Fortinet FortiLog-100 Manual de usuario

FortiLogAdministration Guide14FortiLog-100FortiLog-4008FortiLog-800FortiLog Administration GuideVersion 1.6 January 15, 200405-16000-0082-20050115

10 05-16000-0082-20050115 Fortinet Inc.About this guide IntroductionAbout this guideThis document describes how to set up and configure the FortiLog u

100 05-16000-0082-20050115 Fortinet Inc.CLI commands FortiLog CLI referenceCommands Descriptionset log client <client_string> deviceid <id_st

FortiLog CLI reference CLI commandsFortiLog Administration Guide 05-16000-0082-20050115 101set log setting syslog remote server <server_ip> po

102 05-16000-0082-20050115 Fortinet Inc.CLI commands FortiLog CLI referenceset log devtype <string> filters <string> Select the filter opt

FortiLog CLI reference CLI commandsFortiLog Administration Guide 05-16000-0082-20050115 103set NASUse set NAS to configure the FortiLog NAS server s

104 05-16000-0082-20050115 Fortinet Inc.CLI commands FortiLog CLI referenceset reportUse set report to configure the FortiLog report settings.set syst

FortiLog CLI reference CLI commandsFortiLog Administration Guide 05-16000-0082-20050115 105set systeminterface <intf_str>configdenyaccessping

106 05-16000-0082-20050115 Fortinet Inc.CLI commands FortiLog CLI referenceset systeminterface <intf_str>configdenyaccessping <return>http

FortiLog CLI reference CLI commandsFortiLog Administration Guide 05-16000-0082-20050115 107set systemopmodeactive <return>passive <return&g

108 05-16000-0082-20050115 Fortinet Inc.CLI commands FortiLog CLI referenceCommands Descriptionset system admin username <name_str> password <

FortiLog CLI reference CLI commandsFortiLog Administration Guide 05-16000-0082-20050115 109set system interface config stp_passthroughset system int

Introduction Related documentationFortiLog Administration Guide 05-16000-0082-20050115 11Related documentationAdditional information about Fortinet

110 05-16000-0082-20050115 Fortinet Inc.CLI commands FortiLog CLI referenceunset branchUse unset to remove configuration of alert email, log, and syst

FortiLog CLI reference CLI commandsFortiLog Administration Guide 05-16000-0082-20050115 111unset nas user <user name> Remove a user name.unset

112 05-16000-0082-20050115 Fortinet Inc.CLI commands FortiLog CLI reference

FortiLog Administration Guide Version 1.6FortiLog Administration Guide 05-16000-0082-20050115 113Appendix A: Log Report TypesYour FortiLog unit is ca

114 05-16000-0082-20050115 Fortinet Inc.Appendix A: Log Report TypesFTP ActivityFTP reports record total FTP access activities including traffic direc

Appendix A: Log Report Types FortiLog Administration Guide 05-16000-0082-20050115 115Terminal ActivityTerminal activity reports record total Terminal

116 05-16000-0082-20050115 Fortinet Inc.Appendix A: Log Report TypesIntrusion ActivityIntrusion activity reports record top network attacks and top at

Appendix A: Log Report Types FortiLog Administration Guide 05-16000-0082-20050115 117Mail Filter ActivityMail filter activity reports record total an

118 05-16000-0082-20050115 Fortinet Inc.Appendix A: Log Report TypesVPN ActivityVPN activity reports record total VPN activities by a specific time an

Appendix A: Log Report Types FortiLog Administration Guide 05-16000-0082-20050115 119Content Traffic By Hour Of Day And ServiceHourly content traffic

12 05-16000-0082-20050115 Fortinet Inc.Related documentation IntroductionFortiManager documentation• FortiManager QuickStart GuideExplains how to inst

120 05-16000-0082-20050115 Fortinet Inc.Appendix A: Log Report Types

FortiLog Administration Guide 05-16000-0082-20050115 121FortiLog Administration Guide Version 1.6IndexAaccess to files 82account levels 48active and

122 05-16000-0082-20050115 Fortinet Inc.IndexLlanguage setting 46, 109LCD panel 21log policy 45logsdownload FortiLog debug log 39importing 77informati

IndexFortiLog Administration Guide 05-16000-0082-20050115 123web-based managerconnecting 19idle timeout 46introduction 19language 46, 109windows sh

124 05-16000-0082-20050115 Fortinet Inc.Index

Introduction Customer service and technical supportFortiLog Administration Guide 05-16000-0082-20050115 13Customer service and technical supportFor

14 05-16000-0082-20050115 Fortinet Inc.Customer service and technical support Introduction

FortiLog Administration Guide Version 1.6FortiLog Administration Guide 05-16000-0082-20050115 15Setting up the FortiLog unitThis chapter includes:• C

