Configuring System Settings

The configuration section contains a variety of settings to configure your FortiRecorder.

Establishing the Time

For many features to work, including camera synchronization, scheduling, logging, and SSL/TLS-dependent features, the FortiRecorder system time must be accurate.

You can either manually set the FortiRecorder system time or configure the FortiRecorder appliance to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.

NTP is recommended to achieve better time accuracy. NTP requires that your FortiRecorder be able to connect to the Internet on UDP port 123. Adjust your firewall, if any, to allow these connections.

Later, when cameras are added to your surveillance system, your FortiRecorder synchronizes the camera clocks with its own to keep them in agreement.

To configure the system time

Go to System > Configuration > Time.
Either manually set the date and time or select to synchronize with NTP server.
Select Apply.

If you manually configured the time, or if you enabled NTP and the NTP query for the current time succeeds, the new clock time should appear in System time. (If the query reply is slow, you may need to wait a couple of seconds, then click Refresh to update the display in System time.)

Configuring system options

The options section contains a variety of general system configurations, such as system timeout periods, ports, and public access.

Go to System > Configuration > Options to configure the system idle timeout, the HTTP, HTTPS, SSH, Telnet, and FortiRecorder Central access ports, and the host name for public/remote access.

If you want remote access — connecting from a home or a branch office through the Internet to your FortiRecorder — for either using the web UI or snapshot notification video clips while you are out of the office, you must configure both your network and the FortiRecorder.

First, on your office’s firewall or Internet router, configure port forwarding and/or a virtual IP (VIP) to forward remote access connections from the Internet to your FortiRecorder’s private network IP.

Remote access opens ports and can weaken the strength of your network security. To prevent attackers on the Internet from gaining access to your surveillance system, configure your firewall or router to require authentication, restrict which IP addresses can use your port forward/virtual IP, and scan requests for viruses and hacking attempts.

If you are not sure what your network’s Internet address is, while connected to your office network, you can use an online utility such as: http://ping.eu/

Next, go to System > Configuration > Options and configure the following settings:

Setting Name	Description
Host name	Type either your network’s IP on the Internet, or its domain name, such as www.example.com. This is either your Internet router’s WAN IP, or a virtual IP (VIP) on your firewall whose NAT table will forward incoming connections from this public network IP to your FortiRecorder’s private network IP.
HTTP/ HTTPS Port number	Type the port number, such as 8080, on your public IP that your Internet router or firewall will redirect to your FortiRecorder’s listening port.

Setting Name

Description

Host name

Type either your network’s IP on the Internet, or its domain name, such as www.example.com.

This is either your Internet router’s WAN IP, or a virtual IP (VIP) on your firewall whose NAT table will forward incoming connections from this public network IP to your FortiRecorder’s private network IP.

HTTP/ HTTPS Port number

Type the port number, such as 8080, on your public IP that your Internet router or firewall will redirect to your FortiRecorder’s listening port.

FortiRecorder supports live streaming (HLS) for mobile devices. You can use the FortiRecorder Mobile drop-down menu to enable live streaming over HTTP or HTTPS.

Configuring mail server settings for notification emails

The mail server settings section contains configuration options for establishing a mail server you can use to send notifications.

The default mail relay server is notification.fortinet.net

To establish notification emails

Go to System > Configuration > Mail Server Settings.

Configure the following settings:

