DOCUMENT LIBRARY

Administration Guide

Setting up FortiAnalyzer
- Connecting to the GUI
  - FortiAnalyzer Setup wizard
  - Activating VM licenses
- Security considerations
- GUI overview
- Target audience and access level
- Initial setup
- FortiManager features
- Next steps
- Restarting and shutting down
FortiAnalyzer Key Concepts
- Operation modes
- Administrative domains
- Logs
- Log storage
- FortiView dashboard
Dashboards
- Customizing the status dashboard
- System Information widget
- System Resources widget
- License Information widget
- Unit Operation widget
- Alert Messages Console widget
- Log Receive Monitor widget
- Insert Rate vs Receive Rate widget
- Log Insert Lag Time widget
- Receive Rate vs Forwarding Rate widget
- Disk I/O widget
- Device widgets
- Restart, shut down, or reset FortiAnalyzer
- IOT dashboard
- Email metrics dashboard
- SOC dashboard
Device Manager
- ADOMs
- FortiClient EMS devices
- Unauthorized devices
- Using FortiManager to manage FortiAnalyzer devices
- Adding devices
- Managing devices
- Device groups
  - Adding device groups
  - Managing device groups
FortiView
- FortiView
- Monitors
- Enabling and disabling FortiView
Log View and Log Quota Management
- Types of logs collected for each device
- Log messages
- Log groups
- Log browse
- Log and file storage
Fabric View
- Asset Identity Center
- Subnets
Fortinet Security Fabric
- Adding a Security Fabric group
- Displaying Security Fabric topology
- Security Fabric traffic log to UTM log correlation
- Security Fabric ADOMs
- Enabling SAML authentication in a Security Fabric
Incidents & Events
- Incidents
- Event Monitor
- Event handlers
- Indicators
  - Managing indicators
  - Indicator enrichment
- Automation
- Outbreak Alerts
- SIEM log parsers
- FortiAnalyzer Security Automation Service
  - Security Automation Service objects
FortiAI
- Enabling administrator access to FortiAI
- Using FortiAI
- FortiAI data privacy
- FortiAI tokens
- FortiAI example tasks
Reports
- How ADOMs affect reports
- Predefined reports, templates, charts, and macros
- Logs used for reports
- How charts and macros extract data from logs
- How auto-cache works
- Generating reports
- Creating reports
- Managing reports
  - Organizing reports into folders
  - Importing and exporting reports
- Report template library
- Chart library
  - Creating charts
  - Managing charts
- Macro library
  - Creating macros
  - Managing macros
- Datasets
- Output profiles
  - Creating output profiles
  - Managing output profiles
- Report languages
- Report calendar
  - Viewing all scheduled reports
  - Managing report schedules
System Settings
- Logging Topology
- Network
- RAID Management
- Administrative Domains (ADOMs)
- Fabric Management
  - Creating or editing storage connectors
- Certificates
- Log Forwarding
- Log Fetching
- Event Log
  - Event log filtering
- Task Monitor
- Mail Server
- Syslog Server
  - Send local logs to syslog server
- Meta Fields
- Device logs
- File Management
- Miscellaneous Settings
- FortiGuard
Administrators
- Trusted hosts
- Monitoring administrators
- Disconnecting administrators
- Managing administrator accounts
- Administrator profiles
- Authentication
- Global administration settings
- Multi-factor authentication
  - Multi-factor authentication with FortiAuthenticator
    - Configuring FortiAuthenticator
    - Configuring FortiAnalyzer
  - Multi-factor authentication with FortiToken Cloud
High Availability
- Configuring HA options
- Monitoring HA status
  - If the primary unit fails
- Load balancing
- Upgrading the FortiAnalyzer firmware for an operating cluster
Collectors and Analyzers
- Configuring the Collector
- Configuring the Analyzer
- Fetching logs from the Collector to the Analyzer
Management Extensions
- FortiSIEM MEA
- FortiSOAR MEA
- Enabling management extension applications
  - CLI for management extensions
- Accessing management extension logs
- Checking for new versions and upgrading
Appendix A - Supported RFC Notes
Appendix B - Log Integrity and Secure Log Transfer
- Maximum TLS/SSL version compatibility
Appendix C - FortiAnalyzer Ansible Collection documentation
Appendix D - FortiAI token entitlements for FortiAnalyzer
Change Log

Home FortiAnalyzer 7.6.1 Administration Guide

7.6.1

Security Fabric connectors

You can use the Active Connectors tab to create and edit the following types of security fabric connectors:

FortiClient EMS
FortiMail
FortiCASB
FortiAuthenticator
FortiWeb
FortiSandBox

Once configured, Security Fabric connectors enrich incident response related actions available in playbooks.

