FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
vraev
Staff
Article Id 223118

Description

 

This article describes the changes needed on FortiManager and FortiAnalyzer to allow the FortiManager to act as a FortiGuard server for the FortiAnalyzer.

 

Scope

 

During initial installation, a new FortiManager/FortiAnalyzer VM connects to the FortiCare server to download the contract information.

 

Solution

 

To set up a new FortiAnalyzer VM:

First, upload the license file.

 


 

Then the FortiAnalyzer will try to connect to FortiCare servers.

 


 

At this point, there are two options:

  1. Upload the Entitlement File to the FortiAnalyzer / FortiManager directly.
  2. Override the device's FDS settings to point to a local FortiManager that is acting as a FortiGuard server.

 

This article will start with the first scenario.

 

Note: Any change to the IP address of the FortiAnalyzer / FortiManager that is tied to the license will require a new Entitlement File.

 

Connect through the CLI to upload the Entitlement File (see this guide on how to request account entitlement files).

 

execute fmupdate ftp import license "Entitlement_filename" "FTP_IP_addr" "/" "ftp_user" "ftp_pwd"

 

Example of this command:

 

execute fmupdate ftp import license "EntitlementExport-2022-08-30T190500.229" "10.55.5.220" "/" "test1" "test1"

This operation will replace the current package!

Do you want to continue? (y/n)y

 

Start getting file from FTP Server...

Transferred 0.002M of 0.002M in 0:00:00s (0.014M/s)

FTP transfer is successful.

Package installation is in process... This could take some time.

Update successfully

 

Note: Command parameters are case-sensitive. Always enclose the parameters in quotes, as in this example: 'my_Account'.

 

Update: From version 7.2.2, this process can be done through the Install wizard.

 


To review whether the upload was successful, use the 'diagnose fmupdate dbcontract' command.

 

diagnose fmupdate dbcontract

FAZ-VMTMxxxxxxx [SERIAL_NO]

  AccountID: user@fortinet.com

  Industry:

  Company:

  Contract:  6

        ENHN-1-10-20230831

        FMWR-1-06-20230831

        FRVS-1-06-20230831

        PBDS-1-06-20230831

        SOAR-1-06-20230831

        SPRT-1-10-20230831

  Contract Raw Data:
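The check below is an added example, not part of the original article or Fortinet tooling: it parses saved 'diagnose fmupdate dbcontract' output, confirms that the declared contract count matches the entries listed, and reports contracts that are expired or close to expiry. It assumes the last field of each entry is the expiry date in YYYYMMDD form; the function names and the 30-day threshold are illustrative.

```python
import re
from datetime import date, datetime

# Constructed sample in the layout of the 'diagnose fmupdate dbcontract' output above.
SAMPLE_OUTPUT = """\
FAZ-VMTMxxxxxxx [SERIAL_NO]
  AccountID: user@fortinet.com
  Contract:  6
        ENHN-1-10-20230831
        FMWR-1-06-20230831
        FRVS-1-06-20230831
        PBDS-1-06-20230831
        SOAR-1-06-20230831
        SPRT-1-10-20230831
  Contract Raw Data:
"""

ITEM_RE = re.compile(r"^\s*([A-Z0-9]{4})-(\d+)-(\d+)-(\d{8})\s*$")
COUNT_RE = re.compile(r"^\s*Contract:\s*(\d+)\s*$")

def parse_contracts(text):
    """Return (declared_count, [(code, expiry_date), ...])."""
    declared, items = None, []
    for line in text.splitlines():
        if (m := COUNT_RE.match(line)):
            declared = int(m.group(1))
        elif (m := ITEM_RE.match(line)):
            # Assumption: the last field is the expiry date as YYYYMMDD.
            expiry = datetime.strptime(m.group(4), "%Y%m%d").date()
            items.append((m.group(1), expiry))
    return declared, items

def audit(text, today: date, warn_days=30):
    """List problems: count mismatch, expired, or expiring within warn_days."""
    declared, items = parse_contracts(text)
    problems = []
    if declared is None or declared != len(items):
        problems.append(f"declared {declared} contracts, parsed {len(items)}")
    for code, expiry in items:
        left = (expiry - today).days
        if left < 0:
            problems.append(f"{code} expired {expiry.isoformat()}")
        elif left <= warn_days:
            problems.append(f"{code} expires in {left} days")
    return problems
```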

 

After this step, the web page of the FortiAnalyzer/FortiManager needs to be reloaded.

 



The third option is available only on FortiManager. Go to FortiGuard -> Settings -> 'Enable Communication with FortiGuard Server' and disable it.
A Service License 'Upload' option is then shown at the bottom of the page; use it to upload the provided Entitlement File. When the upload is complete, enable communication with the FortiGuard servers again.


 

 

Troubleshooting steps:

 

To troubleshoot the transfer, run a packet capture for the selected protocol.

Two CLI console connections will be needed.

The first connection is required to start a packet capture. The second connection will be used to initiate the download of the entitlement file again.

If the selected protocol is TFTP, refer to the example below.

 

diagnose sniffer packet any 'udp and port 69' 3 0 a
interfaces=[any]
filters=[udp and port 69]

 

The second option.

 

First, set up the FortiManager. The FortiManager version should be 6.2.x or newer.


config system interface
    edit "port2"
        set ip 10.55.6.18 255.255.240.0
        set serviceaccess fgtupdates fclupdates webfilter-antispam
        config ipv6
            set ip6-autoconf disable
        end
    next
end

config fmupdate service
    set query-antispam enable
    set webfilter-https-traversal enable
end

 

To review if the port is open, type the following command:

 

diagnose fmnetwork netstat list

Active Internet connections (servers and established)

tcp        0      0 :::8890                 :::*                    LISTEN

 

After taking all of these steps, add the Entitlement File from the GUI (go to FortiGuard -> Settings -> Service License -> Upload) or upload it through the CLI as shown in the previous section of this article.

 

diagnose fmupdate dbcontract

--- output omitted ---

 

The following article explains how to do this: Operating as an FDS in a closed network

 

On the FortiAnalyzer, enter the following commands:


config fmupdate server-override-status
    set mode strict
end

config fmupdate fds-setting
    config server-override
        set status enable
        config servlist
            edit 1
                set ip 10.55.6.18 <---- FortiManager IP.
                set port 8890
            next
        end
    end
end

 

To review whether the settings are correct, use the command below.

 

diagnose fmupdate view-serverlist fds

Fortiguard Server Comm : Enabled

Server Override Mode   : Strict

FDS   server list      :

Index   Address                    Port            TimeZone        Distance        Source

------------------------------------------------------------------------------------------------------

*0      10.55.6.18                 8890            1               0               CLI

 

If a second CLI connection to the FortiAnalyzer is kept open, the FDS connectivity log can be observed with the command below:

 

diagnose fmupdate view-linkd-log fds

2022/09/01_12:14:53.857 info    fds_svrd[1003]: Send subshm update notification to fgdsvrd

2022/09/01_12:14:53.860 warn    fds_svrd[1003]: *** Set forticlient max number: 50000

2022/09/01_12:14:53.860 info    fds_svrd[1003]: update_downstream_fct_fect, 543: update file /var/fds/data/downstream_fct_fect.dat

2022/09/01_12:15:03.970 info    fds_svrd[1003]: Start fds client session to '10.55.6.18:8890', task = SELPOLL svc=0

2022/09/01_12:15:03.990 info    fds_svrd[1003]: [FMG-->FDS] Request: Protocol=4.0|Command=SelectivePoll|Firmware=FAZVM64-FW-7.02-1215|SerialNumber=FAZ-VMTM22011525|Persistent=false|DataItem=01000000CATL00000-00000.00000-0000000000*00000000FDNI00000-00000.00000-0000000000*04000000OBLT00000-00000.00000-0000000000*03001000SRUL00000-00000.00000-0000000000*03001000BREG00000-00000.00000-0000000000*01000000BLDV00000-00000.00000-0000000000*01000000OBJL00000-00000.00000-0000000000*01000000FMGI00000-00000.00000-0000000000*00000000IMLT00000-00000.00000-0000000000*01000000ALCI00000-00000.00000-0000000000|AcceptDelta=0|ContractItem=FAZ-VMTM22011525|__FMG2FMGVersion=1.0|__FMG2FMGService=FGT^M ^M

2022/09/01_12:15:04.041 info    fds_svrd[1003]: FCP_CONN:: receiving package: num_objects=1 total_size=240

2022/09/01_12:15:04.041 info    fds_svrd[1003]: FCP_CONN:: received object: id=04000000FCPR00000 ver=00000.00000-0000000000 size=112

2022/09/01_12:15:04.041 info    fds_svrd[1003]: [FDS-->FMG] Response: Protocol=4.0|Firmware=FMG-VM64-FW-6.04-2253|SerialNumber=FMG-VMTMxxxxxx|Response=400|Persistent=false^M ^M

2022/09/01_12:15:04.041 error   fds_svrd[1003]: Got error response from fds: code = 400

2022/09/01_12:15:04.042 info    fds_svrd[1003]: Check update with fds 10.55.6.18 SUCCESS

 

During the first connection to the FortiManager, it is normal to receive the error code 400.

To overcome this, restart the service.

 

diagnose fmupdate service-restart fds

This operation will restart the selected service.

Do you want to continue? (y/n)y

 

diagnose fmupdate view-linkd-log fds

2022/09/01_12:19:45.415 info    fds_svrd[1003]: Start fds client session to '10.55.6.18:8890' by indicated request.

2022/09/01_12:19:45.433 info    fds_svrd[1003]: [FMG-->FDS] Request: Protocol=3.0|Command=VMSetup|Firmware=FAZVM64-FW-7.02-1215|SerialNumber=FAZ-VMTM22011525|Uid=bb133442-db28-7dbb-f960-273d7ec41fd6|Language=en-US|UpdateMethod=1|__FMG2FMGVersion=1.0|__FMG2FMGService=FGT^M ^M

2022/09/01_12:19:45.556 info    fds_svrd[1003]: FCP_CONN:: receiving package: num_objects=1 total_size=240

2022/09/01_12:19:45.556 info    fds_svrd[1003]: FCP_CONN:: received object: id=04000000FCPR00000 ver=00000.00000-0000000000 size=112

2022/09/01_12:19:45.557 info    fds_svrd[1003]: [FDS-->FMG] Response: Protocol=3.0|Firmware=FMG-VM64-FW-6.04-2253|SerialNumber=FMG-VMTMxxxxx|Response=200|Persistent=false^M ^M

2022/09/01_12:19:45.557 info    fds_svrd[1003]: Send setup to fds 10.55.6.18 SUCCESS
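The parser below is an added example, not part of the original article or Fortinet tooling: it reads saved 'diagnose fmupdate view-linkd-log fds' output, pairs each request with the response that follows it, and lists the exchanges that did not return 200, such as the initial 400 shown above. The sample lines are constructed by trimming fields from the log entries on this page, and the function names are illustrative.

```python
import re

# Constructed sample: log lines in the format shown above, with most
# key=value fields trimmed for brevity.
SAMPLE_LOG = """\
2022/09/01_12:15:03.990 info    fds_svrd[1003]: [FMG-->FDS] Request: Protocol=4.0|Command=SelectivePoll|Firmware=FAZVM64-FW-7.02-1215|Persistent=false
2022/09/01_12:15:04.041 info    fds_svrd[1003]: [FDS-->FMG] Response: Protocol=4.0|Firmware=FMG-VM64-FW-6.04-2253|Response=400|Persistent=false^M ^M
2022/09/01_12:15:04.041 error   fds_svrd[1003]: Got error response from fds: code = 400
2022/09/01_12:19:45.433 info    fds_svrd[1003]: [FMG-->FDS] Request: Protocol=3.0|Command=VMSetup|Firmware=FAZVM64-FW-7.02-1215|UpdateMethod=1
2022/09/01_12:19:45.557 info    fds_svrd[1003]: [FDS-->FMG] Response: Protocol=3.0|Firmware=FMG-VM64-FW-6.04-2253|Response=200|Persistent=false^M ^M
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+fds_svrd\[\d+\]:\s+"
    r"\[(?P<src>\w+)-->(?P<dst>\w+)\]\s+(?P<kind>Request|Response):\s+(?P<body>.*)$"
)

def parse_fields(body):
    """Split the pipe-delimited key=value body, dropping '^M' line-ending residue."""
    fields = {}
    for item in body.replace("^M", "").strip().split("|"):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def pair_exchanges(log_text):
    """Pair each Request with the next Response; 'code' stays None if none arrives."""
    exchanges, pending = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # status and error lines carry no key=value payload
        fields = parse_fields(m["body"])
        if m["kind"] == "Request":
            pending = {"ts": m["ts"], "command": fields.get("Command"), "code": None}
            exchanges.append(pending)
        elif pending is not None:
            code = fields.get("Response", "")
            pending["code"] = int(code) if code.isdigit() else None
            pending = None
    return exchanges

def failed(exchanges):
    """Exchanges whose response code is not 200, including unanswered requests."""
    return [e for e in exchanges if e["code"] != 200]
```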

 