Setting Name	Description
Host name	Type the host name for the appliance. The default FortiRecorder host name is the appliance's serial number. The host name is customizable and can be up to 35 characters in length. It can include US-ASCII letters, numbers, hyphens, and underscores, but not spaces and special characters. The host name of the FortiRecorder appliance is used in multiple places: the subject line and content of notification emails. the command prompt of the CLI. the SNMP system name. For information about SNMP, see “SNMP traps & queries”. The get system status CLI command displays the full host name. If the host name is longer than 16 characters, the name may be truncated elsewhere and end with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed. For example, if the host name is FortiRecorder1234567890, the CLI prompt would be: FortiRecorder123~#
Use custom mail server	While the FortiRecorder can use a Fortinet mail server without any further configuration necessary, a custom mail server can be used instead of the Fortinet mail server (notification.fortinet.net ).
Mail server name	Type the fully-qualified domain name (FQDN) of your SMTP server, such as mail.example.com. If you do not have your own email server, this is often the name of your ISP’s SMTP relay, or a 3rd-party email server such as Yahoo! or Gmail.
Mail server port	Type the port number on which your email server or SMTP relay listens for connections from clients. The default varies by whether you enable Use SMTPS: disabled, it is port 25; enabled, it is port 465.
Use SMTPS	Enable to initiate SSL- and TLS-secured connections to the email server if it supports SSL/TLS. When disabled, SMTP connections from the FortiRecorder appliance’s built-in email client to the SMTP server will occur as clear text, unencrypted. This option must be enabled to initiate SMTPS-secured connections.
User name	Type the name of the account, such as jdoe or fortirecorder@example.com, that FortiRecorder will use to log in to the SMTP server.
Password	Type the password for the account on the SMTP server.
Authentication type	Select one of the following authentication methods: AUTO — Automatically detect and use the most secure SMTP authentication type supported by the email server. PLAIN — Provides an unencrypted, scrambled password. LOGIN — Provides an unencrypted, scrambled password. DIGEST-MD5 — Provides an encrypted MD5 hash of the password. CRAM-MD5 — Provides an encrypted MD5 hash of the password, with hash replay prevention, combined with a challenge and response mechanism.
Sender display name	If you want to customize the display name in the emails sent by the FortiRecorder, type the desired name that will displayed by the email clients. By default, the display name FortiRecorder is used.
Sender address	Type the sender email address (From:) that will appear in the SMTP header. The default email address is noreply@fortirecorder.com.

Select Apply.

Configuring FortiRecorder to send SMS messages

For FortiRecorder to send SMS messages, you must specify the SMS service providers.

To configure FortiRecorder to send SMS messages

Go to System > Configuration > SMS.
Configure the following settings:

Setting Name	Description
Service provider	Enter the SMS service provider name.
Description	Enter a short description of the provider.
Type	Select an SMS type: either SMTP or HTTP. For SMTP, enter the Email to, Email subject, and Email body information. You can use the following tags when filing the fields: {{:country_code}} represents the country code portion of the SMS number field in the user's configuration. {{:mobile_number}} represents the phone number portion of the SMS number field in the user's configuration. {{:message}} represents the text of the message. For HTTP, enter the following information: HTTP URL: the HTTP or HTTPS URL to contact to send SMS messages, for example, https://myprovider.com/sendsms). HTTP method: either Get or Post. HTTP/S Parameters: configure all the parameters and values required by the provider to send the SMS message. You can use the same tags that were available above for SMTP. If you select the Encrypt check-box in a parameter then the value will not be displayed in clear-text when viewing the configuration. The value will be sent as entered to the remote server which is why using HTTPS is recommended. For example, if your provider indicates that to send a message the syntax should look like the following: https://smsserver.com:8080/sendsms?api_id=1234&user=user&to=<phone_number>&text=<message>&password=<passwd> Then the settings might be: HTTP URL: https://smsserver.com:8080/sendsms HTTP Method: Get Parameters: api_id id user user to {{:country_code}}{{:mobile_number}} text {{:message}} password password (the encrypt checkbox should be selected so this will not show in clear-text when viewing the configuration)

Setting Name

Description

Service provider

Enter the SMS service provider name.

Description

Enter a short description of the provider.

Type

Select an SMS type: either SMTP or HTTP.

For SMTP, enter the Email to, Email subject, and Email body information.

You can use the following tags when filing the fields:

{{:country_code}} represents the country code portion of the SMS number field in the user's configuration.
{{:mobile_number}} represents the phone number portion of the SMS number field in the user's configuration.
{{:message}} represents the text of the message. For HTTP, enter the following information:
HTTP URL: the HTTP or HTTPS URL to contact to send SMS messages, for example, https://myprovider.com/sendsms).
HTTP method: either Get or Post.
HTTP/S Parameters: configure all the parameters and values required by the provider to send the SMS message. You can use the same tags that were available above for SMTP. If you select the Encrypt check-box in a parameter then the value will not be displayed in clear-text when viewing the configuration. The value will be sent as entered to the remote server which is why using HTTPS is recommended.

For example, if your provider indicates that to send a message the syntax should look like the following:

https://smsserver.com:8080/sendsms?api_id=1234&user=user&to=<phone_number>&text=<message>&password=<passwd>

Then the settings might be:

HTTP URL: https://smsserver.com:8080/sendsms

HTTP Method: Get

Parameters:

api_id id

user user

to {{:country_code}}{{:mobile_number}}

text {{:message}}

password password (the encrypt checkbox should be selected so this will not show in clear-text when viewing the configuration)

After configuring the SMTP server and the SMS service provider, configure the cameras to send notifications. For more information on configuring the cameras, see Configuring cameras to send notifications.

