DO NOT REPRINT

© FORTINET

FortiAnalyzer Administrator
Lab Guide
for FortiAnalyzer 7.2
DO NOT REPRINT
© FORTINET
Fortinet Training Institute - Library

https://training.fortinet.com

Fortinet Product Documentation

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Product Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Training Program Information

https://www.fortinet.com/nse-training

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Fortinet Training Institute Helpdesk (training questions, comments, feedback)

https://helpdesk.training.fortinet.com/support/home

11/30/2022
DO NOT REPRINT
© FORTINET

TABLE OF CONTENTS

Network Topology 5
Lab 1: Initial Configuration 6
Exercise 1: Examining the Network Settings 10
Lab 2: Administration and Management 15
Exercise 1: Configuring ADOMs 16
View ADOM Information 17
Create Custom ADOMs 18
Exercise 2: Configuring an External Server to Validate Administrators 21
Configure an LDAP Server on FortiAnalyzer 21
Create a Wildcard LDAP Administrator 23
Test External Administrator Access 24
View the Event Logs 27
Exercise 3: Modifying Disk Quotas 28
Modify the Disk Quota 28
Lab 3: RAID and HA 30
Lab 4: Device Registration and Communication 31
Exercise 1: Registering Devices on FortiAnalyzer 33
Accept Device Registration Requests 33
Exercise 2: Registering Devices With Fabric Authorization 36
Configure FortiAnalyzer for Fabric Authorization 36
Register Remote-FortiGate 36
Verify Device Registration 38
Exercise 3: Moving Devices Between ADOMs 39
Move a Device to a Different ADOM 39
Rebuild the ADOM Database to Migrate the Device Logs 40
Exercise 4: Exploring Troubleshooting Commands 41
Verify Device Registration 41
Verify Device Communication 42
Troubleshoot Device Communication 42
Verify That FortiAnalyzer is Receiving Logs 43
Exercise 5: Gathering Benchmark Diagnostics 44
View System Resource Information 44
Gather Data Policy and Disk Utilization Information 45
DO NOT REPRINT
© FORTINET
Exercise 6: Generating Traffic 47
Generate Traffic Using FIT 47
Generate Traffic Using Nikto 48
Lab 5: Log and Report Management 51
Exercise 1: Viewing Used Storage Space 52
View Used Storage Statistics 52
Exercise 2: Configuring Hcache and Output Profile 53
Enable Hcache in a Report 53
Create and Configure an Output Profile 53
DO Network
NOTTopology
REPRINT
© FORTINET
Network Topology

FortiAnalyzer Administrator 7.2 Lab Guide 5

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Lab 1: Initial Configuration

In this lab, you will examine the network settings of FortiAnalyzer from the CLI and GUI.

Objectives
l Examine the network settings

Time to Complete
Estimated: 25 minutes

Prerequisites
Before beginning this lab, you must update the firmware and initial configuration on Local-FortiGate, ISFW, and
Remote-FortiGate.

This lab environment is also used for the FortiGate Security and FortiGate Infrastructure 7.2.0 training, and
initializes in a different state from what is required for the FortiAnalyzer 7.2.1 training.

To update the FortiGate firmware on all FortiGate devices

1. Log in to the Local-Client VM with the username Administrator and password password.
2. Open a browser, and then log in to the Remote-FortiGate GUI at 10.200.3.1 with the username admin and
password password.
You can use the links in the favorites bar to access all devices, as shown in the following image:

3. Click System > Fabric Management > Remote-FortiGate, and then click Upgrade.

4. Click File Upload, and then click Browse.

6 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO Lab
NOT 1: InitialREPRINT
Configuration

© FORTINET
5. Browse to Desktop > Resources > FortiAnalyzer Administrator > FGT-Firmware, select FGT_VM64_KVM-
v7.2.1.F-build1254-FORTINET.out, and then click Select to load the file.
6. Click Confirm and Backup Config, and then in the warning window, click Continue to initiate the upgrade.

The system starts rebooting.

7. Open another browser tab, and then log in to the Local-FortiGate GUI at 10.0.1.254 with the username admin
and password password.

8. Repeat this procedure to update the firmware for Local-FortiGate.

9. Open a third browser tab, and then log in to the ISFW GUI at 10.0.1.200 with the username admin and
password password.

10. Repeat this procedure to update the firmware for ISFW.

To restore the Remote-FortiGate configuration file

Make sure you restore the correct configuration file on the correct device. The name of
the configuration file matches the name of the device that it must be restored on.

1. On the Local-Client VM, open a browser, and then log in to the Remote-FortiGate GUI at 10.200.3.1 with the
username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

FortiAnalyzer Administrator 7.2 Lab Guide 7

Fortinet Technologies Inc.
DO NOT REPRINT Lab 1: Initial Configuration

© FORTINET

3. Click Local PC, and then click Upload.

4. Click Desktop > Resources > FortiAnalyzer Administrator > LAB-1 > Remote-FortiGate_initial.conf,
and then click Select.
5. Click OK.
6. Click OK to reboot.

To restore the Local-FortiGate configuration file

1. On the Local-Client VM, open a browser, and then log in to the Local-FortiGate GUI at 10.0.1.254 with the
username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.

4. Click Desktop > Resources > FortiAnalyzer Administrator > LAB-1 > Local-FortiGate_initial.conf,
and then click Select.
5. Click OK.
6. Click OK to reboot.

To restore the ISFW configuration file

1. On the Local-Client VM, open a browser, and then log in to the ISFW GUI at 10.0.1.200 with the username
admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

8 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO Lab
NOT 1: InitialREPRINT
Configuration

© FORTINET

3. Click Local PC, and then click Upload.

4. Click Desktop > Resources > FortiAnalyzer Administrator > LAB-1 > ISFW_initial.conf, and then click
Select.
5. Click OK.
6. Click OK to reboot.

