Deployment Guide

FortiAnalyzer Federation 7.0.0

FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

April 22, 2021

FortiAnalyzer Federation 7.0.0 Deployment Guide
05-700-711439-20210422
 TABLE OF CONTENTS

Change Log 4
Introduction 5
FortiAnalyzer Federation roles 5
Deployment 7
Configuring the FortiAnalyzer Federation 7
Configuring a supervisor 7
Configuring a member 8
Deployment architecture 9
Using the FortiAnalyzer Federation supervisor 10
Device Manager 10
Event Monitor 11
All Events 11
Supervisor Local Events 12
Incidents 12
FortiAnalyzer Federation limitations 14

FortiAnalyzer Federation 7.0.0 Deployment Guide 3

Fortinet Technologies Inc.
Change Log

Change Log

Date Change Description

2021-04-22 Initial release.

FortiAnalyzer Federation 7.0.0 Deployment Guide 4

Fortinet Technologies Inc.
Introduction

Introduction

The FortiAnalyzer Federation enables centralized viewing of devices, incidents, and events across multiple
FortiAnalyzers acting as members. In this mode, FortiAnalyzer Federation members form a Fabric with one
device operating in supervisor mode as the root device. Incident and event information is synced from members
to the supervisor using the API.
The FortiAnalyzer Federation device operating as the supervisor includes the following modules:

Device Manager Displays FortiAnalyzer Federation members with their ADOMs and
authorized logging devices.

FortiSoC Displays the Event Monitor and Incidents panes. Administrators can view
incidents and events created on member FortiAnalyzer Federation.

System Settings Configure the settings for the FortiAnalyzer supervisor.

See the FortiAnalyzer Administration Guide.

Management Extensions Enables supported management extension applications.

See the FortiAnalyzer Administration Guide.

For information on the modules available as a FortiAnalyzer Federation member, see the FortiAnalyzer
Federation Administration Guide.

FortiAnalyzer Federation roles

FortiAnalyzer Federation includes two operation modes, including supervisor and member.
l Supervisors acts as the root device in the FortiAnalyzer Federation. SOC administrators can use the
supervisor to view member devices and their ADOMs and authorized logging devices, as well as incidents
and events created on members.
l Members are devices in the FortiAnalyzer Federation that send information to the supervisor for centralized
viewing. When configured as a member, FortiAnalyzer devices continue to have access to the

FortiAnalyzer Federation 7.0.0 Deployment Guide 5

Fortinet Technologies Inc.
Introduction

FortiAnalyzer features identified in the FortiAnalyzer Administration Guide. Incidents and events are
created or raised from each member.

FortiAnalyzer Federation 7.0.0 Deployment Guide 6

Fortinet Technologies Inc.
Deployment

Deployment

This section includes the following topics:

l Configuring the FortiAnalyzer Federation on page 7
l Deployment architecture on page 9

Configuring the FortiAnalyzer Federation

To configure a FortiAnalyzer Federation, you must configure a supervisor, one or more members, and enable
soc-fabric communication on the interfaces being used.
l Configuring a supervisor on page 7
l Configuring a member on page 8

All FortiAnalyzer Federation members must be configured with the same timezone
settings as the supervisor.

Configuring a supervisor

To configure a supervisor:

1. In the FortiAnalyzer Federation supervisor CLI, enter the following commands to enable soc-fabric
communication:
config system interface
edit <interface used for soc-fabric communication>
set allowaccess soc-fabric (enable other types of interface access as
needed, for example https)
2. Enter the following commands to configure the supervisor:
config system soc-fabric
set status enable
set role supervisor
set name <create the FortiAnalyzer Federation name>
set psk <create the FortiAnalyzer Federation password>
set port 6443 <set the communication port if not using the default one>
set secure-connection {enable | disable}
next
end

FortiAnalyzer Federation 7.0.0 Deployment Guide 7

Fortinet Technologies Inc.
Deployment

Configuring a member

FortiAnalyzer Federation allows multiple FortiAnalyzers to act as fabric members. Each FortiAnalyzer in
Analyzer mode must be individually configured as a member to participate in the FortiAnalyzer Federation.

To configure a member:

1. In the FortiAnalyzer Federation member CLI, enter the following commands to enable soc-fabric
communication:
config system interface
edit <interface used for soc-fabric communication>
set allowaccess soc-fabric (enable other types of interface access as
needed, for example https)
2. Enter the following commands to configure the member:
config system soc-fabric
set status enable
set role member
set name <enter the FortiAnalyzer Federation Name>
set psk <enter the FortiAnalyzer Federation auth password>
set supervisor <enter the IP/FNDN of the supervisor>
set port 6443 <set the communication port if not using the default one>
set secure-connection {enable | disable}
next
end

FortiAnalyzer Federation 7.0.0 Deployment Guide 8

Fortinet Technologies Inc.
Deployment

Deployment architecture

The following is an example of the topology that can make up the FortiAnalyzer Federation, with the supervisor
acting as the root device, and multiple FortiAnalyzer Federation members sending information to the supervisor
through the API. Information can be sent from a FortiAnalyzer operating as a Collector to an Analyzer before
being synced to the supervisor. The FortiAnalyzer Federation is ideal for use in high volume environments with
many FortiAnalyzers.

