In this recipe, you will add a FortiAnalyzer to a network that is already configured as a Cooperative Security Fabric (CSF). This will simplify network logging by storing and displaying all log information in one place.
This recipe is part of the Cooperative Security Fabric collection. It can also be used as a standalone recipe.
In this example, a FortiGate called External is the upstream FortiGate. There are also two ISFWs, called Accounting and Marketing. OSPF routing is used between the FortiGates in the CSF.
1. Connecting the External FortiGate and the FortiAnalyzer |
|
|
In this example, the External FortiGate’s port 16 will connect to port 2 on the FortiAnalyzer. |
|
|
On the External FortiGate, go to Network > Interfaces and edit port 16. Set an IP/Network Mask for the interface (in the example, 192.168.55.2). Configure Administrative Access to allow FortiTelemetry, required for communication between devices in the CSF. Configure other services as required. |
 |
| On the FortiAnalyzer, go to System Settings > Network, select All Interfaces, and edit port2. Set IP/Netmask to an internal IP (in the example, 192.168.55.10/255.255.255.0). |  |
| Connect the External FortiGate and the FortiAnalyzer. | |
| On the FortiAnalyzer, go to System Settings > Network. Port 2 is now shown as the management interface. Add a Default Gateway, using the IP address of the External FortiGate’s port 16. |  |
2. Configuring OSPF routing to the FortiAnalyzer |
|
| On the External FortiGate, go to Network > OSPF and create a new Network. Set IP/Netmask to 192.168.55.0/255.255.255.0 (the subnet that includes FortiAnalyzer’s port 2) and Area to 0.0.0.0. |  |
3. Allowing internal FortiGates to access the FortiAnalyzer |
|
| On the External FortiGate, go to System > Feature Select. Under Additional Features, select Multiple Interface Policies. |  |
|
Go to Policy & Objects > IPv4 Policy and create a policy allowing the internal FortiGates (Accounting and Marketing) to access the FortiAnalyzer. Do not enable NAT. |
 |
4. Sending log information to the FortiAnalyzer |
|
|
On the FortiAnalyzer, go to Device Manager and add a device. Enter all information about the External FortiGate, then select Next. |
 |
|
The FortiAnalyzer will now add the device. |
 |
| The External FortiGate is now listed on the FortiAnalyzer. |  |
|
On the External FortiGate, go to Log & Report > Log Settings. Under Remote Logging and Archiving, enable Send Logs to FortiAnalyzer/FortiManager. Enter the IP Address of the FortiAnalyzer. |
 |
|
In this example, logs will be uploaded in Realtime because there is no bandwidth limitations. Also, since log traffic is occurring within the CSF, encryption is not enabled. |
|
|
Select Test Connectivity to view information about the connection.
|
 |
|
Under GUI Preferences, select Display Logs From FortiAnalyzer. |
 |
| Repeat this process on both the Accounting and Marketing FortiGates. | |
5. Results |
|
| All three FortiGates are listed in the FortiAnalyzer’s Device Manager. |  |
| Go to FortiView > System > System Events. Events from all FortiGates in the CSF are shown, allowing you to have a complete view of the network. |  |
| You can select a type of System Event, such as System performance statistics, to view information about the individual events. Events are shown from all three FortiGates (the Device ID shown for each FortiGate is that unit’s serial number). |  |
The post Adding FortiAnalyzer to a security fabric appeared first on Fortinet Cookbook.