1:6 and 1:8,
depending on the distribution of log types (traffic logs, UTM logs, etc.).

Raw logs are first received and stored on disk in LZ4 format, then further
compressed/archived as .gz, so the archived size is much smaller.

When logs are inserted into the database, extra space is needed for the SQL
indexes, the caches that keep FortiView/Reports fast, the SQL transaction logs,
backup files, etc., so the average size per analytic log becomes much larger.

http://fastcompression.blogspot.com.ar/2011/05/lz4-explained.html

220
Space -- Experience

Required Storage Size (bytes) = Log Rate (logs/sec) * Log Size (bytes) * 86400 * Storage Period (days)

» Average analytic log size: 400 bytes
» Average archive log size: 50 bytes
» Online analytics period: typically 30 days or longer
» Archive period: as required by compliance/auditing or service agreements

Example: 20,000 logs/sec * 400 bytes * 86400 * 90 days ≈ 62 TB of analytic storage, plus
20,000 * 50 * 86400 * 365 ≈ 32 TB of archive storage.

For large existing deployments, there may be other tools available to measure the customer's unique usage and tune
these figures accordingly.
221
Sizing Wizard

222
Existing Networks

 Step 1: Determine Log Rate
» Viewable via the System Resources widget in the FOS dashboard
» On an existing FortiAnalyzer, # diagnose fortilogd msgrate shows the current receive rate

 Step 2: Collect Analytic and Archive Period requirements

 Step 3: Use the sizing table
223
Sizing Tool – Output

224
New Deployments

 Challenge: Log Rate Unknown
» Option 1: CPS is known
» Option 2: Estimate CPS based on avg. concurrent users

 Extra customer network information required
» UTM features in use
» CPS, or
» Number of users (if CPS unknown)
225
Sizing Tool – Logs Type Distribution
Estimated log/sec per log type, as a share of sessions/sec (the shares of the log types in use are summed, see Scenarios Summary):

Firewall only (traffic logs): Log/Sec = Sessions/sec (1:1)

UTM logs with IPS, App Control, AV, Botnet, DNS: Log/Sec = 2~3% x Sessions/sec

UTM logs with IPS, App Control, Web Filtering, AV, Botnet, DNS: Log/Sec = 10% x Sessions/sec
226
Scenarios Summary

 Existing Network
» 20,000 LPS
» 3 Months Analytics / 1 Year Archive Requirements

 New Network (CPS Known)
» Sessions/sec (CPS) x Sum (Logs Type, Estimated Logs Type Distribution %)  Logs/sec (LPS)

 New Network (CPS Unknown)
» Estimated users x Estimated sessions/sec/user  Sessions/sec (CPS)
» Sessions/sec (CPS) x Sum (Logs Type, Estimated Logs Type Distribution %)  Logs/sec (LPS)
227
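A worked calculation of the three scenarios above, as an added example that is not part of the training deck nor of Fortinet's sizing tool. It encodes the deck's rules (1:1 traffic logs, 2~3% or 10% UTM share, 400-byte analytic and 50-byte archive logs, Required Storage = Log Rate * Log Size * 86400 * Storage Period) and assumes, beyond what the deck states, that the UTM share is added on top of the 1:1 traffic share, that 1 GB = 1e9 bytes, and that sessions/sec/user is a figure the engineer supplies for the CPS-unknown case:

```python
"""FortiAnalyzer sizing calculator (added example, not the deck's or Fortinet's tool).

Rules taken from the deck:
  LPS = CPS x Sum(log-type distribution %)
        firewall traffic logs 1:1; UTM adds 2~3% (IPS/AppCtrl/AV/Botnet/DNS)
        or 10% (the same set plus Web Filtering)
  Required Storage = Log Rate * Log Size * 86400 * Storage Period (days)
        analytic log ~400 bytes, archive log ~50 bytes
Assumptions of this example (not stated by the deck): the UTM share is additive
on top of the 1:1 traffic log, 1 GB = 1e9 bytes, and sessions/sec/user is an
input the engineer supplies.
"""
from dataclasses import dataclass

ANALYTIC_LOG_BYTES = 400
ARCHIVE_LOG_BYTES = 50
SECONDS_PER_DAY = 86400
GB = 1e9                                   # assumption: decimal gigabytes

UTM_BASE = {"ips", "appctrl", "av", "botnet", "dns"}   # 2~3% tier
UTM_WEBFILTER = "webfilter"                            # lifts the tier to 10%


def estimate_cps(concurrent_users: int, sessions_per_user_per_sec: float) -> float:
    """New deployment, CPS unknown: sessions/sec from the user count."""
    return concurrent_users * sessions_per_user_per_sec


def estimate_lps(cps: float, utm_features: set) -> float:
    """Logs/sec from sessions/sec using the deck's log-type distribution."""
    share = 1.0                                        # firewall only: 1:1
    if UTM_WEBFILTER in utm_features:
        share += 0.10                                  # 10% x sessions/sec
    elif utm_features & UTM_BASE:
        share += 0.025                                 # 2~3% x sessions/sec (midpoint)
    return cps * share


@dataclass(frozen=True)
class StoragePlan:
    lps: float
    analytic_days: int
    archive_days: int

    def gb_per_day(self, log_bytes: int) -> float:
        return self.lps * log_bytes * SECONDS_PER_DAY / GB

    def analytic_gb(self) -> float:
        # Required Storage = Log Rate * Log Size * 86400 * Storage Period
        return self.lps * ANALYTIC_LOG_BYTES * SECONDS_PER_DAY * self.analytic_days / GB

    def archive_gb(self) -> float:
        return self.lps * ARCHIVE_LOG_BYTES * SECONDS_PER_DAY * self.archive_days / GB

    def summary(self) -> dict:
        return {
            "lps": self.lps,
            "analytic_gb_per_day": round(self.gb_per_day(ANALYTIC_LOG_BYTES), 1),
            "archive_gb_per_day": round(self.gb_per_day(ARCHIVE_LOG_BYTES), 1),
            "analytic_gb": round(self.analytic_gb(), 1),
            "archive_gb": round(self.archive_gb(), 1),
            "total_gb": round(self.analytic_gb() + self.archive_gb(), 1),
        }


def size_existing(lps: float, analytic_days: int, archive_days: int) -> dict:
    """Scenario 1: log rate measured on the existing network."""
    return StoragePlan(lps, analytic_days, archive_days).summary()


def size_new_cps_known(cps: float, utm_features: set,
                       analytic_days: int, archive_days: int) -> dict:
    """Scenario 2: CPS known, LPS derived from the UTM feature set."""
    return StoragePlan(estimate_lps(cps, utm_features), analytic_days, archive_days).summary()


def size_new_users(users: int, sessions_per_user: float, utm_features: set,
                   analytic_days: int, archive_days: int) -> dict:
    """Scenario 3: only the concurrent user count is known."""
    cps = estimate_cps(users, sessions_per_user)
    return size_new_cps_known(cps, utm_features, analytic_days, archive_days)


if __name__ == "__main__":
    # Deck's existing-network scenario: 20,000 LPS, 3 months analytics, 1 year archive
    print(size_existing(20_000, 90, 365))
    # New network, full UTM including web filtering, 50,000 sessions/sec (assumed figure)
    print(size_new_cps_known(50_000, UTM_BASE | {UTM_WEBFILTER}, 30, 365))
    # New network, 5,000 users at an assumed 2 sessions/sec/user, no web filtering
    print(size_new_users(5_000, 2.0, {"ips", "appctrl"}, 30, 180))
```

The existing-network scenario comes out at about 691 GB/day of analytic data (62 TB for 90 days) plus 86 GB/day of archive (32 TB for a year); compare that total against the model's rated log rate and usable disk, not only its raw capacity, since the SQL indexes and caches described under Space are what the 400-byte figure already absorbs.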
Debugging
Basic commands

# get system status

# execute top
# get sys performance
# diagnose debug crashlog read

# diagnose debug enable


# diagnose debug console enable
# diagnose debug info
# diagnose debug timestamp enable

229
Hardware Commands

# diagnose hardware info


# diagnose system disk enable
# diagnose system raid status
# diagnose system disk attributes
# diagnose system disk errors
# diagnose system disk health
# diagnose system disk info

230
Log Daemon

# diagnose log device


# diagnose fortilogd msgrate
# diagnose fortilogd status
# diagnose fortilogd msgrate-total
# diagnose fortilogd msgrate-device
# diagnose debug crashlog read

231
SQL Commands

# get system sql


# diagnose sql status rebuild-db
# diagnose sql status sqlplugind
# diagnose sql show db-size
# diagnose sql status sqlreportd
# diagnose sql status run_sql_rpt
# diagnose sql process list
# diagnose sql show hcache-size
# diagnose sql gui-rpt-shm list-all
# diagnose test application sqllogd 2
# diagnose test application sqllogd 70
# diagnose debug application sqlplugind 8

232
Diagnose

Sniffer
# diagnose sniffer packet <interface> <filter> <verbose> <count> <timestamp_format>

233
Sniffer

234
Agenda - Lesson

What’s FAZ – Basic Lesson 101

What’s New in FAZ

Logs concepts & SQL for FAZ


Log View & FortiView & SOC

Model , Sizing & Debugging


Size & Debug FAZ

Reports, Datasets & Charts


Understanding Event Management & Reports, Datasets and charts
Event Management

1. Web UI login
2. 選擇 【 Incidents & Events 】

236
Event Management
Enable handlers in the Event Handler List (run # diagnose log test on the FortiGate to trigger events)

237
Event Management
All Events

238
Event Management
Raise Incident & Incidents Management

239
Event Management
FortiGate Event Handlers (automation with FortiGate)

240
Event Management
FortiGate Event Handlers (automation with FortiGate)

241
Event Management
FortiAnalyzer-build1631-postgres.schema

242
Agenda - Lesson

What’s FAZ – Basic Lesson 101

What’s New in FAZ

Logs concepts & SQL for FAZ


Log View & FortiView & SOC

Model , Sizing & Debugging


Size & Debug FAZ

Reports, Datasets & Charts


Understanding Event Management & Reports, Datasets and charts
Reports

1. Web UI login
2. Select 【 Reports 】

244
Reports
All Reports

1. Web UI login
2. Select 【 Reports 】
3. Select 【 All Reports 】

245
Reports
Datasets

1. Web UI login
2. Select 【 Reports 】
3. Select 【 Datasets 】

246
Reports
Datasets

1. Web UI login
2. Select 【 Reports 】
3. Select 【 Datasets 】
4. Select 【 Top-User-by-Session 】

247
Reports
Datasets

1. Web UI login
2. Select 【 Reports 】
3. Select 【 Datasets 】
4. Select 【 Top-User-by-Session 】,
right-click and select 【 View 】

248
Reports
FAZ Reports
Datasets

249
LAB07 – Customize a FAZ Report
LAB07

Dataset Examples

 Client asked for a table report with:
source IP
username (if available)
website/hostname accessed
website category
application name
application category
only considering TCP port 80 and port 443

251
LAB07
Step 1 – Create a new dataset named FAZ-Lab07
New Dataset Examples
 Name : FAZ-Lab07
 Log Type : Traffic
 Query :

Select * from $log

 Time Period:
This Quarter

252
LAB07
Step 2 – Test the query
Dataset Examples
 Name : FAZ-Lab07
 Log Type : Traffic
 Query :

Select * from $log

 Time Period:
This Quarter
 Press 【 Test 】

253
LAB07
Step 3 – Select
Query :
SELECT srcip as ip, user, hostname, catdesc, app, appcat
FROM $log
WHERE dstport IN ('80','443')
GROUP BY ip, user, hostname, catdesc, app, appcat

What is this user? Unquoted user is a reserved word in PostgreSQL (the database behind the
FortiAnalyzer SQL log store) and evaluates to the database session user, not to the user field
of the log, so every row shows the same value. Step 4 quotes the column name to get the log field.

Dataset Examples

254
LAB07
Step 4 – Select User
Query :
SELECT srcip as ip, nullifna(`user`) as username, hostname, catdesc, app, appcat
FROM $log
WHERE dstport IN ('80','443')
GROUP BY ip, username, hostname, catdesc, app, appcat

Dataset Examples

255
LAB07
Step 5 – How can we avoid empty fields?
Query :
SELECT srcip as ip, nullifna(`user`) as username, hostname, catdesc, app, appcat
FROM $log
WHERE dstport IN ('80','443')
GROUP BY ip, username, hostname, catdesc, app, appcat

How can we avoid empty fields? nullifna() turns "N/A" into NULL, so username (and likewise hostname
and catdesc) can come back empty; Step 6 wraps each of them in coalesce() with a fallback value.

Dataset Examples

256
LAB07
Step 6 – How can we avoid empty fields
Query :
SELECT srcip as ip,
  coalesce(nullifna(`user`),'-') as username,
  coalesce(nullifna(`hostname`),ipstr(`dstip`)) as dsthost,
  coalesce(nullifna(`catdesc`),'-') as category,
  app, appcat, count(*) as request
FROM $log
WHERE dstport IN ('80','443')
GROUP BY ip, username, dsthost, category, app, appcat
ORDER BY ip desc, dsthost

Dataset Examples

257
LAB07
Step 7 – Create a new chart
New Chart Library Examples
 Name : FAZ-Lab07
 Dataset : FAZ-Lab07

258
LAB07
Step 7 – Create a new chart
New Chart Library Examples
 Name : FAZ-Lab07
 Dataset : FAZ-Lab07

 Reset to Default
if you change the dataset

259
LAB07
Step 8 – Create a new Report
Create a New Report for “All Reports”
 Name : FAZ-Lab07

261
LAB07
Step 8 – Create a new Report
Create a New Report
 Name : FAZ-Lab07
 Create From : Blank

262
LAB07
Step 8 – Create a new Report
Create a New Report
 Name : FAZ-Lab07
 Create From : Blank

This is the “Setting” TAB

 Then switch to the “Layout” TAB

263
LAB07
Step 8 – Create a new Report
Create a New Report -- Layout

“Layout” TAB
 Insert Chart
 Chart : FAZ-Lab07
 Title : Top N Users
 Press 【 OK 】

264
LAB07
Step 8 – Create a new Report
Create a New Report -- Layout

“Layout” TAB
 Insert Chart
 Chart : FAZ-Lab07
 Title : Top N Users
 Press 【 OK 】

“Setting” TAB
 Time Period = This Quarter
Then select 【 View Report 】
266
LAB07
Step 8 – Create a new Report
Create a New Report -- View Report

“View Report” TAB

 Press 【 Run Report 】 to generate the report

267
LAB07
Step 8 – Create a new Report
Create a New Report -- View Report

“View Report” TAB

 Press 【 Run Report 】 to generate the report
 Select Format 【 PDF 】

268
LAB07
Step 8 – Create a new Report
Create a New Report -- View Report
 Report Layout

269
LAB07-2

Dataset Examples

 Client asked for a table report with:
source IP
username (if available)
website/hostname accessed
website category
application name
application category
only considering TCP port 80 and port 443

Now the client has asked us to create a report showing bandwidth
consumption per user. Starting point (raw rows, not yet aggregated):

SELECT
coalesce(nullifna(`user`),ipstr(`srcip`)) as username,
sentbyte, rcvdbyte
FROM $log
WHERE $filter
270
LAB07-2
Step 1 – Create a new Dataset “ FAZ-Lab07-Bandwidth ”
Query :
SELECT coalesce(nullifna(`user`),ipstr(`srcip`)) as username,
round(sum(coalesce(sentbyte,0))/1024,2) as KBsent,
round(sum(coalesce(rcvdbyte,0))/1024,2) as KBrcvd,
round(sum(coalesce(sentbyte,0))/1024+sum(coalesce(rcvdbyte,0))/1024,2) as KB_total
FROM $log
WHERE $filter
GROUP BY username
ORDER BY username asc

Notes on the query:
» coalesce(nullifna(`user`), ipstr(`srcip`)): if the user field is empty or N/A, fill it with the source IP address
» sum(...)/1024: express the byte counters in KB; coalesce(sentbyte,0) counts a missing counter as 0
» KB_total: add the sent and received bytes
» round(..., 2): round to this many decimals
Dataset Examples

271
LAB07-2
Step 2 – Create another new chart for Bandwidth
New Chart Library Examples
 Name : FAZ-Lab07-Bandwidth
 Dataset : FAZ-Lab07-Bandwidth

272
LAB07-2
Step 3 – Insert the chart into the existing Report

 Name : FAZ-Lab07
 Select Edit

273
LAB07-2
Step 4 – Modify a Report
Report -- Layout

“Layout” TAB
 Press 【 Insert Chart 】

 Chart : FAZ-Lab07-Bandwidth
 Title : Top N Bandwidth
 Press 【 OK 】

Then select 【 View Report 】

274
LAB07-2
Step 5 – Report Result

“View Report” TAB

 Press 【 Run Report 】 to generate the report
 Select Format 【 PDF 】

275
LAB07-3
Dataset Examples

 Client asked for a table report with:
source IP
username (if available)
website/hostname accessed
website category
application name
application category
only considering TCP port 80 and port 443

 Then the client asked us to create a report showing bandwidth consumption per user (LAB07-2).

 Now the client asks us to create a report showing bandwidth consumption per interface.
TIP:
• Copy the previous SQL
• Remove the user
• Select the interface
• Group by interface
• Keep in mind that more than one FGT can have the same interface name, so group by device as well
276
LAB07-3
Step 1 – Clone the Dataset “ FAZ-Lab07-Bandwidth ”
and name it “ FAZ-Lab07-Interface ”
Query :
SELECT devid, srcintf,
round(sum(coalesce(sentbyte,0))/1024,2) as KBsent,
round(sum(coalesce(rcvdbyte,0))/1024,2) as KBrcvd,
round(sum(coalesce(sentbyte,0))/1024+sum(coalesce(rcvdbyte,0))/1024,2) as KB_total
FROM $log
WHERE $filter
GROUP BY devid, srcintf
ORDER by devid, srcintf

Dataset Examples

277
LAB07-3
Step 2 – Solve the unknown interface issue
Query (filter out unknown interfaces) :
SELECT devid, srcintf,
round(sum(coalesce(sentbyte,0))/1024,2) as KBsent,
round(sum(coalesce(rcvdbyte,0))/1024,2) as KBrcvd,
round(sum(coalesce(sentbyte,0))/1024+sum(coalesce(rcvdbyte,0))/1024,2) as KB_total
FROM $log
WHERE $filter and srcintf not like 'unknown%' and srcintf not like 'root'
GROUP BY devid, srcintf
ORDER by devid, srcintf

Note: 'unknown%' matches interface names beginning with "unknown" (for example unknown-0, which
FortiGate reports when a session has no real ingress interface); a LIKE pattern without a wildcard,
such as 'root', is a plain equality test and simply excludes that literal interface name.

Dataset Examples

278
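The two bandwidth datasets above (LAB07-2 per user, LAB07-3 per device and interface) reproduced in Python over constructed raw FortiGate traffic logs, as an added example that is not from the deck and not FortiAnalyzer code: it parses the key=value format that Log View -> Display Raw shows, mimics nullifna(), coalesce() and ipstr() and the 'unknown%' / 'root' interface filter, so the empty-user and unknown-interface cases can be checked by hand. The field names (user, srcip, srcintf, devid, sentbyte, rcvdbyte) are the real FortiGate ones; the log lines, device IDs and addresses are constructed for the example.

```python
"""Python re-implementation of what the LAB07-2 / LAB07-3 datasets do in SQL
(added example, not FortiAnalyzer code). Input: raw FortiGate traffic logs in
the key=value form that Log View -> Display Raw shows."""
import re
from collections import defaultdict

# Constructed sample logs, abridged to the fields the two datasets use.
RAW_LOGS = [
    'date=2020-03-10 time=10:00:01 devname="FGT-A" devid="FG100A0000000001" type="traffic" subtype="forward" '
    'srcip=10.10.1.5 srcintf="port2" dstip=203.0.113.10 dstport=443 proto=6 action="accept" '
    'user="alice" app="HTTPS" sentbyte=2048 rcvdbyte=10240',
    'date=2020-03-10 time=10:00:02 devname="FGT-A" devid="FG100A0000000001" type="traffic" subtype="forward" '
    'srcip=10.10.1.6 srcintf="port2" dstip=203.0.113.11 dstport=80 proto=6 action="accept" '
    'user="N/A" app="HTTP" sentbyte=1024 rcvdbyte=4096',           # user unknown -> "N/A"
    'date=2020-03-10 time=10:00:03 devname="FGT-A" devid="FG100A0000000001" type="traffic" subtype="forward" '
    'srcip=10.10.1.5 srcintf="port2" dstip=203.0.113.12 dstport=443 proto=6 action="accept" '
    'user="alice" app="HTTPS" sentbyte=512 rcvdbyte=2048',
    'date=2020-03-10 time=10:00:04 devname="FGT-B" devid="FG100B0000000002" type="traffic" subtype="forward" '
    'srcip=10.20.1.7 srcintf="unknown-0" dstip=203.0.113.13 dstport=443 proto=6 action="accept" '
    'app="HTTPS" sentbyte=3072 rcvdbyte=7168',                      # no user field, no real ingress interface
    'date=2020-03-10 time=10:00:05 devname="FGT-B" devid="FG100B0000000002" type="traffic" subtype="forward" '
    'srcip=10.20.1.8 srcintf="port3" dstip=203.0.113.14 dstport=443 proto=6 action="accept" '
    'user="bob" app="HTTPS" sentbyte=4096 rcvdbyte=8192',
    'date=2020-03-10 time=10:00:06 devname="FGT-B" devid="FG100B0000000002" type="traffic" subtype="forward" '
    'srcip=10.20.1.8 srcintf="root" dstip=203.0.113.15 dstport=443 proto=6 action="accept" '
    'user="bob" app="HTTPS" sentbyte=512 rcvdbyte=1024',            # interface literally named root
]

# key=value pairs; values are either a double-quoted string or a bare token
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_raw_log(line: str) -> dict:
    """Split a raw key=value log line into a dict, dropping the quotes around values."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def nullifna(value):
    """Mimic FortiAnalyzer's nullifna(): a missing, empty or "N/A" value becomes NULL (None)."""
    return None if value in (None, "", "N/A") else value


def _kb(nbytes: int) -> float:
    """round(sum(...)/1024, 2) as in the datasets."""
    return round(nbytes / 1024, 2)


def _group_bytes(logs, key_of, keep=lambda log: True) -> dict:
    """GROUP BY key_of(log), summing sentbyte/rcvdbyte with coalesce(x, 0) semantics."""
    totals = defaultdict(lambda: [0, 0])
    for log in logs:
        if not keep(log):
            continue
        acc = totals[key_of(log)]
        acc[0] += int(log.get("sentbyte", 0))   # coalesce(sentbyte, 0)
        acc[1] += int(log.get("rcvdbyte", 0))   # coalesce(rcvdbyte, 0)
    return {
        key: {"KBsent": _kb(sent), "KBrcvd": _kb(rcvd),
              "KB_total": round(sent / 1024 + rcvd / 1024, 2)}
        for key, (sent, rcvd) in sorted(totals.items())
    }


def bandwidth_per_user(logs) -> dict:
    """LAB07-2: coalesce(nullifna(`user`), ipstr(`srcip`)) as username, grouped by username."""
    return _group_bytes(logs, lambda log: nullifna(log.get("user")) or log["srcip"])


def bandwidth_per_interface(logs) -> dict:
    """LAB07-3: grouped by (devid, srcintf); drop srcintf LIKE 'unknown%' and the literal 'root'."""
    def keep(log):
        intf = log.get("srcintf", "")
        return not intf.startswith("unknown") and intf != "root"
    return _group_bytes(logs, lambda log: (log["devid"], log["srcintf"]), keep)


if __name__ == "__main__":
    logs = [parse_raw_log(line) for line in RAW_LOGS]
    for row in bandwidth_per_user(logs).items():
        print("user", row)
    for row in bandwidth_per_interface(logs).items():
        print("intf", row)
```

Running it shows the two fallbacks the SQL relies on: the "N/A" user and the log with no user field at all both land under their source IP, and the unknown-0 and root rows vanish from the per-interface table while still counting towards bob's per-user total.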
LAB07-3
Step 3 – Create another new chart for Interface
New Chart Library Examples
 Name : FAZ-Lab07-Interface
 Dataset : FAZ-Lab07-Interface

279
LAB07-3
Step 4 – Insert the chart into the existing Report

 Name : FAZ-Lab07
 Select Edit

280
LAB07-3
Step 5 – Modify a Report
Report -- Layout

“Layout” TAB
 Press 【 Insert Chart 】

 Chart : FAZ-Lab07-Interface
 Title : Interfaces Utilization
 Press 【 OK 】

Then select 【 View Report 】

281
LAB07-3
Step 6 – Report Result

“View Report” TAB

 Press 【 Run Report 】 to generate the report
 Select Format 【 PDF 】

282
283
Feedback form
https://goo.gl/forms/WRxIJRadYPa2hMNN2
