FortiAnalyzer_日志审计 (FortiAnalyzer log auditing)
- Format: pdf
- Size: 346.81 KB
- Pages: 5
Firewall Test Report, June 2013

Contents
1 Test objectives
2 Test environment and tools
   Test topology
   Test tools
3 Firewall test plan
   Security function completeness verification
      Firewall security management function verification
      Firewall networking function verification
      Firewall access control function verification
      Log audit and alarm function verification
      Firewall additional function verification
   Firewall basic performance verification
      Throughput test
      Latency test
Introduction to Information Security Audit and Detection Tools

In today's digital era, information security has become an issue that neither enterprises nor individuals can afford to ignore. As network attack techniques grow ever more complex and diverse, information security audit and detection tools have become an important line of defense for protecting information assets. These tools help us discover potential security threats, assess the security of our systems, and take appropriate measures to guard against risk. Below we take a closer look at some common information security audit and detection tools.

1. Vulnerability scanning tools

Vulnerability scanners are among the most frequently used tools in information security auditing. They automatically detect security vulnerabilities in systems, networks and applications. They work by sending various probe packets and analyzing the responses to identify possible weaknesses, such as operating system vulnerabilities, software vulnerabilities and network misconfigurations. Common vulnerability scanners include Nessus and OpenVAS. Nessus is a powerful and widely used commercial vulnerability scanner that offers comprehensive vulnerability detection and generates detailed reports to help security staff understand the security state of their systems. OpenVAS is an open-source vulnerability scanner with good extensibility and customization, suited to cost-sensitive users.

2. Intrusion detection and prevention systems (IDS/IPS)

An IDS (intrusion detection system) and an IPS (intrusion prevention system) are tools for monitoring and defending against network intrusions. An IDS mainly monitors network traffic, analyzing packet characteristics and behavior patterns to spot signs of intrusion and raise alerts. An IPS not only detects intrusions but also actively takes steps to block attacks, such as dropping malicious packets or cutting connections. Snort is a well-known open-source IDS with a powerful rule base and flexible configuration options, allowing detection rules to be customized to the user's needs. Cisco Firepower, by contrast, is an enterprise-grade IPS solution offering high-performance intrusion prevention and deep threat detection.

3. Log analysis tools

Systems and applications produce large volumes of log records containing a wealth of information: user activity, system events, error messages and so on. Log analysis tools help us collect, organize and analyze these logs to uncover anomalous activity and potential security problems. The ELK Stack (Elasticsearch, Logstash, Kibana) is a popular log analysis solution.
FortiAnalyzer Big Data

FortiAnalyzer Big Data delivers high-performance big data network analytics for large and complex networks. It is designed for large-scale data center and high-bandwidth deployments, offering the most advanced cyber threat protection by employing hyperscale data ingestion and accelerated parallel data processing. Together with its new distributed software and hardware architecture and Fortinet's high performance next generation firewalls, this powerful 4RU chassis offers blazing fast performance, enterprise-grade data resiliency, built-in horizontal scalability, and consolidated appliance management.

Big Data Analytics | Scalable Performance | Built-in High Availability

High Performance
- Totally redesigned and optimized architecture, employing the newest Big Data Kafka/Hadoop/Spark technologies
- Massive parallel event streaming and data processing for high-speed ingestion, data storage, and search capabilities
- The highest performing FortiAnalyzer appliance: 300 000 logs/sec out-of-box, horizontally scalable to petabytes of storage

Unified Appliance Management
- Enterprise-grade Big Data appliance with consolidated hardware and software monitoring through the Cluster Manager
- Simple installation, updating, expansion, and data management
- Built-in automation and customizable job templates

Reliable and Scalable Deployment
- Built-in enterprise high availability and data resiliency based on a newly optimized software and hardware architecture
- Designed for rapid scalability with multiple Big Data appliances using high speed 40 Gb/s built-in switch modules
- Specifically designed to accelerate the visibility and expansion of the Fortinet Security Fabric

Big Data Security Analytics
- Monitor and analyze your entire network from end-to-end at an accelerated rate, maximizing the visibility of your entire attack surface, network traffic, applications, users, and end-point hosts
- Interactive dashboards and informative reports using real-time tracking of key security metrics, link health status, and application steering performance
- Ready to use and customizable report templates for compliance, security posture assessments, and system performance checks
- Use log analytics to query IPFIX log messages collected, when Ingestion is configured in Flow mode

Rapid Incident Detection and Response
- Intuitive event and incident workflow for SOC teams to focus on critical alerts
- The built-in correlation engine automates and groups alerts to remove false positives
- Out-of-box connectors and extensive APIs for security teams to automate repetitive tasks

Available in: Appliance, Virtual Machine

HIGHLIGHTS

FortiAnalyzer Big Data supports all of the features and technologies of the FortiAnalyzer family. FortiAnalyzer Big Data also provides additional scalability and high-speed performance using new massive parallel data processing and Columnar Data Store processes. After the data ingest, FortiAnalyzer Big Data provides an easy to use front-end UI that interacts with the distributed big data SQL engine to search, query, and aggregate the data.

Feature comparison (FortiAnalyzer / FortiAnalyzer Big Data)

Security Analytics
  Log View: Yes / Yes
  Interactive FortiView Dashboards: Yes / Yes
  Fabric View - Assets and Identity: Yes / Yes
  Out-of-Box Report Templates: Yes / Yes
  Global Search across all Big Data clusters: No / Yes
  IPFIX Support: No / Yes
Incident Response
  Indicators of Compromise Service: Yes / Yes
  Event Correlation and Alerting: Yes / Yes
  Incident Escalation Workflow and Management: Yes / Yes
Automation and Integration
  Security Fabric Connectors: Yes / Yes
  Security Fabric Integration: Yes / Yes
  REST API: Yes / Yes
Multi-Tenancy and RBAC
  ADOM: Yes / Yes
  Role-Based Access Control: Yes / Yes
Performance and Scalability
  Deployment: Small, Medium Enterprise / Large Enterprise and Service Providers
  High Availability and Redundancy: Yes, requires a second unit / Yes, built-in HA and redundancy
  Sustained Rate: Up to 100 000 logs/sec / Start at 300 000 logs/sec
  Horizontal Scalability: No / Yes
  Big Data Analytics Engine: No / Yes
  Massive Parallel Data Processing: No / Yes
  Distributed Architecture: No / Yes
  Columnar Data Store: No / Yes
Appliance Management
  Chassis: No / Yes
  Cluster Manager: No / Yes

To download the FortiAnalyzer Datasheet, please visit https:///content/dam/fortinet/assets/data-sheets/fortianalyzer.pdf

FortiAnalyzer Big Data Virtual Machines

Fortinet offers FortiAnalyzer Big Data in a stackable Virtual license model, with a-la-carte services available for 24x7 FortiCare support and subscription licenses for the FortiGuard Indicator of Compromise (IOC), FortiAnalyzer SOC component, and FortiGuard Outbreak Detection Service. This software-based version of the FortiAnalyzer Big Data hardware appliance is designed to run on many virtualization platforms, which allows you to expand your virtual solution as your environment grows.

SPECIFICATIONS
  Total Interfaces: 4x 40 GE QSFP and 8x 10 GE SFP+
  Storage Capacity: Blade#1: 2 x NVMe 750 GB SSD = 1.5 TB; Blade#2 ~ #14: 13 x 2 x 7.68 TB SSD = 200 TB
  Usable Storage: 200 TB
  Removable Hard Drives: 28 (Max) SSD, each blade 2 x 2.5" Storage Device
  Redundant Hot Swap Power Supplies**: Yes
  Safety Certifications: FCC Part 15 Class A, RCM, VCCI, CE, UL/cUL, CB

* The max number of days if receiving logs continuously at the sustained log ingestion rate. This number can increase if the average log rate is lower.
** All four power supplies must be installed and plugged in to a reliable power source when the device is turned on / powered up. Three power supplies are required for the device to fully operate, which allows hot swap of one power supply at a time. The max power consumption of the unit is 4967 W and each PSU supports 2200 W. The fourth power supply provides redundancy.

version. Visit https:///product/fortianalyzer-bigdata/ and find the Release Information at the bottom section. Go to "Product Integration and Support" -> "FortiAnalyzer BigData [version] support" -> "Virtualization".

FBD-DAT-R6-20220524

Copyright © 2022 Fortinet, Inc. All rights reserved.
Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Fortinet is committed to driving progress and sustainability for all through cybersecurity, with respect for human rights and ethical business practices, making possible a digital world you can always trust. You represent and warrant to Fortinet that you will not use Fortinet's products and services to engage in, or support in any way, violations or abuses of human rights, including those involving censorship, surveillance, detention, or excessive use of force.
Users of Fortinet products are required to comply with the Fortinet EULA (https:///content/dam/fortinet/assets/legal/EULA.pdf) and report any suspected violations of the EULA via the procedures outlined in the Fortinet Whistleblower Policy (https:///domain/media/en/gui/19775/Whistleblower_Policy.pdf).

ORDER INFORMATION (Product (SKU): Description)
- FortiAnalyzer-BigData-4500F (FAZ-BD-4500F): FortiAnalyzer high-performance chassis for big data analytics with 14 blade servers, 4x 40 GE QSFP ports, 8x 10 GE SFP+ ports, 300 000 logs/sec ingestion rate, and 200 TB SSD storage in a single system. Horizontally scalable up to petabytes of storage.
- Hardware Bundle (FAZ-BD-4500F-BDL-466-DD): Hardware plus 24x7 FortiCare and FortiAnalyzer Enterprise Protection.
- Enterprise Protection Bundle (FC-10-BD45F-466-02-DD): Enterprise Protection (24x7 FortiCare plus Indicators of Compromise Service, SOC Subscription license, and FortiGuard Outbreak Alert service).
- SOC Subscription License (FC-10-BD45F-335-02-DD): Subscription license for the FortiAnalyzer SOC component.
- IOC Subscription License (FC-10-BD45F-149-02-DD): Subscription license for the FortiGuard Indicator of Compromise (IOC).
- Outbreak Alert Subscription License (FC-10-BD45F-462-02-DD): Subscription license for FortiGuard Outbreak Alert Service.
- 24x7 FortiCare Contract (FC-10-BD45F-247-02-DD): 24x7 FortiCare Contract.
- FortiAnalyzer-BigData-VM (FAZ-BD-VM): FortiAnalyzer-BD virtual appliance with 150 000 logs/sec ingestion rate and 200 TB storage capacity to start. Support add-on to scale up performance and storage.
- FortiAnalyzer-BigData-VM Add-On* (FAZ-BD-VM-UG): FortiAnalyzer-BD virtual appliance ADD-ON to add additional capacity with 50 000 logs/sec ingestion rate and 50 TB storage. Multiple ADD-ONs can be stacked together to scale up the ingestion rate and storage.
- Enterprise Protection Bundle VM (FC-10-ZBDVM-575-02-DD): Enterprise Protection (24x7 FortiCare plus Indicators of Compromise Service, SOC Subscription license, and FortiGuard Outbreak Detection service).
- SOC Subscription License VM (FC-10-ZBDVM-335-02-DD): Subscription license for the FortiAnalyzer SOC component.
- IOC Subscription License VM (FC-10-ZBDVM-149-02-DD): Subscription license for the FortiGuard Indicator of Compromise (IOC).
- Outbreak Alert Subscription License VM (FC-10-ZBDVM-462-02-DD): Subscription license for FortiGuard Outbreak Detection Service.
- 24x7 FortiCare Contract VM (FC-10-ZBDVM-248-02-DD): 24x7 FortiCare Contract.

* FortiAnalyzer-BD virtual appliance ADD-ON can stack up to a maximum of 500 000 logs/sec.
Essential for network administrators: 32 syslog server and log analysis tools

Wuming Xiaozhan (无名小站) has collected 32 foreign log analysis programs from around the web, covering IIS, Apache, Cisco PIX firewalls, ASA firewalls and more; in short, whatever you need.

SurfStats 8.4.0.7
This program examines log files and produces web activity reports. It can also retrieve log files from your hosting server and decompress them if needed. The program offers detailed and summary report modes, with output to screen, file directory, FTP or e-mail. It can perform dynamic DNS lookups of IP addresses and filter activity by date, visitor, source and file.

Web Log Storming 1.8.407
This is an interactive, desktop-based web log analyzer that presents hit records as interactive charts with detailed website statistics and reports. It provides a complete and detailed analysis of the activity of every visitor to your site.

ProxyInspector for ISA Server 2.6m
This tool analyzes Microsoft ISA Server proxy, firewall and packet filter log files and produces comprehensive reports on bandwidth consumption per user or workgroup. Reports include the sites visited and the distribution of user activity by hour and day of the week. Blocked sites are also included.

SmarterStats 3.3
This program helps you track website visitors and generates more than 135 reports. It can be accessed through a web browser.

WebLog Expert 4.1
This web server log analyzer provides information about your site's visitors, activity statistics, file access counts, referring pages, search engines, browsers, operating systems and errors. Filters help you carry out thorough investigations. Other features include multi-threaded DNS lookups, a built-in scheduler and IP-to-country mapping.

Absolute Log Analyzer 2.3.95
A web log analysis tool designed for large websites.
FortiSIEM for Network Visibility, Event Correlation, and Risk Management

FortiSIEM offers an affordable and all-inclusive solution, delivering continuous monitoring for various CSfC capability packages, whether cross-domain environments or a standalone system. Fortinet's patented architecture in FortiSIEM enables unified data correlation and analytics from diverse sources, which includes logs, KPI metrics, SNMP traps, important security alerts, and configuration changes made to the devices, providing a comprehensive view of the security posture for networks large or small, such as flyaway kits and on-premises static devices.

The breadth of features offered by FortiSIEM allows for massively scalable architecture, supporting a wide variety of IT products and making it an attractive choice for any environment that requires visibility and actionable intelligence when implementing continuous monitoring as part of a holistic risk management and defense-in-depth information security strategy integrated into CSfC architectures.

CSfC CM capabilities are designed with a multilayer approach to complement the functional architecture of a CSfC solution. CSfC CM solutions provide high visibility across the monitored network, allowing analysts to validate the operational status of encryption components by observing network activity both before and after encryption points and within management networks and at eight distinct but strategic monitoring points within the CSfC architecture. FortiSIEM can meet CM needs by implementing its collectors and workers at monitoring points, collecting data for analysis and notifying system activities to the FortiSIEM supervisor, which runs all the core services and manages other nodes in the cluster.

FortiSIEM is a powerful and feature-rich monitoring and analytics solution with many use cases across the enterprise. FortiSIEM is designed to provide comprehensive data collection with rapid-scale architecture as required and data aggregation from each MP into centralized monitoring SIEM systems. FortiSIEM offers security administrators the collective dataset to monitor the security posture of the CSfC solution and report on security-relevant events within the infrastructure. FortiSIEM accomplishes distributed event correlation through a defined set of automated notification capabilities and dashboards built to identify targeted information of interest. Some of the key innovative and powerful technologies included in the FortiSIEM solution:
- Distributed event correlation
- Distributed querying and reporting
- A high-performance, optimized NoSQL event database

Design for CSfC Use Case

FortiSIEM can be used for many applications across the enterprise; however, for CSfC CM use, the following can be included per the Continuous Monitoring Annex:
- Log ingestion and storage
- SOC analytics and incident response
- Performance monitoring
- Compliance reporting
- Management reporting

FortiSIEM Architectures

FortiSIEM is a flexible solution that can be deployed in different ways to meet different performance, scalability, and topological requirements. The main deployment enclaves are remote, enterprise, and service provider. Small enclave would be the focus for CSfC deployment, which is most applicable since remote deployments are typically smaller and can consist of an all-in-one or a small distributed solution (see Figure 1).

Figure 1: FortiSIEM architecture diagram.

The FortiSIEM all-in-one architecture is an easy-to-deploy, self-contained, single-server solution that is suitable for smaller deployments. It uses a local disk on the virtual appliance, or the in-built hardware appliance storage, for event storage. It is limited in scalability due to the local storage and does not support the Rapid Scale Architecture because worker nodes cannot be added to an all-in-one deployment. While a single all-in-one node delivers a functional system, most organizations should plan to also deploy at least one collector to assist with log collection, and to support FortiSIEM server agents. Enclaves requiring additional scalability to meet current or future capacity and performance requirements should use a distributed solution with shared storage.

FortiSIEM Database Structure
- FortiSIEM uses multiple databases presented in a single GUI.
- In a multi-node deployment, the event database is moved to external storage for scalability.
- NFS or Elasticsearch is supported.

Figure 2: FortiSIEM database structure diagram.

The Life of an Event in FortiSIEM

Fortinet offers a virtual appliance architecture using a three-tier structure to provide an easily scalable solution that can start as a small single-node deployment, and rapidly scale to a large, high-performance system as needed.
- The supervisor node provides core functionality, and in a smaller solution, it can deliver an all-in-one system specifically applicable to a CSfC solution use case.
- Worker nodes are used in conjunction with the supervisor node to scale event processing and reporting, which may or may not be needed depending on deployment size and use case.
- Collectors can be used to provide remote site log collection, and to offload log collection from the supervisor or worker nodes for increased scalability.

FortiSIEM Features

Real-time Operational Security Analytics
- Continually update on security events and provide accurate device context: configuration, installed software and patches, running services
- FortiSIEM offers system and application performance analytics along with contextual interrelationship data for rapid triaging of security issues
- User context, in real time, with audit trails of IP addresses, user identity changes, physical and geomapped location
- Detect unauthorized network devices, applications, and configuration changes
- Out-of-the-box predefined reports supporting a wide range of compliance auditing and management needs including PCI DSS, HIPAA, SOX, NERC, FISMA, ISO, GLBA, GPG13, SANS Critical Controls, COBIT, ITIL, ISO 27001, NERC, NIST 800-53, NIST 800-171, NESA

Performance Monitoring
- Monitor basic system/common metrics
- System level via SNMP, WMI, PowerShell
- Application level via JMX, WMI, PowerShell
- Virtualization monitoring for VMware, Hyper-V: guest, host, resource pool, and cluster level
- Storage usage, performance monitoring for EMC, NetApp, Isilon, Nutanix, Nimble, Data Domain environments
- Specialized application performance monitoring
- Microsoft Active Directory and Exchange via WMI and PowerShell
- Databases: Oracle, MS SQL, MySQL via JDBC
- VoIP infrastructure via IPSLA, SNMP, CDR/CMR
- Flow analysis and application performance for NetFlow, sFlow, Cisco AVC, NBAR, IPFIX environments
- Ability to add custom metrics
- Baseline metrics and detect significant deviations

External Technology Integrations
- Integration with any external website for IP address lookup
- API-based integration for external threat feed intelligence sources
- API-based two-way integration with help desk systems, including seamless, out-of-the-box support for ServiceNow, ConnectWise, and Remedy
- API-based two-way integration with external CMDB, including out-of-the-box support for ServiceNow, ConnectWise, Jira, and Salesforce
- Kafka support for integration with enhanced analytics reporting (i.e., ELK, Tableau, and Hadoop)
- API for easy integration with provisioning systems
- API for adding organizations, creating credentials, triggering discovery, modifying monitoring events

Real-time Configuration Change Monitoring
- Collect network configuration files, stored in a versioned repository
- Collect installed software versions, stored in a versioned repository
- Automated detection of changes in network configuration and installed software
- Automated detection of file/folder changes, including Windows and Linux, and who and what details
- Automated detection of changes from an approved configuration file
- Automated detection of Windows registry changes via FortiSIEM Windows Agent

Notification and Incident Management
- Policy-based incident notification framework
- Ability to trigger a remediation script when a specified incident occurs
- API-based integration to external ticketing systems, including for ServiceNow, ConnectWise, and Remedy
- Incident reports can be structured to provide the highest priority to critical business services and applications
- Trigger on complex event patterns in real time
- Incident Explorer, dynamically linking incidents to hosts, IPs, and users to understand all related incidents quickly

External Threat Intelligence Integrations
- APIs for integrating external threat feed intelligence: malware domains, IPs, URLs, hashes, Tor nodes
- Built-in integration for popular threat intelligence sources, including ThreatStream, CyberArk, SANS, Zeus, ThreatConnect
- Technology for handling large threat feeds, incremental download and sharing within the cluster, and real-time pattern matching with network traffic. All STIX and TAXII feeds are supported.

Summary

To defend against adversaries in modern cyber warfare, CSfC customers need maximum visibility into multi-enclave network activity of their users, devices, and data. They must also have automated correlation and remediation of audit logs to ensure that mitigations are effective in minimizing or altogether preventing the infiltration of malicious actors and extraction of classified data. FortiSIEM is the ideal solution to provide industry-leading speed in data correlation and insights into complex, seemingly unrelated activity to accurately identify attempts to compromise the network. For more information on the Fortinet Continuous Monitoring solution, please go to https:///products/siem/fortisiem or contact us at *************************.

Copyright © 2020 Fortinet, Inc. All rights reserved. July 9, 2020 6:07 AM
DATA SHEET | FortiAnalyzer

Advanced Threat Detection & Correlation allows Security & Network teams to immediately identify and respond to network security threats across the infrastructure.

Automated Workflows & Compliance Reporting provides customizable dashboards, reports and advanced workflow handlers for both Security & Network teams to accelerate workflows & assist with regulation and compliance audits.

Scalable Log Management collects logs from FortiGate, FortiClient, FortiManager, FortiSandbox, FortiMail, FortiWeb, FortiAuthenticator, generic syslog and others. Deploy as an individual unit or optimized for a specific operation and scale storage based on retention requirements.

Key Features

Security Fabric Analytics
- Event correlation across all logs and real-time anomaly detection, with Indicator of Compromise (IOC) service and threat detection, reducing time-to-detect

Fortinet Security Fabric integration
- Correlates with logs from FortiClient, FortiSandbox, FortiWeb, and FortiMail for deeper visibility and critical network insights

Enterprise-grade high availability
- Automatically back up FortiAnalyzer DBs (up to 4 node cluster) that can be geographically dispersed for disaster recovery

Security automation
- Reduce complexity and leverage automation via REST API, scripts, connectors, and automation stitches to expedite security response

Multi-tenancy and administrative domains (ADOMs)
- Separate customer data and manage domains leveraging ADOMs to be compliant and operationally effective

Flexible deployment options & archival storage
- Supports deployment of appliance, VM, hosted or cloud. Use AWS, Azure or Google to archive logs as a secondary storage

Feature Highlights

Security Operations Center (SOC)

FortiAnalyzer's SOC (Security Operations Center) helps security teams protect networks with real-time log and threat data in the form of actionable views, notifications and reports. Analysts can protect networks, web sites, applications, databases, data centers, and other technologies through centralized monitoring and awareness of threats, events and network activity. The predefined and custom dashboards provide a single pane of glass for easy integration into your Security Fabric. The new FortiSOC service subscription provides built-in incident management workflows with playbooks and connectors to simplify the security analyst's role with enhanced security automation and orchestration.

Incident Detection & Response

FortiAnalyzer's Automated Incident Response capability enables security teams to manage the incident life cycle from a single view. Analysts can focus on event management and identification of compromised endpoints through default and customized event handlers, with quick detection, automated correlation and connected remediation of Fortinet devices and syslog servers, and with incident management and playbooks for quick assignment of incidents for analysis. Tracking timelines and artifacts, with audit history and incident reports, as well as streamlined integration with ITSM platforms, helps bridge gaps in your Security Operations Center and reinforces your security posture.

Indicators of Compromise

The Indicators of Compromise (IOC) service identifies suspicious usage and artifacts observed on a network or in an operating system, determined with high confidence to be a computer intrusion. FortiGuard's IOC subscription provides intelligence information to help security analysts identify risky devices and users based on these artifacts. The IOC package consists of around 500K IOCs daily and is delivered via the Fortinet Developers Network (FNDN) to the FortiSIEM, FortiAnalyzer, and FortiCloud products. Analysts can also re-scan historical logs for threat hunting and identify threats based on new intelligence, as well as review users' aggregated threat scores by IP address, hostname, group, OS, overall threat rating, a location Map View, and number of threats.

Reports

FortiAnalyzer provides 39+ built-in templates that are ready to use, with sample reports to help identify the right report for you. You can generate custom data reports from logs by using the Reports feature. Run reports on demand or on a schedule with automated email notifications, uploads and an easy to manage calendar view. Create custom reports with the 700+ built-in charts and datasets, with flexible report formats including PDF, HTML, CSV, and XML.

FortiAnalyzer Playbooks

FortiAnalyzer Playbooks boost security teams' abilities to simplify efforts and focus on critical tasks. Out-of-the-box playbook templates enable SOC analysts to quickly customize and automate their investigation use cases to respond to compromised hosts, critical intrusions, blocking C&C IPs, and more, with a flexible playbook editor for hosts under investigation. FortiAnalyzer also allows analysts to drill down into a playbook to review task execution details and edit playbooks to define custom processes and tasks, and includes built-in connectors for playbooks to interact with other Security Fabric devices such as FortiOS and EMS.

Asset & Identity

Security Fabric assets and identity monitoring and vulnerability tracking provide full SOC visibility and analytics of the attack surface: assets and identity visibility, with asset classification based on telemetry from NAC; a built-in SIEM module for automated log collection, normalization and correlation; integration with FortiSOAR for further incident investigation and threat eradication; and support for exporting incident data to FortiSOAR through the FortiAnalyzer Connector and API Admin.

Log Forwarding for Third-Party Integration

You can forward logs from a FortiAnalyzer unit to another FortiAnalyzer unit, a syslog server, or a Common Event Format (CEF) server. The client FortiAnalyzer forwards logs to the server FortiAnalyzer unit, syslog server, or CEF server. In addition to forwarding logs to another unit or server, the client retains a local copy of the logs, which are subject to the data policy settings for archived logs. Logs are forwarded in real time or near real time as they are received.

Analyzer-Collector Mode

You can deploy Analyzer mode and Collector mode on different FortiAnalyzer units and make the units work together to improve the overall performance of log receiving, analysis, and reporting. When FortiAnalyzer is in Collector mode, its primary task is forwarding logs of the connected devices to an Analyzer and archiving the logs. The Analyzer off-loads the log-receiving task to the Collector so that the Analyzer can focus on data analysis and report generation. This maximizes the Collector's log receiving performance.

Multi-Tenancy with Flexible Quota Management

Time-based archive/analytic log data policy per Administrative Domain (ADOM), automated quota management based on the defined policy, and trending graphs to guide policy configuration and usage monitoring.

FortiAnalyzer-VM

FortiAnalyzer-VM integrates network logging, analysis, and reporting into a single system, delivering increased knowledge of security events throughout a network. Utilizing virtualization technology, FortiAnalyzer-VM is a software-based version of the FortiAnalyzer hardware appliance and is designed to run on many virtualization platforms. It offers all the features of the FortiAnalyzer hardware appliance. FortiAnalyzer-VM provides organizations with centralized security event analysis, forensic research, reporting, content archiving, data mining, malicious file quarantining and vulnerability assessment. Centralized collection, correlation and analysis of geographically and chronologically diverse security data from Fortinet and third-party devices deliver a simplified, consolidated view of your security posture.

SD-WAN Monitoring

SD-WAN dashboards enable customers to instantly see the benefit of applying SD-WAN across multiple WAN interfaces, with event handlers to detect SD-WAN alerts for real-time notification and action. History graphs support WAN link health monitoring (jitter, latency and packet loss) together with Critical and High severity SD-WAN alerts. The new Secure SD-WAN report provides an executive summary of important SD-WAN metrics, detailed charts and history graphs for SD-WAN link utilization by application, latency, packet loss, jitter changes and SD-WAN performance statistics.

FortiAnalyzer-VM-S

The new FortiAnalyzer Subscription license model consolidates the VM product SKU and the FortiCare Support SKU, as well as IOC and FortiAnalyzer SOC (SOAR/SIEM) services, into one single SKU to simplify product purchase, upgrade and renewal. The FortiAnalyzer S-Series SKUs come in stackable 5, 50 and 500 GB/Day logs licenses, so that multiple units of this SKU can be purchased at a time to increase the number of GB/Day logs.
This SKU can also be purchased together with other FAZ VM-S SKUs to expand the total number of GB/Day logs.Virtual MachinesDATA SHEET | FortiAnalyzerSpecificationsCapacity and Performance GB/Day of Logs 1 incl.*+1+5+25+100+500+2,000Storage Capacity 500 GB +500 GB +3 TB +10 TB +24 TB +48 TB +100 TB on Redhat 6.5+ and Ubuntu 17.04, Nutanix AHV (AOS 5.10.5), Amazon Web Services (AWS), Microsoft Azure, Google Cloud (GCP), Oracle CloudInfrastructure (OCI), Alibaba Cloud (AliCloud)Network Interface Support (Minimum / Maximum) 1 / 4vCPUs (Minimum / Maximum) 2 / Unlimited Memory Support (Minimum / Maximum)4 GB / Unlimited* Unlimited GB/Day when deployed in collector modeDATA SHEET | FortiAnalyzer5Specifications* Sustained Rate - maximum constant log message rate that the FAZ platform can maintain for minimum 48 hours without SQL database and system performance degradation.**is the max number of days if receiving logs continuously at the sustained analytics log rate. This number can increase if the average log rate is lower.Safety CertificationsUL/cUL, CBUL/cUL, CBUL/cUL, CBDATA SHEET | FortiAnalyzer6* Sustained Rate - maximum constant log message rate that the FAZ platform can maintain for minimum 48 hours without SQL database and system performance degradation.** is the max number of days if receiving logs continuously at the sustained analytics log rate. 
This number can increase if the average log rate is lower.*** 3700F must connect to a 200V - 240V power source.SpecificationsSafety CertificationsUL/cUL, CB UL/cUL, CB UL/cUL, CBDATA SHEET | FortiAnalyzer Order InformationProduct SKU DescriptionFortiAnalyzer 150G FAZ-150G Centralized log and analysis appliance — 2 x RJ45 GE, 4 TB storage, up to 50 GB/day of logsFortiAnalyzer 200F FAZ-200F Centralized log and analysis appliance — 2 x RJ45 GE, 4 TB storage, up to 100 GB/day of logs.FortiAnalyzer 300F FAZ-300F Centralized log and analysis appliance — 2 x RJ45 GE, 8 TB storage, up to 150 GB/day of logs.FortiAnalyzer 800F FAZ-800F Centralized log and analysis appliance — 4 x GE, 2 x SFP, 16 TB storage, up to 300 GB/day of logs.FortiAnalyzer 1000F FAZ-1000F Centralized log and analysis appliance — 2 x 10GE RJ45, 2 x 10GbE SFP+, 32 TB storage, dual power supplies, up to660 GB/day of logs.FortiAnalyzer 2000E FAZ-2000E Centralized log and analysis appliance — 4 x GE RJ45, 2 x SFP+, 36 TB storage, dual power supplies, up to 1,000 GB/day of logs.FortiAnalyzer 3000G FAZ-3000G Centralized log and analysis appliance — 2 x GE RJ45, 2x 25GE SFP28, 64 TB storage, dual power supplies, up to3,000 GB/day of logs.FortiAnalyzer 3500G FAZ-3500G Centralized log and analysis appliance — 2 x GbE RJ45, 2 x SFP28, 96 TB storage, dual power supplies, up to5,000 GB/day of logs.FortiAnalyzer 3700F FAZ-3700F Centralized log and analysis appliance — 2 x SFP+, 2 x 1GE slots, 240 TB storage, up to 8,300 GB/day of logs. FortiAnalyzer-VM FAZ-VM-BASE Base license for stackable FortiAnalyzer-VM; 1 GB/Day of Logs and 500 GB storage capacity. Unlimited GB/Day whenused in collector mode only. 
Designed for all supported platforms.FAZ-VM-GB1Upgrade license for adding 1 GB/Day of Logs and 500 GB storage capacity.FAZ-VM-GB5Upgrade license for adding 5 GB/day of logs and 3 TB storage capacity.FAZ-VM-GB25Upgrade license for adding 25 GB/day of logs and 10 TB storage capacity.FAZ-VM-GB100Upgrade license for adding 100 GB/day of logs and 24 TB storage capacity.FAZ-VM-GB500Upgrade license for adding 500 GB/day of logs and 48 TB storage capacity.FAZ-VM-GB2000Upgrade license for adding 2 TB/Day of Logs and 100 TB storage capacity.FortiAnalyzer-VM Subscription License with Support FC1-10-AZVMS-431-01-DD Central Logging & Analytics subscription for 5 GB/Day logs. Include 24x7 FortiCare support, IOC, SOAR/SIEM services.FC2-10-AZVMS-431-01-DD Central Logging & Analytics subscription for 50 GB/Day logs. Include 24x7 FortiCare support, IOC, SOAR/SIEM services.FC3-10-AZVMS-431-01-DD Central Logging & Analytics subscription for 500 GB/Day logs. Include 24x7 FortiCare support, IOC, SOAR/SIEM services. FortiAnalyzer - Backup to Cloud Service FC-10-FAZ00-286-02-DD 1 year subscription to FortiAnalyzer storage connector service for 10TB data transfer to public cloud.FortiGuard Indicator of Compromise (IOC) Subscription FC-10-[Model code] -149-02-DD 1 Year Subscription license for the FortiGuard Indicator of Compromise (IOC).Enterprise Protection Bundle FC-10-[Model code]-432-02-DD Enterprise Protection (24x7 FortiCare plus Indicators of Compromise Service and SOC Subscription license) FortiAnalyzer SOC Subscription FC-10-[Model code]-335-02-DD Subscription license for the FortiAnalyzer SOC component Copyright © 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. 
Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

FST-PROD-DS-FAZ FAZ-DAT-R58-202010
Log Audit Solution

I. Background
With the development of information technology and the spread of its applications, enterprises and organizations of all kinds face ever-growing data volumes and increasingly complex information system environments.
To ensure the security and compliance of information systems, log auditing has become an important task.
Log auditing helps enterprises and organizations monitor and analyze the activity records of their information systems in order to discover potential security threats, trace abnormal behavior, meet compliance requirements and support after-the-fact investigations.

II. The Significance of Log Auditing
1. Security threat detection: auditing logs makes it possible to discover and respond promptly to potential security threats such as unauthorized access and abnormal login behavior.
2. Tracing abnormal behavior: log auditing records and analyzes user operations, helping enterprises and organizations trace and identify abnormal behavior such as illegal operations and data tampering.
3. Meeting compliance requirements: many industries and regulations require enterprises and organizations to audit the logs of their information systems to ensure compliance, for example PCI DSS in the financial industry and HIPAA in healthcare.
4. Support for after-the-fact investigation: when a security incident or violation occurs, log audit records provide key evidence and leads for investigation and forensics.

III. Key Components of a Log Audit Solution
1. Log collection: log collectors deployed on key systems and devices collect and store the logs these systems generate in real time.
Collected logs can include operating system logs, application logs and network device logs.
2. Log storage: collected log data is kept on secure, reliable storage media to ensure its integrity and auditability.
Storage can use a conventional relational database or a dedicated log management system.
3. Log analysis: stored log data is analyzed and mined to discover abnormal behavior and security threats.
A range of analysis tools and techniques can be used, such as rule engines and machine learning algorithms.
4. Reporting and alerting: detailed reports and alerts are generated from the analysis results so that administrators and the security team learn about the system's security status and potential threats in time.
5. Audit log management: log data is managed and maintained, including retention periods, backup policy and access control, to ensure its integrity and auditability.
6. Visualization and querying: an intuitive visual interface and powerful query functions let administrators and the security team view and analyze log data conveniently and locate and resolve problems quickly.
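The data sheet section above describes forwarding logs to a CEF server, and the solution outline above lists rule-engine analysis (component 3) and detection of abnormal login behavior (section II, item 1). The following Python script is an added example, not code from this page, from Fortinet or from any FortiAnalyzer component: it parses constructed CEF lines in the general shape a log forwarder emits and applies one detection rule, repeated failed administrator logins from a single source inside a short window, noting whether a later login from that source succeeded. The signature IDs, addresses, account names, messages and the rt timestamp format are hypothetical sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: CEF lines in the shape a FortiAnalyzer-style forwarder
# sends to a third-party CEF server. Signature IDs, addresses, account names and
# messages are hypothetical; they were not captured from a real device.
SAMPLE_CEF = r"""
CEF:0|Fortinet|FortiGate|6.4|32002|Admin login failed|6|rt=Jan 10 2021 09:00:01 src=203.0.113.7 suser=admin act=login-failed msg=Administrator admin login failed from ssh
CEF:0|Fortinet|FortiGate|6.4|32002|Admin login failed|6|rt=Jan 10 2021 09:00:05 src=203.0.113.7 suser=admin act=login-failed msg=Administrator admin login failed from ssh
CEF:0|Fortinet|FortiGate|6.4|32002|Admin login failed|6|rt=Jan 10 2021 09:00:09 src=203.0.113.7 suser=root act=login-failed msg=Administrator root login failed from ssh
CEF:0|Fortinet|FortiGate|6.4|32001|Admin login successful|2|rt=Jan 10 2021 09:00:12 src=203.0.113.7 suser=admin act=login msg=Administrator admin logged in from ssh
CEF:0|Fortinet|FortiGate|6.4|32002|Admin login failed|6|rt=Jan 10 2021 09:20:00 src=198.51.100.4 suser=ops act=login-failed msg=Administrator ops login failed from https
CEF:0|Fortinet|FortiGate|6.4|44547|Config changed|4|rt=Jan 10 2021 09:01:00 suser=admin act=edit msg=Edit policy id\=12 cfgpath=firewall.policy
"""

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# An extension key is a run of word characters at the start or after whitespace,
# immediately followed by '='. A backslash-escaped '=' inside a value never matches.
_KEY_RE = re.compile(r"(?:^|\s)([\w.]+)=")


def split_header(text):
    """Split the seven pipe-delimited CEF header fields, honouring backslash
    escapes (\\| and \\\\), and return (fields, remaining extension text)."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped character: keep it literally
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == "|":                          # unescaped delimiter ends a field
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return fields, text[i:]


def parse_extension(ext):
    """Parse 'key=value key2=value with spaces' pairs. A value runs up to the
    next unescaped key; backslash escapes (\\= and \\\\) are resolved."""
    fields = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        fields[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)
    return fields


def parse_cef(line):
    """Parse one CEF line into a flat dict (header fields plus extension keys)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:40])
    header, ext = split_header(line[len("CEF:"):])
    if len(header) != 7:
        raise ValueError("malformed CEF header: %r" % line[:40])
    event = dict(zip(HEADER_FIELDS, header))
    event["severity"] = int(event["severity"])
    event.update(parse_extension(ext))
    return event


def event_time(event):
    # 'rt' layout as used in the constructed sample above
    return datetime.strptime(event["rt"], "%b %d %Y %H:%M:%S")


def detect_login_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: `threshold` or more failed logins from one source inside `window`.
    The alert records whether a successful login from the same source followed
    the burst, which is the case an analyst should review first."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("act") in ("login-failed", "login") and "src" in ev:
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=event_time)
        failures = [e for e in evs if e["act"] == "login-failed"]
        for i, first in enumerate(failures):
            t0 = event_time(first)
            burst = [e for e in failures[i:] if event_time(e) - t0 <= window]
            if len(burst) >= threshold:
                t_last = event_time(burst[-1])
                success = any(e["act"] == "login" and event_time(e) > t_last for e in evs)
                alerts.append({"src": src,
                               "users": sorted({e.get("suser", "?") for e in burst}),
                               "failures": len(burst), "first": t0, "last": t_last,
                               "followed_by_success": success})
                break   # one alert per source is enough for the report
    return alerts


def analyze(text):
    """Parse every non-empty CEF line and run the detection rule over the result."""
    events = [parse_cef(line) for line in text.strip().splitlines() if line.strip()]
    return events, detect_login_bruteforce(events)


if __name__ == "__main__":
    parsed, found = analyze(SAMPLE_CEF)
    print("parsed %d events" % len(parsed))
    for a in found:
        print("ALERT src=%s users=%s failures=%d %s..%s success_after=%s" % (
            a["src"], ",".join(a["users"]), a["failures"], a["first"], a["last"],
            a["followed_by_success"]))
```

The rule is deliberately per-source rather than per-account so that guessing across several administrator names from one address still trips it; the threshold and window are the knobs an operator would tune against the baseline of legitimate mistyped passwords seen in their own logs.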
IV. Implementation Steps for a Log Audit Solution
1. Requirements analysis: communicate with the relevant departments and staff of the enterprise or organization to understand their log audit needs and compliance requirements, and define the goals and scope of the solution.
Configuring FortiAnalyzer to Generate Log Reports
Version: 1.0
Date: April 2013
Supported versions: N/A
Status: Reviewed
Feedback: support_cn@
Notes:
This document describes how to configure log report generation on any FortiAnalyzer unit.
FortiAnalyzer can generate reports from the collected traffic logs, archived logs and event logs; administrators define the report content as needed in order to understand network conditions.
Environment:
This article uses a FortiAnalyzer 100A for the demonstration.
The system version covered by this article is FortiOS v3.0.
Step 1: Configure the report content
Go to Report > Config > Layout and click Create New.
Fill in the report name, company name, report title and header text as required.
Click Add Chart to define the report content.
Click the plus sign under Action to add an item. This example selects only traffic by direction; administrators can add multiple items as needed. Once the items are selected, click OK.
Click Edit on a listed report to modify its properties.
Chart output, chart style and maximum entries can be chosen as required.
Once created, the layout appears in the layout list.
Step 2: Configure the schedule
Go to Report > Schedule and click Create.
Layout: select the layout defined above. Language: select Simplified Chinese.
Schedule: daily, weekly, monthly and one-time schedules are supported; define as required.
Devices/Groups: select the FortiGate device.
Output: the default is HTML, i.e. a web page.
PDF, Word, text and MHT formats are also supported and can be downloaded to a PC.
Step 3: Browse the report
View the generated report under Report > Browse.
Click the report name to view its contents; click another format to download the report to a PC.
Step 4: View the report on the FortiGate
View the report content under Log & Report > Report Access.
Fortify SCA Installation and User Manual

Contents
1. Product description
1.1. Features
1.2. Product update notes
2. Installation
2.1. Files required for installation
2.2. System platforms supported by Fortify SCA
2.3. Supported languages
2.4. Fortify SCA plugins
2.5. Compilers supported by Fortify SCA
2.6. Installing Fortify SCA on Windows
2.7. Installing the Fortify SCA Eclipse plugin
2.8. Installing Fortify SCA on Linux (requires the Linux installation files)
2.9. Installing Fortify SCA on Unix (requires the Unix installation files)
3. Usage
3.1. Fortify SCA scanning guide
3.2. Analyzing Fortify SCA scan results
4. Troubleshooting
4.1. Using log files to debug problems
4.2. "Translation failed" messages
If your C/C++ application builds successfully but one or more "Translation failed" messages appear when building with Fortify SCA, edit the <INSTALL_DIRECTORY>/Core/config/fortify-sca.properties file and change the following line:
    com.fortify.sca.cpfe.options=--remove_unneeded_entities --suppress_vtbl
to
    com.fortify.sca.cpfe.options=-w --remove_unneeded_entities --suppress_vtbl
Re-run the build to print the errors the translator encounters.
If the output indicates a conflict between your compiler and the Fortify translator
4.3. JSP translation failures
4.4. C/C++ precompiled headers

Preface
Fortify SCA is currently the industry's most comprehensive white-box source code security testing tool: it pinpoints security problems at the code level, completes testing fully automatically, carries the broadest set of security vulnerability rules, and analyzes source code security problems from multiple dimensions.