FortiAnalyzer Administrator 7.2 Lab Guide 9

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Examining the Network Settings

In this exercise, you will examine the initial configuration of FortiAnalyzer from the CLI and GUI.

To examine the network settings using the CLI

1. On the FortiAnalyzer CLI, log in with the username admin and password password.
2. Enter the following command to display basic status information about FortiAnalyzer:

CLI command Data Result

# get system status What is the firmware version?

Knowing the FortiAnalyzer firmware

version is important because it
determines which Fortinet products—
and associated firmware versions—are
supported.

Are administrative domains (ADOMs)

enabled?

By default, ADOMs are disabled.

What is the time zone?

For proper log correlation, it is important

that the system time on FortiAnalyzer
and all registered devices is
synchronized.

What is the license status?

FortiAnalyzer requires a valid license to

collect and store logs.

3. Enter the following command to display information about the configuration of the FortiAnalyzer interface:

10 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Examining
REPRINTthe Network Settings

© FORTINET
CLI command Diagnostic Result

# show system interface What is the IP address of port1?

port1 is the management port and has

the IP address of FortiAnalyzer.

Which administrative access protocols

are configured for port1?

This will help you to troubleshoot

access issues.

What is the IP address of port3?

According to the network topology

diagram, port3 is used to route traffic
between Remote-FortiGate and
FortiAnalyzer. Remote-FortiGate,
therefore, connects to FortiAnalyzer
using the port3 IP address.

Which administrative access protocols

are configured for port3?

4. Enter the following command to display DNS setting information:

CLI command Diagnostic Result

# show system dns What are the primary and secondary DNS
settings?

Several FortiAnalyzer functions use DNS, such

as sending alert emails and resolving host
names in the logs. By default, FortiAnalyzer
uses FortiGuard DNS servers.

5. Enter the following commands to display NTP setting information:

CLI command Diagnostic Result

# get system ntp Is NTP enabled?

NTP is recommended on FortiAnalyzer and

all registered devices for proper log
correlation.

How often does FortiAnalyzer synchronize

its system time with the NTP server?

# show system ntp Which server is configured for NTP?

By default, one of the Fortinet servers is

configured for NTP.

FortiAnalyzer Administrator 7.2 Lab Guide 11

Fortinet Technologies Inc.
DO NOT REPRINT Exercise 1: Examining the Network Settings

© FORTINET
6. Enter the following command to display information about the FortiAnalyzer routing configuration:

CLI command Diagnostic Result

# show system route What is the gateway route associated with

port3?

According to the network topology diagram,

this IP address is the route to use to reach
Remote-FortiGate.

7. Close the FortiAnalyzer CLI session.

To examine the network settings using the GUI

1. Log in to the FortiAnalyzer GUI with the username admin and password password.
2. On the main tiles, click System Settings.

The dashboard appears.

3. Examine the System Information and License Information widgets to display the information shown below.
This displays the same information available from the get system status CLI command.
l Firmware version
l ADOM status
l System time and time zone
l License status (VM)
4. On the System Information widget, click the edit pencil icon beside System Time to view the NTP information.

This displays the same information available from the get system ntp and show system ntp CLI
commands.

12 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Examining
REPRINTthe Network Settings

© FORTINET

5. Click X to go back to the System Information widget.

6. In the menu on the left, click Network.
This page displays information about all FortiAnalyzer interfaces, including their configured IP addresses and
administrative access protocols. This page also shows the DNS servers and the routing table.

The information displayed here is the same information available from the show system interface, show
system dns, and show system route CLI commands. For example, according to the show system
interface CLI command, you should see that port2 and port3 are also configured.

7. To modify the settings of an interface, or the routing table, select the checkbox for the entry that you want to
change, and then click Edit.
8. To modify the DNS settings, type new values in the DNS server fields, and then click Apply.

To examine the Local-FortiGate system time

1. Log in to the Local-FortiGate GUI with the username admin and password password.
2. In the menu on the left, click System > Settings, and then check System Time.
Does Local-FortiGate have the same system time settings as FortiAnalyzer?

FortiAnalyzer Administrator 7.2 Lab Guide 13

Fortinet Technologies Inc.
DO NOT REPRINT Exercise 1: Examining the Network Settings

© FORTINET
The system time settings must be the same to ensure log correlation between Local-FortiGate and
FortiAnalyzer.

Setting FortiAnalyzer Local-FortiGate

Time Zone (GMT-8:00) Pacific Time (US & Canada)

Set time NTP

Select server FortiGuard

3. Close the browser.

14 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Lab 2: Administration and Management

In this lab, you will configure FortiAnalyzer for administrative domains (ADOMs). You will also configure an
external server to validate non-local (external) administrators.

You will configure the external administrator to have access to a specific ADOM only. Finally, you will modify the
disk quota assigned to one of the ADOMs you create.

Objectives
l Configure ADOMs
l Configure an external server to validate administrators
l Modify the disk quota

Time to Complete
Estimated: 25 minutes

FortiAnalyzer Administrator 7.2 Lab Guide 15

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Configuring ADOMs

In this exercise, you will enable ADOMs, view default ADOM information, and create two custom ADOMs.

A use case for employing ADOMs is to restrict the access privileges of other administrators to a subset of devices
in the device list.

To enable ADOMs
1. Log in to the FortiAnalyzer GUI with the username admin and password password.
2. Click System Settings.
3. On the dashboard, in the System Information widget, turn on Administrative Domain.

4. Click OK to confirm.
You are automatically logged out of the GUI.

5. Log back in to the FortiAnalyzer GUI with the username admin and password password.
Since ADOMs are now enabled, you must select an ADOM to log in to. The ADOMs that you are presented
with are based on your administrator permissions.

