FortiAnalyzer NSE5

Upload: xhagix

Post on 17-Aug-2015


TRANSCRIPT

In this lesson, we will examine how devices become registered with FortiAnalyzer so they can begin sending logs and how to secure communication between devices.

Device Registration

After completing this lesson, you should have these practical skills that will allow you to register a device with FortiAnalyzer and configure device options, logging permissions, and secure communication.

To FortiAnalyzer, there are only two types of external devices: those that are registered and those that are unregistered. A registered device is one that has been authorized to store logs on FortiAnalyzer, whereas an unregistered device is one that is requesting to store logs on FortiAnalyzer.

As mentioned in the Introduction to FortiAnalyzer lesson, FortiAnalyzer supports the registration of many different devices, including: FortiGate, FortiCarrier, FortiMail, FortiWeb, FortiCache, FortiClient, FortiSandbox, FortiManager, Syslog, and FortiAnalyzers in Collector mode. So how do you register a device?

There is more than one method you can use to register a supported device with FortiAnalyzer. This section aims to explain the available options.

There are two ways you can register a device with FortiAnalyzer. The first method involves a request for registration from a supported device. When the FortiAnalyzer administrator receives that request, the request is accepted (though it can be denied). The second method involves the FortiAnalyzer device registration wizard. If the device is supported and all the details of the device are correct, the device becomes registered.

Let's take a closer look at method one: request from a supported device. In this example, a FortiGate is requesting registration. This is done in the FortiGate Web-based manager through Log & Report > Log Config > Log Settings.
The FortiGate administrator must enable Send Logs to FortiAnalyzer/FortiManager and enter the IP address of the FortiAnalyzer in the field below. When the FortiGate administrator clicks Test Connectivity, an error dialog box appears stating: Unable to retrieve FortiAnalyzer/FortiManager status. This is not an error in the true sense. It cannot retrieve the status because the FortiAnalyzer administrator has not yet accepted the request to register; they are not yet connected. At this stage, the FortiGate is an unregistered device.

So how does the FortiGate move from an unregistered device to a registered one? This is performed on the FortiAnalyzer side. Once the request is made from the supported device, the request automatically appears in the Device Manager tab of the FortiAnalyzer Web-based manager. All external devices that request registration appear here. The FortiAnalyzer administrator should review the details of the unregistered device and, if satisfied, add the device.

To add a device, either select the unregistered device and click Add from the menu bar, or right-click the unregistered device and click Add from the pop-up menu options. If ADOMs are enabled on FortiAnalyzer, the root ADOM is selected by default. Only FortiGate can be added to the root ADOM. For all other supported devices, select a custom ADOM based on the device type or the pre-configured ADOM specific to the device (for example, FortiMail to the FortiMail ADOM).

FortiManager*, on the other hand, requests registration with FortiAnalyzer differently than FortiGate. With FortiManager, the request is through this CLI command. Here, you are enabling logging to FortiAnalyzer, setting the severity level of logs to be sent (for example, information), and configuring the FortiAnalyzer IP address. Once FortiManager begins to send logs, the FortiManager device appears in the Device Manager tab of FortiAnalyzer as an unregistered device.
In order to add the device to FortiAnalyzer, ADOMs must be enabled (System Settings > Dashboard > System Information widget) and you must add the FortiManager to a FortiManager ADOM. The FortiManager logs to a FortiManager ADOM.

*FortiManager 5.2.1

FortiMail* is different still. With FortiMail, the request can be performed through the Web-based manager through Log and Report > Log Settings > Remote Log Settings. You need to set the FortiAnalyzer IP, the log severity level, the facility identifier FortiMail will use to identify itself when sending log messages, and the log protocol to use (you can select Syslog or the secure protocol OFTPS; FortiAnalyzer supports both). You also have to set your logging policy configuration: what types of logs you want to record to FortiAnalyzer.

Once FortiMail begins to send logs, the FortiMail device appears in the Device Manager tab of FortiAnalyzer as an unregistered device. In order to add the device to FortiAnalyzer, ADOMs must be enabled (System Settings > Dashboard > System Information widget) and you must add the FortiMail to a FortiMail ADOM. The FortiMail logs to a FortiMail ADOM.

While we're not going to demonstrate registration requests from every supported Fortinet device (you can check the device's Administration Guide for more information on logging to a FortiAnalyzer), you can see that the action taken on the FortiAnalyzer side is the same: a registration request appears in the Device Manager tab and you add the device. Other than FortiGates, all other supported devices require that FortiAnalyzer has ADOMs enabled and that the device is added to its device-specific ADOM.

*FortiMail 5.2.1

The one third-party device that is supported is syslog. Syslog does not make a request to become a registered device in the same way as Fortinet devices.
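The "log severity level" and "facility identifier" settings mentioned for FortiMail, and the "log level 6 is info" remark in the Linux syslog steps that follow, both refer to the two numbers packed into a syslog message's PRI field. The example below is added here and is not part of the lesson or any Fortinet product: it encodes and decodes PRI, parses RFC 3164-style lines as a collector such as FortiAnalyzer would receive them, and applies a minimum-severity filter the way a "log severity level" setting decides which messages are sent. The host names and message bodies are constructed sample data.

```python
import re

# Standard syslog severity (0 = most severe) and facility codes from RFC 3164 / RFC 5424.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity; it is the number inside the leading <...>."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Inverse of encode_pri: the low three bits are the severity, the rest the facility."""
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


# <PRI>Mmm dd hh:mm:ss host message   (RFC 3164 layout)
_LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<timestamp>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def parse_syslog(line):
    """Parse one syslog line into its fields, rejecting malformed or out-of-range PRI values."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # local7.debug = 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = decode_pri(pri)
    return {"facility": facility, "severity": severity,
            "timestamp": m["timestamp"], "host": m["host"], "msg": m["msg"]}


def at_least(severity, minimum):
    """True when `severity` is as severe as, or more severe than, `minimum` (lower code = more severe)."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(minimum)


def select_for_forwarding(lines, minimum="info"):
    """Keep the messages that a 'log severity level = minimum' setting would send to the collector."""
    msgs = [parse_syslog(l) for l in lines]
    return [m for m in msgs if at_least(m["severity"], minimum)]


# Constructed sample lines (not captured from a real system). The first one is what an
# iptables LOG rule with --log-level 6 produces: facility kern (0), severity info (6) -> <6>.
SAMPLE = [
    "<6>Aug 17 10:15:02 lnx-fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22",  # kern.info
    "<7>Aug 17 10:15:03 lnx-fw kernel: debug: conntrack table dump",                              # kern.debug
    "<34>Aug 17 10:15:04 lnx-fw su: FAILED su for root by bob",                                   # auth.crit
    "<13>Aug 17 10:15:05 lnx-fw logger: test message",                                             # user.notice
]

if __name__ == "__main__":
    for m in select_for_forwarding(SAMPLE, "info"):
        print(f"{m['facility']}.{m['severity']:<7} {m['host']} {m['msg']}")
```

Running the block prints the three messages at severity info or above; the kern.debug line is held back, which is exactly the effect of choosing "information" as the minimum level on the sending device.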
In this case, you have to configure your syslog server to send logs to FortiAnalyzer and then ensure FortiAnalyzer is reachable for syslog. For example, on a Linux syslog server, this command sets the rule to log all incoming packets, limited to 20 messages per minute. Log level 6 is info. Then, you have to edit the syslog.conf file to send those logs to FortiAnalyzer by adding these lines at the end of the file.

On the FortiAnalyzer side, ensure FortiAnalyzer is listening for syslog (System Settings > Network > All Interfaces). Once completed, you should see syslog appear as an unregistered device in the Device Manager tab. You cannot add the syslog device unless ADOMs are enabled (System Settings > Dashboard > System Information widget). The syslog logs to a Syslog ADOM.

The second registration method is using the device registration wizard on FortiAnalyzer. Here, it is the FortiAnalyzer administrator that proactively initiates, and ultimately performs, the registration. With this method, the administrator must have specific details about the device that is to be registered. You can launch the wizard from the Device Manager tab by clicking Add Device from the menu bar. If you have enabled ADOMs and want to add the device to a specific ADOM, select the ADOM from the drop-down list before clicking Add Device. Otherwise, it is created in root.

The first step in the device registration wizard is adding the model device. On the Login page, select Add Model Device and enter the IP address of the device you want to register as well as the user name and password.

The second step is adding the specific details of the device, such as the device type, model, firmware version, whether the device is part of a high availability cluster, serial number, and, if a VM, the VM license type.
You also need to specify configuration options, such as the amount of space the disk log is allowed to use, the action the system is to take when the allocated disk quota is filled, and the device permissions, such as what the device is authorized to send to FortiAnalyzer. If the device information verifies, the wizard changes the status to device created successfully.

The third step requires no action, but rather provides confirmation of the registered device along with the specific details of the device added. The Device Manager tab now shows the device as registered.

If the device registration is brokered on the FortiAnalyzer side, as is the case with the device registration wizard, the device may appear on the Device Manager tab with a red circle in the Logs field. This indicates no logs have recently been received by FortiAnalyzer, even though the device registration was successful. To troubleshoot the connection, ensure Send Logs to FortiAnalyzer/FortiManager is enabled on FortiGate along with the correct IP address, and that Realtime is enabled (through Log & Report > Log Settings). You don't always have to send logs in real time (you have the option to send logs at a scheduled time, such as a low-bandwidth time, on FortiGate models that have a hard drive), but this is the most immediate way to see whether logs are being received successfully. If the Send Logs to FortiAnalyzer/FortiManager setting is enabled, the registered device on the FortiAnalyzer displays a green circle in the Logs field. This indicates FortiAnalyzer is receiving logs from the device.

Once you register various Fortinet devices, they appear on the Device Manager tab. If using virtual domains (VDOMs), you can configure the Device Manager tab to reflect the setup of the FortiGate. In this example, Device_Two includes VDOM1 and VDOM2.
This section outlines some of the device options available for registered devices, such as high availability, disk log quotas, and device permissions.

After a device is registered with FortiAnalyzer, you can edit some of the configuration options associated with the device. In the Device Manager tab, right-click the device you want to edit and select Edit from the menu. This is useful as your network expands or requirements change. For example, if the device is now part of a high availability cluster, or was recently removed from one, you can enable or disable the option. You can also change the disk log quota, the behavior taken by FortiAnalyzer when the allocated disk space is full, and the device's permissions. Let's take a closer look at some of these options.

If the registered device is part of a high availability cluster, you can enable the HA Cluster option and enter the serial numbers associated with each device in the cluster. The only device that communicates with FortiAnalyzer is the primary device. The other devices in the cluster send their logs to the primary device, which then forwards them along to FortiAnalyzer. FortiAnalyzer distinguishes different devices based on their serial numbers. These are found in the headers for all the different log message types.

By default, each device is allowed 1000 Megabytes (or just under 1 Gigabyte) worth of drive space on FortiAnalyzer in order to store log data. However, this number is configurable. You cannot set the minimum below 100 MB, and the maximum depends on the disk space allocation of the specific FortiAnalyzer device. The FortiAnalyzer system reserves between 10%-25% disk space for system usage and unexpected quota overflow, leaving about 75%-90% disk space for allocation to devices. You can also adjust the action the FortiAnalyzer takes when the disk log quota is filled.
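To show how the options above fit together once logs arrive (serial numbers in the log header identifying the sender, HA member serials mapped to one registered cluster, a per-device quota, and the quota-full action of overwriting the oldest logs or stopping logging), here is a small model written for this page. It is an illustration, not FortiAnalyzer's implementation: the RegisteredDevice and Registry classes are assumptions of this example, the FortiOS-style key=value log lines and the serial numbers are constructed placeholders, and the only thing taken from real FortiOS log format is that the device serial appears in the devid field.

```python
import re
from collections import deque

MB = 1024 * 1024
DEFAULT_QUOTA_MB = 1000   # per-device default stated in the lesson
MIN_QUOTA_MB = 100        # lesson: the quota cannot be set below 100 MB


def parse_header(line):
    """Split a FortiOS-style log line (space-separated key=value pairs, values
    optionally double-quoted) into a dict. devid carries the serial number that
    FortiAnalyzer uses to tell devices apart."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


class RegisteredDevice:
    """One Device Manager entry: a primary unit plus any HA cluster member serials."""

    def __init__(self, name, serials, quota_mb=DEFAULT_QUOTA_MB, when_full="overwrite"):
        if quota_mb < MIN_QUOTA_MB:
            raise ValueError(f"quota must be at least {MIN_QUOTA_MB} MB")
        if when_full not in ("overwrite", "stop"):
            raise ValueError("when_full must be 'overwrite' (oldest logs) or 'stop'")
        self.name = name
        self.serials = set(serials)
        self.quota_bytes = quota_mb * MB
        self.when_full = when_full
        self.stored = deque()     # (size, line), oldest on the left
        self.used = 0
        self.dropped = 0          # messages refused because the quota was full
        self.overwritten = 0      # oldest messages discarded to make room

    def store(self, line, size=None):
        """Charge one message against the quota; size defaults to the encoded length."""
        size = len(line.encode()) if size is None else size
        if self.used + size > self.quota_bytes:
            if self.when_full == "stop":
                self.dropped += 1
                return False
            while self.stored and self.used + size > self.quota_bytes:
                old_size, _ = self.stored.popleft()
                self.used -= old_size
                self.overwritten += 1
        self.stored.append((size, line))
        self.used += size
        return True

    def quota_percent(self):
        """Roughly what the Quota bar in Device Manager would show."""
        return round(100 * self.used / self.quota_bytes, 1)


class Registry:
    """Routes incoming log lines to registered devices by the serial in the header."""

    def __init__(self, devices):
        self.by_serial = {s: d for d in devices for s in d.serials}
        self.unregistered = {}    # serial -> message count; what would show as unregistered

    def ingest(self, line):
        serial = parse_header(line).get("devid")
        if serial is None:
            raise ValueError("log line has no devid field")
        device = self.by_serial.get(serial)
        if device is None:
            self.unregistered[serial] = self.unregistered.get(serial, 0) + 1
            return None
        device.store(line)
        return device.name


def route_all(registry, lines):
    """Return the registered device name (or None) that each line was attributed to."""
    return [registry.ingest(l) for l in lines]


# Constructed sample data: placeholder serials and log lines, not from real devices.
CLUSTER = RegisteredDevice("fgt-cluster", ["FGT-PRIMARY-00001", "FGT-SECONDARY-00002"])
STANDALONE = RegisteredDevice("fgt-branch", ["FGT-BRANCH-00003"], quota_mb=200, when_full="stop")
SAMPLE_LOGS = [
    'date=2015-08-17 time=10:00:01 devname="fgt-primary" devid=FGT-PRIMARY-00001 type=event subtype=system level=information msg="Admin login"',
    'date=2015-08-17 time=10:00:02 devname="fgt-secondary" devid=FGT-SECONDARY-00002 type=traffic subtype=forward level=notice action=accept',
    'date=2015-08-17 time=10:00:03 devname="fgt-branch" devid=FGT-BRANCH-00003 type=event subtype=vpn level=warning msg="tunnel down"',
    'date=2015-08-17 time=10:00:04 devname="fgt-unknown" devid=FGT-UNKNOWN-00009 type=event level=information msg="not registered"',
]

if __name__ == "__main__":
    reg = Registry([CLUSTER, STANDALONE])
    print(route_all(reg, SAMPLE_LOGS))      # the secondary's log lands on the cluster entry
    print("unregistered:", reg.unregistered)
```

The point of the HA handling is visible in the second sample line: it carries the secondary unit's serial, and only because that serial was entered under the cluster entry is the message attributed to the registered device rather than surfacing as a new unregistered one.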
You can choose to overwrite the oldest logs or stop logging completely. The available space per device is graphically represented in the Quota column for each device in the Device Manager tab. The bar grows as more logs are received and stored.

You can also specify the device permissions of the registered device, such as what log types FortiAnalyzer will store. Options include:
- Logs. This option stores logs of the registered device. The type of log depends on the device, as FortiAnalyzer only supports specific log types from each device. This is covered in the Logs and Archives lesson.
- DLP archive. This option stores logs detailing information about any sensitive data trying to get in, or out of, your network.
- Quarantine. This option stores logs detailing files that have been placed into quarantine on the device.
- IPS Packet log. This option stores logs detailing information about misidentified or missing packets and network intrusions involving malicious packets.

The last thing we are going to explore is securing communication between FortiGate and FortiAnalyzer.

Between supported devices, log messages are sent over UDP port 514 or OFTP (TCP 514). When a secure connection is configured, log traffic is sent over UDP port 500/4500, protocol IP/50. There are two ways you can secure connections: SSL encryption (which is enabled by default between FortiAnalyzer and FortiGate), and IPsec. Let's start with SSL.

SSL is the default setting for securing communications between FortiGate and FortiAnalyzer. SSL communications are auto-negotiated between FortiAnalyzer and FortiGate, so the OFTPD server will use the SSL-encrypted FTP protocol only if being used by the connecting FortiGate.
If the FortiGate is configured to send data in plain text, then FortiAnalyzer responds the same way. SSL can send logs in real time, and if the FortiGate model has a hard disk for log storage, you also have the option to store and upload logs. If using the store and upload option, you must enable disk logging on FortiGate through the CLI.

Since SSL is enabled by default once a connection is established between FortiAnalyzer and FortiGate, the only thing you may need to do is set the encryption level. By default, FortiAnalyzer is set to low, while FortiGate is set to medium. It is important to note that the encryption level of FortiAnalyzer must be equal to, or less than, the FortiGate encryption level. FortiAnalyzer will not be able to connect to the device if the encryption level is higher than the encryption level of the device from which it intends to receive logs. The FortiAnalyzer encryption level is global; it applies to all connecting FortiGates. Accordingly, if you have even one low-encryption FortiGate in your network while the rest are high, you must set the FortiAnalyzer encryption level to low.

This table outlines the available encryption settings and levels.
- High uses the strongest encryption algorithms (Diffie-Hellman and AES, to name a couple).
- Medium uses high-strength encryption methods, but also allows the medium-strength ones, such as RC4.
- Low uses weak encryption methods or encryption algorithms that have small keys.
So long as the setting on the FortiGate is equal to, or higher than, the minimum level on the FortiAnalyzer, SSL negotiations will complete properly. Keep in mind that higher-level SSL and IPsec require additional CPU resources.

On the FortiAnalyzer CLI you can adjust the minimum SSL level to allow. Remember, this setting is global, so it applies to all incoming device connections.
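The encryption-level rule above (FortiAnalyzer's global minimum must be equal to or lower than every connecting FortiGate's level, so the weakest FortiGate decides) is easy to get wrong across a large inventory. The check below is an added example for this page, not Fortinet code: it ranks the three levels, treats the FortiGate CLI choice "default" as medium on the strength of the slide's statement that FortiGate's default is medium (an assumption of this example), lists which devices a given FortiAnalyzer setting would lock out, and computes the strongest global setting that still admits them all. The inventory is constructed sample data.

```python
# Strength ranking of the levels named in the lesson; higher rank = stronger ciphers only.
RANK = {"low": 0, "medium": 1, "high": 2}

# FortiGate's CLI offers {default | high | low}; the lesson says FortiGate defaults to medium,
# so "default" is treated as medium here (assumption based on that statement).
FGT_ALIASES = {"default": "medium"}


def normalize(level):
    """Map a FortiAnalyzer or FortiGate level name onto the common three-level scale."""
    level = FGT_ALIASES.get(level.lower(), level.lower())
    if level not in RANK:
        raise ValueError(f"unknown encryption level: {level!r}")
    return level


def can_negotiate(faz_level, fgt_level):
    """SSL completes only if FortiAnalyzer's minimum is equal to or below the FortiGate's level."""
    return RANK[normalize(faz_level)] <= RANK[normalize(fgt_level)]


def devices_rejected(faz_level, inventory):
    """Names of FortiGates that would fail to connect at this global FortiAnalyzer level."""
    return [name for name, lvl in inventory.items() if not can_negotiate(faz_level, lvl)]


def strongest_compatible_level(inventory):
    """Highest global FortiAnalyzer level that still admits every FortiGate: the weakest device decides."""
    if not inventory:
        raise ValueError("empty inventory")
    weakest = min(inventory.values(), key=lambda lvl: RANK[normalize(lvl)])
    return normalize(weakest)


# Constructed inventory of FortiGate enc-algorithm settings (names are placeholders).
INVENTORY = {"fgt-hq": "high", "fgt-branch-1": "default", "fgt-lab": "low"}

if __name__ == "__main__":
    for faz in ("high", "medium", "low"):
        print(f"FortiAnalyzer={faz:<6} rejected: {devices_rejected(faz, INVENTORY)}")
    print("strongest usable global level:", strongest_compatible_level(INVENTORY))
```

The practical reading of the output is the lesson's own advice: one "low" device forces the global setting to low, and raising the lab device to high would let the FortiAnalyzer minimum move up to medium.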
Do not set it too high, or FortiAnalyzer will not be able to connect to the device. To first verify the current setting, enter the get system global CLI command. If required, change the level using the command noted on this slide, where {high | medium | low} refers to the encryption levels explained on the previous slide (medium = default). Note that changing the enc-algorithm setting on FortiAnalyzer will cause all existing FGFM tunnel/WebService connections to reset.

On the FortiGate side, change the level using the command noted on this slide. Again, {default | high | low} refers to the encryption levels explained on the previous slide. The set enc-algorithm command is not available if you have IPsec enabled as the secure communication method. If this is the case, you first need to disable IPsec by entering set encrypt disable.

Now, let's look into configuring an IPsec tunnel between FortiGate and FortiAnalyzer. This secure communication method requires more configuration, as it must be configured on both ends of the tunnel: FortiAnalyzer and FortiGate. Securing communications is extremely important if sending traffic over an unsecured network like the internet. This secure communication type allows logs to be sent in real time, and if the FortiGate model has a hard disk for log storage, you also have the option to store and upload logs. If using the store and upload option, you must enable disk logging on FortiGate through the CLI.

On the FortiAnalyzer side, select the Device Manager tab. Right-click the device with which you want to configure an IPsec tunnel and select Edit from the menu. Locate the Secure Connection section in the Edit Device dialog box and enable Secure Connection. In the ID field, accept the default ID or create your own. This is the name of your IPsec tunnel. In the Pre-Shared Key field, enter a key (password). The FortiGate administrator requires both the ID and pre-shared key.
On the FortiGate side, the administrator must enter the CLI command shown here, where the three values are: the IP of the FortiAnalyzer with which you are securing communication over an IPsec tunnel; the name given to the IPsec tunnel (you must use the same identifier); and the pre-shared key, or password, for the IPsec tunnel. This assumes communication between the two is already enabled. If not, enter: set status enable.

Note: If SSL encryption is enabled, you first need to disable it on FortiGate. This is still done within the config log fortianalyzer setting CLI option: set enc-algorithm disable

To verify whether you successfully established an IPsec tunnel on FortiAnalyzer, view the Device Manager tab. The Secure Connection column associated with the device with which you set up an IPsec tunnel indicates the status. A green up arrow indicates the IPsec tunnel is up, whereas a red down arrow indicates the IPsec tunnel is down. A grey x denotes that no secure connection has been enabled. The same green up arrow indicates a connection on FortiGate, through the Log & Report > Log Config > Log Settings page.

After this lesson, you should be able to describe the difference between a registered and an unregistered device; explain the methods available for registering a device; configure device logging options, such as a high availability cluster, disk log quota, and device permissions; explain the methods available to secure communication; configure SSL encryption and set encryption levels; and configure an IPsec tunnel.