To create a Security Fabric connector:

Go to Incidents & Events > Automation > Active Connectors, and click Create New.

The Create New Fabric Connector pane displays.
Under Security Fabric, select one of the available connector types.

In the Configuration tab, configure the following options for:

FortiClient EMS

Property		Description
Type		Select FortiClient EMS or FortiClient EMS Cloud.
Name		Type a name for the Security Fabric connector.
Description		(Optional) Type a description for the Security Fabric connector.
FortiClient EMS	IP/FQDN	Type the IP address or FQDN for the Security Fabric device.
	Username	Type the username for the Security Fabric device.
	Password	Type the password for the Security Fabric device.
FortiClient EMS Cloud	Account ID	Super users can type the account ID of the FortiClient EMS Cloud instance. For non-super users, the field is automatically populated with the default account ID. The FortiAnalyzer device must be registered with FortiCloud to create and update the connector as a non-super user. The FortiClient EMS must be v7.0 or later. After the FortiClient EMS Cloud connector is created, the connector's health-check sends an authentication request with SNI (the account ID) to the EMS instance. The authentication request from the FortiAnalyzer device must be approved in EMS: Administration > Fabric Devices. For more information, see FortiClient on the Fortinet Document Library.

FortiMail

Property	Description
Name	Type a name for the Security Fabric connector.
Description	(Optional) Type a description for the Security Fabric connector.
IP/FQDN	Type the IP address or FQDN for the Security Fabric device.
Username	Type the username for the Security Fabric device.
Password	Type the password for the Security Fabric device.

FortiCASB

Property	Description
Name	Type a name for the Security Fabric connector.
Description	(Optional) Type a description for the Security Fabric connector.
IP/FQDN	Type the IP address or FQDN for the Security Fabric device. Use the FortiCASB FQDN for your chosen server location. The server location is selected when creating your FortiCASB account. Use `forticasb.com` for global servers or `eu.forticasb.com` for EU based servers.
Account ID	Enter the credentials token used for authentication. To create a FortiCASB credentials token, log in to FortiCASB with your account, go to Home > Manage Company > API Setting, and click Generate New. For more information, see FortiCASB on the Fortinet Docs Library.

FortiAuthenticator

Property	Description
Name	Type a name for the Security Fabric connector.
Description	(Optional) Type a description for the Security Fabric connector.
IP/FQDN	Type the IP address or FQDN for the Security Fabric device.
User Name	Type the username for the Security Fabric device.
API Key	Enter the API key for the FortiAuthenticator device.

FortiWeb

Property	Description
Name	Type a name for the Security Fabric connector.
Description	(Optional) Type a description for the Security Fabric connector.
IP/FQDN	Type the IP address or FQDN for the Security Fabric device.
User Name	Type the username for the Security Fabric device.
Password	Type the password for the Security Fabric device.
FortiWeb ADOM	Enter the FortiWeb ADOM that the device is in.

FortiSandBox

Property	Description
Name	Type a name for the Security Fabric connector.
Description	(Optional) Type a description for the Security Fabric connector.
IP/FQDN	Type the IP address or FQDN for the Security Fabric device.
User Name	Type the username for the Security Fabric device.
Password	Type the password for the Security Fabric device.
FortiSandBox Version	Enter the version of the FortiSandBox device.
FortiSandBox Instance Type	Select the FortiSandBox instance type: On Premise or Cloud.

Click the Actions tab to view the actions available with the Security Fabric connector, then click OK.

After the connector is saved, it is visible in Incidents & Events > Automation > Active Connectors with a toggle to enable or disable the connector.
Toggle the status of the connector to disabled or enabled according to your needs.

After the Security Fabric connector is created, playbooks configured in Fabric View can use the connector to execute automated actions. For a list of connector actions available in playbooks, see Configuring connectors for automation.

Default playbooks are automatically created when configuring some Security Fabric connectors. For more information on playbooks, see Playbooks.

To edit a Security Fabric connector:

Go to Incidents & Events > Automation > Active Connectors.
Select a Security Fabric connector, and click Edit.

The Edit Connectors pane displays.
Edit the settings, and click OK.