6. Select the root ADOM.

16 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT ADOMs View ADOM Information

© FORTINET
View ADOM Information

Before you create new ADOMs, you should be aware of which ADOM types are available to you. You will view
ADOM information on both the GUI and CLI.

To view ADOM information

1. After you log in to the root ADOM on FortiAnalyzer, click System Settings.
2. In the menu on the left, click All ADOMs.
This page lists all available ADOMs and any devices that are added to those ADOMs.

3. On the FortiAnalyzer CLI, log in with the username admin and password password.
4. Run the following command to view the ADOMs that are currently enabled on FortiAnalyzer and the type of device
that you can register to each ADOM:
diagnose dvm adom list

The CLI output is easier to read if you maximize your window. If you already executed
the command, once the window is maximized, press the up arrow to show the last
command you entered, and then press Enter to run the command again.

FortiAnalyzer Administrator 7.2 Lab Guide 17

Fortinet Technologies Inc.
DO Create
NOT REPRINT
Custom ADOMs Exercise 1: Configuring ADOMs

© FORTINET

As you can see, FortiAnalyzer supports several ADOMs, each associated with different device types.

5. Close the FortiAnalyzer CLI window.

Create Custom ADOMs

Now that you have enabled ADOMs on FortiAnalyzer, you can create your own custom ADOMs. In this exercise,
you will create a Fabric ADOM and a FortiGate ADOM. (In Lab 4, you will add FortiGate devices to these ADOMs.)

You do not have to create ADOMs before you register devices to FortiAnalyzer—you
can register devices to the default ADOMs first, and then move those devices into
custom ADOMs later.

The benefit of creating custom ADOMs before device registration is that logs collected for the device that you add
to the ADOM are stored on the ADOM from the beginning. If log collection begins in one ADOM, and then you
move the device to a different ADOM, the analytics (indexed) logs are not automatically moved with the device.
We will explore this scenario in Lab4.

To create custom ADOMs for FortiGate devices

1. Continuing on the FortiAnalyzer GUI, click All ADOMs.
2. Click Create New to create a custom ADOM.
3. In the Create ADOM window, configure the following settings:

Field Value

Name ADOM1

Type Fabric

18 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT ADOMs Create Custom ADOMs

© FORTINET

4. Click Select Device.

If you had any devices registered to FortiAnalyzer, you could select them in the list, and then add them to the
ADOM at this time. However, in this lab, you have not registered any devices yet, so the list is empty.

5. Click Cancel.
6. Review the information in the Disk Utilization section for the new ADOM.
The default allocated space depends on the maximum available space.

7. Change the Allocated setting to 1000 MB, and then click OK.

ADOM1, the Fabric ADOM you just created, now appears in the ADOM list. No registered devices are
associated with ADOM1 yet.

8. Repeat this procedure, but this time create an ADOM called ADOM2, set the Type to FortiGate, and set Allocated
to 1000 MB.
Your ADOMs should now appear the same as the following example:

FortiAnalyzer Administrator 7.2 Lab Guide 19

Fortinet Technologies Inc.
DO Create
NOT REPRINT
Custom ADOMs Exercise 1: Configuring ADOMs

© FORTINET

You will add FortiGate devices to these ADOMs in Lab 4.

By default, FortiAnalyzer includes a root ADOM that is the Fabric type. Only FortiGate
devices and devices in a Fortinet Security Fabric can register to the root ADOM.
Therefore, with ADOMs disabled, you cannot register a standalone device that is not a
FortiGate on FortiAnalyzer.

You can switch between ADOMs on the GUI—you do not have to log out and log back
in. To switch ADOMs on the GUI, click ADOM in the top-right corner of the GUI. Your
administrator privileges determine which ADOMs you have access to.

9. Log out of FortiAnalyzer.

20 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 2: Configuring an External Server to Validate
Administrators

In this exercise, you will configure an external LDAP server on FortiAnalyzer to validate administrator logins. You
will also create a new administrator account and permit LDAP group access by enabling the wildcard
administrator account feature. You will also configure a wildcard administrator account for accessing a specific
ADOM only.

Most companies, especially medium to large-sized companies, have employee accounts located in a central
database, with employees as members of specific groups. As such, instead of managing employees designated
as FortiAnalyzer administrators locally on FortiAnalyzer across multiple administrator accounts (as well as
managing these employees in the organization's central database), you can configure one wildcard administrator
account on FortiAnalyzer to point to an LDAP group the FortiAnalyzer administrators are members of. This allows
you to have centralized control over your administrators.

For the purpose of this lab, an LDAP server with the following directory tree has been
configured using FortiAuthenticator (10.0.1.150):

After you complete the configuration, you will verify that you can access FortiAnalyzer, and then you will check the
event logs for details.

Configure an LDAP Server on FortiAnalyzer

You will configure FortiAnalyzer to point to a preconfigured LDAP server.

To configure an LDAP server on FortiAnalyzer

1. Log in to the FortiAnalyzer GUI with the username admin and password password.
2. Click root.

FortiAnalyzer Administrator 7.2 Lab Guide 21

Fortinet Technologies Inc.
DO Configure
NOTanREPRINT
LDAP Server on FortiAnalyzer Exercise 2: Configuring an External Server to Validate Administrators

© FORTINET

3. Click System Settings.

4. In the menu on the left, click Admin > Remote Authentication Server.
5. Click Create New, and then in the dialog box that opens, click LDAP Server.

6. Configure the following settings:

You can copy the distinguished name (DN) and user DN from the ADserver-
info.txt file by clicking Desktop > Resources > FortiAnalyzer > LAB-2, opening
the file, copying the information, and then pasting the information directly into the
fields.

Field Value

Name External_Server

Server Name/IP 10.0.1.150

This is the IP address of the FortiAuthenticator acting as the LDAP server.

For more information, see Network Topology on page 5.