Configuring SNMP traps and queries

You can configure the FortiRecorder appliance’s simple network management protocol (SNMP) agent to allow queries for system information and to send traps (alarms or event messages) to the computer that you designate as its SNMP manager. In this way you can use an SNMP manager to monitor the FortiRecorder appliance.

Before you can use SNMP, you must activate the FortiRecorder appliance’s SNMP agent and add it as a member of at least one community. You must also enable SNMP access on the network interface through which the SNMP manager connects. (See “SNMP”.)

On the SNMP manager, you must also verify that the SNMP manager is a member of the community to which the FortiRecorder appliance belongs, and compile the necessary Fortinet-proprietary management information blocks (MIBs) and Fortinet-supported standard MIBs. For information on MIBs, see “MIB support”

Failure to configure the SNMP manager as a host in a community to which the FortiRecorder appliance belongs, or to supply it with required MIBs, will make the SNMP monitor unable to query or receive traps from the FortiRecorder appliance.

To configure the SNMP agent via the web UI

Add the MIBs to your SNMP manager so that you will be able to receive traps and perform queries. For instructions, see the documentation for your SNMP manager.
Go to System > Configuration > SNMP.

Configure the following:

Setting Name	Description
SNMP agent enable	Enable to activate the SNMP agent, so that the FortiRecorder appliance can send traps for the communities in which you enabled queries and traps. To receive queries, also SNMP on a network interface.
Description	Type a comment about the FortiRecorder appliance, such as dont-reboot. The description can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).
Location	Type the physical location of the FortiRecorder appliance, such as floor2. The location can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).
Contact	Type the contact information for the administrator or other person responsible for this FortiRecorder appliance, such as a phone number (555-5555) or name (jdoe). The contact information can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

Select Apply.
Create at least one SNMP community to define which hosts are allowed to query, and which hosts will receive traps. See "Configuring an SNMP community".

Configuring an SNMP community

An SNMP community is a grouping of equipment for network administration purposes. You must configure your FortiRecorder appliance to belong to at least one SNMP community so that community’s SNMP managers can query the FortiRecorder appliance’s system information and receive SNMP traps from the FortiRecorder appliance.

On FortiRecorder, SNMP communities are also where you enable the traps that will be sent to that group of hosts.

You can add up to three SNMP communities. Each community can have a different configuration for queries and traps, and the set of events that trigger a trap. You can also add the IP addresses of up to 8 SNMP managers to each community to designate the destination of traps and which IP addresses are permitted to query the FortiRecorder appliance.

To add an SNMP community via the web UI

Go to System > Configuration > SNMP.
If you have not already configured the agent, do so before continuing.
Under Community, select New.

Configure the following settings:

Setting Name	Description
Name	Type the name of the SNMP community to which the FortiRecorder appliance and at least one SNMP manager belongs, such as public. The FortiRecorder appliance will not respond to SNMP managers whose query packets do not contain a matching community name. Similarly, trap packets from the FortiRecorder appliance will include community name, and an SNMP manager may not accept the trap if its community name does not match. Caution: Fortinet strongly recommends that you do not add FortiRecorder to the community named public. This popular default name is well-known, and attackers that gain access to your network will often try this name first.
Enable	Enable this community entry.
Community Hosts: IP Address	Type the IP address of the SNMP manager that, if traps or queries are enabled in this community: will receive traps from the FortiRecorder appliance will be permitted to query the FortiRecorder appliance SNMP managers have read-only access. You can add up to 8. To allow any IP address using this SNMP community name to query the FortiRecorder appliance, enter 0.0.0.0. For security best practice reasons, however, this is not recommended. Caution: FortiRecorder sends security-sensitive traps, which should be sent only over a trusted network, and only to administrative equipment. Note: If there are no other host IP entries, entering only 0.0.0.0 effectively disables traps because there is no specific destination for trap packets. If you do not want to disable traps, you must add at least one other entry that specifies the IP address of an SNMP manager.
Queries	Type each port number (161 by default) on which the FortiRecorder appliance listens for SNMP queries from the SNMP managers in this community, then enable it. Port numbers vary by SNMP v1 and SNMP v2c.
Traps	Type each port number (162 by default) that will be the source (Local) port number and destination (Remote) port number for trap packets sent to SNMP managers in this community, then enable it. Port numbers vary by SNMP v1 and SNMP v2c.
SNMP Event	Enable the types of SNMP traps that you want the FortiRecorder appliance to send to the SNMP managers in this community. System events (system reboot, system reload, system upgrade, log disk formatting, and video disk formatting) Remote storage event Interface IP change Camera events (enabling, disabling, communication failure, recording failure, IP change, and camera reboot) While most trap events are described by their names, the following events occur when a threshold has been exceeded: CPU Overusage Memory Low Log Disk Usage Threshold Video Disk Usage Threshold To configure their thresholds, see “To configure the SNMP agent via the web UI”. For more information on supported traps and queries, see “MIB support”.

