2. FortiAnalyzer Getting Started v6.4. Layout preparation

Welcome to the second lesson of the FortiAnalyzer Getting Started course. Today we will talk about administrative domains (ADOMs) on FortiAnalyzer and about how the logs it receives are processed and stored; understanding both mechanisms is necessary for the initial configuration of FortiAnalyzer. After that we will discuss the lab layout that will be used throughout the course and carry out the initial configuration. The theoretical part, as well as the full recording of the video lesson, are below.

To begin with, let's return to administrative domains. There are several things you need to know about them before you start using them:

  1. The ability to create administrative domains is enabled and disabled centrally, for the whole FortiAnalyzer.
  2. A separate administrative domain is required to register any device type other than FortiGate. That is, if you want to register FortiMail devices on a FortiAnalyzer, you need a separate administrative domain for them. This does not prevent you from also creating several administrative domains for FortiGate devices, simply to group them conveniently.
  3. The maximum number of supported administrative domains depends on the FortiAnalyzer appliance model.
  4. When enabling administrative domains, you must choose their mode of operation: Normal or Advanced. In Normal mode, the virtual domains (VDOMs) of one FortiGate cannot be assigned to different administrative domains on FortiAnalyzer; in Advanced mode this is possible. Advanced mode therefore lets you process the data of individual virtual domains separately and get separate reporting for each of them. If you have forgotten what virtual domains are, take a look at the second lesson of the Fortinet Getting Started course, where they are covered in some detail.
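The four rules above are easy to get wrong on a device that already has dozens of sources registered, so here is an added example (not FortiAnalyzer code, and not from the course) that encodes them as a planning check you can run against a proposed ADOM layout before registering anything. The device names, ADOM names and the ADOM limit of 10 in the sample plan are assumed values; the check is deliberately stricter than the GUI in one respect, in that it also flags the same VDOM placed in two ADOMs, which is never valid.

```python
# Added example (not FortiAnalyzer code): a planning check that encodes the
# ADOM rules from the text so a proposed layout can be validated before you
# start registering devices. Device names, ADOM names and the ADOM limit
# used in the sample plan are assumed values.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Member:
    device: str          # registered device name, e.g. "FGT-1"
    dev_type: str        # "FortiGate", "FortiMail", ...
    vdom: str = "root"   # VDOM; only meaningful for FortiGate


@dataclass
class AdomPlan:
    mode: str                 # "normal" or "advanced" (global ADOM mode)
    max_adoms: int            # limit for the appliance model / licence
    adoms: dict[str, list[Member]] = field(default_factory=dict)


def validate(plan: AdomPlan) -> list[str]:
    """Return a list of rule violations; an empty list means the plan is usable."""
    errors: list[str] = []

    if plan.mode not in ("normal", "advanced"):
        errors.append(f"unknown ADOM mode {plan.mode!r}")
    if len(plan.adoms) > plan.max_adoms:
        errors.append(f"{len(plan.adoms)} ADOMs planned but the model supports {plan.max_adoms}")

    # Rule: an ADOM holds a single device type (FortiMail needs its own ADOM).
    for name, members in plan.adoms.items():
        types = {m.dev_type for m in members}
        if len(types) > 1:
            errors.append(f"ADOM {name!r} mixes device types {sorted(types)}")

    # Map each device (and each device/VDOM pair) to the ADOMs it appears in.
    per_device: dict[tuple[str, str], set[str]] = {}
    per_vdom: dict[tuple[str, str], set[str]] = {}
    for name, members in plan.adoms.items():
        for m in members:
            per_device.setdefault((m.device, m.dev_type), set()).add(name)
            per_vdom.setdefault((m.device, m.vdom), set()).add(name)

    # Rule: the same VDOM can never be in two ADOMs, in either mode.
    for (device, vdom), names in per_vdom.items():
        if len(names) > 1:
            errors.append(f"{device}/{vdom} appears in several ADOMs {sorted(names)}")

    # Rule: splitting a FortiGate's VDOMs across ADOMs needs Advanced mode;
    # non-FortiGate devices cannot be split at all.
    for (device, dev_type), names in per_device.items():
        if len(names) < 2:
            continue
        if dev_type == "FortiGate":
            if plan.mode != "advanced":
                errors.append(f"{device} has VDOMs in {sorted(names)}; requires Advanced ADOM mode")
        else:
            errors.append(f"{dev_type} {device} cannot be spread over ADOMs {sorted(names)}")
    return errors


def sample_plan(mode: str) -> AdomPlan:
    """Constructed sample: one FortiGate with two VDOMs, one FortiMail."""
    return AdomPlan(
        mode=mode,
        max_adoms=10,
        adoms={
            "Branch": [Member("FGT-1", "FortiGate", "root")],
            "DMZ": [Member("FGT-1", "FortiGate", "dmz")],
            "Mail": [Member("FML-1", "FortiMail")],
        },
    )


if __name__ == "__main__":
    for mode in ("normal", "advanced"):
        print(mode, validate(sample_plan(mode)) or "OK")
```

Running it shows the sample plan being rejected in Normal mode (FGT-1's VDOMs sit in two ADOMs) and accepted in Advanced mode; adding a FortiGate to the "Mail" ADOM or lowering max_adoms below three produces the corresponding errors.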

We will look at creating administrative domains and allocating disk quota between them a little later, in the practical part of the lesson.

Now let's talk about how FortiAnalyzer records and processes the logs it receives.
Logs sent to FortiAnalyzer are compressed and written to a log file. When this file reaches a configured size, it is rolled: the file is closed and kept, and a new file is started. Such logs are called Archive logs. They are considered offline logs because they cannot be analyzed in real time and are available only for viewing in raw format. The data policy of the administrative domain determines how long these logs are kept on the device.
In parallel, the same logs are indexed into the SQL database. These are the Analytics logs, and they are the ones used for analysis in Log View, FortiView and Reports. The data policy of the administrative domain likewise determines how long Analytics logs are kept. After they are deleted from the SQL database, the logs may still be available as Archive logs, but that depends on the archive retention configured in the same data policy.
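To make the two tiers and the data policy concrete, here is an added example (a simplified model written for this page, not FortiAnalyzer code) that also covers the disk quota split between Analytics and Archive, which the text only mentions as something to be configured later. Retention periods, quota and log sizes are constructed values, and the model trims a tier as soon as it exceeds its share rather than at a percentage threshold; the point it shows is that the quota, not only the retention period, decides whether an old log is still there.

```python
# Added example (not FortiAnalyzer code): a simplified model of an ADOM data
# policy, to make the two log tiers and their retention visible. Retention
# periods, quota and log sizes used below are constructed values.
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class LogFile:
    day: date      # day the log file was received
    size_mb: int


@dataclass
class DataPolicy:
    analytics_days: int             # "Keep Logs for Analytics"
    archive_days: int               # "Keep Logs for Archive"
    quota_mb: int                   # maximum disk usage allowed for the ADOM
    analytics_ratio: float = 0.70   # Analytics:Archive split, 70/30 here


@dataclass
class Adom:
    name: str
    policy: DataPolicy
    analytics: list[LogFile] = field(default_factory=list)  # SQL-indexed tier
    archive: list[LogFile] = field(default_factory=list)    # rolled raw files

    def ingest(self, log: LogFile, today: date) -> None:
        # Every received log is both indexed (analytics) and rolled (archive).
        self.analytics.append(log)
        self.archive.append(log)
        self.enforce(today)

    def enforce(self, today: date) -> None:
        p = self.policy
        # 1. age-based retention, per tier
        self.analytics = [l for l in self.analytics if (today - l.day).days < p.analytics_days]
        self.archive = [l for l in self.archive if (today - l.day).days < p.archive_days]
        # 2. quota-based purge, oldest first; the quota is split between tiers,
        #    so a tier can lose logs well before its retention period is over
        analytics_share = int(p.quota_mb * p.analytics_ratio)
        self.analytics = _trim_to(self.analytics, analytics_share)
        self.archive = _trim_to(self.archive, p.quota_mb - analytics_share)

    def state(self, day: date) -> str:
        """Where a given day's log can still be found."""
        if any(l.day == day for l in self.analytics):
            return "analytics"      # Log View / FortiView / Reports
        if any(l.day == day for l in self.archive):
            return "archive-only"   # raw view only
        return "deleted"

    def usage(self) -> dict[str, int]:
        return {
            "analytics_mb": sum(l.size_mb for l in self.analytics),
            "archive_mb": sum(l.size_mb for l in self.archive),
        }


def _trim_to(logs: list[LogFile], limit_mb: int) -> list[LogFile]:
    logs = sorted(logs, key=lambda l: l.day)
    while logs and sum(l.size_mb for l in logs) > limit_mb:
        logs.pop(0)   # drop the oldest file
    return logs


def days_ago(today: date, n: int) -> date:
    return today - timedelta(days=n)


def simulate(days: int = 90, mb_per_day: int = 10) -> tuple[Adom, date]:
    """Feed one log file per day into an ADOM and return it together with 'today'."""
    adom = Adom("root", DataPolicy(analytics_days=30, archive_days=365, quota_mb=2000))
    start = date(2024, 1, 1)
    today = start
    for i in range(days):
        today = start + timedelta(days=i)
        adom.ingest(LogFile(today, mb_per_day), today)
    return adom, today


if __name__ == "__main__":
    adom, today = simulate()
    for age in (4, 45, 80):
        print(f"log from {age} days ago: {adom.state(days_ago(today, age))}")
    print(adom.usage())
```

With 10 MB per day, a 30-day analytics retention and a 2000 MB quota split 70/30, a log from 4 days ago is still in the SQL database, one from 45 days ago is archive-only, and one from 80 days ago is gone even though the archive retention is 365 days: the archive share of 600 MB holds only 60 daily files. That is the check worth doing when you size an ADOM's quota.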

This much background is enough for the initial setup. Now let's discuss the layout:

The layout contains six devices: FortiGate, FortiMail, FortiAnalyzer, a domain controller, an external user's computer and an internal user's computer. FortiGate and FortiMail are there to generate logs from two different types of Fortinet device, so that working with different administrative domains can be shown by example. The internal and external users and the domain controller are needed to generate varied traffic. The internal user's computer runs Windows, the external user's computer runs Kali Linux.
In this example, FortiMail operates in Server mode, meaning it is a standalone mail server through which internal and external users exchange e-mail. The required DNS settings, such as MX records, are configured on the domain controller. The external user also resolves names through the internal domain controller; this is done with port forwarding (a Virtual IP) on FortiGate. Exposing an internal domain controller's DNS to the outside in this way is a lab shortcut only and is not something to reproduce in a production network.
These settings are not covered in this lesson, as they are not relevant to the course topic. What will be covered is the deployment and initial configuration of the FortiAnalyzer appliance; the rest of the layout was prepared in advance.

The system requirements for the various devices are presented below. This layout runs for me on a pre-prepared machine in VMware Workstation; the characteristics of that machine are shown in the last row of the table.

Device              RAM, GB   vCPU   HDD, GB
Domain controller         6      3        40
Internal user             4      2        32
External user             2      2         8
FortiGate                 2      2        30
FortiAnalyzer             8      4        80
FortiMail                 2      4        50
Layout machine           28     19       280

The system requirements in this table are minimums; in real deployments, more resources will usually need to be allocated. More information on system requirements can be found at this site.

The video tutorial covers the theoretical material discussed above as well as the practical part: the initial configuration of the FortiAnalyzer device. Happy viewing!

In the next lesson, we will take a closer look at working with logs. To avoid missing it, subscribe to our YouTube channel.

You can also follow the updates on the following resources:

Vkontakte community
Yandex Zen
Our website
Telegram channel