Common Name Identifier uid

Distinguished Name ou=Training,dc=trainingAD,dc=training,dc=lab

This is the domain name for the LDAP directory on FortiAuthenticator, with
all users located under the Training organizational unit (ou).

Bind Type Regular

User DN uid=fazadmin,ou=Training,dc=trainingAD,dc=training,dc=lab

fazadmin is the LDAP bind account. FortiAnalyzer uses these account

credentials to authenticate against the LDAP server.

Password Training!

22 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Configuring
REPRINT an External Server to Validate Administrators Create a Wildcard LDAP Administrator

© FORTINET
Field Value

Administrative Domain All ADOMs

While this ensures that the LDAP server can provide administrator access
to all ADOMs, it is ultimately the LDAP administrator account that
determines which ADOMs are accessible.

7. Click the icon at the end of the Distinguished Name field to query the DN, and test your LDAP connection.
If the connection is successful, you will see the DN in the LDAP Browser window. If you do not see the DN,
verify that you configured the correct LDAP server information as outlined in the previous step.

8. Click Close to close the LDAP Browser window.

9. Click OK to accept your configuration.
Your remote LDAP authentication server is added to FortiAnalyzer.

Create a Wildcard LDAP Administrator

You will create a new administrator account, and permit LDAP group access by enabling the wildcard
administrator account feature.

To create a wildcard LDAP administrator

1. Continuing on the FortiAnalyzer GUI, click Admin > Administrators.
2. Click Create New.
3. Configure the following settings:

Field Value

User Name remote-admins

Admin Type LDAP

LDAP Server External_Server

This is the LDAP server you created in the previous procedure.

FortiAnalyzer Administrator 7.2 Lab Guide 23

Fortinet Technologies Inc.
DO Test
NOT REPRINT
External Administrator Access Exercise 2: Configuring an External Server to Validate Administrators

© FORTINET
Field Value

Match all users on remote <enable>

server

This ensures that any user account located in the LDAP group (ou) you
specified in the LDAP server configuration can authenticate.

Admin Profile Standard_User

This provides read/write access for all device privileges, but disables
system privileges.

4. Beside Administrative Domain, click Specify, and then click Click here to select.
5. Select ADOM1 in the drop-down list, and then click OK.

Even though you configured the LDAP server to access all ADOMs, this LDAP administrator account limits
access to ADOM1 only. This provides you with more flexibility and security because you can create additional
LDAP administrator accounts for different ADOM access rights, if required.

6. Click OK.
You successfully created a wildcard LDAP administrator.

7. Log out of FortiAnalyzer.

Test External Administrator Access

Now that you have configured an external server, and created a wildcard administrator account that points to that
external server, you are ready to test your configuration.

Based on the preconfigured LDAP server, you should be able to successfully authenticate with the following two
users:

24 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Configuring
REPRINT an External Server to Validate Administrators Test External Administrator Access

© FORTINET
l aduser1
l aduser2

Also, since you gave this account the Standard_User profile and access to ADOM1 only, you will notice a
reduction in permissions (compared to the admin user account with the Super_User profile).

To test external administrator account access

1. Log in to the FortiAnalyzer GUI with the username aduser1 and password Training!.
You successfully logged in as an external administrator!

FortiAnalyzer Administrator 7.2 Lab Guide 25

Fortinet Technologies Inc.
DO Test
NOT REPRINT
External Administrator Access Exercise 2: Configuring an External Server to Validate Administrators

© FORTINET
Stop and think!

Since ADOMs are enabled, why do you not have to select an ADOM to log in to after authenticating?

You configured the remote-admins account with permission to access ADOM1 only. Therefore, you are
logged directly in to ADOM1 (your only option).

Why do you not have access to System Settings?

You configured the remote-admins account with the Standard_User profile. This profile does not provide
system privileges.

2. Log out as aduser1, and then log in with the following credentials:
l Username: aduser2
l Password: Training!
You successfully logged in as an external administrator.

Since you configured wildcard access on the remote-user administrator account, any user account located in
the LDAP group (ou) you specified in the LDAP server configuration can authenticate. ADOM permissions
and administrator privileges are the same for each user in the LDAP group.

3. Log out as aduser2.

4. Try to log in as a user located in the same LDAP server (trainingAD.training.lab), but in the Users
organizational unit, not the Training organizational unit that you configured on FortiAnalyzer.
l Username: adadmin
l Password: Training!

Access is denied, because adadmin is not in an allowed LDAP group.

26 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Configuring
REPRINT an External Server to Validate Administrators View the Event Logs

© FORTINET

You successfully tested the external validation of administrators.

View the Event Logs

FortiAnalyzer audits administrator activity, so changes can be tracked. Review the event logs to see your recent
administrator user activity.

To view the event logs

1. Log back in to the FortiAnalyzer GUI with the username admin and password password.
2. Click root.
3. Click System Settings.
4. In the menu on the left, select Event Log.
5. Examine the logins from aduser1, aduser2, adadmin, and admin.

6. Close your browser.

FortiAnalyzer Administrator 7.2 Lab Guide 27

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 3: Modifying Disk Quotas

In this exercise, you will modify the disk quota on one of the ADOMs to ensure it has enough space for the
expected logs.

Modify the Disk Quota

In the real world, if you were consistently seeing a high volume of logs in a specific ADOM over a reasonable
amount of time, it might cause your disk to fill up and result in lost logs. In that case, you would do one of the
following:
l Modify the firewall policies to reduce the amount of traffic you are monitoring
l Modify the disk quotas
The easiest way to resolve this issue is to modify the disk quotas, because it allows you to keep the firewall
policies intact.

You will increase the disk quota in ADOM1.