Select OK.
To verify your SNMP configuration and network connectivity between your SNMP manager and your FortiRecorder appliance, be sure to test both traps and queries (assuming you have enabled both). Traps and queries typically occur on different port numbers, and therefore verifying one does not necessarily verify that the other is also functional. To test queries, from your SNMP manager, query the FortiRecorder appliance. To test traps, cause one of the events that should trigger a trap.

Configuring SNMP v3 users

If your SNMP manager supports SNMP v3, you can specify which of its user accounts is permitted to access information about your FortiRecorder appliance. This provides greater granularity of control over who can access potentially sensitive system information.

To specify access for an SNMP user via the web UI

Go to System > Configuration > SNMP.
If you have not already configured the agent, do so before continuing. See “To configure the SNMP agent via the web UI”.
Expand the user section and select New.

Configure the following settings:

Setting Name	Description
User name	Enter the name of the SNMP user. This must match the name of the account as it is configured on your SNMP manager. You can add up to sixteen users.
Enable	Enable this user entry.
Security level	Choose one of the three security levels: No authentication, no privacy — Causes SNMP v3 to behave similar to SNMP v1 and v2, which provides neither secrecy nor guarantees authenticity, and therefore is not secure. This option should only be used on private management networks. Authentication, no privacy — Enables authentication only, guaranteeing the authenticity of the message, but not safeguarding it from eavesdropping. Also configure Authentication protocol. Authentication, privacy — Enables both authentication and encryption, guaranteeing authenticity as well as secrecy. Also configure Privacy protocol.
Authentication protocol	Select either SHA-1 or MD5 hashes for authentication. Also configure a salt in Password. Both the protocols and passwords on the SNMP manager and FortiRecorder must match.
Privacy protocol	Select either AES or DES encryption algorithms. Also configure a salt in Password. Both the protocols and passwords on the SNMP manager and FortiRecorder must match.

Similar to configuring the SNMP community, configure the other settings to specify the trap recipient IP, allowed query source IPs, and trap events (see “Configuring an SNMP community”).
Select OK.
To verify your SNMP configuration and network connectivity between your SNMP manager and your FortiRecorder appliance, be sure to test both traps and queries (assuming you have enabled both). Traps and queries typically occur on different port numbers, and therefore verifying one does not necessarily verify that the other is also functional. To test queries, from your SNMP manager, query the FortiRecorder appliance. To test traps, cause one of the events that should trigger a trap.

MIB support

The FortiRecorder SNMP agent supports the following management information blocks (MIBs):

MIB or RFC	Description
Fortinet Core MIB	This Fortinet-proprietary MIB enables your SNMP manager to query for system information and to receive traps that are common to multiple Fortinet devices.
FortiRecorder MIB	This Fortinet-proprietary MIB enables your SNMP manager to query for FortiRecorder-specific information and to receive FortiRecorder-specific traps.
RFC-1213 (MIB II)	The FortiRecorder SNMP agent supports MIB II groups, except: There is no support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10). Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP, and so on.) do not accurately capture all FortiRecorder traffic activity. More accurate information can be obtained from the information reported by the FortiRecorder MIB.
RFC-2665 (Ethernet-like MIB)	The FortiRecorder SNMP agent supports Ethernet-like MIB information, except the dot3Tests and dot3Errors groups.

You can obtain these MIB files from the Fortinet Technical Support web site, https://support.fortinet.com/.

To communicate with your FortiRecorder appliance’s SNMP agent, you must first compile these MIBs into your SNMP manager. If the standard MIBs used by the SNMP agent are already compiled into your SNMP manager, you do not have to compile them again.

To view a trap or query’s name, object identifier (OID), and description, open its MIB file in a plain text editor.

All traps sent include the message, the FortiRecorder appliance’s serial number, and host name.