FortiAnalyzer Federation 7.0.0 Deployment Guide 9

Fortinet Technologies Inc.
Using the FortiAnalyzer Federation supervisor

Using the FortiAnalyzer Federation supervisor

The FortiAnalyzer Federation supervisor includes the following features:

l Device Manager on page 10
l Event Monitor on page 11
l Incidents on page 12

Device Manager

In the FortiAnalyzer Federation supervisor, the Device Manager is used to collect and display information from
members. You can expand each member to view its ADOMs and authorized logging devices. The
Device Manager displays information about device storage, logging rates, and the current real time log status of
devices.
Device filtering can be performed by searching for device information using the search field. For example, you
can search "FortiGate" to view all FortiGate devices, or "100D" to view only FortiGate 100D models.

Device Manager includes the following information for each FortiAnalyzer Federation member:

Name The name of the FortiAnalyzer Federation member.

Serial Number The device's serial number.

Platform The device's platform.

Firmware Version The device's firmware version.

Max Storage The total maximum storage.

FortiAnalyzer Federation 7.0.0 Deployment Guide 10

Fortinet Technologies Inc.
Using the FortiAnalyzer Federation supervisor

Analytics Usage (Used/Max) The analytics for log storage usage, displaying the total amount used
against the maximum available.

FortiAnalyzer Federation member ADOMs are displayed below each member. Each ADOM includes their
authorized logging devices. The following information is displayed for each device and VDOM:

Device Name The name of the device.

IP Address The IP address of the device.

Platform The platform of the device.

Logs The real time log status.

A green circle indicates that logs are being sent. A red circle indicates that
logs are not being sent. The status indicator will turn from green to red when
logs have not been sent for 15 minute or longer.

Average Log Rate The average log rate per second. This information is only available when
(Logs/Sec) the device is sending logs in real time.

Device Storage The amount of storage used by the device or VDOM.

Event Monitor

On the FortiAnalyzer Federation supervisor, the event monitor includes All Events and Supervisor Local Events
panes.
l All Events on page 11
l Supervisor Local Events on page 12

All Events

The All Events pane displays events created on each FortiAnalyzer Federation member.
Event handlers must be configured on members for events to be viewable on the supervisor.
On the supervisor, events are organized into pages. You can configure the number of events that are displayed
per page and navigate between the pages by using the page navigation buttons at the bottom of the pane.
Apply filters by clicking Add Filter or by right-clicking within a column in the events table and selecting your
search parameters.

FortiAnalyzer Federation 7.0.0 Deployment Guide 11

Fortinet Technologies Inc.
Using the FortiAnalyzer Federation supervisor

Double-click an event line to view the event group details. Event group details displays events from members in
the FortiAnalyzer Federation. The member name and ADOM is displayed in the table.
To view log details, select an event in the event group and click View Log. You can drilldown further on each
result to view event details.
Click Search in Log View to perform a log view search using the selected event.

Supervisor Local Events

Supervisor Local Events shows local events from the FortiAnalyzer acting as supervisor in the FortiAnalyzer
Federation. Local events include events such as license validation, system time changes, reboots, and other
events that have occurred on the supervisor in the FortiAnalyzer Federation.

Incidents

On the supervisor, Incidents displays all incidents created on FortiAnalyzer Federation members.
Incidents contain event details, as well as information helpful for administrator analysis. From the incident's
analysis page, administrators can view incidents, audit history, and attached reports, events, and comments.

FortiAnalyzer Federation 7.0.0 Deployment Guide 12

Fortinet Technologies Inc.
Using the FortiAnalyzer Federation supervisor

Incident information syncs from members to the supervisor. New incidents can only be
raised on FortiAnalyzer Federation members.

Double-click on an incident to view the incident analysis page. The incident analysis page indicates the
FortiAnalyzer and ADOM that the incident was created on. For more information on the options available to
SOC analysists, see the FortiAnalyzer Administration Guide.

FortiAnalyzer Federation 7.0.0 Deployment Guide 13

Fortinet Technologies Inc.
FortiAnalyzer Federation limitations

FortiAnalyzer Federation limitations

FortiAnalyzer Federation includes the following limitations in 7.0.0:

l FortiAnalyzer Federation supports the creation of incidents, event handlers, and events on members with
centralizing viewing from the supervisor.
l FortiAnalyzer Federation supports log analysis, including LogView and Reports, on FortiAnalyzer
Federation members.
l Incidents on the FortiAnalyzer Federation supervisor are available in read-only mode.
l FortiAnalyzers configured in high availability (HA) mode can join the FortiAnalyzer Federation as members.
HA is not supported for FortiAnalyzer Federation supervisors.

FortiAnalyzer Federation 7.0.0 Deployment Guide 14

Fortinet Technologies Inc.
 www.fortinet.com

Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.