Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Configuring endpoint and end user data sources

You can configure the data sources used in the Asset Center and Identity Center to specify which sources are used to identify endpoints and end users. Data source modification is configured per ADOM.

The following data sources are configurable in FortiAnalyzer:

FortiGate Log

By default, the log identification of endpoints and end users is enabled for all devices and subnets. You can create rules to specify which FortiGate devices and which subnets are excluded in the data source.

Set the status to OFF to disable UEBA identification on the specified devices or all devices.

FortiClient Log

By default, the log identification of endpoints and end users is enabled for all devices. You can create rules to specify which FortiClient devices are excluded in the data source.

Set the status to OFF to disable identification of endpoints and end users from the specified devices or all devices.

FortiMail Log

By default, the log identification of endpoints and end users is disabled for all devices. You can create rules to specify which FortiMail devices and domains are included in the data source.

FortiWeb Log

By default, the log identification of endpoints and end users is enabled for all devices. You can create rules to specify which FortiWeb devices and which subnets are excluded in the data source.

Set the status to OFF to disable UEBA identification on the specified devices or all devices.

FortiNAC Log

By default, the log identification of endpoints and end users is enabled for all devices. You can create rules to specify which FortiNAC devices and which subnets can be excluded in the data source.

Set the status to OFF to disable UEBA identification on the specified devices or all devices.

EMS Connector

By default, the log identification of endpoints and end users is disabled for all EMS connectors. You can create rules to specify which EMS connectors can be included in the data source.

Note

Rules created for individual devices have priority over those created for "all devices".

You can configure the same data source multiple times when the device or connector is unique. When a conflict arises, you will see a message indicating the data source for that device already exists, and you will have the option to override the existing data source.

To configure data sources:
  1. Go to Fabric View > Identity Center/Asset Center> Tools > Data Sources.
    The Data Source Selection wizard opens. You can create, edit, and delete data sources.
  2. Click Create New to create a new data source.
  3. Configure your data source. Different fields appear for different data source types:
    Data Source

    Select the data source that you want to configure.

    Data sources include FortiGate Log, FortiClient Log, FortiMail Log, FortiWeb Log, FortiNAC Log, and EMS Connector.

    Depending on your selection, different configurable fields will appear below.

    Status

    Enable or disable the data source by setting the Status to ON or OFF.

    When the data source is disabled, FortiAnalyzer will not identify endpoints and end users in this ADOM from the devices, domains, or connectors configured in the data source.

    Devices

    Devices is only available when the data source is FortiGate Log, FortiClient Log, FortiMail Log, FortiWeb Log, or FortiNAC Log.

    Select All Devices or Specify to select individual devices.

    Exclude Subnets

    Exclude Subnets is only available when the data source is FortiGate Log, FortiWeb Log, or FortiNAC Log.

    Select subnets to be excluded from the data source selection. You can create subnets in Fabric View > Fabric > Subnets. See Subnets.

    Include Domains

    Include Domains is only available when the data source is FortiMail Log.

    Enter domains to be included in the data source selection.

    Connectors

    Connectors is only available when the data source is EMS Connector.

    Select an EMS connector to be included in the data source selection. See Creating or editing Security Fabric connectors.

  4. Click OK to save changes to the data source.
    Once created, you can edit and delete the data sources from the Data Source Selection wizard.

Configuring endpoint and end user data sources

You can configure the data sources used in the Asset Center and Identity Center to specify which sources are used to identify endpoints and end users. Data source modification is configured per ADOM.

The following data sources are configurable in FortiAnalyzer:

FortiGate Log

By default, the log identification of endpoints and end users is enabled for all devices and subnets. You can create rules to specify which FortiGate devices and which subnets are excluded in the data source.

Set the status to OFF to disable UEBA identification on the specified devices or all devices.

FortiClient Log

By default, the log identification of endpoints and end users is enabled for all devices. You can create rules to specify which FortiClient devices are excluded in the data source.

Set the status to OFF to disable identification of endpoints and end users from the specified devices or all devices.

FortiMail Log

By default, the log identification of endpoints and end users is disabled for all devices. You can create rules to specify which FortiMail devices and domains are included in the data source.

FortiWeb Log

By default, the log identification of endpoints and end users is enabled for all devices. You can create rules to specify which FortiWeb devices and which subnets are excluded in the data source.

Set the status to OFF to disable UEBA identification on the specified devices or all devices.

FortiNAC Log

By default, the log identification of endpoints and end users is enabled for all devices. You can create rules to specify which FortiNAC devices and which subnets can be excluded in the data source.

Set the status to OFF to disable UEBA identification on the specified devices or all devices.

EMS Connector

By default, the log identification of endpoints and end users is disabled for all EMS connectors. You can create rules to specify which EMS connectors can be included in the data source.

Note

Rules created for individual devices have priority over those created for "all devices".

You can configure the same data source multiple times when the device or connector is unique. When a conflict arises, you will see a message indicating the data source for that device already exists, and you will have the option to override the existing data source.

To configure data sources:
  1. Go to Fabric View > Identity Center/Asset Center> Tools > Data Sources.
    The Data Source Selection wizard opens. You can create, edit, and delete data sources.
  2. Click Create New to create a new data source.
  3. Configure your data source. Different fields appear for different data source types:
    Data Source

    Select the data source that you want to configure.

    Data sources include FortiGate Log, FortiClient Log, FortiMail Log, FortiWeb Log, FortiNAC Log, and EMS Connector.

    Depending on your selection, different configurable fields will appear below.

    Status

    Enable or disable the data source by setting the Status to ON or OFF.

    When the data source is disabled, FortiAnalyzer will not identify endpoints and end users in this ADOM from the devices, domains, or connectors configured in the data source.

    Devices

    Devices is only available when the data source is FortiGate Log, FortiClient Log, FortiMail Log, FortiWeb Log, or FortiNAC Log.

    Select All Devices or Specify to select individual devices.

    Exclude Subnets

    Exclude Subnets is only available when the data source is FortiGate Log, FortiWeb Log, or FortiNAC Log.

    Select subnets to be excluded from the data source selection. You can create subnets in Fabric View > Fabric > Subnets. See Subnets.

    Include Domains

    Include Domains is only available when the data source is FortiMail Log.

    Enter domains to be included in the data source selection.

    Connectors

    Connectors is only available when the data source is EMS Connector.

    Select an EMS connector to be included in the data source selection. See Creating or editing Security Fabric connectors.

  4. Click OK to save changes to the data source.
    Once created, you can edit and delete the data sources from the Data Source Selection wizard.