1. FortiAnalyzer Getting Started v6.4. Introduction

Hello, friends! Welcome to our new FortiAnalyzer Getting Started course. In the Fortinet Getting Started course we already looked at FortiAnalyzer's functionality, but only superficially. Now I want to tell you more about this product: its goals, tasks and capabilities. This course will not be as voluminous as the last one, but I hope it will be interesting and informative.


Since this lesson turned out to be entirely theoretical, for your convenience we have also presented it as an article.

During this course, we will cover the following points:

  • General information about the product, its purpose, tasks and key features
  • Preparing the lab setup; during this preparation we will look in detail at the initial configuration of FortiAnalyzer
  • Getting acquainted with the mechanism for storing, processing and filtering logs so that they are easy to search, and with the FortiView mechanism, which presents visual information about the state of the network as graphs, charts and other widgets
  • The process of generating the built-in reports, as well as how to create your own reports and edit existing ones
  • The main issues related to the administration of FortiAnalyzer
  • The licensing scheme once more. I already talked about it in lesson 11 of the Fortinet Getting Started course, but, as they say, repetition is the mother of learning.

The main purpose of FortiAnalyzer is the centralized storage of logs from one or more Fortinet devices, together with their processing and analysis. This lets security administrators keep track of network and security events from one place, quickly pull the necessary information from logs and widgets, and build reports on all devices or only on those of interest.
The list of devices from which FortiAnalyzer can receive and analyze logs is shown in the figure below.

[Figure: devices from which FortiAnalyzer can receive logs]

FortiAnalyzer has three key features: reporting, alerts and archiving. Let's consider each of them.

Reporting - reports provide a visual representation of network events, security events and the various activities occurring on supported devices. The reporting mechanism collects the necessary data from the available logs and presents it in a form that is easy to read and analyze. With the help of reports you can quickly obtain information about device performance, network security, the most visited resources, and so on; there are many options. Reports can also be used to analyze the state of the network and supported devices over a long period of time, and they are often indispensable when investigating security incidents.

Alerts allow you to respond quickly to threats occurring on the network. The system generates an alert when logs appear that match pre-configured conditions: virus detection, exploitation attempts against various vulnerabilities, and so on. These alerts can be viewed in the FortiAnalyzer web interface and can also be sent via SNMP, to a syslog server, and to specific email addresses.

Archiving allows FortiAnalyzer to store copies of content passing through the network. This is usually used together with the DLP mechanism to retain the files that match its rules, and it can also be useful when investigating security incidents.

Another interesting feature is the ability to use administrative domains (ADOMs). This technology lets you group devices by various criteria: device type, geographic location, and so on. Creating such device groups serves the following goals:

  • Grouping devices by similar criteria for easier monitoring and management. Say the devices are grouped by geographic location and you need to find some information in the logs of the devices in one group. Instead of carefully filtering all the logs, you simply open the logs of the required administrative domain and look for the information there.
  • Separating administrative access: each administrative domain can have one or more administrators who have access only to that administrative domain.
  • Managing disk space and storage policies efficiently. Instead of a single storage configuration for all devices, administrative domains let you set a more appropriate configuration for each group of devices. This is useful when, for example, the data from one group of devices must be kept for a year and from another for 3 years. Suitable disk space can then be allocated per group: more for a group that generates a large volume of logs, less for another.

FortiAnalyzer can work in two modes: Analyzer and Collector. The operating mode is chosen according to your requirements and the network topology.

In Analyzer mode, FortiAnalyzer acts as the central log aggregator for one or more log sources. These sources can be FortiAnalyzer units running in Collector mode as well as any of the other supported devices (listed in the figure above). This is the default mode of operation.

In Collector mode, FortiAnalyzer collects logs from other devices and then forwards them to another device, such as a FortiAnalyzer in Analyzer mode or a syslog server. In Collector mode most features, such as reporting and alerts, are unavailable, because its sole purpose is to collect and forward logs.

Using several FortiAnalyzer units in different modes can improve performance: a FortiAnalyzer in Collector mode receives the logs from all devices and sends them to the Analyzer, so the FortiAnalyzer in Analyzer mode is spared the work of receiving logs from many devices and can focus entirely on processing them.


FortiAnalyzer uses the declarative SQL query language for log viewing and reporting. With it, logs are presented in a readable form, and reports are built from SQL queries as well. Some reporting capabilities require knowledge of SQL and databases, but FortiAnalyzer's built-in datasets and charts often make it possible to do without it. We will return to this when we look at the reporting mechanism.
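As an added illustration of what such a report query looks like (my own example, not one of Fortinet's built-in datasets or code from the course), here is a dataset-style query for the "most visited resources" case mentioned above. It assumes the FortiAnalyzer dataset macros `$log` (expanded to the log table of the selected devices and time range) and `$filter` (the report's filter), and that the traffic-log fields `hostname`, `dstip`, `srcip`, `sentbyte`, `rcvdbyte` and `subtype` exist in the ADOM's log schema.

```sql
-- Added example, not from the course or Fortinet's built-in datasets.
-- $log and $filter are FortiAnalyzer dataset macros; field names are
-- assumed to match the FortiGate traffic-log schema of the selected ADOM.
select
    -- fall back to the destination IP when no hostname was logged
    coalesce(nullif(hostname, ''), dstip)                as resource,
    count(*)                                             as sessions,
    count(distinct srcip)                                as clients,
    -- total bytes in both directions; null counters are treated as 0
    sum(coalesce(sentbyte, 0) + coalesce(rcvdbyte, 0))   as bandwidth
from $log
where $filter
  and subtype = 'forward'        -- only forwarded traffic, not local/sniffer logs
group by resource
order by sessions desc
limit 20
```

Plugging such a query into a chart gives a top-N table of destinations with how many sessions and distinct internal clients reached each one, which is the kind of view used to spot an unexpected external host that many clients suddenly start talking to.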

FortiAnalyzer itself comes in several forms. It can be a dedicated physical appliance or a virtual machine (several hypervisors are supported; the full list is in the datasheet). It can also be deployed in public cloud infrastructures such as AWS, Azure and Google Cloud. Finally, there is FortiAnalyzer Cloud, a cloud service provided by Fortinet.

In the next lesson, we will prepare a lab setup for further practical work. Subscribe to our YouTube channel.

Source: habr.com