
Handbook

FortiAnalyzer

6.0.0

FortiAnalyzer

To set up data collection for the Security Fabric, you enable device detection on ISFW FortiGate devices and then connect the FortiAnalyzer to the Security Fabric.

You enable device detection on the interfaces of the ISFW FortiGate devices where you want the devices attached to those interfaces added to the Security Fabric. Only devices detected on those interfaces are shown in the Security Fabric topology views.

Connecting the FortiAnalyzer to the Security Fabric allows the Security Fabric to show historical data for the Security Fabric topology and logs for the entire Security Fabric.

Enable device detection on ISFW FortiGate devices

  1. In the ISFW FortiGate GUI, select Network > Interfaces.
  2. Select the interface that you want to enable device detection on.
  3. Select Edit and in the Networked Devices section, enable Device Detection.
  4. Select OK.
  5. Repeat this procedure for every interface that you want to enable device detection on.

Desynchronizing the FortiAnalyzer, FortiSandbox, and FortiManager

If you want to add devices manually, you can edit the Source IP for downstream FortiGate devices in the Central Management settings. The Central Management settings are located in Security Fabric > Settings. However, if you change the Source IP, you must change the log settings to local.

If you don't want to automatically synchronize the configurations for FortiAnalyzer, FortiSandbox, and FortiManager, you can change the default system settings of the Security Fabric to use local settings.

To use local system settings - CLI:

    config system csf
        set configuration-sync local
    end

Where you set the following variables:

Option | Description
default | Synchronizes the configuration for FortiAnalyzer, FortiSandbox, and Central Management to the root FortiGate.
local | Doesn't synchronize the configuration with the root FortiGate, and you must configure settings individually.

Connect the FortiAnalyzer to the Security Fabric

Caution: Ensure that all FortiGate devices in the Security Fabric are registered with the same FortiAnalyzer.

  1. In the FortiAnalyzer GUI, select System Settings > Network.
  2. Select All Interfaces.
  3. Select the port that connects to the root FortiGate.
  4. Select Edit.
  5. In the IP Address/Netmask field, enter the IP address used for the Security Fabric configuration on the root FortiGate.
  6. In the Default Gateway field, enter the IP address of the interface on the root FortiGate that the FortiAnalyzer connects to.
  7. Select OK.
  8. Select System Settings > Device Manager. The FortiGate devices are listed as Unregistered.
  9. Select the root FortiGate and the ISFW FortiGate devices in the Security Fabric.
  10. Select + Add Device. The FortiGate devices are now listed as Registered. A warning icon will appear beside the root FortiGate, because the FortiAnalyzer requires administrative access to the root FortiGate in the Security Fabric.
  11. In the Authentication window, complete the Admin User and Password fields to authenticate the Security Fabric. After the FortiAnalyzer authenticates the Security Fabric, the FortiAnalyzer shows the full Security Fabric topology.

You can verify that the FortiAnalyzer configuration is successful by selecting Security Fabric > Settings on the root and ISFW FortiGate devices. The Storage usage field in the FortiAnalyzer Logging section should now show storage usage information.
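An offline check that complements the GUI verification above, as an added example that is not part of the original handbook: it reads FortiGate configuration backups and reports any device whose FortiAnalyzer server differs from the root's, together with its configuration-sync mode, since devices set to local must be configured individually. It assumes the standard FortiOS `config log fortianalyzer setting` block with `set server`, which this page does not show; the function names, hostnames and addresses are constructed for the example.

```python
import re

# Constructed FortiOS backup excerpts; hostnames and addresses are made up.
SAMPLE_CONFIGS = {
    "root-fgt": '''
config system csf
    set status enable
end
config log fortianalyzer setting
    set server "192.0.2.10"
end
''',
    "isfw-1": '''
config system csf
    set status enable
    set configuration-sync local
end
config log fortianalyzer setting
    set server "192.0.2.10"
end
''',
    "isfw-2": '''
config system csf
    set status enable
    set configuration-sync local
end
config log fortianalyzer setting
    set server "192.0.2.99"
end
''',
}

def get_setting(text, section, key, default=None):
    """Value of 'set <key> ...' inside one top-level 'config <section>' block."""
    block = re.search(rf"^config {re.escape(section)}\n(.*?)^end$", text, re.S | re.M)
    hit = block and re.search(rf"^\s*set {re.escape(key)} (.+)$", block.group(1), re.M)
    return hit.group(1).strip('"') if hit else default

def audit(configs, root):
    """Return (root's FortiAnalyzer server, [(device, sync mode, server)] that differ)."""
    fa = "log fortianalyzer setting"
    expected = get_setting(configs[root], fa, "server")
    drift = []
    for name, text in configs.items():
        sync = get_setting(text, "system csf", "configuration-sync", "default")
        server = get_setting(text, fa, "server")
        if server != expected:
            drift.append((name, sync, server))
    return expected, drift
```

Calling `audit(SAMPLE_CONFIGS, "root-fgt")` on the constructed sample flags only `isfw-2`, the device with local synchronization that points at a different FortiAnalyzer.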

Note: It is recommended that you create a user account for the FortiAnalyzer.
