FortiManager and FortiAnalyzer Overview (FortiOS 6.2.3)

Captions
Today's video is going to cover the FortiManager and the FortiAnalyzer, and whether or not it's even worth looking at in your environment, so stay tuned.

Hey guys, Mike here from Fortinet Guru. Little disclaimer: I'm not associated with Fortinet, this isn't paid for by Fortinet, and I don't work for Fortinet. I actually compete with them; I slam their support regularly, so I get a lot of hate from them actually. So just know I don't work for them. This is just me telling you about products that I use to manage my clients.

So anyways, without further ado. I get, on almost a daily basis, people asking: Mike, tell me about FortiManager, tell me about FortiAnalyzer. What are they? Are they useful for you? Would they be useful for me? What environments are they good for? Things of that nature. Even things, especially on the FortiAnalyzer side of things, of: I already have, you know, syslog-ng or Kiwi or some various open-source logging system; is it worthwhile to have a FortiAnalyzer for my FortiGate and my FortiMail, etc.? I already use scripting and push out my stuff to my FortiGates via manual batch files and stuff like that; is the FortiManager worthwhile to me? And to tell you the truth, yeah. If you're using scripts manually and you're using open-source logging, man, you're just setting yourself up for failure. I'm not one to beat... actually, I don't beat a dead horse often, but one that I will continue to just kick while it's down is the fact that if you have more than 10 FortiGates and you expect any level of scalability, you better have these devices. And there's a couple reasons why; we'll dive in as we go over them. This video is going to be basically a high-level deep dive (a high-level deep dive, if that's anything true) on the FortiManager, whether or not it's worth it for you, and on the FortiAnalyzer and whether or not it's worth it to you. So we'll start with FortiManager.

All right, number one thing is: is it worthwhile? For those of you that don't know, much like the name leads you to believe, the FortiManager is for management. The sole purpose of that appliance is to manage other appliances or VMs, and it can do that on a very large scale, like up to 5,000 devices, 5,000 VDOMs, something like that. And basically it can control quite a large list of things: it can do FortiGate and FortiWiFi, it can do FortiCarrier, it can manage FortiMail, it can manage FortiAnalyzers, and it can even do the virtual versions of all of those, and, you know, FortiClient. So whereas most people think FortiClient EMS immediately for FortiClient, depending on the version you have, you can definitely run and manage FortiClient from it. Much like typical Fortinet hardware, it's able to be broken down into ADOMs, or administrative domains, so if you are a managed service provider you can deploy this in a manner where you can have multi-tenant; you can lease this as a service to your clients, which is very, very useful. You can also give various levels of administrative capability to your employees, or, you know, your subordinates or your colleagues, etc. So if you have little Timmy that's just now learning, maybe he doesn't get keys to the kingdom, but he can at least dive in and start looking, right? Whereas your tier-three guy has full run of the mill; he can do whatever he needs. I use both of these devices very, very heavily, and that is... I'm going to go ahead and tell you, I hated FortiManager when I first got with it. I am much more into Panorama, how Palo Alto does their centralized management side of things, but Fortinet's come a long way on FortiManager. As you learn the nuances and you kind of wrap your head around things, it really starts to click and make sense, and obviously once you harness that power it's just incredible. So that's the high level of the FortiManager; it lets you do all these wonderful things, right?

High level on the Analyzer is: it's centralized network security and reporting, and depending on the various licenses that you have, you can do something like indicators of compromise and get automated alerts on things that maybe your analysts can't look at, right? So FortiAnalyzer provides that single pane (I know, I hate it too) but that single pane of glass from a security perspective, where you could have all of your heads-up displays run off of, you know, this particular device, and your guys are able to scale because you have an appliance running through all the machine learning and all the events and the triggers and everything, to make it to where you only have to look into things that are relevant. It can give you things like network capacity, you know, utilization data. It has a security analysis report that we'll dive into. It fully integrates with FortiManager, which is smooth, and it's pretty efficient. A lot of the reports that come in the box are really all you need in order to help strengthen your security posture as a whole and to make things work for what you're looking at.

So right now we're going to dive in. We're going to take a look at the FortiManager first, then we're going to look at the FortiAnalyzer, and we'll see what's going on. So first things first: I have two virtual machines built in my lab, and one's a FortiManager, one's a FortiAnalyzer. Neither one of them has a FortiGate going to it yet, unless a friend of mine that I let play in the lab did. So let's log in to FortiManager first. You get a login screen much like you would on a FortiGate, so we just log in, and the first thing you're going to be brought to is this page. This is if you have a single ADOM, where like in the root ADOM or whatever comes out of the box, right? If you have multiple ADOMs, you'll actually get prompted before you make it to this page, asking you specifically which ADOM you want to control, and obviously if you're an account that only has access to a single ADOM, that's the only one you're going to see. But anyways, we have Device Manager, which, just like it sounds, has got all the devices listed; Policy and Objects, where you actually configure your policy sets, your address objects, you assign them to devices, etc.; your AP Manager (I wonder what that does, right? You know, it lets you manage your APs); VPN Manager, which is really cool; you could do mesh, hub and spoke, whatever. It basically does all the VPN configuration for you, but if you've seen any of my videos you know I like doing custom tunnels; this thing definitely uses the wizard, but it is what it is, it works. Fabric View, which has to do with how it ties in the various other third-party cloud applications, FortiGuard overall; FortiSwitch Manager, so you can manage templates and whatnot for your switches and deploy them at scale, en masse; SOC, that's your security operations center heads-up displays, if you will. They provide good stuff out of the box, but, you know, it can always be better. And then System Settings. This is a VM; the FortiManager is available in both hardware and in VM, so you have those options. I almost always deploy it as a VM, because then I can scale it on my hardware; I don't have to worry about anything going end of life or anything like that.

So first things first, we'll dive into Device Manager, as soon as it lets us in. So this is our Device Manager. If you had FortiGates, they would be listed here, and then of course they would also be listed here and here. Now the reason why they're listed in multiple spots is because you'll have groups here, so you can actually create groups and say this is my, you know, staging; create another group that's ready for deploy, or just deployable; and then you have another one that says production. And that's actually usually what I end up doing; I usually have at least three groups, sometimes four. I like to have a maintenance one, because once you get a laundry list of FortiGates in here, you end up in a situation where it's kind of hard to keep up with what you've done to what if you're doing maintenance on them. Obviously you'll be able to see the configuration status, the policy status, etc. But yeah, so you can group these devices based on group, and a device can be a member of multiple groups, so it's pretty powerful there.

On this right pane here, if you had all of your devices listed, you would see the device name, which is, you know, whatever hostname you assigned to it; you would see its config status. So the FortiManager will actually tell you if the configuration that you have in the manager is different than the one that is on the FortiGate. So if you wanted to actually add a device, we could Add Device, Discover, and we'll do 10.30.1.10, which is one of our lab units; enter the password. The first step is, you know, you click Add Device in the top left. Second step is you enter the IP address of the interface you wish to connect to the device on. Take note that you have to have FGFM enabled on the interface that you want to connect with; it's an access type just like HTTPS or SSH. Enter the username and password, click Next. Let's see if it actually finds it. So yes, it's a FortiGate VM, so this is FortiGate-VM-01. Now when you're adding it, you're able to actually define a system template. System templates are like pre-defined things for SNMP, DNS, things of that nature; we'll dive into that in a minute. Click Next, and when you click Next, basically it's going to go through the discovery process on the device, and that's going to let you do things like import address objects, see the interface mappings, things of that nature. It takes a little bit, but, you know, it is what it is. Okay, so now it's going to check the device status. Now it's done all that. So basically what this is telling me is that to manage the policies and objects of this device, you need to import them into the FortiManager. So if your device has already been deployed and you've deployed your FortiManager after the fact, you can import the policy set that exists on that device as is, which means you can pick up right where you left off, and then over time you could create a new policy that'll be your new standardized approach, right? So we're going to go ahead and go to Import Now, or Import All, and basically you can choose what you want this to actually be called, and for this one we're going to call it FortiGate-VM-01-policy-01. It's going to be in my root folder; import everything; Next. It goes through, it imports all your policies, your address objects, and it'll actually give you the option: do you want to use the local CA or the certificates from the FortiGate or from the FortiManager? I usually just leave this as default unless for some reason I've changed it on the device itself. And now this has given me a review list; I can review this, look at it and see what's necessary, and then click Next. So it imported 12 of 12 items: one application list, one authentication setting, one antivirus profile, one DNS profile, basically everything that I had on the FortiGate that differed from a default config. And we click Finish. Now we see our device here, and just as you would expect it is synchronized, obviously, because I just pulled the config from it; the policy package is synchronized as well. You can see a couple of different things here: you can see yield signs, you know, if it differs; you see red X's if it's completely way off; and the columns are customizable too, to whatever's useful for you. Usually what's out of the box works great for me, but then you can double-click the device and you can actually look at everything tied to it. You can see the interfaces that are tied to it; I have them in zones, so it tells you, which is neat. And you can change what's displayable by clicking Display Options right here at the top. These are the pre-checks; you can customize it and actually tell it that you want to be able to see, like, DHCP servers, DNS settings, when up, you know, all that stuff. If you're just learning, leave it to the ADOM settings, though.

And then if you had, you know, a policy change or whatever, you just go to your Install Wizard and it'll walk you through: I want to install policy package and device settings, or I just want to install device settings. That's another thing that you need to consider on a FortiManager appliance: you have device settings, which are local to that device. That'll be WAN IP information, or really any interface IP information, specific IP pools, things like that, operation modes, local DNS settings, various features that you have enabled on the device. And then you have more broad policy stuff, which is specifically geared towards your, you know, your policy: inside to outside, outside to inside, SSL VPN to inside, etc. Which leads to another thing: SSL VPN is a local device setting, so you need to be careful; you need to know what you're pushing, right? Have a demo unit, play with it before you go production with it. It is what it is; it'll be better that way. So you're able to dive in here, see actual device information, look at your Tools, which will give you global display options, which goes back to that same thing on the table of display options here. Next you can go to Firmware. You can actually update the firmware of your fleet from this, and even better, you can schedule your firmware updates for your fleet with this. So if this was a device that I wanted to upgrade, I could go Upgrade, what do I want to upgrade it to; I could push this device to 6.4 if I wanted, and I could even schedule it to go off at a certain time. So very, very smooth stuff; works very well, especially if you're doing it manually: you're logging into each FortiGate, clicking Update on the firmware after you back up the config, rinse and repeat, there's a lot of control tabs and it's a nightmare. You just select all those things, follow the upgrade path obviously, but you could step them up all in one night if you're good. I like to check on each device just to make sure it comes back up and operates the way it should; that's just so I don't get a phone call at six in the morning saying, hey, why is my stuff down? Let's check on that. You can also import your own custom images if you didn't want to pull from FortiGuard specifically.

Next tab is the License. You can check and keep up, using the central page, with your licenses that are available to you, which means you don't have to keep some rolling spreadsheet that may or may not be accurate, so that's really cool. Provisioning Templates: we mentioned this previously. So this is where you can set things like your DNS. My default provisioning template, maybe you call it staging, and you have specific DNS; you deploy a specific NTP server, because logs only matter if they're all using the same NTP so you can actually correlate dates and times, right? Administrative settings, alerting emails, things of that nature, SNMP, and of course your replacement messages that you wish to push to it. Maybe you have customized FortiGuard block pages or things like that; you can make them part of your template and you can operate at scale. Remember, the whole MO of this is at scale. Scripts: if you are a script junkie and you wanted to script the change of an interface or, you know, anything like that, anything you can script on this you can do, and once you have your script created you can either run it on the device objects within the FortiManager, or you can remotely run it on the FortiGate via CLI. So you've got a lot of capability there. And yes, it does have SD-WAN orchestration. I don't use this; I don't use it at all. I don't really use SD-WAN; I like zones. That's a personal preference, really.

So anyways, next we jump over to our Policy and Objects. This is where we create our policy. So as you can see, it brought over the policy as well as the names that I named them, right? So I have my catch-all for my inside to outside, and then I have my policy for the IPsec tunnel that I built in the previous video, and, you know, my implicit deny. There's a lot of cool things about this. Obviously you can come up with a general configuration that is a standardized approach, and you can use wildcards or per-device mapped items to give you the capability of, you know, applying it to everyone. I'll show you what I mean there. The "all" address object is always 0.0.0.0, but if we wanted to create an address object, we go over to Objects and Configurations, Firewall Objects, Addresses. We can create one that has per-device mapping. So if we wanted to call one "data vlan", because we know we have a data VLAN at every location, but the data VLAN is different from a subnet standpoint at every location, you just, you know, come in here, you do your per-device mapping, Create New, you select your device from the drop-down and say 10.100.25.0/24. Okay, which means my data VLAN, if I reference that address object anywhere in my policy set and I install it to this FortiGate, it's going to change the variable to be that. I mean, come on guys, it's pretty cool; it's a little cool, right? It enables you to have the same policy across the board, so when some jackwagon calls you and says, hey man, location two is able to get to porn: nah, if they are, they're doing something funky, because it has the same policy set, I know for a fact. Gives you what you need, right? You can also map zones. If you have more than one FortiGate in here (obviously you would want that for scale), maybe one FortiGate only has three inside interfaces, so you map those interfaces to it. So you can see here, wifi and port2 are the internal interfaces for this FortiGate; maybe FortiGate 3 has four because for some reason it's got guest wifi, a couple other things. So you have that flexibility there. Security profiles, just like you would on FortiGate. Other things like virtual IPs can also be mapped on a per-device basis; same thing for everything else. User & Device is local, so you can have LDAP servers that are pushed to specific FortiGates, etc. So you've got, guys, you've got a lot of power here.

Next we have our AP Manager. I don't have any APs in this, obviously, but there's a couple different things you can do. One, you can assign templates, so you can build wifi profiles. So you create an AP profile based on whatever model AP you have; you set your settings just like you would in a FortiGate: I want these various SSIDs, I want it to be provisioned for these channels, etc. Okay, save that. You configure the SSIDs, you apply them to that, you reference them in that profile, and then you build a template, and it's crazy. So if I had a whole bunch of 320-whatevers, whatever the latest, greatest FortiAP is, I could have an AP profile for it that references SSIDs listed here, that references WIDS profiles listed here, quality of service, etc., and I can select all my access points here, assign that template, and then push it. And then, just like anything else on the FortiManager, I can upgrade firmware, I can look at connected devices; it gives me that central control. A lot of power is available here. I can monitor it and actually see, you know, the wireless devices, their strength, etc., just like if I was on the FortiGate. VPN Manager: super, super powerful. Basically, just know you're able to manage all your VPN essentially from this device. This needs a standalone video; honestly, each individual piece of this actually does. So, you know, anyways, but you can map it out, you can manage it and do everything there. Next up we have our Fabric View. This is how you tie it into things like ServiceNow, Cisco's ACI; this just makes it all jive. This is all about integrating various other third-party vendors and functionality, and even other Fortinet functionality, for instance the FortiClient EMS, the FortiNAC, Fortinet Single Sign-On, etc. It's all about tying this together, including feeds for FortiGuard. Let's keep up with your licensing, like I mentioned. You can also deploy packages; you can use the FortiManager as a method of pushing your FortiGuard updates, so it's not coming from Fortinet directly; it can come from you, your own whitelisted IPs. FortiSwitch Manager: just like the access points, you can control your FortiSwitches here. You can upgrade the firmware, you can build templates that house certain VLANs. So you create your VLANs here, like maybe data VLAN is VLAN 10, and then you can have per-device mappings on that VLAN saying VLAN 10 on FortiGate 1 is 10.10.1.0, on FortiGate 2 it's 10.10.2.0, and so forth. You configure LLDP profiles so you can do, like, auto-tuning of your voice-over-IP devices to the voice network, things like that. But you can build templates based on the model switch, so if you have a, you know, a 400-series switch, you have a 400-series template that's specific to the use case for that switch. Lots and lots of power. And of course you have your security operations page that gives you, kind of like, you know, this device has high utilization, or it's got required actions, like maybe it's in conserve mode, or it's just not working the way you intended it to. So a lot of functionality there. And then of course System Settings, where you can tell it where to log to, keep up with how many devices you're managing; it'll actually tell you the number of FortiGates, VDOMs you're managing, as well as the number of FortiSwitches, FortiAPs, et cetera. It's very cool. And then, you know, all the stuff: you can tie it into FortiAuthenticator or LDAP or, you know, insert XYZ. So that's the FortiManager; super, super powerful.

We're gonna go through the FortiAnalyzer a little bit quicker because it's more of a broad stroke on that one. So we'll go over to our FortiAnalyzer, log into this puppy, and much like FortiManager, you'll see this page. It has a lot of the same tie-ins that you would see elsewhere. You can actually make the FortiManager manage the FortiAnalyzer, and you can access both through that single FortiManager logon; you'll get more options, you know, more rows of these things, and we'll actually do a video specifically on that because it's pretty cool. So just like on the FortiManager, you can actually see the devices that are in the thing. Both of my VM FortiGates are in here; they're both logging. I don't know how much data they actually have, but you can see your devices, you can see that they're logging in real time, and they're encrypted. FortiManager and FortiAnalyzer out of the box try to do encryption to keep your stuff safe, which is awesome. You can see unauthorized devices, which may be devices that you've sent to the Analyzer but haven't approved yet; see, you know, devices if their statuses are down; and of course how much usage you've actually consumed. Go over to our SOC view. This is actually where you'll see things like our threat map, top threats, things like that. You know, every security vendor has the pew-pew map; well, Fortinet does too. So you can actually map the coordinates of your FortiGates, so if you have them across the world, you'll see the threats that they're encountering. It'll actually show you compromised hosts, it'll show you FortiSandbox detections and things that are clean or dirty, et cetera. And of course, you can look... this is basically an extended FortiView that you would see on your FortiGate, right? So you can see where my Ubuntu box is going out to the internet, see where, you know, it's sending log data to the FortiManager, where I tied that device into the FortiManager. A lot of stuff. You can look at your top applications across the enterprise, guys, and you can make educated decisions on your policy set based on what you see here. No more looking at individual FortiViews going, man, I really wish I knew if this is being used anywhere. You have that visibility. You can see your VPN status, whether it's SSL VPN or site-to-site. This hasn't received any logs yet, since before the Analyzer was tied in, but I don't know, let's see. Yeah, okay, so you can see the IPsec tunnels, the FortiGate that's initiating it, how long it's been up, and the amount of traffic sent. We've only sent pings, so it's kind of minuscule, right? And then of course you can look at system logins and things like that. So we'll look at, let's see, less than one week: I logged in as admin, you know, made two configuration changes, yadda yadda. You have audit capability.

Then you can just look at the straight dirty logs. This is powerful. You can look at the logs and see if something's getting denied; you can look at your application control and see what's going on. If you're wanting to look at real-time stuff, you can do it over here: if you click this little wrench, you can do a real-time log and it'll dump logs as they come in, so you see what's necessary to actually see. It's updating right now; you know what's going on. And you can build out event types, which we'll do a whole video just on event types, because you can make it alert if an interface goes down, or if an IPsec tunnel goes down, or if certain actions are taken, or if it sees an AV file or an antivirus exploit or an IPS exploit, or, you know, someone trying to take advantage of your network. It'll alert you; you can have this thing create tickets in ServiceNow if you want. So you've got a lot of capabilities there. Just like the FortiManager, it can tie in all the cool third-party stuff, especially if you want automated tickets from ServiceNow, so that, you know, it can go down to your security analyst and they do the triage and stuff from there. Incidents and Events: this will actually show you the list of items that have taken place, and then of course you can control it and tell it to do certain things based on handlers. You can define subnets, you can give subnets various criticality ratings, things of that nature, and have it kick off actions based on that. You can keep incident tracking in here if you wanted your SOC to be separate from your central ticket system. I don't usually recommend that; it's just one more place to lose data, right? But the capability's there if you need it.

And then of course you can run reports. My favorite report is the Security Analysis report. It'll tell you everything with regard to bandwidth usage, top threats, intrusions, things of that nature; tell you who's on the internet the most. Very, very cool stuff. We'll do videos on each specific report, because the data is very, very usable, but in reality, jump in and play with it; that's where you're going to get a lot of your bang for buck. But you're looking at things like admin and system events reports, so you know when people are logging in and doing things. Cyber Threat Assessment: Fortinet used to do something called CTAP, Cyber Threat Assessment Program, where vendors or VARs basically would come in, install a FortiGate in transparent mode, send it up to Fortinet, and they got paid just for getting that because it was a business lead, right? Well, this gives you the ability to do it for your clients, to sell them on the necessity of it. If you already have FortiAnalyzer deployed, you have a FortiGate that is, like, an NFR unit that's just for, you know, getting people addicted to the grooviness of the Gate, right? You use this to tell them everything: you have that FortiGate log to your Analyzer, you run this report after having it on their network for a week, and you show them why they need it. It almost always guarantees a sale, guys; this is crazy. Best thing is, all these reports are modifiable. If you're good at SQL or looking at data (I'm not as good at data, man, I hire this out), you have everything you would need to take these reports and, you know, kind of what-you-see-is-what-you-get, mix and match, get it doing what you want. Very cool stuff. And you can also put these reports on schedules for leadership: kick off a porn report every Monday for the previous week, send it to boss man, and then enjoy explaining why Susie was going to something she shouldn't have, and you have it tied with non-repudiation thanks to Fortinet Single Sign-On. Limits are endless there.

And then of course System Settings, where you can control your ADOMs, storage info, etc. FortiAnalyzers are stackable, so you can run them in collector mode and have other Analyzers forward to it, which is pretty cool. So you can have an Analyzer per region and then a master one that the enterprise as a whole looks at. There's a lot of different capabilities there, and of course you can have it configured to go to a mail server and send stuff off. So a lot of cool stuff. I mean, it's about half an hour, right, of just, oh cool, we should deep dive deeper on this, because it's really, really cool and you'll get a lot of value out of it. But guys, if you have more than three FortiGates, you know what, if you have more than 10 FortiGates, you're wasting your time if you don't have a FortiManager, and unless you're using something like Splunk and you have a full-time Splunk engineer, you're wasting your time if you don't have Analyzer. Kiwi is not going to do what you want to do; ELK is not going to do what you want to do without having a full-time employee. You configure a FortiAnalyzer in 10 minutes, you send logs to it, pre-canned reports just work, guys. I struggle-bus on ELK, I struggle-bus on Splunk, and I use it daily, which is what it is. If you want something that comes out of the box ready to start swinging for you, the Analyzer is it; it's the tits, man. It works. And, you know, FortiManager just gives you that ability, once you figure out the nuances, to really make a single engineer scale. I manage over 500 FortiGates by myself, completely manage, like my clients don't touch them. Think about that. And it's easy; I have lots of free time, that's why I make videos. So, you know, check them out, try them out. If you have questions or comments, specifically on FortiManager or FortiAnalyzer, let me know. As mentioned earlier in the video, we will have more specific videos about each individual section because there's so much to learn on these, guys. We're also going to do a couple cookbook videos and things of that nature to help you get more acclimated to the devices and the ifs, ands and buts about what goes on there.

Guys, do me a favor: if you like the video, if you like the information, hit the like button somewhere over here, right? Hit the subscribe button, and then hit the notification bell so you get the updates as I push them out. I shoot for a video a day; I try to make them 15 minutes of quality, decent information for you so your life can get better. Doesn't always work out that way; I tend to ramble, sometimes they're shorter. But if you like what you see, hit the like button, hit the subscribe button, share with your friends. You know, check out my video about Fortinet versus Palo Alto; send it to Palo people and rub it in, let them know that your device costs a third and actually scores better on the security effectiveness, you know, stuff like that, whatever you...
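The video points out two things that are easy to get wrong on the FortiGate side: FGFM must be enabled as an access type on the interface FortiManager connects to (alongside HTTPS or SSH), and logs to FortiAnalyzer travel encrypted. The FortiOS 6.2 CLI fragment below is an added example, not configuration from the video or from Fortinet's documentation; it shows the FortiGate half of both integrations. The FortiManager address 10.30.1.10 is the lab unit mentioned in the video, and FortiAnalyzer-IP-PLACEHOLDER and the interface name "port1" are assumptions to be replaced with your own values.

```text
# Added example (FortiOS 6.2 CLI syntax, assumed): FortiGate side of the
# FortiManager and FortiAnalyzer integrations described in the video.

# 1. Management interface: FGFM is an access type like https/ssh. Enable it
#    only on the interface that actually faces FortiManager, never on a WAN
#    interface, so the management protocol is not exposed to the internet.
config system interface
    edit "port1"                                   # assumed management interface
        set allowaccess ping https ssh fgfm
    next
end

# 2. Point central management at FortiManager (10.30.1.10 is the lab
#    address used in the video). After this, add the device in
#    FortiManager > Device Manager > Add Device as shown in the video.
config system central-management
    set type fortimanager
    set fmg "10.30.1.10"
end

# 3. Send logs to FortiAnalyzer. "reliable" uses the TCP-based OFTP
#    transport instead of UDP, and "enc-algorithm high" keeps the log
#    stream encrypted, matching the out-of-the-box behaviour the video
#    mentions. FortiAnalyzer-IP-PLACEHOLDER must be replaced.
config log fortianalyzer setting
    set status enable
    set server "FortiAnalyzer-IP-PLACEHOLDER"
    set reliable enable
    set enc-algorithm high
    set upload-option realtime
end
```

After committing step 3, the FortiGate shows up under Unauthorized Devices on the FortiAnalyzer (as the video describes) until an administrator approves it; that approval step is what keeps an arbitrary device on the network from pushing logs into your Analyzer. If you manage the FortiAnalyzer through FortiManager, you can register the FortiGate from there instead of the FortiGate CLI, but the FGFM access setting in step 1 still has to exist on the FortiGate before discovery will succeed.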
Info
Channel: Fortinet Guru
Views: 69,339
Id: n-DzkRet4ks
Length: 36min 56sec (2216 seconds)
Published: Tue May 12 2020