
FortiCloud Administration Guide

VERSION 2.4.3

FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdocs@fortinet.com

Thursday, January 21, 2016


FortiCloud Administration Guide Version 2.4.3

TABLE OF CONTENTS

Introduction
    Overview of FortiCloud
    FortiCloud Sandboxing
    FortiDeploy
Interface Overview
    Home Page
    Dashboard Page
        Widget List
    FortiView Page
    Drilldown Page
        Chart Type List
    Reports Page
    Management Page
    Sandbox Page
Service Configuration
    How to set up FortiCloud on your FortiGate
    How to set up FortiCloud Sandbox
    How to set up FortiDeploy
Appendix
    Premium Accounts for Managed Security Service Providers (MSSP)
    List of port numbers used by FortiCloud

Introduction
This guide provides information about the FortiCloud service.

Overview of FortiCloud
FortiCloud is a hosted security and wireless infrastructure management solution and log retention service for
FortiGate and FortiWiFi devices.
It gives you centralized reporting, traffic analysis, configuration management, and log retention without the need
for additional hardware and software, with the following feature set:
- Simple provisioning of large scale security networks

- Configuration and device management from a single pane of glass

- Hosted log retention and cloud-based storage

- Built-in protection from APTs with FortiGuard sandboxing technology

- Instant security intelligence and analytics with FortiView

- Exceptional network visibility with FortiCloud reporting

- FortiCloud transport security and service availability

FortiCloud also integrates these other Fortinet services: FortiCloud Sandboxing and FortiDeploy.

FortiCloud Sandboxing
FortiCloud Sandboxing is a service that uploads and analyzes files marked as suspicious by the FortiGate
AntiVirus.
In a proxy-based antivirus profile on a FortiGate, the administrator selects Inspect Suspicious Files with
FortiGuard Analytics to enable a FortiGate unit to upload suspicious files to FortiGuard for analysis. Once
uploaded, the file will be executed and the resulting behavior analyzed for risk. If the file exhibits risky behavior or
is found to contain a virus, a new virus signature is created and added to the FortiGuard antivirus signature
database. The next time the FortiGate unit updates its antivirus database it will have the new signature.
FortiGuard Labs considers a file suspicious if it exhibits some unusual behavior, yet does not contain a known
virus (the behaviors that FortiCloud Analytics considers suspicious will change depending on the current threat
climate and other factors).
The FortiCloud console enables administrators to view the status of any suspicious files uploaded: Pending,
Clean, Malware, or Unknown. The console also provides data on time, user, and location of the infected file for
forensic analysis. Sandboxing is available in both Free and Paid FortiCloud subscriptions.

Fortinet Technologies Inc.

FortiDeploy
FortiDeploy is a product built into FortiCloud as a feature, for one-touch provisioning when devices are
deployed, locally or remotely. FortiDeploy provides deployment for FortiAPs into a Cloud AP Network, and
automatic connection of FortiGates to be managed by FortiCloud or a FortiManager unit.
At time of purchase, you can order a FortiDeploy SKU in addition to your FortiCloud subscription.
When you visit forticloud.com and enter the Bulk FortiCloud Key, you will see a list of serial numbers from the
order that contained the FortiDeploy SKU. Once you confirm that the devices are connected, you can perform
basic configuration on the devices remotely, such as sending a FortiManager IP to all remote FortiGate devices,
so they can be managed remotely.
FortiDeploy Support starts the moment you send an email to cs@fortinet.com. You can also contact this address if
you have already purchased a FortiCloud subscription and would like to purchase FortiDeploy to add to your existing
subscription.

Interface Overview
Home Page
You will see the Home page when you first open the FortiCloud interface.

On the Home page is a list of Fortinet devices connected to the FortiCloud service.
New devices can be added by selecting Add Device above the list, and entering a FortiCloud Key.
Each Device displays:
- the Model/Serial Number
- the FortiOS Version
- if the device is connected through a Management Tunnel
- when the last log was uploaded
- what percentage of the FortiCloud Quota has been filled (and a Manage Quota button, that allows you to
delete old logs and make space on the server)
- what FortiCloud Subscription you have (and a Subscribe button if you have a free trial)
Click on a device icon to go to the FortiCloud Dashboard for that device.

Dashboard Page
The Dashboard page is a general overview of what is happening with your device, using many Widgets.

Each Widget is a customizable box, showing certain information about the device.
If you mouse over the Widget title, the Widget options icons will appear:

You can click on a Widget title and drag it to move it around.

You can refresh a Widget by selecting the Refresh icon.

You can customize any Widget by selecting the Pencil icon.

You can delete a Widget by selecting the Trash icon.


New Widgets can be added by clicking the green +Widget button in the upper left.

The Dashboard can be changed between two columns and three columns, by clicking the gray Column
icon in the upper right.

Widget List

All of the Widgets are listed below:


- Top Traffic by Protocol compares the traffic volume that has passed through a certain interface, based on
which protocol it uses (http, https, dns, tcp, udp, other).
- Top Viruses counts the viruses most frequently found by the device's AntiVirus. (AntiVirus must be
configured on the device.)
- Traffic History is a chart that displays the volume of Incoming and Outgoing traffic over time.
- Top Websites Visited compares which Web Filtering Categories are most frequently visited. You can click
on a category to see which websites in that category are being visited. (Web Filtering must be configured on
the device.)
- Top Attacks counts the attacks most frequently prevented by the device's IPS. (IPS must be configured on
the device.)
- Top Region by Traffic displays which Countries have the most traffic from or to the device.
- Top Application by Traffic compares which Applications are most frequently used, based on the device's
Application Control settings. (Application Control must be configured on the device.)
- Top Spam displays which Sources are sending the most Spam email into the network. (AntiSpam must be
configured on the device.)
- Top Application Category compares which Application Categories are most frequently used, based on the
device's Application Control settings. (Application Control must be configured on the device.)
- Top DLP Sources counts the DLP events detected by the device, sorted by DLP rule. (DLP must be
configured on the device.)

FortiView Page
The FortiView page lists the log information that has been sent from the device, reorganized to be easily read.

You can select a Category of logs to view by clicking the blue button in the upper left and choosing from the list.
The Categories are divided into three areas: traffic logs, UTM logs, and system logs.
- Traffic Logs: Application, Source, Destination
- UTM Logs: Web Filter, Application Control, AntiSpam, AntiVirus, DLP & Archives, IPS
- System Logs: System Activity, Admin Session, Failed Login, VPN Tunnel, VPN User

The menu to the right of the Categories allows you to select a time period to view:
- Last 60 Minutes
- Last 24 Hours
- Last 7 Days
- Specified Time Period

By clicking on the Logs text in the upper right (Traffic Logs in the image above), you can see the raw log data
that is creating the FortiView list.
The box in the lower right allows you to move through pages of log data by clicking the arrows or entering a page
number.

Drilldown Page
The Drilldown page shows interactive charts built from your device's log data, which you can drill down into
to find more specific information.

You can select a Chart Type using the blue button in the upper left.
You can read about each Chart Type in the next section.
You can also create a new chart in the same menu, by selecting the green +Create New button in the lower right
of the chart list.

Chart Type List

Here are the existing Chart Types, separated into three categories:

Network Activity
- Top Traffic by From IP displays which IP is sending the most traffic to the device.
- Top Traffic by To Country displays which Countries have the most traffic from the device.
- Top Applications by Destination lists which Applications are most frequently detected, listed by Destination.
(Application Control must be configured on the device.)
- Top Applications by Source lists which Applications are most frequently detected, listed by Source. (Application
Control must be configured on the device.)
- Top Traffic by Service displays which Services have the most traffic to and from the device.
- Traffic Trend to Internet tracks which local IP is sending the most traffic to the internet.

Web Activity
- Top Web Categories displays which Filtering Categories are most frequently detected by Web Filtering.
- Top Web User Source tracks which Users are triggering the most Web Filtering events, listed by Source.
- Top Web User Source Request Blocked tracks which Users are triggering the most Request Blocked Web
Filtering events, listed by Source.
- Top Websites Allowed counts which Websites are most frequently allowed by Web Filtering.
- Top Websites Blocked counts which Websites are most frequently blocked by Web Filtering.

(All of the above require Web Filtering to be configured on the device.)

Threats
- Top Attack Destinations counts the attacks most frequently prevented by the device's IPS, by Destination.
- Top Attack Sources counts the attacks most frequently prevented by the device's IPS, by Source.
- Top Spam displays which Sources are sending the most Spam email into the network.
- Top Viruses counts the viruses most frequently found by the device's AntiVirus.
- Top Blocked Applications compares which Applications are most frequently blocked, based on the device's
Application Control settings.
- Top Data Leaks counts the DLP events detected by the device, sorted by frequency.

(All of the above require the correct Security Profile to be configured on the device.)

Reports Page
The Reports page generates custom reports of traffic data, and can email them to specified addresses.

By selecting the blue Schedule button in the upper-right, you can set how often reports are run: Daily, Weekly or
Monthly, and which email the reports are sent to. You can also choose to run a report immediately.

Next to the Schedule button is the Configure Report Layout button.


Selecting this will allow you to edit the content of the report, adding or removing sections as you choose.

Above the Configure Report Layout button is a gear icon that you can select to open the Report Settings. Here
you can upload a report logo, and set the report language.

Management Page
The Management page allows you to remotely manage FortiGate and FortiWiFi devices that are connected to
the FortiCloud service.

At the top left is the Remote Access & Setup Wizard widget.
By clicking the pencil icon next to the title, you can edit which port the device is connecting through.

Selecting Remote Access will allow you to remotely connect to the device's management interface. Pop-ups must
be allowed for this to work.
Selecting Setup Wizard will allow you to remotely perform basic setup tasks on the device, such as changing
Administrator Passwords, changing the Time Zone, and basic Security settings.

At the bottom left is the Config Backup widget.


On the device, you can choose to back up your configuration from the Dashboard. This page will allow you to see
previous backup files, in case you need to roll back a configuration.

At the top right is the Firmware Upgrade widget.


Here you can see the current firmware version installed on the device. You can also update to newer stable
versions with one click, if newer versions are available.

At the bottom right is the Script widget.


You can click the Upload button to upload a script file, which is then run as a series of CLI commands on the
connected device, one command per line.

You can also click the Plus icon next to the title and type a script file directly into the box, to run on the device.
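
Because a script runs unattended on the remote device, it helps to check the file before uploading it. The following is an added example, not part of the original guide and not Fortinet code: a small linter that checks FortiOS config/edit/next/end nesting, one command per line, and flags service-interrupting commands. The sample scripts and the review list are constructed for illustration.

```python
# Commands that interrupt service; this review list is an assumption of the example.
DISRUPTIVE = ("execute factoryreset", "execute reboot", "execute shutdown")

# Constructed sample scripts.
GOOD_SCRIPT = """\
config system global
    set admintimeout 10
end
config firewall address
    edit "branch-lan"
        set subnet 192.0.2.0 255.255.255.0
    next
end
"""
BAD_SCRIPT = """\
set admintimeout 10
config firewall address
    edit "branch-lan"
        set subnet 192.0.2.0 255.255.255.0
execute reboot
"""


def lint_script(text):
    """Return sorted (line_number, message) findings for a FortiOS CLI script."""
    findings, stack = [], []          # stack holds open ("config"|"edit", line)
    for number, raw in enumerate(text.splitlines(), start=1):
        words = raw.split()
        if not words:
            continue
        verb = words[0].lower()
        if verb in ("next", "end") and len(words) > 1:
            findings.append((number, "more than one command on a line"))
        if verb == "config":
            stack.append(("config", number))
        elif verb == "edit":
            if stack and stack[-1][0] == "config":
                stack.append(("edit", number))
            else:
                findings.append((number, "edit outside a config block"))
        elif verb == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
            else:
                findings.append((number, "next without a matching edit"))
        elif verb == "end":
            if stack and stack[-1][0] == "edit":
                stack.pop()           # end also leaves the entry being edited
            if stack:
                stack.pop()           # close the enclosing config block
            else:
                findings.append((number, "end without a matching config"))
        elif verb in ("set", "unset") and not stack:
            findings.append((number, verb + " outside a config block"))
        elif " ".join(words).lower().startswith(DISRUPTIVE):
            findings.append((number, "disruptive command, confirm before upload"))
    findings += [(line, kind + " block never closed") for kind, line in stack]
    return sorted(findings)
```

An empty result means the block structure is balanced; it does not confirm that the commands are valid for the firmware version on the device.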

Sandbox Page
The Sandbox page displays files that have been flagged as suspicious by your connected device's AntiVirus,
which have been uploaded to FortiCloud, to be analyzed by FortiGuard services.

The page only appears if you have the FortiCloud Sandbox service enabled, and if files have been sent from the
device to be analyzed.
By selecting Past Daily Reports in the upper left, you can see the daily reports that are returned by the FortiGuard
service.
You can choose to have Alert Emails sent to you when analysis returns a positive virus detection, by selecting
Alert Setting in the upper right.
The Analysis column on the Sandbox page will show you what the FortiGuard analysis has returned.
- Pending: file is still being analyzed.
- Clean: file has been analyzed, is not harmful.
- Malicious: file has been analyzed, is harmful, has been quarantined.

Service Configuration
This section describes how to enable and set up the various FortiCloud services.

How to set up FortiCloud on your FortiGate


1. Register the FortiGate/FortiWiFi on the Service and Support Portal at support.fortinet.com.
2. Create a FortiCloud account in the FortiGate/FortiWiFi dashboard licensing widget.
3. Activate the FortiGate/FortiWiFi within the dashboard licensing widget.
4. Create a firewall policy with logging enabled. Configure log uploading, if necessary.
5. Log into the portal at https://www.forticloud.com.

How to set up FortiCloud Sandbox


1. Register the FortiGate/FortiWiFi on the Service and Support Portal at support.fortinet.com.
2. Create and activate a FortiCloud account in the FortiGate/FortiWiFi dashboard licensing widget.
3. Go to System > Config > FortiSandbox, and under FortiSandbox Settings, select Enable Sandbox Inspection, and
select 'FortiSandbox Cloud'. The associated FortiCloud Account should appear below.
4. In Security Profiles > AntiVirus, create a profile that has Send Files To FortiSandbox Cloud For Inspection
enabled.
5. Create a firewall policy with logging enabled, that uses the FortiSandbox-enabled AntiVirus profile.
6. Once some files have been uploaded to the FortiCloud Sandbox, log into the portal at https://www.forticloud.com
to see the results.

How to set up FortiDeploy


1. Purchase a FortiDeploy SKU when you purchase your FortiCloud subscription, or by contacting cs@fortinet.com if
you have already purchased a FortiCloud subscription.
2. Visit forticloud.com and enter the Bulk FortiCloud Key. You will see a list of serial numbers from the order that
contained the FortiDeploy SKU.
3. Send an email to FortiDeploy Support, at cs@fortinet.com to confirm your subscription and start the service.
4. Once you confirm that the devices are connected with FortiDeploy, you can deploy basic configurations to the
devices remotely.

Appendix
This section includes additional information about the FortiCloud service.

Premium Accounts for Managed Security Service Providers (MSSP)


FortiCloud has a premium account type, designed for Managed Security Service Providers.
An MSSP account allows you to:
- Create and manage groups of FortiCloud-connected devices,
- Create and view reports from devices and device groups,
- Create client/customer accounts that can only manage the devices and device groups you specify.

When you open FortiCloud with an MSSP account, you will see a different landing page, in which you can view
and device groups, reports, device units, and clients.
You can register for an MSSP account by contacting Fortinet Support.

List of port numbers used by FortiCloud


FortiCloud uses the following ports:
TCP/443
TCP/514
TCP/541
TCP/10151
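
If an upstream firewall sits between the device and the Internet, these ports must be allowed outbound. The following is an added example, not part of the original guide: a probe, run from a host behind the same egress path, that tells a port that is reachable apart from one that is refused or silently dropped. The target host is an assumption supplied on the command line; the guide does not list per-port server addresses.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

FORTICLOUD_TCP_PORTS = (443, 514, 541, 10151)  # the guide's port list


def probe_port(host, port, timeout=3.0):
    """Classify one outbound TCP connection attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"       # a reset came back: path is clear, nothing listening
    except socket.timeout:
        return "filtered"      # no answer at all: typical of a silent drop upstream
    except OSError:
        return "unreachable"   # DNS failure, no route, or another socket error


def probe_egress(host, ports=FORTICLOUD_TCP_PORTS, timeout=3.0):
    """Probe every port in parallel and return {port: state}."""
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        states = pool.map(lambda port: probe_port(host, port, timeout), ports)
        return dict(zip(ports, states))


if __name__ == "__main__":
    # The host is an assumption: pass the FortiCloud address your device uses.
    target = sys.argv[1]
    for port, state in probe_egress(target).items():
        print(f"TCP/{port}: {state}")
```

A "filtered" result on one port while TCP/443 is "open" points at an egress rule rather than at the service.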

Copyright 2016 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.