New Features

FortiAnalyzer Federation

FortiAnalyzer 7.0.0 includes support for FortiAnalyzer Federation.

Configuring a FortiAnalyzer in supervisor mode provides an aggregated view of the devices, events, and incidents of each member FortiAnalyzer. Each member in the federation handles its own workloads and generates its own analytics.

This topic includes the following:
  • Device Manager
  • FortiSoC (Event Monitor, Incidents, Supervisor Local Events)
  • Configure FortiAnalyzer Federation in the CLI
  • Limitations

This example scenario includes one FortiAnalyzer supervisor and three FortiAnalyzer members.

Device Manager

To view member devices in the Device Manager:
  1. On the FortiAnalyzer Federation supervisor, go to Device Manager.
    The Device Manager lists all authorized member FortiAnalyzer device information as well as each member's registered devices and ADOMs.

    Each member FortiAnalyzer's tree can be expanded and collapsed. When a member's device status or information changes, the change is reflected on the supervisor in real time.

FortiSoC

FortiSoC includes the Event Monitor and Incidents panes.

Event Monitor

To view events from members in Event Monitor:
  1. On the FortiAnalyzer Federation supervisor, go to FortiSoC > Event Monitor > All Events.
    All events from members are synced to the supervisor and are organized in event groups with different time ranges. The default view lists event groups from the last day.
  2. Click an event group to view its associated events. You can drill down to check event details.

  3. Select an event and click View Log or Search in Log View.
    • View Log opens the log from the downstream member:

    • Search in Log View runs the search on the downstream member:

  4. Add filters to narrow results, including filters for the FortiAnalyzer member name and group.

Incidents

To view incidents created on members:
  1. On the FortiAnalyzer Federation supervisor, go to FortiSoC > Incidents.
    All incidents raised on members can be synced to the supervisor when the member connects to the supervisor. Newly generated events are synced in real time and updated on the supervisor.
  2. Double-click on an incident to view the incident analysis page.
    The incident analysis page displays detailed incident information.
  3. Check each attachment in the incident analysis page (Events, Reports, Affected Assets, etc). Attachments are synced from members to the supervisor.

Supervisor Local Events

To view supervisor local events:
  1. On the FortiAnalyzer Federation supervisor, go to FortiSoC > Event Monitor > Supervisor Local Events.
    Local events from the supervisor are displayed.

Configure FortiAnalyzer Federation in the CLI

To configure a FortiAnalyzer Federation supervisor:
  1. In the supervisor CLI, enable soc-fabric communication on the interface that members will connect to (port1 in this example). Note that set allowaccess replaces the interface's existing access list, so list any management protocols you still need (for example https and ssh) together with soc-fabric, or you can lock yourself out of the GUI and SSH:

    config system interface
        edit port1
            set allowaccess soc-fabric
        next
    end

  2. Enter the following commands to configure the supervisor. The name and psk are shared secrets that every member must present, so treat the psk like any other credential:

    config system soc-fabric
        set status enable
        set role supervisor
        set name <create the FortiAnalyzer Federation name>
        set psk <create the FortiAnalyzer Federation password>
        set port 6443
        set secure-connection enable
    end

    The port only needs to be set if you are not using the default value of 6443.

Multiple FortiAnalyzer devices can be configured as members. Each FortiAnalyzer in Analyzer mode must be individually configured as a member to participate in the FortiAnalyzer Federation.

To configure a FortiAnalyzer Federation member:
  1. In the member CLI, enable soc-fabric communication on the interface that reaches the supervisor (port1 in this example). As on the supervisor, set allowaccess replaces the existing access list, so include the management protocols you still need alongside soc-fabric:

    config system interface
        edit port1
            set allowaccess soc-fabric
        next
    end

  2. Enter the following commands to configure the member. The name, psk, and port must match the values configured on the supervisor:

    config system soc-fabric
        set status enable
        set role member
        set name <enter the FortiAnalyzer Federation name>
        set psk <enter the FortiAnalyzer Federation auth password>
        set supervisor ip <enter the IP/FQDN of the supervisor>
        set port 6443
        set secure-connection enable
    end

    The port only needs to be set if the supervisor is not using the default value of 6443.

Limitations

  • FortiAnalyzer Federation supports the creation of incidents, event handlers, and events on members, with centralized viewing from the supervisor.
  • FortiAnalyzer Federation supports log analysis, including Log View and Reports, on FortiAnalyzer Federation members.
  • Incidents on the FortiAnalyzer Federation supervisor are available in read-only mode.
  • FortiAnalyzers configured in high availability (HA) mode can join the FortiAnalyzer Federation as members. HA is not supported for FortiAnalyzer Federation supervisors.
  • All FortiAnalyzer Federation members must be configured with the same timezone settings as the supervisor.
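The following Python is an added example, not Fortinet's code and not part of this page. It models the supervisor and member settings from the CLI procedure above, renders the equivalent CLI for each unit, and pre-checks a planned federation against the constraints this page states: matching name, psk, and port on every member, soc-fabric allowed on the interface, secure-connection enabled, no HA on the supervisor, and the same timezone on members and supervisor. The hostnames, the 192.0.2.10 address, the federation name, and the psk are constructed placeholders; the timezone is treated as a free-form label rather than the CLI's timezone index.

```python
"""Render soc-fabric CLI and pre-check a planned FortiAnalyzer Federation.

Added example; all hostnames, addresses, names and the PSK are constructed.
"""
from dataclasses import dataclass

SOC_FABRIC_DEFAULT_PORT = 6443  # default communication port named on the page


@dataclass
class Faz:
    hostname: str
    role: str             # "supervisor" or "member"
    interface: str        # interface that carries soc-fabric traffic
    allowaccess: set      # full access list planned for that interface
    timezone: str         # free-form label for this example
    ha_enabled: bool
    fed_name: str
    psk: str
    port: int = SOC_FABRIC_DEFAULT_PORT
    secure_connection: bool = True
    supervisor_ip: str = ""   # members only


def render_cli(faz: Faz) -> str:
    """Emit the two CLI blocks from the procedure for one unit.

    allowaccess is written as the complete list because `set allowaccess`
    replaces whatever was there before.
    """
    access = " ".join(sorted(faz.allowaccess))
    lines = [
        "config system interface",
        f"    edit {faz.interface}",
        f"        set allowaccess {access}",
        "    next",
        "end",
        "config system soc-fabric",
        "    set status enable",
        f"    set role {faz.role}",
        f"    set name {faz.fed_name}",
        f"    set psk {faz.psk}",
    ]
    if faz.role == "member":
        lines.append(f"    set supervisor ip {faz.supervisor_ip}")
    if faz.port != SOC_FABRIC_DEFAULT_PORT:
        lines.append(f"    set port {faz.port}")
    state = "enable" if faz.secure_connection else "disable"
    lines.append(f"    set secure-connection {state}")
    lines.append("end")
    return "\n".join(lines)


def check_federation(supervisor: Faz, members: list) -> list:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings = []

    def flag(faz: Faz, msg: str) -> None:
        findings.append(f"{faz.hostname}: {msg}")

    if supervisor.role != "supervisor":
        flag(supervisor, "role must be supervisor")
    if supervisor.ha_enabled:
        flag(supervisor, "HA is not supported for a Federation supervisor")
    for faz in [supervisor, *members]:
        if "soc-fabric" not in faz.allowaccess:
            flag(faz, f"{faz.interface} does not allow soc-fabric")
        if not faz.secure_connection:
            flag(faz, "secure-connection is disabled")
    for m in members:
        if m.role != "member":
            flag(m, "role must be member")
        if m.fed_name != supervisor.fed_name:
            flag(m, "federation name differs from supervisor")
        if m.psk != supervisor.psk:
            flag(m, "psk differs from supervisor")
        if m.port != supervisor.port:
            flag(m, f"port {m.port} differs from supervisor port {supervisor.port}")
        if not m.supervisor_ip:
            flag(m, "supervisor ip not set")
        if m.timezone != supervisor.timezone:
            flag(m, f"timezone {m.timezone} differs from supervisor {supervisor.timezone}")
    return findings


# Constructed sample plan: one supervisor, three members (as in the scenario above).
PSK = "example-psk-CHANGE-ME"
SUPERVISOR = Faz("faz-sup", "supervisor", "port1", {"https", "ssh", "soc-fabric"},
                 "Europe/Berlin", False, "corp-fed", PSK)
MEMBERS = [
    # HA member: allowed, so no finding expected.
    Faz("faz-m1", "member", "port1", {"https", "ssh", "soc-fabric"}, "Europe/Berlin",
        True, "corp-fed", PSK, supervisor_ip="192.0.2.10"),
    # Forgot soc-fabric on the interface.
    Faz("faz-m2", "member", "port1", {"https", "ssh"}, "Europe/Berlin",
        False, "corp-fed", PSK, supervisor_ip="192.0.2.10"),
    # Wrong psk and a different timezone.
    Faz("faz-m3", "member", "port1", {"https", "ssh", "soc-fabric"}, "UTC",
        False, "corp-fed", "wrong-psk", supervisor_ip="192.0.2.10"),
]

if __name__ == "__main__":
    for unit in [SUPERVISOR, *MEMBERS]:
        print(f"# {unit.hostname}\n{render_cli(unit)}\n")
    for finding in check_federation(SUPERVISOR, MEMBERS):
        print("FINDING:", finding)
```

Run it as a script to print the CLI for every unit and the findings for the sample plan; with the constructed data it reports the missing soc-fabric access on faz-m2 and the psk and timezone mismatches on faz-m3, while the HA member faz-m1 passes.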