16 05-16000-0082-20050115 Fortinet Inc.Checking the package contents Setting up the FortiLog unitFigure 5: FortiLog front and back diagramsHardware sp

Setting up the FortiLog unit Planning the installationFortiLog Administration Guide 05-16000-0082-20050115 17Power requirements• FortiLog-100• AC in

18 05-16000-0082-20050115 Fortinet Inc.Connecting the FortiLog unit Setting up the FortiLog unitFigure 6: FortiLog connection optionConnecting the For

Setting up the FortiLog unit Configuring the FortiLog unitFortiLog Administration Guide 05-16000-0082-20050115 19Configuring the FortiLog unitUse th

© Copyright 2005 Fortinet Inc. All rights reserved.No part of this publication including text, examples, diagrams or illustrations may be reproduced,t

20 05-16000-0082-20050115 Fortinet Inc.Configuring the FortiLog unit Setting up the FortiLog unit6 Type admin in the Name field and select Login. Afte

Setting up the FortiLog unit Configuring the FortiLog unitFortiLog Administration Guide 05-16000-0082-20050115 213 Set the primary DNS server IP add

22 05-16000-0082-20050115 Fortinet Inc.Configuring the FortiLog unit Setting up the FortiLog unit

FortiLog Administration Guide Version 1.6FortiLog Administration Guide 05-16000-0082-20050115 23Connecting to the FortiLog UnitIn order for FortiLog

24 05-16000-0082-20050115 Fortinet Inc.Sending device logs to the FortiLog unit Connecting to the FortiLog UnitFigure 7: FortiGate 2.8 log settings5 E

Connecting to the FortiLog Unit Sending device logs to the FortiLog unitFortiLog Administration Guide 05-16000-0082-20050115 25Figure 8: FortiGate 2

26 05-16000-0082-20050115 Fortinet Inc.Configuring the FortiLog unit Connecting to the FortiLog UnitConfiguring the FortiLog unitWhen you configure a

Connecting to the FortiLog Unit Configuring the FortiLog unitFortiLog Administration Guide 05-16000-0082-20050115 273 Enter a device name.For a Fort

28 05-16000-0082-20050115 Fortinet Inc.Configuring the FortiLog unit Connecting to the FortiLog UnitYou can classify the device interfaces as one of N

FortiLog Administration Guide Version 1.6FortiLog Administration Guide 05-16000-0082-20050115 29Managing the FortiLog unitUsing the FortiLog system s

ContentsFortiLog Administration Guide 05-16000-0082-20050115 3Table of ContentsIntroduction...

30 05-16000-0082-20050115 Fortinet Inc.Status Managing the FortiLog unitFigure 11: System status (Active mode)Automatic Refresh IntervalSelect to cont

Managing the FortiLog unit StatusFortiLog Administration Guide 05-16000-0082-20050115 31Changing the FortiLog host nameThe FortiLog host name appear

32 05-16000-0082-20050115 Fortinet Inc.Status Managing the FortiLog unitViewing system resources informationOn the Status page, you can view the CPU,

Managing the FortiLog unit StatusFortiLog Administration Guide 05-16000-0082-20050115 33To change the firmware using the CLIUse the following proced

34 05-16000-0082-20050115 Fortinet Inc.Status Managing the FortiLog unitTo perform this procedure you need to install a TFTP server that you can conne

Managing the FortiLog unit StatusFortiLog Administration Guide 05-16000-0082-20050115 35The following message appears:Enter File Name [image.out]:11

36 05-16000-0082-20050115 Fortinet Inc.Status Managing the FortiLog unit7 Immediately press any key to interrupt the system startup.If you successfull

Managing the FortiLog unit StatusFortiLog Administration Guide 05-16000-0082-20050115 37To install a backup firmware image1 For all three FortiLog m

38 05-16000-0082-20050115 Fortinet Inc.Status Managing the FortiLog unitThe FortiLog unit saves the backup firmware image and restarts. When the Forti

Managing the FortiLog unit StatusFortiLog Administration Guide 05-16000-0082-20050115 39To switch back to the default firmware image1 For all three

Contents4 05-16000-0082-20050115 Fortinet Inc.Managing the FortiLog unit...

