Administration Guide

Setting up FortiAnalyzer
- Connecting to the GUI
  - FortiAnalyzer Setup wizard
  - Activating VM licenses
- Security considerations
- GUI overview
- Target audience and access level
- Initial setup
- FortiManager features
- Next steps
- Restarting and shutting down
FortiAnalyzer Key Concepts
- Operation modes
- Administrative domains
- Logs
- Log storage
- FortiView dashboard
Dashboards
- Customizing the status dashboard
- System Information widget
- System Resources widget
- License Information widget
- Unit Operation widget
- Alert Messages Console widget
- Log Receive Monitor widget
- Insert Rate vs Receive Rate widget
- Log Insert Lag Time widget
- Receive Rate vs Forwarding Rate widget
- Disk I/O widget
- Device widgets
- Restart, shut down, or reset FortiAnalyzer
- IOT dashboard
- Email metrics dashboard
- SOC dashboard
Device Manager
- ADOMs
- FortiClient EMS devices
- Unauthorized devices
- Using FortiManager to manage FortiAnalyzer devices
- Adding devices
- Managing devices
- Device groups
  - Adding device groups
  - Managing device groups
FortiView
- FortiView
- Monitors
- Enabling and disabling FortiView
Log View and Log Quota Management
- Types of logs collected for each device
- Log messages
- Log groups
- Log browse
- Log and file storage
Fabric View
- Asset Identity Center
- Subnets
Fortinet Security Fabric
- Adding a Security Fabric group
- Displaying Security Fabric topology
- Security Fabric traffic log to UTM log correlation
- Security Fabric ADOMs
- Enabling SAML authentication in a Security Fabric
Incidents & Events
- Incidents
- Event Monitor
- Event handlers
- Indicators
  - Managing indicators
  - Indicator enrichment
- Automation
- Outbreak Alerts
- SIEM log parsers
- FortiAnalyzer Security Automation Service
  - Security Automation Service objects
FortiAI
- Enabling administrator access to FortiAI
- Using FortiAI
- FortiAI data privacy
- FortiAI tokens
- FortiAI example tasks
Reports
- How ADOMs affect reports
- Predefined reports, templates, charts, and macros
- Logs used for reports
- How charts and macros extract data from logs
- How auto-cache works
- Generating reports
- Creating reports
- Managing reports
  - Organizing reports into folders
  - Importing and exporting reports
- Report template library
- Chart library
  - Creating charts
  - Managing charts
- Macro library
  - Creating macros
  - Managing macros
- Datasets
- Output profiles
  - Creating output profiles
  - Managing output profiles
- Report languages
- Report calendar
  - Viewing all scheduled reports
  - Managing report schedules
System Settings
- Logging Topology
- Network
- RAID Management
- Administrative Domains (ADOMs)
- Fabric Management
  - Creating or editing storage connectors
- Certificates
- Log Forwarding
- Log Fetching
- Event Log
  - Event log filtering
- Task Monitor
- Mail Server
- Syslog Server
  - Send local logs to syslog server
- Meta Fields
- Device logs
- File Management
- Miscellaneous Settings
- FortiGuard
Administrators
- Trusted hosts
- Monitoring administrators
- Disconnecting administrators
- Managing administrator accounts
- Administrator profiles
- Authentication
- Global administration settings
- Multi-factor authentication
  - Multi-factor authentication with FortiAuthenticator
    - Configuring FortiAuthenticator
    - Configuring FortiAnalyzer
  - Multi-factor authentication with FortiToken Cloud
High Availability
- Configuring HA options
- Monitoring HA status
  - If the primary unit fails
- Load balancing
- Upgrading the FortiAnalyzer firmware for an operating cluster
Collectors and Analyzers
- Configuring the Collector
- Configuring the Analyzer
- Fetching logs from the Collector to the Analyzer
Management Extensions
- FortiSIEM MEA
- FortiSOAR MEA
- Enabling management extension applications
  - CLI for management extensions
- Accessing management extension logs
- Checking for new versions and upgrading
Appendix A - Supported RFC Notes
Appendix B - Log Integrity and Secure Log Transfer
- Maximum TLS/SSL version compatibility
Appendix C - FortiAnalyzer Ansible Collection documentation
Appendix D - FortiAI token entitlements for FortiAnalyzer
Change Log

Home FortiAnalyzer 7.6.1 Administration Guide

7.6.1

FortiAI data privacy

FortiAnalyzer and FortiAI protects your data using a multi-layered approach of function callbacks, data masking, and a secure proxy.

Function Callback: Your prompts are sent to the large language model (LLM), which generates a query that FortiAnalyzer can understand. This query is then executed on your local host, ensuring that results are processed locally.

Data Masking: Sensitive information such as IP addresses, MAC addresses, and usernames are automatically masked before being sent to the LLM, as the model does not need this data to form the query. When the function call returns to the local host, the data is unmasked.

For example:

Prompt from Admin: "Give me the statistics of malware activities detected today from endpoint 192.168.50.20?"
Masked data sent from FortiAnalyzer: "Give me the statistics of malware activities detected today from endpoint 12.198.37.2?"

In this example, 12.198.37.2 is an auto-generated, irrelevant IP address based on the session cookie.

Note that different values are masked using different methods within FortiAnalyzer; for instance, IP addresses are masked differently than usernames. The masked values also depend on the session cookie, ensuring that every session uses a different key to mask and protect data.

FortiAI Proxy: All FortiAI prompts pass through the Fortinet FortiAI proxy before reaching the cloud, where additional checks are performed to ensure your data is protected.

Example

The Admin enters a prompt in the FortiAnalyzer FortiAI Assistant.

For example: "How much YouTube did 192.168.4.199 watch today?"

The question is passed through the FortiAI proxy. Sensitive data, such as the IP, is automatically masked before it leaves FortiAnalyzer.
The LLM analyzes the question, determining the correct function to answer the prompt.
The LLM sends the function callback through the FortiAI proxy to FortiAnalyzer.
FortiAnalyzer unmasks the data and queries the database according to the function callback.
FortiAnalyzer replies to the Admin in the FortiAI Assistant.

For example:

"Here are today's statistics for IP 192.168.4.199 access to YouTube based on the logs:
- Log Count: 1803
- Percentage of Total: 99.83%
- Total Sent Bytes: 10.5 MB
- Average Session Duration: 00h 01m 52s

If there is further need to protect data from administrators, including the FortiAI users, you can also use the Privacy Masking feature in administrator profiles. This feature allows you to encrypt and anonymize data for administrators, further protecting user privacy according to your requirements. For more information, see Privacy Masking.