FortiAnalyzer
To set up data collection for the Security Fabric, you enable device detection on ISFW FortiGate devices and then connect the FortiAnalyzer to the Security Fabric.
Enable device detection on each ISFW FortiGate interface whose attached devices you want added to the Security Fabric. Only devices detected on those interfaces are shown in the Security Fabric topology views.
Connecting the FortiAnalyzer to the Security Fabric allows the Security Fabric to show historical data for the Security Fabric topology and logs for the entire Security Fabric.
Enable device detection on ISFW FortiGate devices
- In the ISFW FortiGate GUI, select Network > Interfaces.
- Select the interface that you want to enable device detection on.
- Select Edit and in the Networked Devices section, enable Device Detection.
- Select OK.
- Repeat this procedure for every interface that you want to enable device detection on.
Desynchronizing the FortiAnalyzer, FortiSandbox, and FortiManager
If you want to add devices manually, you can edit the Source IP for downstream FortiGate devices in the Central Management settings.
The Central Management settings are located in Security Fabric > Settings. However, if you change the Source IP, you must change the log settings to local.
If you don't want to automatically synchronize the configurations for FortiAnalyzer, FortiSandbox, and FortiManager, you can change the default system settings of the Security Fabric to use local settings.
To use local system settings - CLI:
config system csf
set configuration-sync local
end
Where you set the following variables:
| Option | Description |
|---|---|
| default | Synchronizes the configuration for FortiAnalyzer, FortiSandbox, and Central Management to the root FortiGate. |
| local | Doesn't synchronize the configuration with the root FortiGate, and you must configure settings individually. |
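To confirm both settings above from a configuration backup rather than the GUI, the following Python script (an added example, not Fortinet code and not part of the original page) reports which expected interfaces lack device detection and which configuration-sync mode is in effect. It assumes the GUI's Device Detection toggle is stored as `set device-identification enable` under `config system interface`; the sample backup, interface names, and function names are constructed for illustration.

```python
# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = '''\
config system interface
    edit "port2"
        set device-identification enable
    next
    edit "port3"
        set device-identification disable
    next
end
config system csf
    set status enable
    set configuration-sync local
end
'''

def parse_sections(text):
    """Return {section: {entry: {key: value}}}; settings outside 'edit' use entry ''."""
    sections, section, entry, depth = {}, None, "", 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # nested config blocks (depth > 1) are skipped
                section, entry = line[len("config "):], ""
                sections.setdefault(section, {})
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
        elif depth == 1 and line == "next":
            entry = ""
        elif depth == 1 and line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            sections[section].setdefault(entry, {})[key] = value.strip('"')
    return sections

def audit(text, expected):
    """Report expected interfaces lacking device detection, and the Fabric sync mode."""
    cfg = parse_sections(text)
    ifaces = cfg.get("system interface", {})
    missing = sorted(n for n in expected
                     if ifaces.get(n, {}).get("device-identification") != "enable")
    # Assumption: a backup that omits configuration-sync is using the default mode.
    sync = cfg.get("system csf", {}).get("", {}).get("configuration-sync", "default")
    return {"missing_device_detection": missing, "configuration_sync": sync}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, {"port2", "port3"}))
```

An interface that is expected but absent from the backup is reported as missing, so a typo in the expected list surfaces as a finding rather than passing silently.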
Connect the FortiAnalyzer to the Security Fabric
Ensure that all FortiGate devices in the Security Fabric are registered with the same FortiAnalyzer.
- In the FortiAnalyzer GUI, select System Settings > Network.
- Select All Interfaces.
- Select the port that connects to the root FortiGate.
- Select Edit.
- In the IP Address/Netmask field, enter the IP address used for the Security Fabric configuration on the root FortiGate.
- In the Default Gateway field, enter the IP address of the interface on the root FortiGate that the FortiAnalyzer connects to.
- Select OK.
- Select System Settings > Device Manager. The FortiGate devices are listed as Unregistered.
- Select the root FortiGate and the ISFW FortiGate devices in the Security Fabric.
- Select + Add Device. The FortiGate devices are now listed as Registered. A warning icon will appear beside the root FortiGate, because the FortiAnalyzer requires administrative access to the root FortiGate in the Security Fabric.
- In the Authentication window, complete the Admin User and Password fields to authenticate the Security Fabric. After the FortiAnalyzer authenticates the Security Fabric, the FortiAnalyzer shows the full Security Fabric topology.
You can verify that the FortiAnalyzer configuration is successful by selecting Security Fabric > Settings on the root and ISFW FortiGate devices. The Storage usage field in the FortiAnalyzer Logging section should now show storage usage information.
It is recommended that you create a user account for the FortiAnalyzer.