40 05-16000-0082-20050115 Fortinet Inc.Status Managing the FortiLog unitTo download a FortiLog debug log1 Go to System > Status > Status.2 For S

Managing the FortiLog unit StatusFortiLog Administration Guide 05-16000-0082-20050115 41To upload the firmware image to the FortiLog unit1 Make sure

42 05-16000-0082-20050115 Fortinet Inc.Config Managing the FortiLog unitConfigUse system config to configure the FortiLog network settings, RAID setti

Managing the FortiLog unit ConfigFortiLog Administration Guide 05-16000-0082-20050115 43RAIDTo configure the FortiLog RAID level and check the RAID

44 05-16000-0082-20050115 Fortinet Inc.Config Managing the FortiLog unitLog settingsTo configure the FortiLog unit to log locally or to send FortiLog

Managing the FortiLog unit ConfigFortiLog Administration Guide 05-16000-0082-20050115 45Log policySelect Config Policy to configure the FortiLog uni

46 05-16000-0082-20050115 Fortinet Inc.Config Managing the FortiLog unitTimeTo change the FortiLog unit time, go to System > Config > Time. For

Managing the FortiLog unit ConfigFortiLog Administration Guide 05-16000-0082-20050115 47Figure 19: AdminConfigure Administrator accessConfigure admi

48 05-16000-0082-20050115 Fortinet Inc.Config Managing the FortiLog unitTo configure administrative access to the FortiLog unit1 Go to System > Con

Managing the FortiLog unit Devices (Active mode)FortiLog Administration Guide 05-16000-0082-20050115 49To add an administrator account1 Go to System

ContentsFortiLog Administration Guide 05-16000-0082-20050115 5Reports ...

50 05-16000-0082-20050115 Fortinet Inc.Devices (Active mode) Managing the FortiLog unitDevice listTo add and manage devices connecting to the FortiLog

Managing the FortiLog unit Alert EmailFortiLog Administration Guide 05-16000-0082-20050115 51To edit a device1 Go to System > Devices.2 For the d

52 05-16000-0082-20050115 Fortinet Inc.Alert Email Managing the FortiLog unitLocalTo set the email alert notification for the FortiLog unit, go to Sys

Managing the FortiLog unit Alert EmailFortiLog Administration Guide 05-16000-0082-20050115 53Figure 25: Device alert settingsAlert Name Enter a name

54 05-16000-0082-20050115 Fortinet Inc.Alerts Managing the FortiLog unitTo add a device alert1 Go to System > Alert Email > Device.2 Select Crea

Managing the FortiLog unit Network SharingFortiLog Administration Guide 05-16000-0082-20050115 55Figure 26: Device alert messagesNetwork SharingUse

56 05-16000-0082-20050115 Fortinet Inc.Defining IP aliases Managing the FortiLog unitFigure 27: IP aliasesTo set host alias names1 Go to Reports >

FortiLog Administration Guide Version 1.6FortiLog Administration Guide 05-16000-0082-20050115 57ReportsThe FortiLog unit collates information collect

58 05-16000-0082-20050115 Fortinet Inc.Creating and generating a report Reports3 Set the following:• “Configuring report parameters” on page 58• “Conf

Reports Creating and generating a reportFortiLog Administration Guide 05-16000-0082-20050115 595 Select Apply.Configuring a report querySelect the s

Contents6 05-16000-0082-20050115 Fortinet Inc.Adding and modifying group accounts...

60 05-16000-0082-20050115 Fortinet Inc.Creating and generating a report Reports4 Select the plus sign next to a category to expand and view the sub ca

Reports Creating and generating a reportFortiLog Administration Guide 05-16000-0082-20050115 616 Select the group or individual devices to use in th

62 05-16000-0082-20050115 Fortinet Inc.Creating and generating a report Reports4 Select the type of matching for the filter criteria:• Select Any to f

Reports Creating and generating a reportFortiLog Administration Guide 05-16000-0082-20050115 633 Select Schedule.4 Select a day from the following:5

64 05-16000-0082-20050115 Fortinet Inc.Creating and generating a report ReportsTo select the report destination and format1 Go to Reports > Config.

Reports Viewing reportsFortiLog Administration Guide 05-16000-0082-20050115 65Viewing reportsUse the FortiLog web-based manager to view a list of th

66 05-16000-0082-20050115 Fortinet Inc.Viewing reports ReportsRoll up reportThe roll up report contains all reports that you selected for the FortiLog

Reports Vulnerability reportsFortiLog Administration Guide 05-16000-0082-20050115 67Figure 36: VPN activity report in PDFVulnerability reportsVulner

68 05-16000-0082-20050115 Fortinet Inc.Vulnerability reports Reports3 Set the following:• “Selecting report result parameters” on page 68• “Selecting

Reports Vulnerability reportsFortiLog Administration Guide 05-16000-0082-20050115 69Figure 38: Vulnerability plugin optionsTo select the plug-ins1 G

FortiLog Administration Guide Version 1.6FortiLog Administration Guide 05-16000-0082-20050115 7IntroductionFortiLog units are network appliances that

70 05-16000-0082-20050115 Fortinet Inc.Vulnerability reports ReportsFigure 39: Selecting scan targetsTo select the scan targets1 Go to Reports > Co

Reports Vulnerability reportsFortiLog Administration Guide 05-16000-0082-20050115 714 Select Apply.Choosing the report destination and formatSelect