To modify the disk quota

1. Log in to the FortiAnalyzer GUI with the username admin and password password.
2. Click ADOM1.
3. Click System Settings.
4. In the menu on the left, select All ADOMs, and then edit ADOM1.
5. Change the allocated disk utilization from 1000 MB to 2000 MB.

6. Click OK.
You successfully increased the disk storage in ADOM1.

28 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT3: Modifying
REPRINTDisk Quotas Modify the Disk Quota

© FORTINET

7. Log out of FortiAnalyzer.

FortiAnalyzer Administrator 7.2 Lab Guide 29

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Lab 3: RAID and HA

At this time, there is no lab associated with the RAID and HA lesson..

30 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Lab 4: Device Registration and Communication

In this lab, you will register Local-FortiGate, ISFW, and Remote-FortiGate on FortiAnalyzer for the purpose of log
collection.

After you register the devices, you will add them to the custom ADOMs you created in Lab 2: Administration and
Management on page 15

Finally, you will run some diagnostics to troubleshoot device connection issues.

Objectives
l Register devices on FortiAnalyzer
l Troubleshoot device communication

Time to Complete
Estimated: 45 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate and ISFW.

To restore the ISFW configuration file

Make sure you restore the correct configuration file on the correct device. The name of
the configuration file matches the name of the device that it must be restored on.

1. On the Local-Client VM, open a browser, and then log in to the ISFW GUI at 10.0.1.200 with the username
admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.

4. Click Desktop > Resources > FortiAnalyzer Administrator > LAB-4 > ISFW.conf, and then click Select.

FortiAnalyzer Administrator 7.2 Lab Guide 31

Fortinet Technologies Inc.
DO NOT REPRINT Lab 4: Device Registration and Communication

© FORTINET
5. Click OK.
6. Click OK to reboot.

To restore the Local-FortiGate configuration file

1. On the Local-Client VM, open a browser, and then log in to the Local-FortiGate GUI at 10.0.1.254 with the
username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.

4. Click Desktop > Resources > FortiAnalyzer Administrator > LAB-4 > Local-FortiGate.conf, and then
click Select.
5. Click OK.
6. Click OK to reboot.

32 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Registering Devices on FortiAnalyzer

In this exercise, you will accept a registration request from Local-FortiGate and ISFW, and then add them to a
custom ADOM you created in the previous exercise.

Accept Device Registration Requests

In this scenario, you will review the preconfigured Fortinet Security Fabric on ISFW and Local-FortiGate. Both
FortiGate devices have requested registration on FortiAnalyzer. This was part of the configuration you restored at
the beginning of this lab. You must review and accept the connection requests. After you accept the requests, the
devices will be registered.

If you use this registration method, you do not need to use the Add Device wizard to register a device.

To review the Security Fabric settings on ISFW and Local-FortiGate

1. Log in to the Local-FortiGate GUI with the username admin and password password.
2. In the menu on the left side of the window, click Security Fabric > Fabric Connectors.
3. Select FortiAnalyzer Logging, and then click Edit to review the configuration on Local-FortiGate.

4. Log out of Local-FortiGate.

5. Log in to the ISFW GUI with the username admin and password password.
6. In the menu on the left, click Security Fabric > Fabric Connectors.
7. Select FortiAnalyzer Logging, and then click View to review the configuration.
8. Log out of ISFW.

To accept a device registration request

1. Log in to the FortiAnalyzer GUI with the username admin and password password.
2. Click root.
All FortiGate registration requests go to the root ADOM.

FortiAnalyzer Administrator 7.2 Lab Guide 33

Fortinet Technologies Inc.
DO Accept
NOT REPRINT
Device Registration Requests Exercise 1: Registering Devices on FortiAnalyzer

© FORTINET
3. Click Device Manager.
A notification about the unregistered devices appears.

4. Click the notification bell, and then click the warning message to display the unauthorized devices.

5. Select both FortiGate devices, and then click Authorize.

The Authorize Device window opens. Since ADOMs are enabled, and you created additional ADOMs, you
can now select which ADOM to register the devices on.

6. Select ADOM1, and then click OK.

7. Click Close.
8. Switch to ADOM1.

Both devices are now registered.

Initially, the values under the Logs and Average Log Rate columns might be different from the image above.
You may need to refresh the page a couple of times to display the same results.

FortiAnalyzer indicates that it is now receiving logs (green circle) from both devices.

34 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Registering
REPRINT Devices on FortiAnalyzer Accept Device Registration Requests

© FORTINET
Stop and think!

Why does FortiAnalyzer indicate that it is receiving logs from Local-FortiGate and ISFW (green circle)?

What is indicated by the green lock under the Logs columns for ISFW and Local-FortiGate?

The green lock means that the logs are being encrypted so that they are transferred securely to
FortiAnalyzer.

To validate the FortiAnalyzer certificate

1. Log in to the Local-FortiGate GUI with the username admin and password password.
2. In the menu on the left, click Security Fabric > Fabric Connectors.
3. Select FortiAnalyzer Logging, and then click Edit to review the configuration on Local-FortiGate.
4. Enable Verify FortiAnalyzer certificate, and then click OK.
This is required for FortiAnalyzer to recognize these devices are part of a Security Fabric.

.
5. Click Accept.

6. After the FortiAnalyzer GUI is updated, Device Manager displays the name of the Security Fabric.

7. Leave the FortiAnalyzer web session open for the next exercise.

FortiAnalyzer Administrator 7.2 Lab Guide 35

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 2: Registering Devices With Fabric Authorization

In this exercise, you will configure FortiAnalyzer for fabric authorization, and you will register and authorize
Remote-FortiGate using that option.

Configure FortiAnalyzer for Fabric Authorization

You can start the registration process from FortiGate and, if you have the proper credentials, you can also finish
the authorization by using the Security Fabric.

To configure fabric authorization

1. Log in to the FortiAnalyzer GUI with the username admin and password password.
2. Click root.
3. Click Admin > Admin Settings.
4. Type the IP address 10.0.1.210 in the Authorization Address box.

