2. FortiAnalyzer Getting Started v6.4. Layout preparation


Welcome to the second lesson of the FortiAnalyzer Getting Started course. Today we will talk about the administrative domain (ADOM) mechanism on FortiAnalyzer and about how FortiAnalyzer processes the logs it receives; understanding how these two mechanisms work is necessary for the initial configuration of FortiAnalyzer. After that, we will discuss the lab layout used throughout the course and carry out the initial configuration of FortiAnalyzer. The theoretical part and the full recording of the video lesson are below.

First, let's return to administrative domains. There are a few things you need to know about them before you start using them:

  1. Creating administrative domains is enabled and disabled centrally, for the whole FortiAnalyzer device.
  2. Any device other than FortiGate must be registered in a separate administrative domain. That is, if you want to register several FortiMail devices on a FortiAnalyzer, you need a separate administrative domain for them. This does not prevent you from creating additional administrative domains to group FortiGate devices conveniently.
  3. The maximum number of supported administrative domains depends on the FortiAnalyzer model.
  4. When you enable administrative domains, you must choose their mode of operation: Normal or Advanced. In Normal mode, you cannot place different virtual domains (VDOMs) of one FortiGate into different administrative domains of the FortiAnalyzer; in Advanced mode, you can. Advanced mode therefore lets you process the data of different virtual domains separately and get separate reports for them. If you have forgotten what virtual domains are, see the second lesson of the Fortinet Getting Started course, where they are described in some detail.

We will look at creating administrative domains and allocating disk space between them a little later, in the practical part of the lesson.

Now let's talk about how FortiAnalyzer records and processes the logs it receives.
Logs received by FortiAnalyzer are compressed and written to a log file. When this file reaches a certain size, it is rolled over and the completed file is archived. Such logs are called archive logs. They are considered offline logs because they cannot be analyzed in real time; they can only be viewed in raw format. The data policy of the administrative domain determines how long archive logs are kept on the device's disk.
In parallel, the same logs are indexed into the SQL database. These indexed (analytics) logs are what Log View, FortiView and Reports work with. The administrative domain's data policy also determines how long analytics logs are kept in the database; this retention period is set separately from the archive retention period. Once analytics logs are removed from the database, the corresponding archive logs may remain on the device, depending on the data policy of the administrative domain.

To understand the initial settings, this knowledge is enough for us. Now let's discuss our layout:

[Figure: lab layout diagram]

It shows six devices: FortiGate, FortiMail, FortiAnalyzer, a domain controller, an external user's computer and an internal user's computer. FortiGate and FortiMail are there to generate logs from different kinds of Fortinet devices, so that working with several administrative domains can be shown by example. The internal and external users and the domain controller are there to generate various traffic. The internal user's computer runs Windows, and the external user's computer runs Kali Linux.
In this lab, FortiMail runs in Server mode, that is, it is a standalone mail server through which internal and external users can exchange email. The necessary DNS settings, such as the MX record, are configured on the domain controller. The external user also uses the internal domain controller as its DNS server; this is done with a Virtual IP (port forwarding) object on FortiGate.
These settings are not covered in the lesson, as they are not related to the topic of the course. What will be covered is the deployment and initial configuration of the FortiAnalyzer appliance; the remaining components of the layout were prepared in advance.
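As an added illustration (not part of the original lesson or its video), this is what the initial configuration of the FortiAnalyzer, including enabling administrative domains in Advanced mode from point 4 above, looks like on the CLI, followed by the FortiGate-side setting that makes the FortiGate send its logs to the FortiAnalyzer. The IP addresses, hostname and interface names are assumptions for this write-up, not the lab's real addressing; the commands themselves are standard FortiAnalyzer 6.4 and FortiOS 6.4 CLI.

```text
# ---- FortiAnalyzer 6.4 (console or SSH) ----
# Management interface; the addressing below is an assumption for this write-up
config system interface
    edit "port1"
        set ip 10.0.1.20 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Default route towards the FortiGate (assumed gateway 10.0.1.1)
config system route
    edit 1
        set device "port1"
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.0.1.1
    next
end

# DNS: the lab's domain controller (assumed 10.0.1.10)
config system dns
    set primary 10.0.1.10
end

# Enable administrative domains and pick the mode once, before any
# devices are registered: Advanced is what allows VDOMs of one FortiGate
# to land in different ADOMs, as described in point 4 above.
config system global
    set hostname "FAZ-LAB"
    set adom-status enable
    set adom-mode advanced
end

# ---- FortiGate, FortiOS 6.4 ----
# Point the FortiGate at the FortiAnalyzer; 'reliable' uses TCP (OFTP)
# instead of UDP so logs are not silently lost on the way.
config log fortianalyzer setting
    set status enable
    set server 10.0.1.20
    set upload-option realtime
    set reliable enable
end

# Check that the FortiGate can actually reach the FortiAnalyzer
execute log fortianalyzer test-connectivity
```

After `test-connectivity` succeeds, the FortiGate appears in the FortiAnalyzer's Device Manager as an unauthorized device and has to be authorized into the intended ADOM before its logs are processed; with FortiMail, the same registration step lands in the separate non-FortiGate ADOM required by point 2.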

The system requirements for the various devices are listed below. This lab runs for me on a pre-prepared machine in a VMware Workstation virtual environment; the characteristics of that machine are also shown below.

Device                  RAM, GB   vCPU   HDD, GB
Domain controller       6         3      40
Internal user           4         2      32
External user           2         2      8
FortiGate               2         2      30
FortiAnalyzer           8         4      80
FortiMail               2         4      50
Layout machine (host)   28        19     280

The figures in this table are minimum requirements; real-world environments typically need more resources. Additional information on system requirements can be found at this site.

The video tutorial presents the theoretical material discussed above as well as the practical part, the initial configuration of the FortiAnalyzer device. Enjoy watching!


In the next lesson, we will take a closer look at working with logs. To make sure you don't miss it, subscribe to our YouTube channel.

You can also follow the updates on the following resources:

FaceBook Group
Yandex Zen
Our website
Telegram channel

Source: habr.com
