Adding FortiAnalyzer to the Security Fabric

5.4.0

In this recipe, you will add a FortiAnalyzer to a network that is already configured as a Cooperative Security Fabric (CSF). This will simplify network logging by storing and displaying all log information in one place.

In this example, a FortiGate called External is the upstream FortiGate. There are also two internal segmentation firewalls (ISFWs), called Accounting and Marketing. OSPF routing is used between the FortiGates in the CSF.

To add FortiAnalyzer to the Security Fabric:
  1. Connect the External FortiGate and the FortiAnalyzer.
  2. Configure OSPF routing to the FortiAnalyzer.
  3. Allow internal FortiGates to access the FortiAnalyzer.
  4. Send log information to the FortiAnalyzer.
  5. Review results.

Connecting the External FortiGate and the FortiAnalyzer

In this example, the External FortiGate's port 16 will connect to port 2 on the FortiAnalyzer.

To connect the External FortiGate and FortiAnalyzer:
  1. On the External FortiGate, go to Network > Interfaces and edit port 16.
  2. Set an IP/Network Mask for the interface (in the example, 192.168.55.2).

  3. Configure Administrative Access to allow FortiTelemetry, required for communication between devices in the CSF.
    Configure other services as required.
  4. On the FortiAnalyzer, go to System Settings > Network, select All Interfaces, and edit port2.
  5. Set IP/Netmask to an internal IP (in the example, 192.168.55.10/255.255.255.0).

  6. Connect the External FortiGate and the FortiAnalyzer.
    On the FortiAnalyzer, go to System Settings > Network.
    Port 2 is now shown as the management interface.
  7. Add a Default Gateway, using the IP address of the External FortiGate's port 16.

Configuring OSPF routing to the FortiAnalyzer

To configure OSPF routing to the FortiAnalyzer:
  1. On the External FortiGate, go to Network > OSPF.
  2. Click Create New to create a new network.
  3. Set IP/Netmask to 192.168.55.0/255.255.255.0 (the subnet that includes FortiAnalyzer's port 2) and Area to 0.0.0.0.

Allowing internal FortiGates to access the FortiAnalyzer

To allow internal FortiGates to access the FortiAnalyzer:
  1. On the External FortiGate, go to System > Feature Select.
  2. Under Additional Features, select Multiple Interface Policies.

  3. Go to Policy & Objects > IPv4 Policy and create a policy allowing the internal FortiGates (Accounting and Marketing) to access the FortiAnalyzer.
  4. Do not enable NAT.

Sending log information to the FortiAnalyzer

To send log information to the FortiAnalyzer:
  1. On the FortiAnalyzer, go to Device Manager and add a device.
  2. Enter all information about the External FortiGate, then select Next.
    The FortiAnalyzer will now add the device, and the External FortiGate will be listed on the FortiAnalyzer.

  3. On the External FortiGate, go to Log & Report Settings. Under Remote Logging and Archiving, enable Send Logs to FortiAnalyzer/FortiManager.

  4. Enter the IP Address of the FortiAnalyzer.
    In the example, logs are set to be uploaded in Realtime because there are no bandwidth limitations. Also, since log traffic stays within the CSF, encryption is not enabled.
  5. Select Test Connectivity to view information about the connection.

  6. Under GUI Preferences, select Display Logs From FortiAnalyzer.

  7. Repeat this process on both the Accounting and Marketing FortiGates.

Review Results

  • All three FortiGates are listed in the FortiAnalyzer's Device Manager.

  • Go to FortiView > System > System Events. Events from all FortiGates in the CSF are shown, allowing you to have a complete view of the network.

  • You can select a type of system event, such as System performance statistics, to view information about the individual events. Events are shown from all three FortiGates (the Device ID shown for each FortiGate is that unit's serial number).
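
The review step above can also be checked offline against exported event logs. The following Python sketch is an added example, not Fortinet code: it assumes the logs are available as key=value text lines, and the serial numbers and sample lines are constructed placeholders. It reports which fabric members have sent no events and which device IDs are not part of the fabric.

```python
import re
from collections import Counter

# Fabric members named in the recipe; serial numbers are constructed placeholders.
EXPECTED = {
    "FGT-EXAMPLE-0001": "External",
    "FGT-EXAMPLE-0002": "Accounting",
    "FGT-EXAMPLE-0003": "Marketing",
}

# Constructed sample lines in key=value log style (not real device output).
SAMPLE_LOGS = """\
date=2016-05-10 time=10:00:01 devname="External" devid="FGT-EXAMPLE-0001" type="event" subtype="system" logdesc="System performance statistics"
date=2016-05-10 time=10:00:03 devname=Accounting devid=FGT-EXAMPLE-0002 type=event subtype=system logdesc="System performance statistics"
date=2016-05-10 time=10:05:01 devname="External" devid="FGT-EXAMPLE-0001" type="event" subtype="system" logdesc="Admin login successful"
date=2016-05-10 time=10:05:09 devname="Unknown" devid="FGT-EXAMPLE-9999" type="event" subtype="system" logdesc="System performance statistics"
this line is truncated and carries no fields
"""

# A value is either "quoted, possibly with spaces" or a bare token.
FIELD_RE = re.compile(r'(\w[\w-]*)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def coverage(log_text, expected=EXPECTED):
    """Count event logs per device ID and compare against the expected fabric."""
    seen = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("type") == "event" and "devid" in fields:
            seen[fields["devid"]] += 1
    return {
        "counts": {devid: seen[devid] for devid in expected},
        "missing": sorted(name for devid, name in expected.items() if seen[devid] == 0),
        "unexpected": sorted(devid for devid in seen if devid not in expected),
    }


if __name__ == "__main__":
    report = coverage(SAMPLE_LOGS)
    print("events per device:", report["counts"])
    print("no events from:", report["missing"])
    print("device IDs outside the fabric:", report["unexpected"])
```

A FortiGate listed under "missing" has not completed the logging steps, or its traffic to the FortiAnalyzer is not permitted by the policy on the External FortiGate.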