5. Click Apply.
6. Leave this session open.

Register Remote-FortiGate

You will register Remote-FortiGate and use fabric authorization to finish the process.

To register a device
1. Log in to the Remote-FortiGate GUI with the username admin and password password.
2. In the menu on the left, click Security Fabric > Fabric Connectors.
3. Select FortiAnalyzer Logging, and then click Edit.
4. Click Enabled, and then configure the following settings:

Field Value

Server 10.200.1.210

This is the IP address of FortiAnalyzer for Remote-FortiGate.

Upload Option Real Time

36 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Registering
REPRINT Devices With Fabric Authorization Register Remote-FortiGate

© FORTINET
5. Click OK, and then click Accept to accept the FortiAnalyzer serial number.
6. Click Authorize.

7. Type the username admin and password password, and then click Login.

8. Select Approve, and then click OK.

9. After the device is authorized, click Close.

Remote-FortiGate is now authorized on FortiAnalyzer.

FortiAnalyzer Administrator 7.2 Lab Guide 37

Fortinet Technologies Inc.
DO Verify
NOT REPRINT
Device Registration Exercise 2: Registering Devices With Fabric Authorization

© FORTINET
Using this method, you add the FortiGate devices to the root ADOM. You will move
Remote-FortiGate to a different ADOM later in this lab.

Verify Device Registration

To verify that Remote-FortiGate is correctly registered

1. Return to the FortiAnalyzer GUI, and then open Device Manager.
You should still be on the root ADOM.
2. Verify that Remote-FortiGate is listed, and that it is sending logs.

Stop and think!

If you followed all steps in the lab, you will notice that the logs that Remote-FortiGate sends are not
encrypted. What must you do to secure the log traffic?

To encrypt the log traffic, you must run the following commands on Remote-FortiGate:
# config log fortianalyzer setting

(setting)# set reliable enable

(setting)# end

Local-FortiGate and ISFW had these commands included in the configurations that you restored at the
beginning of the lab.

14. Execute the commands listed above to encrypt the log traffic from Remote-FortiGate.

15. Stay on FortiAnalyzer for the next exercise.

38 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 3: Moving Devices Between ADOMs

As you expand your network, or as your organizational structure changes, you may need to reorganize your
devices in ADOMs. In this exercise, you will move a device from one ADOM to another ADOM.

As mentioned in the Device Management lesson, when you move a device to a different ADOM, the archive
(compressed) logs are automatically migrated to that ADOM, but the analytics (indexed) logs are not.

Therefore, if you need the analytics logs, you must rebuild the ADOMs to move the logs to the new ADOM, and
delete them from the old ADOM.

In a real-world scenario, you would perform this procedure during a maintenance

window, when little traffic is passing through the devices you are moving.

Move a Device to a Different ADOM

You will move Remote-FortiGate from the root ADOM to ADOM2.

To move a device to a different ADOM

1. Log in to the FortiAnalyzer GUI with the username admin and password password.
2. Click ADOM2.
3. Click System Settings.
4. In the menu on the left, select All ADOMs, and then double-click ADOM2.
5. Click Select Device.
6. In the Select Device window, select Remote-FortiGate.

7. Click Add to ADOM.

8. Click OK.
Remote-FortiGate moves from the root ADOM to ADOM2.

9. Open Device Manager, and then verify that Remote-FortiGate is registered and still sending logs.

FortiAnalyzer Administrator 7.2 Lab Guide 39

Fortinet Technologies Inc.
DO Rebuild
NOTthe REPRINT
ADOM Database to Migrate the Device Logs Exercise 3: Moving Devices Between ADOMs

© FORTINET

Rebuild the ADOM Database to Migrate the Device Logs

Assuming you want the old logs (analytics logs) in the new ADOM so you can run reports against them, and no
longer want to see the device logs in the old ADOM, you must rebuild both the new ADOM and the old ADOM
databases.

To rebuild the ADOM databases

1. Open a CLI session on FortiAnalyzer, and then enter the following command to rebuild the two ADOMs, and
transfer the analytics logs:
# execute sql-local rebuild-adom root ADOM2
2. Enter y to continue with the operation.

3. Wait a few minutes for the databases to rebuild.

The FortiAnalyzer GUI shows the rebuild progress.

In this lab environment, only a few logs need to be moved, so the process will not take
very long to finish. In a production environment, this process will take longer depending
on the number of logs present.

4. Stay on the FortiAnalyzer CLI session for the next exercise.

40 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 4: Exploring Troubleshooting Commands

In this exercise, you will explore several commands that can be useful when troubleshooting communication
issues between FortiAnalyzer and the logging devices.

Verify Device Registration

A quick way to verify device registration with FortiAnalyzer is to use the diagnose dvm device list
command. This command provides the serial number, IP address, name, and registered ADOM for each device
added.

To verify device registration information

1. On the FortiAnalyzer CLI, enter the following command to view which ADOM your devices are currently registered
on:

The CLI output formatting is easier to read if you maximize your window.

# diagnose dvm device list

The output indicates that three devices are currently registered: ISFW (10.0.1.200) and Local-FortiGate
(10.0.1.254) on ADOM1, and Remote-FortiGate (10.200.3.1) on ADOM2.

Use this command to verify that all devices are correctly registered. For example, a
missing IP address indicates an unauthorized device. Using this output, you can also
verify that the devices are in the correct ADOM.

FortiAnalyzer Administrator 7.2 Lab Guide 41

Fortinet Technologies Inc.
DO Verify
NOT REPRINT
Device Communication Exercise 4: Exploring Troubleshooting Commands

© FORTINET
Verify Device Communication

Just because a device is successfully added to FortiAnalyzer, does not mean there is successful communication
between the devices.

To verify FortiAnalyzer connectivity from FortiGate

1. On the ISFW CLI, log in with the username admin and password password.
2. Enter the following command to view log connectivity to FortiAnalyzer:
# execute log fortianalyzer test-connectivity
The output should indicate that logging connectivity is allowed.

You should get a similar result if you run this command on any of the FortiGate devices in this lab.

Troubleshoot Device Communication

An easy way to verify connectivity between FortiAnalyzer and the logging devices is to run some tests for the
oftpd process. This should also confirm the logging connectivity results from the previous steps.

To verify which devices are connecting to FortiAnalyzer

1. Continuing on the FortiAnalyzer CLI session, enter the following command to display the devices that are
communicating with FortiAnalyzer:
# diagnose test application oftpd 3

All three FortiGate devices should have established a connection with FortiAnalyzer. If a device is missing
from the list, it means there is a problem that must be fixed.

42 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT4: Exploring
REPRINTTroubleshooting Commands Verify That FortiAnalyzer is Receiving Logs

© FORTINET
Verify That FortiAnalyzer is Receiving Logs

You will enable real-time debugging on the oftpd process, and then send some test traffic from FortiGate. This
should also confirm the logging connectivity results.

To verify that FortiAnalyzer is receiving logs from FortiGate

1. Continuing on the FortiAnalyzer CLI session, enter the following command to enable real-time debugging on the
oftpd process between FortiAnalyzer and ISFW:
# diagnose debug enable
# diagnose debug application oftpd 8 10.0.1.200
2. Return to the ISFW CLI session, and then enter the following command to create some test logs:
# diagnose log test

It is helpful to have both windows side by side, so you can see the output as it occurs.
You can do this using two PuTTY sessions.

3. Return to the FortiAnalyzer CLI session.

You should see several logs that the device with serial number FGVM010000077646 (ISFW) sent.

If no logs are received, there is a communication or misconfiguration issue that must be addressed.
4. Continuing on the FortiAnalyzer CLI session, enter the following commands to stop the debug:
# diagnose debug disable
# diagnose debug application oftpd ""
5. Close all the CLI sessions.

FortiAnalyzer Administrator 7.2 Lab Guide 43

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 5: Gathering Benchmark Diagnostics

After you register the logging devices, you should be aware of the system resources for FortiAnalyzer and the log
storage policies. This can help you correctly manage your device and the logs that are stored.

View System Resource Information

You can view the real-time and historical usage status of the CPU, memory, and hard disk on FortiAnalyzer. You
can monitor these statistics over time to see how your device is performing.

You can also use the FortiAnalyzer get system status and get system
performance CLI commands to view this information.

To view system performance information

1. Log in to the FortiAnalyzer GUI with the username admin and password password.
2. Click ADOM1.
3. Click System Settings.
4. On the dashboard, examine the System Resources widget.
You can click the refresh icon to get the latest statistics.

Diagnostic Result

What is the average CPU usage?

What is the memory usage?

What is the disk usage?

5. Click the settings icon to view the historical usage over the past hour.

44 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT5: Gathering
REPRINTBenchmark Diagnostics Gather Data Policy and Disk Utilization Information

© FORTINET

6. Click OK.

Gather Data Policy and Disk Utilization Information

You should also be aware of your disk quota for each ADOM. This can help prevent any log storage issues that
may occur, especially if some devices produce a high volume of logs.

You can also use the diagnose log device CLI command to obtain this
information.

To check log storage information

1. Continuing on the FortiAnalyzer GUI (ADOM1), click System Settings.
2. In the menu on the left, click Storage Info.
3. Double-click (or edit) ADOM1, and then scroll down to view the data policy and disk utilization policies.

How long are logs configured to be kept in the SQL database (Keep Logs for Analytics)?

This is the number of days that you can view information about the logs on FortiView, Event
Monitor, and Reports. After the specified amount of time expires, logs are automatically
purged from the SQL database.

How long are logs configured to be kept in the compressed state (Keep Logs for Archive)?

When logs are in the compressed state, you cannot view information about the log messages
on FortiView, Event Monitor, and Reports. After the specified amount of time expires,
archive logs are automatically deleted from FortiAnalyzer.

What is the maximum amount of FortiAnalyzer disk space available to use for logs
(Maximum Available)?

Note: The reserved space is already deducted from this total.

How much disk space is allocated to ADOM1?

FortiAnalyzer Administrator 7.2 Lab Guide 45

Fortinet Technologies Inc.
DO Gather
NOT DataREPRINT
Policy and Disk Utilization Information Exercise 5: Gathering Benchmark Diagnostics

© FORTINET
What is the allotted disk space percentage available for indexed (analytics) and compressed
(archive) logs?

Analytics logs require more space than archive logs.

At what percentage are alert messages to be generated and logs automatically deleted?

The oldest archive log files or analytics database tables are deleted first.

4. Click Cancel to close the window.

46 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 6: Generating Traffic

The purpose of this exercise is to generate traffic so that you can see the storage used for the logs that
FortiAnalyzer receives in the next lab.

The traffic you generate will go through ISFW and Local-FortiGate. The firewall policies
were preconfigured for you, and logging for all sessions is enabled. To view the firewall
policies on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.

You will use two tools to generate different types of traffic.

Generate Traffic Using FIT

The firewall inspection tester (FIT) VM generates web browsing traffic, application control, botnet IP hits, malware
URLs, and malware downloads.

In this lab, you will direct FIT-generated traffic through the ISFW Full_Access firewall policy. This firewall policy
was preconfigured for you, and includes the following security policies and logging options:

Because FIT-generated traffic originates from the IP address of the FIT VM

(10.0.3.20), all of these logs display the same source IP address in the
FortiAnalyzer logs. This is a limitation of the lab environment. In a real-world scenario,
you will likely see many different source IP addresses for the traffic.

FortiAnalyzer Administrator 7.2 Lab Guide 47

Fortinet Technologies Inc.
DO Generate
NOTTraffic
REPRINT
Using Nikto Exercise 6: Generating Traffic

© FORTINET
To generate traffic using FIT
1. On the Local-Client VM, open PuTTY, and then connect to the FIT saved session (connect over SSH).
2. Log in with the username student and password password.
3. Enter the following command to run a script that changes the default route of FIT to send traffic through ISFW (see
Network Topology on page 5):
$ sudo ./default3
4. When prompted, enter the password again.
5. Enter the following command to check the default route:
$ ip route
You should see the default route through 10.0.3.254.

6. Enter the following commands:

# cd FIT
# ./fit.py all --repeat

Traffic will begin to generate, and the script will repeat each time it completes.

7. Leave the PuTTY session open (you can minimize it), so that traffic continues to generate. This will run throughout
the remainder of the lab.

Do not close the FIT PuTTY session or traffic will stop generating.

Generate Traffic Using Nikto

Nikto generates intrusion prevention system (IPS) traffic.

You will direct the traffic that Nikto generates through the Local-FortiGate IPS-traffic-policy firewall policy. This
firewall policy was preconfigured for you, and includes the following security policies and logging options:

48 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT6: Generating
REPRINT Traffic Generate Traffic Using Nikto

© FORTINET

Because the traffic that Nikto generates originates from the IP address of the Linux VM
where Nikto is installed (10.200.1.254), all of these logs will show the same source
IP address in the FortiAnalyzer logs. This is a limitation of the lab environment. In a
real-world scenario, you will likely see many different source IP addresses for your
traffic. Note that 10.200.1.10 is a virtual IP configured on Local-FortiGate.

To generate traffic using Nikto

1. Continuing on the Local-Client VM, open a second PuTTY application, and then connect to the LINUX saved
session (connect over SSH).
2. Log in with the username student and password password.
3. Enter the following command:
nikto.pl -host 10.200.1.10

The script starts generating traffic.

FortiAnalyzer Administrator 7.2 Lab Guide 49

Fortinet Technologies Inc.
DO Generate
NOTTraffic
REPRINT
Using Nikto Exercise 6: Generating Traffic

© FORTINET
The scan will continue for approximately 25 minutes. When the scan is complete, the window displays an end
time and indication that one host has been tested.

You can run the command again. Press the up arrow, and then press Enter to generate more logs—
however, this is not required. One cycle provides enough logs for the purposes of this lab.

4. Leave the PuTTY session open (you can minimize it), so that traffic continues to generate.
This will run for the remainder of the lab.

Do not close the LINUX PuTTY session or traffic will stop generating.

50 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Lab 5: Log and Report Management

In this lab, you will gather information about your FortiAnalyzer performance benchmarks and log storage policies.
Then, you will generate some traffic so that you can examine the used storage statistics. Finally, you will enable
hcache and configure an output profile that will be used in one of the predefined reports.

Objectives
l Gather used storage information
l Configure hcache and output profile

Time to Complete
Estimated: 30 minutes

FortiAnalyzer Administrator 7.2 Lab Guide 51

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Viewing Used Storage Space

Now that FortiAnalyzer is collecting logs, you should view the used storage space to determine whether
FortiAnalyzer is adequately configured to store the logs it receives from the devices registered in your network.

View Used Storage Statistics

Earlier, you obtained your data policy and disk utilization information. Now that FortiAnalyzer has collected some
logs, you will view the current status for the used storage.

You can also use the diagnose log device CLI command to obtain this
information.

To view the current used storage

1. Continuing on the FortiAnalyzer GUI (ADOM1), in the drop-down menu on the left, click System Settings >
Storage Info.
2. Review the storage used by ADOM1.

Due to the relatively low volume of logs in the lab environment, you may see that very
little storage is being used.

If you are running the self-paced version of this lab, and depending on the current date,
logs may have been removed due to the retention policies configured in FortiAnalyzer.
For example, Analytics logs are kept only for 60 days by default.

3. Keep the FortiAnalyzer session open for the next exercise.

52 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 2: Configuring Hcache and Output Profile

In this exercise, you will enable the hcache in a report. You will also configure an output profile, and then you will
attach it to a report.

Enable Hcache in a Report

FortiAnalyzer includes many predefined reports to serve a wide variety of scenarios. You will enable hcache on
one of the default reports.

To enable hcache
1. Log in to the FortiAnalyzer GUI with the username admin and password password.
2. Click ADOM1.
3. Click Reports.
4. In the left menu, navigate to Reports Definitions > All Reports.
This page lists the available default reports.

5. Double-click the report at SOC Reports > 360-Degree Security Review.

5. Click the Settings tab for the report, and then select Enable Auto-cache.
The hcache is updated when new logs come in, and new log tables are generated.

6. Click Apply.

Create and Configure an Output Profile

Output profiles allow you to send a copy of generated reports to other servers.

To configure an output profile

1. Click Reports > Advanced > Output Profile.

2. Click Create New.

FortiAnalyzer Administrator 7.2 Lab Guide 53

Fortinet Technologies Inc.
DO Create
NOT REPRINT
and Configure an Output Profile Exercise 2: Configuring Hcache and Output Profile

© FORTINET
3. Complete the Output Profile settings as shown in the following image:

Click + to add the email server.

This email server was preconfigured for this lab.

4. Click OK.
5. Double-click the report at Report Definitions > All Reports > SOC Reports > 360-Degree Security Review.
6. Click the Settings tab, and then select the Enable Notification checkbox
7. Click the Output Profile box, and then select the profile you created in the previous step.

8. Click Apply.
9. Log out of FortiAnalyzer.

54 FortiAnalyzer Administrator 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.