Administration Guide

Setting up FortiAnalyzer
- Connecting to the GUI
  - FortiAnalyzer Setup wizard
  - Activating VM licenses
- Security considerations
- GUI overview
- Target audience and access level
- Initial setup
- FortiManager features
- Next steps
- Restarting and shutting down
FortiAnalyzer Key Concepts
- Operation modes
- Administrative domains
- Logs
- Log storage
- FortiView dashboard
Device Manager
- ADOMs
- FortiClient EMS devices
- Unauthorized devices
- Using FortiManager to manage FortiAnalyzer devices
- Adding devices
- Managing devices
- Device groups
  - Adding device groups
  - Managing device groups
FortiView
- FortiView
- Monitor
- Enabling and disabling FortiView
Log View and Log Quota Management
- Types of logs collected for each device
- Log messages
- Log groups
- Log browse
- Log and file storage
Fabric View
- Fabric Connectors
- Subnets
- Identity Center
  - Identity Center dashboard
- Asset Center
  - Asset Center dashboard
- Configuring endpoint and end user data sources
Fortinet Security Fabric
- Adding a Security Fabric group
- Displaying Security Fabric topology
- Security Fabric traffic log to UTM log correlation
- Security Fabric ADOMs
- Enabling SAML authentication in a Security Fabric
Incident and Event Management
- Event handlers
- Events
- Incidents
FortiSoC
- Viewing FortiSoC dashboards
- Configuring playbook automation
- Threat Hunting
- Outbreak Alerts
Reports
- How ADOMs affect reports
- Predefined reports, templates, charts, and macros
- Logs used for reports
- How charts and macros extract data from logs
- How auto-cache works
- Generating reports
- Creating reports
- Managing reports
  - Organizing reports into folders
  - Importing and exporting reports
- Report template library
- Chart library
  - Creating charts
  - Managing charts
- Macro library
  - Creating macros
  - Managing macros
- Datasets
- Output profiles
  - Creating output profiles
  - Managing output profiles
- Report languages
  - Exporting and modifying a language
  - Importing a language
- Report calendar
  - Viewing all scheduled reports
  - Managing report schedules
FortiRecorder
- Configuring cameras in the Camera Manager
- Face Recognition
- Watching live and recorded video in the Monitor
- Enabling and disabling FortiRecorder
System Settings
- Dashboard
- Logging Topology
- Network
- RAID Management
- Administrative Domains (ADOMs)
- Certificates
- Log Forwarding
- Fetcher Management
- Event Log
  - Event log filtering
- Task Monitor
- SNMP
- Mail Server
- Syslog Server
  - Send local logs to syslog server
- Meta Fields
- Device logs
- File Management
- Advanced Settings
- FortiGuard
  - Subscribing FortiAnalyzer to FortiGuard
  - Licensing in an air-gap environment
- Restart, shut down, or reset FortiAnalyzer
Administrators
- Trusted hosts
- Monitoring administrators
- Disconnecting administrators
- Managing administrator accounts
- Administrator profiles
- Authentication
- Global administration settings
- Two-factor authentication
  - Two-factor authentication with FortiAuthenticator
    - Configuring FortiAuthenticator
    - Configuring FortiAnalyzer
  - Two-factor authentication with FortiToken Cloud
High Availability
- Configuring HA options
  - Log synchronization
  - Configuration synchronization
- Monitoring HA status
  - If the primary unit fails
- Load balancing
- Upgrading the FortiAnalyzer firmware for an operating cluster
Collectors and Analyzers
- Configuring the Collector
- Configuring the Analyzer
- Fetching logs from the Collector to the Analyzer
Management Extensions
- FortiSIEM MEA
- FortiSOAR MEA
- Enabling management extension applications
  - CLI for management extensions
- Accessing management extension logs
- Checking for new versions and upgrading
Appendix A - Supported RFC Notes
Appendix B - Log Integrity and Secure Log Transfer
- Maximum TLS/SSL version compatibility
Appendix C - FortiAnalyzer Ansible Collection documentation
Change Log

Home FortiAnalyzer 7.2.2 Administration Guide

7.2.2

Assigning subnet filters to event handlers

You can streamline SOC processes by defining a subnet whitelist/blacklist for event handlers. These addresses can be linked to any event handler through a data selector, enabling or preventing the selected subnets from triggering an event. Creating a subnet whitelist/blacklist in data selectors eliminates the need to specify common networks in every event handler.

To include or exclude subnets in an event handler:

Go to FortiSoC > Handlers > Data Selector List.
Click Create New.
The Add New Data Selector pane displays.
You can also Clone or Edit an existing data selector to include or exclude subnets.
In the Subnets field, select Specify.
The Include Subnets and Exclude Subnets fields display.
Select the subnets to include or exclude in event handlers as part of the data selector.
Configure the other options for the data selector, and click OK. For more information, see Creating data selectors.
Go to FortiSoC > Handlers > Event Handler List.
Select an event handler to add the data selector to, and click Edit.
The Edit Basic Event Handler pane displays.
You can also create a custom event handler to add the data selector to.
From the Data Selector dropdown, select the data selector configured to include or exclude the selected subnets.
Configure the other options for the event handler, and click OK. For more information, see Creating a custom event handler.
Add the data selector to other event handlers, as needed.

If a conflict arises between the exclude and include lists, the exclude list will take priority.

Subnet filters work when either SRCIP or DSTIP hit the subnet, meaning SRCIPs and DSTIPs share the same subnet filters.