Security Fabric connectors

You can use the Active Connectors tab to create and edit the following types of security fabric connectors:

FortiClient EMS
FortiMail
FortiCASB
FortiAuthenticator
FortiWeb
FortiSandBox

Once configured, Security Fabric connectors enrich incident response related actions available in playbooks.

To create a Security Fabric connector:

Go to Incidents & Events > Automation > Active Connectors, and click Create New.

The Create New Fabric Connector pane displays.
Under Security Fabric, select one of the available connector types.

In the Configuration tab, configure the following options for:

FortiClient EMS

Property		Description
Type		Select FortiClient EMS or FortiClient EMS Cloud.
Name		Type a name for the Security Fabric connector.
Description		(Optional) Type a description for the Security Fabric connector.
FortiClient EMS	IP/FQDN	Type the IP address or FQDN for the Security Fabric device.
	Username	Type the username for the Security Fabric device.
	Password	Type the password for the Security Fabric device.
FortiClient EMS Cloud	Account ID	Super users can type the account ID of the FortiClient EMS Cloud instance. For non-super users, the field is automatically populated with the default account ID. The FortiAnalyzer device must be registered with FortiCloud to create and update the connector as a non-super user. The FortiClient EMS must be v7.0 or later. After the FortiClient EMS Cloud connector is created, the connector's health-check sends an authentication request with SNI (the account ID) to the EMS instance. The authentication request from the FortiAnalyzer device must be approved in EMS: Administration > Fabric Devices. For more information, see FortiClient on the Fortinet Document Library.

FortiMail

Property	Description
Name	Type a name for the Security Fabric connector.
Description	(Optional) Type a description for the Security Fabric connector.
IP/FQDN	Type the IP address or FQDN for the Security Fabric device.
Username	Type the username for the Security Fabric device.
Password	Type the password for the Security Fabric device.

FortiCASB

Property	Description
Name	Type a name for the Security Fabric connector.
Description	(Optional) Type a description for the Security Fabric connector.
IP/FQDN	Type the IP address or FQDN for the Security Fabric device. Use the FortiCASB FQDN for your chosen server location. The server location is selected when creating your FortiCASB account. Use `forticasb.com` for global servers or `eu.forticasb.com` for EU based servers.
Account ID	Enter the credentials token used for authentication. To create a FortiCASB credentials token, log in to FortiCASB with your account, go to Home > Manage Company > API Setting, and click Generate New. For more information, see FortiCASB on the Fortinet Docs Library.

FortiAuthenticator

Property	Description
Name	Type a name for the Security Fabric connector.
Description	(Optional) Type a description for the Security Fabric connector.
IP/FQDN	Type the IP address or FQDN for the Security Fabric device.
User Name	Type the username for the Security Fabric device.
API Key	Enter the API key for the FortiAuthenticator device.

FortiWeb

Property	Description
Name	Type a name for the Security Fabric connector.
Description	(Optional) Type a description for the Security Fabric connector.
IP/FQDN	Type the IP address or FQDN for the Security Fabric device.
User Name	Type the username for the Security Fabric device.
Password	Type the password for the Security Fabric device.
FortiWeb ADOM	Enter the FortiWeb ADOM that the device is in.

FortiSandBox

Property	Description
Name	Type a name for the Security Fabric connector.
Description	(Optional) Type a description for the Security Fabric connector.
IP/FQDN	Type the IP address or FQDN for the Security Fabric device.
User Name	Type the username for the Security Fabric device.
Password	Type the password for the Security Fabric device.
FortiSandBox Version	Enter the version of the FortiSandBox device.
FortiSandBox Instance Type	Select the FortiSandBox instance type: On Premise or Cloud.

Click the Actions tab to view the actions available with the Security Fabric connector, then click OK.

After the connector is saved, it is visible in Incidents & Events > Automation > Active Connectors with a toggle to enable or disable the connector.
Toggle the status of the connector to disabled or enabled according to your needs.

Default playbooks are automatically created when configuring some Security Fabric connectors. For more information on playbooks, see Playbooks.

To edit a Security Fabric connector:

Go to Incidents & Events > Automation > Active Connectors.
Select a Security Fabric connector, and click Edit.

The Edit Connectors pane displays.
Edit the settings, and click OK.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

Security Fabric connectors

Security Fabric connectors

To create a Security Fabric connector:

To edit a Security Fabric connector:

Security Fabric connectors

Security Fabric connectors

To create a Security Fabric connector:

To edit a Security Fabric connector: