Device Registration

In this lesson, we will examine how devices become registered with FortiAnalyzer so they can begin
sending logs and how to secure communication between devices.

After completing this lesson, you should have these practical skills that will allow you to register a
device with FortiAnalyzer and configure device options, logging permissions, and secure
communication.

To FortiAnalyzer, there are only two types of external devices: those that are registered and those
that are unregistered.
A registered device is one that has been authorized to store logs on FortiAnalyzer, whereas an
unregistered device is one that is requesting to store logs on FortiAnalyzer.
As mentioned in the Introduction to FortiAnalyzer lesson, FortiAnalyzer supports the registration of
many different devices, including:

FortiGate
FortiCarrier
FortiMail
FortiWeb
FortiCache
FortiClient
FortiSandbox
FortiManager
Syslog, and
FortiAnalyzers in Collector mode

So how do you register a device?

There is more than one method you can use to register a supported device with FortiAnalyzer. This
section aims to explain the available options.

There are two ways you can register a device with FortiAnalyzer:
The first method involves a request for registration from a supported device. When the FortiAnalyzer
administrator receives that request, the request is accepted (though it can be denied).
The second method involves the FortiAnalyzer device registration wizard. If the device is supported
and all the details of the device are correct, the device becomes registered.

Let's take a closer look at method one: a request from a supported device. In this example, a FortiGate
is requesting registration. This is done in the FortiGate Web-based manager through Log & Report >
Log Config > Log Settings. The FortiGate administrator must enable Send Logs to
FortiAnalyzer/FortiManager and enter the IP address of the FortiAnalyzer in the field below.
When the FortiGate administrator clicks Test Connectivity, an error dialog box appears stating:
Unable to retrieve FortiAnalyzer/FortiManager status. This is not an error in the true sense. It
cannot retrieve the status because the FortiAnalyzer administrator has not yet accepted the request
to register; they are not yet connected. At this stage, the FortiGate is an unregistered device.

So how does the FortiGate move from an unregistered device to a registered one? This is performed
on the FortiAnalyzer side. Once the request is made from the supported device, the request
automatically appears in the Device Manager tab of the FortiAnalyzer Web-based manager. All
external devices that request registration appear here.
The FortiAnalyzer administrator should review the details of the unregistered device and, if satisfied,
add the device.
To add a device, either select the unregistered device and click Add from the menu bar, or right-click
the unregistered device and click Add from the pop-up menu options. If ADOMs are enabled on
FortiAnalyzer, the root ADOM is selected by default. Only FortiGate can be added to the root ADOM.
For all other supported devices, select a custom ADOM based on the device type or the preconfigured
ADOM specific to the device (for example, FortiMail to the FortiMail ADOM).

FortiManager*, on the other hand, requests registration with FortiAnalyzer differently than FortiGate.
With FortiManager, the request is through this CLI command. Here, you are enabling logging to
FortiAnalyzer, setting the severity level of logs to be sent (for example, information), and configuring
the FortiAnalyzer IP address. Once FortiManager begins to send logs, the FortiManager device
appears in the Device Manager tab of FortiAnalyzer as an unregistered device. In order to add the
device to FortiAnalyzer, ADOMs must be enabled (System Settings > Dashboard > System
Information widget) and you must add the FortiManager to a FortiManager ADOM. The
FortiManager logs to a FortiManager ADOM.
*FortiManager 5.2.1

FortiMail* is different still. With FortiMail, the request can be performed through the Web-based
manager through Log and Report > Log Settings > Remote Log Settings. You need to set the
FortiAnalyzer IP, the log severity level, the facility identifier FortiMail will use to identify itself when
sending log messages, and the log protocol to use (you can select Syslog or the secure protocol
OFTPS; FortiAnalyzer supports both).
You also have to set your logging policy configuration: what types of logs you want to record to
FortiAnalyzer.
Once FortiMail begins to send logs, the FortiMail device appears in the Device Manager tab of
FortiAnalyzer as an unregistered device. In order to add the device to FortiAnalyzer, ADOMs must be
enabled (System Settings > Dashboard > System Information widget) and you must add the
FortiMail to a FortiMail ADOM. The FortiMail logs to a FortiMail ADOM.
While we're not going to demonstrate registration requests from every supported Fortinet device
(you can check the device's Administration Guide for more information on logging to a FortiAnalyzer),
you can see that the action taken on the FortiAnalyzer side is the same: a registration request
appears in the Device Manager tab and you add the device. Other than FortiGates, all other
supported devices require that FortiAnalyzer has ADOMs enabled and that the device is added to its
device-specific ADOM.
*FortiMail 5.2.1

The one third-party device that is supported is syslog. Syslog does not make a request to become a
registered device in the same way as Fortinet devices. In this case, you have to configure your
syslog server to send logs to FortiAnalyzer and then ensure FortiAnalyzer is reachable for syslog.
For example, on a Linux syslog server, this command sets the rule to log all incoming packets, limited
to 20 messages per minute. Log level 6 is info. Then, you have to edit the syslog.conf file to send
those logs to FortiAnalyzer by adding these lines at the end of the file.
On the FortiAnalyzer side, ensure FortiAnalyzer is listening for syslog (System Settings > Network
> All Interfaces). Once completed, you should see syslog appear as an unregistered device in the
Device Manager tab. You cannot add the syslog device unless ADOMs are enabled (System
Settings > Dashboard > System Information widget). The syslog logs to a Syslog ADOM.
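The following is an added example, not part of the course material: it builds RFC 3164 syslog datagrams the way a Linux syslog daemon does, so that the facility and severity (level 6 = info) of a test message can be checked before a syslog server is pointed at FortiAnalyzer on UDP 514. The FortiAnalyzer address FAZ_HOST and the sample message text are constructed placeholders.

```python
"""Build RFC 3164 syslog test datagrams for a FortiAnalyzer syslog check.

Added example (not from the FortiAnalyzer course): it encodes the PRI prefix
the way a Linux syslog daemon does, so you can confirm that the facility and
severity (level 6 = info) reach FortiAnalyzer as intended before relying on
the forwarding rule.  FAZ_HOST is a constructed placeholder address.
"""
import socket
from datetime import datetime

# RFC 3164 numeric codes.  Severity 6 is "info", the level used by the
# iptables LOG rule in the lesson.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
            "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
            "local2": 18, "local3": 19, "local4": 20, "local5": 21,
            "local6": 22, "local7": 23}

FAZ_HOST = "192.0.2.10"  # constructed placeholder, not a real FortiAnalyzer
FAZ_PORT = 514           # UDP port FortiAnalyzer listens on for syslog


def pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164, section 4.1.1)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_pri(value):
    """Reverse of pri(): recover (facility, severity) names from a PRI number."""
    fac_by_num = {v: k for k, v in FACILITY.items()}
    sev_by_num = {v: k for k, v in SEVERITY.items()}
    return fac_by_num[value // 8], sev_by_num[value % 8]


def build_message(facility, severity, hostname, tag, text, when=None):
    """Return a complete RFC 3164 datagram: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    when = when or datetime.now()
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss" with the day space-padded.
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    line = f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"
    return line.encode("ascii", "replace")


def send_test_message(datagram, host=FAZ_HOST, port=FAZ_PORT):
    """Send one datagram over UDP/514; returns the number of bytes sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        return sock.sendto(datagram, (host, port))
    finally:
        sock.close()


if __name__ == "__main__":
    # A constructed test line in the style of the kernel LOG rule output.
    msg = build_message("kern", "info", "syslog-host", "kernel",
                        "IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP DPT=514")
    print(msg.decode())
    print("sent", send_test_message(msg), "bytes to", FAZ_HOST)
```

Run it on the syslog host after the forwarding rule is in place; if the message reaches FortiAnalyzer, the syslog device should show up as unregistered in the Device Manager tab, which is the expected state before it is added to a Syslog ADOM. Because UDP is connectionless, a successful sendto() only proves the packet left the host, not that FortiAnalyzer received it.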

The second registration method is using the device registration wizard on FortiAnalyzer. Here, it is
the FortiAnalyzer administrator that proactively initiates, and ultimately performs, the registration.
With this method, the administrator must have specific details about the device that is to be
registered.
You can launch the wizard from the Device Manager tab by clicking Add Device from the menu bar.
If you have enabled ADOMs and want to add the device to a specific ADOM, select the ADOM from
the drop-down list before clicking Add Device. Otherwise, it is created in root.

The first step in the device registration wizard is adding the model device. On the Login page, select
Add Model Device and enter the IP address of the device you want to register as well as the user
name and password.

The second step is adding the specific details of the device, such as the device type, model, firmware
version, whether the device is part of a high availability cluster, serial number, and, if a VM, the VM
license type. You also need to specify configuration options, such as the amount of space the disk
log is allowed to use, the action the system is to take when the allocated disk quota is filled, and the
device permissions, such as what the device is authorized to send to FortiAnalyzer.
If the device information is verified, the wizard changes the status to device created successfully.

The third step requires no action, but rather provides confirmation of the registered device along with
the specific details of the device added.
The Device Manager tab now shows the device as registered.

If the device registration is brokered on the FortiAnalyzer side, as is the case with the device
registration wizard, the device may appear on the Device Manager tab with a red circle in the Logs
field. This indicates no logs have recently been received by FortiAnalyzer, even though the device
registration was successful. To troubleshoot the connection, ensure Send Logs to
FortiAnalyzer/FortiManager is enabled on FortiGate along with the correct IP address, and that
Realtime is enabled (through Log & Report > Log Settings). You don't always have to send logs in
real time; you have the option to send logs at a scheduled time (such as a low-bandwidth time) on
FortiGate models that have a hard drive, but this is the most immediate way to see whether logs are
being received successfully.
If the Send Logs to FortiAnalyzer/FortiManager setting is enabled, the registered device on the
FortiAnalyzer displays a green circle in the Logs field. This indicates FortiAnalyzer is receiving logs
from the device.

Once you register various Fortinet devices, they appear on the Device Manager tab.
If using virtual domains (VDOMs), you can configure the Device Manager tab to reflect the setup of
the FortiGate. In this example, Device_Two includes VDOM1 and VDOM2.

This section outlines some of the device options available for registered devices, such as high
availability, disk log quotas, and device permissions.

After a device is registered with FortiAnalyzer, you can edit some of the configuration options
associated with the device. In the Device Manager tab, right-click the device you want to edit and
select Edit from the menu.
This is useful as your network expands or requirements change. For example, if the device is now
part of a high availability cluster, or was recently removed from one, you can enable or disable the
option. You can also change the disk log quota, the behavior taken by FortiAnalyzer when the
allocated disk space is full, and the device's permissions.
Let's take a closer look at some of these options.

If the registered device is part of a high availability cluster, you can enable the HA Cluster option and
enter the serial numbers associated with each device in the cluster. The only device that
communicates with FortiAnalyzer is the primary device. The other devices in the cluster send their
logs to the primary device, which then forwards them along to FortiAnalyzer.
FortiAnalyzer distinguishes different devices based on their serial numbers. These are found in the
headers for all the different log message types.
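As an added example (not from the course), the script below shows why every HA member serial has to be registered: it attributes FortiGate-style log lines to registered devices by the serial number in the log header, mapping both the primary and the cluster members to one device name, and reports serials that would sit in Device Manager as unregistered. The registry, serial numbers and log lines are constructed, and the devid= field name is an assumption about the FortiGate key=value log format that the lesson does not state.

```python
"""Attribute FortiGate log lines to registered devices by serial number.

Added example, not from the FortiAnalyzer course.  FortiAnalyzer identifies
the sending unit by the serial number in the log header; in an HA cluster the
primary forwards the members' logs, each still stamped with its own serial, so
every member serial must be on the registered cluster.  The registry, serial
numbers and log lines below are constructed; the devid= field name is an
assumption about the FortiGate key=value log format, not stated in the lesson.
"""
import re
from collections import Counter

# key=value pairs; values may be double-quoted (spaces allowed) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Split a FortiGate-style log line into a dict, stripping quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


class DeviceRegistry:
    """Maps every known serial (primary and HA members) to a device name."""

    def __init__(self):
        self._by_serial = {}

    def register(self, name, primary_serial, cluster_serials=()):
        # Registering an HA cluster means registering all member serials.
        for serial in (primary_serial, *cluster_serials):
            self._by_serial[serial] = name

    def lookup(self, serial):
        return self._by_serial.get(serial)


def triage(registry, lines):
    """Count lines per registered device, per unknown serial, and without devid."""
    registered = Counter()
    unregistered = Counter()
    missing = 0
    for line in lines:
        serial = parse_log_line(line).get("devid")
        if serial is None:
            missing += 1
            continue
        name = registry.lookup(serial)
        if name is None:
            unregistered[serial] += 1  # would appear in Device Manager as unregistered
        else:
            registered[name] += 1
    return {"registered": dict(registered),
            "unregistered": dict(unregistered),
            "missing_devid": missing}


# Constructed registry: one standalone unit and one two-member HA cluster.
REGISTRY = DeviceRegistry()
REGISTRY.register("Device_One", "FGCONSTRUCTED001")
REGISTRY.register("Device_Two", "FGCONSTRUCTED002", cluster_serials=["FGCONSTRUCTED003"])

# Constructed sample lines in FortiGate key=value style.
SAMPLE_LOGS = [
    'date=2024-01-05 time=10:00:01 devname="fw-one" devid="FGCONSTRUCTED001" type="traffic" subtype="forward" level="notice" action="accept"',
    'date=2024-01-05 time=10:00:02 devname="fw-two" devid="FGCONSTRUCTED002" type="event" subtype="system" level="information" msg="HA primary heartbeat"',
    'date=2024-01-05 time=10:00:03 devname="fw-two" devid="FGCONSTRUCTED003" type="traffic" subtype="forward" level="notice" action="deny"',
    'date=2024-01-05 time=10:00:04 devname="fw-rogue" devid="FGCONSTRUCTED999" type="traffic" subtype="forward" level="notice" action="accept"',
    'date=2024-01-05 time=10:00:05 devname="fw-one" type="event" level="warning" msg="header without a serial"',
]

if __name__ == "__main__":
    print(triage(REGISTRY, SAMPLE_LOGS))
```

The secondary member's line (serial FGCONSTRUCTED003) is counted under Device_Two only because its serial was registered with the cluster; remove it from the registration and the same line would be reported as an unregistered serial, which is the symptom to look for when a cluster's logs appear to go missing after a failover.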

By default, each device is allowed 1000 Megabytes (or just under 1 Gigabyte) worth of drive space
on FortiAnalyzer in order to store log data. However, this number is configurable. You cannot set the
minimum below 100MB, and the maximum depends on the disk space allocation of the specific
FortiAnalyzer device. The FortiAnalyzer system reserves between 10%-25% disk space for system
usage and unexpected quota overflow, leaving about 75%-90% disk space for allocation to devices.
You can also adjust the action the FortiAnalyzer takes when the disk log quota is filled. You can
choose to overwrite the oldest logs or stop logging completely.
The available space per device is graphically represented in the Quota column for each device in the
Device Manager tab. The bar grows as more logs are received and stored.

You can also specify the device permissions of the registered device, such as what log types
FortiAnalyzer will store. Options include:

Logs. This option stores logs of the registered device. The type of log depends on the device, as
FortiAnalyzer only supports specific log types from each device. This is covered in the Logs and
Archives lesson.
DLP archive. This option stores logs detailing information about any sensitive data trying to get in,
or out of, your network.
Quarantine. This option stores logs detailing files that have been placed into quarantine on the
device.
IPS Packet log. This option stores logs detailing information about misidentified or missing
packets and network intrusions involving malicious packets.

The last thing we are going to explore is securing communication between FortiGate and
FortiAnalyzer.

Between supported devices, log messages are sent over UDP port 514 or OFTP (TCP 514). When a
secure connection is configured, log traffic is sent over UDP port 500/4500, protocol IP/50.
There are two ways you can secure connections:

SSL encryption (which is enabled by default between FortiAnalyzer and FortiGate), and
IPsec

Let's start with SSL.

SSL is the default setting for securing communications between FortiGate and FortiAnalyzer.
SSL communications are auto-negotiated between FortiAnalyzer and FortiGate, so the OFTPD
server uses the SSL-encrypted FTP protocol only if the connecting FortiGate is using it. If the
FortiGate is configured to send data in plain text, then FortiAnalyzer responds the same way.
SSL can send logs in real time, and if the FortiGate model has a hard disk for log storage, you also
have the option to store and upload logs. If using the store and upload option, you must enable disk
logging on FortiGate through the CLI.

Since SSL is enabled by default once a connection is established between FortiAnalyzer and
FortiGate, the only thing you may need to do is set the encryption level. By default, FortiAnalyzer is
set to low, while FortiGate is set to medium. It is important to note that the encryption level of
FortiAnalyzer must be equal to, or less than, the FortiGate encryption level. FortiAnalyzer will not be
able to connect to the device if the encryption level is higher than the encryption level of the device
from which it intends to receive logs.
The FortiAnalyzer encryption level is global: it applies to all connecting FortiGates. Accordingly, if
you have even one low-encryption FortiGate in your network while the rest are high, you must set the
FortiAnalyzer encryption level to low.

This table outlines the available encryption settings and levels.

High uses the strongest encryption algorithms (Diffie-Hellman and AES to name a couple).
Medium uses high strength encryption methods, but also allows the medium strength ones, such
as RC4.
Low uses weak encryption methods or encryption algorithms that have small keys.

So long as the setting on the FortiGate is equal to, or higher than, the minimum level on the
FortiAnalyzer, SSL negotiations will complete properly.
Keep in mind that higher-level SSL and IPsec require additional CPU resources.
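The following is an added example, not from the course, that turns the negotiation rule above into an audit you can run against an inventory: the FortiAnalyzer minimum level is global and must be equal to or lower than every connecting FortiGate's level, so the script reports which devices would fail to negotiate at the current setting, the strongest global level that still admits the whole fleet, and which devices are holding that level down. FortiGate's CLI names its level {default | high | low}; since the lesson states the FortiGate default is medium, "default" is mapped to medium here. The fleet inventory is constructed.

```python
"""Audit SSL encryption-level compatibility for a FortiAnalyzer and its FortiGates.

Added example, not from the course.  It applies the lesson's rule: the
FortiAnalyzer minimum level is global and must be equal to or lower than the
level of every FortiGate that sends it logs.  FortiGate's CLI names its level
{default | high | low}; the lesson states the FortiGate default is medium, so
"default" is mapped to medium here.  The fleet inventory is constructed.
"""
LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2}
FORTIGATE_ALIASES = {"default": "medium"}


def normalize(level):
    """Accept FortiAnalyzer and FortiGate spellings; return low/medium/high."""
    level = FORTIGATE_ALIASES.get(level.lower(), level.lower())
    if level not in LEVEL_ORDER:
        raise ValueError(f"unknown encryption level: {level!r}")
    return level


def can_connect(faz_level, fgt_level):
    """True when FortiAnalyzer's minimum does not exceed the FortiGate's level."""
    return LEVEL_ORDER[normalize(faz_level)] <= LEVEL_ORDER[normalize(fgt_level)]


def audit(faz_level, fleet):
    """fleet: {device_name: fortigate_level}.

    Returns which devices cannot negotiate at the current FortiAnalyzer
    setting, the strongest global level that still admits the whole fleet,
    and the devices that hold that level down (the ones worth upgrading
    before lowering the global setting for everyone).
    """
    if not fleet:
        return {"blocked": [], "max_faz_level": "high", "limiting_devices": []}
    blocked = sorted(name for name, lvl in fleet.items()
                     if not can_connect(faz_level, lvl))
    weakest = min(LEVEL_ORDER[normalize(lvl)] for lvl in fleet.values())
    name_of = {num: name for name, num in LEVEL_ORDER.items()}
    limiting = sorted(name for name, lvl in fleet.items()
                      if LEVEL_ORDER[normalize(lvl)] == weakest)
    return {"blocked": blocked,
            "max_faz_level": name_of[weakest],
            "limiting_devices": limiting}


# Constructed inventory: one hardened unit, one at the FortiGate default, one legacy.
FLEET = {"fgt-hq": "high", "fgt-branch-1": "default", "fgt-legacy": "low"}

if __name__ == "__main__":
    print(audit("medium", FLEET))
```

With the constructed fleet and FortiAnalyzer at medium, fgt-legacy is blocked and is also the single device forcing the global maximum down to low; the audit output makes that trade-off explicit so the decision to lower the global level, or to bring the one device up, is taken knowingly rather than discovered from a red Logs indicator.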

On the FortiAnalyzer CLI you can adjust the minimum SSL level to allow. Remember, this setting is
global, so it applies to all incoming device connections. Do not set it too high, or FortiAnalyzer will not
be able to connect to the device.
To first verify the current setting, enter the get system global CLI command. If required, change the
level using the command noted on this slide, where {high | medium | low} refers to the encryption
levels explained on the previous slide (medium = default).
Note that changing the enc-algorithm setting on FortiAnalyzer will cause all existing FGFM
tunnel/WebService connections to reset.
On the FortiGate side, change the level using the command noted on this slide. Again, {default | high
| low} refers to the encryption levels explained on the previous slide.
The set enc-algorithm command is not available if you have IPsec enabled as the secure
communication method. If this is the case, you first need to disable IPsec by entering set encrypt
disable.

Now, let's look into configuring an IPsec tunnel between FortiGate and FortiAnalyzer. This secure
communication method requires more configuration, as it must be configured on both ends of the
tunnel: FortiAnalyzer and FortiGate.
Securing communications is extremely important if sending traffic over an unsecured network like the
internet. This secure communication type allows logs to be sent in real-time, and if the FortiGate
model has a hard disk for log storage, you also have the option to store and upload logs. If using the
store and upload option, you must enable disk logging on FortiGate through the CLI.

On the FortiAnalyzer side, select the Device Manager tab. Right-click the device with which you
want to configure an IPsec tunnel and select Edit from the menu. Locate the Secure Connection
section in the Edit Device dialog box and enable Secure Connection. In the ID field, accept the
default ID or create your own. This is the name of your IPsec tunnel. In the Pre-Shared Key field,
enter a key (password).
The FortiGate administrator requires both the ID and pre-shared key.

On the FortiGate side, the administrator must enter the CLI command shown here, where:
<fortianalyzer_ip> is the IP of the FortiAnalyzer with which you are securing communication over
an IPsec tunnel.
<name_of_IPsec_tunnel> is the name given to the IPsec tunnel. You must use the same identifier.
<preshared_IPsec_tunnel_key> is the pre-shared key, or password, for the IPsec tunnel.
This assumes communication between the two is already enabled. If not, enter: set status enable.
Note: If SSL encryption is enabled, you first need to disable it on FortiGate. This is still done within
the config log fortianalyzer setting CLI option:
set enc-algorithm disable

To verify whether you successfully established an IPsec tunnel on FortiAnalyzer, view the Device
Manager tab. The Secure Connection column associated with the device with which you set up an
IPsec tunnel indicates the status. A green up arrow indicates the IPsec tunnel is up, whereas a red
down arrow indicates the IPsec tunnel is down. A grey x denotes that no secure connection has
been enabled.
The same green up arrow indicates a connection on FortiGate, through the Log & Report > Log
Config > Log Settings page.

After this lesson, you should be able to describe the difference between a registered and
unregistered device; explain the methods available for registering a device; configure device logging
options, such as a high availability cluster, disk log quota, and device permissions; explain the
methods available to secure communication; configure SSL encryption and set encryption levels; and
configure an IPsec tunnel.