FortiAnalyzer log auditing
Firewall test report
Firewall test report 2013.06

Contents
1 Test objectives
2 Test environment and tools
    Test topology
    Test tools
3 Firewall test plan
    Security functionality verification
        Firewall security management function verification
        Firewall networking function verification
        Firewall access control function verification
        Log auditing and alerting function verification
        Firewall additional function verification
    Firewall basic performance verification
        Throughput test
        Latency test
Introduction to information security audit and detection tools

In today's digital age, information security has become an issue that neither enterprises nor individuals can afford to ignore. As network attack techniques grow more complex and varied, security audit and detection tools have become an important line of defence for protecting information assets. These tools help us find potential security threats, assess the security of systems, and take measures to mitigate risk. Below, we look at some common information security audit and detection tools in more detail.
1. Vulnerability scanning tools

Vulnerability scanners are among the most commonly used tools in security auditing. They automatically detect security vulnerabilities in systems, networks and applications: they send probe packets of various kinds and analyse the responses to identify possible weaknesses such as operating system vulnerabilities, software vulnerabilities and network misconfigurations. Common vulnerability scanners include Nessus and OpenVAS. Nessus is a powerful and widely used commercial scanner that offers comprehensive vulnerability detection and generates detailed reports to help security staff understand the security state of their systems. OpenVAS is an open-source scanner with good extensibility and customisation, suited to cost-sensitive users.
2. Intrusion detection and prevention systems (IDS/IPS)

An IDS (intrusion detection system) and an IPS (intrusion prevention system) are tools for monitoring and defending against network intrusions. An IDS monitors network traffic, analysing packet characteristics and behaviour patterns to find signs of a potential intrusion and raise an alert. An IPS not only detects intrusions but also actively blocks the attack, for example by dropping malicious packets or tearing down the connection. Snort is a well-known open-source IDS with a large rule base and flexible configuration options, so detection rules can be tailored to the user's needs. Cisco Firepower is an enterprise-grade IPS solution offering high-performance intrusion prevention and deep threat detection.
3. Log analysis tools

Systems and applications produce large volumes of log records, and these logs carry a wealth of information: user activity, system events, error messages and more. Log analysis tools help us collect, organise and analyse these logs so that anomalous activity and potential security problems can be found in them. The ELK Stack (Elasticsearch, Logstash, Kibana) is a popular log analysis solution.
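The log analysis described above, collecting log records and looking for anomalous activity in them, can be shown in a small script. The following Python code is an added example, not code from the original article or from any of the tools it names: it parses constructed sshd syslog lines (sample data, not real logs) into structured events and flags a source address that produces repeated failed logins within a short window, noting whether a successful login followed. The field names, the threshold of five failures and the five-minute window are assumptions chosen for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (sshd authentication events); not real data.
SAMPLE_LOGS = """\
Jun 12 08:01:03 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 12 08:01:05 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jun 12 08:01:08 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jun 12 08:01:10 web01 sshd[2104]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jun 12 08:01:14 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jun 12 08:01:20 web01 sshd[2106]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jun 12 08:05:42 web01 sshd[2150]: Failed password for alice from 198.51.100.4 port 40011 ssh2
Jun 12 08:05:50 web01 sshd[2151]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2
Jun 12 08:10:00 web01 cron[2200]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic BSD syslog layout: "<Mon dd HH:MM:SS> <host> <process>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w\-/]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# sshd authentication outcome lines ("invalid user" is optional).
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Normalise one syslog line into a dict; return None for lines we do not understand.
    BSD syslog omits the year, so the caller supplies it (assumed 2024 here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    event = {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"],
             "result": None, "user": None, "src_ip": None}
    a = AUTH_RE.match(m["msg"])
    if a:  # enrich authentication events with outcome, user and source address
        event.update(result=a["result"], user=a["user"], src_ip=a["ip"])
    return event


def parse_logs(text, year=2024):
    """Parse a block of log text into a list of event dicts, skipping unparseable lines."""
    return [e for e in (parse_line(l, year) for l in text.splitlines()) if e]


def detect_bruteforce(events, threshold=5, window_seconds=300):
    """Flag each source IP with at least `threshold` failed logins inside a sliding
    window of `window_seconds`, and record whether a later successful login followed
    (a failure burst followed by success is the case an analyst wants to see first)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["src_ip"]].append(e["ts"])
        elif e["result"] == "Accepted":
            successes[e["src_ip"]].append(e["ts"])

    alerts = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = times[end]
                alerts.append({
                    "src_ip": ip,
                    "failures": end - start + 1,
                    "window_start": times[start],
                    "success_after": any(s > last_fail for s in successes.get(ip, [])),
                })
                break  # one alert per source address is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

Run as a script it prints one alert for 203.0.113.7 (five failures in eleven seconds, followed by an accepted login); the 198.51.100.4 entries stay below the threshold and the cron line is parsed but carries no authentication fields.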
FortiAnalyzer Big Data: big data network analytics appliance datasheet
FortiAnalyzer Big Data

FortiAnalyzer Big Data delivers high-performance big data network analytics for large and complex networks. It is designed for large-scale data center and high-bandwidth deployments, offering the most advanced cyber threat protection by employing hyperscale data ingestion and accelerated parallel data processing. Together with its new distributed software and hardware architecture and Fortinet's high performance next generation firewalls, this powerful 4RU chassis offers blazing fast performance, enterprise-grade data resiliency, built-in horizontal scalability, and consolidated appliance management.

DATA SHEET

Big Data Analytics | Scalable Performance | Built-in High Availability

High Performance
- Totally redesigned and optimized architecture, employing the newest Big Data Kafka/Hadoop/Spark technologies
- Massive parallel event streaming and data processing for high-speed ingestion, data storage, and search capabilities
- The highest performing FortiAnalyzer appliance: 300 000 logs/sec out-of-box, horizontally scalable to petabytes of storage

Unified Appliance Management
- Enterprise-grade Big Data Appliance with consolidated hardware and software monitoring through the Cluster Manager
- Simple installation, updating, expansion, and data management
- Built-in automation and customizable job templates

Reliable and Scalable Deployment
- Built-in enterprise high availability and data resiliency based on a newly optimized software and hardware architecture
- Designed for rapid scalability with multiple Big Data appliances using high speed 40 Gb/s built-in switch modules
- Specifically designed to accelerate the visibility and expansion of the Fortinet Security Fabric

Big Data Security Analytics
- Monitor and analyze your entire network from end-to-end at an accelerated rate, maximizing the visibility of your entire attack surface, network traffic, applications, users, and end-point hosts
- Interactive dashboards and informative reports using real-time tracking of key security metrics, link health status, and application steering performance
- Ready to use and customizable report templates for compliance, security posture assessments, and system performance checks
- Use log analytics to query the IPFIX log messages collected when Ingestion is configured in Flow mode

Rapid Incident Detection and Response
- Intuitive event and incident workflow for SOC teams to focus on critical alerts
- The built-in correlation engine automates and groups alerts to remove false positives
- Out-of-box connectors and extensive APIs for security teams to automate repetitive tasks

Available in: Appliance, Virtual Machine

HIGHLIGHTS

FortiAnalyzer Big Data supports all of the features and technologies of the FortiAnalyzer family. FortiAnalyzer Big Data also provides additional scalability and high-speed performance using new massive parallel data processing and Columnar Data Store processes. After the data ingest, FortiAnalyzer Big Data provides an easy to use front-end UI that interacts with the distributed big data SQL engine to search, query, and aggregate the data.

Feature comparison (FortiAnalyzer | FortiAnalyzer Big Data)

Security Analytics
- Log View: Yes | Yes
- Interactive FortiView Dashboards: Yes | Yes
- Fabric View - Assets and Identity: Yes | Yes
- Out-of-Box Report Templates: Yes | Yes
- Global Search across all Big Data clusters: No | Yes
- IPFIX Support: No | Yes

Incident Response
- Indicators of Compromise Service: Yes | Yes
- Event Correlation and Alerting: Yes | Yes
- Incident Escalation Workflow and Management: Yes | Yes

Automation and Integration
- Security Fabric Connectors: Yes | Yes
- Security Fabric Integration: Yes | Yes
- REST API: Yes | Yes

Multi-Tenancy and RBAC
- ADOM: Yes | Yes
- Role-Based Access Control: Yes | Yes

Performance and Scalability
- Deployment: Small, Medium Enterprise | Large Enterprise and Service Providers
- High Availability and Redundancy: Yes, requires a second unit | Yes, built-in HA and redundancy
- Sustained Rate: Up to 100 000 logs/sec | Start at 300 000 logs/sec
- Horizontal Scalability: No | Yes
- Big Data Analytics Engine: No | Yes
- Massive Parallel Data Processing: No | Yes
- Distributed Architecture: No | Yes
- Columnar Data Store: No | Yes

Appliance Management
- Chassis: No | Yes
- Cluster Manager: No | Yes

To download the FortiAnalyzer Datasheet, please visit https:///content/dam/fortinet/assets/data-sheets/fortianalyzer.pdf

FortiAnalyzer Big Data Virtual Machines

Fortinet offers FortiAnalyzer Big Data in a stackable virtual license model, with a-la-carte services available for 24x7 FortiCare support and subscription licenses for the FortiGuard Indicator of Compromise (IOC), the FortiAnalyzer SOC component, and the FortiGuard Outbreak Detection Service. This software-based version of the FortiAnalyzer Big Data hardware appliance is designed to run on many virtualization platforms, which allows you to expand your virtual solution as your environment grows.

SPECIFICATIONS
- Total Interfaces: 4x 40 GE QSFP and 8x 10 GE SFP+
- Storage Capacity: Blade#1: 2 x NVMe 750 GB SSD = 1.5 TB; Blade#2 ~ #14: 13 x 2 x 7.68 TB SSD = 200 TB
- Usable Storage: 200 TB
- Removable Hard Drives: 28 (max) SSD, each blade 2 x 2.5" storage device
- Redundant Hot Swap Power Supplies**: Yes
- Safety Certifications: FCC Part 15 Class A, RCM, VCCI, CE, UL/cUL, CB

* The max number of days if receiving logs continuously at the sustained log ingestion rate. This number can increase if the average log rate is lower.
** All four power supplies must be installed and plugged in to a reliable power source when the device is turned on / powered up. Three power supplies are required for the device to fully operate, which allows hot swap of one power supply at a time. The max power consumption of the unit is 4967 W and each PSU supports 2200 W. The fourth power supply provides redundancy.

… version. Visit https:///product/fortianalyzer-bigdata/ and find the Release Information at the bottom section. Go to "Product Integration and Support" -> "FortiAnalyzer BigData [version] support" -> "Virtualization"

FBD-DAT-R6-20220524

Copyright © 2022 Fortinet, Inc. All rights reserved.
Fortinet , FortiGate , FortiCare and FortiGuard , and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.Fortinet is committed to driving progress and sustainability for all through cybersecurity, with respect for human rights and ethical business practices, making possible a digital world you can always trust. You represent and warrant to Fortinet that you will not use Fortinet’s products and services to engage in, or support in any way, violations or abuses of human rights, including those involving censorship, surveillance, detention, or excessive use of force. 
Users of Fortinet products are required to comply with the Fortinet EULA (https:///content/dam/fortinet/assets/legal/EULA.pdf) and report any suspected violations of the EULA via the procedures outlined in the Fortinet Whistleblower Policy (https:///domain/media/en/gui/19775/Whistleblower_Policy.pdf).

ORDER INFORMATION

Product | SKU | Description
FortiAnalyzer-BigData-4500F | FAZ-BD-4500F | FortiAnalyzer high-performance chassis for big data analytics with 14 blade servers, 4x 40 GE QSFP ports, 8x 10 GE SFP+ ports, 300 000 logs/sec ingestion rate, and 200 TB SSD storage in a single system. Horizontally scalable up to petabytes of storage.
Hardware Bundle | FAZ-BD-4500F-BDL-466-DD | Hardware plus 24x7 FortiCare and FortiAnalyzer Enterprise Protection.
Enterprise Protection Bundle | FC-10-BD45F-466-02-DD | Enterprise Protection (24x7 FortiCare plus Indicators of Compromise Service, SOC Subscription license, and FortiGuard Outbreak Alert service).
SOC Subscription License | FC-10-BD45F-335-02-DD | Subscription license for the FortiAnalyzer SOC component.
IOC Subscription License | FC-10-BD45F-149-02-DD | Subscription license for the FortiGuard Indicator of Compromise (IOC).
Outbreak Alert Subscription License | FC-10-BD45F-462-02-DD | Subscription license for FortiGuard Outbreak Alert Service.
24x7 FortiCare Contract | FC-10-BD45F-247-02-DD | 24x7 FortiCare Contract.
FortiAnalyzer-BigData-VM | FAZ-BD-VM | FortiAnalyzer-BD virtual appliance with 150 000 logs/sec ingestion rate and 200 TB storage capacity to start. Supports add-ons to scale up performance and storage.
FortiAnalyzer-BigData-VM Add-On * | FAZ-BD-VM-UG | FortiAnalyzer-BD virtual appliance add-on that adds capacity in increments of 50 000 logs/sec ingestion rate and 50 TB storage. Multiple add-ons can be stacked together to scale up the ingestion rate and storage.
Enterprise Protection Bundle VM | FC-10-ZBDVM-575-02-DD | Enterprise Protection (24x7 FortiCare plus Indicators of Compromise Service, SOC Subscription license, and FortiGuard Outbreak Detection service).
SOC Subscription License VM | FC-10-ZBDVM-335-02-DD | Subscription license for the FortiAnalyzer SOC component.
IOC Subscription License VM | FC-10-ZBDVM-149-02-DD | Subscription license for the FortiGuard Indicator of Compromise (IOC).
Outbreak Alert Subscription License VM | FC-10-ZBDVM-462-02-DD | Subscription license for FortiGuard Outbreak Detection Service.
24x7 FortiCare Contract VM | FC-10-ZBDVM-248-02-DD | 24x7 FortiCare Contract.

* The FortiAnalyzer-BD virtual appliance add-on can stack up to a maximum of 500 000 logs/sec.
Essential for network administrators: 32 log analysis and syslog server tools (无名小站)

无名小站 has collected 32 foreign log analysis programs from around the web, covering IIS, Apache, Cisco PIX firewalls, ASA firewalls and more; in short, whatever you need is here.
SurfStats 8.4.0.7
This program examines log files and produces web activity reports. It can also retrieve log files from your hosting server and decompress them if required. It produces detailed and summary reports on screen, to a file directory, via FTP or by e-mail. It can perform dynamic DNS lookups of IP addresses and filter activity by date, visitor, referrer and file.

Web Log Storming 1.8.407
An interactive desktop-based web log analyzer that presents log records as interactive charts detailing website statistics and reports. It provides a complete, detailed analysis of the activity of every visitor to your site.

ProxyInspector for ISA Server 2.6m
This tool analyzes Microsoft ISA Server proxy, firewall and packet filter log files and produces comprehensive reports on bandwidth consumption per user or workgroup. Reports include the sites visited and the distribution of user activity by hour and day of the week. Blocked sites are also included.

SmarterStats 3.3
This program helps you track website visitors and generates more than 135 reports. It is accessed through a web browser.

WebLog Expert 4.1
A web server log analyzer that provides information about your site's visitors, activity statistics, file accesses, referring pages, search engines, browsers, operating systems and errors. Filters help you carry out a thorough investigation. Other features include multithreaded DNS lookup, a built-in scheduler and IP-to-country mapping.

Absolute Log Analyzer 2.3.95
A web log analysis tool designed for large websites.
FortiSIEM product overview and guide to continuous monitoring for NSA CSfC requirements
FortiSIEM for Network Visibility, Event Correlation, and Risk Management

FortiSIEM offers an affordable and all-inclusive solution, delivering continuous monitoring for various CSfC capability packages, whether cross-domain environments or a standalone system. Fortinet's patented architecture in FortiSIEM enables unified data correlation and analytics from diverse sources, which include logs, KPI metrics, SNMP traps, important security alerts, and configuration changes made to the devices, providing a comprehensive view of the security posture for networks large or small, such as flyaway kits and on-premises static devices.

The breadth of features offered by FortiSIEM allows for a massively scalable architecture, supporting a wide variety of IT products and making it an attractive choice for any environment that requires visibility and actionable intelligence when implementing continuous monitoring as part of a holistic risk management and defense-in-depth information security strategy integrated into CSfC architectures.

CSfC CM capabilities are designed with a multilayer approach to complement the functional architecture of a CSfC solution. CSfC CM solutions provide high visibility across the monitored network, allowing analysts to validate the operational status of encryption components by observing network activity both before and after encryption points, within management networks, and at eight distinct but strategic monitoring points within the CSfC architecture. FortiSIEM can meet CM needs by implementing its collectors and workers at monitoring points, collecting data for analysis and reporting system activities to the FortiSIEM supervisor, which runs all the core services and manages the other nodes in the cluster.

FortiSIEM is a powerful and feature-rich monitoring and analytics solution with many use cases across the enterprise. FortiSIEM is designed to provide comprehensive data collection with rapid-scale architecture as required and data aggregation from each MP into centralized monitoring SIEM systems. FortiSIEM offers security administrators the collective dataset to monitor the security posture of the CSfC solution and report on security-relevant events within the infrastructure. FortiSIEM accomplishes distributed event correlation through a defined set of automated notification capabilities and dashboards built to identify targeted information of interest. Some of the key innovative and powerful technologies included in the FortiSIEM solution:
- Distributed event correlation
- Distributed querying and reporting
- A high-performance, optimized NoSQL event database

Design for CSfC Use Case

FortiSIEM can be used for many applications across the enterprise; however, for CSfC CM use, the following can be included per the Continuous Monitoring Annex:
- Log ingestion and storage
- SOC analytics and incident response
- Performance monitoring
- Compliance reporting
- Management reporting

FortiSIEM Architectures

FortiSIEM is a flexible solution that can be deployed in different ways to meet different performance, scalability, and topological requirements. The main deployment enclaves are remote, enterprise, and service provider. The small enclave is the focus for CSfC deployment, which is most applicable since remote deployments are typically smaller and can consist of an all-in-one or a small distributed solution (see Figure 1).

Figure 1: FortiSIEM architecture diagram.

The FortiSIEM all-in-one architecture is an easy-to-deploy, self-contained, single-server solution that is suitable for smaller deployments. It uses a local disk on the virtual appliance, or the built-in hardware appliance storage, for event storage. It is limited in scalability due to the local storage and does not support the Rapid Scale Architecture because worker nodes cannot be added to an all-in-one deployment. While a single all-in-one node delivers a functional system, most organizations should plan to also deploy at least one collector to assist with log collection and to support FortiSIEM server agents. Enclaves requiring additional scalability to meet current or future capacity and performance requirements should use a distributed solution with shared storage.

FortiSIEM Database Structure
- FortiSIEM uses multiple databases presented in a single GUI.
- In a multi-node deployment, the event database is moved to external storage for scalability.
- NFS or Elasticsearch is supported.

The Life of an Event in FortiSIEM

Fortinet offers a virtual appliance architecture using a three-tier structure to provide an easily scalable solution that can start as a small single-node deployment and rapidly scale to a large, high-performance system as needed.
- The supervisor node provides core functionality, and in a smaller solution it can deliver an all-in-one system specifically applicable to a CSfC solution use case.
- Worker nodes are used in conjunction with the supervisor node to scale event processing and reporting, which may or may not be needed depending on deployment size and use case.
- Collectors can be used to provide remote site log collection, and to offload log collection from the supervisor or worker nodes for increased scalability.

FortiSIEM Features

Real-time Operational Security Analytics
- Continually update on security events and provide accurate device context: configuration, installed software and patches, running services
- FortiSIEM offers system and application performance analytics along with contextual interrelationship data for rapid triaging of security issues
- User context, in real time, with audit trails of IP addresses, user identity changes, physical and geomapped location
- Detect unauthorized network devices, applications, and configuration changes
- Out-of-the-box predefined reports supporting a wide range of compliance auditing and management needs including PCI DSS, HIPAA, SOX, NERC, FISMA, ISO, GLBA, GPG13, SANS Critical Controls, COBIT, ITIL, ISO 27001, NERC, NIST 800-53, NIST 800-171, NESA

Figure 2: FortiSIEM database structure diagram.

Performance Monitoring
- Monitor basic system/common metrics
    - System level via SNMP, WMI, PowerShell
    - Application level via JMX, WMI, PowerShell
- Virtualization monitoring for VMware and Hyper-V at guest, host, resource pool, and cluster level
- Storage usage and performance monitoring for EMC, NetApp, Isilon, Nutanix, Nimble, Data Domain environments
- Specialized application performance monitoring
    - Microsoft Active Directory and Exchange via WMI and PowerShell
    - Databases (Oracle, MS SQL, MySQL) via JDBC
    - VoIP infrastructure via IPSLA, SNMP, CDR/CMR
- Flow analysis and application performance for NetFlow, sFlow, Cisco AVC, NBAR, IPFIX environments
- Ability to add custom metrics
- Baseline metrics and detect significant deviations

External Technology Integrations
- Integration with any external website for IP address lookup
- API-based integration for external threat feed intelligence sources
- API-based two-way integration with help desk systems, including seamless, out-of-the-box support for ServiceNow, ConnectWise, and Remedy
- API-based two-way integration with external CMDB, including out-of-the-box support for ServiceNow, ConnectWise, Jira, and Salesforce
- Kafka support for integration with enhanced analytics reporting (i.e., ELK, Tableau, and Hadoop)
- API for easy integration with provisioning systems
- API for adding organizations, creating credentials, triggering discovery, modifying monitoring events

Real-time Configuration Change Monitoring
- Collect network configuration files, stored in a versioned repository
- Collect installed software versions, stored in a versioned repository
- Automated detection of changes in network configuration and installed software
- Automated detection of file/folder changes, including Windows and Linux, with who and what details
- Automated detection of changes from an approved configuration file
- Automated detection of Windows registry changes via the FortiSIEM Windows Agent

Notification and Incident Management
- Policy-based incident notification framework
- Ability to trigger a remediation script when a specified incident occurs
- API-based integration to external ticketing systems, including ServiceNow, ConnectWise, and Remedy
- Incident reports can be structured to give the highest priority to critical business services and applications
- Trigger on complex event patterns in real time
- Incident Explorer, dynamically linking incidents to hosts, IPs, and users to understand all related incidents quickly

External Threat Intelligence Integrations
- APIs for integrating external threat feed intelligence: malware domains, IPs, URLs, hashes, Tor nodes
- Built-in integration for popular threat intelligence sources, including ThreatStream, CyberArk, SANS, Zeus, ThreatConnect
- Technology for handling large threat feeds, incremental download and sharing within the cluster, and real-time pattern matching with network traffic. All STIX and TAXII feeds are supported.

Summary

To defend against adversaries in modern cyber warfare, CSfC customers need maximum visibility into the multi-enclave network activity of their users, devices, and data. They must also have automated correlation and remediation of audit logs to ensure that mitigations are effective in minimizing or altogether preventing the infiltration of malicious actors and the extraction of classified data. FortiSIEM is the ideal solution to provide industry-leading speed in data correlation and insights into complex, seemingly unrelated activity to accurately identify attempts to compromise the network.

For more information on the Fortinet Continuous Monitoring solution, please go to https:///products/siem/fortisiem or contact us at *************************.

Copyright © 2020 Fortinet, Inc. All rights reserved. July 9, 2020.
FortiAnalyzer security-driven analytics and log management datasheet
DATA SHEET | FortiAnalyzer

Advanced Threat Detection & Correlation allows Security & Network teams to immediately identify and respond to network security threats across the infrastructure.

Automated Workflows & Compliance Reporting provides customizable dashboards, reports and advanced workflow handlers for both Security & Network teams to accelerate workflows and assist with regulation and compliance audits.

Scalable Log Management collects logs from FortiGate, FortiClient, FortiManager, FortiSandbox, FortiMail, FortiWeb, FortiAuthenticator, generic syslog and others. Deploy as an individual unit or optimized for a specific operation, and scale storage based on retention requirements.

Key Features

Security Fabric Analytics
- Event correlation across all logs and real-time anomaly detection, with Indicator of Compromise (IOC) service and threat detection, reducing time-to-detect

Fortinet Security Fabric integration
- Correlates with logs from FortiClient, FortiSandbox, FortiWeb, and FortiMail for deeper visibility and critical network insights

Enterprise-grade high availability
- Automatically back up FortiAnalyzer DBs (up to a 4 node cluster) that can be geographically dispersed for disaster recovery

Security automation
- Reduce complexity and leverage automation via REST API, scripts, connectors, and automation stitches to expedite security response

Multi-tenancy and administrative domains (ADOMs)
- Separate customer data and manage domains leveraging ADOMs to be compliant and operationally effective

Flexible deployment options & archival storage
- Supports deployment as appliance, VM, hosted or cloud. Use AWS, Azure or Google to archive logs as secondary storage

Feature Highlights

Security Operations Center (SOC)
FortiAnalyzer's SOC (Security Operations Center) helps security teams protect networks with real-time log and threat data in the form of actionable views, notifications and reports. Analysts can protect networks, web sites, applications, databases, data centers, and other technologies through centralized monitoring and awareness of threats, events and network activity. The predefined and custom dashboards provide a single pane of glass for easy integration into your Security Fabric. The new FortiSOC service subscription provides built-in incident management workflows with playbooks and connectors to simplify the security analyst's role with enhanced security automation and orchestration.

Incident Detection & Response
FortiAnalyzer's Automated Incident Response capability enables security teams to manage the incident life cycle from a single view. Analysts can focus on event management and identification of compromised endpoints through default and customized event handlers, with quick detection, automated correlation and connected remediation of Fortinet devices and syslog servers, and with incident management and playbooks for quick assignment of incidents for analysis. Tracking timelines and artifacts, with audit history and incident reports, as well as streamlined integration with ITSM platforms, helps bridge gaps in your Security Operations Center and reinforces your security posture.

Indicators of Compromise
The Indicators of Compromise (IOC) service identifies suspicious usage and artifacts observed on a network or in an operating system, determined with high confidence to indicate a computer intrusion. FortiGuard's IOC subscription provides intelligence information to help security analysts identify risky devices and users based on these artifacts. The IOC package consists of around 500K IOCs daily and is delivered via the Fortinet Developers Network (FNDN) to the FortiSIEM, FortiAnalyzer, and FortiCloud products. Analysts can also re-scan historical logs for threat hunting and identify threats based on new intelligence, as well as review users' aggregated threat scores by IP address, hostname, group, OS, overall threat rating, a location Map View, and the number of threats.

Reports
FortiAnalyzer provides 39+ built-in templates that are ready to use, with sample reports to help identify the right report for you. You can generate custom data reports from logs by using the Reports feature. Run reports on demand or on a schedule with automated email notifications, uploads and an easy to manage calendar view. Create custom reports with the 700+ built-in charts and datasets, with flexible report formats including PDF, HTML, CSV, and XML.

FortiAnalyzer Playbooks
FortiAnalyzer Playbooks boost security teams' abilities to simplify efforts and focus on critical tasks. Out of the box playbook templates enable SOC analysts to quickly customize and automate their investigation use cases to respond to compromised hosts, critical intrusions, blocking C&C IPs, and more. A flexible playbook editor covers hosts under investigation. FortiAnalyzer also allows analysts to drill down into a playbook to review task execution details and edit playbooks to define custom processes and tasks, and includes built-in connectors for playbooks to interact with other Security Fabric devices like FortiOS and EMS.

Asset & Identity
Security Fabric assets and identity monitoring and vulnerability tracking provide full SOC visibility and analytics of the attack surface. Assets & Identity visibility and asset classification are based on telemetry from NAC. A built-in SIEM module provides automated log collection, normalization and correlation. Integrated with FortiSOAR for further incident investigation and threat eradication. Supports export of incident data to FortiSOAR through the FortiAnalyzer Connector and API Admin.

Log Forwarding for Third-Party Integration
You can forward logs from a FortiAnalyzer unit to another FortiAnalyzer unit, a syslog server, or a Common Event Format (CEF) server. The client FortiAnalyzer forwards logs to the server FortiAnalyzer unit, syslog server, or CEF server. In addition to forwarding logs to another unit or server, the client retains a local copy of the logs, which are subject to the data policy settings for archived logs. Logs are forwarded in real time or near real time as they are received.

Analyzer-Collector Mode
You can deploy Analyzer mode and Collector mode on different FortiAnalyzer units and make the units work together to improve the overall performance of log receiving, analysis, and reporting. When FortiAnalyzer is in Collector mode, its primary task is forwarding the logs of the connected devices to an Analyzer and archiving the logs. The Analyzer off-loads the log-receiving task to the Collector so that the Analyzer can focus on data analysis and report generation. This maximizes the Collector's log receiving performance.

Multi-Tenancy with Flexible Quota Management
Time-based archive/analytic log data policy per Administrative Domain (ADOM), automated quota management based on the defined policy, and trending graphs to guide policy configuration and usage monitoring.

FortiAnalyzer-VM
FortiAnalyzer-VM integrates network logging, analysis, and reporting into a single system, delivering increased knowledge of security events throughout a network. Utilizing virtualization technology, FortiAnalyzer-VM is a software-based version of the FortiAnalyzer hardware appliance and is designed to run on many virtualization platforms. It offers all the features of the FortiAnalyzer hardware appliance. FortiAnalyzer-VM provides organizations with centralized security event analysis, forensic research, reporting, content archiving, data mining, malicious file quarantining and vulnerability assessment. Centralized collection, correlation and analysis of geographically and chronologically diverse security data from Fortinet and third-party devices deliver a simplified, consolidated view of your security posture.

SD-WAN Monitoring
SD-WAN dashboards enable customers to instantly see the benefit of applying SD-WAN across multiple WAN interfaces, with event handlers to detect SD-WAN alerts for real-time notification and action. History graphs for WAN link health monitoring cover jitter, latency and packet loss, alongside Critical & High severity SD-WAN alerts. The new Secure SD-WAN report provides an executive summary of important SD-WAN metrics, detailed charts and history graphs for SD-WAN link utilization by application, latency, packet loss, jitter changes and SD-WAN performance statistics.

FortiAnalyzer-VM-S
The new FortiAnalyzer Subscription license model consolidates the VM product SKU and the FortiCare Support SKU, as well as the IOC and FortiAnalyzer SOC (SOAR/SIEM) services, into one single SKU to simplify product purchase, upgrade and renewal. The FortiAnalyzer S-Series SKUs come in stackable 5, 50 and 500 GB/Day log licenses, so that multiple units of this SKU can be purchased at a time to increase the number of GB/Day of logs. This SKU can also be purchased together with other FAZ VM-S SKUs to expand the total number of GB/Day of logs.

Virtual Machines

Specifications

Capacity and Performance (base license | stackable add-ons)
- GB/Day of Logs: 1 incl.* | +1 | +5 | +25 | +100 | +500 | +2,000
- Storage Capacity: 500 GB | +500 GB | +3 TB | +10 TB | +24 TB | +48 TB | +100 TB
- Supported virtualization and cloud platforms: … on Redhat 6.5+ and Ubuntu 17.04, Nutanix AHV (AOS 5.10.5), Amazon Web Services (AWS), Microsoft Azure, Google Cloud (GCP), Oracle Cloud Infrastructure (OCI), Alibaba Cloud (AliCloud)
- Network Interface Support (Minimum / Maximum): 1 / 4
- vCPUs (Minimum / Maximum): 2 / Unlimited
- Memory Support (Minimum / Maximum): 4 GB / Unlimited
* Unlimited GB/Day when deployed in collector mode

Specifications (hardware appliances)
* Sustained Rate: the maximum constant log message rate that the FAZ platform can maintain for a minimum of 48 hours without SQL database and system performance degradation.
** The max number of days if receiving logs continuously at the sustained analytics log rate. This number can increase if the average log rate is lower.
*** 3700F must connect to a 200V - 240V power source.
Safety Certifications: UL/cUL, CB

Order Information

Product | SKU | Description
FortiAnalyzer 150G | FAZ-150G | Centralized log and analysis appliance: 2 x RJ45 GE, 4 TB storage, up to 50 GB/day of logs.
FortiAnalyzer 200F | FAZ-200F | Centralized log and analysis appliance: 2 x RJ45 GE, 4 TB storage, up to 100 GB/day of logs.
FortiAnalyzer 300F | FAZ-300F | Centralized log and analysis appliance: 2 x RJ45 GE, 8 TB storage, up to 150 GB/day of logs.
FortiAnalyzer 800F | FAZ-800F | Centralized log and analysis appliance: 4 x GE, 2 x SFP, 16 TB storage, up to 300 GB/day of logs.
FortiAnalyzer 1000F | FAZ-1000F | Centralized log and analysis appliance: 2 x 10GE RJ45, 2 x 10GbE SFP+, 32 TB storage, dual power supplies, up to 660 GB/day of logs.
FortiAnalyzer 2000E | FAZ-2000E | Centralized log and analysis appliance: 4 x GE RJ45, 2 x SFP+, 36 TB storage, dual power supplies, up to 1,000 GB/day of logs.
FortiAnalyzer 3000G | FAZ-3000G | Centralized log and analysis appliance: 2 x GE RJ45, 2 x 25GE SFP28, 64 TB storage, dual power supplies, up to 3,000 GB/day of logs.
FortiAnalyzer 3500G | FAZ-3500G | Centralized log and analysis appliance: 2 x GbE RJ45, 2 x SFP28, 96 TB storage, dual power supplies, up to 5,000 GB/day of logs.
FortiAnalyzer 3700F | FAZ-3700F | Centralized log and analysis appliance: 2 x SFP+, 2 x 1GE slots, 240 TB storage, up to 8,300 GB/day of logs.
FortiAnalyzer-VM | FAZ-VM-BASE | Base license for stackable FortiAnalyzer-VM; 1 GB/Day of logs and 500 GB storage capacity. Unlimited GB/Day when used in collector mode only.
Designed for all supported platforms.FAZ-VM-GB1Upgrade license for adding 1 GB/Day of Logs and 500 GB storage capacity.FAZ-VM-GB5Upgrade license for adding 5 GB/day of logs and 3 TB storage capacity.FAZ-VM-GB25Upgrade license for adding 25 GB/day of logs and 10 TB storage capacity.FAZ-VM-GB100Upgrade license for adding 100 GB/day of logs and 24 TB storage capacity.FAZ-VM-GB500Upgrade license for adding 500 GB/day of logs and 48 TB storage capacity.FAZ-VM-GB2000Upgrade license for adding 2 TB/Day of Logs and 100 TB storage capacity.FortiAnalyzer-VM Subscription License with Support FC1-10-AZVMS-431-01-DD Central Logging & Analytics subscription for 5 GB/Day logs. Include 24x7 FortiCare support, IOC, SOAR/SIEM services.FC2-10-AZVMS-431-01-DD Central Logging & Analytics subscription for 50 GB/Day logs. Include 24x7 FortiCare support, IOC, SOAR/SIEM services.FC3-10-AZVMS-431-01-DD Central Logging & Analytics subscription for 500 GB/Day logs. Include 24x7 FortiCare support, IOC, SOAR/SIEM services. FortiAnalyzer - Backup to Cloud Service FC-10-FAZ00-286-02-DD 1 year subscription to FortiAnalyzer storage connector service for 10TB data transfer to public cloud.FortiGuard Indicator of Compromise (IOC) Subscription FC-10-[Model code] -149-02-DD 1 Year Subscription license for the FortiGuard Indicator of Compromise (IOC).Enterprise Protection Bundle FC-10-[Model code]-432-02-DD Enterprise Protection (24x7 FortiCare plus Indicators of Compromise Service and SOC Subscription license) FortiAnalyzer SOC Subscription FC-10-[Model code]-335-02-DD Subscription license for the FortiAnalyzer SOC component Copyright © 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. 
FAZ-DAT-R58-202010
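The log forwarding feature described in the data sheet delivers each event to a syslog or CEF receiver, and the receiving side has to undo two layers of escaping before it can index anything: pipes and backslashes in the seven header fields, and "\=", "\\", "\n" and "\r" inside extension values that may themselves contain spaces. The parser below is an added example and not Fortinet code; SAMPLE_LINE is constructed for illustration and its vendor, product, version and signature-ID values are placeholders rather than values taken from a real device.

```python
"""Parse CEF lines as a syslog/CEF receiver sees them after FortiAnalyzer log forwarding.

Added example, not Fortinet code. SAMPLE_LINE below is constructed for
illustration; its vendor/product/version/ID values are placeholders, not
values taken from a real device.
"""
import re
from typing import Dict, List

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# An extension key is a whitespace-delimited token directly followed by '='.
# A '\=' inside a value cannot start a key because '\' is excluded from the class.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([^\s=\\]+)=")
_EXT_ESCAPES = {"n": "\n", "r": "\r"}      # '\=' and '\\' map to the character itself

SAMPLE_LINE = (                              # constructed sample, not a real event
    "<134>Oct 11 10:22:33 faz-lab "
    "CEF:0|Fortinet|FortiAnalyzer|7.0|1001|Traffic \\| allowed|3|"
    "src=10.1.2.3 dst=93.184.216.34 spt=51312 dpt=443 act=accept "
    "msg=user\\=alice said hi\\nsecond line cs1Label=policy cs1=Allow\\\\Out"
)


def _split_header(text: str) -> List[str]:
    """Split on unescaped '|'. Returns the 7 header fields plus the raw extension."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # header escapes are only '\|' and '\\'
            cur.append(text[i + 1])
            i += 2
        elif ch == "|":
            parts.append("".join(cur))
            cur = []
            i += 1
            if len(parts) == len(HEADER_FIELDS):  # rest of the line is the extension, kept raw
                parts.append(text[i:])
                return parts
        else:
            cur.append(ch)
            i += 1
    raise ValueError("CEF header has fewer than 7 '|' separators")


def _unescape_extension(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: _EXT_ESCAPES.get(m.group(1), m.group(1)), value)


def parse_extension(raw: str) -> Dict[str, str]:
    """Turn 'k1=v1 k2=v with spaces' into a dict; values keep spaces and are unescaped."""
    keys = list(_KEY_RE.finditer(raw))
    ext: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(raw)
        ext[m.group(1)] = _unescape_extension(raw[m.end():end].rstrip())
    return ext


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF line, with or without a leading syslog PRI/timestamp/host prefix."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    fields = _split_header(line[idx + len("CEF:"):].rstrip("\r\n"))
    event: Dict[str, object] = {"syslog_header": line[:idx].strip() or None}
    event.update(zip(HEADER_FIELDS, fields))          # zip stops after the 7 header names
    event["extension"] = parse_extension(fields[len(HEADER_FIELDS)])
    return event


if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE_LINE).items():
        print(f"{key}: {value!r}")
```

The header is split character by character rather than with a regex so that an escaped pipe in the event name ("Traffic \| allowed" in the sample) is not mistaken for a field separator, and the extension is only unescaped after the key boundaries have been found, since unescaping first would turn "\=" into a second, bogus key boundary.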
Fortinet
Tengmeng Chengdu
Address: 16F B-2, Chuanxin Building, 18 Renmin South Road Section 2, Chengdu (610016)
Tel: (028) 86200501   Fax: (028) 86200504
Company and Product Overview
Fortinet (US) is a leading vendor of next-generation network security technology and the company that successfully launched the ASIC-accelerated network security platform FortiGate. Founder, President and CEO Ken Xie is a distinguished expert in network and information security and a well-known high-tech entrepreneur. Co-founder, Vice President and Chief Technology Officer Michael Xie is a distinguished network and information security expert with fifteen years of experience in the network security industry. Fortinet was founded in 2000 and is headquartered in Sunnyvale, California, in Silicon Valley, with branch offices in more than ten countries and regions including Canada, France, the United Kingdom, Germany, Sweden, Switzerland, Italy, Australia, Mexico, Japan, Korea, Singapore, Thailand, India, the Philippines, Malaysia, mainland China, Taiwan and Hong Kong. Fortinet has established wholly owned subsidiaries in Beijing and Tianjin, China.
...search log records.
Management
• Easy-to-use, secure graphical and command-line interfaces.
• Quick configuration templates: step-by-step configuration from a template.
• Graphical configuration interface: managed through the IE browser.
• Multi-language support: English, Chinese (Simplified and Traditional), Japanese, French and Korean.
• Secure remote management: remote login through the browser interface over HTTPS or HTTP, and remote management through the command-line interface over SSH or Telnet. HTTP and Telnet carry credentials in cleartext, so on a production device management access should be limited to HTTPS and SSH.
• LCD configuration: quick setup of interface addresses using the simple keys and LCD on the front panel.
• Command-line interface: available on the console port or over a secure remote connection.

To counter the latest security threats, Fortinet has created a series of new algorithms and detection technologies:
• Complete Content Protection (CCP) technology scans for and detects the latest threats across the whole OSI stack.
• Dynamic Threat Prevention System (Dynamic Threat Prevention System, abbreviated
Log Audit Solution

I. Background
With the development of information technology and the spread of its applications, enterprises and organizations of all kinds face ever-growing data volumes and increasingly complex information-system environments.
To ensure the security and compliance of information systems, log auditing has become an important task.
Log auditing helps enterprises and organizations monitor and analyze the activity records of their information systems in order to discover potential security threats, track abnormal behavior, meet compliance requirements and support post-incident investigation.

II. Why log auditing matters
1. Security threat detection: auditing logs makes it possible to discover and respond in time to potential security threats, such as unauthorized access and abnormal login behavior.
2. Abnormal behavior tracking: log auditing records and analyzes user actions, helping enterprises and organizations track and identify abnormal behavior such as illegal operations and data tampering.
3. Meeting compliance requirements: many industries and regulations require enterprises and organizations to audit the logs of their information systems to ensure compliance, for example PCI DSS for the payment-card industry and HIPAA for healthcare.
4. Post-incident investigation support: when a security incident or violation occurs, log audit records provide key evidence and leads for the investigation and forensics that follow.

III. Key components of a log audit solution
1. Log collection: deploy log collectors on key systems and devices to collect and store the logs they generate in real time.
The collected logs can include operating-system logs, application logs, network-device logs and so on.
2. Log storage: store the collected logs on secure and reliable storage media, ensuring their integrity and auditability.
Either a traditional relational database or a dedicated log-management system can be used for storage.
3. Log analysis: analyze and mine the stored logs to discover abnormal behavior and security threats.
Various analysis tools and techniques can be used, such as rule engines and machine-learning algorithms.
4. Reporting and alerting: generate detailed reports and alerts from the analysis results so that administrators and the security team learn about the security state of the systems and discover potential threats in time.
5. Audit log management: manage and maintain the log data, including retention periods, backup strategy and access-permission control, to ensure its integrity and auditability.
6. Visualization and querying: an intuitive visual interface and powerful query functions let administrators and the security team view and analyze log data conveniently and locate and resolve problems quickly.
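The analysis, alerting and management components above are abstract until rules run over real lines. The following Python rule engine is an added example, not part of any product described on this page: it parses classic syslog authentication lines, keeps a sliding window of failed SSH logins per source address, raises a higher-severity alert when a success follows a burst of failures, and flags privileged commands that run outside business hours or touch sensitive files. SAMPLE_LINES are constructed (hosts, users and addresses are fictitious); the threshold, window, business hours and sensitive paths are assumed site policy rather than values from the text.

```python
"""Rule-based detection over syslog-style authentication logs.

Added example for the log analysis and alerting components described above;
it is not any product's code. SAMPLE_LINES are constructed; hosts, users and
addresses are fictitious. Thresholds, business hours and sensitive paths are
assumed site policy.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: *(?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

BRUTE_THRESHOLD = 5                    # failures from one source ...
BRUTE_WINDOW = timedelta(seconds=120)  # ... inside this sliding window (assumed policy)
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time (assumed policy)
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/root/.ssh")
ASSUMED_YEAR = 2024                    # classic syslog timestamps carry no year


@dataclass
class Event:
    ts: datetime
    host: str
    prog: str
    msg: str


@dataclass
class Alert:
    severity: str
    rule: str
    host: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one classic-syslog line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())      # 'Mar  4 ...' -> 'Mar 4 ...'
    ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return Event(ts, m["host"], m["prog"], m["msg"].strip())


def run_rules(lines: Iterable[str]) -> List[Alert]:
    """Run the detection rules over lines in order and return the alerts raised."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # per-source failure times
    alerts: List[Alert] = []
    for ev in filter(None, map(parse_line, lines)):
        if ev.prog == "sshd":
            failed = FAILED_RE.search(ev.msg)
            accepted = ACCEPTED_RE.search(ev.msg)
            if failed:
                q = failures[failed["src"]]
                q.append(ev.ts)
                while q and ev.ts - q[0] > BRUTE_WINDOW:   # expire failures outside the window
                    q.popleft()
                if len(q) == BRUTE_THRESHOLD:              # fire once per burst, not per failure
                    alerts.append(Alert("medium", "ssh_bruteforce", ev.host,
                                        f"{len(q)} failed logins from {failed['src']} "
                                        f"within {BRUTE_WINDOW.seconds}s"))
            elif accepted:
                q = failures.get(accepted["src"])
                if q and len(q) >= BRUTE_THRESHOLD and ev.ts - q[-1] <= BRUTE_WINDOW:
                    alerts.append(Alert("high", "bruteforce_success", ev.host,
                                        f"{accepted['user']} logged in from {accepted['src']} "
                                        f"right after {len(q)} failures"))
        elif ev.prog == "sudo":
            m = SUDO_RE.search(ev.msg)
            if not m:
                continue
            if ev.ts.hour not in BUSINESS_HOURS:
                alerts.append(Alert("medium", "offhours_privileged_command", ev.host,
                                    f"{m['user']} ran '{m['cmd']}' as {m['target']} at {ev.ts:%H:%M}"))
            if any(p in m["cmd"] for p in SENSITIVE_PATHS):
                alerts.append(Alert("high", "sensitive_file_access", ev.host,
                                    f"{m['user']} touched a sensitive path: {m['cmd']}"))
    return alerts


SAMPLE_LINES = [  # constructed; hosts, users and addresses are fictitious
    "Mar 14 02:13:01 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "Mar 14 02:13:09 web01 sshd[4123]: Failed password for root from 203.0.113.7 port 50124 ssh2",
    "Mar 14 02:13:17 web01 sshd[4125]: Failed password for invalid user admin from 203.0.113.7 port 50126 ssh2",
    "Mar 14 02:13:25 web01 sshd[4127]: Failed password for root from 203.0.113.7 port 50128 ssh2",
    "Mar 14 02:13:33 web01 sshd[4129]: Failed password for root from 203.0.113.7 port 50130 ssh2",
    "Mar 14 02:13:41 web01 sshd[4131]: Failed password for root from 203.0.113.7 port 50132 ssh2",
    "Mar 14 02:14:30 web01 sshd[4140]: Accepted password for root from 203.0.113.7 port 50140 ssh2",
    "Mar 14 09:00:05 db01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Mar 14 22:30:12 db01 sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Mar 14 10:15:00 web01 CRON[5001]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_LINES):
        print(f"[{a.severity:6}] {a.rule:28} {a.host}: {a.detail}")
```

Two design points are worth noting for a production version: the brute-force rule fires when the window first reaches the threshold rather than on every subsequent failure, which keeps one attack from producing hundreds of alerts, and the "success after failures" rule is what turns a noisy medium into an actionable high, since it is the pattern that distinguishes a successful credential-guessing attack from background scanning.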
IV. Implementation steps for a log audit solution
1. Requirements analysis: communicate with the relevant departments and staff of the enterprise or organization to understand their log audit needs and compliance requirements, and define the objectives and scope of the solution.
FortiAnalyzer: Generating Log Reports
Configuring FortiAnalyzer to generate log reports
Version: 1.0
Date: April 2013
Supported versions: N/A
Status: reviewed
Feedback: support_cn@
Description:
This document describes how to configure log report generation on all FortiAnalyzer devices.
FortiAnalyzer can generate reports from the collected traffic logs, archived (content) logs and event logs; administrators can define the report contents according to their needs to understand the state of the network.
Environment:
This document uses a FortiAnalyzer 100A for the demonstration.
The system version covered is FortiOS v3.0.
Step 1: Configure the report contents
Under Report > Config > Layout, click Create New.
Fill in the report name, company name, report title and header description as required.
Click Add Chart to define the report contents.
Click the plus sign under Action to add a chart. This example selects only Traffic by Direction; administrators can add as many items as needed. Click OK when the selection is complete.
Click Edit on a listed report to modify its properties.
Chart output, chart style and maximum number of entries can be chosen as required.
Once created, the layout appears in the layout list.
Step 2: Configure the schedule
Under Report > Schedule, click Create New.
Layout: choose the layout defined above. Language: Simplified Chinese.
Schedule: daily, weekly, monthly or once, as required.
Devices/Groups: select the FortiGate device.
Output: HTML (a web page) by default.
PDF, Word, text and MHT formats are also supported, and the report can be downloaded to a PC.
Step 3: Browse the report
Under Report > Browse, view the generated reports.
Click the report name to view its contents; click one of the other formats to download the report to a PC.
Step 4: View the report on the FortiGate
Under Log & Report > Report Access, view the report contents.
Fortify SCA Installation and User Manual

Contents
1. Product description
1.1 Features
1.2 Product update notes
2. Installation
2.1 Files required for installation
2.2 System platforms supported by Fortify SCA
2.3 Supported languages
2.4 Fortify SCA plug-ins
2.5 Compilers supported by Fortify SCA
2.6 Installing Fortify SCA on Windows
2.7 Installing the Fortify SCA Eclipse plug-in
2.8 Installing Fortify SCA on Linux (requires the Linux installer)
2.9 Installing Fortify SCA on Unix (requires the Unix installer)
3. Usage
3.1 Fortify SCA scanning guide
3.2 Analyzing Fortify SCA scan results
4. Troubleshooting
4.1 Using the log file to debug problems
4.2 "Translation failed" messages
If your C/C++ application builds successfully but one or more "translation failed" messages appear when you build it with Fortify SCA, edit the file <install_directory>/Core/config/fortify-sca.properties and change the line
    com.fortify.sca.cpfe.options=--remove_unneeded_entities --suppress_vtbl
to
    com.fortify.sca.cpfe.options=-w --remove_unneeded_entities --suppress_vtbl
Rerun the build to print the errors the translator encounters. If the output indicates a conflict between your compiler and the Fortify translator
4.3 JSP translation failures
4.4 C/C++ precompiled headers

Preface
Fortify SCA is described in this manual as the industry's most comprehensive white-box source-code security testing tool: it pinpoints security issues at the code level, runs tests fully automatically, ships the broadest set of security vulnerability rules, and analyzes source-code security issues from multiple dimensions.
Test Plan for an Operations Audit Bastion Host Product
Set reasonable access-control policies to ensure that test users can only access the applications and data they need.

05 Test Plan and Implementation
Test plan formulation
Define the test objectives: identify the operations-audit functions of the bastion host product and define the objectives and scope of the test.
Define the test strategy: based on the product's characteristics and user requirements, define the test strategy, including test methods, tools and personnel.
Set test priorities: based on the importance of the product and user requirements, prioritize the tests so that key functions are tested first.

Test Plan for an Operations Audit Bastion Host Product
Presenter: (not given)   2023-12-01
Contents
• Introduction • Product overview • Test objectives • Test environment and configuration • Test plan and implementation • Test results and analysis • Optimization suggestions and improvements • Conclusion and outlook

01 Introduction
Purpose and background
Purpose: ensure that the bastion host product's functionality, performance and security reach the expected level and meet user requirements.

User experience test results
Usability testing: test the usability of the bastion host, such as its interface design and operational workflows.
Stability testing: verify the stability of the bastion host over long periods of use, ensuring that the system does not misbehave or crash.
Maintainability testing: test the maintainability of the bastion host, such as its system logs and fault-diagnosis tools.

07 Optimization Suggestions and Improvements
Functional optimization suggestions
Summary: complete, comprehensive functionality
Improve the audit-log function so that it records more detailed information, including the time of the operation, the operating user and the content of the operation.
Require a second authentication for sensitive operations to ensure their security.
Improve the permission-control mechanism so that only appropriate users can access specific resources.
User experience optimization suggestions
Summary: good user experience and usability
Details: test the product's user experience comprehensively and identify potential points of improvement, including but not limited to the following
FortiGate Logging and Alerting
Set the FortiAnalyzer IP address
Click Test Connectivity
The connectivity test shows the following fields:
FortiAnalyzer device (host name): host name of the FortiAnalyzer device.
FortiGate device (device ID): serial number of the FortiGate device.
Registration status: registration status of the FortiGate device.
Connection status: a green check mark means the connection is up; a grey cross means there is no connection.
Disk space, allocated: storage space assigned to logs.
Disk space, used: space already used.
Disk space, unused: remaining space.
Privileges: shows the privileges for sending and viewing logs and reports. Tx means the FortiGate is configured to send log packets to the FortiAnalyzer; Rx means the FortiGate is allowed to view the reports and logs stored on the FortiAnalyzer. A check box indicates that the FortiGate has privileges to send and view log messages and reports; an X indicates that it is not allowed to send or view log messages.
• Store logs for analysis and archiving
The FortiGate log filter settings determine which log types are sent.
• Log file transfer can be encrypted through an IPsec tunnel
• For devices without a hard disk, the FortiAnalyzer serves as a remote store for log messages
• Only log messages from registered devices are accepted
SNMP
• Supports SNMP v1 and v2c
• The MIB files can be downloaded from the Fortinet support site
• Enabled per interface
• Read (get) access only. SNMP v1 and v2c community strings travel in cleartext, so restrict the addresses allowed to poll and keep access read-only.
Logging and alerting
Course 201 v4.0
Log storage types and configuration
• Choose the logging method and level:
FortiAnalyzer; syslog; memory; hard disk (the 200A, 300A and 400A are available in hard-disk versions or with an AMC hard-disk module); WebTrends; FortiGuard service
Fortinet Solutions RSSO (RADIUS Single Sign On) Guide

Fortinet Solutions RSSO (RADIUS Single Sign On)
Author: David Oliver, Consulting Systems Engineer

Contents
Introduction
Deployment Considerations
Requirements
RADIUS Accounting Direct to Fortigate (Fortigate RSSO)
  Steps and related CLI / Configuration Example
  Monitoring and Troubleshooting Examples
RADIUS Accounting via FortiAuthenticator to Fortigate (FortiAuthenticator RSSO to FSSO)
  FortiAuthenticator Steps and related CLI / Configuration Example
  FortiGate Steps and related CLI / Configuration Example
  Monitoring and Troubleshooting Examples
RADIUS Accounting via FortiAuthenticator RADIUS Accounting Proxy to Fortigate (FortiAuthenticator RSSO to RSSO)
  FortiAuthenticator Steps and related CLI / Configuration Example
  FortiGate Steps and related CLI / Configuration Example
Related Information
Change Log

Introduction
FortiGate and FortiAuthenticator support the use of RADIUS Start, Stop, and Interim Update messages to authenticate and manage active users transparently. Carriers often use RADIUS servers tied into backend billing systems to record usage information. Enterprises often use RADIUS servers to authenticate VPN connections. In both cases, the entities in question may want to apply UTM functions or other traffic restrictions to this traffic without having the user re-enter their credentials. Fortinet RSSO solutions can assist in deploying these solutions.

Deployment Considerations
The following are important aspects that need to be considered prior to using RSSO:
• The RADIUS environment needs to be configured to send accounting records. How to configure every possible RADIUS server is beyond the scope of this document.
• For direct-to-Fortigate RSSO, the RADIUS server needs to be configured with appropriate group names and users added to them.
• For RADIUS to FAC to FSSO, your LDAP directory needs to be configured with appropriate group names and users added to them.
• It is no longer necessary to import or utilize the Fortinet VSA dictionary.
We use the following default RADIUS attributes in Fortigate:
  User-Name (the username that logged in)
  Class (use this for the group name)
  Framed-IP-Address (the IP the user logged in from)
We use the following default RADIUS attributes in FortiAuthenticator:
  User-Name (the username that logged in)
  Framed-IP-Address (the IP the user logged in from)
  Fortinet-Group-Name (use this for the group name). The group attribute is not strictly necessary, as FAC will work it out by querying the LDAP directory.

Requirements
FortiOS 5.0.6. This configuration example uses FortiOS 5.0.6 and FortiAuthenticator 3.0.1. Creation of RADIUS accounting records was performed using NTRADping.

RADIUS Accounting Direct to Fortigate (Fortigate RSSO)
FortiOS supports the use of RADIUS Start, Stop, and Interim Update messages to authenticate and manage active users transparently. Configuration of the Fortigate to receive and utilize these records is quite straightforward.
Diagram: RADIUS Server -> FortiGate

Steps and related CLI / Configuration Example
Step 1 – Configure an interface to receive RADIUS accounting records. At least one interface that can be reached by the RADIUS server must be configured to listen for RADIUS accounting messages. (Figure 2 – Configure interface GUI)
Step 2 – Configure the RSSO agent. Only one RSSO agent is configurable per VDOM. Since the RSSO agent can receive records from any RADIUS server configured to send records to it, more than one is not required to receive from multiple RADIUS servers. The RADIUS server must be configured to send the following attributes in the Accounting Start, Accounting Stop and Interim Update messages:
  User-Name (the username that logged in)
  Class (the Fortigate uses this to determine the user group name; it can be any attribute of type octet string, but "sso-attribute" must be set to whatever attribute you choose)
  Framed-IP-Address (the IP the user logged in from)
These are standard RADIUS attributes, so the Fortinet VSA dictionary is not necessary. (Figure 4 – Configure RSSO Agent GUI)
Step 3 – Create user groups. You will need to create a user group for each class of user you want to authenticate. The RADIUS attribute value is configured to match the accounting record value in the Class attribute. (Figure 6 – Create User Groups GUI)
Step 4 – Configure a content filter (if needed). Refer to the product documentation for information on how to configure a content filter profile.
Step 5 – Configure identity-based firewall policies. (Figure 8 – Configure Identity Based Firewall Policies GUI)

Monitoring and Troubleshooting Examples
(Figure 9 – Monitor Logged in Users GUI)
You CANNOT deauthenticate a user via the GUI. It can only be done via the CLI command "diag test app radiusd 2"; this, however, clears the RADIUSD database of all RSSO users. To clear an individual user, send an Accounting Stop record for that user.
There are several CLI commands to monitor and query logged-on users.
(Figure 9 – Query Logged in Users CLI)
  diag rsso query
allows you to query the RSSO database by:
  carrier-endpoint   Query by end point (the equivalent of the User-Name).
  ip                 Query by IP address (the Framed-IP-Address(es); this should be the host IP address).
  rsso-key           Query by RSSO key (the Class attribute, which relates to the Fortigate user group name).
It is useful when you want to quickly look up who is at an IP, or list all the users in a specific Class (user group) that are logged on.
(Figure 10 – Query Logged in Users CLI and clear database)
  diag test app radiusd
allows you to query or clear the entire RADIUSD database:
  Radius Daemon Test Usage:
  2  : Clear RADIUS server database
  3  : Show RADIUS server database
  33 : Show RADIUS server database (with start time)
  4  : Show RADIUS server database info
  9  : Check HA context table checksums
  11 : Show HA sync connection status
  20 : Show RADIUS server configuration cache
  21 : Show RADIUS server interface configuration cache
  99 : Restart
(Figure 11 – Debug RADIUSD events as they occur)
  diag debug enable
  diag debug app radiusd -1
allows you to debug RADIUSD events as they occur.

RADIUS Accounting via FortiAuthenticator to Fortigate (FortiAuthenticator RSSO to FSSO)
FortiAuthenticator supports the use of RADIUS Start, Stop, and Interim Update messages to authenticate and manage active users transparently. It receives RADIUS accounting messages, performs lookups against the LDAP server for group membership and then populates its FSSO cache with the correct information. This is then sent to the Fortigate as an FSSO login. This is useful when group membership information is handled by Active Directory, or when the RADIUS server is business-critical IT infrastructure, limiting the changes that can be made to the server configuration.
Diagram: RADIUS Server -> FortiAuthenticator -> FortiGate

FortiAuthenticator Steps and related CLI / Configuration Example
Step 1 – Configure FortiAuthenticator as an FSSO collector agent. FSSO must already be configured between the FortiAuthenticator and the Fortigate(s). For information on how to configure FortiAuthenticator for FSSO, see the FortiAuthenticator 3.0 Administration Guide (/auth/3-0-0/FAC-3.0-Admin-Guide.pdf).
Step 2 – Configure the remote LDAP server. (Figure 11 – Configure Remote Auth Server)
Step 3 – Enable FSSO and RADIUS Accounting SSO clients. (Figure 12 – Enable RADIUS accounting SSO Clients)
Step 4 – Configure the RADIUS Accounting SSO client. The LDAP server must be selected from the drop-down list. The RADIUS attributes Username Attribute (default User-Name) and Client IP Attribute (default Framed-IP-Address) are required; I recommend leaving them at the defaults. The User Group Attribute is not required. The LDAP server created earlier must be selected from the drop-down list, as this is how the FortiAuthenticator establishes group membership. (Figure 13 – Create New RADIUS Accounting SSO Client)

FortiGate Steps and related CLI / Configuration Example
Step 1 – Configure FortiAuthenticator as an FSSO collector agent. (Figure 15 – Configure FSSO agent GUI) Make certain to select groups.
Step 2 – Configure FSSO user groups.
Step 3 – Configure a content filter (if needed). Refer to the product documentation for information on how to configure a content filter profile.
Step 4 – Configure identity-based firewall policies. (Figure 18 – Configure Firewall Policies GUI)

Monitoring and Troubleshooting Examples
There is little in the way of troubleshooting on the FortiAuthenticator. Monitor > SSO Sessions is the only way to determine who is logged on from where. (Figure 19 – Monitor Logged on Users FortiAuthenticator) A single user can be deauthenticated on the FortiAuthenticator.
The Fortigate provides more troubleshooting tools for comprehensive debugging. (Figure 20 – Monitor Logged on Users Fortigate GUI) You cannot deauthenticate an FSSO user from the Fortigate GUI.
(Figure 21 – Monitor Logged on Users Fortigate CLI)
  diag debug authd fsso
allows you to query, clear, list and provide comprehensive information about the status of FSSO sessions. It supports filtering, which makes searching through thousands of potential logins quite simple.
  FortiGate-VM64-2 (global) # diag debug authd fsso
  clear-logons     Clear logon information.
  filter           Filters used for list or clear logons.
  list             List current logons.
  refresh-groups   Refresh group mappings.
  refresh-logons   Resync logon database.
  server-status    Show FSSO agent connection status.
  summary          Summary of current logons.
  FortiGate-VM64-2 (global) # diag debug authd fsso filter
  clear    Clear all filters.
  group    Group name.
  server   FSSO agent name.
  source   Source IP address.
  user     User name.
Unfiltered:
  diag debug authd fsso list
Filtered:
  diag debug authd fsso filter user FTNTUNRESTRICTED
  diag debug authd fsso list
You can deauthenticate a single FSSO user from the CLI using:
  diag debug authd fsso filter user <username>
  diag debug authd fsso clear
(Figure 22 – Debug AUTHD events as they occur)
  diag debug enable
  diag debug app authd -1
allows you to debug FSSO events as they occur.

RADIUS Accounting via FortiAuthenticator RADIUS Accounting Proxy to Fortigate (FortiAuthenticator RSSO to RSSO)
FortiAuthenticator supports the use of RADIUS Start, Stop, and Interim Update messages to authenticate and manage active users transparently. It receives RADIUS accounting messages, performs lookups against the LDAP server for group membership and then forwards the RADIUS message to the Fortigate RSSO agent. This is useful when group membership information is handled by Active Directory, or when the RADIUS server is business-critical IT infrastructure, limiting the changes that can be made to the server configuration.
Diagram: RADIUS Server -> FortiAuthenticator -> FortiGate

FortiAuthenticator Steps and related CLI / Configuration Example
Step 1 – Configure FortiAuthenticator as a RADIUS accounting proxy. (Figure 23 – Configure Remote Auth Server)
Step 2 – Enable RADIUS Accounting SSO clients. (Figure 24 – Enable RADIUS accounting SSO Clients)
Step 3 – Create a new accounting proxy source. (Figure 25 – Create a new Accounting Proxy Source) This is the RADIUS server.
Step 4 – Create a new accounting proxy rule set. (Figure 26 – Create a new Rule Set) Select Action "Add" for a new attribute; select Action "Modify" to translate an existing attribute. The User-Name attribute is what the FortiAuthenticator uses to look up group membership information on the LDAP server. The Value type is what we want FortiAuthenticator to add to the accounting messages it forwards to the Fortigate; to add the user's group membership information, select Group names. Select the LDAP server that the FortiAuthenticator will run the group membership query against.
Step 5 – Create a new destination. (Figure 26 – Create a new Destination for the translated Accounting messages) This is the target for the translated accounting message. Usually this is the Fortigate you wish to send the accounting message to, but it can be any RADIUS server configured to listen for accounting messages. Make certain you assign the rule set and source correctly.

FortiGate Steps and related CLI / Configuration Example
Configuration and debugging on the Fortigate are the same as described at the beginning of this document under RADIUS Accounting Direct to Fortigate (Fortigate RSSO).

Related Information
FortiOS and FortiGate Technical Documentation: /fgt.html
Fortinet Knowledge Base
FortiGate appliances: /products/fortigate/
FortiAuthenticator Technical Documentation: /fauth.html

Copyright © 2011 Fortinet, Inc. All rights reserved. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.
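The direct-to-Fortigate section above says that the RSSO agent needs only three standard attributes from each accounting message (User-Name, Class and Framed-IP-Address) and that the test records were produced with NTRADping. The following Python example, added here and not Fortinet or NTRADping code, builds an Accounting-Request carrying exactly those attributes, verifies its Request Authenticator the way a receiver must (RFC 2866: MD5 over the header, sixteen zero octets, the attributes and the shared secret), and produces and checks the matching Accounting-Response, so both sides of the exchange are visible. The shared secret, user name, group and IP address are constructed test values.

```python
"""Build and verify RADIUS accounting packets (RFC 2866) carrying the attributes
FortiGate RSSO consumes: User-Name, Class and Framed-IP-Address.

Added example, not Fortinet or NTRADping code. Secret, user, group and IP
values in the demo are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, List, Tuple

CODE_ACCT_REQUEST, CODE_ACCT_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_CLASS, ATTR_ACCT_STATUS = 1, 8, 25, 40
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3
STATUS_NAMES = {ACCT_START: "Start", ACCT_STOP: "Stop", ACCT_INTERIM: "Interim-Update"}

Attrs = List[Tuple[int, bytes]]


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; length covers the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(secret: bytes, ident: int, user: str, group: str,
                             framed_ip: str, status: int = ACCT_START) -> bytes:
    """Client side: an Accounting-Request with the three RSSO attributes."""
    attrs = (_avp(ATTR_ACCT_STATUS, struct.pack("!I", status))
             + _avp(ATTR_USER_NAME, user.encode())
             + _avp(ATTR_CLASS, group.encode())          # FortiGate maps Class -> user group
             + _avp(ATTR_FRAMED_IP, ipaddress.IPv4Address(framed_ip).packed))
    header = struct.pack("!BBH", CODE_ACCT_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 s.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_packet(data: bytes) -> Tuple[int, int, bytes, Attrs]:
    """Split a RADIUS packet into (code, identifier, authenticator, attributes)."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet size")
    attrs: Attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, data[4:20], attrs


def verify_accounting_request(data: bytes, secret: bytes) -> bool:
    """Server side: recompute the Request Authenticator; rejects tampering or a wrong secret."""
    code, _, authenticator, _ = parse_packet(data)
    if code != CODE_ACCT_REQUEST:
        return False
    expected = hashlib.md5(data[:4] + bytes(16) + data[20:] + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Server side: Accounting-Response with no attributes, authenticated against the request."""
    _, ident, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", CODE_ACCT_RESPONSE, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_accounting_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: check the response belongs to our request and was made with our secret."""
    code, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    if code != CODE_ACCT_RESPONSE or ident != req_ident:
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def rsso_fields(data: bytes) -> Dict[str, str]:
    """What the RSSO agent takes from a record: status, user, group (Class) and host IP."""
    _, _, _, attrs = parse_packet(data)
    out: Dict[str, str] = {}
    for attr_type, value in attrs:
        if attr_type == ATTR_ACCT_STATUS:
            out["status"] = STATUS_NAMES.get(struct.unpack("!I", value)[0], "unknown")
        elif attr_type == ATTR_USER_NAME:
            out["user"] = value.decode()
        elif attr_type == ATTR_CLASS:
            out["group"] = value.decode()
        elif attr_type == ATTR_FRAMED_IP:
            out["ip"] = str(ipaddress.IPv4Address(value))
    return out


if __name__ == "__main__":
    secret = b"testing123"                     # constructed shared secret
    req = build_accounting_request(secret, 7, "alice", "VPN-Users", "10.0.0.5")
    print("request valid:", verify_accounting_request(req, secret), rsso_fields(req))
    resp = build_accounting_response(req, secret)
    print("response valid:", verify_accounting_response(resp, req, secret))
```

Two practical points follow from the code: the Request Authenticator is the only integrity protection an accounting record has, so a shared secret that is weak or shared with untrusted network segments lets anyone log an arbitrary user in at an arbitrary IP; and an Accounting Stop for the same user and address is the clean way to log one user out, which is why the guide recommends it over clearing the whole RADIUSD database.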
FortiAnalyzer Feature Overview
FortiAnalyzer (Forensic Analysis)
Track user behavior by user name, email address, IM user name and so on. Supports FortiGuard Web Filtering reports showing web site visits and per-user blocked requests. Supports
Device | Source | Category | Threat name | Protocol
Email usage | Web usage | Bandwidth usage | Protocol usage
FortiAnalyzer File Quarantine
File quarantine: centralized quarantine; FortiGate models without a hard disk can also quarantine files; the user can limit the size of the quarantine area.
FortiAnalyzer Content Archiving
Archive viewer
Real-time and historical viewing of content archives (Web, Email, IM, etc.); user-definable data filters
Attachment search; content archives can be uploaded to an FTP server (FTP carries credentials and archive contents in cleartext, and the archive holds captured email and chat content, so treat the archive server as sensitive)
Content archive: Web pages
Content archive: Email
Content archive: File transfers
Content archive: IM chat records
FortiAnalyzer Event Correlation
Advanced event correlation helps locate dangerous hosts and attackers quickly
FortiAnalyzer Vulnerability Assessment
Centralized log server; centralized report engine; content log archiving; file quarantine and remediation; security event correlation (identifies related attacks and viruses per host); reports on the FortiAnalyzer can be viewed directly from the FortiGate management interface
FortiAnalyzer and FortiManager
FortiAnalyzer enhances log visibility
FortiAnalyzer provides an external, centralized solution
Security events: logs, reports, alerts; centralized content archiving, file quarantine, vulnerability assessment; forensic analysis; network traffic analysis
FortiRecorder Data Sheet

FortiRecorder 100D, 200D, 400D and VM
FortiRecorders solve your surveillance problems while streamlining the user experience. Place cameras to cover your entry points and critical areas such as point-of-sale terminals, warehouses, public areas and loading docks. Configure FortiRecorder for continuous or motion-based recording (or both). Alarms and notifications keep you aware of what is going on. An event timeline lets you find and review motion events quickly and easily.

Two ways to see: web-based interface or the advanced FortiRecorder Central app
FortiRecorder's web-based interface is one of the most sophisticated in the industry, with full controls for browsing past footage, setting alerts and monitoring a few cameras. Or choose the free FortiRecorder Central Windows application. It is a sleek, high-performance, easily customizable interface that delivers fast, intuitive access to real-time and recorded images. It is friendly and easy for casual users, but sophisticated enough for more intensive security installations that require constant monitoring of multiple cameras and recorders.

Camera freedom: use FortiCameras or third-party cameras
FortiCameras are tailor-made to work with FortiRecorder, with easy configuration and no additional license fees. But FortiRecorder also works with third-party ONVIF cameras, so you can choose specialty cameras when you need them.
(Figures: FortiRecorder web interface; FortiRecorder Central VMS)

Appliance or virtual: you choose
FortiRecorder is available as an appliance or a virtual machine, so you get the complete functionality in the format that works best for you. Choose the FortiRecorder 100D, 200D or 400D for ease of set-up right out of the box: plug in your FortiCameras, turn on the recorder and you are ready to go using your web browser or FortiRecorder Central. Or choose FortiRecorder-VM, with simple, stackable licenses and platform flexibility for IT-friendly environments and support for up to 1024 cameras. FortiRecorder-VM is supported on VMware vSphere Hypervisor, Microsoft Hyper-V, KVM, Citrix XenServer and Amazon AWS (on-demand).
(Figures: FortiRecorder 200D; FortiRecorder 100D; FortiRecorder 400D)

Order Information
Product | SKU | Description
F
ortiGate 94D-POE | FG-94D-POE | 24x 802.3af PoE ports
FortiSwitch 80-POE | FS-80-POE | 4x 802.3af PoE ports
FortiSwitch 124B-POE | FS-124B-POE | 12x 802.3af PoE ports
FortiSwitch 224B-POE | FS-224B-POE | 20x PoE ports
FortiSwitch 324B-POE | FS-324B-POE | 20x PoE and 4x PoE+ ports
Power Injector | GPI-115 | 1-port Gigabit PoE power injector, 802.3af, 15.4 W
FortiRecorder Central | free download | Video management system for Windows
FortiRecorder Mobile iOS app | free download | Monitor FortiRecorder from your iPhone or iPad
FortiRecorder Mobile Android app | free download | Monitor FortiRecorder from your Android device

Copyright © 2017 Fortinet, Inc. All rights reserved. FRC-DAT-R6-201703
Lumen SASE Solutions with Fortinet FortiAnalyzer (product overview)

Lumen SASE Solutions with Fortinet FortiAnalyzer
Key Features
• Security Fabric analytics with event correlation and real-time detection across all logs, with the Indicators of Compromise (IOC) service and detection of advanced threats
• Fortinet Security Fabric integration with FortiGate NGFWs, FortiClient, FortiSandbox, FortiWeb, FortiMail and others for deeper visibility and critical network insights
• Enterprise-grade high availability to automatically back up FortiAnalyzer databases (up to a four-node cluster), which can be geographically dispersed for disaster recovery
• Security automation to reduce complexity, leveraging the REST API, scripts, connectors and automation stitches to expedite security response and reduce time to detect
• Multi-tenancy with quota management, leveraging Administrative Domains (ADOMs) to separate customer data and manage domains for operational effectiveness and compliance
• Flexible deployment options as appliance, VM, hosted or public cloud. Use AWS, Azure or Google for cloud secondary archival storage

FortiAnalyzer is a powerful log management, analytics and reporting platform, providing organizations with single-pane orchestration, automation and response for simplified security operations, proactive identification and remediation of risks, and complete visibility of the entire attack surface. Integrated with the Fortinet Security Fabric, its advanced threat detection capabilities, centralized security analytics, and end-to-end security posture awareness and control help security teams identify and eliminate threats before a breach can occur.

Orchestrate security tools, people and processes for streamlined execution of tasks and workflows, incident analysis and response, and rapidly expedite threat detection, case creation and investigation, and mitigation and response. Automate workflows and trigger actions with fabric connectors, playbooks and event handlers to accelerate your network security team's ability to respond to critical alerts and events, plus service level agreement (SLA) tracking for regulation and compliance. Respond in real time to network security attacks, vulnerabilities and warnings of potential compromise, with threat intelligence, event correlation, monitoring, alerts and reporting for immediate tactical response and remediation.

Incident Detection and Response

Centralized NOC/SOC Visibility for the Attack Surface
The FortiSOC view helps teams in the security operations center (SOC) and network operations center (NOC) protect networks with access to real-time log and threat data in the form of actionable views with deep drill-down capabilities, notifications and reports, and predefined or customized dashboards for single-pane visibility and awareness. Analysts can use FortiAnalyzer workflow automation for simplified orchestration of security operations, management of threats and vulnerabilities and response to security incidents, or investigate proactively by looking for anomalies and threats in SIEM-normalized logs in the Threat Hunting view.

Event Management
The FortiAnalyzer Event Monitor enables security teams to monitor and manage alerts and events from logs. Events are processed and correlated into an easily readable format that analysts can act on immediately. Analysts can use the Event Monitor for investigative searches into alerts and use the predefined or custom event handlers for NOC and SOC, with customizable filters to generate real-time notifications for around-the-clock monitoring, including handlers for SD-WAN, SSL VPN, wireless, network operations, FortiClient and more.

Incident Management
The Incidents component in FortiSOC enables security operations teams to manage incident handling and life cycle, with incidents created from events to show affected assets, endpoints and users. Analysts can assign incidents, view and drill down on event details and incident timelines, add analysis comments, attach reports and artifacts, and review playbook execution details for a complete audit history. Integrate with FortiSOAR for further incident investigation and threat eradication, including support for exporting incident data to FortiSOAR through the FortiAnalyzer fabric connector (enabled on FortiSOAR with API admin setup).

Playbook Automation
FortiAnalyzer Playbooks boost a security team's ability to simplify investigation through automated incident response, freeing up resources and allowing analysts to focus on more critical tasks. Out-of-the-box playbook templates enable SOC analysts to quickly customize their use cases, including playbooks for investigation of compromised hosts, infections and critical incidents, data enrichment for the Fabric View Assets and Identity views, blocking of malware and C&C IPs, and more. Security teams can define custom processes, edit playbooks and tasks in the visual playbook editor, use the Playbook Monitor to review task execution details, import or export playbooks, and use the built-in connectors that let playbooks interact with other Security Fabric devices such as FortiOS and EMS.
The new connector health check provides an indicator for verifying that connectors are always up and working.Security ServicesInclude the FortiSOC subscription to enable further automation for incident response with enhanced alert monitoring and escalation, built-in incident management workflows, connectors, and many more FortiSOC playbooks.The FortiGuard Indicators of Compromise subscription empowers security teams with forensic data from 500,000 IOCs daily, used in combination with FortiAnalyzer analytics to identify suspicious usage and artifacts observed on the network or in an operations system, that have been determined with high confidence to be malicious infections or intrusions, and historicalrescan of logs for threat hunting.The Shadow IT monitoring service provides continuous monitoring usage of unapproved devices and resources, and unsanctioned accounts and unauthorized use of SaaS and IaaS, API integration, third party apps, and rogue users using personal accounts for managing company assets.The FortiGuard Outbreak alert service provides an automatic download of content packages withresources for detecting the latest malware and threats, including views for summary of outbreaks, kill chain mapping for how the malware works. 
FortiGatecoverage explains what FortiGate NGFW components and services will block the threats, and Fabric Coverage for leveraging the full Fabric security protection.Security Fabric AnalyticsAnalytics and ReportingSecurity teams are empowered with FortiAnalyzerautomation driven analytics and reports providing full visibility of network devices, systems, and users.FortiAnalyzer delivers correlated log data with threat intelligence for analysis of real-time and historical events, providing context and meaning to network activity, risks, and vulnerabilities, attack attempts, operational anomalies, and continuous monitoring of sanctioned and unsanctioned user activity and investigation of Shadow IT.Assets and IdentityFortiAnalyzer Fabric View with Asset and Identity monitoring provides full SOC visibility of users and devices, including analytics of the attack surface and enables analysts to view and manage detailed UEBA information collected from logs and fabric devices, with filters and custom views for refining results.The Assets & Identity views provide security teams with elevated visibility into an organization’sendpoints and users with correlated user and device information, vulnerability detections, and EMS tagging and asset classifications through telemetry with EMS, NAC, and Fortinet Fabric Agent.FortiView is a comprehensive monitoring solution that provides multilevel views and summaries of real-time critical alerts and information such as top threats and IOCs to your network including Botnet and C&C, top sources/destinations of network traffic, topapplications, websites and SaaS, VPN and System information, and other Fabric device intelligence.Monitors view provides operations teams withcustomizable NOC and SOC dashboards and widgets designed for display across multiple screens in the Operations Center. 
Monitor events in real-time through the pre-defined dashboard views for SD-WAN, VPN, Wi-Fi, Incoming/Outgoing Traffic,Applications and Websites, FortiSandbox Detections,Endpoint Vulnerabilities, Software Inventory, Threats, Shadow IT (monitoring service), Fabric State, and many more.Analysts can expand their investigation in Log View, with easy navigation of managed device logs using search filters, log drill down, formatted or raw logs, log import/export, plus define custom views and create log groups.With a FortiSOC license, a SIEM database isautomatically created to store normalized logs fordevices in Fabric ADOMs.FortiAnalyzer ReportsFortiAnalyzer provides over 60 report templates,800+ datasets, and 750+ charts that are ready-to-use with sample reports, including reports for Secure SD-WAN, VPN monitoring, threat assessments, 360 Security Reviews, situational awareness, self-harm and risk indicators, bandwidth and applications, FortiClient, FortiMail, FortiSandbox, FortiDeceptor, compliance, and many others.Analysts can easily customize, clone, and modify reports to their needs with filters by device, subnets, and type to deliver specific business metrics to target stakeholders. Schedule reports to run at non-peak hours or run on demand, define output profiles for notifications, and deliver reports in flexible viewing formats including PDF, HTML, CSV, and XML. DeploymentsDeploying FortiAnalyzerFortiAnalyzer HA provides real-time redundancy to protect organizations by ensuring continuous operational availability. In the event that the primary (active) FortiAnalyzer fails, a secondary (passive) FortiAnalyzer(up to four-node cluster) will immediately take over, providing log and data reliability and eliminating the risk of having a single point of failure.Multi-Tenancy with Flexible Quota Management FortiAnalyzer provides the ability to manage multiple sub-accounts with each account having its own administrators and users. 
The time-basedarchive/analytic log data policy, per Administrative Domain (ADOM), allows automated quota management based on the defined policy, with trending graphs to guide policy configuration and usage monitoring.Analyzer-Collector ModeFortiAnalyzer provides two operation modes: Analyzer and Collector. In Collector mode, the primary task is forwarding logs of the connected devices to an Analyzer and archiving the logs. This configuration greatly benefits organizations with increasing log rates, as the resource intensive log-receiving task is off-loaded to the Collector so that the Analyzer can focus on generating analytics and reports.Network operations teams can deploy multiple FortiAnalyzers in Collector and Analyzer modes to work together to improve the overall performance of log receiving and processing increased log volumes, providing log storage and redundancy, and rapid delivery of critical network and threat information. Log Forwarding for Third-Party Integration Forward logs from one FortiAnalyzer to another FortiAnalyzer unit, a syslog server, or (CEF) server. In addition to forwarding logs to another unit or server, the client FortiAnalyzer retains a local copy of the logs, which are subject to the data policy settings for archived logs. Logs are forwarded in real-time or near real-time as they are received from network devices.Trusted Platform Module (TPM) Encryption FortiAnalyzer G Series features a dedicated micro-controller module that hardens physical networking appliances by generating, storing, and authenticating cryptographic keys in TPM, with hardware-based security mechanisms that protect against malicioussoftware and phishing attacks.。
Application of Syslog in Enterprise Network Management (Wen Wei)

Ningxia Electric Power, 2009, No. 5

Abstract: Syslog, often called the system log or system record, can be used to manage computer systems and to perform security audits. Through the syslog records produced by servers running different operating systems (Unix/Linux) and by network devices such as routers and switches, network administrators can keep track of the security status of their systems at any time, and the records also provide the event evidence that a network security audit requires.

Keywords: syslog; network security; log configuration; network management; audit analysis
CLC number: TP393   Document code: B   Article ID: 1672-3643(2009)05-0042-04

WEN Wei (1), GUO Ling (2)
(1) Ningxia Electric Power Corporation Training Center, Yinchuan, Ningxia 750011, China; (2) Electric Power Research Institute of Ningxia Electric Power Corporation, Yinchuan, Ningxia 750011, China

Received: 2009-07-22. About the author: Wen Wei (born 1980), male, assistant engineer, working in network maintenance and management.
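The forwarding path described in the FortiAnalyzer datasheet above (logs sent to a syslog or CEF server and then matched by event handlers) and the syslog-based auditing this paper discusses both come down to the same two steps: parse a syslog-framed record, then evaluate rules over the parsed fields. The following is an added example written for this page, not code from FortiAnalyzer, Fortinet, Lumen or the paper's authors. It decodes the RFC 3164 PRI value into facility and severity, splits a CEF payload on unescaped pipes, parses the extension key=value pairs with their escapes, and runs a sliding-window rule that alerts after three failed admin logins from one source within 60 seconds. The sample lines are constructed; the vendor, product, signature IDs and event names in them are placeholders.

```python
"""Syslog-framed CEF parsing plus a sliding-window event-handler rule.
Added example; not FortiAnalyzer, Fortinet or Lumen code. SAMPLE_LINES are
constructed: vendor, product, signature IDs and event names are placeholders;
only the RFC 3164 framing and the CEF syntax are standard."""
import re
from collections import defaultdict, deque

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mon DD HH:MM:SS host payload  (BSD syslog framing, RFC 3164 section 4.1)
_SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d "
                        r"\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
_EXT_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")  # start of an extension key=value pair

def parse_pri(pri):
    """Decode PRI = facility * 8 + severity into names; reject out-of-range values."""
    pri = int(pri)
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0..191")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def _unescape(s):
    # CEF escapes: \\ -> \, \| -> |, \= -> =, \n and \r -> newline and CR
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)

def split_cef_header(payload):
    """Return the 7 CEF header fields and the raw extension. Only an unescaped '|'
    delimits header fields; pipes in the extension are literal, so stop after 7."""
    if not payload.startswith("CEF:"):
        raise ValueError("not a CEF payload")
    fields, cur, i = [], [], len("CEF:")
    while i < len(payload) and len(fields) < 7:
        c = payload[i]
        if c == "\\" and i + 1 < len(payload):
            cur.append(payload[i:i + 2])  # keep the escape pair for _unescape
            i += 2
        elif c == "|":
            fields.append(_unescape("".join(cur)))
            cur, i = [], i + 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, payload[i:]

def parse_cef_extension(ext):
    """Parse 'k1=v1 k2=v2 ...'; values may contain spaces and \\= escapes."""
    keys = [(m.start(1), m.end(), m.group(1)) for m in _EXT_KEY_RE.finditer(ext)]
    out = {}
    for n, (_kstart, vstart, key) in enumerate(keys):
        vend = keys[n + 1][0] if n + 1 < len(keys) else len(ext)
        out[key] = _unescape(ext[vstart:vend].strip())
    return out

def parse_event(line):
    """Normalize one forwarded syslog line into a flat event dict."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not RFC 3164 framing: %r" % line[:40])
    facility, severity = parse_pri(m.group("pri"))
    hdr, ext = split_cef_header(m.group("msg"))
    return {"facility": facility, "severity": severity, "host": m.group("host"),
            "timestamp": m.group("ts"), "vendor": hdr[1], "product": hdr[2],
            "signature_id": hdr[4], "name": hdr[5], "cef_severity": int(hdr[6]),
            "ext": parse_cef_extension(ext)}

def failed_login_handler(events, threshold=3, window_ms=60_000):
    """Alert once a source reaches `threshold` failed admin logins inside a
    sliding `window_ms` window (rt is CEF receipt time in epoch milliseconds)."""
    recent, alerts = defaultdict(deque), []
    for ev in events:
        if ev["name"] != "Admin login" or ev["ext"].get("outcome") != "failure":
            continue
        src, t = ev["ext"].get("src", "unknown"), int(ev["ext"]["rt"])
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window_ms:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, len(q)))
            q.clear()  # one alert per burst, then start counting again
    return alerts

# Constructed sample: three failures from 10.1.1.25 within 44 s, one failure from
# another host, then a config change whose name and msg field use CEF escapes.
_HDR = "faz-01 CEF:0|ExampleCo|ExampleFW|1.0|"
SAMPLE_LINES = [
    "<134>Mar 12 10:00:01 " + _HDR + "1001|Admin login|5|rt=1710237601000 src=10.1.1.25 suser=admin act=login outcome=failure",
    "<134>Mar 12 10:00:20 " + _HDR + "1001|Admin login|5|rt=1710237620000 src=10.1.1.25 suser=admin act=login outcome=failure",
    "<134>Mar 12 10:00:30 " + _HDR + "1001|Admin login|5|rt=1710237630000 src=192.0.2.7 suser=root act=login outcome=failure",
    "<134>Mar 12 10:00:45 " + _HDR + "1001|Admin login|5|rt=1710237645000 src=10.1.1.25 suser=admin act=login outcome=failure",
    "<132>Mar 12 10:01:02 " + _HDR + "1002|Config change \\| policy|3|rt=1710237662000 src=10.1.1.25 suser=admin act=modify msg=name\\=rule\\=1 outcome=success",
]
EVENTS = [parse_event(line) for line in SAMPLE_LINES]
ALERTS = failed_login_handler(EVENTS)

if __name__ == "__main__":
    print(ALERTS)
```

Two details matter in practice: header fields are split only on an unescaped pipe (a rule name such as "Config change \| policy" must stay one field), and the extension is scanned for key positions rather than split on spaces, because CEF values may legitimately contain spaces. The handler clears a source's window after alerting so one brute-force burst produces one alert rather than one per extra failure.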
Anheng Log Audit Parameters

What are Anheng log audit parameters?
Anheng (安恒) log audit parameters are the settings of the Anheng log audit system that are configured and managed so that the system runs correctly and meets the organization's security requirements.
Log auditing is an important security control: by collecting, analyzing and auditing the logs generated by systems, applications and network devices, an organization can detect and respond to security incidents in time and raise its level of protection.
Configuring these parameters covers log collection, storage, analysis and reporting. Sensible settings improve the performance and efficiency of the audit system and let it serve the organization's security needs better.

Why the parameters matter
Enterprises face increasingly complex and varied security threats, and security incidents are growing in both frequency and impact.
Configuring and managing the log audit parameters properly helps an enterprise respond to these threats and keep its information systems secure and stable. The importance of the parameters shows in four areas:

1. Timely detection of and response to security incidents
The Anheng log audit system collects and analyzes logs from systems, applications and network devices in real time; with the parameters set properly, abnormal behaviour and security incidents are detected as they happen.
Early detection lets the enterprise take countermeasures quickly and limits risk and loss.

2. Meeting compliance requirements
Every industry has its own compliance requirements, for example PCI DSS for organizations that handle payment card data and HIPAA in healthcare.
Configuring the audit parameters accordingly helps the enterprise satisfy these requirements and reduce compliance risk.

3. Better performance and efficiency
Well-chosen parameters improve the performance and efficiency of the system and avoid wasting resources.
For example, an appropriate log collection frequency and storage policy keeps the audit system from placing too heavy a load on the monitored systems.

4. Tracing and investigating security incidents
After an incident, analyzing the logs held in the audit system makes it possible to trace the incident back to its origin and reconstruct its course, giving the enterprise a basis for follow-up protection and investigation.

Configuring the parameters
The configuration should follow the enterprise's specific needs and circumstances. Some common recommendations:
1. Log collection parameters
- Choose the collection targets: operating systems, databases, applications, network devices and so on, according to the enterprise's actual situation.
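To make the storage-policy point concrete, here is an added example (not Anheng or FortiAnalyzer code) that models a time-based analytics/archive data policy with a storage quota, the kind of policy the FortiAnalyzer section above describes per ADOM and that the collection and storage guidance here calls for. The retention windows, quota and batch sizes are assumed values; the trimming order under quota pressure (oldest archive first, then oldest analytics) is this example's own choice, not documented vendor behaviour.

```python
"""Time-based analytics/archive data policy with a storage quota (simulation).

Added example, not FortiAnalyzer or Anheng code. Sizes are MB and ages whole
days. Retention windows and quota in the sample are assumed; the trimming
order under quota pressure (oldest archive first, then oldest analytics) is
this example's own choice, not documented vendor behaviour.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogBatch:
    device: str
    age_days: int     # 0 = received today
    size_mb: float


@dataclass(frozen=True)
class DataPolicy:
    quota_mb: float
    analytics_days: int   # indexed logs: searchable, feed reports and event handlers
    archive_days: int     # compressed raw logs kept for forensics and rescans

    def __post_init__(self):
        if self.analytics_days > self.archive_days:
            raise ValueError("analytics retention cannot exceed archive retention")
        if self.quota_mb <= 0:
            raise ValueError("quota must be positive")

    def tier_for(self, batch):
        """Age-based tier: analytics, archive-only, or expired (to be deleted)."""
        if batch.age_days > self.archive_days:
            return "expired"
        if batch.age_days > self.analytics_days:
            return "archive"
        return "analytics"


def apply_policy(batches, policy):
    """Classify batches by age, then trim until the retained volume fits the quota.

    Returns a plan with the batches kept in analytics, kept as archive only,
    expired by age, trimmed by quota, and the resulting used_mb."""
    plan = {"analytics": [], "archive": [], "expired": [], "trimmed": []}
    for b in sorted(batches, key=lambda b: b.age_days):
        plan[policy.tier_for(b)].append(b)
    used = sum(b.size_mb for b in plan["analytics"] + plan["archive"])
    while used > policy.quota_mb:
        tier = "archive" if plan["archive"] else "analytics"
        if not plan[tier]:
            break
        victim = plan[tier].pop()   # lists are age-ascending, so pop() is the oldest
        plan["trimmed"].append(victim)
        used -= victim.size_mb
    plan["used_mb"] = used
    return plan


def days_until_full(policy, used_mb, daily_ingest_mb):
    """Trend projection used to size quotas: days of headroom at the current rate."""
    if daily_ingest_mb <= 0:
        return None
    return max(0.0, (policy.quota_mb - used_mb) / daily_ingest_mb)


# Constructed sample: a small ADOM with a 1000 MB quota, 30 days of analytics
# and 90 days of archive retention.
POLICY = DataPolicy(quota_mb=1000, analytics_days=30, archive_days=90)
BATCHES = [
    LogBatch("fw-branch-1", age_days=1, size_mb=300),
    LogBatch("fw-branch-1", age_days=15, size_mb=300),
    LogBatch("fw-hq", age_days=45, size_mb=250),
    LogBatch("fw-hq", age_days=80, size_mb=200),
    LogBatch("fw-hq", age_days=120, size_mb=500),
]
PLAN = apply_policy(BATCHES, POLICY)

if __name__ == "__main__":
    for tier in ("analytics", "archive", "expired", "trimmed"):
        print(tier, [(b.device, b.age_days, b.size_mb) for b in PLAN[tier]])
    print("used_mb:", PLAN["used_mb"], "days until full at 30 MB/day:",
          days_until_full(POLICY, PLAN["used_mb"], 30))
```

With the sample data the 120-day batch expires by age, the two youngest batches stay indexed, and the 45- and 80-day batches are archive-only; since 1050 MB exceeds the 1000 MB quota, the oldest archive batch is trimmed first, leaving 850 MB in use. The point for configuration is that quota pressure, not only age, decides what survives, so the analytics window should be sized against the measured daily ingest rate.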
FortiAnalyzer
Centralized Logging and Analysis
Datasheet / Technical Specifications
Logging, reporting, alerting and content archiving for attacks

Information is power
As demand grows for web applications, multimedia, and new services such as VoIP and VoD, enterprise networks keep getting larger and more complex. Deploying and monitoring security policies, identifying and blocking new blended attacks, and complying with national regulations all call for strong logging and reporting. Viewing and recording network traffic and security information in real time is essential for finding and fixing network weaknesses, and logs of network events, utilization and content are vital both for predictive analysis and as evidence of compliance with national policy.

Real-time security management
FortiAnalyzer™ uses a dedicated hardware appliance to provide real-time network logging, analysis and reporting for FortiGate and third-party products. Many kinds of log content, including traffic, events, viruses, attacks, web content and email, are recorded, archived, filtered and mined. Numerous report types are built in, and users can define their own. FortiAnalyzer also provides security management functions such as file quarantine, event correlation, vulnerability assessment, traffic analysis, and content auditing of email, web, instant messaging and other file transfers.

Understanding a changing security environment
Not only are attacks becoming more sophisticated; new national policies and regulations have also tightened the requirements for deploying policies and monitoring data. FortiAnalyzer ships with several hundred report templates and also supports custom reports. Administrators are authorized through access-control lists, so administrators with different privileges can be defined as required.

Content logging and data mining
Aggregating and archiving logs from the network is essential for identifying attacks and managing network usage. Beyond real-time logging and reporting, FortiAnalyzer records user behaviour and network traffic in detail: activity can be tracked by user, protocol, source and destination, and the content of communications can be captured. Content logging is not only required by HIPAA and SOX; it also matters for protecting a company's intellectual property and knowledge assets.

Reporting for security management
As the central logging and reporting appliance, FortiAnalyzer copes with complex, changing environments. It captures detailed information about every type of attack and presents it in depth in reports, something a stand-alone firewall or IPS cannot do.

Detailed information
FortiAnalyzer mines the collected data to produce detailed reports that help administrators understand what is happening on the network. Real-time and historical logs and content can be viewed and correlated, so user behaviour can be tracked down to the content level.

Highlights
- The FortiAnalyzer series supports thousands of FortiGate and FortiClient units
- Logs cover traffic, events, viruses, attacks, web filtering and email filtering, meeting the requirements of regulations such as HIPAA
- Content data can be archived, for example email bodies, IM chats, file transfers, and virus-infected files
- Flexible deployment, for example low-end units at branch offices forwarding logs to a central unit
- Tight integration maximizes performance, and FortiAnalyzer can be managed from the FortiGate and FortiManager user interfaces

FortiAnalyzer logging and reporting features

Log aggregation and archiving
Logs are collected from many devices and reports are produced per user and user group, so administrators can proactively guard against attacks, prevent network abuse, manage bandwidth, monitor the websites visited, and enforce acceptable-use policy.

Data mining, trend and predictive analysis
Content archiving analyzes the various kinds of traffic on the network, for example the content of web, FTP, email and IM traffic, and produces reports. The security event summary shows identified improper traffic and the top talkers; the traffic summary shows the types of traffic on the network; reports point out the users consuming the most resources, information leakage, and acceptable-use violations.

Correlation analysis
The correlation tool tracks the content associated with a user name, email address or IM name. With FortiGuard web filtering, reports show the websites each user visited and those that were blocked.

Quarantine center
Quarantine settings are configured on the appliance and the list of quarantined files can be viewed.

Vulnerability scanning
The vulnerability scanner scans hosts and servers, for example mail servers, FTP servers and other UNIX and Windows hosts, for vulnerabilities, and produces reports showing which vulnerabilities each device has.

Log browser
The log browser shows the log files and messages of registered devices. All log files and messages are searchable and can be filtered to locate specific content.

Real-time log viewer
Network, traffic and user events are monitored in real time, which is essential for administrators who need to understand attacks, performance and user behaviour in depth. Information is displayed as it happens, so current network usage can be tracked, for example the source addresses and destination URLs of HTTP and IM traffic.

Attached tools: network analyzer
The network analyzer monitors traffic on the network attached to any FortiAnalyzer interface: it captures packets, stores them on disk, and displays them.

Typical applications
Small and medium business networks:
- FortiAnalyzer-100B: small networks with up to 10 devices
- FortiAnalyzer-400: medium networks with up to 200 devices
Enterprise, MSSP and carrier:
- FortiAnalyzer-800: medium networks with up to 250 devices
- FortiAnalyzer-2000: large networks with up to 500 devices
- FortiAnalyzer-4000: very large, MSSP or carrier-class networks with up to 1000 devices

Technical specifications

System functions
- Administrators defined by access-control lists
- Encrypted web management interface
- Encrypted and authenticated communication between FortiAnalyzer and FortiGate devices
- Alert output to a mail server; connect/synchronize; SNMP traps; syslog server support
- RAID support; view and change the RAID level; NAS mount
- Management module and management console; basic system settings; online help
- Add, modify and delete FortiGate devices; view device groups; view blocked devices
- View alerts and alert events; alert console; view FortiManager connection status
- View system information and resources, license information, statistics, operation log and session information
- Backup and restore; restore factory settings; format the log disk; change system settings and host name

Log analysis and reporting
- View, search and manage logs; automated log search; reports based on content tables
- More than 300 predefined report types, for example:
  - Attacks: by device, by hour of day, by category, by top source
  - Viruses: top viruses detected, viruses by protocol
  - Events: by firewall, all triggered events, triggered security events, security events by day of week
  - Email: top inbound and outbound users
  - Web: top web users, most-blocked websites, top users attempting to reach blocked websites
  - Bandwidth: top bandwidth users, bandwidth by day and by hour, bandwidth by protocol
  - Protocols: top protocols, top FTP users, top Telnet users
  - Websites visited per user
- Report options: type, format, time, output; optional output formats; on-demand reports; report browsing
- Logs aggregated to a central FortiAnalyzer; FortiClient-related reports

Content archiving and data mining
- All log analysis and reporting functions; view by traffic type
- View the content carried by HTTP (web URLs), FTP (file names), email (text) and IM (text)
- View security events, the traffic overview and the top talkers
- View email traffic, FTP traffic, and IM and P2P traffic; summary of filtered traffic; device overview
- Traffic reports include: events (audit of administrators), viruses detected, attacks (IPS), web content filtering, email filtering, content (web, email, IM)

Network analyzer
- Real-time and historical traffic views; definable traffic-analyzer logs; searchable network traffic logs

Log browser and real-time log viewer
- Real-time and historical log views; definable log viewer; log filtering, search and scrolling; web traffic view

Quarantine center: configure quarantine settings; view the list of quarantined files
Vulnerability scanning: configure scan tasks; run scans; view summary and detailed reports
Correlation analysis: track user behaviour by user name, email address or IM name
FortiGuard web filtering supported

Supported devices
- All Fortinet FortiGate devices
- FortiClient Mobile and FortiClient PC
- FortiManager
- Any syslog-compatible device

Hardware specifications

| Specification | FortiAnalyzer-100B | FortiAnalyzer-400 | FortiAnalyzer-800 | FortiAnalyzer-2000 |
|---|---|---|---|---|
| Dedicated hardware platform | Yes | Yes | Yes | Yes |
| Licensed network devices** | 10 | 200 | 250 | 500 |
| Licensed FortiClient units | 50 | 2000 | 2500 | 5000 |
| 10/100 Ethernet ports | 4 | 3 | 2 | 0 |
| 10/100/1000 Ethernet ports | 0 | 0 | 0 | 4 |
| Number of hard disks | 1 | 4 | 4 | 6 |
| Total disk capacity | 120 GB | 480 GB | 480 GB | 720 GB |
| RAID levels | None | 0, 1, 5 | 0, 1, 5 | 0, 1, 5, 10, 50 |
| LCD | No | Yes | | |
| Hot-swappable power supply | No | Yes | | |
| Dimensions (H × W × D) | 5 × 33.7 × 17.5 cm | 24.1 × 16.7 × 36.8 cm | | |
| Rack mountable | | | | |
| Weight | 2 kg | 10.4 kg | | |
| Input voltage | 100-240 VAC | 100-240 VAC | | |
| Input current | 0.8 A | 4 A | | |
| Operating temperature | | | | |
| Storage temperature | | | | |
| Humidity | | | | |
| Compliance | | | | |

** "Network devices" here means: (1) a FortiGate without virtual domains enabled; (2) where virtual domains are enabled, each virtual domain; (3) third-party syslog-compatible devices.

FortiCare Support Services
FortiCare Support Services include email technical support, the hardware warranty program, and FortiOS (operating system) upgrades, keeping the environment secure, protecting enterprise resources, and defending against the latest blended threats.
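The predefined report types listed in the datasheet (attacks by hour of day and by top source, bandwidth by user, viruses by protocol) are group-by aggregations over parsed log records. The following is an added example, not Fortinet code: it parses FortiGate-style key=value log lines, including quoted values with escaped quotes, and derives those datasets from them. The sample log lines are constructed; the field names follow the FortiOS key=value convention, but every value, device name and address is made up.

```python
"""Report datasets (top-N and per-hour counts) from FortiGate-style key=value logs.

Added example, not Fortinet code. SAMPLE_LOGS are constructed: the field names
follow the FortiOS key=value log convention, but every value, device name and
address is made up.
"""
import re
from collections import Counter

# key=value, or key="quoted value" which may contain spaces and \" escapes
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv_log(line):
    """Parse one key=value log line into a dict, unquoting quoted values."""
    rec = {}
    for key, val in _KV_RE.findall(line):
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')
        rec[key] = val
    return rec


def hour_of(rec):
    return int(rec["time"].split(":")[0])


def bytes_total(rec):
    return int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))


def traffic(records):
    return [r for r in records if r.get("type") == "traffic"]


def utm(records, subtype):
    return [r for r in records if r.get("type") == "utm" and r.get("subtype") == subtype]


def top_n(records, key, n=10, weight=None):
    """Rank distinct values of `key`; weight(rec) is each record's contribution
    (default 1, a plain count). Returns [(value, total), ...] descending."""
    totals = Counter()
    for r in records:
        if key in r:
            totals[r[key]] += weight(r) if weight else 1
    return totals.most_common(n)


def count_by(records, keyfn):
    """Histogram of keyfn(rec), as a dict sorted by key (e.g. hour 0..23)."""
    return dict(sorted(Counter(keyfn(r) for r in records).items()))


# Datasets matching the predefined report types named in the datasheet
def bandwidth_by_user(records, n=10):
    return top_n(traffic(records), "user", n, weight=bytes_total)


def attacks_by_hour(records):
    return count_by(utm(records, "ips"), hour_of)


def attacks_by_source(records, n=10):
    return top_n(utm(records, "ips"), "srcip", n)


def viruses_by_protocol(records):
    return count_by(utm(records, "virus"), lambda r: r.get("service", "unknown"))


# Constructed sample lines (FortiOS-style field names, invented values)
SAMPLE_LOGS = [
    'date=2024-03-12 time=09:15:00 devname="fw-hq" type="traffic" subtype="forward" level="notice" srcip=10.1.1.25 dstip=203.0.113.10 dstport=443 proto=6 service="HTTPS" user="alice" action="accept" sentbyte=1000 rcvdbyte=50000',
    'date=2024-03-12 time=10:05:00 devname="fw-hq" type="traffic" subtype="forward" level="notice" srcip=10.1.1.30 dstip=203.0.113.11 dstport=80 proto=6 service="HTTP" user="bob" action="accept" sentbyte=2000 rcvdbyte=10000',
    'date=2024-03-12 time=10:20:00 devname="fw-hq" type="traffic" subtype="forward" level="notice" srcip=10.1.1.25 dstip=203.0.113.12 dstport=443 proto=6 service="HTTPS" user="alice" action="accept" sentbyte=500 rcvdbyte=4500',
    'date=2024-03-12 time=10:21:07 devname="fw-hq" type="utm" subtype="ips" level="alert" severity="high" srcip=198.51.100.9 dstip=10.1.2.5 attack="SQL.Injection" action="dropped"',
    'date=2024-03-12 time=10:21:09 devname="fw-hq" type="utm" subtype="ips" level="alert" severity="high" srcip=198.51.100.9 dstip=10.1.2.5 attack="SQL.Injection" action="dropped"',
    'date=2024-03-12 time=23:40:00 devname="fw-branch" type="utm" subtype="ips" level="warning" severity="low" srcip=203.0.113.4 dstip=10.1.2.9 attack="Port.Scan" action="detected"',
    'date=2024-03-12 time=10:30:00 devname="fw-hq" type="utm" subtype="virus" level="warning" srcip=10.1.1.30 service="HTTP" virus="EICAR_TEST_FILE" action="blocked" filename="eicar \\"test\\".com"',
]
RECORDS = [parse_kv_log(line) for line in SAMPLE_LOGS]

if __name__ == "__main__":
    print("top bandwidth users:", bandwidth_by_user(RECORDS))
    print("attacks by hour:", attacks_by_hour(RECORDS))
    print("attacks by source:", attacks_by_source(RECORDS))
    print("viruses by protocol:", viruses_by_protocol(RECORDS))
```

The parser treats a quoted value as a single token even when it contains spaces or escaped quotes, which is where naive whitespace splitting of key=value logs goes wrong (file names and URLs are the usual victims). The aggregation helpers are deliberately generic: the same top_n and count_by produce every "top users / by hour / by protocol" dataset in the list above once the record filter and weighting function are chosen.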