72 05-16000-0082-20050115 Fortinet Inc.Vulnerability reports ReportsViewing the vulnerability reportThe FortiLog unit saves the vulnerability report e

FortiLog Administration Guide Version 1.6FortiLog Administration Guide 05-16000-0082-20050115 73Using LogsThe FortiLog unit collects log files from v

74 05-16000-0082-20050115 Fortinet Inc.The Log view interface Using LogsThe Log view interfaceThe log viewer interface provides a means of viewing dev

Using Logs Viewing logsFortiLog Administration Guide 05-16000-0082-20050115 75Figure 43: Viewing a device logTo view the device log files1 Go to Fil

76 05-16000-0082-20050115 Fortinet Inc.Viewing logs Using LogsFigure 44: Basic log filter5 Do the following to search the log using the Basic log filt

Using Logs Importing log filesFortiLog Administration Guide 05-16000-0082-20050115 776 Select each row in the Filter column.7 Each row of informatio

78 05-16000-0082-20050115 Fortinet Inc.Log Search Using LogsLog SearchUse the Log Search, to perform a simple search of all log files on the FortiLog

Using Logs Event correlation (Active mode)FortiLog Administration Guide 05-16000-0082-20050115 795 Select Apply.Event correlation (Active mode)Event

8 05-16000-0082-20050115 Fortinet Inc.Operational Modes IntroductionOperational ModesThe FortiLog device can operate in two modes: Active mode or Pass

80 05-16000-0082-20050115 Fortinet Inc.Event correlation (Active mode) Using LogsShow me Select Show me to view the selection from the sort list.# The

FortiLog Administration Guide Version 1.6FortiLog Administration Guide 05-16000-0082-20050115 81Using the FortiLog unit as a NASUsers can save, store

82 05-16000-0082-20050115 Fortinet Inc.Providing access to the FortiLog hard disk Using the FortiLog unit as a NASProviding access to the FortiLog har

Using the FortiLog unit as a NAS Providing access to the FortiLog hard diskFortiLog Administration Guide 05-16000-0082-20050115 83Adding and modifyi

84 05-16000-0082-20050115 Fortinet Inc.Providing access to the FortiLog hard disk Using the FortiLog unit as a NASFigure 49: Windows sharing configura

Using the FortiLog unit as a NAS Providing access to the FortiLog hard diskFortiLog Administration Guide 05-16000-0082-20050115 85Figure 50: NFS sha

86 05-16000-0082-20050115 Fortinet Inc.Setting folder and file properties Using the FortiLog unit as a NASSetting folder and file propertiesThe FortiL

FortiLog Administration Guide Version 1.6FortiLog Administration Guide 05-16000-0082-20050115 87FortiLog CLI referenceThis chapter explains how to co

88 05-16000-0082-20050115 Fortinet Inc.Connecting to the CLI FortiLog CLI referenceConnecting to the CLIThe FortiLog-800 model has serial port and you

FortiLog CLI reference Connecting to the CLIFortiLog Administration Guide 05-16000-0082-20050115 8910 Type the password for this administrator and p

Introduction Operational ModesFortiLog Administration Guide 05-16000-0082-20050115 9Figure 3: FortiLog Active mode network architecturePassive ModeP

90 05-16000-0082-20050115 Fortinet Inc.Connecting to the CLI FortiLog CLI reference4 To confirm that you have configured SSH or Telnet access correctl

FortiLog CLI reference CLI commandsFortiLog Administration Guide 05-16000-0082-20050115 91CLI commandsThe FortiLog CLI commands include:• execute br

92 05-16000-0082-20050115 Fortinet Inc.CLI commands FortiLog CLI referenceget branchUse get to display settings, logs, or system information. Table 5:

FortiLog CLI reference CLI commandsFortiLog Administration Guide 05-16000-0082-20050115 93get report resolve Display the settings (what is turned on

94 05-16000-0082-20050115 Fortinet Inc.CLI commands FortiLog CLI referenceset branchUse set to configure settings, logs, or system information.set ale

FortiLog CLI reference CLI commandsFortiLog Administration Guide 05-16000-0082-20050115 95set alertemaildevice {enable | disable}addvirusalert {enab

96 05-16000-0082-20050115 Fortinet Inc.CLI commands FortiLog CLI referenceset alertmail device enable add levelnum {emergency | alert | critical | err

FortiLog CLI reference CLI commandsFortiLog Administration Guide 05-16000-0082-20050115 97set consoleUse set console to set console configuration.Ta

98 05-16000-0082-20050115 Fortinet Inc.CLI commands FortiLog CLI referenceset logUse set log to configure log settingsTable 8: set log command archite

FortiLog CLI reference CLI commandsFortiLog Administration Guide 05-16000-0082-20050115 99setlogdevtype <string>reportname <report name>