FTNT_FortiJan
Article Id 263671
Description

This article describes how to configure FortiAnalyzer without direct Internet access to receive GeoIP City DB updates from the FortiGuard server.

The GeoIP City-level database is required by the map view option in FortiAnalyzer FortiView (for example, Threat Map or SSL and Dialup IPsec) to look up the city name and coordinates for a client IP address. Without it, the Country-level database still resolves the country, but the map view has no coordinates to plot.

Solution

Section 1: FortiAnalyzer web proxy configuration.

 

  1. Configure the system web proxy so that FortiAnalyzer can reach the map servers mapserver.fortinet.com and maps.googleapis.com:

config system web-proxy
    set status enable
    set mode proxy
    set address <Proxy IP>
    set port <Proxy port>
end

 

  2. Configure the web proxy used to reach the FortiGuard servers fds1.fortinet.com and update.fortiguard.net, which deliver the GeoIP Country-level DB updates. The same setting is used for FortiAnalyzer registration to FortiCloud. From FortiAnalyzer v7.4.1 onwards, this setting does not need to be configured:

 

config fmupdate av-ips web-proxy
    set status enable
    set mode proxy
    set address <Proxy IP>
    set port <Proxy port>
end

 

  3. Configure the web proxy used to reach the FortiGuard servers fqsvr.fortinet.net and gip.fortinet.net, which deliver the GeoIP City-level DB updates. From FortiAnalyzer v7.4.1 onwards, this setting does not need to be configured:

 

config fmupdate web-spam web-proxy
    set status enable
    set mode proxy
    set address <Proxy IP>
    set port <Proxy port>
end
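The three settings above only tell FortiAnalyzer where the proxy is; whether the proxy actually lets it through to every destination is visible only on the proxy side. The following script is an added example, not part of the Fortinet article, that reads a Squid-style access log (HTTPS requests appear as CONNECT host:port lines) and reports which of the six FQDNs named above the FortiAnalyzer never reached with a 2xx, and which were explicitly denied by a proxy ACL. The log lines, the client address 10.0.0.50 and the upstream address 203.0.113.10 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): confirm from the proxy side that
# FortiAnalyzer reached every FQDN the three web-proxy settings are meant to cover.
# Assumes a Squid native-format access log:
#   time elapsed client code/status bytes method URL user hierarchy/peer type

# Destinations named in the article (system web-proxy, fmupdate av-ips, fmupdate web-spam).
REQUIRED_HOSTS="mapserver.fortinet.com maps.googleapis.com fds1.fortinet.com update.fortiguard.net fqsvr.fortinet.net gip.fortinet.net"

# Constructed sample log. 10.0.0.50 stands for the FortiAnalyzer, 203.0.113.10 for the
# upstream server; neither is a real address. gip.fortinet.net is denied, maps.googleapis.com
# never appears, so both should be reported.
SAMPLE_LOG='1688581300.101    245 10.0.0.50 TCP_TUNNEL/200 5120 CONNECT fds1.fortinet.com:443 - HIER_DIRECT/203.0.113.10 -
1688581305.202    180 10.0.0.50 TCP_TUNNEL/200 2048 CONNECT update.fortiguard.net:443 - HIER_DIRECT/203.0.113.10 -
1688581310.303    902 10.0.0.50 TCP_TUNNEL/200 983040 CONNECT fqsvr.fortinet.net:443 - HIER_DIRECT/203.0.113.10 -
1688581315.404     12 10.0.0.50 TCP_DENIED/403 3921 CONNECT gip.fortinet.net:443 - HIER_NONE/- text/html
1688581320.505     88 10.0.0.50 TCP_TUNNEL/200 1024 CONNECT mapserver.fortinet.com:443 - HIER_DIRECT/203.0.113.10 -'

# Hostnames the given client ($1) tunnelled successfully (2xx on a CONNECT). Log on stdin.
reached_hosts() {
    awk -v faz="$1" '$3 == faz && $4 ~ /\/2[0-9][0-9]$/ && $6 == "CONNECT" {
        split($7, parts, ":"); print parts[1]
    }' | sort -u
}

# Required hostnames that never got a successful CONNECT from the client ($1). Log on stdin.
missing_hosts() {
    reached=$(reached_hosts "$1")
    for h in $REQUIRED_HOSTS; do
        echo "$reached" | grep -qx "$h" || echo "$h"
    done
}

# CONNECT attempts the proxy denied for the client ($1): an ACL problem rather than
# a FortiAnalyzer-side one. Log on stdin.
denied_hosts() {
    awk -v faz="$1" '$3 == faz && $4 ~ /DENIED/ && $6 == "CONNECT" {
        split($7, parts, ":"); print parts[1]
    }' | sort -u
}

# Usage against the constructed log; on a real proxy, replace SAMPLE_LOG with the access log.
echo "missing:"; printf '%s\n' "$SAMPLE_LOG" | missing_hosts 10.0.0.50
echo "denied:";  printf '%s\n' "$SAMPLE_LOG" | denied_hosts 10.0.0.50
```

A host listed under "denied" points at the proxy ACL; a host that is missing but never denied means FortiAnalyzer has not tried it yet (the update cycle has not run, or that particular web-proxy setting was not applied), which is the case to re-check before touching the proxy.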

 

Section 2: Verification via CLI.

Once the above web proxy configuration is applied, it can take anywhere from a couple of minutes to 20 minutes for FortiAnalyzer to learn the FDS server IP addresses from FortiGuard and download the latest GeoIP Country-level and City-level packages.

 

The following CLI commands can be used to verify the current status of FortiAnalyzer:

 

  1. GeoIP Country level DB:

diag system geoip info
Version: 2.184
Date: 2023-7-5
Countries: 253
IPv4: 408226
IPv6: 177521
GEIP 2.184 Copyright (c) 2018 Fortinet Inc. All Rights Reserved

 

diag system geoip ip 4.2.2.2
4.2.2.2 : US - United States

 

     2. GeoIP City level DB:

 

diag system geoip-city info
---- GEOIP City Level info ---
version : 2.184
time : 1688581387 | Wed Jul 5 20:23:07 2023
geo count : 32856
ipv4 count : 11904363
ipv6 count : 238741

 

diag system geoip-city ip 4.2.2.2
entry for ip : "4.2.2.2"
---- GEO Entry info ----
geoname_id : 10173845
continent_iso : NA
continent_name : [en : North America]
country_iso : US
country_name : [en : United States]
region_iso : TX
region_name : [en : Texas]
city_name : [en : Dallas]
latitude : 32.776661
longitude : -96.796989
postal : 75202
timezone : America/Chicago
accuracy_radius : -1
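The two "info" commands above are what an operator reads by eye after the wait. The script below is an added example, not part of the Fortinet article, that turns that reading into a pass/fail check suitable for a runbook or a scheduled job: it extracts the version from both outputs, extracts the City DB build time, and fails if the City DB is missing, older than a chosen number of days, or at a different version than the Country DB. The sample outputs are copied from the shape shown above; the 30-day threshold and the pinned "now" value are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): check the output of
#   diag system geoip info
#   diag system geoip-city info
# for presence, freshness and version agreement of the GeoIP packages.

# Constructed sample output, same layout as the article's CLI transcript.
COUNTRY_INFO='Version: 2.184
Date: 2023-7-5
Countries: 253
IPv4: 408226
IPv6: 177521
GEIP 2.184 Copyright (c) 2018 Fortinet Inc. All Rights Reserved'

CITY_INFO='---- GEOIP City Level info ---
version : 2.184
time : 1688581387 | Wed Jul 5 20:23:07 2023
geo count : 32856
ipv4 count : 11904363
ipv6 count : 238741'

# Package version from either output. The key is "Version:" in one transcript and
# "version :" in the other, so match both and take the last field. Input on stdin.
geoip_version() {
    awk 'tolower($1) == "version" || tolower($1) == "version:" { print $NF; exit }'
}

# City DB build time as a Unix epoch ("time : <epoch> | <human date>"). Input on stdin.
city_epoch() {
    awk '$1 == "time" { print $3; exit }'
}

# True when the build time ($1) is at most $2 days before "now" ($3, epoch; defaults to current time).
city_is_fresh() {
    epoch=$1; max_days=$2; now=${3:-$(date +%s)}
    age_days=$(( (now - epoch) / 86400 ))
    [ "$age_days" -le "$max_days" ]
}

# Overall verdict. $1 = country info text, $2 = city info text, $3 = max age in days,
# $4 = "now" epoch (optional, for reproducible checks). Returns 0 only if everything passes.
check_geoip() {
    now=${4:-$(date +%s)}
    cv=$(printf '%s\n' "$1" | geoip_version)
    xv=$(printf '%s\n' "$2" | geoip_version)
    ep=$(printf '%s\n' "$2" | city_epoch)
    status=0
    if [ -z "$ep" ]; then
        echo "FAIL: no City DB build time found; City-level package not downloaded yet"
        return 1
    fi
    if [ "$cv" != "$xv" ]; then
        echo "WARN: Country DB $cv and City DB $xv are at different versions"
        status=1
    fi
    if city_is_fresh "$ep" "$3" "$now"; then
        echo "OK: City DB $xv built $(( (now - ep) / 86400 )) day(s) ago"
    else
        echo "FAIL: City DB $xv is older than $3 days"
        status=1
    fi
    return $status
}

# Usage against the constructed sample. "now" is pinned to one day after the sample build;
# on a live system omit the fourth argument and feed the real CLI output.
check_geoip "$COUNTRY_INFO" "$CITY_INFO" 30 1688667787
```

On a live box the two texts come from the CLI (for example captured over SSH into files and passed as "$(cat country.txt)" and "$(cat city.txt)"); the check is deliberately independent of how they were captured.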

 

Section 3: Verification via GUI:

 

  1. VPN -> SSL & Dialup IPsec (Table view):

[Screenshot: Table view]

 

  2. VPN -> SSL & Dialup IPsec (Map view):

[Screenshot: Map view]