FortiScan v5.0 MR1 Administration Guide

FortiScan v5.0 MR1 Administration Guide September 26, 2013 17-511-207925-20130926 Copyright© 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation

http://docs.fortinet.com

Knowledge Base

http://kb.fortinet.com

Forums

https://support.fortinet.com/forum

Customer Service & Support

https://support.fortinet.com

Training Services

http://training.fortinet.com

FortiGuard Threat Research & Response

http://www.fortiguard.com

Document Feedback

Email: [email protected]

Table of Contents

Change Log .......... 14
Introduction .......... 15
  Scope .......... 15

What’s New in FortiScan v5.0 MR1 .......... 17
Key Concepts .......... 19
  Workflow .......... 19
  Architecture .......... 20
  What is an asset? .......... 21
    Assets with multiple IP addresses .......... 22
  Administrative domains (ADOMs) .......... 22
  Scan techniques: agentless versus agent-based .......... 22
  Agent-based surveys .......... 24
    CEIDs .......... 25
    Survey intervals and network load .......... 25
  Agent scan status .......... 26
  Risk: prioritizing your business-critical machines .......... 27
  What is a vulnerability? .......... 28
  Severity .......... 29
  How to fix vulnerabilities and non-compliances .......... 30

How to use the Web-based Manager .......... 33
  System requirements .......... 33
  URL for access .......... 33
  Permissions .......... 33
    Administrative domains (ADOMs) & permissions .......... 39
  Maximum concurrent administrator sessions .......... 40
  Global Web-based Manager settings .......... 41
  Buttons, navigation menus, and the displays .......... 42
    Displaying and arranging columns .......... 44
    Filtering list entries .......... 45
    Deleting entries .......... 47

  Powering the FortiScan appliance on or off .......... 47
    Powering on a FSC-3000C/FSC-3000D .......... 47
    Shutdown .......... 48

How to set up your FortiScan .......... 49
  Appliance versus virtual appliance .......... 49
  Registering your FortiScan .......... 49
  Planning the network topology .......... 49

Connecting to your FortiScan .......... 52
  Connecting to the Web-based Manager .......... 52


  Connecting to the CLI .......... 54
  Changing the “admin” account password .......... 57
  Setting the system time and date .......... 58
  Configuring the network settings .......... 61
    Configuring the network interfaces .......... 61
    Configuring DNS settings .......... 65
    Adding a gateway .......... 67

Connecting to FortiGuard Services .......... 72
  Accessing via a web proxy .......... 76
  Scheduling VCM updates .......... 76
  Manually initiating update requests .......... 77
  Uploading VCM updates .......... 78

Updating the Firmware .......... 80
  Testing new firmware before installing it .......... 81
  Installing firmware and agent installers .......... 83
  Installing alternate firmware .......... 87

Configuring Global Email Settings .......... 91
Administrative Domains (ADOMs) .......... 93
  Manually assigning assets to an ADOM .......... 100
  Configuring administrator accounts .......... 101
  Configuring the ADOM’s connections from FortiScan agents .......... 105
  Configuring the ADOM’s email settings .......... 107
  Configuring logins for third party updates .......... 107

Discovering your Network’s Hosts .......... 109
  Viewing discovery scan reports .......... 111
  Importing hosts into the asset inventory .......... 115
  Manually adding a host to the asset inventory .......... 116

Agent Setup .......... 117
  System requirements .......... 118
    Network and firewall requirements .......... 120
  Using the push installers .......... 121
    System requirements .......... 121
      Network and firewall requirements .......... 121
    Launch: desktop vs. web-based push installer .......... 124
    Running the push installer .......... 126
      Adding hosts to the push installer’s list of targets .......... 132
      Editing a FortiScan agent’s settings file .......... 135
    Customizing push installer scripts .......... 137
      Example: Custom command prompt .......... 138


  Using the MSI installer .......... 138
    System requirements .......... 139
      Network and firewall requirements .......... 139
    Running the MSI installer .......... 140
      About MSI installer parameters .......... 142
      Example 1: Progress indicator & custom certificate file .......... 145
      Example 2: Reinstall and upgrade .......... 146
      Example 3: Via Active Directory group policy objects .......... 146

  Registering agents with the appliance .......... 148
  Assigning FortiScan agents to the ADOM .......... 149
  FortiScan agent files and permissions .......... 149

Agentless Setup .......... 153
  Network and firewall requirements .......... 153
  Preparing Windows hosts .......... 154
    Windows XP .......... 155
    Windows 7 or Windows Vista .......... 159
  Preparing Linux or Solaris hosts .......... 164
  Configuring the appliance with asset logins .......... 165

Testing the Installation .......... 166
Backup your FortiScan .......... 167
  Restoring a previous configuration .......... 171

System Settings .......... 175
  Changing the FortiScan appliance’s host name .......... 175
  Changing the RAID level .......... 175
    Supported RAID levels .......... 177

Your Asset Inventory .......... 179
  Grouping assets .......... 181
    Removing an asset from an asset group .......... 186
    Moving an asset between groups .......... 186
    Moving an asset group .......... 187
    Renaming and changing the criticality of an asset group .......... 187
    Deleting an asset group .......... 188

  Configuring asset-specific settings .......... 189
    Configuring the appliance with an asset login .......... 189
    Indicating asset criticality .......... 193
    Entering an asset description .......... 194
    Configuring custom fields .......... 195
    Overriding the ADOM’s survey intervals .......... 196

  Deleting and retiring assets .......... 199


  Viewing overall asset statistics .......... 201
    Assets by Network Scan status chart .......... 202
    Assets by Agent Scan status chart .......... 203
    Assets by OS chart .......... 204
    Assets by criticality chart .......... 205
    Windows assets distribution chart .......... 205
    Latest statistics table .......... 206
    Viewing a chart’s asset summary .......... 206
      Viewing a chart’s asset details .......... 207

Survey Data from FortiScan Agents .......... 217
  Hardware and OS .......... 217
  Administrators, users, and groups .......... 219
  Installed patches .......... 220
  Processes .......... 221
  Devices and drivers .......... 223
  Network .......... 223
  File system .......... 225
  Installed software .......... 226
  Search for software or processes .......... 227

Agentless Vulnerability Scans .......... 228
  About vulnerability sensors .......... 228
  Workflow .......... 228
  Configuring remote vulnerability scans .......... 229
    Configuring vulnerability scan sensors .......... 229
    Configuring network vulnerability scan profiles .......... 235
    Configuring report output for remote network vulnerability scans .......... 238
    Scheduling network vulnerability scans .......... 241

  Viewing remote vulnerability scan reports .......... 244
  Viewing host vulnerability statuses .......... 247
    Vulnerabilities by severity level and top 10 categories .......... 247
    Top 10 vulnerable hosts by business risk .......... 247
    Top 10 vulnerabilities .......... 248

  Viewing the vulnerability database .......... 249
  Configuring network audit scans .......... 251

IPS Advisor .......... 252
  Overview .......... 252
  IPS database .......... 253
  IPS device configuration .......... 254
  IPS device information .......... 255
  Advisory .......... 256
  IPS advisor reports .......... 257


Agent-based Vulnerability Scans .......... 258
  About vulnerability alerts .......... 258
  Workflow .......... 258
  Viewing the sets of vulnerability definitions .......... 259
    Viewing vulnerability definitions in the set .......... 260
  Defining settings for vulnerability scans .......... 261
  Scheduling a vulnerability scan .......... 263
  Viewing vulnerability statistics .......... 265
    Viewing vulnerabilities per category .......... 267
    Viewing assets per vulnerability .......... 268
    Viewing vulnerability details .......... 269
    Viewing remediations available for a vulnerability .......... 271

  Viewing vulnerability scan results .......... 273
    Viewing detailed vulnerability scan results .......... 274
    Viewing detailed vulnerability scan results per platform .......... 276
    Viewing an asset’s vulnerabilities .......... 279
      Summary section .......... 279
      Vulnerabilities Summary section .......... 281
      Error summary section .......... 282

Patch Scans .......... 283
  Workflow .......... 283
  Viewing defined patch sets .......... 283
    Viewing patch definitions .......... 285
  Defining settings for patch scans .......... 285
  Scheduling a patch scan .......... 288
    Viewing patch scan statistics .......... 290
    Viewing patch scan results .......... 292
      Viewing detailed patch scan results .......... 293
      Viewing detailed patch scan results per platform .......... 295
    Viewing an asset’s patch-related vulnerabilities .......... 297
      Summary section .......... 297
      Patch vulnerabilities summary section .......... 300
      Error summary section .......... 301

Compliance .......... 302
  PCI DSS .......... 302
    What does PCI DSS compliance require? .......... 302
    Workflow .......... 303
    Generating PCI DSS compliance reports .......... 303
    Using PCI DSS compliance reports .......... 305


  Agent-based compliance scans .......... 308
    Workflow .......... 309
    Uploading benchmarks .......... 309
      Searching by CVE ID .......... 310
      Viewing compliance benchmarks .......... 314
      Viewing the rules in a benchmark .......... 316
      Viewing an OVAL definition’s details .......... 316
      Modifying a benchmark .......... 318
    Scheduling a compliance scan .......... 320
    Viewing compliance statistics .......... 324
    Viewing compliance scan results .......... 325
      Viewing detailed compliance scan results .......... 327
      Viewing detailed compliance scan results per asset group .......... 329
      Viewing detailed compliance scan results per benchmark .......... 331
      Viewing FISMA reports .......... 333
      Viewing rule violations .......... 335
      Viewing the score breakdown .......... 337
      Waiving and correcting test results .......... 344

  Viewing compliance rule violations .......... 346
  Achieving real-time compliance via policies .......... 347
    Configuring compliance policies .......... 353
      Adding conditions to a compliance policy .......... 356
      Adding remediation actions to a compliance policy .......... 358
      Allowing only authorized software .......... 360
    Applying policies to a combination of assets .......... 361
    Removing policies from assets .......... 363
      Determining which assets are affected by a policy .......... 364
    Grouping policies .......... 365

Alerts .......... 368
  Event types .......... 368
    Event statuses .......... 369
    Event contents .......... 369
  Importing events from third party sources .......... 370
  Viewing alert events .......... 370
    Modifying alert event page display settings .......... 371
  Handling vulnerability alerts .......... 371
    Viewing vulnerability alert details .......... 374
  Handling policy alerts .......... 376
    Viewing policy alert details .......... 378
  Handling dispatched remediations .......... 380
    Viewing dispatched remediation alert details .......... 381
  Remediating alert events .......... 382
    Manually remediating alert events .......... 383
    Automatically remediating an alert .......... 386


  Accepting risk for an alert .......... 387
  Marking a vulnerability or policy alert as externally resolved .......... 388
  Canceling risk acceptance or external resolution for an alert .......... 388
  Removing an alert .......... 389
  Alert notifications via e-mail .......... 390
    Configuring e-mail alerts for policy violations .......... 390
    Enabling e-mail alerts for remediations .......... 390

Tickets .......... 392
  Workflow .......... 392
  Configuring ticket policies .......... 392
  Viewing ticket statistics .......... 395
  Tracking and closing tickets .......... 397

Remediating .......... 399
  Viewing unresolved vulnerabilities .......... 399
  Viewing remediations available from Fortinet .......... 401
    Viewing remediation details .......... 402
    Searching for remediations by CVE ID .......... 403
  Defining remediation templates .......... 403
    Adding actions to a remediation template .......... 406
    Modifying remediation actions .......... 407
    Copying a remediation template .......... 408
    Combining multiple remediation templates .......... 408

  Dispatching remediations .......... 409
  Viewing remediation statistics .......... 415
    Viewing remediation summary lists per category .......... 417

Defining Custom Fields .......... 418
  Importing and exporting custom field definitions .......... 419
  Importing custom field data .......... 422

Monitoring the System .......... 424
  The dashboard .......... 424
    System information widget .......... 426
    License information widget .......... 427
    CLI console widget .......... 429
    System resources widget .......... 430
    Disk monitor widget .......... 432
      Replacing hard disks .......... 434
      Viewing RAID settings .......... 438
    Unit operation widget .......... 439
    Statistics widget .......... 440

FortiScan v5.0 MR1 Administration Guide

   Compliance and vulnerability statistics ........ 442
      Compliance summary chart ........ 443
         Compliance job summary table ........ 443
      Vulnerability summary chart ........ 444
         Vulnerability job summary table ........ 445
      Patch summary chart ........ 446
         Patch job summary table ........ 447
      Authorized software policy summary chart ........ 447
         Authorized software policy summary table ........ 448

   Security postures ........ 449
      Compliance posture tab ........ 449
      Vulnerability posture tab ........ 451
         Viewing the top 10 most vulnerable assets ........ 454
      Patch posture tab ........ 455
      Authorized software posture tab ........ 456

   Monitoring and disconnecting administrator sessions ........ 457
   SNMP traps and queries ........ 457
      MIB support ........ 462
   Scheduled tasks and events ........ 463
   Logs ........ 464
      Viewing system logs ........ 464
      Viewing audit logs ........ 466
         Viewing asset audit logs ........ 466
         Viewing operation audit logs ........ 467
      Customizing the log view ........ 468
         Displaying and arranging log columns ........ 469
         Filtering logs ........ 469
         Searching the logs ........ 470

   System errors ........ 473
      Viewing general error events ........ 474
      Viewing asset error events ........ 475
      Removing an error event ........ 476

   Reports ........ 476
      Generating real-time agent-based reports ........ 477
         Viewing posture reports ........ 478
         Viewing traditional reports ........ 478
         Tabular views ........ 479
      Scheduling reports ........ 482
         Viewing all pending scheduled reports ........ 487
         Viewing a completed scheduled report ........ 488
      ODBC access for third party reports ........ 489
         Configuring allowed database clients ........ 489
         Configuring database users ........ 489

   FortiGuard updates ........ 490
   Vulnerability scans and alerts ........ 490

Maintaining Your Agent Deployments ........ 491
   Workflow ........ 491
   Installing the FortiScan agent on discovered assets ........ 491
   Determining a FortiScan agent’s version ........ 492
   Starting and stopping a FortiScan agent ........ 493
   Resetting a FortiScan agent ........ 494
   Updating the FortiScan agents ........ 494
   Uninstalling a FortiScan agent ........ 496

Troubleshooting ........ 500
   Tools ........ 500
      Ping and traceroute ........ 500
      Log messages ........ 501
      Diff ........ 501
      Packet capture ........ 502

   Troubleshooting basics ........ 507
      Establishing a system baseline ........ 507
      Defining the type of problem ........ 507
      Searching for a known solution ........ 508
      Creating a plan ........ 508
         Obtaining access & privileges for equipment ........ 508

   Troubleshooting by issue type ........ 508
      Connectivity issues ........ 508
         Checking hardware connections ........ 509
         Examining the ARP table ........ 509
         Checking routing ........ 509
         Checking port assignments ........ 517
         Performing a packet trace ........ 517
      Bootup issues ........ 518
         A. Do you see the boot options menu? ........ 518
         B. Do you have problems with the console text? ........ 518
         C. Do you have visible power problems? ........ 519
         D. You have a suspected defective FortiScan appliance? ........ 519

   Restoring firmware (“clean install”) ........ 519

Appendix A: Maximum Values ........ 523
Appendix B: Port Numbers ........ 525
   FortiScan appliances ........ 525
   FortiScan agents ........ 526
      MSI installer ........ 527
      Push installer ........ 527
   Agentless hosts ........ 528

Appendix C: Supported RFCs ........ 529
Appendix D: ODBC Support ........ 530
   System requirements ........ 530
   Connecting your computer to the FortiScan database ........ 530
      Step 1: Configure the FortiScan appliance to accept ODBC connections ........ 530
      Step 2: Install the ODBC driver for PostgreSQL ........ 531
      Step 3: Configure the ODBC data source name (DSN) ........ 531

   About the FortiScan database schema ........ 532
      Entities in the database ........ 532
      Attributes of each entity ........ 533
         alert_view ........ 533
         applied_policy_view ........ 534
         asset_details_view ........ 535
         asset_log_view ........ 536
         asset_retired_view ........ 537
         asset_uptime_view ........ 537
         users_view ........ 538
         installed_device_view ........ 538
         installed_device_summary_odbc_view ........ 539
         installed_application_view ........ 539
         installed_patch_view ........ 540
         killed_process_view ........ 540
         running_process_view ........ 541
         ungrouped_assets_view ........ 542
         unprotected_assets_view ........ 542
         violated_policy_view ........ 543
         summary_elements_view ........ 543
         assets_with_multi_ip_view ........ 543
         asset_remediation_history_view ........ 544
         asset_vuln_history_view ........ 544
         installed_app_summary_odbc_view ........ 545
         user_activity_log_view ........ 545
         unique_alert_view ........ 546
         unapplied_policy_asset_view ........ 546
         benchmark_view ........ 546

Appendix E: Remediation Actions ........ 549
Appendix F: Policy Conditions ........ 560
Appendix G: About CVE ........ 566
   What does it mean to be CVE-compatible? ........ 566
   What is CVE? ........ 566
   Why CVE? ........ 566
   CVE Editorial Board ........ 567
   Candidate Numbering Authority ........ 567
   CVE Editor ........ 567
   From Candidate to CVE Entry ........ 567
      The Candidate Numbering Process ........ 568
      The CVE Candidate-to-Permanent Process ........ 568

Appendix H: EULA and Copyright ........ 569
   OpenSSL FIPS object module by Open Source Software Institute ........ 569
   Open SSL toolkit ........ 571
   Open Vulnerability Assessment Language (OVAL) ........ 573
   eXtensible Configuration Checklist Description Format (XCCDF) ........ 573
   Common Vulnerabilities and Exposures (CVE®) ........ 573
   Common Configuration Enumeration (CCE™) ........ 574
   Common Platform Enumeration (CPE™) ........ 574
   Common Vulnerability Scoring System (CVSS) ........ 574
   Red Hat Linux & Applications license ........ 574
   PostgreSQL license ........ 577
   Java Terms of Use ........ 577
   Apache license ........ 582
   Microsoft Terms of Use ........ 587
   Microsoft End-User Agreement ........ 593
   JasperReports GLGPL ........ 602

Index ........ 607

Change Log

Date          Change Description
2013-08-06    Initial release.
2013-09-26    Minor update for FortiScan v5.0 MR1 Patch Release 1.

Introduction

Welcome, and thank you for selecting Fortinet products for your network protection. FortiScan is a managed security service provider (MSSP) and enterprise-level IT security solution. It empowers you to protect your many network hosts from known vulnerabilities and exploits, and to achieve compliance with many regimes, including:
• PCI DSS
• SOX (Sarbanes-Oxley)
• HIPAA
• FDCC
• USGCB
FortiScan physical or virtual network appliances, together with FortiScan agents, help you to efficiently address the ever-increasing number of computer security threats. FortiScan network appliances provide ready-to-deploy fixes and enforcement actions, which can change host configurations to mitigate weak settings and patch applications. This frees your time to focus on zero-day vulnerabilities and exploits, before vendor-provided patches or fixes are available. FortiScan network appliances can scan your network for vulnerabilities and compliance exposures, prioritizing hosts by risk.

Scope

This document describes how to set up your FortiScan appliance. For both the hardware and virtual appliance versions of FortiWeb, it describes how to complete first-time system deployment, including planning the network topology. It also describes how to use the web user interface (Web-based Manager), and contains lists of default utilized port numbers, configuration limits, and supported standards. This document assumes, if you have installed the physical appliance version and/or virtual appliance version (FortiScan VM), that you have already followed the instructions in the FortiScan Hardware Install Guide and FortiScan VM Install Guide. After completing “How to set up your FortiScan” on page 49:
• You will have administrative access to the Web-based Manager and/or CLI.
• You will have completed firmware updates, if any.
• The system time, DNS settings, administrator password, and network interfaces will be configured.
• You will have installed the FortiScan agent on hosts that you want to monitor and/or manage.
• You will have completed firmware and FortiGuard Vulnerability Management Service (VCM) plug-in and engine updates.
• You will have configured basic logging.

Fortinet Technologies Inc.


Once that basic installation is complete, you can use the rest of this document to use the Web-based Manager to:
• Update the FortiScan appliance.
• Reconfigure features.
• Use advanced features, such as asset management, compliance management, vulnerability management, remediation, and reporting.
• Diagnose problems.
This document does not cover commands for the command line interface (CLI). For information on the CLI, see the FortiScan CLI Reference. This document is intended for administrators, not end users. If you have a user account on a host where the FortiScan agent is installed, please contact your system administrator.


What’s New in FortiScan v5.0 MR1

The list below contains features new or changed since the previous releases, FortiScan v5.0.0 and FortiScan 4.0 MR3. For upgrade information, see the Release Notes available with the firmware and “Updating the Firmware” on page 80.

FortiScan v5.0 MR1
• Configuration of agent vulnerability scan task: You can now configure schedules and set the scan timeout, allowing you to frequently scan a group of consistently changing assets.
• Enhancement of the Accept Risk feature: You may want to designate some detected vulnerabilities as accepted risks, leave them out of remediation, and exclude them from affecting the PCI compliance status. This enhancement allows these settings to be applied to all future alerts, which are reported separately in PCI scans.
• When configuring an agent-based vulnerability scan, you can enable automatic purging of historical scan results.

FortiScan v5.0.0
• IPS advisor for FortiGates: FortiScan can now act as a central information point when using your FortiGate firewalls for distributed network vulnerability scans. Network vulnerability scans performed by a FortiGate running FortiOS v4.0 MR3 or v5.0 can be imported into FortiScan. FortiScan will indicate if either:
   • an asset is not currently protected by a corresponding IPS signature on one of the FortiGates protecting the asset, or
   • no IPS signature is available (such as for vulnerabilities that occur only with local access, and not through the network) and you must patch the host.
  See “IPS Advisor” on page 252.
• Network audit scan: Network audit scan provides an overview of network compliance and other configuration. Compliance audit scans can now be performed by the FortiScan appliance connecting to the asset, without having to install a FortiScan agent on that computer or device. Previously, audit scans required installation of the agent. See “Agentless Vulnerability Scans” on page 228.
• Network scan focused interface: The Asset Inventory page adapts to the assets selected. Tabs that apply only to agent-managed assets are not displayed if none of the selected assets is agent-managed. When deploying without installing a FortiScan agent on each of your network’s devices, the FortiScan appliance’s Web-based Manager is now more tailored to that deployment type. For example, the asset inventory will now indicate the network scan status rather than the agent connectivity status (which is not applicable in this deployment type). See “Your Asset Inventory” on page 179.
• Improved accuracy for OS fingerprinting: Additional network device types can now be detected. Also, when the OS cannot be determined, FortiScan will now indicate that rather than making a best guess that may be incorrect. See OS Type and OS Version in “Your Asset Inventory” on page 179.
• Report template customization: You can upload a customer logo when configuring a report template and include the logo in the report. You can also enter one or more sections of text to form part of the report. Each section should have a section title and one or more paragraphs of text. These form an integrated part of the report.


• Network vulnerability scan enhancements: You can suspend a network scan for a period of time each day, and pause or resume a network scan.
• Web-based Manager enhancements under the Asset, Network Scan, Report, and Events & Tickets menus.
• New platforms supported: FortiScan agents included with this release support the two latest Microsoft Windows platforms: Windows 8 and Windows Server 2012.
• New appliance model FSC-3000D: This platform replaces FSC-3000C, with the same capabilities across various metrics.


Key Concepts

This chapter defines basic FortiScan concepts and terms. If you are new to FortiScan, or new to risk and vulnerability management systems, this chapter can help you to quickly understand this document and your FortiScan.

Workflow

Begin with “How to set up your FortiScan” for your initial deployment. These instructions will guide you to the point where you have a simple, verifiable working installation. Once you have successfully deployed, ongoing use involves:
• Backups
• Updates
• Configuring optional features
• Discovery scans or manual asset inventory use to add new assets and retire old ones
• Adjusting policies
• Fine-tuning performance
• Periodic compliance scans, vulnerability scans, and patch scans as required by your security policy or compliance regime
• Monitoring remediation tickets
• Applying remediations (security patches and compliance changes)
• Network vulnerability scans to monitor hosts without a FortiScan agent, and to perform external penetration testing and generate PCI DSS compliance reports
• Monitoring reports, logs, tickets, and alerts
Ongoing use is located in the chapters after “How to set up your FortiScan”.


Architecture

[Figure 1: FortiScan network architecture]

The FortiScan Vulnerability and Compliance Management (VCM) platform architecture employs a client-server model comprising two key components:
• FortiScan appliance: An integrated security appliance and central FortiScan application server. It keeps its definitions of vulnerabilities and compliance benchmarks current by downloading them from the Fortinet Distribution Network (FDN). The FortiScan appliance uniquely identifies and tracks each FortiScan agent in your network using an identifier called the CEID. The appliance can discover your network’s hosts and do remote vulnerability scans, regardless of whether or not a FortiScan agent has been installed on each host. However, for hosts that have the FortiScan agent installed (called an “asset” or “protected host” in FortiScan documentation), the appliance can perform many more protective functions: it maintains a database of their protection and compliance status, the latest hardware and software survey results, and a periodically updated list of known vulnerabilities, remediations, and patches available from Fortinet and your third-party vendors. Alerts for non-compliant hosts can be viewed from within the Web-based Manager. Remediations can be applied to assets either automatically or with the approval of a FortiScan appliance administrator, and can be tracked using tickets. If your network has a centralized reporting server, it can connect as an ODBC client to the appliance’s database in order to generate custom reports.
• FortiScan agents: Client software installed on hosts in your network. FortiScan agents are lightweight, with negligible processor, memory, and hard disk requirements. Depending on the operating system of the host, the agent may be a daemon or a service. The FortiScan agent periodically surveys the asset’s hardware and software configuration and reports it to the FortiScan appliance. The agent also polls the appliance for directives to complete compliance scans, vulnerability scans, or patch scans, and for remediations dispatched to it. It reports the results of the remediation during the next survey.
FortiScan may also be configured to accept other client connections, such as:
• ODBC clients (such as a centralized reporting server)
• SNMP clients (such as an SNMP manager that sends queries)
Like many other systems that employ a client-server model, the FortiScan appliance also makes some connections in which it acts as a client (that is, the origin of the connection) rather than as a server:
• performing network vulnerability scans of unprotected and protected hosts
• querying DNS servers
• polling for patches and updates from the FDN and third-party servers

For details on port numbers and protocols used by the FortiScan appliance, the FortiScan agents, and push installers, see “Appendix B: Port Numbers” on page 525.

What is an asset?

An asset (host) is any network device with an IP address, such as a computer, router, switch, server, workstation, laptop, printer, “smart” mobile phone such as an iPhone or Android mobile phone, or even a VoIP phone. To add your assets to your inventory, you can upload a list, add them individually, or use the FortiScan appliance to scan your network. IP addresses discovered during a discovery scan are automatically imported into the ADOM’s asset inventory (see “Discovering your Network’s Hosts” on page 109). Once you have an inventory of your devices, you can manage your assets, including:
• installing a FortiScan agent on each host (see “Agent Setup” on page 117)
• searching for installed viruses or pirated software (see “Search for software or processes” on page 227)
• auditing for and enforcing compliance (see “Agent-based Vulnerability Scans” on page 258)
• applying disk space and other policies (see “Achieving real-time compliance via policies” on page 347)
• dispatching fixes (see “Dispatching remediations” on page 409)
• running a remote vulnerability scan (see “Agentless Vulnerability Scans” on page 228)
FortiScan agents periodically submit surveys which track various compliance and vulnerability data. Charts, tables, and reports can be generated from survey data, helping you to make informed policies and remediations for your assets. Assets may belong to an automatically-maintained group, such as All Assets. You can create additional groups to make it simpler to apply remediations and policies to similar sets of hosts.


Assets with multiple IP addresses

In many large networks, it is common for an asset to have multiple network interface cards (NICs) installed, and for some or all of those NICs to be aliased to IP addresses other than its primary address. The FortiScan appliance reports all of the NICs on an asset, and all of the IP addresses associated with those NICs, on the Network tab when the asset is opened in the asset editor pane (see “Your Asset Inventory” on page 179). A vulnerability scan may detect vulnerabilities on any or all of the IP addresses associated with an asset. The FortiScan appliance aggregates these vulnerability reports into a single vulnerability alert that is bound to the IP address from which the asset’s FortiScan agent registered and sends surveys. For example, if an asset registered using the IP address 172.16.1.1, but it also has three other NICs with their own IP address aliases, vulnerabilities detected on any of the asset’s IP addresses will be reported in a single vulnerability alert for 172.16.1.1.
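The aggregation rule described above, as an added example that is not FortiScan code: findings on any of an asset's IP aliases are folded into one alert keyed by the IP the agent registered from, findings on IPs that belong to no inventoried asset are kept aside, and an IP claimed by two assets is rejected. The asset records, alias addresses and vulnerability identifiers are constructed for this example.

```python
"""Aggregate per-IP vulnerability findings into one alert per asset.

Added example, not FortiScan code. It models the behaviour described in
the text: findings on any of an asset's IP aliases are reported in a
single alert bound to the IP from which the agent registered.
All asset records and findings below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Asset:
    # IP address the FortiScan agent registered from (the alert key).
    registered_ip: str
    # Every other IP address bound to the asset's NICs (aliases).
    alias_ips: set = field(default_factory=set)


def build_ip_index(assets):
    """Map every known IP (registered or alias) to its asset's registered IP."""
    index = {}
    for asset in assets:
        for ip in {asset.registered_ip, *asset.alias_ips}:
            if ip in index and index[ip] != asset.registered_ip:
                # One IP claimed by two assets means the inventory is
                # inconsistent; refuse rather than silently misattribute.
                raise ValueError(
                    f"{ip} belongs to both {index[ip]} and {asset.registered_ip}"
                )
            index[ip] = asset.registered_ip
    return index


def aggregate_alerts(assets, findings):
    """Group (scanned_ip, vuln_id) findings into one alert per registered IP.

    Returns (alerts, unmatched): alerts maps registered IP -> sorted list of
    unique vulnerability IDs; unmatched lists findings on IPs that belong
    to no inventoried asset (for example a host without an agent).
    """
    index = build_ip_index(assets)
    alerts = defaultdict(set)
    unmatched = []
    for scanned_ip, vuln_id in findings:
        owner = index.get(scanned_ip)
        if owner is None:
            unmatched.append((scanned_ip, vuln_id))
        else:
            alerts[owner].add(vuln_id)
    return {ip: sorted(ids) for ip, ids in alerts.items()}, unmatched


# Constructed sample inventory: one asset registered from 172.16.1.1 (the
# address used in the text) with three aliases, plus a single-IP asset.
SAMPLE_ASSETS = [
    Asset("172.16.1.1", {"172.16.1.2", "10.0.0.5", "192.168.9.9"}),
    Asset("172.16.2.20"),
]

# Constructed findings: (scanned IP, vulnerability identifier). The
# identifiers are placeholders, not real CVE entries.
SAMPLE_FINDINGS = [
    ("172.16.1.1", "VULN-A"),
    ("10.0.0.5", "VULN-B"),
    ("192.168.9.9", "VULN-A"),   # same weakness seen via another alias
    ("172.16.2.20", "VULN-C"),
    ("172.16.3.1", "VULN-D"),    # IP not in the inventory at all
]

if __name__ == "__main__":
    alerts, unmatched = aggregate_alerts(SAMPLE_ASSETS, SAMPLE_FINDINGS)
    for ip, vulns in sorted(alerts.items()):
        print(f"alert for {ip}: {', '.join(vulns)}")
    print("findings on uninventoried IPs:", unmatched)
```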

Administrative domains (ADOMs)

Each host that you add to the asset inventory within the appliance’s database is assigned to one or more administrative domains (ADOMs). ADOMs effectively divide assets into sets that can be assigned to a FortiScan administrator account, thereby restricting the account to viewing and/or modifying only the assets for which that account is responsible. All FortiScan administrator accounts, except admin, must be assigned to an ADOM. admin is a special account that is not assigned to any ADOM. Its responsibility is to configure global settings that apply to the entire appliance, as well as to configure the ADOMs themselves. Which hosts belong to an ADOM? Can hosts belong to multiple ADOMs? Both are determined by each ADOM’s asset filter. Asset filters define which IP addresses may be included in the ADOM, and therefore which can be added to its asset inventory (see “Assigning FortiScan agents to the ADOM” on page 149). Because all administrators except admin are assigned to an ADOM, asset filters partially determine which assets each administrator has permission to affect. For more information on permissions, see “Permissions” on page 33. To configure ADOMs, see “Administrative Domains (ADOMs)” on page 93.
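How asset filters decide ADOM membership and, through it, what an account may touch, as an added example that is not FortiScan code. It assumes a filter is a list of IP networks, inclusive IP ranges or single addresses (a constructed syntax, not the appliance's own), lets one host match several ADOMs, and treats admin as global; the ADOM names, filters and account names are constructed.

```python
"""ADOM asset filters and the permission check they imply.

Added example, not FortiScan code. It models the behaviour described in
the text: each ADOM has an asset filter, a host can fall into more than
one ADOM, an account assigned to an ADOM may act only on hosts that its
ADOM admits, and admin is not bound to any ADOM. The filter syntax, ADOM
names and account names below are constructed for this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IPRange:
    """Inclusive address range such as 192.0.2.10-192.0.2.20."""
    start: ipaddress.IPv4Address | ipaddress.IPv6Address
    end: ipaddress.IPv4Address | ipaddress.IPv6Address

    def __contains__(self, ip) -> bool:
        # ipaddress refuses to order IPv4 against IPv6; treat as no match.
        if ip.version != self.start.version:
            return False
        return self.start <= ip <= self.end


def parse_filter(entry: str):
    """Parse one filter entry: 'a.b.c.d/n', 'a.b.c.d-e.f.g.h', or a single IP."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {entry}")
        return IPRange(lo, hi)
    # strict=False lets a host-style entry like 10.10.5.7/24 mean its network;
    # a bare address becomes a /32 (or /128) network.
    return ipaddress.ip_network(entry, strict=False)


class ADOM:
    def __init__(self, name: str, filter_entries):
        self.name = name
        self.filters = [parse_filter(e) for e in filter_entries]

    def allows(self, ip) -> bool:
        """True if the host IP is admitted by any entry of the asset filter."""
        ip = ipaddress.ip_address(ip)
        return any(ip in f for f in self.filters)


def adoms_for_host(ip, adoms) -> list:
    """Names of every ADOM whose asset filter admits the host (may be several)."""
    return sorted(a.name for a in adoms if a.allows(ip))


def can_manage(account: str, account_adom, ip, adoms) -> bool:
    """admin is global; any other account needs an ADOM that admits the host."""
    if account == "admin":
        return True
    if account_adom is None:
        raise ValueError(f"account {account} must be assigned to an ADOM")
    return account_adom in adoms_for_host(ip, adoms)


# Constructed sample ADOMs. The overlap is deliberate: a host in
# 10.10.5.0/24 belongs to both branch-east and pci-zone.
SAMPLE_ADOMS = [
    ADOM("branch-east", ["10.10.0.0/16"]),
    ADOM("pci-zone", ["10.10.5.0/24", "192.0.2.10-192.0.2.20"]),
    ADOM("lab", ["192.0.2.0/24", "2001:db8::/32"]),
]

if __name__ == "__main__":
    for host in ("10.10.5.7", "10.10.9.1", "192.0.2.15", "198.51.100.1"):
        members = adoms_for_host(host, SAMPLE_ADOMS)
        print(host, "->", members or "no ADOM admits this host")
    print("alice (pci-zone) on 10.10.9.1:",
          can_manage("alice", "pci-zone", "10.10.9.1", SAMPLE_ADOMS))
```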

Scan techniques: agentless versus agent-based

FortiScan appliances can scan using several different techniques. Some scans are executed locally by a host’s FortiScan agent, with the results sent to the appliance; these distribute load to each host for enhanced performance and capabilities. Others are performed remotely, by the FortiScan appliance connecting to each host. In the diagram below, connection direction is indicated by the arrows; initiators are outlined in green.


[Figure 2: Agent-based versus agentless scan topologies]

Techniques include:
• Remote network vulnerability scans (sometimes called “port scans” or “RVS”)
• Remote, authenticated network vulnerability scans
• FortiScan agent-based surveys of hardware, software, and configuration
• FortiScan agent-based scans
   • Compliance (audit) scans
   • Vulnerability scans
   • Patch scans
Each scan type has its own benefits and drawbacks.

Table 1: Agentless versus agent-based scans

                                                                   Agentless scans   Agent-based scans
Does not require inbound policy from FortiScan through firewalls   No                Yes
Does not require software installed on hosts                       Yes               No
Accurate fingerprinting                                            Yes *             Yes
Software & hardware audits                                         Yes               Yes
Reports                                                            Yes               Yes
Ticketing for manual fixes                                         Yes               Yes
Automatic fixes where possible                                     No                Yes

* Requires authentication. Unauthenticated port scan fingerprints may not be accurate.

For the most comprehensive protection, “How to set up your FortiScan” on page 49 will guide you through the setup for all techniques. Some techniques may not be possible or practical for you. Omit setup for inapplicable techniques.


For example, cloud security providers and PCI DSS auditors typically do not use agent-based scans. They do not own the hosts that they are scanning, and therefore cannot install software such as the FortiScan agent. Also, if a security provider’s customer does not have directory-based authentication such as OpenLDAP, IBM Lotus Domino, or Microsoft Active Directory, they might not use authenticated RVS for that customer — thousands of hosts, each with local accounts, may make configuring authenticated RVS of every individual too time-consuming to be practical. In contrast, a large bank with its many hosts and compliance regimes might use both authenticated RVS and agent-based surveys and scans in order to maximize accuracy and knowledge and minimize manual work and risk.

Agent-based surveys

Upon initial startup, the FortiScan agent on each asset conducts a quick, limited survey of its host, then submits this information to its FortiScan appliance to complete registration. This transitions the asset to Registered status. (See “Agent scan status” on page 26.) A short time later, each FortiScan agent provides a more detailed survey, which allows the appliance to begin analysis and policy enforcement. Thereafter, the agent periodically sends two types of surveys:

• Standard surveys: Limited survey that occurs every 61 minutes by default. On Windows hosts, this is generated by survey.exe located in the deployment directory. Includes:
  • processes (name, PID, path, owner, size, permissions, creation time, modification time, and MD5 checksum value)
  • central processing unit (CPU) utilization
  • logical drives and partitions
  • available hard drive space
  • total hard drive capacity
  • local administrators (including which are currently connected)
  • groups
• Detailed surveys: Full survey that occurs every 24 hours (1,440 minutes) by default, as well as every time the agent is started. On Windows hosts, this is generated by LongSurvey.exe located in the deployment directory. Includes:
  • all standard survey items (above)
  • boot time and date
  • host name
  • address resolution protocol (ARP) table
  • routing table
  • internet protocol (IP) address
  • media access control (MAC) address
  • network interfaces
  • network connections (netstat)
  • installed software, patches, and hot fixes
  • device driver list (Windows only)
  • operating system (OS) type and version
  • basic input output system (BIOS) version and manufacturer
  • total random access memory (RAM) and its utilization
  • virtual RAM and paged memory utilization
  • CPU family, model, speed, and count

You can specify the survey interval for both standard and detailed surveys globally (for all assets), or on an asset-by-asset basis. For details, see “Configuring the ADOM’s connections from FortiScan agents” on page 105 and “Overriding the ADOM’s survey intervals” on page 196.

Surveys can also be initiated by dispatching a remediation to an asset. The FortiScan agent will retrieve the remediation directive the next time that it connects to the appliance to send a survey. The remediation template must contain only one remediation action: either the Detailed Survey action or the Standard Survey action. See “Defining remediation templates” on page 403 then “Dispatching remediations” on page 409.

CEIDs

When an asset’s FortiScan agent is installed and initially connects with the FortiScan appliance, if it does not already have one, it receives a unique identifier, called a CEID or watermark. The CEID is stored in a .ceid file with the agent, and ensures that the appliance does not confuse one asset with another, regardless of how many different assets are using the same IP address on their own separate private networks. If multiple agents accidentally use the same CEID, you may experience issues such as disconnections and merged data. This can occur if you have installed agents to a Norton Ghost image or virtual machine image that was then deployed to multiple different assets. For more CEID-related troubleshooting information, see “FortiScan agent files and permissions” on page 149.

CEIDs do not appear in the Web-based Manager. Usually, an asset is listed by its host name, description, or IP address. However, you can view an asset’s CEID using an ODBC connection to the appliance’s database (see “Appendix D: ODBC Support” on page 530) or by viewing the .ceid file on the asset (see “FortiScan agent files and permissions” on page 149).
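The following script is an added example and is not part of the FortiScan guide or product. It takes rows of the kind an ODBC export of the asset inventory could yield (the column names host, ip and ceid, the function names, and the sample rows themselves are constructed assumptions) and reports every CEID shared by more than one host name, which is the symptom of agents deployed from a single cloned image. A host that appears twice under one CEID because its IP address changed is deliberately not reported, and two hosts that share an IP address on separate private networks but hold different CEIDs are, as the guide explains, not a problem.

```python
"""Flag FortiScan agents that share a CEID (watermark).

Added example; not from the FortiScan guide or product. The guide says a
CEID can be read through the appliance's ODBC interface or from the
agent's .ceid file. The rows below are constructed sample data, and the
column names (host, ip, ceid) are assumptions.
"""
from collections import defaultdict

# Constructed inventory rows (not real data): three hosts cloned from one
# image kept the image's CEID; db01 appears twice because its IP changed;
# branch-a and branch-b reuse 10.0.0.5 on separate private networks.
SAMPLE_ROWS = [
    {"host": "web01",    "ip": "10.0.1.10", "ceid": "c0ffee01"},
    {"host": "web02",    "ip": "10.0.1.11", "ceid": "c0ffee01"},   # clone
    {"host": "web03",    "ip": "10.0.1.12", "ceid": "c0ffee01"},   # clone
    {"host": "db01",     "ip": "10.0.2.20", "ceid": "d00d0002"},
    {"host": "db01",     "ip": "10.0.2.21", "ceid": "d00d0002"},   # same host, new IP
    {"host": "branch-a", "ip": "10.0.0.5",  "ceid": "aa000003"},
    {"host": "branch-b", "ip": "10.0.0.5",  "ceid": "bb000004"},   # same IP, distinct CEID: fine
]


def find_duplicate_ceids(rows):
    """Return {ceid: sorted host names} for every CEID used by more than
    one distinct host name. The same host seen twice under one CEID is
    not a collision; rows with an empty CEID are skipped."""
    hosts_by_ceid = defaultdict(set)
    for row in rows:
        ceid = row["ceid"].strip()
        if not ceid:
            continue
        hosts_by_ceid[ceid].add(row["host"])
    return {ceid: sorted(hosts)
            for ceid, hosts in hosts_by_ceid.items() if len(hosts) > 1}


def report(rows):
    """Human-readable lines, one per colliding CEID."""
    lines = []
    for ceid, hosts in sorted(find_duplicate_ceids(rows).items()):
        lines.append(f"CEID {ceid} is shared by {len(hosts)} hosts "
                     f"({', '.join(hosts)}); they were probably deployed "
                     f"from one image and will show disconnects and merged data")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ROWS)) or "no duplicate CEIDs")
```

Run it against a real export by replacing SAMPLE_ROWS with the rows returned by your ODBC query; the guide's "FortiScan agent files and permissions" section covers what to do with the colliding agents.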

Survey intervals and network load

When adjusting survey intervals for optimal performance, it is helpful to have an idea of their impact on network traffic. Standard surveys are typically about 2 KB in size. Detailed surveys can vary from 15 KB to 40 KB in size. Survey size is directly related to the amount of information being reported, so the number of running processes, connected administrators, installed applications, installed patches, etc. will cause the survey to be larger or smaller.

If many FortiScan agents’ survey intervals coincide, you may want to plan for network load accordingly, or adjust the survey intervals of some hosts. Keep in mind that longer intervals increase the risk that the ADOM’s database will not be current and therefore policy enforcement may be slow to act; intervals that are too short will increase network load.

To estimate the network load from a detailed survey, go to Asset > Inventory > Asset Inventory, select the asset, and review the amount of data in the asset editor pane. For example, a DNS server with hundreds or even thousands of connections will generate a much larger survey than a basic single-administrator desktop computer with a small number of applications. If you have many such data-intensive surveys, you may want to adjust their agents’ survey intervals so that they do not coincide.


Agent scan status

The FortiScan appliance assigns a connectivity and agent-based protection status to all assets (hosts) that you have added to your ADOM’s asset inventory.

Figure 3: Agent scan status

Table 2 lists asset protection statuses and icons.

Table 2: Asset protection statuses and icons

New
  Assets which have been discovered, but are not proactively protected. These assets can be protected by installing and registering a FortiScan agent with the FortiScan appliance. For details, see “Agent Setup” on page 117.

Registered
  Assets which have sent a summary survey, but have yet to send a detailed survey. Some assets may have Registered status for a short time until the first detailed survey is received, at which time they will move to Protected status. A FortiScan agent is installed and running, but it is not yet subject to vulnerability or policy analysis by the FortiScan appliance.

Protected
  Assets which have a FortiScan agent installed, running, and registered with the FortiScan appliance. When the FortiScan agent is running and periodically submitting surveys to the FortiScan appliance, these assets are subject to policies, monitoring, and remediation by the FortiScan appliance. Sometimes referred to as Connected.

Disconnected
  Assets which are registered, but have not communicated a detailed survey to the FortiScan appliance for two or more standard survey intervals, and therefore are not currently proactively protected; that is, they are not currently receiving remediation actions, nor can they be evaluated for current policy compliance. The cause is typically one of the following:
  • The asset is shut down or disconnected from the network.
  • The asset is connected and running, but the FortiScan agent is not running.
  • Network connectivity problems prevent the FortiScan agent from reporting to the FortiScan appliance.
  • The survey interval is longer than Disconnect Asset Expiration Period (hours), causing the asset to be falsely flagged as disconnected before its scheduled survey occurs. This is usually a misconfiguration.

Retired (no icon)
  Assets which have been taken out of service, and are no longer protected. However, they remain in the asset inventory and can quickly be returned to protection if needed, such as when you bring temporary equipment out of storage. See “Deleting and retiring assets” on page 199.

To view the status of a specific asset, go to Asset > Inventory > Asset Inventory, select the asset, and see its Agent Scan Status column. (See “Your Asset Inventory” on page 179.) To view a summary of all assets with a specific status, go to Asset > Summary > Asset Summary. (See “Assets by Agent Scan status chart” on page 203.)
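The script below is an added example, not part of the FortiScan guide or product; it serves both the “Survey intervals and network load” discussion above and the last Disconnected cause in Table 2. The default intervals (61 and 1,440 minutes) and the survey sizes (about 2 KB standard, up to 40 KB detailed) are the guide’s figures; the fleet size, the even staggering of agent start times across one standard interval, and all function names are assumptions. It computes the steady-state average survey traffic, the worst one-minute burst when every agent surveys at the same moment versus when start times are staggered, and warns when a survey interval is longer than the Disconnect Asset Expiration Period.

```python
"""Estimate FortiScan agent survey traffic and check survey intervals.

Added example; not from the FortiScan guide or product. Interval defaults
and survey sizes are the guide's; the fleet size, staggering scheme and
function names are assumptions.
"""
from collections import Counter

STANDARD_BYTES = 2 * 1024          # typical standard survey (about 2 KB)
DETAILED_BYTES = 40 * 1024         # upper end of a detailed survey (40 KB)
STANDARD_INTERVAL_MIN = 61         # guide default
DETAILED_INTERVAL_MIN = 1440       # guide default (24 hours)


def average_bytes_per_minute(agents, std_min=STANDARD_INTERVAL_MIN,
                             det_min=DETAILED_INTERVAL_MIN):
    """Steady-state mean survey traffic generated by `agents` hosts."""
    return agents * (STANDARD_BYTES / std_min + DETAILED_BYTES / det_min)


def peak_bytes_per_minute(offsets, std_min=STANDARD_INTERVAL_MIN,
                          det_min=DETAILED_INTERVAL_MIN,
                          horizon_min=DETAILED_INTERVAL_MIN):
    """Largest single-minute burst over `horizon_min` minutes. Each entry
    in `offsets` is one agent's start minute; the agent is assumed to send
    a detailed survey then (agents survey at startup) and every `det_min`
    after, and a standard survey then and every `std_min` after."""
    load = Counter()
    for offset in offsets:
        for t in range(offset, horizon_min, std_min):
            load[t] += STANDARD_BYTES
        for t in range(offset, horizon_min, det_min):
            load[t] += DETAILED_BYTES
    return max(load.values()) if load else 0


def staggered_offsets(agents, spread_min=STANDARD_INTERVAL_MIN):
    """Spread agent start times evenly across one standard interval."""
    return [i % spread_min for i in range(agents)]


def check_intervals(std_min, det_min, expiration_hours):
    """Warnings for survey intervals longer than the ADOM's Disconnect Asset
    Expiration Period (hours): the guide says such assets are flagged as
    Disconnected before their next survey is even due."""
    limit_min = expiration_hours * 60
    warnings = []
    for name, interval in (("standard", std_min), ("detailed", det_min)):
        if interval > limit_min:
            warnings.append(f"{name} survey interval of {interval} min exceeds the "
                            f"Disconnect Asset Expiration Period of {expiration_hours} h")
    return warnings


if __name__ == "__main__":
    fleet = 500  # assumed fleet size
    print(f"average:                  {average_bytes_per_minute(fleet) / 1024:8.1f} KB/min")
    print(f"peak, all agents at once: {peak_bytes_per_minute([0] * fleet) / 1024:8.0f} KB/min")
    print(f"peak, staggered starts:   {peak_bytes_per_minute(staggered_offsets(fleet)) / 1024:8.0f} KB/min")
    for warning in check_intervals(61, 1440, 12):
        print("WARNING:", warning)
```

The contrast between the two peak figures is the point of the “do not coincide” advice above: the average load is modest either way, but 500 agents started from one image at the same moment deliver their detailed surveys in the same minute. The interval check is worth running whenever you override an asset’s survey intervals, since a detailed interval of 24 hours silently violates a 12-hour expiration period.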

Risk: prioritizing your business-critical machines

Upon initial discovery of an asset, or other addition to the asset inventory, the FortiScan appliance automatically assigns each asset a default criticality level. Criticality level is used throughout the FortiScan appliance’s Web-based Manager to prioritize alerts, policy responses, and reports, because it is an important factor in how you will conduct risk management of your network. (Security vulnerabilities and non-compliances are both types of risk.) Possible criticality levels are: Highest, High, Medium, Low, or Lowest.


Figure 4: Asset inventory criticality

If the asset has a FortiScan agent installed, its criticality can be estimated: FortiScan determines the default criticality level algorithmically from survey data, according to the asset’s degree of either:
• Importance (intolerance of loss) to the network
• Risk (probability of loss or degradation) posed to the network

For example, compromise of a core router might be improbable (low risk) but intolerable (high importance, since it could cripple your entire network). If the asset does not have a FortiScan agent installed, its importance and risk cannot be known with reasonable certainty, and its default criticality level is Medium.

If the default criticality level is inaccurate, you can change it. For details, see “Indicating asset criticality” on page 193 or “Renaming and changing the criticality of an asset group” on page 187. You should do this for hosts where FortiScan cannot use machine data to determine automatically whether a host is high-risk or high-importance, such as your CEO’s smart phone or your CFO’s laptop: in surveys or remote vulnerability scans these look like any mundane endpoint on your network, but because of who uses them they are much more attractive and lucrative targets for attackers.

What is a vulnerability?

A vulnerability is any flaw that allows compromise of your system, whether due to misconfiguration or insecure software design. The nature of vulnerabilities varies, which affects their approximate severity. Security researchers consider some categories of vulnerabilities to be more severe than others. For example, a vulnerability could allow an attacker to:
• Execute commands as an administrator (privilege escalation)
• Conduct a denial of service (DoS)
• Pose as another entity (fraud or spoofing)
• Read or write data contrary to its permissions
• Trick a device or user into contributing to an attack
• Gather server information for accurate fingerprinting to make a tailored attack


If FortiScan cannot be certain that a vulnerability does or will exist, it calls it a “potential” vulnerability. Reasons could include:
• Vulnerable software or hardware may exist, but is not currently running. If it is activated in the future, the vulnerability will then become actionable by an attacker.
• Verification might be disruptive or invasive, such as if it would require the execution of an actual DoS or penetration test to gauge vulnerability.

Vulnerabilities can exist anywhere on your network: smart phones, gateway routers, web servers, databases, VPN software, web browsers, email clients, office productivity suites, antivirus software that is itself insecure, plug-ins, and many others. Because no system is ever completely invulnerable, vulnerability management is an art of risk management, where you must consider the relative trade-offs of the benefits provided by software or hardware against its vulnerability, mitigated by patches or more secure configuration. Due to the sheer size and complexity of large networks, vulnerability mitigation work is generally prioritized by criticality.

For more information on vulnerabilities, see: http://www.cve.mitre.org/about/terminology.html

Severity

The severity level of a vulnerability varies by the effect of attacks and the magnitude of compromise it makes possible. Attacks that result in complete privilege escalation and system unavailability are generally considered to be the most severe. Each standard, however, has its own severity definitions. Fortinet-defined severity levels, from most to least severe, are:

• Critical: Risks a total or near-complete system compromise by either DoS or arbitrary code execution with privileges escalated to root/Administrator or another administrator account. Could interfere with important services/daemons that are only recoverable by the root/Administrator account, provide full read permissions to the file system, or provide administrative backdoors. Examples: Rootkits, default passwords, DoS, kernel-level crash such as a Red or Blue Screen of Death, service-level crashes, Trojan/worm installation, system command injection, remote code execution, heap/stack/buffer overflow or underflow attacks that compromise an administrator account.
• High: Risks a partial system compromise by arbitrary code execution with low privileges. Does not result in a crash or DoS, but could cause the host to perform unwanted actions. Examples: Spam botnet installation, viruses, user-space software crashes, Trojan/worm installation, remote code execution, heap/stack/buffer overflow or underflow attacks that compromise only an unprivileged user account.
• Medium: Risks fraud or participation in attacks on other hosts. Code execution may be involved, but it is not permanently installed or requires user involvement to execute each time. Disclosure of security mechanisms, and therefore weaknesses, may be involved. Examples: Cross-site scripting (XSS), open mail relays, spoofing, list of security settings.
• Low: Risks temporary service instability or malfunction with no possibility of privilege escalation or code execution. Examples: Missing non-security patches or hotfixes.
• Information: Risks no system instability or compromise at the moment, but with the possibility to augment or precede a more serious risk. Attackers can scout for identifiers or weaknesses. Information disclosure is not a direct vulnerability, but fingerprinting the host’s hardware, software, memory usage, or other information is often a precursor for a specifically crafted attack. Examples: Open port numbers, SSH or HTTP headers with the server name/version, list of running services, list of settings.

Severity levels are estimates only. Your organization may, and sometimes should, assign different severity definitions to specific vulnerabilities. For example, an ISP may consider an open mail relay to be a serious vulnerability, because its SMTP servers are business-critical and the risk is that they could be blacklisted as spammers by various RBL services, and therefore effectively blockaded.

CVSS score-defined severity levels are:
• High: CVSS score is 7.0 to 10.0.
• Medium: CVSS score is 4.0 to 6.9.
• Low: CVSS score is 0.0 to 3.9.

Severity is compounded by the risk and importance (criticality) of the host/software. For example, a legacy system may be completely vulnerable, but it is not often powered on, and the host is not part of critical infrastructure. As such, it is not a very likely target for an attacker. Therefore its severity is very high, but its criticality is very low. You would prioritize its remediations after a moderately vulnerable but both very important and high-risk (high criticality) web server.
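The following is an added example, not FortiScan’s own prioritization logic, which the guide does not describe. It carries the legacy-system argument above into a small ranking: the CVSS score bands, the Fortinet-defined severity names and the criticality level names are taken from the guide, while the numeric ranks, the choice to multiply severity by criticality, the sample findings and the function and class names are assumptions.

```python
"""Rank findings by vulnerability severity and asset criticality.

Added example; not FortiScan's prioritisation algorithm. The CVSS bands,
severity names and criticality names are the guide's; the numeric ranks,
the product used to combine them, the sample findings and all names are
assumptions.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Information": 1}
CRITICALITY_RANK = {"Highest": 5, "High": 4, "Medium": 3, "Low": 2, "Lowest": 1}


def cvss_severity(score):
    """Map a CVSS base score to the guide's score-defined bands. Values
    outside 0.0-10.0 are rejected rather than silently bucketed."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:
    asset: str
    vulnerability: str
    severity: str        # a key of SEVERITY_RANK
    criticality: str     # a key of CRITICALITY_RANK


def priority(finding):
    """Urgency score; larger means fix sooner. Multiplying the two ranks
    (an assumption) keeps a Critical finding on a Lowest-criticality host
    below a Medium finding on a Highest-criticality host, as the guide
    recommends."""
    return SEVERITY_RANK[finding.severity] * CRITICALITY_RANK[finding.criticality]


def remediation_order(findings):
    """Most urgent first; ties broken by raw severity, then asset name."""
    return sorted(findings,
                  key=lambda f: (-priority(f), -SEVERITY_RANK[f.severity], f.asset))


# Constructed findings mirroring the guide's legacy-system example. The
# example vulnerabilities are drawn from the guide's own severity examples.
SAMPLE_FINDINGS = [
    Finding("legacy01", "default administrator password", "Critical", "Lowest"),
    Finding("www01", "reflected cross-site scripting", "Medium", "Highest"),
    Finding("db01", "remote code execution in listener", cvss_severity(8.5), "High"),
    Finding("laptop-cfo", "missing non-security hotfix", "Low", "Highest"),
]

if __name__ == "__main__":
    for f in remediation_order(SAMPLE_FINDINGS):
        print(f"{priority(f):3d}  {f.asset:11s} {f.severity:9s} on {f.criticality:8s} host: {f.vulnerability}")
```

With these ranks the rarely powered-on legacy host scores 5 and sorts last, behind the Medium-severity finding on the Highest-criticality web server (15); any monotonic combination of the two ranks gives the same ordering for this pair, which is the guide’s point.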

How to fix vulnerabilities and non-compliances

Remediations can be applied to correct or reduce a vulnerability or non-compliance, thereby mitigating risk and/or severity. A remediation can be any action that improves the situation. For example, a remediation could be:
• Installing a patch or hotfix
• Running an operating system utility
• Hardening the configuration to reduce the attack surface and improve resilience
• Removing unused software
• Replacing problematic hardware

Whenever the FortiScan appliance discovers a violation, either by:
• Agentless remote vulnerability scan
• Survey or scan submitted by a FortiScan agent

the appliance will log a vulnerability alert or policy alert, and match discovered vulnerabilities and non-compliances with known remediations. More than one remediation may be provided for a vulnerability, and each remediation may address multiple vulnerabilities. Remediations can be:
• Defined by an administrator (see “Defining remediation templates” on page 403)
• Predefined by Fortinet (see “Connecting to FortiGuard Services” on page 72 and “Viewing remediations available from Fortinet” on page 401)

Because new vulnerabilities are discovered on a daily basis, and approximately 80% of attacks focus on newly discovered vulnerabilities, your remediations can only continue to provide good protection if they are current.


Predefined remediations from Fortinet’s security researchers save you large amounts of time by providing tested fixes for known vulnerabilities, allowing you to focus on unknown, zero-day attacks, social engineering issues, and physical security. Ongoing remediation updates are available when you purchase a contract for the FortiGuard Vulnerability and Compliance Management service.

Depending on your preference, FortiScan provides two ways to dispatch remediations:
• Automatically: If you have configured a policy, FortiScan will automatically deploy the remediation included in the policy to the asset or asset group that it governs. See “Achieving real-time compliance via policies” on page 347 and “Automatically remediating an alert” on page 386.
• Manually: By default, if no policy is configured, FortiScan will wait for administrator approval/execution to give a command to apply the remediation whenever the asset’s FortiScan agent connects during the next command channel interval. See “Dispatching remediations” on page 409 and “Manually remediating alert events” on page 383.

Figure 5: Agent-based remediation dispatch

Remediation dispatch via the FortiScan appliance, both manual and automatic, is only supported where the FortiScan agent is installed on the asset. To remediate other assets, you can apply the described remediation in person or deploy it via other means, such as your directory or domain controller.

In some cases, FortiScan cannot or should not dispatch a remediation command, and you must intervene:
• Assets you do not own (e.g. a customer’s asset if you are their MSSP)
• Physical vulnerabilities (e.g. you must physically unplug a USB keylogger)
• Assets where the FortiScan agent is not installed (in Asset > Inventory > Asset Inventory, their Status is Unprotected)
• Zero-day attacks (i.e. a vulnerability and attack were discovered simultaneously, and a remediation by either you or Fortinet’s security lab team is still in progress)
• Situation-specific contingencies (i.e. a remediation may not be suitable, depending on the purpose of the host, such as disabling open SMTP ports on your email server)


In these cases, FortiScan may have instructions on how to remediate the detected vulnerability yourself. Each FortiScan administrator account is assigned a role at the time of creation, and each role contains a specific set of permissions to perform some or all the FortiScan administrator tasks. Your administrator account may not permit you to perform all of the administrator tasks, including remediations. For a list of the specific permissions assigned to each role, see “Permissions” on page 33.


How to use the Web-based Manager

This section contains general information about using the Web-based Manager user interface for the FortiScan appliance, which can be accessed using any supported web browser.

System requirements

The management computer that you use to access the Web-based Manager must have a compatible web browser, such as Microsoft Internet Explorer or Mozilla Firefox. To minimize scrolling, the computer’s screen should have a resolution of at least 1280 x 1024 pixels.

URL for access

You access the Web-based Manager by URL using a network interface on the FortiScan appliance that you have configured for administrative access. By default, the URL when accessing the Web-based Manager through port1 is: https://192.168.1.99/

If the network interfaces have been configured differently during installation, the URL and/or permitted administrative access protocols (such as HTTPS) may no longer be in their default state. In that case, for the URL, use either a DNS-resolvable domain name for the FortiScan appliance, or the IP address that you configured for the network interface to which you are connected. For example, you might have configured port2 with the IP address 10.0.0.1 and enabled HTTPS. You might have also configured a private DNS server on your network to resolve fortiscan.example.com to 10.0.0.1. To access the Web-based Manager through port2, you could enter either https://fortiscan.example.com/ or https://10.0.0.1/.

If the URL is correct and you still cannot access the Web-based Manager, you may also need to configure static routes.

Permissions

Depending on the account that you use to log in to the FortiScan appliance, you may not have access to CLI commands or areas of the Web-based Manager. Roles and asset filters in each administrative domain (ADOM) together control which commands, assets, and features an account can access.

Roles restrict an account’s access to features in the FortiScan appliance’s Web-based Manager, based upon what is appropriate for the job that he or she does. Features inappropriate for an account’s assigned role are hidden.


Roles are: admin Administrator, Administrator, Operator, or Auditor.

Administrators other than the admin administrator cannot use the CLI. They must use their permitted features through the Web-based Manager.

Table 3: Permissions by role

The role columns are admin administrator (the admin account), Administrator, Operator, and Auditor. Yes means the role can perform the action; - means it cannot (the feature is hidden). Numbered footnotes follow the table.

admin  Administrator  Operator  Auditor  Action

Menu: System
Yes    No (1)         -         -        Configure administrative domains (ADOMs)
Yes    -              -         -        View dashboard
Yes    -              -         -        Change host name
Yes    -              -         -        Change system time
Yes    -              -         -        Update firmware
Yes    -              -         -        Update FortiGuard VCM packages
Yes    -              -         -        Configure network interface
Yes    -              -         -        Configure DNS servers
Yes    -              -         -        Configure routing
Yes    -              -         -        Reboot
Yes    -              -         -        Shutdown
Yes    -              -         -        Reset
Yes    -              -         -        Change idle timeout
Yes    -              -         -        Change language
Yes    Yes            -         -        Configure administrator accounts
Yes    Yes            -         -        Change own password
Yes    -              -         -        Terminate administrator sessions
Yes    -              -         -        Configure RAID
Yes    Yes            -         -        Configure report output
Yes    Yes            -         -        Configure e-mail settings
Yes    -              -         -        Backup configuration
Yes    -              -         -        Restore configuration
Yes    -              -         -        Configure FortiGuard connectivity
Yes    Yes            -         -        Configure SNMP
Yes    Yes            -         -        Configure ODBC host
Yes    Yes            -         -        Configure ODBC administrator
Yes    Yes (2)        -         -        Configure asset communication setting
Yes    Yes            -         -        Configure audit log settings
Yes    Yes (3)        -         -        Configure e-mail settings
Yes    Yes (4)        -         -        Configure third-party patch download credentials

Menu: Asset
Yes    Yes            Yes       Yes      View asset inventory
Yes    Yes            Yes       Yes      View asset inventory by OS detail
Yes    Yes            Yes       Yes      View most vulnerable assets
Yes    Yes            Yes       Yes      View statistics
Yes    Yes            Yes       -        Create asset group
Yes    Yes            Yes       -        Delete asset
Yes    Yes            Yes       -        Delete asset group
Yes    Yes            Yes       -        Dispatch remediation to asset
Yes    Yes            Yes       -        Dispatch remediation to group
Yes    Yes            Yes       -        Modify asset criticality
Yes    Yes            Yes       -        Modify asset description
Yes    Yes            Yes       -        Modify asset vulnerability remediation strategy
Yes    Yes            Yes       -        Modify assets as group
Yes    Yes            Yes       -        Modify asset survey intervals
Yes    Yes            Yes       -        Move asset group
Yes    Yes            Yes       -        Move asset to group
Yes    Yes            Yes       -        Remove asset from group
Yes    Yes            Yes       -        Rename asset group
Yes    Yes            Yes       -        Retire asset
Yes    Yes            Yes       Yes      View assets
Yes    Yes            Yes       Yes      View asset groups

Menu: Network Scan
Yes    Yes            -         -        Schedule discovery scans
Yes    Yes            -         -        Import assets
Yes    Yes            Yes       -        View host status
Yes    Yes            Yes       -        View vulnerability database
Yes    Yes            Yes       -        View scheduled vulnerability scan
Yes    Yes            Yes       -        Configure vulnerability scan profile
Yes    Yes            Yes       -        Configure sensor

Menu: Agent Scan
Yes    Yes            Yes       Yes      View assets by OS
Yes    Yes            Yes       Yes      View compliance results by benchmark
Yes    Yes            Yes       Yes      View vulnerabilities by status
Yes    Yes            Yes       Yes      View vulnerabilities by severity
Yes    Yes            Yes       Yes      View vulnerabilities by asset criticality
Yes    Yes            Yes       Yes      View most vulnerable assets
Yes    Yes            Yes       Yes      View unresolved vulnerabilities
Yes    Yes            Yes       -        Upload benchmarks
Yes    Yes            Yes       -        View benchmarks
Yes    Yes            -         -        Adapt a regulatory standard (wizard)
Yes    Yes            Yes       -        Perform a compliance audit (wizard)
Yes    Yes            Yes       -        Evaluate compliance results
Yes    Yes            Yes       -        View vulnerability scan definitions
Yes    Yes            -         -        Create a vulnerability scan (wizard)
Yes    Yes            Yes       -        Perform a vulnerability scan (wizard)
Yes    Yes            Yes       Yes      View vulnerability scan results
Yes    Yes            Yes       Yes      View unresolved vulnerabilities
Yes    Yes            Yes       Yes      View statistics
Yes    Yes            Yes       Yes      View vulnerabilities referenced by vendor

Policies and remediations
Yes    Yes            Yes       -        Create policy
Yes    Yes            Yes       -        Create policy group
Yes    Yes            Yes       -        Delete policy
Yes    Yes            Yes       -        Delete policy group
Yes    Yes            Yes       -        Modify policy
Yes    Yes            Yes       -        Move policy group
Yes    Yes            Yes       -        Move policy to group
Yes    Yes            Yes       -        Rename policy
Yes    Yes            Yes       -        Rename policy group
Yes    Yes            Yes       Yes      View policies
Yes    Yes            Yes       Yes      CVE search
Yes    Yes            Yes       Yes      View remediation distribution
Yes    Yes            Yes       Yes      View remediation latest statistics
Yes    Yes            Yes       Yes      View remediations for vulnerabilities by vendor
Yes    Yes            Yes       Yes      View patch-based remediations
Yes    Yes            Yes       Yes      View configuration-based remediations
Yes    Yes            Yes       Yes      View text-based remediations
Yes    Yes            Yes       -        Copy remediation template
Yes    Yes            Yes       -        Create remediation template
Yes    Yes            Yes       -        Delete remediation template
Yes    Yes            Yes       -        Modify remediation template
Yes    Yes            Yes       -        Rename remediation template
Yes    Yes            Yes       -        Save remediation as a remediation template
Yes    Yes            Yes       Yes      View remediation templates
Yes    Yes            Yes       Yes      View remediations

Menu: Report
Yes    Yes            Yes       -        View asset scan report
Yes    Yes            Yes       Yes      View real-time report
Yes    Yes            Yes       Yes      Schedule report
Yes    Yes            Yes (5)   Yes (5)  View scheduled report
Yes    Yes            Yes (5)   Yes (5)  Download scheduled report
Yes    Yes            Yes (5)   Yes (5)  Delete scheduled report
Yes    Yes            Yes       -        View compliance report template
Yes    Yes            Yes       -        View compliance report

Menu: Events & Tickets
Yes    Yes            Yes       -        View alerts and events
Yes    Yes            Yes       -        Remediate vulnerability alerts
Yes    Yes            Yes       -        Remediate policy alerts
Yes    Yes            Yes       -        Remove alerts and events
Yes    Yes            Yes       -        Accept risk of alerts
Yes    Yes            Yes       -        Mark alert as resolved externally
Yes    Yes            Yes       -        Mark alert as pending
Yes    Yes            Yes       -        View real-time system log
Yes    Yes            Yes       -        View historical system log
Yes    Yes            Yes       Yes      View asset audit log
Yes    Yes            Yes       Yes      View operation audit log
Yes    Yes            Yes       -        Create and modify tickets

(1) Administrators whose Role is Administrator can configure ADOM Default Authentication.
(2) Administrators whose Role is Administrator can configure asset communication settings only for their own ADOM.
(3) Administrators whose Role is Administrator can configure e-mail settings only for their own ADOM.
(4) Administrators whose Role is Administrator can configure third-party patch download settings only for their own ADOM.
(5) Administrators whose Role is Operator or Auditor can only download, view, and delete their own scheduled reports, not those of other accounts.

ADOM asset filters restrict an account’s access to data about specific assets based on the asset’s IP address. Data for assets not assigned to the account is hidden. For details, see “Administrative Domains (ADOMs)” on page 93.

For example, there might be one administrator for each business unit in a company. Each administrator should only be allowed to govern IP addresses assigned to their own business unit; they should not be able to affect other administrators’ hosts. To do this, you could restrict them by:
• configuring one ADOM for each person,
• configuring each ADOM with an asset filter that includes only that person’s assigned hosts, then
• assigning each person’s account to his or her ADOM.

Unlike other administrator accounts, the administrator account named admin exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. This administrator account always has full permissions to view and change all FortiScan configuration options, including viewing and changing all other administrator accounts. Its name and permissions cannot be changed. It is the only administrator account that can reset another administrator’s password without being required to enter that administrator’s current password. For complete access to all commands, you must log in with the administrator account named admin.
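The model below is an added example and is not FortiScan’s own authorization code; it shows how the two controls described in this section, a role and an ADOM asset filter, combine into one decision. The role names, the fact that admin sits outside every ADOM, the possibility of an account holding more than one ADOM, and the four permissions in ROLE_PERMISSIONS are taken from the guide (Table 3); the class and function names, the CIDR form of the asset filters, the business-unit ADOMs and the deny-by-default treatment of unknown actions are assumptions.

```python
"""Model how a role and an ADOM asset filter together decide access.

Added example; not FortiScan's authorisation code. Role names, the admin
account's global scope and the permissions listed below follow the guide;
names, CIDR filters and the deny-by-default rule are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Subset of Table 3 (roles permitted to perform each action). The guide's
# "admin Administrator" role is written "admin" here.
ROLE_PERMISSIONS = {
    "View asset inventory":             {"admin", "Administrator", "Operator", "Auditor"},
    "Dispatch remediation to asset":    {"admin", "Administrator", "Operator"},
    "Configure administrator accounts": {"admin", "Administrator"},
    "Update firmware":                  {"admin"},
}

# Actions that target one asset and are therefore also subject to the
# ADOM asset filter; the others are role-only.
ASSET_ACTIONS = {"View asset inventory", "Dispatch remediation to asset"}


@dataclass(frozen=True)
class Adom:
    name: str
    asset_filter: tuple   # CIDR strings whose addresses may belong to this ADOM

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(cidr) for cidr in self.asset_filter)


@dataclass(frozen=True)
class Account:
    name: str
    role: str
    adoms: tuple = ()     # assigned ADOMs; empty for the admin account


def authorize(account, action, asset_ip=None):
    """True only if the role permits the action and, for asset actions,
    the asset's address falls inside one of the account's ADOM filters.
    Unknown actions and asset actions without an asset are denied."""
    permitted_roles = ROLE_PERMISSIONS.get(action)
    if permitted_roles is None or account.role not in permitted_roles:
        return False
    if action not in ASSET_ACTIONS:
        return True
    if account.role == "admin":
        return True            # admin is global and never filtered
    if asset_ip is None:
        return False
    return any(adom.contains(asset_ip) for adom in account.adoms)


# Constructed example: one ADOM per business unit, as the guide suggests.
FINANCE = Adom("finance", ("10.1.0.0/16",))
RETAIL = Adom("retail", ("10.2.0.0/16", "10.3.0.0/24"))

ACCOUNTS = {
    "admin":   Account("admin", "admin"),
    "fin-ops": Account("fin-ops", "Operator", (FINANCE,)),
    "audit":   Account("audit", "Auditor", (FINANCE, RETAIL)),
}

if __name__ == "__main__":
    checks = [
        ("fin-ops", "Dispatch remediation to asset", "10.1.5.9"),
        ("fin-ops", "Dispatch remediation to asset", "10.2.5.9"),
        ("audit", "Dispatch remediation to asset", "10.1.5.9"),
        ("audit", "View asset inventory", "10.3.0.200"),
        ("admin", "Update firmware", None),
    ]
    for who, action, ip in checks:
        print(f"{who:8s} {action:32s} {ip or '-':12s} -> {authorize(ACCOUNTS[who], action, ip)}")
```

Two properties are worth noticing: the finance Operator is refused a retail address even though the role itself allows the action, and the Auditor assigned to both ADOMs can see a retail asset but cannot dispatch anything anywhere, because the role check runs before the filter check.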

Administrative domains (ADOMs) & permissions

Administrative domains (ADOMs) enable the admin administrator to constrain other FortiScan appliance administrators’ access privileges to a subset of assets in the asset inventory.

Table 4: Administrative domains & permissions

                                    admin administrator account   Other administrators
Access to Global                    Yes                           No
Can create ADOMs                    Yes                           No
Can create administrator accounts   Yes                           Yes (in the same ADOM only)
Can enter all ADOMs                 Yes                           No (can enter assigned ADOMs only)
Can access the CLI                  Yes                           No

ADOMs alter the structure and available functionality of the web-based manager and CLI according to whether you are logging in as the admin administrator.
• If you log in as admin, you first access the Global (root) ADOM where you have full access to the menus and can configure other ADOMs in System > ADOM > ADOM. At the end of the menu list, the Current ADOM menu appears (see “Buttons, navigation menus, and the displays” on page 42), enabling you to enter into another ADOM or return to the Global (root) ADOM. The Global (root) ADOM contains settings used by the FortiScan appliance itself and settings shared by ADOMs, such as RAID, network settings, and settings for the Web-based Manager. It does not include ADOM-specific settings or data, such as some logs and reports. When configuring other administrator accounts, if you are logged in as the admin administrator, an additional option appears allowing you to restrict other administrators to an ADOM. For more information, see “Configuring administrator accounts” on page 101.
• If you log in as any other administrator, you enter the ADOM assigned to your account. You can only access the menu items assigned to you in your ADOM and Role. You may be able to use Current ADOM to switch between ADOMs if you are assigned to more than one, but you cannot access the Global (root) ADOM.

Maximum concurrent administrator sessions

When you log in to the Web-based Manager, you may be required to disconnect other administrators’ account sessions before you can continue. Each FortiScan appliance supports a maximum of 20 concurrent administrator sessions. If an auditor attempts to log in after the maximum has been reached, a Login Alert warning message and dialog appears.

Figure 6: Login alert prompt

To disconnect one or more sessions, mark the check box for each session you want to disconnect and then select Disconnect and Continue. Those selected sessions are terminated and, if you are logging in as the administrator account named admin, the dashboard appears.


Global Web-based Manager settings

System > Admin > Settings enables you to view and configure settings for the Web-based Manager that apply regardless of which administrator account you use to log in. To access this part of the Web-based Manager, you must log in as the admin administrator, then from Current ADOM, select Global. For details, see “Permissions” on page 33.

Figure 7: Administrator settings

Configure the following settings:

Idle Timeout
Enter the number of minutes that a Web-based Manager connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). To maintain security, keep the idle timeout at the default value of 5 minutes. Sessions will not time out when viewing real-time logs.

Web Administration
Select which language to use when displaying the Web-based Manager. Currently, only English is supported. Note: This setting does not affect the display of the CLI.


Buttons, navigation menus, and the displays

Figure 8: Web-based Manager parts (labelled parts: Navigation menu, Current ADOM, Submenu, Content pane (may contain tabs or sub-panes), Toolbar, Dashboard widget)

A navigation menu is located on the left side of the Web-based Manager. At the bottom of it is Current ADOM. Current ADOM is a switch that determines whether you are modifying settings for:
• the appliance itself or common to all assets (Global), or
• a subset of assets in a specific administrative domain (ADOM)
For more information on ADOMs, see “Administrative Domains (ADOMs)” on page 93.

Do not use your browser’s Back button to navigate — pages may not operate correctly. Instead, use the navigation menu, tabs, and buttons within the pages of the web UI.

To expand or collapse an area of the menu, select the name of the area itself. Within each area may be multiple submenus. To expand or collapse a submenu, select the + or - button next to the submenu name, or select the name of the submenu itself. Within each submenu may be one or more tabs or sub-panes, which are displayed to the right of the navigation menu, in the content pane. At the top of the content pane is a toolbar. The toolbar contains buttons that enable you to perform operations on items displayed in the content pane, such as importing or deleting entries.


Each tab or pane displays or allows you to modify settings, using a similar set of buttons.

Table 5: Common buttons and menus (Appearance / Description; buttons shown only as icons in the original table are listed by their description)

• Select to collapse a visible area.
• Select to expand a hidden area.
• Select to view the first page’s worth of records within the tab or pane. If this button is grey, you are already viewing the first page.
• Select to view the page’s worth of records that is 10 pages previous to the currently displayed page. If this button is grey, you are viewing the first page.
• Select to view the previous page’s worth of records within the tab or pane. If this button is grey, you are viewing the first page.
• To go to a specific page number in the records for that tab or pane, either type the page number and press Enter, or select the page number link to the right of the text entry box. The total number of pages depends on the number of records per page.
• Select to view the next page’s worth of records within the tab or pane. If this button is grey, you are viewing the last page.
• Select to view the page’s worth of records that is 10 pages after the currently displayed page. If this button is grey, you are viewing the first page.
• Select to view the last page’s worth of records within the tab or pane. If this button is grey, you are already viewing the last page.
• Select to filter out entries in the page based upon match criteria for each column. If this button is green, the filter is currently enabled.
• To change the size of each page’s worth of records in the tab or pane, type the number and press Return. The total number of pages depends on the number of records per page.
• Create New: Select to create a new entry using only typical default values as a starting point.
• Copy: Select to create a new entry by duplicating an existing entry. To use this button, you must first select an existing entry upon which the new entry will be based.
• Move: Select to modify an existing entry. To use this button, you must first select which existing entry you want to modify.
• Delete: Select to remove an existing entry. To use this button, you must first select which existing entry you want to remove. To delete multiple entries, mark the check boxes of each entry that you want to delete, then select Delete.

Common buttons are not described in subsequent sections of this Administration Guide. Some pages have unique buttons, or special behaviors associated with common buttons. Those buttons are described in their corresponding section of the Administration Guide.

Displaying and arranging columns When viewing lists of information, you can display, hide, and re-order columns to display only relevant categories of information in your preferred order. For log message columns, you can also filter data within the columns to include or exclude items which contain your specified text in that column.

Column settings persist only while viewing the same page. If you visit a different page and come back, your column display settings will be lost.

Figure 9: Displaying and arranging log columns

To display or hide columns:
1. On the content pane’s toolbar, select Column Settings. Lists of available and displayed columns for the page appear.
2. Select which columns to hide or display:
• To display one or more hidden columns, in the Available Fields area, select the name of each column you want to display, then select the single right arrow button to move the selected columns to the Display Fields area. To display all the columns, select the double right arrow.
• To hide one or more columns, in the Display Fields area, select the name of each column you want to hide, then select the single left arrow to move the selected columns to the Available Fields area. To hide all columns, select the double left arrow.
• To return all columns to their default displayed/hidden status, select Default.
3. Select OK.

To change the order of the columns:
1. On the content pane’s toolbar, select Column Display Settings. Lists of available and displayed columns for the page appear.
2. In the Display Fields area, select a column name whose order of appearance you want to change.
3. Select the up arrow button or the down arrow button to move the column in the ordered list. Placing a column name upwards in the Display Fields list will move the column itself towards the left side of the page.
4. Select OK.

Filtering list entries

When viewing a list of items, you can sometimes filter columns to display only those rows that do or do not contain your specified content in a specific column. By default, these column headings contain a gray filter icon, which becomes green when a filter is configured and enabled. Filters make it easier to find specific information. They reduce the number of entries that are displayed in a list so that you can focus on the information that is important to you.

Filter settings persist only while visiting the same page. If you visit a different page and come back, your filter settings will be lost.

Figure 10: Filtering rows


To filter a list in the Web-based Manager:
1. In the heading of the column that you want to filter, select Filter. A list of columns on the current page, and the filter settings for the currently selected column, appear.
2. From Filters, select the name of the column whose contents you want to use as criteria for filtering the page’s rows. To the right of the Filters list, filter criteria for that selected column appear.
3. Mark the Enable check box.
4. If you want to exclude rows that match the configured criteria, mark the NOT check box. If you want to include rows that match the configured criteria, clear the NOT check box.
5. In the remaining fields, enter values for the column that matching rows must match in order to be included or excluded.
Most filters require that you enter the column’s whole text in order to successfully match, i.e. matching is not greedy, and requires your filter to exactly equal that column in the row. Partial entries do not equal the entire contents, and therefore do not match. This can result in a misconfigured filter that includes/excludes every row.
For example, you might have a page with an IP address column. One of the rows has 192.168.2.5 in its IP Address column, and you want to show only rows that also have that same IP address in that column. To create a column filter, you would enter the entire, exact IP address, 192.168.2.5. If you entered only one octet of the IP address (192), the filter would not fully match any of the complete IP addresses, and so the filter would omit all rows, rather than showing rows starting with 192.
Exceptions to this rule include columns that contain multiple words or long strings of text, such as messages or URLs. In those cases, you may be able to filter the column using a substring of the text contained by the column, rather than the entire text contained by the column. The text string can be blank or contain many characters.
The text string can also contain special characters, such as less than symbols ( < ), ampersands ( & ), and greater than symbols ( > ). Filtering ignores characters following a < unless it is followed by a space. For example, filtering ignores characters and any characters inside them. For example, filtering ignores but does not ignore >string>.
6. Select OK. A column’s filter icon turns green when its filter is currently enabled. The content pane refreshes to display only the rows that match the filter criteria. Matching rows will be excluded or included in your view based upon whether you have marked or cleared NOT.
To add filters for other columns, repeat this procedure.

To disable a filter:
1. In the heading of the column whose filter you want to disable, select Filter. A column’s filter icon turns green when its filter is currently enabled. A list of columns on the current page, and the filter settings for the currently selected column, appears.
2. Do one of the following:
• To disable a single filter, in the Filters list, select the filter that you want to disable. The list of criteria for the selected filter appears. Clear the Enable check box.
• To disable all the filters, select Clear All Filters. This disables the filter; it does not delete any filter text you might have configured.
3. Select OK. A column’s filter icon turns gray when its filter is currently disabled.
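The whole-value versus substring distinction above is the part of this procedure that most often produces an empty list, so here is a small model of it. This is an added example written for this guide, not FortiScan code: the SUBSTRING_COLUMNS set, the column names and the log rows are all constructed assumptions, and the angle-bracket handling described in step 5 is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List

# Columns that match on a substring rather than on the whole value. The page says
# message and URL columns behave this way; the exact set is an assumption here.
SUBSTRING_COLUMNS = {"message", "url"}


@dataclass
class ColumnFilter:
    column: str
    text: str
    enabled: bool = True   # the Enable check box
    negate: bool = False   # the NOT check box

    def matches(self, value: str) -> bool:
        """True when this filter keeps the row."""
        if self.column in SUBSTRING_COLUMNS:
            hit = self.text in value          # substring match for free-text columns
        else:
            hit = value == self.text          # whole-value match for everything else
        return (not hit) if self.negate else hit


def apply_filters(rows: List[Dict[str, str]], filters: List[ColumnFilter]) -> List[Dict[str, str]]:
    """Keep only rows that satisfy every enabled filter; disabled filters are ignored."""
    active = [f for f in filters if f.enabled]
    return [row for row in rows if all(f.matches(row.get(f.column, "")) for f in active)]


# Constructed log rows, not taken from a real appliance.
ROWS = [
    {"ip": "192.168.2.5",  "message": "login denied for user guest"},
    {"ip": "192.168.2.50", "message": "login ok for user admin"},
    {"ip": "10.0.0.7",     "message": "scan finished"},
]


def demo() -> Dict[str, int]:
    """Row counts for the filter cases discussed in the text."""
    return {
        # one octet never equals a whole address, so nothing is shown
        "partial_octet": len(apply_filters(ROWS, [ColumnFilter("ip", "192")])),
        "exact_ip": len(apply_filters(ROWS, [ColumnFilter("ip", "192.168.2.5")])),
        "exact_ip_not": len(apply_filters(ROWS, [ColumnFilter("ip", "192.168.2.5", negate=True)])),
        # message columns accept a substring
        "substring_msg": len(apply_filters(ROWS, [ColumnFilter("message", "login")])),
        # clearing Enable keeps the text but stops filtering
        "disabled": len(apply_filters(ROWS, [ColumnFilter("ip", "192", enabled=False)])),
    }


if __name__ == "__main__":
    print(demo())
```

The "partial_octet" case is the misconfiguration the text warns about: the filter is valid, enabled and green, yet every row is hidden.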


Deleting entries

To delete a part of the configuration, you must first remove all references to it. For example, if you selected a profile named “Profile1” in a policy named “PolicyA”, that policy references “Profile1” and requires it to exist. Therefore the appliance will not allow you to delete “Profile1” until you have reconfigured “PolicyA” (and any other references) so that “Profile1” is no longer required and may be safely deleted.

If you do not know where your configuration refers to the entry that you want to delete, to find the references, you can download a backup of the configuration and use a plain text editor to search for the entry’s name.

Predefined entries included with the firmware cannot be deleted.
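Searching a configuration backup by hand works, but for a large inventory a short script that reports every referencing entry is more reliable. The following is an added example, not a FortiScan tool: the backup text is constructed in a Fortinet-style config/edit/set/next/end layout, and the section names (scan profile, scan policy) and keys are invented for illustration.

```python
import shlex
from typing import List, Tuple

# Constructed sample backup, not an actual FortiScan configuration file.
SAMPLE_BACKUP = """\
config scan profile
    edit "Profile1"
        set description "baseline checks"
    next
    edit "Profile2"
        set description "pci checks"
    next
end
config scan policy
    edit "PolicyA"
        set profile "Profile1"
        set schedule "weekly"
    next
    edit "PolicyB"
        set profile "Profile2"
    next
end
"""


def find_references(config_text: str, entry_name: str) -> List[Tuple[str, str, str]]:
    """Return (section, entry, key) for every 'set' whose value names entry_name.

    The entry's own 'edit' line is not a reference; only 'set' values count, because
    those are what the appliance checks before allowing the delete.
    """
    refs: List[Tuple[str, str, str]] = []
    section_stack: List[str] = []
    current_entry = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)          # honours the quoted names
        keyword = tokens[0]
        if keyword == "config":
            section_stack.append(" ".join(tokens[1:]))
        elif keyword == "end":
            section_stack.pop()
        elif keyword == "edit":
            current_entry = tokens[1] if len(tokens) > 1 else None
        elif keyword == "next":
            current_entry = None
        elif keyword == "set" and entry_name in tokens[2:]:
            refs.append(("/".join(section_stack), current_entry, tokens[1]))
    return refs


def can_delete(config_text: str, entry_name: str) -> bool:
    """True only when nothing in the backup still refers to the entry."""
    return not find_references(config_text, entry_name)


if __name__ == "__main__":
    for name in ("Profile1", "Profile3"):
        print(name, "references:", find_references(SAMPLE_BACKUP, name),
              "deletable:", can_delete(SAMPLE_BACKUP, name))
```

Run it against the text of a downloaded backup instead of SAMPLE_BACKUP; each tuple tells you which section and entry to reconfigure before the delete will succeed.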

Powering the FortiScan appliance on or off

Power supplies and switches vary by hardware model. However, the shutdown procedure is the same for all models.

Powering on a FSC-3000C/FSC-3000D

Figure 11: Turning on the system

Press the power button. The power indicators should light.


Shutdown

Always properly shut down the FortiScan appliance’s operating system before turning off the power switch or unplugging it. This causes it to finish writing any buffered data, and to correctly spin down and park the hard disks.

Do not unplug or switch off the FortiScan appliance without first halting the operating system. Failure to do so could cause data loss and hardware problems.

To power off the FortiScan appliance:
1. Connect to the CLI or Web-based Manager as the admin administrator. For details, see “Connecting to your FortiScan” on page 52.
2. From the CLI console, enter the following command:
config global
execute shutdown
Alternatively, if you are connected to the Web-based Manager, go to System > Dashboard > Status, and in the System Information widget, select Shut Down. You may be able to hear the appliance become more quiet when the appliance halts its hardware and operating system, indicating that power can be safely disconnected.
3. For hardware appliances, press the power button if there is one. For FortiScan VM, power off the virtual machine.
4. Disconnect the power cable from the power supply.


How to set up your FortiScan

These instructions will guide you to the point where you have a simple, verifiable working installation. From there, you can begin to use optional features and fine-tune your configuration. Time required to deploy varies by:
• Number of your hosts
• Complexity of your administrative domains or number of NAT segments

Appliance versus virtual appliance

Installation workflow varies depending on whether you are installing FortiScan as a physical appliance or as a virtual machine. To install a physical FortiScan appliance, follow the instructions in the FortiScan Hardware Install Guide, then continue with “How to set up your FortiScan”. To install a virtual appliance, FortiScan VM, first follow the FortiScan VM Install Guide, then continue with “How to set up your FortiScan”.

Registering your FortiScan

Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site: https://support.fortinet.com Many Fortinet customer services such as firmware updates, technical support, and FortiGuard services require product registration. For more information, see the Fortinet Knowledge Base article Registration Frequently Asked Questions.

Planning the network topology

Before choosing a physical location for your FortiScan appliance, consider your network topology. Firewall policies and routes, for example, may need to be changed to allow the FortiScan appliance and the FortiScan agents to communicate with each other. Choose a location with fewer intermediary routers and firewalls, if possible, to reduce the number of network changes and possible sources of errors. Firewall settings must permit communication between FortiScan appliances and FortiScan agents. See “Appendix B: Port Numbers” on page 525. If you are a managed security service provider (MSSP), because of complicated network topologies between you and your clients, you might require a VPN connection with each client network before you can perform a successful network discovery scan or other scans. If a VPN connection is not feasible and these scans cannot run successfully, you can hide these features from FortiScan appliance accounts whose Role is Auditor or Operator. FortiScan appliances require a route to the Internet to be able to download updates from Fortinet, and to verify their licenses for the FortiGuard Vulnerability Management Service. Routes and IP addresses can be configured using either the Web-based Manager or CLI.

Most network address translation (NAT) environments are supported. NAT requirements include:
• Static NAT outbound from FortiScan agents to the FortiScan appliance
• Static NAT inbound from the FortiScan appliance to the FortiScan agent (required only by the remote network vulnerability scanner in the Network Scan menu)
• Connectivity for web services communications from all NATed assets to the FortiScan appliance
• No duplicate IP address spaces for NAT segments, unless they belong to separate administrative domains (ADOMs). For example, two segments with different address spaces such as 192.168.1.0-254 and 192.168.2.0-254 would be supported, but two segments both with the same address space 192.168.1.0-254 would not be supported unless they belong to separate ADOMs. See Figure 12 on page 50, Figure 13 on page 51, and Figure 14 on page 51.

Figure 12: Topology — Supported (non-overlapping NAT)


Figure 13: Topology — Supported (overlapping NATs in separate ADOMs)

Figure 14: Topology — Not supported (overlapping NATs in the same ADOM)
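Both the ADOM asset-filter description under “Permissions” and the NAT requirement above come down to one rule: an asset is visible only through an ADOM whose filter covers its address, so two segments with the same address space are only distinguishable when they sit in different ADOMs. The model below, an added example that is not FortiScan code, checks both points. The ADOM names, subnets, hostnames and NAT segment names are constructed; real FortiScan asset filters are configured in the Web-based Manager, not expressed as CIDR strings in code.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class Adom:
    """An administrative domain whose asset filter is a list of CIDR ranges (assumption)."""
    name: str
    filters: List[str] = field(default_factory=list)

    def covers(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(cidr, strict=False) for cidr in self.filters)


@dataclass
class Asset:
    hostname: str
    ip: str


@dataclass
class NatSegment:
    """A NAT address space and the ADOM it is assigned to."""
    name: str
    cidr: str
    adom: str


# Constructed inventory: one ADOM per business unit, filtered by subnet.
ADOMS = {
    "BU-East": Adom("BU-East", ["192.168.1.0/24"]),
    "BU-West": Adom("BU-West", ["192.168.2.0/24"]),
}
ASSETS = [
    Asset("host-a", "192.168.1.10"),
    Asset("host-b", "192.168.2.20"),
    Asset("host-c", "10.0.0.5"),       # assigned to no ADOM, so hidden from both administrators
]
SEGMENTS = [
    NatSegment("east1", "192.168.1.0/24", "BU-East"),
    NatSegment("west1", "192.168.2.0/24", "BU-West"),
    NatSegment("east2", "192.168.1.0/24", "BU-East"),   # duplicates east1 inside the same ADOM
    NatSegment("west2", "192.168.1.0/24", "BU-West"),   # same space as east1, but a separate ADOM
]


def visible_assets(adom: Adom, assets: List[Asset]) -> List[str]:
    """Hostnames an administrator assigned to `adom` is allowed to see."""
    return [a.hostname for a in assets if adom.covers(a.ip)]


def unsupported_overlaps(segments: List[NatSegment]) -> List[Tuple[str, str]]:
    """Pairs of NAT segments whose address spaces overlap within one ADOM (Figure 14)."""
    bad: List[Tuple[str, str]] = []
    for i, a in enumerate(segments):
        for b in segments[i + 1:]:
            if a.adom == b.adom and ip_network(a.cidr).overlaps(ip_network(b.cidr)):
                bad.append((a.name, b.name))
    return bad


if __name__ == "__main__":
    for name, adom in ADOMS.items():
        print(name, "sees", visible_assets(adom, ASSETS))
    print("unsupported overlaps:", unsupported_overlaps(SEGMENTS))
```

Running it shows west2 is accepted even though it shares 192.168.1.0/24 with east1 (Figure 13), while east2 is flagged because it collides with east1 in the same ADOM (Figure 14).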


Connecting to your FortiScan

To configure, maintain, and administer the FortiScan appliance, you need to connect to it. There are two methods:
• use the Web-based Manager from within a web browser
• use the command line interface (CLI), an interface similar to DOS or UNIX commands, from a local serial console, Secure Shell (SSH) or Telnet terminal
Access to the CLI and/or Web-based Manager is not yet configured if:
• you are connecting for the first time
• you have just reset the configuration to its default state
• you have just restored the firmware
In these cases, you must access either interface using the default settings.

If the above conditions do not apply, access the Web-based Manager using the IP address, administrative access protocol, administrator account and password already configured, instead of the default settings.

If you are installing a FortiScan VM virtual appliance, you should have already connected if you followed the instructions in the FortiScan VM Install Guide.

After you connect, you can use the Web-based Manager or CLI to configure basic network settings and access the CLI and/or Web-based Manager through your network. However, if you want to update the firmware, you may want to do so before continuing. See “Updating the Firmware” on page 80. Until the FortiScan appliance is configured with an IP address and connected to your network, you may prefer to connect the FortiScan appliance directly to your management computer, or through a switch, in a peer network that is isolated from your overall network. However, isolation is not required.

Connecting to the Web-based Manager

You can connect to the Web-based Manager using its default settings.

Table 6: Default settings for connecting to the Web-based Manager

Network Interface       port1
URL                     https://192.168.1.99/
Administrator Account   admin
Password                (no default password)


Requirements
• a computer with an RJ-45 Ethernet network port
• a web browser such as Microsoft Internet Explorer or Mozilla Firefox
• a crossover Ethernet cable (on FortiScan-VM, this is whatever cable you use to connect to the hypervisor’s network)

To connect to the Web-based Manager:
1. On your management computer, if connecting to a physical appliance such as a FSC-3000D, configure the Ethernet port with the static IP address 192.168.1.2 with a netmask of 255.255.255.0. If connecting to FortiScan-VM, configure your management computer to connect to the hypervisor’s network.
2. Using the Ethernet cable, connect your computer’s Ethernet port to the FortiScan appliance’s port1.
3. Start your browser and enter the URL: https://192.168.1.99/ (Remember to include the “s” in https://.) Your browser connects to the appliance.
If you do not see the login page due to an SSL cipher error during the connection, and you are connecting to the trial license of FortiScan-VM or a LENC version of FortiScan, then your browser must be configured to accept encryption of 64-bit strength or less during the handshake. (RC2, RC4, and DES with less than 64-bit strength are supported. AES and 3DES are not supported in these versions.) For example, in Mozilla Firefox, if you receive this error message: ssl_error_no_cypher_overlap you may need to enter about:config in the URL bar, then set security.ssl3.rsa.rc4_40_md5 to true.
To support HTTPS authentication, the FortiScan appliance ships with a self-signed X.509 certificate, which it presents to clients whenever they initiate an HTTPS connection to the FortiScan appliance. When you connect, depending on your web browser and prior access of the FortiScan appliance, your browser might display two security warnings related to this certificate:
• The certificate is not automatically trusted because it is self-signed, rather than being signed by a valid certificate authority (CA). Self-signed certificates cannot be verified with a proper CA, and therefore might be fraudulent. You must manually indicate whether or not to trust the certificate.
• The certificate might belong to another web site. The common name (CN) field in the certificate, which usually contains the host name of the web site, does not exactly match the URL you requested. This could indicate server identity theft, but could also simply indicate that the certificate contains a domain name while you have entered an IP address. You must manually indicate whether this mismatch is normal or not.
Both warnings are normal for the default certificate. SSL v3 and TLS v1.0 are supported.
4. Verify and accept the certificate, either permanently (the web browser will not display the self-signing warning again) or temporarily. You cannot log in until you accept the certificate. For details on accepting the certificate, see the documentation for your web browser.
5. In the Name field, type admin.
6. Select Login. (Initially, there is no password.) A password setting dialog appears.


Figure 15: Edit password dialog box

7. In New Password and Confirm Password, enter a password with sufficient complexity and number of characters to deter brute force and other attacks.
8. Select OK.
9. Log in again with the new password.
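Step 4 asks you to “verify and accept” a self-signed certificate, and the SSH procedure later in this chapter asks the same of the appliance’s SSH key. Because there is no CA to consult, the only way to verify either is to record the fingerprint on the first, directly cabled connection and compare it on every later one, so that a changed certificate is noticed rather than clicked through. The following is an added example for this guide, not code from Fortinet or FortiScan: it pins the HTTPS certificate by SHA-256 fingerprint using only the Python standard library. The pin store is a plain dict, the host label "appliance" and the DER bytes used in the demonstration are constructed, and fetch_server_cert is the only part that touches the network.

```python
import hashlib
import socket
import ssl
from typing import Dict


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated upper-case hex,
    the form most browsers show in the certificate viewer."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Accept fingerprints copied with or without colons, in any case."""
    return fp.replace(":", "").replace(" ", "").lower()


def pin_matches(der_cert: bytes, expected: str) -> bool:
    """Compare the presented certificate against a fingerprint recorded earlier."""
    return normalise(fingerprint(der_cert)) == normalise(expected)


def check_pin(store: Dict[str, str], host: str, der_cert: bytes) -> str:
    """Trust-on-first-use: record an unknown host, verify a known one.

    Returns "recorded" on first contact, "ok" when the pin matches, and "MISMATCH"
    when the appliance presents a different certificate than the one recorded,
    which is the case to investigate (reimaged appliance, or something in between)
    before typing the admin password into it.
    """
    if host not in store:
        store[host] = fingerprint(der_cert)
        return "recorded"
    return "ok" if pin_matches(der_cert, store[host]) else "MISMATCH"


def fetch_server_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the DER certificate the appliance presents, without trusting it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE       # no CA chain exists for a self-signed certificate
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    pins: Dict[str, str] = {}
    # Offline demonstration on constructed bytes. Against a real appliance use
    # der = fetch_server_cert("192.168.1.99") and then the same two calls.
    der = b"constructed DER bytes, not a real certificate"
    print(fingerprint(der))
    print(check_pin(pins, "appliance", der), check_pin(pins, "appliance", der))
```

Record the fingerprint while the management computer is cabled directly to port1, as the procedure above has you do; later connections through the network can then be checked against it. Note that Python’s default context negotiates TLS 1.2 or later, so against an appliance that offers only SSL v3 and TLS v1.0, as stated above, fetch_server_cert will need ctx.minimum_version lowered to ssl.TLSVersion.TLSv1 (and possibly a relaxed OpenSSL security level) before it can complete the handshake.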

You can alternatively log in using an SSH key. For details, see “system admin” on page 439.

If three incorrect login or password attempts occur in a row, you will be disconnected to protect the appliance from brute-force login attempts. Wait one minute, then reconnect to attempt the login again.

Login credentials entered are encrypted before they are sent to the FortiScan appliance. If your login is successful, the Web-based Manager appears. To continue by updating the firmware, see “Updating the Firmware” on page 80. Otherwise, to continue by configuring the basic settings.

Connecting to the CLI

Using its default settings, you can access the CLI from your management computer in two ways:
• a local serial console connection
• an SSH connection, either local or through the network


Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. Supported SSH protocol versions, ciphers, and bit strengths include SSH 2 with AES-128, 3DES, Blowfish, and SHA-1 (except for trial license or LENC versions of FortiScan-VM).

Table 7: Default settings for connecting to the CLI by SSH

Network Interface       port1
IP Address              192.168.1.99
SSH Port Number         22
Administrator Account   admin
Password                (no password)

If you are not connecting for the first time, nor have you just reset the configuration to its default state or restored the firmware, administrative access settings may have already been configured. In this case, access the CLI using the IP address, administrative access protocol, administrator account and password already configured, instead of the default settings.

The following procedures describe connection using PuTTY software; steps vary with other terminal emulators or consoles. For example, on FortiScan-VM, connect to the console using Citrix XenCenter or VMware vSphere Client. For an example, see the FortiScan-VM Install Guide.

Requirements
• a computer with an available serial communications (COM) port
• the RJ-45-to-DB-9 or null modem cable included in your FortiScan package
• terminal emulation software such as PuTTY

To connect to the CLI using a local serial console connection:
1. Using the RJ-45-to-DB-9 or null modem cable, connect your computer’s serial communications (COM) port to the FortiScan appliance’s console port.
2. Verify that the FortiScan appliance is powered on.
3. On your management computer, start PuTTY.
4. In the Category tree on the left, go to Connection > Serial and configure these settings:
Serial line to connect to    COM1 (or, if your computer has multiple serial ports, the name of the connected serial port)
Speed (baud)                 9600
Data bits                    8
Stop bits                    1
Parity                       None
Flow control                 None
5. In the Category tree on the left, go to Session (not the sub-node, Logging) and from Connection type, select Serial.
6. Select Open.
7. Press the Enter key to initiate a connection. The login prompt appears.
8. Type admin then press Enter twice. (In its default state, there is no password for the admin account.) The CLI displays the following text, followed by a command line prompt:
Welcome!
You can now enter commands. To continue by configuring the administrator password.

Requirements
• a computer with an RJ-45 Ethernet port
• a crossover Ethernet cable (if connecting directly) or straight-through Ethernet cable (if connecting through a switch or router) (on FortiScan-VM, this is whatever cable you use to connect to the hypervisor’s network)
• a FortiScan network interface configured to accept SSH connections. In its default state, port1 accepts SSH. You may need to connect directly first in order to configure a static route so that, later, you can connect through routers.
• an SSH client, such as PuTTY

To connect to the CLI using an SSH connection:
1. On your management computer, if connecting to a physical appliance such as a FortiScan-3000C/D, configure the Ethernet port with the static IP address 192.168.1.2 with a netmask of 255.255.255.0. If connecting to FortiScan-VM, configure your management computer to connect to the hypervisor’s network.
2. Using the Ethernet cable, connect your computer’s Ethernet port to the FortiScan appliance’s port1.
3. Verify that the FortiScan appliance is powered on.
4. On your management computer, start PuTTY. Initially, the Session category of settings is displayed.
5. In Host Name (or IP Address), type 192.168.1.99.
6. In Port, type 22.
7. From Connection type, select SSH.
8. If you are connecting to the trial license of FortiScan-VM or a LENC version of FortiScan, in the Category pane on the left, go to Connection > SSH to display SSH protocol-specific settings. In Preferred SSH protocol version, select 1. In Encryption cipher selection policy, select DES and select the Up button until it is at the top of the list. (RC2, RC4, and DES with less than 64-bit strength are supported. AES and 3DES are not supported in these versions.)
9. Select Open. The SSH client connects to the FortiScan appliance. The SSH client may display a warning if this is the first time you are connecting to the FortiScan appliance and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiScan appliance but it used a different IP address or SSH key. If your management computer is directly connected to the FortiScan appliance with no network hosts between them, this is normal.


10. Select Yes to verify the fingerprint and accept the FortiScan appliance’s SSH key. You cannot log in until you accept the key. The CLI displays a login prompt.
11. Type admin and press Enter. (In its default state, there is no password for this account.)

If three incorrect login or password attempts occur in a row, you will be disconnected to protect the appliance from brute-force login attempts. Wait one minute, then reconnect to attempt the login again.

The CLI displays a prompt, such as:
FortiScan-3000D #
You can now enter commands.

Changing the “admin” account password

The default administrator account, named admin, initially has no password. Unlike other administrator accounts, the admin administrator account exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. This administrator account always has full permission to view and change all FortiScan configuration options, including viewing and changing all other administrator accounts. Its name and permissions cannot be changed. Before you connect the FortiScan appliance to your overall network, you should configure the admin account with a password to prevent others from logging into the FortiScan and changing its configuration. The first time you log in to the Web-based Manager, it will automatically ask you to set a password for the admin account. You can change it again at any time using the following steps. Set a strong password for the admin administrator account, and change the password regularly. Failure to maintain the password of the admin administrator account could compromise the security of your FortiScan appliance, and is a violation of many best practices and compliance regimes, including PCI DSS.

The password cannot be changed through the CLI.

To change the admin administrator password using the Web-based Manager:
1. From Current ADOM, select Global.
The admin administrator account applies to the entire appliance, not to an individual ADOM.
2. Go to System > Admin > Administrators.
3. In the row corresponding to the admin administrator account, select Change password.
4. In the Old Password field, enter nothing.
5. In the New Password field, enter a password with sufficient complexity and number of characters to deter brute force and other attacks.
6. In the Confirm Password field, enter the new password again to confirm its spelling.


7. Select OK.
8. Select Logout.
The FortiScan appliance logs you out. To continue using the Web-based Manager, you must log in again. The new password takes effect the next time that administrator account logs in.

Setting the system time and date

You can either manually set the FortiScan system time or configure the FortiScan appliance to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.

For many features to work, including scheduling, logging, and SSL-dependent features, the FortiScan system time must be accurate.

To configure the system time via the Web-based Manager:
1. From Current ADOM, select Global.
Time settings apply to the entire appliance, not a specific ADOM.
2. Go to System > Dashboard > Status.
3. In the System Information widget, in the System Time row, select Change.
The Time Settings dialog appears in a pop-up window.
4. Either configure these settings to manually configure the system time:
Figure 16: Time settings

5. Configure the following settings:
Time Zone
    Select the time zone in which the FortiScan appliance is located.
Set Time
    Select this option to manually set the date and time of the FortiScan appliance’s clock, then select the Hour, Minute, Second, Year, Month and Day fields before you select Apply.

or configure these settings to automatically synchronize the FortiScan appliance’s clock with an NTP server:


Figure 17: NTP settings

6. Configure the following settings:
Synchronize with NTP Server
    Select this option to automatically synchronize the date and time of the FortiScan appliance’s clock with an NTP server, then configure the Server and Sync Interval fields before you select Apply.
Server
    Type the IP address or domain name of an NTP server. To find an NTP server that you can use, go to http://www.ntp.org.
Sync Interval
    Type how often, in minutes, the FortiScan appliance should synchronize its time with the NTP server. For example, entering 1440 causes the FortiScan appliance to synchronize its time once a day. The default value is 60 minutes. Valid values range from 1 to 1,440 minutes.

7. Select OK.


To configure NTP via the CLI:
To synchronize with an NTP server, enter the following commands:
config global
  config system global
    set timezone
  end
  config system ntp
    set ntpsync enable
    set syncinterval
    config ntpserver
      edit 0
        set server { | }
      next
    end
  end
where:
• is the index number of the time zone in which the FortiScan appliance is located (to view the list of valid time zones and their associated index numbers, enter a question mark)
• is how often, in minutes, the FortiScan appliance should synchronize its time with the NTP server; valid values range from 1 to 1440
• { | } is a choice of either the IP address or fully qualified domain name (FQDN) of the NTP server, such as pool.ntp.org

To manually set the date and time via the CLI:
To manually configure the FortiScan appliance’s system time and disable the connection to an NTP server, enter the following commands:
config global
  config system ntp
    set ntpsync disable
  end
  config system global
    set timezone
  end
  execute set-time
  execute set-date
where:
• is the index number of the time zone in which the FortiScan appliance is located (to view the list of valid time zones and their associated index numbers, enter a question mark)
• is the time for the time zone in which the FortiScan appliance is located according to a 24-hour clock, formatted as hh:mm:ss (hh is the hour, mm is the minute, and ss is the second)
• is the date for the time zone in which the FortiScan appliance is located, formatted as yyyy-mm-dd (yyyy is the year, mm is the month, and dd is the day)


Configuring the network settings

When shipped, each of the FortiScan appliance’s physical network adapter ports (or, for FortiScan VM, vNICs) has an associated network interface in the firmware. Each network interface has a default IP address and netmask. However, these IP addresses and netmasks may not be compatible with the design of your unique network. In addition, you must configure the FortiScan appliance with the IP address of your DNS servers and gateway router. You can use either the Web-based Manager or the CLI to configure these basic network settings.

If you are installing a FortiScan VM virtual appliance, and you followed the instructions in the FortiScan VM Install Guide, you have already configured some of the settings for port1. To fully configure all of the network interfaces, you must complete this chapter.

Configuring the network interfaces

A network interface is a logical layer, an IP address and netmask associated with one of the FortiScan appliance’s physical network ports.

Table 8: Default IP addresses and netmasks
Network Interface*    IP Address      Netmask
port1                 192.168.1.99    255.255.255.0
port2                 192.168.2.99    255.255.255.0
port3                 192.168.3.99    255.255.255.0
port4                 192.168.4.99    255.255.255.0
port5                 192.168.5.99    255.255.255.0
port6                 192.168.6.99    255.255.255.0
* The number of network interfaces varies by model.

You can assign an IP address to each physical port individually by configuring its associated network interface. You must configure at least one FortiScan network interface (usually port1) for you to be able to connect to the CLI and Web-based Manager, which require an IP address. Depending on your network topology and other considerations, you may need to configure one or more of the FortiScan appliance’s other network interfaces for the FortiScan appliance to connect to your network and, if you will use agentless remote network vulnerability scans, to the hosts it protects.

In addition to an IP address, each FortiScan network interface can also be configured to set which protocols are permitted for administrative access to the FortiScan appliance through that network interface. For example, you may choose to permit SNMP queries of the FortiScan appliance’s system status through port1, the network interface directly connected to your SNMP manager, but not through any other network interface.


Configure each network interface that you will connect to a network.

Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiScan appliance.

Unlike other administrative protocols, SNMP access and ODBC access are not enabled individually for each network interface. For configuration, see “SNMP traps and queries” on page 457 and “ODBC access for third party reports” on page 489.

To configure a network interface’s IP address via the Web-based Manager:

On FortiScan-VM, after 5 changes of the IP address that is bound to the license, administrators will be locked out of the Web-based Manager until you request and upload a new license. To determine the bound IP, see “Management Address” on page 428.

On FortiScan-VM, by default, to prevent potential route confusion, port2, port3, and port4 are disabled (“down”). If the network interface’s Status is a red down arrow, its administrative status is currently “down” and it will not receive or emit packets, even if you otherwise configure it. To bring up the network interface, mark its check box to select it, then select Bring Up. The icon should change to a green up arrow.
1. From Current ADOM, select Global.
Network interfaces are configured for the entire appliance, and are not specific to each ADOM. The menu in the next step is available only if Current ADOM is Global.
2. Go to System > Network > Interface.
3. Mark the check box next to the interface that you want to configure.
4. Select Edit in the toolbar.
Figure 18: Select Edit in toolbar


Figure 19: Edit interface window

5. Configure the following settings:
Name
    The name and media access control (MAC) address of this network interface. Usually directly associated with one physical link as indicated by its name, such as port2.
IP / Netmask
    Type the IP address and subnet mask. The IP address must be on the same subnet as the network to which the interface connects.
Administrative Access
    Enable the types of administrative access that you want to permit to this interface. These options do not disable outgoing administrative connections, such as update polling connections to the FDN or outgoing ICMP resulting from a CLI command such as execute ping. Neither do they govern traffic destined for a web server or virtual server, which are governed by policies. These options only govern incoming connections destined for the appliance itself.
    Caution: Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiScan appliance.
HTTPS
    Enable to allow secure HTTPS connections to the Web-based Manager through this network interface.
PING
    Enable to allow:
    • ICMP type 8 (ECHO_REQUEST) for ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST, FortiScan will reply with ICMP type 0 (ECHO_RESPONSE).
    Note: Disabling PING only prevents FortiScan from receiving ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP. It does not disable FortiScan CLI commands such as execute ping or execute traceroute that send such traffic.
HTTP
    Enable to allow HTTP connections to the Web-based Manager through this network interface.
    Caution: HTTP connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiScan appliance.
SSH
    Enable to allow SSH connections to the CLI through this network interface.
TELNET
    Enable to allow Telnet connections to the CLI through this network interface.
    Caution: Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiScan appliance.
MTU
    Enable to change the maximum transmission unit (MTU) value, then type the maximum packet or Ethernet frame size in bytes. If network devices between the FortiScan appliance and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance. The default value is 1500 bytes. Valid values range from 576 to 1500 bytes.

6. Select OK.
If you were connected to the Web-based Manager through this network interface, you are now disconnected from it.
7. To access the Web-based Manager again, in your web browser, modify the URL to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 172.16.1.20, you would browse to https://172.16.1.20.
If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiScan appliance, you may also need to modify the IP address and subnet of your computer to match the FortiScan appliance’s new IP address.

To configure a network interface’s IP address via the CLI:

On FortiScan VM, after 5 changes of the IP address that is bound to the license, administrators will be locked out of the Web-based Manager until you request and upload a new license. To determine the bound IP, see “Management Address” on page 428.


On FortiScan VM, by default, to prevent potential route confusion, port2, port3, and port4 are disabled (“down”). To bring up a network interface, when editing it, enter the command set status up.

Enter the following commands:
config global
  config system interface
    edit
      set ip
      set allowaccess {http https ping ssh telnet}
  end
where:
• is the name of a network interface, such as port2
• is the IP address assigned to the network interface, such as 192.168.2.99
• is its netmask in dotted decimal format, such as 255.255.255.0
• {http https ping ssh telnet} is a space-delimited list of zero or more administrative protocols that you want to allow to access the FortiScan appliance through the network interface, such as https ssh ping; if you do not want to allow any administrative access on the network interface, instead of typing the set allowaccess command, type unset allowaccess

HTTP and Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiScan appliance.

If you were connected to the CLI through this network interface, you are now disconnected from it. To access the CLI again, in your terminal client, modify the address to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 172.16.1.20, you would connect to that IP address. If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiScan appliance, you may also need to modify the IP address and subnet of your computer to match the FortiScan appliance’s new IP address.
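Interface and NTP settings entered in this config/edit/set/next/end syntax (see also “To configure NTP via the CLI”) can be checked before they are pasted into the appliance. The script below is an added example, not FortiScan or Fortinet code: it parses a constructed configuration into nested dictionaries, then reports any interface whose allowaccess list includes http or telnet, an NTP sync that is not enabled, and a syncinterval outside the 1 to 1440 minute range the guide documents. The sample configuration, its interface names and its values are made up for the example.

```python
"""Added example (not FortiScan or Fortinet code): parse a FortiScan-style
CLI configuration and audit it for the two mistakes the guide warns about,
insecure administrative protocols on an interface and an NTP sync interval
outside 1 to 1440 minutes."""
import shlex
from typing import Dict, List

# Constructed sample in the config/edit/set/unset/next/end syntax the guide
# shows.  Interface names, addresses and values are made up for this example.
SAMPLE_CONFIG = """
config global
    config system interface
        edit port1
            set ip 192.168.1.99 255.255.255.0
            set allowaccess https ssh ping
        next
        edit port2
            set ip 192.168.2.99 255.255.255.0
            set allowaccess http telnet https
        next
        edit port3
            set ip 192.168.3.99 255.255.255.0
            unset allowaccess
        next
    end
    config system ntp
        set ntpsync enable
        set syncinterval 5000
    end
end
"""

# Protocols the guide says to avoid because they are not encrypted.
INSECURE_ADMIN_PROTOCOLS = {"http", "telnet"}


def parse_config(text: str) -> Dict:
    """Turn the nested CLI syntax into nested dicts.

    'config A B' opens a table stored under the key "A B"; 'edit NAME' opens an
    entry in that table; 'set KEY V...' stores the value list; 'unset KEY'
    removes it; 'next' and 'end' close the current entry or table.
    """
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end"):
            if len(stack) > 1:
                stack.pop()
        else:
            raise ValueError(f"unrecognised command: {raw.strip()}")
    return root


def audit(cfg: Dict) -> List[str]:
    """Return one finding string per problem; an empty list means clean."""
    findings: List[str] = []
    scope = cfg.get("global", {})
    for name, settings in scope.get("system interface", {}).items():
        insecure = sorted(set(settings.get("allowaccess", [])) & INSECURE_ADMIN_PROTOCOLS)
        if insecure:
            findings.append(f"{name}: insecure administrative protocols enabled: {', '.join(insecure)}")
    ntp = scope.get("system ntp", {})
    if ntp.get("ntpsync", ["disable"])[0] != "enable":
        findings.append("system ntp: ntpsync is disabled, so the clock will drift")
    interval = ntp.get("syncinterval")
    if interval:
        try:
            minutes = int(interval[0])
        except ValueError:
            minutes = -1
        if not 1 <= minutes <= 1440:
            findings.append(f"system ntp: syncinterval {interval[0]} is outside the valid range 1 to 1440 minutes")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Running it on the sample reports port2 (http and telnet enabled) and the out-of-range sync interval; port3, which has administrative access unset, and port1, which allows only https, ssh and ping, pass. The same parser can be pointed at a saved configuration export to review every interface at once rather than one Edit window at a time.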

Configuring DNS settings

DNS is a protocol that resolves symbolic names such as example.com into IP addresses. A domain name server (DNS server) implements the protocol by storing mappings between domain names and the IP addresses of the computers on which they reside, and by answering the queries of computers that need this information. Like many other types of network devices, FortiScan appliances require connectivity to DNS servers for DNS lookups.


Your Internet service provider (ISP) may supply IP addresses of DNS servers, or you may want to use the IP addresses of your own DNS servers.

Incorrect DNS settings or unreliable DNS connectivity can cause issues with other features, including FortiGuard services and NTP system time.

For improved performance, use DNS servers on your local network.

To configure DNS settings via the Web-based Manager:
1. From Current ADOM, select Global.
DNS is configured for the entire appliance, and is not specific to each ADOM. The menu in the next step is available only if Current ADOM is Global.
2. Go to System > Network > DNS.
Figure 20: DNS setting window

3. Configure the following settings:
Primary DNS Server
    Enter the IP address of the primary DNS server.
Secondary DNS Server
    Enter the IP address of the secondary DNS server.

4. Select Apply.
The appliance will query the DNS servers whenever it needs to resolve a domain name into an IP address, such as for NTP system time, FortiGuard services, or traceroutes to hosts by their domain names.
5. To verify your DNS settings, in the CLI, enter the following commands:
config global
execute traceroute
where is a domain name such as www.example.com.

DNS tests may not succeed until you have completed “Adding a gateway” on page 67.


If the DNS query for the domain name succeeds, you should see results for connectivity tests to the IP that hosts that domain name.

To configure DNS settings via the CLI:
1. Enter the following commands:
config global
  config system dns
    set primary
    set secondary
  end
where is the IP address of a DNS server.
The appliance will query the DNS servers whenever it needs to resolve a domain name into an IP address, such as for NTP system time, FortiGuard services, or traceroutes to hosts by their domain names.
2. To verify your DNS settings, in the CLI, enter the following commands:
config global
execute traceroute
where is a domain name such as www.example.com.

DNS tests may not succeed until you have completed “Adding a gateway” on page 67.

If the DNS query for the domain name succeeds, you should see results for connectivity tests to the IP that hosts that domain name.

Adding a gateway

Static routes direct traffic exiting the FortiScan appliance — you can specify through which network interface a packet will leave, and the IP address of a next-hop router that is reachable from that network interface. Routers are aware of which IP addresses are reachable through various network pathways, and can forward those packets along pathways capable of reaching the packets’ ultimate destinations. Your FortiScan itself does not need to know the full route, as long as the routers can pass along the packet.

You must configure FortiScan with at least one static route that points to a gateway router. You may need to configure multiple static routes if you have multiple gateway routers, each of which should receive packets destined for a different subset of IP addresses, redundant routers, or other special routing cases. However, often you will only need to configure one route: a default route. For example, if your management computer is directly attached to one network interface, but all other destinations, such as connecting clients, are located on distant networks such as the Internet, you might need to add only one route: a default route for the gateway router through which the FortiScan appliance connects to the Internet.

If your management computer is not directly attached to one of the physical ports of the FortiScan appliance, you may also require a static route so that your management computer can connect with the Web-based Manager and CLI.


When you add a static route through the Web-based Manager, the FortiScan appliance evaluates the route to determine if it represents a different route compared to any other route already present in the list of static routes. If no route having the same destination exists in the list of static routes, the FortiScan appliance adds the static route, using the next unassigned route index number.

The index number of the route in the list of static routes (diagnose netlink route list) is not necessarily the same as its position in the routing table (diagnose netlink rtcache list).

To add the default route via the Web-based Manager:
1. From Current ADOM, select Global.
Routing is configured for the entire appliance, and is not specific to each ADOM. The menu in the next step is available only if Current ADOM is Global.
2. Go to System > Network > Routing.
Figure 21: Routing page
3. Select Create New.
Figure 22: New routing entry
4. Configure the following settings:
Destination IP/Mask
    Type the destination IP address and network mask of packets that will be subject to this static route, separated by a slash ( / ). The value 0.0.0.0/0.0.0.0 results in a default route, which matches all packets.
Gateway
    Type the IP address of the next-hop router where the FortiScan appliance will forward packets subject to this static route. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/Mask, or forward packets to another router with this information. For a direct Internet connection, this will be the router that forwards traffic towards the Internet, and could belong to your ISP.
Interface
    Select the name of the network interface through which the packets subject to the static route will egress towards the next-hop router.
Making a default route for your FortiScan is a typical best practice: if there is no other, more specific static route defined for a packet’s destination IP address, a default route will match the packet, and pass it to a gateway router so that the packet can reach its destination. If you do not define a default route, and if there is a gap in your routes where no route matches a packet’s destination IP address, packets passing through the FortiScan towards those IP addresses will, in effect, be dropped. A default route ensures that this kind of locally-caused “destination unreachable” problem cannot occur.
5. Select OK.
The FortiScan appliance should now be reachable to connections with networks indicated by the mask.
6. To verify connectivity, from the FortiScan appliance to a host on the network applicable to the route, attempt to connect. To verify bidirectional connectivity, also attempt the inverse: connect from the host to the appliance.
If the connectivity test fails, you can use the CLI commands:
execute ping
to determine if a complete route exists between the host and FortiScan, and:
execute traceroute
to determine the point of connectivity failure.
If you will be using agentless remote network vulnerability scans, also enable PING on the FortiScan’s network interface, then use the equivalent tracert or traceroute command on the host (depending on its operating system) to test routability for traffic traveling in the opposite direction: from the host to the FortiScan.
• If these tests fail, or if you do not want to enable PING, first examine the static route configuration on both the host and FortiScan. To display the routing table, enter the CLI command:
diagnose netlink rtcache list
You may also need to verify that the physical cabling is reliable and not loose or broken, that there are no IP address or MAC address conflicts or blacklisting, and otherwise rule out problems at the physical, network, and transport layer.
• If these tests succeed, a route exists, but FortiScan cannot connect for remote network vulnerability scans, or FortiScan agents cannot submit surveys or retrieve commands from the appliance, an application-layer problem is preventing connectivity. Examine routers and firewalls between the host and the FortiScan appliance to verify that they permit SSH, SMB, HTTPS, etc. connectivity between them. Finally, you can also use the CLI command:
diagnose system top 5 30
to verify that the daemons for those connections, such as sshd, newcli, and httpsd are running and not overburdened. For more information, see the FortiScan CLI Reference.

The FortiScan appliance must be able to receive connections from FortiScan agents in order to be able to use agent-based features. The appliance also must be able to connect to the Internet in order to download updates from the FDN.

To add a default route using the CLI:
1. Enter the following commands:
config global
  config router static
    edit
      set gateway
      set device
  end
where:
• is the index number (to configure the next available index number, type 0) of the route in the list of static routes
• is the IP address of the gateway router
• is the name of the network interface through which packets will egress, such as port1
The FortiScan appliance should now be reachable to connections with networks indicated by the mask.
2. To verify connectivity, from the FortiScan appliance to a host on the network applicable to the route, attempt to connect. To verify bidirectional connectivity, also attempt the inverse: connect from the host to the appliance.
If the connectivity test fails, you can use the CLI commands execute ping to determine if a complete route exists between the host and FortiScan, and execute traceroute to determine the point of connectivity failure. For details, see the FortiScan CLI Reference.
If these tests fail, first examine the static route configuration on both the host and FortiScan. (For the appliance to respond to ICMP ECHO (ping), you must enable it on the network interface that will be receiving connection attempts from the host. For details, see “To configure a network interface’s IP address via the CLI:” on page 64.) You may also need to verify that the physical cabling is reliable and not loose or broken, and otherwise rule out problems at the physical, network, and transport layer.
To display the routing table of the appliance, in the CLI, enter the command:
diagnose netlink route list
For more information, see the FortiScan CLI Reference. Also examine routers and firewalls between the host and the FortiScan appliance to verify that they permit connectivity between them.

The FortiScan appliance must be able to receive connections from FortiScan agents in order to be able to use agent-based features. The appliance also must be able to connect to the Internet in order to download updates from the FDN.
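The route selection that the default-route discussion above describes (a more specific route wins; with no match and no default route the packet is dropped) can be reproduced offline. The script below is an added example, not FortiScan code: it performs a longest-prefix lookup over a constructed static route table written in the Destination IP/Mask, Gateway, Interface form used in the Routing page and under config router static, once without and once with a 0.0.0.0/0.0.0.0 entry. All addresses and interface names are made up for the example.

```python
"""Added example (not FortiScan code): longest-prefix-match over a static
route table in the destination/mask, gateway, device form used under
'config router static', to show what a default route changes."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# (Destination IP/Mask, Gateway, Interface).  Constructed values for the example.
Route = Tuple[str, str, str]

ROUTES_WITHOUT_DEFAULT: List[Route] = [
    ("10.10.0.0/255.255.0.0", "192.168.1.1", "port1"),
    ("172.16.5.0/255.255.255.0", "192.168.2.1", "port2"),
]
DEFAULT_ROUTE: Route = ("0.0.0.0/0.0.0.0", "192.168.1.254", "port1")


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Return the matching route with the longest prefix, or None if no route matches."""
    target = ip_address(dst)
    best_len = -1
    best: Optional[Route] = None
    for route in routes:
        # ip_network accepts the dotted netmask form the Web-based Manager uses,
        # and strict=False tolerates host bits set in the destination.
        net = ip_network(route[0], strict=False)
        if target in net and net.prefixlen > best_len:
            best_len, best = net.prefixlen, route
    return best


def forwarding_decision(routes: List[Route], dst: str) -> str:
    """Describe what the appliance would do with a packet for dst."""
    route = lookup(routes, dst)
    if route is None:
        return f"{dst}: no matching route, packet dropped (destination unreachable)"
    return f"{dst}: forward via {route[1]} out {route[2]} (matched {route[0]})"


if __name__ == "__main__":
    tables = (
        ("without default route", ROUTES_WITHOUT_DEFAULT),
        ("with default route", ROUTES_WITHOUT_DEFAULT + [DEFAULT_ROUTE]),
    )
    for table_name, table in tables:
        print(table_name)
        for dst in ("10.10.3.4", "172.16.5.7", "203.0.113.10"):
            print("  " + forwarding_decision(table, dst))
```

With only the two specific routes, 203.0.113.10 has no match and is dropped; adding the default route sends it to 192.168.1.254 while 172.16.5.7 still leaves through port2, because the /24 beats the /0. The order of entries in the list does not affect the result here; only prefix length does, which is why the route index discussed above is not the same thing as the routing table position.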


To reposition a static route entry in the list:
1. From Current ADOM, select Global.
2. Go to System > Network > Routing.
3. Mark the check box for the route you want to move.
4. In the # column, identify the Route ID for the row where you want to move the selected route.
5. Select Move.
The Move Routing Entry dialog appears.
Figure 23: Move routing entry
6. Configure the following settings:
Before
    Select to move the route before the route specified in the Route ID field.
After
    Select to move the route after the route specified in the Route ID field.
Route ID
    Enter the index number of the route before or after which you want to move the selected route.
7. Select OK.
To display the routing table of the appliance, in the CLI, enter the command:
diagnose netlink route list
For more information, see the FortiScan CLI Reference.


Connecting to FortiGuard Services

New vulnerabilities are discovered and new remediations are built by Fortinet researchers every day. Most security exploits and virus exposures occur within the first couple months of a known vulnerability. After the FortiScan appliance is physically installed and configured to operate in your network, if you have subscribed to FortiGuard services, connect the FortiScan appliance to the Fortinet Distribution Network (FDN). Connecting your FortiScan appliance to the FDN or FDN server override ensures that your FortiScan appliance can:
• Verify its FortiGuard VCM license
• Download up-to-date FortiGuard Vulnerability Management Service (VCM) definition and engine packages in order to scan hosts using the most up-to-date protection
• Download FortiScan firmware and agent updates
Without these updates, your FortiScan cannot detect the newest threats or compliance violations, nor apply the newest patches and remediations.

FortiGuard VCM packages contain engines and definitions such as network vulnerability scanner definitions, benchmarks, and remediations that are used by your FortiScan appliance’s features. The service aggregates many sources every day, including:
• Independent research by the Fortinet IPS team
• Competitors’ services, open source vulnerability projects, and security alerts
• Security advisories, compliance standards, and recommendations from:
  • Software vendors such as Microsoft and Adobe
  • http://www.sans.org/
  • http://www.exploit-db.com/
  • http://www.metasploit.com/
  • NVD (National Vulnerability Database for Federal Desktop Core Configuration (FDCC) compliance using security content automation protocol (SCAP))
  • NIST (National Institute of Standards and Technology)
  • MITRE for CVE and OVAL benchmarks, etc.

FortiScan appliances receive updates from the Fortinet Distribution Network (FDN). The FDN is a world-wide network of Fortinet Distribution Servers (FDS). When a FortiScan appliance connects to the FDN to download FortiGuard engine and definition updates, by default, it connects to the nearest FDS based on the current time zone setting. Your FortiScan appliance may be able to connect using the default settings. However, you should confirm this by verifying connectivity.

You must first register the FortiScan appliance with the Fortinet Technical Support web site, https://support.fortinet.com/, to receive service from the FDN. The FortiScan appliance must also have a valid Fortinet Technical Support contract which includes service subscriptions, and be able to connect to the FDN or the FDS that you will configure to override the default FDS addresses. For port numbers required for license validation and update connections, see “Appendix B: Port Numbers” on page 525. If you do not yet have a FortiGuard VCM subscription, you can purchase one by contacting your reseller or Fortinet Technical Support.


To determine your FortiGuard license status:
1. If your FortiScan appliance must connect to the Internet (and therefore FDN) through an explicit (non-transparent) web proxy, configure the proxy connection (see “Accessing via a web proxy”).
The appliance will attempt to validate its license when it boots. If the appliance could not connect because proxy settings were not configured, or due to any other connectivity issue that you have since resolved, you can reboot the appliance to re-attempt license validation.
2. From Current ADOM, select Global.
FortiGuard connectivity is configured for the entire appliance, not for an individual ADOM.
3. Go to System > Dashboard > Status.
4. In the License Information widget, in the Vulnerability and Compliance Management row, look at the status icon to determine the appliance’s license status.
Figure 24: License information widget

• Expired or Not Registered (orange X icon): At the last attempt, the FortiScan appliance was able to contact the FDN. However, its FortiGuard Vulnerability Management Service license was not valid. To purchase a license, select Subscribe.

Your FortiScan appliance cannot detect the latest vulnerabilities and compliance violations unless it is licensed and has network connectivity to download current definitions from the FortiGuard Vulnerability Management Service.

• Licensed (green check mark icon): At the last attempt, the FortiScan appliance was able to successfully contact the FDN and validate its FortiGuard Vulnerability Management Service license. You must first register the FortiScan appliance with the Fortinet Technical Support web site: https://support.fortinet.com/ to receive vulnerability management updates from the FDN. The FortiScan appliance must also have a valid Fortinet Technical Support contract, which includes a FortiGuard service subscription.
• Unreachable (grey X icon): Unable to determine license status due to network connection errors. Check the configuration of the FortiScan appliance and any NAT or firewall devices that exist between the FortiScan appliance and the FDN or override server. For example, you may need to add static routes.

To verify FortiGuard update connectivity:
1. Before performing this procedure, if your FortiScan appliance connects to the Internet using a proxy, configure the FortiScan appliance to connect to the FDN through the proxy (see “Scheduling VCM updates” on page 76).
2. From Current ADOM, select Global.
FortiGuard connectivity is configured for the entire appliance, not for an individual ADOM.

Fortinet Technologies Inc.

Page 73

FortiScan v5.0 MR1 Administration Guide

3. Go to System > Maintenance > FortiGuard.

Figure 25: FortiGuard page

This page displays the following:

FortiGuard Subscription Services

Vulnerability and Compliance Management: Indicates whether or not this FortiScan appliance is licensed for the FortiGuard Vulnerability Management Service:
• Expired or Not Registered (orange X icon): At the last attempt, the FortiScan appliance was able to contact the FDN. However, its FortiGuard Vulnerability Management Service license was not valid. To purchase a license, select Subscribe.

Caution: Your FortiScan appliance cannot detect the latest vulnerabilities and compliance violations unless it is licensed and has network connectivity to download current definitions from the FortiGuard Vulnerability Management Service.

• Licensed (green check mark icon): At the last attempt, the FortiScan appliance was able to successfully contact the FDN and validate its FortiGuard Vulnerability Management Service license.
• Unreachable (grey X icon): Unable to determine license status due to network connection errors. Check the configuration of the FortiScan appliance and any NAT or firewall devices that exist between the FortiScan appliance and the FDN or server override. For example, you may need to add static routes.


VCM Service Pack: Select the Update link to upload a VCM service pack upgrade file from your management computer. To obtain a VCM file, contact Fortinet Technical Support. You might upload a VCM file if you want to provide an immediate update, or use a VCM version other than the one currently provided by the FDN. If you want to use a VCM file other than the one currently provided by the FDN, also disable scheduled updates.

Note: Manual updates are not a substitute for a connection to the FDN. As with scheduled updates, manual updates require that the FortiScan appliance be able to connect to the FDN to validate its VCM license, and cannot be performed in an offline environment.

4. If you want your FortiScan appliance to connect to a specific FDS other than the default for its time zone, enable Use override server address, and enter the IP address and port number of an FDS in the format <IP address>:<port>, such as 10.0.0.1:443.

Firmware downloads use the same web proxy and connection override settings as FortiGuard VCM service. However, they do not use the same schedule. Firmware download queries to the FDN will occur on a fixed schedule.

5. Select Apply.
6. Select Request Update Now. The FortiScan appliance tests its connection to the FDN or, if any, the FDN server override. Time required varies by the speed of the FortiScan appliance’s network connection, and the number of timeouts that occur before the connection attempt is successful or the FortiScan appliance determines that it cannot connect.

Test results are indicated in Events & Tickets > System Log > Historical, such as this log message:

VM upgrade: no new update available

or:

VM upgrade: package installed successfully from 192.168.1.10:443

which indicates that the connection succeeded. If the connection test did not succeed due to license issues, you would instead see this log message:

VM upgrade: license expired or not valid

If the connection test did not succeed due to failed connectivity with the proxy, you would instead see this log message:

VM upgrade: failed connecting to 192.168.1.10:443

FortiScan must be able to connect to either the FDN or the IP address that you have configured to override the default FDN addresses. For port numbers required for license validation and update connections, see “Appendix B: Port Numbers” on page 525. For more troubleshooting information, see the command diagnose debug application fortiguard 8 in the FortiScan CLI Reference.
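The four outcomes listed above can be checked automatically from an exported system log, so that a licence or proxy problem is noticed before definitions go stale. The following Python script is an added example, not part of FortiScan or this guide; the message texts are the ones shown above, while the timestamped sample lines are constructed.

```python
"""Classify FortiScan 'VM upgrade:' system log messages.

Added example, not FortiScan code: it mirrors the outcomes the guide lists
for Events & Tickets > System Log > Historical so an operator can spot
licence and connectivity failures in an exported log excerpt.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Message texts from the guide; the host:port part varies per deployment.
PATTERNS = [
    ("ok-current", re.compile(r"VM upgrade: no new update available$")),
    ("ok-installed", re.compile(r"VM upgrade: package installed successfully from (?P<server>\S+)$")),
    ("license", re.compile(r"VM upgrade: license expired or not valid$")),
    ("connectivity", re.compile(r"VM upgrade: failed connecting to (?P<server>\S+)$")),
]

# What the guide tells the administrator to check for each outcome.
NEXT_STEP = {
    "ok-current": "nothing to do",
    "ok-installed": "nothing to do",
    "license": "check registration and the FortiGuard VCM subscription on support.fortinet.com",
    "connectivity": "check proxy settings, static routes and NAT/firewall devices between the appliance and the FDN or override server",
}


class UpdateEvent(NamedTuple):
    outcome: str
    server: Optional[str]
    raw: str


def classify(line: str) -> UpdateEvent:
    """Map one log line to an outcome; unknown texts are flagged, not guessed."""
    text = line.strip()
    for outcome, pat in PATTERNS:
        m = pat.search(text)
        if m:
            return UpdateEvent(outcome, m.groupdict().get("server"), text)
    return UpdateEvent("unknown", None, text)


def summarize(lines: List[str]) -> Tuple[str, Optional[str], str]:
    """Return (latest outcome, server, next step) for a log excerpt.

    Only 'VM upgrade:' lines count; the most recent one wins because it
    reflects the last connection attempt, just as the dashboard icon does.
    """
    events = [classify(l) for l in lines if "VM upgrade:" in l]
    if not events:
        return ("no-attempt", None, "no update attempt logged; select Request Update Now")
    last = events[-1]
    return (last.outcome, last.server, NEXT_STEP.get(last.outcome, "inspect the message manually"))


# Constructed sample excerpt; the timestamp prefix is illustrative only.
SAMPLE_LOG = [
    "2013-09-26 02:13:41 VM upgrade: failed connecting to 192.168.1.10:443",
    "2013-09-26 02:20:07 VM upgrade: license expired or not valid",
    "2013-09-27 02:05:19 VM upgrade: package installed successfully from 192.168.1.10:443",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
    print(summarize(SAMPLE_LOG))
```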


Accessing via a web proxy

Using the CLI, you can configure the FortiScan appliance to connect (tunnel) through an explicit (non-transparent) web proxy server to the FortiGuard Distribution Network (FDN) for signature updates. For example, you might enter the following commands:

config global
config system fortiguard
set vm-proxy enable
set vm-proxy-ip 192.168.1.10
set vm-proxy-port 8080
set vm-proxy-user fortiscan
set vm-proxy-passwd myPassword1
end

For details, see the FortiScan CLI Reference. You can also configure this using the Web-based Manager. Go to System > Maintenance > FortiGuard.

The FortiScan appliance connects to the proxy using the HTTP CONNECT method, as described in RFC 2616.
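Before committing the proxy settings above, it helps to confirm from a management computer that the proxy actually accepts an HTTP CONNECT tunnel with those credentials. The following Python script is an added example, not FortiScan code: it sends the same CONNECT request (with Basic proxy authentication) and reads the proxy's status line; the loopback stand-in proxy, the FDS target host and the credentials are assumptions mirroring the guide's example values.

```python
"""Pre-check an explicit web proxy for HTTP CONNECT tunnelling.

Added example, not FortiScan code. FortiScan reaches the FDN through the
proxy with the HTTP CONNECT method (RFC 2616); this script issues the same
request so an administrator can see whether the proxy allows the tunnel and
accepts the credentials before configuring the appliance.
"""
import base64
import socket
import threading
from typing import Optional, Tuple


def build_connect_request(target: str, user: Optional[str] = None,
                          password: Optional[str] = None) -> bytes:
    """Return the raw CONNECT request the proxy will see (Basic auth if given)."""
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_connect_status(raw: bytes) -> Tuple[int, str]:
    """Parse 'HTTP/1.x <code> <reason>' from the proxy's reply."""
    status_line = raw.split(b"\r\n", 1)[0].decode("iso-8859-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), parts[2] if len(parts) == 3 else ""


def check_proxy_tunnel(proxy_ip: str, proxy_port: int, target: str,
                       user: Optional[str] = None, password: Optional[str] = None,
                       timeout: float = 5.0) -> Tuple[bool, str]:
    """Ask the proxy for a tunnel to target; return (succeeded, detail)."""
    try:
        with socket.create_connection((proxy_ip, proxy_port), timeout=timeout) as s:
            s.sendall(build_connect_request(target, user, password))
            reply = b""
            while b"\r\n\r\n" not in reply:  # read up to the end of the headers
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
        code, reason = parse_connect_status(reply)
    except (OSError, ValueError) as exc:  # refused, timed out or garbage reply
        return False, f"failed connecting to {proxy_ip}:{proxy_port}: {exc}"
    if code == 200:
        return True, f"tunnel to {target} established ({code} {reason})"
    if code == 407:
        return False, f"proxy requires or rejected credentials ({code} {reason})"
    return False, f"proxy refused CONNECT to {target} ({code} {reason})"


def start_fake_proxy(reply: bytes) -> int:
    """Constructed stand-in proxy on loopback that answers one CONNECT; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while b"\r\n\r\n" not in buf:  # consume the client's request headers
                data = conn.recv(4096)
                if not data:
                    break
                buf += data
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Credentials mirror the guide's CLI example; the FDS target is a placeholder.
    port = start_fake_proxy(b"HTTP/1.1 200 Connection established\r\n\r\n")
    print(check_proxy_tunnel("127.0.0.1", port, "fds.example.invalid:443",
                             "fortiscan", "myPassword1"))
```

Against a real deployment, replace the stand-in with the proxy's IP address and port from the CLI example, and use the FDS host and port listed in “Appendix B: Port Numbers”.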

Scheduling VCM updates You can configure the FortiScan appliance to periodically request FortiGuard Vulnerability Management Service (VCM) engine and definition updates from the FDN, and automatically download and apply updates if they exist. For example, you might schedule updates every night at 2 AM or weekly on Sunday, when traffic volume is light.

Alternatively, you can manually upload update packages, or initiate an update request. For details, see “Manually initiating update requests” on page 77 and “Uploading VCM updates” on page 78.

To configure automatic updates:

1. Verify that the FortiScan appliance has a valid license and can connect to the FDN or override server. For details, see “To determine your FortiGuard license status:” on page 73 and “To verify FortiGuard update connectivity:” on page 73.
2. From Current ADOM, select Global. FortiGuard connectivity is configured for the entire appliance, not for an individual ADOM.
3. Go to System > Maintenance > FortiGuard.
4. Select Vulnerability and Compliance Management and select the checkbox to enable Scheduled Update.


5. Select either:
• Every: Select to update once every n hours, then select the number of hours in the interval.
• Daily: Select to update once every day, then select the hour. The update attempt occurs at a randomly determined time within the selected hour.
• Weekly: Select to update once a week, then select the day of the week and the hour of the day. The update attempt occurs at a randomly determined time within the selected hour.
6. Select Apply. The FortiScan appliance next requests an update according to the schedule.

If you have enabled logging, when the FortiScan appliance requests an update, the event is recorded in Events & Tickets > System Log > Historical, such as this log message:

VM upgrade: no new update available

or:

VM upgrade: package installed successfully from 192.168.1.10:443

Manually initiating update requests

You can manually trigger the FortiScan appliance to connect to the FDN or override server to request available updates for its FortiGuard packages. You can manually initiate updates as an alternative or in addition to other update methods. For details, see “Scheduling VCM updates” on page 76.

To manually request updates:

1. Verify that the FortiScan appliance has a valid license and can connect to the FDN or override server. For details, see “To determine your FortiGuard license status:” on page 73 and “To verify FortiGuard update connectivity:” on page 73.
2. From Current ADOM, select Global. FortiGuard connectivity is configured for the entire appliance, not for an individual ADOM.
3. Go to System > Maintenance > FortiGuard.
4. Select Vulnerability and Compliance Management and select the checkbox to enable Scheduled Update.
5. Select Request Update Now. The Web-based Manager displays a message similar to the following:
This might take a few minutes, do you want to continue?
6. Select OK. The page refreshes.
7. After a few minutes, select the FortiGuard submenu to refresh the page, or go to System > Dashboard > Status and look at the License Information widget. If an update was available, the packages that were updated have new version numbers.

If you have enabled logging, when the FortiScan appliance requests an update, the event is recorded in Events & Tickets > System Log > Historical, such as this log message:

VM upgrade: no new update available

or:

VM upgrade: package installed successfully from 192.168.1.10:443


Uploading VCM updates

You can upload VCM packages to FortiScan. Updating definitions ensures that your FortiScan appliance can detect recently discovered vulnerabilities, and uses up-to-date compliance benchmarks. You might manually upload a FortiGuard Vulnerability Management Service (VCM) file if you want to provide an immediate update, or use a VCM version other than the one currently provided by the FDN. (If you want to use a VCM file other than the one currently provided by the FDN, make sure you also disable scheduled updates.)

After restoring the firmware of the FortiScan appliance, you should install the most current package available through FortiGuard. Restoring firmware installs the attack signatures that were current at the time the firmware image file was made: they may no longer be up-to-date.

Manual updates are not a substitute for a connection to the FDN. As with scheduled updates, manual updates require that the FortiScan appliance be able to connect to the FDN to validate its FortiGuard VCM license. Closed networks are not supported.

To upload signatures:

1. Register your FortiScan appliance with the Fortinet Technical Support web site, https://support.fortinet.com/, and obtain a valid support contract. Signature update files will then be available for download when you log in to the Fortinet Technical Support web site.
2. Download the latest signature update file from the FortiGuard Service Updates page of the Fortinet support web site at: https://support.fortinet.com
3. Log in to your FortiScan as the admin administrator.
4. From Current ADOM, select Global. FortiGuard connectivity is configured for the entire appliance, not for an individual ADOM.
5. Do one of the following:
• Go to System > Dashboard > Status and in the License Information widget, VCM Service Pack row, select Update.
• Go to System > Maintenance > FortiGuard. In the VCM Service Pack row, select Update.
An upload dialog will appear in a pop-up window.

Figure 26: VCM update dialog box

6. Select Browse.
7. Locate the VCM service pack file on your computer, then select Open. The name of the file appears in the Upload File field.


8. Select OK. Your browser uploads the file. Time required varies by the network connection and size of the file.


Updating the Firmware

Your new FortiScan appliance comes with the latest operating system (firmware) when shipped. However, if you want to upload the agent installers to the appliance, or if a new version has been released since your appliance was shipped, you should update the firmware before you continue the installation.

If you are installing a FortiScan VM virtual appliance, and you followed the instructions in the FortiScan VM Install Guide, you have already updated the firmware. To configure alternative firmware, complete “Installing alternate firmware” on page 87. Otherwise, skip this chapter and continue with “Configuring Global Email Settings” on page 91.

Fortinet periodically releases FortiScan firmware updates to include enhancements and address issues. After you have registered your FortiScan appliance, FortiScan firmware is available for download at: https://support.fortinet.com

Installing new firmware can overwrite vulnerability and compliance packages using the versions of the packages that were current at the time that the firmware image was built. To avoid repeat updates, update the firmware before updating your FortiGuard packages. New firmware can also introduce new features which you must configure for the first time. For information specific to the firmware release version, see the FortiScan Release Notes available with that release.

In addition to major releases that contain new features, Fortinet releases patch releases that resolve specific issues. It is recommended to download and install patch releases as soon as they are available.

Before you can download firmware updates for your FortiScan appliance, you must first register your FortiScan appliance with Fortinet Technical Support. For details, go to: https://support.fortinet.com/ or contact Fortinet Technical Support.

Updating differs from a new installation. Fortinet provides FortiScan software in three formats:
• .out image file: Use this for new physical appliance installations. Contains only the appliance’s operating system.
• .zip or .tgz image file: Use this for new virtual appliance (VM) installations. Contains a deployable virtual machine package. Download whichever is appropriate for your hypervisor.


(If you have purchased licenses or want to try FortiScan VM for multiple hypervisor platforms, download the package for each platform.)

Table 9: Hypervisor support

File name suffix      Supported hypervisor platform
.out.ovf.esx.zip      VMware vSphere ESX / ESXi
.out.ovf.xen.zip      Citrix XenServer
.out.xen.tgz          Open Source Xen Hypervisor

• .pkg image file: Use this for upgrades and adding the agent installer. Contains the .out file, plus:
  • FortiScan agent software
  • Windows application version of the push installer
  • Microsoft Installer and other software required by the agent
  • FortiScan Release Notes

After installing a new appliance using either the .out image file or a VM package file, upload the .pkg image file to the appliance either manually or by initiating a download from the FDN. This will provide you with the software necessary to deploy FortiScan agents in your network. Fortinet strongly recommends reviewing the FortiScan Release Notes in the .pkg file for each release before updating the firmware.

To provide an alternative operating system if the firmware upgrade fails, see “Installing alternate firmware” on page 87.

This topic includes:
• Testing new firmware before installing it
• Installing firmware and agent installers
• Installing alternate firmware
• Restoring firmware (“clean install”)

Testing new firmware before installing it

You can test a new firmware image by temporarily running it from memory, without saving it to disk. By keeping your existing firmware on disk, if the evaluation fails, you do not have to re-install your previous firmware. Instead, you can quickly revert to your existing firmware by simply rebooting the FortiScan appliance.

While testing firmware, FortiScan agents may not be able to communicate properly with the appliance, due to mismatching software versions. Some features may not be supported or may have changed. To minimize survey data impact, schedule the test before you connect agents to the appliance, or between survey intervals. For details on changing the interval, see “Configuring the ADOM’s connections from FortiScan agents” on page 105.


Downgrading to previous firmware versions is not supported.

To test a new firmware image:

1. Download the firmware file from the Fortinet Technical Support web site: https://support.fortinet.com/
2. Connect your management computer to the FortiScan console port using a RJ-45-to-DB-9 RS-232 serial cable or a null-modem cable.
3. Initiate a connection from your management computer to the CLI of the FortiScan appliance, and log in as the admin administrator. For details, see “Connecting to the CLI” on page 54.
4. Connect port1 of the FortiScan appliance directly or to the same subnet as a TFTP server.
5. Copy the new firmware image file to the root directory of the TFTP server.
6. Verify that the TFTP server is currently running, and that the FortiScan appliance can reach the TFTP server. To use the FortiScan CLI to verify connectivity, enter the following commands:
config global
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
7. Enter the following command to restart the FortiScan appliance:
execute reboot
8. As the FortiScan appliance starts, a series of system startup messages appear.
Press any key to display configuration menu........
9. Immediately press a key to interrupt the system startup.

You have only three seconds to press a key. If you do not press a key soon enough, the FortiScan appliance reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following messages appear:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:
Please connect TFTP server to Ethernet port "1".

10. Type G to get the firmware image from the TFTP server. The following message appears:
Enter TFTP server address [192.168.1.168]:


11. Type the IP address of the TFTP server and press Enter. The following message appears:
Enter local address [192.168.1.188]:
12. Type a temporary IP address that can be used by the FortiScan appliance to connect to the TFTP server. The following message appears:
Enter firmware image file name [image.out]:
13. Type the firmware image file name and press Enter. The FortiScan appliance downloads the firmware image file from the TFTP server and displays a message similar to the following:
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
14. Type R. The firmware image is loaded into memory and uses the current configuration, without saving the new firmware image to disk.
15. To verify that the firmware has been loaded, log in to the CLI as the admin administrator and type:
config global
get system status
The firmware version number is displayed.
16. Test the new firmware image.
• If the new firmware image operates successfully, you can install it to disk, overwriting the existing firmware, using the procedure “Installing firmware and agent installers” on page 83.
• If the new firmware image does not operate successfully, reboot the FortiScan appliance to discard the temporary firmware and resume operation using the existing firmware.

Installing firmware and agent installers

You can use either the Web-based Manager or the CLI to update the firmware of the FortiScan appliance. The firmware version number in the System Information widget of the dashboard is used to determine whether you are upgrading or reverting your firmware image. For example, if your current firmware version is:

FortiScan-3000D v5.0,build0291,130105

changing to:

FortiScan-3000D v4.0,build0217,110521

an earlier version, build number, and date, indicates that you are reverting.

Downgrading to previous firmware versions is not supported.
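The version comparison described above can be scripted so that change control refuses a revert before anyone uploads a .pkg file. The following Python code is an added example, not FortiScan code: it parses the widget's version string, compares major/minor version, build number and build date, and uses the guide's two version strings as sample input; the six-digit date is assumed to be YYMMDD in the 2000s.

```python
"""Decide whether a firmware change is an upgrade or an unsupported downgrade.

Added example, not FortiScan code. It parses the version string shown in
the System Information widget, e.g. 'FortiScan-3000D v5.0,build0291,130105',
and orders firmware by version, then build number, then build date, as the
guide describes when explaining how a revert is recognised.
"""
import re
from datetime import date
from typing import NamedTuple, Tuple

_VERSION_RE = re.compile(
    r"^(?P<model>[A-Za-z0-9-]+)\s+v(?P<major>\d+)\.(?P<minor>\d+),"
    r"build(?P<build>\d+),(?P<date>\d{6})$"
)


class Firmware(NamedTuple):
    model: str
    major: int
    minor: int
    build: int
    built: date  # widget shows YYMMDD; a 20xx century is assumed here

    @property
    def key(self) -> Tuple[int, int, int, date]:
        """Ordering used for comparison: version first, then build, then date."""
        return (self.major, self.minor, self.build, self.built)


def parse_firmware(text: str) -> Firmware:
    """Split a widget version string into its parts; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    d = m.group("date")
    built = date(2000 + int(d[:2]), int(d[2:4]), int(d[4:6]))
    return Firmware(m.group("model"), int(m.group("major")), int(m.group("minor")),
                    int(m.group("build")), built)


def classify_change(current: str, target: str) -> str:
    """Return 'upgrade', 'same', 'downgrade' or 'model-mismatch'."""
    cur, new = parse_firmware(current), parse_firmware(target)
    if cur.model != new.model:
        return "model-mismatch"  # an image built for another model is never installed
    if new.key > cur.key:
        return "upgrade"
    if new.key == cur.key:
        return "same"
    return "downgrade"


def check_firmware_change(current: str, target: str) -> bool:
    """True only for an upgrade: the guide states downgrades are not supported."""
    return classify_change(current, target) == "upgrade"


if __name__ == "__main__":
    # Version strings taken from the guide's example.
    cur = "FortiScan-3000D v5.0,build0291,130105"
    old = "FortiScan-3000D v4.0,build0217,110521"
    print(classify_change(cur, old))  # downgrade
    print(classify_change(old, cur))  # upgrade
    print(check_firmware_change(cur, old))  # False
```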


If you are installing a firmware version that requires a different size of system partition, you may be required to format the boot device before installing the firmware by re-imaging the boot device. Consult the FortiScan Release Notes. In that case, do not install the firmware using this procedure. Instead, see “Restoring firmware (“clean install”)” on page 519.

There are two ways you can upload new firmware to a FortiScan appliance:
• via your management computer (see “To change the firmware manually:” on page 85), or
• via the FDN (see “To change the firmware via the FDN:” on page 84)

Back up your configuration and database before beginning this procedure. For information on backups, see “Backup your FortiScan” on page 167. For information on reconnecting to a FortiScan appliance whose network interface configuration has been reset, see “Connecting to your FortiScan” on page 52.

Before you can download firmware updates for your FortiScan appliance, you must first register your FortiScan appliance with Fortinet Technical Support. For details, go to http://support.fortinet.com/ or contact Fortinet Technical Support.

To change the firmware via the FDN:

1. Log in to the Web-based Manager of the FortiScan appliance as the admin administrator.
2. From Current ADOM, select Global.
3. Configure the appliance to periodically poll the FDN for a list of available updates (see “Connecting to FortiGuard Services” on page 72).
4. Go to System > Dashboard > Status.

Figure 27: System information widget

5. In the System Information widget, in the Firmware Version row, select Update. The Firmware Upgrade dialog appears.

Figure 28: Firmware upgrade dialog box

FortiScan appliances query the FDN for a list of new firmware packages every 2 hours. If a new version is available, its availability appears in the Download Release Packages From FDN section of the dialog. Usually, the appliance waits until its CPU and network bandwidth are available, then automatically downloads the new version. Download status, such as Scheduled, appears in the Download Progress column.

6. If the firmware download has not yet started and you want it to begin immediately, in the Download Release Packages From FDN section, select the Download icon. The download is initiated. The time required varies by the size of the file and the speed of your network connection.
7. Wait until the appliance finishes unpacking the new firmware, then refresh the page. The unpacked firmware’s row appears in the Releases Available For Upgrade section.
8. In the row corresponding to the firmware that you want to install, select the icon in the Upgrade Firmware column, then select OK in the dialog that appears. The FortiScan appliance installs the firmware and restarts.
9. Clear the cache of your web browser and restart it to ensure that it reloads the Web-based Manager and correctly displays all tab, button, and other changes. For details, see your browser’s documentation.
10. To verify that the firmware was successfully installed, log in to the Web-based Manager again and go to System > Dashboard > Status. In the System Information widget, the Firmware Version row indicates the currently installed firmware version.
11. Update the vulnerability management engine and definitions. Installing firmware replaces the current network vulnerability management engine with the version included with the firmware release that you are installing. After you install the new firmware, make sure that your vulnerability definitions are up-to-date. For more information, see “Connecting to FortiGuard Services” on page 72.
12. Continue by configuring administrative domains (ADOMs). See “Administrative Domains (ADOMs)” on page 93. Later, you must install or update the FortiScan agents on your assets to use software whose version matches the firmware. See “Agent Setup” on page 117 or (for assets with existing agents) “Updating the FortiScan agents” on page 494.

To change the firmware manually:

1. Download the .pkg firmware file from the Fortinet Technical Support web site: https://support.fortinet.com/
2. Log in to the Web-based Manager of the FortiScan appliance as the admin administrator.
3. From Current ADOM, select Global.
4. Go to System > Dashboard > Status.
5. In the System Information widget, in the Firmware Version row, select Update. The Firmware Upgrade dialog appears (see Figure 28).
6. In the Manually Upload a Release Package section, in the Upload Package field, select Browse to locate the .pkg firmware file, then select Open.
7. Select OK. Your browser uploads the firmware file. The time required varies by the size of the file and the speed of your network connection. When the file transfer is complete, a message appears: “Manual upload release complete. It will take a few minutes to unpack the uploaded release. Please wait.” If this message does not appear, verify that there are not too many hops and too much latency between the appliance and your computer.


8. Wait until the appliance finishes unpacking the new firmware (usually about 5 minutes), then refresh the page. The unpacked firmware’s row appears in the Releases Available For Upgrade section.
9. In the row corresponding to the firmware that you want to install, select the icon in the Upgrade Firmware column, then select OK in the dialog that appears. The FortiScan appliance installs the firmware and restarts.
10. Update the vulnerability management engine and definitions. Installing firmware replaces the current network vulnerability management engine with the version included with the firmware release that you are installing. After you install the new firmware, make sure that your vulnerability definitions are up-to-date. For more information, see “Connecting to FortiGuard Services” on page 72.
11. Continue by configuring administrative domains (ADOMs). See “Administrative Domains (ADOMs)” on page 93. Later, you must install or update the FortiScan agents on your assets to use software whose version matches the firmware. See “Agent Setup” on page 117 or (for assets with existing agents) “Updating the FortiScan agents” on page 494.

To install firmware using the CLI:

1. Download the .pkg firmware file from the Fortinet Technical Support web site: https://support.fortinet.com/
2. Connect your management computer to the FortiScan console port using a RJ-45-to-DB-9 RS-232 serial cable or a null-modem cable.
3. Initiate a connection from your management computer to the CLI of the FortiScan appliance, and log in as the admin administrator. For details, see “Connecting to the CLI” on page 54.
4. Connect port1 of the FortiScan appliance directly or to the same subnet as a TFTP server.
5. Copy the new firmware image file to the root directory of the TFTP server.
6. Verify that the TFTP server is currently running, and that the FortiScan appliance can reach the TFTP server. To use the FortiScan CLI to verify connectivity, enter the following commands:
config global
execute ping <TFTP server IP address>
where <TFTP server IP address> is the IP address of the TFTP server, such as 192.168.1.168.


7. Enter the following command to download the firmware image from the TFTP server to the FortiScan appliance:
execute restore image tftp <TFTP server IP address> <file name>
where:
• <TFTP server IP address> is the IP address of the TFTP server
• <file name> is the path and file name of the firmware image file
For example, if the firmware image file name is image.out and it is in a directory relative to the TFTP root called firmware, and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp 192.168.1.168 firmware/image.out
One of the following messages appears:
This operation will replace the current firmware version! Do you want to continue? (y/n)
or:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version! Do you want to continue? (y/n)
8. Type y. The FortiScan appliance downloads the firmware image file from the TFTP server. The FortiScan appliance unpacks the firmware (usually about 5 minutes), then installs the firmware and restarts. The time required varies by the size of the file and the speed of your network connection.
9. To verify that the firmware was successfully installed, log in to the CLI as the admin administrator and type:
config global
get system status
The firmware version number is displayed.
10. Update the vulnerability and compliance definitions. Installing firmware replaces the current vulnerability and compliance definitions with those included with the firmware release that you are installing. After you install the new firmware, make sure that your definitions are up-to-date. For more information, see “Connecting to FortiGuard Services” on page 72.
11. Continue by configuring administrative domains (ADOMs). See “Administrative Domains (ADOMs)” on page 93. Later, you must install or update the FortiScan agents on your assets to use software whose version matches the firmware. See “Agent Setup” on page 117 or (for assets with existing agents) “Updating the FortiScan agents” on page 494.

Installing alternate firmware

You can install alternate firmware which can be loaded from its separate partition if the primary firmware fails. Installing alternate firmware can only be done during a boot interrupt, before network connectivity is available, and therefore requires a console connection to the CLI. It cannot be done through a network connection.

Page 87

FortiScan v5.0 MR1 Administration Guide

To install alternate firmware:

1. Download the firmware file from the Fortinet Technical Support web site: https://support.fortinet.com/
2. Connect your management computer to the FortiScan console port using a RJ-45-to-DB-9 RS-232 serial cable or a null-modem cable.
3. Initiate a connection from your management computer to the CLI of the FortiScan appliance, and log in as the admin administrator. For details, see “Connecting to the CLI” on page 54.
4. Connect port1 of the FortiScan appliance directly or to the same subnet as a TFTP server.
5. Copy the new firmware image file to the root directory of the TFTP server. To use the FortiScan CLI to verify connectivity, enter the following commands:
config global
execute ping <TFTP server IP address>
where <TFTP server IP address> is the IP address of the TFTP server, such as 192.168.1.168.
6. Enter the following command to restart the FortiScan appliance:
execute reboot
7. As the FortiScan appliance starts, a series of system startup messages appear.
Press any key to display configuration menu........
8. Immediately press a key to interrupt the system startup.

You have only three seconds to press a key. If you do not press a key soon enough, the FortiScan appliance reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following messages appear:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:
Please connect TFTP server to Ethernet port "1".

9. Type G to get the firmware image from the TFTP server. The following message appears:
Enter TFTP server address [192.168.1.168]:
10. Type the IP address of the TFTP server and press Enter. The following message appears:
Enter local address [192.168.1.188]:
11. Type a temporary IP address that can be used by the FortiScan appliance to connect to the TFTP server. The following message appears:
Enter firmware image file name [image.out]:


12. Type the firmware image file name and press Enter. The FortiScan appliance downloads the firmware image file from the TFTP server and displays a message similar to the following:
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
13. Type B. The FortiScan appliance saves the alternate firmware image and restarts. When the FortiScan appliance restarts, it is running the primary firmware.
14. To verify that the alternate firmware was successfully installed, log in to the Web-based Manager as the admin administrator, from Current ADOM select Global, then go to System > Maintenance > Backup & Restore. In the Firmware section, the inactive partition should list the backup firmware version.

To use alternate firmware as the primary firmware:

1. Connect your management computer to the FortiScan console port using a RJ-45-to-DB-9 RS-232 serial cable or a null-modem cable.
2. Initiate a connection from your management computer to the CLI of the FortiScan appliance, and log in as the admin administrator. For details, see “Connecting to the CLI” on page 54.
3. Enter the following commands to restart the FortiScan appliance:
config global
execute reboot
4. As the FortiScan appliance starts, a series of system startup messages appear.
Press any key to display configuration menu........
Immediately press a key to interrupt the system startup.

You have only three seconds to press a key. If you do not press a key soon enough, the FortiScan appliance reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following messages appear:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H: Please connect TFTP server to Ethernet port "1".

5. Type B to reboot and use the alternate firmware.

6. To verify that the firmware has been loaded, log in to the CLI as the admin administrator and type:

config global
get system status

The firmware version number is displayed.


7. Continue by configuring administrative domains (ADOMs). See “Administrative Domains (ADOMs)” on page 93. Later, you must install or update the FortiScan agents on your assets to use software whose version matches the alternate firmware. See “Agent Setup” on page 117 or (for assets with existing agents) “Updating the FortiScan agents” on page 494.


Configuring Global Email Settings

Some settings are global — that is, they are used by all ADOMs, or by the appliance itself. You could configure the settings in this chapter at another stage of the installation. However, for settings that can be overridden by each administrative domain (ADOM), configuring global settings now may help you to decide on reasonable defaults, minimizing the number of overrides that you must configure later.

For the FortiScan appliance to be able to send e-mail alerts and network vulnerability scan reports, you must configure it to connect to an e-mail server (SMTP relay) that will handle delivery. If you define the SMTP server using a domain name, the FortiScan appliance will query a DNS server to resolve the IP address of that domain name. In this case, you must also define a DNS server.

If sending an e-mail by SMTP fails, the FortiScan appliance will attempt to send the e-mail again every ten seconds, and never stop until either it succeeds in sending the message, or the administrator reboots the FortiScan appliance.

To add settings for connecting to an SMTP server:

1. From Current ADOM, select either Global or an ADOM. Depending on which you select, you will either configure global e-mail settings, or e-mail settings that are specific to the ADOM.

2. Go to System > Config > Mail Server.

3. Select Create New.

Figure 29: Mail server settings

4. Configure the following settings:

SMTP Server

Enter the fully qualified domain name (FQDN) or IP address of the SMTP relay or server that the FortiScan appliance will use to send alerts and generated reports. Caution: If you enter a domain name, you must also configure the FortiScan appliance with settings to connect to at least one DNS server. Failure to configure a DNS server may cause the FortiScan appliance to be unable to resolve the domain name, and therefore unable to send the alert.

Enable Authentication

Mark to authenticate with the SMTP relay when sending email.

E-Mail Account

Enter the user name of the account on the SMTP relay that will be used to send e-mail. Often, the account name is a full e-mail address that includes the domain name, such as [email protected]. However, if the SMTP relay only handles e-mail for a single domain, the format of the account name could be simply username. This option is applicable only if Enable Authentication is enabled.

Password

Enter the password of the account on the SMTP relay that will be used to send email. This option is applicable only if Enable Authentication is enabled.

5. Select OK.

To verify e-mail server connectivity:

1. Go to System > Config > Mail Server.

Figure 30: Mail server page

2. Mark the check box in the row of the e-mail settings that you want to verify, then select Test.

3. Enter an e-mail address in the Send test e-mail to field. To verify complete connectivity from the FortiScan appliance to the administrator’s inbox, this should be the administrator’s e-mail address.

4. Select Test. A message appears, indicating the success or failure of connecting to the SMTP server in order to send the e-mail. If the connection succeeds, verify that the message reached the e-mail address.

Some invalid e-mail parameters, such as a non-existent recipient address, can only be detected by the destination e-mail server. FortiScan will usually not be able to detect this, because it connects to an SMTP relay that is not the recipient’s SMTP server. Verify that the settings are correct for the SMTP server before troubleshooting the FortiScan appliance.


Administrative Domains (ADOMs)

Administrative domains (ADOMs) define which assets are visible to and/or governable by each FortiScan administrator account. ADOMs prevent administrators from accidentally modifying each other’s assets. If you have separate computers on different parts of your network that use the same IP address, ADOMs also distinguish those computers.

Unlike FortiAnalyzer, FortiScan ADOMs cannot be disabled. Also, they may overlap assets. An administrator can be assigned to more than one ADOM. See “Manually assigning assets to an ADOM” on page 100.

Some asset settings, such as authentication, can be inherited from the ADOM or set at the asset group or asset-specific level, similar to group-level vs. domain-level vs. system administrator-level settings on FortiMail. See ADOM Default Authentication.

For example, different administrators might be responsible for different segments of your network. If you are a managed security service provider (MSSP) whose customers have computers behind NAT, their computers might have the same private network IP address (e.g., there could be multiple hosts whose IP is 192.168.1.1), despite being physically distinct hosts on separate customers’ networks. To prevent confusion of your customers’ identically-addressed computers, you would configure one ADOM for each customer.

ADOMs can also save you time: instead of configuring authentication repeatedly, for each individual computer in your inventory, you can define a common user name and password once, then use it with all computers in the ADOM.

Except for the admin administrator, all FortiScan administrator accounts are assigned to an ADOM. As such, ADOMs are one factor in privileges.

Table 10: Administrative permissions

Permission | admin administrator account | Other administrator accounts
Access to global settings | Yes | No
Can create ADOMs | Yes | No
Can create administrator accounts | Yes | Yes (in the same ADOM only)
Can enter all ADOMs | Yes | No (can enter assigned ADOMs only)
Can access the CLI | Yes | No

ADOMs determine what Web-based Manager and CLI functionality is available to you.

• If you log in as admin, you have full access to all menus. When you log in, you will initially be in the Global (root) scope. At the bottom of the navigation menu, you can use the Current ADOM menu (see “Buttons, navigation menus, and the displays” on page 42) to switch to an ADOM or return to the Global (root) settings. (In the CLI, you must first enter either config global or config adom to indicate a scope.) You can configure other ADOMs in System > ADOM > ADOM. Global contains system-wide settings shared by all ADOMs, such as RAID, network settings, and settings for the Web-based Manager. When you are logged in as the admin administrator and configure other administrator accounts, you can assign other administrators to an ADOM. See “Configuring administrator accounts” on page 101.

• If you log in as any other administrator, you can only access the menu items assigned to you in your ADOM and Role. When you log in, you will initially be in the ADOM that was assigned to you. If you were assigned to more than one, you may be able to use Current ADOM to switch between ADOMs, but you cannot access the Global (root) scope.

To configure ADOMs:

Configure asset filters with care, and back up the configuration before beginning this procedure. Asset filters that are too inclusive could allow asset access by unauthorized administrators. Conversely, asset filters that are too exclusive could prevent authorized administrators from being able to remediate or administer an asset. For details on creating a backup, see “Backup your FortiScan” on page 167.

1. Log in to the Web-based Manager as admin. Other FortiScan administrator accounts, depending on their Role, may be able to configure ADOM-specific settings in their own ADOMs, but cannot make new ADOMs.

2. From Current ADOM, select Global. From within other ADOMs, you will not be able to see and configure ADOMs other than your currently selected ADOM.

3. Go to System > ADOM > ADOM.

Figure 31: ADOM page (icons: View Assigned Assets, Assign Assets, Edit, Delete)

This page displays the following:

Name

The name of the ADOM.

Description

A comment describing the ADOM, if any.

Delete

Select to remove an ADOM. This icon is visible only if your Current ADOM is Global (see “Buttons, navigation menus, and the displays” on page 42). Caution: Back up the FortiScan appliance’s configuration and database before performing this operation. All data belonging to the ADOM, such as benchmark subsets, policies, and scheduled compliance scans, will also be deleted. For information on how to make a backup, see “Backup your FortiScan” on page 167.

Edit

Select to modify an ADOM, including its name, description, maximum asset limit, asset filter, and authentication. Note: If your Current ADOM is not Global, selecting this icon will only allow you to modify the ADOM Default Authentication settings; other settings in the dialog will be read-only.

Assign Assets

Select to assign or un-assign assets from the ADOM’s asset inventory. For details, see “Manually assigning assets to an ADOM” on page 100. This icon is visible only if your Current ADOM is Global. If your Current ADOM is not Global, you cannot un-assign the asset, but can still add, delete, or retire the asset in your ADOM’s asset inventory. For details, see:
• “Discovering your Network’s Hosts” on page 109
• “Importing hosts into the asset inventory” on page 115
• “Manually adding a host to the asset inventory” on page 116
• “Deleting and retiring assets” on page 199
Note: You can only assign or un-assign assets that match the ADOM’s asset filter, and exist in at least one ADOM’s asset inventory.

View Assigned Assets

Select to view a list of all assets in the ADOM’s asset inventory. Assets appear in this list after being added to the inventory, unless the admin administrator has un-assigned the host from the ADOM by selecting Assign Assets.

4. Select Create New.

Figure 32: ADOM default authentication window

5. Configure the following settings:

Name

Type a unique name for the administrative domain (ADOM), such as www.example.com. The name cannot be longer than 11 characters, and cannot contain special characters, except for underscores ( _ ), hyphens ( - ), periods ( . ), and “at” symbols ( @ ).

Description

Optional. Type a descriptive comment for the administrative domain.

Inherit Global Configuration (Email Server Setting)

Enable for this ADOM to inherit the same e-mail settings as the overall FortiScan appliance (see “Configuring Global Email Settings” on page 91). Disable to configure e-mail settings specific to this ADOM, then configure those settings when you configure the ADOM (see “Configuring the ADOM’s email settings” on page 107).

Asset Limit

Type the maximum number of assets that can belong to this ADOM. The total number of assets that can be supported by a FortiScan appliance varies by model. To prevent an ADOM from consuming this hardware limit and starving other ADOMs for resources, restrict the ADOM to a proportionate amount of the total. For details on the limits of each model, see “Appendix A: Maximum Values” on page 523. Note: Assets can belong to multiple ADOMs. Because of this, the total number of assets in all ADOMs can sometimes be greater than the total number of unique assets supported by your FortiScan model, without necessarily resulting in resource starvation.


6. Select the blue arrow to expand the Asset Filters area.

7. Select Create New. The New Asset Filters window opens.

Figure 33: New asset filters window

8. Configure the following settings:

Filter Name

Type a unique name for the asset filter, such as domain1.

Asset IP

Select either:
• IP Value: Type an IP address that you want to allow to be assigned to the ADOM, and added to the ADOM’s asset inventory.
• IP Range: Type the first and last IP addresses in the range of IP addresses that you want to allow to be assigned to the ADOM, and added to the ADOM’s asset inventory. If you want to exclude one or more of the IP addresses from the IP range, configure IP Exceptions.

IP Exceptions

To define which IP addresses will be excluded from the IP Range set, select Add, then, in the IP Exception dialog that appears, enter the excluded IP addresses in either IP Value or IP Range.

9. Select OK to return to the ADOM dialog.

10. Repeat steps 7 to 9 for each set of IP addresses that you want to include in the ADOM.

11. Select the Move Up or Move Down buttons to change the order of filter sets. Entry order matters. Entries are evaluated for a match from top to bottom. Position filter entries so that the first matching entry will include or exclude the IP address from the ADOM, whichever you intend. Once the appliance finds a match, it will not evaluate subsequent entries. For example, an asset filter could have two entries: the IP address 172.16.1.1 and the IP range 10.0.0.1-10.0.255.255, which has no exceptions. In that case, any asset whose IP address matched either the individual IP address or any of the IP addresses in the range would be allowed in the ADOM.
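The filter-matching rules above (ordered entries, IP Value or IP Range with IP Exceptions, first match wins) and the ADOM naming rule from step 5, written out as a small evaluator. This is an added example, not FortiScan code; the sample filter is constructed from the guide's own two entries plus a third, and the treatment of an address that is inside a matched range but listed in that entry's exceptions (excluded, later entries not consulted) is an assumption.

```python
"""Asset-filter evaluation for an ADOM.

Added example, not FortiScan code. It models the rules the guide gives for
ADOM asset filters: an ordered list of entries, each either a single
IP Value or an IP Range with optional IP Exceptions, evaluated top to bottom
with the first matching entry deciding. One detail is an assumption: an
address that falls inside a matched range but is listed in that entry's
IP Exceptions is treated as excluded and later entries are not consulted.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IPSet:
    """A single address (first == last) or an inclusive IPv4 range."""
    first: IPv4Address
    last: IPv4Address

    @classmethod
    def single(cls, addr: str) -> "IPSet":
        a = IPv4Address(addr)
        return cls(a, a)

    @classmethod
    def span(cls, first: str, last: str) -> "IPSet":
        f, l = IPv4Address(first), IPv4Address(last)
        if l < f:
            raise ValueError(f"range end {l} precedes start {f}")
        return cls(f, l)

    def contains(self, addr: IPv4Address) -> bool:
        return self.first <= addr <= self.last


@dataclass
class AssetFilterEntry:
    """One row of the New Asset Filters dialog: Filter Name, Asset IP, IP Exceptions."""
    name: str
    asset_ip: IPSet
    exceptions: List[IPSet] = field(default_factory=list)

    def evaluate(self, addr: IPv4Address) -> Optional[bool]:
        """None: no match, fall through. True: allowed. False: matched but excepted."""
        if not self.asset_ip.contains(addr):
            return None
        return not any(e.contains(addr) for e in self.exceptions)


def adom_allows(entries: List[AssetFilterEntry], ip: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, name of the deciding entry). Entry order matters:
    the first entry that matches decides and later entries are ignored."""
    addr = IPv4Address(ip)
    for entry in entries:
        verdict = entry.evaluate(addr)
        if verdict is not None:
            return verdict, entry.name
    return False, None  # no entry matched: the asset cannot be assigned to this ADOM


ADOM_NAME_MAX_LEN = 11
ADOM_NAME_EXTRA_CHARS = set("_-.@")


def valid_adom_name(name: str) -> bool:
    """Name rule from the guide: at most 11 characters, letters and digits
    plus underscore, hyphen, period and the at sign."""
    return 0 < len(name) <= ADOM_NAME_MAX_LEN and all(
        c.isalnum() or c in ADOM_NAME_EXTRA_CHARS for c in name
    )


# Constructed sample filter: the guide's two entries (single host 172.16.1.1 and
# the range 10.0.0.1-10.0.255.255 with no exceptions) plus a third entry for a
# customer network whose gateway address is excepted.
EXAMPLE_FILTER = [
    AssetFilterEntry("domain1", IPSet.single("172.16.1.1")),
    AssetFilterEntry("lab", IPSet.span("10.0.0.1", "10.0.255.255")),
    AssetFilterEntry(
        "customer_a",
        IPSet.span("192.168.1.1", "192.168.1.254"),
        exceptions=[IPSet.single("192.168.1.1")],
    ),
]

if __name__ == "__main__":
    for ip in ("172.16.1.1", "10.0.37.200", "10.1.0.1", "192.168.1.1", "192.168.1.50"):
        allowed, by = adom_allows(EXAMPLE_FILTER, ip)
        print(f"{ip:15} allowed={allowed!s:5} decided by {by}")
```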


12. If many of the ADOM’s assets have identical authentication, e.g. either:
• all users authenticate through the same central Active Directory or LDAP server, or
• all computers have identically configured local accounts
you can configure the appliance to use these when logging in to run authenticated remote network vulnerability scans (see “Agentless Setup” on page 153). Configuring authentication settings that are in common reduces the number of places you must reconfigure if, for example, the password is changed. Alternatively, or if some assets have different account/authentication methods, you can override these ADOM-level authentication settings at the asset group level (using the Group Default Authentication setting) or individual asset level (using the Authentication setting). See “Configuring the appliance with an asset login” on page 189 and “Grouping assets” on page 181.

Figure 34: ADOM default authentication window

13. Configure the following settings:

ADOM Default Authentication

Enable one or more of the following: Windows Share (SMB), SSH, or SNMP v2c. Note: These settings are used only if you have not overridden them using Group Default Authentication or Authentication.

Windows Share (SMB)

Enable to use Microsoft Windows-style server message block (SMB)/common internet file system (CIFS) authentication with assets in the ADOM. Also configure Level, Domain, Username, and Password. Authenticating this way is typically possible on Windows computers where network file shares are enabled. If it does not work, verify that connections are not blocked by Windows Firewall, FortiClient, or another host-based firewall or antivirus. Also verify that the group policy object (GPO) allows remote users to authenticate as themselves, rather than reducing their permissions to Guest.


Level

Select either:
• Domain User: Users authenticate through a central server, using accounts that are defined on a Microsoft Active Directory (AD) domain controller.
• Local: Users authenticate with each computer individually, using accounts that are locally defined on each computer.

Domain

Enter the name of the Microsoft Active Directory (AD) domain to which the account in Username belongs. This field applies only if Level is Domain User. For stand-alone computers that do not use a centralized authentication server, leave this blank.

Username

Enter the name of the account that the FortiScan appliance will use to log in to the assets. This field appears only if you have enabled one of the authentication methods (Windows Share (SMB) or SSH).

Password

Type the password for the account in Username. This field appears only if you have enabled one of the authentication methods (Windows Share (SMB) or SSH).

Confirm Password

Type the password again to confirm.

SSH

Enable to authenticate using secure shell (SSH). Also configure Enable Sudo, RSA Private Key, DSA Private Key, Username, and Password.

Enable Sudo

Mark the check box to use the sudo or su command (depending on the host’s operating system) to gain superuser privileges when they are required for the appliance to be able to execute a command, such as when viewing files with restrictive permissions that were created by the root superuser. This option applies only for assets running Linux or Solaris.

RSA Private Key

If you want to authenticate using Rivest, Shamir and Adleman (RSA) keys instead of Username and Password, type the RSA-style private key. Also install the public key in the key chain of every asset in the ADOM. This option applies only for assets running Linux or Solaris.

DSA Private Key

If you want to authenticate using digital signature algorithm (DSA) keys instead of Username and Password, type the DSA-style private key. Also install the public key in the key chain of every asset in the ADOM. This option applies only for assets running Linux or Solaris.

SNMP v2c

Enable to authenticate using simple network management protocol (SNMP). Also configure Community Strings.

Community Strings

Enter the name of the SNMP community to which the ADOM belongs, such as public. The appliance will use this name when sending queries to assets in the ADOM.

14. Select OK to save the ADOM.

15. Configure administrator accounts, assigning each of them to an ADOM (see “Configuring administrator accounts” on page 101).

16. Configure settings that are specific to the ADOM (see “Configuring the ADOM’s connections from FortiScan agents” on page 105 or “Configuring the ADOM’s email settings” on page 107).

17. Add assets to the ADOM’s asset inventory. There are multiple possible methods. See:
• “Discovering your Network’s Hosts” on page 109
• “Importing hosts into the asset inventory” on page 115
• “Manually adding a host to the asset inventory” on page 116
• “Agent Setup” on page 117

18. If an asset should belong to multiple ADOMs, include it in those ADOMs’ asset inventories (see “Manually assigning assets to an ADOM” on page 100).

Manually assigning assets to an ADOM

Usually, assigning assets is not necessary. Assets are automatically assigned to the ADOM when you add them to its asset inventory via:
• a discovery scan
• manual inventory addition/import
• FortiScan agent installation that references the ADOM by name

In some cases, however, you may want to assign or un-assign assets manually. For example, you may want to assign an asset to multiple ADOMs, or un-assign an asset from one of the ADOMs to which it should no longer belong. Un-assigning an asset removes references to it from the ADOM’s asset inventory. (Data remains for other ADOMs to which the asset was assigned.) Un-assigned assets remain in this list of assignable assets, and can be assigned again at a later time.

To assign or un-assign assets in the ADOM:

1. Log in to the Web-based Manager as admin. Other FortiScan administrator accounts cannot assign or un-assign assets from their own ADOM.

2. From Current ADOM, select Global. From within other ADOMs, you will not be able to assign or un-assign assets.

3. Go to System > ADOM > ADOM.

4. In the row corresponding to the ADOM for which you want to change assignments, select Assign Assets. The Assign Asset - Select Assets dialog appears. It displays a list of all assets known to the FortiScan appliance whose IP addresses are allowed to be assigned to the ADOM, based upon the ADOM’s asset filter.

(Check box in column heading. No label.)

Mark the check box to select all rows.

Host Name

The host name of the asset, if any.

IP

The IP address of the asset. Multiple entries may exist for an IP address if, according to the CEIDs used by the assets’ FortiScan agents, the IP is used by multiple different hosts. This can happen when multiple private networks use the same IP address space. For more information on CEIDs, see “CEIDs” on page 25.

Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

OS Type

The operating system (OS) running on the asset.

Discovered Date

The date and time that the asset was added to the asset inventory.

Related ADOMs

The ADOMs to which the asset is currently assigned.

5. Mark the check box of each asset that you want to assign to the ADOM. Clear the check box of each asset that you want to un-assign from the ADOM. To limit the number of assets, use the filter icons (see “Filtering list entries” on page 45).

Only one asset of a given IP address can belong to an ADOM at a time. If there are multiple assets with the same IP address, such as may happen when multiple private networks use the same IP address scheme, you must assign only one and un-assign the others. For more information about how FortiScan appliances distinguish different assets that use the same IP address, see “CEIDs” on page 25.

6. Select Next.

7. Select Finish.

Configuring administrator accounts

When initially installed, the FortiScan appliance has a single default administrator account with the name admin and no password. Set a strong password for the admin administrator account, and change the password regularly. The password must contain at least one lower case letter, one upper case letter, one digit and one special character.

By default, this administrator account has no password. Failure to maintain the password of the default admin administrator account could compromise the security of your FortiScan appliance.

The admin administrator has permissions that grant full access to the FortiScan configuration and firmware. After connecting to the Web-based Manager or the CLI using the admin account, you can configure additional administrator accounts with various levels of access to different parts of the FortiScan configuration. For details on restricting access based upon role or asset filter in the account’s assigned ADOM, see “Permissions” on page 33 and “Administrative Domains (ADOMs)” on page 93.

Administrators may be able to access the Web-based Manager or the CLI through the network, depending on the permissions enabled for each of the FortiScan appliance’s network interfaces, and the administrator’s role.


Permissions to view and use a FortiScan appliance’s features depend on the account’s assigned Role — Administrator, Operator, or Auditor. For details, see “Permissions” on page 33.

Figure 35: System administrator page (icons: Change password, Delete, Copy, Edit)

To change an administrator’s password:

1. If an administrator forgot their password, or if you need to change an administrator account’s password and you do not know its current password, log in as any administrator account whose Role is Administrator. Administrators whose Role is Operator or Auditor can only change their own password. If you have forgotten the password of the admin administrator, you can restore the firmware to reset the FortiScan appliance to its default state, including the default administrator account and password. For details, see “Restoring firmware (“clean install”)” on page 519.

2. Go to System > Admin > Administrator.

3. In the row corresponding to the administrator account, select Change Password.

Figure 36: Edit password dialog box

4. In the Old Password field, enter the current password for the account. This field appears only if you are not logged in as the admin administrator, or if you are changing the password of the admin administrator account.

5. In the New Password and Confirm Password fields, enter the new password.

6. Select OK. If you change the password for the admin administrator account, the FortiScan appliance logs you out. To continue using the Web-based Manager, you must log in again. The new password takes effect the next time that administrator account logs in.


To configure a FortiScan administrator account:

Names of deleted accounts cannot be reused. The default account, admin, cannot be deleted. To delete your own account, you must first log in using another account. You cannot delete the account with which you are currently logged in.

1. Log in as an administrator whose Role is Administrator. If the account will be assigned to a new administrative domain (ADOM), you must log in as the admin administrator and create the ADOM first. For details, see “Administrative Domains (ADOMs)” on page 93.

2. Go to System > Admin > Administrator.

3. Select Create New. The New User dialog box opens.

Figure 37: New user dialog box

4. Configure the following settings:

Name

Enter the name of the account. Do not include spaces. Account names are case-sensitive. For example, Jane and jane are different accounts. Note: Names of deleted accounts cannot be reused.


Password

Enter the password for the account. For security reasons, a password must contain at least one lower case letter, one upper case letter, one digit, and one special character. An administrator must change this initial password the first time he or she logs in. If an administrator attempts to log in and mis-types the password three times, he or she is prevented from further login attempts for 3 minutes (that is, he or she is temporarily locked out). Note: Passwords are case-sensitive.

Confirm Password

Re-enter the password to confirm its spelling.

First Name

Enter the first name (given name) of the administrator.

Last Name

Enter the surname (family name) of the administrator.

Phone Number

Optional. Enter the administrator’s telephone number.

Email

Enter the administrator’s email address.

Ticket Notification

Select whether or not to receive e-mail about tickets. If you enable this setting, you must also configure Email. For more information on tickets, see “Tickets” on page 392.

Pager

Optional. Enter the administrator’s pager number.

Fax

Optional. Enter the administrator’s fax number.

Role

Select one of the following roles: Administrator, Auditor, or Operator. For a list of the specific permissions granted to each role, see “Permissions” on page 33. Note: You cannot change an account’s role while logged in to that account. To change the role of your own account, log in to a different account, then modify the role of your initial account.

Assigned ADOM

To assign an administrator account to one or more ADOMs, in Available ADOM, select the names of the ADOMs, then select the right arrow button to move them into the Assigned ADOM area.

Default ADOM

If you are assigning the administrator account to multiple ADOMs, in Assigned ADOM, select which ADOM the administrator will initially see when first logging in to the Web-based Manager, then select Default ADOM. After logging in, the administrator can switch to any of their other assigned ADOMs by selecting one from the Current ADOM list at the bottom of the navigation menu (see “Buttons, navigation menus, and the displays” on page 42).

5. Select OK.
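The account rules this procedure and the preceding password section state (password composition, forced change at first login, lockout after three mistyped passwords, case-sensitive names without spaces, no reuse of deleted names, admin not deletable, no self-deletion), collected into one small account store so they can be exercised. Added example, not FortiScan code; the salted PBKDF2 storage and the injected clock are assumptions, and the guide does not describe how the appliance stores passwords.

```python
"""Administrator password policy and login lockout as the guide states them.

Added example, not FortiScan code. It enforces the stated rules: a password
needs at least one lower case letter, one upper case letter, one digit and
one special character; an administrator must change the initial password at
first login; three mistyped passwords lock the account for 3 minutes; names
are case-sensitive, must not contain spaces, and names of deleted accounts
cannot be reused; admin cannot be deleted and you cannot delete the account
you are logged in with. The clock is injected so the lockout is testable.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

MAX_FAILED_ATTEMPTS = 3
LOCKOUT_SECONDS = 3 * 60


def password_policy_errors(password: str) -> List[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    checks = {
        "lower case letter": any(c.islower() for c in password),
        "upper case letter": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special character": any(c in string.punctuation for c in password),
    }
    return [f"missing {rule}" for rule, ok in checks.items() if not ok]


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the store never holds the clear-text password (assumption:
    # the guide does not describe how the appliance stores passwords).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    must_change: bool = True      # initial password must be changed at first login
    failures: int = 0
    locked_until: float = 0.0


class AdminStore:
    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        self.retired: Set[str] = set()     # deleted names are never reused

    def create(self, name: str, password: str) -> None:
        if not name or " " in name:
            raise ValueError("account name must be non-empty and contain no spaces")
        if name in self.accounts or name in self.retired:
            raise ValueError(f"name {name!r} is in use or belonged to a deleted account")
        errors = password_policy_errors(password)
        if errors:
            raise ValueError("; ".join(errors))
        salt = os.urandom(16)
        self.accounts[name] = Account(name, salt, _digest(password, salt))

    def delete(self, name: str, acting_as: str) -> None:
        if name == "admin":
            raise ValueError("the default admin account cannot be deleted")
        if name == acting_as:
            raise ValueError("log in with another account to delete this one")
        del self.accounts[name]
        self.retired.add(name)

    def login(self, name: str, password: str) -> str:
        """Return 'ok', 'must_change', 'locked' or 'bad_password'."""
        account = self.accounts.get(name)          # names are case-sensitive
        if account is None:
            return "bad_password"                   # same answer as a wrong password
        now = self.clock()
        if now < account.locked_until:
            return "locked"
        if hmac.compare_digest(_digest(password, account.salt), account.digest):
            account.failures = 0
            return "must_change" if account.must_change else "ok"
        account.failures += 1
        if account.failures >= MAX_FAILED_ATTEMPTS:
            account.failures = 0
            account.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "bad_password"
```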


Configuring the ADOM’s connections from FortiScan agents

You can configure ADOM-wide settings for surveys conducted by FortiScan agents and sent to the appliance, as well as commands to perform patch scans, compliance scans, and remediations locally.

Changes to these settings are applied to each protected asset when it next connects. If you want to apply the changes immediately, create and dispatch a standard survey remediation to an asset or asset group. This will cause a protected asset to send in a survey and obtain the new survey settings. The remediation template must contain only one remediation action: either the Detailed Survey action or the Standard Survey action. See “Defining remediation templates” on page 403 then “Dispatching remediations” on page 409.

By default, assets will use these survey settings. However, you can override the settings on a per-asset basis, either by:
• using the Web-based Manager (see “Overriding the ADOM’s survey intervals” on page 196)
• editing each FortiScan agent’s configuration file (see “Editing a FortiScan agent’s settings file” on page 135)

To configure agent connection settings:

1. From Current ADOM, select an ADOM. Survey settings will apply to all assets added to the asset inventory for this ADOM, unless you override the settings on a per-asset basis.

2. Go to System > Server Settings > Asset Communication. The Asset Communication dialog box opens.

Figure 38: Asset communication dialog box


3. Configure the following settings:

Standard Asset Survey Interval (minutes)

Enter the interval (in minutes) between each standard survey that all assets’ FortiScan agents will send to the appliance (unless configured with an individual override). The default is every 61 minutes. Note: The standard survey interval cannot be greater than the detailed survey interval. For information on the differences between standard and detailed surveys, see “Agent scan status” on page 26. Note: Specifying a shorter interval for numerous assets can cause a noticeable increase in network load. See “Survey intervals and network load” on page 25. Note: Do not configure an interval that is shorter than the time it takes your assets to produce a survey. It will adversely affect the assets’ performance. For example, if it takes a specific computer 7 minutes to create and send a detailed survey, but you set the detailed survey interval to 5 minutes, then that computer would constantly be producing detailed survey data.

Detailed Asset Survey Intervals (minutes)

Enter the interval (in minutes) between each detailed survey that all assets’ FortiScan agents will send to the appliance (unless configured with an individual override). The default is every 1440 minutes (24 hours). Note: Specifying a shorter interval for numerous assets can cause a noticeable increase in network load. See “Survey intervals and network load” on page 25. Note: Do not configure an interval that is shorter than the time it takes your assets to produce a survey. It will adversely affect the assets’ performance. For example, if it takes a specific computer 7 minutes to create and send a detailed survey, but you set the detailed survey interval to 5 minutes, then that computer would constantly be producing detailed survey data.

Fortinet Technologies Inc.

Check For Dispatch Interval (minutes)

Enter the interval (in minutes) between each connection that all assets’ FortiScan agents will make to check for any dispatches, such as configuration updates, patch updates, or services that the agent should run. The default is 5 minutes.

Command Channel Interval (minutes)

Enter the interval (in minutes) between each connection that all assets’ FortiScan agents will make using the command channel to check with the FortiScan appliance for any administrative operations, such as stopping or restarting, that the agent should perform. The default is every 17 minutes.

Page 106

FortiScan v5.0 MR1 Administration Guide

Enable User Survey Data

Mark this check box to enable FortiScan agents to include a list of the asset’s configured user accounts with each detailed survey it sends to the FortiScan appliance. This option is disabled by default. Note: Do not enable this option unless necessary. Some hosts, such as domain controllers for Microsoft Active Directory, could potentially list thousands of users, causing detailed surveys to take a significant amount of time to generate and send to the appliance.

Enable Group Survey Data Mark this check box to enable FortiScan agents to include a list of the asset’s configured user groups with each detailed survey it sends to the FortiScan appliance. This option is disabled by default. Note: Do not enable this option unless necessary. Some hosts, such as domain controllers for Microsoft Active Directory, could potentially list thousands of user groups, causing detailed surveys to take a significant amount of time to generate and send to the appliance. Disconnect Asset Expiration Period (hours)

Enter the number of hours an asset can remain out of communication with the appliance before being flagged with a Disconnected status (see “Agent scan status” on page 26). The default is 24 hours. Note: To prevent disconnection false positives, this interval should longer than the standard survey interval.
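The settings above constrain each other (minutes against hours, standard against detailed, polling rate against how long an asset needs to build a survey), so it is worth checking a proposed set of values before pushing them to every asset in the ADOM. The following Python is an added example and not part of FortiScan: the AssetCommunication dataclass, the validate_asset_communication function, and the slowest_*_survey_min arguments (timings you measure on your own hosts) are this example’s own names; the defaults mirror the dialog’s defaults.

```python
"""Sanity-check FortiScan ADOM Asset Communication settings before applying them.

Added example, not FortiScan code. It encodes the rules stated in the dialog:
the standard survey interval may not exceed the detailed survey interval, no
survey interval should be shorter than the time an asset needs to produce that
survey, and the disconnect expiration period should exceed the standard survey
interval. The names used here are this example's own.
"""

from dataclasses import dataclass, fields


@dataclass
class AssetCommunication:
    """Field defaults are the defaults the FortiScan dialog uses."""
    standard_survey_min: int = 61        # Standard Asset Survey Interval (minutes)
    detailed_survey_min: int = 1440      # Detailed Asset Survey Interval (minutes)
    dispatch_check_min: int = 5          # Check For Dispatch Interval (minutes)
    command_channel_min: int = 17        # Command Channel Interval (minutes)
    disconnect_expiry_hours: int = 24    # Disconnect Asset Expiration Period (hours)


def validate_asset_communication(cfg, slowest_standard_survey_min=0, slowest_detailed_survey_min=0):
    """Return a list of human-readable problems; an empty list means the settings are consistent.

    slowest_*_survey_min: the longest time any asset in the ADOM takes to build and send
    that survey type, measured on your own hosts (assumed input; 0 disables the check).
    """
    problems = []

    # Every interval must be a positive whole number of minutes or hours.
    for f in fields(cfg):
        value = getattr(cfg, f.name)
        if not isinstance(value, int) or value <= 0:
            problems.append(f"{f.name} must be a positive integer, got {value!r}")
    if problems:
        return problems  # the comparisons below assume sane numbers

    # Rule: the standard survey interval cannot be greater than the detailed one.
    if cfg.standard_survey_min > cfg.detailed_survey_min:
        problems.append(
            f"standard survey interval ({cfg.standard_survey_min} min) exceeds "
            f"detailed survey interval ({cfg.detailed_survey_min} min)")

    # Rule: never poll faster than the slowest asset can produce the survey,
    # otherwise that asset generates survey data continuously.
    if cfg.standard_survey_min <= slowest_standard_survey_min:
        problems.append(
            f"standard survey interval ({cfg.standard_survey_min} min) is not longer than "
            f"the slowest standard survey ({slowest_standard_survey_min} min)")
    if cfg.detailed_survey_min <= slowest_detailed_survey_min:
        problems.append(
            f"detailed survey interval ({cfg.detailed_survey_min} min) is not longer than "
            f"the slowest detailed survey ({slowest_detailed_survey_min} min)")

    # Rule: the disconnect expiration period (hours) should be longer than the
    # standard survey interval (minutes), or healthy assets get flagged Disconnected.
    expiry_min = cfg.disconnect_expiry_hours * 60
    if expiry_min <= cfg.standard_survey_min:
        problems.append(
            f"disconnect expiration ({cfg.disconnect_expiry_hours} h = {expiry_min} min) "
            f"is not longer than the standard survey interval ({cfg.standard_survey_min} min)")
    return problems


if __name__ == "__main__":
    # Example: a 30-minute standard interval on a fleet whose slowest host needs 45 minutes.
    for p in validate_asset_communication(AssetCommunication(standard_survey_min=30),
                                          slowest_standard_survey_min=45):
        print("WARNING:", p)
```

Run the check with your intended values and the slowest survey times you have observed; anything it reports is a setting that will either be rejected by the dialog (standard above detailed) or quietly hurt the fleet (continuous surveying, false Disconnected flags).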

Configuring the ADOM’s email settings You may have already configured email settings globally (see “Configuring Global Email Settings” on page 91). If not, or if you want an ADOM to use email settings that are different from those used by the appliance, configure the ADOM’s email settings.

Configuring logins for third party updates

For the FortiScan appliance to be able to download and apply patches for Solaris from Oracle, you must configure it with an Oracle login. Login credentials are stored on the FortiScan appliance in encrypted format. Use an account dedicated to patch downloads rather than an administrator’s personal Oracle login, so that the stored credential grants nothing beyond download access.

To configure login credentials for downloading Solaris updates:
1. From Current ADOM, select an ADOM that is not Global. Third-party update credentials are specific to each ADOM, and cannot be configured globally.
2. Go to System > Server Settings > Administrator Credentials.

Figure 39: Administrator credentials dialog box

3. Configure the user name and password that your FortiScan appliance will use to authenticate with the Oracle download server.
4. Select Apply.


Discovering your Network’s Hosts

Before you can mass-deploy the FortiScan agent to your network’s hosts, or run remote network vulnerability scans of your assets, you need a complete list of those hosts. If you have a list, you can either import it by going to Asset > Inventory > Add Asset, or load it into the push installer (see “Adding hosts to the push installer’s list of targets” on page 132). If you do not have a list, or if you want to verify that it is complete, you can discover your network’s hosts by scheduling the FortiScan appliance to run a discovery scan.

Usually, the majority of hosts are either imported as a list into your ADOM’s asset inventory or discovered during the initial installation of your FortiScan appliance. However, you may need to add more assets or periodically scan your network as it grows. You may also want to scan periodically to discover rogue hosts. Periodic discovery scans keep the FortiScan appliance’s knowledge of your network up to date: as new, unprotected hosts come online they are detected, and you can then install a FortiScan agent on each to bring them under the protection of the FortiScan appliance. An accurate picture of the IP assets in the enterprise at any time is fundamental to keeping those assets secure.

The FortiScan appliance can rapidly scan large networks with minimal intrusion. Discovery scan protocols include:
• ARP
• ICMP, including ping and traceroute
• TCP, including TCP SYN and TCP RST (reset) to 20 common ports
• UDP, including DNS, reverse DNS (RDNS), and DNS zone transfer
• Other protocols

Before running a discovery scan, verify that any firewalls between your hosts and the FortiScan appliance permit all of these connection types. Some assets will not be discovered if a firewall blocks communication with the appliance. For successful discovery:
• Network communication must be allowed between the appliance and all hosts.
• Scan settings must use port numbers and protocols that your hosts respond to.
A host that answers none of these probes is simply absent from the report, so treat discovery results as a lower bound on what is on the network rather than as a complete inventory.

The maximum number of assets varies by model. For details, see “Appendix A: Maximum Values” on page 523.

To run a discovery scan:
1. Log in as admin or another account whose Role is Administrator. Other accounts do not have sufficient permissions.
2. From Current ADOM, select an ADOM that is not Global. The discovery scan adds new assets to that specific ADOM’s asset inventory.


3. Go to Asset > Discovery > Schedule. The list of discovery scan schedules has these controls and columns:

Run
Mark a check box to select which discovery scan to perform immediately, then select Run. This may take a while depending on the targets selected, the number of hosts in the network, and network speed.

Cancel
Select to stop a discovery scan that is in progress.

Name
The name of the discovery scan.

Target
The asset group, domain, or IP address range that the discovery scan targets.

Schedule
If the discovery scan is configured to run on a repeating schedule, the frequency. For example, “Daily at 16:00.”

Effective Period
The first time a repeating discovery scan occurs. For example, “From 2009-07-14.”

4. Select Create New.

Figure 40: Create asset discovery (map) schedule

5. Configure the following settings:

Name
The name of the profile.

Target Asset Group
Select the name of the asset group that will be the network scan target. The FortiScan appliance attempts to contact live hosts. Reported host numbers may vary between scans if some hosts, such as laptops, are sometimes unreachable. Alternatively or additionally, configure Domain or IP Range.

Domain
Enter a domain name that will be the network scan target. The FortiScan appliance first attempts to find the domain’s hosts by identifying the authoritative name server for the domain, then requesting a list of all of the domain’s hosts from that name server (a DNS zone transfer). This request is not always permitted and may be forbidden by the name server’s administrator. If the request fails, the FortiScan appliance falls back to brute force: it queries the name server for each fully qualified domain name (FQDN) built from a proprietary list of roughly 100 common host names, such as www or ftp, to find out which of them resolve to an IP address. Alternatively or additionally, configure Asset Group or IP Range.

IP Range
Enter an IP range that will be the network scan target. The IP range must lie within a single subnet. The FortiScan appliance attempts to contact live hosts. Reported host numbers may vary between scans if some hosts, such as laptops, are sometimes unreachable. Alternatively or additionally, configure Asset Group or Domain.

Schedule
Select when to start the network scan, either:
• Run Now: Run the scan (and generate its report) when the profile is saved, and any time that you select Run Now for this profile in the list of scan profiles. No scheduled scans will be run.
• Run Later: Run the scan at scheduled intervals. You must configure the Start Date and Time, and select the recurrence pattern (either Daily, Weekly, or Monthly). Also configure the schedule expiration date.

Output Option

File output
Select which report file format(s) you want to generate: HTML (required) and PDF.

Email/Upload
Enable to have the report delivered to an e-mail address or FTP server, then either select an existing report output template or create a new one. For details, see “Configuring Global Email Settings” on page 91 and “Configuring report output for remote network vulnerability scans” on page 238.

6. Select OK.

When a scheduled network discovery scan job completes, discovered hosts are automatically imported into Asset > Inventory > Asset Inventory, where they appear in the Unprotected asset group.
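The Domain target described above (zone transfer first, brute force of common host names second) is the same technique an attacker uses to map a domain, which is exactly why a well-run name server refuses AXFR to unknown clients. The following Python is an added example of that fallback logic, not FortiScan code. FortiScan’s list of roughly 100 names is proprietary, so COMMON_NAMES here is a short illustrative list of my own; the zone_transfer and resolve callables are injection points so the logic can be exercised offline (no AXFR client is included; dnspython’s dns.query.xfr is one option for a real one). It also handles a failure mode the page does not mention: wildcard DNS, where every name resolves, would otherwise turn the brute-force pass into a list of false positives.

```python
"""Find a domain's hosts: try a zone transfer, then fall back to common names.

Added example, not FortiScan code. The zone_transfer and resolve arguments are
injectable so the logic can be exercised offline against a fake resolver;
stdlib_resolve() below uses the system resolver. No AXFR client is included.
"""

import secrets
import socket

# Illustrative stand-in for the appliance's proprietary list of ~100 common names.
COMMON_NAMES = ["www", "ftp", "mail", "smtp", "ns1", "ns2", "vpn", "intranet",
                "webmail", "remote", "portal", "dev"]


def stdlib_resolve(fqdn):
    """Return the IPv4 address for fqdn, or None if it does not resolve."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def discover_domain_hosts(domain, zone_transfer=None, resolve=stdlib_resolve,
                          common_names=COMMON_NAMES):
    """Return ({fqdn: ip}, method) where method is 'zone-transfer' or 'brute-force'.

    zone_transfer(domain) must return an iterable of (fqdn, ip) pairs, or None /
    an empty iterable when the name server refuses AXFR (the normal case).
    """
    # 1. Ask the authoritative server for the whole zone.
    if zone_transfer is not None:
        records = zone_transfer(domain)
        if records:
            return dict(records), "zone-transfer"

    # 2. Wildcard guard: if a random label resolves, the zone answers for
    #    everything and a positive answer proves nothing. Remember that IP so
    #    brute-force hits pointing at it can be discarded.
    wildcard_ip = resolve(f"{secrets.token_hex(6)}.{domain}")

    # 3. Brute force: resolve each common name under the domain.
    found = {}
    for label in common_names:
        fqdn = f"{label}.{domain}"
        ip = resolve(fqdn)
        if ip is not None and ip != wildcard_ip:
            found[fqdn] = ip
    return found, "brute-force"


if __name__ == "__main__":
    # Runs against the live resolver; example.com is a placeholder target.
    hosts, how = discover_domain_hosts("example.com")
    print(f"{how}: {len(hosts)} host(s)")
    for name, addr in sorted(hosts.items()):
        print(f"  {name} -> {addr}")
```

If your own discovery reports list far more DNS-discovered hosts than live hosts, a wildcard record is the usual cause, and the Exclude Hosts Discovered Only By DNS option described under the report fields is the appliance-side remedy.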

Viewing discovery scan reports

Asset > Discovery > Report in ADOMs other than Global lists the discovery scan reports that the FortiScan appliance has generated. Discovery scan reports are generated by running a discovery scan. For details, see “Discovering your Network’s Hosts” on page 109.

When a scheduled discovery scan completes, the FortiScan appliance creates a report listing all of the hosts it discovered on the local network segment during the scan. Discovered hosts are then automatically imported into Asset > Inventory > Asset Inventory, where they initially appear in the automatically maintained group for assets whose Agent Scan Status is Unprotected.

To view a discovery scan report:
1. From Current ADOM, select an ADOM that is not Global. Asset discovery reports are specific to each ADOM.
2. Go to Asset > Discovery > Report.
3. Select the name of a report. The HTML version of the report appears, which contains the following:

Figure 41: Map report summary


Figure 42: Asset group: all

The following settings are displayed:

Map Report Summary

Date
The date and time the network discovery report was generated.

Asset Group
The asset group on which the discovery scan was run.

Domain
The domain in which the scan was executed.

IP Range
The IP range in which the scan was executed.

Total Hosts Found
The number of hosts found during the scan on the targets.

Scan Started
The starting date and time of the scan.

Scan Ended
The ending date and time of the scan.

VM Engine Version
The FortiGuard Vulnerability Management Service (VCM) engine version number and date of last update. This is updated via the FortiGuard Distribution Network (FDN) if you are a FortiGuard Vulnerability Management Service subscriber.

VM Plugin Version
The VCM module version number and date of last update. This is updated via the FortiGuard Distribution Network (FDN) if you are a FortiGuard Vulnerability Management Service subscriber.

(TCP or UDP) Ports
The host port(s) that the scan is configured to check.

Live Host Sweep
The status of network live host discovery. Live host sweep discovers live hosts in the IP address range specified. This option is enabled and disabled through the CLI. For more information, see the command config vm in the FortiScan CLI Reference. By default, this option is enabled. If you disable it, the FortiScan appliance treats all hosts in the IP range as alive, even if some are not reachable.

Exclude Hosts Discovered Only By DNS
If this option is On, the discovery scan excludes hosts that were found only by querying the DNS server. This option is enabled and disabled through the CLI. For more information, see the command config vm in the FortiScan CLI Reference. By default, this option is disabled.

Scan target
Under each scan target (asset group, domain, or IP range) specified, the discovered hosts and their respective services are listed.

Hosts

Host
The IP address of the discovered host.

DNS
The host name returned when querying the DNS server.

NetBIOS
The NetBIOS name of the host, if any.

Router
The gateway router used by the host.

OS
The operating system running on the host.

Host Services
Select the expansion arrow next to each host IP address for more details:

Discovery Method
The method used to discover the host, such as a discovery scan or import of a list of IP addresses.

Port
The port number that responded to the discovery scan.

Service
The service running on the discovered host.


Importing hosts into the asset inventory

You can import hosts into your ADOM’s asset inventory by uploading a list. This is useful, for example, to populate your asset inventory immediately rather than waiting for a discovery scan to complete.

The maximum number of assets varies by model. For details, see “Appendix A: Maximum Values” on page 523.

To import hosts from a file:
1. From Current ADOM, select an ADOM that is not Global. Assets are added to that specific ADOM’s asset inventory.
2. Go to Asset > Inventory > Add Asset.
3. Enable Import hosts from a file. The button to select which file to import becomes available.
4. Select Browse.
5. Locate and select a text file that contains a list of hosts on your network. Each line in the file must be:
<IP address> <host name> {windows|linux|solaris|FortiOS}
where:
• <IP address> is the IP address of a host that you are adding to your ADOM’s asset inventory; if the host has multiple IP addresses, type the IP address it will use to contact the FortiScan appliance
• <host name> is the host name of the asset, if any; if you do not know the current host name, the FortiScan appliance can discover it when the asset’s FortiScan agent sends its first complete survey
• {windows|linux|solaris|FortiOS} is whichever operating system (OS) family is running on the asset
For example, the line for a web server whose fully qualified domain name is www.example.com might be:
192.168.1.1 www.example.com linux
You cannot import an IP address that duplicates an IP address already assigned to your ADOM. Also, the IP address must be allowed by your ADOM’s asset filter. For more information, see “CEIDs” on page 25, “Administrative Domains (ADOMs)” on page 93, and “Manually assigning assets to an ADOM” on page 100.
6. Select Open.
7. Select Add.
Hosts appear in the asset inventory on Asset > Inventory > Asset Inventory. The time required to upload the file varies by network speed and the size of the file. If the import does not succeed, verify that the file’s format is correct, that its IP addresses are not already in the inventory, and that its IP addresses are allowed in your ADOM.
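The appliance rejects the whole upload on a bad line, and the guide lists three causes (malformed format, duplicate IP, IP outside the ADOM’s asset filter), so validating the file locally first saves round trips. The following Python is an added example, not a FortiScan tool: the parse_import_file function, the case-insensitive matching of the OS family, the requirement that every line carry all three fields (as in the guide’s example line), the constructed sample file, and the 192.168.1.0/24 filter are all this example’s own assumptions.

```python
"""Validate a FortiScan host-import file before uploading it.

Added example, not a FortiScan tool. Each non-blank line must be
"<IP address> <host name> <OS family>" with the OS family one of windows,
linux, solaris, FortiOS. The checks mirror the reasons the guide gives for a
failed import: a malformed line, an IP already in the ADOM, or an IP outside
the ADOM's asset filter. The sample file and the 192.168.1.0/24 asset filter
below are constructed for this example.
"""

import ipaddress

# OS families the import format accepts (matched case-insensitively; assumption).
OS_FAMILIES = {"windows", "linux", "solaris", "fortios"}

# Constructed sample: two good hosts, one outside the filter, one duplicate,
# one with a missing field, one FortiOS device.
SAMPLE_FILE = """\
192.168.1.1 www.example.com linux
192.168.1.2 dc01.example.com windows
10.0.0.5 far.example.com solaris
192.168.1.1 dup.example.com linux
192.168.1.3 nofield
192.168.1.4 fw01.example.com FortiOS
"""
SAMPLE_ADOM_FILTER = ["192.168.1.0/24"]


def parse_import_file(text, adom_filter, existing_ips=()):
    """Return (accepted, errors).

    accepted: list of (ip, hostname, os_family) tuples in file order.
    errors:   list of "line N: reason" strings; a line with an error is never accepted.
    adom_filter: CIDR strings the ADOM's asset filter allows.
    existing_ips: IPs already in the ADOM's inventory (duplicates are rejected).
    """
    networks = [ipaddress.ip_network(n, strict=False) for n in adom_filter]
    seen = {ipaddress.ip_address(ip) for ip in existing_ips}
    accepted, errors = [], []

    for lineno, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split()
        if not parts:
            continue  # blank line
        if len(parts) != 3:
            errors.append(f"line {lineno}: expected '<IP address> <host name> <OS family>', "
                          f"got {len(parts)} field(s)")
            continue
        ip_text, hostname, os_family = parts
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            errors.append(f"line {lineno}: {ip_text!r} is not a valid IP address")
            continue
        if os_family.lower() not in OS_FAMILIES:
            errors.append(f"line {lineno}: unknown OS family {os_family!r}")
            continue
        if not any(ip in net for net in networks):
            errors.append(f"line {lineno}: {ip} is outside the ADOM's asset filter")
            continue
        if ip in seen:
            errors.append(f"line {lineno}: {ip} duplicates an IP address already in the ADOM")
            continue
        seen.add(ip)
        accepted.append((str(ip), hostname, os_family))
    return accepted, errors


if __name__ == "__main__":
    ok, bad = parse_import_file(SAMPLE_FILE, SAMPLE_ADOM_FILTER)
    print(f"{len(ok)} host(s) ready to import, {len(bad)} line(s) rejected")
    for msg in bad:
        print("  ", msg)
```

Pass the IPs already listed under Asset > Inventory > Asset Inventory as existing_ips to catch duplicates against the live inventory, not only within the file.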


Manually adding a host to the asset inventory Alternatively or in addition to discovery scans and importing lists of hosts, you can manually add hosts to your ADOM’s asset inventory on Asset > Inventory > Asset Inventory. This can be useful between scheduled discovery scans, when adding an individual host to your network.

Downgrading a FortiScan VM license will result in being unable to add new assets until you have removed excess assets from the asset inventory.

The maximum number of assets varies by model. For details, see “Appendix A: Maximum Values” on page 523.

To manually add a host to the asset inventory:
1. From Current ADOM, select an ADOM that is not Global. Assets are added to that specific ADOM’s asset inventory.
2. Go to Asset > Inventory > Add Asset.
3. Configure these settings:

IP Address
Type the IP address of the host. If the host has multiple IP addresses, type the IP address that it will use to contact the FortiScan appliance.
Note: You cannot add an IP address that duplicates an IP address already assigned to your ADOM. Also, the IP address must be allowed by your ADOM’s asset filter. For more information, see “CEIDs” on page 25, “Administrative Domains (ADOMs)” on page 93, and “Manually assigning assets to an ADOM” on page 100.

Host Name
Type the host name of the asset, if any. If you do not know the current host name, the FortiScan appliance can discover it when the asset’s FortiScan agent sends its first complete survey.

OS Type
Select which of the supported operating system (OS) families is running on the asset: Windows, Solaris (Sparc), Solaris (x86), Linux, or FortiOS.

4. Select OK.
Hosts appear in the asset inventory on Asset > Inventory > Asset Inventory. If the addition does not succeed, verify that the IP address does not already exist in the asset inventory, and that it is allowed in your ADOM.


Agent Setup

After you have configured your administrative domains (ADOMs), you should, wherever possible, install FortiScan agent software on each of your network’s hosts. Most advanced FortiScan appliance features are agent-based, and require that an agent be installed on each host.

Table 11: Feature support with agents vs. without agents

Feature                                          With agent   Without agent
Asset discovery scan & inventory                 +            +
Reports                                          +            +
Remote vulnerability scan                        +            +
Local vulnerability scan                         +            -
Hardware and software configuration monitoring   +            -
Compliance deployment                            +            -
Patch deployment                                 +            -
Remediation dispatches                           +            -
Prioritized tickets                              +            +
PCI DSS compliance auditing                      -            +
Other compliance auditing                        +            +

Exceptions to this rule might include hosts such as routers, whose OS by its nature does not support installation of the agent.

FortiScan agent software can be installed either:
• Remotely: Using the push installer, you can install the agent on multiple assets. The push installer can be launched either as a standalone Windows desktop application or as a Java applet from the appliance’s Web-based Manager. Supports multiple target host OS types.
• Locally: Using the MSI installer, you can install the agent on a single host. Supports Windows target hosts only. Unlike the push installer, on Windows the MSI installer provides entries in Programs and Features in the Control Panel (on older versions of Windows, Add/Remove Programs).

Choose one method and always use that same method to install, uninstall, and upgrade the FortiScan agent software on an asset. Fortinet does not recommend mixing installation methods on the same asset. For example, installing the agent manually with the MSI executable and later uninstalling it with the push installer could cause unpredictable outcomes.

The FortiScan agent may not install or update properly on a host if it is currently running a malicious botnet program that is locking the file system on that asset. For best results, before installing, verify that the host is free of trojans and viruses.


After the FortiScan agent is installed, you can start or stop the service/daemon, query it for its version number, and/or uninstall it. For details, see “Maintaining Your Agent Deployments” on page 491. This topic includes: • System requirements • Using the push installers • Using the MSI installer • Registering agents with the appliance • Assigning FortiScan agents to the ADOM • FortiScan agent files and permissions

System requirements

The FortiScan agent requires that its host computer have:
• Java™ Runtime Environment (JRE) version 1.5.0 or above
• Secure shell (SSH) (required for Linux or Solaris hosts only)
• Sufficient disk space (see Table 12 below)

Table 12: FortiScan agent disk space requirements

Operating System     Required Disk Space
Red Hat Linux        90 MB
Fedora Linux         90 MB
CentOS               90 MB
Oracle Solaris       130 MB
Microsoft Windows    36 MB

When a new FortiScan agent is installed over an existing FortiScan agent, the FortiScan push installer creates a backup copy of the existing FortiScan agent before installing the new FortiScan agent. This doubles the disk space requirements.


• Any of the following supported operating systems

Table 13: Supported operating systems

Vendor/Organization   Operating System                                 Version / Edition
Microsoft             Windows XP                                       Professional
Microsoft             Windows 2003 (32- and 64-bit)                    Standard Edition, Datacenter Edition, Enterprise Edition, Web Edition
Microsoft             Windows Vista (32- and 64-bit)                   Ultimate, Home Premium, Home Basic, Business, Enterprise
Microsoft             Windows 2008 Server (32- and 64-bit)             Standard Edition
Microsoft             Windows 2008 Server Release 2 (32- and 64-bit)   Standard Edition
Microsoft             Windows 7 (32- and 64-bit)
Microsoft             Windows 8 (32- and 64-bit)
Microsoft             Windows Server 2012 (64-bit)
Red Hat               Red Hat Enterprise Linux (WS, ES, & AS)          3.1, 4.0, 5.0, 6.1
Fedora Project        Fedora Linux                                     9, 13, 14, 15
CentOS                CentOS                                           3, 4, 5
Oracle                Solaris (SPARC)                                  9.0
Oracle                Solaris (x86_32)                                 10.0
Oracle                Solaris (x86_64)                                 10.0

Supported operating systems may change as newer versions are introduced. To see whether a platform not listed, such as a beta release, is currently supported, contact Fortinet Technical Support.

Network and firewall requirements

In addition to hardware and operating system requirements, FortiScan agents must be able to communicate with the FortiScan appliance in order to function correctly. Firewalls between the two must be configured to allow the required port numbers, access methods, and files.

If connecting to the trial license of FortiScan-VM or a LENC (low encryption) version of FortiScan, the asset must be able to use DES encryption of 64-bit strength or less during HTTPS or SSH handshakes. RC2, RC4, and DES of less than 64-bit strength are supported; AES and 3DES are not supported in these versions. These cipher suites are weak by current standards, so on such deployments the agent channel should not be relied on for confidentiality across untrusted networks.

Table 14: Required outbound port numbers to the FortiScan appliance

Port number   Protocol   Purpose
443           TCP        Download of appliance’s PKI server certificate
3128          TCP        FortiScan agent executable download (HTTP). Note: By default, this port is not used. It is required only if HTTPS_PROXY is not set in the agent configuration file, SEClient.conf (on Linux or Solaris) or seclient.conf (on Windows). See “HTTPS_PROXY” on page 135 (for the push installer).
3129          TCP        FortiScan agent executable download (HTTPS)
4443          TCP        Registration
8445          TCP        Dispatch poll
8446          TCP        Long and short surveys
8448          TCP        Command channel
8449          TCP        Update of appliance’s PKI server certificate
8451          TCP        Dispatch response


In addition to the FortiScan agent itself, the installers and the network vulnerability scan also have their own network requirements. For a complete list of port numbers required by all features between the appliance/your management computer and your network’s hosts, see also: • “Network and firewall requirements” on page 121 (push installer) • “Network and firewall requirements” on page 139 (MSI installer) • “Network and firewall requirements” on page 153 (network vulnerability scan)
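Before deploying agents behind a firewall, confirm from a representative host that every port in Table 14 is reachable. A port that a firewall silently drops looks different on the wire from one the appliance actively refuses, and that difference tells you whether to fix the firewall rule or the appliance. The Python below is an added example, not a FortiScan utility: AGENT_PORTS reproduces Table 14, port 3128 is kept separate because it is needed only when HTTPS_PROXY is unset, and the same probe can be pointed from the management computer at a target host’s TCP ports from Table 15 (22, 139, 445) before running the push installer. UDP 137/138 cannot be verified with a TCP connect and are not covered. The appliance host name fortiscan.example.com in the usage stub is a placeholder.

```python
"""Check outbound TCP reachability from a host to the FortiScan appliance.

Added example, not a FortiScan utility. AGENT_PORTS reproduces Table 14
(required outbound ports from each FortiScan agent to the appliance).
"""

import socket

# Port -> purpose, from Table 14.
AGENT_PORTS = {
    443: "download of appliance's PKI server certificate",
    3129: "FortiScan agent executable download (HTTPS)",
    4443: "registration",
    8445: "dispatch poll",
    8446: "long and short surveys",
    8448: "command channel",
    8449: "update of appliance's PKI server certificate",
    8451: "dispatch response",
}
# Only needed when HTTPS_PROXY is not set in the agent configuration file.
OPTIONAL_AGENT_PORTS = {3128: "FortiScan agent executable download (HTTP)"}
# Table 15's TCP listeners on a target host, checked from the push installer side.
PUSH_INSTALLER_TCP_PORTS = {22: "SSH (Solaris and Linux)", 139: "SMB (Windows)", 445: "SMB (Windows)"}


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused' or 'filtered' for a TCP connect to host:port.

    'refused' means a RST came back (host reachable, nothing listening or a
    firewall that rejects); 'filtered' means no answer at all within the
    timeout, which usually means a firewall silently drops the packets.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        raise  # an unresolvable host name is a configuration error, not a firewall result
    except (socket.timeout, OSError):
        return "filtered"


def check_ports(host, ports, timeout=3.0):
    """Return {port: status} for each port in `ports` (a dict or iterable of ints)."""
    return {port: probe(host, port, timeout) for port in ports}


def missing_ports(results):
    """Ports from a check_ports() result that are not open, sorted."""
    return sorted(port for port, status in results.items() if status != "open")


if __name__ == "__main__":
    import sys
    appliance = sys.argv[1] if len(sys.argv) > 1 else "fortiscan.example.com"  # placeholder
    results = check_ports(appliance, AGENT_PORTS)
    for port in sorted(results):
        print(f"{port:5d}  {results[port]:8s}  {AGENT_PORTS[port]}")
    blocked = missing_ports(results)
    print("all required agent ports reachable" if not blocked else f"blocked: {blocked}")
```

Run it on an asset with python3 check_ports.py <appliance>; a result of "filtered" on 4443 or 8446 while 443 is "open" is the typical signature of a firewall rule written for HTTPS only, which lets the certificate download succeed and then leaves the agent unable to register or survey.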

Using the push installers The push installer can install or uninstall the FortiScan agent on multiple remote hosts within your network. There are two varieties of push installer: • a Windows desktop application • a Java applet available within the FortiScan appliance’s Web-based Manager System requirements, launch method, and other things vary by which variety of the push installer you use.

System requirements The Windows desktop application variety of the push installer requires both: • Microsoft Windows • Java™ Runtime Environment (JRE) version 1.5.0 or above The Java applet variety of the push installer requires both: • Microsoft Windows • the browser plug-in for Java™ Runtime Environment (JRE) version 1.5.0 or above

Network and firewall requirements

The push installer must be able to communicate with hosts where you want to install the FortiScan agent (“target hosts”).

Before modifying firewalls and antivirus software to meet the requirements of the push installer, verify that hosts will not be accessible to untrusted sources. If possible, restrict access to allow only authenticated connections from your management computer(s). Failure to restrict access could compromise the security of your network’s hosts.

On hosts running Linux or Solaris, to enable the push installer to connect:
• Install and configure SSH and either su or sudo.
• Configure the host with a superuser account that the push installer can use to log in via SSH and install the agent. This can be the same account used by the FortiScan appliance to authenticate for network vulnerability scans (see “To add a superuser account:” on page 164).

On hosts running Microsoft Windows, to enable the push installer to connect:
• Enable file and printer sharing.
• Configure the host with an administrative account that the push installer can use to log in via Windows file sharing and install the agent. This can be the same account used by the FortiScan appliance to authenticate for network vulnerability scans (see either “To add an administrator account:” on page 155 (Windows XP) or “To add an administrator account:” on page 159 (Windows 7 or Vista)).
• Configure Windows Firewall and/or any third-party firewall to allow connections from the push installer (see “To add Windows Firewall exceptions:” on page 161).
• Configure Windows Firewall and/or any third-party antivirus software to allow the sps.exe executable and other FortiScan agent files (see “FortiScan agent files and permissions” on page 149).
• Enable the ADMIN$ network share and disable simple file sharing (SFS). Methods vary by the version of Windows. For example:
  • On Windows XP, see step 3 of “To enable remote users to authenticate as themselves:” on page 161.
  • On Windows 7, see either “To enable the ADMIN$ share (Windows 7):” or “To enable remote users to authenticate as themselves:” on page 161.
  The ADMIN$ share is required by the push installer, but not by the FortiScan agent itself. If the host does not need it during normal operation, and you will not be running authenticated network vulnerability scans from the FortiScan appliance (which require shares such as C$), you can tighten security by disabling administrative network shares after running the push installer.
• Open Internet Explorer, go to Tools > Internet Options, then select the Advanced tab. In the Security section, disable Check for server certificate revocation and select OK. Close Internet Explorer. Failure to do this will cause the installation to fail. The FortiScan appliance uses a factory default PKI server certificate for SSL encryption only, which is not designed for authentication using typical certificate trust chains. As a result, certificate revocation checks cause the certificate to be rejected. This setting is not specific to the installer: it also disables revocation checking for other HTTPS connections made through Internet Explorer on that host, so re-enable it once the agent is installed.

Firewalls and routers between the two must be configured to allow the required port numbers, access methods, and files.

In addition to accepting incoming connections from the push installer, all hosts must be able to make outgoing connections to the FortiScan appliance in order to complete registration and other normal operations. For more information on port numbers required by the FortiScan agent itself, see “Network and firewall requirements” on page 120. If connecting to the trial license of FortiScan-VM or a LENC version of FortiScan, the asset must be able to use DES encryption of 64-bit strength or less during HTTPS or SSH handshakes. (RC2, RC4, and DES of less than 64-bit strength are supported. AES and 3DES are not supported in these versions.)

These ports are required by the push installer, but are not required by the FortiScan agent itself. If you will not be running authenticated network vulnerability scans from the FortiScan appliance, and the host does not require them during its normal operations, you can close them again after running the push installer in order to tighten security.


Table 15: Push installer, required listening port numbers on target hosts

Port number   Protocol   Purpose
22            TCP        SSH (Solaris and Linux)
139           TCP        File and printer sharing (Common Internet File System (CIFS)/Server Message Block (SMB) share; Windows)
445           TCP        File and printer sharing (CIFS/SMB share; Windows)
137           UDP        File and printer sharing (login and WINS/NetBIOS host name query; Windows)
138           UDP        File and printer sharing (login and NetBIOS datagram; Windows)

Table 16: Push installer, required outbound port numbers on target hosts

Port number   Protocol   Purpose
443           TCP        Download of appliance’s PKI server certificate
4443          TCP        Registration
8449          TCP        Update of appliance’s PKI server certificate

Figure 43:Windows Firewall configuration to allow connections from the push installer


To enable the ADMIN$ share (Windows 7):
1. Log in to the host using an account with Administrator privileges.
2. Select the Start (Windows logo) menu to open it.
3. Type regedit and press Enter. If a dialog asks whether the program is allowed to modify the computer, select Yes. The Registry Editor appears.
4. In the registry tree, go to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
You must select the System item in the tree to display its contents in the right-hand pane. The location in the next step will be incorrect if you do not select System.
5. In the right-hand pane, right-click and select New > DWORD (32-bit) Value. New Item #1 appears, with its name selected and editable.
6. Type LocalAccountTokenFilterPolicy and press Enter. New Item #1 is renamed to the name of the setting that controls remote access to the ADMIN$ share.
7. Double-click LocalAccountTokenFilterPolicy. A registry editor dialog appears.
8. In Value data, type 1.
9. Select OK.
10. Reboot the computer.

Note: Setting LocalAccountTokenFilterPolicy to 1 turns off User Account Control’s remote restrictions for local accounts, so any local administrator account, not only the one the push installer uses, can then use the administrative shares over the network. Keep local Administrator membership on such hosts to a minimum, and consider returning the value to 0 (or deleting it) after the push installer has finished, in the same way that the ADMIN$ share itself can be disabled afterwards.

From your management computer, you should now be able to access the other computer’s share over the network. (Depending on your management computer’s operating system, you may need to modify its settings to view the share. For example, on Windows XP, you may need to match the workgroup name of the other computer.)

To verify that you can access the ADMIN$ share from your management computer, select the Start menu, then enter:
\\HostName\ADMIN$
where HostName is the host name of the computer where you configured the share. (If that computer requires it, you may need to authenticate as an account with Administrator privileges.) A window should open that displays the ADMIN$ share, which includes the other computer’s Windows directory (%SystemRoot%).

You may also need to disable simple file sharing (SFS), and to modify Windows Firewall and/or third-party firewall settings to allow the remote connection from both your management computer and the FortiScan appliance’s IP address (see “To add Windows Firewall exceptions:” on page 157 and the documentation for your version of Windows).

Launch: desktop vs. web-based push installer The push installer has two possible forms. It can be launched either: • From Asset > Inventory > Asset Inventory within FortiScan appliance’s Web-based Manager. This form uses your FortiScan appliance’s current knowledge of which of your ADOM’s hosts are unprotected to suggest which hosts should have the agent installed. • As a Windows desktop application. Once you have downloaded the file, this form can be run from a computer such as your management computer or Active Directory domain controller, and does not require the person using the installer to have a login to the FortiScan appliance’s Web-based Manager. However, it does not ask the FortiScan appliance which of your ADOM’s assets are currently unprotected. You must indicate yourself which hosts should receive the agent.

Fortinet Technologies Inc.

Page 124

FortiScan v5.0 MR1 Administration Guide

To launch the push installer as a Java applet from the appliance’s Web-based Manager:
1. Log in to your Windows management computer as Administrator.
2. Open a web browser.
3. Log in to the FortiScan appliance’s Web-based Manager as the admin administrator.
4. From Current ADOM, select an ADOM that is not Global. Asset inventories are specific to each individual ADOM. The menu in the next step is not available when Current ADOM is Global.
5. Go to Asset > Inventory > Asset Inventory.
6. In the asset group selection tree, select View Filters > By Status > New.
7. Mark the check box of each asset on which you want to install the FortiScan agent, then select Installer on the toolbar.

To launch the push installer as a Windows desktop application:
1. Log in to your Windows management computer as Administrator.
2. Open a web browser.
3. Log in to the FortiScan appliance’s Web-based Manager as the admin administrator.
4. From Current ADOM, select Global. The menu in the next step is available only when Current ADOM is Global.
5. Go to System > Dashboard > Status.
6. In the System Information widget, in the Firmware Version field, select Update. The Firmware Upgrade dialog appears.
Figure 44: Firmware upgrade page
7. In the Download Push Installer column, select the Push Installer icon.
8. If your web browser asks you, select the location where you want to save FSC_Pushinstaller.zip.
9. On your management computer, extract the zip file’s contents to C:\FSC_Pushinstaller.
10. Open the C:\FSC_Pushinstaller directory in Windows Explorer.
11. Right-click startSEPush.bat and select Run as administrator.

Windows Vista, Windows 2008, and Windows 7 require that you run the command as Administrator. Failure to launch the batch file with Administrator permissions can cause push installer errors such as failed SSH connections to target hosts.


If a dialog appears asking whether to allow the program to make changes to the computer, select Yes. The batch file launches the push installer. Continue with “Running the push installer”.

Running the push installer
When launched, the FortiScan push installer initially opens to the Hosts tab, where you can create a list of hosts where you want to install the agent, edit the configuration file that will be used by the agents, and then start a batch installation.
Figure 45: Push installer (Hosts tab)

Configure the following settings:

Hosts tab

IP or hostname of FortiScan Appliance

The IP address or domain name of the FortiScan appliance. By default, this is the address of the FortiScan appliance’s port1 network interface. Note: If the push installer is launched from the Web-based Manager, this field cannot be changed. To use a different network interface for connections between agents and the FortiScan appliance, launch the push installer as a standalone Windows desktop application instead (see “Launch: desktop vs. web-based push installer” on page 124).

ADOM Names (separate by comma)

The names of the administrative domains (ADOMs) to which the agent belongs on the FortiScan appliance (see “Administrative Domains (ADOMs)” on page 93). For example: CompanyA,CompanyB Note: This setting is required.


File containing IP addresses

To import a CSV (comma-separated value) spreadsheet file containing host IP addresses instead of adding hosts individually by selecting Add New Host, select Browse for file to import. For details, see “Adding hosts to the push installer’s list of targets” on page 132.

Host

Type the IP address of a host where you want to install the FortiScan agent. When the push installer is launched via the Web-based Manager, this is pre-populated with the assets you selected from Asset > Inventory > Asset Inventory. Otherwise, you must populate the rows either by selecting Browse for file to import and uploading a CSV file, or manually add individual install targets by selecting Add New Host. See “Adding hosts to the push installer’s list of targets” on page 132.

Platform

Select the operating system (OS) of the target host. By default, when you add a new host in the push installer, the windows option is already selected. If the host is not running Microsoft Windows, select this field to transform it into a drop-down menu, then select one of the following options from the menu: linux, solaris_sparc, solaris_x86, or windows.

Method

Select the method to use, if any, when authenticating as a superuser in order to have the necessary privileges to run the FortiScan agent installer on the target host. By default, when you add a new host to the push installer, the N/A option is already selected. If the host is not running Microsoft Windows, select this field to transform it into a drop-down menu, then select one of the following options from the menu:
• su: Use the su command (Solaris or Linux). Also configure InstallUser and InstallPwd.
• sudo: Use the sudo command (Linux). The installer authenticates as a superuser using the same user name and password that it uses to connect to the host (ConnectUser and ConnectPwd).
• N/A: Do not authenticate as superuser (Windows).

ConnectUser

If authentication is required when connecting to copy FortiScan agent files to the target host, type the user name of an account on the host. Connection protocols vary by the operating system that you select in Platform. For Linux and Solaris, authentication will occur through the SSH protocol. For Windows, authentication, if any, will occur through Windows file sharing. Alternatively, use Set Credentials.

ConnectPwd

Type the password, if any, corresponding to ConnectUser. Alternatively, use Set Credentials.


InstallUser

If the host requires su-style superuser authentication in order to authorize software installation, type the name of a superuser account name. This field is applicable only if Method is su. Alternatively, use Set Credentials. Tip: On Linux and Solaris, if the connection succeeds but the installation fails due to permissions issues, you may be able to succeed if you set Method to su and enter credentials for the root account in both ConnectUser and InstallUser.

InstallPwd

Type the password, if any, corresponding to InstallUser. Alternatively, use Set Credentials.

Task

Select the installation task. By default, when you add a new host in the push installer, the install option is already selected. If you do not want to install, select this field to transform it into a drop-down menu, then select one of the following options from the menu: install or uninstall. Caution: Uninstalling the agent using the push installer will delete the .ceid file on the host, even if the DelCEID check box is not marked.

DelCEID

If a .ceid file might already exist on the host, and you want to delete it and generate a new one, mark the check box. This causes the appliance to add the host to the asset inventory as if it were a new, previously unknown host, and receive a new CEID. Asset data associated with the old CEID will remain in the appliance’s database until it is deleted, but will not be associated with this new agent installation. The appliance will regard the two data sets as if they belong to physically separate assets. This option can be useful when asset data associated with that CEID in the FortiScan appliance’s database is no longer applicable, or was generated by a different host that accidentally used that same CEID in the past. For example, if the host has been formatted, reinstalled, and reassigned to a different department in a different ADOM, and you want to disassociate any legacy data from that CEID, you would enable this option. For the location of the .ceid file, see “FortiScan agent files and permissions” on page 149. Caution: If you want to make a Norton Ghost image of the host’s FortiScan agent installation and then deploy it to multiple separate hosts, you must delete the .ceid file before making the master image. Failure to delete the .ceid file will cause disconnection and merged data issues when multiple hosts with the same CEID connect to the appliance.


Status

Push installation errors, if any, such as:
• Success
• NOTICE: sudo method does not need installuser and installpass to be set, ignoring supplied values
• ERROR: su method requires installuser and installpass to be set
• (9)Error trying to scp files
• (24)Failure in local script execution
This field is empty until after you have selected Push Agents. For information on troubleshooting errors that appear in this column, see “To push install FortiScan agents on selected hosts:” on page 130 and “To verify the installation (Windows):” on page 142.

Agent Client Configuration

Type additional FortiScan agent configuration settings that you want to use, if any. The settings will be used by all hosts that you have added in the push installer. See “Editing a FortiScan agent’s settings file” on page 135.

Add New Host

Select to add a blank row, which you can then configure, to the list of hosts in the Hosts tab in the push installer. See “Adding hosts to the push installer’s list of targets” on page 132.

Delete Hosts

Mark the check box of one or more hosts whose rows you want to delete, then select Delete Hosts.

Set Credentials

Mark the check box of one or more hosts that use the same login credentials for ConnectUser, ConnectPwd, InstallUser, and InstallPwd, then select Set Credentials. A dialog appears that enables you to configure those credentials for all of the currently selected hosts.

Check All

Select to mark the check boxes of all hosts’ rows. After this button is selected, it changes to Uncheck All.

Uncheck All

Select to clear the check boxes for all hosts’ rows. After this button is selected, it changes to Check All.

Push Agents

Mark the check box of one or more hosts where you want to install or uninstall (depending on your selection in Task) the FortiScan agent, then select Push Agents. A dialog appears, prompting you about whether or not to accept the FortiScan appliance’s PKI server certificate. If the certificate is correct, select Yes to continue the installation.


Console tab

Select to display push installer status or error messages, if any, such as:
Agent Installer Launched 2011-06-24 16:26:31.564
Push started 2011-06-24 16:26:37.5
172.16.1.10 linux Success 2011-06-24 17:00:55.387
Push started 2011-06-27 17:06:32.347
172.16.1.10 linux (24)Failure in local script execution 2011-07-08 10:34:33.976
Push started 2011-07-08 10:35:00.574
172.16.1.10 windows (41)Unable to map ADMIN$ share on asset. Check credentials (username and password) OR Admin$ shared OR Windows Firewall Policy

About tab

Select to display the version number for the push installer.

To push install FortiScan agents on selected hosts:
Before beginning, you must prepare target hosts to receive the push installer connection, and to be able to use the appliance’s certificate. See “Network and firewall requirements” on page 121.
1. Launch the push installer. See “Launch: desktop vs. web-based push installer” on page 124. Depending on which method you used to launch the push installer, the list of target hosts in the Hosts tab is either pre-populated or empty.
2. Add all hosts where you want to install the FortiScan agent. For details, see “Adding hosts to the push installer’s list of targets” on page 132.
3. If necessary, edit the host information, login credentials, and/or agent settings. If you have Linux or Solaris hosts with custom login prompts or other customizations, also edit the installer script properties. For instructions, see “Editing a FortiScan agent’s settings file” on page 135 and “Customizing push installer scripts” on page 137.
When pushing to your own management computer (the same host where you installed and are running the push installer) you do not need to provide connection authentication credentials, as long as you logged in with an account that has Administrator privileges. The push installer will use the same privileges that you used to log in.
4. Mark the check boxes for each host where you want to install the agent.
5. Select Push Agents. A dialog appears, prompting you about whether or not to accept the FortiScan appliance’s PKI server certificate. If the certificate is correct, select Yes to continue the installation.
If an SSL error message appears instead of the certificate, verify that your management computer does not have any unsupported IPv6 tunnels or IPv6 network interfaces which may interfere with the push installer’s attempt to retrieve the appliance’s certificate file.


Figure 46:Certificate retrieved by the push installer

If you omitted the connection and installation user name and password for any target host, a dialog appears, notifying you that for those targets the push installer will use the same privileges as the account that you used to log in, and asking whether you want to continue. Select Yes.
Each target host receives the agent configuration file and public key infrastructure (PKI) server certificate of the appliance from the push installer. When you first attempt to push the agent to a host, these files are copied to the installation directory (see “FortiScan agent files and permissions” on page 149).
If the host does not receive the PKI files and the installation fails, the host could be rejecting the certificate because the certificate was revoked or is not signed by a trusted certificate authority (CA). To work around this, you must manually add the certificate to the store of trusted certificates. On Windows, open Internet Explorer, go to Tools > Internet Options, then select the Advanced tab; in the Security section, disable Check for server certificate revocation, select OK, then close Internet Explorer. Run the push installer again. The certificate should be accepted.
Push installer error messages, if any, appear in either the Status column of the Hosts tab or the Console tab of the push installer.
To verify the installation on Windows, see “To verify the installation (Windows):” on page 142. If the installation failed, in addition to the troubleshooting steps recommended for the MSI installer, also verify that you have correctly configured Windows Firewall and the ADMIN$ share.
To verify the installation on Linux or Solaris, log in to the target host and enter the command:
ps -ef | grep -v grep | grep sps
The command returns the process number(s) of the FortiScan agent process, if it is running. If the process is not running:
• If the push installer was not able to initiate an SSH connection to the target host (you can verify this using Wireshark), make sure you launched the push installer using Run as administrator. Failure to run the batch file with Administrator permissions can cause the push installer to be unable to initiate SSH connections.
• If the SSH connection was initiated, but did not successfully complete (you can verify this if files do not exist in either the installation directory or /tmp/linux), verify that the target host supports SSH 2.0 and its algorithms. Also verify the connection credentials that you provided to the push installer.
• If temporary files from the push installer do exist in /tmp/linux, but the agent files do not exist in the installation directory, then the local-install shell script that the push installer copied to /tmp/linux could not execute successfully. Verify that the account you provided to the push installer has su or sudo privileges or is the root account.

On Linux and Solaris, if the installation fails due to permissions issues, you may be able to succeed if you set Method to su and provide credentials for the root account in both ConnectUser and InstallUser.

• Also verify that the binaries required by the local-install shell script exist in the expected locations. For local-install error messages that indicate the point of failure, examine the log file /tmp/se-install-log.txt.
• Finally, verify that you did not select the windows option from Platform. (If you selected the wrong platform, there may be an error in the Console tab referring to a Windows ADMIN$ share; there may also be no shell script installer log file, /tmp/se-install-log.txt.)

Adding hosts to the push installer’s list of targets
To specify which hosts will be targets of the FortiScan agent push installer, you can do any of the following:
• Import the list from an ADOM’s asset inventory (Asset > Inventory > Asset Inventory) in the FortiScan appliance’s Web-based Manager (see “To import a list of hosts from an ADOM’s asset inventory:” on page 133). The list of unprotected hosts in the asset inventory can be populated:
  • via a discovery scan (see “Discovering your Network’s Hosts” on page 109)
  • by importing a CSV (comma-separated value) spreadsheet file containing a list of hosts into the asset inventory (go to Asset > Inventory > Add Asset)
  • individually (go to Asset > Inventory > Add Asset)
• Import a CSV (comma-separated value) spreadsheet file containing a list of hosts into the push installer (see “To import a list of hosts from a CSV file:” on page 133).
• Individually add hosts to the list in the push installer (see “To manually add a host to the push installer’s list:” on page 134).


To import a list of hosts from an ADOM’s asset inventory:
1. From Current ADOM, select an ADOM that is not Global. Asset inventories are specific to each individual ADOM. The menu in the next step is not available when Current ADOM is Global.
2. Go to Asset > Inventory > Asset Inventory.
3. In the asset navigation tree, go to View Filters > By Agent Scan Status > New. The list of unprotected assets appears in the asset group details pane.
4. Mark the check box of each host on which you want to install the FortiScan agent and then select Installer on the toolbar. The push installer opens. The selected hosts appear in the list on the Hosts tab. If necessary, you can then edit the host platform type, login credentials, or agent settings before proceeding (see “Editing a FortiScan agent’s settings file” on page 135).
5. Continue with “To push install FortiScan agents on selected hosts:” on page 130.

To import a list of hosts from a CSV file:
1. Create a CSV (comma-separated value) spreadsheet file containing the list of hosts on which you want to install the FortiScan agent software. You can use a spreadsheet application such as Microsoft Excel, or any plain text editor.
The format of each line in the file is:
<Host>,<Platform>,<Method>,<ConnectUser>,<ConnectPwd>,<InstallUser>,<InstallPwd>,{install | uninstall},<DelCEID>
where (the placeholders are named after the corresponding fields of the Hosts tab):
• <Host> is the IP address or host name of a host where you want to install the FortiScan agent; required
• <Platform> is the host’s operating system, either linux, solaris, solaris_x86, or windows
• <Method> is the method to use, if any, when authenticating as a superuser in order to have the necessary privileges to run the FortiScan agent installer on the target host; either type su to use the su command (for Solaris), type sudo to use the sudo command (for Linux), or leave this parameter empty (for Windows)
• <ConnectUser> is the name of a user account on the host, if authentication is required when connecting to copy FortiScan agent files to the target host; if not applicable, leave this empty
• <ConnectPwd> is the password corresponding to <ConnectUser>; if not applicable, leave this empty
• <InstallUser> is the name of the superuser account on the host used to authorize software installation; this is required only if <Method> is su; if not applicable, leave this empty
• <InstallPwd> is the password corresponding to <InstallUser>; if not applicable, leave this empty
• {install | uninstall} is the push installer task, either install or uninstall
• <DelCEID> is either Y (delete the current .ceid file on the host, if one exists) or N (do not delete the CEID)
  • Use Y when asset data associated with that CEID in the FortiScan appliance’s database is no longer applicable, or was generated by a different host that used that CEID in the past.
  • For example, if the host has been formatted, reinstalled, and reassigned to a different department in a different ADOM, and you want to disassociate any legacy data from that CEID, you would enable this option.
  • For the location of the .ceid file, see “FortiScan agent files and permissions” on page 149.
If you prefer not to type user names and passwords in the CSV file because it is unencrypted, you can instead leave those fields empty in the CSV file, and then add user names and passwords to the push installer later, by selecting the Set Credentials button.
When pushing to your own management computer (the same host where you installed and are running the push installer) you do not need to provide connection authentication credentials, as long as you logged in with an account that has Administrator privileges. The push installer will use the same privileges that you used to log in.
If you want to make a Norton Ghost image of the host’s FortiScan agent installation and then deploy it to multiple separate hosts, you must delete the .ceid file before making the master image. Failure to delete the .ceid file will cause disconnection and merged data issues when multiple hosts with the same CEID connect to the appliance.
For example, in this CSV file:
10.0.0.50,linux,sudo,joe,p@55w0rd,root,p@55worD,install,
10.0.0.51,windows,,Administrator,p@ssword,,,install,Y
10.0.0.52,windows,,,,,,install,
• the first line connects to the Linux host using an account name of joe, then uses sudo to authenticate as the superuser root when installing the agent
• the second line supplies system administrator login credentials for a Windows computer and tells the push installer to delete any existing .ceid file
• the third line pushes to the management computer itself, and so does not specifically mention a user name or password for the local connection; instead, it uses the same privileges as the account that you used to log in to your computer
2. Launch the push installer. See “Launch: desktop vs. web-based push installer” on page 124.
3. Select Browse for file to import.
4. Select the CSV file that contains your list of hosts.
5. Select Open. The selected hosts appear in the list on the Hosts tab. If necessary, you can then edit the host platform type, login credentials, or agent settings before proceeding (see “Editing a FortiScan agent’s settings file” on page 135).
6. Continue with “To push install FortiScan agents on selected hosts:” on page 130.

To manually add a host to the push installer’s list:
1. Launch the push installer. See “Launch: desktop vs. web-based push installer” on page 124.
2. Select Add New Host. A new empty row is added to the list of hosts.
3. In the new host row, configure the installer parameters for that host. For information about each parameter, see Table 45, “Push installer (Hosts tab),” on page 126.
4. Repeat the previous two steps for each host that you want to add.
5. Continue with “To push install FortiScan agents on selected hosts:” on page 130.
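Because the CSV file is imported as-is, mistakes such as an su row without InstallUser only show up in the Status column after you select Push Agents. The following Python script is an added example, not part of this guide or of the push installer’s own code, that pre-checks a CSV file before import. It assumes the nine-field column order of the sample file above (named here after the Hosts tab fields) and reproduces the two su/sudo Status messages quoted in the Hosts tab table; the remaining messages are this script’s own wording, and sample lines 4 and 5 are constructed faulty rows added for illustration.

```python
import csv
import io

# Column order of one push installer CSV line, named after the Hosts tab fields
# (assumption: the installer reads the fields in this order, which the guide's
# sample file follows).
COLUMNS = ("host", "platform", "method", "connect_user", "connect_pwd",
           "install_user", "install_pwd", "task", "del_ceid")
PLATFORMS = {"linux", "solaris_sparc", "solaris_x86", "windows"}

# Constructed sample input: the three lines from the guide's CSV example, plus
# two deliberately faulty lines added here for illustration.
SAMPLE_CSV = """\
10.0.0.50,linux,sudo,joe,p@55w0rd,root,p@55worD,install,
10.0.0.51,windows,,Administrator,p@ssword,,,install,Y
10.0.0.52,windows,,,,,,install,
10.0.0.53,linux,su,joe,p@55w0rd,,,install,N
,linux,sudo,joe,p@55w0rd,,,reinstall,X
"""


def parse_line(fields):
    """Map one CSV row onto the named columns, padding missing trailing fields."""
    fields = [f.strip() for f in fields] + [""] * (len(COLUMNS) - len(fields))
    return dict(zip(COLUMNS, fields[:len(COLUMNS)]))


def check_row(row):
    """Return the messages the push installer's Status column would show for this
    row. The su and sudo messages are the ones quoted in the guide; the others are
    this script's own wording. An empty list means the row passes."""
    msgs = []
    if not row["host"]:
        msgs.append("ERROR: host (IP address or host name) is required")
    if row["platform"] not in PLATFORMS:
        msgs.append("ERROR: unknown platform %r" % row["platform"])
    if row["task"] not in ("install", "uninstall"):
        msgs.append("ERROR: task must be install or uninstall")
    if row["del_ceid"] not in ("", "Y", "N"):
        msgs.append("ERROR: DelCEID must be Y, N or empty")
    method = row["method"]
    if method == "su":
        # su needs its own superuser credentials (InstallUser / InstallPwd)
        if not (row["install_user"] and row["install_pwd"]):
            msgs.append("ERROR: su method requires installuser and installpass to be set")
    elif method == "sudo":
        # sudo re-uses ConnectUser / ConnectPwd, so install credentials are ignored
        if not row["connect_user"]:
            msgs.append("ERROR: sudo method requires connectuser to be set")
        if row["install_user"] or row["install_pwd"]:
            msgs.append("NOTICE: sudo method does not need installuser and installpass "
                        "to be set, ignoring supplied values")
    elif method:
        msgs.append("ERROR: unknown method %r" % method)
    if row["platform"] == "windows" and method:
        msgs.append("ERROR: Windows hosts take no superuser method (N/A)")
    return msgs


def validate_csv(text):
    """Parse CSV text and return [(line_number, host, messages)] for each row."""
    results = []
    for n, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(f.strip() for f in fields):
            continue  # blank line
        row = parse_line(fields)
        results.append((n, row["host"], check_row(row)))
    return results


if __name__ == "__main__":
    for n, host, msgs in validate_csv(SAMPLE_CSV):
        print("line %d (%s): %s" % (n, host or "<no host>", "; ".join(msgs) or "Success"))
```

Note that the first sample line, taken from the guide’s own example, supplies InstallUser and InstallPwd together with sudo; the script reports the same NOTICE the Status column would, because sudo re-uses the connection credentials and ignores those values.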


Editing a FortiScan agent’s settings file
Usually the default settings are enough for successful operation, but if necessary, you can use the push installer to modify the FortiScan agent configuration file (seclient.conf or SEClient.conf) that will be installed on hosts.

Back up the configuration file before beginning. The push installer does not validate configuration file changes.

FortiScan agents use both a configuration file (seclient.conf) and an identification file (.ceid). In some cases, you may want to retain one or both of these files when and if they already exist on currently protected hosts. In other cases, it may be desirable to pre-configure these files before pushing them out during an upgrade. To determine whether certain files should be re-initialized, retained, or replaced, see the push installer option DelCEID and “FortiScan agent files and permissions” on page 149. You may also want to contact Fortinet Technical Support.
Changes are appended to the end of the FortiScan agent configuration file. Redundant properties are permitted. However, only the last instance of a property in the file will take effect. To maintain clarity, you may want to remove redundant properties.
To edit FortiScan agent settings:
1. Launch the push installer. See “Launch: desktop vs. web-based push installer” on page 124.
2. In the Agent Client Configuration pane, enter any of the following configuration settings that you want to make.

EM_SERVER

Type the IP address or domain name of the FortiScan appliance. For example:
EM_SERVER=10.0.0.1
EM_SERVER=FortiScan
EM_SERVER=fortiscan.example.com
This setting is required.

HTTP_PROXY

The IP address and port number of the HTTP proxy, if any, through which the agent will connect to the FortiScan appliance. If none is specified, the agent will instead connect directly to the FortiScan appliance using the IP address specified in EM_SERVER and port number 3128. For example:
HTTP_PROXY="10.0.0.1:8080"
Note: Do not change this setting.

HTTPS_PROXY

The IP address and port number of the HTTPS proxy, if any, through which the agent will connect to the FortiScan appliance. If none is specified, the agent will instead connect directly to the FortiScan appliance using the IP address specified in EM_SERVER and port number 3129. For example:
HTTPS_PROXY="10.0.0.1:4443"
Note: Do not change this setting.

ADOM_NAMES

Type the names of the administrative domains (ADOMs) to which the agent belongs on the FortiScan appliance (see “Administrative Domains (ADOMs)” on page 93). For example:
ADOM_NAMES="CompanyA,CompanyB"
Note: This setting is required.

KEEP_CUR_ADOM

Disable or enable keeping the ADOM to which the asset identified by this agent’s CEID is currently assigned, either:
• 0: Disable (default). For example: KEEP_CUR_ADOM=0
• 1: Enable. For example: KEEP_CUR_ADOM=1

DEBUG

Disable or enable debug logging, either:
• 0: Disable (default). For example: DEBUG=0
• 1: Enable. For example: DEBUG=1
Caution: Do not enable this option unless requested by Fortinet Technical Support. Log files may be large. For the location of debug files, see “FortiScan agent files and permissions” on page 149.

ENABLE_USERS

Disable or enable including a list of all configured user accounts with each detailed survey.
• 0: Disable (default). For example: ENABLE_USERS=0
• 1: Enable. For example: ENABLE_USERS=1
Alternatively, this setting can be configured through the appliance’s Web-based Manager, either for all assets in the ADOM, or for each individual asset. For details, see “Configuring the ADOM’s connections from FortiScan agents” on page 105.
Caution: Do not enable this option unless necessary. Some hosts, such as domain controllers for Microsoft Active Directory, could potentially list thousands of users, causing detailed surveys to take a significant amount of time to generate and send to the appliance.

ENABLE_GROUPS

Disable or enable including a list of all configured user groups with each detailed survey.
• 0: Disable (default). For example: ENABLE_GROUPS=0
• 1: Enable. For example: ENABLE_GROUPS=1
Alternatively, this setting can be configured through the appliance’s Web-based Manager, either for all assets in the ADOM, or for each individual asset. For details, see “Configuring the ADOM’s connections from FortiScan agents” on page 105.
Caution: Do not enable this option unless necessary. Some hosts, such as domain controllers for Microsoft Active Directory, could potentially list thousands of user groups, causing detailed surveys to take a significant amount of time to generate and send to the appliance.

CHECK4DISPATCH_INTERVAL

Type the dispatch polling interval, in seconds. For example:
CHECK4DISPATCH_INTERVAL=1200
Alternatively, this setting can be configured through the appliance’s Web-based Manager, either for all assets in the ADOM, or for each individual asset. For details, see “Configuring the ADOM’s connections from FortiScan agents” on page 105.

COMMAND_CHANNEL_INTERVAL

Type the command channel interval, in seconds. For example:
COMMAND_CHANNEL_INTERVAL=600
Alternatively, this setting can be configured through the appliance’s Web-based Manager, either for all assets in the ADOM, or for each individual asset. For details, see “Configuring the ADOM’s connections from FortiScan agents” on page 105.

ADD_EM_CERTIFICATE_TO_SYSTEM_STORE

Disable or enable adding the FortiScan appliance’s PKI server certificate to the host’s store of trusted certificates, instead of the installation’s certificate store, either:
• false (or the setting is omitted): Disable (default).
• true: Enable.
For example:
ADD_EM_CERTIFICATE_TO_SYSTEM_STORE=true
For details, see “FortiScan agent files and permissions” on page 149.

PRIORITY

Type the service/daemon priority, either: high, low (default), or idle.
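Because the push installer appends your Agent Client Configuration settings without validating them, and only the last instance of a repeated property takes effect, it helps to compute the effective settings yourself before pushing. The following Python script is an added example, not part of this guide or of the agent; the seclient.conf content and the appended settings are constructed samples, and the allowed values are those documented in the property list above (the script assumes the agent accepts exactly those values and passes through any property not listed).

```python
# Constructed sample of a seclient.conf as installed on a host, followed by the
# text typed into the push installer's Agent Client Configuration pane. Both are
# illustrative; neither is copied from a real agent.
EXISTING_CONF = """\
# FortiScan agent settings (constructed sample)
EM_SERVER=10.0.0.1
ADOM_NAMES="CompanyA"
DEBUG=0
PRIORITY=low
"""

APPENDED_SETTINGS = """\
EM_SERVER=fortiscan.example.com
ADOM_NAMES="CompanyA,CompanyB"
CHECK4DISPATCH_INTERVAL=1200
DEBUG=1
"""

REQUIRED = ("EM_SERVER", "ADOM_NAMES")
# Values the property list above documents for each property (assumption: the
# agent accepts exactly these; properties not listed here are passed through).
ALLOWED = {
    "KEEP_CUR_ADOM": {"0", "1"},
    "DEBUG": {"0", "1"},
    "ENABLE_USERS": {"0", "1"},
    "ENABLE_GROUPS": {"0", "1"},
    "ADD_EM_CERTIFICATE_TO_SYSTEM_STORE": {"true", "false"},
    "PRIORITY": {"high", "low", "idle"},
}
INTEGER = ("CHECK4DISPATCH_INTERVAL", "COMMAND_CHANNEL_INTERVAL")


def parse_properties(text):
    """Yield (name, value) for each KEY=VALUE line, skipping blanks and # comments.
    Surrounding double quotes are kept so a rewritten file matches the examples."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        yield name.strip(), value.strip()


def effective_settings(existing, appended):
    """Apply the agent's rule: the file is existing + appended, and when a
    property appears more than once only the LAST instance takes effect."""
    effective = {}
    for name, value in parse_properties(existing + "\n" + appended):
        effective[name] = value  # later assignments overwrite earlier ones
    return effective


def check_settings(effective):
    """Return the problems a pre-push sanity check catches (the push installer
    itself does not validate the file, as noted above)."""
    problems = []
    for name in REQUIRED:
        if not effective.get(name):
            problems.append("%s is required" % name)
    for name, value in effective.items():
        bare = value.strip('"')
        if name in ALLOWED and bare not in ALLOWED[name]:
            problems.append("%s=%s is not one of %s" % (name, value, sorted(ALLOWED[name])))
        elif name in INTEGER and not bare.isdigit():
            problems.append("%s must be an integer number of seconds" % name)
    return problems


def render(effective):
    """Write the de-duplicated file: one line per property, in first-seen order."""
    return "".join("%s=%s\n" % (name, value) for name, value in effective.items())


if __name__ == "__main__":
    settings = effective_settings(EXISTING_CONF, APPENDED_SETTINGS)
    print(render(settings))
    print(check_settings(settings) or "no problems found")
```

Running the script shows that the appended EM_SERVER, ADOM_NAMES and DEBUG lines override the earlier ones while PRIORITY survives from the existing file, which is the same result the agent would compute from the appended file; render() produces the de-duplicated version the guide suggests keeping for clarity.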

Customizing push installer scripts
During the course of normal operation, the push installer will log in to each host and install the FortiScan agents using utilities (e.g. make directories, copy files, set privileges, etc.) on the host’s operating system (OS). If the host’s OS has been customized, the push installer’s assumptions about its dependencies, such as where to find those utilities, may be incorrect. This could cause the push installer to fail.


For example, the push installer requires the sudo command on Linux. If the sudo executable is not located in the /bin/sh directory, or if this command has been aliased, then the push installer will fail. If you are using the desktop application version of the push installer, you may be able to correct this.
To customize the push installer script:
1. Launch the Windows desktop application version of the push installer. See “Launch: desktop vs. web-based push installer” on page 124.
2. On your management computer, go to C:\FSC_Pushinstaller.
3. Use a plain text editor to modify:
• custom_prompts.properties
• unix-login-commands.properties
To add multiple values to a property, separate each one with a space.
4. Retry the push install.

Example: Custom command prompt
The push installer doesn’t look for the entire command prompt when it logs in to a host. It parses the prompt for default characters normally found at the end of the command prompt, such as $, %, and >. However, the command prompt on UNIX-like hosts such as Linux and Solaris can be modified. It might instead consist of the host name and/or user name followed by a hash (#), for example:
username@hostname#
The $, %, and > characters are not found in the above prompt. As a result, the push install would fail. To recognize the custom command prompt in the push installer scripts, you would locate the following lines in the push installer’s custom_prompts.properties file:
#com.se.ce.pushinst.userprompts= $ % >
#com.se.ce.pushinst.userprompts= #
and remove the initial hash (#) to un-comment the line where the prompt itself is a hash:
com.se.ce.pushinst.userprompts= #
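To see how the un-commented line changes prompt recognition, here is an added Python example; it is not the push installer’s own code, whose implementation this guide does not show. It assumes that the installer treats the space-separated values of an active com.se.ce.pushinst.userprompts line as the set of prompt terminators, falls back to $, % and > when no line is active, and accepts a received line as the prompt when it ends with one of those characters. The properties excerpt and the login transcript are constructed.

```python
# Constructed excerpt of custom_prompts.properties in the state described above:
# the default line is still commented out and the "#" prompt line has been
# un-commented (sample file, not copied from a real installation).
CUSTOM_PROMPTS = """\
#com.se.ce.pushinst.userprompts= $ % >
com.se.ce.pushinst.userprompts= #
"""

# Prompt terminators the installer looks for when no custom line is active
# (the $, % and > characters named in the text above).
DEFAULT_PROMPT_CHARS = ("$", "%", ">")
PROMPT_KEY = "com.se.ce.pushinst.userprompts"

# Constructed login output, as the installer might read it over SSH from a host
# whose prompt ends in a hash.
SESSION_LINES = [
    "Last login: Fri Jun 24 16:26:31 2011 from 10.0.0.5",
    "Welcome to hostname",
    "username@hostname# ",
]


def load_prompt_chars(properties_text, key=PROMPT_KEY):
    """Collect the space-separated values of every active (non-commented) `key`
    line. Assumption: a line starting with '#' is a comment even when its value
    is itself '#', so a file with only commented lines falls back to the defaults."""
    chars = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if name.strip() == key:
            chars.extend(value.split())  # multiple values are separated by spaces
    return chars or list(DEFAULT_PROMPT_CHARS)


def is_prompt(line, prompt_chars):
    """True if the line, ignoring trailing spaces, ends with one of the prompt
    characters (assumption: this is the check the installer applies)."""
    stripped = line.rstrip(" ")
    return any(stripped.endswith(c) for c in prompt_chars)


def find_prompt(lines, prompt_chars):
    """Index of the first line recognised as a prompt, or None when the installer
    would keep waiting for a prompt that never matches (the failure described above)."""
    for i, line in enumerate(lines):
        if is_prompt(line, prompt_chars):
            return i
    return None


if __name__ == "__main__":
    print("defaults:", find_prompt(SESSION_LINES, list(DEFAULT_PROMPT_CHARS)))  # None
    print("custom:  ", find_prompt(SESSION_LINES, load_prompt_chars(CUSTOM_PROMPTS)))  # 2
```

With the default characters no line of the transcript is accepted as a prompt, which is the hang the text describes; once the hash line is active, the third line matches. Adding # to the default line instead (com.se.ce.pushinst.userprompts= $ % > #) keeps the standard prompts working as well.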

Using the MSI installer The MSI installer can install, upgrade, or uninstall the FortiScan agent on a single, local Windows host. You can download the FortiScan agent MSI installer from the Web-based Manager of the FortiScan appliance. To download the MSI installer: 1. Log in to your management computer. 2. Open a web browser. 3. Log in the FortiScan appliance as the admin administrator. Alternatively, log in as any account whose Role is Administrator, go to Asset > Inventory > Agent Installation, then skip to step 7.

Fortinet Technologies Inc.

Page 138

FortiScan v5.0 MR1 Administration Guide

4. From Current ADOM, select Global. The menu in the next step is not available unless Current ADOM is Global.
5. Go to System > Dashboard > Status.
6. In the System Information widget, in the Firmware Version field, select Update. The Firmware Upgrade dialog appears, which includes icons that enable you to download the standalone MSI installer.

Figure 47: Firmware upgrade dialog box

7. In the Download Agent Software column, select Windows. Depending on your browser’s configuration, a dialog may appear that asks where to save the file. Your browser downloads the MSI installer file (FortiScanAgent.exe). Time required varies by the file size and speed of your network connection.

When the download finishes, continue by installing the FortiScan agent. For details, see “Running the MSI installer” on page 140.

System requirements The MSI installer requires Microsoft Windows. It also requires dependencies which are common to Microsoft platforms, including Microsoft .Net 2.0 which itself requires Microsoft Installer 3.0 or later. The MSI installer will install these common dependencies if and only if they are not already installed. (For example, Windows 7 ships with Microsoft Installer 5.0 already installed.) Uninstalling the FortiScan agent will not remove these common dependencies as other software applications may have established dependencies as well.

Network and firewall requirements

All hosts must be able to make outgoing connections to the FortiScan appliance in order to complete registration and other normal operations. For more information on port numbers required by the FortiScan agent itself, see “Network and firewall requirements” on page 120.

If connecting to the trial license of FortiScan-VM or a LENC version of FortiScan, the asset must be able to use DES encryption of 64-bit strength or less during HTTPS or SSH handshakes. (RC2, RC4, and DES with less than 64-bit strength are supported. AES and 3DES are not supported in these versions.) Note that these are export-grade ciphers that are considered weak; a host hardened to refuse them (for example, through a system-wide TLS or SSH cipher policy) will not be able to register with a trial or LENC appliance.


Table 17: MSI installer — Required outbound port numbers on target hosts

Port Number   Description
TCP 443       Download of appliance’s PKI server certificate
TCP 4443      Registration
TCP 8449      Update of appliance’s PKI server certificate

Running the MSI installer

The MSI installer must be run from the Windows command line, either manually or programmatically. It requires certain command line parameters that are not available when simply double-clicking the installer, nor when selecting it from Programs and Features (Add/Remove Programs on Windows XP) in the Control Panel.

To run the MSI installer:

1. Copy the MSI installer to the host where you want to install the FortiScan agent.
2. Log in to the target host using an account with Administrator privileges.
3. Open Internet Explorer, go to Tools > Internet Options, then select the Advanced tab. In the Security section, disable Check for server certificate revocation and select OK. Close Internet Explorer.
   Failure to complete this step will cause the installation to fail. The FortiScan appliance uses a factory default PKI server certificate for SSL encryption only, which is not designed for authentication using typical certificate trust chains. As a result, certificate revocation checks will cause the certificate to be rejected.
   This setting is not specific to the installer: it also turns off revocation checking for every other HTTPS connection that Internet Explorer makes under that user account. Re-enable it once the agent has registered.
4. Select the Start (Windows logo) menu to open it. If the host is running Windows XP, instead, go to Start > Run...
5. Type cmd then press Enter. The Windows command line appears.
6. Enter the command to change directories to the location where you copied the MSI installer. For example, if you copied the MSI installer to the directory named Downloads in your home directory, you would enter:
   cd Downloads
7. Enter the command to run the MSI installer.


Figure 48:Command window

The MSI installer will not reject your command if you omit required parameters. However, omitting a required parameter will cause the installation to fail. For example, the MSI installer does not verify that you have typed the parameter that defines the FortiScan appliance’s address, but the agent’s attempt to connect to the appliance cannot succeed without that parameter. Omitting it will cause the installation to fail.

Basic FortiScan agent MSI installer command syntax is:

"FortiScanAgent.exe" /quiet /log "C:\FortiScan_install.log" EM_SERVER="<appliance_address>" ADOM_NAMES="<ADOM_names>"

(all one line; include a space between install.log" and EM_SERVER) where:
• "FortiScanAgent.exe" is the path and file name of the MSI installer, relative to the current directory
• /quiet suppresses any alerts or dialogs (recommended); for more optional parameters, see Table 18, “Common MSI installer parameters,” on page 143
• /log "C:\FortiScan_install.log" creates an installation log file
• <appliance_address> is the IP address or host name of the FortiScan appliance
• <ADOM_names> is a comma-delimited list of the names of the administrative domains (ADOMs) to which the asset is assigned on the FortiScan appliance

For more MSI installer parameters, see Table 19, “Parameters for the FortiScan agent MSI installer,” on page 143.

The host retrieves the agent configuration file and public key infrastructure (PKI) server certificate of the appliance (see “FortiScan agent files and permissions” on page 149). These files are downloaded to the %SystemRoot%\seclient directory. If the installer does not retrieve the PKI files and the installation fails, the host could be rejecting the certificate either due to errors connecting with the certificate issuer’s server, or due to certificate revocation. To work around this, you must disable checking for revoked certificates or manually add the certificate to the store of trusted certificates (see step 3). During the next installation attempt, the certificate should be accepted.
The MSI installer is an asynchronous application with no return code. That is, control of the host is returned immediately to you after executing the FortiScan agent MSI installer. Actual installation, however, may take several minutes depending on the host’s hardware speed and load. Unless you use a parameter such as /passive to display a progress bar, you will have no indicator that the MSI installer has finished. To verify that the agent has been installed, continue with “To verify the installation (Windows):”.


8. If a Windows dialog appears that asks you whether or not to allow the program to make changes to the computer, select Yes.

To verify the installation (Windows):

1. Press Ctrl + Alt + Delete to open the Windows Task Manager and verify that the service named FortiScan_Agent (or process named sps.exe) is running.
2. Log in to the FortiScan appliance and view the ADOM’s asset inventory to determine whether the FortiScan agent has successfully registered with it. Especially when you have simultaneously installed the agent on many hosts, this could take several minutes.
3. If the service does not appear to be running and the FortiScan appliance never received a registration connection from the agent, the installation may have failed. To determine the cause and point of the failure, it may be useful to:
   • Open the installation log file (in the MSI installer command line example, C:\FortiScan_install.log) and examine it for messages that indicate the point of failure.
   • Look for the agent’s files (see “FortiScan agent files and permissions” on page 149).
   • Look for entries in Programs and Features (on earlier versions of Windows, Add/Remove Programs) in the Control Panel.
   • Look for entries in the Windows registry (HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiScan agent).
   If the installation failed, verify that:
   • firewalls and routing between the appliance and the host do not block communications
   • you are using an account on the host that has Administrator privileges
   • the host has Windows Installer
   • you are using correct syntax for the MSI installer command
   • if you are logged in to the host remotely, the Group Policy Object that governs your account is configured to allow remote users to authenticate as themselves, rather than as the Guest account. For information on how to do this, see step 3 in “To enable remote users to authenticate as themselves:”.
If you need to open a ticket with Fortinet Technical Support, you may need to re-install the FortiScan agent with debug logging enabled. See “DEBUG” on page 136 (for the push installer) or “DEBUG” on page 145 (for the MSI installer).
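The following PowerShell script is an added example, not code from the guide or from Fortinet. It runs the MSI installer with the required parameters from an elevated session, waits for the FortiScan_Agent service, and then performs the checks listed above (service, registry key, retrieved files, installer log) so that the asynchronous installer can be driven from a script with a real pass/fail result. The appliance address, ADOM name, installer path and log path are placeholders. Two further assumptions are outside the guide: the registry value CertificateRevocation under the current user’s Internet Settings key is the setting behind Internet Explorer’s Check for server certificate revocation option (step 3 of the procedure), and the “Installation success or error status” line is the status line that Windows Installer writes at the end of a verbose log.

```powershell
# Added example (not the guide's or Fortinet's code): install the FortiScan
# agent with the MSI installer and verify the result as the guide describes.
# Placeholders: $Installer, $Appliance, $AdomNames, $LogPath.
param(
    [string]$Installer  = "$PSScriptRoot\FortiScanAgent.exe",
    [string]$Appliance  = 'fortiscan.example.com',
    [string]$AdomNames  = 'All',
    [string]$LogPath    = 'C:\FortiScan_install.log',
    [int]$TimeoutSec    = 600
)
$ErrorActionPreference = 'Stop'

function Test-TcpPort {
    # TcpClient with a timeout; works on Windows 7 / 2008 R2, which lack
    # Test-NetConnection.
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $iar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $iar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($iar)
        return $client.Connected
    } catch { return $false } finally { $client.Close() }
}

# 1. Pre-flight: the outbound ports from Table 17 must be reachable, otherwise
#    the installer appears to succeed but the agent can never register.
foreach ($port in 443, 4443, 8449) {
    if (-not (Test-TcpPort -Server $Appliance -Port $port)) {
        throw "Cannot reach $Appliance on TCP $port; fix firewall/routing first."
    }
}

# 2. Step 3 of the procedure: disable IE's revocation check, remembering the
#    previous value so it can be restored once the agent is installed.
#    CertificateRevocation is assumed to be the registry value behind that
#    option (per user: run this as the Administrator account doing the install).
$ieKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$oldRev = (Get-ItemProperty -Path $ieKey -Name CertificateRevocation -ErrorAction SilentlyContinue).CertificateRevocation
Set-ItemProperty -Path $ieKey -Name CertificateRevocation -Value 0 -Type DWord

$svc = $null
try {
    # 3. Run the installer. It returns immediately with no exit code, so
    #    -Wait (which also waits for child processes) is only a first step;
    #    the service poll below is the real completion check.
    $cmdArgs = "/quiet /log `"$LogPath`" EM_SERVER=`"$Appliance`" ADOM_NAMES=`"$AdomNames`" CERT=`"EM_SERVER`""
    Start-Process -FilePath $Installer -ArgumentList $cmdArgs -Wait -NoNewWindow

    # 4. Wait for the FortiScan_Agent service (process sps.exe) to be running.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $svc = Get-Service -Name FortiScan_Agent -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') { break }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
} finally {
    # Restore the revocation check; leaving it off weakens every other
    # HTTPS connection this account makes through Internet Explorer.
    if ($null -ne $oldRev) {
        Set-ItemProperty -Path $ieKey -Name CertificateRevocation -Value $oldRev -Type DWord
    } else {
        Remove-ItemProperty -Path $ieKey -Name CertificateRevocation -ErrorAction SilentlyContinue
    }
}

# 5. The checks from "To verify the installation (Windows)". .ceid is hidden,
#    so -Force is needed to see it.
$dir = Join-Path $env:SystemRoot 'seclient'
$checks = [ordered]@{
    'FortiScan_Agent service running' = [bool]($svc -and $svc.Status -eq 'Running')
    'registry key present'            = Test-Path 'HKLM:\SOFTWARE\Fortinet\FortiScan agent'
    'em.cer retrieved'                = Test-Path (Join-Path $dir 'em.cer')
    'seclient.conf retrieved'         = Test-Path (Join-Path $dir 'seclient.conf')
    '.ceid generated'                 = [bool](Get-ChildItem -Path $dir -Filter '.ceid' -Force -ErrorAction SilentlyContinue)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-34} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}

# 6. Windows Installer ends a verbose log with its numeric status; 0 is
#    success, anything else is where to start reading the log.
$status = Select-String -Path $LogPath -Pattern 'Installation success or error status: (\d+)' -ErrorAction SilentlyContinue |
          Select-Object -Last 1
if ($status) { "MSI status: $($status.Matches[0].Groups[1].Value) (0 = success)" }

if ($checks.Values | Where-Object { -not $_ }) { exit 1 }
```

Run it from an elevated PowerShell session on the target host. It is written for an interactive Administrator session, not for the GPO startup context of Example 3: a startup script runs as SYSTEM, whose HKCU hive is not the one an interactive user sees, so the revocation-check step would have to be handled for that profile instead. A host that passes every check but never shows up as Registered on the appliance points to the registration path (TCP 4443) or to the “first come, first served” queuing described under “Registering agents with the appliance”.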

About MSI installer parameters

The FortiScan agent MSI installer requires some parameters; others are optional. The most important parameters allow the newly-installed FortiScan agent to communicate with the FortiScan appliance. These include the FortiScan appliance’s address and certificate and the names of the administrative domains (ADOMs) to which the host belongs.

The MSI installer will not reject your command if you omit required parameters. However, omitting a required parameter will cause the installation to fail. For example, the MSI installer does not verify that you have typed the parameter that defines the FortiScan appliance’s address, but the agent’s attempt to connect to the appliance cannot succeed without that parameter.

MSI installers in general support a number of options provided by Microsoft. For details, see: http://msdn2.microsoft.com/en-us/library/aa367988.aspx


Typically, you might employ the following Microsoft options with the FortiScan agent MSI installer:

Table 18: Common MSI installer parameters

Option     Description
/quiet     Silent install, not visible to end users. No user intervention available. Recommended for most deployments.
/passive   Semi-silent install, with progress dialogs displayed. Cancel intervention is available but no user intervention is required. This is the default.
/log       Log the progress of the installation to a file. Type the full path of the log file, such as C:\MySubdirectory\FortiScan_install.log.

The FortiScan agent MSI installer also supports a number of FortiScan-specific parameters to fetch or manage certain files. These parameters consist of named property-value pairs. Properties should be all uppercase followed by an equal sign (=) and then the value. Values that include spaces (such as filenames) should be surrounded in quotes (").

Table 19: Parameters for the FortiScan agent MSI installer

Option          Description
EM_SERVER       The IP address or host name of the FortiScan appliance. For example:
                EM_SERVER=10.0.0.51
                EM_SERVER=FortiScan
                EM_SERVER=fortiscan.example.com
                Note: This setting is required.
ADOM_NAMES      The names of the administrative domains (ADOMs) to which the agent belongs on the FortiScan appliance (see “Administrative Domains (ADOMs)” on page 93). For example:
                ADOM_NAMES="CompanyA,CompanyB"
                Note: This setting is required.
KEEP_CUR_ADOM   Disable or enable using the ADOM to which the asset identified by this agent’s CEID is currently assigned, either:
                • 0: Disable (default). For example: KEEP_CUR_ADOM=0
                • 1: Enable. For example: KEEP_CUR_ADOM=1


Table 19: Parameters for the FortiScan agent MSI installer (continued)

Option          Description
CERT            One of the following:
                • EM_SERVER: Query the appliance during installation to retrieve its server certificate (the installation will fail if the certificate query fails). For example:
                  CERT="EM_SERVER"
                • the full path in quotes of a local directory or Windows network share where you have already downloaded the FortiScan appliance’s PKI server certificate file. For example, either:
                  CERT="C:\temp\ExampleCertificate.cer"
                  or
                  CERT="\\HostName\share\MyFiles\ExampleCertificate.cer"
                • none (equivalent to EM_SERVER)
                The file copied to the FortiScan agent installation directory is automatically renamed to em.cer. For the location of the certificate file, see “FortiScan agent files and permissions” on page 149.
                Retrieving the certificate from the appliance at installation time is a trust-on-first-use exchange: whatever answers at the EM_SERVER address during installation becomes the server the agent trusts. Distributing a copy of the certificate that you obtained out of band (the local path or network share form) avoids that window, provided the share itself cannot be written to by untrusted users.


Table 19: Parameters for the FortiScan agent MSI installer (continued)

Option          Description
CEID            One of the following:
                • KEEP: Look for a previous .ceid file on the computer. If it exists, the newly installed FortiScan agent will use the same CEID. For example:
                  CEID="KEEP"
                • REMOVE: Generate a new .ceid file when the FortiScan agent starts. If a .ceid file might already exist on the host, and you want to delete it and generate a new one, use this option. This causes the appliance to add the host to the asset inventory as if it were a new, previously unknown host, and receive a new CEID. Asset data associated with the old CEID will remain in the appliance’s database until it is deleted, but will not be associated with this new agent installation. The appliance will regard the two data sets as if they belong to physically separate assets.
                  This option can be useful when asset data associated with that CEID in the FortiScan appliance’s database is no longer applicable, or was generated by a different host that accidentally used that same CEID in the past. For example, if the host has been formatted, reinstalled, and reassigned to a different department in a different ADOM, and you want to disassociate any legacy data from that CEID, you would use this option. For example:
                  CEID="REMOVE"
                • none (equivalent to KEEP)
                For the location of the .ceid file, see “FortiScan agent files and permissions” on page 149.
                Caution: If you want to make a Norton Ghost image of the host’s FortiScan agent installation and then deploy it to multiple separate hosts, you must delete the .ceid file before making the master image. Failure to delete the .ceid file will cause disconnection and merged data issues when multiple hosts with the same CEID connect to the appliance.
DEBUG           Disable or enable debugging, either:
                • 0: Disable (default). For example: DEBUG=0
                • 1: Enable. For example: DEBUG=1
                Caution: Do not enable this option unless requested by Fortinet Technical Support. Log files may be large. For the location of debug files, see “FortiScan agent files and permissions” on page 149.

Example 1: Progress indicator & custom certificate file

In this FortiScan agent MSI installer command example, the FortiScan appliance is specified by fully qualified domain name (FQDN) (EM_SERVER="fortiscan.example.com") rather than by IP address. All agents belong to a single ADOM, named All. The command specifies that the PKI server certificate file for the FortiScan appliance can be retrieved from a Windows 7 computer’s network share (CERT="\\Win7Server\Share\FortiScanAppliance.cer"). Progress is displayed, though there is no user intervention, such as dialogs, required (/passive).

"FortiScanAgent.exe" /passive EM_SERVER="fortiscan.example.com" ADOM_NAMES="All" CERT="\\Win7Server\Share\FortiScanAppliance.cer"

Example 2: Reinstall and upgrade

Although the FortiScan agent has a feature to update itself, it is still possible to repair or upgrade the FortiScan agent using the MSI installer. In this FortiScan agent MSI installer command example, the FortiScan appliance is specified by IPv4 address (EM_SERVER="10.0.0.51"). All agents belong to a single ADOM, named All. The command does not specify a certificate file, instead indicating that it should be fetched from the FortiScan appliance at installation time (CERT="EM_SERVER"). Rather than performing a fresh installation, the installer will attempt to upgrade or repair existing installations (REINSTALL=ALL REINSTALLMODE=vomus).

"FortiScanAgent.exe" /quiet /log "C:\FortiScan_install.log" EM_SERVER="10.0.0.51" ADOM_NAMES="All" CERT="EM_SERVER" REINSTALL=ALL REINSTALLMODE=vomus

Example 3: Via Active Directory group policy objects

In this FortiScan agent MSI installer command example, the agent is installed using a startup script, via a group policy object in Microsoft Active Directory (AD). Group policy objects can be modified using the Microsoft Management Console (MMC). For details on how to create an organizational unit (OU) group policy object, see Microsoft’s documentation for Microsoft Active Directory.

To install the agent using a group policy object:

1. Download the MSI installer to a Windows network share. In this example, a network share named share_folder is on the Windows file server named AD_Server.
2. Log in to the AD domain controller.
3. Open the Microsoft Management Console. If it does not already have the Group Policy Object Editor snap-in, add it.
4. In your AD domain, group all target hosts into an organizational unit (OU).
5. Make sure that the file permissions of the Windows network share and the MSI installer give read and execute privileges to all hosts in the OU.
6. Create a group policy object for the OU.
7. Go to Computer Configuration > Windows Settings > Scripts > Startup.
8. Add a startup script similar to the following batch script:

@ECHO OFF
SET "ServerAndFolder=\\AD_Server\share_folder"
SET "FortiScanMSIInstaller=FortiScanAgent.exe"
SET "ShareDrive="
SET "TryDrives=U V W X Y Z"
SET "FortiScanAddress=10.0.0.51"
SET "ADOMNames=DeptA,DeptB"
SET "MSIInstallerLog=C:\FortiScan_install.log"
SET "ScriptFlag=C:\.FortiScan_installed"

REM Detect if the script flag file exists.
REM If yes, this script already installed the agent,
REM so cancel the install.
IF EXIST "%ScriptFlag%" GOTO END

REM If a drive letter is in use, pick a different one.
REM Use the last available drive letter in TryDrives.
FOR %%G IN (%TryDrives%) DO CALL :TRYDRIVE %%G

REM If no drive letters are free, stop.
IF "%ShareDrive%"=="" (
    ECHO No drive letters are available for the network share.
    GOTO END
)

REM We might be using the drive letter of a network share
REM whose connection timed out. (EXIST can give a false
REM negative in that case.) So try to delete the
REM drive letter first to catch that error condition and
REM make sure the subsequent mapping works.
net use %ShareDrive%: /d >NUL 2>&1
ECHO Mapping the drive
net use %ShareDrive%: "%ServerAndFolder%"

REM Install the agent (all one line).
"%ShareDrive%:\%FortiScanMSIInstaller%" /quiet /log "%MSIInstallerLog%" EM_SERVER="%FortiScanAddress%" ADOM_NAMES="%ADOMNames%"

REM Un-map the network share.
net use %ShareDrive%: /d

REM Create the script flag file, then hide it.
ECHO installed > "%ScriptFlag%"
attrib +H "%ScriptFlag%"
GOTO END

:TRYDRIVE
REM Subroutine: remember this letter if no drive is mapped to it,
REM then return to the caller (EXIT here would end the whole script).
IF NOT EXIST %1:\ SET "ShareDrive=%1"
GOTO :EOF

:END
EXIT

where:
• ServerAndFolder is a Windows network share where you have copied the FortiScan agent MSI installer
• FortiScanMSIInstaller is the path, relative to the Windows network share folder, and file name of the FortiScan agent MSI installer (use whichever is appropriate for your target hosts)
• TryDrives is a space-delimited list of drive letters; the script will try to map the last unused one, if any, to ServerAndFolder
• FortiScanAddress is the IP address or host name of the FortiScan appliance
• ADOMNames are the comma-delimited names of the two ADOMs to which the agent belongs on the FortiScan appliance
• MSIInstallerLog is the full path and file name of the log that the FortiScan agent MSI installer will write on each host to indicate whether it succeeded or failed
• ScriptFlag is a hidden file that the script places on each host to indicate that this script has already executed on that host before

The agent will be installed the next time the host restarts.

Registering agents with the appliance

When a host’s FortiScan agent is started for the first time, it will automatically attempt to connect to the FortiScan appliance to retrieve the appliance’s PKI server certificate and register with the ADOM’s asset inventory. (For port numbers, see “System requirements” on page 118.)

FortiScan appliances handle agent registration requests on a “first come, first served” basis. When the FortiScan agent software is initially deployed in an enterprise-sized network, a large number of FortiScan agents could be started in a relatively short span of time. Each of these FortiScan agents will initiate registration with the FortiScan appliance. As a result, a FortiScan agent might need to make several registration attempts before its registration connection succeeds. Allow up to 30 minutes after initial deployment for all FortiScan agents to complete the registration process.

If the installation succeeded but the registration fails, verify that firewalls and routers between each host and the appliance permit the registration connection (see “Network and firewall requirements” on page 120). For details on asset statuses, see “Agent scan status” on page 26.

To view the list of newly registered assets:

1. From Current ADOM, select an ADOM that is not Global. Asset inventories are specific to each ADOM. The menu in the next step is not available if Current ADOM is Global.
2. Go to Asset > Inventory > Asset Inventory.
3. In the asset group tree, go to View Filters > By Agent Scan Status > Registered.

Assets whose status is Registered are not yet subject to vulnerability analysis or policy enforcement by the FortiScan appliance. Policies cannot be evaluated until a survey is received and the host’s status becomes Protected. Time required varies by the hardware speed and network connectivity of each host, but typically takes 10 to 20 minutes.

Assigning FortiScan agents to the ADOM Assets are automatically assigned to the ADOM when you add them to the ADOM’s asset inventory via a FortiScan agent installation that references the ADOM by name. In some cases, however, you may want to assign or un-assign assets manually. For details, see “Manually assigning assets to an ADOM” on page 100.

FortiScan agent files and permissions

If you need to verify that the FortiScan agent has been successfully installed with correct permissions, it can be useful to know where it is located. FortiScan agent files are installed in a default location that varies by the operating system of its host.

Table 20: Default location of files

Operating System              Default Location of the FortiScan Agent Installation
Red Hat Linux, Fedora Linux   /opt/seclient
CentOS, Oracle Solaris        /opt/seclient
Microsoft Windows             %SystemRoot%\seclient and (if installed using the MSI installer) %SystemRoot%\Program Files\Fortinet\FortiScan Agent\seclient
                              Note: The default location of %SystemRoot% is C:\Windows (Windows 2008, 2003, 7, Vista, or XP).

Near the end of the installation, the installer attempts to start the agent, which attempts to connect to the appliance in order to retrieve the appliance’s PKI server certificate, and to register the agent with the asset inventory and receive a CEID. This results in these files being added to the installation directory:
• em.cer — Your FortiScan appliance’s PKI server certificate. Required for secure connections to the FortiScan appliance.
• seclient.conf — Customizable FortiScan agent configuration file.
• se_store.sto — The store of trusted PKI server certificates.

If these files are not present, the installer may not have been able to connect to the appliance to retrieve the certificate, or the server’s certificate may not be trusted. When installation is finished, the installation location contains the files described in Table 21 and Table 22.

The following tables omit files that are not modifiable and not useful in troubleshooting. They also omit files that may be present during installation but are later removed, such as .Net application files in the installation package on Windows hosts.

Table 21: FortiScan agent files in %SystemRoot%\seclient on Microsoft Windows

File                     Description
.ceid                    An asset ID. The CEID is a form of globally unique identifier (GUID) that enables the appliance to uniquely identify each separate agent in its database of assets. It is generated client-side using the host’s hardware information as a seed, and should be present regardless of whether or not the agent has registered with the FortiScan appliance, unless you have purposely deleted it in order to cause the agent to re-generate it. Hidden. See also the push installer option DelCEID.
Check4Dispatch.exe       Polls for dispatches, such as configuration updates, patch updates, or services that the agent should run. See “Check For Dispatch Interval (minutes)” on page 106.
ClientRegistration.exe   Registers the FortiScan agent with the appliance.
CommandChannel.exe       Retrieves directives from the appliance that the agent should execute, such as updating itself or stopping its service/daemon.
em.cer                   Your FortiScan appliance’s PKI server certificate. Required for secure connections with the FortiScan appliance.
                         Note: This file is found in %SystemRoot%\seclient, but not in %SystemRoot%\Program Files\Fortinet\FortiScan Agent\seclient.
LongSurvey.exe           Periodically sends a detailed survey of the host’s software and hardware. See “Detailed Asset Survey Intervals (minutes)” on page 106.
Periodic.dat             Created by the FortiScan agent during command channel communications.
se_store.sto             The store of trusted PKI server certificates.
                         Note: This file is found in %SystemRoot%\seclient, but not in %SystemRoot%\Program Files\Fortinet\FortiScan Agent\seclient.
SECertMgr.exe            Manages the appliance’s PKI server certificate.
seclient.conf            Customizable FortiScan agent configuration file. See “Editing a FortiScan agent’s settings file” on page 135.
                         Note: This file is found in %SystemRoot%\seclient, but not in %SystemRoot%\Program Files\Fortinet\FortiScan Agent\seclient.
sps.exe                  The FortiScan agent service/daemon executable.
Survey.exe               Periodically sends a short survey of the host’s software and hardware. See “Standard Asset Survey Interval (minutes)” on page 106.

Note: There may be additional files in %SystemRoot%\seclient, such as ClientRegistration.exe.log or sps.txt, if you installed the FortiScan agent with the flag DEBUG=1. See “DEBUG” on page 136 (for the push installer) or “DEBUG” on page 145 (for the MSI installer).

On Windows, the push installer sets FortiScan agents’ files’ Administrator permissions to Read-Only and SYSTEM permissions to Full Control; the MSI installer sets FortiScan agents’ files’ Administrator and SYSTEM permissions to Full Control.

Figure 49: FortiScan agent file permissions set by the MSI installer (Windows)


Refer to the following table.

Table 22: FortiScan agent files in /opt/seclient on Linux or Solaris

File            Description
.ceid           An asset ID. The CEID is a form of globally unique identifier (GUID) that enables the appliance to uniquely identify each separate agent in its database of assets. Hidden. See also the push installer option DelCEID.
SEClient.conf   Customizable configuration file. See “Editing a FortiScan agent’s settings file” on page 135.
                On Windows Vista and later, to edit this file, you must change the owner of the file to Administrator. (By default, depending on the installer that you use, Administrator may have read-only access.)
em.cer          Your FortiScan appliance’s PKI server certificate.
truststore      The store of trusted PKI server certificates.
sps             The FortiScan agent service/daemon executable.
bin             The Java Runtime Environment (JRE) and other native executables used by the agent.
lib             Executable libraries used by the agent.

On Linux or Solaris, the push installer sets the file permissions as follows:

chmod 640 /opt/seclient/SEClient.conf
chmod 640 /opt/seclient/truststore
chmod 755 /opt/seclient/local-uninstall
chmod 750 /opt/seclient

The file name of the daemon/service is either:
• sps.exe (on Microsoft Windows)
• sps (on Linux or Solaris)

When running, its process name is:
• sps.exe on Microsoft Windows, in the Processes tab of the Windows Task Manager (it is FortiScan_Agent in the Services tab of the Windows Task Manager)
• sps on Linux or Solaris, in the process list (ps)


Agentless Setup

Beyond simple port scans, FortiScan appliances’ network vulnerability scanner (also called a remote vulnerability scanner) can make more in-depth and accurate scans by logging in to your network’s assets. Similarly to surveys submitted by FortiScan agents, authenticated remote network vulnerability scans, located in the Network Scan menu, can audit things that port scans cannot, such as:
• patches and hot fixes
• environment variables
• installed non-network applications
• running services/daemons
• registry keys
• administrative file shares such as \\<hostname>\C$
• exact operating system (OS) and software version fingerprints

Authenticated network vulnerability scans can also detect vulnerabilities that may not have been detected if a host’s FortiScan agent was disabled or not installed.

To run authenticated network vulnerability scans, you must first prepare an account on your hosts. The FortiScan appliance will log in to run its scan using this account. You must then configure the FortiScan appliance with these authentication credentials. Because this account needs broad access on every host it scans, treat its credentials as a privileged credential: use a dedicated account for scanning rather than an existing administrator’s, and limit the hosts it is allowed to log in to.

Without an account with full access, the scan may fall back to an unauthenticated scan or use the limited account, and therefore be incomplete or contain false negatives and/or false positives.

Network and firewall requirements

Where you place the FortiScan appliance in your network relative to the hosts that you want to scan can affect the results of a network vulnerability scan, increasing false positives and false negatives. Differences in routing and firewall policies could block the network vulnerability scan from one source in your network, making it seem that a target host is safe, when an attack attempt from a different source in your network might actually be able to succeed. As a result, when performing a network vulnerability scan it is important to consider what type of scan you will run, and where you will attach the FortiScan appliance to your network.
• Will you run a simple port scan, or a more comprehensive, authenticated network vulnerability scan?
• Do you want to test the target host fully in order to harden it against vulnerabilities from any source, or only focus on vulnerabilities that are possible to execute from untrusted, risky sources in the network?

The best topology for executing a network vulnerability scan that reflects your risks in the real world may not be the same topology that is best for you when using other features on the FortiScan appliance, such as periodic survey and remediation connections with the FortiScan agents on your network. In this case, during a network vulnerability scan, you could temporarily attach the FortiScan appliance to access your network from a point that is most risky in terms of sources of attack. Then, after the scan completes, you could return the appliance to its usual location in the network. However, you should consider the risks inherent in assumptions about likely attack vectors. If a target host is a high-profile target, or its services are especially vulnerable, for example, you may decide that it is more appropriate to perform a comprehensive scan with no obstacles between the FortiScan appliance and the target host, so that you will know all possible vulnerabilities, regardless of an attack attempt’s source, and be able to harden the target host accordingly.

Fortinet strongly recommends that you do not scan for vulnerabilities on live web sites or other servers that must be highly available. Instead, duplicate the hosts in a test environment and perform the scan in that environment. If you do not rate limit the vulnerability scan, be aware that some servers or firewalls could perceive its rapid rate of requests as a denial of service (DoS) attack. Rapid access can also result in degraded network performance during the scan. You may need to configure the server and intermediary firewalls to omit rate limiting for connections originating from the IP address of the FortiScan appliance.

For a comprehensive vulnerability scan, use an authenticated network vulnerability scan instead of a simple port scan, and disable or modify firewalls that could block the scan. (Alternatively, you could temporarily connect the target host directly to the FortiScan appliance.) Especially if there is network address translation (NAT) between the appliance and the target host, you may also need to create a VPN tunnel between the appliance and the target host, configure port forwarding, or otherwise modify your network so that any traffic from the appliance can reach the target host. For instructions on how to do this, see the documentation for your router or firewall.

Table 23: Required listening port numbers on target hosts

Port number   Protocol   Purpose
22            TCP        SSH (Solaris and Linux)
139           TCP        File and printer sharing (Common Internet File System (CIFS)/Server Message Block (SMB) share; Windows)
445           TCP        File and printer sharing (Common Internet File System (CIFS)/Server Message Block (SMB) share; Windows)
137           UDP        File and printer sharing (Login and WINS/NetBIOS host name query; Windows)
138           UDP        File and printer sharing (Login and NetBIOS datagram; Windows)

Preparing Windows hosts

To scan Windows hosts using an authenticated network vulnerability scan, the FortiScan appliance must have a user account with local or domain Administrator privileges (depending on whether hosts are standalone or part of an Active Directory (AD) domain).

If you can configure the same user name and password and/or SNMP community string on each asset in your ADOM, such as for assets that belong to a Microsoft Active Directory (AD) domain, you can configure the FortiScan appliance once, with ADOM-wide login credentials, rather than configuring them separately for each asset. Time savings can be substantial. For details, see “Administrative Domains (ADOMs)” on page 93.

Hosts must also permit remote authentication, accept incoming connections, and allow remote registry and share access. Simple file sharing (SFS) must be disabled.

Many of these requirements can be configured using alternative methods, depending on your version of Windows:
• Windows XP
• Windows 7 or Windows Vista

Windows XP

The following instructions use the Microsoft Management Console (MMC) on either a standalone host with Windows XP or a domain controller. Complete all instructions in this section, and complete them in order.

To start MMC:
1. Using an Administrator account, log in to either:
• the scan’s target host (if accounts/settings are local to each host, i.e. standalone) or
• the domain controller (if accounts/settings are managed for all hosts through an AD domain)
If the target host is part of a domain, you must log in to the domain controller to manage the services required by the FortiScan appliance. Do not change settings locally. Otherwise, the changes will be removed the next time that the host synchronizes its information with the domain controller.
2. Go to Start > Run...
3. Type mmc and press Enter. The Microsoft Management Console (MMC) opens.

To add an administrator account:
1. If your MMC console does not have the snap-in for local or domain user accounts (depending on whether your network uses an AD domain), add it using the following steps. Otherwise, skip to step 6.
2. In the menu bar, go to File > Add/Remove snap-in... The snap-in dialog appears.
3. Select Add...
4. From the list of available snap-ins:
• for domains, select Active Directory Users and Computers
• for standalone hosts, select Local Users and Groups
5. Select Add, select Finish, select Close, then select OK. Local Users and Groups (Local) or <domain> > Users (depending on whether you have a standalone host or a domain) appears in the Console Root pane.
6. In the Console Root pane:
• for domains, go to <domain> > Users
• for standalone hosts, go to Local Users and Groups (Local) > Users
7. Select the Users node. The menu in the next step varies by your current selection, and will not be available unless the Users node is currently selected.
8. For domains, in the menu bar, go to Actions > New > User... For standalone hosts, in the menu bar, go to Actions > New User...
9. In User Name, type the name of the account, such as FortiScan, that the FortiScan appliance will use when it remotely authenticates to do a scan.
10. In Password and Confirm password, type a password for the FortiScan appliance’s account.

Enter a password of sufficient length and complexity to deter brute force and dictionary attacks, and change it regularly. Because the account will be granted Administrator privileges, a weak password could compromise the security of your host or domain.

11. Disable User must change password at next logon.
12. Select Finish (for domains) or Create, then select Close (for standalone hosts).
13. From the list of user accounts, right-select the FortiScan account, then select Properties. The account’s properties dialog appears.
14. Go to the Member Of tab.
15. Select Add...
16. In the field named Enter object names to select, type Administrators, then select Check Names. Your entry in Enter object names to select may be automatically completed to include the host name (for standalone hosts, the format is <host>\Administrators).

You can create an account that is not assigned to the Administrators group. However, scan results may not be as accurate, resulting in more false positives and/or false negatives.

For domains, the FortiScan account must be a Security type (not Distribution) and have global scope. For more information, see documentation from Microsoft.

17. Select OK twice. The FortiScan account has now been created and added as a member to the Administrators group. To test the new account, log in locally on the host that will be the target of the scan using the FortiScan account.

To enable required services and disable incompatible ones:
1. If your MMC console does not have the snap-in for Services or Group Policy Objects (depending on whether or not your network uses an AD domain), add it using the following steps. Otherwise, skip to step 7.
2. In the menu bar, go to File > Add/Remove snap-in... The snap-in dialog appears.
3. Select Add...
4. From the list of snap-ins:
• for domains, select Group Policy Object Editor
• for a standalone host, select Services
5. If Group Policy Object does not contain the name of the host or domain policy that you want to configure, select Browse to change it.
6. Select Finish, select Close, then select OK.
7. In the Console Root pane:
• for domains, go to <policy> > Computer Configuration > Windows Settings > Security Settings > System Services
• for standalone hosts, go to Services (Local)
8. Select the System Services or Services (Local) node. The settings required for the next step become visible in the right pane once you have selected the correct node.
9. Configure the following settings:

Setting             Startup Type
Remote Registry     Automatic
Server              Automatic
Windows Firewall    Automatic

To configure a setting, double-select it. The setting’s properties dialog will appear. Then, from Startup type, select Automatic, then select OK.

To enable remote users to authenticate as themselves:
1. If your MMC console does not have the snap-in for Group Policy Objects, add it using the following steps. Otherwise, skip to step 3.
2. In the Console Root pane:
• for domains, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
• for standalone hosts, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
3. Configure Network access: Sharing and security model for local accounts to be Classic - local users authenticate as themselves. This also has the effect of disabling simple file sharing (SFS). Disabling SFS is a requirement for authenticated network vulnerability scans.

To add Windows Firewall exceptions:

Verify that firewall and other security designs in your network prevent administrative and unsolicited connections from hosts other than the FortiScan appliance. Failure to properly restrict access could weaken the security of your network when Group Policy Objects are modified as required by authenticated scans.

1. If your MMC console does not have the snap-in for Services or Group Policy Objects (depending on whether or not your network uses an AD domain), add it using the following steps. Otherwise, skip to step 7.
2. In the menu bar, go to File > Add/Remove snap-in... The snap-in dialog appears.
3. Select Add...
4. From the list of snap-ins:
• for domains, select Group Policy Object Editor
• for standalone hosts, select Services

5. If Group Policy Object does not contain the name of the host or domain that you want to configure, select Browse to change it.
6. Select Finish, select Close, then select OK.
7. In the Console Root pane:
• for domains, go to <policy> > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
• for standalone hosts, go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile
8. Select the Domain Profile or Standard Profile node. The settings required for the next step become visible in the right pane once you have selected the correct node.
9. Configure the following settings:

Setting                                                       State
Windows Firewall: Protect all network connections             Enabled
Windows Firewall: Allow remote administration exception       Enabled; Allow unsolicited incoming messages from:
Windows Firewall: Allow file and printer sharing exception    Enabled; Allow unsolicited incoming messages from:
Windows Firewall: Allow ICMP exceptions                       Enabled; Allow inbound echo request

To test administrative share access:
1. Log in to a management computer running Windows. To verify routing and networking, the computer should be on the same subnet and receive the same firewall and routing policies as the FortiScan appliance.
2. Go to Start > Run...
3. Enter the command:
net use Z: \\<host>\C$ /user:<domain>\<user> /persistent:no
(all on one line; be sure there is a single space between <user> and /persistent) where:
• Z: is any unused drive letter on the management computer that can be temporarily mapped to a network share
• <host> is the IP address or Windows host name of the remote host that will receive an authenticated scan
• <domain> is the name of your AD domain; for standalone hosts, omit <domain>\
• <user> is the name of the Windows user account the FortiScan appliance will use to authenticate
4. Enter the password for <user>. If the test is successful, the command window displays the message The command completed successfully. Open the network drive in Windows Explorer. The full contents of the remote host’s C$ administrative share should be readable.

To test registry access:
1. Log in to a management computer running Windows. To verify routing and networking, the computer should be on the same subnet and receive the same firewall and routing policies as the FortiScan appliance.
2. Go to Start > Run...
3. Type cmd and press Enter.
4. Enter the command:
runas /user:<domain>\<user> "cmd /k reg.exe query \\<host>\HKLM\Software"
(all on one line; be sure there is a single space between query and \\<host>) where:
• <domain> is the name of your AD domain; for standalone hosts, omit <domain>\
• <user> is the name of the Windows user account the FortiScan appliance will use to authenticate
• <host> is the IP address of the remote host that will receive an authenticated scan
5. Enter the password for <user>. If the test is successful, a new command window appears and lists the HKLM\Software part of the remote host’s registry tree.

Windows 7 or Windows Vista

The following instructions use the Microsoft Management Console (MMC) on a standalone host with Windows 7. Complete all instructions in this section, and complete them in order.

To start MMC:
1. Using an Administrator account, log in to the scan’s target host.
2. Select the Start (Windows logo) menu to open it. Alternatively, press the Windows logo key on your keyboard.
3. Place your cursor in the Search programs and files input field.
4. Type mmc and press the Enter key. The Microsoft Management Console (MMC) opens.

To add an administrator account:
1. If your MMC console does not have the snap-in for local user accounts, add it using the following steps. Otherwise, skip to step 5.
2. In the menu bar, go to File > Add/Remove snap-in... The snap-in dialog appears.
3. From the list of available snap-ins, select Local Users and Groups.
4. Select Add >, select Finish, then select OK. Local Users and Groups (Local) appears in the Console Root pane.
5. In the Console Root pane, go to Local Users and Groups (Local) > Users.
6. Select the Users node. The menu in the next step varies by your current selection, and will not be available unless the Users node is currently selected.
7. In the menu bar, go to Action > New User...
8. In User Name, type the name of the account, such as FortiScan, that the FortiScan appliance will use when it remotely authenticates to do a scan.
9. In Password and Confirm password, type a password for the FortiScan appliance’s account.

Enter a password of sufficient length and complexity to deter brute force and dictionary attacks, and change it regularly. Because the account will be granted Administrator privileges, a weak password could compromise the security of your host or domain.

10. Disable User must change password at next logon.
11. Select Create, then select Close.
12. From the list of user accounts, double-select the FortiScan account. The account’s properties dialog appears.
13. Go to the Member Of tab.
14. Select Add...
15. In the field named Enter the object names to select, type Administrators, then select Check Names. Your entry in Enter the object names to select may be automatically completed to include the host name (for standalone hosts, the format is <host>\Administrators).

You can create an account that is not assigned to the Administrators group. However, scan results may not be as accurate, resulting in more false positives and/or false negatives.

For domains, the FortiScan account must be a Security type (not Distribution) and have global scope. For more information, see documentation from Microsoft.

16. Select OK twice. The FortiScan account has now been created and added as a member to the Administrators group. To test the new account, log in locally on the host that will be the target of the scan using the FortiScan account.

To enable required services and disable incompatible ones:
1. If your MMC console does not have the snap-in for Services, add it using the following steps. Otherwise, skip to step 5.
2. In the menu bar, go to File > Add/Remove snap-in... The snap-in dialog appears.
3. From the list of available snap-ins, select Services.
4. Select Add >, select Finish, then select OK. Services (Local) appears in the Console Root pane.
5. In the Console Root pane, go to Services (Local).
6. Select the Services (Local) node. The settings required for the next step become visible in the right pane once you have selected the correct node.
7. Configure the following settings:

Setting             Startup Type
Remote Registry     Automatic
Server              Automatic
Windows Firewall    Automatic

To configure a setting, double-select it. The setting’s properties dialog will appear. Then, from Startup type, select Automatic, then select OK.

To enable remote users to authenticate as themselves:
1. If your MMC console does not have the snap-in for Group Policy Objects, add it using the following steps. Otherwise, skip to step 5.
2. In the menu bar, go to File > Add/Remove snap-in...
3. From the list of available snap-ins, select Group Policy Object Editor.
4. Select Add >, select Finish, then select OK. Local Computer Policy appears in the Console Root pane.
5. In the Console Root pane, go to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
6. Select the Security Options node. The settings required for the next step become visible in the right pane once you have selected the correct node.
7. Double-select Network access: Sharing and security model for local accounts. The setting’s properties dialog appears.
8. In the unlabeled drop-down menu on the Local Security Setting tab, select Classic - local users authenticate as themselves. This also has the effect of disabling simple file sharing (SFS). Disabling SFS is a requirement for authenticated network vulnerability scans.

To add Windows Firewall exceptions:

Verify that firewall and other security designs in your network prevent administrative and unsolicited connections from hosts other than the FortiScan appliance. Failure to properly restrict access could weaken the security of your network when Group Policy Objects are modified as required by authenticated scans.

1. If your MMC console does not have the snap-in for Group Policy Object Editor, add it using the following steps. Otherwise, skip to step 5.
2. In the menu bar, go to File > Add/Remove snap-in... The snap-in dialog appears.

3. From the list of available snap-ins, select Group Policy Object Editor.
4. Select Add >, select Finish, then select OK. Services (Local) appears in the Console Root pane.
5. In the Console Root pane, go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile.
6. Select the Standard Profile node. The settings required for the next step become visible in the right pane once you have selected the correct node.
7. Configure the following settings:

Setting                                                               State
Windows Firewall: Protect all network connections                     Enabled
Windows Firewall: Allow inbound remote administration exception       Enabled; Allow unsolicited incoming messages from these IP addresses:
Windows Firewall: Allow ICMP exceptions                               Enabled; Allow inbound echo request
Windows Firewall: Allow inbound file and printer sharing exception    Enabled; Allow unsolicited incoming messages from these IP addresses:

To configure a setting, double-select it. The setting’s properties dialog will appear.

To test administrative share access:
1. Log in to a management computer running Windows. To verify routing and networking, the computer should be on the same subnet and receive the same firewall and routing policies as the FortiScan appliance.
2. Select the Start (Windows logo) menu to open it. Alternatively, press the Windows logo key on your keyboard.
3. Place your cursor in the Search programs and files input field.
4. Type cmd and press Enter. The Windows command prompt opens.

5. Enter the command:
net use Z: \\<host>\C$ /user:<domain>\<user> /persistent:no
(all on one line; be sure there is a single space between <user> and /persistent) where:
• Z: is any unused drive letter on the management computer that can be temporarily mapped to a network share
• <host> is the IP address or Windows host name of the remote host that will receive an authenticated scan
• <domain> is the name of your AD domain; for standalone hosts, omit <domain>\
• <user> is the name of the Windows user account the FortiScan appliance will use to authenticate
6. Enter the password for <user>. If the test is successful, the command window displays the message The command completed successfully. Open the network drive in Windows Explorer. The full contents of the remote host’s C$ administrative share should be readable.

To test registry access:
1. Log in to a management computer running Windows. To verify routing and networking, the computer should be on the same subnet and receive the same firewall and routing policies as the FortiScan appliance.
2. Select the Start (Windows logo) menu to open it. Alternatively, press the Windows logo key on your keyboard.
3. Place your cursor in the Search programs and files input field.
4. Type cmd and press Enter. The Windows command prompt opens.
5. Enter the command:
runas /user:<domain>\<user> "cmd /k reg.exe query \\<host>\HKLM\Software"
(all on one line; be sure there is a single space between query and \\<host>) where:
• <domain> is the name of your AD domain; for standalone hosts, omit <domain>\
• <user> is the name of the Windows user account the FortiScan appliance will use to authenticate
• <host> is the IP address of the remote host that will receive an authenticated scan
6. Enter the password for <user>. If the test is successful, a new command window appears and lists the HKLM\Software part of the remote host’s registry tree.

Fortinet Technologies Inc.

Page 163

FortiScan v5.0 MR1 Administration Guide

Preparing Linux or Solaris hosts

To scan supported UNIX-like hosts such as Oracle Solaris or Red Hat Linux using an authenticated network vulnerability scan, the FortiScan appliance must at least have a user account that has read permissions for:
• /etc/redhat-release (for Red Hat Linux-based distributions) or
• /etc/release (for Solaris)
and execute permissions for:
• uname and
• rpm (for Red Hat Linux-based distributions) or
• pkginfo (for Solaris)
These are required for accurate kernel and distribution version information.

Depending on the software that is installed on your host, and the current vulnerability and compliance signatures, for a complete and accurate authenticated scan, FortiScan may also require permissions to additional files and executables. For this reason, Fortinet recommends that you create an account with superuser permissions for the FortiScan appliance.

To add a superuser account:

Methods may vary by distribution, whether you have centralized/directory authentication, and by whether your host’s file system uses access control lists (ACLs) or simple group IDs (GIDs). For your specific configuration and distribution, see your distribution’s documentation. The following instructions assume Linux with local accounts and simple file system permissions.

1. Log in using an account that has superuser (sudo) permissions to create user accounts using the command adduser. Alternatively, log in using the root account, and run the following commands without sudo.
2. Enter the command:
sudo adduser <user>
where <user> is the name of the Linux user account the FortiScan appliance will use to authenticate. This command will add a Linux user account to the host.
3. Type the password for <user> and press Enter.
4. Type the password again to confirm its spelling and press Enter.
5. Complete any optional information that you want for the account. At the prompt Is the information correct? [Y/n], type y and press Enter.
6. Enter the command:
sudo adduser <user> <group>
where:
• <user> is the name of the Linux user account the FortiScan appliance will use to authenticate
• <group> is the name of the Linux group for superusers, such as root or wheel; if accounts are defined locally, the name of the group whose gid is 0 might be displayed by entering the command sudo cat /etc/group
This command will add the new user account to the same group as root, enabling the new account to read and execute files and programs where that group’s membership is required for those privileges.
7. Enter the command:
visudo /etc/sudoers
Edit the file to add root privileges to the FortiScan appliance’s Linux user account whenever it precedes a command line with sudo. visudo uses the text editor that you have specified in your EDITOR or VISUAL environment variables; as a result, text editing commands are often those of vi, but may vary. For details, see the documentation for visudo and your text editor.
8. To test the new account, from the FortiScan appliance, schedule a network vulnerability scan. Errors may indicate that the scan does not have full access to the Linux host. For details on scheduling network vulnerability scans, see “Agentless Vulnerability Scans” on page 228.
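Before scheduling the test scan in step 8, the minimum permissions listed at the start of this section can be verified on the host itself, logged in as the new account. The following script is an added example, not part of the guide or of FortiScan: it checks read access to the release file, that uname and the package tool resolve to executables on the account's PATH, and whether the account is in the gid 0 group. The file names and tool names come from the text above; the keyword parameters, the "redhat"/"solaris" flavour keys and the selftest fixture are assumptions made here so the same checks can be exercised offline on constructed files.

```python
"""Verify the scan account's minimum permissions on a Linux or Solaris host.

Run on the target host as the account FortiScan will authenticate with,
for example:  python3 check_scan_account.py redhat
Added example; it is not a FortiScan tool and does not talk to the appliance.
"""
import os
import shutil
import subprocess

# Paths and tools named in the guide, keyed by host flavour (constructed table).
RELEASE_FILES = {"redhat": "/etc/redhat-release", "solaris": "/etc/release"}
PACKAGE_TOOLS = {"redhat": "rpm", "solaris": "pkginfo"}


def check_account(flavor="redhat", release_file=None, tools=None, path_dirs=None):
    """Return {check_name: passed} for the effective user of this process.

    release_file, tools and path_dirs override the guide's defaults so the
    same logic can be pointed at constructed files in a self-test."""
    release_file = release_file or RELEASE_FILES[flavor]
    tools = tools or ["uname", PACKAGE_TOOLS[flavor]]
    search_path = os.pathsep.join(path_dirs) if path_dirs else None
    results = {"read:" + release_file: os.access(release_file, os.R_OK)}
    for tool in tools:
        # which() only returns regular files that carry the execute bit for this user
        results["exec:" + tool] = shutil.which(tool, path=search_path) is not None
    return results


def in_gid0_group():
    """True if the effective user belongs to the gid 0 group (root or wheel, per step 6)."""
    return os.getgid() == 0 or 0 in os.getgroups()


def kernel_release():
    """The kernel version string the scan derives from uname, or None if uname cannot run."""
    if shutil.which("uname") is None:
        return None
    proc = subprocess.run(["uname", "-r"], capture_output=True, text=True, check=False)
    return proc.stdout.strip()


def selftest():
    """Offline demonstration on constructed files: one passing set, one failing set."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        release = os.path.join(d, "redhat-release")
        with open(release, "w") as fh:
            fh.write("Constructed Linux release 1.0\n")   # constructed, not a real release file
        tool = os.path.join(d, "rpm")
        with open(tool, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")                # stand-in for rpm
        os.chmod(tool, 0o755)
        good = check_account(release_file=release, tools=["rpm"], path_dirs=[d])
        bad = check_account(release_file=os.path.join(d, "missing"),
                            tools=["no-such-tool"], path_dirs=[d])
    return good, bad


if __name__ == "__main__":
    import sys
    flavor = sys.argv[1] if len(sys.argv) > 1 else "redhat"
    checks = check_account(flavor)
    checks["member of gid 0 group"] = in_gid0_group()
    for name, ok in checks.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
    print("kernel release:", kernel_release())
```

A FAIL on any read or exec line means the scan will at best report an incomplete version inventory; a FAIL on the group line means step 6 was not applied to this account. The sudoers change from step 7 is deliberately not probed here; check it with `sudo -n -l` as the account, and validate the file itself with `visudo -c`.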

Configuring the appliance with asset logins

Once you have configured each asset with an account that the FortiScan appliance can use to log in for authenticated network vulnerability scans, you must configure the appliance with those user names and passwords and/or SNMP community strings.

Login credentials can be configured at multiple levels. Authentication settings that are more specific override those at more general levels. From more general to more specific, these levels are:
• ADOM-wide (see “Administrative Domains (ADOMs)” on page 93)
• asset group-wide (see “Grouping assets” on page 181)
• individual asset (see “Configuring the appliance with an asset login” on page 189)

Once this is done, the appliance is ready for you to run on-demand or scheduled network vulnerability scans. After you have finished the installation, continue with “Agentless Vulnerability Scans” on page 228.


Testing the Installation

When the configuration is complete, test it by forming connections between your network hosts and the FortiScan appliance at various points within your network topology.
• For agentless assets, you can test connectivity by either manually pinging the host, or (if you must test many assets) running a remote network vulnerability scan, which will cause FortiScan to attempt to connect to those hosts.
• For assets with a FortiScan agent installed, wait for the agent to attempt to register and then submit its first survey. FortiScan agents will periodically connect to the FortiScan appliance to submit surveys and request instructions such as whether you have scheduled any compliance scans, configuration changes, or patch installations. Connection intervals vary by your configuration (see “Configuring the ADOM’s connections from FortiScan agents” on page 105).

If an agent cannot connect to send surveys, the agent’s associated Asset Status will become Unprotected or Disconnected after some time, depending on how you added the asset to the asset inventory, and whether it was able to connect initially for registration. To view each asset’s Asset Status, from Current ADOM select the ADOM, then go to Asset > Inventory > Asset Inventory.

If agent connections are failing, verify that firewalls and routers between the agent and the appliance fulfill all FortiScan connectivity requirements (see “Appendix B: Port Numbers” on page 525). Different types of connections from agents use different port numbers. For example, it is possible that a survey connection could succeed while a dispatch connection could fail. For normal functionality, all required connectivity must be allowed.

Because FortiScan appliances do not initiate connections to agents but instead wait for agents to poll, for the most accurate connectivity tests, initiate a connection from each FortiScan agent’s host to the appliance, not from the FortiScan appliance to each host. Due to firewalls and/or VPN tunnels between the appliance and the agents, connectivity success could vary by directionality. For more troubleshooting information, see “Troubleshooting” on page 500.
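Both of the directional checks this chapter asks for can be done with one small TCP connect probe, run from the vantage point that matters: from the FortiScan appliance's network position toward a scan target for the Table 23 listening ports in "Network and firewall requirements", and from each agent's host toward the appliance for the agent connectivity test above. The script below is an added example, not part of the guide or of FortiScan. The Table 23 ports are built in as the default list; the agent-side port numbers live in Appendix B, which is not reproduced here, so for that direction pass your own (port, "tcp", purpose) list. It distinguishes a refused connection (host reached, nothing listening or a REJECT rule) from a timeout (typically a DROP rule or routing problem), since the two point to different fixes. The helper names and the loopback self-test fixture are assumptions made for this example.

```python
"""TCP reachability pre-check for FortiScan scan targets and agent-to-appliance paths.

Usage:  python3 reach_check.py <target-ip-or-name>
Added example, not a FortiScan tool; run it from the host whose view of the network you
need to confirm (the appliance's segment for scan targets, the agent host for the appliance).
"""
import socket
from contextlib import contextmanager

# Table 23 as data (constructed from the guide): ports a scan target must have listening.
TARGET_PORTS = [
    (22, "tcp", "SSH (Solaris and Linux)"),
    (139, "tcp", "CIFS/SMB file and printer sharing (Windows)"),
    (445, "tcp", "CIFS/SMB file and printer sharing (Windows)"),
    (137, "udp", "WINS/NetBIOS host name query (Windows)"),
    (138, "udp", "NetBIOS datagram (Windows)"),
]


def check_tcp(host, port, timeout=2.0):
    """Classify one TCP connect attempt as open, refused, timeout or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"    # host reached, but nothing listening (or a firewall REJECT rule)
    except socket.timeout:
        return "timeout"    # usually a firewall DROP rule or a routing/NAT problem on the path
    except OSError:
        return "error"      # no route, name resolution failure, and so on


def check_ports(host, ports=TARGET_PORTS, timeout=2.0):
    """Probe each (port, proto, purpose) entry; returns (port, proto, purpose, state) tuples.

    UDP entries come back as 'unverified': a UDP connect() never fails, so a connect-style
    probe cannot say whether the NetBIOS services on 137/138 are reachable."""
    out = []
    for port, proto, purpose in ports:
        state = check_tcp(host, port, timeout) if proto == "tcp" else "unverified"
        out.append((port, proto, purpose, state))
    return out


def blocked(results):
    """TCP entries that are not open. Each one will make an authenticated scan fall back or
    fail, so fix the listener, firewall or NAT before trusting that scan's findings."""
    return [(port, proto, purpose) for port, proto, purpose, state in results
            if proto == "tcp" and state != "open"]


@contextmanager
def local_listener():
    """Constructed fixture for the self-test: a throwaway TCP listener on 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: the kernel picks a free port
    srv.listen(1)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


def selftest():
    """Offline run against loopback: one listening port, TCP/1 (nothing listens there), one UDP entry."""
    with local_listener() as port:
        probe = [
            (port, "tcp", "constructed listener"),
            (1, "tcp", "constructed closed port"),
            (137, "udp", "NetBIOS name query"),
        ]
        results = check_ports("127.0.0.1", probe, timeout=1.0)
    return {p: state for p, _, _, state in results}, blocked(results)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = check_ports(target)
    for port, proto, purpose, state in results:
        print(f"{proto}/{port:<5} {state:<10} {purpose}")
    print("will block or degrade an authenticated scan:", blocked(results) or "nothing")
```

Read a "timeout" on 139 or 445 as the situation the chapter warns about: the host may look safe from this vantage point only because a policy on the path is dropping the scanner's traffic, not because the service is hardened. For the agent direction, a run that succeeds from the appliance's segment but fails from the agent host is exactly the directional asymmetry the text describes, and the agent host's result is the one that counts.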


Backup your FortiScan

Once you have tested your basic installation and verified that it functions correctly, create a backup. This “clean” backup can be used to:
• troubleshoot a non-functional configuration by comparing it with this functional baseline (via a tool such as diff or WinMerge)
• rapidly restore your installation to a simple yet working point (see “Restoring a previous configuration” on page 171)
• batch-configure FortiScan appliances by editing the file in a plain text editor, then uploading the finalized configuration to multiple appliances (see “Restoring a previous configuration” on page 171)

After you have a working deployment, back up the configuration again after any changes. This will ensure that you can rapidly restore your configuration exactly to its previous state if a change does not work as planned.

Your deployment’s configuration is comprised of a few separate components. To make a complete configuration backup, you must include the:
• Core configuration file (see either “To back up the configuration file via the Web-based Manager:” or “To back up the configuration file via the CLI:”)
• Database (see “To back up the database via the CLI:”)
• Configuration files of the FortiScan agent on each asset (for a suitable backup method, see the documentation for the host’s operating system or your preferred third-party backup software)

Configuration backups do not include data such as logs and reports.

To back up the configuration file via the Web-based Manager:

When making a complete backup, you can save time by backing up both the database and configuration file via the CLI instead. (The database cannot be backed up using the Web-based Manager.) See “To back up the configuration file via the CLI:”.

1. Log in to the Web-based Manager as the admin administrator. Other administrator accounts do not have the required permissions.
2. From Current ADOM, select Global. The configuration file applies to the entire appliance, not to an individual ADOM.
3. Go to System > Maintenance > Backup & Restore. The top of the page displays the date and time of the last backup. (Only a hyphen appears if the configuration was never backed up, or you restored the firmware.)


Figure 50: System configuration page

4. In the Backup configuration to list, select Local PC.
5. If you want to encrypt your configuration file, mark the Encrypt configuration file check box, enter a password, and enter the password again to confirm.

Remember to record the password to the backed up configuration file, and keep it in a secure location. A password-encrypted backup configuration file cannot be restored without the password.

6. Select Backup. If your browser prompts you, navigate to the folder where you want to save the configuration file. Select Save. Your browser downloads the configuration file. Time required varies by the size of the configuration and the specifications of the appliance’s hardware as well as the speed of your network connection, but could take several minutes. For a complete backup, continue with “To back up the database via the CLI:” on page 169. To back up the configuration file via the CLI: 1. Log in to the CLI as the admin administrator using either the local serial console, the CLI Console widget in the Web-based Manager, or an SSH or Telnet connection. Other administrator accounts do not have the required permissions. 2. Enter the following commands: config global execute backup config {ftp | scp | sftp | tftp} { | } [] where:


{ftp | scp | sftp | tftp}
Choose which protocol to use to connect to the server. With SSH servers, use SCP.

{ | }
Type the IP address or domain name of the server. Note: Domain names are currently not valid input with this command if you choose the FTP protocol.

(third argument)
Enter one of the following:
• For FTP, SFTP, or SCP, type the user name that the FortiScan appliance will use to authenticate when connecting to the server.
• For TFTP, type the directory path on the server where the backup will be uploaded.

(fourth argument)
Enter one of the following:
• For FTP, SFTP, or SCP, type the password, if any. If there is no password, type a hyphen ( - ).
• For TFTP, type the file name of the backup.

(fifth argument)
Type the directory path on the server where the backup will be uploaded. This argument is not applicable when using the command with TFTP.

[] (sixth argument)
Optional. If you do not want to use the default file name, type a file name for the backup. This argument is not applicable when using the command with TFTP.

For example, the following commands back up a FortiScan-3000D’s configuration file to a file named FortiScan-3000D.conf in the current directory on the SSH server 172.16.1.10, authenticating using an account named FortiScan whose password is P@ssw0rd1:

FortiScan-3000D # config global
global # exec backup config scp 172.16.1.10 FortiScan P@ssw0rd1 ./ FortiScan-3000D.conf

Before transferring the backup, the FortiScan appliance creates a compressed archive of the configuration file. Time required varies by the size of the configuration and the specifications of the appliance’s hardware as well as the speed of your network connection, but could take several minutes. For a complete backup, continue with “To back up the database via the CLI:” on page 169.

To back up the database via the CLI:

1. Log in to the CLI as the admin administrator using the local serial console or an SSH or Telnet connection. Other administrator accounts do not have the required permissions. Because all administrators’ Web-based Manager sessions are disconnected during database backup and restore operations, you cannot use the CLI Console widget in the Web-based Manager.
2. Enter the following commands:

config global
execute em_dbbackup {ftp | scp | sftp | tftp} { | } []


where:

{ftp | scp | sftp | tftp}
Choose which protocol to use to connect to the server. With SSH servers, use SCP.

{ | }
Type the IP address or domain name of the server. Note: Domain names are currently not valid input with this command if you choose the FTP protocol.

(third argument)
Enter one of the following:
• For FTP, SFTP, or SCP, type the user name that the FortiScan appliance will use to authenticate when connecting to the server.
• For TFTP, type the directory path on the server where the backup will be uploaded.

(fourth argument)
Enter one of the following:
• For FTP, SFTP, or SCP, type the password, if any. If there is no password, type a hyphen ( - ).
• For TFTP, type the file name of the backup.

(fifth argument)
Type the directory path on the server where the backup will be uploaded. This argument is not applicable when using the command with TFTP.

[] (sixth argument)
Optional. If you do not want to use the default file name, type a file name for the backup. This argument is not applicable when using the command with TFTP.

For example, the following command backs up a FortiScan 3000D’s database to a file named FortiScan 3000DB in the current directory on the FTP server 172.16.1.10, authenticating using an account named FortiScan that has no password (as indicated by the hyphen):

FortiScan 3000D # config global
global # exec em_dbbackup ftp 172.16.1.10 FortiScan - ./ FortiScan-3000DB

During the backup, the FortiScan appliance stops the Web-based Manager daemon, shuts down its application server, and creates a compressed file containing the database information. Time required varies by the size of the database and the specifications of the appliance’s hardware as well as the speed of your network connection, but could take several minutes. After the backup is finished, the FortiScan appliance reboots, allowing you to access the appliance through the Web-based Manager again. For a complete backup, continue with “To back up the configuration file via the Web-based Manager:” on page 167 or “To back up the configuration file via the CLI:” on page 168.


Restoring a previous configuration

If you have downloaded configuration backups, you can upload one to revert the appliance’s configuration to that point. Your deployment’s configuration is comprised of a few separate components. To make a complete configuration restoration, you must include the:
• Core configuration file (see either “To upload a configuration file via the Web-based Manager:” or “To restore the configuration file via the CLI:”)
• Database (see “To restore the database via the CLI:”)
• Configuration files of the FortiScan agent on each asset

To upload a configuration file via the Web-based Manager:

1. Log in to the Web-based Manager as the admin administrator. Other administrator accounts do not have the required permissions.
2. From Current ADOM, select Global. The configuration file applies to the entire appliance, not to an individual ADOM.
3. Go to System > Maintenance > Backup & Restore.

Figure 51: Backup and restore page

4. In the Restore configuration from list, select Local PC.
5. If the configuration file was password-encrypted, in Password, enter the password that was used.
6. Select Browse and locate the configuration backup file. (It has a .conf extension.)
7. Select Restore. If your browser prompts you, navigate to the folder where you want to save the configuration file. Select Save. Your web browser uploads the configuration file and the FortiScan appliance restarts with the new configuration. Time required to restore varies by the size of the file and the speed of your network connection. Your Web-based Manager session will be terminated when the FortiScan appliance restarts.
8. To continue using the Web-based Manager, if you have not changed the IP address and static routes of the Web-based Manager, simply refresh the web page and log in again. Otherwise, to access the Web-based Manager again, in your web browser, modify the URL to match the new IP address of the network interface.


For example, if you configured port1 with the IP address 10.10.10.5, you would browse to: https://10.10.10.5

If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiScan appliance, you may also need to modify the IP address and subnet of your computer to match the FortiScan appliance’s new IP address. See “Connecting to the Web-based Manager” on page 52. For a complete restoration, continue with “To restore the database via the CLI:” on page 173.

To restore the configuration file via the CLI:

1. Log in to the CLI as the admin administrator using either the local serial console, the CLI Console widget in the Web-based Manager, or an SSH or Telnet connection. Other administrator accounts do not have the required permissions.
2. Enter the following commands:

config global
execute restore config {ftp | scp | sftp | tftp} { | } []

where:

{ftp | scp | sftp | tftp}
Choose which protocol to use to connect to the server. With SSH servers, use SCP.

{ | }
Type the IP address or domain name of the server. Note: Domain names are currently not valid input with this command if you choose the FTP protocol.

(third argument)
Enter one of the following:
• For FTP, SFTP, or SCP, type the user name that the FortiScan appliance will use to authenticate when connecting to the server.
• For TFTP, type the directory path on the server where the backup will be uploaded.

(fourth argument)
Enter one of the following:
• For FTP, SFTP, or SCP, type the password, if any. If there is no password, type a hyphen ( - ).
• For TFTP, type the file name of the backup.

(fifth argument)
Type the directory path on the server where the backup will be uploaded. This argument is not applicable when using the command with TFTP.

[] (sixth argument)
Optional. If you do not want to use the default file name, type a file name for the backup. This argument is not applicable when using the command with TFTP.


For example, the following commands restore a FortiScan-3000D’s configuration file from a file named FortiScan-3000D.conf in the current directory on the SSH server 172.16.1.10, authenticating using an account named FortiScan whose password is P@ssw0rd1:

FortiScan-3000D # config global
global # exec restore config scp 172.16.1.10 FortiScan P@ssw0rd1 ./ FortiScan-3000D.conf

FortiScan will connect to the server, download the file, install it, and reboot. Your CLI connection may time out.

3. To continue using the CLI, if you have not changed the IP address and static routes of the Web-based Manager, simply reconnect and log in again. Otherwise, to access the CLI again, reconnect using the new IP address of the network interface that is specified in the configuration file that you restored. For example, if you configured port1 with the IP address 10.10.10.5, you would connect to 10.10.10.5. If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiScan appliance, you may also need to modify the IP address and subnet of your computer to match the FortiScan appliance’s new IP address. See “Connecting to the CLI” on page 54. For a complete restoration, continue with “To restore the database via the CLI:” on page 173.

To restore the database via the CLI:

1. Log in to the CLI as the admin administrator using either the local serial console or an SSH or Telnet connection. Because the database includes information on all ADOMs, other administrator accounts do not have the required permissions. Because all administrators’ Web-based Manager sessions are disconnected during database backup and restore operations, you cannot use the CLI Console widget in the Web-based Manager.
2. Enter the following commands:

config global
execute em_dbrestore {ftp | scp | sftp | tftp} { | } []

where the variables and options are as follows:

{ftp | scp | sftp | tftp}
Choose which protocol to use to connect to the server. With SSH servers, use SCP.

{ | }
Type the IP address or domain name of the server. Note: Domain names are currently not valid input with this command if you choose the FTP protocol.

(third argument)
Enter one of the following:
• For FTP, SFTP, or SCP, type the user name that the FortiScan appliance will use to authenticate when connecting to the server.
• For TFTP, type the directory path on the server where the backup will be uploaded.

(fourth argument)
Enter one of the following:
• For FTP, SFTP, or SCP, type the password, if any, or, if there is no password, type a hyphen ( - ).
• For TFTP, type the file name of the backup.

(fifth argument)
Type the directory path on the server where the backup will be uploaded. This argument is not applicable when using the command with TFTP.

[] (sixth argument)
Optional. If you do not want to use the default file name, type a file name for the backup. This argument is not applicable when using the command with TFTP.

For example, the following commands restore a FortiScan-3000D’s database from a file named FSC3000DB in the current directory ( ./ ) on the SSH server 172.16.1.10, authenticating using an account named fortiscan that has the password P455w0rd!:

FortiScan-3000D # config global
global # exec em_dbrestore scp 172.16.1.10 fortiscan P455w0rd! ./ FSC3000DB

During the restoration, the FortiScan appliance stops the Web-based Manager daemon, shuts down its application server, and decompresses the file containing the database information. Time required varies by the size of the database and the specifications of the appliance’s hardware, but could take several minutes. After the restoration is finished, the FortiScan appliance reboots, allowing you to access the appliance through the Web-based Manager or CLI again. For a complete restoration, continue with “To upload a configuration file via the Web-based Manager:” on page 171 or “To restore the configuration file via the CLI:” on page 172.


System Settings

The System menu configures a variety of settings that apply to the entire FortiScan appliance. Many system settings must be configured during the initial installation. This section only contains optional settings that can be configured later. For required system settings, see the appropriate section of “How to set up your FortiScan” on page 49.

Changing the FortiScan appliance’s host name

The host name of the FortiScan appliance is used in several places.
• It appears in the System Information widget on System > Dashboard > Status. For information about the System Information widget, see “System information widget” on page 426.
• It is used in the command prompt of the CLI.
• It is used as the SNMP system name. For information about SNMP, see “SNMP traps and queries” on page 457.

The System Information widget and the get system status CLI command will display the full host name. However, if the host name is longer than 16 characters, the CLI and other places display the host name in a truncated form ending with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed. For example, if the host name is FortiScan1234567890, the CLI prompt would be FortiScan123456~#.

To change the host name:

1. Go to System > Dashboard > Status.
2. In the System Information widget, in the Host Name row, select Change. The Edit Host Name dialog appears in a pop-up window.
3. In Host Name, type the FortiScan appliance’s host name, such as FortiScan-3000D. The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.
4. Select OK.

Changing the RAID level

System > Config > RAID in the Global ADOM allows you to change the RAID level of the RAID array. Configuring RAID settings is only supported for the FortiScan-3000C/D. For all other models, the RAID settings are view-only. RAID (Redundant Array of Independent Disks) divides data storage over multiple disks, which can increase storage capacity, reliability and/or speed. FortiScan appliances that contain multiple hard disks can configure the RAID array. From System > Dashboard > Status, you can view the status of the RAID array from the Disk Monitor widget. The Disk Monitor widget displays the status of each disk in the RAID array, including the disk’s RAID level. For details, see “Disk monitor widget” on page 432.


If you need to remove a disk from the FortiScan appliance, you can hot swap it — that is, you can remove a failed hard disk and replace it with a new one even while the FortiScan appliance is still in operation. For details, see “Replacing hard disks” on page 434.

To change the RAID level:

1. Log in with the admin administrator account. Other administrator accounts do not have sufficient permissions.
2. From Current ADOM, select Global. RAID is configured for the entire appliance, and is not specific to each ADOM. The menu in the next step is available only if Current ADOM is Global.
3. Go to System > Config > RAID. Alternatively, go to System > Dashboard > Status and, on the Disk Monitor widget, select RAID Settings in the widget’s title bar.

Figure 52: RAID settings (FSC-3000C/FSC-3000D only)

The following information is displayed:

RAID Level

Select a RAID level and select Apply. The FortiScan appliance will reboot, destroy the existing RAID array, create a new RAID array with the specified level, and then create a new file system on the array. Caution: Changing the RAID level will delete all data from the disks. Available disk space may decrease depending on the RAID level, and whether you have replaced a failed hard disk with a smaller hard disk.


Total Disk Space

The amount of disk space available within the RAID array.

Free Disk Space

The amount of free disk space.

Disk #

The number identifying the disk. These numbers reflect what disks are available on the FortiScan appliance. For example, on a FortiScan-1000B, there would be 1-2, while on a FortiScan-1000C there would be 1-4, on a FortiScan-3000C there would be 1-6, and on a FortiScan-3000D there would be 1-8.


Size (GB)

The size of the individual hard disk.

Status

The current status of the hard disk. For example, OK indicates that the hard disk is okay and working normally; Not Present indicates that the hard disk is not being detected by the FortiScan appliance or has been removed and no disk is available; Failed indicates that the hard disk is not working properly.

4. From RAID Level, select a RAID level.
5. Select Apply to begin the process of changing the RAID level. The following message appears: Warning: If the RAID setting is changed, ALL data will be DELETED! The procedure could take up to 20 minutes. Continue?
6. Select OK to continue with the process.

Supported RAID levels

RAID levels vary between FortiScan appliances. The following table explains the recommended RAID level, the supported RAID level, and any additional information for each appliance.

Table 24: Supported RAID levels by model

Model                   Supported Levels    Recommended Level    Note
FSC-1000B               1                   1                    Software RAID
FSC-1000C               1                   1                    Software RAID
FSC-3000C, FSC-3000D    0, 1, 5, 10, 50     N/A                  Hardware RAID

When changing the RAID level, the available levels depend on the number of working disks that are actually present in the appliance. For example, RAID5 is not available on FortiScan appliances with fewer than three disks. With a full complement of working disks, the default level is the recommended level in the above table. The following sections assume a full complement except where noted. You can find out information about RAID using either of the following CLI commands:
• get system status
• diagnose raid info

Fortinet recommends having an Uninterruptible Power Supply (UPS) to reduce the possibility of data inconsistencies when power failures occur.

Linear RAID

A linear RAID level combines all hard disks into one large virtual disk. It is also known as concatenation or JBOD (Just a Bunch of Disks). The total space available in this option is the capacity of all disks used. There is very little performance change when using this RAID format. If any of the drives fails, the entire set of drives is unusable until the faulty drive is replaced. All data will be lost.


RAID 0

A RAID 0 array is also referred to as striping. The FortiScan appliance writes information evenly across all hard disks. The total space available is that of all the disks in the RAID array. There is no redundancy available. If any of the drives fails, the data cannot be recovered. This RAID level is beneficial because it provides better performance, since the FortiScan appliance can distribute disk writing across multiple disks.

RAID 1

A RAID 1 array is also referred to as mirroring. The FortiScan appliance writes information to one hard disk, and writes a copy (a mirror image) of all information to all other hard disks. The total disk space available is that of only one hard disk, as the others are solely used for mirroring. This provides redundant data storage with no single point of failure. Should any of the hard disks fail, there are several backup hard disks available. With a FortiScan-3000C/D for example, if one disk fails, there are up to five other hard disks the FortiScan appliance can access and still continue functioning.

RAID 5

A RAID 5 array employs striping with a parity check. The FortiScan appliance writes information evenly across all drives. Additional parity blocks are written on the same stripes. The parity block is staggered for each stripe. The total disk space is the total number of disks in the array, minus one disk for parity storage. For example, on a FortiScan-3000C/D with four hard disks, the total capacity available is actually the total for three hard disks. RAID 5 performance is typically better with reading than writing, although performance is degraded when one disk has failed or is missing. With RAID 5, one disk can fail without the loss of data. If a drive fails, it can be replaced and the FortiScan appliance will restore the data on the new disk using reference information from the parity volume. RAID 5 appears in the Web-based Manager only for FortiScan appliances with hardware RAID. Currently, only the FortiScan-3000C/D supports hardware RAID.

RAID 10

RAID 10 (or 1+0) includes nested RAID levels 1 and 0, or a stripe (RAID 0) of mirrors (RAID 1). The total disk space available is the total number of disks in the array (a minimum of 4) divided by 2. One drive from a RAID 1 array can fail without loss of data; however, should the other drive in the RAID 1 array fail, all data will be lost. In this situation, it is important to replace a failed drive as quickly as possible.

RAID 50

RAID 50 (or 5+0) includes nested RAID levels 5 and 0, or a stripe (RAID 0) and stripe with parity (RAID 5). The total disk space available is the total number of disks minus the number of RAID 5 sub-arrays. RAID 50 provides increased performance and also ensures no data loss for the same reasons as RAID 5. One drive in each RAID 5 array can fail without the loss of data. For the FortiScan-3000C/D, data is recoverable with two RAID 5 arrays of three disks each.

RAID 5 with hot spare

FortiScan-3000C/D appliances can use one of their hard disks as a hot spare (a stand-by disk for the RAID), should any of the other RAID hard disks fail. If a hard disk fails, within a minute of the failure, the FortiScan appliance begins to automatically substitute the hot spare for the failed drive, integrating it into the RAID array, and rebuilding the RAID’s data. When you replace the failed hard disk, the FortiScan appliance uses the new hard disk as the new hot spare. The total disk space available is the total number of disks minus two.
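The capacity and minimum-disk rules stated for each RAID level above, worked out as a small calculator. This is an added example, not Fortinet's code; it assumes that each array member contributes only the size of the smallest working disk (the reason the guide warns that a smaller replacement disk can shrink available space), that RAID 50 sub-arrays hold three disks unless told otherwise (the FortiScan-3000C/D case above), and that disk counts per model follow the Disk # description above.

```python
"""RAID capacity calculator for the levels described in this guide.

Added example, not Fortinet's code. Rules taken from the text above:
linear/JBOD sums all disks; RAID 0 uses every disk; RAID 1 keeps one disk's
worth; RAID 5 loses one disk to parity (needs 3+ disks); RAID 10 halves
(needs 4+); RAID 50 loses one disk per RAID 5 sub-array; RAID 5 with hot
spare loses two disks. Assumption: each member contributes only as much as
the smallest disk, which is why replacing a failed disk with a smaller one
can shrink the available space.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Disk counts per model, from the Disk # description above.
MODEL_DISKS: Dict[str, int] = {
    "FSC-1000B": 2, "FSC-1000C": 4, "FSC-3000C": 6, "FSC-3000D": 8,
}

LEVELS = ("linear", "0", "1", "5", "10", "50", "5+spare")


@dataclass(frozen=True)
class RaidPlan:
    level: str                # level name as used in the guide
    disks_used: int           # working disks the array actually consumes
    usable_gb: int            # capacity the file system will see
    guaranteed_failures: int  # failed disks survivable in the worst case


def working_disks(disks: Sequence[Tuple[int, str]]) -> List[int]:
    """Keep sizes of disks whose Status is OK; Failed / Not Present are skipped."""
    return [size for size, status in disks if status == "OK"]


def _need(level: str, n: int, minimum: int) -> None:
    if n < minimum:
        raise ValueError(
            f"RAID {level} needs at least {minimum} working disks, have {n}")


def plan(level: str, sizes: Sequence[int], raid5_subarray: int = 3) -> RaidPlan:
    """Usable capacity and fault tolerance for `level` over the working disks."""
    n = len(sizes)
    if n == 0:
        raise ValueError("no working disks")
    unit = min(sizes)  # assumption: smallest member bounds each disk's share
    if level == "linear":
        return RaidPlan(level, n, sum(sizes), 0)
    if level == "0":
        _need(level, n, 2)
        return RaidPlan(level, n, n * unit, 0)
    if level == "1":
        _need(level, n, 2)
        return RaidPlan(level, n, unit, n - 1)  # every other disk is a mirror
    if level == "5":
        _need(level, n, 3)
        return RaidPlan(level, n, (n - 1) * unit, 1)
    if level == "10":
        _need(level, n, 4)
        pairs = n // 2  # assumption: an odd leftover disk stays unused
        # one disk per mirror pair may fail; two in the same pair lose data
        return RaidPlan(level, pairs * 2, pairs * unit, 1)
    if level == "50":
        _need(level, n, 2 * raid5_subarray)
        subs = n // raid5_subarray
        used = subs * raid5_subarray
        # one disk per sub-array may fail; worst case is still a single loss
        return RaidPlan(level, used, (used - subs) * unit, 1)
    if level == "5+spare":
        _need(level, n, 4)  # three for RAID 5 plus the stand-by disk
        return RaidPlan(level, n, (n - 2) * unit, 1)
    raise ValueError(f"unknown RAID level {level!r}")


def available_levels(sizes: Sequence[int], raid5_subarray: int = 3) -> List[str]:
    """Levels the disk count allows, mirroring the RAID Level drop-down rule."""
    out = []
    for lvl in LEVELS:
        try:
            plan(lvl, sizes, raid5_subarray)
            out.append(lvl)
        except ValueError:
            continue
    return out


if __name__ == "__main__":
    # Constructed sample: a FortiScan-3000C with six 1000 GB disks, one Failed.
    disks = [(1000, "OK")] * 5 + [(1000, "Failed")]
    sizes = working_disks(disks)
    for lvl in available_levels(sizes):
        print(plan(lvl, sizes))
```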


Your Asset Inventory

Asset > Inventory > Asset Inventory displays the list of devices that you have either:
• added
• imported
• discovered during a discovery scan
and that are currently assigned to your ADOM. It also displays each asset’s FortiScan agent protection and connectivity status.

Figure 53: Asset inventory page (panes: asset selection tree, asset inventory pane, asset editor pane)

The following information is displayed:

New Asset Group

Select to create an asset group (see “Grouping assets” on page 181).

Delete

Mark the check boxes of assets that you want to remove from the asset inventory, then select Delete. For details, see “Deleting and retiring assets” on page 199.

Retire

Mark the check boxes of the assets that you want to retire, then select Retire. Retired assets may be activated again later, without re-discovering the host. For details, see “Deleting and retiring assets” on page 199.

Move

Mark the check boxes of the assets that you want to move to a different group, then select Move. See “Moving an asset between groups” on page 186 and “Moving an asset group” on page 187.


Copy

Mark the check boxes of the assets that you want to add to a group, then select Copy in order to subsequently paste them into a group. See “To add an asset to an asset group:” on page 185.

Apply

Mark the check boxes of the assets to which you want to apply a policy, then select Apply. See “Achieving real-time compliance via policies” on page 347.

Remove

Mark the check boxes of the assets that have policies that you want to remove, then select Remove. See “To remove a policy through the asset inventory:” on page 352.

Reset

Mark the check boxes of the assets where you want to kill and respawn scan processes and all of their child processes on the asset’s FortiScan agent, then select Reset. See “Resetting a FortiScan agent” on page 494.

Installer

Select to launch a Java applet to install the FortiScan agent on an asset. For details, see “Agent Setup” on page 117.

IP

The IP address of the asset. Select to view asset details and history. For more information, see “Viewing a chart’s asset details” on page 207. Only one asset per IP address can be assigned to an ADOM. For details, see “Manually assigning assets to an ADOM” on page 100.

Host Name

The host name of the asset.

Criticality

See “Risk: prioritizing your business-critical machines” on page 27.

OS Type

The operating system (OS) running on the asset.

OS Version

The version or build of the OS running on the asset.

Discovered Date

The date and time that the asset was added to the ADOM’s asset inventory, regardless of whether that occurred via a discovery scan or other method.

Network Scan Status

Displays the FortiScan network scan results: New, Discovered, Vuln-Scanned, Auth-Scanned, or IPS Protected.

Agent Version

The version of the FortiScan agent installed on the asset. For compatibility reasons, this version should correspond with the version of the FortiScan appliance’s currently installed firmware.

Most Recent Survey

The date and time of the last survey that was successfully received from the asset’s FortiScan agent.

Agent Scan Status

Indicates whether a FortiScan agent has been installed and is periodically submitting surveys, and therefore can be protected via remediations and policies. The status is either Protected, Registered, Disconnected, New, or Retired. For details, see “Agent scan status” on page 26.

Action


Reset

Select to reset the asset’s FortiScan agent. See “Resetting a FortiScan agent” on page 494.

Copy

Select to copy an asset or asset group so that you can paste it into a group. See “To add an asset to an asset group:” on page 185.

Detail

Select to display asset details in the asset editor pane. Some details, such as the asset’s description, are editable. See “Configuring asset-specific settings” on page 189.

Apply Policy

Select to apply a policy to an asset. See “Achieving real-time compliance via policies” on page 347.

Remove Policy

Select to remove a policy from an asset.

Dispatch Remediation

Select to dispatch a remediation to an asset or asset group. See “Dispatching remediations” on page 409.

You can organize assets into groups. You can also configure individualized settings for each asset’s FortiScan agent, dispatch remediations, and govern assets by adding policies. Configuration changes you make using the asset inventory are applied to each protected asset when it connects to send its next survey. If you want to apply the changes immediately, create and dispatch a standard survey remediation to an asset or asset group. This will cause a protected asset to send in a survey and, if it is using the global survey settings, obtain the new values. The remediation template must contain only one remediation action: either the Detailed Survey action or the Standard Survey action. See “Defining remediation templates” on page 403 then “Dispatching remediations” on page 409. The asset inventory pane is empty until you select an asset group in the asset selection tree (for a diagram of the panes in this part of the menu, see Figure 63 on page 203). The asset editor pane displays a group of tabs with details on the currently selected asset (by default, the first in the asset inventory pane). For information on each of these tabs, see “Configuring asset-specific settings” on page 189.

Grouping assets

The asset selection tree pane on Asset > Inventory > Asset Inventory (see Figure 53 on page 179) displays the list of known assets in your network, organized by asset group. After the initial discovery scan, discovered assets automatically appear in some groups such as All Assets and Ungrouped Assets, which are automatically maintained by the FortiScan appliance. You can also make your own asset groups. Grouping assets can be useful, for example, when you want to apply remediations to hosts that run similar software, or apply appropriate policies to all hosts belonging to a specific business unit.


Groups in the asset selection tree pane on Asset > Inventory > Asset Inventory

All Assets

All assets either discovered during a discovery scan or imported. Note: This group is automatically maintained by the FortiScan appliance; it cannot be modified manually.

Ungrouped Assets

All assets that have not yet been assigned to a group that administrators have manually created. Note: Automatically maintained by the FortiScan appliance; cannot be modified manually.

Preferred Assets

Groups created by administrators. See “To create an asset group:” on page 182.

View Filters By Criticality

Subgroups of assets according to their criticality level: High, Highest, Low, Lowest, or Medium. See “Risk: prioritizing your business-critical machines” on page 27. Note: This group is automatically maintained by the FortiScan appliance; it cannot be modified manually.

By OS Family

Subgroups of assets according to their operating system (OS): Linux, Solaris, Windows, FortiOS, or Other. Note: This group is automatically maintained by the FortiScan appliance; it cannot be modified manually.

By Agent Scan Status

Subgroups of assets according to their current FortiScan agent connectivity and protection status: New, Registered, Protected, Disconnected, or Retired. See “Agent scan status” on page 26. Note: This group is automatically maintained by the FortiScan appliance; it cannot be modified manually.

By Network Scan Status

The status includes: New, Discovered, Vuln-Scanned, Auth-Scanned, or IPS Protected.

An asset can be a member of several asset groups simultaneously. For example, an asset could appear both in the automatically-maintained group containing similar operating systems, and in another group that you created, which contains assets for a specific work group.

To create an asset group:

1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Inventory > Asset Inventory.
3. In the asset selection tree, select the New Asset Group button.


The Create New Asset Group window appears:

Figure 54: Create new asset group window

4. Configure the following settings:

Name

Enter the name for the new asset group.

Business Impact

Select the degree to which your organization will be affected if assets in this group were to be compromised or non-compliant: Critical, High, Medium, Low, or Minor. See “Risk: prioritizing your business-critical machines” on page 27.

Asset Group Parent

Select the parent group in which to include the new asset group. To create a top level group, select the Preferred Assets group as the parent. Note: Asset groups that are automatically created by the FortiScan appliance, such as All Assets, cannot be a group parent.


Group Default Authentication

If all or most assets in the group have identical account settings that the appliance can use when logging in to run authenticated network vulnerability scans (see “Agentless Vulnerability Scans” on page 228), enable one or more of the following:
• Windows Share(SMB)
• SSH
• SNMP v2c
Note: These settings are used only if you have not overridden them using Authentication. See “Configuring the appliance with an asset login” on page 189. Note: These settings override ADOM-wide settings in ADOM Default Authentication. See “Administrative Domains (ADOMs)” on page 93. Tip: Alternatively, you can configure common authentication settings for all assets in the ADOM. See ADOM Default Authentication in “Administrative Domains (ADOMs)” on page 93. If assets belong to more than one ADOM, also see Default ADOM in “Configuring the appliance with an asset login” on page 189.

Windows Share(SMB)

Enable to use Microsoft Windows-style server message block (SMB)/common internet file system (CIFS) authentication with assets in the group. Also configure Level, Domain, Username, and Password.

Level

Select either:
• Domain User: Users authenticate with a central server, using accounts that are defined on a Microsoft Active Directory (AD) domain controller.
• Local: Users authenticate with each computer individually, using accounts that are locally defined on each computer.

Domain

Enter the name of the Microsoft Active Directory (AD) domain to which the account in Username belongs. This field applies only if Level is Domain User.

Username

Enter the name of the account that the FortiScan appliance will use to log in to the assets. This field appears only if you have enabled one of the authentication methods (Windows Share(SMB) or SSH).

Password

Type the password for the account in Username. This field appears only if you have enabled one of the authentication methods (Windows Share(SMB) or SSH).

SSH

Enable to authenticate using secure shell (SSH). Also configure Enable Sudo, RSA Private Key, DSA Private Key, Username, and Password.

Enable Sudo

Mark the check box to use the sudo or su command (depending on the host’s operating system) to gain superuser privileges when they are required for the appliance to be able to execute a command, such as when viewing files with restrictive permissions that were created by the root superuser. This option applies only for assets running Linux or Solaris.


RSA Private Key

If you want to authenticate using Rivest, Shamir and Adleman (RSA) keys instead of Username and Password, type the RSA-style private key. Also install the public key in the keychain of every asset in the group. This option applies only for assets running Linux or Solaris.

DSA Private Key

If you want to authenticate using digital signature algorithm (DSA) keys instead of Username and Password, type the DSA-style private key. Also install the public key in the keychain of every asset in the group. This option applies only for assets running Linux or Solaris.

SNMP v2c

Enable to authenticate using simple network management protocol (SNMP). Also configure Community Strings.

Community Strings

Enter the name of the SNMP community to which the assets belong, such as public. The appliance will use this name when sending queries to assets in the group.

5. Select OK.
The empty new group appears in the asset selection tree under its parent group. Continue by adding assets to the group. (See “To add an asset to an asset group:”.)

To add an asset to an asset group:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).
3. In the asset selection tree, select All Assets, Ungrouped Assets, or another group that already contains the asset. The contents of the group appear in the asset inventory pane.
4. In the asset inventory pane, do one of the following:
• To add a single asset, in the row of the asset that you want to add, select the Copy Asset/Group icon.
• To add multiple assets, mark the check boxes for each asset that you want to add, then on the toolbar, select Copy.
(When you add an asset to a group, you are actually copying a reference to the asset from the asset inventory and placing the reference in the group.) The Copy Asset dialog appears in the asset editor pane.
5. In the dialog’s Asset Group Parent tree, select the group to which you want to add the asset(s), and then select OK.

Assets cannot be added to automatic groups such as All Assets and Ungrouped Assets.

The asset(s) are added to the group.


Removing an asset from an asset group

You can remove an asset from any asset group that you created. Any asset removed from a group is not deleted from the inventory: you can add it to a group again later from automatically-maintained groups such as All Assets.

To remove an asset from an asset group:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).
3. In the asset selection tree, select the group from which you want to remove the asset.

Assets cannot be removed from groups automatically maintained by the FortiScan appliance, such as All Assets.

The contents of the group appear in the asset inventory pane.
4. In the asset inventory pane, for the asset that you want to remove, select the Remove Asset from Group icon.
The asset is removed only from the group you selected. When you remove an asset from a group, you are actually removing a reference to the asset; the original asset remains in the asset inventory unless you delete it. For information on deleting and retiring assets, see “Deleting and retiring assets” on page 199.

Moving an asset between groups

You can move assets between administrator-defined asset groups. The asset is removed from the source group and added to the destination group.

To move an asset to a different administrator-defined group:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).
3. In the asset selection tree, select the group that contains the asset.

Assets cannot be moved from groups automatically maintained by the FortiScan appliance, such as All Assets.

The contents of the group appear in the asset inventory pane.
4. In the asset inventory pane, do one of the following:
• To move a single asset, in the row corresponding to the asset, select the Move Asset icon.
• To move multiple assets, mark the check boxes for the assets you want to move, then on the toolbar, select Move.
5. In the Asset Group Parent tree, select the destination asset group.


6. Select OK.
The selected asset or assets are removed from the first group and added to the second group.

Moving an asset group

You can move any administrator-defined asset group to a different parent group.

To move an asset group to a different parent group:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).
3. In the asset selection tree, select the parent group that contains the asset group. The contents of the group appear in the asset inventory pane.
4. In the asset inventory pane, do one of the following:
• To move a single asset group, in the row of the asset group that you want to move, select the Move Asset Group icon.
• To move multiple asset groups, mark the check boxes for the groups you want to move, then in the toolbar, select Move.
The Move Asset Group dialog appears in the asset editor pane.
5. In the Asset Group Parent tree, select the destination asset group.

You cannot move an asset to or from automatically-maintained asset groups such as All Assets.

You cannot move an asset group to a new parent group if that parent already contains an existing group with the same name.

6. Select OK.
The selected asset groups are removed from the first group and added to the second group.

Renaming and changing the criticality of an asset group

You can edit an administrator-defined asset group to change its name or criticality (Business Impact) rating.

You cannot rename automatically-maintained asset groups such as All Assets.


To edit an asset group:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).
3. In the asset selection tree, select the parent group that contains the asset group. The contents of the parent asset group appear in the asset inventory pane.
4. In the asset inventory pane, in the row for the asset group that you want to rename, select the Edit Asset Group icon. The Rename Asset Group dialog appears.
5. If you want to rename the group, in the Name field, type a new name for the asset group.

All group names within the same parent group must be unique.

6. If you want to modify the group’s criticality rating, from the Business Impact list, select a different value.
7. Select OK.

Deleting an asset group

You can delete any administrator-defined asset group. All contained asset groups will also be deleted.

You cannot delete automatically-maintained asset groups such as All Assets.

To delete an asset group:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).
3. In the asset selection tree, select the parent group that contains the asset group. The contents of the parent asset group appear in the asset inventory pane.
4. In the asset inventory pane, do one of the following:
• To delete a single asset group, in the row corresponding to the asset group that you want to delete, select the Delete Asset Group icon.
• To delete multiple asset groups, mark the check boxes for the groups you want to delete, then on the toolbar, select Delete.
The confirmation dialog appears in the editor pane.
5. Select OK.
The asset group and any sub-groups it contained are deleted. However, the assets still exist in their other groups.
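The grouping rules in the procedures above (membership is a reference to an inventory asset, automatic groups such as All Assets and Ungrouped Assets are read-only, names must be unique within a parent, and deleting a group deletes its sub-groups but never the assets) can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not FortiScan code; the class and method names are assumptions, and treating Ungrouped Assets as "referenced by no administrator-defined group" is an assumption the guide does not spell out.

```python
"""Reference-based asset grouping as the guide describes it (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional

AUTOMATIC_GROUPS = {"All Assets", "Ungrouped Assets"}  # maintained by the appliance


class GroupError(ValueError):
    """Raised for the operations the guide says are not allowed."""


@dataclass
class AssetGroup:
    name: str
    business_impact: str = "Medium"  # Critical, High, Medium, Low or Minor
    parent: Optional["AssetGroup"] = None
    children: Dict[str, "AssetGroup"] = field(default_factory=dict)
    members: List[str] = field(default_factory=list)  # asset ids, i.e. references

    @property
    def automatic(self) -> bool:
        return self.name in AUTOMATIC_GROUPS


class Inventory:
    def __init__(self) -> None:
        self.assets: Dict[str, dict] = {}
        self.root = AssetGroup("Preferred Assets")  # parent of top-level groups
        self.all_assets = AssetGroup("All Assets")
        self.ungrouped = AssetGroup("Ungrouped Assets")

    def discover(self, asset_id: str, hostname: str) -> None:
        self.assets[asset_id] = {"hostname": hostname}
        self.all_assets.members.append(asset_id)
        self.ungrouped.members.append(asset_id)

    def create_group(self, name: str, parent: AssetGroup, business_impact: str = "Medium") -> AssetGroup:
        if parent.automatic:
            raise GroupError(f"{parent.name} cannot be a group parent")
        if name in parent.children:  # names are unique within a parent
            raise GroupError(f"{parent.name} already contains a group named {name!r}")
        group = AssetGroup(name, business_impact, parent)
        parent.children[name] = group
        return group

    def add_asset(self, asset_id: str, group: AssetGroup) -> None:
        if group.automatic:
            raise GroupError(f"assets cannot be added to {group.name}")
        if asset_id not in self.assets:
            raise KeyError(asset_id)
        if asset_id not in group.members:
            group.members.append(asset_id)  # copy a reference, not the asset
        if asset_id in self.ungrouped.members:
            self.ungrouped.members.remove(asset_id)

    def remove_asset(self, asset_id: str, group: AssetGroup) -> None:
        if group.automatic:
            raise GroupError(f"assets cannot be removed from {group.name}")
        group.members.remove(asset_id)  # the asset itself stays in the inventory
        if not any(asset_id in g.members for g in self.admin_groups()):
            self.ungrouped.members.append(asset_id)  # assumption: no group references it

    def move_asset(self, asset_id: str, source: AssetGroup, destination: AssetGroup) -> None:
        self.remove_asset(asset_id, source)
        self.add_asset(asset_id, destination)

    def move_group(self, group: AssetGroup, new_parent: AssetGroup) -> None:
        if group.automatic or new_parent.automatic or group.parent is None:
            raise GroupError("automatic groups cannot be moved or be a parent")
        if group.name in new_parent.children:
            raise GroupError(f"{new_parent.name} already contains a group named {group.name!r}")
        del group.parent.children[group.name]
        group.parent = new_parent
        new_parent.children[group.name] = group

    def delete_group(self, group: AssetGroup) -> None:
        if group.automatic or group.parent is None:
            raise GroupError(f"{group.name} cannot be deleted")
        for child in list(group.children.values()):
            self.delete_group(child)  # contained groups are deleted too
        for asset_id in list(group.members):
            self.remove_asset(asset_id, group)  # assets survive in their other groups
        del group.parent.children[group.name]

    def admin_groups(self) -> Iterator[AssetGroup]:
        """Every administrator-defined group, depth first."""
        stack = list(self.root.children.values())
        while stack:
            group = stack.pop()
            yield group
            stack.extend(group.children.values())


def rejected(action) -> bool:
    """True if the action is refused with GroupError (shows the guide's restrictions)."""
    try:
        action()
    except GroupError:
        return True
    return False
```

The point worth noticing is in remove_asset and delete_group: neither touches self.assets or All Assets, which is exactly the guide's statement that removing references never deletes inventory.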


Configuring asset-specific settings

From Asset > Summary > Asset Inventory, when you select a host’s Open Asset to View Detail icon, several tabs appear in the asset editor pane. Two of them enable you to configure settings specific to the asset:
• Configuration tab
• Custom Fields tab
Some settings apply to any asset, while others apply only to assets where you have installed a FortiScan agent.

Configuring the appliance with an asset login

If you will be running authenticated remote vulnerability scans, the FortiScan appliance requires authentication information about each target host. For more information see “Agentless Setup” on page 153.

To configure the appliance with a login to the asset:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Summary > Asset Inventory.
3. Select a host’s Open Asset to View Detail icon. In the asset editor pane, several tabs appear.
4. Select the Configuration tab.

Figure 55: Asset inventory configuration tab


5. Configure the following settings:

Default ADOM

The ADOM whose authentication settings the asset will use. Also see Set Current ADOM as Default ADOM. This option appears only if an asset is assigned to more than one ADOM. For details, see “Administrative Domains (ADOMs)” on page 93.
Note: ADOM-wide authentication settings are used only if you have not overridden them using either Group Default Authentication or Authentication.

Set Current ADOM as Default ADOM

To set Default ADOM for this asset to the administrative domain that is currently selected in the left-hand navigation menu (Current ADOM), mark this check box, then select Save. This option appears only if an asset is assigned to more than one ADOM. For details, see “Administrative Domains (ADOMs)” on page 93.

Agent Properties

The FortiScan agent settings and survey intervals for this specific asset (see “Overriding the ADOM’s survey intervals” on page 196). When an asset is first discovered, its agent uses the ADOM’s survey settings (see “Configuring the ADOM’s connections from FortiScan agents” on page 105). To override these settings, clear each setting’s corresponding Set to Global check box, then enter the new survey settings that will be specific to this asset.

Latest Survey

The date and time of the most recent survey.

Detailed Survey Interval (minutes)

Enter the interval (in minutes) between each detailed survey that this asset’s FortiScan agent will send to the appliance.
Note: Specifying a shorter interval for numerous assets can cause a noticeable increase in network load. See “Survey intervals and network load” on page 25.
Note: Do not configure an interval that is shorter than the time it takes this specific asset to process a survey. It will adversely affect the asset’s performance. For example, if it takes a specific computer 7 minutes to create and send a detailed survey, but you set the detailed survey interval to 5 minutes, then that computer would constantly be producing detailed survey data.


Standard Survey Interval (minutes)

Enter the interval (in minutes) between each standard survey that this asset’s FortiScan agent will send to the appliance.
Note: The standard survey interval cannot be greater than the detailed survey interval. For information on the differences between standard and detailed surveys, see “Agent scan status” on page 26.
Note: Specifying a shorter interval for numerous assets can cause a noticeable increase in network load. See “Survey intervals and network load” on page 25.
Note: Do not configure an interval that is shorter than the time it takes this specific asset to process a survey. It will adversely affect the asset’s performance. For example, if it takes a specific computer 7 minutes to create and send a detailed survey, but you set the detailed survey interval to 5 minutes, then that computer would constantly be producing detailed survey data.

Check for Dispatch Interval (minutes)

Enter the interval (in minutes) between each connection that this asset’s FortiScan agent will make to check for any dispatches, such as configuration updates, patch updates, or services that the agent should run.

Command Channel Interval (minutes)

Enter the interval (in minutes) between each connection that this asset’s FortiScan agent will make using the command channel to check with the FortiScan appliance for any administrative operations, such as stopping or restarting, that the agent should perform.

Enable Administrator Survey Data

Mark this check box to enable this asset’s FortiScan agent to report connected administrators to the FortiScan appliance. This option is disabled by default. You may want to disable this option for servers (such as domain controllers for Microsoft Active Directory) with large numbers of connected administrators, since this could create very large detailed surveys that take a significant amount of time to generate and send to the appliance.

Enable Group Survey Data

Mark this check box to enable this asset’s FortiScan agent to include a list of the asset’s configured user groups with each detailed survey it sends to the FortiScan appliance. This option is disabled by default. You may want to leave this option disabled for servers (such as domain controllers for Microsoft Active Directory) with large numbers of groups, since this could create very large detailed surveys that take a significant amount of time to generate and send to the appliance.

Asset Criticality

Criticality

Select the criticality level of this asset, based upon its importance to your organization and/or the security of your network: Highest, High, Medium, Low, or Lowest. See “Risk: prioritizing your business-critical machines” on page 27.


Applied Policies

A list of policies that have been applied to this asset. To apply a different policy, see “Achieving real-time compliance via policies” on page 347.

Authentication

Mark the check box for each type of authentication you want the FortiScan appliance to use when logging in to this asset to run authenticated network vulnerability scans (see “Agentless Vulnerability Scans” on page 228). Available authentication methods include:
• Windows Share (SMB)
• SSH
• SNMP v2c
Note: These settings override both Group Default Authentication and ADOM Default Authentication.
Tip: Alternatively, you can configure common authentication settings for all assets in the group or ADOM. See Group Default Authentication in “Grouping assets” on page 181, and ADOM Default Authentication in “Administrative Domains (ADOMs)” on page 93. If assets belong to more than one ADOM, also see Default ADOM in “Configuring the appliance with an asset login” on page 189.

Windows Share (SMB)

Enable to use Microsoft Windows-style server message block (SMB)/common internet file system (CIFS) authentication with the asset. Also configure Level, Domain, Username, and Password.

Level

Select either:
• Domain User: Users authenticate through a central server, using accounts that are defined on a Microsoft Active Directory (AD) domain controller.
• Local: Users authenticate with each computer individually, using accounts that are locally defined on each computer.

Domain

Enter the name of the Microsoft Active Directory (AD) domain to which the account in Username belongs. This field applies only if Level is Domain User.

Username

Enter the name of the account that the FortiScan appliance will use to log in to the asset. This field appears only if you have enabled one of the authentication methods (Windows Share (SMB) or SSH).

Password

Type the password for the account in Username. This field appears only if you have enabled one of the authentication methods (Windows Share (SMB) or SSH).

SSH

Enable to authenticate using secure shell (SSH). Also configure Enable Sudo, RSA Private Key, DSA Private Key, Username, and Password.

Enable Sudo

Mark the check box to use the sudo or su command (depending on the host’s operating system) to gain superuser privileges when they are required for the appliance to be able to execute a command, such as when viewing files with restrictive permissions that were created by the root superuser. This option applies only for assets running Linux or Solaris.

RSA Private Key

If you want to authenticate using Rivest, Shamir and Adleman (RSA) keys instead of Username and Password, type the RSA-style private key. Also install the public key in the keychain of the asset. This option applies only for assets running Linux or Solaris.

DSA Private Key

If you want to authenticate using digital signature algorithm (DSA) keys instead of Username and Password, type the DSA-style private key. Also install the public key in the keychain of the asset. This option applies only for assets running Linux or Solaris.

SNMP v2c

Enable to authenticate using simple network management protocol (SNMP). Also configure Community Strings.

Community Strings

Enter the name of the SNMP community to which the asset belongs, such as public. The appliance will use this name when sending queries to the asset.
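The three authentication tables on this page (Group Default Authentication, ADOM Default Authentication and the per-asset Authentication tab) form a precedence chain, and the Default ADOM setting decides which ADOM's defaults apply when an asset sits in several ADOMs. The following Python is an added illustration written for this page, not FortiScan code: it resolves which layer supplies an asset's scan credentials and checks the per-method requirements the tables state (Domain at Domain User level, Username and Password or a private key for SSH, key authentication and sudo only on Linux or Solaris, a community string for SNMP v2c). The dict layout, the rule that the first layer with any method enabled wins as a whole, and the use of the first listed group that has settings are assumptions; the sample hosts and ADOMs are constructed.

```python
"""Effective scan credentials for an asset (added illustration, not FortiScan code)."""
from typing import Dict, List, Tuple

UNIX_LIKE = {"Linux", "Solaris"}              # where sudo and key authentication apply
WELL_KNOWN_COMMUNITIES = {"public", "private"}  # vendor defaults worth flagging


def validate_method(method: str, cfg: dict, os_name: str) -> List[str]:
    """Problems with one enabled method's settings; an empty list means usable."""
    problems: List[str] = []
    if method == "smb":
        if cfg.get("level") == "Domain User" and not cfg.get("domain"):
            problems.append("SMB at Domain User level needs Domain")
        if not (cfg.get("username") and cfg.get("password")):
            problems.append("SMB needs Username and Password")
    elif method == "ssh":
        has_key = bool(cfg.get("rsa_key") or cfg.get("dsa_key"))
        if not cfg.get("username"):
            problems.append("SSH needs Username")
        if not has_key and not cfg.get("password"):
            problems.append("SSH needs Password or an RSA/DSA private key")
        if (has_key or cfg.get("sudo")) and os_name not in UNIX_LIKE:
            problems.append("key authentication and sudo apply only to Linux or Solaris")
    elif method == "snmp":
        community = cfg.get("community", "")
        if not community:
            problems.append("SNMP v2c needs a community string")
        elif community in WELL_KNOWN_COMMUNITIES:
            problems.append(f"SNMP community {community!r} is a well-known default")
    else:
        problems.append(f"unknown method {method!r}")
    return problems


def resolve_auth(asset: dict, groups: List[dict], adoms: Dict[str, dict]) -> Tuple[str, dict, List[str]]:
    """Return (source, settings, problems) for the credentials a scan would use.

    Precedence follows the guide: asset Authentication, then Group Default
    Authentication, then the ADOM Default Authentication of the asset's
    Default ADOM (required when the asset belongs to more than one ADOM)."""
    if len(asset["adoms"]) > 1:
        adom = asset.get("default_adom")
        if adom not in asset["adoms"]:
            raise ValueError("asset in several ADOMs has no valid Default ADOM")
    else:
        adom = asset["adoms"][0]

    layers = [("asset", asset.get("auth", {}))]
    layers += [(f"group:{g['name']}", g.get("auth", {})) for g in groups]
    layers.append((f"adom:{adom}", adoms[adom].get("auth", {})))

    for source, auth in layers:
        if auth:  # first layer with any method enabled wins (assumption)
            problems = [p for m, cfg in auth.items() for p in validate_method(m, cfg, asset["os"])]
            return source, auth, problems
    return "none", {}, ["no authentication configured at any level"]


# Constructed sample data: two ADOMs, one asset group, three hosts.
ADOMS = {
    "Finance": {"auth": {"smb": {"level": "Domain User", "domain": "CORP",
                                 "username": "svc-scan", "password": "<placeholder>"}}},
    "Shared": {"auth": {}},
}
GROUPS = [{"name": "Databases",
           "auth": {"ssh": {"username": "scan", "rsa_key": "<private key placeholder>", "sudo": True}}}]
DB01 = {"hostname": "db01", "os": "Linux", "adoms": ["Finance", "Shared"], "default_adom": "Finance"}
SW01 = {"hostname": "sw01", "os": "Other", "adoms": ["Shared"], "auth": {"snmp": {"community": "public"}}}
WS01 = {"hostname": "ws01", "os": "Windows", "adoms": ["Finance"]}

if __name__ == "__main__":
    for host in (DB01, SW01, WS01):
        print(host["hostname"], resolve_auth(host, GROUPS if host is DB01 else [], ADOMS))
```

Running it shows db01 scanned with the group's SSH key, ws01 falling through to the Finance ADOM's domain account, and sw01 flagged because its asset-level SNMP community is a vendor default.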

Indicating asset criticality

Default criticality levels are assigned automatically, by algorithm, when an asset is initially discovered or otherwise added to the asset inventory. You can manually reconfigure the criticality level if it is not accurate.

To modify an asset’s criticality level:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).
3. In the asset navigation tree, select the group that contains the asset whose criticality level you want to change. The contents of the selected asset group appear in the asset inventory pane.
4. In the row corresponding to the asset, select its Open Asset to View Detail icon. Several tabs containing details on the selected asset appear in the asset editor pane.
5. Select the Configuration tab. Agent configuration details appear, including the Asset Criticality area.


Figure 56: Asset configuration details

6. From the Criticality list, select the asset’s degree of importance to your organization or the security of your network.
7. Select Save.

Entering an asset description

Normally, assets are listed on the Web-based Manager primarily by host name. If an asset does not have a host name, a description of the asset will be displayed instead. If neither a host name nor a description exists, then the asset’s IP address will be displayed. However, because different hosts on separate NAT segments might have the same IP address, this might not be sufficient for you to be able to tell them apart. A description can help. You can enter a description for each asset in your ADOM.

To enter an asset description for an asset:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).
3. In the asset navigation tree, select the group that contains the asset whose description you want to change. The contents of the selected asset group appear in the asset inventory pane.
4. In the row corresponding to the asset, select its Open Asset to View Detail icon. Several tabs containing details on the selected asset appear in the asset editor pane.
5. Select the Configuration tab. Agent configuration details appear, including the Asset Description area.


Figure 57: Asset configuration details

6. In the Asset Description area, enter a description of the asset.
7. Select Save.

Configuring custom fields

The Custom Fields tab displays the custom fields configuration for a host. Before you can configure these custom settings, you must first define them: the setting’s name, its possible values, and defaults, if any. For details, see “Defining Custom Fields” on page 418.

Alternatively, you can import custom fields values for many assets at once. See “Importing custom field data” on page 422.

To configure the Custom Fields tab:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Summary > Asset Inventory.
3. Select a host’s Open Asset to View Detail icon. In the asset editor pane, several tabs appear.
4. Select the Custom Fields tab.


Figure 58: Custom fields tab

5. Configure the following settings:

Custom Fields

Name

Displays the custom field’s name and data type (text, number, or date).

Current Value

Displays the currently configured value.

Possible Value

Select from the list of valid values, if any has been configured.

Default Value

Displays the default value, if any has been configured.

Restore Default

Select to set Current Value to the value in Default Value. This icon appears only if you have configured a default value for the custom field.

To edit a custom field’s value, from Possible Value, select the new value, then select Save. To restore a custom field’s value to its default (if it has one), select the Restore Default icon, then select Save.

Overriding the ADOM’s survey intervals

By default, assets will use survey intervals and other settings for your ADOM configured in System > Server Settings > Asset Communication (see “Configuring the ADOM’s connections from FortiScan agents” on page 105). However, you can override those settings on a per-asset basis, either by:
• editing the agent configuration file (see “Editing a FortiScan agent’s settings file” on page 135)
• using the Web-based Manager, as described in this section
Overrides can be useful, for example, if you have highly critical assets that you want to survey more often to guarantee compliance, or if you have servers with many accounts that normally change frequently, making it undesirable to include users and groups in detailed surveys.

To override the ADOM’s survey intervals & settings for an asset:
1. From Current ADOM, select the name of the ADOM whose survey settings you want to configure.
2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).


3. In the asset navigation tree, select the group that contains the asset that you want to use survey intervals and settings different from the global settings. The contents of the selected asset group appear in the asset inventory pane.
4. In the row corresponding to the asset, select its Open Asset to View Detail icon. Several tabs containing details on the selected asset appear in the asset editor pane.
5. Select the Configuration tab. Agent configuration details appear, including the Agent Properties area (see Table 55 on page 189).
6. In the Agent Properties area, for each setting where you want to override the ADOM’s survey settings and use settings specific to this asset, clear its Set to Global check box.

Figure 59: Agent properties section


7. Configure the following settings:

Detailed Survey Interval (minutes)

Enter the interval (in minutes) between each detailed survey that this asset’s FortiScan agent will send to the appliance.
Note: Specifying a shorter interval for numerous assets can cause a noticeable increase in network load. See “Survey intervals and network load” on page 25.
Note: Do not configure an interval that is shorter than the time it takes this specific asset to process a survey. It will adversely affect the asset’s performance. For example, if it takes a specific computer 7 minutes to create and send a detailed survey, but you set the detailed survey interval to 5 minutes, then that computer would constantly be producing detailed survey data.

Standard Survey Interval (minutes)

Enter the interval (in minutes) between each standard survey that this asset’s FortiScan agent will send to the appliance.
Note: The standard survey interval cannot be greater than the detailed survey interval. For information on the differences between standard and detailed surveys, see “Agent-based surveys” on page 24.
Note: Specifying a shorter interval for numerous assets can cause a noticeable increase in network load. See “Survey intervals and network load” on page 25.
Note: Do not configure an interval that is shorter than the time it takes this specific asset to process a survey. It will adversely affect the asset’s performance. For example, if it takes a specific computer 7 minutes to create and send a detailed survey, but you set the detailed survey interval to 5 minutes, then that computer would constantly be producing detailed survey data.

Check for Dispatch Interval (minutes)

Enter the interval (in minutes) between each connection that all assets’ FortiScan agents will make to check for any dispatches, such as configuration updates, patch updates, or services that the agent should run. The default is 5 minutes.

Command Channel Interval (minutes)

Enter the interval (in minutes) between each connection that all assets’ FortiScan agents will make using the command channel to check with the FortiScan appliance for any administrative operations, such as stopping the agent or restarting, that the agent should perform. The default is every 17 minutes.


Enable User Survey Data

Mark this check box to enable FortiScan agents to include a list of the asset’s configured user accounts with each detailed survey it sends to the FortiScan appliance. This option is disabled by default.
Caution: Do not enable this option unless necessary. Some hosts, such as domain controllers for Microsoft Active Directory, could potentially list thousands of users, causing detailed surveys to take a significant amount of time to generate and send to the appliance.

Enable Group Survey Data

Mark this check box to enable FortiScan agents to include a list of the asset’s configured user groups with each detailed survey it sends to the FortiScan appliance. This option is disabled by default.
Caution: Do not enable this option unless necessary. Some hosts, such as domain controllers for Microsoft Active Directory, could potentially list thousands of user groups, causing detailed surveys to take a significant amount of time to generate and send to the appliance.

8. Select Save.
Changes are applied to each protected asset when it next connects.
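The Agent Properties tables on this page state several constraints that are easy to violate when overriding many assets by hand: the standard interval may not exceed the detailed interval, no interval should be shorter than the time the asset needs to produce a survey, short intervals across many agents multiply network load, and user or group survey data on a host with thousands of accounts bloats detailed surveys. The following Python is an added illustration written for this page, not FortiScan code: it applies per-asset overrides on top of ADOM-wide settings (a key present in the overrides plays the role of a cleared Set to Global box) and checks the result against those rules. The 5 and 17 minute defaults for the dispatch and command channel intervals are the guide's; the ADOM-wide survey intervals and per-asset survey times in the sample are constructed, and the function names are assumptions.

```python
"""Checking per-asset survey overrides against the guide's rules (added illustration)."""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class AgentSettings:
    detailed: int             # Detailed Survey Interval (minutes)
    standard: int             # Standard Survey Interval (minutes)
    dispatch: int = 5         # Check for Dispatch Interval (minutes); default from the guide
    command: int = 17         # Command Channel Interval (minutes); default from the guide
    user_data: bool = False   # Enable User Survey Data
    group_data: bool = False  # Enable Group Survey Data


def effective_settings(adom: AgentSettings, overrides: Dict[str, object]) -> AgentSettings:
    """Per-asset result: a key in overrides is a setting whose Set to Global box
    was cleared; every other setting stays ADOM-wide."""
    unknown = set(overrides) - set(AgentSettings.__dataclass_fields__)
    if unknown:
        raise KeyError(f"no such agent setting: {sorted(unknown)}")
    return replace(adom, **overrides)


def check_settings(s: AgentSettings, survey_minutes: float, many_accounts: bool = False) -> List[str]:
    """Return the rule violations the guide warns about (empty list = acceptable).

    survey_minutes is how long this asset takes to create and send a survey
    (a measured value, constructed in the samples below)."""
    problems: List[str] = []
    for name, value in (("detailed", s.detailed), ("standard", s.standard),
                        ("dispatch", s.dispatch), ("command", s.command)):
        if value <= 0:
            problems.append(f"{name} interval must be a positive number of minutes")
    if s.standard > s.detailed:
        problems.append("standard survey interval cannot be greater than the detailed survey interval")
    for name, value in (("detailed", s.detailed), ("standard", s.standard)):
        if 0 < value < survey_minutes:
            problems.append(f"{name} interval of {value} min is shorter than the "
                            f"{survey_minutes} min this asset needs per survey")
    if many_accounts and (s.user_data or s.group_data):
        problems.append("user/group survey data on a host with many accounts "
                        "makes detailed surveys very large")
    return problems


def agent_connections_per_hour(fleet: List[AgentSettings]) -> float:
    """Fleet-wide agent connections per hour (surveys plus dispatch and command
    channel checks), the quantity that drives the network load the guide warns about."""
    return sum(60.0 / s.detailed + 60.0 / s.standard + 60.0 / s.dispatch + 60.0 / s.command
               for s in fleet)


if __name__ == "__main__":
    adom_wide = AgentSettings(detailed=1440, standard=60)          # constructed ADOM values
    critical_server = effective_settings(adom_wide, {"detailed": 120, "standard": 10})
    print(critical_server, check_settings(critical_server, survey_minutes=7))
    too_tight = effective_settings(adom_wide, {"detailed": 5, "standard": 5})
    print(check_settings(too_tight, survey_minutes=7))               # the guide's 7 vs 5 example
    print(agent_connections_per_hour([critical_server] * 200))
```

A practitioner would run check_settings over every override before saving, and would compare agent_connections_per_hour for the fleet before and after a bulk change rather than reasoning about one asset at a time.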

Deleting and retiring assets

Assets in a network come and go — older computers are taken out of service, placed in storage, sold, or scrapped. You can remove intentionally disconnected assets from the list of known assets, either by:
• Retirement: Appropriate for computers that are taken out of service temporarily, but may be returned at any time, such as surplus computers that have been put into storage.
• Deletion: Appropriate for computers that are taken offline and are not expected to be reconnected.

Before an asset can be deleted or retired, its Agent Scan Status must be Disconnected. For details, see “Agent scan status” on page 26.

If you are logged in as the admin administrator, you can also un-assign an asset from the ADOM instead of deleting it or retiring it. For details, see “Manually assigning assets to an ADOM” on page 100.

To delete an asset:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).


3. In the asset navigation tree, select the group that contains the asset you want to delete. The contents of the selected asset group appear in the asset inventory pane.
4. In the asset inventory pane, mark the check box of each asset you want to delete. If you want to delete all the assets in a group, mark the check box at the top of the column to select all of the group’s assets.
5. On the toolbar, select Delete. A confirmation dialog appears.
6. Select OK.
Each selected asset is removed from the ADOM’s asset inventory database. All alerts pertaining to the asset are also deleted. Historical data on the asset is retained in the database for reporting purposes.

To retire an asset:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).
3. In the asset navigation tree, select the group that contains the asset you want to retire. The contents of the selected asset group appear in the asset inventory pane.
4. In the asset inventory pane, mark the check box of each asset you want to retire. If you want to retire all the assets in a group, mark the check box at the top of the column to select all of the group’s assets.
5. On the toolbar, select Retire. A confirmation dialog appears.
6. Select OK.
Each asset is marked as retired in the ADOM’s asset inventory. An abbreviated record of the asset is retained, enabling the asset to be quickly put back into service without having to discover it again. All alerts pertaining to the asset are deleted. Historical data on the asset is retained in the database for reporting purposes.

To reactivate a retired asset:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).
3. In the asset navigation tree, go to View Filters > By Status > Retired. The list of retired assets appears in the content pane.


Figure 60: Asset inventory (assets whose status is Retired)

4. In the asset inventory pane, mark the check box for each asset you want to reactivate. If you want to reactivate all the assets, mark the check box at the top of the column to select all retired assets.
5. On the toolbar, select Reactivate. Each formerly retired asset is returned to service and appears in the asset inventory under View Filters > By Status > Disconnected.
6. Start the FortiScan agent on the asset (see “Starting and stopping a FortiScan agent” on page 493).
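The three procedures above describe a small lifecycle: delete and retire both require an Agent Scan Status of Disconnected, both delete the asset's alerts and keep historical data for reporting, deletion removes the inventory record, and retirement keeps an abbreviated record so the asset can be reactivated (back to Disconnected, until its agent is started) without rediscovery. The following Python is an added illustration written for this page, not FortiScan code; the status names are the guide's, while the record layout, the choice of what an "abbreviated record" drops, and the sample asset are constructed assumptions.

```python
"""Delete, retire and reactivate as the guide describes them (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List


class AssetStateError(RuntimeError):
    """Raised when an action's precondition on Agent Scan Status is not met."""


@dataclass
class AssetRecord:
    hostname: str
    ip: str
    agent_status: str                      # Connected, Disconnected, Retired, ...
    alerts: List[str] = field(default_factory=list)
    history: List[str] = field(default_factory=list)  # survey and scan history, kept for reports
    detail: Dict[str, str] = field(default_factory=dict)  # full survey detail (assumption)


class AssetInventory:
    def __init__(self) -> None:
        self.records: Dict[str, AssetRecord] = {}
        self.retained_history: Dict[str, List[str]] = {}  # survives deletion, for reporting

    def add(self, asset_id: str, record: AssetRecord) -> None:
        self.records[asset_id] = record

    def _require_disconnected(self, asset_id: str) -> AssetRecord:
        record = self.records[asset_id]
        if record.agent_status != "Disconnected":
            raise AssetStateError(f"{asset_id}: Agent Scan Status is {record.agent_status}, "
                                  "must be Disconnected")
        return record

    def delete(self, asset_id: str) -> None:
        """Remove the asset from the inventory; alerts go with it, history is retained."""
        record = self._require_disconnected(asset_id)
        self.retained_history[asset_id] = list(record.history)
        del self.records[asset_id]

    def retire(self, asset_id: str) -> None:
        """Mark the asset Retired and keep only an abbreviated record."""
        record = self._require_disconnected(asset_id)
        record.alerts.clear()     # alerts pertaining to the asset are deleted
        record.detail.clear()     # abbreviated record: identity and history only (assumption)
        record.agent_status = "Retired"

    def reactivate(self, asset_id: str) -> None:
        """Return a retired asset to service; it is Disconnected until its agent starts."""
        record = self.records[asset_id]
        if record.agent_status != "Retired":
            raise AssetStateError(f"{asset_id}: only Retired assets can be reactivated")
        record.agent_status = "Disconnected"

    def by_status(self, status: str) -> List[str]:
        """Equivalent of View Filters > By Status in the asset navigation tree."""
        return sorted(i for i, r in self.records.items() if r.agent_status == status)


def blocked(action) -> bool:
    """True if the action is refused with AssetStateError."""
    try:
        action()
    except AssetStateError:
        return True
    return False
```

The check in _require_disconnected is the one operators most often trip over: an asset whose agent is still reporting cannot be retired or deleted, so the agent must be stopped (or the host taken offline) first.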

Viewing overall asset statistics

Asset > Summary > Asset Summary summarizes the results of the last survey received from your assets into charts, or, for devices where you have not installed a FortiScan agent, the number of unprotected assets. If some or all of your hosts have not been surveyed recently, the summary may be outdated. For details, see “Configuring the ADOM’s connections from FortiScan agents” on page 105.

Alternatively, you can view detailed information for each asset. See “Configuring asset-specific settings” on page 189.


Figure 61:Asset summary (select individual chart components to view details)

Charts and tables on this page include:
• Assets by Network Scan status chart
• Assets by Agent Scan status chart
• Assets by OS chart
• Assets by criticality chart
• Windows assets distribution chart
• Latest statistics table

Assets by Network Scan status chart

The Assets by Network Scan Status chart on Asset > Summary > Asset Summary in ADOMs other than Global displays the number of detected assets per asset status in the asset inventory, displayed as a bar graph.


Figure 62:Asset summary (Assets by network scan status chart)

Select a bar to view a list of hosts in that category.

If the number of assets with a status is zero, its bar will be omitted from the chart. To view a summary list of all assets with a specific status, select its bar in the chart. For example, selecting the Vuln-Scanned status bar brings up a list of all vulnerability scanned assets. For details, see “Viewing a chart’s asset summary” on page 206.

Assets by Agent Scan status chart

The Assets by Agent Scan Status chart on Asset > Summary > Asset Summary in ADOMs other than Global displays the number of detected assets per Agent Scan Status in the asset inventory, displayed as a bar graph.

Figure 63:Asset summary (Assets by agent scan status chart)

Select a bar to view a list of hosts in that category.

If the number of assets with a status is zero, its bar will be omitted from the chart. To view a summary list of all assets with a specific status, select its bar in the chart.


For example, selecting the Disconnected status bar brings up a list of all disconnected assets. For details, see “Viewing a chart’s asset summary” on page 206.

Assets by OS chart

The Assets by OS chart on Asset > Summary > Asset Summary in ADOMs other than Global displays the number of all detected assets per operating system (OS), displayed as a pie chart.

Figure 64:Asset summary (Assets by OS chart)

Select a pie chart segment to view a list of hosts in that OS family.

Then select the specific OS version in the Assets by OS column to focus the Asset Summary on only those hosts.

Possible slices in the pie chart are: Windows, Linux, SunOS (Oracle Solaris), FortiOS, or Other. To view a summary list of all assets with a specific OS, select its slice in the chart, then in the Assets by OS list, select the OS family and select a specific OS version. For details, see “Viewing a chart’s asset summary” on page 206.


Assets by criticality chart

The Assets by Criticality chart on Asset > Summary > Asset Summary in ADOMs other than Global displays the number of detected assets per criticality level, displayed as a bar graph.

Figure 65:Assets by criticality chart

Select to view a list of assets with this criticality level.

If the number of assets with a specific criticality level is zero, its bar will be omitted from the chart. To view a summary list of all assets with a specific criticality level, select its bar in the chart. For example, selecting the Medium bar brings up a list of all medium-criticality assets. For details, see “Viewing a chart’s asset summary” on page 206. For information on criticality levels, see “Risk: prioritizing your business-critical machines” on page 27.

Windows assets distribution chart

The Windows Assets Distribution chart on Asset > Summary > Asset Summary in ADOMs other than Global displays the number of all detected assets per version of Microsoft Windows, displayed as a pie chart. Possible Microsoft Windows versions in the pie chart are: Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 2003, Windows 2003 R2, Windows 2008, Windows 2008 R2, or Windows 2012.

Figure 66:Distribution of Windows assets chart

Select a segment to view a list of all assets with this Windows version.

To view a summary list of all assets with a specific Windows version, select its slice in the pie chart. For details, see “Viewing a chart’s asset summary” on page 206.


Latest statistics table

The Latest Statistics table on Asset > Summary > Asset Summary in ADOMs other than Global displays the number of assets discovered, disconnected, rebooted, and retired in the last 24 hours, as well as the total number of discovered assets.

Figure 67:Latest statistics table

To display an asset summary list for a specific category, select its number in the Count column. For details, see “Viewing a chart’s asset summary” on page 206. To download this table as a PDF or comma-separated values (CSV) spreadsheet file, select Export to PDF or Export to CSV.

Viewing a chart’s asset summary

When you select one of the parts in a graph or table on Asset > Summary > Asset Summary in ADOMs other than Global, a table (Asset Summary) appears in the content pane. The Asset Summary page provides brief information about the assets that make up that category of the chart or table. For example, in the Assets by Agent Scan Status chart, if you select Protected, a table appears that lists the assets that have a FortiScan agent installed, with some information on each of those assets. From this page, for each asset in the category, you can access more detailed information, including (indirectly) an asset’s history. To view an asset’s Asset Detail page, in the row corresponding to the asset, select its Connected IP Address column. For details, see “Viewing a chart’s asset details” on page 207.

Figure 68:Asset summary for hosts in a specific category


The following information is displayed:

Export to PDF

Select to download the page as a PDF file.

Export to CSV

Select to download the page as a comma-separated values (CSV) spreadsheet file.

Host Name

The host name of the asset.

Connected IP Address

The IP address of the asset. Select to view the Asset Detail page for the selected asset. See “Viewing a chart’s asset details” on page 207.

OS Type

The operating system (OS) family running on the asset.

OS Version

The version of the OS running on the asset.

Agent Version

The version of the FortiScan agent software installed on the asset.

Status

The protection and connectivity status of the asset: Protected, Registered, Disconnected, Unprotected, or Retired. Assets whose Agent Scan Status is not Protected will not participate when you schedule FortiScan agent-based scans. For details, see “Agent scan status” on page 26.

Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

Last Survey Time

Date and time of the last survey received from this asset’s FortiScan agent.

If the category contains more than 20 assets, you can select the page controls at the bottom of the pane to view additional items.

Viewing a chart’s asset details

After selecting a part of a chart or table on Asset > Summary > Asset Summary in ADOMs other than Global, a table summary of its component data appears (see “Viewing a chart’s asset summary” on page 206). From the Asset Summary table, when you select the Connected IP Address column for an asset, its Asset Detail page appears. The Asset Detail page provides detailed information about the asset. From this page, you can also access various histories about the asset. See:
• “Asset history” on page 210
• “Asset compliance history” on page 211
• “Asset vulnerability history” on page 214
• “Asset remediation history” on page 215

As an alternative to using a chart to view details for an asset in that chart, you can view any host’s details using the tabs in the Asset Inventory. For details, see “Configuring asset-specific settings” on page 189.


Figure 69:Asset detail appears after selecting a connected IP address in the asset summary

The following information is displayed:

Asset History

Select to view the asset’s history. See “Asset history” on page 210.

Compliance History

Select to view the asset’s compliance history. See “Asset compliance history” on page 211.

Vulnerability History

Select to view the asset’s vulnerability history. See “Asset vulnerability history” on page 214.

Remediation History

Select to view the asset’s remediation history. See “Asset remediation history” on page 215.

Asset Summary

Host Name

The host name of the asset.

IP Address

The IP address of the asset.

Agent Version

The version of the FortiScan agent installed on the asset.

Standard Survey Interval (min)

Time interval between the FortiScan agent’s standard surveys.

Detail Survey Interval (min)

Time interval between the FortiScan agent’s detailed surveys.

Status

The protection and connectivity status of the asset: Protected, Registered, Disconnected, Unprotected, or Retired. Assets whose Agent Scan Status is not Protected will not participate when you schedule FortiScan agent-based scans. For details, see “Agent scan status” on page 26.

Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.


Confidence

The confidence level that the data on this asset is correct, based upon its collection method:
• High: Data was collected by a FortiScan agent survey (see “Agent-based surveys” on page 24).
• Medium: Data was manually edited.
• Low: Data was collected by a discovery scan (see “Discovering your Network’s Hosts” on page 109). This is the default. Because some data required for accurate fingerprinting cannot be detected without authenticating and examining the host’s hardware and software, this type of data may not be as reliable as the data gathered by a FortiScan agent.
Confidence levels help to identify false positives in vulnerability assessments.

Remediation Strategy

The type of remediation strategy:
• Approval: Remediation requires FortiScan administrator approval before being applied to an asset.
• Automatic: Remediation is automatically applied to an asset.
See “Dispatching remediations” on page 409.

Boot Time

The date and time stamp of when the asset last started up, such as 2011-06-21 09:39:28 PDT.

Operating System & BIOS

OS Type

The operating system (OS) family installed on the asset, such as Microsoft Windows 7 Professional, 64-bit.

OS Version

The OS version installed on the asset, such as Service Pack 1 (Build 7601).

BIOS Vendor

The basic input/output system (BIOS) or extensible firmware interface (EFI) vendor, such as APPLE - ac.

BIOS Version

The BIOS version. For hosts that have an EFI instead of a BIOS, this field may be unknown.

CPU


Family

The central processing unit (CPU) architecture family, such as Intel64 Family 6 Model 23 Stepping 10.

Model

The CPU make and model, such as Intel(R) Core(TM)2 Duo CPU T9600 @ 2.80GHz

Speed

The CPU speed in megahertz (MHz), such as 2768 MHz

Count

The number of CPU processors.

Utilization

The CPU utilization in percent of its total capability, such as 14%.


Hard Disk Drive & Random Access Memory (in MB)

Total HDD

Total hard drive capacity in megabytes (MB).

Free HDD

Available hard drive capacity in megabytes (MB).

Total RAM

Total random access memory (RAM) installed in megabytes (MB).

Free RAM

Available random access memory (RAM) in megabytes (MB).

Asset history

The Asset History page displays the hardware and configuration change history for a specific asset. To view the Asset History page, go to the Asset Detail page for the asset whose change history you want to view (see “Viewing a chart’s asset details” on page 207), then select the Asset History link.

Figure 70:Asset history page

The following information is displayed:

Asset Detail

Select to return to viewing the asset’s details. See “Viewing a chart’s asset details” on page 207.

Compliance History

Select to view the asset’s compliance history. See “Asset compliance history” on page 211.

Vulnerability History

Select to view the asset’s vulnerability history. See “Asset vulnerability history” on page 214.

Remediation History

Select to view the asset’s remediation history. See “Asset remediation history” on page 215.

Asset History

A history of all changes made to the asset, in reverse chronological order (most recent first):


Operation

The type of change that occurred on the asset:
• INSERT: A new attribute was created or configured.
• UPDATE: An existing attribute was modified.
• DELETE: An existing attribute was deleted.

Attribute

The name of the configuration item that was changed.

Date Modified

The date that the asset was modified.

Modified By

The name of the user account on the asset which modified the asset, such as root or Administrator.

Old Value

The previous value of the attribute.

New Value

The new value of the attribute.

Export to PDF

Select to download the page as a PDF file.

Export to CSV

Select to download the page as a comma-separated values (CSV) spreadsheet file.
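The Asset History rows above are the output of comparing successive views of an asset's attributes. The following Python is an added example, not code from the guide or from FortiScan, showing how such a history can be derived: it diffs two attribute sets into INSERT, UPDATE and DELETE rows with the guide's column names, builds a newest-first history across several surveys, and lets you pull out every change to one attribute (for instance, to audit unexpected agent version changes). The sample surveys, timestamps and the "root" account are constructed for the example; the real appliance's data model is not assumed.

```python
# Constructed sample: the attributes reported by two consecutive surveys of one
# asset (hypothetical values, not taken from the guide).
OLD_SURVEY = {
    "OS Version": "Service Pack 1 (Build 7601)",
    "Agent Version": "5.0.1",
    "Total RAM": "8192",
    "BIOS Version": "A08",
}
NEW_SURVEY = {
    "OS Version": "Service Pack 1 (Build 7601)",
    "Agent Version": "5.0.2",
    "Total RAM": "16384",
    "Virtual RAM": "4096",
}


def diff_surveys(old, new, modified_by, when):
    """Return Asset History rows describing how `old` became `new`.

    One row per changed attribute, using the three operations the guide lists:
    INSERT (attribute appeared), UPDATE (value changed), DELETE (attribute gone).
    """
    rows = []
    for attr in sorted(set(old) | set(new)):
        if attr not in old:
            op, old_val, new_val = "INSERT", "", new[attr]
        elif attr not in new:
            op, old_val, new_val = "DELETE", old[attr], ""
        elif old[attr] != new[attr]:
            op, old_val, new_val = "UPDATE", old[attr], new[attr]
        else:
            continue  # unchanged attributes produce no history row
        rows.append({
            "Operation": op,
            "Attribute": attr,
            "Date Modified": when,
            "Modified By": modified_by,
            "Old Value": old_val,
            "New Value": new_val,
        })
    return rows


def asset_history(surveys, modified_by):
    """Build the full history from a list of (timestamp, attributes), oldest first.

    Returns rows newest first, which is how the Asset History page orders them.
    """
    rows = []
    for (_, before), (when, after) in zip(surveys, surveys[1:]):
        rows.extend(diff_surveys(before, after, modified_by, when))
    # Timestamps are "YYYY-MM-DD HH:MM:SS" strings, so lexical order is chronological.
    rows.sort(key=lambda r: r["Date Modified"], reverse=True)
    return rows


def changes_to(rows, attribute):
    """Filter the history to one attribute, e.g. to audit every Agent Version change."""
    return [r for r in rows if r["Attribute"] == attribute]


if __name__ == "__main__":
    history = asset_history(
        [("2013-09-25 09:00:00", OLD_SURVEY), ("2013-09-26 09:00:00", NEW_SURVEY)],
        modified_by="root",
    )
    for r in history:
        print(r["Date Modified"], r["Operation"], r["Attribute"],
              repr(r["Old Value"]), "->", repr(r["New Value"]))
```

Attributes are compared by exact string value, so a value that is merely reformatted by a newer agent shows up as an UPDATE; normalise values before diffing if that noise matters for your review.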

Asset compliance history

The Asset Compliance History page displays the compliance scan history for a specific asset. To view the Asset Compliance History page, go to the Asset Detail page for the asset whose compliance history you want to view (see “Viewing a chart’s asset details” on page 207), then select the Asset Compliance History link.

Figure 71:Asset compliance history page


The following information is displayed:

Asset Detail

Select to return to viewing the asset’s details. See “Viewing a chart’s asset details” on page 207.

Asset History

Select to view the asset’s change history. See “Asset history” on page 210.

Vulnerability History

Select to view the asset’s vulnerability history. See “Asset vulnerability history” on page 214.

Remediation History

Select to view the asset’s remediation history. See “Asset remediation history” on page 215.

Compliance History

Benchmark Name

The name of the benchmark used during the compliance scan.

Profile Name

The name of the benchmark rule subset used during the compliance scan.

Audit Count

The number of compliance scans (audits) that were performed using the benchmark rule subset specified in Profile Name. Select to view the asset’s profile compliance history for a selected benchmark. See “To view the asset profile compliance history page:” on page 212.

To view the asset profile compliance history page:
1. From Current ADOM, select an ADOM that is not Global. Asset information is specific to each ADOM. The menu in the next step is not available when Current ADOM is Global.
2. Go to Asset > Summary > Asset Summary.
3. Select a part of a chart or table that categorizes the asset whose compliance history you want to view. For example, if you wanted to view the compliance history for a protected asset, in the Assets by Status chart, you could select the Protected bar in that chart. The Asset Summary table appears (see “Viewing a chart’s asset summary” on page 206).
4. From the Asset Summary table, select the Connected IP Address column for an asset. The Asset Detail page appears.
5. Select the Asset Compliance History link. The Asset Compliance History page appears.
6. Select the Audit Count value for the benchmark you want to view. The Asset Profile Compliance History page appears.


Figure 72:Asset profile compliance history

7. The following information is displayed:

Asset Detail

Select to return to viewing the asset’s details. See “Viewing a chart’s asset details” on page 207.

Asset History

Select to view the asset’s change history. See “Asset history” on page 210.

Vulnerability History

Select to view the asset’s vulnerability history. See “Asset vulnerability history” on page 214.

Remediation History

Select to view the asset’s remediation history. See “Asset remediation history” on page 215.

Compliance History by Profile

A history of compliance assessment profiles applied to the asset, according to benchmark:

Profile Name

The name of the benchmark rule subset used during the compliance scan.

Scan Time

The date and time that the compliance scan was performed on the asset.

Applied By

The name of the administrator account which applied the profile.

Scan Status

The result of the compliance scan.

Score

The compliance assessment score. Select to view the Asset Compliance Details page (see “Viewing the score breakdown” on page 337).


Export to PDF

Select to download the page as a PDF file.

Export to CSV

Select to download the page as a comma-separated values (CSV) spreadsheet file.


8. To view the asset compliance details for a specific assessment profile, in the Compliance History by Profile list, select the Score value in the row for the selected profile. The Asset Compliance Details page appears. For details, see “Viewing the score breakdown” on page 337.

Asset vulnerability history

The Asset Vulnerability History page displays the vulnerability history for a specific asset. To view the Asset Vulnerability History page, go to the Asset Detail page for the asset whose vulnerability history you want to view (see “Viewing a chart’s asset details” on page 207), then select the Asset Vulnerability History link.

Figure 73:Asset vulnerability history page

The following information is displayed:

Asset Detail

Select to return to viewing the asset’s details. See “Viewing a chart’s asset details” on page 207.

Asset History

Select to view the asset’s change history. See “Asset history” on page 210.

Compliance History

Select to view the asset’s compliance history. See “Asset compliance history” on page 211.

Remediation History

Select to view the asset’s remediation history. See “Asset remediation history” on page 215.

Vulnerability History

A vulnerability history for the selected asset, in reverse chronological order (most recent vulnerability first).


IP Address

The IP address of the asset.

Vulnerability ID

OVAL ID of the vulnerability issue.

Vulnerability Name

Name of the vulnerability issue.


Severity

Severity of the vulnerability, based on the CVSS score:
• Low: CVSS score is 0.0 to 3.9
• Medium: CVSS score is 4.0 to 6.9
• High: CVSS score is 7.0 to 10.0

CVSS Score

Common Vulnerability Scoring System (CVSS) score.

CVSS Vector

Select to view the components from which the CVSS score was calculated. Opens an external link to the NIST National Vulnerability database.

CVE

Select to view the entry in the Common Vulnerabilities and Exposures (CVE) dictionary for the selected vulnerability. Opens an external link to the NIST National Vulnerability database.

Date Detected

The date and time that the vulnerability scan detected the vulnerability.

Status

Remediation status of the vulnerability.

Export to PDF

Select to download the page as a PDF file.

Export to CSV

Select to download the page as a comma-separated values (CSV) spreadsheet file.

Asset remediation history

The Asset Remediation History page displays the remediation history for a specific asset. To view the Asset Remediation History page, go to the Asset Detail page for the asset whose remediation history you want to view (see “Viewing a chart’s asset details” on page 207), then select the Asset Remediation History link.

Figure 74:Asset remediation history page

The following information is displayed:

Asset Detail

Select to return to viewing the asset’s details. See “Viewing a chart’s asset details” on page 207.

Asset History

Select to view the asset’s change history. See “Asset history” on page 210.

Compliance History

Select to view the asset’s compliance history. See “Asset compliance history” on page 211.

Vulnerability History

Select to view the asset’s vulnerability history. See “Asset vulnerability history” on page 214.


Remediation History

A remediation history for the selected asset in reverse chronological order, with the most recent remediation at the top.

IP Address

The IP address of the asset.

Remediation ID

Remediation identification number.

Name

Descriptive name of remediation.

Dispatched by

The name of the administrator account which dispatched the remediation.

Status

Remediation result status.

Dispatched Time

The date and time that the remediation was dispatched.

Export to PDF

Select to download the page as a PDF file.

Export to CSV

Select to download the page as a comma-separated values (CSV) spreadsheet file.


Survey Data from FortiScan Agents

From Asset > Summary > Asset Inventory in ADOMs other than Global, when you select a host’s Open Asset to View Detail icon, several tabs appear in the asset editor pane. Each tab provides a different type of detailed information about the asset. Some can configure per-asset settings and policies. See:
• “Hardware and OS” on page 217
• “Configuring the appliance with an asset login” on page 189
• “Overriding the ADOM’s survey intervals” on page 196
• “Indicating asset criticality” on page 193
• “Entering an asset description” on page 194
• “Configuring custom fields” on page 195
• “Administrators, users, and groups” on page 219
• “Installed patches” on page 220
• “Processes” on page 221
• “Devices and drivers” on page 223
• “Network” on page 223
• “File system” on page 225
• “Installed software” on page 226

As an alternative to using the tabs in Asset > Summary > Asset Inventory to view details for an asset, you can view a host’s details using the charts and tables of the Asset Summary. For details, see “Viewing a chart’s asset details” on page 207.

Hardware and OS

The General tab displays basic hardware, operating system (OS), and the last survey received from a host.

To view the General tab:
1. From Current ADOM, select an ADOM that is not Global. Asset inventories are specific to each ADOM. The menu in the next step is not available when Current ADOM is Global.
2. Go to Asset > Summary > Asset Inventory.
3. Select a host’s Open Asset to View Detail icon. In the asset editor pane, several tabs appear. The General tab is frontmost and visible.


Figure 75:Asset inventory general tab

The following information is displayed:

Network Identity

Host Name

The host name of the asset.

IP Address

The IP address of the asset.

Data Confidence

The confidence level that the data on this asset is correct, based upon its collection method:
• High: Data was collected by a FortiScan agent survey (see “Agent-based surveys” on page 24).
• Medium: Data was manually edited.
• Low: Data was collected by an asset discovery scan (see “Discovering your Network’s Hosts” on page 109). This is the default. Because some data required for accurate fingerprinting cannot be detected without authenticating and examining the host’s hardware and software, this type of data may not be as reliable.
Confidence levels help to identify false positives in vulnerability assessments.

Communication Information

Displays recent connections and surveys.

Last Contact

Date and time of last connection.

Last Contact Action

Action performed at last connection.

Most Recent Survey

Date and time the last survey was received from the host’s FortiScan agent.

Boot Time

Date and time the host was last started or restarted.

Operating System

Operating System

Operating system (OS) running on the host.


Version

OS version or build.

Hard Drives

Total Hard Drive Capacity

Total hard drive capacity in megabytes (MB)

Total Hard Drive Free

Unused hard drive capacity in megabytes (MB)

BIOS Manufacturer

Boot firmware manufacturer

BIOS Version

Boot firmware version

CPU Family

CPU family type

CPU Model

CPU chipset model

CPU Speed

CPU speed (MHz)

CPU Count

Number of CPU processors

CPU Utilization

CPU percent utilization rate

RAM Total

Total random access memory (RAM) installed on asset

RAM Utilization

Percent of RAM in use

Virtual RAM

Size of virtual RAM


Administrators, users, and groups

The Administrators/Groups tab displays system administrator account, user account, and group information about an asset, including which accounts are currently logged in to the host.

To view the Administrators/Groups tab:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Summary > Asset Inventory.
3. Select a host’s Open Asset to View Detail icon. In the asset editor pane, several tabs appear.
4. Select the Administrators/Groups tab.


Figure 76:Asset inventory administrators/groups tab

The following information is displayed:

Administrator

The administrator accounts defined on the asset

Groups

The groups defined on the asset

Connected Administrators

The administrators who were connected to the asset at the time of the last survey.

Installed patches

The Installed Patches tab displays information about which patches and hot fixes have been installed on a host.

To quickly find a specific installed patch or hot fix, you can search for software installed on an asset. For details, see “Search for software or processes” on page 227.

To view the installed patches tab:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Summary > Asset Inventory.
3. Select a host’s Open Asset to View Detail icon. In the asset editor pane, several tabs appear.
4. Select the Installed Patches tab.


Figure 77:Asset inventory installed patches tab

Processes

The Processes tab displays information about the processes, such as services, daemons, and applications, running on a host at the time of the last query.

To quickly find a specific running process, you can search for software installed on an asset. For details, see “Search for software or processes” on page 227.

Process information can be obtained either by FortiScan agent surveys, or between surveys by creating and dispatching a remediation template that contains the Get process file info action (see “Get process file info” on page 555). If you dispatch the Get processes action instead of Get process file info, only the process names and process IDs (PIDs) will be returned — the remaining fields will be blank. To repopulate the other fields, wait for the next survey, or dispatch the Get process file info action to the asset.

To view the processes tab:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Summary > Asset Inventory.
3. Select a host’s Open Asset to View Detail icon. In the asset editor pane, several tabs appear.
4. Select the Processes tab.


Figure 78:Asset inventory processes tab

The following information is displayed:

Processes

Lists all the processes running on the selected asset at the time of the last survey.

PID

Process identification number

Process Name

Process executable file name

Process Path

Directory path of process

Size

Size of executable file

Owner

Process owner

Permissions

Executable file permission settings

Creation Time

Date and time executable file was created.

Modification Time

Date and time executable file was last modified.

MD5

Message-digest algorithm 5 (MD5) takes a message of arbitrary length as input and produces a 128-bit message digest, or fingerprint, of that input. MD5 is a way to verify data integrity, and is much more reliable than a simple checksum and many other commonly used methods. The FortiScan appliance collects and displays MD5 values for running processes on Windows, Linux, and Solaris systems.

Export

Select to export the displayed information to a comma-separated value (CSV) spreadsheet file. Note: Microsoft Excel may not display time values correctly by default. After you open a CSV file in Excel, you may have to reformat the column containing the creation time and modification time values.
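One practical use of the MD5 column is comparing a current process list against a baseline export taken when the host was known good: a changed digest for the same executable name means the binary was modified or replaced, and names that appear or disappear are worth a look. The following Python is an added example, not code from the guide or from FortiScan. It parses a CSV laid out with the Processes tab's column names (the file's exact header row is an assumption; the rows are constructed for the example), hashes files the same way the appliance reports them, and classifies each executable as ok, changed, new or missing. MD5 is used here only because it is what the tab shows; MD5 is no longer collision-resistant, so for new baselines a SHA-2 digest is the better choice where your tooling offers one.

```python
import csv
import hashlib
import io
import os
import tempfile

# Constructed CSV in the shape of the Processes tab export. The column names are
# the tab's field names; every value below is made up for this example.
BASELINE_CSV = """PID,Process Name,Process Path,Size,Owner,Permissions,Creation Time,Modification Time,MD5
1204,svc.exe,C:\\Example\\bin,5,SYSTEM,rwx,2013-09-01 10:00:00,2013-09-01 10:00:00,5d41402abc4b2a76b9719d911017c592
1311,agent.exe,C:\\Example\\bin,3,SYSTEM,rwx,2013-09-01 10:00:00,2013-09-01 10:00:00,900150983cd24fb0d6963f7d28e17f72
1420,updater.exe,C:\\Example\\bin,0,SYSTEM,rwx,2013-09-01 10:00:00,2013-09-01 10:00:00,d41d8cd98f00b204e9800998ecf8427e
"""


def md5_of_file(path, chunk_size=1 << 16):
    """Hex MD5 of a file, hashed in chunks so large executables are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_baseline(csv_text):
    """Parse a Processes-tab CSV export into {process name: md5}, normalising digest case."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Process Name"]: row["MD5"].strip().lower() for row in reader}


def hash_directory(directory):
    """Hash every file in a directory, keyed by file name (stands in for a fresh process survey)."""
    return {name: md5_of_file(os.path.join(directory, name)) for name in os.listdir(directory)}


def compare_to_baseline(baseline, current):
    """Classify each executable against the baseline.

    ok       digest matches the baseline
    changed  same name, different digest: binary modified or replaced since the baseline
    new      running now but absent from the baseline
    missing  in the baseline but not running now
    """
    report = {}
    for name, digest in current.items():
        if name not in baseline:
            report[name] = "new"
        elif baseline[name] != digest:
            report[name] = "changed"
        else:
            report[name] = "ok"
    for name in baseline.keys() - current.keys():
        report[name] = "missing"
    return report


def demo():
    """Create constructed executables in a temp dir, tamper with one, and diff against the baseline."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in (("svc.exe", b"hello"), ("agent.exe", b"abc")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        with open(os.path.join(d, "svc.exe"), "ab") as f:
            f.write(b"\x90")  # simulate a modified binary
        with open(os.path.join(d, "new.exe"), "wb") as f:
            f.write(b"xyz")  # simulate a process that was not in the baseline
        return compare_to_baseline(load_baseline(BASELINE_CSV), hash_directory(d))


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:8} {name}")
```

Entries are keyed by executable name here for brevity; in practice key on the full Process Path plus name, since two different binaries can share a file name.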


Devices and drivers

The Devices tab displays information about the logical devices, such as drivers, on a host.

To view the devices tab:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Summary > Asset Inventory.
3. Select a host’s Open Asset to View Detail icon. In the asset editor pane, several tabs appear.
4. Select the Devices tab.

Figure 79:Asset inventory devices tab

The following information is displayed:

Devices

Name

The name of the logical device.

Path

The file path of the logical device.

Network

The Network tab displays information about a host’s network interfaces, current network connections, routing table, and address resolution protocol (ARP) table.

To view the network tab:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Summary > Asset Inventory.
3. Select a host’s Open Asset to View Detail icon. In the asset editor pane, several tabs appear.
4. Select the Network tab.


Figure 80:Asset inventory network tab

The following information is displayed:

Network Interfaces

Name

The type of adapter of the network interface, such as ethernet, ppp, other (which includes tunnels), or loopback.

Description

The description and link protocol of the network stack for the network interface, such as:
• Broadcom NetLink TM Gigabit Ethernet
• WAN Miniport PPTP
• Microsoft ISATAP Adapter

IP

The IPv4 address of the network interface, if any. For information on how assets with multiple IP addresses are handled by the FortiScan appliance, see “Assets with multiple IP addresses” on page 22.

MAC

The hexadecimal media access control (MAC) address of the network interface, if any.

Route Table

Name

The IPv4 destination address of packets that will match this row. (Each row describes a route in the asset’s routing table.) 0.0.0.0 matches all packet destinations, and indicates the default route. When a row matches a range of destination addresses rather than a single one, the range is indicated by Netmask.


Gateway

The IPv4 address of the next-hop router (gateway) that will receive all packets matching the route.

Netmask

The IPv4 address of the netmask, such as 255.255.255.0 or 0.0.0.0, which defines sets of IP addresses that match the route.

Page 224

FortiScan v5.0 MR1 Administration Guide

ARP Table IP

The IPv4 address of each host in the asset’s address resolution protocol (ARP) table.

MAC

The hexadecimal media access control (MAC) address of each host in the asset’s ARP table.

Dynamic

The type of the entry in the asset’s ARP table, such as Dynamic or Static.

Netstat Protocol

The name of the protocol used by each network connection with the asset at the time of the survey, such as TCP or UDP.

Local IP

The port number and IPv4 address of the local host for each network connection. If the connection is not yet established, the port number is shown as an asterisk ( * ).

Foreign IP

The port number and IPv4 address of the remote host to which the socket is connected. If the connection is not yet established, the port number is shown as an asterisk ( * ).

State

Indicates the TCP state of the network connection, such as ESTABLISHED or LISTEN. This column is empty for UDP connections. For more information about the states of a TCP connection, see RFC 793.

File system

The Files tab displays information about the file system on a host.

To view the files tab:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Summary > Asset Inventory.
3. Select a host’s Open Asset to View Detail icon. In the asset editor pane, several tabs appear.
4. Select the Files tab.

Figure 81: Asset inventory files tab

The following information is displayed:

Partitions: Displays a list of all the partitions configured on the asset.
Name: The name of the partition or drive, such as C:\.
Type: The type of partition or drive, such as CD-Rom Drive.
Size: The size of the partition or drive in megabytes (MB).

Installed software

The Installed Applications tab displays information about the software installed on a host. This list reflects installed software according to a method that varies by the asset’s OS. It does not, for example, list portable executables that have not actually been installed and are not present in the Windows registry. On Windows 7, to view this same list, you would open Programs and Features in the Control Panel.

To quickly find a specific installed application, you can search for software installed on an asset. For details, see “Search for software or processes” on page 227.

To view the installed applications tab:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Asset > Summary > Asset Inventory.
3. Select a host’s Open Asset to View Detail icon. In the asset editor pane, several tabs appear.
4. Select the Installed Applications tab.

Figure 82: Asset inventory installed applications tab

The following information is displayed:

Installed Applications: The software installed on the asset at the time of the last survey, such as Microsoft Internet Explorer 9.0.8112.16421 or NVIDIA Drivers 1.10.62.40.
Copy: Select to copy the entire list of installed applications to the FortiScan appliance’s memory. Later you can paste the list as a value for an Installed Applications condition when creating a policy. For details, see “Adding conditions to a compliance policy” on page 356. Note: You cannot use your computer’s clipboard to copy the list of applications.

Search for software or processes

Once the FortiScan appliance has received at least one detailed survey from an asset that is host to a FortiScan agent, it knows the processes and software running and installed on that asset. If you are looking for a specific process or application instead of browsing, or if you want to know how many assets have that same process or application, you can search for it.

Searching for software can be useful if, for example, you want to create a remediation or authorized software policy for specific assets that have unauthorized software such as pirated software, viruses, worms, or other malware.

To search for a process or application:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Asset > Inventory > Application Search.
3. From Search Type, select either Installed Application or Running Process, then, in the text box next to it, type the partial or complete name of the software or process, such as Acrobat.
4. Select Search. A list of assets with that process or software appears in the content pane.
5. To uninstall software, patch it, reconfigure it, or stop a process, dispatch a remediation. See “Dispatching remediations” on page 409.
6. To prevent the software or process from being installed or running in the future, create a policy. See “Achieving real-time compliance via policies” on page 347.

Agentless Vulnerability Scans

The Network Scan menu configures remote vulnerability scans and their resulting reports.

Vulnerabilities can occur due to problems such as flaws in software or insecure configuration. Network vulnerability scans can determine whether your organization’s computers have these weaknesses. Network vulnerability scans are suitable for scanning many types of hosts, including those running Microsoft Windows or Unix variants such as Linux and Solaris, as well as a variety of applications and services/daemons.

This topic includes:
• About vulnerability sensors
• Workflow
• Configuring remote vulnerability scans
• Viewing remote vulnerability scan reports
• Viewing host vulnerability statuses
• Viewing the vulnerability database
• Configuring network audit scans

About vulnerability sensors

Vulnerability sensors define which vulnerabilities to look for during a vulnerability scan. The filters in each sensor select from the pre-defined vulnerability signatures.

FortiScan appliances come with pre-defined sensors. You cannot modify or delete the pre-defined sensors. They are updated during FortiGuard Vulnerability Management Service engine and plug-in updates. However, you can add filters to group signatures into sensors for easy selection in profiles.

You can also define signatures for specific types of vulnerability scans in separate sensors, and then select those sensors in profiles designed to handle that type of vulnerability scan. For example, you could place all of the application-related signatures in a sensor, and that sensor could then be used by a profile intended for scanning host application vulnerabilities. For details on adding a vulnerability scan sensor, see “Configuring vulnerability scan sensors” on page 229.

Workflow

To run a network vulnerability scan:
1. Prepare your network topology and host settings for the scan to reach each target host. For details, see “Agentless Setup” on page 153. Remote vulnerability scans, unlike scans conducted by the FortiScan agent, do not require that you install an agent on the target host.

Note: Non-responsive hosts can dramatically increase the time required to complete the scan. FortiScan waits until the connection attempt times out in order to make sure that the host is indeed unreachable, rather than simply being affected by latency, etc.

2. Create an asset group that defines the IP addresses of the hosts that you want to scan (see “Grouping assets” on page 181).
3. If you want to run an authenticated network vulnerability scan, configure authentication settings that will allow the FortiScan appliance to log in to each asset. Login credentials can be configured at multiple levels. Authentication settings that are more specific override those at more general levels. From more general to more specific, these levels are:
• ADOM-wide (see “ADOM Default Authentication” on page 98)
• asset group-wide (see “Group Default Authentication” on page 184)
• individual asset (see “Authentication” on page 192)
4. Configure sensors to define which vulnerabilities you want to test for (see “Configuring vulnerability scan sensors” on page 229).
5. Configure scan profiles to specify the port numbers, sensors, and other options to be used when scanning hosts for vulnerabilities (see “Configuring network vulnerability scan profiles” on page 235).
6. Schedule network vulnerability scans (see “Scheduling network vulnerability scans” on page 241).

When vulnerability scans are completed, the following reports are generated:
• Summary report: Identifies overall network vulnerabilities discovered by all scans (see “Viewing host vulnerability statuses” on page 247)
• Scan report: Identifies network vulnerabilities discovered by each specific scan (see “Viewing remote vulnerability scan reports” on page 244)
• Compliance report: Reports on hosts’ compliance with PCI DSS (see “Using PCI DSS compliance reports” on page 305)

Configuring remote vulnerability scans

The Network Scan > Vulnerability Scan submenu contains the tools you need to define how your assets are scanned, when they are scanned, and the reports detailing the results.
• Configuring vulnerability scan sensors
• Configuring network vulnerability scan profiles
• Configuring report output for remote network vulnerability scans
• Scheduling network vulnerability scans
• Viewing remote vulnerability scan reports

Configuring vulnerability scan sensors

Network Scan > Vulnerability Scan > Sensor displays the list of pre-defined and administrator-defined vulnerability sensors. The FortiGuard Vulnerability Management Service periodically updates the pre-defined sensors, with sensors added to discover new threats.

Because the signatures included in a filter are selected by specifying signature attributes, new signatures matching an existing filter’s specification will automatically be included in that filter. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.

For information on displaying your FortiScan appliance’s database of currently known vulnerability signatures, see “Viewing the vulnerability database” on page 249.

To access this part of the Web-based Manager, your account’s Role must be Administrator. For details, see “Permissions” on page 33.

Figure 83: Sensor page

The following information is displayed:

Edit: Mark the check box of the sensor that you want to edit or view, then select Edit. Note: Only administrator-defined sensors may be edited. You cannot modify pre-defined sensors that are included with the firmware.
Delete: Mark the check box of one or more sensors that you want to delete, then select Delete.
View Vulnerability Details: Mark the check box of the sensor whose included vulnerability definitions you want to view, then select View Vulnerability Details.
(Check box in column heading. No label.): Mark the check box in the heading to select all of the entries.
Name: The name of the sensor.
# Entries: The total number of definitions in the sensor.
Profiles: The name of the vulnerability scan profile, if any, in which the sensor is used.
Comment: A description, if any, of the sensor.

To view a sensor:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Network Scan > Vulnerability Scan > Sensor.
3. Mark the check box for the sensor you want to view and select Edit on the toolbar. The sensor details page appears.

Figure 84: Sensor page

The following information is displayed:

Toolbar
View Vulnerability Details: View all of the vulnerabilities included in the selected sensor. This list is updated via the FortiGuard Vulnerability Management Service. Only one check box may be marked.

Filters:
Insert: Select a filter and then select Insert to place a new filter above the selection.
Move To: Select a filter and then select Move To to move the filter to a new position.
View Vulnerability Details: Select a filter and then select View Vulnerability Details to view all of the vulnerability signatures included in the filter.
#: Current position of each filter in the list.
Name: The filter name.
Type: Indicates whether the filter includes or excludes the matching vulnerability scan parameters.
Severity: The severity level of the vulnerabilities in the filter.
Category: The type of vulnerabilities included in the filter. The category includes application types, traffic types, and host types.
Authentication: The specified host type(s) to be scanned for vulnerabilities. The scan requires host authentication credentials. For information on host authentication credentials configuration, see “Configuring logins for third party updates” on page 107.
Existent: The attributes identified for the signatures. Only the signatures that have these attributes are used for this filter.
Non-existent: The attributes identified for the signatures. Only the signatures that do not have these attributes are used for this filter.
Last Update Time: The time period during which the updated signatures were used for the vulnerability scan. This is useful if you only want to use some signatures for a scan.

Overrides:
Overrides are configured and work mainly in the same way as filters. Unlike filters, each override defines the behavior of one or more specific signatures. Overrides can be used in two ways:
• To change the behavior of a signature already included in a filter. For example, to scan application vulnerabilities, you could create a filter that includes all signatures related to applications. If you wanted to disable one of those signatures, the simplest way would be to create an override and mark the signature as excluded.
• To add an individual signature, not included in any filters, to a sensor. This is the only way to add custom signatures to the sensors.
#: Current position of each override in the list.
Name: The override name.
Type: Indicates whether the override includes or excludes the specified vulnerability scan signatures.
FID: The specified Fortinet ID of the vulnerability scan signature to be included or excluded in the sensor. The FID is a unique identifier assigned by the FortiGuard Vulnerability Management Service.

To add a sensor:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Network Scan > Vulnerability Scan > Sensor.
3. Select Create New. The New Sensor dialog appears.
4. In Name, type a unique name for the network vulnerability scan sensor.
5. In Comment, type a description, if any, for the sensor.
6. Select OK. The dialog appears that enables you to add filters and overrides.
7. Configure filters for the sensor. For details, see “To configure a filter:” on page 232.
8. Configure any overrides for the sensor. For details, see “To configure an override:” on page 234.
9. Select OK.

To configure a filter:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Network Scan > Vulnerability Scan > Sensor.
3. Either:
• Select Create New to add a sensor. See “To add a sensor:” on page 232.
• Select an existing sensor and select Edit. The list of filters and overrides configured for the sensor appears.
4. In the Filters list toolbar, select Create New.

Figure 85: New filter window

5. Configure the following settings:

Name: The filter name.
Type: Select whether the filter includes or excludes the matching vulnerability scan signatures.
Severity: The severity level of the vulnerabilities in the filter. Select all or specify any particular levels. Severity defines the relative importance of each signature. Signatures rated critical detect the most dangerous vulnerabilities, while those rated as information detect issues that pose a much smaller risk.
Authentication: Specify the host type(s) to be scanned for vulnerabilities. The scan requires host authentication credentials. For information on host authentication credentials configuration, see “Configuring logins for third party updates” on page 107.
Category: The type of vulnerabilities included in the filter. The category includes application types, traffic types, and host types. Select all or specify any categories. Select the -> arrow to move the specified categories into the Selected field and the <- arrow to move them back.
Last Update Time: The time period during which the updated signatures will be used for the vulnerability scan. This is useful if you only want to use some signatures for a scan, to save time.
Top20 Group: Optionally, select to include Fortinet top 20 vulnerabilities or SANS (SANS Internet Storm Center) top 20 vulnerabilities in the filter.
Other Options: The attributes in a vulnerability signature. Select to refine the signatures used by the filter.
• Patch Availability: The availability of patches for the vulnerability on a host.
• CVE ID: The Common Vulnerabilities and Exposures ID of the signature. CVE IDs are unique, common identifiers for publicly known information security vulnerabilities.
• Bug Traq ID: The Bugtraq ID of this signature. Bugtraq is an electronic mailing list dedicated to issues about computer security.
• FortiGuard IPS Signature: The name of the FortiGuard IPS signature for this vulnerability.
• Vendor Reference: The remedy for the vulnerability recommended by the host vendor.
• Affected Hosts: The number of hosts affected by the vulnerability.
For each attribute, select one of:
Ignore: Ignore this attribute in the signature. All signatures, with or without this attribute, will be used for this filter.
Existent: Only use the signatures that have this attribute for this filter.
Non-existent: Only use the signatures that do not have this attribute for this filter.

6. Select OK. The new filter appears in the sensor’s list of filters.

To configure an override:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Network Scan > Vulnerability Scan > Sensor.
3. Either:
• Select Create New to add a sensor. See “To add a sensor:” on page 232.
• Select an existing sensor and select Edit. The list of filters and overrides configured for the sensor appears.
4. In the Overrides list toolbar, select Create New. The New Override dialog appears.
5. Configure these settings:

Figure 86: New override window

6. Configure the following settings:

Name: The name of the override.
Type: Select whether the override includes or excludes the specified vulnerability scan signatures (identified by FIDs).
FID: The Fortinet ID of the vulnerability signature to be included or excluded in the sensor. The FID is a unique identifier assigned by the FortiGuard VCM service. Select the Select Vulnerability ID icon to choose the FIDs and then select Import. The FIDs are inserted into this field. If you enter the FIDs manually, separate them with commas (,).

7. Select OK. The override appears in the sensor’s list of overrides.
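The way a sensor's filters and overrides combine to pick its signatures can be modelled in a few lines. The Python below is an added example, not FortiScan code: it assumes the semantics the guide describes (include/exclude filters matched on severity, category and Ignore/Existent/Non-existent attribute criteria; overrides by FID that take precedence), additionally assumes that when several filters match a signature the first one in the list decides, and uses constructed FIDs, signature names and attribute names.

```python
"""Model of how a sensor's filters and overrides select vulnerability signatures.

Added example, not FortiScan code. Assumed semantics, taken from the guide:
a filter includes or excludes every signature matching its severity, category
and attribute criteria (Ignore / Existent / Non-existent); an override
includes or excludes signatures by FID and takes precedence over filters.
Extra assumption: if several filters match, the first in the list (#) decides.
"""
from dataclasses import dataclass, field

ANY = "any"  # stands for "Select all" in the severity or category criterion

@dataclass(frozen=True)
class Signature:
    fid: int
    name: str
    severity: str          # critical / high / medium / low / information
    category: str          # application / traffic / host
    attributes: frozenset  # attribute names present on the signature

@dataclass
class Filter:
    name: str
    include: bool                                   # Type: include or exclude
    severities: set = field(default_factory=lambda: {ANY})
    categories: set = field(default_factory=lambda: {ANY})
    existent: set = field(default_factory=set)      # attributes that must be present
    non_existent: set = field(default_factory=set)  # attributes that must be absent
    # any attribute named in neither set is on Ignore

    def matches(self, sig: Signature) -> bool:
        if ANY not in self.severities and sig.severity not in self.severities:
            return False
        if ANY not in self.categories and sig.category not in self.categories:
            return False
        if not self.existent <= sig.attributes:
            return False
        return not (self.non_existent & sig.attributes)

@dataclass
class Override:
    name: str
    include: bool
    fids: set

def parse_fid_list(text: str) -> set:
    """Parse the manually typed FID field (comma-separated, as the guide says)."""
    return {int(part) for part in text.split(",") if part.strip()}

def resolve_sensor(signatures, filters, overrides) -> set:
    """Return the set of FIDs the sensor would scan for."""
    selected = set()
    for sig in signatures:
        decision = None
        for ov in overrides:                 # overrides win over filters
            if sig.fid in ov.fids:
                decision = ov.include
                break
        if decision is None:
            for flt in filters:              # first matching filter decides
                if flt.matches(sig):
                    decision = flt.include
                    break
        if decision:                         # unmatched signatures are not used
            selected.add(sig.fid)
    return selected

# Constructed sample signature database: FIDs, names and attributes are made up.
SIGNATURES = [
    Signature(1001, "App A remote code execution", "critical", "application",
              frozenset({"cve_id", "patch_availability"})),
    Signature(1002, "App B information leak", "low", "application",
              frozenset({"cve_id", "patch_availability"})),
    Signature(1003, "Service C weak cipher", "high", "traffic", frozenset({"cve_id"})),
    Signature(1004, "Custom local check D", "information", "host", frozenset()),
]

def example_sensor(signatures=SIGNATURES) -> set:
    """Two filters plus two overrides, resolved against a signature list."""
    filters = [
        # Placed first, so it wins over the include filter below for 1002.
        Filter("skip-noise", include=False, severities={"low", "information"}),
        # Application signatures with a patch available (Existent); CVE ID and
        # the other attributes stay on Ignore.
        Filter("app-with-patch", include=True, categories={"application"},
               existent={"patch_availability"}),
    ]
    overrides = [
        Override("drop-1001", include=False, fids=parse_fid_list("1001")),
        Override("add-custom", include=True, fids=parse_fid_list("1004")),
    ]
    return resolve_sensor(signatures, filters, overrides)

def with_new_signature() -> set:
    """A signature added by a later update that matches an existing filter is
    picked up without editing the sensor (constructed FID 1005)."""
    new = Signature(1005, "App E privilege escalation", "medium", "application",
                    frozenset({"patch_availability"}))
    return example_sensor(SIGNATURES + [new])
```

With the constructed data, example_sensor() resolves to {1004} (1001 is dropped by its override, 1002 by the earlier exclude filter) and with_new_signature() to {1004, 1005}, which shows why a newly published signature needs no sensor edit.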

Configuring network vulnerability scan profiles

Network Scan > Vulnerability Scan > Profile displays the list of configured network vulnerability scan profiles. Vulnerability scan profiles define what criteria are used to scan hosts for vulnerabilities.

FortiScan appliances are shipped with some pre-defined profiles:
• vcm_pci_profile: Using this profile gathers the data required in order to generate a report about a host’s PCI DSS compliance status. For more information, see “Scheduling network vulnerability scans” on page 241 and “What does PCI DSS compliance require?” on page 302.
• vcm_trend_profile: Using this profile shows a host’s remediation history, or how vulnerable the host has been over time.

You cannot modify or delete the pre-defined profiles. They are updated by FortiGuard Vulnerability and Compliance Management Service updates. However, you can create administrator-defined network vulnerability scan profiles. When configuring a profile, you can specify various ports, as well as the sensor to be used.

To access this part of the Web-based Manager, your account’s Role must be Administrator. For details, see “Permissions” on page 33.

Figure 87: Profile page

The following information is displayed:

Run: Mark the check box of a profile to select it, then select Run to scan the hosts in the group. A vulnerability report will be generated. See “Viewing remote vulnerability scan reports” on page 244.
Name: The name of the profile.
Sensor: The sensor used by this profile.

To create a profile:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Network Scan > Vulnerability Scan > Profile.
3. Select Create New. The Create Profile dialog appears.

Figure 88: Create profile window

4. Configure the following settings:

Name: Enter a name for the profile.
Vulnerability Scan: Enable to use a sensor with scans performed using this profile. Also configure Sensor.
Port Scan: Select the host ports to be scanned. A port must be selected for a profile.

TCP Ports
None: Select to disable TCP port scanning, or to scan only the custom TCP ports specified in the Additional field.
Full: Select to scan all TCP ports, from 1-65535. Note: This option can significantly increase the time required to complete a scan, especially when scanning many hosts, because FortiScan must wait for each unreachable port to time out in order to be sure that it is unreachable. For very large vulnerability scans, this could take days.
Standard: Select to scan a standard set of about 2,000 commonly used TCP ports.
Light: Select to scan a reduced set of about 160 commonly used TCP ports.
Additional: Mark the check box to enable scanning of additional TCP ports or port ranges, and enter the TCP ports or port ranges you want to scan. To scan only the entered ports, select None for the previous setting. Port ranges are defined with the start and end values separated by a hyphen, and ports and ranges are separated by commas. For example, a valid entry is: 6000-7000,9725,11000

UDP Ports
None: Select to disable UDP port scanning, or to scan only the custom UDP ports specified in the Additional field.
Full: Select to scan all UDP ports, from 1-65535. Note: This option can significantly increase the time required to complete a scan, especially when scanning many hosts, because FortiScan must wait for each unreachable port to time out in order to be sure that it is unreachable. For very large vulnerability scans, this could take days.
Standard: Select to scan a standard set of about 180 commonly used UDP ports.
Light: Select to scan a reduced set of about 30 commonly used UDP ports.
Additional: Mark the check box to enable scanning of additional UDP ports or port ranges, and enter the UDP ports or port ranges you want to scan. To scan only the entered ports, select None for the previous setting. Port ranges are defined with the start and end values separated by a hyphen, and ports and ranges are separated by commas. For example, a valid entry is: 6000-7000,9725,11000

Other Options
Perform TCP 3-way Handshake: Enable to establish a connection with the host using the TCP-standard 3-way handshake. Closing the connection is also performed the same way.
Scan Dead Host: Enable to scan hosts that appear to be unreachable. Some hosts may not respond to ICMP ECHO_REQUEST (pings) although they are still live. Enabling Scan Dead Host will force the FortiScan appliance to scan these hosts. Note: This option can significantly increase the time required to complete a scan, especially when scanning many hosts, because FortiScan must wait for each unreachable port to time out in order to be sure that it is unreachable. For very large vulnerability scans, this could take days.

5. Select OK.
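As an added example (not FortiScan code), the following Python parses the Additional port field syntax described above and combines it with the None or Full setting of the TCP/UDP Ports option; its validation rules (ports 1-65535, a range's start not greater than its end, no empty entries) and the idea of passing the Standard and Light preset contents in from the caller are this example's own assumptions.

```python
"""Parser for the Additional TCP/UDP port field of a FortiScan scan profile.

Added example, not FortiScan code. Syntax is the one the guide states:
ports and hyphenated start-end ranges separated by commas, e.g.
6000-7000,9725,11000. The validation rules are this example's assumptions.
"""
from __future__ import annotations

import re

MIN_PORT, MAX_PORT = 1, 65535
_ENTRY = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_spec(spec: str) -> set[int]:
    """Expand '6000-7000,9725,11000' into the set of port numbers it names.

    Raises ValueError on empty entries, non-numeric text, ports outside
    1-65535 or reversed ranges, so a typo cannot silently shrink the scan.
    """
    ports: set[int] = set()
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError(f"empty entry in port list {spec!r}")
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed port entry {entry!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else start
        if not (MIN_PORT <= start <= MAX_PORT and MIN_PORT <= end <= MAX_PORT):
            raise ValueError(f"port outside {MIN_PORT}-{MAX_PORT}: {entry!r}")
        if start > end:
            raise ValueError(f"reversed range {entry!r}")
        ports.update(range(start, end + 1))
    return ports


def effective_ports(preset: str, additional: str | None,
                    presets: dict[str, set[int]]) -> set[int]:
    """Combine the TCP/UDP Ports setting with the Additional field.

    None: only the Additional ports are scanned. Full: every port 1-65535.
    Standard/Light: taken from the caller-supplied preset sets, because the
    guide gives only their approximate sizes, not their contents (assumption).
    """
    if preset == "None":
        base: set[int] = set()
    elif preset == "Full":
        base = set(range(MIN_PORT, MAX_PORT + 1))
    else:
        base = set(presets[preset])
    return base | (parse_port_spec(additional) if additional else set())


def to_ranges(ports: set[int]) -> list[tuple[int, int]]:
    """Collapse a port set into sorted (start, end) ranges."""
    ranges: list[tuple[int, int]] = []
    for p in sorted(ports):
        if ranges and ranges[-1][1] == p - 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def format_ranges(ports: set[int]) -> str:
    """Render a port set back into the field syntax, e.g. '22,80-82,443'."""
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in to_ranges(ports))


if __name__ == "__main__":
    custom = effective_ports("None", "6000-7000,9725,11000", {})
    print(len(custom), format_ranges(custom))  # 1003 6000-7000,9725,11000
```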

Configuring report output for remote network vulnerability scans

You can configure the output of network vulnerability scan reports: whether it will appear in one or more file formats, save the reports of the selected file formats to the FortiScan appliance hard disk, e-mail the network scan report to recipients, and upload completed report files to a server accepting FTP, SFTP, or SCP.

You can make multiple report output templates and assign them to different report schedules. The report output templates are used when configuring a report schedule. For more information, see “Scheduling reports” on page 482.

When configuring the FortiScan appliance to e-mail a network scan report, you must first configure the appliance to connect to an e-mail server. For more information, see “Configuring Global Email Settings” on page 91. If the administrator’s e-mail client does not support HTML, the e-mail client will display the HTML code for the reports in the message body.

To configure a network scan report output template:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to System > Config > Output.
3. Select Create New.

Figure 89: New report output

4. Configure the following settings:

Name: Enter a name for the report output template. This name only concerns the report output configuration that you are configuring for your report, not the report itself.
Description: Enter a description for the report. This is optional.
Output Format: If you want to e-mail the report as an e-mail attachment, select one or more of the following file formats: HTML (default), PDF, MS Word (RTF), Text (ASCII), or MHT (Multi-purpose Internet Mail Extension HTML format).
Send Report by Mail: Verify this check box is marked. If you do not want to send a report by e-mail, clear the check box. If the check box is cleared, the available options under Send Report by Mail are hidden.

Only those file formats that are enabled in both the output template and the schedule’s output types are sent by e-mail. For example, if PDF and Text formats are selected in the output template, and then PDF and MHT are selected in the report schedule, the report’s file format in the e-mail attachment is PDF.


5. To send the network scan reports by e-mail, mark the Send Report by Mail check box, and configure the required e-mail information fields:

Compress Report Files: If you mark this check box, the report files will be compressed into a zip file, and that zip file is attached to the e-mail.
From: Enter the sender e-mail address, for the FortiScan appliance or for the administrator configuring the report.
Server: Select which e-mail server to use when the FortiScan appliance sends reports as an e-mail, or select Create New to configure a new e-mail server connection.
Recipient: Enter the e-mail addresses of the recipients of the report. Add multiple recipients by selecting Add after each e-mail address. These e-mail addresses display in the To list.
To: Displays the e-mail addresses added in Recipient. If you want to remove an e-mail address from the list, select the e-mail address you want removed, and then select Delete.
Attachment Name: Select Use Default if you want the attached report name to be the name given to the report when configuring the layout in Layout. Select Specify to enter a specific name for the attached report in the field. This name will appear as the attachment’s name, and is not the report’s actual name.
Subject: Enter a subject for the report e-mail. If you do not enter a subject, the subject line will be the name of the report.
Body: Enter text to include in the body of the e-mail message.

6. To upload the completed network scan report files to a server accepting FTP, SFTP, or SCP, mark the Upload Report to Server check box and configure the required server fields:

Server Type: Select which protocol to use when connecting to the upload server:
• FTP (File Transfer Protocol)
• SFTP (Secure File Transfer Protocol)
• SCP (Secure Copy Protocol)
IP Address: Enter the IP address of the upload server.
Username: Enter the user name the FortiScan appliance will use when connecting to the upload server.
Password: Enter the password the FortiScan appliance will use when connecting to the upload server.
Directory: Enter the directory path that the FortiScan appliance will upload the report to.
Upload report(s) in gzipped format: Enable to compress the report files using gzip format before uploading them to the server.
Delete file(s) after uploading: Enable to delete the report files from the FortiScan appliance hard disk after the FortiScan appliance has completed uploading the report files to the server.

These fields are only available when the Upload Report to FTP Server check box is marked. When sending reports to an FTP server, the following formats are sent: HTML, PDF and MHT.

7. Select OK to save the report output template.

To delete a network scan report output template:
1. Go to System > Config > Output.
2. Do one of the following:
• To delete one or more templates, mark the check box next to each template you want to delete.
• To delete all templates, mark the column heading check box. All the template check boxes are marked.
3. Select the Delete icon in the content pane toolbar.

Scheduling network vulnerability scans

Network Scan > Vulnerability Scan > Schedule displays the list of vulnerability scan schedules. Vulnerability reports are generated based on scheduled scans. Multiple schedules can be created to periodically generate the reports you require.

The time required to complete a remote vulnerability scan varies by:
• the number of target hosts
• the number of ports that you are scanning on each host
• whether the host responds quickly on those ports
For example, for a very comprehensive scan of many hosts that are not always responsive, the scan could take a couple of days to complete. For best results, wait for previous remote vulnerability scans to complete, and do not schedule reports concurrently.

To access this part of the Web-based Manager, your account’s Role must be Administrator. For details, see “Permissions” on page 33.

Figure 90: Schedule page

The following information is displayed:

Run: Run the selected scheduled scan immediately. Only one check box may be selected.
Pause: Pause running the selected scheduled scan. Only one check box may be selected.
Resume: Resume running the selected scheduled scan. Only one check box may be selected.
Cancel: Stop running the selected scheduled scan. Only one check box may be selected.
Name: The schedule name.
Target: The asset group on which the scheduled scan will be run.
Profile: The profile to be used for the schedule. For information about profiles, see “Configuring network vulnerability scan profiles” on page 235.
Schedule: The recurrence time of the schedule.
Effective Period: The starting date of the schedule.

To create a schedule for a vulnerability scan: 1. From Current ADOM, select the name of an ADOM that is not Global. 2. Go to Network Scan > Vulnerability Scan > Schedule. 3. Select Create New.

Fortinet Technologies Inc.

Page 242

FortiScan v5.0 MR1 Administration Guide

Figure 91:Create schedule

4. Configure the following settings: Name

Type a name for the vulnerability scan report.

Profile

Select the scan profile to be used. Alternatively, configure Enable PCI Compliance.

Enable PCI Compliance

Enable to use the pre-defined PCI DSS compliance scan profile. Enabling this option automatically populates the Profile field with the pre-defined PCI scan profile - vcm_pci_profile and the field becomes read-only. For more information about PCI compliance, see “What does PCI DSS compliance require?” on page 302.

Asset Group

Select which asset group to scan.

Schedule

Select either:
• Run Now: Select to specify an on-demand scan and report. A scan will run and a report will be generated immediately after the schedule is saved, and also whenever the Run Now icon is manually selected thereafter. (Reports will not be automatically periodically generated.) This is the default.
• Run Later: Select to have scan reports automatically generated at regular intervals. Also configure the times and dates of the recurring schedule and the schedule expiration date.
• Enable Suspend Scan: Select to configure the period of time in a day during which the scan is suspended.

Daily/Weekly/Monthly

Select Daily, Weekly, or Monthly to have a report automatically generated at the specified interval.

Start Date

Specify the date the first scheduled report is generated. From then on, it will be generated at daily, weekly, or monthly intervals.

Time

Specify the time of day the scheduled report will be generated.

Output Option

File output

Enable the formats in which the report will be generated. HTML is the default format. Any or all other available formats may be enabled.

Email/Upload

To have the report delivered to an e-mail address or FTP server, enable this option and select report output settings or create a new one. For more information about output templates, see “Configuring report output for remote network vulnerability scans” on page 238.

5. Select OK.

Viewing remote vulnerability scan reports

Report > Network Scan > Report lists the reports that have been generated for your ADOM’s completed remote vulnerability scans. Network vulnerability scan reports contain the results of vulnerability scans, whether those scans were initiated on demand or by schedule. Discovered vulnerabilities are added to the list of vulnerability alerts (see “Handling vulnerability alerts” on page 371).

Time required to complete a remote vulnerability scan varies by:
• the number of target hosts
• the number of ports that you are scanning on each host
• whether the host responds quickly on those ports

For example, a very comprehensive scan of many hosts that are not always responsive could take a couple of days to complete. For best results, wait for previous remote vulnerability scans to complete, and do not schedule reports concurrently.

To access this part of the Web-based Manager, your account’s Role must be Administrator. For details, see “Permissions” on page 33.

Name

The name of the report. The name is made up of the vulnerability scan profile name and the date and time the report was generated. Select the name to view the HTML version of the report.


Started

The date and time the report was started.

Finished

The date and time the report was completed. Looking at the Started and Finished times, you can calculate how long the FortiScan appliance took to generate the report.

Size (bytes)

The size, in bytes, of the HTML report.

Formats

The formats in which the report was generated. HTML is the default format and any others are listed here.


To view a vulnerability scan report:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Report > Network Scan > Report.
3. Select a report name.
The HTML version of the report appears in the content page. It includes the following:

Report Summary

Created

The date and time the report was generated.

Total Hosts

The number of hosts found during the scan on the targets.

Active Hosts

The number of reachable hosts found during the scan on the targets. A host is reachable if it replies to the host discovery methods.

Inactive Hosts

The number of unreachable hosts found during the scan on the targets.

PCI Compliance

Indicates whether or not you enabled the option Enable PCI Compliance in the scan schedule.

Start Time

The starting date and time of the report generation.

End Time

The ending date and time of the scan report generation.

VM Engine Version

The Vulnerability Management engine version number and date of last update. This is updated via the FortiGuard Distribution Network if you are a FortiGuard Vulnerability Management Service subscriber.

VM Plugin Version

The Vulnerability Management module version number and date of last update. This is updated via the FortiGuard Distribution Network if you are a FortiGuard Vulnerability Management Service subscriber.

Scan Profile

The name of the profile used by this scan schedule. It links to the Profile section of this report.

PCI Status

If you enabled PCI compliance for the profile used for the scan, this information appears. For more information about PCI compliance, see “What does PCI DSS compliance require?” on page 302.

Live IP Addresses Scanned

The active hosts scanned for PCI compliance.

Security Risk Rating

The vulnerability level rated for the host. There are 5 ratings, with 5 being the highest risk.


PCI Status

Indicates whether the host passed the PCI compliance scan:
• Passed: No vulnerabilities or potential vulnerabilities, as defined by the PCI DSS compliance standards set by the PCI Council, were detected on the host.
• Failed: At least one vulnerability or potential vulnerability, as defined by the PCI DSS compliance standards set by the PCI Council, was detected on the host.

Vulnerability Scan Summary

Vulnerabilities by Severity

The total number of vulnerabilities detected is presented in a table and chart by severity level.

Vulnerabilities by Category

The total number of vulnerabilities detected is presented in a table and chart by category.

Top 10 Vulnerable Hosts

The top 10 vulnerable hosts discovered with their IP addresses, total vulnerabilities of each host, and number of vulnerabilities under each severity level.

OS and Services Detected

Top 10 Operating Systems Detected

Lists the top 10 operating systems detected and the number of assets running each, with a chart showing the distribution by OS.

Top 10 Services Detected

Lists the top 10 services detected and the number of assets for each, with a chart showing the distribution by service.

Top 10 TCP Services Detected

Lists the top 10 TCP services detected and the number of assets for each, with a chart showing the distribution by TCP service.

Top 10 UDP Services Detected

Lists the top 10 UDP services detected and the number of assets for each, with a chart showing the distribution by UDP service.

Hosts

Lists the following information for each active host:
• Total vulnerabilities, scanned port type, and open ports.
• Number of vulnerabilities under each severity level.
• Number of vulnerabilities under each category.
• Operating system.
• Detailed vulnerability information by severity.

Profile

The configuration settings of the profile used by this scan schedule. For more information, see “Configuring network vulnerability scan profiles” on page 235.

Viewing host vulnerability statuses

Network Scan > Vulnerability Scan > Vulnerability Posture combines the results of the last scan of each defined host and summarizes the information in three ways:
• Vulnerabilities by severity level
• Top 10 vulnerability categories
• Top 10 vulnerable hosts by business risk

In addition, the page displays a list of the top ten vulnerabilities that is kept updated by the FortiGuard VCM subscription service. For information on scheduling FortiGuard service updates, see “Connecting to FortiGuard Services” on page 72.

To access this part of the Web-based Manager, your account’s Role must be Administrator. For details, see “Permissions” on page 33.

Vulnerabilities by severity level and top 10 categories

The two charts on the host status summary page give you an at-a-glance view of the vulnerabilities detected when your hosts were last scanned. The FortiScan appliance takes the results of the last scan performed on each host and combines them to form these two charts. Therefore, if some or all of your hosts have not been scanned recently, the summary may be out of date. Use recurring schedules to keep the summaries current.

Figure 92: Summary of vulnerabilities by severity level and category

The following information is displayed:

Vulnerabilities By Severity Level

The number of all detected vulnerabilities is displayed in a bar graph, broken down by severity level.

Top 10 Vulnerability Categories

The 10 most common vulnerability categories of all detected vulnerabilities are displayed in a pie graph.

Top 10 vulnerable hosts by business risk

The top 10 vulnerable hosts list shows the 10 hosts with the most significant business risk. Ratings are based on the business impact rating assigned to the host group, the vulnerabilities detected, and the severity levels of the detected vulnerabilities. The hosts appearing on this top 10 list should be the first to receive attention when increasing security on your network.


Figure 93: Summary of vulnerable hosts

The following information is displayed:

IP Address

The IP address of the host.

DNS Name

The DNS name of the host, if any.

NetBIOS Name

The NetBIOS name of the host, if any.

Business Impact

The business impact rating assigned to the group the host belongs to.

Average Security Risk

A calculated value indicating the security risk.

Business Risk

If the host is vulnerable, the business risk is a calculated value showing the degree of risk.

Number of Vulnerabilities

The number of vulnerabilities detected by the scan run on the host.

Last Scan Date

The time and date the host was last scanned.

Top 10 vulnerabilities

With a FortiGuard Vulnerability Management Service subscription, the vulnerability database is automatically updated as new vulnerabilities are discovered. The 10 most common vulnerabilities are listed in the Top 10 Vulnerabilities table. The table lists only the vulnerability name, severity, and Fortinet ID. To see additional information about a vulnerability, select the vulnerability name.

Figure 94: Top 10 vulnerabilities list


The following information is displayed:

Vulnerability Indicator

A red indicator will appear if the vulnerability was detected on a host during its most recent scan.

FID

The Fortinet ID of the vulnerability. The FID is a unique identifier assigned by the FortiGuard Vulnerability Management Service.

Severity

The vulnerability severity rating.

Title

The name of the vulnerability. Select the name for additional details.

Affected Hosts

The number of hosts affected by a vulnerability.

Viewing the vulnerability database

Network Scan > Vulnerability Scan > Vulnerability Database displays the list of vulnerabilities that your FortiScan appliance is currently capable of detecting. FortiScan appliances come with a default database of more than 10,000 vulnerabilities. For FortiGuard Vulnerability Management Service (VCM) subscribers, this database can be periodically updated via the FortiGuard Distribution Network (FDN) to receive definitions of the most recently discovered vulnerabilities. For details, see “Connecting to FortiGuard Services” on page 72.

You can configure sensors to define which subset of the vulnerability database will be used when scanning a host. For details, see “Configuring vulnerability scan sensors” on page 229.

To access this part of the Web-based Manager, your account’s Role must be Administrator. For details, see “Permissions” on page 33.

Figure 95: Vulnerability database

The following information is displayed:

Toolbar

Column Settings

Select to choose which columns are displayed, as well as their order. For more information, see “Displaying and arranging columns” on page 44.

List items


Filter (in column heading)

Select to filter only those vulnerabilities that do or do not contain your specified content in that column. By default, most column headings contain a gray filter icon, which becomes green when a filter is configured and enabled. The use of this filtering tool is similar to that of the log filtering tool. For more information, see “Filtering list entries” on page 45.

FID

The Fortinet ID of the vulnerability. The FID is a unique identifier assigned by the FortiGuard Vulnerability and Compliance Management Service.

Title

The name of the vulnerability. Select the name for additional details.

Authentication

The authentication type required to scan for this vulnerability. If the field is blank, no authentication is required.

Category

The part of a host in which the vulnerability exists. Example categories include, Operating System, Applications, File Transfer, and Email.

Severity

The vulnerability severity rating.

Affected Hosts

The number of hosts affected by a vulnerability.

Status

Select to enable or disable checking for any vulnerability. The green symbol indicates the vulnerability is enabled. The grey symbol indicates the vulnerability is disabled. All vulnerabilities are enabled by default. If a vulnerability is disabled, the FortiScan appliance will not check hosts for it, even if it is included in the scan profile.

FortiGuard IPS Signature

The name of the FortiGuard IPS signature for this vulnerability.

Last Update Time

The date when the vulnerability was last updated.

Patch Availability

The availability of patches for the vulnerability of a host.

CVE ID

The Common Vulnerabilities and Exposures ID of the vulnerability. CVE IDs are unique, common identifiers for publicly known information security vulnerabilities.

Bug Traq ID

The Bugtraq ID of this vulnerability. Bugtraq is an electronic mailing list dedicated to issues about computer security.

Compliance

The PCI compliance status of the vulnerability. For more information, see “Enable PCI Compliance” on page 243.

Vendor Reference

The remedy for the vulnerability recommended by a host vendor.

Top20 Group

Indicates whether this vulnerability is part of the Fortinet top 20 vulnerabilities or the SANS (SANS Internet Storm Center) top 20 vulnerabilities.


x Per Page

Select the number of vulnerabilities to display per page. You can choose up to 1000 entries.

Current page

By default, the first page of vulnerabilities is displayed. The total number of pages appears after the current page number. For example, if 2 of 10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.

Configuring network audit scans

Network Scan > Audit Scan provides an overview of network compliance and related configuration. It is essentially the same as Agent Scan > Audit Scan, with the applicable changes. For more information on Compliance Posture, see “Compliance posture tab” on page 449. For more information on Benchmarks, see “Viewing compliance benchmarks” on page 314. For more information on Customize Benchmark, see “Modifying a benchmark” on page 318. For reference on Schedule, see “Scheduling network vulnerability scans” on page 241. For more information on Assessment Evaluation, see “Viewing compliance scan results” on page 325.


IPS Advisor

FortiScan can perform network vulnerability scans itself and can act as a central information point when your FortiGate firewalls are used for distributed network vulnerability scans. Network vulnerability scans performed by FortiOS v4.0 MR3 or v5.0 can be imported into FortiScan.

Overview

The Overview submenu includes the following sections:

Available IPS Rules for Protecting Assets from Known Vulnerabilities

Rules Status

• Configurable: Total number of rules that have at least one matching CVE with at least one detected vulnerability. This is the maximum number of rules that can be configured to protect against detected vulnerabilities. It is the total of Active and Inactive rules.
• Runtime Active: Number of rules that are enabled with a Block, Reset, or Monitor IPS action. The corresponding vulnerabilities are virtually patched by the IPS device and cannot be exploited by network attackers.
• Runtime Inactive: Number of rules that are not configured to protect their corresponding vulnerabilities, because they are either not configured in any sensor, configured but disabled in the sensor(s), or configured and enabled but without a Block, Reset, or Monitor IPS action.

Total Rules

Number of total rules in the corresponding row or rule status.

Information

Number of rules of information severity in the corresponding row or rule status.

Low

Number of rules of low severity in the corresponding row or rule status.

Medium

Number of rules of medium severity in the corresponding row or rule status.

High

Number of rules of high severity in the corresponding row or rule status.

Critical

Number of rules of critical severity in the corresponding row or rule status.

Active IPS Rules by Severity

The bar chart showing the active rule distribution by severity.

Inactive IPS Rules by Severity

The bar chart showing the inactive rule distribution by severity.

Detected Vulnerabilities

Vulnerabilities Status

• Protectable: Total number of vulnerabilities that have at least one matching CVE with at least one IPS rule. This is the maximum number of vulnerabilities that can be protected by the IPS device. It is the total of Protected and Unprotected vulnerabilities. This corresponds to the Configurable IPS rules.
• Runtime Protected: Number of vulnerabilities that are virtually patched by the IPS device and cannot be exploited by network attacks. This corresponds to the Active IPS rules.
• Runtime Unprotected: Number of vulnerabilities that are not virtually patched by the IPS device and can potentially be exploited by network attacks. This corresponds to the Inactive IPS rules.

Total Vulnerabilities

Number of total vulnerabilities in the corresponding row or vulnerability status.

Information

Number of vulnerabilities of information severity in the corresponding row or vulnerability status.

Low

Number of vulnerabilities of low severity in the corresponding row or vulnerability status.

Medium

Number of vulnerabilities of medium severity in the corresponding row or vulnerability status.

High

Number of vulnerabilities of high severity in the corresponding row or vulnerability status.

Critical

Number of vulnerabilities of critical severity in the corresponding row or vulnerability status.

Protected Vulnerabilities by Severity

The bar chart showing the protected vulnerabilities by severity, matching the active rule distribution by severity.

Unprotected Vulnerabilities by Severity

The bar chart showing the unprotected vulnerabilities by severity, matching the inactive rule distribution by severity.

IPS database

Similar to Network Scan > Vulnerability Scan > Vulnerability Database, this database simply provides a table with filtering and sorting capability to browse the entire IPS vulnerability/signature database and encyclopedia.


IPS device configuration

The Device Config submenu allows you to configure the FortiGate unit as an IPS device. An IPS device is considered another asset/host/device on the network, except that it can perform IPS protection and provide an interface for the FortiScan unit to retrieve the IPS configurations.

To configure an IPS device:
1. Go to IPS Advisor > FortiGate IPS Advisor > Device Config.

Figure 96: FortiGate IPS configuration

2. Configure the following settings:

Current IPS Device Information

Overview of the current IPS device, including its:
• IP address
• username
• serial number
• firmware version
• platform
• IPS database version
• last communication time with the FortiScan unit
• last sync time with the FortiScan unit
• scheduled sync interval

Change Device

Select and choose the IPS device for this ADOM from the detected IPS devices. Then set the login credentials and schedule its sync interval.

Set Credential

Select to update the login credentials for the IPS device.

Update Interval

Select to update the scheduled sync interval for the IPS device.

3. Select Save.


IPS device information

The IPS Device Info page provides a summary of the IPS policies configured on the IPS device, as most recently retrieved by the FortiScan unit. This page helps the administrator reference or cross-check the configuration on the FortiGate unit.

To view the IPS device information:
1. Go to IPS Advisor > FortiGate IPS Advisor > Device Info.

Figure 97: FortiGate IPS device information

The following information is displayed:

IPS Device Overview

Overview of the current IPS device, including its:
• IP address
• model
• serial number
• firmware version
• IPS database version
• last communication time with the FortiScan unit
• last sync time with the FortiScan unit
• scheduled sync interval


Firewall Policies Summary

Summary of IPS policies and sensor configuration for each firewall policy.

IPS Sensors Summary

Summary of the configuration of each IPS sensor.


Advisory

The Advisory submenu lets you browse the database of assets and vulnerabilities with filters and sorting capability, and generate PDF advisory reports. By default, the known vulnerabilities on a host/device are those detected in the completed scans in the given scan period. A detection date can be used as a filter to get vulnerabilities of interest, such as vulnerabilities detected during the past three days up to the most recent successfully completed scan.

To view the Advisory page, go to IPS Advisor > FortiGate IPS Advisor > Advisory. A list of selected assets is shown. For details, see “Your Asset Inventory” on page 179.

Figure 98: IPS advisory

The following information is displayed:

Begin Time/End Time

Enter the scan begin and end time to select the vulnerabilities detected during this period to analyze. By default, the scan begin time is the date and time 7 days ago and the end time is the current date and time.

VDOM

Select the VDOM on the FortiGate unit. The default is All.


Sensor

Select the sensor from all the configured sensors in the VDOM. The default is All_Sensors. If you choose a specific VDOM, then you need to select the sensor as well.

Analyze

Select to analyze the vulnerabilities detected during the scanning period. This works with selected assets.

Export

Select to export a PDF report for current settings (assets, time, VDOM and sensor).

IPS advisor reports

Similar to Report > Network Scan, the Report > IPS Advisor submenu contains the IPS Advisory reports generated by the IPS advisor report templates. There are 2 pre-defined templates:
• IPS Advisory Summary Report: This is similar to the IPS Advisor > Overview and Device Info pages.
• IPS Advisory Detail Report: This is similar to the IPS Advisor > Advisory page.

An IPS advisory report provides a list of assets and reports the current degree of protection, the potential degree of protection, and the list of IPS signatures that can be enabled. The report may include or expand to the list of vulnerabilities, their IPS signatures if available, and other vulnerability information, for each asset. For each asset specified, the key points of an IPS advisory report are:
• The list of vulnerabilities that the IPS policy configuration on the FortiGate unit protects effectively: vulnerabilities detected on the asset that are covered by the configured IPS policy.
• The list of vulnerabilities that the IPS policy configuration on the FortiGate unit protects unnecessarily: vulnerabilities covered by the IPS policy that were not detected on the asset.
• The list of vulnerabilities that the IPS policy configuration on the FortiGate unit could protect: vulnerabilities detected on the asset that could be protected by the FortiGate unit, but are not configured as such.
• The list of vulnerabilities that the IPS policy configuration on the FortiGate unit cannot protect: vulnerabilities detected on the asset that have no corresponding IPS signature.

For more information, see “Viewing remote vulnerability scan reports” on page 244 and “Generating PCI DSS compliance reports” on page 303.
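The following is an added example, not FortiScan or Fortinet code, modelling how the IPS Advisor Overview counts (Configurable/Active/Inactive rules, Protectable/Protected/Unprotected vulnerabilities) and the four lists of the IPS advisory report fall out of matching IPS rules to detected vulnerabilities by CVE ID. Rule names, Fortinet IDs, CVE IDs, and the sensor settings are constructed for illustration; the matching and activity criteria follow the definitions given above.

```python
"""Added example (not FortiScan code): classify IPS rules and detected
vulnerabilities the way the IPS Advisor overview and advisory report do.
Rules and vulnerabilities match when they share a CVE ID; a rule only
counts as a virtual patch when it is configured in a sensor, enabled, and
set to a Block, Reset, or Monitor action.  All data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set

SEVERITIES = ("information", "low", "medium", "high", "critical")
PROTECTING_ACTIONS = {"block", "reset", "monitor"}


@dataclass
class IpsRule:
    name: str
    severity: str
    cves: Set[str]
    in_sensor: bool = False   # configured in at least one IPS sensor
    enabled: bool = False     # enabled in that sensor
    action: str = "pass"      # IPS action; only Block/Reset/Monitor protect

    def is_active(self) -> bool:
        """Runtime Active: configured, enabled, and with a protecting action."""
        return self.in_sensor and self.enabled and self.action in PROTECTING_ACTIONS


@dataclass
class Vulnerability:
    fid: str                  # constructed Fortinet ID of the detected vulnerability
    severity: str
    cves: Set[str]


def matches(rule: IpsRule, vuln: Vulnerability) -> bool:
    """A rule and a vulnerability match when they share at least one CVE ID."""
    return bool(rule.cves & vuln.cves)


def rule_status(rules: List[IpsRule], vulns: List[Vulnerability]) -> Dict[str, List[str]]:
    """Rules Status of the Overview page: Configurable = Active + Inactive."""
    configurable = [r for r in rules if any(matches(r, v) for v in vulns)]
    return {
        "configurable": [r.name for r in configurable],
        "runtime_active": [r.name for r in configurable if r.is_active()],
        "runtime_inactive": [r.name for r in configurable if not r.is_active()],
    }


def vulnerability_status(rules: List[IpsRule], vulns: List[Vulnerability]) -> Dict[str, List[str]]:
    """Vulnerabilities Status: Protectable = Protected + Unprotected."""
    protectable = [v for v in vulns if any(matches(r, v) for r in rules)]
    protected = {v.fid for v in protectable
                 if any(matches(r, v) and r.is_active() for r in rules)}
    return {
        "protectable": [v.fid for v in protectable],
        "runtime_protected": [v.fid for v in protectable if v.fid in protected],
        "runtime_unprotected": [v.fid for v in protectable if v.fid not in protected],
    }


def count_by_severity(severities: List[str]) -> Dict[str, int]:
    """Per-severity counts behind the Active/Inactive and Protected/Unprotected charts."""
    counts = {s: 0 for s in SEVERITIES}
    for s in severities:
        counts[s] += 1
    return counts


def advisory(rules: List[IpsRule], vulns: List[Vulnerability]) -> Dict[str, List[str]]:
    """The four lists of the IPS advisory report for one asset."""
    status = vulnerability_status(rules, vulns)
    detected_cves = set().union(*(v.cves for v in vulns))
    protectable = set(status["protectable"])
    return {
        "protects_effectively": status["runtime_protected"],
        "protects_unnecessarily": [r.name for r in rules
                                   if r.is_active() and not (r.cves & detected_cves)],
        "could_protect": status["runtime_unprotected"],
        "cannot_protect": [v.fid for v in vulns if v.fid not in protectable],
    }


# Constructed sample data: one fully active rule, one enabled with a
# non-protecting action, one not in any sensor, one active but for a CVE
# that was never detected, and one detected vulnerability with no rule.
SAMPLE_RULES = [
    IpsRule("rule.a", "high", {"CVE-0000-0001"}, in_sensor=True, enabled=True, action="block"),
    IpsRule("rule.b", "critical", {"CVE-0000-0002"}, in_sensor=True, enabled=True, action="pass"),
    IpsRule("rule.c", "medium", {"CVE-0000-0003"}),
    IpsRule("rule.d", "low", {"CVE-0000-0004"}, in_sensor=True, enabled=True, action="reset"),
]
SAMPLE_VULNS = [
    Vulnerability("FID-1", "high", {"CVE-0000-0001"}),
    Vulnerability("FID-2", "critical", {"CVE-0000-0002"}),
    Vulnerability("FID-3", "medium", {"CVE-0000-0003"}),
    Vulnerability("FID-4", "low", {"CVE-0000-0005"}),
]

if __name__ == "__main__":
    print(rule_status(SAMPLE_RULES, SAMPLE_VULNS))
    print(vulnerability_status(SAMPLE_RULES, SAMPLE_VULNS))
    print(advisory(SAMPLE_RULES, SAMPLE_VULNS))
```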


Agent-based Vulnerability Scans

By periodically scheduling your assets’ FortiScan agents to run vulnerability scans, you can remain aware of your assets’ most current security posture with regard to compliance.

Vulnerability scans test whether or not the asset matches any of the vulnerability definitions that you select. Tests can consist of scripts that verify secure configuration settings and that installed software is not a version that is known to be vulnerable to exploits such as permissions escalation, shell code injection, buffer overflows, or buffer underflows.

Test results are categorized as successful (passed), untested, or errors. For example, a successful vulnerability test may mean that a particular insecure setting that makes an asset vulnerable to one or more exploits was not found. If the test was not able to execute (perhaps the asset was offline), then the setting was not tested and is categorized as such. If the test executed or attempted to execute, but the results were inconclusive or there was a software error, then the result is categorized as an error.

Unlike vulnerability scans configured in the Network Scan menu, vulnerability scans in the Agent Scan menu require that each asset have a FortiScan agent installed, running, and sending surveys.

About vulnerability alerts

If a vulnerability scan finds a vulnerability, it appears in the statistics (see “Viewing vulnerability statistics” on page 265) and generates an alert, which usually contains an appropriate remediation. If it detects a vulnerability for which there is no available remediation, you can manually define your own remediation and manually dispatch it to the asset named in the alert (see “Dispatching remediations” on page 409).

FortiScan appliances identify vulnerabilities and remediations using a Fortinet identifier (FID) and/or Common Vulnerabilities and Exposures (CVE) numbering. You can search for vulnerabilities and remediations by their CVE identifier. For details, see “Searching by CVE ID” on page 310.

Workflow

To use FortiScan agent-based vulnerability scans, you should generally use the following workflow.
1. Start by defining vulnerability scan settings that you can re-use for each subsequent scan. See “Defining settings for vulnerability scans” on page 261.
2. If you want to automatically create and assign tickets when a vulnerability scan detects vulnerabilities, configure ticket policies. See “Configuring ticket policies” on page 392.
3. Run a scan using one of the settings that you defined in the previous step. See “Scheduling a vulnerability scan” on page 263.
4. Once at least one vulnerability scan has been received from the assets’ agents, you can view overall vulnerability statistics. See “Viewing vulnerability statistics” on page 265, “Vulnerability summary chart” on page 444, and “Vulnerability posture tab” on page 451.
5. Investigate the vulnerability scan results for individual assets. See “Viewing vulnerability scan results” on page 273.


6. Manually dispatch remediations, configure compliance policies to automatically apply remediations, or externally resolve the issues to correct the detected vulnerabilities. See “Remediating” on page 399.
7. Periodically run vulnerability scans again to ensure that your vulnerability statistics remain current, so that you can keep assets compliant by applying policies and remediations.

Viewing the sets of vulnerability definitions

Agent Scan > Vulnerability Scan > Definitions in ADOMs other than Global displays the list of vulnerability definition sets.

Figure 99: Vulnerability scan definitions

The following information is displayed:

Title

The name of the set of vulnerability definitions. Select to view details about the rules it contains (see “Viewing vulnerability definitions in the set” on page 260).

Version

The version number of the vulnerability definition set.

Action

Delete

Select to delete the vulnerability definition set.

View all versions

Select to view all available versions of this vulnerability definition set. This icon appears only if multiple versions exist.

Enable Globally Visible

Select to make a vulnerability definition set in your ADOM visible to all other ADOMs. The icon changes to Disable Globally Visible. This icon appears only for vulnerability definitions that you have created.

Disable Globally Visible

Select to hide a vulnerability definition set that is visible to all other ADOMs. The icon changes to Enable Globally Visible. This icon appears only for vulnerability definitions that you have created.


Viewing vulnerability definitions in the set

On Agent Scan > Vulnerability Scan > Definitions in ADOMs other than Global, when you select the Title of a scan definition from the list, the Detail page appears. The Detail page displays the vulnerability definitions per operating system (OS). When the page first appears, the individual vulnerability definitions in the set are hidden. To view the individual definitions for that platform, select its Show Details link.

Figure 100: Vulnerability scan definitions details list

The following information is displayed:

Show Details

Select to expand the display, showing the list of vulnerability definitions in the set. The link becomes Hide Details.

Hide Details

Select to collapse the display, hiding the list of vulnerability definitions in the set. The link becomes Show Details.

ID

The Open Vulnerability and Assessment Language (OVAL) identifier for the vulnerability.

Title

The title of the vulnerability definition.

Oval ID

Select to view the OVAL definition details and pseudo code for the rule; see “Viewing an OVAL definition’s details” on page 316.

CVSS Score

The Common Vulnerability Scoring System (CVSS) score for the vulnerability.


Defining settings for vulnerability scans

The FortiScan Web-based Manager provides a wizard that enables you to select specific vulnerability definitions that you can use in future scans. This can save time if you normally scan for the same specific subset of vulnerabilities, not the entire set, each time you scan.

To create vulnerability scan settings:
1. From Current ADOM, select the name of an ADOM that is not Global. Vulnerability definition presets are specific to each ADOM. As a result, the menu in the following step is not available in the Global ADOM.

Although your new vulnerability definition set will be created in the specific ADOM that you select, you will be able to share the set with other ADOMs by selecting Enable Globally Visible on Agent Scan > Vulnerability Scan > Definitions.

2. Go to Agent Scan > Vulnerability Scan > Customize Scan. The first step in the wizard, Benchmark, appears.

Figure 101: Benchmark page

3. In Scan Title, type a unique name for the scan.

4. Select which vulnerability definition set to use with the scan.

5. Select Next. The Platforms step appears.

Figure 102: Platforms page


6. Mark the check box for one or more platform-specific vulnerability definitions to select which ones you want to use during the scan.

7. Select Next. The Rules step appears.

Figure 103: Rules page

The following information is displayed:

Select

Mark the check box for each rule that you want to include in the new vulnerability scan settings.

Rule ID

The OVAL definition identifier for the vulnerability.

Title

The descriptive title of the vulnerability.

Oval ID

Select to view the OVAL Definition Detail page for the vulnerability.

8. By default, all of the rules are selected. To select only one or a few rules, first use the Select None button to clear the check boxes, then mark the check box for each rule you want to include in the vulnerability scan settings.

You must select at least one rule. To learn more about any rule, select the link in the OVAL ID field. The OVAL Definition Detail page provides reference information, pseudo code and other details; see “Viewing an OVAL definition’s details” on page 316.

9. Select Next. The Save step appears.

Figure 104: Save page

The vulnerability definition subset is saved and appears in the list on Agent Scan > Vulnerability Scan > Definitions.


Scheduling a vulnerability scan

The FortiScan appliance’s Web-based Manager provides a wizard that enables you to schedule a vulnerability scan on specified assets using a vulnerability definition set. Before scheduling a vulnerability scan, if you often use the same subset of vulnerability definitions, you can create a preset so that you do not have to select them each time. For details, see “Defining settings for vulnerability scans” on page 261.

To schedule a vulnerability scan:

1. In the Current ADOM tab, select the name of an ADOM that is not Global in the drop-down list.

2. Go to Agent Scan > Vulnerability Scan > Schedule Scan.

3. Select Create New in the toolbar. The Create Schedule window appears.

Figure 105: Create schedule window

4. Configure the following settings:

Name

Enter a name to identify the new scheduled scan.

Comments

Enter an optional comment.

Benchmark

Select a benchmark in the drop-down list.

Profile

Select a profile in the drop-down list.

Asset Group

Select an asset group in the drop-down list.

Schedule


Scan Timeout

Enter the scan timeout value in minutes. The default value is 60 minutes. The maximum timeout is 4320 minutes.

Recurring

Select one of the following in the drop-down list: Run Now, Run Once, Hourly, Daily, Weekly, or Monthly.


Start Date/Time

Select the start date and time. This option is available when selecting Run Once, Hourly, Daily, Weekly, or Monthly in the Recurring field.

Interval (in days)

Enter a value for the interval field. This option is available when selecting Hourly, Daily, Weekly, or Monthly in the Recurring field.

Enable Purging Historical Scan Results Automatically

Select the checkbox to enable purging historical scan results automatically. Enter a value for the Keep Past Results (in scans) in the text box. This option is available when selecting Hourly, Daily, Weekly, or Monthly in the Recurring field.

Enable Schedule Expiration

Select the checkbox to enable schedule expiration. Enter the date and time for the schedule to end. This option is available when selecting Hourly, Daily, Weekly, or Monthly in the Recurring field.

5. Select OK to save the setting. The new schedule will appear in the schedule list.

Figure 106: Schedule list

Do not reboot an asset while it is actively engaged in a scan. In the scan results, the Completion Status for that asset will be Completed, but the results will have errors and omissions for that specific asset.

If an asset’s Agent Scan Status is Disconnected, the vulnerability scan will be unable to complete, and the Completion Status will be Expired.

The time required to complete a vulnerability scan can be from a few minutes to three days, depending on the number of definitions in the vulnerability definition set, the number of assets being scanned, network connectivity, and schedule expiration. To determine the progress of the scan, monitor Completion Status in the scan results. When the scan is complete, you can view the results (see “Viewing vulnerability statistics” on page 265, “Viewing vulnerability scan results” on page 273, and “Viewing detailed vulnerability scan results” on page 274).

Viewing vulnerability statistics

Agent Scan > Vulnerability Scan > Scan Home summarizes the results of the vulnerability scans that have been run, and displays the information in charts and tables. Statistics will be updated with information from every FortiScan agent-based vulnerability scan, whether or not it fully completes.

Figure 107: Vulnerability scan home page

The following information is displayed:

Vulnerability Alerts by Severity

The number of vulnerability alerts in a bar graph, per severity and resolution status. Select a bar in the graph to view a list of all vulnerability alerts with the selected severity and status. For details, see “Viewing vulnerabilities per category” on page 267.

Vulnerability Alerts by Asset Criticality

The number of vulnerability alerts in a bar graph, per criticality level. For information on criticality, see “Risk: prioritizing your business-critical machines” on page 27. Select a bar in the graph to view a list of all vulnerability alerts with that criticality. For more information, see “Viewing vulnerabilities per category” on page 267.

Vulnerability Alerts by Status

The number of all vulnerability alerts in a pie chart, per alert status. Select a pie chart segment to view a list of all vulnerability alerts with that alert status. For more information, see “Viewing vulnerabilities per category” on page 267.

Latest Statistics

The total number of vulnerability alerts raised, internally resolved, externally resolved, accepted, or still unresolved in the last 24 hours. Select a statistic’s Count value to view a list of all vulnerability alerts included in the count. You can export the listed information to a PDF or text (CSV) file. For more information, see “Viewing vulnerabilities per category” on page 267.

Vulnerability Alerts by Asset Severity

Two bar graphs categorized by resolution status — the graph on the left shows all unresolved vulnerability alerts by severity, while the graph on the right shows all resolved vulnerability alerts by severity. Select a bar in the graph to view a list of all vulnerability alerts with the selected severity and status. For more information, see “Viewing vulnerabilities per category” on page 267.

Vulnerability Alerts by Asset Criticality

Two bar graphs categorized by resolution status — the graph on the left shows all unresolved vulnerability alerts by criticality, while the graph on the right shows all resolved vulnerability alerts by criticality. For information about criticality, see “Risk: prioritizing your business-critical machines” on page 27. Select a bar in the graph to view a list of all vulnerability alerts with the selected criticality and status. For more information, see “Viewing vulnerabilities per category” on page 267.

Known Vulnerability References by Vendor


A bar graph of the number of known vulnerability references, distributed by vendor.


Viewing vulnerabilities per category

When you select one of the parts in a graph or table on Agent Scan > Vulnerability Scan > Scan Home, a table (Vulnerability Alerts) appears in the content pane. The Vulnerability Alerts table provides some short information about the vulnerabilities that comprise that category of the chart or table. For example, in the Vulnerability Alerts by Status chart, if you select Pending, a table will appear that lists unresolved vulnerabilities, and provides some information on each of those vulnerabilities, such as the number of times each occurred. From this page, for each entry in the category, you can access more detailed information, including a definition of the vulnerability and a list of assets with that vulnerability.

Vulnerability Alerts

Vulnerability ID

The Open Vulnerability and Assessment Language (OVAL) definition identifier for this vulnerability. Select to view a list of assets with that vulnerability (see “Viewing vulnerability details” on page 269).

Name

The name of the vulnerability.

CVE

Select to view the entry in the Common Vulnerabilities and Exposures (CVE) dictionary for the selected vulnerability. Opens an external link to the NIST National Vulnerability Database (NVD).

Severity

Severity of the vulnerability, based on the CVSS score:
• Low: CVSS score is 0.0 to 3.9
• Medium: CVSS score is 4.0 to 6.9
• High: CVSS score is 7.0 to 10.0
For details, see “Severity” on page 29.

CVSS Base Score

Common Vulnerability Scoring System (CVSS) score.

# of Occurrences

The number of occurrences of this vulnerability alert. Select to view the vulnerability asset summary information; see “Viewing assets per vulnerability” on page 268.

Export to PDF

Select to download the page as a PDF file.

Export to CSV

Select to download the page as a comma-separated values (CSV) spreadsheet file.
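As an added example (not FortiScan's own code), the following Python script reads a CSV export of the Vulnerability Alerts table, maps each CVSS Base Score to the Low/Medium/High bands listed above, flags rows whose Severity column disagrees with the band its score implies, and totals occurrences per band, which is the figure behind the Vulnerability Alerts by Severity graph. The header line and the sample rows are constructed assumptions; the guide does not specify the export's exact column headers.

```python
import csv
import io

# Severity bands exactly as the guide defines them (by CVSS base score).
SEVERITY_BANDS = (
    ("Low", 0.0, 3.9),
    ("Medium", 4.0, 6.9),
    ("High", 7.0, 10.0),
)


def severity_from_cvss(score):
    """Map a CVSS base score to the guide's severity label.

    CVSS base scores carry one decimal place, so the bands 0.0-3.9, 4.0-6.9
    and 7.0-10.0 are contiguous; anything outside 0.0-10.0 is rejected.
    """
    score = round(float(score), 1)
    for label, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"CVSS base score out of range: {score}")


# Constructed sample of an "Export to CSV" file from the Vulnerability Alerts
# table. The column names follow the on-screen field names (an assumption);
# the OVAL and CVE identifiers and scores are placeholders, not real entries.
SAMPLE_CSV = """Vulnerability ID,Name,CVE,Severity,CVSS Base Score,# of Occurrences
oval:example.test:def:1,Placeholder remote code execution,CVE-XXXX-0001,High,9.3,12
oval:example.test:def:2,Placeholder weak default permission,CVE-XXXX-0002,Medium,4.0,40
oval:example.test:def:3,Placeholder information disclosure,CVE-XXXX-0003,Low,3.9,7
oval:example.test:def:4,Placeholder mislabelled alert,CVE-XXXX-0004,Low,7.5,3
"""


def load_alerts(csv_text):
    """Parse the export into one dict per alert row, keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_severity_mismatches(alerts):
    """Rows whose Severity column disagrees with the band implied by the score.

    Returns (Vulnerability ID, severity shown, severity implied) tuples.
    """
    mismatches = []
    for row in alerts:
        expected = severity_from_cvss(row["CVSS Base Score"])
        if row["Severity"] != expected:
            mismatches.append((row["Vulnerability ID"], row["Severity"], expected))
    return mismatches


def occurrences_by_severity(alerts):
    """Total occurrence count per band, computed from the score, not the label."""
    totals = {"Low": 0, "Medium": 0, "High": 0}
    for row in alerts:
        band = severity_from_cvss(row["CVSS Base Score"])
        totals[band] += int(row["# of Occurrences"])
    return totals


def prioritize(alerts):
    """Order alerts so the highest-scoring, then most widespread, come first."""
    return sorted(
        alerts,
        key=lambda r: (-float(r["CVSS Base Score"]), -int(r["# of Occurrences"])),
    )


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_CSV)
    for vid, shown, implied in find_severity_mismatches(alerts):
        print(f"{vid}: listed as {shown}, CVSS base score implies {implied}")
    print(occurrences_by_severity(alerts))
    for row in prioritize(alerts):
        print(row["Vulnerability ID"], row["CVSS Base Score"], row["# of Occurrences"])
```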


Viewing assets per vulnerability

The vulnerability asset summary list enables you to view all the assets for which the selected vulnerability alert was raised during the last vulnerability scan. To view the vulnerability asset summary list for a selected vulnerability, select the Number of Occurrences value in a vulnerability alert summary list. (For more information, see “Viewing vulnerabilities per category” on page 267.)

Figure 108: Vulnerability asset summary page

The following information is displayed:

Vulnerability Detail

Select to view a detailed description of the vulnerability; see “Viewing vulnerability details” on page 269.

Remediations (n)

Select to view the list of available remediations for the vulnerability (the number “n” is the number of remediations); see “Viewing remediations available for a vulnerability” on page 271.

Vulnerability Summary

Shows a brief summary of the vulnerability information.

ID

The vendor’s OVAL database definition for this vulnerability

CVE ID

Select to view the entry in the Common Vulnerabilities and Exposures (CVE) dictionary for the selected vulnerability. Opens an external link to the NIST National Vulnerability Database (NVD).

Scanner

Type of vulnerability scan

Severity

Severity of the vulnerability, based on the CVSS score:
• Low: CVSS score is 0.0 to 3.9
• Medium: CVSS score is 4.0 to 6.9
• High: CVSS score is 7.0 to 10.0
For details, see “Severity” on page 29.

Name

Name of vulnerability

Detailed Description

A detailed description of this vulnerability


Vulnerable Assets

Lists all the assets with this vulnerability

Host

The host name of the asset.

IP Address

The IP address of the asset. See “Assets with multiple IP addresses” on page 22.

OS Type

The asset’s operating system platform

OS Version

The asset’s OS version.

Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

Status

The protection and connectivity status of the asset: Protected, Registered, Disconnected, Unprotected, or Retired. Assets whose Agent Scan Status is not Protected will not participate when you schedule FortiScan agent-based scans. For details, see “Agent scan status” on page 26.

Export to PDF

Select to download the data as a PDF file.

Export to CSV

Select to download the data as a comma-separated-values (CSV) spreadsheet file

Viewing vulnerability details

When you select the Vulnerability ID value for any vulnerability displayed in a vulnerability summary list, the Vulnerability Asset Detail page for the selected vulnerability appears.

Figure 109: Vulnerability asset detail page

The following information is displayed:

Vulnerable Assets

Select to return to the list of assets vulnerable to this specific vulnerability (see “Viewing assets per vulnerability” on page 268).

Remediations (n)

Select to view the list of available remediations for the vulnerability where the number “n” is the number of remediations (see “Viewing remediations available for a vulnerability” on page 271).

Vulnerability Summary

Shows a brief summary of the vulnerability information.

ID

The vendor’s OVAL database definition for this vulnerability

CVE ID

Select to view the entry in the Common Vulnerabilities and Exposures (CVE) dictionary for the selected vulnerability. Opens an external link to the NIST National Vulnerability Database (NVD).

Scanner

Type of vulnerability scan

Severity

Severity of the vulnerability, based on the CVSS score:
• Low: CVSS score is 0.0 to 3.9
• Medium: CVSS score is 4.0 to 6.9
• High: CVSS score is 7.0 to 10.0
For details, see “Severity” on page 29.

Name

Name of vulnerability

Detailed Description

Detailed description of vulnerability

Observation

Lists any additional observations about the vulnerability

Recommendation

Lists recommended actions to take.

Vulnerable Assets

Lists all the assets with this vulnerability

Host

The host name of the asset.

IP Address

The IP address of the asset.

OS Type

The asset’s operating system platform

OS Version

The asset’s OS version.

Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

Status

The protection and connectivity status of the asset: Protected, Registered, Disconnected, Unprotected, or Retired. Assets whose Agent Scan Status is not Protected will not participate when you schedule FortiScan agent-based scans. For details, see “Agent scan status” on page 26.


Export to PDF

Select to download the page as a PDF file.

Export to CSV

Select to download the page as a comma-separated values (CSV) spreadsheet file.

Viewing remediations available for a vulnerability

When you select the Remediations (n) link in the Vulnerability Asset Detail page, the Vulnerability Remediation Summary page for the selected vulnerability appears.

Figure 110: Vulnerability remediation summary list

The following information is displayed:

Vulnerability Detail

Select to view a detailed description of the vulnerability; see “Viewing vulnerability details” on page 269.

Vulnerable Assets

Select to view the list of assets showing the vulnerability; see “Viewing assets per vulnerability” on page 268.

Vulnerability Summary

Shows a brief summary of the vulnerability information.


ID

The vendor’s OVAL database definition for this vulnerability

CVE ID

Select to view the entry in the Common Vulnerabilities and Exposures (CVE) dictionary for the selected vulnerability. Opens an external link to the NIST National Vulnerability Database (NVD).

Scanner

Type of vulnerability scan.


Severity

Severity of the vulnerability, based on the CVSS score:
• Low: CVSS score is 0.0 to 3.9
• Medium: CVSS score is 4.0 to 6.9
• High: CVSS score is 7.0 to 10.0
For details, see “Severity” on page 29.

Name

Name of vulnerability.

Detail Description

A detailed description of the vulnerability.

Available Remediations

Lists all the available remediations for this vulnerability.

Remediation ID

The Fortinet remediation identifier. Select to view the Remediation Detail page; see “Viewing remediation details” on page 402.

Name

The name of the remediation.

Description

The remediation description.

Invasiveness

The invasiveness of the vulnerability.

Type

The type of remediation:
• Config: Change a configuration parameter.
• Patch: Install a software patch.
• Text: Manual remediation instructions.

Major Version

The remediation’s major version number.

Minor Version

The remediation’s minor version number.

Export to PDF

Select to download the page as a PDF file.

Export to CSV

Select to download the page as a comma-separated values (CSV) spreadsheet file.


Viewing vulnerability scan results

Agent Scan > Vulnerability Scan > Scan Results displays the current status and assessment results for all vulnerability scan jobs.

Figure 111: Vulnerability scan results (select a job name to view the scan summary and scan task detail for a specific vulnerability scan job; the Rescan, Edit and Delete action icons appear in the Action column)

The following information is displayed:

Job Name

The name of the vulnerability scan job. Select to view the Scan Summary and Scan Task Details for the selected scan job; see “Viewing detailed vulnerability scan results” on page 274.

Scan

The scan definition used by the vulnerability scan job

Version

Scan definition version

Applied By

The name of the administrator account which scheduled the scan.

Start Time

Date and time the scan job started.

Completion Status

Current completion status of the scan job:
• Not Started: The scan is scheduled.
• In Progress: Scanning is in progress.
• Completed: Scan job is complete.
• Error: Scan failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or benchmark issues.
• Expired: Scan did not complete within two days. (This may happen if some of the assets were disconnected from the FortiScan appliance during the scan period.)

# of Assets

The number of assets that were evaluated by the selected vulnerability scan job.

# of Vulnerability Alerts

The number of vulnerability alerts that were generated by the selected scan job.

Action

Displays icons to perform an action on a selected scan job.

Delete

Select to delete the selected scan job

Edit

Select to modify the job name or job comments field.

Rescan

Select to repeat the scan job. This icon only appears for completed and expired jobs.

Viewing detailed vulnerability scan results

On Agent Scan > Vulnerability Scan > Scan Results, when you select the value in the Job Name field for a vulnerability scan job, the Scan Summary page for the selected job appears. This page displays the details of the selected vulnerability scan job and the results of the scan. It also enables you to view more details about each scan task (by platform) that was part of the job.

To view the scan summary page:

1. From Current ADOM, select the name of an ADOM that is not Global.

2. Go to Agent Scan > Vulnerability Scan > Scan Results.

3. In the Job Name column, select the name of the vulnerability scan job you want to view. The Scan Summary page appears.

Figure 112: Scan summary charts

The following information is displayed:

Scan Summary

Displays the details of the selected vulnerability scan job and the scan results.

Job Name

The title of the vulnerability scan job.

Job Comment

The date and time the job completed.

Scan Name

The name of the scan definition used by the vulnerability scan job

Scan Title

The title (description) of the scan definition used by the vulnerability scan job

Version

The scan definition version

Applied By

The name of the administrator account which initiated the vulnerability scan.

Start Time

Date and time the scan job started.

End Time

Date and time the scan job ended.

Status

Current completion status of the scan job:
• Pending Dispatch: The scan job is scheduled.
• In Progress: Scanning is in progress.
• Completed: Scan job is complete.
• Error: Scan job failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or benchmark issues.
• Expired: Scan job did not complete within two days. (This may happen if some of the assets were disconnected from the FortiScan appliance during the scan period.)

# of Assets

Total number of assets scanned

# of Vulnerabilities

The number of vulnerabilities that were detected by the selected scan job.

Vulnerabilities by Platform

Displays a bar graph showing the distribution of vulnerabilities by OS platform

Vulnerability Scan Evaluation - Scan Task Details

Displays a summary of the tasks performed by the vulnerability scan job and the number of vulnerability alerts that were raised by each task.

Platform

Select to view a summary of vulnerabilities detected for the selected platform; see “Viewing detailed vulnerability scan results per platform” on page 276.

Start Time

Date and time the scan job started.


Completion Status

Current completion status of the scan job:
• Pending Dispatch: The scan job is scheduled.
• In Progress: Scanning is in progress.
• Completed: Scan job is complete.
• Error: Scan job failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or benchmark issues.
• Expired: Scan job did not complete within two days. (This may happen if some of the assets were disconnected from the FortiScan appliance during the scan period.)

# of Assets

Total number of assets scanned by the selected task

# of Vulnerabilities

The number of vulnerabilities that were identified by the selected task.

When multiple OS platforms are scanned by a scan job, a separate scan task is created for each platform type. To view the results for a specific scan task, in the Vulnerability Scan Evaluation - Scan Task Details table, select the Platform field for the scan task you want to view. The Platform Summary page appears (see “Viewing detailed vulnerability scan results per platform” on page 276).

Viewing detailed vulnerability scan results per platform

When multiple OS platforms are scanned by a vulnerability scan job, a separate scan task is created for each platform type. You can view the scan task details for a specific task on the Platform Summary page.

To view the platform summary page:

1. From Current ADOM, select the name of an ADOM that is not Global.

2. Go to Agent Scan > Vulnerability Scan > Scan Results.

3. In the Job Name column, select the name of the vulnerability scan job you want to view. The Scan Summary page appears.

4. In the Scan Task Details list, select the Platform name for the scan task you want to view. The Platform Summary page appears.

Figure 113: Platform summary charts

The following information is displayed:

Platform Summary

Displays the scan task details for the selected platform and the scan results.

Name

The name of the scan definition.

Title

The title of the scan definition.

Scan

The name of the scan job

Applied by

The name of the administrator account which initiated the scan.

Start time

The date and time that the compliance scan job started

End Time

Date and time the scan job ended.

Status

Current completion status of the scan:
• Pending Dispatch: The scan is scheduled, but assets’ FortiScan agents have not yet connected during their next survey interval, and therefore have not yet received the directive to complete a scan.
• In Progress: The scan has started.
• Completed: The scan has finished.
• Error: The scan failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or benchmark issues.
• Expired: The scan did not complete within two days. (This may happen if some of the assets were disconnected from the FortiScan appliance while the scan was occurring.)

Completion Status

The percentage of completion.

# of Assets

Total number of assets scanned.


# of Vulnerabilities

The number of vulnerabilities that were identified by the scan.

Vulnerabilities by Severity (in %)

Displays a pie chart showing the percentage distribution of vulnerabilities according to severity.

Vulnerable Assets by Asset Criticality (in %)

Displays a pie chart showing the percentage distribution of vulnerable assets according to asset criticality. For information about criticality, see “Risk: prioritizing your business-critical machines” on page 27.

Assets Vulnerability Result

Displays an asset summary list of the assets scanned by the selected task and the individual vulnerability results for each asset.

Host Name

The host name of the asset.

IP Address

The IP address of the asset. Select to view the Asset Detail page for the asset (see “Viewing a chart’s asset details” on page 207).

Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

# of Vulnerability Alerts

The number of vulnerability alerts generated by the selected scan task. Select to view the Asset Vulnerability Detail page for the selected asset; see “Viewing an asset’s vulnerabilities” on page 279.

# of Untested (Error) Rules

The number of rules that were not tested due to errors during the scan. See also Status.

Status

The completion status of the scan job:
• Pending Dispatch: The scan job is scheduled.
• In Progress: Scanning is in progress.
• Completed: Scan job is complete.
• Error: Scan job failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or benchmark issues.
• Expired: Scan job did not complete within two days. (This may happen if some of the assets were disconnected from the FortiScan appliance during the scan period.)

Action

Select Export OVAL results to save the OVAL results to an XML file.

The Assets Vulnerability Result table at the bottom of the page lists the number of vulnerability alerts that were raised by the scan task for the selected platform. To view more details about these alerts, select the value in the # of Vulnerability Alerts column. The Asset Vulnerability Detail page appears; see “Viewing an asset’s vulnerabilities” on page 279.


Viewing an asset’s vulnerabilities

In the vulnerability scan’s Platform Summary page, when you select the # of Vulnerability Alerts value in the Assets Vulnerability Result table, the Asset Vulnerability Detail page appears. The page is divided into several sections:
• Summary section
• Vulnerabilities Summary section
• Error summary section

Summary section

The summary section provides links to asset history and a summary of asset details. A summary of the vulnerabilities found by the scan for the asset is also included.

Figure 114: Asset vulnerability detail list

The following information is displayed:

Asset History

Select to view the asset’s history; see “Asset history” on page 210.

Compliance History

Select to view the asset’s compliance history; see “Asset compliance history” on page 211.

Vulnerability History

Select to view the asset’s vulnerability history; see “Asset vulnerability history” on page 214.

Remediation History

Select to view the asset’s remediation history; see “Asset remediation history” on page 215.

Asset Summary

Shows detailed summary information about the asset.

Host Name


The host name of the asset.


IP Address

The IP address of the asset.

Agent Version

The version of FortiScan agent installed on the asset.

Standard Survey Interval (min.)

Time interval between standard surveys.

Detail Survey Interval (min.)

Time interval between detailed surveys.

Status

The protection and connectivity status of the asset: Protected, Registered, Disconnected, Unprotected, or Retired. Assets whose Agent Scan Status is not Protected will not participate when you schedule FortiScan agent-based scans. For details, see “Agent scan status” on page 26.

Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

Confidence

The confidence level that the data on this asset is correct, based upon its collection method:
• High: Data was collected by a FortiScan agent survey (see “Agent-based surveys” on page 24).
• Medium: Data was manually edited.
• Low: Data was collected by an asset discovery scan (see “Discovering your Network’s Hosts” on page 109). This is the default. Because some data required for accurate fingerprinting cannot be detected without authenticating and examining the host’s hardware and software, this type of data may not be as reliable.
Confidence levels help to identify false positives in vulnerability assessments.

Remediation Strategy

The type of remediation strategy:
• Approval: Remediation requires administrator approval before being applied to an asset.
• Automatic: Remediation is automatically applied to an asset.

Boot Time

The date and time that the asset was last booted.

Operating System & BIOS

Lists detailed information about the asset’s OS platform and BIOS.

OS Type

OS platform installed on the asset.

OS Version

OS platform version

BIOS Vendor

BIOS vendor

BIOS Version

BIOS version


Vulnerabilities found in the [definition][platform] Platform

Displays a summary of the number of checks performed by the scan task on the asset and their results.

Total Checks

The number of checks performed on the asset

Vulnerabilities Found

The number of vulnerabilities found on the asset

UnTested (Error) Rules

The number of scan rules that were not tested due to errors.

Passed Rules

The number of scan rules that were successfully passed by the asset.

Vulnerabilities Summary section

The Vulnerabilities Summary section provides a detailed list of all the vulnerabilities detected on the asset by the scan task.

Figure 115: Vulnerabilities summary list

The following information is displayed:

Vulnerabilities Summary

Displays a detailed list of all the vulnerabilities found on the asset by the selected scan task.

Rule ID

OVAL definition identifier of scan rule

Title

Title of the scan rule

Severity

Severity of the vulnerability, based on the CVSS score:
• Low: CVSS score is 0.0 to 3.9
• Medium: CVSS score is 4.0 to 6.9
• High: CVSS score is 7.0 to 10.0
For details, see “Severity” on page 29.

CVSS Base Score

Common Vulnerability Scoring System (CVSS) Score

CVSS Vector

Select to view the components from which the CVSS score was calculated. Opens an external link to the NIST National Vulnerability Database (NVD).


OVAL ID

Select to view the OVAL definition details and pseudo code for the rule; see “Viewing an OVAL definition’s details” on page 316.

CVE ID

Select to view the entry in the Common Vulnerabilities and Exposures (CVE) dictionary for the selected vulnerability. Opens an external link to the NIST National Vulnerability Database (NVD).

Error summary section

This last section of the Asset Vulnerability Detail page displays all the rules that resulted in an error during the scan task.

Figure 116: Error summary list

The following information is displayed: Error Summary

Displays a detailed list of all the scan rules that resulted in error during the selected scan task.

Title

Title of the scan rule

OVAL ID

Select to view the OVAL definition details and pseudo code for the rule; see “Viewing an OVAL definition’s details” on page 316.

Reason

Describes the reason for the error.

To view the asset vulnerability detail page:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > Vulnerability Scan > Scan Results.
3. In the Job Name column, select the name of the vulnerability scan job you want to view. The Scan Summary page appears.
4. In the Scan Task Details list, select the Platform name for the scan task you want to view. The Platform Summary page appears.
5. In the Asset Vulnerability Results list, select the # of Vulnerability Alerts value for the asset you want to view. The Asset Vulnerability Detail page appears.


Patch Scans

By periodically scheduling your assets’ FortiScan agents to run patch scans, you can remain aware of your assets’ most current security posture with regards to patch installation.

Workflow

To use patch scans, you should generally use the following workflow.
1. Start by defining patch scan settings that you can re-use for each subsequent scan. See “Defining settings for patch scans” on page 285.
2. Run a scan using one of the settings that you defined in the previous step. See “Scheduling a patch scan” on page 288.
3. Once at least one patch scan has been received from the assets’ agents, you can view overall patch statistics. See “Viewing patch scan statistics” on page 290, “Patch summary chart” on page 446, and “Patch posture tab” on page 455.
4. Investigate the patch scan results for individual assets. See “Viewing patch scan results” on page 292.
5. Manually dispatch remediations, configure compliance policies to automatically apply remediations, or externally resolve the issues to correct the detected unpatched software. See “Remediating” on page 399.
6. Periodically run patch scans again to ensure that your patch statistics remain current so that you can keep assets compliant by applying policies and remediations.

Viewing defined patch sets

Agent Scan > Patch Scan > Definitions displays the patch definition sets that you can use when running a patch scan.


Figure 117: Patch scan definitions

The following information is displayed: Title

The name of the patch definition set. Select to view a list of the individual patch definitions it contains (see “Viewing patch definitions” on page 285).

Version

The version number of the patch definition set.

Action

Delete

Select to delete the patch definition set.

View all versions

Select to view all available versions of this patch definition set. This icon appears only if multiple versions exist.

Enable Globally Visible

Select to make a patch definition set in your ADOM visible to all other ADOMs. The icon changes to Disable Globally Visible. This icon appears only for patch definition sets that you have created.

Disable Globally Visible

Select to hide a patch definition set that is visible to all other ADOMs. The icon changes to Enable Globally Visible. This icon appears only for patch definition sets that you have created.


Viewing patch definitions

You can view which rules are used in a patch scan definition by going to Agent Scan > Patch Scan > Definitions and selecting the Title field for the patch scan definition you want to view. The details page for the selected definition appears.

Figure 118: Patch scan definitions (patch definition set details)

The following information is displayed: Show Details

Select to show details about the rules used in the patch scan definition.

Hide Details

Select to hide details about the rules used in the patch scan definition.

ID

The rule identifier

Title

The title describing the rule

OVAL ID

The OVAL definition identifier for the rule. Select to view the OVAL definition details page; see “Viewing an OVAL definition’s details” on page 316.

Defining settings for patch scans

The FortiScan appliance’s Web-based Manager provides a wizard that enables you to create a preset patch definition set that you can use in future scans.

To create a patch scan definition preset:
1. From Current ADOM, select the name of an ADOM that is not Global. Patch definition presets are specific to each ADOM. As a result, the menu in the following step is not available in the Global ADOM.

Although your new patch definition set will be created in the specific ADOM that you select, you will be able to share the set with other ADOMs by selecting Enable Globally Visible on Agent Scan > Patch Scan > Definitions.

2. Go to Agent Scan > Patch Scan > Customize Scan. The first page of the wizard, Benchmark, appears.


Figure 119: Benchmark page

3. Select a patch definition set from the list provided. Only one definition set may be selected. You can use an older version of a patch definition set, if available, by selecting the View all versions icon and then selecting the appropriate version from the list that appears.
4. Edit the title as appropriate and select Next at the bottom of the page. The Platforms page appears.

Figure 120: Platforms page

5. Mark the check box of one or more platforms you want to include in the new patch scan definition and then select Next. The Rules page appears.


Figure 121: Rules page

The following information is displayed: Select

Mark the check box for each rule that you want to include in the new patch scan definition.

Rule ID

The OVAL definition identifier for the rule.

Title

The descriptive title of the rule.

Oval ID

Select to view the OVAL Definition Detail page for the rule.

6. By default, all of the rules are selected. To select only one or a few rules, first select the Select None button to clear the check boxes and then mark the check box for each rule you want to include in the new patch scan definition. You must select at least one rule. To learn more about any rule, select the link in the OVAL ID field. The OVAL Definition Detail page provides reference information, pseudo code and other details; see “Viewing an OVAL definition’s details” on page 316.
7. Select Next. The Save page appears, confirming that the patch definition set has been successfully saved.

Figure 122: Save page

The patch definition set appears on Agent Scan > Patch Scan > Definitions.


Scheduling a patch scan

The FortiScan appliance’s Web-based Manager provides a wizard that enables you to perform a patch scan on specified assets using a previously created scan definition. Before scheduling a patch scan, if you often use the same subset of patch definitions, you can create a preset so that you do not have to select them each time. For details, see “Defining settings for patch scans” on page 285.

To perform a patch scan:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > Patch Scan > Perform Scan. The first step in the wizard, Benchmark, appears.

Figure 123: Benchmark page

3. From the list provided, select the patch scan definition you want to use. Only one definition may be selected. You can use an older version of a patch definition, if available, by selecting the View all versions icon and then selecting the appropriate version from the list that appears.
4. Enter a unique name for the scan job and any comments, then select Next. The Platforms page appears.


Figure 124: Platforms page

5. Mark the check box of one or more platforms that you want to include in the scan job.
6. Select Next. The Assets page appears.

Figure 125: Assets page

The following information is displayed: Host Name

The host name of the asset.

IP

The asset IP address.

Asset Group

The names of the asset groups, if any, to which this asset belongs.

Asset Status

The protection and connectivity status of the asset: Protected, Registered, Disconnected, Unprotected, or Retired. Assets whose Agent Scan Status is not Protected will not participate when you schedule FortiScan agent-based scans. For details, see “Agent scan status” on page 26.

Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

7. Mark the check box of one or more assets that you want to scan.
8. Select Next. The Perform page appears, indicating that the patch scan has been successfully scheduled.


Figure 126: Perform page

The next time that the selected assets’ FortiScan agents connect to the appliance, they receive a directive to complete a patch scan.

Do not reboot an asset while it is actively engaged in a scan. In the scan results, the Completion Status for that asset will be Completed, but the results will have errors and omissions for that specific asset.

If an asset’s Agent Scan Status is Disconnected, the patch scan will be unable to complete on that asset, and the Completion Status will be Expired.

Time required to complete a patch scan can be from a few minutes to several days, depending on the number of definitions in the patch definition set, the number of assets being scanned, and network connectivity. To determine the progress of the scan, monitor Completion Status in the scan results. When the scan is complete, you can view the results (see “Viewing patch scan statistics” on page 290, “Viewing patch scan results” on page 292, and “Viewing detailed patch scan results” on page 293).

Viewing patch scan statistics

Agent Scan > Patch Scan > Scan Home summarizes the results of the patch scans that have been run, and displays the information in charts and tables.

Figure 127: Patch scan home


• Patch Summary by Asset Groups: This table lists the patch statistics for each asset group. It includes the following fields:

Asset Groups

Lists the asset group information

Name

The asset group name

Total Assets

The total number of assets in the asset group.

Patch Index

Lists the patch statistics for all asset groups

NOT Tested

The number of assets in the group that were not tested for compliance.

IN Compliance

The number of assets in the group that are in compliance.

OUT of Compliance

The number of assets in the group that are out of compliance.

Total Evaluated Assets

The total number of assets in the group that were tested for compliance.

Total Jobs

The total number of patch scan jobs that were run. Selecting this value opens the Patch Job Summary list; see “Patch job summary table” on page 447.

• Patch Summary for Group: All — This pie chart shows the percentage distribution of all assets that are in compliance and out of compliance, according to the latest patch scan information.

• Patch Index: This table summarizes the patch statistics across all assets. It includes the following fields:

Total in Compliance Assets

The total number of assets found to be in compliance.

Total Out of Compliance Assets

The total number of assets found to be out of compliance.


Total Evaluated Assets

The total number of assets that were tested for compliance.

Total Not Tested Assets

The total number of assets that were not tested for compliance.

Total Assets

The total number of assets in the FortiScan appliance database.

Total Jobs

The total number of patch scan jobs that were run. Selecting this value opens the Patch Job Summary list; see “Patch job summary table” on page 447

Total Subgroups

The total number of administrator-defined asset groups defined in the FortiScan appliance database. Select this value to view the Security Posture Report – Patch Summary for all subgroups.


Viewing patch scan results

Agent Scan > Patch Scan > Scan Results displays the current status and assessment results for all patch scan jobs.

Figure 128: Patch scan results

The following information is displayed: Job Name

The name of the patch scan job. Select to view the Scan Summary and Scan Task Details for the selected scan job; see “Viewing detailed patch scan results” on page 293.

Scan

The scan definition used by the patch scan job

Version

Scan definition version

Applied By

The name of the administrator account which initiated the scan job.

Start Time

Date and time the scan job started.

Status

Current completion status of the scan job:
• Pending Dispatch: The scan job is scheduled.
• In Progress: Scanning is in progress.
• Completed: Scan job is complete.
• Error: Scan job failed due to errors.
• Expired: Scan job did not complete within two days. (This may happen if some of the assets were disconnected from the FortiScan appliance during the scan period.)

# of Assets

The number of assets that were evaluated by the scan.

# of Vulnerability Alerts

The number of vulnerability alerts that were generated by the scan.


Action

Delete

Select to delete the selected scan job

Edit

Select to modify the job name or job comments field.

Rescan

Select to run a patch scan again. This icon only appears for completed or expired scans.

Viewing detailed patch scan results

On Agent Scan > Patch Scan > Scan Results, when you select the value in the Job Name field for a patch scan job, the Scan Summary page for the selected job appears. This page displays the details of the selected patch scan job and the results of the scan. It also enables you to view more details about each scan task (by platform) that was part of the job.

To view the patch scan summary page:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > Patch Scan > Scan Results.
3. In the Job Name column, select the name of the patch scan job you want to view. The Scan Summary page for the selected scan job appears.

Figure 129: Patch scan results (scan summary charts)

The following information is displayed: Scan Summary


Displays the details of the selected patch scan job and the scan results.

Job Name

The title of the patch scan job.

Job Comment

The comments, if any, that were entered when the scan job was scheduled.

Scan Name

The name of the patch scan definition used by the scan job


Scan Title

The title (description) of the patch scan definition used by the job

Version

The patch scan definition version

Applied By

The name of the administrator account which initiated the patch scan.

Start Time

Date and time the scan job started.

End Time

Date and time the scan job ended.

Status

Current completion status of the scan job:
• Pending Dispatch: The scan job is scheduled.
• In Progress: Scanning is in progress.
• Completed: Scan job is complete.
• Error: Scan job failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or benchmark issues.
• Expired: Scan job did not complete within two days. (This may happen if some of the assets were disconnected from the FortiScan appliance during the scan period.)

# of Assets

Total number of assets scanned

# of Vulnerabilities

The number of vulnerabilities that were detected by the selected patch scan job.

Vulnerabilities by Platform

Displays a bar graph showing the distribution by OS platform of vulnerabilities due to missing patches.

Patch Scan Evaluation - Scan Task Details

Displays a summary of the tasks performed by the patch scan job and the number of vulnerability alerts that were raised by each task.

Platform

Select to view a summary of vulnerabilities detected for the selected platform; see “Viewing detailed patch scan results per platform” on page 295.

Start Time

Date and time the scan job started.

Completion Status

Current completion status of the scan task:
• Pending Dispatch: The scan task is scheduled.
• In Progress: Scanning is in progress.
• Completed: Scan task is complete.
• Error: Scan task failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or benchmark issues.
• Expired: Scan task did not complete within two days. (This may happen if some of the assets were disconnected from the FortiScan appliance during the scan period.)

# of Assets

Total number of assets scanned by the selected task

# of Vulnerabilities

The number of vulnerabilities that were identified by the selected task


When multiple OS platforms are scanned by a patch scan job, a separate scan task is created for each platform type. To view the results for a specific scan task, in the Patch Scan Evaluation - Scan Task Details table, select the Platform field for the scan task you want to view. The Platform Summary page appears. For more information, see “Viewing detailed patch scan results per platform” on page 295.

Viewing detailed patch scan results per platform

When multiple OS platforms are scanned by a patch scan job, a separate scan task is created for each platform type (see “Viewing detailed patch scan results” on page 293). You can view the scan task details for a specific scan job on the Platform Summary page.

Figure 130: Platform summary charts

The following information is displayed: Platform Summary


Displays the scan task details for the selected platform and the scan results.

Name

The name of the scan definition.

Title

The title of the scan definition.

Scan

The name of the scan.

Applied by

The name of the administrator account that initiated the scan.

Start time

The date and time that the patch scan job started

End Time

Date and time the scan job ended.


Status

Current completion status of the scan job:
• Pending Dispatch: The scan job is scheduled.
• In Progress: Scanning is in progress.
• Completed: Scan job is complete.
• Error: Scan job failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or benchmark issues.
• Expired: Scan job did not complete within two days. (This may happen if some of the assets were disconnected from the FortiScan appliance during the scan period.)

Completion Status

The percentage of completion

# of Assets

Total number of assets scanned

# of Vulnerabilities

The number of vulnerabilities that were identified by the selected task.

Vulnerabilities by Severity (in %)

Displays a pie chart showing the percentage distribution of vulnerabilities according to severity.

Vulnerable Assets by Asset Criticality (in %)

Displays a pie chart showing the percentage distribution of vulnerable assets according to asset criticality. For information on criticality, see “Risk: prioritizing your business-critical machines” on page 27.

Assets Patch Vulnerability Result

Displays an asset summary list of the assets scanned by the selected task and the individual patch vulnerability results for each asset.

Host Name

The asset host name

IP Address

The asset IP address. Select to view the Asset Detail page for the selected asset (see “Viewing a chart’s asset details” on page 207).

Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

# of Vulnerability Alerts

The number of vulnerability alerts generated by the selected scan task. Select to view the Asset Vulnerability Detail page for the selected asset (see “Viewing an asset’s patch-related vulnerabilities” on page 297).

# of Untested (Error) Rules

The number of scan rules that were not tested due to errors during the scan.


Status

Current completion status of the scan on this asset:
• Pending Dispatch: The scan is scheduled.
• In Progress: Scanning is in progress.
• Completed: Scan is complete.
• Error: Scan failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or benchmark issues.
• Expired: Scan did not complete within two days. (This may happen if the asset was disconnected from the FortiScan appliance during the scan period.)

Action

Select Export OVAL results to save the OVAL results to an XML file.
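The OVAL results file exported from the Action column can be summarised offline into the same per-asset counters that the Platform Summary and Asset Patch Vulnerability Detail pages show (Total Checks, Vulnerabilities Found, UnTested (Error) Rules, Passed Rules), which is useful when you want to archive or diff results outside the appliance. The script below is an added example, not FortiScan code or part of this guide. It assumes the export follows the standard OVAL Results 5.x schema, in which every evaluated definition appears as a definition element carrying definition_id and result attributes, and it assumes this mapping of OVAL result values onto the page’s counters: true (the definition’s criteria matched, i.e. the patch is missing) is a vulnerability found, false is a passed rule, and every other OVAL result value (error, unknown, not evaluated, not applicable) is an untested (error) rule. The sample XML is constructed.

```python
"""Summarise an exported OVAL results file into per-asset counters.

Added example, not FortiScan code. Assumptions:
  * the export follows the OVAL Results 5.x schema: each evaluated definition
    is a <definition> element with definition_id and result attributes under
    /oval_results/results/system/definitions;
  * result "true" (criteria matched, i.e. the patch is missing) counts as a
    vulnerability found, "false" as a passed rule, and any other OVAL result
    value (error, unknown, not evaluated, not applicable) as untested (error).
"""
from collections import Counter
import xml.etree.ElementTree as ET

OVAL_RES_NS = "http://oval.mitre.org/XMLSchema/oval-results-5"

# Constructed sample export for one asset: four evaluated definitions.
SAMPLE_OVAL_RESULTS = f"""<oval_results xmlns="{OVAL_RES_NS}">
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:org.example:def:1" version="1" result="true"/>
        <definition definition_id="oval:org.example:def:2" version="1" result="false"/>
        <definition definition_id="oval:org.example:def:3" version="2" result="error"/>
        <definition definition_id="oval:org.example:def:4" version="1" result="not applicable"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""

COUNTERS = ("vulnerabilities_found", "passed_rules", "untested_error_rules")


def definition_results(xml_text):
    """Return {definition_id: result} for every evaluated definition."""
    root = ET.fromstring(xml_text)
    path = f".//{{{OVAL_RES_NS}}}definitions/{{{OVAL_RES_NS}}}definition"
    return {d.get("definition_id"): d.get("result") for d in root.iterfind(path)}


def summarise(results):
    """Map OVAL result values onto the counters shown on the asset detail page."""
    buckets = Counter()
    for result in results.values():
        if result == "true":
            buckets["vulnerabilities_found"] += 1
        elif result == "false":
            buckets["passed_rules"] += 1
        else:
            buckets["untested_error_rules"] += 1
    summary = {name: buckets[name] for name in COUNTERS}
    summary["total_checks"] = len(results)
    return summary


def vulnerable_definitions(results):
    """Sorted definition IDs whose criteria matched (result == "true")."""
    return sorted(d for d, r in results.items() if r == "true")


def regressions(before, after):
    """Definitions that passed in `before` but are no longer "false" in `after`.

    For two exports of the same asset taken around a remediation, this flags
    rules that went false -> true (reintroduced) or false -> error (no longer
    tested), neither of which a drop in Vulnerabilities Found would reveal.
    """
    return sorted(d for d, r in after.items()
                  if before.get(d) == "false" and r != "false")


if __name__ == "__main__":
    res = definition_results(SAMPLE_OVAL_RESULTS)
    print(summarise(res))
    print(vulnerable_definitions(res))
```

The per-definition map is returned rather than printed so that two exports of the same asset can be compared; a rule that moves from false to error after a remediation is not fixed, it merely stopped being evaluated, and the headline counters alone would not show that.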

The Assets Patch Vulnerability Result table at the bottom of the page lists the number of vulnerability alerts that were raised by the scan task for the selected platform. To view more details about these alerts, select the value in the # of Vulnerability Alerts column. The Asset Patch Vulnerability Detail page appears; see “Viewing an asset’s patch-related vulnerabilities” on page 297.

To view the platform summary page:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > Patch Scan > Scan Results.
3. In the Job Name column, select the name of the patch scan job you want to view. The Scan Summary page appears.
4. In the Scan Task Details list, select the Platform name for the scan task you want to view. The Platform Summary page appears.

Viewing an asset’s patch-related vulnerabilities

In the patch scan Platform Summary page, when you select the # of Vulnerability Alerts value in the Assets Patch Vulnerability Result table, the Asset Patch Vulnerability Detail page appears. The page is divided into several sections:
• Summary section
• Vulnerabilities Summary section
• Error summary section

Summary section

The summary section provides links to asset history and a summary of asset details. A summary of the patch-related vulnerabilities found by the patch scan for the asset is also included.


Figure 131: Asset patch vulnerability detail list

The following information is displayed: Asset History

Select to view the asset’s history; see “Asset history” on page 210.

Compliance History

Select to view the asset’s compliance history; see “Asset compliance history” on page 211.

Vulnerability History

Select to view the asset’s vulnerability history; see “Asset vulnerability history” on page 214.

Remediation History

Select to view the asset’s remediation history; see “Asset remediation history” on page 215.

Asset Summary

Shows detailed summary information about the asset.

Host Name

Asset host name.

IP Address

Asset IP address.

Agent Version

FortiScan agent version installed on the asset.

Standard Survey Interval (min.)

Time interval between standard surveys

Detail Survey Interval (min.)

Time interval between detailed surveys

Status

The protection and connectivity status of the asset: Protected, Registered, Disconnected, Unprotected, or Retired. Assets whose Agent Scan Status is not Protected will not participate when you schedule FortiScan agent-based scans. For details, see “Agent scan status” on page 26.


Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

Confidence

The confidence level that the data on this asset is correct, based upon its collection method:
• High: Data was collected by a FortiScan agent survey (see “Agent-based surveys” on page 24).
• Medium: Data was manually edited.
• Low: Data was collected by an asset discovery scan (see “Discovering your Network’s Hosts” on page 109). This is the default. Because some data required for accurate fingerprinting cannot be detected without authenticating and examining the host’s hardware and software, this type of data may not be as reliable.
Confidence levels help to identify false positives in vulnerability assessments.

Remediation Strategy

The type of remediation strategy:
• Approval: Remediation requires administrator approval before being applied to an asset.
• Automatic: Remediation is automatically applied to an asset.

Boot Time

The date and time that the asset was last booted.

Operating System & BIOS

Lists detailed information about the asset’s OS platform and BIOS.

OS Type

OS platform installed on the asset.

OS Version

OS platform version.

BIOS Vendor

BIOS vendor.

BIOS Version

BIOS version.

Patch Vulnerabilities found in the [definition][platform] Platform

Displays a summary of the number of checks performed by the patch scan task on the asset and their results.


Total Checks

The number of checks performed on the asset

Vulnerabilities Found

The number of vulnerabilities found on the asset

UnTested (Error) Rules

The number of scan rules that were not tested due to errors.

Passed Rules

The number of scan rules that were successfully passed by the asset.


Patch vulnerabilities summary section

The Patch Vulnerabilities Summary section provides a detailed list of all the patch-related vulnerabilities detected on the asset by the scan task.

Figure 132: Patch vulnerability summary list

The following information is displayed: Patch Vulnerabilities Summary

Displays a detailed list of all the patch vulnerabilities found on the asset by the selected scan task.

Rule ID

OVAL definition identifier of scan rule

Title

Title of the scan rule

Severity

Severity of the vulnerability, based on the CVSS score:
• Low: CVSS score is 0.0 to 3.9
• Medium: CVSS score is 4.0 to 6.9
• High: CVSS score is 7.0 to 10.0
For details, see “Severity” on page 29.


CVSS Base Score

Common Vulnerability Scoring System (CVSS) Score

CVSS Vector

Select to view the components from which the CVSS score was calculated. Opens an external link to the NIST National Vulnerability Database (NVD).

OVAL ID

Select to view the OVAL definition details and pseudo code for the rule; see “Viewing an OVAL definition’s details” on page 316.

CVE ID

Select to view the entry in the Common Vulnerabilities and Exposures (CVE) dictionary for the selected vulnerability. Opens an external link to the NIST National Vulnerability Database (NVD).


Error summary section

This last section of the Asset Patch Vulnerability Detail page displays all the rules that resulted in an error during the patch scan task.

Figure 133: Error summary list

The following information is displayed: Error Summary

Displays a detailed list of all the scan rules that resulted in error during the selected scan task.

Title

Title of the scan rule

OVAL ID

Select to view the OVAL definition details and pseudo code for the rule; see “Viewing an OVAL definition’s details” on page 316.

Reason

Describes the reason for the error.

To view the asset patch vulnerability detail page:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > Patch Scan > Scan Results.
3. In the Job Name column, select the name of the patch scan job you want to view. The Scan Summary page appears.
4. In the Patch Scan Evaluation - Scan Task Details list, select the Platform name for the scan task you want to view. The Platform Summary page appears.
5. In the Asset Patch Vulnerability Results list, select the # of Vulnerability Alerts value for the asset you want to view. The Asset Patch Vulnerability Detail page appears.


Compliance

Enterprises, by virtue of their large size, are often required by law to demonstrate certain compliances. Independent from that, your organization probably has its own rules and standard operating procedures.

FortiScan provides two audit (compliance scan) methods:
• Agentless: The appliance’s remote vulnerability scanner connects to target hosts to assess their status. Currently, only PCI DSS is supported.
• FortiScan agent-based: The appliance issues directives to each asset’s FortiScan agent to run compliance scans (audits), vulnerability scans, and patch scans locally, based upon the latest regulatory benchmarks. Many benchmarks are supported, including FDCC, USGCB, SOX, and HIPAA.

Scan results are submitted to the appliance, then displayed in charts and tables, giving you a summary of your overall security posture at a glance. To ensure all assets remain compliant, you can then dispatch remediations and apply policies that utilize the distributed monitoring and execution capabilities of the agents. You can also gather information on whether or not each asset is running any unauthorized software that does not comply with your own IT policies (see “Allowing only authorized software” on page 360).

PCI DSS

In addition to testing your network for security vulnerabilities in order to verify that your firewalls and other security measures prevent penetration, if you are a bank or merchant, you may be required to generate a report to demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS). FortiScan appliances can generate such a report.

Unlike other compliance reports, PCI DSS reports are not based upon data submitted by the FortiScan agent. They are based upon agentless remote vulnerability scans. For more information, see “Agentless Vulnerability Scans” on page 228.

What does PCI DSS compliance require?

Payment Card Industry Data Security Standard (PCI DSS), defined by the PCI Security Standards Council, is a set of data security requirements to which banks, online merchants, and Member Service Providers (MSPs) must adhere, enforcing the safe handling of cardholder information. To comply with the requirements, merchants and MSPs must:
• Annually conduct an on-site audit or complete the PCI Self-Assessment Questionnaire.
• Quarterly conduct vulnerability scans on all Internet-facing networks and systems. These external scans must be performed by a PCI SSC Approved Scanning Vendor (ASV). Vulnerability scans detect security threats associated with electronic commerce, and provide the bank, merchant, or MSP with a report demonstrating compliance status. Threats must be remediated.

To support the second requirement, FortiScan can generate PCI technical and executive compliance reports that show the pass or failure status for each host on your network.


Workflow

To generate a PCI DSS compliance report:
1. Perform a network vulnerability scan using the default PCI scan profile vcm_pci_profile on all Internet-facing hosts (see “Scheduling network vulnerability scans” on page 241).
2. FortiScan creates two compliance reports, a PCI Executive Report and a PCI Technical Report, based on severity levels predefined by Fortinet.

Generating PCI DSS compliance reports

Report > Network Scan > Template displays the list of PCI DSS compliance report templates. Compliance report templates are pre-defined report formats designed to conform to PCI DSS. You cannot modify or delete the pre-defined templates. They are updated with each FortiGuard Vulnerability and Compliance Management Service engine and plug-in update.

Running a template generates a compliance report using the same scan configuration that you use when you perform a vulnerability scan in Network Scan > Vulnerability Scan > Schedule. The only difference is that a scan run from a compliance template uses the vcm_pci_profile by default. When you run a template, the window that appears allows you to limit the compliance report results to a specified time period and asset group.

To access this part of the Web-based Manager, your account’s Role must be Administrator. For details, see “Permissions” on page 33.

Figure 134: Network scan template

The following information is displayed:


View

Select to view a sample of the template report. The data does not represent your network, but you can view the report format.

Run now

Select to run the template and generate a compliance report. For more information, see “To run a template to generate a PCI DSS compliance report:” on page 304.

Cancel

Select to stop running the template.

Refresh

Select to refresh the page.

Name

The name of the template.

Last Update

The date and time the report was last updated through the vulnerability management engine and plug-in releases.

Status

If the template is running, the current stage of completion is reported here. If the template is not running, this field is blank.


To run a template to generate a PCI DSS compliance report:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Schedule a network vulnerability scan that uses the vcm_pci_profile profile in order to gather data that will be used in the PCI DSS compliance report (see “Configuring network vulnerability scan profiles” on page 235). When the scan is complete, results appear in Report > Network Scan > Report.
3. Go to Report > Network Scan > Template.
4. In the row corresponding to the template that you want to run, select Run now.

Figure 135: Run compliance report window

5. Configure the following settings:

Report Name

Enter the report name the FortiScan appliance will display in the compliance report list. The date and time will be appended to the end of the name each time a compliance report is generated.

Report Title

Enter a title that will appear in the report. This field is automatically populated depending on the type of template you choose.

Benchmark

Select a benchmark.

Profile

Select a scan profile.

Asset Group

Select an asset group. The compliance report results will be limited to the hosts defined in the specified asset group.

Report Logo

Upload a logo for the report.

Comment Title

Enter a title for any comments you have for the report.

Comment

Enter the comment content.

Report Type

Select the type of report. If you select Details, choose the rules to be reported and the report columns for those rules.

Period Scope

Select a start and end time. The compliance report results will be limited to the time period you specify.

Output Option

File Output

Select the formats in which the report will be generated. HTML is the default format. Any or all other available formats may be selected.

Email/ Upload

To have the report delivered to an e-mail address or FTP server, select this option and select the output template or create a new one. For more information about output templates, see “Configuring report output for remote network vulnerability scans” on page 238.

6. Select OK. The list of templates appears again. To determine whether the report is in progress or complete, refresh the page and update the Status column by selecting the Template submenu. The scan is complete when the Status column is blank.

Using PCI DSS compliance reports

Report > Network Scan > Report lists PCI DSS compliance reports that have been generated from the results of network vulnerability scans. Compliance reports detail the scanned hosts’ compliance with PCI DSS, and are generated from compliance report templates. For details, see “Generating PCI DSS compliance reports” on page 303. To access this part of the Web-based Manager, your account’s Role must be Administrator. For details, see “Permissions” on page 33.


Delete

Select to delete the report.

Rename

Select to rename the report.

Name

The name of the report. The name includes the date and time the report was generated. Select the name to view the HTML version of the report. For more information, see “To view the list of non-compliant hosts:” on page 306.

Started

The date and time the report was started.

Finished

The date and time the report was completed. Looking at the Started and Finished times, you can calculate how long the FortiScan appliance took to generate the report.

Size (bytes)

The size, in bytes, of the HTML report.

Formats

The formats in which the report was generated. The HTML report is accessed by selecting the report name. Other formats are listed here.

Current page

By default, the first page of the list of reports is displayed. The total number of pages appears after the current page number. For example, if 2 of 10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.

To view the list of non-compliant hosts:
1. From Current ADOM, select the name of an ADOM that is not Global. (This is the ADOM whose report you will be viewing.)
2. Go to Report > Network Scan > Report.
3. Select the report’s name to view the HTML version of the report. (If you generated the report in any additional file formats, you can select the link in the Format column to view one of those formats.)
4. In the PCI Status section, if any host’s Last Scan is Failed, correct that computer to be compliant.

Report Summary

Created

The date and time the report was generated.

Total Hosts

The IP addresses or IP range of the computers that were live and responding during the scan.

Summary From Date

The starting date and time of the report data.

Summary To Date

The ending date and time of the report data.

VM Engine Version

The FortiGuard Vulnerability and Compliance Management engine version number and date of last update. This is updated via the FortiGuard Distribution Network if you are a FortiGuard Vulnerability Management service subscriber.

VM Plugins Version

The FortiGuard Vulnerability and Compliance Management module version number and date of last update. This is updated via the FortiGuard Distribution Network if you are a FortiGuard Vulnerability and Compliance Management service subscriber.

PCI Status

IP Addresses

The IP address of the host scanned.

Failed Times

The number of times the host failed the PCI compliance scan.

Passed Times

The number of times the host passed the PCI compliance scan.

PCI Disabled

The number of times the host was scanned with the PCI option disabled in the scan schedule.

Total Scanned Times

The total number of scans on the host.

Last Scan

The PCI DSS compliance status of the host according to the latest scan.
• Passed: No vulnerabilities or potential vulnerabilities, as defined by the PCI Security Standards Council’s PCI DSS compliance standards, were detected on the host. If there are any security vulnerabilities that are not violations, you should still address them, usually in order of severity.
• Failed: At least one PCI DSS violation was detected on the host. All actual or potential vulnerabilities with this status must be remediated in order to be compliant.
See also “What is a vulnerability?” on page 28 and “How to fix vulnerabilities and non-compliances” on page 30.

Host Details

The top 10 vulnerable hosts by vulnerabilities and by times.

Vulnerability Detail

The total number of vulnerabilities detected are presented by severity, category, and date. The top 20 vulnerabilities are also listed.

Host

All services and vulnerabilities found for each host. The vulnerabilities that cause the host to fail compliance are highlighted. This section is omitted from PCI Executive Reports.

Appendix

Information about the Payment Card Industry (PCI) status and vulnerability levels.
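The PCI Status columns above are counts over each host’s scan history. As an added example (not FortiScan code, and not how the appliance itself builds the report), the following Python script rolls a constructed set of scan records up into those columns and lists the hosts whose Last Scan is Failed. The ScanRecord shape, the treatment of a PCI-disabled scan as neither a pass nor a fail, and the documentation-range sample addresses are all assumptions.

```python
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ScanRecord:
    """One network vulnerability scan of one host (assumed record shape)."""
    ip: str
    finished: datetime
    pci_enabled: bool      # False when the schedule ran with the PCI option disabled
    pci_violations: int    # findings that the PCI profile treats as PCI DSS violations
    other_findings: int    # findings that are not violations but should still be addressed


# Constructed sample history for three hosts (documentation addresses, not real hosts).
SAMPLE_SCANS = [
    ScanRecord("203.0.113.10", datetime(2013, 8, 1, 2, 0), True, 0, 2),
    ScanRecord("203.0.113.10", datetime(2013, 9, 1, 2, 0), True, 1, 0),
    ScanRecord("203.0.113.10", datetime(2013, 9, 15, 2, 0), True, 0, 1),
    ScanRecord("203.0.113.11", datetime(2013, 9, 1, 2, 0), False, 0, 5),
    ScanRecord("203.0.113.11", datetime(2013, 9, 15, 2, 0), True, 3, 0),
    ScanRecord("203.0.113.12", datetime(2013, 9, 15, 2, 0), True, 0, 0),
]


def scan_status(rec):
    """Classify one scan: Passed, Failed, or PCI Disabled."""
    if not rec.pci_enabled:
        return "PCI Disabled"
    return "Failed" if rec.pci_violations > 0 else "Passed"


def pci_status_table(scans):
    """Return {ip: row} with the PCI Status columns for every scanned host.

    Last Scan is the status of the most recent scan that had PCI enabled
    (assumption: a PCI-disabled scan can neither pass nor fail a host)."""
    rows = OrderedDict()
    for rec in sorted(scans, key=lambda r: (r.ip, r.finished)):
        row = rows.setdefault(rec.ip, {
            "Failed Times": 0, "Passed Times": 0, "PCI Disabled": 0,
            "Total Scanned Times": 0, "Last Scan": None,
        })
        status = scan_status(rec)
        row["Total Scanned Times"] += 1
        if status == "Failed":
            row["Failed Times"] += 1
            row["Last Scan"] = status   # records are time-ordered, so the latest wins
        elif status == "Passed":
            row["Passed Times"] += 1
            row["Last Scan"] = status
        else:
            row["PCI Disabled"] += 1
    return rows


def non_compliant_hosts(scans):
    """Hosts whose Last Scan is Failed: the ones the report tells you to correct."""
    return [ip for ip, row in pci_status_table(scans).items() if row["Last Scan"] == "Failed"]


if __name__ == "__main__":
    for ip, row in pci_status_table(SAMPLE_SCANS).items():
        print(ip, row)
    print("non-compliant:", non_compliant_hosts(SAMPLE_SCANS))
```

The same roll-up is what makes the Failed Times and Passed Times columns useful as a trend: a host with a failed scan in its history but a passing Last Scan has been remediated, while a host whose Last Scan is Failed is the one still out of compliance.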

To resolve a host’s non-compliance:
1. In the Hosts section of the report, select the blue disclosure arrow next to the host’s IP address. This will reveal a list of vulnerability scans of that host.
2. Select the blue arrow next to a vulnerability scan date to reveal the list of discovered problems.
3. After the list of open ports, severity level and category summary, and OS fingerprint, in the Vulnerability Information subsection, select the blue arrow next to each severity level (High, Medium, Low, or Information) to expand the list of vulnerabilities at each level.
4. Resolve each problem by applying one of the suggested solutions for each vulnerability.


Figure 136: Non-compliance

FortiScan can automatically fix many of the vulnerabilities it can detect, significantly shortening your response time. For details, see “Remediating” on page 399.

Agent-based compliance scans

By periodically scheduling your assets’ FortiScan agents to run compliance scans (audits), you can remain aware of your assets’ most current security posture with regard to compliance. Compliance scans test whether or not the asset complies with each rule in a benchmark that you select. Tests can consist of scripts that verify configuration settings and installed patches, and of survey questions that you answer. Test results are categorized as successful (passed), untested, failure, or error. For example, a successful compliance test may mean that a particular required patch was found to be installed. If the test was not able to execute (perhaps the asset was offline), then the rule was not tested and is categorized as such. If the test executed or attempted to execute, but the results were inconclusive or there was a software error, then the result is categorized as an error.

In addition to agent-based compliance reports, you can generate PCI DSS compliance reports using the agentless vulnerability scanner. For details, see “What does PCI DSS compliance require?” on page 302.


Workflow

Periodically run compliance scans again to ensure that your compliance statistics remain current, so that you can keep assets compliant by applying policies and remediations.

To use compliance scans:
1. Create benchmark subsets that focus on specific areas of compliance that you want to audit in your compliance scans. See “Modifying a benchmark” on page 318. For example, if your network has no assets that run Microsoft Windows, you would create custom benchmarks that omit tests for that platform in order to save time and network resources when running compliance scans.
2. If you want to automatically apply remediations, or be alerted whenever you need to manually dispatch a remediation, configure compliance policies. See “Achieving real-time compliance via policies” on page 347.
3. If you want to automatically create and assign tickets when a compliance scan detects non-compliances, configure ticket policies. See “Configuring ticket policies” on page 392.
4. Run a scan using one of the benchmarks that you defined in step 1. See “Scheduling a compliance scan” on page 320.
5. Once at least one compliance scan has been received from the assets’ agents, you can view overall compliance statistics. See “Viewing compliance statistics” on page 324, “Compliance summary chart” on page 443, and “Compliance posture tab” on page 449.
6. Review the compliance scan results for individual assets. See “Viewing compliance scan results” on page 325.
7. Manually dispatch remediations or externally resolve the issues if required to completely correct the detected compliance deviations. See “Dispatching remediations” on page 409.

Uploading benchmarks

If FortiScan’s predefined benchmarks do not include the one that you need, you can upload your own compliance benchmarks from your computer to the FortiScan appliance.

To upload a compliance benchmark:
1. Download a compliance benchmark set, such as:
• the Federal Desktop Core Configuration (FDCC) security standard
• the United States Government Configuration Baseline (USGCB) security standard
from the National Institute of Standards and Technology (NIST) (http://web.nvd.nist.gov/view/ncp/repository).

The benchmark must be in extensible configuration checklist description format (XCCDF) in order to be compatible. If you require a benchmark that is not available in XCCDF, please contact Fortinet Technical Support and request that they convert the file.

2. Download or create an OVAL file to indicate vulnerabilities that are associated with failure to meet each of your XCCDF benchmarks.
3. Using a plain text editor, open the XCCDF file. Change its element’s href attribute to refer to your OVAL file’s ID on the FortiScan appliance, not its file name. The ID of the file can be anything, but to be useful, it should typically indicate the version, compliance regime, target platform, and OVAL or XCCDF contents. For example, if your OVAL file is fnbp-winvista-oval.xml and its version is 1.1, the OVAL file’s ID on FortiScan will be 1.1-fnbp-winvista-oval.xml. You would open the XCCDF file and modify it to read:
4. Using a plain text editor, create a file named master.registry. Each line should be a space-delimited mapping between the ID and its OVAL or XCCDF file. The contents should look like this:

# ID, shown in benchmark details’ "Source" field#   #OVAL/XCCDF file name#
---------------------------------------------------------------------------------
1.1-fnbp-winvista-oval.xml fnbp-winvista-oval.xml
1.1-fnbp-winvista-xccdf-index.xml fnbp-winvista-xccdf-index.xml

5. Create a .tar.gz archive that contains those 3 files: the XCCDF file, the OVAL file, and the master.registry file.
6. From Current ADOM, select either Global to make the benchmark available to all ADOMs, or select the name of a specific ADOM to make the benchmark available only to that ADOM.
7. Go to Agent Scan > Upload Benchmark > Upload Benchmark.

Figure 137: Benchmark upload window

8. Select Browse.
9. Locate and select the benchmark package file (.tar.gz) that you want to upload.
10. Select Open. The name of the benchmark file appears in the Upload File field.
11. Select OK. The confirmation message “Successfully uploaded the benchmark file to database.” appears after the benchmark file is successfully uploaded to the FortiScan appliance. Time required varies by network speed and the size of the file.
To verify that the benchmark was uploaded and imported successfully, go to Agent Scan > Audit Scan > Benchmarks (see “Viewing compliance benchmarks” on page 314).
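The packaging steps above are easy to get wrong by hand: an href left pointing at the OVAL file name instead of the ID, or a master.registry line that does not match what is in the archive. The following Python script, an added example rather than Fortinet’s own tooling, builds the .tar.gz from the constructed XCCDF and OVAL samples embedded in it. It derives the “<version>-<file name>” IDs, rewrites the XCCDF check-content-ref href attributes to the OVAL ID, writes master.registry, and refuses to package when nothing referenced the OVAL file. The element name check-content-ref and the XCCDF 1.1 namespace are assumed from the XCCDF schema; the procedure above does not name the element.

```python
import io
import os
import tarfile
import tempfile
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"  # assumed XCCDF 1.1 namespace

# Constructed sample XCCDF: one rule whose check refers to the OVAL file by file name,
# which is exactly what the procedure tells you to change to the OVAL ID.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="{ns}" id="fnbp-winvista-xccdf-index">
  <Rule id="rule-1">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="fnbp-winvista-oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
</Benchmark>
""".format(ns=XCCDF_NS)

# Constructed sample OVAL file (a real one also carries tests, objects and states).
SAMPLE_OVAL = """<?xml version="1.0"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="compliance"/>
  </definitions>
</oval_definitions>
"""


def benchmark_id(version, file_name):
    """ID convention from the procedure: '<version>-<file name>'."""
    return "{}-{}".format(version, file_name)


def rewrite_hrefs(xccdf_xml, oval_file, oval_id):
    """Point every check-content-ref at the OVAL ID instead of the OVAL file name.
    Returns (rewritten_xml, number_of_hrefs_changed)."""
    ET.register_namespace("", XCCDF_NS)  # keep XCCDF as the default namespace on output
    root = ET.fromstring(xccdf_xml)
    changed = 0
    for ref in root.iter("{%s}check-content-ref" % XCCDF_NS):
        if ref.get("href") == oval_file:
            ref.set("href", oval_id)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def master_registry(entries):
    """entries: list of (id, file_name); one space-delimited mapping per line."""
    return "".join("{} {}\n".format(entry_id, name) for entry_id, name in entries)


def build_package(version, xccdf_file, xccdf_xml, oval_file, oval_xml, out_path):
    """Write out_path as a .tar.gz holding the XCCDF file, the OVAL file and master.registry.
    Returns (registry_text, rewritten_xccdf_xml)."""
    oval_id = benchmark_id(version, oval_file)
    xccdf_id = benchmark_id(version, xccdf_file)
    fixed_xccdf, changed = rewrite_hrefs(xccdf_xml, oval_file, oval_id)
    if changed == 0:
        # Nothing referenced the OVAL file, so the uploaded benchmark could never resolve its checks.
        raise ValueError("no check-content-ref href points at %s" % oval_file)
    registry = master_registry([(oval_id, oval_file), (xccdf_id, xccdf_file)])
    with tarfile.open(out_path, "w:gz") as tar:
        for name, text in ((xccdf_file, fixed_xccdf), (oval_file, oval_xml), ("master.registry", registry)):
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return registry, fixed_xccdf


def package_members(path):
    """Sorted member names of an existing package, for a pre-upload sanity check."""
    with tarfile.open(path, "r:gz") as tar:
        return sorted(tar.getnames())


def build_sample_package():
    """Package the constructed sample into a temporary directory.
    Returns (registry_text, member_names, rewritten_xccdf_xml)."""
    out = os.path.join(tempfile.mkdtemp(), "fnbp-winvista-1.1.tar.gz")
    registry, fixed_xccdf = build_package(
        "1.1", "fnbp-winvista-xccdf-index.xml", SAMPLE_XCCDF,
        "fnbp-winvista-oval.xml", SAMPLE_OVAL, out)
    return registry, package_members(out), fixed_xccdf


if __name__ == "__main__":
    registry, members, _ = build_sample_package()
    print(registry)
    print(members)
```

The registry it writes matches the two-line example in step 4; for a real benchmark, run the script against the downloaded XCCDF and OVAL files and check that the member list contains exactly the three files before uploading.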

Searching by CVE ID

You can search both the OVAL vulnerability definitions and the remediations for references to a specific CVE identifier (CVE ID).

Not all vulnerabilities have a CVE identifier (CVE or CAN).


To search remediations by CVE ID:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > CVE Search > CVE Remediation Search. A list of remediations by CVE ID appears.

Figure 138: Remediation list

The following information is displayed:

CVE ID

The NIST Common Vulnerabilities and Exposures (CVE) identifier for the vulnerability.

Name

The descriptive name of the vulnerability. Select to open the Remediation Detail page for the vulnerability; see “Viewing remediation details” on page 402.

Remediation ID

The remediation ID of the vulnerability, if available.

Type

Type of content described in the CVE: Remediation or Vulnerability.

3. In the CVE ID column header, select the filter icon. The filter dialog appears.


Figure 139: Filter dialog box

4. Mark the Enable check box.
5. In the CVE ID field, enter a whole or partial CVE identifier. You can use wild cards such as an asterisk (“*”) to match any number of characters in a prefix or suffix.
6. If you want to include or exclude CAN vulnerabilities in your search, mark or clear the Include CAN identifiers in search check box.
7. Select OK. The list refreshes to show the results of your search. The filter icon at the top of the CVE ID column turns green to indicate that the results are filtered.

To search the FortiScan appliance’s databases by CVE ID:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > CVE Search > CVE ID Search.
3. In the ID field, type the exact CVE identifier.
4. Select Search. The OVAL Search Results page appears.


Figure 140: OVAL search results page

The following information is displayed:

Vulnerability Scan Definitions

This section appears if the search discovers the specified CVE ID in one or more Fortinet vulnerability scan definitions.

Vulnerability Scan Definition ID

The vulnerability scan definition where the CVE ID was found.

OVAL ID

The OVAL definition identifier. Select to view the OVAL definition detail page. For more information, see “Viewing an OVAL definition’s details” on page 316.

Title

OVAL definition title

CVSS

CVSS v2 Base Score

Patch Scan Definitions

This section appears if the search discovers the specified CVE ID in one or more Fortinet patch scan definitions.

Patch Scan Definition ID

The patch scan definition where the CVE ID was found.

OVAL ID

The OVAL definition identifier. Select to view the OVAL definition detail page. For more information, see “Viewing an OVAL definition’s details” on page 316.

Title

OVAL definition title

CVSS

CVSS v2 Base Score

Remediations

This section appears if the search discovers the specified CVE ID in one or more Fortinet remediations.

Remediation ID

The Fortinet remediation identifier. Select to view the Remediation Detail page for the selected remediation; see “Viewing remediation details” on page 402.

Name

The name of the remediation.

Major

Major version number of the Fortinet remediation.

Minor

Minor version number of the Fortinet remediation.

Invasiveness

The invasiveness of the vulnerabilities resolved by the remediation: Highest, High, Medium, Low, or Lowest.

Category

The type of remediation:
• Config: Change a configuration parameter.
• Patch: Install a software patch.
• Text: Manual remediation instructions.

Network Scan

This section appears if the search discovers the specified CVE ID in one or more network scan vulnerability definitions.

FID

The Fortinet ID of the vulnerability. The FID is a unique identifier assigned by the FortiGuard Vulnerability Management Service.

Title

The name of the vulnerability. Select the name for additional details.

Severity

The vulnerability severity rating. See “Severity” on page 29.

Category

The part of a host in which the vulnerability exists. Example categories include Operating System, Applications, File Transfer, and Email.

Authentication

The authentication type required to scan for this vulnerability. If the field is blank, no authentication is required.

CVE ID

The CVE identifier.

5. To return to the CVE ID Search page, select Back.
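As an added example that is not FortiScan code, the following Python module reproduces the matching behaviour of the two CVE searches above over a constructed remediation list: the column filter with an asterisk wildcard and the Include CAN identifiers toggle, and the exact-identifier lookup of the CVE ID Search page. Treating a pattern without an asterisk as a substring match is an assumption, and the identifiers in the sample rows (year 0000 and 0001) are placeholders, not real CVE numbers.

```python
import re

# CVE-YYYY-NNNN, or the older CAN-YYYY-NNNN "candidate" form that some remediations still reference.
_ID_RE = re.compile(r"^(CVE|CAN)-\d{4}-\d{4,}$", re.IGNORECASE)

# Constructed sample rows with the four columns the remediation list displays.
# The identifiers are placeholders (year 0000/0001), not real CVE entries.
SAMPLE_ROWS = [
    {"CVE ID": "CVE-0000-0001", "Name": "Sample browser issue", "Remediation ID": "FR-1", "Type": "Remediation"},
    {"CVE ID": "CVE-0000-0450", "Name": "Sample service issue", "Remediation ID": "", "Type": "Vulnerability"},
    {"CVE ID": "CAN-0000-0230", "Name": "Sample candidate entry", "Remediation ID": "FR-2", "Type": "Remediation"},
    {"CVE ID": "CVE-0001-1823", "Name": "Sample CGI issue", "Remediation ID": "FR-3", "Type": "Remediation"},
]


def is_cve_like(identifier):
    """True for a well-formed CVE or CAN identifier."""
    return bool(_ID_RE.match(identifier))


def _compile_filter(pattern):
    """'*' matches any run of characters and the pattern is anchored at both ends;
    a pattern with no asterisk is a partial identifier and matches as a substring (assumption)."""
    if "*" in pattern:
        parts = [re.escape(p) for p in pattern.split("*")]
        return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)
    return re.compile(re.escape(pattern), re.IGNORECASE)


def filter_by_cve(rows, pattern, include_can=True):
    """The CVE ID column filter: rows whose CVE ID matches pattern.
    include_can=False mirrors clearing the 'Include CAN identifiers in search' box."""
    rx = _compile_filter(pattern)
    matches = []
    for row in rows:
        cve_id = row["CVE ID"]
        if not include_can and cve_id.upper().startswith("CAN-"):
            continue
        if rx.search(cve_id):
            matches.append(row)
    return matches


def exact_search(rows, identifier):
    """The CVE ID Search page takes the exact identifier; reject anything malformed up front."""
    if not is_cve_like(identifier):
        raise ValueError("not a CVE identifier: %r" % identifier)
    return [row for row in rows if row["CVE ID"].upper() == identifier.upper()]


if __name__ == "__main__":
    for row in filter_by_cve(SAMPLE_ROWS, "CVE-0000-*"):
        print(row["CVE ID"], row["Type"], row["Remediation ID"] or "(no remediation)")
    print(len(filter_by_cve(SAMPLE_ROWS, "*-0230", include_can=False)), "rows without CAN")
```

Rows whose Type is Vulnerability and whose Remediation ID is empty are the ones the CVE search finds a definition for but no Fortinet remediation; those need manual follow-up rather than a dispatched remediation.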

Viewing compliance benchmarks

Agent Scan > Audit Scan > Benchmarks displays the details of all benchmarks that can be used by compliance scans to audit an asset for compliance. Benchmarks describe regulatory standards for computer configuration and patch management consistent with security best practices. Benchmarks are available from a number of sources, including Fortinet and the Center for Internet Security (CIS). Some benchmarks are included with the FortiScan appliance firmware, such as FDCC and USGCB. You can also upload benchmark files. For details, see “Uploading benchmarks” on page 309.


Figure 141: Audit scan benchmarks

The following information is displayed:

Title

The title of the compliance benchmark. Select to view the list of rules included in the benchmark (see “Viewing the rules in a benchmark” on page 316).

Version

The version number of the benchmark.

Import Time

The date and time the benchmark was imported into the FortiScan appliance. See “Uploading benchmarks” on page 309.

Action

Delete

Select to delete the benchmark.

View all versions

Select to view all available versions of this benchmark. This icon appears only if multiple versions exist.

Enable Globally Visible

Select to make a benchmark in your ADOM visible to all other ADOMs. The icon changes to Disable Globally Visible. This icon appears only for benchmarks that you have created.

Disable Globally Visible

Select to hide a benchmark that is visible to all other ADOMs. The icon changes to Enable Globally Visible. This icon appears only for benchmarks that you have created.


Viewing the rules in a benchmark

On Agent Scan > Audit Scan > Benchmarks in ADOMs other than Global, by selecting the Title of a benchmark and then selecting Show Details, you can view the list of rules that are used in a benchmark.

Figure 142: Audit scan benchmarks details list

The following information is displayed:

Hide Details

Select to hide details about the rules used in the benchmark.

ID

The rule identifier.

Title

A description of the rule.

OVAL ID

The OVAL definition identifier for the rule. Select to view the OVAL definition’s details (see “Viewing an OVAL definition’s details” on page 316).

Viewing an OVAL definition’s details

Open Vulnerability and Assessment Language (OVAL) definitions appear in several places in the Web-based Manager. You can view details for any OVAL definition, including pseudo-code, raw XML content, and pseudo-evaluation information, for any benchmark rule. To do this, select the value in the OVAL ID column.


Figure 143: OVAL definition details

The following information is displayed:

Details

Rule Details

The identifier for the OVAL definition.

Namespace

The URI of the XML Schema used to define the namespace of the OVAL definition file.

Source

The name of the XML file that contains this OVAL rule set.

Test Id

The identifier for the OVAL definition test.

Reference

The URL of the CCE or CVE reference identifier and source, if any.

Affected Family

The operating system (OS) family affected by the vulnerability.


Affected Platforms

The OS and version affected by the vulnerability.

Affected Products

The products affected by the vulnerability, if any.

Pseudo Code

The pseudo-code, if any, that describes the OVAL rule.

Raw XML

The part of the XML source file that describes the OVAL rule.

Pseudo Evaluation

The pseudo-code of the evaluation used to determine if the asset is in compliance with the OVAL rule.

Modifying a benchmark

Although you cannot create a benchmark from scratch, you can use the wizard to create a subset of benchmark rules so that you do not have to.

You can also upload benchmarks. See “Uploading benchmarks” on page 309.

Benchmarks derived from Security Content Automation Program (SCAP) content are not currently adaptable.

To create a benchmark:
1. From Current ADOM, select an ADOM that is not Global. Benchmark presets are specific to each ADOM. As a result, the menu in the following step is not available in the Global ADOM.

Although your new benchmark will be created in the ADOM that you select from Current ADOM, you will be able to share the benchmark with other ADOMs by selecting Enable Globally Visible on Agent Scan > Audit Scan > Benchmarks.

2. Go to Agent Scan > Audit Scan > Customize Benchmark.


The first step of the wizard, Benchmark, appears in the content pane.

Figure 144: Benchmark page

3. In Benchmark Name and Benchmark Title, type a unique name and title for your new benchmark.
4. Select one of the benchmarks. Your selection will serve as the basis for your new benchmark. You can use an older version of a benchmark, if one exists, by selecting the View all versions icon to the right of the benchmark name, then selecting the version from the list that appears.
5. Select Next. The Profiles step appears.

Figure 145: Profiles page

6. Select at least one type of platform-specific rules that you want to include in your new benchmark.
7. Select Next. The Rules step appears, showing all the rules contained in each platform-specific rule set that you selected in the previous step.


Figure 146: Rules step

8. Enable one or more specific rules to be included in your new benchmark. The Values step appears.
9. If necessary, modify the value bindings associated with each rule.
10. Select Next. The Save step appears, indicating that the benchmark was successfully saved.

Figure 147: Save page

Scheduling a compliance scan

To assess how well one or more assets comply with a regulatory standard (benchmark), use the wizard to run a compliance scan (audit). Before scheduling a compliance scan, if you often use the same subset of benchmarks, you can create a preset so that you do not have to select them each time. For details, see “Modifying a benchmark” on page 318.


To perform a compliance scan:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Agent Scan > Audit Scan > Perform Audit. The first page of the wizard, Benchmark, appears in the content pane.

Figure 148: Benchmark page

3. Select one of the benchmarks to use when auditing assets for compliance. You can use an older version of a benchmark, if it exists, by selecting the View all versions icon and then selecting the version.
4. In the Job Name field and the Job Comments field, enter a unique name and description for the scan job.
5. Select Next.


The Platforms step appears.

Figure 149: Platforms page

If your ADOM does not have any protected assets whose operating system (OS) matches the platforms tested by the benchmark, you will not be able to proceed to the next step. Instead, when you select Next, an error message appears:

Could not perform assessment at this time. No assets available to the logged in user for the selected benchmark

For details on determining an asset’s Agent Scan Status and OS Type, see “Your Asset Inventory” on page 179.
6. Mark the check box of each type of platform-specific rules from the benchmark that you want to use in your compliance scan.
7. Select Next. The Assets step appears.

Figure 150: Assets page

8. Mark the check box of one or more assets to be included in your compliance scan. To limit the number of assets, use the filter icons (see “Filtering list entries” on page 45).
9. Select Next.
10. If the selected benchmark includes an administrator survey, the Survey step appears. Otherwise, skip to the Perform step.


Figure 151: Survey page

11. Answer the administrator survey questions.
12. Select Next. The Perform step appears, indicating that the compliance scan is scheduled.

Figure 152: Perform page

The next time that the selected assets’ FortiScan agents connect to the appliance, they receive a directive to complete a compliance scan.

Do not reboot an asset while it is actively engaged in a scan. In the scan results, the Completion Status for that asset will be Completed, but the results will have errors and omissions for that specific asset.

If an asset’s Agent Scan Status is Disconnected, the compliance scan will be unable to complete, and the Completion Status will be Expired.

The time required to complete a compliance scan can be from a few minutes to several days, depending on the number of rules in the benchmark, the number of assets being audited, and network connectivity. To determine the progress of the scan, monitor Completion Status in the scan results. When the scan is complete, you can view the results (see “Viewing compliance statistics” on page 324, “Viewing compliance scan results” on page 325, and “Viewing detailed compliance scan results” on page 327).

Viewing compliance statistics

Agent Scan > Audit Scan > Scan Home in ADOMs other than Global summarizes the results of the compliance scans that have been run, and displays the information in charts and tables.

Figure 153: Audit scan home

The following information is displayed:

Compliance Summary by Asset Groups

Name

The name of the asset group.

Total Assets

The number of assets in the group.

NOT Tested

The percentage of assets in the group that are untested.

IN Compliance

The percentage of assets in the group that were found to be compliant during the last compliance scan that included that group.

OUT of Compliance

The percentage of assets in the group that were non-compliant.

Total Evaluated Assets

The number of assets in the group that participated in the last compliance scan. This number may be less than the total number of assets in the group if, for example, some assets were disconnected or rebooted during the last compliance scan that included that group.

Total Jobs

The total number of compliance scan jobs that have involved that group. Select this number to display the Compliance Job Summary table (see “Compliance job summary table” on page 443).

Compliance Summary for Group: {All}

A pie chart showing the relative percentages of compliant, non-compliant, and untested assets.

Compliance Index


Total in Compliance Assets

The total number of assets found to be in compliance.

Total Out of Compliance Assets

The total number of assets found to be non-compliant.

Total Evaluated Assets

The total number of assets that were tested for compliance.

Total Not Tested Assets

The total number of assets that were not tested for compliance.

Total Assets

The total number of assets in the asset inventory.

Total Jobs

The total number of compliance scan jobs that were performed. Select this number to display the Compliance Job Summary table (see “Compliance job summary table” on page 443).

Total Subgroups

The total number of asset groups in the asset inventory that are not automatically maintained (i.e. are administrator-created). Select this number to view Security Posture Report – Compliance Summary, which contains a separate pie chart (Compliance Summary for Group: {}) and Compliance Index table for each subgroup.
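The Scan Home tables above are roll-ups of the per-rule results described under “Agent-based compliance scans”. The following Python script is an added example, not FortiScan code: it takes constructed rule-level results (passed, failed, untested, error) for a few assets, derives each asset’s status, and computes one Compliance Summary by Asset Groups row, the per-job % of Assets shares, and the Compliance Index totals. The roll-up rule (compliant only if every rule passed, non-compliant if any rule failed, otherwise not tested) and the percentage bases are assumptions; the asset names and groups are constructed.

```python
from collections import Counter

# Rule-level result categories, as described under "Agent-based compliance scans".
PASSED, FAILED, UNTESTED, ERROR = "passed", "failed", "untested", "error"
# Asset-level statuses used by the Scan Home tables.
IN, OUT, NOT_TESTED = "in_compliance", "out_of_compliance", "not_tested"

# Constructed sample: the result of each benchmark rule, per asset.
# win-03 was offline, so no rule ran; win-04 was rebooted mid-scan, so one rule errored.
SAMPLE_RESULTS = {
    "win-01": {"rule-1": PASSED, "rule-2": PASSED, "rule-3": PASSED},
    "win-02": {"rule-1": PASSED, "rule-2": FAILED, "rule-3": PASSED},
    "win-03": {"rule-1": UNTESTED, "rule-2": UNTESTED, "rule-3": UNTESTED},
    "win-04": {"rule-1": PASSED, "rule-2": ERROR, "rule-3": PASSED},
}

# Constructed asset groups; win-05 is in the inventory but was not part of the scan.
SAMPLE_GROUPS = {
    "Workstations": ["win-01", "win-02", "win-03", "win-04", "win-05"],
    "Finance": ["win-02", "win-04"],
}


def asset_status(rule_results):
    """Roll-up assumption: compliant only if every rule passed; any failed rule makes the
    asset non-compliant; no results, or errors without a failure, means not tested."""
    if not rule_results:
        return NOT_TESTED
    values = set(rule_results.values())
    if FAILED in values:
        return OUT
    if values == {PASSED}:
        return IN
    return NOT_TESTED


def _percent(count, total):
    return round(100.0 * count / total, 1) if total else 0.0


def group_summary(group_assets, results):
    """One row of Compliance Summary by Asset Groups. Percentages are of Total Assets
    in the group; assets the scan never reached count as not tested."""
    statuses = Counter(asset_status(results.get(asset, {})) for asset in group_assets)
    total = len(group_assets)
    return {
        "Total Assets": total,
        "NOT Tested": _percent(statuses[NOT_TESTED], total),
        "IN Compliance": _percent(statuses[IN], total),
        "OUT of Compliance": _percent(statuses[OUT], total),
        "Total Evaluated Assets": statuses[IN] + statuses[OUT],
    }


def job_percentages(results):
    """The % of Assets bar for one scan job: shares of the assets included in that scan."""
    statuses = Counter(asset_status(rules) for rules in results.values())
    total = len(results)
    return {
        "green": _percent(statuses[IN], total),
        "red": _percent(statuses[OUT], total),
        "yellow": _percent(statuses[NOT_TESTED], total),
    }


def compliance_index(groups, results):
    """Compliance Index totals over the whole inventory (the union of all groups)."""
    inventory = sorted({asset for assets in groups.values() for asset in assets})
    statuses = Counter(asset_status(results.get(asset, {})) for asset in inventory)
    return {
        "Total in Compliance Assets": statuses[IN],
        "Total Out of Compliance Assets": statuses[OUT],
        "Total Evaluated Assets": statuses[IN] + statuses[OUT],
        "Total Not Tested Assets": statuses[NOT_TESTED],
        "Total Assets": len(inventory),
        "Total Subgroups": len(groups),
    }


if __name__ == "__main__":
    for name, assets in SAMPLE_GROUPS.items():
        print(name, group_summary(assets, SAMPLE_RESULTS))
    print("job", job_percentages(SAMPLE_RESULTS))
    print("index", compliance_index(SAMPLE_GROUPS, SAMPLE_RESULTS))
```

Note how the rebooted asset (win-04) lands in the not-tested bucket under this roll-up even though its scan shows Completed: a reboot during a scan leaves a rule in error, and an asset with an error cannot be counted as compliant, which is why Total Evaluated Assets can be smaller than Total Assets.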

Viewing compliance scan results

Agent Scan > Audit Scan > Assessment Evaluation in ADOMs other than Global displays the current completion status and results for compliance scans.

Figure 154: Assessment evaluation

Select the Job Name to view the job summary and benchmark task detail for a specific scan job.

The following information is displayed:

Job Name

The name of the compliance scan. Select to view the Job Summary and Benchmark Task Details for the scan (see “Viewing detailed compliance scan results” on page 327).

Benchmark

The benchmark used by the scan.

Version

The version of the benchmark used in the scan.

Applied By

The name of the administrator who initiated the scan.

Start Time

The date and time that the scan started.

Completion Status

The completion status of the scan:
• Pending Dispatch: Scan is scheduled, but the assets’ FortiScan agents have not yet connected for their next survey interval, and therefore have not yet received the directive to run a compliance scan.
• In Progress: Scan has started, but is not yet complete.
• Completed: Scan is complete. This status can occur even if some of the assets were rebooted during the scan, and therefore did not successfully complete the entire compliance scan, resulting in errors or omissions for some results on individual rules in the benchmark.
• Error: Scan failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or benchmark issues.
• Expired: Scan did not complete within two days. This can occur if the Agent Scan Status of some of the assets was Disconnected during the scan.
To display the current scan completion status, refresh the page.

% of Assets

The percentage of assets per compliance status, relative to the total number of assets that were included in the scan:
• Green: The percentage of assets in compliance.
• Red: The percentage of non-compliant assets.
• Yellow: The percentage of untested assets.

Score

The compliance score. For details, see “Viewing the score breakdown” on page 337.

# of Assets Evaluated

The number of assets that were included in the compliance scan. This may be less than the total number of assets in the asset inventory if you selected a subset during the compliance scan wizard. For details, see “Scheduling a compliance scan” on page 320.

Action

Delete

Select to delete the scan. Alert events generated from the scan results will still be available.

Edit

Select to modify the scan name or comments.

Rescan

Select to run the scan again. This icon is available only for scans whose Completion Status is Expired or Completed.


Viewing detailed compliance scan results

On Agent Scan > Audit Scan > Assessment Evaluation for ADOMs other than Global, when you select the value in the Job Name field for a compliance scan, the Job Summary page appears. It includes any deviations that were found during the scan.

Figure 155: Assessment evaluation (job summary charts)

Figure callouts:
• View By Groups: select to view the compliance scan job summary results on a per-group basis.
• FISMA Detailed: select to view FISMA details for the scan job, if available.
• Result by Profile bar graph: hover the mouse over a bar to view the benchmark name.
• View Deviations: select to view specific deviations from the benchmark for each asset.
• Profile: select to view the task details.

The following information is displayed:

Job Summary


Displays the details of the selected compliance scan job and the scan results.

Job Name

The title of the compliance scan job.

Job Comment

The comment, if any, about the compliance scan job.

Benchmark Name

The name of the benchmark used by the compliance scan job.

Benchmark Title

The title (description) of the benchmark used by the compliance scan job.

Version

The benchmark version.

Applied By

The name of the administrator account which initiated the compliance scan.

Start Time

Date and time the scan job started.

End Time

Date and time the scan job ended.


Status

Current completion status of the scan job:
• Pending Dispatch: The scan job is scheduled.
• In Progress: Scanning is in progress.
• Completed: Scan job is complete.
• Error: Scan job failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or benchmark issues.
• Expired: Scan job did not complete within two days. (This may happen if some of the assets were disconnected from the FortiScan appliance during the scan period.)

# of Assets

Total number of assets scanned.

Out of Compliance

Percentage of total assets that are out of compliance.

In Compliance

Percentage of total assets that are in compliance.

Not Tested

Percentage of total assets that were not tested by the scan job.

Score

Compliance score. For more information, see “Viewing the score breakdown” on page 337.

Result by Profile

Displays a bar graph showing the distribution of compliance results by assessment profile. Hovering your mouse over the graph bar displays the name of the associated benchmark.

View By Groups

Select to view the job summary results per asset groups (see “Viewing detailed compliance scan results per asset group” on page 329).

FISMA Detailed

Select to view a FISMA report for the scan job (see “Viewing FISMA reports” on page 333). This button appears only if the scan used Federal Desktop Core Configuration (FDCC) benchmark rules.

Compliance Assessment Evaluation - Benchmark Task Details

Displays a summary of the benchmark task details used by the compliance scan job and what deviations were found.


View Deviations

Select to view a list of deviations from the benchmark rules; see “Viewing rule violations” on page 335.

Profile

The name of the benchmark used in the compliance scan. Select to view the Benchmark Task Detail and the Asset Compliance Result page (see “Viewing detailed compliance scan results per benchmark” on page 331).

Start Time

Date and time the scan job started.


Status

Current completion status of the scan job:
• Pending Dispatch: The scan job is scheduled.
• In Progress: Scanning is in progress.
• Completed: Scan job is complete.
• Error: Scan job failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or benchmark issues.
• Expired: Scan job did not complete within two days. (This may happen if some of the assets were disconnected from the FortiScan appliance during the scan period.)

Completion Status

The percentage of completion.

# of Assets

Total number of assets scanned.

Result

Number and color-coded progress bar representing percent of assets that are: • In Compliance: Green • Out of Compliance: Red • Not Tested: Yellow

Score

Compliance score. For details, see “Viewing the score breakdown” on page 337.

Viewing detailed compliance scan results per asset group

You can view the results of a compliance scan on a per asset group basis, by selecting the View By Groups button in the compliance scan Job Summary page (see “Viewing detailed compliance scan results” on page 327). The asset group Job Summary page appears.

Figure 156: Job summary charts by asset groups


The following information is displayed:

Job Summary

Displays the details of the selected compliance scan job and the scan results.

Job Name

The title of the compliance scan job.

Job Comment

The comment, if any, about the compliance scan job.

Benchmark Name

The name of the benchmark used by the compliance scan job.

Benchmark Title

The title (description) of the benchmark used by the compliance scan job.

File Name

The file name of the benchmark.

Version

The benchmark version.

Status

The benchmark status: Accepted, Deprecated, Draft, Incomplete, or Interim.

Date Imported

The date and time the benchmark was imported into the FortiScan appliance database.

Assessment Time

The date and time the compliance assessment was performed.

Assessed by

The name of the administrator account that initiated the compliance scan.

Asset Group: All | {Group name}

Lists the assets in the group and the individual evaluation results for each asset.

Host Name

The asset host name.

IP Address

The asset IP address.

Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

Profile: ()

Displays the assessment evaluation for each asset.

Score

Compliance score. For more information, see “Viewing the score breakdown” on page 337.

Modified Score

Modified assessment score, after overrides and waivers have been applied. For more information, see “Viewing the score breakdown” on page 337.


Status

Current completion status of the scan job:
• Pending Dispatch: The scan job is scheduled.
• In Progress: Scanning is in progress.
• Completed: Scan job is complete.
• Error: Scan job failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or benchmark issues.
• Expired: Scan job did not complete within two days. (This can happen if some of the assets were disconnected from the FortiScan appliance during the scan period.)

Viewing detailed compliance scan results per benchmark

The Task Detail page displays the benchmark version, results, and duration for each compliance scan, per benchmark. From this page, you can also (indirectly) access a score breakdown.

To view the task detail page:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > Audit Scan > Assessment Evaluation, then in the Job Name column, select the name of the compliance scan. The Job Summary page appears.
3. In the Profile column, select the name of a benchmark. The Task Detail page appears.

Figure 157: Job summary charts’ benchmark task detail

The following information is displayed: Task Detail


Name

The name of the assessment profile.

Title

The title of the assessment profile.


Benchmark

The name of the benchmark using this profile.

CPE

The CPE identifier for the benchmark.

Applied by

The name of the administrator account which initiated the scan.

Start time

The date and time that the compliance scan started.

End Time

Date and time the scan was finished.

Status

Current completion status of the scan:
• Pending Dispatch: The scan is scheduled.
• In Progress: Scanning is in progress.
• Completed: Scan is complete.
• Error: Scan failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or benchmark issues.
• Expired: Scan did not complete within two days. (This may happen if some of the assets were disconnected from the FortiScan appliance during the scan period.)

Completion Status

The percentage of completion.

# of Assets

Total number of assets scanned.

Out of Compliance

The percentage of assets that are out of compliance, displayed as a number and as a red bar graph.

In Compliance

The percentage of assets that are in compliance, displayed as a number and as a green bar graph.

Not Tested

The percentage of assets that were not tested, displayed as a number and as a yellow bar graph.

Score

Compliance score. For more information, see “Viewing the score breakdown” on page 337.

Rules by Results

Displays a pie chart showing the percentage distribution of rules that failed, passed or had errors.

Asset Count by Results

Displays a pie chart showing the percentage distribution of assets that are in compliance, out of compliance, and not tested.


Out of Compliance Assets by Asset Criticality

Displays a pie chart showing the distribution of out of compliance assets by criticality. For information on criticality, see “Risk: prioritizing your business-critical machines” on page 27.

Assets Compliance Result

Lists the assets scanned with the selected assessment profile and the individual evaluation results for each asset.

Host Name

The host name of the asset.

IP Address

The IP address of the asset.


Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

Score

The compliance score. Select to view the Asset Compliance Detail page for the asset (see “Viewing the score breakdown” on page 337).

Modified Score

Modified compliance score. For details, see “Viewing the score breakdown” on page 337.

Status

Current completion status of the scan:
• Pending Dispatch: The scan job is scheduled.
• In Progress: Scanning is in progress.
• Completed: Scan job is complete.
• Error: Scan job failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or benchmark issues.
• Expired: Scan job did not complete within two days. (This may happen if some of the assets were disconnected from the FortiScan appliance during the scan period.)

Viewing FISMA reports

Federal Information Security Management Act (FISMA) reports show the benchmark rules applied during the compliance scan, whether each rule passed or failed, the resulting score, and the CCE ID and OVAL definition for each rule.

FISMA reports are generated only for compliance scans that used Federal Desktop Core Configuration (FDCC) benchmarks.

To view the FISMA report for a compliance scan:
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Agent Scan > Audit Scan > Assessment Evaluation.
3. In the Job Name column, select the name of the compliance scan you want to view. The Job Summary page for the job appears.
4. Select FISMA Detailed. The Select Assets page appears in a pop-up window.


Figure 158:Select assets page

5. Mark the check box of one or more assets that you want to include in the FISMA report, up to a maximum of 100 assets.
6. Select Next. The FISMA Detailed Report page appears.

Figure 159: FISMA detailed report


The following information is displayed:

FISMA Detailed Report

Title

A navigation tree of benchmark rules organized by asset, system class, group, control, and rules. If you fully expand a part of the tree to view its individual rules, scan results for each rule appear in the Result column.

Result

The result of the test during the scan, either:
• Pass: The asset passed the associated benchmark rule’s test.
• Fail: The asset failed the associated benchmark rule’s test.
This column is empty until you expand the benchmark rule tree in Title to reveal individual rules.

Score

The score for each system class, group and control.

CCE ID

The NVD database CCE identifier for the rule. This column is empty until you expand the benchmark rule tree in Title to reveal individual rules.

OVAL ID

The OVAL definition for the rule. Select to view the OVAL Details page (see “Viewing an OVAL definition’s details” on page 316). This column is empty until you expand the benchmark rule tree in Title to reveal individual rules.

Export to XML

Select to download the report as an XML file.

Viewing rule violations

The Compliance Deviations page displays the details of all of an asset’s rule violations (deviations) that were discovered by a compliance scan.

To view a list of rule violations (deviations):
1. From Current ADOM, select an ADOM that is not Global.
2. Go to Agent Scan > Audit Scan > Assessment Evaluation.
3. In the Job Name column, select the name of the compliance scan whose results you want to view. The Job Summary page appears.
4. Select View Deviations. The Select Assets page appears in a pop-up window.
5. Mark the check box of one or more assets that you want to include in the report, up to a maximum of 100 assets.
6. Select Next. The Compliance Deviations page appears.


Figure 160:Compliance deviations page

The following information is displayed:

Benchmark Summary

Job Name

The name of the compliance scan.

Job Comment

The comment, if any, about the compliance scan.

Name

The name of the benchmark used during the compliance scan.

Title

The title of the benchmark used during the compliance scan.

File Name

The XML file name of the benchmark.

Version

The version number of the benchmark.

Status

The publishing status of the benchmark, such as whether or not the benchmark was final or a draft.

Date Imported

The date and time the benchmark file was uploaded to the FortiScan appliance (see “Uploading benchmarks” on page 309).

Assessment Time

The date and time that the asset’s FortiScan agent ran the compliance scan.

Assessed By

The name of the administrator account that initiated the scan.

Target Facts


Host Name

The host name of the asset, if any.

IP Address

The IP address of the asset.

OS Type

The operating system (OS) family that is running on the asset.

OS Version

The version of the OS that is running on the asset.


Assessment Profile Name

The name of the assessment profile used by the compliance scan.

Assessment Profile Title

The title of the assessment profile used by the compliance scan.

Original Score

The compliance assessment score, not considering waivers. For information on waiving inappropriate or inaccurate test results, see “Waiving and correcting test results” on page 344.

Modified Score

The compliance assessment score, considering waivers, if any. For information on waiving inappropriate or inaccurate test results, see “Waiving and correcting test results” on page 344.

Reported Deviations (n)

The details about and number of tests that an asset failed, where “n” is the number of deviations from rules in the benchmark that was used during the scan.

Rule Name

The name of the benchmark rule that the asset does not follow.

Description

The description of the benchmark rule that the asset does not follow.

References

The standards and regulations that apply to the rule, if any.

Result

The result of the test for the asset’s compliance with the benchmark rule: PASS or FAIL.

Authorization

The name of the administrator account that configured the waiver, if any. For information on waiving inappropriate or inaccurate test results, see “Waiving and correcting test results” on page 344.

Date Authorized

The date the waiver, if any, was configured.

Mitigating Factors

The comment from the waiver, if any.

Viewing the score breakdown

In order to analyze why an asset received its specific score, you can view a breakdown that lists each benchmark test in the compliance scan that the asset failed. If you determine that a test was irrelevant to or inappropriate for the asset (for example, if the benchmark rule requires that sendmail not be installed, but the asset is a mail server that requires sendmail), you can waive that rule and recalculate the asset’s score. For details, see “Waiving and correcting test results” on page 344.

To view a score breakdown:
1. From Current ADOM, select the name of an ADOM that is not Global. Scan results are specific to an ADOM, and as a result, the menu in the next step is not available at the global level.
2. Go to Agent Scan > Audit Scan > Assessment Evaluation, then in the Job Name column, select the name of the compliance scan. The Job Summary page appears.
3. In the Profile column, select the name of a benchmark. The Task Detail page appears.


4. In Score or Modified Score, select the number of the score that you want to investigate. The Asset Compliance Detail page appears.

At the top of the page, you can select links to view the asset’s history of compliance, vulnerability, remediation, and system configuration. For details, see:
• “Asset history” on page 210
• “Asset compliance history” on page 211
• “Asset vulnerability history” on page 214
• “Asset remediation history” on page 215

Below the links, sections explain the score and list which tests were failed, passed, resulted in errors, or were overridden. For details on each section, see:
• “Asset summary section” on page 338
• “Compliance assessment section” on page 340
• “Modified compliance assessment section” on page 341
• “Failing rules section” on page 342
• “Overridden failing rules section” on page 342
• “Untested (error) rules section” on page 343
• “Overridden error rules section” on page 344

Asset summary section

The Asset Summary section of the Asset Compliance Detail page displays basic information about the asset, such as its operating system (OS) and IP address.

Figure 161: Asset summary section of the asset detail page

The following information is displayed:

Asset Summary


Host Name

The host name of the asset, if any.

IP Address

The IP address of the asset.

Agent Version

The version of FortiScan agent installed on the asset.

Standard Survey Interval (min.)

The time interval between each standard survey. See “Configuring the ADOM’s connections from FortiScan agents” on page 105.


Detail Survey Interval (min.)

The time interval between each detailed survey. See “Configuring the ADOM’s connections from FortiScan agents” on page 105.

Status

The protection and connectivity status of the asset: Protected, Registered, Disconnected, Unprotected, or Retired. Assets whose Agent Scan Status is not Protected will not participate when you schedule FortiScan agent-based scans. For details, see “Agent scan status” on page 26.

Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

Confidence

The confidence level that the data on this asset is correct, based upon its collection method:
• High: Data was collected by a FortiScan agent survey (see “Agent-based surveys” on page 24).
• Medium: Data was manually edited.
• Low: Data was collected by an asset discovery scan (see “Discovering your Network’s Hosts” on page 109). This is the default. Because some data required for accurate fingerprinting cannot be detected without authenticating and examining the host’s hardware and software, this type of data may not be as reliable.
Confidence levels help to identify false positives in vulnerability assessments.

Remediation Strategy

The type of remediation strategy:
• Approval: Remediation requires manual administrator approval and dispatch in order to be applied to an asset.
• Automatic: Remediation is automatically dispatched to an asset when non-compliance is detected during a scan.

Boot Time

The date and time that the asset was last started.

Operating System & BIOS


OS Type

The operating system (OS) family that is running on the asset.

OS Version

The version of the OS running on the asset.

BIOS Vendor

The vendor of the basic input output system (BIOS).

BIOS Version

The version of the BIOS.


Compliance assessment section

The Compliance Assessment section of the Asset Compliance Detail page (Agent Scan > Audit Scan > Assessment Evaluation) displays a summary of the score details, showing the number of tests that an asset failed, passed, or resulted in errors. It also provides links that enable you to waive rules for this asset, view a list of non-compliances (deviations), or export an FDCC XML file.

Executable rules are those that are automatically run by a script and do not require FortiScan administrator input. Question rules are those that require you to answer questions in a form on the Web-based Manager.

Compliance Assessment against the Profile

Shows scoring details showing which rules failed, passed, or resulted in errors for the selected asset.

Deviation/Waiver Adjustment

Select to override specific scan rules for the selected asset; see “Waiving and correcting test results” on page 344.

View Deviations

Select to view deviations from the standard scan rules for the selected asset; see “Viewing rule violations” on page 335.

Export FDCC Report

Select to export an FDCC XML file.

Total Rules

The total number of rules applied to the asset during the compliance scan.

Total Executable Rules (A)

The total number of tests executed by running a script during the compliance scan. Executable rules are those that are automatically run by a script and do not require administrator input.

Passed Rules (A.1)

The number of executable rules that were successfully passed by the asset.

Failing Rules (A.2)

The number of executable rules that were failed by the asset.

Error Rules (A.3)

The number of executable rules that did not complete due to errors.

UnChecked Rules (A.4)

The number of executable rules that were not checked for the asset.

Total Question Rules (B)

The total number of question rules applied to the asset during the compliance scan. Question rules are those that require administrator answers to survey questions.

Passed Questions (B.1)

The number of question rules that were successfully passed for the asset.

Failing Questions (B.2)

The number of question rules that were failed for the asset.

UnAnswered Questions (B.3)

The number of question rules that were not answered for the asset.

Total Non Error Rules (T)

The sum total of executable rules and question rules, excluding those rules that resulted in an error.


Total Passed Rules (P)

The sum total of passed executable rules and passed question rules.

Score

The compliance score.

Modified compliance assessment section

The Modified Compliance Assessment section of the Asset Compliance Detail page (Agent Scan > Audit Scan > Assessment Evaluation) displays a summary of the modified score details that result after waiving one or more rules. It shows the number of rules that failed, passed, or resulted in errors for the selected asset, after waivers were applied. It also enables you to export an XCCDF XML file.

Executable rules are those that are automatically run by a script and do not require FortiScan administrator input. Question rules are those that require you to answer questions in a form on the Web-based Manager.

Modified Compliance Assessment against the Profile

Shows modified scoring details showing which rules failed, passed or resulted in errors for the selected asset.

Export to XCCDF

Select to export an XCCDF XML file.

Total Rules

The total number of rules applied to the asset during the compliance scan, after overrides and waivers.

Total Executable Rules (A)

The total number of executable rules applied to the asset during the compliance scan, after overrides and waivers.

Passed Rules (A.1)

The number of executable rules that were successfully passed by the asset, after overrides and waivers.

Failing Rules (A.2)

The number of executable rules that were failed by the asset, after overrides and waivers.

Error Rules (A.3)

The number of executable rules that did not complete due to errors, after overrides and waivers.

UnChecked Rules (A.4)

The number of executable rules that were not checked for the asset, after overrides and waivers.

Total Question Rules (B)

The total number of question rules applied to the asset during the compliance scan.

Passed Questions (B.1)

The number of question rules that were successfully passed for the asset, after overrides and waivers.

Failing Questions (B.2)

The number of question rules that were failed for the asset, after overrides and waivers.

UnAnswered Questions (B.3)

The number of question rules that were not answered for the asset, after overrides and waivers.

Total Non Error Rules (T)

The sum total of executable rules and question rules, after overrides and waivers, excluding those rules that resulted in an error.


Total Passed Rules (P)

The sum total of passed executable rules and passed question rules, after overrides and waivers.

Score

The modified score, after configuring waivers, if any (see “Waiving and correcting test results” on page 344).

Failing rules section

The Failing Rules section of the Asset Compliance Detail page lists the tests that an asset failed during the compliance scan.

Figure 162: Failing rules section of the asset compliance detail page

The following information is displayed:

Rule ID

The rule identifier.

Title

The rule’s title. Hover your mouse over the title to view the rule’s description.

OVAL ID

The OVAL definition identifier for the rule. Select to view the OVAL definition pseudo code and other details; see “Viewing an OVAL definition’s details” on page 316.

CCE ID

The Common Configuration Enumeration (CCE) identifier for the rule, if applicable.

Reason

The reason the rule failed.

Overridden failing rules section The Overridden Failing Rules section of the Asset Compliance Detail page lists the failed tests that were waived in order to recalculate the score based solely upon tests that are relevant to that specific asset. For more information on waiving tests, see “Waiving and correcting test results” on page 344.


Figure 163:Overriding failing rules section of the asset compliance detail page

The following information is displayed:

Rule ID

The rule identifier.

Title

The descriptive title for a rule.

OVAL ID

The OVAL definition identifier for the rule. Select to view the OVAL definition pseudo code and other details; see “Viewing an OVAL definition’s details” on page 316.

CCE ID

The Common Configuration Enumeration (CCE) identifier for the rule, if applicable.

Remarks

The reason for the override.

Untested (error) rules section

The Untested (Error) Rules section of the Asset Compliance Detail page lists the tests in the compliance scan that failed to complete due to errors.

Agent Scan > Audit Scan > Assessment Evaluation (Untested (Error) Rules section of the Asset Compliance Detail page)

Rule ID

The rule identifier.

Title

The descriptive title for a rule.

OVAL ID

The OVAL definition identifier for the rule. Select to view the OVAL definition pseudo code and other details; see “Viewing an OVAL definition’s details” on page 316.

CCE ID

The Common Configuration Enumeration (CCE) identifier for the rule, if applicable.

Reason

The reason for the error.


Overridden error rules section

The Overridden Error Rules section of the Asset Compliance Detail page lists the tests that failed to complete due to errors, and were also waived for the asset. For more information on waiving tests, see “Waiving and correcting test results” on page 344.

Agent Scan > Audit Scan > Assessment Evaluation (Overridden Error Rules section of the Asset Compliance Detail page)

Rule ID

The rule identifier.

Title

The descriptive title for a rule.

OVAL ID

The OVAL definition identifier for the rule. Select to view the OVAL definition pseudo code and other details; see “Viewing an OVAL definition’s details” on page 316.

CCE ID

The Common Configuration Enumeration (CCE) identifier for the rule, if applicable.

Remarks

The reason for the override.

Waiving and correcting test results You can waive or correct the results of a failed test or test error, if necessary, in order to improve the meaningfulness of a compliance scan’s score for a specific asset. For example, if a benchmark rule is a general recommendation that does not apply to that particular asset, you can waive the test for compliance with that rule, and the score will be recalculated, omitting that test. As another example, if a rule requires you to verify that a particular network configuration is appropriate for the duties of the person using the asset, then after confirming that the configuration is appropriate, you can override the test result to remove it from the list of tests that the asset failed.

Waivers do not persist for the next compliance scan. Configure them separately for each compliance scan.

To waive a failed test or test error for an asset:
1. Open the Asset Compliance Detail page (see “Viewing the score breakdown” on page 337).
2. In the Compliance Assessment section for the benchmark whose compliance scan test results you want to correct, select the Deviation/Waiver Adjustment link. The Asset Compliance Detail - Edit results dialog appears.


Figure 164:Assessment evaluation (edit results dialog)

The following information is displayed:

Failing Rules Override

Enable to waive the test failure.

Rule ID

The rule identifier. Hover your mouse over the rule ID to view the title description of the rule whose test the asset failed.

CCE ID

The CCE identifier for the rule. Hover your mouse over the CCE ID to view the CCE description of the rule whose test the asset failed.

Mitigating Factors/Remarks

Type in the reasons or other remarks for waiving the test results for this asset.

Untested (Error) Rules Override

Enable to waive the uncompleted test.

Rule ID

The rule identifier. Hover your mouse over the rule ID to view the title description of the rule whose test the asset did not complete.

CCE ID

The CCE identifier for the rule. Hover your mouse over the CCE ID to view the CCE description of the rule whose test the asset did not complete.

Mitigating Factors/Remarks

Type in the reasons or other remarks for waiving the test results for this asset.

3. For each test whose results you want to waive, mark the Override check box for the associated rule, then in the Mitigating Factors/Remarks field, type the reason for waiving the test result.


4. Select OK. Overridden test results are moved to the Overridden Failing Rules section or Overridden Error Rules section of the Asset Compliance Detail page (see “Overridden failing rules section” on page 342 or “Overridden error rules section” on page 344). Recalculated compliance scores, after adjusting the scores for overridden test results, are displayed in the Modified Compliance Assessment section of the Asset Compliance Detail page (see “Modified compliance assessment section” on page 341).

Viewing compliance rule violations

The Failing Rules Summary Report table provides details on which benchmark rules were violated (deviations) by an asset group during a compliance scan (audit).

To view an asset group’s compliance violations:

1. From Current ADOM, select the name of an ADOM that is not Global.

2. Go to Agent Scan > Security Posture > Security Posture.

3. In the asset selection tree, select the asset group whose compliance violations you want to view.

4. Select the Compliance Posture tab. The compliance posture appears in the content pane.

5. In the First 10 out of Compliance Assets for Group {} table, select the Extended View link. The Failing Rules Summary Report appears in a pop-up window.

Figure 165: Out of compliance assets

The following information is displayed:

Failing Rules Summary Report

Displays a list of all the rules that were failed for an asset group during a compliance scan.

Generation Time

The date and time the report was generated.

Generated By

The name of the administrator account which generated the report.

All Asset Group Summary

Summarizes the compliance statistics across all assets in the selected group.

Evaluated Assets

The total number of assets in the group that were tested for compliance with the rule.


In Compliance Assets

The total number of assets in the group found to be in compliance with the rule.

Out of Compliance Assets

The total number of assets in the group found to be out of compliance with the rule.

Not Tested Assets

The total number of assets in the group that were not tested for the rule.

Total Assets

The total number of assets in the asset group.

Total Failing Rules - n

Displays all the rules that were failed during the compliance scan. The number “n” shows the total number of rules that were failed. For each failed rule the following information is provided:

(Rule Title)

The title description of the rule that was failed.

(CCE Identifier)

The Common Configuration Enumeration (CCE) identifier for the issue that caused the selected rule to fail. For more information, visit: http://cce.mitre.org.

Description

The detailed description of the rule.

Asset Count

The number of assets in the group that failed the rule.

References

The following reference information is provided:
• DOD standards that apply to this rule
• FISMA Controls that apply to this rule
• GAO standards that apply to this rule
• ISO standards that apply to this rule
• NIST standards that apply to this rule
• NSA standards that apply to this rule

Host Name

The host name of the asset that failed the rule.

IP Address

The IP address of the asset that failed the rule.

OS Type

The OS type of the asset that failed the rule.

OS Version

The OS version of the asset that failed the rule.

Achieving real-time compliance via policies

Large enterprises can find it difficult, expensive, and time-consuming to manually enforce and maintain both the compliance required by law and their own IT policies on each of thousands of individual hosts. In the interval between scans or manual examinations, hosts may also lapse into non-compliant states without your knowledge. Via policies, FortiScan can drastically accelerate your:
• response time on corrective actions (CARs)
• compliance audits
• application of IT best practices


For example, you could create policies to prevent specific software from running on thousands of hosts, to disable a compromised user account, or to detect and delete a malware file.

Each policy has one or more match conditions that govern the FortiScan appliance’s behavior.

1. When an asset submits its FortiScan agent survey, the appliance searches the survey data for items that match policy conditions.

2. If a match is found (i.e. a policy violation has been found), an alert is generated. The alert contains information about the available remediation actions. You can view these alerts in:
• Events & Tickets > Alert Events > Policy Alert (see “Handling policy alerts” on page 376)
• Vulnerability Alerts by Severity chart located on Agent Scan > Vulnerability Scan > Scan Home

3. Depending on your configuration, the appliance either:
• Automatically queues a command for the FortiScan agent to perform a remediation. This command to perform a remediation action is retrieved by the agent during its next survey interval, when the agent connects to the appliance.
• Waits for you to dispatch the remediation manually.

The predefined policy group named Sample Policy contains several policies which you can use as templates for creating new policies. For example, you can use the policy named Sample - Authorized Software to create a new policy in order to collect data for the Authorized Software Policy Summary chart on Agent Scan > Summary > Compliance Summary. For details, see “Allowing only authorized software” on page 360.

The best method for applying a policy varies by the number and homogeneity of the assets. To apply policies, go to either:
• Agent Scan > Policies > Policies: More flexible and most effective for applying or removing policies for a wide range of mixed assets located in diverse asset groups. Use “Applying policies to a combination of assets” on page 361.
• Asset > Inventory > Asset Inventory: Most effective when you want to apply or remove policies for either a specific asset, an asset group, or a small number of asset groups.

Do not use policies for emergency policy enforcements or corrective actions, such as when you have detected an active network security breach. A policy cannot be enforced unless the FortiScan agent on each asset is already running and has submitted a detailed survey to the FortiScan appliance. Additionally, if you apply a policy to an asset whose Agent Scan Status is Disconnected, the remediation status will be shown as Pending until the asset connects again and returns to Protected status. As a result, if an attacker has already managed to compromise a host and disable the agent, corrective measures via the agent will fail. For details on statuses, see “Agent scan status” on page 26.


Figure 166: Agent scan policies (policy selection tree, toolbar and content pane)

The following information is displayed:

New Group

Select to create a new policy group.

Create New

Select to create a new policy (see “Configuring compliance policies” on page 353).

Delete

Mark the check boxes of each policy that you want to remove from all assets that use it and from the FortiScan appliance’s list of policies, then select Delete. Tip: Alternatively, you can remove a policy from all assets without removing it from the list of policies. See Remove or “To remove a policy through the asset inventory:” on page 352.

Move

Mark the check boxes of the policies that you want to move, then select Move.

Copy

Mark the check boxes of the policies that you want to copy, then select Copy.

Apply

Mark the check boxes of the policies that you want to apply to an asset or asset group, then select Apply (see “Applying policies to a combination of assets” on page 361).

Remove

Mark the check boxes of the policies that you want to remove from an asset or asset group, then select Remove. Tip: Alternatively, you can remove the policy from the FortiScan appliance’s list of policies in addition to any assets that use it. See Delete.


Name

The name of the policy or policy group.

Policy Group

The name of the policy or policy group’s parent.


Remediation Strategy

The type of remediation strategy used by the policy:
• Approval: Remediation requires FortiScan administrator approval before it will be retrieved and applied by an asset.
• Automatic: Remediation is automatically retrieved by each asset’s agent and applied.

Is Group

Whether the row is a policy or a policy group:
• Y: Policy group.
• N: Policy.

View Assets

Select to view the list of assets to which this policy has been applied.

Delete

Select to delete the policy or policy group from both the FortiScan appliance’s list of policies and any assets which use it.

Move

Select to move the policy or policy group to a different parent.

Edit

Select to modify the policy in this row. Alternatively, see “To edit a policy:” on page 350.

Rename

Select to rename the policy or policy group in this row.

Copy

Select to create a new policy or policy group by copying the policy or policy group in this row (see “Configuring compliance policies” on page 353).

Apply Policy

Select to apply the policy or policy group in this row to a specific set of assets (see “Applying policies to a combination of assets” on page 361).

Remove Policy

Select to remove the policy or policy group in this row from a set of specific assets. The policy itself, however, will remain in the list of policies.

To edit a policy:

1. In the policy selection tree on the left, select an individual policy. The Edit Policy dialog appears in the content pane. (If you instead see the list of policies and policy groups contained within a group, you have selected a group instead of an individual policy.)

2. Modify and save the policy. The policy change will be applied when FortiScan agents next connect.

To apply a policy to an individual asset through the asset inventory:

1. From Current ADOM, select an ADOM that is not Global.

2. Go to Asset > Inventory > Asset Inventory.

3. Select a host’s Open Asset to View Detail icon. In the asset editor pane, several tabs appear.

4. Select the Configuration tab.


Figure 167: Configuration tab

5. In the Applied Policies section, select Apply. The Apply Policy - Select Policies dialog appears in the editor pane.

Figure 168: Apply policy page

6. Expand the Policies tree and mark the check box of each policy you want to apply.

7. Select Next. The Confirm Policy Application dialog appears.

8. Verify the list of selected policies shown in the Policies field. If incorrect, select Back to change your selection. Otherwise, select Finish. The selected policies are applied to the asset.


To apply a policy to a group through the asset inventory:

1. From Current ADOM, select an ADOM that is not Global.

2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).

3. In the asset navigation tree, select the group that contains the asset to which you want to apply a policy. The contents of the selected asset group appear in the asset inventory pane.

4. In the asset inventory pane, in the row for the asset, select the Apply Policy icon. The Apply Policy - Select Policies dialog appears in the editor pane.

Figure 169: Apply policy page

5. Expand the Policies tree and mark the check box of each policy you want to apply.

6. Select Next. The Confirm Policy Application dialog appears.

7. Verify the list of selected policies shown in the Policies field. If incorrect, select Back to change your selection. Otherwise, select Finish. The selected policies are applied to the assets in the group.

To remove a policy through the asset inventory:

1. From Current ADOM, select an ADOM that is not Global.

2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).

3. In the asset navigation tree, select the group that contains the asset from which you want to remove a policy. The contents of the selected asset group appear in the asset inventory pane.

4. In the asset inventory pane, in the row for the asset, select the Remove Policy icon. Alternatively, mark the check box of each asset from which you want to remove a policy that is common to those assets, then on the toolbar, select Remove. The Remove Policy - Select Policies dialog appears in the editor pane.


Figure 170: Remove policy page

5. Select the policies that you want to remove. To remove multiple policies, hold down the Shift key while you select each policy name.

6. Select Next. A confirmation dialog appears.

7. Verify the list of selected policies shown in the Policies field. If incorrect, select Back to change your selection. Otherwise, select Finish. The policies are only removed for the asset you selected (i.e., policies are not deleted from the system overall). Policies remain in effect for any other assets to which you have applied them.

Configuring compliance policies

You can create a new policy either from scratch or by copying one of the predefined policies in the Sample Policies group to use as a template.

To configure a policy:

1. From Current ADOM, select the name of an ADOM that is not Global.

2. Go to Agent Scan > Policies > Policies.

3. On the toolbar, select New. Alternatively, to create a policy using one of the predefined policies in the Sample Policies group as a template, mark its check box, then select Copy. The Copy Policy/Policy Group dialog appears. Select the new policy’s parent policy group, then select OK. The copy appears in the policy selection tree. Select the copy to modify it.


Figure 171: Copy policy/policy group dialog

In the Copy Policy/Policy Group dialog, you cannot add the copy to the same parent policy group as the original policy, nor change its name. After the copy has been created, you can move or rename it.

Figure 172: Add policy window


4. Configure the following settings:

Name

Enter the policy name.

Description

Optional. Enter a detailed description of the policy. This description is used as the body text of the e-mail messages generated by FortiScan appliance e-mail alert feature. If you plan to enable the e-mail alert feature, make this description as complete and informative as possible for the person reading the alert email. For example, you might enter, “Detects the presence of prohibited process regedit.exe, kills regedit.exe by name, and returns a new process list.”

Remediation Strategy

Select whether or not remediations require approval, either:
• Automatic: Automatically apply remediations to an asset when the policy conditions are matched. This is the default.
• Approval: Require manual administrator approval on Events & Logs > Alert Events > Policy Alert to apply remediations to an asset when the policy conditions are matched.

Tip: If you want a policy to be carried out manually on some assets and automatically on others, create two similar policies: one with the Remediation Strategy set to Approval and the other with the Remediation Strategy set to Automatic.

Policy Group

Mark the check box of the policy group in which you will create the new policy. This option appears only when creating a new policy from scratch. It does not appear when modifying an existing policy, including any copied policy.

5. In the Conditions area, select Add Condition and configure one or more conditions to define when the policy generates an alert. For details, see “Adding conditions to a compliance policy” on page 356.

6. In the Actions area, select Add Action or Add Template to add remediation actions to the policy. For details, see “Adding remediation actions to a compliance policy” on page 358.

7. To enable email notification, configure these settings:

Enable Email Notification

Mark the check box to enable email notification for this policy.

Mail Server

Select the mail server you want to use or select Create New to configure a new mail server. For details, see “To add settings for connecting to an SMTP server:” on page 91.

From

Enter the sender (MAIL FROM:) email address.

To

Enter the recipient (RCPT TO:) email address.

Comment

Optional. Enter any comment to be included in the email body.

Email when policy is violated

Enable to send an email when the policy is violated.


8. Select OK. The policy appears in the content pane. To continue by applying the policy, see “Achieving real-time compliance via policies” on page 347.

Adding conditions to a compliance policy

A condition defines an attribute value or range with which asset survey data is compared when enforcing a policy. Predefined general conditions are included with the FortiScan appliance; when creating a policy, the administrator chooses a general condition and then specifies a unique value or range for the condition. Conditions fall into the following three categories:
• Range: The asset survey attribute lies inside or outside of a specified range.
• List compare: The asset survey attribute matches a value contained in a list of one or more names.
• Change: The asset survey attribute changes from its current value.

Conditions are available to examine each of the asset attributes collected during a FortiScan agent survey. The FortiScan appliance contains a set of predefined conditions created to help you detect and remediate violations of your enterprise security policies. These conditions are highly flexible, and enable you to monitor asset hardware, software, users and groups, and the presence or absence of patches and files, as well as many other items. Conditions are provided to test each of the data items returned by the asset surveys.

The conditions you add to a policy determine when the policy generates an alert and triggers remediation actions if automatic remediation is enabled. An alert is triggered when the conditions it contains are true. You can add several conditions to a single policy. Each condition is linked to the others in the policy with a logical AND operator. Therefore, all conditions in the policy must be true to generate an alert.

When a policy condition contains several values, such as a list of processes or users, the logical test performed on the values depends on the Operation List setting you select. Generally, the Operation List functions as a logical OR operator. For example, suppose you add a Processes condition to a policy to monitor the presence of a process on an asset, and define Process1.exe and Process2.exe as the values for this condition:
• If you set the Operation List parameter to List includes, the condition will be true if either process is found on the asset. If both processes are missing from the asset, the condition will be returned as false.
• If you set the Operation List parameter to List excludes, the condition will be true if either process is missing on the asset. If both processes are detected on the asset, the condition will be returned as false.

To add a condition to a policy:

1. From Current ADOM, select the name of an ADOM that is not Global.

2. Go to Agent Scan > Policies > Policies.

3. Do one of the following:
• If the policy does not yet exist, create it as described in “Configuring compliance policies” on page 353.
• To add conditions to an existing policy, in the policy group selection tree, select the policy you want to work with.


4. In the Conditions area, select Add Condition. The Add Condition dialog appears.

Figure 173: Add condition

5. In the Attribute List field, select the asset attribute you want the policy to monitor from the list. The list contains asset attributes that are monitored in the asset survey process. For example, if you want to monitor which processes are running on an asset, select Processes. For a complete list of available condition attributes and their parameters, see “Appendix F: Policy Conditions” on page 560.

6. In the Operation List field, select the condition you want to use to test the selected asset attribute and enter the appropriate parameters in the Value field. Depending on the attribute type and operation you select, additional fields may appear to enable you to configure specific value ranges. If you select Installed Applications in the Attribute List field, the Value field contains a Paste button that you can use to paste a list of installed applications copied from the asset detail page in the Asset Inventory submenu. If the logical operation you selected in Operation List is Asset Attribute Changes or Asset Attribute Remains Constant, the Value field does not appear. All other logical operations require administrator-defined parameters (for example, a value range or the name of a process) and the Value field appears.

7. Select OK. The Add Policy or Edit Policy dialog reappears and the newly created condition appears in the Conditions area.

8. To add more conditions to the policy, repeat steps 4 through 7.

9. If the policy contains two or more conditions and you want to change the order in which they are evaluated, select the condition you want to move and select the Move Up or Move Down arrow icons to move it to the correct position in the sequence. Conditions are evaluated in the order in which they appear in the Conditions list, starting from the top of the list. For better performance, place conditions that are most commonly matched and fastest to evaluate at the top of the list.

10. If you want to add or modify remediation actions, see “Adding remediation actions to a compliance policy” on page 358.

11. Select OK.
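The condition semantics described in this section (conditions joined by AND and evaluated top to bottom; list values acting as OR under List includes and List excludes; the Changes and Remains Constant operations that take no Value) and the alert and remediation flow described under “Achieving real-time compliance via policies” (Automatic versus Approval strategy, Pending remediation for a Disconnected agent), modelled in Python as an added example. This is not FortiScan code: the attribute names, Operation List entries, survey layout, action names and remediation states are assumptions chosen to mirror the guide’s wording, and the sample surveys are constructed, not captured from a real agent.

```python
# Added example, not FortiScan code: a model of the policy evaluation the guide
# describes. Attribute names, Operation List entries, survey layout, action
# names and remediation states are assumptions, not the appliance's data model.
from dataclasses import dataclass, field
from typing import Any, Optional


@dataclass
class Condition:
    attribute: str     # asset survey attribute, e.g. "Processes"
    operation: str     # Operation List entry, e.g. "List includes"
    value: Any = None  # list of names, or (low, high); None for change checks


@dataclass
class Policy:
    name: str
    conditions: list                             # evaluated top to bottom, joined by AND
    actions: list = field(default_factory=list)  # remediation actions, run in list order
    strategy: str = "Automatic"                  # "Automatic" or "Approval"


def eval_condition(cond: Condition, survey: dict, previous: dict) -> bool:
    """Evaluate one condition against the current survey; change checks also
    look at the previous survey."""
    current = survey.get(cond.attribute)
    if current is None:
        return False  # attribute not reported in this survey: no match
    op = cond.operation
    if op == "List includes":
        # The listed values act as a logical OR: true if any of them is present.
        return any(v in current for v in cond.value)
    if op == "List excludes":
        # Also OR-like: true if any listed value is missing from the asset.
        return any(v not in current for v in cond.value)
    if op == "In range":
        low, high = cond.value
        return low <= current <= high
    if op == "Out of range":
        low, high = cond.value
        return not (low <= current <= high)
    if op == "Asset Attribute Changes":
        return previous.get(cond.attribute) != current
    if op == "Asset Attribute Remains Constant":
        return previous.get(cond.attribute) == current
    raise ValueError(f"unknown operation: {op!r}")


def evaluate_policy(policy: Policy, survey: dict, previous: dict) -> bool:
    """All conditions are ANDed and checked in list order; all() stops at the
    first false condition, which is why cheap, commonly matched checks go first."""
    return all(eval_condition(c, survey, previous) for c in policy.conditions)


def handle_survey(policy: Policy, survey: dict, previous: dict,
                  agent_status: str = "Protected") -> Optional[dict]:
    """Return the alert the appliance would raise for this survey, or None."""
    if not evaluate_policy(policy, survey, previous):
        return None
    if policy.strategy == "Approval":
        remediation = "Awaiting approval"  # administrator approves on the Policy Alert page
    elif agent_status == "Disconnected":
        remediation = "Pending"            # queued command waits until the agent reconnects
    else:
        remediation = "Queued"             # agent retrieves the command at its next survey
    return {"policy": policy.name, "remediation": remediation,
            "actions": list(policy.actions)}


# Constructed sample surveys (not captured from a real agent).
PREVIOUS_SURVEY = {"Processes": ["explorer.exe", "svchost.exe"],
                   "Local Users": ["alice"], "Free Disk MB": 40000}
CURRENT_SURVEY = {"Processes": ["explorer.exe", "svchost.exe", "Process1.exe"],
                  "Local Users": ["alice", "bob"], "Free Disk MB": 1200}
PROCESS_LIST = ["Process1.exe", "Process2.exe"]

# The guide's two-process example, once with List includes and once with List excludes.
INCLUDES_POLICY = Policy("Prohibited process running",
                         [Condition("Processes", "List includes", PROCESS_LIST)],
                         actions=["Kill process by name", "Return process list"])
EXCLUDES_POLICY = Policy("Required process missing",
                         [Condition("Processes", "List excludes", PROCESS_LIST)],
                         actions=["Start service"], strategy="Approval")

# Two conditions joined by AND; the fast range check is placed first.
COMBINED_POLICY = Policy("New local user on a host with low disk space",
                         [Condition("Free Disk MB", "Out of range", (5000, 10**9)),
                          Condition("Local Users", "Asset Attribute Changes")],
                         actions=["Disable user account"])

if __name__ == "__main__":
    for policy in (INCLUDES_POLICY, EXCLUDES_POLICY, COMBINED_POLICY):
        print(policy.name, "->", handle_survey(policy, CURRENT_SURVEY, PREVIOUS_SURVEY))
```

Running the block shows the asymmetry the text describes: with only Process1.exe running, both the List includes policy and the List excludes policy match (one process is present, the other is missing), and only when both processes are present does List excludes become false. The combined policy shows why condition order matters: the cheap range check runs first and, when it is false, the change check is never evaluated.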


Adding remediation actions to a compliance policy

An action is the basic building block used to create a remediation template. Each action defines a single procedure that can be carried out on an asset (for example, install a patch, delete a user account, edit the registry, or reboot). An action cannot be directly applied to an asset; it must first be contained in a remediation template (either alone or with other remediation actions) or a policy. Complex remediations can be developed by combining actions in a remediation template.

You can add remediation actions to a policy by:
• Copying the contents of one or more remediation templates available in the Remediation > Templates > Remediation Template page.
• Selecting from the available remediation actions included in the FortiScan appliance.

When you add remediation actions to a policy, all of the actions will be performed if the policy conditions are matched.

To use a remediation template to add remediation actions to a policy:

1. From Current ADOM, select the name of an ADOM that is not Global.

2. Go to Agent Scan > Policies > Policies.

3. Do one of the following:
• If the policy does not yet exist, create it as described in “Configuring compliance policies” on page 353.
• To add actions to an existing policy, in the policy group selection tree, select the policy you want to work with.

4. In the Remediations area, select the Add Template button. The Add Template dialog appears, displaying a list of all remediation templates available on the system.

Figure 174: Add template dialog box

5. From the list, mark the check box for the template that contains the remediation actions you want to add to the policy. You may select more than one template. To view the contents of a remediation template, go to Remediation > Template > Remediation Template and open the template for editing. If there is no template for the remediation actions you want, you can create one. For more information, see “Defining remediation templates” on page 403.


6. Select Add to copy the actions contained in the template to the policy. The Add Template dialog closes. The Add Policy or Edit Policy dialog reappears. The remediation actions from the selected template appear in the Actions list. The actions contained in the remediation template are copied into the policy. The remediation template remains available for use with other policies.

7. To add more actions from templates, repeat steps 4 through 6.

8. To add FortiScan appliance remediation actions to the list, see “To add remediation actions to a policy:” on page 359.

9. If you want to remove or edit a remediation action you have just copied from the template, in the Actions list, select the Edit or Delete icons for the action you want to change.

10. Remediation actions are executed in the order in which they appear in the Actions list. If the policy contains two or more remediation actions and you want to change their order, select the remediation action you want to move and select the Move Up or Move Down arrow icons.

11. Select OK.

To add remediation actions to a policy:

1. From Current ADOM, select the name of an ADOM that is not Global.

2. Go to Agent Scan > Policies > Policies.

3. Do one of the following:
• If the policy does not yet exist, create it as described in “Configuring compliance policies” on page 353.
• To add actions to an existing policy, in the policy group selection tree, select the policy you want to work with.

4. In the Remediations area, select the Add Action button. The Add Action dialog appears.

Figure 175: Add action dialog box

5. In the Action List field, select the action you want to add from the list. The Description field shows more information about the selected action. Depending on the action selected, additional parameter fields may appear below the Description field. Configure these fields with the settings you want to use. For more information about the available remediation actions and their required parameters, see “Appendix E: Remediation Actions” on page 549.

When policy conditions are matched, all remediation actions configured in the policy’s Action List field will be performed.

6. Select OK to add the action. The Add Action dialog closes and the Edit Policy or Add Policy dialog reappears. The added action and its configured parameters appear in the Actions list.

7. Repeat steps 5 and 6 for each action you want to add.

8. If you want to remove or edit an action you have just added to the Actions list, use the Edit or Delete icons for the action you want to change.

9. Remediation actions are executed in the order in which they appear in the Actions list. If you have two or more actions in the list and want to change their order, select the remediation action you want to move and use the Move Up or Move Down arrow icons to reposition it in the list.

10. To copy actions from a remediation template to the list, see “To use a remediation template to add remediation actions to a policy:” on page 358.

11. Select OK to save your changes to the policy.

When a policy remediation action requires a password argument, the policy remediation strategy should be set to Approval. The policy will generate an alert event in the Policy Alert list to prompt the administrator for a password before applying the remediation action. For more information, see “Manually remediating alert events” on page 383.

Allowing only authorized software

You can create a policy which will specify which software to allow on assets. After it is created, FortiScan will collect data on your assets’ installed services and applications, then generate authorized software policy summary charts for each OS platform that you have in your network.

Before creating an Authorized Software policy, you can search the asset inventory for specific unauthorized software. For details, see “Search for software or processes” on page 227.

To create an authorized software policy:

1. From Current ADOM, select the name of an ADOM that is not Global.

2. Go to Asset > Inventory > Asset Inventory.

3. In the asset selection tree, select View Filters > By OS Family then select the appropriate default OS group for the platform you want to work with, such as Windows. The list of assets in the selected default group appears in the asset group details list.

4. Select an asset that you know has a clean set of authorized software installed and select the Open Asset icon. The details for the selected asset appear in the asset editor pane.

5. Select the Installed Applications tab and select the Copy button to copy the list of installed applications to FortiScan’s memory.

6. Go to Agent Scan > Policies > Policies.

7. In the policy group selection tree, select the Sample Policy group. The list of sample policies appears in the content pane.

8. In the content pane, mark the check box of the Sample - Authorized Software policy, then select Copy and add the copy to the Policies parent group. The copy appears in the policy group selection tree as a node under the Policies parent group.

9. In the policy group selection tree, expand the Policies group and select the node for the newly created copy of the policy.

10. Change the name to “Authorized Software - ”, where is the platform type of the asset you selected in step 3. The name of the policy must begin specifically with these words: Authorized Software

For example, for Microsoft Windows Vista assets, you could create an authorized software policy named: Authorized Software - Windows Vista

11. Select the Edit icon for the Installed Applications condition. The Edit Condition dialog appears.

12. Clear the value field and then select the Paste button. The list of installed applications that you copied in step 5 appears in the Value field.

13. Select OK to save the revised condition. The condition list shows the list of applications in the Parameter column.

14. Select OK to save the changed policy.

15. Go to Asset > Inventory > Asset Inventory.

16. In the asset selection tree, select View Filters > By OS Family and select the appropriate default OS group for the platform you want to work with. The list of assets for the selected group appears in the asset group details list.

17. Apply the new policy to those assets with the applicable OS platform. For details, see “Achieving real-time compliance via policies” on page 347.

Authorized software policy compliance information will appear in the Agent Scan > Summary > Compliance Summary and Agent Scan > Security Posture > Security Posture pages when the assets send their next survey report.

Remember to copy the details of the asset with the appropriate OS platform and make sure you name the policy accordingly.

Applying policies to a combination of assets

Agent Scan > Policies > Policies enables you to apply one or more policies to any combination of assets and groups.

Alternatively, you can apply a policy using the asset inventory. The best method varies by the number and homogeneity of the assets to which you are applying the policy. For details, see “Achieving real-time compliance via policies” on page 347.

To apply a policy from the policies page:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > Policies > Policies.
3. In the policy selection tree, select the parent policy group node that contains the policy or policy group you want to apply. The list of policies and policy groups for the selected parent group appears in the content pane.
4. Do one of the following:
• To apply a single policy, select the Apply Policy icon for the policy you want to apply.
• To apply multiple policies, mark the check box for each policy you want to apply and then select the Apply button in the toolbar.
The Apply Policy - Select Assets dialog appears.

Figure 176: Add policy - select assets dialog box

5. Mark the check boxes for the assets where you want to apply the selected policy. You can filter the list as necessary to view only the assets that meet specific criteria. For more information, see “Filtering list entries” on page 45.
6. Select Next. The Confirm Policy Application dialog appears, listing the selected assets.

Figure 177: Confirm policy application dialog box

When you select an asset group, the policy is applied to all of the assets in the group that have a FortiScan agent installed.

7. Review your selections. If you want to change your selection, select Back and repeat step 6.
8. Select Finish to apply the specified policies to the selected assets.

Removing policies from assets

Compliance > Policies > Policies enables you to remove one or more policies from any combination of assets and groups.

To remove a policy:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > Policies > Policies.
3. In the policy selection tree, select the parent policy group that contains the policy or policy group you want to remove. The list of policies and policy groups for the selected parent group appears in the content pane.
4. Do one of the following:
• To remove a single policy, in its row, select the Remove Policy icon.
• To remove multiple policies, mark the check box for each policy you want to remove, then, on the toolbar, select the Remove button.
The Remove Policy - Select Assets dialog appears.

Figure 178: Remove policy - select assets dialog box

If you select several policies to be removed, the Remove Policy - Select Assets dialog lists only the assets which have all those policies applied.

5. Select the assets from which you want to remove the policy. To select multiple assets, hold down the Ctrl key while selecting each one, or, to select multiple assets in a continuous range, select the first one, then hold down the Shift key while selecting the last asset in the range.
6. Select Next.
7. Review your selections. If you want to change your selection, select Back and repeat step 5.
8. Select Finish.

Determining which assets are affected by a policy

Before removing a policy, you may want to determine which assets it affects.

To view the list of assets affected by a policy:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > Policies > Policies.
3. In the policy selection tree, select the parent policy group node that contains the policy or policy group you want to view. The list of policies and policy groups for the selected parent group appears in the content pane.
4. In the row of the policy whose governed assets you want to view, select the View Assets icon. The Assets dialog appears. The assets that this policy or policy group affects are shown in the list.

Figure 179: Assets dialog box

Grouping policies

You can group policies in order to organize them. Grouping policies also makes it easier to apply an entire set of related policies at once — you can apply policy groups to an asset or asset group.

To create a policy group:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > Policies > Policies.
3. In the policy group selection tree toolbar, select New Group. The Create Policy Group page appears.
4. In the Name field, type the name of the new policy group.
5. In the policy selection tree, select a parent node in which to create the new policy group. To create a top-level group, select the Policies group as the parent node.
6. Select OK. The new policy group appears in the policy selection tree under its parent group node.

To move a policy to a different policy group:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > Policies > Policies.
3. In the policy selection tree, select the parent policy group node which contains the policy you want to move. The content pane lists the policies contained in the group.
4. Do either of the following:
• To move multiple policies, mark the check box of each policy you want to move, then, on the toolbar, select Move.
• To move a single policy, in its row, select the Move icon.
The Move Policy/Policy Group dialog appears.
5. In the dialog’s policy selection tree, select the new parent group to which you want to move the policy or policies.
6. Select OK.

To move a policy group to a different parent:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > Policies > Policies.
3. In the policy selection tree, select the parent group node which contains the policy group you want to work with. The content pane lists the policy groups contained in the parent group.
4. Do either of the following:
• To move multiple policy groups, mark the check box of each policy group you want to move, then, on the toolbar, select Move.
• To move a single policy group, in its row, select the Move icon.
The Move Policy/Policy Group dialog appears.
5. In the dialog’s policy selection tree, select the new parent group to which you want to move the policy group or groups.

You cannot move a parent group into its child group.

6. Select OK.

To rename a policy group:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > Policies > Policies.
3. Expand the Policies tree and select the parent group node which contains the policy group you want to work with. The content pane lists the policy groups contained in the parent group.
4. In the content pane, select the Rename icon for the policy group you want to rename. The Rename Policy/Policy Group dialog appears.
5. In the Name field, enter the new name you want to use for the policy group.
6. Select OK. The new policy group name appears in the policy selection tree.

To delete a policy group:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Agent Scan > Policies > Policies.
3. Expand the Policies tree and select the parent group node which contains the policy group you want to work with. The content pane lists the policy groups contained in the parent group.
4. Do either of the following:
• To delete a single policy group, select the Delete icon in the row of the policy group you want to delete.
• To delete multiple policy groups, mark the check box of each policy group you want to delete and select Delete from the toolbar menu. To delete all the policy groups listed, mark the check box in the column heading.

A confirmation dialog appears.

Deleting a policy group will remove it from all assets to which it is applied.

5. Select OK.

Alerts

Alerts (also called “alert events”) are a notification that the FortiScan appliance has:
• Found a vulnerability on an asset
• Found a policy violation on a protected asset
• Dispatched a remediation template or an asset reset command to a protected asset
• Generated an error log

The Events & Tickets menu keeps you advised of the security profile of your network by generating and displaying events, logs, and remediation tickets. These can be monitored and managed by the FortiScan administrators, providing rapid and efficient response to network security issues.

Events & Tickets > Alert Events in ADOMs other than Global provides several pages that display the different types of security alerts detected by the FortiScan appliance. The list of alert events displayed on each page is essentially a real-time view of security risks in your enterprise, with status information on how they are being addressed. For policy alerts and matched vulnerability alerts, you can view the associated remediation actions, and, for manually remediated assets, you can schedule remediation actions. You can choose to accept the risk indicated in an alert as an alternative to remediating it. For more information, see “Remediating alert events” on page 382.

Alerts are displayed until you manually remove an alert from the list. You may want to do this if an alert has been successfully remediated, or if you know the alert is being addressed through means outside of the FortiScan appliance. For more information, see “Removing an alert” on page 389.

Alerts can also be automatically forwarded by e-mail. For more information, see “Alert notifications via e-mail” on page 390.

Event types

FortiScan appliances generate three kinds of events:
• Alert: Occurs each time a policy condition is violated, or when a vulnerability scan or patch scan discovers an asset vulnerability. An alert event also occurs when a remediation is dispatched.
• Error: Occurs when a recognized error condition occurs.
• Scheduler: Occurs when a scheduled task is completed.

Event statuses

Each event is labeled with its current status.
• Pending: The alert event is not associated with any remediation, or the task is not yet in progress. This may be because:
  • an asset is enabled for manual remediation.
  • more than one remediation has been matched to the associated vulnerability, but they have not yet all been dispatched to the asset.
  • the FortiScan appliance is in the process of beginning the remediation or task.
• Pending Dispatch: The remediation or task has been scheduled by an administrator for future execution.
• In Progress: The remediation or task has been dispatched to the asset and is either being executed or waiting to be executed at the asset.

Resetting the asset will clear the currently active task. Tasks already dispatched to the asset but not yet executed will continue to execute after the reset is complete. See “Resetting a FortiScan agent” on page 494.

• Resolved: The remediation or task has successfully completed.
• Resolved, Reboot needed: The remediation or task has successfully completed, and the asset needs a reboot to apply the changes.
• Failed Asset: The remediation or task could not be completed by the FortiScan agent.
• Failed System: The FortiScan appliance has a system-level error.
• Risk Accepted: The vulnerability or policy violation named in the alert has been reviewed and marked by the administrator as an acceptable risk; no remediation action is applied.
• Resolved Externally: The vulnerability or policy violation is being addressed through means external to the FortiScan appliance.

Event contents

Events can indicate several courses of action to the administrator. To assist in determining what kind of actions may be required by an alert event, the following values are presented in the Contents column of each alert list:
• None: The alert event contains no remediation.
• Exec: The alert event contains one or more executable remediations that can be carried out by the FortiScan appliance (for example, a remediation, a policy action, or an administrator-defined remediation template).
• Text: The alert contains one or more text-only remediations that describe how to resolve the vulnerability manually.
• Mixed: The alert contains one or more text remediations and one or more executable remediations.

Exec, Text, and Mixed alert events containing two or more remediations indicate the number of contained remediations in parentheses; for example, Exec (2). Mixed alert events show the number of executable remediations and text remediations; for example, Mixed (2/1).

Importing events from third party sources

If you have already detected vulnerabilities using a third-party device or software such as Nessus or QualysGuard, you can import them into your FortiScan appliance for comprehensive reporting and ticketing. Go to Events & Tickets > Vulnerability Import > Import 3rd-Party Vulnerability.

Figure 180: Importing third party vulnerabilities page

Viewing alert events

Alert events are categorized in the submenu by type:
• Vulnerability Alert: A list of all vulnerability alerts and their current status. You can investigate, acknowledge, and dispatch remediations and create tickets for any listed vulnerability alert from this page. For more information, see “Handling vulnerability alerts” on page 371.
• Policy Alert: A list of all policy alerts and their current status. You can investigate, acknowledge, and dispatch remediations and create tickets for any listed policy alert from this page. For more information, see “Handling policy alerts” on page 376.
• Dispatched Reme Template: A status summary of all dispatched remediation templates. You can view alert details for any listed remediation template from this page. For more information, see “Handling dispatched remediations” on page 380.
• Risk-Accepted Vulnerability: A list of all risk-accepted vulnerabilities. Once a vulnerability is set to be an accepted risk, it is marked as Risk Accepted in the scan reports of all future vulnerability/PCI scans, and it is excluded from consideration when determining whether a PCI scan has passed or failed. When selecting Accept, you can apply this action to the ADOM for all future alerts.

Both Events & Tickets > Alert Events > Vulnerability Alert and Events & Tickets > Alert Events > Policy Alert provide an asset selection tree. If you expand the asset selection tree to display the hosts that it contains, icons beside each asset show its protection status. For details, see Table 2, “Asset protection statuses and icons,” on page 26.

Figure 181: Asset selection tree (status icons)

Alert events are filtered according to what you select from the asset selection tree.

For example, if you select the View Filters > Protected asset group, the content pane will display only events pertaining to assets within the Protected assets group. To see all alerts, select the All Assets group. By default, alerts are displayed chronologically according to the detection timestamp, with the oldest alert at the top. You can sort the list manually by selecting a column heading. When you sort a column, a green triangle appears in the column heading to indicate the sorting column and sorting order.

You can only sort some columns. If you hover over a column heading and the cursor changes to a hand icon, the column is sortable.

New alerts are added to the list as they are detected. The number of alerts displayed can quickly grow to a significant number, slowing performance and hampering alert management. You can filter the lists to show a subset of the available alerts (by status, or within the last 24 hours, for example). For more information about how to configure list filters, see “Filtering list entries” on page 45.

To view alert events:
1. Go to Events & Tickets > Alert Events. The Alert Events submenu appears; see Figure on page 371.
2. Select the page that corresponds to the type of alert event you want to view (vulnerability alert, policy alert, or dispatched remediation template alert).
3. For vulnerability or policy alerts, use the asset selection tree to select the asset group or asset you want to view. If you want to see alerts for all assets, select All Assets. The content pane displays the alerts for assets within the selected asset groups. For Dispatched Reme Templates alerts, alerts for all assets are displayed. The maximum number of assets you can select in the asset selection tree is currently limited to 1000.

The list automatically refreshes to show new alerts as they are detected. To manually refresh the alert list, select the same assets or asset group from the asset selection tree.

Modifying alert event page display settings

Both the Vulnerability Alert page and the Policy Alert page display a large amount of information about an alert event. You can use the Column Display Settings icon to show, hide, or re-order columns so that only the relevant categories of information are displayed, in the order you prefer. For more information, see “Displaying and arranging columns” on page 44.

Handling vulnerability alerts

Events & Tickets > Alert Events > Vulnerability Alert displays vulnerability alerts. The FortiScan appliance generates an alert for each detected vulnerability. When a remediation is matched to a vulnerability on a protected asset (that is, an asset with a FortiScan agent running on it), the alert contains detailed information about the available remediation. Alerts are also generated for unprotected assets after scanned vulnerabilities are imported from a network vulnerability scan report on the Network Scan > Vulnerability Scan > Report submenu. These alerts are informative only and cannot be remediated.

Figure 182: Vulnerability alert page

The following information is displayed:

Toolbar
• Delete: Mark the check boxes of alerts that you want to remove, then select Delete.
• Remedify: Mark the check boxes of vulnerabilities that you want to remediate, then select Remedify. Note: To remediate vulnerabilities on multiple pages in the list, remediate each page’s worth separately. Check box selections are cleared when you page forward or backward.
• Accept: Accept risk for an alert. The alert status changes to Risk Accepted. When selecting Accept, you can apply this action to the ADOM for all future alerts.
• Mark: Mark the alert as resolved externally. The alert status changes to “Resolved Externally.”
• Pending: Cancel a “Risk Accepted” or “Resolved Externally” status and remediate the alert.
• Ticket: Mark the check box of an alert for which you want to create a ticket, then select Ticket. See “Tickets” on page 392. Tip: Alternatively or in addition, you can automatically generate and assign tickets each time a vulnerability is detected. For details, see “Configuring ticket policies” on page 392.
• Column Display Settings: Select to rearrange, hide, or display columns. For more information, see “Displaying and arranging columns” on page 44.

Alert Information
• Alert: OVAL identifier for the vulnerability. Select the filter icon to filter the data by OVAL identifier; see “Filtering list entries” on page 45.
• Content: The alert content. For more information, see “Event contents” on page 369.
• Status: The alert event status. For more information, see “Event statuses” on page 369. Select the filter icon to filter the data by event status; see “Filtering list entries” on page 45.
• Host Name: The host name of the asset.
• IP Address: The IP address of the asset.
• Criticality: The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.
• Severity: Severity of the vulnerability, based on the CVSS score:
  • Low: CVSS score is 0.0 to 3.9
  • Medium: CVSS score is 4.0 to 6.9
  • High: CVSS score is 7.0 to 10.0
  For details, see “Severity” on page 29.
• Alert Name: The descriptive name of the alert.
• Remediation strategy: The type of remediation strategy. Currently, only the Approval strategy, which requires administrator approval before a remediation is applied to an asset, is supported for vulnerability alerts.
• Operating System: The asset’s operating system platform.
• Detected: The date and time the vulnerability was detected. Select the filter icon to filter the data by date and time; see “Filtering list entries” on page 45.
• Reason/Comment: The administrator’s reason or comment when accepting risk or marking a vulnerability as externally resolved.
• CVE ID: The CVE Identifier of the vulnerability.
• IPS Signature: The name of the FortiGuard IPS signature for this vulnerability.
• CVSS Score: The Common Vulnerability Scoring System (CVSS) score for the vulnerability.
• Action: Select the view alert detail icon to view more information about the alert (see “Viewing vulnerability alert details” on page 374).

Viewing vulnerability alert details

To view details about a vulnerability alert:
1. Go to Events & Tickets > Alert Events > Vulnerability Alert.
2. From the asset selection tree, select the asset group or asset you want to view. The content pane displays the alerts for assets within the selected asset groups.
3. Select the view alert detail icon in the row for the vulnerability alert you want to view. The details of the selected alert appear in a popup window. The popup window has three tabs. The Details tab is frontmost and visible by default.

Figure 183: Details tab

The following information is displayed:
• Details: Displays detailed information about the vulnerability alert.
• Vulnerability detected at: The date and time the vulnerability was detected.
• Violation name: The name of the vulnerability alert.
• Description: The detailed description of the alert.

4. To view the vulnerability details, select the Vulnerability tab.

Figure 184: Vulnerability tab

The following information is displayed:
• Description: A detailed description of the vulnerability.
• Observation: Administrator observations, if any, about this vulnerability.
• CVE ID: The CVE Identifier of the vulnerability.
• Vulnerability Scan: Information about the vulnerability scan that raised the alert.
• Source: The OVAL definition identifier for the scan rule that was violated.
• Scan Completed: The date and time the vulnerability scan was completed.
• Scan Imported: The date and time the vulnerability scan data was imported.
• Recommendation: Administrator recommendations, if any, for addressing this vulnerability.

5. To view the remediation details, select the Remediations tab.

Figure 185: Remediation tab (View Remediation Detail icon)

The following information is displayed:
• Remediation ID: The Fortinet remediation identifier.
• Name: The descriptive name of the remediation.
• Invasiveness: The invasiveness of the vulnerability.
• Import Date: The date and time the remediation was imported.
• Action: Select the View Remediation Detail icon to view more details about the remediation; see “Viewing remediation details” on page 402.

Handling policy alerts

Policy alerts are listed on Events & Tickets > Alert Events > Policy Alerts.

Figure 186: Policy alerts page

The following information is displayed:

Toolbar
• Delete: Mark the check box of one or more alerts that you want to remove, then select Delete.
• Remedify: Mark the check box of an alert for which you want to schedule a remediation, then select Remedify.
• Accept: Mark the check box of one or more alerts whose associated risk you want to acknowledge and accept, then select Accept. The Status changes to Risk Accepted.
• Mark: Mark the check box of one or more alerts which were resolved externally, then select Mark.
• Pending: Mark the check box of one or more alerts whose risk acknowledgement or external resolution you want to cancel, then select Pending. The Status of Risk Accepted or Resolved Externally resets to Pending.
• Ticket: Mark the check box of an alert for which you want to create a ticket, then select Ticket. See “Tickets” on page 392. Tip: Alternatively or in addition, you can automatically generate and assign tickets each time a vulnerability is detected. For details, see “Configuring ticket policies” on page 392.
• Column Display Settings: Select to rearrange, hide, or display columns. For more information, see “Displaying and arranging columns” on page 44.

Alert Information
• Alert: The alert identifier.
• Content: The alert content. For more information, see “Event contents” on page 369.
• Status: The alert event status. For more information, see “Event statuses” on page 369. Select the filter icon to filter the data by event status; see “Filtering list entries” on page 45.
• Host Name: The host name of the asset with the vulnerability.
• IP Address: The IP address of the asset with the vulnerability. Select the filter icon to filter the data by IP address; see “Filtering list entries” on page 45.
• Criticality: The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.
• Alert Name: The descriptive name of the alert.
• Remediation Strategy: The type of remediation strategy:
  • Approval: Remediation requires administrator approval before being applied to an asset.
  • Automatic: Remediation is automatically applied to an asset.
• Operating System: The asset’s operating system platform.
• Detected: The date and time the vulnerability was detected. Select the filter icon to filter the data by date and time; see “Filtering list entries” on page 45.
• Reason/Comment: The administrator’s reason or comment when accepting risk or marking a policy violation as externally resolved.

Action
• view event detail: Select to view more information about the alert (see “Viewing policy alert details” on page 378).
• Ticket: Select to create a ticket from the event (see “Tickets” on page 392).

Viewing policy alert details

To view detailed information about a policy alert:
1. Go to Events & Tickets > Alert Events > Policy Alert.
2. From the asset selection tree, select the asset group or asset you want to view. The content pane displays the alerts for assets within the selected asset groups.
3. Select the view event detail icon in the row for the policy alert you want to view. The details of the selected alert appear in a popup window. The popup window has two tabs. The Details tab is frontmost and visible by default.

Figure 187: Details tab

The following information is displayed:
• Alert Details: Displays detailed information about the policy alert.
• Policy violation detected at: The date and time the policy violation was detected.
• Violation Name: The name of the policy alert.
• Description & Result: The detailed description of the policy and its result.

4. To view the policy details, select the Policy tab.

Figure 188: Policy tab

The following information is displayed:

General Information: Lists general information about the policy alert.
• Name: The name of the policy.
• Description: The detailed description of the policy.

Conditions: Lists the conditions which were met to produce the alert.
• Condition: The name of the condition.
• Operation: The operator used with the condition.
• Parameter: The value used with the condition and operator.

Actions
• Action: The type of remediation action performed by the policy, if any; for a list of available remediation actions, see “Appendix E: Remediation Actions” on page 549.
• Parameter: The parameters used with the action.

Handling dispatched remediations

Dispatched remediation templates are listed on Events & Tickets > Alert Events > Dispatched Reme Templates.

Figure 189: Dispatched reme templates

The following information is displayed:
• Delete: Delete one or more selected alerts.
• Alert: Type of alert.
• Content: The alert content. For more information, see “Event contents” on page 369.
• Status: The alert event status. For more information, see “Event statuses” on page 369. Select the filter icon to filter the data by event status; see “Filtering list entries” on page 45.
• Host Name: The host name of the asset being remediated.
• IP Address: The IP address of the asset being remediated. Select the filter icon to filter the data by IP address; see “Filtering list entries” on page 45.
• Criticality: The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.
• Alert Name: The descriptive name of the alert.
• Remediation strategy: The type of remediation strategy:
  • Approval: Remediation template requires administrator approval before being applied to an asset.
  • Automatic: Remediation template was automatically applied to an asset.
• Operating System: The asset’s operating system platform.
• Detected: The date and time the remediation template was dispatched. Select the filter icon to filter the data by date and time; see “Filtering list entries” on page 45.
• Action: Select the view alert detail icon to view more information about the alert; see “Viewing dispatched remediation alert details” on page 381.

Viewing dispatched remediation alert details

To view detailed information about a dispatched remediation template alert:
1. Go to Events & Tickets > Alert Events > Dispatched Reme Templates. The Dispatched Remediation Templates page appears.
2. Select the view event detail icon in the row for the dispatched remediation template alert you want to view. The Dispatched Remediation Details popup window appears. The Details tab is frontmost and visible by default.

Figure 190: Details tab

The following information is displayed:
• Dispatched Remediation Details: Displays detailed information about the dispatched remediation.
• Remediation dispatched at: The date and time the remediation was dispatched.
• Alert name: The name of the remediation alert.
• Description: The detailed description of the alert.

3. Select the Remediation tab. The Remediation Template Details appear.

Figure 191: Remediation page

The following information is displayed:
• Remediation Template Detail: Displays detailed information about the dispatched remediation template.
• Name: The name of the remediation template.
• Description: The detailed description of the remediation, including any installation notes.
• Effects: Additional information about the effects of the remediation, if available.
• Remediation Actions: Lists the remediation actions applied by the template and the values of the associated arguments, if applicable.

Remediating alert events

When remediation actions are associated with a policy or a vulnerability alert event, the remediation can be applied manually with administrator approval, or automatically:
• For vulnerability alerts, remediations are applied only with administrator approval.
• For policy alerts, the behavior depends on the remediation strategy defined in the policy (by default, policies are enabled for manual remediation).

Remediation dispatch is only supported for assets where the FortiScan agent is installed. To remediate unprotected assets, do the suggested remediation manually.

When a policy is enabled for automatic remediation, you do not have to take any action to remediate the alert. If the policy is not enabled for automatic remediation, you must manually execute the remediation.


The remediation strategy for vulnerability and policy alerts (automatic or manual) is labeled in the Remediation Strategy column in their respective alert list pages. For information on configuring a policy’s remediation strategy, see “Configuring compliance policies” on page 353.

Manually remediating alert events

Alert events can be remediated by creating a remediation schedule. This lets you select exactly which alerts are to be remediated. You can also choose to suppress reboots when you apply the selected remediations, and later apply the reboots manually or as a scheduled task.

The Remedify option is unavailable (greyed out) if the content attribute of any of the selected alerts is Text or None, or if the alert status of any of the selected alerts is Resolved, Risk Accepted, Pending Dispatch or In Progress.

To manually schedule remediation of an alert event:
1. Go to Events & Tickets > Alert Events.
2. Select the page that corresponds to the type of alert event you want to remediate.
3. For vulnerability or policy alerts, use the asset selection tree to select the asset group or asset you want to view. The content pane displays the alerts for assets within the selected asset group.
4. Mark the check box for each vulnerability or policy alert event you want to remediate. To view the details of an alert, select the view event detail icon to the right of the alert record.
5. From the toolbar at the top of the page, select Remedify. The schedule remediation dialog appears.

Figure 192: Schedule remediation

The following information is displayed:
• Total Assets: The total number of assets affected by the selected alerts.
• Vulnerabilities: The total number of vulnerabilities listed in the selected alerts.
• Remediations: The total number of remediations available for the selected alert events.
• Asset: Lists the IP address of each asset identified in the selected alert events.
• Vulnerability: Lists the vulnerabilities, grouped by asset, in the selected alert events.
• Remediation: Lists the remediations available, grouped by vulnerability, in the selected alert events.
• Dispatch: Mark the check box for each remediation you want to apply. You can apply only one remediation per vulnerability.
• Type: Lists the type of remediation and any reboot requirement.
• Suppress reboot for all assets: Mark the check box to suppress reboots for all assets affected by the selected remediations.

6. Select a remediation for each vulnerability you want to remediate. Only one remediation can be selected for a vulnerability. The header portion of the initial dialog shows how many assets are currently selected, the total number of vulnerabilities, and the total number of available remediations.
7. If you want to reboot the affected assets at a later time, mark the Suppress reboot for all assets check box at the bottom of the page. If the remediation contains a reboot, the reboot will be suppressed. If the remediation does not contain a reboot, this option is ignored.
8. Select Next. The Order of Remediation Dispatch dialog appears.

Figure 193: Order of remediation dispatch


The following information is displayed:

Assets being remediated (n): Shows the number of assets being remediated and lists their identification details.
• Host Name: The asset’s host name.
• IP Address: The asset’s IP address. Select to configure the remediation dispatch order for the selected asset.

Remediations (n) will be dispatched in the following order: Lists the remediations selected to be dispatched for the selected asset.
• Remediation Name: The name of a selected remediation. Select a remediation and use the Top, Up, Down or Bottom buttons to change its dispatch order.
• Type: The type of remediation.

Vulnerabilities (n) will be dispatched in the following order: Lists the vulnerabilities that can be remediated using the remediation selected in the table of remediations above.
• Vulnerability Name: The name of a selected vulnerability.
• Event Status: The status of the alert event.

9. For each asset:
• Select the asset that you want to remediate. The list of remediations for the selected asset appears in the remediation dispatch order table.
• Use the Top, Up, Down and Bottom buttons to the right of the table to change the dispatch order of the remediations. To remove a remediation, select the Remove button.
10. If you want to dispatch the remediation immediately, select Finish. The dialog closes and the FortiScan appliance dispatches the remediation to the selected assets.
11. If you want to schedule the remediation to be dispatched at a later date or time, select Next. The Schedule Details dialog appears.

Figure 194: Schedule details page

12. From the Schedule Type list (the available scheduling options for dispatching the selected remediations), select one of the following options:
• Immediate: Select to dispatch the selected remediations immediately.
• Once: Select to dispatch the selected remediations at a specified date and time in the future. In the Starting At field that appears, configure the date and time when you want to dispatch the remediation.

The scheduled time must be at least 15 minutes in the future relative to the FortiScan appliance time. A scheduled time less than 15 minutes in the future will yield an error.

13. Select Finish to dispatch the remediations as scheduled. A scheduled remediation task is created and appears on the Events & Tickets > Scheduler > Scheduler Task page; see “Scheduled tasks and events” on page 463. When a remediation is scheduled, the alert event status changes to Pending Dispatch. When the remediation begins, the status changes to In Progress. The status changes to Resolved when the remediation is complete, or to Failed Asset if a problem occurs.

If you are sorting or filtering the list by event status, when the display refreshes, the change in status may cause the selected alert to be relocated to a different page in the display, or hidden depending on your filtering criteria.

Automatically remediating an alert

Vulnerability alerts are remediated only with administrator approval; only policy alerts can be remediated automatically. When automatic remediation is configured, the alert appears in the Policy Alerts list with an event status of In Progress, indicating that the alert is currently being remediated. You cannot make any modifications to an alert whose event status is In Progress. Depending on network conditions and the length of the remediation, an automatic remediation may complete before the alert appears in the Policy Alerts list; in that case it appears with a status of Resolved. If an automatic remediation fails, the alert remains in the Policy Alerts list with a status of Failed Asset. You must manually remove the alert to clear it from the list; for more information, see “Removing an alert” on page 389.

To automatically remediate a policy alert, the policy’s Remediation Strategy must be Automatic (see “Configuring compliance policies” on page 353).


Accepting risk for an alert

In some instances, you may decide that a vulnerability or policy alert should not be remediated at this time. For example, the alert may indicate a configuration-based vulnerability that you know is actually required by the operational role of the asset, such as “A Nessus daemon is running.” on your management computer. In these situations, you can change the alert status to Risk Accepted. This indicates that you have reviewed the contents of the alert and are willing to accept the risk associated with it, and dismisses the alert.

To accept risk for an alert:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Events & Tickets > Alert Events. The Alert Events submenu appears; see Figure on page 371.
3. Select the page that corresponds to the type of alert event you want to work with.
4. For vulnerability or policy alerts, use the asset selection tree to select the asset group or asset you want to view. The content pane displays the alerts for assets within the selected asset group.
5. For each alert you want to accept, do the following:
• Select the View Event Detail icon and review the contents of the alert.

Read and understand the contents of each alert before you accept risk for it. Dismissing a serious risk could allow attackers to compromise your assets.

• If appropriate, mark the check box of the alert that you want to accept. You can select multiple alerts for risk acceptance by marking their check boxes.
6. On the toolbar, select Accept. The Reason/Comment dialog appears.
7. Enter a comment for future reference and select OK. The alert status changes to Risk Accepted.

The Accept Risk toolbar item is only enabled for alerts whose event status is Pending, Failed Asset or Failed System. If you are sorting or filtering the list by event status, when the display refreshes, the change in status may cause the selected alert to be relocated to a different page in the display, or hidden depending on your filtering criteria.


Marking a vulnerability or policy alert as externally resolved

In some instances, an administrator may decide to resolve a vulnerability or policy alert in other ways. For example, the alert might be a configuration-based vulnerability, such as “A Nessus daemon is running.” The asset’s system administrator can fix the alert by stopping the daemon process on the asset manually. In these situations, the FortiScan administrator can change the alert status to Resolved Externally. This indicates that the administrator has reviewed the contents of the alert and verified with the asset’s system administrator that an external resolution of the alert has been performed.

To mark an alert as externally resolved:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Events & Tickets > Alert Events. The Alert Events submenu appears; see Figure on page 371.
3. Select the page that corresponds to the type of alert event you want to work with.
4. Use the asset selection tree to select the asset group or asset you want to view. The content pane displays the alerts for assets within the selected asset group.
5. For each alert you want to mark as externally resolved, do the following:
• Select the View Event Detail icon and review the contents of the alert.

Read and understand the contents of each alert before you mark it as externally resolved, and confirm with the asset’s system administrator that the external fix has actually been applied. Dismissing a serious risk could allow attackers to compromise your assets.

• If appropriate, mark the check box of the alert that you want to mark. You can select multiple alerts for external resolution by marking their check boxes.
6. On the toolbar, select Mark.
7. Enter a comment for future reference and select OK. The alert status changes to Resolved Externally.

The Mark toolbar item is only enabled for alerts whose event status is Pending, Failed Asset or Failed System. If you are sorting or filtering the list by event status, when the display refreshes, the change in status may cause the selected alert to be relocated to a different page in the display, or hidden depending on your filtering criteria.

Canceling risk acceptance or external resolution for an alert

If you have previously marked a vulnerability alert or policy alert as Risk Accepted or Resolved Externally, you may later want to cancel that status and remediate the alert. You can do this on the Vulnerability Alert or Policy Alert page, using the Pending toolbar item.

When you cancel risk acceptance or external resolution for a policy alert that contains a single executable remediation and a remediation strategy of Automatic, the remediation in the policy alert will immediately be applied.


To cancel the risk accepted or resolved externally status for an alert:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Events & Tickets > Alert Events. The Alert Events submenu appears; see Figure on page 371.
3. Select the page that corresponds to the type of alert event you want to work with.
4. Use the asset selection tree to select the asset group or asset you want to view. The content pane displays the alerts for assets within the selected asset group.
5. Mark the check box of each alert for which you want to cancel risk acceptance or external resolution.
6. On the toolbar, select Pending. The alert status changes to Pending or In Progress, depending on the remediation strategy of the alert.

If you are sorting or filtering the list by event status, when the display refreshes, the change in status may cause the selected alert to be relocated to a different page in the display, or become hidden depending on your filtering criteria.
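The status rules spread across “Manually remediating alert events”, “Accepting risk for an alert”, “Marking a vulnerability or policy alert as externally resolved” and “Canceling risk acceptance or external resolution for an alert” interact: which toolbar items are enabled depends on the current event status, one remediation may be selected per vulnerability, reboot suppression only applies when the remediation contains a reboot, a Once schedule must be at least 15 minutes ahead of the appliance clock, and cancelling an accepted policy alert with an Automatic strategy re-applies the remediation immediately. The following is an added example, not FortiScan code, that encodes those documented rules so an operator or an integration script can check a planned action before performing it in the Web-based Manager. The class, function names and the constructed sample alerts are assumptions made for this example.

```python
"""Executable model of the alert-event rules documented in this chapter.

Added example, not FortiScan product code. Class/function names and the
sample alerts are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Event statuses named in this chapter.
PENDING, PENDING_DISPATCH, IN_PROGRESS = "Pending", "Pending Dispatch", "In Progress"
RESOLVED, RESOLVED_EXTERNALLY, RISK_ACCEPTED = "Resolved", "Resolved Externally", "Risk Accepted"
FAILED_ASSET, FAILED_SYSTEM = "Failed Asset", "Failed System"

# Remedify is greyed out if any selected alert has content Text or None, or a
# status of Resolved, Risk Accepted, Pending Dispatch or In Progress.
REMEDIFY_BLOCKED = {RESOLVED, RISK_ACCEPTED, PENDING_DISPATCH, IN_PROGRESS}
# Accept (risk) and Mark (resolved externally) are enabled only for these.
ACCEPT_OR_MARK_ALLOWED = {PENDING, FAILED_ASSET, FAILED_SYSTEM}


@dataclass
class Alert:
    name: str
    content: str                # remediation content attribute: Config, Patch, Text or None
    status: str = PENDING
    strategy: str = "Manual"    # policy Remediation Strategy: Manual or Automatic
    agent_installed: bool = True
    comments: list = field(default_factory=list)


def remedify_enabled(selected):
    """True when the Remedify toolbar item would be enabled for this selection."""
    return bool(selected) and all(
        a.content not in ("Text", "None") and a.status not in REMEDIFY_BLOCKED
        for a in selected
    )


def _set_status_with_comment(alert, new_status, comment):
    if alert.status not in ACCEPT_OR_MARK_ALLOWED:
        raise ValueError(f"{alert.name}: toolbar item disabled in status {alert.status}")
    if not comment.strip():
        raise ValueError("Reason/Comment dialog requires a comment")
    alert.comments.append(comment)
    alert.status = new_status
    return alert.status


def accept_risk(alert, comment):
    """Accept toolbar item: Pending/Failed Asset/Failed System -> Risk Accepted."""
    return _set_status_with_comment(alert, RISK_ACCEPTED, comment)


def mark_resolved_externally(alert, comment):
    """Mark toolbar item: Pending/Failed Asset/Failed System -> Resolved Externally."""
    return _set_status_with_comment(alert, RESOLVED_EXTERNALLY, comment)


def cancel_to_pending(alert, executable_remediations=1):
    """Pending toolbar item. A policy alert with strategy Automatic and a single
    executable remediation is re-applied immediately, so it goes to In Progress."""
    if alert.status not in (RISK_ACCEPTED, RESOLVED_EXTERNALLY):
        raise ValueError(f"{alert.name}: Pending only applies to Risk Accepted/Resolved Externally")
    auto = alert.strategy == "Automatic" and executable_remediations == 1
    alert.status = IN_PROGRESS if auto else PENDING
    return alert.status


def build_dispatch_plan(selections, suppress_reboot=False):
    """selections: list of (alert, vulnerability_id, remediation_name, contains_reboot).
    Enforces agent presence and one remediation per vulnerability; returns the
    plan as a dict keyed by vulnerability id."""
    plan = {}
    for alert, vuln_id, remediation, contains_reboot in selections:
        if not alert.agent_installed:
            raise ValueError(f"{alert.name}: no FortiScan agent, remediate manually")
        if vuln_id in plan:
            raise ValueError(f"{vuln_id}: only one remediation per vulnerability")
        # Suppression only matters when the remediation actually contains a reboot.
        plan[vuln_id] = {"remediation": remediation,
                         "reboot": contains_reboot and not suppress_reboot}
    return plan


def schedule_once_ok(start_at, appliance_now):
    """Once schedules must be at least 15 minutes ahead of the appliance clock."""
    return start_at - appliance_now >= timedelta(minutes=15)


def dispatch(alert, succeeded=True, scheduled=False):
    """Status path after Finish: (Pending Dispatch ->) In Progress -> Resolved or Failed Asset."""
    path = [PENDING_DISPATCH] if scheduled else []
    path += [IN_PROGRESS, RESOLVED if succeeded else FAILED_ASSET]
    alert.status = path[-1]
    return path
```

The model deliberately refuses the same things the Web-based Manager greys out, so a script that drives the UI fails before it clicks rather than after; the comment requirement mirrors the Reason/Comment dialog, which is the audit trail for every accepted risk.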

Removing an alert

After vulnerability or policy alerts are resolved, you will most likely want to remove them from the alert list to keep the list a manageable size.

Alert information is stored in FortiScan appliance database. Even if you remove an alert from event pages, the information that caused the alert is retained, and can be reviewed by generating a report. For more information on reports, see “Reports” on page 476.

To remove an alert event:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Events & Tickets > Alert Events. The Alert Events submenu appears; see Figure on page 371.
3. Select the page that corresponds to the type of alert event you want to work with.
4. For vulnerability or policy alerts, use the asset selection tree to select the asset group or asset you want to view. The content pane displays the alerts for assets within the selected asset group.
5. Locate and mark the check box for each alert you want to remove. You can select multiple alerts for removal by marking their check boxes. To remove all the alerts in the currently displayed list, mark the check box in the column heading.
6. To view the details of an alert, select the View Event Detail icon for the selected alert record.

You do not have to open an alert to remove it.

7. In the toolbar, select Delete. A delete confirmation dialog appears.
8. Select OK. The selected alert or alerts are removed from the alert list.


Alert notifications via e-mail

E-mail notifications can be sent to a single administrator when a policy violation triggers or completes, or when a remediation completes execution. Remediations can be executed manually or as a result of a policy violation. Sending an e-mail gives the recipient a real-time indication that a policy is executing or a remediation is being applied.
• Configuring e-mail alerts for policy violations
• Enabling e-mail alerts for remediations

E-mail notifications can produce a large volume of e-mail traffic, depending on asset conditions, the number of assets monitored, and the policy or remediation criteria. Remediation e-mail notifications are only sent upon completion of the remediation. A remediation that requires human intervention, for example, will not be recorded as complete until the human intervention is finished; only then does the FortiScan appliance send the e-mail notification. These settings can be modified only by administrators whose Role is Administrator.

Configuring e-mail alerts for policy violations

Once the FortiScan appliance has been configured to enable e-mail notifications, you can configure policies to trigger an alert e-mail when the policy conditions are violated or when the policy actions are complete. For details, see “Configuring compliance policies” on page 353.

Enabling e-mail alerts for remediations

Once the FortiScan appliance has been configured for e-mail notifications, you can enable e-mail notification alerts to be sent from remediations.

To configure e-mail notification for a remediation:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Remediation > Template > Remediation Template.
3. Select the Edit icon for the template which you want to enable for e-mail notification. The Remediation Template Edit dialog appears.
4. In the Email Notification area, configure the following settings:

• Email notification enabled: Mark the check box to enable e-mail notification for this remediation.
• Mail Server: Select the SMTP server you want to use or select Create New to configure a new mail server. For more information, see “To add settings for connecting to an SMTP server:” on page 91.
• Email notification from: Enter the sender e-mail address.
• Email notification to: Enter the recipient e-mail address.
• Comment: Enter a comment.


5. Select OK to save your changes. Each execution of the remediation will send an email notification to the named recipient, containing the information in the Comment field.


Tickets

You may have many vulnerable assets, especially during the initial phase of a compliance project when you are bringing many assets into compliance. If other administrators are working with you to apply remediations to assets, you may want to use tickets rather than simply viewing alerts. Tickets track which remediations have already been dispatched, and which vulnerabilities or policy violations still require review and/or action.

Workflow

To use tickets, you should generally use the following workflow.
1. Start by viewing your policy alerts and vulnerability alerts. See “Handling vulnerability alerts” on page 371 and “Handling policy alerts” on page 376. On those pages, mark the check boxes of alerts that you want to track, then select Ticket.
2. For faster workflow on subsequent alerts, create policies that automatically generate and assign tickets based upon matching criteria. See “Configuring ticket policies” on page 392.
3. Once tickets have been created, you can track overall statistics for open and pending tickets. See “Viewing ticket statistics” on page 395.
4. Prioritize, reassign, or modify tickets. See “Tracking and closing tickets” on page 397.
5. Close tickets by confirming that the remediation has succeeded during the next vulnerability scan.

Tickets that have not been closed by their assigned deadline will result in an e-mail to the FortiScan administrators involved in the ticket, if their account is configured for ticket notification (see Ticket Notification in “Configuring administrator accounts” on page 101), indicating the number of days by which the ticket’s closure is late.

Configuring ticket policies

Events & Tickets > Tickets > Remediation Policy displays a list of policies that automatically create tickets when a matching vulnerability alert or policy alert occurs.

Alternatively or in addition, you can manually create and assign tickets each time a vulnerability alert or policy alert occurs. For details, see “Handling vulnerability alerts” on page 371 and “Handling policy alerts” on page 376.

Figure 195: Remediation policy


The following information is displayed:
• (No label.): Mark the check box at the top of the column to select all ticket policies.
• Order: The index number that indicates the position of the policy in the list of policies. Position indicates the order in which policies are evaluated for a match with each new alert. More specific policies, such as policies to match a specific alert on one host, should be positioned at the top of the list to prevent more general policies from matching the alert first, effectively obscuring the host-specific policy.
• Title: The name of the ticket policy.
• Deadline (days): The number of days given to close the ticket. Tickets are closed by dispatching a remediation either through the FortiScan appliance or externally, then running a vulnerability scan that confirms that the issue has been resolved. For details on vulnerability scans, see “Agent-based Vulnerability Scans” on page 258.
• Assign to: The name of the FortiScan administrator account to which the ticket is currently assigned.
• Modified: The date and time stamp of the last time that the ticket was modified.
• Action: Move Up moves the policy upwards in the list; Move Down moves it downwards. See Order.

To configure a ticket policy:

If you are unsure about which remediation policies to create first, it may be helpful to base them upon the vulnerabilities of your most vulnerable assets. For information on viewing these assets, see “Viewing the top 10 most vulnerable assets” on page 454.

1. From Current ADOM, select the name of an ADOM that is not Global. The ticket policy you are creating will affect only alerts in this ADOM.
2. Go to Events & Tickets > Tickets > Remediation Policy.
3. Select Create New. The Remediation Policy Edit dialog appears.


Figure 196: Remediation policy edit

4. Configure the following settings:

Rule Title
• Title: Type a unique name for the ticket policy.

Conditions
Hosts
• Asset Groups: Select which asset group’s alerts will cause tickets to be generated. Alternatively, configure IP Range.
• IP Range: Type a range of IP addresses. Alerts about hosts in this range will cause tickets to be generated. Alternatively, configure Asset Groups.
Vulnerability
• Vulnerability List: Type one or more Open Vulnerability and Assessment Language (OVAL) IDs, or select the Add Vulnerability IDs icon to locate an OVAL ID by search. Separate each ID with a comma. If any subsequent vulnerability alert matches one of the IDs in this list, a ticket will be created automatically.

Actions
• Set Deadline: Type the number of days after a ticket is created by which it must be closed. Failure to close the ticket by the deadline will increase the overdue counter in the ticket notification e-mail for each day the ticket’s closure is late. Also, the Due Date columns in the ticket statistics and the Due Date column in the list of open tickets will be highlighted in red (see “Viewing ticket statistics” on page 395 and “Tracking and closing tickets” on page 397).
• (No label.): Select either Assign to or Ignore:
• Assign to: Select this option, then select the name of a FortiScan administrator. Tickets generated by this policy will be assigned to this administrator.
• Ignore: Select this option to ignore the alert and create no ticket when an alert matches the conditions in Hosts and Vulnerability List.

5. Select Submit. The ticket policy appears in the list of ticket policies.
6. In the Action column, select the Move Up or Move Down icon to position the policy in the list. Position indicates the order in which policies are evaluated for a match with each new alert; the first policy that matches decides whether a ticket is created. More specific policies, such as policies to match a specific alert on one host, should be positioned at the top of the list to prevent more general policies from matching the alert first, effectively obscuring the host-specific policy.
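The ordering rule in step 6 is the same first-match semantics as a firewall rule base: a general Ignore policy placed above a host-specific Assign to policy silently swallows the alerts the specific policy was meant to ticket. The following is an added example, not FortiScan code, that models ticket-policy evaluation as documented (top-down evaluation, first match wins, Assign to creates a ticket due after Set Deadline days, Ignore creates none) and shows Move Up repairing that mistake. It assumes, as this guide does not state, that a condition left empty matches every alert and that the overdue counter is whole days past the due date; the class and function names, the policies and the OVAL IDs are constructed for the example.

```python
"""Executable model of FortiScan ticket-policy evaluation as documented above.

Added example, not product code. Policies are evaluated in Order, the first
match wins and its action is Assign to (ticket owned by that administrator,
due after Set Deadline days) or Ignore (no ticket). Assumptions: an empty
condition matches everything; days overdue = whole days past the due date.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class TicketPolicy:
    title: str
    asset_groups: frozenset = frozenset()       # Conditions > Hosts > Asset Groups
    ip_range: tuple = ()                        # Conditions > Hosts > IP Range: (first, last)
    vulnerability_ids: frozenset = frozenset()  # Conditions > Vulnerability List (OVAL IDs)
    action: str = "Assign to"                   # "Assign to" or "Ignore"
    assign_to: str = ""                         # FortiScan administrator account
    deadline_days: int = 7                      # Actions > Set Deadline


@dataclass(frozen=True)
class VulnerabilityAlert:
    host_ip: str
    asset_group: str
    oval_id: str
    title: str


@dataclass(frozen=True)
class Ticket:
    owner: str
    due_date: date
    policy_title: str
    alert: VulnerabilityAlert


def _in_ip_range(ip, ip_range):
    first, last = (ipaddress.ip_address(x) for x in ip_range)
    return first <= ipaddress.ip_address(ip) <= last


def policy_matches(policy, alert):
    """Host condition (asset group OR IP range) AND vulnerability condition."""
    no_host_condition = not policy.asset_groups and not policy.ip_range  # assumption: wildcard
    host_ok = (no_host_condition
               or alert.asset_group in policy.asset_groups
               or (bool(policy.ip_range) and _in_ip_range(alert.host_ip, policy.ip_range)))
    vuln_ok = not policy.vulnerability_ids or alert.oval_id in policy.vulnerability_ids
    return host_ok and vuln_ok


def evaluate(policies, alert, created):
    """First-match evaluation in list order. Returns a Ticket, or None when the
    first matching policy is Ignore or when nothing matches."""
    for policy in policies:
        if policy_matches(policy, alert):
            if policy.action == "Ignore":
                return None
            return Ticket(policy.assign_to,
                          created + timedelta(days=policy.deadline_days),
                          policy.title, alert)
    return None


def days_overdue(ticket, today):
    """Value the ticket notification e-mail would report; 0 when not yet late."""
    return max(0, (today - ticket.due_date).days)


def move_up(policies, title):
    """Equivalent of the Move Up action: swap the policy with the one above it."""
    order = list(policies)
    i = next(i for i, p in enumerate(order) if p.title == title)
    if i > 0:
        order[i - 1], order[i] = order[i], order[i - 1]
    return order


# Constructed sample data: a general Ignore policy for a lab address range has
# been placed above a host-specific Assign to policy, so the specific policy
# never fires for a database server that happens to live in that range.
LAB_IGNORE = TicketPolicy("Ignore lab range", ip_range=("10.10.0.1", "10.10.0.254"),
                          action="Ignore")
DB_CRITICAL = TicketPolicy("DB servers: OpenSSL", asset_groups=frozenset({"db-servers"}),
                           vulnerability_ids=frozenset({"oval:example:def:1001"}),
                           assign_to="dba-oncall", deadline_days=3)
CATCH_ALL = TicketPolicy("Default", assign_to="secops", deadline_days=14)
POLICIES_AS_ENTERED = [LAB_IGNORE, DB_CRITICAL, CATCH_ALL]

DB_ALERT = VulnerabilityAlert("10.10.0.42", "db-servers", "oval:example:def:1001",
                              "OpenSSL version is vulnerable")
```

With the policies as entered, `evaluate(POLICIES_AS_ENTERED, DB_ALERT, ...)` returns no ticket because the lab Ignore policy matches first; after `move_up(POLICIES_AS_ENTERED, "DB servers: OpenSSL")` the same alert is ticketed to dba-oncall with a three-day deadline, which is exactly the ordering problem step 6 warns about.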

Viewing ticket statistics

Events & Tickets > Tickets > Ticket Home displays charts showing the number of tickets per completion status and severity. It also displays a list of the top 10 open tickets, categorized by due date and severity.


Figure 197: Ticket home page

The following information is displayed:
• Ticket By Status: A pie chart showing the number of tickets whose State is Open and Resolved, relative to the total number of tickets.
• Ticket By Vulnerability Summary: A bar chart showing the number of tickets per vulnerability severity.

Top 10 Open Tickets
• Ticket #: The index number of the ticket. Select this number to display details of the ticket, such as the ticket history, detected vulnerability, and current owner.
• Due Date: The date by which the ticket’s creator (either manually or via Set Deadline in a ticket policy) indicated that the ticket should be closed. Dates in red indicate that the ticket is overdue.
• Host: The IP address of the asset.
• Severity: The severity level and CVSS score of the detected vulnerability. For details, see “Severity” on page 29.
• Title: The title of the detected vulnerability.
• Owner: The FortiScan administrator account currently assigned to and responsible for closing the ticket. To change the owner, edit the ticket (see “Tracking and closing tickets” on page 397).
• Modified: The date and time stamp that the ticket was last modified.

Tracking and closing tickets

Events & Tickets > Tickets > Ticket Summary lists all tickets that are open, or that have been resolved but not yet confirmed as closed by a subsequent vulnerability scan. The most recent tickets appear at the top of the list. To add comments, change a ticket’s assigned FortiScan administrator, or resolve a ticket, select the Edit Ticket icon in its row. In addition to tracking open and resolved tickets through the Web-based Manager, ticket creators and ticket assignees receive e-mail from the FortiScan appliance notifying them when a ticket has been changed, or if its deadline has passed without the ticket being resolved. For more information on configuring ticket e-mail notification, see “Configuring administrator accounts” on page 101 and “Configuring ticket policies” on page 392.

Figure 198: Ticket home


The following information is displayed:
• (No label.): Mark the check box in the column heading to select all tickets.
• Ticket #: The index number of the ticket. Select this number to display details of the ticket, such as the ticket history, detected vulnerability, and current owner.
• State: The completion state of the ticket, either Open or Resolved. To change the state, in the Action column, select Edit Ticket.
• Due Date: The date by which the ticket’s creator (either manually or via Set Deadline in a ticket policy) indicated that the ticket should be closed. Dates in red indicate that the ticket is overdue.
• IP: The IP address of the asset.
• Severity: The severity level and CVSS score of the detected vulnerability. For details, see “Severity” on page 29.
• Title: The title of the detected vulnerability.
• Owner: The FortiScan administrator account currently assigned to and responsible for closing the ticket. To change the owner, in the Action column, select Edit Ticket.
• Modified: The date and time stamp that the ticket was last modified.
• Created: The date and time stamp that the ticket was first created, either manually when viewing vulnerability or policy alerts, or automatically, via a ticket policy.
• Action: Edit Ticket opens a pop-up window that enables you to add comments and modify the ticket’s State and Owner.

Remediating

If an asset has the FortiScan agent software installed, you can deploy remediations to bring it into compliance or to mitigate its vulnerabilities. Remediations can be applied manually or automatically. See “How to fix vulnerabilities and non-compliances” on page 30.

Viewing unresolved vulnerabilities

The Remediation Summary page displays information about a selected remediation and a list of the unresolved vulnerabilities to which the selected remediation can be applied. To view the Remediation Summary page, go to Agent Scan > Remediation > Remediations, then, in the row for the remediation, select the value in the # of Unresolved Vulns column.

Figure 199: Remediation summary list

The following information is displayed:
• Remediation Detail: Select to view the remediation details. For more information, see “Viewing remediation details” on page 402.

Remediation Summary: A summary of the remediation details.
• ID: The Fortinet remediation identifier.
• Vulnerability References: The number of vulnerabilities that refer to this remediation.
• Invasiveness: The invasiveness of the vulnerabilities resolved by the remediation: Highest, High, Medium, Low, or Lowest.
• Type: The type of remediation: Config (change a configuration parameter), Patch (install a software patch), or Text (manual remediation instructions).
• Name: The name of the remediation.
• Description: The description of the remediation.

Unresolved Vulnerabilities: Displays the unresolved vulnerabilities to which the selected remediation applies, in order of severity, with the most severe vulnerability at the top.
• Host Name: Asset host name.
• IP Address: Asset IP address.
• Vulnerability ID: Select to view the vendor’s OVAL database definition for this vulnerability. For more information, see “Viewing an OVAL definition’s details” on page 316.
• Name: Name of the vulnerability.
• Status: Vulnerability remediation status: Pending, Failed Asset, Failed System, Scheduled, In Progress, or Pending Dispatch.
• Export to PDF: Select to download the page as a PDF file.
• Export to CSV: Select to download the page as a comma-separated values (CSV) spreadsheet file.


Viewing remediations available from Fortinet

Agent Scan > Remediation > Remediations displays the list of remediations available from Fortinet through the FortiGuard Vulnerability Management Service.

Figure 200: Remediations page

The following information is displayed:
• Remediation ID: The Fortinet remediation identifier. Select to view the Remediation Detail page for that remediation (see “Viewing remediation details” on page 402).
• Name: The name of the remediation. Hover your mouse over the name to read a more detailed description.
• Invasiveness: The invasiveness of the vulnerabilities resolved by the remediation: Highest, High, Medium, Low, or Lowest.
• Type: The type of remediation: Config (change a configuration parameter), Patch (install a software patch), or Text (manual remediation instructions).
• Major Version: Major version number of the Fortinet remediation.
• Minor Version: Minor version number of the Fortinet remediation.
• # of Unresolved Vulns: The number of unresolved vulnerabilities for the remediation. Select to view the list of unresolved vulnerabilities; see “Viewing unresolved vulnerabilities” on page 399.
• Action: Save as Remediation Template saves the remediation as a template for future re-use.

Viewing remediation details

The Remediation Detail page displays details about a remediation and lists the unresolved vulnerabilities that are awaiting that remediation. To view the Remediation Detail page, on Agent Scan > Remediation > Remediations, select the Remediation ID link.

Figure 201: Remediation detail list

The following information is displayed: Unresolved Vulnerabilities (n)

Select to view a list of unresolved vulnerabilities awaiting this remediation (see “Viewing unresolved vulnerabilities” on page 399).

Remediation Detail

ID

The remediation identifier.

Vendor Ids count

The number of vendor identifiers to which this remediation applies. The vendor IDs are specified in the Vendors list.

Invasiveness

The invasiveness of the vulnerabilities resolved by the remediation: Highest, High, Medium, Low, or Lowest.

Type

The type of remediation:
• Config: Change a configuration parameter.
• Patch: Install a software patch.
• Text: Manual remediation instructions.

Name

The name of the remediation.

Description

The remediation description.

Effects

The effects of the remediation.


Technologies

The technologies to which the remediation applies.

Remediation Actions

Lists all the actions performed by the remediation.

Action

The remediation action type. For more information, see “Appendix E: Remediation Actions” on page 549.

Argument

The arguments or parameters required by the action.

Value

The value associated with each argument or parameter.

Vendors

The vendor definition identifiers for this remediation.

Searching for remediations by CVE ID

Common Vulnerabilities and Exposures (CVE) is a list of standardized names for all publicly known vulnerabilities and other IT security exposures. The goal of CVE is to make it easier to share data across separate vulnerability databases and security tools. See http://www.cve.mitre.org/about/ for more information.

You can search for and locate Fortinet remediations that address specific CVE vulnerabilities. If you know the CVE identifier of a vulnerability, the FortiScan appliance enables you to find all of the remediations that apply to that vulnerability. You can then examine the actions in each remediation, and decide which remediation is the best choice for a given situation. For specific instructions on how to search, see “Searching by CVE ID” on page 310.

Defining remediation templates

A remediation template is one or more predefined remediation actions that address an issue on one or more assets. A remediation template can be applied to an asset or asset group either by dispatching a remediation action, or by adding it to a policy that governs that asset.

When you create a policy, you can select one or more remediation templates and associate the remediation actions in those templates with the policy. At that time, the remediation actions in the template are copied into the policy; the remediation template remains available for use with other policies.

You can define parameters for remediation actions for specific use, or leave them undefined for more general use. You can also merge multiple templates to quickly create a new template that includes all of their actions. Deleting a remediation template has no effect on assets to which you have already dispatched a remediation action.


Figure 202: Template

The following information is displayed:

Merge

Mark the check boxes of remediation templates that you want to combine, then select Merge (see “Combining multiple remediation templates” on page 408).

(No label.)

Mark the check box in the column heading to select all of the entries.

Name

The name of the remediation template.

Description

The description of the remediation template, if any.

Action

View

Select to display the remediation template.

Edit

Select to modify the remediation template.

Delete

Select to remove the remediation template.

Copy

Select to create a new remediation template by duplicating an existing template.

Dispatch As Remediation

Select to schedule the remediation to be applied to assets. See “Dispatching remediations” on page 409.

Enable Globally Visible

Select to make a remediation in your ADOM visible to all other ADOMs. The icon changes to Disable Globally Visible. This icon appears only for remediations that you have created.

Disable Globally Visible

Select to hide a remediation that is visible to all other ADOMs. The icon changes to Enable Globally Visible. This icon appears only for remediations that you have created.

To create a remediation template:

You can also create a remediation template from a FortiGuard VCM remediation. To create a template from a remediation, on Remediation > Remediation > Remediations, select Save as Remediation Template.


1. From Current ADOM, select the name of an ADOM that is not Global. Remediation templates are specific to each ADOM. As a result, the menu in the following step is not available in the Global ADOM.

Although your new remediation template will be created in the ADOM that you select from Current ADOM, you will be able to share the template with other ADOMs by selecting Enable Globally Visible on Remediation > Template > Remediation Templates.

2. Go to Agent Scan > Remediation > Template.

3. On the toolbar, select Create New.

Figure 203: Remediation template edit

4. Configure the following settings:

Name

Enter a name for the new template.

Description

Enter a description of the remediation template’s intended action.

Remediation Actions

Select Add Action to add a remediation action. See “Adding actions to a remediation template” on page 406.

Enable email notification

Mark the check box to enable email notification for this remediation. Select Test to send a test notification.

Mail Server

Select the mail server you want to use or select Create New to configure a new mail server. For more information, see “To add settings for connecting to an SMTP server:” on page 91.

From

Enter the sender email address.

To

Enter the recipient email address.

Comment

Enter a comment.

5. Add one or more actions to the remediation template before the template can be used. For details, see “Adding actions to a remediation template” on page 406.

6. Select Submit.

Adding actions to a remediation template

The FortiScan appliance contains a set of predefined remediation actions specifically designed to assist you in protecting and managing your enterprise assets. Some of these actions are queries — getting a list of running processes, or getting a list of files, for example. Other actions act on the asset in some way — deleting a file, killing a process, or disabling an administrator account, for example. This type of action provides administrator-configurable parameters that enable you to execute actions on a specific, asset-by-asset basis.

Remediation actions cannot be dispatched directly to an asset, but are used to build remediation templates and conditional remediations in policies. Remediation templates can be dispatched directly to one or more assets. You can add actions at the time you create a new template, or create the template first and add the actions later.

For a complete list of the available remediation actions, see “Appendix E: Remediation Actions” on page 549.

To add actions to a remediation template:

1. From Current ADOM, select the name of an ADOM that is not Global.

2. Go to Agent Scan > Remediation > Template.

3. Select the Edit icon for the template to which you want to add actions. The Remediation Template Edit dialog appears.

4. In the Remediation Actions area, select the Add Action button.

Figure 204: Remediation template action edit


5. Configure the following settings:

Action List

Select the action that you want to use from the list of available FortiScan appliance remediation actions. For more information about available actions, see “Appendix E: Remediation Actions” on page 549.

Description

Enter a description of the remediation template’s intended action.

Action

The selected remediation action.

Argument

The parameters for the selected action.

Value

Enter a value for each parameter, if required.

Some remediation actions have parameters associated with them. For example, the Delete File action requires a path name and file specification. For a list of all available actions and their parameters, refer to “Appendix E: Remediation Actions” on page 549.

You do not have to define these parameters when you create the remediation template. The parameters can also be defined after the remediation template has been copied into a policy.

Some actions require administrator-defined values. You must specify this information in the Value column of the Action Edit dialog or you will see an error message when you try to save the action.

6. Select OK. The Remediation Template Action Edit dialog closes. The new action appears in the Remediation Actions area of the Remediation Template Edit dialog.

7. To add more actions to the template, repeat steps 4 through 6.

8. Remediation actions are executed in the order in which they appear in the Remediation Actions list. If the template contains two or more remediation actions and you want to change their order, select the remediation action you want to move and select the Move Up or Move Down arrow icons.

9. Select Submit.

Modifying remediation actions

Some remediation actions have parameters associated with them; for example, the Edit File action requires a path name and file specification. You can edit these parameters in the Remediation Template Edit dialog.

When creating an administrator account or changing an administrator password, the value of the password parameter can only be entered at the time when you dispatch a remediation to the asset. You can only create an administrator account or change a password by dispatching a remediation template immediately. Scheduled remediation templates do not support these actions.


To modify remediation action parameters:

1. From Current ADOM, select the name of an ADOM that is not Global.

2. Go to Agent Scan > Remediation > Template.

3. Select the Edit icon for the template that you want to modify. The Remediation Template Edit dialog appears. The remediation actions for the selected template appear in the Remediation Actions list.

4. To edit remediation action parameters, select the Edit icon for the action you want to modify. The Remediation Template Action Edit dialog appears.

5. To change the action, in the Action List field, select a different remediation action.

6. In the Value column, modify or enter the value for each parameter you want to configure.

7. Select OK to save your settings. The Remediation Template Action Edit dialog closes.

8. In the Remediation Template Edit dialog, continue to modify other actions, as needed. You can rearrange the order of the actions by selecting an action and selecting the Move Up or Move Down icons.

9. Select Submit.

Copying a remediation template

You can copy an existing remediation template as a convenient way to create multiple copies of a remediation template that need only minor changes in their remediation action values.

To copy a remediation template, go to Agent Scan > Remediation > Template, select the Copy icon for the template that you want to copy, and select OK in the confirmation dialog that appears. The new remediation template appears in the Agent Scan > Remediation > Template list, with the name automatically modified with the prefix Copy_of. You can change the name and modify action parameters and other settings as described in “Defining remediation templates” on page 403.

Combining multiple remediation templates

You can combine several existing remediation templates to create a new remediation template that includes all of their configured remediation actions. This is useful when you want to quickly dispatch multiple templates to the same asset or asset group.

To combine multiple remediation templates:

1. From Current ADOM, select the name of an ADOM that is not Global.

2. Go to Agent Scan > Remediation > Template.

3. Mark the check boxes for each template that you want to combine, and from the toolbar menu, select Merge. The Remediation Template Edit dialog appears, listing all the remediation actions included from the selected remediation templates.

4. In the Name field, type a name for the new template.

5. In the Remediation Actions area, review the included actions and modify as needed; see “Adding actions to a remediation template” on page 406.

6. Complete any other fields as required.

7. Select Submit. The new remediation template appears in the Agent Scan > Remediation > Template list.

Dispatching remediations

Dispatching a remediation schedules an asset or asset group to perform actions using the remediation template in order to address security or asset configuration needs.

To receive the dispatched remediation, the asset’s FortiScan agent must be running and the Agent Scan Status must be Protected.

You can dispatch a remediation either from:

• Agent Scan > Remediation > Template — Flexible, and most effective for dispatching a remediation to a wider range of mixed assets and asset groups. Use “To dispatch a remediation from a template to a mixed group of assets:” on page 409.

Remediations that create an administrator account or change a password on the asset can only be dispatched from Remediation > Template > Remediation Template.

• Asset > Inventory > Asset Inventory — Most effective when you want to dispatch a remediation to a specific asset, to assets in the same group, or to a small number of asset groups. Use “To dispatch a remediation to an asset or asset group:” on page 412.

Many of the more current patches from Microsoft require Microsoft Windows Installer 3.1 or later. Fortinet recommends installing Microsoft Windows Installer 3.1 v2 by dispatching the remediation template “Install Microsoft Windows Installer 3.1 (v2) (KB893803)” to the affected systems. This remediation template can be applied to the following operating systems:
• Windows Server 2003
• Windows XP
• Windows XP Service Pack 1
• Windows XP Service Pack 2

For more information, please see Microsoft knowledge article 893803 (http://support.microsoft.com/?id=893803).

To dispatch a remediation from a template to a mixed group of assets:

Do not re-dispatch a remediation while it is in progress. Depending on the timing of the second dispatch and the state of the scheduled task, re-dispatching could cause errors.

1. From Current ADOM, select the name of an ADOM that is not Global.

2. Go to Agent Scan > Remediation > Template.

3. In the row of the template that you want to dispatch, select the Dispatch As Remediation icon. The Dispatch As Remediation dialog appears.


Figure 205: Dispatch remediation template

4. Configure the following settings:

Remediation Details

hide

Select to collapse the remediation template details, hiding them from view. The show link appears. The hide link appears only when the Remediation Details section is expanded.

show

Select to expand the remediation template details, making them visible. The hide link appears. The show link appears only when the Remediation Details section is hidden.

Name

The name of the remediation template.

Remediation Actions

Displays a list of all the remediation actions configured in the template.

Action

The action type. Tip: If you want to rearrange, add to, or reduce the list of remediation actions, select Cancel and create or modify a remediation template (see “Defining remediation templates” on page 403).

Argument

The list of action parameter arguments.

Value

The values of the listed action parameter arguments.

Schedule Details


hide

Select to collapse the remediation schedule details, hiding them from view. The show link appears. The hide link appears only when the Schedule Details section is expanded.

show

Select to expand the remediation schedule details, making them visible. The hide link appears. The show link appears only when the Schedule Details section is hidden.

Send Feedback

Mark the check box to send a notification email when the remediation action is finished on asset.

Schedule Type

Select the type of schedule you want for this remediation:
• Immediate: Select to dispatch the remediation right away.
• Once: Select to dispatch the remediation once. In the fields that appear, enter the date and time when you want the remediation to begin.
• By Minute: Select to schedule a recurring remediation every one or more minutes. In the fields that appear, enter the date and time when you want the remediation to begin and the number of minutes between recurrences.
• By Hour: Select to schedule a recurring remediation every one or more hours. In the fields that appear, enter the date and time when you want the remediation to begin and the number of hours between recurrences.
• By Day: Select to dispatch a recurring remediation every one or more days. In the fields that appear, enter the date and time when you want the remediation to begin and the number of days between recurrences.
• By Week: Select to dispatch a recurring remediation on specific days of the week. In the fields that appear, enter the date and time to begin, the days of the week, and the time you want the remediation to be dispatched on the selected days.
• By Month: Select to dispatch a recurring remediation every one or more months on specific days of the month. In the fields that appear, enter the date and time to begin, the number of months between recurrences, the days of the month, and the time you want the remediation to be dispatched on the selected days.

Select Assets

hide

Select to collapse the list of assets scheduled for remediation, hiding them from view. The show link appears. The hide link appears only when the Selected Assets section is expanded.


show

Select to expand the list of assets scheduled for remediation, making them visible. The hide link appears. The show link appears only when the Selected Assets section is hidden.

Host Name

The host name of the asset.

IP

The IP address of the asset.

Asset Group

The asset group to which the asset belongs, if any.

Asset Status

The protection and connectivity status of the asset: Protected, Registered, Disconnected, Unprotected, or Retired. Assets whose Agent Scan Status is not Protected will not participate when you schedule FortiScan agent-based scans, and will not receive remediations. For details, see “Agent scan status” on page 26.

Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

5. Select OK.

The remediation is scheduled and will be performed when each asset’s FortiScan agent next connects to the FortiScan appliance during its periodic dispatch interval.

To dispatch a remediation to an asset or asset group:

Do not re-dispatch a remediation while it is in progress. Depending on the timing of the second dispatch and the state of the scheduled task, re-dispatching could cause errors.

1. From Current ADOM, select an ADOM that is not Global.

2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).

3. In the asset navigation tree, select the group that contains the assets or asset groups for which you want to dispatch a remediation. The contents of the selected asset group appear in the asset inventory pane.

4. In the asset inventory pane, in the row for the asset or asset group, select the Dispatch Remediation icon. The Dispatch Remediation - Select Remediation Templates dialog appears.


Figure 206:Select remediation templates

If the remediation is operating system (OS)-specific, the remediation will be ignored by FortiScan agents where the asset’s OS does not match.

5. From the list of available remediation templates, select the one you want to dispatch. If you cannot find a suitable remediation template, or want to rearrange, add to, or reduce the list of remediation actions, select Cancel and create or modify the necessary remediation template in the Remediation > Template > Remediation Template submenu, as described in “Defining remediation templates” on page 403.

6. Select Next. The Dispatch Remediation - Remediation Parameters dialog appears.

Figure 207: Remediation parameters


7. Specify the appropriate values for the actions contained in the remediation template. If the selected remediation template contains actions with administrator-definable parameters, define the parameters.

The parameter values entered in the Dispatch Remediation dialog are used only for the current remediation being dispatched. They do not affect the selected remediation template.

8. Select Next. The Schedule Remediation dialog appears.

9. From the Schedule Type list, select how you want the remediation to be dispatched:

Immediate

Select to dispatch the remediation right away.

Once

Select to dispatch the remediation once.

Starting At

Enter the date and time when you want the remediation to begin.

By Minute

Select to schedule a recurring remediation every one or more minutes.

Starting At

Enter the date and time when you want the remediation to begin.

Every ? Minute(s)

Enter the number of minutes between recurrences.

By Hour

Select to schedule a recurring remediation every one or more hours.

Starting At

Enter the date and time when you want the remediation to begin.

Every ? Hour(s)

Enter the number of hours between recurrences.

By Day

Select to dispatch a recurring remediation every one or more days.

Starting At

Enter the date and time when you want the remediation to begin.

Every ? Day(s)

Enter the number of days between recurrences.

By Week

Select to dispatch a recurring remediation on specific days of the week.

Starting At

Enter the date and time when you want the remediation to begin.

Run At (H:M)

Enter the time you want the remediation to be dispatched on the selected days.

On These Day(s)

Select the days of the week when you want the remediation to be dispatched.

By Month

Select to dispatch a recurring remediation every one or more months on specific days of the month.

Starting At

Enter the date and time when you want the remediation to begin.

Every ? Month(s)

Enter the number of months between recurrences.


Run At (H:M)

Enter the time you want the remediation to be dispatched on the selected days.

On These Day(s)

Select the days of the month when you want the remediation to be dispatched. To select multiple days, hold down the CTRL key when you make your selections.

10. Select Next. The Dispatch Remediation dialog appears.

Figure 208: Dispatch remediation

11. Review the list of the assets and asset groups you selected for remediation. This is helpful if you have selected a large number of assets, and want to confirm your selections before you dispatch the remediation.

12. If you want a Success or Failed message to be displayed on the resulting dispatched remediation alert when the remediation is complete, enable Show simplified feedback messages.

13. Select Finish. The remediation is scheduled and will be performed when each asset’s FortiScan agent next connects to the FortiScan appliance during its periodic dispatch interval. Results will be included in the statistics (see “Viewing remediation statistics” on page 415).
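The constraints this section states about dispatching are spread over several pages: only assets whose Agent Scan Status is Protected receive remediations, OS-specific remediations are ignored by agents on other operating systems, a remediation must not be re-dispatched while in progress, account-creation and password-change actions can only be dispatched immediately and only from the Template path, and actions that need administrator-defined values fail without them. The following added example (not Fortinet's code) collects those rules into a pre-dispatch check run over constructed sample data; the data classes, field names, argument names for Delete File and the sample hosts are assumptions made for the example, while the status values and schedule type names are those the guide uses.

```python
# Added example, not Fortinet's code: a pre-dispatch check applying the rules
# this section of the guide states. Data classes, field names and the sample
# template/assets are constructed for the example; the Agent Scan Status values
# and schedule type names are the ones the guide documents.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Action:
    name: str
    arguments: Dict[str, Optional[str]]   # argument -> value (None = not yet defined)
    requires_values: bool = False         # action needs administrator-defined values
    credential_action: bool = False       # creates an admin account or changes a password


@dataclass
class Template:
    name: str
    actions: List[Action]                 # executed in list order
    os_filter: Optional[str] = None       # None = not OS-specific


@dataclass
class Asset:
    host: str
    ip: str
    os: str
    agent_status: str                     # Protected, Registered, Disconnected, Unprotected, Retired
    remediation_in_progress: bool = False


def template_errors(template: Template, schedule_type: str, dispatch_path: str) -> List[str]:
    """Template-level problems that block the whole dispatch."""
    errors = []
    for pos, act in enumerate(template.actions, 1):
        missing = [arg for arg, val in act.arguments.items() if val in (None, "")]
        if act.requires_values and missing:
            errors.append(f"action {pos} ({act.name}): no value for {', '.join(missing)}")
        if act.credential_action:
            # Password is entered at dispatch time and only an Immediate dispatch
            # from Remediation > Template supports these actions.
            if schedule_type != "Immediate":
                errors.append(f"action {pos} ({act.name}): account/password actions need an Immediate schedule")
            if dispatch_path != "template":
                errors.append(f"action {pos} ({act.name}): account/password actions must be dispatched from Remediation > Template")
    return errors


def asset_outcomes(template: Template, assets: List[Asset]) -> Dict[str, str]:
    """Per-asset result: 'dispatch', or the reason the agent will not run it."""
    outcomes = {}
    for a in assets:
        if a.agent_status != "Protected":
            outcomes[a.host] = f"skip: Agent Scan Status is {a.agent_status}, must be Protected"
        elif template.os_filter and a.os != template.os_filter:
            outcomes[a.host] = f"skip: OS-specific remediation for {template.os_filter}, agent ignores it on {a.os}"
        elif a.remediation_in_progress:
            outcomes[a.host] = "hold: a remediation is in progress, do not re-dispatch"
        else:
            outcomes[a.host] = "dispatch"
    return outcomes


def preflight(template, assets, schedule_type="Immediate", dispatch_path="template"):
    return {"errors": template_errors(template, schedule_type, dispatch_path),
            "assets": asset_outcomes(template, assets)}


# Constructed sample data. The guide says Delete File needs a path name and a
# file specification; the argument names used here are hypothetical.
SAMPLE_TEMPLATE = Template(
    name="Clean temp and rotate admin password",
    actions=[
        Action("Delete File", {"path": "C:\\Temp", "file spec": "*.tmp"}, requires_values=True),
        Action("Change Administrator Password", {"password": None}, credential_action=True),
    ],
    os_filter="Windows XP",
)
SAMPLE_ASSETS = [
    Asset("ws-01", "192.0.2.10", "Windows XP", "Protected"),
    Asset("ws-02", "192.0.2.11", "Windows XP", "Disconnected"),
    Asset("srv-01", "192.0.2.20", "Windows Server 2003", "Protected"),
    Asset("ws-03", "192.0.2.12", "Windows XP", "Protected", remediation_in_progress=True),
]

if __name__ == "__main__":
    result = preflight(SAMPLE_TEMPLATE, SAMPLE_ASSETS, schedule_type="Once")
    for err in result["errors"]:
        print("ERROR", err)
    for host, outcome in result["assets"].items():
        print(host, outcome)
```

Run as shown, the sample reports one template-level error (the password change cannot be scheduled with Once) and dispatches only to ws-01; ws-02 is not Protected, srv-01 runs a different OS, and ws-03 is held until its current remediation finishes.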

Viewing remediation statistics

Agent Scan > Remediation > Summary provides a statistical summary of the remediations available from Fortinet, and their distribution by type of remediation, vulnerability invasiveness, and vendor.


Figure 209: Remediation summary

Select chart components to view the associated remediation summary list.

The following information is displayed:

Remediations by Invasiveness

Displays the number of all remediations in a bar graph, distributed by vulnerability invasiveness. Select a status bar to view a list of all remediations addressing vulnerabilities with the selected invasiveness rating. You can also export the information in this list to a PDF or text (CSV) file. For more information, see “Viewing remediation summary lists per category” on page 417.

Remediations by Type

Displays the number of all remediations in a pie chart, distributed by remediation type. Select a pie segment to view a list of all remediations with the selected type. You can also export the information in this list to a PDF or text (CSV) file. For more information, see “Viewing remediation summary lists per category” on page 417.

Latest Statistics

Displays the total number of new or updated remediations in the last 24 hours. Select the Count value for a statistic to view a list of all remediations included in the count. You can also export the information in this list to a PDF or text (CSV) file. For more information, see “Viewing remediation summary lists per category” on page 417.

Remediations for vulnerabilities by Vendor

Displays the number of all remediations for vulnerabilities in a bar graph, distributed by vendor. Hover your mouse over a bar to see the vendor name.


Viewing remediation summary lists per category

You can view a summary list of remediations categorized by vulnerability invasiveness, remediation type or statistic, by selecting the appropriate graphical element or statistic in the Agent Scan > Remediation > Summary submenu. The corresponding remediation summary list appears.

Figure 210: Remediation summary list

The following information is displayed:

Export to PDF

Select to download the page as a PDF file.

Export to CSV

Select to download the page as a comma-separated values (CSV) spreadsheet file.

Remediation ID

The Fortinet remediation identifier. Select to view the Remediation Detail page for the selected remediation; see “Viewing remediation details” on page 402.

Name

The name of the remediation. Hover your mouse over the name to read a more detailed description.

Invasiveness

The invasiveness rating of the vulnerabilities resolved by the remediation: Highest, High, Medium, Low, or Lowest.

Type

The type of remediation:
• Config: Change a configuration parameter.
• Patch: Install a software patch.
• Text: Manual remediation instructions.

Major Version

Major version number of the Fortinet remediation.

Minor Version

Minor version number of the Fortinet remediation.

# of Unresolved Vulns

The number of unresolved vulnerabilities for the remediation. Select to view the list of unresolved vulnerabilities; see “Viewing unresolved vulnerabilities” on page 399.


Defining Custom Fields

Many default pieces of data are already included in surveys submitted by FortiScan agents to the FortiScan appliance. If you need to keep additional data about a host, you can configure custom fields. For example, if you want to track the physical location, the department name, and the equipment ID of each asset, you would define three custom fields, one for each data item:
• Location
• Dept
• ID

In addition to manually entering custom field data, you can export custom field definitions that you have created on one FortiScan appliance to a properties file that you can later import to another FortiScan appliance. For example, you might want to create a properties file to define company-wide custom fields and another file to define custom fields that apply only to a specific department or office. For more information, see “Importing and exporting custom field definitions” on page 419.

Custom fields can be defined that are specific to an individual host, alternatively or in addition to global custom fields. For details, see “Configuring custom fields” on page 195.

To define a custom field:

1. From Current ADOM, select Global. Custom fields will be defined for assets in all ADOMs.

2. Go to Asset > Inventory > Custom Fields. The list of custom fields appears in the content pane.

Figure 211: Custom fields

3. On the toolbar, select Create New. The New Custom Field dialog appears.


Figure 212:New custom field dialog box

4. In the Display Name field, type a name for the custom field, as you want it to appear in the column header.

5. In the Type field, select one of the following custom field data types: Date, Number, or Text.

6. In the Import / Export Tag Name field, type a tag name for the custom field.

7. If you want to restrict the custom field to a specific set of valid values, in the Possible Value field, type an allowed value, then select Add. Repeat this for each value you want to allow in the field. The values you enter appear in the text area below the Possible Value field. These will appear in the drop-down list from which possible values can be selected in the asset inventory.

8. If you want to define which value from Possible Value is the default, from the Default Value list, select a value from the list of allowable values.

9. Select OK.

Importing and exporting custom field definitions

Custom field definitions can be exported to or imported as a .properties file. This can be used to share custom field definitions with other FortiScan appliances, or to edit the custom field definitions in a text editor on your management computer.

Definitions are only the names of custom fields and their possible and default values. They do not include the actual data: which values were selected for each custom field, on each asset. To import each asset’s custom field data, see “Importing custom field data” on page 422.

Figure 213 shows an example of a custom fields properties file.


Figure 213:customfields.properties file

The following information is displayed (each property file line, followed by its description):

#Wed May 11 17:28:50 EDT 2011

A comment containing a date and timestamp. Comments in the properties file preceded by a hash mark ( # ) will be ignored when importing custom field definitions.

custom.field=

Enumerates the custom fields, counting from zero. Subsequent property lines refer to each custom field by one of the numbers (n) configured in this line. This line exists only once in the properties file. Example: If 4 custom fields will be defined, this line is: custom.field=0,1,2,3

custom.field.n.tag.name=

A tag name for the custom field. Corresponds to Import/Export Tag Name when defining the field in the Web-based Manager, which is used in places such as the list of available fields when importing custom fields data. Example: custom.field.0.tag.name=PhysLoc


custom.field.n.display.name=

A name for the custom field, as it will appear in column headers in the Web-based Manager. Corresponds to Display Name when defining the field in the Web-based Manager. Example: custom.field.0.display.name=Physical Location

custom.field.n.column.type=

The data type of the custom field, either date, number, or text. Corresponds to Type when defining the field in the Web-based Manager. Example: custom.field.0.column.type=text

custom.field.n.default.value=

The default value of the custom field. It must be one of the values configured in custom.field.n.possible.values. Corresponds to Default Value when defining the field in the Web-based Manager. Example: custom.field.0.default.value=Palo Alto

custom.field.n.possible.values= The pipe-delimited list of valid values for the custom field. Each value must conform to the data type in custom.field.n.column.type. Corresponds to Possible Value when defining the field in the Web-based Manager. Example: custom.field.0.possible.value=Vancouve r|Palo Alto|Kuala Lumpur|Hamburg To export custom field definitions: 1. From Current ADOM, select Global. Custom fields are defined for assets in all ADOMs. 2. Go to Asset > Inventory > Custom Fields. The list of custom fields appears in the content pane. 3. On the content pane toolbar, select Export. If your browser prompts you for a location, select where you want to save the file. 4. The customfields.properties file is downloaded to your management computer. You can keep it as a backup, or edit it with a plain text editor and import it. To import custom field definitions: 1. From Current ADOM, select Global. Custom fields will be defined for assets in all ADOMs. 2. Go to Asset > Inventory > Custom Fields. The list of custom fields appears in the content pane. 3. On the content pane toolbar, select Import Def. The Import Custom Field Definition dialog appears. Fortinet Technologies Inc.


4. Select Browse.
5. Locate and select the customfields.properties file you want to import.
6. Select Open. The file pathname appears in the Upload File field.
7. Select Upload. The selected custom field definition file is uploaded to the FortiScan appliance. Time required varies by network speed and file size.

Importing custom field data

Once you have imported the custom field definitions, you can import those custom fields’ values for each asset. Custom field data is imported from a comma-separated value (CSV) spreadsheet file, where the first item in each line is the IP address of an asset. The number of comma-delimited items following the IP address depends on the number of custom fields that you have defined and want to import.

Alternatively, you can configure custom field values for each asset individually. See “Configuring custom fields” on page 195.

To import custom field data:

1. Use a plain text editor or spreadsheet software to build a CSV file where each line contains the asset’s IP address followed by its comma-delimited custom field data. For example, if you had defined two custom fields, Location and Department, and you want to import data for both of those custom fields for every asset, each line in the CSV file would look like this:

172.16.1.200,Oahu,Research,ADOM_1

where:
• 172.16.1.200 is the IP address of an asset
• Oahu is a valid value for that asset’s Location custom field
• Research is a valid value for that asset’s Department custom field
• ADOM_1 is the name of the ADOM to which the asset belongs

You can omit the name of the ADOM. However, if you omit it and multiple assets in different ADOMs have the same IP address, all of those assets will receive the same custom field data.

2. From Current ADOM, select Global.
3. Go to Asset > Inventory > Custom Fields. The list of custom fields appears in the content pane.
4. On the content pane toolbar, select Import Data. The Select Custom Fields to be Imported dialog appears.


Figure 214: Select custom fields dialog box

5. In the Available Custom Fields list, select the tag name of each custom field whose values you want to import, then select the right arrow button to move those tags to the Selected Custom Fields list. Omit tag names for fields that do not exist in the import file.
6. In the Selected Custom Fields list, select each tag name, then select the Move Up or Move Down buttons to move it into position. Position indicates the order of the values in each line of the import file. If a custom field’s data is the right-most value in each line, move its tag name to the bottom of the Selected Custom Fields list; for data towards the left in each line, move its tag name upwards in the list. For example, for the file in step 1, the tag name for Location would be positioned at the top, above the tag name for Department.
7. Select Done. The Import Custom Field Data dialog appears.
8. Select Browse.
9. Locate and select the comma-separated value (CSV) spreadsheet file that you want to import.
10. Select Open. The file pathname appears in the Upload File field.
11. Select Upload. Your computer uploads the CSV file to the FortiScan appliance, which applies the data in the CSV file to the custom fields you selected. Time required to upload the file varies by file size and network speed. When the upload completes, a message appears: The selected custom field data file is uploaded to FortiScan. To verify that all data has been imported, view each asset’s custom fields configuration (see “Configuring custom fields” on page 195).
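The following script is an added example and is not part of this guide or of FortiScan. It reads a customfields.properties file using the keys described in the table above, checks the constraints the table states (column.type is date, number or text; the default value is one of the possible values; tag and display names are present), and then checks an Import Data CSV against those definitions before it is uploaded: a valid IP address in the first column, one value per selected tag in the order set in the Selected Custom Fields list, an optional trailing ADOM name, and the duplicate-address ambiguity described under step 1. The sample files are constructed for the example; the ISO date format and the acceptance of both the possible.value and possible.values key spellings are assumptions.

```python
# Added example (not FortiScan code): check a customfields.properties file
# and an Import Data CSV before uploading them. Sample files are constructed;
# ISO dates and accepting both possible.value/possible.values are assumptions.
import csv
import ipaddress
from collections import Counter
from datetime import date

# Per-type validators; a ValueError means the value does not fit the type.
TYPE_CHECK = {"text": str, "number": float, "date": date.fromisoformat}

SAMPLE_PROPERTIES = """\
#Wed May 11 17:28:50 EDT 2011
custom.field=0,1
custom.field.0.tag.name=PhysLoc
custom.field.0.display.name=Physical Location
custom.field.0.column.type=text
custom.field.0.default.value=Palo Alto
custom.field.0.possible.values=Vancouver|Palo Alto|Kuala Lumpur|Hamburg
custom.field.1.tag.name=Dept
custom.field.1.display.name=Department
custom.field.1.column.type=text
custom.field.1.default.value=Research
custom.field.1.possible.values=Research|Finance
"""

# Import Data rows: IP, PhysLoc, Dept, optional ADOM (constructed sample).
SAMPLE_CSV = """\
172.16.1.200,Palo Alto,Research,ADOM_1
172.16.1.200,Hamburg,Finance,ADOM_2
10.0.0.5,Vancouver,Research
10.0.0.5,Hamburg,Finance
999.1.1.1,Vancouver,Research
10.0.0.9,Honolulu,Research
"""


def parse_properties(text):
    """Minimal .properties reader: '#'/'!' comments, key=value; no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def load_definitions(text):
    """Return (fields, errors); fields follow the custom.field order."""
    props, errors, fields = parse_properties(text), [], []
    try:
        indexes = [int(n) for n in props["custom.field"].split(",")]
    except (KeyError, ValueError):
        return [], ["custom.field must list integer indexes, e.g. custom.field=0,1"]
    for n in indexes:
        p = f"custom.field.{n}."
        ctype, default = props.get(p + "column.type"), props.get(p + "default.value", "")
        raw = props.get(p + "possible.values", props.get(p + "possible.value", ""))
        values = [v.strip() for v in raw.split("|") if v.strip()]
        errors += [f"field {n}: {a} missing" for a in ("tag.name", "display.name")
                   if not props.get(p + a)]
        if ctype not in TYPE_CHECK:
            errors.append(f"field {n}: column.type {ctype!r} is not date, number or text")
        else:
            for v in values:
                try:
                    TYPE_CHECK[ctype](v)
                except ValueError:
                    errors.append(f"field {n}: value {v!r} is not a valid {ctype}")
        if default not in values:  # also catches an empty possible.values list
            errors.append(f"field {n}: default {default!r} is not a possible value")
        fields.append({"index": n, "tag": props.get(p + "tag.name", ""),
                       "type": ctype, "values": values, "default": default})
    return fields, errors


def validate_data_csv(text, fields, selected_tags):
    """Check rows of IP, one value per selected tag (in order), optional ADOM."""
    by_tag = {f["tag"]: f for f in fields}
    if any(t not in by_tag for t in selected_tags):
        return [f"selected tags not all defined: {selected_tags}"], []
    n, errors, no_adom = len(selected_tags), [], Counter()
    for lineno, row in enumerate(csv.reader(text.splitlines()), start=1):
        row = [c.strip() for c in row]
        if len(row) not in (n + 1, n + 2):
            errors.append(f"line {lineno}: expected {n + 1} or {n + 2} columns, got {len(row)}")
            continue
        try:
            ipaddress.ip_address(row[0])
        except ValueError:
            errors.append(f"line {lineno}: {row[0]!r} is not a valid IP address")
            continue
        errors += [f"line {lineno}: {v!r} is not a possible value for {t}"
                   for t, v in zip(selected_tags, row[1:]) if v not in by_tag[t]["values"]]
        if len(row) == n + 1:
            no_adom[row[0]] += 1
    # A row without an ADOM applies to every asset with that address in every
    # ADOM, so two such rows for one address cannot target different assets.
    warnings = [f"{ip}: {c} rows without an ADOM name; add the ADOM column"
                for ip, c in no_adom.items() if c > 1]
    return errors, warnings
```

Run load_definitions on the exported file before editing it, and validate_data_csv with the tag names in the same order you arrange them in the Selected Custom Fields list; passing the tags in a different order reports every value as invalid, which is exactly the mistake step 6 is there to prevent.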


Monitoring the System

To get the most value out of your FortiScan appliance, use it to keep informed about your network, not just to protect it. FortiScan appliances have many tools that you can use to monitor statuses, traffic, and hardware changes. You can also use them to discover new vulnerabilities and compliance issues.

• The dashboard
• Compliance and vulnerability statistics
• Security postures
• Monitoring and disconnecting administrator sessions
• SNMP traps and queries
• Scheduled tasks and events
• Logs
• System errors
• Reports
• FortiGuard updates
• Vulnerability scans and alerts

The dashboard

System > Dashboard > Status appears first when you log in to the Web-based Manager as the admin administrator. It contains a dashboard with widgets, each of which indicates a performance level or other status. By default, the widgets that appear display the serial number and current system status of the FortiScan appliance, including uptime, system resource usage, host name, firmware version and system time. The dashboard also contains a CLI widget that enables you to use the command line through the Web-based Manager.

Figure 215: Status page


The dashboard is customizable. You can select which widgets to display, where they are located on the page, and whether they are minimized or maximized. You can also create additional dashboards.

To add a dashboard, on the content pane toolbar, select Dashboard, then select Add Dashboard and type its name. The dashboard is added to the left-hand navigation menu. (For example, for a dashboard named “Usage”, System > Dashboard > Usage would be added to the menu.) The new dashboard is empty until you add the widgets that you want to show on it.

To move a widget, position your mouse cursor on the widget’s title bar, then select and drag the widget to its new location. To add a widget, in the dashboard toolbar, select Widget, then select the names of the widgets that you want to show. To hide a widget, in its title bar, select Close.

Figure 216: Adding a widget

To see the available options for a widget, position your mouse cursor over the icons in the widget’s title bar. Options vary slightly from widget to widget, but always include options to close or show/hide the widget.

Figure 217: A minimized widget (callouts: Edit, Widget title, Show/Hide arrow, Refresh, Close)

The following information is displayed:

Widget Title

The name of the widget.

Show/Hide arrow

Display or minimize the widget.

Edit

Select to change settings for the widget. This option appears only on widgets that have settings, such as the CLI Console and System Resources widgets.

Refresh

Select to update the displayed information.

Close

Select to remove the widget from the dashboard. You will be prompted to confirm the action. To add the widget, select Widget in the toolbar and then select the name of the widget you want to show.


The available dashboard widgets are:
• System information widget
• License information widget
• CLI console widget
• System resources widget
• Unit operation widget
• Statistics widget
• Disk monitor widget

System information widget

The System Information widget displays basic information about the FortiScan appliance, such as uptime and firmware version. From this widget you can also update the firmware and FortiScan agent software to a different version.

Figure 218: System information widget

The system information widget displays the following information:

Serial Number

The serial number of the FortiScan appliance. The serial number is unique to the FortiScan appliance and does not change with firmware updates. Use this number when registering your FortiScan appliance with Fortinet Technical Support.

Uptime

The time in days, hours and minutes since the FortiScan appliance was started or last rebooted.

System Time

The current time according to the FortiScan appliance’s internal clock. Select Change to change the time or configure the FortiScan appliance to get the time from an NTP server.

Host Name

The host name of the FortiScan appliance. See “Changing the FortiScan appliance’s host name” on page 175.

Firmware Version

The version of the firmware currently installed on the FortiScan appliance. Select Update to install a new version of firmware. See “Updating the Firmware” on page 80.


License information widget

The License Information widget displays information on features that vary by purchased license or contract. New vulnerabilities are discovered and new remediations are built by Fortinet researchers every day, and many exploits target a vulnerability within the first months after it becomes publicly known. To ensure that your assets are assessed against the latest vulnerability, patch, and compliance definitions and scripts, your FortiScan appliance needs access to Fortinet’s FortiGuard services. If your appliance is a virtual appliance (FortiScan VM), this widget also shows the status of your 15-day free trial license or paid license, and provides a link where you can upload a license file.

Downgrading a FortiScan VM license will result in being unable to add new assets until you have removed excess assets from the asset inventory.

FortiScan VM images include a free 15-day limited trial license. The trial period begins the first time you power on your FortiScan virtual appliance. You can upgrade the trial license to a purchased one at any time during or after the trial period by uploading the license file via the License Information widget in the dashboard of the Web-based Manager.

Figure 219: License information widget

The license information widget displays the following information:

Virtual Machine License Registration Status

Indicates whether or not this FortiScan VM appliance has a paid license:
• Not Registered (orange X icon): The FortiScan VM appliance license is not valid, or is currently a trial license. To upload a purchased license, select Upload. See also the FortiScan-VM Install Guide.
• Licensed (green check mark icon): The FortiScan VM appliance has a valid, non-trial license. To increase the number of assets that this appliance can protect, upload another license.
This appears only in FortiScan VM.

Number of Assets Allowed

The number of assets that can be protected by this appliance, according to the license files that you have uploaded. See also “Appendix A: Maximum Values” on page 523. This appears only in FortiScan VM.


Management Address

The IP address to which the FortiScan VM appliance’s license is bound. This appears only in FortiScan VM.

FortiGuard Services Vulnerability and Compliance Management

Indicates whether or not this FortiScan appliance is licensed for the FortiGuard Vulnerability Management Service:
• Expired or Not Registered (orange X icon): At the last attempt, the FortiScan appliance was able to contact the FDN, but its FortiGuard Vulnerability Management Service license was not valid. To purchase a license, select Subscribe. Caution: Your FortiScan appliance cannot detect the latest vulnerabilities and compliance violations unless it is licensed and has network connectivity to download current definitions from the FortiGuard Vulnerability Management Service.
• Licensed (green check mark icon): At the last attempt, the FortiScan appliance was able to contact the FDN and validate its FortiGuard Vulnerability Management Service license.
• Unreachable (grey X icon): Unable to determine license status due to network connection errors. Check the configuration of the FortiScan appliance and any NAT or firewall devices between the FortiScan appliance and the FDN or override server. For example, you may need to add routes to the FortiScan appliance’s routing table.
For more information on subscriptions, see “Connecting to FortiGuard Services” on page 72.

VCM Service Pack

The version of the FortiGuard Vulnerability Management Service engine, and the date of its last update. There are 3 ways to update the engine:
• Manually upload a file: Select Update to manually upload a new version of the engine. See “Uploading VCM updates” on page 78.
• Manually initiate a request: Trigger the appliance to immediately request an update and, if one is found, apply it. See “Manually initiating update requests” on page 77.
• Automatically request: The appliance periodically checks for new versions according to a schedule that you define and, if one is found, downloads it from the FDN and applies it. See “Manually initiating update requests” on page 77.


CLI console widget

The CLI Console widget allows you to enter CLI commands on the FortiScan appliance. You can open the console in a separate window or change the console preferences, if you prefer.

Figure 220: CLI console widget

To open the CLI console in its own window:

1. Select the Detach icon. (This icon appears when you move your mouse over the title bar.) The CLI Console widget appears in a pop-up window.
2. To edit console preferences, select Customize.
3. To close the window and reattach the console to the dashboard, select Attach.

To change the console preferences:

1. Do either of the following:
• In the CLI Console widget title bar, select Console Preferences. (This icon appears when you move your mouse over the title bar.)
• If the console is detached, select Customize.
The Console Preferences dialog appears in a pop-up window.

Figure 221: Console preferences dialog


2. You can change the console color scheme as follows:
• To change the text color, select the button to the left of the Text label, then select your preferred color on the color palette.
• To change the background color, select the button to the left of the Background label, then select your preferred color on the color palette.
The preview area displays the selected text and background color.
3. To add an external command field below the console, mark the Use external command input box check box. A Command input box appears below the console in the preview area.
4. To change the number of most recent entry and display lines kept in the widget’s memory (buffer), enter the preferred number in the Console buffer length field. For example, if you only need to scroll back through the previous 20 lines, type 20.
5. To change the font and font size, select your preferred values from the Font and Size lists.
6. To discard your changes and restore the default settings, select Restore Defaults.
7. Select OK.

System resources widget

The System Resources widget displays use of the FortiScan appliance’s resources: CPU, memory and hard disk status. You can display real-time or historical data by using the Edit icon in the widget’s toolbar.

To view historical information about system resources:

1. In the System Resources widget title bar, select Edit.

Figure 222: Edit system resources settings dialog

2. In the View Type list, select History.
3. To change the time period, select one of the following options from the Time Period list:
• Last 10 minutes
• Last Hour
• Last Day
4. Select OK.


Figure 223: System resources widget, historical display

To view real-time information about system resources:

1. In the System Resources widget toolbar, select Edit.
2. In the View Type list, select Real Time. You cannot specify a time period when viewing system resource information in real time.
3. In the Refresh Interval field, enter a number (between 10 and 240 seconds) to specify how often to refresh the System Resources display with current information. Zero disables the refresh interval feature.
4. Select OK. The System Resources widget appears, displaying two gauges.

Figure 224: System resources widget

The widget displays the following information:


CPU Usage

The current CPU usage status. The widget displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the Web-based Manager) is excluded.

Memory Usage

The current memory status. The widget displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the Web-based Manager) is excluded.


Disk monitor widget

The Disk Monitor widget shows the current disk usage and, if your FortiScan model has RAID, the current RAID status of the hard disks. Each circle indicates the status of a hard disk.

Figure 225: Disk monitor widget, RAID array without any failures

The widget displays the following information:

RAID Status

The following icons and status text indicate whether the RAID array is okay, failed or being rebuilt:
• Green check mark (OK): the RAID array is functioning normally.
• Warning symbol (Warning): there is a problem with a RAID disk, such as a failure, and it needs replacing; see “Replacing hard disks” on page 434. The array is in reduced-reliability mode while this status is indicated.
• Wrench symbol (Rebuilding): a drive has been replaced and the RAID array is being rebuilt; the array is also in reduced-reliability mode.
• Exclamation point (Failure): multiple drives have failed, the RAID array is corrupted, and the drive must be re-initialized.
This item appears only if the FortiScan model has a RAID array, such as a FortiScan-3000C/D.

Disk Space Usage

The amount of disk used in both percentage and a fill line.

Usage

The amount of used disk space and the total available disk space. These numbers are displayed in GB.

Rebuild Status progress bar

A bar indicating the progress of the rebuilding of a RAID array. This bar displays the progress in percent. This bar displays only when a RAID array is being rebuilt; see Figure 227 on page 433.


Estimated rebuild time [start and end time] (For software RAID only)

The time until the rebuild completes, displayed in hours, minutes and seconds. It also indicates when the rebuilding process will end, displaying the name of the day and the time in 12-hour format, for example, Friday at 3:14 pm. This item displays only when an array is being rebuilt.

Rebuild Warning

A bar and text reminding you that the system has no redundancy protection until the rebuilding process is complete. This text displays only when an array is being rebuilt. This item appears only if the FortiScan model has a RAID array, such as a FortiScan 3000C/3000D.

In Figure 226, the Drive Status Indicator shows that Disk 1 has problems, displayed by both a warning symbol and text. The text appears when you hover your mouse over the warning symbol; it also shows the disk capacity in gigabytes. When a disk has a warning, an exclamation mark appears in the Drive Status Indicator.

Figure 226: Disk monitor widget, disk warning

Figure 227: Disk monitor widget, rebuilding

For more information about RAID, see “Changing the RAID level” on page 175.


Replacing hard disks

If a hard drive on a FortiScan appliance fails, a warning symbol appears in the Disk Monitor widget for that disk, and the RAID status changes to Degraded. When this happens, the hard disk must be replaced. The procedure differs slightly for models that use software RAID (FSC-1000B and FSC-1000C) from those equipped with hardware RAID (FSC-3000C and FSC-3000D). In software-managed RAID, you must manually remove the old disk from the RAID unit, then initiate the rebuilding process. In hardware-managed RAID, no intervention is required: the RAID hardware detects the new drive and initiates the rebuilding process automatically.

To replace a hard disk (FSC-1000B, FSC-1000C):

Electrostatic discharge (ESD) can damage FortiScan equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist or ankle strap and attaching it to an ESD connector or to a metal part of a FortiScan chassis.

When replacing a hard disk, first verify that the new disk has at least the same capacity as the old one in the FortiScan appliance. Installing a smaller hard disk will affect the RAID setup and may cause data loss.

1. Log in to the Web-based Manager as the admin administrator.
2. From Current ADOM, select Global.
3. Go to System > Dashboard > Status.
4. Select the black area in the CLI Console widget to activate it and place your cursor.


5. Enter the following commands:

config global
diagnose raid info

The CLI displays RAID information, including the number of failed disks, such as:

FortiScan-1000C # config global
global # dia raid info
Free Disk Space: 877.52GB
Total Disk Space: 916.89GB
RAID information:
RAID level: RAID1
RAID state: Degraded
RAID controller: Linux MD RAID
Number of disks: 2
Array capacity: 931.51GB
Disk     State        Size
disk01   NotPresent   0.00GB
disk02   OK           931.51GB
disk03   Missing
disk04   Missing
MD status:
Personalities: [linear] [raid0] [raid1] [raid10] [raid6] [raid5] [raid4] [faulty]
md0: active raid1 sda1[2](F) sdb1[1]
status: DEGRADED
member_size: 976759864
976759864 blocks super 1.0 [2/1] [_U]
unused devices:

This indicates that disk 1 has failed. Disk 2 in the RAID is still active.

6. Enter the following command to remove the faulty disk from the RAID unit:

diagnose raid delete <disk_number>

where <disk_number> is the index number of the failed disk. For example, if the faulty (F) disk is sda1[2], which correlates to the physical disk disk01, you would type the physical disk number, 1. A confirmation prompt appears:

This command will delete a disk from the RAID array! Do you want to continue? (y/n)

7. Enter y to confirm. The disk is removed from the RAID unit.
8. Go to System > Dashboard > Status.


9. In the Unit Operation widget, select Shutdown. A confirmation dialog appears.
10. Select OK. The FortiScan appliance shuts down.
11. Remove the faulty hard disk from the chassis and replace it with a new one.

Verify that the new disk is from the same manufacturer and has the same capacity. Replacing a hard disk with a smaller capacity hard disk will require the array to resize based upon the smallest capacity disk, which can result in data loss.

Only remove the faulty drive. Depending on your RAID level, removing one of the remaining functional disks could corrupt the remaining disks in the RAID, resulting in data loss. For physical hard drive location, refer to the following diagrams.

Figure 228: Physical hard drive arrangement (FSC-1000B), callouts: Drive 0, Drive 1

Figure 229: Physical hard drive arrangement (FSC-1000C), callouts: Drive 0, Drive 1, Drive 2, Drive 3

12. Restart the FortiScan appliance.
13. Log in again to the Web-based Manager as the admin administrator.
14. Go to System > Config > RAID. The RAID Settings dialog appears. A Rebuild icon is shown to the right of the new drive (see Figure 230).

Figure 230: RAID settings dialog showing the rebuild icon

15. Select the Rebuild icon. The system begins the rebuilding process. The Disk Monitor widget on System > Dashboard > Status displays a wrench (rebuild) icon for the new disk, and the RAID Status area shows the progress of the RAID resynchronization/rebuild (see Figure 227 on page 433).

Once a RAID array is built, if you add another disk from the same manufacturer and with the same capacity, it will not affect the array size until you rebuild the array by restarting the FortiScan appliance.
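The following script is an added example and is not part of this guide or of FortiScan. It parses the text that diagnose raid info prints in step 5 of the software-RAID procedure (the sample output is constructed from the excerpt above), reports whether the array is degraded, and returns the physical disk number that step 6 asks for. It refuses to answer unless md flags exactly one member with (F), because the note under step 11 warns that removing a functional disk can corrupt the array, and it cross-checks the md member against the Disk/State table. The mapping from md member names to physical slots (sda to disk01, sdb to disk02) follows the guide's "sda1[2] correlates to disk01" and is an assumption.

```python
# Added example (not FortiScan code): parse `diagnose raid info` output from a
# software-RAID FortiScan (FSC-1000B/C) and pick the disk number to pass to
# `diagnose raid delete`. The sample is constructed from the excerpt above;
# mapping md members to slots (sda -> disk01, sdb -> disk02) is an assumption
# based on the guide's "sda1[2] correlates to disk01".
import re

SAMPLE_RAID_INFO = """\
Free Disk Space: 877.52GB
Total Disk Space: 916.89GB
RAID information:
RAID level: RAID1
RAID state: Degraded
RAID controller: Linux MD RAID
Number of disks: 2
Array capacity: 931.51GB
Disk     State        Size
disk01   NotPresent   0.00GB
disk02   OK           931.51GB
disk03   Missing
disk04   Missing
MD status:
Personalities: [linear] [raid0] [raid1] [raid10] [raid6] [raid5] [raid4] [faulty]
md0: active raid1 sda1[2](F) sdb1[1]
status: DEGRADED
member_size: 976759864
976759864 blocks super 1.0 [2/1] [_U]
unused devices:
"""

SCALAR = re.compile(r"^(RAID level|RAID state|RAID controller):\s*(.+?)\s*$", re.M)
DISK_ROW = re.compile(r"^(disk\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.M)
MD_LINE = re.compile(r"^(md\d+)\s*:\s*(\w+)\s+(raid\d+)\s+(.*)$", re.M)
MEMBER = re.compile(r"(\w+)\[(\d+)\]((?:\([A-Z]\))*)")   # e.g. sda1[2](F)
PROGRESS = re.compile(r"\[(\d+)/(\d+)\]\s*\[([U_]+)\]")   # e.g. [2/1] [_U]


def physical_disk_number(dev):
    """'sda1' -> 1, 'sdb1' -> 2 (slot-order assumption, see header)."""
    m = re.fullmatch(r"sd([a-z])\d*", dev)
    return ord(m.group(1)) - ord("a") + 1 if m else None


def parse_raid_info(text):
    """Extract RAID state, the Disk/State/Size table and the md array line."""
    info = {k.lower().replace(" ", "_"): v for k, v in SCALAR.findall(text)}
    info["disks"] = {name: {"state": state, "size": size or None}
                     for name, state, size in DISK_ROW.findall(text)}
    md = MD_LINE.search(text)
    if md is None:
        raise ValueError("no md array line in output")
    prog = PROGRESS.search(text)
    info["md"] = {
        "name": md.group(1), "status": md.group(2), "level": md.group(3),
        "members": [{"dev": dev, "slot": int(slot), "faulty": "(F)" in flags,
                     "disk": physical_disk_number(dev)}
                    for dev, slot, flags in MEMBER.findall(md.group(4))],
        "configured": int(prog.group(1)) if prog else None,
        "active": int(prog.group(2)) if prog else None,
        # '_' marks a missing member in the [_U] map.
        "missing_positions": [i for i, c in enumerate(prog.group(3)) if c == "_"] if prog else [],
    }
    return info


def is_degraded(info):
    """True when the appliance or md reports fewer active members than configured."""
    md = info["md"]
    return (info.get("raid_state", "").lower().startswith("degrad")
            or (md["configured"] is not None and md["active"] < md["configured"]))


def failed_physical_disks(info):
    """Slot numbers of the members md has flagged (F)."""
    return sorted({m["disk"] for m in info["md"]["members"] if m["faulty"] and m["disk"]})


def disk_to_delete(info):
    """The one argument for `diagnose raid delete`. Refuses to guess when md
    flags zero or several members: deleting a healthy member from a degraded
    array can destroy the remaining copy of the data."""
    failed = failed_physical_disks(info)
    if len(failed) != 1:
        raise ValueError(f"expected exactly one faulty member, found {failed}")
    state = info["disks"].get(f"disk{failed[0]:02d}", {}).get("state")
    if state == "OK":
        raise ValueError(f"disk{failed[0]:02d} is (F) in md but OK in the disk table; check by hand")
    return failed[0]
```

Paste the console output into parse_raid_info and call disk_to_delete before typing the delete command; the same parser can be polled from a monitoring job, where is_degraded turning True is the event to alert on, since the array has no redundancy until the rebuild in step 15 completes.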

To replace a hard disk (FSC-3000C and FSC-3000D):

Electrostatic discharge (ESD) can damage FortiScan equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist or ankle strap and attaching it to an ESD connector or to a metal part of a FortiScan chassis.

When replacing a hard disk, first verify that the new disk has at least the same capacity as the old one in the FortiScan appliance. Installing a smaller hard disk will affect the RAID setup and may cause data loss.

1. Log in to the Web-based Manager as the admin administrator.
2. From Current ADOM, select Global.
3. Go to System > Dashboard > Status.
4. In the Unit Operation widget, select Shutdown.
5. Select OK.
6. Remove the faulty hard disk and replace it with a new one.

Verify that the new disk is from the same manufacturer and has the same capacity. Replacing a hard disk with a smaller capacity hard disk will require the array to resize based upon the smallest capacity disk, which can result in data loss.

Only remove the faulty drive. Depending on your RAID level, removing one of the remaining functional disks could corrupt the remaining disks in the RAID, resulting in data loss. For physical hard drive location, refer to the following diagrams.

Figure 231: Physical hard drive arrangement (FSC-3000C and FSC-3000D), callouts: Drive 0, Drive 2, Drive 4, Drive 6 (FSC-3000D only); Drive 1, Drive 3, Drive 5, Drive 7 (FSC-3000D only)

7. Restart the FortiScan appliance. The FortiScan appliance automatically adds the new disk to the current RAID array. The status appears on the console. After the FortiScan appliance boots, the widget displays a green check mark icon for all disks and the RAID Status area displays the progress of the RAID resynchronization/rebuild.

Once a RAID array is built, if you add another disk from the same manufacturer and with the same capacity, it will not affect the array size until you rebuild the array by restarting the FortiScan appliance.

Viewing RAID settings

You can view RAID settings from the Disk Monitor widget by selecting the RAID Settings icon. For FSC-3000C and FSC-3000D models, you can also configure RAID from this widget. For more information about configuring RAID settings, see “Changing the RAID level” on page 175.

To view RAID settings:

1. From Current ADOM, select Global.
2. Go to System > Dashboard > Status.
3. In the Disk Monitor widget title bar, select RAID Settings. (This option is only available when you hover your mouse cursor over the title bar.) The RAID Settings dialog appears.

Figure 232: RAID settings

The following information is displayed:


RAID Level

The RAID level.

Total Disk Space

The amount of disk space available within the RAID array.

Free Disk Space

The amount of free disk space.

Disk #

The number identifying the disk. Numbers reflect what disks are available on the FortiScan appliance, and vary by model. For example, on a FSC-1000B, there would be disks 1 and 2, while on a FSC-1000C there would be disks 1-4. On a FSC-3000C, there would be disks 1-6, and on a FSC-3000D, there would be disks 1-8.


Size (GB)

The capacity of the hard disk.

Status

The current status of the hard disk:
• OK: the hard disk is working normally.
• Not Present: the hard disk is not detected by the FortiScan appliance, or has been removed and no disk is available.
• Failed: the hard disk is not working properly.

Unit operation widget

The Unit Operation widget allows administrators to perform basic system operations from the Web-based Manager, such as rebooting the FortiScan appliance. The widget also provides link status indicators for all available ports. If a port is gray, its link status is “down”; if a port is green, its link status is “up”. When you hover your mouse over an active port, a tooltip displays the port details (name, IP address/netmask, link status, connection speed, and the number of bytes sent and received). Selecting a port brings up the network interface list. From there you can change the port state, if necessary.

Figure 233: Unit operation widget

To change a port’s status, mark its check box, then select Bring Up or Bring

The following information is displayed: Reboot

Restart the FortiScan appliance.

Shutdown

Halt all processes on the FortiScan appliance in preparation to power off the hardware. To restart the FortiScan appliance after shutdown, perform a power cycle.


Statistics widget

The Statistics widget counts the number of sessions handled by the FortiScan appliance.

Figure 234: Statistics widget

The widget displays the following information:

Statistics (Since...)

The date and time when the statistics were last reset.

Sessions

The current number of IP sessions on the FortiScan appliance. Select Details for a list of current IP connections.

To view the session details:

1. From Current ADOM, select Global.
2. Go to System > Dashboard > Status.
3. In the Statistics widget, select Details.
4. To perform a simple search on the available information, enter a keyword in the Search field in the toolbar and press Enter.
5. The session information details appear.

Figure 235: Session information


The following information is displayed:

Refresh

Select to update the display with the current list of IP sessions.

(Search box. No label.)

Type a number or IP address, then press Enter to display all rows with a matching port number, IP address, or expiration time.

Protocol

The service protocol of the connection, such as UDP or TCP.

Source

The source IP address of the connection.

Source Port

The source port of the connection.

Destination

The destination IP address of the connection.

Destination Port

The destination port of the connection.

Expires (Secs)

The time in seconds remaining before the session expires, and the connection is terminated.

You can filter the contents of the session information details to find specific content. Each column of data includes a gray Filter icon in its header. When a column filter is applied, the filter icon appears green.

To filter a column:

1. Select the Filter icon for the column you want to filter. A filter dialog appears.

Figure 236: Filter dialog box

2. Select the appropriate filter from the list:
• Protocol
• Source
• Source Port
• Destination
• Destination Port
3. Mark the Enable check box.
4. In the Text field, enter the text string for which you want to filter. If you want the filter to exclude rows containing this text, mark the NOT check box.
5. Select OK to apply the filter.


To turn off filtering:

1. Select the Filter icon in any column. The filter dialog appears.

2. Select Clear All Filters.

3. Select OK. All session information is displayed.

Compliance and vulnerability statistics

Agent Scan > Summary > Compliance Summary in ADOMs other than Global displays the results of the last compliance, vulnerability, and patch scans, displayed as charts with accompanying statistical tables. If you have created the policy required in order to gather data for it, this page also displays a summary of authorized software policy compliance.

Figure 237: Compliance summary page

The page has the following charts and their accompanying index tables:
• Compliance summary chart
• Vulnerability summary chart
• Patch summary chart
• Authorized software policy summary chart


Compliance summary chart

The Compliance Summary chart on the top left quadrant of Agent Scan > Summary > Compliance Summary displays the results of the most recent compliance scan. The compliance index lists the following information:

Compliance Summary for Group: All

A pie chart of the total number of assets that are in compliance and out of compliance according to the latest compliance scan, as well as the number of assets that have yet to be tested.

Compliance Index

A table summarizing the compliance statistics across all assets.

Total in Compliance Assets

The total number of assets found to be in compliance.

Total Out of Compliance Assets

The total number of assets found to be out of compliance.

Total Evaluated Assets

The total number of assets that were tested for compliance.

Total Not Tested Assets

The total number of assets that were not tested for compliance.

Total Assets

The total number of assets in the FortiScan appliance’s inventory (see “Your Asset Inventory” on page 179).

Total Jobs

The total number of jobs, counted per benchmark: if the same benchmark was run three times, only one job is counted, and the latest run is selected. Select this number to view the Compliance Job Summary list (see “Compliance job summary table” on page 443).

Total Subgroups

The total number of administrator-defined asset groups defined in the FortiScan appliance inventory. Select this value to view the Security Posture Report – Compliance Summary for all subgroups.
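The counting rules behind the Compliance Index and the Total Jobs value above, worked through as an added Python example; this is not code from the FortiScan appliance or from this guide. The asset results, job names, asset group and benchmark names are constructed for the example; the relationships it encodes (Evaluated = In + Out, Total = Evaluated + Not Tested, one job counted per benchmark with the latest run selected, and per-job compliance percentages for the job summary table) follow the descriptions above.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Status values an asset can have after the latest compliance scan.
IN, OUT, NOT_TESTED = "in_compliance", "out_of_compliance", "not_tested"


@dataclass(frozen=True)
class AssetResult:
    host: str
    status: str          # IN, OUT or NOT_TESTED


@dataclass(frozen=True)
class ComplianceJob:
    name: str            # Job Name
    benchmark: str       # benchmark the job applied (hypothetical names below)
    end_time: datetime   # End Time
    asset_group: str     # Asset Group
    results: tuple       # one AssetResult per asset scanned by the job


def compliance_index(results):
    """Compliance Index rows: Evaluated = In + Out; Total = Evaluated + Not Tested."""
    counts = Counter(r.status for r in results)
    in_c, out_c, untested = counts[IN], counts[OUT], counts[NOT_TESTED]
    return {
        "Total in Compliance Assets": in_c,
        "Total Out of Compliance Assets": out_c,
        "Total Evaluated Assets": in_c + out_c,
        "Total Not Tested Assets": untested,
        "Total Assets": len(results),
    }


def latest_job_per_benchmark(jobs):
    """Total Jobs rule: a benchmark run several times counts once, latest run wins."""
    latest = {}
    for job in jobs:
        current = latest.get(job.benchmark)
        if current is None or job.end_time > current.end_time:
            latest[job.benchmark] = job
    return latest


def total_jobs(jobs):
    return len(latest_job_per_benchmark(jobs))


def job_summary_row(job):
    """One Compliance Job Summary row; percentages are of the job's scanned assets."""
    idx = compliance_index(job.results)
    total = idx["Total Assets"]

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "Job Name": job.name,
        "End Time": job.end_time.isoformat(),
        "Asset Group": job.asset_group,
        "Total Assets": total,
        "In Compliance": pct(idx["Total in Compliance Assets"]),
        "Out of Compliance": pct(idx["Total Out of Compliance Assets"]),
    }


# Constructed sample data (not taken from any appliance).
SAMPLE_RESULTS = (
    AssetResult("web01", IN), AssetResult("web02", IN),
    AssetResult("db01", OUT), AssetResult("lab01", NOT_TESTED),
)
SAMPLE_JOBS = (
    ComplianceJob("cis-win-2013-03-01", "CIS-Windows", datetime(2013, 3, 1, 2, 0), "Servers", SAMPLE_RESULTS),
    ComplianceJob("cis-win-2013-04-01", "CIS-Windows", datetime(2013, 4, 1, 2, 0), "Servers", SAMPLE_RESULTS[:3]),
    ComplianceJob("cis-win-2013-05-01", "CIS-Windows", datetime(2013, 5, 1, 2, 0), "Servers", SAMPLE_RESULTS),
    ComplianceJob("usgcb-rhel-2013-05-02", "USGCB-RHEL", datetime(2013, 5, 2, 2, 0), "Servers", SAMPLE_RESULTS[:3]),
)

if __name__ == "__main__":
    print(compliance_index(SAMPLE_RESULTS))
    print("Total Jobs:", total_jobs(SAMPLE_JOBS))   # 2: three CIS-Windows runs count once
    for job in latest_job_per_benchmark(SAMPLE_JOBS).values():
        print(job_summary_row(job))
```

Note that assets with status NOT_TESTED are part of Total Assets but not of Total Evaluated Assets, so the two compliance percentages of a job need not sum to 100 when a job's group contains untested assets.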

Compliance job summary table

On Agent Scan > Summary > Compliance Summary, when you select the value in the Total Jobs number in the Compliance Index table, the Compliance Job Summary table appears in the content pane. The table displays the names of all the compliance scans which were performed and the results of each scan. Go to Agent Scan > Summary > Compliance Summary.

Figure 238: Compliance job summary table


The compliance job summary lists the following information:

Compliance Job Summary

Displays the status of all compliance scan jobs that were applied to the assets and the result.

Job Name

The name of the compliance scan job that was used to apply the benchmarks.

Title

The title of the compliance scan job.

End Time

The date and time the job completed.

Applied By

The name of the administrator account which initiated the compliance scan.

Status

The job status.

Asset Group

The name of the asset group that was scanned by this job.

Total Assets

Total number of assets scanned.

In Compliance

Percentage of total assets that are in compliance.

Out of Compliance

Percentage of total assets that are out of compliance.

Print Preview

Opens a printer friendly browser window that allows you to print the information.

Vulnerability summary chart

The Vulnerability Summary chart on the top right quadrant of Agent Scan > Summary > Compliance Summary displays the results of the most recent vulnerability scan. The vulnerability summary chart displays the following information:

Vulnerability Summary for Group: All

A pie chart of the total number of assets that are in compliance and out of compliance according to the latest vulnerability scan, as well as the number of assets that have yet to be tested.

Vulnerability Index

A table summarizing the vulnerability statistics across all assets.

Total in Compliance Assets

The total number of assets found to be in compliance with vulnerability management policies.

Total Out of Compliance Assets

The total number of assets found to be out of compliance with vulnerability management policies.


Total Evaluated Assets

The total number of assets that were tested for compliance with vulnerability management policies.

Total Not Tested Assets

The total number of assets that were not tested for compliance with vulnerability management policies.

Total Assets

The total number of assets in the FortiScan appliance’s inventory (see “Your Asset Inventory” on page 179).


Total Jobs

The total number of jobs, counted per definition: if the same benchmark was run three times, only one job is counted, and the latest run is selected. Select this value to view the Vulnerability Job Summary page; see “Vulnerability job summary table” on page 445.

Total Subgroups

The total number of subgroups defined in the FortiScan appliance database. Select this value to view the Security Posture Report – Vulnerability Summary for all subgroups.

Vulnerability job summary table

On Agent Scan > Summary > Compliance Summary, when you select the value in the Total Jobs number in the Vulnerability Index table, the Vulnerability Job Summary table appears in the content pane. The table displays the names of all the vulnerability scan jobs which were performed and the results of each scan.

Figure 239: Vulnerability job summary table

The following information is displayed:

Vulnerability Job Summary

Displays the status of all vulnerability scan jobs that were applied to the assets and the result.

Job Name

The name of the vulnerability scan job that was used to apply the benchmarks.

Title

The title of the vulnerability scan job.

End Time

The date and time the job completed.

Applied By

The name of the administrator account which initiated the scan.

Status

The job status.

Asset Group

The name of the asset group that was scanned.

Total Assets

Total number of assets scanned.

In Compliance

Percentage of total assets that are in compliance.

Out of Compliance

Percentage of total assets that are out of compliance.

Print Preview

Opens a printer friendly browser window that allows you to print the information.


Patch summary chart

The Patch Summary chart on the bottom left quadrant of Agent Scan > Summary > Compliance Summary displays the results of the most recent patch scan. The following information is displayed:

Patch Summary for Group: All

A pie chart of the total number of assets that are in compliance and out of compliance, according to the latest patch scan, as well as the number of assets that have yet to be tested.

Patch Index

A table summarizing the installed patch statistics across all assets.

Total in Compliance Assets

The total number of assets found to be in compliance with installed patch requirements.

Total Out of Compliance Assets

The total number of assets found to be out of compliance with installed patch requirements.


Total Evaluated Assets

The total number of assets that were tested for installed patch status.

Total Not Tested Assets

The total number of assets that were not tested for installed patch status.

Total Assets

The total number of assets in the FortiScan appliance’s inventory (see “Your Asset Inventory” on page 179).

Total Jobs

The total number of jobs, counted per definition: if the same benchmark was run three times, only one job is counted, and the latest run is selected. Select this value to view the Patch Job Summary page (see “Patch job summary table” on page 447).

Total Subgroups

The total number of subgroups defined in the FortiScan appliance database. Select this value to view the Security Posture Report – Patch Summary for all subgroups.


Patch job summary table

On Agent Scan > Summary > Compliance Summary, when you select the value in the Total Jobs field in the Patch Index table, the Patch Job Summary table appears in the content pane. The table displays the names of all the patch scan jobs which were performed and the results of each scan.

Figure 240: Patch job summary table

The following information is displayed:

Patch Job Summary

Displays the status of all patch scan jobs that were applied to the assets and the result.

Job Name

The name of the patch scan job that was used to apply the benchmarks.

Title

The title of the patch scan job.

End Time

The date and time the job completed.

Applied By

The name of the administrator account which initiated the scan.

Status

The job status.

Asset Group

The name of the asset group that was scanned.

Total Assets

Total number of assets scanned.

In Compliance

Percentage of total assets that are in compliance.

Out of Compliance

Percentage of total assets that are out of compliance.

Print Preview

Opens a printer friendly browser window that allows you to print the information.

Authorized software policy summary chart

The Authorized Software Policy Summary chart on the bottom right quadrant of Agent Scan > Summary > Compliance Summary displays the results of the most recent compliance scan.

To collect data for this chart, you must create a policy specifically named Authorized Software Policy. For details, see “Allowing only authorized software” on page 360.


The authorized software policy summary and authorized index table display the following information:

Authorized Software Policy Summary for Group: All

A pie chart of the total number of assets that are in compliance and out of compliance with the authorized software policies, according to the latest compliance scan, as well as the number of assets that have yet to be tested.

Authorized Software Index

A table summarizing the authorized software statistics across all assets.

Total in Compliance Assets

The total number of assets found to be in compliance in terms of authorized software policies.

Total Out of Compliance Assets

The total number of assets found to be out of compliance in terms of authorized software policies.

Total Evaluated Assets

The total number of assets that were tested for authorized software policy compliance.

Total Not Tested Assets

The total number of assets that were not tested for authorized software policy compliance.

Total Assets

The total number of assets in the FortiScan appliance’s inventory (see “Your Asset Inventory” on page 179).

Total Assets in Violation

The total number of assets that are in violation of the Authorized Software policy applied to those assets. Select this value to view the list of assets that are in violation of their applied authorized software policy. For details, see “Authorized software policy summary table” on page 448.

Total Subgroups

The total number of subgroups defined in the FortiScan appliance database. Select this value to view the Security Posture Report – Authorized Software Policy Summary for all access groups.

Authorized software policy summary table

On Agent Scan > Summary > Compliance Summary, when you select the value in the Total Assets in Violation field in the Authorized Software Index table, the Authorized Software Policy Summary table appears in the content pane. The table lists all the assets that were found to violate the authorized software policies and lists the unauthorized software found on each asset.

In order for FortiScan appliance to collect data and generate the authorized software policy summary list, you need to create a custom policy specifically named “Authorized Software Policy”. For details, see “Allowing only authorized software” on page 360.

Authorized Software Policy Summary

Displays all the assets that were found to be in violation of the applied authorized software policies and lists the policies that were violated for each asset.

Host Name

The name of the asset that violates an authorized software policy.

IP Address

The asset’s IP address.

Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

OS Type

The asset’s OS platform.

OS Version

The version (build) of the OS installed on the asset.

Asset Group

The name of the asset group to which the software policies were applied.

Status

The protection and connectivity status of the asset: Protected, Registered, Disconnected, New, or Retired. Assets whose Agent Scan Status is not Protected will not participate when you schedule FortiScan agent-based scans. For details, see “Agent scan status” on page 26.

Total Policy Events

The total number of policies that were applied to the asset.

Total Unauthorized Software

The total number of unauthorized software applications found on the asset.

Unauthorized Software

Select the icon to view a list of the unauthorized software that was found on the asset.

Print Preview

Opens a printer friendly browser window that allows you to print the information.

Security postures

Agent Scan > Security Posture > Security Posture displays the compliance scan (audit), vulnerability scan, patch, and authorized software policy summaries for each asset group. This location displays the following tabs in the content pane:
• Compliance posture tab
• Vulnerability posture tab
• Patch posture tab
• Authorized software posture tab

Compliance posture tab

The Compliance Posture tab provides compliance scan summary scores and details per rule, per group of rules, per assessment profile, and per benchmark.

Many assets could be out of compliance. Just one test failure per thousands of compliance tests on every thousand assets could yield large volumes of data if you have many assets. To help you focus on the most severe vulnerabilities and prioritize your work to bring non-compliant assets into compliance, the FortiScan appliance identifies those assets that are most out of compliance, and those rules that are violated most frequently.

To view the Compliance Posture tab, go to Agent Scan > Security Posture > Security Posture. Then, from the asset selection tree, select the asset group whose compliance scan results you want to view. Several tabs appear. The Compliance Posture tab is frontmost and visible.


Figure 241: Security posture - Compliance posture tab

The following information is displayed:

Compliance Summary for Group: {}

A pie chart of the number of compliant assets, non-compliant assets, and assets that have not yet been tested in the currently selected group, according to the latest compliance scan.

Compliance Index

Compliance statistics for assets in the currently selected group.

Total in Compliance Assets

The total number of assets in the group found to be in compliance.

Total Out of Compliance Assets

The total number of assets in the group found to be out of compliance.

Total Evaluated Assets

The total number of assets in the group that were tested for compliance.

Total Not Tested Assets

The total number of assets in the group that have not yet been tested for compliance.

Total Assets

The total number of assets in the group.

Total Jobs

The total number of job definitions counted in the compliance summary. Selecting this value opens the Compliance Job Summary list for the selected asset group; see “Compliance job summary table” on page 443.

First 10 Out of Compliance Assets for Group {}

Lists the first ten assets that were evaluated as non-compliant in the selected asset group.

Host

The host name of the non-compliant asset.

IP Address

The IP address of the non-compliant asset.

OS Type

The operating system (OS) family of the non-compliant asset.


OS Version

The OS version of the non-compliant asset.

Top 10 out of n Failing Rules

Displays the top ten rules that were failed during the compliance scan. The number “n” shows the total number of rules that were violated.

Rule ID

The title description of the rule that was violated.

OVAL ID

The OVAL database ID for the selected rule.

CCE

The Common Configuration Enumeration (CCE) identifier for the issue that caused the selected rule to fail. Multiple issues are shown separated by commas. For more information, visit: http://cce.mitre.org

FISMA Controls

The Federal Information Security Management Act (FISMA) control requirement that was specified by the rule.

Asset Count

The number of assets in the group that failed the selected rule.

Extended View

Select to view the Failing Rules Summary for all the rules that were violated. See “Viewing compliance rule violations” on page 346.

Vulnerability posture tab

The Vulnerability Posture tab in the content pane on Agent Scan > Security Posture > Security Posture provides vulnerability scan results, per asset group as well as per vulnerability definition. To view the Vulnerability Posture tab, go to Agent Scan > Security Posture > Security Posture. Then, from the asset selection tree, select the asset group whose vulnerability scan results you want to view. Several tabs appear. Select the Vulnerability Posture tab.


Figure 242: Security posture - Vulnerability posture tab

The following information is displayed:

Vulnerability Summary for Group

A pie chart of the number of vulnerable assets, non-vulnerable assets, and assets that have not yet been tested in the currently selected group, according to the latest vulnerability scan.

Vulnerability Index

Summarizes the vulnerability statistics across all assets in the selected group.

Total in Compliance Assets

The total number of assets in the group found to be non-vulnerable.

Total Out of Compliance Assets

The total number of assets in the group found to be vulnerable.

Total Evaluated Assets

The total number of assets in the group that were tested during the vulnerability scan.

Total Not Tested Assets

The total number of assets in the group that have not yet been scanned for vulnerability.

Total Assets

The total number of assets in the asset group.

Total Jobs

The total number of job definitions counted in the compliance summary. Select the number to open the Vulnerability Job Summary list for the asset group (see “Vulnerability job summary table” on page 445).


Top 10 Most Vulnerable Assets for Group {name}

Displays information about the top ten most vulnerable assets. Select Extended View to access more detailed information or to export the information to a PDF or text (CSV) file. For more information, see “Viewing the top 10 most vulnerable assets” on page 454.

Host

The host name of the asset.

IP Address

The IP address of the asset. Select this field in the Extended View to see the Asset Detail page for the asset. For more information, see “Viewing a chart’s asset details” on page 207.

Number of Vulns

The number of vulnerabilities detected in this asset. Select this field in the Extended View to see the Asset Vulnerability Summary page for this asset.

OS Type

The operating system (OS) family running on the asset.

OS Version

The version of the OS running on the asset.

Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

Status

The protection and connectivity status of the asset: Protected, Registered, Disconnected, New, or Retired. Assets whose Agent Scan Status is not Protected will not participate when you schedule FortiScan agent-based scans. For details, see “Agent scan status” on page 26.

Top 10 Unresolved Vulnerabilities for Group {name}

Displays information about the top ten unresolved vulnerabilities. Select Extended View to access more detailed information or to export the information to a PDF or text (CSV) file. For more information, see “Viewing assets per vulnerability” on page 268.

Vulnerability ID

The vendor’s OVAL database definition for this vulnerability. Select this field in the Extended View to go to the Vulnerability Asset Detail page; see “Viewing vulnerability details” on page 269.

Name

The name of the vulnerability.

CVE ID

Select this field in the Extended View to see the entry in the Common Vulnerabilities and Exposures (CVE) dictionary for the selected vulnerability. Opens an external link to the NIST National Vulnerability database.

Severity

Severity of the vulnerability, based on the CVSS score. See “Severity” on page 29.

CVSS Base Score

Common Vulnerability Scoring System (CVSS) score used to determine Severity.


CVSS Vector

Select this field in the Extended View to see the components from which the CVSS score was calculated. Opens an external link to the NIST National Vulnerability database.

Number of Occurrences

The number of occurrences of this vulnerability alert. Select this field in the Extended View to see the vulnerability asset summary information; see “Viewing assets per vulnerability” on page 268.

Viewing the top 10 most vulnerable assets

You may have many vulnerable assets, especially during the initial phase of a compliance project when you are bringing many assets into compliance. In order to prioritize your work, it can be helpful to view the assets with the greatest number of vulnerabilities in order to focus on those first.

Especially if you have many administrators within your ADOM, you may find it useful to assign remediation work using tickets. For details, see “Tickets” on page 392.

To view the top 10 most vulnerable assets for an asset group:

1. From Current ADOM, select the name of an ADOM that is not Global.

2. Go to Agent Scan > Security Posture > Security Posture.

3. In the asset selection tree, select the asset group whose top 10 most vulnerable hosts you want to view.

4. Select the Vulnerability Posture tab.

5. In the Top 10 Most Vulnerable Assets for Group: {} table, select Extended View. A pop-up window appears, showing a detailed list of the top 10 most vulnerable assets in the group.

Figure 243: Most vulnerable assets

The following information is displayed:

Host

The host name of the asset.

IP Address

The IP address of the asset. Select this field to view the Asset Detail page for the asset. For more information, see “Viewing a chart’s asset details” on page 207.

Number of Vulns

The number of vulnerabilities detected in this asset. Select this field to view the Asset Vulnerability Summary page for this asset.

OS Type

The asset’s operating system platform.

OS Version

The asset’s OS version.

Criticality

The importance of the asset to your organization or network security: Highest, High, Medium, Low, or Lowest. For details, see “Risk: prioritizing your business-critical machines” on page 27.

Status

The protection and connectivity status of the asset: Protected, Registered, Disconnected, New, or Retired. Assets whose Agent Scan Status is not Protected will not participate when you schedule FortiScan agent-based scans. For details, see “Agent scan status” on page 26.

Export to PDF

Select to download the page as a PDF file.

Export to CSV

Select to download the page as a comma-separated values (CSV) spreadsheet file.

Patch posture tab

To view the Patch Posture page for an asset group, go to Agent Scan > Security Posture > Security Posture and from the Asset Groups tree, select the asset group you want to view. Then select the Patch Posture tab in the content pane. The display shows the Patch Summary for Group graphical pie chart and Patch Index table for the selected asset group.

Figure 244: Patch posture tab

The following information is displayed:

Patch Summary for Group

Shows in graphical form (pie chart) the total number of assets in the selected group that are in compliance and out of compliance, according to the latest patch scan, as well as the total percentage of assets that have yet to be tested.

Patch Index

Summarizes the patch statistics across all assets in the selected group.

Total in Compliance Assets

The total number of assets in the group found to be in compliance.

Total Out of Compliance Assets

The total number of assets in the group found to be out of compliance.

Total Evaluated Assets

The total number of assets in the group that were tested during the patch scan.

Total Not Tested Assets

The total number of assets in the group that were not tested during the patch scan.

Total Assets

The total number of assets in the asset group.

Total Jobs

The total number of job definitions counted in the compliance summary. Selecting this value opens the Patch Job Summary list for the selected asset group; see “Patch job summary table” on page 447.

Authorized software posture tab

To view the Authorized Software Policy Posture page for an asset group, go to Agent Scan > Security Posture > Security Posture and from the Asset Groups tree, select the asset group you want to view. Then select the Authorized Software Policy Posture tab in the content pane. The display shows the Authorized Software Policy Summary for Group graphical pie chart and Authorized Software Index table for the selected asset group.

In order for FortiScan appliance to collect data and generate the authorized software policy summary list, you need to create a custom policy specifically named “Authorized Software Policy”. For details, see “Allowing only authorized software” on page 360.

Figure 245:Authorized software policy posture tab

The following information is displayed:

Authorized Software Policy Summary for Group

Shows in graphical form (pie chart) the total number of assets in the selected group that are in compliance and out of compliance, according to the latest authorized software policy applied to the selected group, as well as the total percentage of assets that have yet to be tested.

Authorized Software Index

Summarizes the authorized software statistics across all assets in the selected group.


Total in Compliance Assets

The total number of assets in the group found to be in compliance with the authorized software policy applied to the selected group.

Total Out of Compliance Assets

The total number of assets in the group found to be out of compliance with the authorized software policy applied to the selected group.

Total Evaluated Assets

The total number of assets in the group that were tested for authorized software policy compliance.

Total Not Tested Assets

The total number of assets in the group that were not tested for authorized software policy compliance.

Total Assets

The total number of assets in the asset group.

Total Assets in Violation

Select to view the list of all assets in the group that are in violation of their applied authorized software policy. For details, see “Authorized software policy summary table” on page 448.

Monitoring and disconnecting administrator sessions

System > Admin > Monitor in the Global ADOM displays the list of administrator accounts that are currently logged in to the FortiScan appliance.

Figure 246: System monitor page

To disconnect a session, mark the check box next to an administrator’s account name, then on the toolbar, select Disconnect. If the maximum number of administrator sessions is currently in use when an administrator logs in, the Web-based Manager will prompt the authenticating administrator to terminate one of the existing sessions. For details, see “Maximum concurrent administrator sessions” on page 40.

SNMP traps and queries

System > Config > SNMP in the Global ADOM enables you to configure the FortiScan appliance’s SNMP agent. You can configure the FortiScan unit’s simple network management protocol (SNMP) agent to allow queries for system information and to send traps (alarms or event messages) to the computer or appliance that you designate as its SNMP manager. In this way you can use an SNMP manager to monitor the FortiScan appliance. Your SNMP manager could be any computer or appliance, such as a FortiManager system, that can receive the incoming traps from SNMP agents that are a part of its community, and can also query those agents. One FortiScan appliance could belong to multiple communities, such as both a firewall SNMP community and a workstation SNMP community. It can also send traps and receive queries from multiple SNMP managers in those communities.


Before you can use SNMP, you must activate the FortiScan appliance’s SNMP agent and add it as a member of at least one community. On the SNMP manager, you must also verify that the SNMP manager is a member of the same community to which the FortiScan appliance belongs, and compile the necessary Fortinet-proprietary management information blocks (MIBs) and Fortinet-supported standard MIBs. For information on MIBs, see “MIB support” on page 462.

Failure to add the SNMP manager to a community to which the FortiScan appliance belongs, or to supply it with required MIBs, will make the SNMP manager unable to query or receive traps from the FortiScan appliance.

To configure SNMP:

1. Add the MIBs to your SNMP manager so that you will be able to receive traps and perform queries. For instructions, see the documentation for your SNMP manager.

2. From Current ADOM, select Global. SNMP access includes hardware information, which applies to the entire appliance, not a specific ADOM.

3. Go to System > Config > SNMP.

Figure 247: SNMP access list

4. Configure the following settings:


SNMP Agent

Mark this check box to enable the SNMP agent.

Description

Type a comment about the FortiScan appliance. The description can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

Location

Type the physical location of the FortiScan appliance. The location can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).


Contact

Type the contact information for the administrator or other person responsible for this FortiScan appliance, such as a phone number or name. The contact information can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

(Expansion arrow. No label.)

Select the expansion arrow to configure thresholds for trap types that are sent when the appliance reaches that level, such as CPU usage, memory usage, or disk usage.

Trap Type

The name of trap types that are configurable, such as cpu, memory, or disk.

Trigger

Type the percentage of usage that is the trap threshold. The percentage must be between 1 and 100. The default is 80 percent. For example, for cpu, typing 80 means that the trap threshold is reached when the CPU usage reaches 80 percent.

Threshold

Type the number of times a threshold must be reached during the sample period in order to trigger the trap. The number must be between 1 and 100. The default is 1 time.

Sample Period(s)

Type a number for the time span, in seconds, during which the threshold must be crossed the number of times specified in Threshold in order to trigger the trap. The number must be between 1 and 28800. The default is 600 seconds (10 minutes). For example, during a sample period of 600 seconds (10 minutes), the SNMP agent could evaluate memory every 60 seconds (1 minute) to see how many times the threshold was exceeded. If the number of times meets or exceeds the number in Threshold, the FortiScan appliance would send the trap to the SNMP manager.

Sample Frequency(s)

Type the number of times to sample the CPU, memory, or hard disk usage during the sample period. The number must be between 1 and 100. The default is 30 seconds.

Communities

Create New

Select to add a new SNMP community.

Edit

Mark the check box of the SNMP community that you want to modify, then select Edit.

Delete

Mark the check box of the SNMP community that you want to delete, then select Delete.

Test

Mark the check box of the SNMP community whose configuration you want to verify by sending a test SNMP trap to its SNMP managers, then select Test. This option is available only if the SNMP agent is enabled. To confirm that the trap has been successfully received, log in to your SNMP manager. If the test fails, verify the configuration of your SNMP community.


#

The sequential number of each community in the list.

Community Name

The name of the SNMP community.

Queries

The status of SNMP queries for each SNMP community. The query status can be enabled (green check mark) or disabled (gray X).

Traps

The status of SNMP traps for each SNMP community. The trap status can be enabled (green check mark) or disabled (gray X).

Enable

Mark this check box to enable the SNMP community. By default, an SNMP community is enabled when it is configured.

5. Select Apply.

6. Under Communities, select Create New. The New SNMP Community dialog appears.

Figure 248: New SNMP community

7. Configure the following settings:

Community Name

Type the name of an SNMP community to which the FortiScan appliance and at least one SNMP manager belong.

Hosts


Host Name

Type the IP address of the SNMP manager that, if traps or queries are enabled in this community:
• will receive traps from the FortiScan appliance
• will be permitted to query the FortiScan appliance
SNMP managers have read-only access. To allow any IP address using this SNMP community name to query the FortiScan unit, type 0.0.0.0.
Note: Entering 0.0.0.0 effectively disables traps if there are no other host IP entries, because there is no specific destination for trap packets. If you do not want to disable traps, you must add at least one other entry that specifies the IP address of an SNMP manager.

Interface

Select either ANY or the name of the network interface from which the FortiScan appliance will send traps and reply to queries. Note: You must select a specific network interface if the SNMP manager is not on the same subnet as the FortiScan appliance. This can occur if the SNMP manager is on the Internet or behind a router.

Delete

Select to remove an SNMP manager.

Add

Select to add an SNMP manager to the community. You can add up to 10 SNMP managers per community.

Queries

Type the port number (161 by default) on which the FortiScan unit listens for SNMP queries from the SNMP managers in this community, then enable queries for either or both SNMP v1 and SNMP v2c.

Traps

Type the port number (162 by default) that will be the source (Local) port number and destination (Remote) port number for trap packets sent to SNMP managers in this community, then enable traps for either or both SNMP v1 and SNMP v2c.

SNMP Event

In the Enable column, mark the check box for each SNMP event for which the FortiScan appliance should send traps to the SNMP managers in this community.

8. Repeat the previous two steps for each community to which the FortiScan appliance belongs.

9. To verify your SNMP configuration and network connectivity between your SNMP manager and your FortiScan appliance, be sure to test both traps and queries (assuming you have enabled both). Traps and queries typically occur on different port numbers, and therefore verifying one does not necessarily verify that the other is also functional. To test queries, from your SNMP manager, query the FortiScan appliance. To test traps, cause one of the events that should trigger a trap.
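The trap threshold fields in step 4 (Trigger, Threshold, Sample Period and Sample Frequency) combine into one rule per sample period. The following model is an added example, not FortiScan code: it applies the evaluation the table describes (count the samples in one period that reach Trigger, send the trap when that count reaches Threshold) and assumes Sample Frequency is the interval in seconds between samples, which the table leaves ambiguous.

```python
"""Model of the SNMP trap threshold settings (Trigger, Threshold, Sample
Period, Sample Frequency) as the configuration table describes them.

Added example; not FortiScan code. Assumption: Sample Frequency is the
number of seconds between two samples within one sample period.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class TrapThreshold:
    trap_type: str              # "cpu", "memory" or "disk"
    trigger: int = 80           # usage percentage, 1..100 (default 80)
    threshold: int = 1          # hits required per sample period, 1..100
    sample_period: int = 600    # seconds, 1..28800 (default 600)
    sample_frequency: int = 30  # seconds between samples, 1..100 (assumption)

    def __post_init__(self) -> None:
        # Enforce the value ranges the table gives for each field.
        if not 1 <= self.trigger <= 100:
            raise ValueError("trigger must be 1..100")
        if not 1 <= self.threshold <= 100:
            raise ValueError("threshold must be 1..100")
        if not 1 <= self.sample_period <= 28800:
            raise ValueError("sample period must be 1..28800 seconds")
        if not 1 <= self.sample_frequency <= 100:
            raise ValueError("sample frequency must be 1..100")

    def samples_per_period(self) -> int:
        return max(1, self.sample_period // self.sample_frequency)

    def evaluate_period(self, samples: List[int]) -> bool:
        """True if the samples of one period would make the agent send a trap."""
        hits = sum(1 for usage in samples if usage >= self.trigger)
        return hits >= self.threshold


def run_agent(cfg: TrapThreshold, usage: Callable[[int], int], periods: int) -> List[int]:
    """Simulate consecutive sample periods.

    usage(t) returns the resource usage percentage at time t (seconds).
    Returns the 0-based indexes of the periods in which a trap is sent.
    """
    fired = []
    per_period = cfg.samples_per_period()
    for period in range(periods):
        start = period * cfg.sample_period
        samples = [usage(start + i * cfg.sample_frequency) for i in range(per_period)]
        if cfg.evaluate_period(samples):
            fired.append(period)
    return fired


def constructed_cpu_usage(t: int) -> int:
    """Constructed CPU curve: idle at 20%, a 60 s spike to 95% in period 0,
    and a sustained 90% load for the whole of period 2."""
    if 120 <= t < 180:
        return 95
    if 1200 <= t < 1800:
        return 90
    return 20


def demo() -> dict:
    # Defaults: a single sample at or above 80% within a 600 s period sends a trap,
    # so the brief spike in period 0 is reported as well as the sustained load.
    default_cfg = TrapThreshold("cpu")
    # Tuned: require 5 samples at or above 80% within the period; the spike
    # is now ignored and only the sustained load in period 2 sends a trap.
    tuned_cfg = TrapThreshold("cpu", trigger=80, threshold=5,
                              sample_period=600, sample_frequency=60)
    return {
        "default": run_agent(default_cfg, constructed_cpu_usage, 3),
        "tuned": run_agent(tuned_cfg, constructed_cpu_usage, 3),
    }


if __name__ == "__main__":
    print(demo())  # {'default': [0, 2], 'tuned': [2]}
```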


MIB support

You can configure the FortiScan appliance to respond to traps and send alert messages to SNMP managers that were added to SNMP communities. When you are configuring SNMP, you need to first download and install both the FORTINET-CORE-MIB.mib and FORTINET-FORTISCAN-MIB.mib files so that you can view these alerts in a readable format. The Fortinet MIB contains support for all Fortinet devices, and includes some generic SNMP traps; information responses and traps that FortiScan appliances send are a subset of the total number supported by the Fortinet proprietary MIB. Your SNMP manager may already include standard and private MIBs in a compiled database which is all ready to use; however, you still need to download both the FORTINET-CORE-MIB.mib and FORTINET-FORTISCAN-MIB.mib files regardless. FortiScan SNMP is read-only: SNMP v1 and v2 compliant SNMP managers have read-only access to FortiScan system information and can receive FortiScan traps. RFC support includes most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). FortiScan appliances also use object identifiers from the Fortinet proprietary MIB. The FortiScan SNMP agent supports the following management information blocks (MIBs):

Table 26: Supported MIBs

MIB or RFC

Description

FORTINET-CORE-MIB

This Fortinet-proprietary MIB enables your SNMP manager to query for system information and to receive traps that are common to multiple Fortinet devices.

FORTINET-FORTISCAN-MIB

This Fortinet-proprietary MIB enables your SNMP manager to query for FortiScan-specific information and to receive FortiScan-specific traps.

RFC-1213 (MIB II)

The FortiScan SNMP agent supports MIB II groups, except:
• There is no support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).
• Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP, etc.) do not accurately capture all FortiScan traffic activity. More accurate information can be obtained from the information reported by the FortiScan MIB.

RFC-2665 (Ethernet-like MIB)

The FortiScan SNMP agent supports Ethernet-like MIB information except the dot3Tests and dot3Errors groups.

You can obtain these MIB files from the Fortinet Technical Support web site, https://support.fortinet.com. To be able to communicate with your FortiScan appliance’s SNMP agent, you must first compile these MIBs into your SNMP manager. If the standard MIBs used by the SNMP agent are already compiled into your SNMP manager, you do not have to compile them again. To view a trap or query’s name, object identifier (OID), and description, open its MIB file in a plain text editor. All traps sent include the message, the FortiScan appliance’s serial number, and host name. For instructions on how to configure traps and queries, see “SNMP traps and queries” on page 457.


Scheduled tasks and events

Events & Tickets > Scheduler > Scheduler Tasks in the Global ADOM displays the list of scheduled tasks. The FortiScan appliance has some internally scheduled tasks. For example, the FortiScan appliance checks the FDS server every hour for new remediation packages. Also, administrators can schedule tasks such as report generation or remediations. Each completed scheduled task generates a scheduler event.

Figure 249: Scheduler tasks

The following information is displayed:

Name

Lists the name of the scheduled task, or the description of the policy or vulnerability that contains a scheduled remediation.

Description

The scheduled task description.

Schedule

The type of scheduling configured for the task: immediately, once, or recurring (by minute, hour, day, week, etc.)

Next Run Time

The next date and time the scheduled task will run.

Last Run Time

The last date and time the scheduled task ran.

Task Type

The type of scheduled task.

Action

Select the Delete icon to end the scheduled task and remove it from the scheduler.

You can select the column headings to sort the list. You can also filter the list by selecting the filter icon on a column heading. For more information, see “Filtering list entries” on page 45. Events & Tickets > Scheduler > Scheduler Events displays the list of scheduled events.


Figure 250: Scheduler events

The following information is displayed:

Name

Lists the name of the scheduled task, or the description of the policy or vulnerability that contains a scheduled remediation.

Description

The type of scheduled task.

Schedule

The type of scheduling configured for the task: immediately, once, or recurring.

Last Run Start

The date and time the scheduled task began.

Last Run End

The date and time the scheduled task completed.

You can select the column headings to sort the list. You can also filter the list by selecting the filter icon on a column heading. For more information, see “Filtering list entries” on page 45.

Logs

FortiScan creates logs both about itself and the hosts where a FortiScan agent is installed.

Viewing system logs

Events & Tickets > System Log > Historical in the Global ADOM displays a historical view of system log messages generated by the FortiScan appliance. You can print or download the current list and access a real-time log from this page.


Figure 251: Historical events (screenshot callouts: column filter icon, select time range, real-time log, column settings, printable version, download current view, keyword search, submenu, toolbar, paging toolbar, content pane)

The following information is displayed:

Show

The value is “Local Logs”.

Timeframe

Select the time frame during which you want to display the logs: Anytime, Last 1 hour, Last 1 day, Last 7 days, or Last 1 month.

Realtime Log

Select to view the real-time log messages. In real-time display, the icon changes to the Historical Log icon. Select it again to return to viewing historical logs within a specified time frame.

Column Settings

Select to show or hide specific columns or change the order they appear on the page.

Printable Version

Select to download an HTML file containing all log messages that match the current filters. The HTML file is formatted to be printable. The time required to generate and download large reports varies by the total number of log messages, the complexity of any search criteria, the specificity of your column filters, and the speed of your network connection.

Download Current View


Select to download log files in text (.txt), comma-separated value (.CSV), or standard .log (Native) file format. You can also compress the log files in gzipped format before uploading to the server. The downloaded version will match the current log view, containing only log messages that match your current filter settings.


Search

Enter a keyword to perform a simple search on the available log information, then press the Enter key to begin the search.

Advanced Search

Select to search logs for matching text using Quick Search or Full Search. For more information, see “Searching the logs” on page 470.

Last Activity

The date and time of the log record.

Device ID

The serial number of the FortiScan appliance.

Type

The log type.

Level

The severity level of the log.

Timestamp

The date and time when events occurred on the devices that sent the logs.

Details

The detailed information of the log.

View n per page

Select the number of rows of log entries to display per page. You can choose up to 1000 entries.

Current Page

Enter a page number, then press Enter to go to the page.

Change Display Options

Select to change how log information is displayed. Selecting Formatted (the default) displays the log files in columnar format. Selecting Raw displays the log information as it actually appears in the log file.

Viewing audit logs

FortiScan appliances can log changes to objects under the control of the FortiScan appliance with two levels of audit logging:
• Asset audit logging records changes to assets.
• Operation audit logging records changes to objects, such as asset groups, in the FortiScan appliance’s database.
Both types of logs are stored in the FortiScan appliance’s database.

Viewing asset audit logs

Events & Tickets > Audit Log > Asset Audit in an ADOM other than Global displays asset audit logs. Asset audit logs record changes made to each asset’s hardware, software, and/or configuration according to survey data from that asset’s FortiScan agent.


Figure 252: Asset audit

The following information is displayed:

IP Address

The IP address of the asset.

Attribute

The name of the attribute that changed since the last survey submitted by the asset’s FortiScan agent, such as hd_total (the number of hard drives) or New Row (new software was installed).

Date Modified

The date and time that the attribute was modified.

Modified By

The name of the user account, on the asset, which modified the object.

Old Value

The previous value of the attribute.

New Value

The modified value of the attribute.

You can sort the asset audit logs by attribute or modification date. You can also filter the logs by asset IP address and modification date. For more information, see “Filtering list entries” on page 45.

Viewing operation audit logs

Events & Tickets > Audit Log > Operation Audit in the Global ADOM displays operation audit logs. Operation audit logs record changes to objects in the FortiScan appliance’s database, such as policies, remediation templates, asset groups, and accounts.


Figure 253: Operation audit

The following information is displayed:

Operation

The type of change, such as UPDATE.

Description

The database object that was changed, such as LOGIN_USER or POLICY.

Attribute

The attribute, if any, of the object that was changed, such as user_remarks.

Date Modified

The date and time that the object was modified.

User Name

The name of the FortiScan administrator account which modified the object.

Old Value

The previous attribute value, if any.

New Value

The modified attribute value, if any.

You can sort the operation audit logs by operation, description, attribute and modification date. You can also filter operation audit logs by modification date. For more information, see “Filtering list entries” on page 45.

Customizing the log view

Log messages can be displayed in either raw or formatted form. The Raw view displays log messages exactly as they appear in the log file. The Formatted view displays log messages in a columnar format. Each log field in a log message appears in its own column, aligned with the same field in other log messages, for rapid visual comparison. When displaying log messages in the Formatted view, you can customize the log view by hiding, displaying and arranging columns. You can also use the column filters to display only those log messages and fields that you want to see.


To display logs in raw or formatted view:

1. From Current ADOM, select Global.

2. Go to Events & Tickets > System Log > Historical. The list of system logs appears in the content pane.

3. Select the Change Display Options link in the paging toolbar, and select the Raw button to view the raw logs, or select the Formatted button to view the logs in columnar form. By default, the Formatted button is selected.

You can only rearrange the display of log columns and filter log information in the Formatted view.

Displaying and arranging log columns

When viewing logs in Formatted view, you can display, hide and re-order columns to display only relevant categories of information in your preferred order. For more information, see “Displaying and arranging columns” on page 44. For most columns, you can also filter data within the columns to include or exclude log messages which contain your specified text in that column. For more information, see “Filtering logs” on page 469.

Filtering logs

When viewing log messages in the Formatted view, you can filter columns to display or hide log messages that meet your specified filter criteria in that column. Most column headings contain a gray filter icon, which becomes green when a filter is configured and enabled. Filter icons do not appear when viewing logs in raw form, or for unindexed log fields in the Formatted view. When you are viewing real-time logs, filtering by time is not supported; by definition, only current logs are displayed in the real-time view. You can also download filtered logs, by selecting the Download Current View icon on the toolbar when a filtered view is displayed.

Figure 254: Filtering logs (screenshot callouts: filter icon, filter applied, Download Current View)

Filters affect only the display of system log messages and do not affect the actual messages. Log messages continue to exist in the FortiScan appliance database regardless of whether they are displayed or not.

Most column filters require fully specified entries to successfully match and filter contents; partial entries do not match the entire contents, and so will not create the intended column filter.


For example, if the column contains an IP address (such as 192.168.2.5), to create a column filter, enter the entire IP address to be matched. If you enter only one octet of the IP address (such as 192), the filter will not completely match any of the full IP addresses, and so the resulting filter would omit all logs, rather than including those logs whose IP address contains that octet. Exceptions to this rule include columns that contain multiple words or long strings of text, such as messages or URLs. In those cases, you may be able to filter the column using a substring of the text contained by the column, rather than the entire text contained by the column. For more information on how to apply filters, see “Filtering list entries” on page 45.

Searching the logs

You can use the Advanced Search toolbar option to search the device’s log files for matching text using two search types:
• Quick Search: Use the Quick Search button to find results more quickly, if your search terms are relatively simple and you only need to search indexed log fields. Indexed log fields are those that appear with a filter icon when browsing the logs in column view; unindexed log fields do not contain a filter icon for the column or do not appear in column view, but do appear in the raw log view. Quick Search keywords cannot contain:
  • special characters such as single or double quotes (' or ") or question marks (?).
  • wild card characters (*), other than a single wild card as the last character of a keyword (logi*).
• Full Search: Use the Full Search button if your search terms are more complex, and require the use of special characters or log fields not supported by Quick Search. Full Search performs an exhaustive search of all log fields, both indexed and unindexed, but is often slower than Quick Search. You can stop any search before the search is complete by selecting the Stop Search button.

To search logs using the advanced search feature:

1. From Current ADOM, select Global.

2. Go to Events & Tickets > System Log > Historical. The list of system log messages appears. The messages are in the Formatted view, by default.

3. On the toolbar, select Advanced Search.


The Advanced Search window appears.

Figure 255: Advanced search

4. Configure the following settings:

Device/Group

Select to search logs from the FortiScan appliance (Local Logs).

Time Period

Select to search logs from a time frame, or select Specify and define a custom time frame by selecting the From and To date times.

From

Enter the date (or use the calendar icon) and time of the beginning of the custom time range. This option appears only when you select Specify.

To

Enter the date (or use the calendar icon) and time of the end of the custom time range. This option appears only when you select Specify.


Keyword(s)

Enter search terms which will match to yield log message search results. To specify that results must include all, any, or none of the keywords, select these options in the Match section.

Quick Search

Select to perform a quick search. Keywords for a quick search cannot contain special characters. Quick Search examines only indexed fields.

Full Search

Select to perform a full search. Keywords for a full search may contain special characters. Full Search examines all log message fields.

Stop Search

Select to stop the search before it is completed. This option is grayed out unless there is a search in progress.

More Options

Select the Expand Arrow to hide or expand additional search options.


Match

Select how keywords are used to match log messages which comprise search results:
• All Words: Select to require that matching log messages must contain all search keywords. If a log message does not contain one or more keywords, it will not be included in the search results.
• Any Words: Select to require that matching log messages must contain at least one of the search keywords. Any log message containing one or more keyword matches will be included in the search results.
• Does Not Contain the Words: Select to require that matching log messages must not contain the search keywords. If a log message contains any of the search keywords, it will be excluded from the search results.

Other Filters

Specify additional criteria, if any, that can be used to further restrict the search criteria:
• Log Level: Select to include only log messages of the specified severity level. For example, selecting Error would cause search results to include only log messages containing pri=error.

5. Select either the Quick Search or the Full Search button to perform the search. The search results appear in a list at the bottom of the window. You can print or download the list from the Advanced Search window. You can also change the display settings, and filter or rearrange the columns as in the regular system log list, before printing or downloading the report.

6. Close the Advanced Search window to return to the rest of the Web-based Manager.

Search tips

The search returns results that match all, any, or none of the search terms, according to the option you select in Match. If your search does not return the results you expect, but log messages exist that should contain matching text, examine your keywords and filter criteria using the following search characteristics and recommendations:
• Separate multiple keywords with a space.
• Keywords cannot contain unsupported special characters. Supported characters vary by selection of Quick Search or Full Search.
• Keywords must literally match log message text, with the exception of case insensitivity and wild cards; resolved names and IP aliases will not match.
• Remove unnecessary keywords and search filters which can exclude results. In More Options, if All Words is selected, for a log message to be included in the search results, all keywords must match; if any of your keywords do not exist in the message, the match will fail and the message will not appear in search results. For example, if you enter into Keyword(s): 192.168.* action=login and if you select All Words, log messages for attacks on 192.168.* by W32/Stration.DU@mm do not appear in the search results, since although the first keyword (the IP address) appears in attack log messages, the second keyword (the name of the attack) does not appear, and so the match fails. If the match fails, the log message is not included in the search results. If you cannot remove some keywords, select Any Words.
• You can use the asterisk (*) character as a wild card (192.168.2.*). For example, you could enter any partial term or IP address, then enter * to match all terms that have identical beginning characters or numbers.
• You can search for IP ranges, including subnets. For example:
  • 172.16.1.1/24 or 172.16.1.1/255.255.255.0 matches all IP addresses in the subnet 172.16.1.1/255.255.255.0.
  • 172.16.1.1-140.255 matches all IP addresses from 172.16.1.1 to 172.16.140.255.
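As an added illustration of the keyword forms listed in these search tips (this is not FortiScan code), the following matcher implements the three Match modes, the trailing wild card, the two subnet forms and the abbreviated range form 172.16.1.1-140.255 over constructed log lines. It assumes plain keywords match as case-insensitive substrings of the raw log text and that a wild card stands for any run of non-space characters; the field names in the sample lines are constructed, not real FortiScan output.

```python
"""Keyword matcher modelling the search syntax from the "Search tips" above:
plain words, trailing wild cards, CIDR / netmask subnets, the abbreviated
range form, and the Match modes. Added example; not FortiScan code.
"""
import ipaddress
import re
from typing import Callable, List, Optional, Tuple

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_ip_range(keyword: str) -> Optional[Tuple[int, int]]:
    """Return (first, last) as integers for a subnet or range keyword, else None.

    Accepted forms, as listed in the search tips:
      172.16.1.1/24   172.16.1.1/255.255.255.0   172.16.1.1-140.255
    """
    try:
        if "/" in keyword:
            net = ipaddress.ip_network(keyword, strict=False)
            return int(net.network_address), int(net.broadcast_address)
        if "-" in keyword:
            start, end = keyword.split("-", 1)
            first = ipaddress.IPv4Address(start)
            # The part after the dash replaces the trailing octets of the start
            # address: 172.16.1.1-140.255 ends at 172.16.140.255.
            tail = [int(octet) for octet in end.split(".")]
            if not 1 <= len(tail) <= 4 or any(octet > 255 for octet in tail):
                return None
            head = start.split(".")[: 4 - len(tail)]
            last = ipaddress.IPv4Address(".".join(head + [str(o) for o in tail]))
            return int(first), int(last)
    except ValueError:
        return None  # not an address form: treat as an ordinary keyword
    return None


def keyword_predicate(keyword: str) -> Callable[[str], bool]:
    """Turn one search keyword into a case-insensitive test on a raw log line."""
    ip_range = parse_ip_range(keyword)
    if ip_range is not None:
        lo, hi = ip_range

        def in_range(line: str) -> bool:
            # Any IPv4 address found anywhere in the line may satisfy the range.
            for candidate in IPV4_RE.findall(line):
                try:
                    if lo <= int(ipaddress.IPv4Address(candidate)) <= hi:
                        return True
                except ValueError:
                    continue
            return False

        return in_range
    if "*" in keyword:
        # Wild card as in 192.168.2.* or logi*: each * matches any run of
        # non-space characters (assumption about the expansion rule).
        pattern = re.compile(re.escape(keyword).replace(r"\*", r"\S*"), re.IGNORECASE)
        return lambda line: pattern.search(line) is not None
    lowered = keyword.lower()
    return lambda line: lowered in line.lower()


# The Match options of the Advanced Search window, applied to the per-keyword hits.
MATCH_MODES = {
    "All Words": lambda hits: all(hits),
    "Any Words": lambda hits: any(hits),
    "Does Not Contain the Words": lambda hits: not any(hits),
}


def search(lines: List[str], keywords: str, match: str = "All Words") -> List[int]:
    """Return the indexes of the lines selected by the keywords under the Match mode."""
    predicates = [keyword_predicate(word) for word in keywords.split()]
    combine = MATCH_MODES[match]
    return [i for i, line in enumerate(lines) if combine([p(line) for p in predicates])]


# Constructed sample log lines; field names are illustrative only.
SAMPLE_LOGS = [
    'pri=information action=login user=admin srcip=192.168.2.5 msg="Administrator logged in"',
    'pri=error action=login user=admin srcip=10.0.0.9 msg="Authentication failed"',
    'pri=information action=scan srcip=172.16.140.200 msg="Remote scan started"',
    'pri=warning action=scan srcip=172.16.141.3 msg="Scan skipped"',
]

if __name__ == "__main__":
    print(search(SAMPLE_LOGS, "192.168.* action=login"))               # [0]
    print(search(SAMPLE_LOGS, "192.168.* action=login", "Any Words"))  # [0, 1]
    print(search(SAMPLE_LOGS, "172.16.1.1-140.255"))                   # [2]
```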

System errors

Error events are events generated by applications, processes and system resources that affect the operation of the FortiScan appliance. There are two types of error events:
• General error events: These are generated by errors that occur from import results, applications, processes, and system resources that affect the operation of the FortiScan appliance.
• Asset error events: These are generated when errors occur while running Fortinet processes, such as scans or remediations on an asset.
To view error events, in an ADOM other than Global, go to Events & Tickets > Error Events. Error events are informational only, and do not contain any remediation actions. You can only view error event details or delete the events.

Figure 256: Error events


Viewing general error events

Events & Tickets > Error Events > General Error in an ADOM other than Global displays general error event logs. General error events are generated by errors in import results, applications, processes, and system resources that affect the operation of the FortiScan appliance.

Figure 257: General error

The following information is displayed:

Event

The type of error event.

Status

The event status (see “Event statuses” on page 369).

Error Name

The descriptive error name.

Operating System

The operating system that generated the error.

Detected

The date and time the error event was detected.

Action

Select the icon to view details about the general error.

To view the details of a general error, select the view error detail icon for the error you want to view.

Figure 258: Details pop-up window


The following information is displayed:

Error Details

Lists detailed information about the error event.

Error detected at

The date and time the error was detected.

Violation Name

The name of the error.

Description

A detailed description of the event that caused the error.

Viewing asset error events

Asset error events are generated when errors occur while running FortiScan processes, such as scans or remediations on an asset. To view the list of asset error events, in an ADOM other than Global, go to Events & Tickets > Error Events > Asset Error. The Asset Error page appears showing all the asset error events that are stored in the FortiScan appliance database.

Figure 259: Asset error page

The following information is displayed:

Event

The type of error event.

Status

The event status (see “Event statuses” on page 369).

Host Name

The host name of the asset.

IP Address

The IP address of the asset.

Error Name

The name of the rule which generated an error.

Operating System

The operating system (OS) of the asset.

Detected

The date and time that the error event occurred.

Action

Select the view error detail icon to view details about the error.

To view the details of an asset error, select the view error detail icon for the error you want to view.


Figure 260: Asset error details pop-up window

The following information is displayed:

Error Details

Error detected at

The date and time that the error occurred.

Violation Name

The name of the rule that caused the error.

Description

A description of the event that caused the error, such as improperly formatted input.

Removing an error event

You can remove an error event from the alert list. Event information is stored in the FortiScan appliance’s database. Even if you remove an error event from the event pages, information about the event is retained, and can be reviewed by generating a report. For more information on reports, see “Reports” on page 476.

To remove an error event:

1. From Current ADOM, select the name of an ADOM that is not Global.

2. Go to Events & Tickets > Error Events.

3. Select the page that corresponds to the type of error event you want to work with.

4. To view the details of an error event, select the View Event Detail icon for the selected event record.

5. Mark the check box for each error event you want to remove. To remove all the events from the currently displayed page, mark the check box in the column heading.

6. In the toolbar, select Delete. A delete confirmation dialog appears.

7. Select OK. The selected event or events are removed from the alert list.

Reports

You can make a large variety of reports to monitor FortiScan activity and its knowledge of your network. There are 4 methods:
• Generate an agent-based report instantly — Available when the query is fast. Requires that you have installed the FortiScan agent on your assets. See “Generating real-time agent-based reports” on page 477.
• Schedule an agent-based report to be viewed later — Available when the query is slow, such as when the data set is very large. Requires that you have installed the FortiScan agent on your assets. These types of reports can take hours to compile all of the necessary data, especially on very large networks, and therefore cannot be viewed immediately. See “Scheduling reports” on page 482.
• Schedule an agentless network audit report and vulnerability scan & report — Does not require that you have installed the FortiScan agent on your assets, but does require that the appliance has completed its remote scan. See “Viewing remote vulnerability scan reports” on page 244.
• Generate an IPS advisory report — Reports are generated based on IPS advisor report templates. See “IPS advisor reports” on page 257.

Generating real-time agent-based reports

“Real-time” reports can be generated very quickly, and therefore viewed immediately. FortiScan can generate a wide variety of real-time reports for monitoring the current state of managed assets. There are three kinds of real-time reports listed in the Available Reports column on Report > Agent Scan > Real-time:
• Posture Reports: An overall compliance and/or security posture in the form of a line graph, pie chart, or bar chart displayed directly in the Web-based Manager. See “Viewing posture reports” on page 478.
• Reports: Lists each individual issue in a downloaded PDF. Suitable if you need to provide the information to executives or system administrators. See “Viewing traditional reports” on page 478.
• Views: Lists each individual issue in a table displayed directly in the Web-based Manager. These can also be downloaded in comma-separated value (CSV) format that you can view in a spreadsheet application such as Microsoft Excel: when viewing the report, select the Export to CSV link in the upper right corner. See “Tabular views” on page 479.

Some reports require criteria such as IP addresses and/or a date range in order to present meaningful information. Criteria to limit the scope of reports can be based on:
• Assets to be included: Assets can be specified by asset group or IP address range.
• Time range to be included: A time range can be specified, either:
  • Past x hours
  • Past y days
• Date range to be included: A date range is specified, either:
  • From any calendar date
  • To any calendar date

The legend of some reports may be difficult to read when the criteria is extremely broad. Narrowing the criteria to fewer assets or a shorter time span will typically yield better results.

To generate a real-time report, in an ADOM other than Global, go to Report > Agent Scan > Real-time. The list of available real-time reports appears in the Available Reports column. Select an entry in this list to generate the report.

Fortinet Technologies Inc.

Page 477

FortiScan v5.0 MR1 Administration Guide

Viewing posture reports

To view posture reports, in an ADOM other than Global, go to Report > Agent Scan > Real-time. The list of available real-time reports appears. Posture reports are listed under the Posture Reports subheading. To view a report, select its name in the list. There are three kinds of posture reports:
• Executive Security Posture Report: A graphical view of compliance, vulnerability, patch and authorized software policy status for all asset groups, by group nesting level. Select the Next Level View link for an asset group to view reports for its sub-groups and assets. To view a printable version of the report, select Print Preview.
• LOB Manager Security Posture Report: A graphical view of compliance, vulnerability, patch and authorized software policy status for all asset groups. To view a printable version of the report, select Print Preview.
• Sysadmin Security Posture Report: A posture report of compliance, vulnerability, patch and authorized software policy status for all asset groups. To view a printable version of the report, select Print Preview.
For more information, see “Security postures” on page 449.

Viewing traditional reports Traditional downloaded PDF reports are often appropriate for executives and system administrators.

The legend of some reports may be difficult to read when the criteria is extremely broad. Narrowing the criteria to fewer assets or a shorter time span will typically yield better results.

To view traditional real-time reports, go to Report > Agent Scan > Real-time. PDF reports are listed under the Reports subheading. The following traditional reports are available:
• Applied Asset Policies Detailed Report: A listing of the applied asset policies and the assets affected by each policy.
• Vulnerability Assessment: A summary of the open and closed vulnerabilities, and open and closed asset policy violations.
To generate a traditional report:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Report > Agent Scan > Real-time. The list of available real-time reports appears.
3. In the Reports section, select the name of the report you want to generate. The Report Criteria dialog appears.
4. Specify the range of assets and time range to be included in the report and then select Run Report. The report is downloaded in PDF format.


Tabular views Table views show all data, so it is not necessary to enter criteria to limit the scope of the report. You can export the data displayed in any view to a comma-separated-values (CSV) spreadsheet file, by selecting the Export to CSV link at the top of the page.

If a view report contains more than 25,000 rows, the real-time report will not display. Instead, a message appears asking you to run the report as a scheduled task. See “Scheduling reports” on page 482.

The following table views are available:
• Alert View - Patch Scan: A real-time list of security risks in your enterprise detected by patch scans.
• Alert View - Vulnerability Scan: A real-time list of security risks in your enterprise detected by vulnerability scans.
• Applied Policy View: A report on which assets a policy has been applied to.
• Asset Detail View: Detailed information about assets in the network.
• Asset Uptime View: Information about asset boot time, last survey time, and how long an asset has been available since its last bootup.
• FortiScan Install History View: Information about the initial installation of the FortiScan appliance.
• Installed Application View: Lists the applications installed on the assets in your network and whether the software complies with your software licensing guidelines.
• Installed Device Summary View: Summary of installed devices in your network, grouped by device name.
• Installed Device View: List of installed devices by asset.
• Installed Patch View: Information about installed patches on assets. It can be used to monitor whether assets are up to date on their maintenance and corrections to installed applications.
• Killed Process View: Information about any process that has been killed on protected assets, either through policy enforcement, remediation, or manual action.
• Patch Inventory: List of all the installed patches with the number of copies in the enterprise.
• Remediation sent by user view: Information about dispatched remediations.
• Retired Asset View: Information about assets that have been retired from service.
• Running Process View: Information about running processes on assets.
• Software Inventory: List of all the installed applications with the number of copies in the enterprise.
• Summary Elements: Results from the pre-defined summary element modules. Each module contains several summary elements, each of which generates an individual summary report that is queried and entered into the system over a 24 hour period. Each element query returns a single distinct value (for example 4, true, or 15423). A summary element report contains the date that the report was created, the summary element name, the distinct query value, and a transmitted flag. The summary element queries are performed every 24 hours. Currently, the summary elements collected are those shown in Table 27 on page 480. Unless denoted otherwise, each element represents a count of the items named.
• Unique Alert View: Unique vulnerability alerts. Uniqueness is defined as vulnerability vendor ID + status.
• Unremediated Vulnerability Summary View: Summary of all unremediated vulnerabilities with the number of occurrences of each.
• User Activity Log View: An audit trail of who did what on the FortiScan platform.
• Violated Policy View: Information about security policy violations on an asset.

Table 27: Summary elements collected by the FortiScan appliance
• Asset Logging
• Asset criticality-High
• Asset criticality-Highest
• Asset criticality-Low
• Asset criticality-Lowest
• Asset criticality-Medium
• Assets less than 1 percent disk free
• Assets with greater than three severe vulnerabilities
• Assets with pending vulnerabilities
• Assets with pending vulnerabilities longer than 7 days
• Assets with vulnerabilities where risk was accepted
• Audit Logging enabled
• Days since last vulnerability scan import
• Enabled
• Microsoft Windows Server 2003 Family, Datacenter 64-Bit Edition
• Microsoft Windows Server 2003 Family, Datacenter Edition
• Microsoft Windows Server 2003 Family, Enterprise 64-Bit Edition
• Microsoft Windows Server 2003 Family, Enterprise Edition
• Microsoft Windows Server 2003 Family, Standard 64-Bit Edition
• Microsoft Windows Server 2003 Family, Standard Edition
• Microsoft Windows Server 2003 Family, Web 64-Bit Edition
• Microsoft Windows Server 2003 Family, Web Edition
• Microsoft Windows XP 2003 64-Bit Edition
• Microsoft Windows XP 64-Bit Edition
• Microsoft Windows XP Home Edition
• Microsoft Windows XP Professional
• Microsoft Windows Vista Ultimate
• Microsoft Windows Vista Home Premium
• Microsoft Windows Vista Home Basic
• Microsoft Windows Vista Business
• Microsoft Windows Vista Enterprise
• Windows 8
• Windows 2012 server
• No of accounts not assigned to all asset groups
• No of accounts with Administrator access
• No of accounts with Auditor access
• No of accounts with Operator access
• No of accounts with passwords not modified with in 90 days
• No of assets in violation of Site Patch policy
• No of assets not in violation of Site Patch policy
• No of assets violating policies
• No of critical assets violating policies
• No of dispatched config based remediations
• No of dispatched patched based remediations
• No of failed asset remediations
• No of protected assets assigned to a policy
• No of protected assets not assigned to a policy
• No of successful remediations
• Number of assets with removable media
• Protected assets
• Red Hat Enterprise Linux AS
• Red Hat Enterprise Linux Desktop
• Red Hat Enterprise Linux ES
• Red Hat Enterprise Linux WS
• Red Hat Linux
• Retired Assets
• SuSE linux
• SunOS
• SunOS FJ
• Total imported vulnerabilities
• Total remediated vulnerabilities
• Ungrouped assets
• Unprotected assets
• Unreporting assets

Scheduling reports Sometimes reports are complex and can take hours, or, in the case of very large data sets, days to generate. In these cases, you can schedule FortiScan to begin generating the report at a convenient time, and view the results later, when the report is complete. Scheduled jobs run in a sequential queue. A scheduled job will wait to begin if another job is still running when its start time arrives. If two reports are scheduled to run at the same time, one job will start only after the prior one is finished.
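As an added illustration of the queueing rule above (example code, not part of the FortiScan guide or product), the following Python models a single sequential report queue: each job starts at its Scheduled Time or when the previous job ends, whichever is later. The job names, times and estimated durations are constructed assumptions; FortiScan shows Scheduled Time, Start Time and End Time for completed jobs but does not publish duration estimates, so you would supply your own from past runs.

```python
"""Model FortiScan's sequential scheduled-report queue.

Added example, not part of the FortiScan guide or product. The guide states
that scheduled jobs run one at a time and that a job whose start time arrives
while another job is still running waits for it to finish. Durations here are
estimates you supply (constructed values below); FortiScan does not expose them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class ScheduledJob:
    task_name: str
    scheduled_time: datetime
    estimated_duration: timedelta
    start_time: Optional[datetime] = None  # filled in by run_queue
    end_time: Optional[datetime] = None    # filled in by run_queue

    @property
    def delay(self) -> timedelta:
        """How long the job waited in the queue past its Scheduled Time."""
        return self.start_time - self.scheduled_time


def run_queue(jobs: List[ScheduledJob]) -> List[ScheduledJob]:
    """Assign Start Time and End Time under single-worker, first-come rules.

    Jobs are taken in order of Scheduled Time (ties keep their input order,
    since sorted() is stable). Each job starts at its scheduled time or when
    the previous job ends, whichever is later; it never starts early.
    """
    ordered = sorted(jobs, key=lambda j: j.scheduled_time)
    queue_free_at: Optional[datetime] = None
    for job in ordered:
        job.start_time = job.scheduled_time
        if queue_free_at is not None and queue_free_at > job.start_time:
            job.start_time = queue_free_at
        job.end_time = job.start_time + job.estimated_duration
        queue_free_at = job.end_time
    return ordered


def report(jobs: List[ScheduledJob]) -> str:
    """Render the queue the way the completed-reports table shows it."""
    fmt = "%m-%d %H:%M"
    lines = [f"{'Task':<22}{'Scheduled':<14}{'Start':<14}{'End':<14}Delay"]
    for j in jobs:
        lines.append(
            f"{j.task_name:<22}{j.scheduled_time.strftime(fmt):<14}"
            f"{j.start_time.strftime(fmt):<14}{j.end_time.strftime(fmt):<14}{j.delay}"
        )
    return "\n".join(lines)


# Constructed sample: three jobs aimed at the same overnight window.
SAMPLE_JOBS = [
    ScheduledJob("vuln-view-weekly", datetime(2013, 9, 27, 1, 0), timedelta(hours=3)),
    ScheduledJob("asset-detail-daily", datetime(2013, 9, 27, 1, 0), timedelta(minutes=45)),
    ScheduledJob("posture-sysadmin", datetime(2013, 9, 27, 3, 30), timedelta(minutes=20)),
]

if __name__ == "__main__":
    print(report(run_queue(SAMPLE_JOBS)))
```

Running it shows why the Start Time of a completed job can be hours after its Scheduled Time without anything having failed: a 45-minute daily view scheduled alongside a 3-hour weekly view inherits the whole 3-hour wait, and the posture report scheduled for 03:30 is pushed to 04:45. Stagger Schedule Type start times, or move long-running views to a quieter By Week window, so that short reports are not stuck behind them.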


There are two kinds of scheduled reports:
• Posture Reports: A posture report of compliance, vulnerability, patch and authorized software policy status for all asset groups (Sysadmin Security Posture Report). To view a printable version of the report, select Print Preview. For more details about the displayed graphs and indexes, see “Security postures” on page 449.
• Views: Tables list all rows for each data type, unfiltered by any IP address or date criteria.
The following tabular views can be scheduled:
• Alert View: Information about the security risks in your enterprise, with status information about how they are being addressed. It corresponds to the Vulnerability Alert and Policy Alert pages in the Events & Tickets menu.
• Alert View - Patch Scan: A list of security risks in your enterprise detected by patch scans.
• Alert View - Vulnerability Scan: A list of security risks in your enterprise detected by vulnerability scans.
• Applied Policy View: A report on which assets a policy has been applied to.
• Asset Detail View: Detailed information about assets in the network.
• Asset Uptime View: Information about asset boot time, last survey time, and how long an asset has been available since its last bootup.
• Benchmark View: Information about benchmark compliance scan results.
• Compliance Summary View: Information about distinct compliance rule scan results. Uniqueness is defined as benchmark rule + its pass/fail status.
• Extended Benchmark View: Information about all the completed benchmarks with external mappings.
• FortiScan Install History View: Information about the initial installation of the FortiScan appliance.
• Installed Application View: List of the applications installed on the assets in your network and whether the software complies with your software licensing guidelines.
• Installed Device Summary View: Summary of installed devices in your network, grouped by device name.
• Installed Device View: List of installed devices by asset.
• Installed Patch View: Information about installed patches on assets. It can be used to monitor whether assets are up to date on their maintenance and corrections to installed applications.
• Killed Process View: Information about any process that has been killed on protected assets, either through policy enforcement, remediation, or manual action.
• Patch Inventory: List of all the installed patches with the number of copies in the enterprise.
• Remediation sent by user view: Information about dispatched remediations.
• Running Process View: Information about all the processes running on protected assets.
• Software Inventory: Lists all the installed applications with the number of copies in the enterprise.
• Summary Elements: Results from the pre-defined summary element modules, as described under “Tabular views” on page 479. The summary elements collected are those shown in Table 27 on page 480.
• Unapplied Policy Asset View: List of policies that are not applied to protected assets.
• Unique Alert View: Unique vulnerability alerts. Uniqueness is defined as vulnerability vendor ID + status.
• Unremediated Vulnerability Summary View: Summary of all unremediated vulnerabilities with the number of occurrences of each.
• User Activity Log View: An audit trail of who did what on the FortiScan platform.
• Violated Policy View: Information about security policy violations on an asset.
• Vulnerability View: List of all vulnerabilities detected.

To schedule a report:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Report > Agent Scan > Scheduled.
3. In the Available Reports list, either:
• Select View All Pending Scheduled Reports. The list of currently pending scheduled reports appears. In the toolbar, select Create New.
• Next to the type of report you want to schedule, select the Schedule Report icon.
The Schedule A Report dialog appears.


Figure 261: Schedule a report

4. Configure the following settings:
• Job Name: Enter a name for the scheduled report job. This will appear in the report job queue.
• Description: Optional. Enter a description for the job.
• Report Name: Select the type of report to generate from the list, if not already selected.
• Schedule Type: Select when to begin generating the report.
  • Immediate: Select to generate the report right away.
  • Once: Select to generate the report once. In the fields that appear, enter the date and time when you want the task to begin.
  • By Minute: Select to schedule a recurring report every one or more minutes. In the fields that appear, enter the date and time when you want the scheduled report to begin and the number of minutes between recurrences.
  • By Hour: Select to schedule a recurring report every one or more hours. In the fields that appear, enter the date and time when you want the report generation task to begin and the number of hours between recurrences.
  • By Day: Select to schedule a recurring report every one or more days. In the fields that appear, enter the date and time when you want the report generation task to begin and the number of days between recurrences.
  • By Week: Select to schedule a recurring report on specific days of the week. In the fields that appear, enter the date and time to begin, the days of the week, and the time you want the report generation task to run on the selected days.
  • By Month: Select to schedule a recurring report every one or more months on specific days of the month. In the fields that appear, enter the date and time to begin, the number of months between recurrences, the days of the month, and the time you want the report generation task to run on the selected days.
• Specify the assets to be included in the report: Select which criteria will be used to filter the records to include only specific assets or asset groups. This appears only if the selected report requires you to specify assets.
  • Asset Group: Select to include assets by asset group. Then in the asset group tree, mark the check box for each asset group you want to include in the report.
  • IP Address: Select to include assets by IP address. Then specify the IP range for the report in the From and To fields.
• Specify the time period for the report: Select which criteria will be used to filter the records to include only specific time frames. This appears only if the selected report requires you to specify time criteria.
  • All Times: Select to include all time periods in the report.
  • Time Range: Select to specify a time interval. Then specify the appropriate number in the Past [ ] hours or Past [ ] days field.
  • Date Range: Select to specify a range of dates. Then specify the start and end dates and times in the From and To fields, respectively. You can use the [...] button to select the dates from a calendar.


5. Select Submit to add the job to the report queue. The job appears in the queue schedule. To view the schedule, see “Viewing all pending scheduled reports” on page 487. If the job finishes quickly, it may disappear from the queue more quickly than you can view it. In this case, instead see “Viewing a completed scheduled report” on page 488.

Viewing all pending scheduled reports

To view a list of all scheduled reports that have not yet been completed, in an ADOM other than Global, go to Report > Agent Scan > Scheduled, then in the Available Reports column, select View All Pending Scheduled Reports.

Figure 262: Viewing all queued report jobs

The following information is displayed:
Toolbar
• New: Create a new scheduled report.
• Delete: Delete the reports whose check boxes are marked.
List columns
• Report Name: The name of the scheduled report.
• Task Name: The name of the scheduled report task.
• Description: The administrator-defined description for the scheduled report.
• Type: The type of schedule.
• Next Time: The next date and time that the report is scheduled to run.
• Last Time: The last date and time that the report ran.
• CRON: The cron job code describing the schedule.
• Operations: Select the Edit icon to edit the scheduled report. Select Delete to delete the report from the list.


Viewing a completed scheduled report After a scheduled job completes, it no longer appears in the job queue. To view the report, go to Report > Agent Scan > Scheduled, then in the Available Reports column, select the name of the report (not the icon).

Administrators whose Role is Administrator can view, delete and download reports scheduled by other administrators. Administrators whose Role is Operator or Auditor can only access their own scheduled reports.

If a scheduled report contains more than 25,000 rows of data, you cannot view it online. You can only download it.

Figure 263: Completed reports

The following information is displayed:
Toolbar
• Delete: Delete the reports whose check boxes are marked.
List columns
• Report Name: The name of the scheduled report.
• Task Name: The name of the scheduled report task.
• Create Time: The date and time that the report schedule was created.
• Scheduled Time: The date and time that the report was scheduled to run.
• Start Time: The date and time when report generation began.
• End Time: The date and time when report generation ended.
• Status: The completion status of the report.
• Row Count: The number of rows of data in the report.
• Description: The administrator-defined description for the scheduled report.
Operations
• Delete: Select to delete the report in the selected row.
• View Report: Select to view the contents of the report directly in the Web-based Manager.
• Download Report: Select to download the report as a comma-separated values (CSV) file.
• View Report Filter: Select to view the filter criteria used to generate the report.

ODBC access for third party reports In some cases, you may want to grant a management computer access to read the FortiScan appliance’s database. For example, you may want to configure the FortiScan appliance to allow database queries if you want to generate reports using third-party reporting software instead of or in addition to the built-in FortiScan reports. For more information, see “Appendix D: ODBC Support” on page 530. To allow ODBC access, on the FortiScan appliance, you must add the computer to the list of allowed ODBC clients, and create an ODBC login. On the computer, you must configure it with an ODBC driver.

Configuring allowed database clients

System > Config > DB Host in the Global ADOM configures which hosts are allowed to query the FortiScan database. This is usually done by third-party software creating custom reports.
To add a new ODBC client:
1. From Current ADOM, select Global.
2. Go to System > Config > DB Host.
3. Select Create New. The New ODBC Host dialog appears.
4. In Host IP / Mask, type the IP address and netmask of the computer that you want to allow to make connections to the FortiScan appliance’s database. Use the narrowest mask that covers the reporting hosts you intend to allow; a single reporting server needs only a host mask (255.255.255.255).
5. Select OK.
Before the ODBC client can query the FortiScan database, it must also have a login and have installed the ODBC driver. For details, see “Configuring database users” on page 489 and “Connecting your computer to the FortiScan database” on page 530.
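The DB Host entries form an allowlist for database access, so it is worth confirming exactly which addresses they admit before relying on them. The following Python is an added example, not FortiScan code: it parses entries in the IP address / netmask form the dialog asks for, answers whether a given client address would be permitted, and flags any entry that covers more than one host. The entries are constructed; the /24 and 0.0.0.0/0 lines are hypothetical mistakes (a subnet typed where one host was meant, and an entry that removes the restriction entirely). Whether the appliance also accepts prefix-length notation is not stated in the guide; the helper accepts both forms so either can be checked.

```python
"""Check a FortiScan DB Host allowlist before relying on it.

Added example, not FortiScan code. The guide says System > Config > DB Host
holds the IP address / netmask pairs allowed to open ODBC connections to the
appliance database. This reproduces that decision for a candidate client and
flags entries that admit more than a single reporting host, so an over-broad
mask is caught before it is deployed. All entries below are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample of what an administrator might have entered.
SAMPLE_DB_HOSTS = [
    "10.20.30.40/32",             # one reporting server: what you usually want
    "10.20.30.0/255.255.255.0",   # a whole subnet: probably broader than intended
    "0.0.0.0/0",                  # any address: effectively no restriction at all
]


def parse_db_hosts(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse 'ip/prefix' or 'ip/dotted-mask' entries; host bits are masked off."""
    return [ipaddress.IPv4Network(e, strict=False) for e in entries]


def is_allowed(client_ip: str, networks: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if any allowlist entry covers the client address."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net for net in networks)


def overly_broad(networks: Iterable[ipaddress.IPv4Network],
                 max_hosts: int = 1) -> List[Tuple[str, int]]:
    """Return (entry, addresses_admitted) for entries admitting more than max_hosts."""
    flagged = []
    for net in networks:
        if net.num_addresses > max_hosts:
            flagged.append((str(net), net.num_addresses))
    return flagged


if __name__ == "__main__":
    nets = parse_db_hosts(SAMPLE_DB_HOSTS)
    for ip in ("10.20.30.40", "10.20.30.99", "192.0.2.7"):
        print(ip, "allowed" if is_allowed(ip, nets) else "denied")
    for entry, count in overly_broad(nets):
        print(f"review {entry}: admits {count} addresses")
```

Run against your own list, every entry that is flagged deserves a second look: with 0.0.0.0/0 present, the DB User password becomes the only thing standing between the network and the appliance database.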

Configuring database users

System > Config > DB User in the Global ADOM allows you to configure the login credentials required for ODBC hosts that connect to query the FortiScan database.
To add a new ODBC account:
1. From Current ADOM, select Global.
2. Go to System > Config > DB User.
3. Select Create New. The New ODBC User dialog appears.
4. In ODBC User, type the login name that the ODBC client must provide when authenticating.
5. In Password, type the password for the ODBC account.
6. Select OK.
Before the ODBC client can query the FortiScan database, its IP address must be added to the list of ODBC clients allowed to access the appliance, and it must have installed the ODBC driver. For details, see “Configuring allowed database clients” on page 489 and “Connecting your computer to the FortiScan database” on page 530.

FortiGuard updates

One of the most important things you can do is to ensure that your FortiScan is receiving regular updates from the FortiGuard FortiScan Web Security service. Without these updates, your FortiScan cannot detect the newest threats. Event logs record FortiGuard update attempts. In addition to scheduling polls for automatic updates, you can also manually update the service packages or initiate a connectivity test to the FDN at any time. For details, see “Connecting to FortiGuard Services” on page 72.

Figure 264: License information widget

Vulnerability scans and alerts

After your initial deployment, periodically scan your hosts for newly discovered vulnerabilities. If you discover new threats, adjust your configuration to combat them. Without periodic scans, you may not be aware of the newest threats, and you may not have configured your FortiScan to defend against them. For details, see “Agentless Vulnerability Scans” on page 228 and “Compliance” on page 302.

If you have many web servers, you may want a FortiWeb appliance to offload and distribute web vulnerability scans to improve performance and remove bottlenecks.

To be proactive and reduce unnecessary manual intervention, consider configuring policies where possible. FortiScan will generate alerts to notify you if an asset becomes non-compliant. For details, see “Handling vulnerability alerts” on page 371 and “Handling policy alerts” on page 376.


Maintaining Your Agent Deployments After the initial deployment, you may need to occasionally do some agent maintenance, such as if you need to update, uninstall, or determine which version of the FortiScan agent is currently running on a host. As your network grows and changes, if you install or uninstall a host’s FortiScan agent, you may need to retire or configure the corresponding asset configuration on the FortiScan appliance.

Workflow

After your initial discovery scan and FortiScan agent deployment, you need to maintain your agent deployment on an ongoing basis:
• Add new hosts to your ADOM’s asset inventory (see “Discovering your Network’s Hosts” on page 109, “Importing hosts into the asset inventory” on page 115, or “Manually adding a host to the asset inventory” on page 116).
• If the asset should be in the asset inventory of more than one ADOM, assign it to its other ADOMs (see “Manually assigning assets to an ADOM” on page 100).
• Install the FortiScan agent on each host (see “Agent Setup” on page 117).
• Group new assets (see “Grouping assets” on page 181).
• Modify a new asset’s criticality, description, or custom fields (see “Indicating asset criticality” on page 193, “Entering an asset description” on page 194, and “Defining Custom Fields” on page 418).
• Adjust settings for FortiScan agents installed on your new assets (see “Overriding the ADOM’s survey intervals” on page 196).
• Review reports and charts to inform yourself about the state of your assets, and which require remediation or new policies (see “Viewing overall asset statistics” on page 201).
• Govern your assets using new policies (see “Achieving real-time compliance via policies” on page 347).
• Create tickets to track remediations, and deploy patches, hot fixes, and configuration changes to protected assets using remediations (see “Tickets” on page 392 and “Dispatching remediations” on page 409).
As your network grows and changes, you may also need to update or remove a host’s FortiScan agent. If you are permanently or temporarily disconnecting an asset, you can uninstall its FortiScan agent and remove the corresponding entry from the asset inventory. For details, see “Deleting and retiring assets” on page 199 and “Maintaining Your Agent Deployments” on page 491.

Installing the FortiScan agent on discovered assets After adding an asset to your ADOM’s asset inventory, in most cases, you should proceed by installing a FortiScan agent on unprotected hosts. Unprotected hosts cannot be protected or governed through most of the FortiScan appliance’s features. Many FortiScan features, including policy enforcement and patch distribution, require that you install a FortiScan agent on each of your network’s assets. If you have not yet installed agents but want to deploy them, see “Agent Setup” on page 117.


Asset > Inventory > Agent Installation enables you to download the FortiScan agent software or use its push installer. It also enables you to update agents you have already deployed. Updating an agent should usually be done only after you have updated the appliance firmware: the agent and appliance should usually have matching version numbers. If you have already installed an agent and want to upgrade it, see “Updating the Firmware” on page 80.

Determining a FortiScan agent’s version

It is possible, although not recommended, for the hosts in your organization’s network to run different versions of the FortiScan agent, some of which may not match the version of the FortiScan appliance.

A host cannot run more than one version of the FortiScan agent simultaneously.

If this is the case for you, you may need to determine which version of the FortiScan agent a host has, such as when uninstalling the agent, or in order to decide whether to upgrade it.
To determine the version remotely:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Asset > Inventory > Asset Inventory.
3. In the asset navigation tree, locate the asset group containing the asset you want to view. The list of assets appears in the asset group details pane.
4. For the asset you want to view, select Edit. The asset details appear in the asset editor pane.
5. Select the Configuration tab. The version number of the FortiScan agent is in the Agent section.
To determine the version locally:
1. Log in to the host as Administrator or root.
2. Stop the service/daemon. Methods vary by operating system. For details, see “Starting and stopping a FortiScan agent” on page 493.
3. If the host is running Windows, enter the command:
sps -noservice -version
If the host is running Linux or Solaris, enter the command:
sps -nodaemon -version


Starting and stopping a FortiScan agent By default, your host assets will be configured to automatically start the FortiScan agent each time the host boots. You can also manually stop and start the FortiScan agent.

While the FortiScan agent is stopped, the FortiScan appliance cannot protect the asset.

The FortiScan agent can be started using debugging parameters:
• -showparm (show all parameters)
• -showcall (show program call information)
• -showdata (show verbose output)
To start or stop the agent (Windows):
1. Log in as Administrator or another account with the privileges to start and stop services.
2. Select the Start (Windows logo) menu to open it, then select Control Panel. On older versions of Windows, instead, go to Start > Control Panel.
3. Select Administrative Tools. On older versions of Windows, instead, double-click Administrative Tools.
4. Double-click Services. A Microsoft Management Console window appears with the Services snap-in.
5. Locate the FortiScan agent service, right-click it, then select Start or Stop.
6. Select Finish.
To start the agent (Linux or Solaris):
1. Log in as root or another superuser with the permission to execute the daemon.
2. Enter the commands:
cd /opt/seclient
./sps -nodaemon
To stop the agent (Linux or Solaris):
1. Log in as root or another superuser with the permission to view all processes and kill the daemon.
2. Enter the command:
ps -ef | grep -v grep | grep sps
A list of FortiScan agent processes is returned. There may be several.
3. Find the lowest process identification number (PID) of all processes named sps.
4. Stop that PID (without restarting it) by entering the following command, replacing <PID> with the number you found:
kill -9 <PID>
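The stop procedure above depends on picking the right PID out of the ps listing by eye. As an added example (not part of the FortiScan agent or this guide), the following Python performs the same selection from `ps -ef` output: it drops the grep from the pipeline, ignores unrelated commands whose names merely contain "sps", and returns the lowest sps PID so it can be reviewed before anything is signalled. The listing is a constructed sample modelled on the /opt/seclient/sps path given above; the -survey argument on the child processes is an assumption, not something the guide documents.

```python
"""Locate the FortiScan agent parent process on a Linux or Solaris host.

Added example, not FortiScan code. The guide's manual stop procedure is to run
`ps -ef | grep -v grep | grep sps`, take the lowest PID among the sps
processes, and kill that PID. This reproduces that selection from a ps listing
so the choice can be checked first. The sample listing is constructed; pass
--live to use the real `ps -ef` output on the host.
"""
import re
import subprocess
import sys
from typing import List, Optional, Tuple

# Constructed `ps -ef` sample: the agent parent plus two (assumed) survey
# children, a grep that would match itself, and an unrelated process whose
# name merely contains "sps".
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Sep26 ?        00:00:02 /sbin/init
root      1234     1  0 Sep26 ?        00:01:10 /opt/seclient/sps
root      1240  1234  0 Sep26 ?        00:00:05 /opt/seclient/sps -survey
root      1241  1234  0 Sep26 ?        00:00:03 /opt/seclient/sps -survey
root      2048     1  0 Sep26 ?        00:00:00 /usr/sbin/spsd-unrelated
root      3001  2999  0 10:15 pts/0    00:00:00 grep sps
"""

# Match only commands whose executable basename is exactly "sps".
_SPS_CMD = re.compile(r"(?:^|/)sps(?:\s|$)")


def sps_processes(ps_output: str) -> List[Tuple[int, int, str]]:
    """Return (pid, ppid, cmd) for every sps process in a `ps -ef` listing."""
    found = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 7)          # CMD keeps its own spaces
        if len(fields) < 8:
            continue
        pid, ppid, cmd = int(fields[1]), int(fields[2]), fields[7]
        if cmd.startswith("grep "):
            continue  # the grep in the pipeline matches itself
        if _SPS_CMD.search(cmd):
            found.append((pid, ppid, cmd))
    return found


def lowest_sps_pid(ps_output: str) -> Optional[int]:
    """The PID the guide says to stop: the lowest among the sps processes."""
    procs = sps_processes(ps_output)
    return min(p[0] for p in procs) if procs else None


if __name__ == "__main__":
    listing = SAMPLE_PS
    if "--live" in sys.argv:
        listing = subprocess.run(["ps", "-ef"], capture_output=True,
                                 text=True, check=True).stdout
    pid = lowest_sps_pid(listing)
    if pid is None:
        print("no FortiScan agent (sps) process found")
    else:
        print(f"lowest sps PID is {pid}; stop it with: kill -9 {pid}")
```

Run it with --live on the host to work from the real listing. Because kill -9 sends SIGKILL, the agent gets no chance to clean up on exit, and child sps processes are not guaranteed to exit with their parent; if any remain in a second `ps -ef`, stop them individually before restarting the agent.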


Resetting a FortiScan agent

If you are experiencing problems such as a hanging scan job or a remediation not being successfully completed on the asset, there could be a problem with the FortiScan agent running on that asset. If you suspect this is the case, you can issue a command to reset its FortiScan agent. This terminates all the currently running jobs on the agent and kills all child processes spawned by these jobs. After the reset, these jobs are dispatched to the agent again.
To reset an agent:
1. From Current ADOM, select the name of an ADOM that is not Global.
2. Go to Asset > Inventory > Asset Inventory. The asset inventory appears (see Figure 53 on page 179).
3. In the asset navigation tree, select the group that contains the asset whose FortiScan agent you want to reset. The contents of the selected asset group appear in the asset inventory pane.
4. Mark the check box of the asset.
5. On the toolbar, select Reset.
During the next command channel interval, the FortiScan agent retrieves the directive to reset its survey processes.

Updating the FortiScan agents

You can update your ADOM’s FortiScan agents by dispatching an instruction to upgrade themselves. The .pkg firmware file includes the matching version of the FortiScan agent software. After updating the appliance’s firmware, you should update each asset’s FortiScan agent software. Because FortiScan agents communicate with the FortiScan appliance, they must run compatible software versions. Typically, you should update the agents only when updating or restoring the appliance’s firmware. For more information, see “Installing firmware and agent installers” on page 83 and “Restoring firmware (“clean install”)” on page 519.

There are multiple ways you can install and upgrade FortiScan agent software. You should upgrade using the same method that you used to install it to avoid potential problems. If you used the MSI installer, for example, update agents using the MSI installer.

To upgrade agents using the Web-based Manager:

1. Download the .pkg file for the new release software to your computer.
2. From Current ADOM, select an ADOM that is not Global. Assets are specific to each ADOM, and cannot be upgraded globally.
3. Go to Asset > Inventory > Agent Installation. The Releases Available For Upgrade dialog appears.
4. In the Upgrade Agent Software area, select the Upgrade Agent icon. The agent upgrade status for each asset appears in the content pane. Especially in a large ADOM, you may have many assets. You can filter the list of assets to focus on only online assets where the agent is installed, and therefore can be upgraded. In the Asset Status column, select the grey Filter icon and include only Protected assets. After applying the column filter, the filter icon will become green.

Upgrade

Mark the check box of one or more assets whose FortiScan agent you want to upgrade, then select Upgrade. Assets cannot be updated if their Agent Scan Status is Unprotected. Instead, you must first install the agent. For details, see “Agent Setup” on page 117.

Refresh

Select to update the list with current agent update statuses.

Column Settings

Select to choose which columns to display or hide in the window.

(Check box in column heading. No label.)

To select all rows in the list, mark the check box in the column heading.

Agent Version

The version of the FortiScan agent currently installed on the asset.

Asset Group

The name of the administrator-defined asset group to which the asset belongs, if any. If the asset belongs only to groups that are automatically maintained by the appliance, this field displays the word Ungrouped. For more information on groups, see “Grouping assets” on page 181.

Host Name

The host name of the asset.

IP

The IP address of the asset.

Agent Scan Status

The protection and connectivity status of the asset: Protected, Registered, Disconnected, New, or Retired. Assets whose asset status is not Protected will not participate when you schedule an agent software update. For details, see “Agent scan status” on page 26.


Upgrade Status

The progress of the update for the asset, if any:
• Not Started: Update command has been issued, but it has not yet been scheduled.
• Pending Dispatch: Update is scheduled, but the assets’ FortiScan agents have not yet connected for their next survey interval, and therefore have not yet received the directive to retrieve their software update.
• In Progress: Update has started, but is not yet complete.
• Completed: Update is complete.
• Error: Update failed due to errors. Errors can be caused by a full hard disk, missing dependencies, or other issues.
• Expired: Update did not complete within two days. This can occur if the asset status of some of the assets was Disconnected during the update.
To display the current agent update status, refresh the page.

Upgrade Result

The result of the update for the asset, if any, such as Not Available. There may be no results in this column if you have not yet attempted an update.

Last Upgrade Time

The date and time of the last time that an administrator attempted to update the agent.

Feedback

A detailed error message, such as Can not copy certificate files. This column is normally empty unless the update attempt fails.

5. Mark the check box of each asset whose FortiScan agent you want to upgrade. To upgrade all of the agents in your ADOM, mark the check box at the top of the column.
6. Select Upgrade. The selected FortiScan agents will retrieve the directive to upgrade themselves during their next command channel interval (see “Command Channel Interval (minutes)” on page 191). To view the current status of each upgrade attempt, on the toolbar, select Refresh. The Upgrade Status and the Upgrade Result columns show the progress of the upgrade for each asset.

Uninstalling a FortiScan agent

If you want to remove the FortiScan agent for any reason (such as taking a computer out of service), you can remove it locally, on the computer on which it is installed, or remotely, using the computer on which the push installer resides. Use whichever method was used to install the agent in the first place.

Older FortiScan agents should be uninstalled and replaced with a FortiScan agent matching the corresponding firmware version on the FortiScan appliance. Multiple versions of the FortiScan agent cannot coexist on the same asset. The push installer can uninstall old agents while installing the new agent from one convenient tool.

If you remove the FortiScan agent without installing a new one, the FortiScan appliance cannot protect the host.

To remove an agent that was installed with the MSI executable (Windows):

1. On the host, log in as Administrator.
2. Select the Start (Windows logo) menu to open it, then select Control Panel. On older versions of Windows, instead, go to Start > Control Panel.
3. Select Programs and Features. On older versions of Windows, instead, double-click Add or Remove Programs.
4. In the list of installed programs, select FortiScan Agent.
5. Select Uninstall. On older versions of Windows, instead, select Remove.

The FortiScan_Agent service is stopped and uninstalled. Some files, such as the .ceid file, remain for future use in case you install the FortiScan agent again. For more information about this file, see “CEIDs” on page 25.

Alternatively, you can use the MSI installer command to uninstall the agent:

msiexec /uninstall /quiet {<product_key>}

where <product_key> is the host’s specific FortiScan agent product key. The FortiScan agent product key is defined in the uninstaller batch program, uninstall.bat, and in the Windows registry.

To manually remove the agent (Windows):

1. On the host, log in as Administrator.
2. Select the Start (Windows logo) menu to open it, then select Control Panel. On older versions of Windows, instead, go to Start > Control Panel.
3. Select Administrative Tools. On older versions of Windows, instead, double-click Administrative Tools.
4. Double-click Services. A Microsoft Management Console window appears with the Services snap-in.
5. Locate the FortiScan agent service, right-click it, then select Stop.
6. Select the Start (Windows logo) menu to open it, then place your cursor in the Search programs and files field. On older versions of Windows, instead, go to Start > Run...
7. Type cmd then press Enter. A Windows command line window opens.


8. Enter the command to change directory to the one containing the FortiScan agent (sps.exe):
cd %SystemRoot%\seclient
This changes the command prompt to indicate that you have changed directories. Depending on the host’s OS, it should be either:
C:\Windows\seclient>
or
C:\WINNT\seclient>
9. Enter the command to remove the FortiScan agent from the Services list:
sps.exe /remove
10. Enter the command to open the folder %SystemRoot%:
explorer %SystemRoot%
11. Right-click the folder seclient and select Properties. The properties dialog for that folder opens.
12. Select the Security tab.
13. Select the Advanced button. The Advanced Security Settings for seclient dialog opens.
14. Select the Owner tab.
15. If the host is running a newer version of Windows, select the Edit button. An editable dialog appears.
16. In the Change owner to field, select Administrator. This changes the owner of the folder to the account that you used to log in, enabling you to delete the folder.

Alternatively, you could use the cacls command. For syntax, see http://technet.microsoft.com/en-us/library/bb490872.aspx.

17. Mark the check box Replace owner on subcontainers and objects.
18. Select OK on each dialog to save the changes and close the dialogs.
19. Delete the folder %SystemRoot%\seclient by dragging it to the Recycle Bin or by entering the following at the Windows command line:
rmdir /S /Q %SystemRoot%\seclient

To manually remove the agent locally (Red Hat or Solaris):

1. Log in as root. If you do not log in as root, you may need to run the sudo or su command to gain superuser privileges before you can successfully run the commands in the following step.
2. Enter the commands:
cd /opt/seclient/
./local-uninstall

To remove the FortiScan agent using the push installer Java applet:

You can also remove the agent using the Windows desktop application version of the push installer.


1. Log into the FortiScan appliance.
2. From Current ADOM, select the name of an ADOM that is not Global.
3. Go to Asset > Inventory > Asset Inventory.
4. In the asset navigation tree, select the asset group containing the asset or assets from which you want to remove the FortiScan agent. The list of assets appears in the asset group details pane.
5. Mark the check box of each asset whose FortiScan agent you want to remove, then, on the toolbar, select Installer. The Java applet version of the push installer opens in a pop-up window. The assets you selected appear in the list of hosts on the Hosts tab.
6. For each host from which you want to remove the FortiScan agent, configure:
• Host
• Platform
• Method
• ConnectUser
• ConnectPwd
• InstallUser
• InstallPwd
• Task (select uninstall)

Uninstalling the agent using the push installer will delete the .ceid file on the host, even if the DelCeid check box is not marked. If you want to keep the watermark for a future reinstallation, make a backup copy of the CEID before uninstalling.

For details on each setting, see “Running the push installer” on page 126.
7. Mark the check box of each host whose FortiScan agent you want to remove, or select the Check All button to select all hosts.
8. Select Push Agents. The push installer stops the FortiScan agent service/daemon on each selected host, then deletes the agent’s files. All files in the %SystemRoot%\seclient directory are deleted, but the directory itself will remain unless you delete it manually.


Troubleshooting

This topic provides guidelines to help you resolve issues if your FortiScan appliance is not behaving as you expect. Keep in mind that if you cannot resolve the issue on your own, you can contact Fortinet Customer Service & Support. This topic includes:
• Tools
• Troubleshooting basics
• Troubleshooting by issue type
• Restoring firmware (“clean install”)

Tools

To locate network errors and other issues that may prevent connections from passing to the FortiScan appliance, FortiScan appliances feature several troubleshooting tools. You may also be able to perform additional tests from your management computer or the other hosts in your network. Troubleshooting methods may use:
• the command line interface (CLI)
• the Web-based Manager
• external third-party tools
Some CLI commands provide troubleshooting information not available through the web UI; third-party tools on external hosts can test connections from perspectives that cannot be achieved locally.

Ping and traceroute

If your FortiScan appliance cannot connect to other hosts, try using ICMP (ping and traceroute) to determine if the host is reachable or to locate the node of your network at which connectivity fails, such as when static routes are incorrectly configured. You can do this from the FortiScan appliance using CLI commands. For example, you might use ICMP ping to determine that 172.16.1.10 is reachable:

execute ping 172.16.1.10
PING 172.16.1.10 (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=64 time=2.4 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=64 time=1.4 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=64 time=1.4 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=64 time=0.8 ms
64 bytes from 172.16.1.10: icmp_seq=4 ttl=64 time=1.4 ms
--- 172.20.120.167 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.8/1.4/2.4 ms

or that 192.168.1.10 is not reachable:

execute ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10): 56 data bytes
Timeout ...
Timeout ...
Timeout ...
Timeout ...
Timeout ...
--- 192.168.1.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Both ping and traceroute require that network nodes respond to ICMP ECHO_REQUEST. If you have disabled either requests or responses to ICMP on your network, hosts may appear to be unreachable to ping and traceroute, even if connections using other protocols (or even other ICMP types) can succeed.

If the host is not reachable, you can use traceroute to determine the router hop or host at which the connection fails:

execute traceroute 192.168.1.10
traceroute to 192.168.1.10 (192.168.1.10), 32 hops max, 72 byte packets
1 192.168.1.2 2 ms 0 ms 1 ms
2 * * *

For more information on CLI commands, see the FortiScan CLI Reference. For more information on troubleshooting connectivity, see “Connectivity issues” on page 508.

Log messages Log messages often contain clues that can aid you in determining the cause of a problem. FortiScan appliances can record log messages when errors occur that cause failures, upon significant changes, and upon processing events. To view logs, go to Events & Tickets > System Log > Historical.

Diff

You can compare backups of the core configuration file with your current configuration. This can be useful if, for example:
• A previously configured feature is no longer functioning, and you are not sure what in the configuration has changed.
• You want to recreate something configured previously, but do not remember what the settings were.
Difference programs can help you to quickly find all changes.


Figure 265: Configuration differences highlighted in WinMerge

There are many such difference-finding programs, such as WinMerge and the original diff. They can compare your configurations, line by line, and highlight parts that are new, modified, or deleted. For instructions, see your difference program’s documentation.

Packet capture

Packet capture, also known as sniffing, records some or all of the packets seen by a network interface. By recording packets, you can trace connection states to the exact point at which they fail, which may help you to diagnose some types of problems that are otherwise difficult to detect. FortiScan appliances have a built-in sniffer. Packet capture on FortiScan appliances is similar to that of FortiGate appliances. To use the built-in sniffer, connect to the CLI and enter the following command:

diagnose sniffer packet [<interface>] [{none | '<filter>'}] [{1 | 2 | 3}] [<count>]

where:
• <interface> is either the name of a network interface, such as port1, or enter any for all interfaces.
• '<filter>' is the sniffer filter that specifies which protocols and port numbers you do or do not want to capture, such as 'tcp port 80' or 'src host 172.168.1.10', or enter none for no filters.
• {1 | 2 | 3} is an integer indicating the depth of packet headers and payloads to display: 1 for header only, 2 for IP header and payload, or 3 for Ethernet header and payload.
• <count> is the number of packets the sniffer reads before stopping.

Packet capture output is printed to your CLI display until you stop it by pressing Ctrl+C, or until it reaches the number of packets that you have specified to capture.

Packet capture can be very resource intensive. To minimize the performance impact on your FortiScan appliance, use packet capture only during periods of minimal traffic, with a serial console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.

For example, you might capture all TCP port 443 (typically HTTPS) traffic occurring through port1, regardless of its source or destination IP address. The capture uses a high level of verbosity (indicated by 3). A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator presses CTRL+C. The sniffer then confirms that five packets were seen by that network interface. Verbose output can be very long. As a result, the output shown below is truncated after only one packet.

FortiScan# diagnose sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000 0009 0f09 0001 0009 0f89 2914 0800 4500 ..........)...E.
0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .

Requirements
• terminal emulation software such as PuTTY
• a plain text editor such as Notepad
• a Perl interpreter
• network protocol analyzer software such as Wireshark

To view packet capture output using PuTTY and Wireshark:

1. On your management computer, start PuTTY.
2. Use PuTTY to connect to the FortiScan appliance using either a local serial console, SSH, or Telnet connection. For details, see the FortiScan CLI Reference.
3. Type the packet capture command, such as:
diagnose sniffer packet port1 'src 172.16.1.10' 3
but do not press Enter yet.
4. In the upper left corner of the window, select the PuTTY icon to open its drop-down menu, then select Change Settings.

Figure 266: PuTTY window

A dialog appears where you can configure PuTTY to save output to a plain text file.
5. In the Category tree on the left, go to Session > Logging.
6. In Session logging, select Printable output.
7. In Log file name, select the Browse button, then choose a directory path and file name such as C:\Users\MyAccount\packet_capture.txt to save the packet capture to a plain text file. (You do not need to save it with the .log file extension.)
8. Select Apply.
9. Press Enter to send the CLI command to the FortiScan appliance, beginning packet capture.
10. If you have not specified a number of packets to capture, when you have captured all packets that you want to analyze, press Ctrl + C to stop the capture.
11. Close the PuTTY window.
12. Open the packet capture file using a plain text editor such as Notepad.


Figure 267: Packet capture

13. Delete the first and last lines, which look like this:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=
FortiScan-3000 #
These lines are a PuTTY timestamp and a command prompt, which are not part of the packet capture. If you do not delete them, they could interfere with the script in the next step.
14. Convert the plain text file to a format recognizable by your network protocol analyzer application. You can convert the plain text file to a format (.pcap) recognizable by Wireshark (formerly called Ethereal) using the fgt2eth.pl Perl script. To download fgt2eth.pl, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer.

The fgt2eth.pl script is provided as-is, without any implied warranty or technical support, and requires that you first install a Perl module compatible with your operating system.

To use fgt2eth.pl, open a command prompt, then enter a command such as the following. (Methods to open a command prompt vary by operating system. On Windows XP, go to Start > Run and enter cmd. On Windows 7, select the Start (Windows logo) menu to open it, then enter cmd.)

fgt2eth.pl -in packet_capture.txt -out packet_capture.pcap

where:
• fgt2eth.pl is the name of the conversion script; include the path relative to the current directory, which is indicated by the command prompt
• packet_capture.txt is the name of the packet capture’s output file; include the directory path relative to your current directory
• packet_capture.pcap is the name of the conversion script’s output file; include the directory path relative to your current directory where you want the converted output to be saved


Figure 268: Converting sniffer output to .pcap format

15. Open the converted file in your network protocol analyzer application. For further instructions, see the documentation for that application.

Figure 269: Viewing sniffer output in Wireshark

For additional information on packet capture, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer. For more information on CLI commands, see the FortiScan CLI Reference.
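As an added example that is not part of this guide and is not Fortinet's fgt2eth.pl, the following Python script performs the conversion that step 14 describes: it parses the verbosity-3 output of diagnose sniffer packet as logged by PuTTY (skipping the PuTTY banner, CLI prompt and sniffer header lines on its own, so the clean-up in step 13 is not required) and writes a standard pcap file that Wireshark opens directly. The sample capture embedded in it is constructed, and the script name sniffer2pcap.py and the base_time parameter are this example's own assumptions.

```python
"""Convert FortiScan/FortiOS 'diagnose sniffer packet <iface> <filter> 3' output, as
logged by PuTTY, into a pcap file. Added example; not Fortinet's fgt2eth.pl."""
import re
import struct
import sys
from typing import List, Tuple

# Summary line printed before each hex dump, e.g.
# "10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898"
SUMMARY_RE = re.compile(r"^(\d+\.\d+)\s+\S")
# Hex-dump row: offset, up to eight 16-bit words, then an ASCII column, e.g.
# "0x0010 003c 73d1 4000 4006 3bc6 c0a8 0001 c0a8 .<s.@.@.;......."
HEX_ROW_RE = re.compile(r"^0x([0-9a-fA-F]{4})\s+(.*)$")
HEX_WORD_RE = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1     # verbosity 3 dumps begin at the Ethernet header


def parse_sniffer_output(text: str) -> List[Tuple[float, bytes]]:
    """Return (relative_timestamp, frame_bytes) for each packet in the capture.

    Lines that are neither a summary line nor a hex row (PuTTY banner, CLI
    prompt, 'interfaces=[...]', 'filters=[...]', packet counters) are ignored.
    """
    packets: List[Tuple[float, bytes]] = []
    ts = None
    body = bytearray()
    for raw in text.splitlines():
        line = raw.strip()
        row = HEX_ROW_RE.match(line)
        if row and ts is not None:
            offset = int(row.group(1), 16)
            if offset != len(body):  # rows must be contiguous; catches a mangled log
                raise ValueError(f"row offset 0x{offset:04x} but {len(body)} bytes collected")
            words = []
            for tok in row.group(2).split():
                # Stop at the 16-byte row limit or at the first non-hex token,
                # which is where the ASCII column begins.
                if len(words) == 8 or not HEX_WORD_RE.match(tok):
                    break
                words.append(tok)
            body.extend(bytes.fromhex("".join(words)))
            continue
        summary = SUMMARY_RE.match(line)
        if summary:
            if ts is not None and body:
                packets.append((ts, bytes(body)))
            ts = float(summary.group(1))
            body = bytearray()
    if ts is not None and body:
        packets.append((ts, bytes(body)))
    return packets


def to_pcap(packets: List[Tuple[float, bytes]], base_time: float = 0.0) -> bytes:
    """Serialise packets as a pcap file: global header, then one record per frame.

    Sniffer timestamps are relative to the start of the capture; pass the epoch
    time of the capture start (e.g. taken from the PuTTY log banner) as
    base_time to see wall-clock times in Wireshark.
    """
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        t = base_time + ts
        sec = int(t)
        usec = int(round((t - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


# Constructed sample of a PuTTY-logged capture: one 74-byte TCP SYN (Ethernet + IPv4 + TCP).
SAMPLE_CAPTURE = """\
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=
FortiScan-3000 # diagnose sniffer packet port1 'tcp port 443' 3 1
interfaces=[port1]
filters=[tcp port 443]
0.123456 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000\t 0009 0f09 0001 0009 0f89 2914 0800 4500\t..........)...E.
0x0010\t 003c 73d1 4000 4006 3bc6 c0a8 0001 c0a8\t.<s.@.@.;.......
0x0020\t 0002 c442 01bb 2d67 3ad2 0000 0000 a002\t...B..-g:.......
0x0030\t 16d0 8a6f 0000 0204 05b4 0402 080a 0012\t...o............
0x0040\t d9f1 0000 0000 0103 0307\t\t\t........
1 packets received by filter
0 packets dropped by kernel
FortiScan-3000 #
"""

if __name__ == "__main__":
    # Usage: python sniffer2pcap.py packet_capture.txt packet_capture.pcap
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        with open(sys.argv[2], "wb") as fh:
            fh.write(to_pcap(parse_sniffer_output(text)))
    else:
        print(f"{len(to_pcap(parse_sniffer_output(SAMPLE_CAPTURE)))} bytes of pcap from the sample")
```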


Troubleshooting basics If you are new to troubleshooting this appliance, or to network appliances in general, this section explains how.

Establishing a system baseline

Before you can define an abnormal operation, you need to know what normal operation is. When there is a problem, a baseline for normal operation helps you to define what is wrong or changed. Baseline information can include:
• Logging (see “Logs” on page 464)
• Monitoring performance statistics such as memory usage (see “System resources widget” on page 430 and “SNMP traps and queries” on page 457)
• Regular backups of the FortiScan appliance's configuration (see “Backup your FortiScan” on page 167)
If you accidentally change something, the backup can help you restore normal operation quickly and easily. Backups also can aid in troubleshooting: you can use a tool such as diff to find the parts of the configuration that have changed.

Defining the type of problem

Before you can solve a problem, you need to understand it. Consider these questions:
• Where and when did the problem occur?
• Has it ever worked before? If the appliance never worked properly, you may not want to spend time troubleshooting something that could well be defective.
• Where does the problem lie? Be specific. Do not assume the problem being experienced is the actual problem. First determine if the FortiScan appliance's problem lies elsewhere (somewhere in the network, perhaps) before starting to troubleshoot the appliance.
• Is it a connectivity issue? Can your FortiScan appliance communicate with your network and the Internet? Is there a connection to a DNS server?
• Is there more than one thing not working?
• Is it partly working? If so, what parts are working?
• Can the problem be reproduced at will or is it intermittent? An intermittent problem can be difficult to troubleshoot due to the difficulty reproducing the issue.
• What has changed? Do not assume that nothing has changed in the network. Use the FortiScan event log to see if something changed in the configuration. If something did change, see what the effect is when you roll back the change.
• After determining the scope of the problem and isolating it, what servers does it affect?
Once the problem is defined, you can search for a solution and then create a troubleshooting plan to solve it.


Searching for a known solution

Check within your organization. You can save time and effort during the troubleshooting process by checking if other FortiScan administrators experienced a similar problem before. Also search resources provided by Fortinet:
• the Release Notes provided with your firmware
• Technical documentation (references, installation guides, and other documents)
• Knowledge base (technical support articles and white papers)
• Online campus (tutorials and training materials)

Creating a plan

Once you fully define the problem or problems, begin creating a troubleshooting plan. The plan should list all possible causes of the problems that you can think of, and how to test each cause. The plan will act as a checklist so that you know what you have tried and what is left to check. The checklist is helpful if more than one person will be troubleshooting: without a written plan, people can easily become confused and steps can be skipped. Also, if you have to pass the problem-solving to someone else, providing a detailed list of what data you gathered and what solutions you tried can prevent duplicated effort. Partway through, you may discover that you forgot some tests, or that a test you performed uncovered new information. If so, adjust your plan.

Obtaining access & privileges for equipment Make sure your administrator account has the permissions you need to run all diagnostic tests and to make configuration changes. Also, you may need access to other networking equipment such as switches, routers, and servers to help you test. If you do not normally have access to this equipment, contact your network administrator for assistance.

Check to make sure the FortiScan appliance’s attack signature update license has not expired. You should be working with the latest attack signatures and other updates.

Troubleshooting by issue type Recommended steps for troubleshooting vary by the type of issue.

Connectivity issues

One of your first tests when configuring a new policy should be to determine whether allowed traffic is flowing to your web servers.
• Is there a server policy applied to the web server or servers FortiScan was installed to protect? If it is operating in reverse proxy mode, FortiScan will not allow any traffic to reach a protected web server unless there is a matching server policy that permits it.
• If your network utilizes secure connections (HTTPS) and there is no traffic flow, is there a problem with your certificate?
• If you run a test attack from a browser aimed at your web site, does it show up in the attack log? To execute a simple attack, append the cmd.exe command to your site's URL, for example www.example.com/cmd.exe. Under normal circumstances, you should see a new common exploit entry, such as a start page violation, in the Attack Log widget of the system dashboard.

Checking hardware connections

If there is no traffic flowing from the FortiScan appliance, it may be a hardware problem. To check hardware connections:
• Ensure the network cables are properly plugged in to the interfaces on the FortiScan appliance.
• Ensure there are connection lights for the network cables on the appliance.
• Change the cable if the cable or its connector are damaged or you are unsure about the cable’s type or quality.
• Connect the FortiScan appliance to different hardware to see if that makes a difference.
• In the Web-based Manager, select Status > Network > Interface and ensure the link status is up for the interface. If the status is down (down arrow on red circle), select Bring Up next to it in the Status column. You can also enable an interface in the CLI, for example:
config global
config system interface
edit port2
set status up
end
If any of these checks solve the problem, it was a hardware connection issue. You should still perform some basic software tests to ensure complete connectivity.

If the hardware connections are correct and the appliance is powered on but you cannot connect using the CLI or Web-based Manager, you may be experiencing bootup problems. See “Bootup issues” on page 518.

Examining the ARP table When you have poor connectivity, another good place to look for information is the address resolution protocol (ARP) table. A functioning ARP is especially important in high-availability configurations. To check the ARP table in the CLI, enter: diagnose network arp list

Checking routing

ping and traceroute are useful tools in network connectivity and route troubleshooting. Since you typically use these tools to troubleshoot, you can allow ICMP, the protocol used by these tools, in firewall policies and on interfaces only when you need them. Otherwise, disable ICMP for improved security and performance. By default, FortiScan appliances will respond to ping and traceroute. However, if the appliance does not respond, and there are no firewall policies that block them, ICMP type 0 (ECHO_RESPONSE) might be effectively disabled.


To enable ping and traceroute responses from FortiScan:

1. From Current ADOM, select Global. Network interfaces are configured for the entire appliance, and are not specific to each ADOM. The menu in the next step is available only if Current ADOM is Global.
2. Go to System > Network > Interface.
3. In the row for the network interface which you want to respond to ICMP type 8 (ECHO_REQUEST) for ping and UDP for traceroute, select Edit. A dialog appears.
4. Enable PING. Disabling PING only prevents FortiScan from receiving ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP. It does not disable FortiScan CLI commands such as execute ping or execute traceroute that send such traffic.
5. Select OK. The appliance should now respond when another device such as your management computer sends a ping or traceroute to that network interface.

To verify routes between clients and your FortiScan:

1. Use the ping command on both the client and the FortiScan to verify that a route exists between the two. Test traffic movement in both directions: from the client to the FortiScan, and from the FortiScan to the client. If you will not be using remote vulnerability scans, FortiScan appliances do not need to be able to initiate a connection, but must be able to send reply traffic along a return path. For details, see “Testing for connectivity with ping” on page 511.

In networks using features such as asymmetric routing, routing success in one direction does not guarantee success in the other.

If the routing test succeeds, continue with step 3. If the routing test fails, continue to the next step.
2. Use the tracert or traceroute command on both the client and the FortiScan (depending on their operating systems) to locate the point of failure along the route. For details, see “Testing routes & latency with traceroute” on page 514. If the route is broken when it reaches the FortiScan appliance, first examine its network interfaces and routes. To display network interface addresses and subnets, enter the CLI command:
show system interface
To display all recently-used routes with their priorities, enter the CLI command:
diagnose network route list
You may need to verify that the physical cabling is reliable and not loose or broken, that there are no IP address or MAC address conflicts or blacklisting, and no misconfigured DNS records, and otherwise rule out problems at the physical, network, and transport layers. If these tests succeed and a route exists, but clients still cannot submit surveys, an application-layer problem is preventing connectivity.
3. For application-layer problems, verify that the FortiScan appliance, and the routers and firewalls between the host and the FortiScan appliance, permit HTTP and/or HTTPS connectivity between them.

Testing for connectivity with ping The ping command sends a small data packet to the destination and waits for a response. The response has a timer that may expire, indicating that the destination is unreachable via ICMP.

Connectivity via ICMP only proves that a route exists. It does not prove that connectivity also exists via other protocols at other layers such as HTTP.

ICMP is part of Layer 3 on the OSI Networking Model. ping sends Internet Control Message Protocol (ICMP) ECHO_REQUEST packets to the destination, and listens for ECHO_RESPONSE packets in reply. Some networks block ICMP packets because they can be used in a ping flood or denial of service (DoS) attack if the network does not have anti-DoS capabilities, or because ping can be used by an attacker to find potential targets on the network.

Beyond basic existence of a possible route between the source and destination, ping tells you the amount of packet loss (if any), how long it takes the packet to make the round trip (latency), and the variation in that time from packet to packet (jitter).

If ping shows some packet loss, investigate:
• cabling to eliminate loose connections
• ECMP, split horizon, or network loops
• all equipment between the ICMP source and destination to minimize hops
If ping shows total packet loss, investigate:
• cabling to eliminate incorrect connections
• all firewalls, routers, and other devices between the two locations to verify correct IP addresses, routes, MAC lists, and policy configurations
If ping finds an outage between two points, use traceroute to locate exactly where the problem is.

To ping a device from the FortiScan CLI:

1. Log in to the CLI via either SSH or Telnet. Alternatively, you can ping from the FortiScan appliance in the CLI Console widget of the Web-based Manager.
2. If you want to adjust the behavior of execute ping, first use the execute ping-options command. For details, see the FortiScan CLI Reference.
3. Enter the command:
execute ping <host>
where <host> is the IP address of the device that you want to verify that the appliance can connect to, such as 192.168.1.1.
To verify that routing is bi-directionally symmetric, you should also ping the appliance. See “To enable ping and traceroute responses from FortiScan:” on page 510 and “To ping a device from a Microsoft Windows computer:” on page 512 or “To ping a device from a Linux or Mac OS X computer:” on page 513.

Fortinet Technologies Inc.

Page 511

FortiScan v5.0 MR1 Administration Guide

If the appliance can reach the host via ICMP, output similar to the following appears:

    PING 192.168.1.1 (192.168.1.1): 56 data bytes
    64 bytes from 192.168.1.1: icmp_seq=0 ttl=253 time=6.5 ms
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=253 time=7.4 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=253 time=6.0 ms
    64 bytes from 192.168.1.1: icmp_seq=3 ttl=253 time=5.5 ms
    64 bytes from 192.168.1.1: icmp_seq=4 ttl=253 time=7.3 ms
    --- 192.168.1.1 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 5.5/6.5/7.4 ms

If the appliance cannot reach the host via ICMP, output similar to the following appears:

    PING 10.0.0.1 (10.0.0.1): 56 data bytes
    Timeout ...
    Timeout ...
    Timeout ...
    Timeout ...
    Timeout ...
    --- 10.0.0.1 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss

“100% packet loss” and “Timeout” indicate that the host is not reachable. For more information, see the FortiScan CLI Reference.

To ping a device from a Microsoft Windows computer:
1. Select the Start (Windows logo) menu to open it. If the host is running Windows XP, instead go to Start > Run...
2. Type cmd, then press Enter. The Windows command line appears.
3. Enter the command ping followed by zero or more options and the IP address of the device that you want to verify that the computer can connect to, such as 192.168.1.1. Options include:
• -t — Send packets until you press Control-C.
• -a — Resolve IP addresses to domain names where possible.
• -n x — Where x is the number of packets to send.
For example, you might enter:

    ping -n 5 192.168.1.1

If the computer can reach the destination, output similar to the following appears:

    Pinging 192.168.1.1 with 32 bytes of data:
    Reply from 192.168.1.1: bytes=32 time=7ms TTL=253
    Reply from 192.168.1.1: bytes=32 time=6ms TTL=253
    Reply from 192.168.1.1: bytes=32 time=11ms TTL=253
    Reply from 192.168.1.1: bytes=32 time=5ms TTL=253

    Ping statistics for 192.168.1.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 5ms, Maximum = 11ms, Average = 7ms

If the computer cannot reach the destination, output similar to the following appears:

    Pinging 10.0.0.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 10.0.0.1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

“100% loss” and “Request timed out.” indicate that the host is not reachable.

To ping a device from a Linux or Mac OS X computer:
1. Open a command prompt.

Alternatively, on Mac OS X, you can use the Network Utility application.

2. Enter the command ping followed by zero or more options and the IP address of the device that you want to verify that the computer can connect to, such as 192.168.1.1. Options include:
• -W y — Wait y seconds for ECHO_RESPONSE.
• -c x — Where x is the number of packets to send.
If the command is not found, you can either enter the full path to the executable or add its path to your shell environment variables. The path to the ping executable varies by distribution, but may be /bin/ping. If you do not supply a packet count, output will continue until you terminate the command with Control-C. For more information on options, enter man ping.
For example, you might enter:

    ping -c 5 -W 2 192.168.1.1

If the computer can reach the destination via ICMP, output similar to the following appears:

    PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=253 time=6.85 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=253 time=7.64 ms
    64 bytes from 192.168.1.1: icmp_seq=3 ttl=253 time=8.73 ms
    64 bytes from 192.168.1.1: icmp_seq=4 ttl=253 time=11.0 ms
    64 bytes from 192.168.1.1: icmp_seq=5 ttl=253 time=9.72 ms

    --- 192.168.1.1 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4016ms
    rtt min/avg/max/mdev = 6.854/8.804/11.072/1.495 ms

If the computer cannot reach the destination via ICMP, and you specified a wait and packet count rather than having the command wait for your Control-C, output similar to the following appears:

    PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.

    --- 10.0.0.1 ping statistics ---
    5 packets transmitted, 0 received, 100% packet loss, time 5999ms

“100% packet loss” indicates that the host is not reachable.

Otherwise, if you terminate by pressing Control-C (^C), output similar to the following appears:

    PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
    From 172.20.120.2 icmp_seq=31 Destination Host Unreachable
    From 172.20.120.2 icmp_seq=30 Destination Host Unreachable
    From 172.20.120.2 icmp_seq=29 Destination Host Unreachable
    ^C
    --- 10.0.0.1 ping statistics ---
    41 packets transmitted, 0 received, +9 errors, 100% packet loss, time 40108ms
    pipe 3

“100% packet loss” and “Destination Host Unreachable” indicate that the host is not reachable.
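As an added example (not part of the original guide), the following Python script summarizes ping output in the three formats shown above (FortiScan CLI, Windows, Linux/Mac OS X) and applies the troubleshooting verdicts from this section. The sample outputs are constructed copies of the ones above, and the jitter measure (mean change in RTT between consecutive replies) is the editor's assumption.

```python
import re
import statistics

# Per-packet reply lines in the formats shown in this section:
#   FortiScan CLI / Linux / Mac OS X: "64 bytes from 192.168.1.1: icmp_seq=1 ttl=253 time=6.85 ms"
#   Windows:                          "Reply from 192.168.1.1: bytes=32 time=7ms TTL=253"
REPLY_RE = re.compile(r"^(?:\d+ bytes from|Reply from) \S+.*?\btime[=<]([\d.]+)\s*ms", re.M)
# Statistics lines: "5 packets transmitted, 5 [packets] received" or "Sent = 4, Received = 4"
UNIX_SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")
WIN_SUMMARY_RE = re.compile(r"Sent = (\d+), Received = (\d+)")
# Strings the guide names as signs that the host is not reachable.
FAILURE_MARKERS = ("Timeout", "Request timed out.", "Destination Host Unreachable")


def analyze_ping(output):
    """Return packet loss, latency, jitter and a verdict for one ping run's output."""
    m = UNIX_SUMMARY_RE.search(output) or WIN_SUMMARY_RE.search(output)
    if m is None:
        raise ValueError("no ping statistics line found in output")
    sent, received = int(m.group(1)), int(m.group(2))
    loss_pct = 100.0 * (sent - received) / sent if sent else 100.0

    rtts = [float(t) for t in REPLY_RE.findall(output)]
    # Jitter (assumption): mean change in RTT between consecutive replies, a simple
    # measure of the packet-to-packet variation the guide describes.
    deltas = [abs(a - b) for a, b in zip(rtts, rtts[1:])]
    jitter = statistics.fmean(deltas) if deltas else 0.0
    markers = [mk for mk in FAILURE_MARKERS if mk in output]

    # Verdicts follow the troubleshooting advice given in this section.
    if received == 0:
        verdict = ("unreachable: check cabling and every firewall/router in the path; "
                   "use traceroute to locate the break")
    elif received < sent:
        verdict = "partial loss: check cabling, ECMP/split horizon/loops, and hop count"
    else:
        verdict = "reachable via ICMP (proves a route exists, not that HTTP or other protocols work)"

    return {
        "sent": sent,
        "received": received,
        "loss_pct": round(loss_pct, 1),
        "rtt_min": min(rtts) if rtts else None,
        "rtt_avg": round(statistics.fmean(rtts), 2) if rtts else None,
        "rtt_max": max(rtts) if rtts else None,
        "jitter_ms": round(jitter, 2),
        "failure_markers": markers,
        "reachable": received > 0,
        "verdict": verdict,
    }


# Constructed samples modeled on the outputs shown in this section.
FORTISCAN_OK = """\
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=253 time=6.5 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=253 time=7.4 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=253 time=6.0 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=253 time=5.5 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=253 time=7.3 ms
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 5.5/6.5/7.4 ms
"""

WINDOWS_FAIL = """\
Pinging 10.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""

LINUX_PARTIAL = """\
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=253 time=6.85 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=253 time=8.73 ms
64 bytes from 192.168.1.1: icmp_seq=5 ttl=253 time=9.72 ms

--- 192.168.1.1 ping statistics ---
5 packets transmitted, 3 received, 40% packet loss, time 4016ms
rtt min/avg/max/mdev = 6.854/8.433/9.720/1.180 ms
"""

if __name__ == "__main__":
    for name, sample in (("FortiScan", FORTISCAN_OK), ("Windows", WINDOWS_FAIL),
                         ("Linux", LINUX_PARTIAL)):
        print(name, analyze_ping(sample))
```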

Testing routes & latency with traceroute

traceroute sends ICMP packets to test each hop along the route. It sends three packets to the destination, then increases the time to live (TTL) setting by one and sends another three packets to the destination. As the TTL increases, packets go one hop farther along the route until they reach the destination. Most traceroute commands display their maximum hop count — that is, the maximum number of steps they will take before declaring the destination unreachable — before they start tracing the route. The TTL setting may result in routers or firewalls along the route timing out due to high latency.

Where ping only tells you if the signal reached its destination and returned successfully, traceroute shows each step of its journey to its destination and how long each step takes. If you specify the destination using a domain name, the traceroute output can also indicate DNS problems, such as an inability to connect to a DNS server.

By default, traceroute uses UDP with destination ports numbered from 33434 to 33534. The traceroute utility usually has an option to specify use of ICMP ECHO_REQUEST (type 8) instead, as used by the Windows tracert utility. If you have a firewall and you want traceroute to work from both machines (Unix-like systems and Windows), you will need to allow both protocols inbound through your firewall (UDP ports 33434 - 33534 and ICMP type 8).

To trace the route to a device from the FortiScan CLI:
1. Log in to the CLI via either SSH, Telnet, or the CLI Console widget of the Web-based Manager.
2. Enter the command execute traceroute followed by either the device’s IP address or its fully qualified domain name (FQDN). For example, you might enter:

    execute traceroute www.example.com

If the appliance has a complete route to the destination, output similar to the following appears:

    traceroute to www.fortinet.com (66.171.121.34), 32 hops max, 84 byte packets
     1 172.16.1.2 0 ms 0 ms 0 ms
     2 209.87.254.221 2 ms 2 ms 2 ms
     3 209.87.239.129 2 ms 1 ms 2 ms
     4 67.69.228.161 2 ms 2 ms 3 ms
     5 64.230.164.17 3 ms 3 ms 2 ms
     6 64.230.132.234 20 ms 20 ms 20 ms
     7 64.230.132.58 24 ms 21 ms 24 ms
     8 64.230.138.154 8 ms 9 ms 8 ms
     9 64.230.185.145 23 ms 23 ms 23 ms
    10 12.89.71.9 23 ms 22 ms 22 ms
    11 12.122.134.238 100 ms 12.123.10.130 101 ms 102 ms
    12 12.122.18.21 101 ms 100 ms 99 ms
    13 12.122.4.121 100 ms 98 ms 100 ms
    14 12.122.1.118 98 ms 98 ms 100 ms
    15 12.122.110.105 96 ms 96 ms 96 ms
    16 12.116.52.42 94 ms 94 ms 94 ms
    17 203.78.181.10 88 ms 87 ms 87 ms
    18 203.78.181.130 90 ms 89 ms 90 ms
    19 66.171.121.34 91 ms 89 ms 91 ms
    20 66.171.121.34 91 ms 91 ms 89 ms

Each line lists the routing hop number, the IP address and FQDN (if any) of that hop, and the 3 response times from that hop. Typically a value of <1ms indicates a local router.

If the appliance does not have a complete route to the destination, output similar to the following appears:

    traceroute to 10.0.0.1 (10.0.0.1), 32 hops max, 84 byte packets
     1 172.16.1.2 0 ms 0 ms 0 ms
     2 172.16.1.10 0 ms 0 ms 0 ms
     3 * * *
     4 * * *

The asterisks ( * ) indicate no response from that hop in the network routing. For more information, see the FortiScan CLI Reference.

To trace the route to a device from a Microsoft Windows computer:
1. Select the Start (Windows logo) menu to open it. If the host is running Windows XP, instead go to Start > Run...
2. Type cmd, then press Enter. The Windows command line appears.
3. Enter the command tracert followed by either the device’s IP address or its FQDN.

If the appliance has a complete route to the destination, output similar to the following appears:

    Tracing route to www.fortinet.com [66.171.121.34]
    over a maximum of 30 hops:

      1    <1 ms    <1 ms    <1 ms  172.16.1.2
      2     2 ms     2 ms     2 ms  static-209-87-254-221.storm.ca [209.87.254.221]
      3     2 ms     2 ms    22 ms  core-2-g0-1-1104.storm.ca [209.87.239.129]
      4     3 ms     3 ms     2 ms  67.69.228.161
      5     3 ms     2 ms     3 ms  core2-ottawa23_POS13-1-0.net.bell.ca [64.230.164.17]
    (Output abbreviated.)
     15    97 ms    97 ms    97 ms  gar2.sj2ca.ip.att.net [12.122.110.105]
     16    94 ms    94 ms    94 ms  12.116.52.42
     17    87 ms    87 ms    87 ms  203.78.181.10
     18    89 ms    89 ms    90 ms  203.78.181.130
     19    89 ms    89 ms    90 ms  fortinet.com [66.171.121.34]
     20    90 ms    90 ms    91 ms  fortinet.com [66.171.121.34]

    Trace complete.

Each line lists the routing hop number, the 3 response times from that hop, and the IP address and FQDN (if any) of that hop. Typically a value of <1ms indicates a local router.

If the appliance does not have a complete route to the destination, output similar to the following appears:

    Tracing route to 10.0.0.1 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  172.16.1.2
      2    <1 ms    <1 ms    <1 ms  172.16.1.10
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5  ^C

The asterisks ( * ) and “Request timed out.” indicate no response from that hop in the network routing.

To trace the route to a device from a Linux or Mac OS X computer:
1. Open a command prompt.
2. Enter the command traceroute followed by either the device’s IP address or its FQDN (the path to the executable varies by distribution).

If the appliance has a complete route to the destination, output similar to the following appears:

    traceroute to www.fortinet.com (66.171.121.34), 30 hops max, 60 byte packets
     1  172.16.1.2 (172.16.1.2)  0.189 ms  0.277 ms  0.226 ms
     2  static-209-87-254-221.storm.ca (209.87.254.221)  2.554 ms  2.549 ms  2.503 ms
     3  core-2-g0-1-1104.storm.ca (209.87.239.129)  2.461 ms  2.516 ms  2.417 ms
     4  67.69.228.161 (67.69.228.161)  3.041 ms  3.007 ms  2.966 ms
     5  core2-ottawa23_POS13-1-0.net.bell.ca (64.230.164.17)  3.004 ms  2.998 ms  2.963 ms
    (Output abbreviated.)
    16  12.116.52.42 (12.116.52.42)  94.379 ms  94.114 ms  94.162 ms
    17  203.78.181.10 (203.78.181.10)  122.879 ms  120.690 ms  119.049 ms
    18  203.78.181.130 (203.78.181.130)  89.705 ms  89.411 ms  89.591 ms
    19  fortinet.com (66.171.121.34)  89.717 ms  89.584 ms  89.568 ms

Each line lists the routing hop number, the IP address and FQDN (if any) of that hop, and the 3 response times from that hop. Typically a value of <1ms indicates a local router.

If the appliance does not have a complete route to the destination, output similar to the following appears:

    traceroute to 10.0.0.1 (10.0.0.1), 30 hops max, 60 byte packets
     1  * * *
     2  172.16.1.10 (172.16.1.10)  4.160 ms  4.169 ms  4.144 ms
     3  * * *
     4  * * *^C

The asterisks ( * ) indicate no response from that hop in the network routing.

If the computer’s DNS query cannot resolve the host name, output similar to the following appears:

    example.lab: Name or service not known
    Cannot handle "host" cmdline arg `example.lab' on position 1 (argc 1)
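As an added example, not part of the original guide: a Python parser for the traceroute and tracert outputs shown above that locates the last responding hop and the first silent hop after it, and recognizes the DNS failure message. The sample outputs are constructed from this section, and the diagnosis wording is the editor's.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")        # hop number, then the rest of the line
RTT_RE = re.compile(r"(<?)([\d.]+)\s*ms\b")            # "2.554 ms", "2 ms", "<1 ms"
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# "traceroute to host (ip), ..." or "Tracing route to host [ip]" or "Tracing route to ip over ..."
TARGET_RE = re.compile(r"route to (\S+)(?:\s+[(\[](\d{1,3}(?:\.\d{1,3}){3})[)\]])?")
MAX_HOPS_RE = re.compile(r"(\d+) hops max|maximum of (\d+) hops")


def parse_traceroute(output):
    """Parse FortiScan CLI, Linux/Mac traceroute or Windows tracert output and locate the break."""
    if "Name or service not known" in output:
        return {"error": "DNS resolution failed", "hops": []}
    target_name = target_ip = None
    tm = TARGET_RE.search(output)
    if tm:
        target_name = tm.group(1).rstrip(",")
        target_ip = tm.group(2) or (target_name if IPV4_RE.fullmatch(target_name) else None)
    mh = MAX_HOPS_RE.search(output)
    max_hops = int(mh.group(1) or mh.group(2)) if mh else None

    hops = []
    for line in output.splitlines():
        hm = HOP_RE.match(line)
        if not hm:
            continue
        number, rest = int(hm.group(1)), hm.group(2)
        rtts = [float(v) for _, v in RTT_RE.findall(rest)]   # "<1 ms" is recorded as 1.0
        if not rtts and "*" not in rest:
            continue                                          # e.g. a trailing "5 ^C" line
        ips = IPV4_RE.findall(rest)
        hops.append({"hop": number, "addr": ips[0] if ips else None,
                     "rtts": rtts, "timeouts": rest.count("*")})

    responding = [h for h in hops if h["rtts"]]
    last_ok = responding[-1]["hop"] if responding else 0
    # Silent hops before a responding one (as in the Linux sample above) are not the break.
    silent_after = [h["hop"] for h in hops if not h["rtts"] and h["hop"] > last_ok]
    reached = target_ip is not None and any(h["addr"] == target_ip for h in hops)
    if reached:
        diagnosis = f"destination {target_ip} reached at hop {last_ok}"
    elif responding:
        nxt = silent_after[0] if silent_after else "?"
        diagnosis = (f"route breaks after hop {last_ok} ({responding[-1]['addr']}): no response "
                     f"from hop {nxt} onward; check that device's routes and policies")
    else:
        diagnosis = "no hop responded; check the first-hop gateway and local cabling"
    return {"target": target_name, "target_ip": target_ip, "max_hops": max_hops, "hops": hops,
            "reached": reached, "last_responding_hop": last_ok or None,
            "last_responding_addr": responding[-1]["addr"] if responding else None,
            "first_silent_after": silent_after[0] if silent_after else None,
            "diagnosis": diagnosis}


# Constructed samples modeled on the outputs shown in this section.
FORTISCAN_FAIL = """\
traceroute to 10.0.0.1 (10.0.0.1), 32 hops max, 84 byte packets
1 172.16.1.2 0 ms 0 ms 0 ms
2 172.16.1.10 0 ms 0 ms 0 ms
3 * * *
4 * * *
"""

WINDOWS_OK = """\
Tracing route to www.fortinet.com [66.171.121.34]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  172.16.1.2
  2     2 ms     2 ms     2 ms  static-209-87-254-221.storm.ca [209.87.254.221]
  3     *        *        *     Request timed out.
  4    89 ms    89 ms    90 ms  fortinet.com [66.171.121.34]

Trace complete.
"""

DNS_FAIL = """\
example.lab: Name or service not known
Cannot handle "host" cmdline arg `example.lab' on position 1 (argc 1)
"""

if __name__ == "__main__":
    for sample in (FORTISCAN_FAIL, WINDOWS_OK, DNS_FAIL):
        result = parse_traceroute(sample)
        print(result.get("diagnosis", result.get("error")))
```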

Checking port assignments

There are 65,535 ports available for each of the TCP and UDP stacks that applications can use when communicating with each other. If someone recently changed a FortiScan or other network port, and the same port is used by another application, that may be part of your problem. For a list of ports used by FortiScan, see “Appendix B: Port Numbers” on page 525. In addition, some ports may be assigned to other Fortinet appliances on your network. See “Traffic Types and TCP/UDP Ports used by Fortinet Products” on the Fortinet Knowledge Base: http://kb.fortinet.com

Performing a packet trace

When troubleshooting networks, and routing in particular, it helps to look inside the headers of packets to determine if they are traveling along the route you expect. Packet tracing is also called sniffing, a network tap, packet capture, or logic analysis. Packet traces can tell you if the traffic is reaching its destination, what the port of entry is on the FortiScan appliance, if the ARP resolution is correct, and if the traffic is being sent back to the source as expected. Packet sniffing can also tell you if the FortiScan appliance is silently dropping packets. For instructions, see “Packet capture” on page 502.


Bootup issues

This section addresses problems you may experience in rare cases when powering on your FortiScan appliance. When you cannot connect to the FortiScan appliance through the network using the CLI or the Web-based Manager, connect a PC directly to the FortiScan appliance's management console using a serial connection. Open a terminal emulation interface, such as HyperTerminal, to act as the console.

The issues covered in this section all refer to various potential bootup issues. Once you have a direct cable link to the FortiScan appliance, work through the following steps and keep a copy of the console's output messages. If you have multiple problems, go to the problem closest to the top of the list first, and work your way down.
• A. Do you see the boot options menu?
• B. Do you have problems with the console text?
• C. Do you have visible power problems?
• D. You have a suspected defective FortiScan appliance?

A. Do you see the boot options menu?
1. Do you see the boot options menu?
• If no, ensure your serial communication parameters are set to no flow control, check that the baud rate is correctly set (usually 9600, data bits 8, parity none, stop bits 1), and reboot the FortiScan appliance by powering off and on.
• If that fixes your problem, you are done.
• If it does not fix your problem, go to C. Do you have visible power problems?

B. Do you have problems with the console text?
1. Do you see any console messages?
• If no, go to C. Do you have visible power problems?
• If yes, continue.
2. Are there console messages, but the text is garbled on the screen?
• If yes, ensure your console communication settings are correct for your appliance (such as baud rate 9600, data bits 8, parity none, stop bits 1). Check the FortiScan Quick Start Guide for settings specific to your model.
• If that fixes the problem, you are done.
3. Do the console messages stop before the prompt “Press Any Key to Download Boot Image”?
• If yes, go to D. You have a suspected defective FortiScan appliance?
• If no, follow the console instruction “Press any key to Download Boot Image” and go to the next step.
4. When pressing a key, do you see one of the following messages?

    [G] Get Firmware image from TFTP server
    [F] Format boot device
    [B] Boot with backup firmware and act as default
    [Q] Quit menu and continue to boot with default firmware
    [H] Display this list of options

• If yes, go to D. You have a suspected defective FortiScan appliance?
• If no, ensure your serial communication parameters are set to no flow control, and check that the correct baud rate is set. To find the appliance's current baud rate using the CLI, enter these commands:

    config system console
    get

Change settings if needed and reboot the FortiScan appliance by powering off and on.
5. Did the reboot fix the problem?
• If that fixes your problem, you are done.
• If that does not fix your problem, go to D. You have a suspected defective FortiScan appliance?

C. Do you have visible power problems?
1. Is there any LED on the FortiScan appliance?
• If no, ensure power is on. If that fixes the problem, you are done. If not, continue.
• If yes, continue.
2. Do you have an external power adapter?
• If no, go to D. You have a suspected defective FortiScan appliance?
• If yes, try replacing the power adapter.
3. Is the power supply defective?
• If no, go to D. You have a suspected defective FortiScan appliance?
• If yes, replace the power supply and begin the tests again at A. Do you see the boot options menu?

D. You have a suspected defective FortiScan appliance?

If you followed the previous steps and determined there is a good chance your appliance is defective, contact Fortinet Technical Support: https://support.fortinet.com

Restoring firmware (“clean install”)

Restoring the firmware can be useful if:
• you are unable to connect to the FortiScan appliance using the Web-based Manager or the CLI
• you want to install firmware without preserving any existing configuration (i.e. a “clean install”)
• a firmware version that you want to install requires a different size of system partition (see the FortiScan Release Notes accompanying the firmware)
• a firmware version that you want to install requires that you format the boot device (see the Release Notes accompanying the firmware)

Unlike installing firmware, restoring firmware re-images the boot device, including the signatures that were current at the time that the firmware image file was created. Also, restoring firmware can only be done during a boot interrupt, before network connectivity is available, and therefore requires a local console connection to the CLI. It cannot be done through a network connection.

Alternatively, if you cannot physically access the appliance’s local console connection, connect the appliance’s local console port to a terminal server to which you have network access. Once you have used a client to connect to the terminal server over the network, you will be able to use the appliance’s local console through it. However, be aware that from a remote location, you may not be able to power cycle the appliance if abnormalities occur.

Downgrading to previous firmware versions is not supported.

To restore the firmware:

Back up your configuration before beginning this procedure, if possible. Restoring firmware resets the configuration, including the IP addresses of network interfaces. For information on backups, see “Backup your FortiScan” on page 167. For information on reconnecting to a FortiScan appliance whose network interface configuration has been reset, see “Connecting to your FortiScan” on page 52.

1. Download the firmware file from the Fortinet Technical Support web site: https://support.fortinet.com/
2. Connect your management computer to the FortiScan console port using a RJ-45-to-DB-9 RS-232 serial cable or a null-modem cable.
3. Initiate a local console connection from your management computer to the CLI of the FortiScan appliance, and log in as the admin administrator. For details, see “Connecting to the CLI” on page 54.
4. Connect port1 of the FortiScan appliance directly, or via the same subnet, to a TFTP server.
5. Copy the new firmware image file to the root directory of the TFTP server.
6. Verify that the TFTP server is currently running, and that the FortiScan appliance can reach the TFTP server. To use the FortiScan CLI to verify connectivity, enter the command config global, then execute ping followed by the IP address of the TFTP server, such as 192.168.1.168:

    config global
    execute ping 192.168.1.168

7. Enter the following command to restart the FortiScan appliance:

    execute reboot

8. As the FortiScan appliance starts, a series of system startup messages appears, ending with:

    Press any key to display configuration menu........

9. Immediately press a key to interrupt the system startup.

You have only 3 seconds to press a key. If you do not press a key soon enough, the FortiScan appliance reboots and you must log in and repeat the execute reboot command.


If you successfully interrupt the startup process, the following message appears:

    [G]: Get firmware image from TFTP server.
    [F]: Format boot device.
    [B]: Boot with backup firmware and set as default.
    [Q]: Quit menu and continue to boot with default firmware.
    [H]: Display this list of options.

    Enter G,F,B,Q,or H:
    Please connect TFTP server to Ethernet port "1".

10. If the firmware version requires that you first format the boot device before installing firmware, type F. Format the boot disk before continuing.
11. Type G to get the firmware image from the TFTP server. The following message appears:

    Enter TFTP server address [192.168.1.168]:

12. Type the IP address of the TFTP server and press Enter. The following message appears:

    Enter local address [192.168.1.188]:

13. Type a temporary IP address that can be used by the FortiScan appliance to connect to the TFTP server. The following message appears:

    Enter firmware image file name [image.out]:

14. Type the file name of the firmware image and press Enter. The FortiScan appliance downloads the firmware image file from the TFTP server and displays a message similar to the following:

    Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

15. Type D. The FortiScan appliance downloads the firmware image file from the TFTP server. The FortiScan appliance installs the firmware and restarts. The time required varies by the size of the file and the speed of your network connection. The FortiScan appliance reverts the configuration to default values for that version of the firmware.
16. To verify that the firmware was successfully installed, log in to the CLI as the admin administrator and type:

    config global
    get system status

The firmware version number is displayed.
17. Either reconfigure the FortiScan appliance or restore the configuration file. For details, see the rest of this Administration Guide and the FortiScan CLI Reference.
18. Update the vulnerability and compliance definitions. Installing firmware replaces the current vulnerability and compliance definitions with those included with the firmware release that you are installing. After you install the new firmware, make sure that your definitions are up-to-date. For more information, see “Connecting to FortiGuard Services” on page 72.


19. Continue by configuring administrative domains (ADOMs). See “Configuring administrator accounts” on page 101. Later, you must install or update the FortiScan agents on your assets to use software whose version matches the firmware. See “Agent Setup” on page 117.


Appendix A: Maximum Values

These tables show the maximum number of configuration objects, or other limits that vary by model, and are not a guarantee of performance. For values such as hardware specifications that do not vary by software version or configuration, see your model’s QuickStart Guide.

Table 28: Maximum configuration objects (physical appliances)
Models: FSC-1000B, FSC-1000C, FSC-3000C/3000D

Feature                                                  Value(s)
Protected assets                                         2,000 / 20,000
Routes                                                   32
SNMP communities per system, including community hosts   31
Total administrator accounts                             100 / 200
ADOMs                                                    200

Table 29: Maximum configuration objects (virtual appliances)
Models (VM SKUs): 15-day Trial, FSC-VM-100-UG, FSC-VM-1000-UG, FSC-VM-5000-UG

Feature                                                  Value(s)
Protected assets‡                                        10 (15-day Trial), 100 (FSC-VM-100-UG), 1,000 (FSC-VM-1000-UG), 5,000 (FSC-VM-5000-UG)
Routes                                                   32
SNMP communities per system, including community hosts   31
Total administrator accounts                             500
ADOMs                                                    200
Maximum vRAM                                             16 GB
Maximum internal storage*                                2 TB

* Maximum file size varies by your configured VMFS block size if the virtual appliance stores data internally. See the FortiScan VM Install Guide.
‡ FortiScan VM is sold as stackable licenses. For example, purchasing FSC-VM-100-UG adds 100 protected assets to the initial 10 assets supported by the 15-day trial license, for a total of 110. Upgrading a FSC-VM-100-UG to FSC-VM-5000-UG results in a total maximum of 5,110 protected assets. To view your limit, see “Number of Assets Allowed” on page 427.


Appendix B: Port Numbers

Communications between the FortiScan appliance, FortiScan agents, push installer, agentless hosts, and FortiGuard Distribution Network (FDN) require that any routers and firewalls between them permit specific protocols and port numbers.

FortiScan appliances

The following tables list the default port assignments used by FortiScan.

Table 30: Default ports used for incoming traffic (listening)

Port number  Protocol  Purpose
22           TCP       SSH administrative CLI access
23           TCP       Telnet administrative CLI access
80           TCP       • HTTP administrative Web-based Manager access
                       • Predefined HTTP service
161          UDP       SNMP queries
443          TCP       • HTTPS administrative Web-based Manager access
                       • Predefined HTTPS service
3128         TCP       FortiScan agent executable download
3129         TCP       Secure download
4443         TCP       FortiScan agent registration
5432         TCP       ODBC client
8445         TCP       FortiScan agent check for dispatch
8446         TCP       FortiScan agent long and short surveys
8447         TCP       Push installer certificate downloads
8448         TCP       FortiScan agent command channel
8449         TCP       Push installer certificate updates
8451         TCP       FortiScan agent dispatch response


Table 31: Default ports used for outgoing traffic

Port number  Protocol  Purpose
N/A          ICMP      • Asset discovery scan (may also use DNS, reverse DNS (RDNS), DNS zone transfer, and other TCP and UDP protocols; see “Discovering your Network’s Hosts” on page 109)
                       • Remote vulnerability scan* (may also use other TCP and UDP protocols, depending on your configuration; see “Agentless Vulnerability Scans” on page 228)
25           TCP       SMTP for alert email
53           UDP/TCP   DNS
69           UDP       TFTP back up, restore, or update
123          UDP       NTP synchronization
162          UDP       SNMP traps
443          TCP       • Firmware updates from the FDN
                       • FortiGuard Vulnerability and Compliance Management service updates
514          UDP       Syslog

* Many additional ports are used if you use the remote vulnerability scan feature. Protocols and port numbers vary by your scan configuration. For more information, see “Agentless Vulnerability Scans” on page 228.

FortiScan agents

The following tables list the default port assignments used by FortiScan agents.

Table 32: Required outbound port numbers

Port number  Protocol  Purpose
443          TCP       Download of appliance’s PKI server certificate
3128         TCP       FortiScan agent executable download (HTTP)
                       Note: By default, this port is not used. It is required only if HTTPS_PROXY is not set in the agent configuration file, SEClient.conf (on Linux or Solaris) or seclient.conf (on Windows). See “Editing a FortiScan agent’s settings file” on page 135.
3129         TCP       FortiScan agent executable download (HTTPS)
4443         TCP       Registration
8445         TCP       Dispatch poll
8446         TCP       Long and short surveys
8448         TCP       Command channel
8449         TCP       Update of appliance’s PKI server certificate
8451         TCP       Dispatch response

MSI installer

All hosts must be able to make outgoing connections to the FortiScan appliance in order to complete registration and other normal operations.

Table 33: MSI installer — Required outbound port numbers on target hosts

Port number  Protocol  Purpose
443          TCP       Download of appliance’s PKI server certificate
4443         TCP       Registration
8449         TCP       Update of appliance’s PKI server certificate

Push installer

The push installer must be able to communicate with hosts where you want to install the FortiScan agent. Firewalls and routers between the two must be configured to allow required port numbers, access methods, and files. In addition to accepting incoming connections from the push installer, all hosts must be able to make outgoing connections to the FortiScan appliance in order to complete registration and other normal operations. For more information on how to configure target hosts to be able to communicate with the push installer, see “Network and firewall requirements” on page 121.

These ports are required by the push installer, but are not required by the FortiScan agent itself. If you will not be running authenticated network vulnerability scans from the FortiScan appliance, and the host does not require them during its normal operations, you can close them again after running the push installer in order to tighten security.

Table 34: Push installer: Required listening port numbers on target hosts

Port number  Protocol  Purpose
22           TCP       SSH (Solaris and Linux)
139          TCP       File and printer sharing (Common internet file system (CIFS)/server message block (SMB) share; Windows)
445          TCP       File and printer sharing (Common internet file system (CIFS)/server message block (SMB) share; Windows)
137          UDP       File and printer sharing (Login and WINS/NetBIOS host name query; Windows)
138          UDP       File and printer sharing (Login and NetBIOS datagram; Windows)

Table 35: Push installer: Required outbound port numbers on target hosts

Port number  Protocol  Purpose
443          TCP       Download of appliance’s PKI server certificate
4443         TCP       Registration
8449         TCP       Update of appliance’s PKI server certificate

Agentless hosts

Hosts that do not have the FortiScan agent installed are not required by FortiScan to receive any incoming traffic, nor to permit any outgoing traffic. However, the FortiScan appliance may attempt to contact them using various port numbers and protocols, including ICMP, TCP, and UDP, during a remote vulnerability scan in order to detect if they are potentially vulnerable. Exceptions include authenticated vulnerability scans.

Table 36: Required listening port numbers on target hosts

Port number  Protocol  Purpose
22           TCP       SSH (Solaris and Linux)
139          TCP       File and printer sharing (Common internet file system (CIFS)/server message block (SMB) share; Windows)
445          TCP       File and printer sharing (Common internet file system (CIFS)/server message block (SMB) share; Windows)
137          UDP       File and printer sharing (Login and WINS/NetBIOS host name query; Windows)
138          UDP       File and printer sharing (Login and NetBIOS datagram; Windows)

For more information, see “Agentless Vulnerability Scans” on page 228.
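As an added example that is not part of the original guide, this Python script audits a simple first-match firewall rule set against the agent-to-appliance flows of Table 32 and the fixed-port appliance outbound flows of Table 31, reporting any required flow the rules do not allow. The rule model, the rule set and the addresses (appliance 10.1.1.5, agents in 10.10.0.0/16, a server at 192.0.2.10) are hypothetical.

```python
import ipaddress

# Required flows from the tables in this appendix, as (port, protocol, purpose).
# Agent -> appliance (Table 32); HTTP port 3128 is omitted because it is unused by default.
AGENT_TO_APPLIANCE = [
    (443, "tcp", "download of appliance's PKI server certificate"),
    (3129, "tcp", "agent executable download (HTTPS)"),
    (4443, "tcp", "registration"),
    (8445, "tcp", "dispatch poll"),
    (8446, "tcp", "long and short surveys"),
    (8448, "tcp", "command channel"),
    (8449, "tcp", "update of appliance's PKI server certificate"),
    (8451, "tcp", "dispatch response"),
]
# Appliance -> servers (Table 31, fixed-port entries only).
APPLIANCE_OUTBOUND = [
    (25, "tcp", "SMTP for alert email"),
    (53, "udp", "DNS"),
    (69, "udp", "TFTP back up, restore, or update"),
    (123, "udp", "NTP synchronization"),
    (162, "udp", "SNMP traps"),
    (443, "tcp", "FDN firmware and FortiGuard updates"),
    (514, "udp", "syslog"),
]


def rule_matches(rule, src_ip, dst_ip, proto, port):
    """True if a rule covers this flow; 'proto' and 'ports' may be 'any' (hypothetical rule model)."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule["dst"])
            and rule["proto"] in ("any", proto)
            and (rule["ports"] == "any" or port in rule["ports"]))


def decide(rules, src_ip, dst_ip, proto, port, default="deny"):
    """First matching rule wins; unmatched traffic gets the default action."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, proto, port):
            return rule["action"]
    return default


def audit(rules, src_ip, dst_ip, flows):
    """Return the required flows from src_ip to dst_ip that the rule set does not allow."""
    return [(port, proto, purpose) for port, proto, purpose in flows
            if decide(rules, src_ip, dst_ip, proto, port) != "allow"]


# Constructed rule set (hypothetical addresses): the agent rule forgot the two
# certificate-update/dispatch-response ports, and the appliance's UDP rule lacks TFTP.
RULES = [
    {"src": "10.10.0.0/16", "dst": "10.1.1.5/32", "proto": "tcp",
     "ports": {443, 3129, 4443, 8445, 8446, 8448}, "action": "allow"},
    {"src": "10.1.1.5/32", "dst": "0.0.0.0/0", "proto": "udp",
     "ports": {53, 123, 162, 514}, "action": "allow"},
    {"src": "10.1.1.5/32", "dst": "0.0.0.0/0", "proto": "tcp",
     "ports": {25, 443}, "action": "allow"},
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "ports": "any", "action": "deny"},
]

if __name__ == "__main__":
    for port, proto, purpose in audit(RULES, "10.10.5.20", "10.1.1.5", AGENT_TO_APPLIANCE):
        print(f"agent -> appliance blocked: {port}/{proto} ({purpose})")
    for port, proto, purpose in audit(RULES, "10.1.1.5", "192.0.2.10", APPLIANCE_OUTBOUND):
        print(f"appliance -> 192.0.2.10 blocked: {port}/{proto} ({purpose})")
```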


Appendix C: Supported RFCs

This release of FortiScan firmware supports the following standards.
• RFC 792 (Internet Control Message Protocol)
• RFC 793 (Transmission Control Protocol)
• RFC 1213 (Management Information Base for Network Management of TCP/IP-based internets: MIB-II)
• RFC 1918 (Address Allocation for Private Internets)
• RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1)
• RFC 2665 (Definitions of Managed Objects for the Ethernet-like Interface Types)
• RFC 5321 (Simple Mail Transfer Protocol -- SMTP)
• RFC 2818 (HTTP Over TLS -- HTTPS)
• OVAL (Open Vulnerability and Assessment Language)
• CVE (Common Vulnerabilities and Exposures)

Page 529

Appendix D: ODBC Support

FortiScan appliances have a database interface that provides direct, read-only access to their data, allowing you to use a variety of third-party tools to create, modify, and distribute extensively customized reports.

This topic includes:
• System requirements
• Connecting your computer to the FortiScan database
• About the FortiScan database schema

System requirements

FortiScan database access requires:
• PostgreSQL 8.3 ODBC driver (for Microsoft Windows, this is psqlodbc.msi)
• Reporting software that supports open database connectivity (ODBC) connections (Crystal Reports, DbVisualizer, Microsoft Excel, etc.)

The instructions in “Connecting your computer to the FortiScan database” assume the computer that will be running reports has Microsoft Windows XP, Vista, or 2008 (either 32-bit or 64-bit versions). However, you can adapt the instructions to any operating system that supports PostgreSQL ODBC.

Connecting your computer to the FortiScan database

To use third-party reporting tools with access to the FortiScan database, you must do all of the following:
• Step 1: Configure the FortiScan appliance to accept ODBC connections
• Step 2: Install the ODBC driver for PostgreSQL
• Step 3: Configure the ODBC data source name (DSN)

Step 1: Configure the FortiScan appliance to accept ODBC connections

FortiScan appliances do not accept ODBC connections until they have been configured with the IP address of your report-generating computer as an allowed database client, and with an ODBC user account for that computer to use. Add only the hosts that actually run reports: every allowed client can read everything the views expose, including host names, IP addresses, installed software, running-process hashes, and open vulnerabilities.

To configure the FortiScan appliance for ODBC:
1. Add your client computer as a new ODBC host. For details, see “Configuring allowed database clients” on page 489.
2. Create a new ODBC user account for your client. This is the account you will enter in the DSN in Step 3. For details, see “Configuring database users” on page 489.

Step 2: Install the ODBC driver for PostgreSQL

Before you can access the FortiScan database from a Windows client computer, you must install the ODBC driver for PostgreSQL 8.3 on the computer from which you will be accessing the database.

This procedure requires Internet access from the computer on which you are installing the ODBC driver. The driver is an installer that runs with your privileges, so obtain it only from the URL below or from another source you trust.

To install the Windows ODBC driver for PostgreSQL:
1. From the Internet, locate the PostgreSQL 8.3 ODBC driver for Windows (psqlodbc.msi) and download it to the Windows desktop. You can find this driver at: http://www.postgresql.org/ftp/odbc/versions/msi/
2. Double-click the psqlodbc.msi file. The psql ODBC Installation Wizard appears.
3. Follow the prompts in the wizard to complete the installation.

Step 3: Configure the ODBC data source name (DSN)

Before you can access FortiScan data from your Windows applications, you must set up a data source name (DSN) for the ODBC driver for PostgreSQL.

To set up a DSN:
1. On your Windows computer, go to Start > Settings > Control Panel.
2. In the Administrative Tools folder, double-click Data Sources (ODBC) to open the ODBC Data Source Administrator (in Windows 98 and ME, this may be called ODBC Data Sources).
3. Select the User DSN tab.
4. Select the Add button to add a new database to the User Data Sources list.
5. From the list, select the PostgreSQL driver for this database.
6. Select Finish. The PostgreSQL ODBC Driver (psqlODBC) Setup dialog appears.

Figure 270: PostgreSQL ODBC Driver (psqlODBC) Setup dialog

7. Configure the following settings:

Data Source   A name for this data source (DSN).
Description   Enter an optional description for this data source.
Database      The FortiScan database name. Enter: em_db
Server        Enter the IP address of the FortiScan appliance.
Port          The FortiScan database server port number. Enter: 5432
User Name     Enter the name of the ODBC user account you created on the FortiScan appliance in Step 1.
Password      Enter the password of the ODBC user account you created on the FortiScan appliance in Step 1.

8. Select the Save button to save this data source. Read-only access to the FortiScan appliance database is now enabled for your Windows reporting tools. A password saved in a DSN is stored on the client computer, so treat the reporting workstation as holding database credentials and give it a dedicated ODBC account used for nothing else.
9. Configure your third-party reporting software to connect to the FortiScan appliance using the ODBC connection. Methods vary by the reporting software. For instructions, please refer to your reporting software’s documentation.
10. Create your reports. For a listing of available FortiScan data that you may want to include in your custom reports, see “About the FortiScan database schema”.

About the FortiScan database schema When designing reports in third-party tools that access the FortiScan database, you may need to know the FortiScan appliance’s database schema. The following sections describe its tables and attributes.

Entities in the database

Table 37 lists the database view entities that are available for reporting. All of them are views: the ODBC account can SELECT from them but cannot modify them. The data in these entities is based on the information contained in the most recent agent surveys received by the FortiScan appliance. The data in the database may not be up-to-date if:
• the FortiScan appliance is not running
• the FortiScan agent is not running on an asset
• network disruptions prevent an agent from reporting
• an asset’s survey interval is too long

Table 37: Entities available for reporting

Entity name                         Number of attributes
alert_view                          15
applied_policy_view                 9
asset_details_view                  32
asset_log_view                      9
asset_retired_view                  18
asset_uptime_view                   8
users_view                          9
installed_device_view               7
installed_device_summary_odbc_view  3
installed_application_view          7
installed_patch_view                6
killed_process_view                 15
running_process_view                11
ungrouped_assets_view               8
unprotected_assets_view             8
violated_policy_view                9
summary_elements_view               3
assets_with_multi_ip_view           7
asset_remediation_history_view      11
asset_vuln_history_view             9
installed_app_summary_odbc_view     3
user_activity_log_view              9
unique_alert_view                   5
unapplied_policy_asset_view         8
benchmark_view                      41
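The staleness conditions listed above can be checked directly against asset_details_view instead of being read off the GUI. The query below is an added example, not part of the FortiScan guide, written against the view as documented in this appendix. It lists assets that are still expected to report (status not Retired, Removed or Unprotected) but whose most recent survey is more than twice their standard survey interval old, or that have never reported at all. It uses 1440 minutes as a stand-in for the appliance’s global default interval, which this guide does not state; substitute the value configured on your appliance.

```sql
-- Added example, not from the FortiScan guide.
-- Assets that should be reporting but whose last survey is older than twice
-- their standard survey interval, or that have no survey at all.
-- 1440 minutes is an assumed placeholder for the global default interval,
-- which applies whenever standard_survey_interval is -1.
SELECT d.id,
       d.host_name,
       d.ip_address,
       d.status,
       d.most_recent_survey,
       now() - d.most_recent_survey AS survey_age,
       CASE WHEN d.standard_survey_interval < 0 THEN 1440
            ELSE d.standard_survey_interval END AS effective_interval_min
  FROM asset_details_view d
 WHERE d.status NOT IN ('Retired', 'Removed', 'Unprotected')
   AND (d.most_recent_survey IS NULL
        OR d.most_recent_survey <
           now() - (2 * CASE WHEN d.standard_survey_interval < 0 THEN 1440
                             ELSE d.standard_survey_interval END)::double precision
                 * interval '1 minute')
 ORDER BY survey_age DESC NULLS LAST;
```

A Disconnected asset with an old survey is expected. A Protected asset with one is the interesting case, because its alerts, installed software and running processes in the other views are equally stale, and a report built on them will understate the current exposure.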

Attributes of each entity This section describes each view entity and its available attributes within the FortiScan database schema.

alert_view

The alert_view entity returns information about security risks in your enterprise, with status information about how they are being addressed. It corresponds to Vulnerability Alert and Policy Alert in Events & Tickets. Table 38 lists the attributes that can be used to report on events detected on assets in your enterprise.

Table 38: alert_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id                        Numeric     Yes       No      Asset ID
alert_id                  Numeric     Yes       Yes     Alert ID
host_name                 Varchar(x)  No        No      Name of the asset for which an alert has been generated.
ip_address                Varchar(x)  No        No      IP address of the asset.
criticality               Varchar(x)  Yes       No      Asset criticality level. Valid values: Lowest, Low, Medium, High, Highest.
event                     Varchar(x)  Yes       No      The specific security alert detected on the asset. Types of events: Vulnerability Event or Policy Event.
event_status              Varchar(x)  Yes       No      Status of the alert. Valid values: Pending, In Progress, Scheduled, Failed, Resolved.
Reason                    Varchar(x)  No        No      Reason given for accepting the risk.
alert_name_old            Varchar(x)  No        No      Descriptive name of the alert (violation).
remediation_strategy      Varchar(x)  No        No      How vulnerabilities are to be remediated on the asset. Valid values: Automatic, Approval.
operating_system          Varchar(x)  No        No      Operating system of the asset.
detected                  Timestamp   Yes       No      Date and time FortiScan detected the alert.
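As an added example that is not part of the guide, the two queries below turn alert_view into a working queue. The join assumes that alert_view.id and asset_details_view.id carry the same asset ID, which is how both tables in this appendix describe them.

```sql
-- Added example, not from the FortiScan guide.
-- 1. Open alerts on High/Highest-criticality assets, Highest first and then
--    oldest first, with OS details pulled from asset_details_view.
SELECT a.alert_id,
       a.host_name,
       a.ip_address,
       a.criticality,
       a.event,
       a.alert_name_old        AS alert_name,
       a.event_status,
       a.remediation_strategy,
       a.detected,
       now() - a.detected      AS open_for,
       d.operating_system,
       d.os_version
  FROM alert_view a
  JOIN asset_details_view d ON d.id = a.id     -- assumption: same asset ID
 WHERE a.event_status IN ('Pending', 'In Progress', 'Scheduled', 'Failed')
   AND a.criticality IN ('High', 'Highest')
 ORDER BY CASE a.criticality WHEN 'Highest' THEN 0 ELSE 1 END,
          a.detected;

-- 2. Per-asset backlog: alerts in Approval mode wait for an administrator
--    and Failed ones will not clear themselves, so both need a person.
SELECT a.host_name,
       a.criticality,
       SUM(CASE WHEN a.remediation_strategy = 'Approval' THEN 1 ELSE 0 END) AS awaiting_approval,
       SUM(CASE WHEN a.event_status = 'Failed' THEN 1 ELSE 0 END)           AS failed,
       COUNT(*)                                                            AS open_alerts
  FROM alert_view a
 WHERE a.event_status <> 'Resolved'
 GROUP BY a.host_name, a.criticality
 ORDER BY open_alerts DESC, a.host_name;
```

Alerts with a non-empty Reason column are accepted risks; if your reporting tool should hide them, add that condition to the WHERE clause, but keep them visible in any report that is meant to show total exposure.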

applied_policy_view

The applied_policy_view entity reports the assets to which a policy has been applied. Table 39 lists the attributes that can be used to report on which assets a policy has been applied to.

Table 39: applied_policy_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id                        Numeric     Yes       No      Asset ID
asset_user_group          Varchar(x)  Yes       No      Name of the asset group the asset belongs to.
host_name                 Varchar(x)  No        No      Name of the asset to which the policy has been applied.
ip_address                Varchar(x)  No        No      IP address of the asset.
criticality               Varchar(x)  Yes       No      Asset criticality level. Valid values: Lowest, Low, Medium, High, Highest.
policy_name               Varchar(x)  Yes       No      Name of the applied policy.
policy_description        Varchar(x)  No        No      Descriptive text about the policy.
enforce_date              Timestamp   Yes       No      Date and time FortiScan enforced the policy.

asset_details_view

The asset_details_view entity reports detailed information about assets in the system. Table 40 lists the attributes that can be used to report on the details of an asset.

Table 40: asset_details_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id, asset_id              Numeric     Yes       Yes     Asset ID
asset_user_group          Varchar(x)  Yes       No      Name of the asset group the asset belongs to.
host_name                 Varchar(x)  No        No      Name of the asset.
ce_id                     Varchar(x)  No        No      Asset agent ID.
ce_version                Varchar(x)  No        No      Agent version on the asset.
ip_address                Varchar(x)  No        No      IP address of the asset.
description               Varchar(x)  No        No      User-defined description of the asset.
criticality               Varchar(x)  Yes       No      Asset criticality level. Valid values: Lowest, Low, Medium, High, Highest.
confidence                Varchar(x)  Yes       No      Level of assurance assigned to the collected asset data, based on the collection method. Valid values: Low, Medium, High.
status                    Varchar(x)  Yes       No      Connectivity and protection status of the asset as managed by the FortiScan agent (see “Agent scan status” on page 26). Valid values: Unprotected, Disconnected, Protected, Registered, Removed, Retired.
remediation_strategy      Varchar(x)  Yes       No      How alerts are addressed. Valid values: Automatic, Approval.
boot_time                 Timestamp   No        No      Date and time the asset was started.
most_recent_survey        Timestamp   No        No      Date and time of the last survey (standard or detailed) run on the asset.
operating_system          Varchar(x)  No        No      Operating system of the asset.
os_version                Varchar(x)  No        No      Version/release information for the operating system.
hard_drive_capacity       Numeric     No        No      Size of the drive(s) installed in the asset.
hard_drive_free           Numeric     No        No      Amount of free disk space on the asset’s hard drives.
ram_total                 Numeric     No        No      Amount of installed RAM, in megabytes.
ram_virtual               Numeric     No        No      Amount of available virtual RAM, in megabytes.
bios_manufacturer         Varchar(x)  No        No      Name of the company that produced the BIOS in the asset.
bios_version              Varchar(x)  No        No      Version/release information for the BIOS.
cpu_family                Varchar(x)  No        No      Processor family of the CPU in the asset.
cpu_model                 Varchar(x)  No        No      Make/model information of the CPU in the asset.
cpu_speed                 Numeric     No        No      Processor speed of the CPU in the asset.
cpu_count                 Numeric     No        No      Number of CPUs in the asset.
cpu_utilization           Numeric     No        No      Percentage of time the asset’s CPU is busy.
detailed_survey_interval  Numeric     No        No      How often a detailed survey is run on the asset, in minutes. A value of -1 means the global default is used.
standard_survey_interval  Numeric     No        No      How often a standard survey is run on the asset, in minutes. A value of -1 means the global default is used.
macaddress                Varchar(x)  No        No      MAC address of the asset.

asset_log_view

The asset_log_view entity displays the asset audit log: which asset attribute was changed, by which account, and from what value to what value. Table 41 lists the attributes that are available in the asset audit log view.

Table 41: asset_log_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id                        Numeric     Yes       No      Asset ID
asset_user_group          Varchar(x)  Yes       No      Name of the asset group to which the asset belongs.
ip_address                Varchar(x)  No        No      IP address of the asset.
host_name                 Varchar(x)  No        No      Host name of the asset.
attribute                 Varchar(x)  Yes       No      Asset attribute that was modified.
change_date               Timestamp   Yes       No      Date and time the asset attribute was modified.
changed_by                Varchar(x)  Yes       No      System internal account that changed the asset attribute.
old_value                 Varchar(x)  No        No      Original asset attribute value.
new_value                 Varchar(x)  No        No      New asset attribute value.

asset_retired_view

The asset_retired_view entity contains information about assets that have been retired from service in FortiScan. Table 42 lists the attributes that are available for assets that have been retired.

Table 42: asset_retired_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id                        Numeric     Yes       Yes     Asset ID
asset_user_group          Varchar(x)  Yes       No      Name of the asset group the asset belongs to.
host_name                 Varchar(x)  No        No      Name of the asset.
ip_address                Varchar(x)  No        No      IP address of the asset.
description               Varchar(x)  No        No      User-defined description of the asset.
operating_system          Varchar(x)  No        No      Operating system of the asset.
os_version                Varchar(x)  No        No      Version/release information for the operating system.
hard_drive_capacity       Numeric     No        No      Size of the drive(s) installed in the asset.
hard_drive_free           Numeric     No        No      Amount of free disk space on the asset’s hard drives.
ram_total                 Numeric     No        No      Amount of installed RAM, in megabytes.
ram_virtual               Numeric     No        No      Amount of available virtual RAM, in megabytes.
bios_manufacturer         Varchar(x)  No        No      Name of the company that produced the BIOS in the asset.
bios_version              Varchar(x)  No        No      Version/release information for the BIOS.
cpu_family                Varchar(x)  No        No      Processor family of the CPU in the asset.
cpu_model                 Varchar(x)  No        No      Make/model information of the CPU in the asset.
cpu_speed                 Numeric     No        No      Processor speed of the CPU in the asset.
cpu_count                 Numeric     No        No      Number of CPUs in the asset.
retire_date               Timestamp   Yes       No      Date and time the asset was retired.

asset_uptime_view

The asset_uptime_view entity contains information about asset boot time, last survey time, and how long an asset has been available. Table 43 lists the attributes that can be used to report on the stability of an asset.

Table 43: asset_uptime_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id                        Numeric     Yes       Yes     Asset ID
asset_user_group          Varchar(x)  Yes       No      Name of the asset group the asset belongs to.
host_name                 Varchar(x)  No        No      Name of the asset.
ip_address                Varchar(x)  No        No      IP address of the asset.
criticality               Varchar(x)  Yes       No      Asset criticality level. Valid values: Lowest, Low, Medium, High, Highest.
boot_time                 Timestamp   No        No      Date and time the asset was started.
most_recent_survey        Timestamp   No        No      Date and time of the last survey (standard or detailed) run on the asset.
up_time                   Interval    No        No      How long the asset has been available, based on boot_time and the current time.

users_view

The users_view entity reports information about administrator accounts on the appliance. Table 44 lists the attributes that can be used to report on FortiScan administrator account information.

Table 44: users_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id                        Numeric     Yes       Yes     Identification number assigned to the administrator account.
user_name                 Varchar(x)  Yes       Yes     Name of the FortiScan administrator account.
user_role                 Varchar(x)  Yes       No      The type of administrator account. Valid values: admin, operator, auditor.
first_name                Varchar(x)  No        No      Administrator’s first name.
last_name                 Varchar(x)  No        No      Administrator’s last name.
email                     Varchar(x)  No        No      Email address of the administrator.
phone                     Varchar(x)  No        No      Telephone number for the administrator.
fax                       Varchar(x)  No        No      Fax number for the administrator.
pager                     Varchar(x)  No        No      Pager number for the administrator.

installed_device_view

The installed_device_view entity contains the list of installed devices known to the system, by asset. Table 45 lists the attributes that can be used to report on installed devices in the network.

Table 45: installed_device_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id                        Numeric     Yes       No      Asset ID
asset_user_group          Varchar(x)  Yes       No      Name of the asset group the asset belongs to.
host_name                 Varchar(x)  No        No      Asset host name.
ip_address                Varchar(x)  No        No      Asset IP address.
criticality               Varchar(x)  Yes       No      Asset criticality. Valid values: Lowest, Low, Medium, High, Highest.
device_name               Varchar(x)  Yes       No      Device name.
device_location           Varchar(x)  Yes       No      Device location.

installed_device_summary_odbc_view

The installed_device_summary_odbc_view entity contains a summary of installed devices known to the system, grouped by device name and location. Table 46 lists the attributes that report on the summary of installed devices in the network.

Table 46: installed_device_summary_odbc_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
device_name               Varchar(x)  Yes       Yes     Device name.
device_location           Varchar(x)  Yes       Yes     Device location.
total_count               Numeric     Yes       No      Total number of occurrences.

installed_application_view

The installed_application_view entity returns information about software on assets in your network, which may or may not conform to your software licensing guidelines. Table 47 lists the attributes that can be used to report on software on assets.

Table 47: installed_application_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id                        Numeric     Yes       No      Asset ID
asset_user_group          Varchar(x)  Yes       No      Name of the asset group the asset belongs to.
host_name                 Varchar(x)  No        No      Name of the asset.
ip_address                Varchar(x)  No        No      IP address of the asset.
criticality               Varchar(x)  Yes       No      Asset criticality level. Valid values: Lowest, Low, Medium, High, Highest.
app_name                  Varchar(x)  Yes       No      Name of the application program installed on the asset.
app_version               Varchar(x)  No        No      Version/release information for the application (app_name).

installed_patch_view

The installed_patch_view entity reports the patches installed on assets. Table 48 lists the attributes that can be used to monitor whether assets are up to date on maintenance and corrections to installed applications.

Table 48: installed_patch_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id                        Numeric     Yes       No      Asset ID
asset_user_group          Varchar(x)  Yes       No      Name of the asset group the asset belongs to.
host_name                 Varchar(x)  No        No      Name of the asset.
ip_address                Varchar(x)  No        No      IP address of the asset.
criticality               Varchar(x)  Yes       No      Asset criticality level. Valid values: Lowest, Low, Medium, High, Highest.
patch_name                Varchar(x)  Yes       Yes     Name of the patch or fix installed on the asset.

killed_process_view

The killed_process_view entity provides information about processes that have been killed on protected assets, whether through policy enforcement, remediation, or manual action. Table 49 lists the attributes that can be used to view the killed processes in your network.

Table 49: killed_process_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id                        Numeric     Yes       No      Asset ID
asset_user_group          Varchar(x)  Yes       No      Name of the asset group the asset belongs to.
ip_address                Varchar(x)  No        No      IP address of the asset where the process was killed.
host_name                 Varchar(x)  No        No      Name of the asset where the process was killed; otherwise null.
parameter                 Varchar(x)  No        No      The action parameter specified by the administrator (in this case, process name).
value                     Varchar(x)  No        No      Target process name entered by the administrator.
action                    Varchar(x)  Yes       No      Name of the action that killed the process (either Kill action by name or Kill action by PID).
description               Varchar(x)  No        No      Description of the action that killed the process.
rem_action_name           Varchar(x)  No        No      Name of the remediation template used to kill the process.
rem_action_desc           Text        No        No      Description of the remediation template used to kill the process, if the administrator entered one.
alert_name                Varchar(x)  No        No      Name of the alert that caused the process to be killed, if an alert is involved. Empty if the process was killed by a manually dispatched remediation.
alert_description         Varchar(x)  No        No      Description from the alert that caused the process to be killed, if an alert is involved. Empty if the process was killed by a manually dispatched remediation.
status                    Varchar(x)  No        No      Status of the alert that caused the process to be killed, if an alert is involved. Empty if the process was killed by a manually dispatched remediation.
changed_date              Timestamp   No        No      Date and time the process was killed.
changed_by                Varchar(x)  No        No      Name of the administrator account making the change. Currently limited to reporting the system administrator name.

running_process_view

The running_process_view entity reports information about running processes on assets. Table 50 lists the attributes that can be used to analyze the activity of running processes.

Table 50: running_process_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id                        Numeric     Yes       No      Asset ID
asset_user_group          Varchar(x)  Yes       No      Name of the asset group the asset belongs to.
host_name                 Varchar(x)  No        No      Name of the asset.
ip_address                Varchar(x)  No        No      IP address of the asset.
criticality               Varchar(x)  Yes       No      Asset criticality level. Valid values: Lowest, Low, Medium, High, Highest.
sps_version               Varchar(x)  No        No      Version of the agent on the asset.
os_type                   Varchar(x)  No        No      Asset OS type.
os_version                Varchar(x)  No        No      Asset OS version.
process_id                Varchar(x)  Yes       No      Process ID (PID) of the running process.
process_name              Varchar(x)  Yes       No      Name of the running process.
md5                       Varchar(x)  No        No      MD5 hash of the running process’s executable.
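The md5 column is the part of running_process_view that matters for hunting: a process name is chosen by whoever wrote the executable, so an attacker can reuse any name, but the hash identifies the binary. The queries below are an added example, not part of the guide. Query 2 uses 'svchost.exe' and query 3 an all-zero hash purely as placeholders; substitute names returned by query 1 and your own indicators.

```sql
-- Added example, not from the FortiScan guide.
-- 1. Process names that run under more than one distinct MD5 on the same
--    OS type and version. Grouping by OS version keeps legitimate
--    differences between patch levels from flooding the result.
SELECT r.process_name,
       r.os_type,
       r.os_version,
       COUNT(DISTINCT r.md5) AS distinct_hashes,
       COUNT(DISTINCT r.id)  AS assets
  FROM running_process_view r
 WHERE r.md5 IS NOT NULL
 GROUP BY r.process_name, r.os_type, r.os_version
HAVING COUNT(DISTINCT r.md5) > 1
 ORDER BY distinct_hashes DESC, assets DESC;

-- 2. For one such name, which hash runs on how many assets. The hash seen on
--    the fewest assets is the one to pull and examine first.
--    'svchost.exe' is a placeholder; use a name from query 1.
SELECT r.md5,
       COUNT(DISTINCT r.id) AS assets,
       MIN(r.host_name)     AS example_host,
       MIN(r.os_version)    AS example_os_version
  FROM running_process_view r
 WHERE r.process_name = 'svchost.exe'
   AND r.md5 IS NOT NULL
 GROUP BY r.md5
 ORDER BY assets ASC;

-- 3. Direct indicator match. The list is a constructed placeholder, not a
--    real indicator. lower() is used because hash case is not guaranteed.
SELECT r.host_name, r.ip_address, r.criticality,
       r.process_id, r.process_name, r.md5
  FROM running_process_view r
 WHERE lower(r.md5) IN ('00000000000000000000000000000000')
 ORDER BY r.host_name;
```

Because the view reflects the most recent survey only, a process that starts and exits between surveys never appears here; combine query 3 with killed_process_view and the agent’s own logs before concluding that an indicator is absent from the fleet.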

ungrouped_assets_view

The ungrouped_assets_view entity provides information on all protected assets that have not been assigned to an administrator-created asset group. Table 51 lists the attributes that can be used to analyze ungrouped assets.

Table 51: ungrouped_assets_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id                        Numeric     Yes       Yes     Asset ID
host_name                 Varchar(x)  No        No      Name of the asset.
ip_address                Varchar(x)  No        No      IP address of the asset.
status                    Varchar(x)  Yes       No      Asset status. Valid values: Unprotected, Disconnected, Protected, Registered, Removed, Retired.
date_created              Timestamp   Yes       No      Date and time the asset was registered with FortiScan.
boot_time                 Timestamp   No        No      Date and time the asset was last booted.
os_type                   Varchar(x)  No        No      The type of operating system installed on the asset.
os_version                Varchar(x)  No        No      The version of the operating system installed on the asset.

unprotected_assets_view

The unprotected_assets_view entity provides information about assets on which no agent is installed. These are assets imported from a discovery scan. Table 52 lists the attributes that can be used to view unprotected assets.

Table 52: unprotected_assets_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id                        Numeric     Yes       Yes     Asset ID
host_name                 Varchar(x)  No        No      Name of the asset.
ip_address                Varchar(x)  No        No      IP address of the asset.
status                    Varchar(x)  Yes       No      Asset status. Valid value: Unprotected.
date_created              Timestamp   Yes       No      Date and time the asset was detected by FortiScan.
boot_time                 Timestamp   No        No      Date and time the asset was last booted. Always empty for unprotected assets, since there is no agent to report it.
os_type                   Varchar(x)  No        No      The type of operating system installed on the asset.
os_version                Varchar(x)  No        No      The version of the operating system installed on the asset.

violated_policy_view

The violated_policy_view entity provides information about security policy violations on an asset. Table 53 lists the attributes that can be used to monitor an asset’s adherence to policies.

Table 53: violated_policy_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id                        Numeric     Yes       No      Asset ID
asset_user_group          Varchar(x)  Yes       No      Name of the asset group the asset belongs to.
host_name                 Varchar(x)  No        No      Name of the asset that has policy violations.
ip_address                Varchar(x)  No        No      IP address of the asset.
criticality               Varchar(x)  Yes       No      Asset criticality level. Valid values: Lowest, Low, Medium, High, Highest.
policy_name               Varchar(x)  Yes       No      Name of the policy that was violated.
policy_description        Varchar(x)  No        No      Descriptive text about the policy.
violation_date            Timestamp   Yes       No      Date and time FortiScan detected the policy violation on the asset.

summary_elements_view

The summary_elements_view entity provides information on each of the reported summary elements. Table 54 lists the attributes that can be used to access summary elements.

Table 54: summary_elements_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
module_name               Varchar(x)  Yes       No      Name of the module.
element_name              Varchar(x)  Yes       No      Name of the summary element.
display_order             Numeric     Yes       No      Display order.

assets_with_multi_ip_view

The assets_with_multi_ip_view entity provides information about assets that have been assigned more than one IP address. Table 55 lists the attributes that can be used to determine which assets have been assigned more than one IP address.

Table 55: assets_with_multi_ip_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
id                        Numeric     Yes       No      Asset ID
asset_user_group          Varchar(x)  Yes       No      Name of the asset group the asset belongs to.
host_name                 Varchar(x)  No        No      Host name of the asset.
os_type                   Varchar(x)  No        No      Asset OS type.
boot_time                 Varchar(x)  No        No      Time the asset booted.
old_ip_address            Varchar(x)  Yes       No      Previous IP address of the asset.
new_ip_address            Varchar(x)  Yes       No      Current IP address of the asset.

asset_remediation_history_view

The asset_remediation_history_view entity provides information about each distinct dispatched remediation that has completed its action. Table 56 lists the attributes that can be used to retrieve asset remediation history.

Table 56: asset_remediation_history_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
last_status_update        Timestamp   Yes       No      Date and time of the last status update of the remediation action.
ip_address                Varchar(x)  No        No      Asset IP address.
ce_id                     Varchar(x)  Yes       No      Asset agent ID (see asset_details_view).
rem_action_name           Varchar(x)  Yes       Yes     Remediation action name.
rem_action_type           Varchar(x)  No        No      Remediation action type.
current_status            Varchar(x)  Yes       No      Most recent status of the remediation action. Valid values: Resolved, Failed Asset, Reboot needed.
remediated_by             Varchar(x)  Yes       No      Name of the FortiScan administrator account that dispatched the remediation.
version_major             Numeric     Yes       No      Remediation major version number.
version_minor             Numeric     Yes       No      Remediation minor version number.
asset_id                  Numeric     Yes       No      Asset ID
asset_user_group          Varchar(x)  Yes       No      Name of the asset group the asset belongs to.

asset_vuln_history_view

The asset_vuln_history_view entity provides the vulnerability history per asset. Vulnerabilities are detected either by the agent-based OVAL scan or by the agentless network scan. Table 57 lists the attributes that can be used to show the vulnerability history per asset.

Table 57: asset_vuln_history_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
asset_id                  Numeric     Yes       No      Asset ID
asset_user_group          Varchar(x)  Yes       No      Name of the asset group the asset belongs to.
ip_address                Varchar(x)  No        No      IP address of the asset.
ce_id                     Varchar(x)  No        No      Asset agent ID (see asset_details_view).
scan_time                 Timestamp   Yes       No      Time of the scan.
scan_source               Varchar(x)  Yes       No      Name of the scanner that reported the vulnerability.
vulnerability_name        Varchar(x)  Yes       No      Name of the vulnerability.
date_detected             Timestamp   Yes       No      Date the vulnerability was detected.
severity                  Varchar(x)  No        No      Vulnerability severity.
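Because this view keeps one row per scan rather than only the latest state, it supports two reports the GUI does not give directly: how long each finding has been open on each asset, and findings that only one of the two scan methods reports. The queries below are an added example, not part of the guide. They assume that scan_source distinguishes the agent OVAL scan from the network scan by name, and that both methods use the same vulnerability_name for the same finding; the second assumption is not guaranteed, so treat query 2 as a coarse discrepancy list to investigate rather than a definitive one.

```sql
-- Added example, not from the FortiScan guide.
-- 1. Dwell time: first and last sighting of each finding on each asset,
--    limited to findings still seen within the last 7 days.
SELECT v.asset_id,
       v.ip_address,
       v.vulnerability_name,
       v.severity,
       MIN(v.date_detected)                    AS first_seen,
       MAX(v.scan_time)                        AS last_seen,
       MAX(v.scan_time) - MIN(v.date_detected) AS open_for
  FROM asset_vuln_history_view v
 GROUP BY v.asset_id, v.ip_address, v.vulnerability_name, v.severity
HAVING MAX(v.scan_time) >= now() - interval '7 days'
 ORDER BY open_for DESC, v.asset_id;

-- 2. Cross-check between scan methods: on assets that both methods have
--    scanned, findings that only one method ever reported. A finding the
--    agent sees but the network scan does not is normal (local-only checks);
--    the reverse deserves a look at the agent's OVAL content.
SELECT v.asset_id,
       v.vulnerability_name,
       MIN(v.scan_source) AS only_source,
       MAX(v.scan_time)   AS last_seen
  FROM asset_vuln_history_view v
 WHERE v.asset_id IN (SELECT asset_id
                        FROM asset_vuln_history_view
                       GROUP BY asset_id
                      HAVING COUNT(DISTINCT scan_source) > 1)
 GROUP BY v.asset_id, v.vulnerability_name
HAVING COUNT(DISTINCT v.scan_source) = 1
 ORDER BY v.asset_id, v.vulnerability_name;
```

Query 1 groups by severity as well, so a finding whose severity was re-rated between scans appears as two rows; drop severity from the GROUP BY if you want one row per finding.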

installed_app_summary_odbc_view

The installed_app_summary_odbc_view entity identifies applications installed across the enterprise, grouped by application name. Table 58 lists the attributes that can be used to enumerate installed applications.

Table 58: installed_app_summary_odbc_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
product                   Varchar(x)  Yes       Yes     Application name.
version                   Varchar(x)  No        No      Application version.
total_count               Numeric     Yes       No      Number of copies installed.

user_activity_log_view

The user_activity_log_view entity provides an audit trail of who did what using FortiScan. Table 59 lists the attributes that can be used to produce an audit trail of administrator activities.

Table 59: user_activity_log_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
user_name                 Varchar(x)  Yes       No      Name of the FortiScan administrator.
operation                 Varchar(x)  No        No      Activity name.
description               Varchar(x)  No        No      Activity description.
entity                    Varchar(x)  No        No      Name of the database table that was affected.
attribute                 Varchar(x)  No        No      Name of the database table column that was affected.
record_id                 Numeric     No        No      ID of the affected record.
change_date               Timestamp   No        No      Date and time of the change.
old_value                 Varchar(x)  No        No      Previous field value.
new_value                 Varchar(x)  No        No      Updated field value.

unique_alert_view

The unique_alert_view entity displays unique vulnerability alerts, where unique is defined as the combination of vulnerability vendor ID and status. Table 60 lists the attributes that can be used to view unique vulnerability alerts.

Table 60: unique_alert_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
vuln_vendor_id            Varchar(x)  Yes       No      Vulnerability vendor ID.
status                    Varchar(x)  Yes       No      Alert status.
available_remediations    Varchar(x)  Yes       No      List of available remediations.
no_of_alerts              Numeric     Yes       No      Number of alert occurrences.
alert_name                Varchar(x)  Yes       No      Alert name.

unapplied_policy_asset_view

The unapplied_policy_asset_view entity lists policies that are not applied to FortiScan-protected assets, one row per policy and asset. Table 61 lists the attributes that can be viewed.

Table 61: unapplied_policy_asset_view attributes

Attribute Name            Data Type   Not Null  Unique  Description
policy_name               Varchar(x)  Yes       No      Policy name.
policy_description        Varchar(x)  No        No      Policy description.
policy_id                 Varchar(x)  Yes       No      Policy ID.
asset_id                  Varchar(x)  Yes       No      Asset ID
host_name                 Varchar(x)  No        No      Asset host name.
connected_ip_address      Varchar(x)  No        No      Asset IP address.
status                    Varchar(x)  Yes       No      Asset status. Valid values: Disconnected, Protected, Registered, Retired.
criticality               Varchar(x)  Yes       No      Asset criticality. Valid values: Lowest, Low, Medium, High, Highest.

benchmark_view

The benchmark_view entity identifies benchmark compliance scan results. Table 62 lists the attributes that can be used to access compliance results.

Table 62: benchmark_view attributes

Attribute Name | Data Type | Not Null | Unique | Description
asset_id | Numeric | Yes | No | Asset ID
host_name | Varchar(x) | No | No | Asset host name
ip_address | Varchar(x) | No | No | Asset IP address
asset_criticality | Varchar(x) | Yes | No | Asset criticality. Valid values: Lowest, Low, Medium, High, Highest
asset_user_group | Varchar(x) | Yes | No | Name of the asset group the asset belongs to
compliance_scan_time | Timestamp | No | No | Date and time of scan start
benchmark | Varchar(x) | Yes | No | Description of benchmark
benchmark_name | Varchar(x) | Yes | No | Benchmark name
job_name | Varchar(x) | Yes | No | Name of scan job
benchmark_title | Varchar(x) | Yes | No | Title of benchmark
user_name | Varchar(x) | Yes | No | Administrator who started the benchmark scan
benchmark_score | Numeric | Yes | No | Overall benchmark score between 0 and 100 percent
benchmark_id | Varchar(x) | Yes | No | Benchmark ID
rule_id | Varchar(x) | Yes | No | Rule ID
rule_title | Varchar(x) | Yes | No | Rule title
profile_source_id | Varchar(x) | Yes | No | Profile source ID
profile_id | Varchar(x) | Yes | No | Profile ID
profile_name | Varchar(x) | Yes | No | Profile name
profile_title | Varchar(x) | Yes | No | Profile title
oval_id | Varchar(x) | No | No | OVAL ID
cce_reference | Varchar(x) | No | No | CCE references
nist_reference | Varchar(x) | No | No | NIST references
disa_stig_reference | Varchar(x) | No | No | DISA STIG references
disa_gold_reference | Varchar(x) | No | No | DISA Gold references
nsa_reference | Varchar(x) | No | No | NSA references
pdi_reference | Varchar(x) | No | No | PDI references
other_reference | Varchar(x) | No | No | Other references (not listed above)
rule_score_weight | Numeric | No | No | Rule weight, zero or greater; currently always 1
status | Varchar(x) | No | No | Status of scan. Valid values: Not Started, Pending, In Progress, Completed, Error, Expired
reason | Varchar(x) | No | No | Reason the asset does not pass the rule
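The views in Tables 60 and 62 are reached over ODBC with ordinary SQL. The following is an added example, not code from the FortiScan guide or appliance: it runs the kind of queries an analyst would issue against unique_alert_view and benchmark_view, using sqlite3 as an offline stand-in for the ODBC connection (against the appliance you would open a DSN with pyodbc instead). The column names are the documented ones; the raw_alert table, all row data, and the use of a populated reason column as the marker of a failed rule are assumptions made for the example.

```python
"""Queries over FortiScan ODBC views, run against an in-memory stand-in.

sqlite3 replaces the ODBC connection so the example runs offline.  View and
column names follow Tables 60 and 62 of the guide; every row below is
constructed sample data, not appliance output.
"""
import sqlite3

# Constructed raw alert rows (not a documented view).  unique_alert_view is
# derived from them using the page's definition of "unique":
# vulnerability vendor id + status, with no_of_alerts as the occurrence count.
RAW_ALERTS = [
    ("VD-0001", "Open",   "Patch available", "Example alert A"),
    ("VD-0001", "Open",   "Patch available", "Example alert A"),
    ("VD-0001", "Closed", "Patch available", "Example alert A"),
    ("VD-0002", "Open",   "",                "Example alert B"),
]

# Constructed benchmark_view rows over a subset of the Table 62 columns:
# asset_id, host_name, asset_criticality, benchmark_name, rule_id,
# benchmark_score, status, reason.
BENCHMARK_ROWS = [
    (1, "web01", "High",    "example-bench", "rule-1", 60,  "Completed", "setting not enforced"),
    (1, "web01", "High",    "example-bench", "rule-2", 60,  "Completed", None),
    (2, "db01",  "Highest", "example-bench", "rule-1", 40,  "Completed", "setting not enforced"),
    (2, "db01",  "Highest", "example-bench", "rule-2", 40,  "Completed", "service enabled"),
    (3, "dev01", "Low",     "example-bench", "rule-1", 100, "Completed", None),
]


def build_db():
    """Create the stand-in database with the two views' shapes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE raw_alert (vuln_vendor_id TEXT, status TEXT, "
                "available_remediations TEXT, alert_name TEXT)")
    con.executemany("INSERT INTO raw_alert VALUES (?, ?, ?, ?)", RAW_ALERTS)
    # One row per vendor id + status, as the guide defines "unique".
    con.execute("""
        CREATE VIEW unique_alert_view AS
        SELECT vuln_vendor_id, status, available_remediations,
               COUNT(*) AS no_of_alerts, alert_name
        FROM raw_alert
        GROUP BY vuln_vendor_id, status
    """)
    con.execute("""
        CREATE TABLE benchmark_view (
            asset_id INTEGER NOT NULL, host_name TEXT,
            asset_criticality TEXT NOT NULL, benchmark_name TEXT NOT NULL,
            rule_id TEXT NOT NULL, benchmark_score REAL NOT NULL,
            status TEXT, reason TEXT)
    """)
    con.executemany("INSERT INTO benchmark_view VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
                    BENCHMARK_ROWS)
    con.commit()
    return con


def open_alerts(con):
    """Open alerts and how often each occurred, most frequent first."""
    return con.execute("""
        SELECT vuln_vendor_id, no_of_alerts
        FROM unique_alert_view
        WHERE status = 'Open'
        ORDER BY no_of_alerts DESC, vuln_vendor_id
    """).fetchall()


def failing_rules_by_criticality(con, criticalities=("High", "Highest")):
    """Failed rules on high-value assets.  Assumption: a populated reason
    ('Reason the asset does not pass the rule') marks a failed rule."""
    placeholders = ", ".join("?" * len(criticalities))
    return con.execute(f"""
        SELECT host_name, asset_criticality, rule_id, reason
        FROM benchmark_view
        WHERE status = 'Completed' AND reason IS NOT NULL
          AND asset_criticality IN ({placeholders})
        ORDER BY host_name, rule_id
    """, criticalities).fetchall()


def assets_below_score(con, threshold):
    """Hosts whose overall benchmark score (0-100 percent) is under threshold."""
    return con.execute("""
        SELECT DISTINCT host_name, benchmark_score
        FROM benchmark_view
        WHERE benchmark_score < ?
        ORDER BY benchmark_score
    """, (threshold,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("open alerts:", open_alerts(db))
    print("failed rules on High/Highest assets:", failing_rules_by_criticality(db))
    print("assets scoring under 70%:", assets_below_score(db, 70))
```

The GROUP BY in the view is what makes no_of_alerts meaningful: two raw alerts for the same vendor id and status collapse into one row with a count of 2, while the same vendor id with a different status stays a separate row.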


Appendix E: Remediation Actions

The following is a list of available actions for remediation templates and policies. Actions can be combined as needed to create a complex action list. For more information, see:
• “Adding actions to a remediation template” on page 406
• “Adding remediation actions to a compliance policy” on page 358

Table 63: Remediation actions

Remediation Action & Parameters | Description | Supported Platform
Add group | Adds a new local group on the host asset. | Windows, Solaris, Linux (see note 1)
  Group name | Specify the name of the new user group.
Add metabase data | Adds data to a Microsoft IIS metabase. For information about metabase data parameters, properties and attributes, go to: http://msdn.microsoft.com/en-us/library/ms524578.aspx | Microsoft IIS with metabase supported. For IIS 7 and IIS 6, metabase compatibility must be enabled.
  Key path | Specify the path in the metabase that uniquely identifies the hierarchical position of a node.
  Data ID | Specify the IIS identifiers. These are assigned from a pool of reserved numbers. To create new identifiers in the metabase, use identifier numbers greater than 65535 (0x0000ffff) to avoid conflicts with reserved system data.
  Attributes | Specify the metabase property attributes, such as the INHERIT attribute.
  Data type | Specify the type of data to retrieve.
  User type | Specify the DWORD that specifies how the property value is used.
  Data | Specify the metabase data.
Add route | Adds a route to the asset’s route table. | Windows, Solaris, Linux
  Address | Specify the destination IP address or network.
  Netmask | Specify the destination IP address netmask.
  Gateway | Specify the gateway IP address.
Add user | Adds a local user account on the asset. | Windows, Solaris, Linux
  User Name | Specify the local user name for the account.
  Group Name | Required for Red Hat/Solaris. Specify the name of the user group to which the account should be added. The group name must already exist.

  Additional Groups | Optional. Specify the names of any additional user groups to which you want to add the account. All specified groups must already exist.
  Default Shell | Specify the name of the default shell for the new user. (Red Hat/Solaris only)
  Home Directory | Optional. Specify the full home directory path name for the new user. (Red Hat/Solaris only)
Add user with password | Adds a local user account on the asset and sets the password. | Windows, Solaris, Linux
  User name | Specify the local user name.
  Group name | Required for Red Hat/Solaris. Specify the name of the user group to which the account should be added. The group name must already exist.
  Password | Specify the user password.
  Additional groups | Optional. Specify the names of any additional user groups to which you want to add the account. All specified groups must already exist.
  Default Shell | Specify the name of the default shell for the new user. (Red Hat/Solaris only)
  Home Directory | Optional. Specify the full path name to the home directory for the new user. (Red Hat/Solaris only)
Change file permissions | Changes Linux file permissions on the asset. | Solaris, Linux
  Full path name | Specify the full path name of the file.
  New permissions | Specify the numeric permissions string. For example, enter 755 to set permissions to rwxr-xr-x.
Change password | Changes a user’s password on the asset. | Windows, Solaris, Linux
  User name | Specify the local user name.
  New password | Specify the new user password.
Configure service start | Sets the start state for an installed Windows service. | Windows
  Service name | Specify the service name, e.g. network.
  Start state | Select the service start state: Automatic, Manual or Disable.

Control service | Issues a control command to a named service. | Windows, Solaris (see note 2), Linux (see note 2)
  Service name | Specify the service name, e.g. network.
  Command | Specify the command to be issued: Pause, Resume, Start or Stop.
Copy file | Copies a file from one path to another on the asset. | Windows, Solaris, Linux
  Full source path name | Specify the full path name of the source file.
  Full destination path name | Specify the full path name of the destination file.
Copy user account | Copies a user account on the asset. | Windows, Solaris, Linux
  User name | Specify the name of the original user to be copied.
  New user name | Specify the user name to be used for the new (duplicate) account.
Copy user account with password | Copies a user account on the asset and sets the password on the new (duplicate) account. | Windows, Solaris, Linux
  User name | Specify the name of the original user to be copied.
  New user name | Specify the user name to be used for the new (duplicate) account.
  New password | Specify the user password to be used for the new (duplicate) account.
Create metabase key | Creates a metabase key on a Windows platform. | Windows with IIS
  Key path | Specify the path in the metabase that uniquely identifies the hierarchical position of a node.
Create registry key | Creates a registry key on a Windows platform. | Windows
  Key path | Specify the full key path and name in the Windows registry that uniquely identifies the hierarchical position of a node.
Create text file | Creates a text file. | Windows, Solaris, Linux
  Full path name | Specify the full path name for the text file, including the file name.
  Line ending type | Specify the end-of-line (EOL) character to be used in the text file: UNIX (LF) or Windows (CRLF).
  File contents | Specify the file contents.

  Overwrite if exists | Select one of the following options from the list: TRUE: overwrite an existing file with the same name (default); FALSE: do not overwrite an existing file with the same name.
Delete file | Deletes a file on the asset. | Windows, Solaris, Linux
  Full path name | Specify the full path name of the file to be deleted.
Delete group | Deletes a local user group on the asset. | Windows, Solaris, Linux
  Group name | Specify the name of the user group to be deleted.
Delete metabase data | Deletes metabase data corresponding to the specified ID on an asset with a Windows operating system. | Windows with IIS
  Key Path | Specify the path in the metabase that uniquely identifies the hierarchical position of a node.
  Data ID | Identifiers used by IIS are assigned from a pool of reserved numbers.
Delete metabase key | Deletes a metabase key on an asset with a Windows operating system. | Windows with IIS
  Key Path | Specify the path in the metabase that uniquely identifies the hierarchical position of a node.
Delete registry key | Deletes the specified registry key (fails if the key has child entries). | Windows
  Key Path | Specify the full key path and name to be deleted from the Windows registry.
Delete registry key tree | Deletes the specified key and all child entries. | Windows
  Key Path | Specify the key path (subtree node) to be deleted from the Windows registry.
Delete registry value | Deletes the value for the specified key. | Windows
  Key Path | Specify the full key path and name in the Windows registry of the key whose value you want to delete.
  Value Name | Specify the name of the value to be deleted.
Delete route | Deletes a route from the asset’s route table. | Windows, Solaris, Linux
  Address | Specify the destination IP address or network of the route to be deleted.
  Gateway | Specify the gateway IP address of the route to be deleted.

Delete user | Deletes a local user account from the asset. | Windows, Solaris, Linux
  User name | Specify the user name for the account to be deleted.
Disable interface | Disables the specified network interface on the asset. | Windows, Solaris, Linux
  Interface name | Specify the network interface name.
Disable user | Disables the specified user account on the asset. | Windows, Solaris, Linux
  User name | Specify the name of the user account to be disabled.
Edit file | Edits a file on the asset using basic regular (not extended) sed command expressions. | Windows, Solaris, Linux
  Full path name | Specify the full path name of the file to be edited.
  Sed Statement | Specify the sed command expression to be used to edit the file, such as: s/old/new/g. Only substitution command expressions are supported; for example: s/^/n$// would remove empty lines. See http://www.regular-expressions.info/reference.html for more information on expressions.
Edit registry key value | Edits a registry key value on an asset with a Windows operating system (adds the key if the key is not present). | Windows
  Full key path | Specify the full key path in the Windows registry.
  Name | Specify the name of the registry key.
  Type | Select the key type from the drop-down list, for example: REG_DWORD.
  Value | Enter the key value.
Enable interface | Enables the specified network interface on the asset. | Windows, Solaris, Linux
  Interface name | Specify the name of the interface to be enabled (set to UP).
Enable user | Enables the specified user account on the asset. | Windows, Solaris, Linux
  User name | Specify the user name to be enabled.
Get ARP table | Retrieves the ARP table on the asset. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get BIOS manufacturer | Retrieves the manufacturer of the asset’s BIOS. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux

Get BIOS version | Retrieves the version of the asset’s BIOS. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get boot time | Retrieves the boot time of the asset. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get connected users | Retrieves the list of connected users from the asset. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get CPU count | Retrieves the number of CPUs in the asset. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get CPU family | Retrieves the asset CPU family name. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get CPU model | Retrieves the asset CPU model name. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get CPU speed | Retrieves the asset CPU speed. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get CPU utilization | Retrieves the asset CPU utilization (average percent of utilization across CPUs). The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get device drivers | Retrieves the list of device drivers on the asset. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get drives | Retrieves the list of storage drives on the asset. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get files | Retrieves all the files in the specified asset directory. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
  Full directory path name | Specify the full path name for the directory.
Get groups | Retrieves the list of local groups on the asset. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get hostname | Retrieves the simple host name of the asset (stops at the first “,” character). The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get hostname extended | Retrieves the extended host name of the asset. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get installed applications | Retrieves the list of applications installed on the asset. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get installed patches | Retrieves the list of patches installed on the asset. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux

Get NETSTAT listing | Retrieves the output of the netstat utility on the asset. The value will be returned in the Policy Alert details. | Windows, Solaris (partial), Linux (partial)
Get network interfaces | Retrieves the list of network interfaces on the asset. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get OS type | Retrieves the OS type of the asset. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get OS version | Retrieves the OS version of the asset. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get partition free space | Retrieves the amount of free space in the partition containing the specified path name. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
  Path name | Specify the full path name for the partition.
Get partitions | Retrieves the list of partitions on the asset. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
Get partition size | Retrieves the size of the partition containing the specified path name. The value will be returned in the Policy Alert details. | Windows, Solaris, Linux
  Path name | Specify the full path name for the partition.
Get physical RAM total | Retrieves the amount of physical RAM on the asset. | Windows, Solaris, Linux
Get processes | Retrieves the list of running processes on the asset (name and PID only). | Windows, Solaris, Linux
Get process file info | Retrieves the list of running processes on the asset (name, path, owner, PID, size, permissions, creation time, modification time, and MD5 value). | Windows, Solaris, Linux
Get RAM page size | Retrieves the RAM page size of the asset. | Windows, Solaris, Linux
Get RAM utilization | Retrieves the RAM utilization of the asset. | Windows, Solaris, Linux
Get route table | Retrieves the asset’s route table. | Windows, Solaris, Linux
Get users | Retrieves the list of local user accounts on the asset. | Windows, Solaris, Linux
Get virtual address space size | Retrieves the size of the asset’s virtual address space. | Windows, Solaris, Linux
Install a set of patches | Installs a set of patches on the asset. Reboots the asset after installing the final patch. Reboot cannot be suppressed when manually dispatched. | Windows
  Patch URLs | Specify the URL of each patch that will be downloaded.

  Type | Optional. For Windows platforms, select the patch type from the list. For more information, see Notes 3 and 4. For Red Hat/Solaris patches, leave this field empty.
  Additional options | Enter any patch command options, for example: options[0]=/q /z
Install a set of signed patches | Installs a set of signed patches on the asset. Reboots the asset after installing the final patch. Reboot cannot be suppressed when manually dispatched. | Windows
  Patch URLs | Specify the URL of each patch that will be downloaded.
  Patch Signatures | Specify the patch signatures (for example, MD5:md5_value or SHA1:sha1_value) for the patches in the Patch URLs list above. Note: Each signature occupies one row. The row number must correctly correlate with the associated patch URL in the list above.
  Type | Optional. For Windows platforms, select the patch type from the list. For more information, see Notes 3 and 4. For Red Hat/Solaris patches, leave this field empty.
  Additional options | Enter any patch command options, for example: options[0]=/q /z
Install a signed patch | Installs a signed patch on the asset. Reboots the asset after installing the patch. Reboot cannot be suppressed when manually dispatched. | Windows
  Patch URL | Specify the patch URL to be downloaded.
  Patch Signature | Specify the patch signature (for example, MD5:md5_value or SHA1:sha1_value).
  Type | Optional. For Windows platforms, select the patch type from the list. For more information, see Notes 3 and 4. For Red Hat/Solaris patches, leave this field empty.
  Additional options | Enter any patch command options, for example: options[0]=/q /z
Install patch | Installs a patch on the asset. Reboots the asset after installing the patch. Reboot cannot be suppressed when manually dispatched. | Windows
  Patch URL | Specify the patch URL to be downloaded.

  Type | Optional. For Windows platforms, select the patch type from the list. For more information, see Notes 3 and 4. For Red Hat/Solaris patches, leave this field empty.
  Additional options | Enter any patch command options, for example: options[0]=/q /z
Kill process by name | Kills all processes with the specified name on the asset. | Windows, Solaris, Linux
  Process name | Enter the exact process name, e.g. regedit.exe (case sensitive).
Kill process by PID | Kills a process with the specified PID on the asset. | Windows, Solaris, Linux
  Process PID | Enter the process PID number.
Modify user | Modifies a local user account on the asset. | Windows, Solaris, Linux
  User Name | Enter the user name.
  Group Name | Enter the name of the user group to which the user belongs.
  Additional Groups | Optional. Enter any additional groups to which the user account belongs.
  Default Shell* | Specify the name of the default shell for the new user. (Red Hat/Solaris only)
Move file | Moves a file from one path to another on the asset. | Windows, Solaris, Linux
  Full source file path name | Enter the full path name of the source file.
  Full destination file path name | Specify the full path name of the destination file.
Reboot | Reboots the asset. | Windows, Solaris, Linux
  Command options | For Windows, no option is needed. For UNIX, specify the reboot command options.
Reboot if needed | For use by the Fortinet Remediation Team only; do not use. | Windows
  Set reboot if needed | Specify 0 for no reboot, or 1 if reboot is needed.
Run a program | Runs a program on the asset. | Windows, Solaris, Linux
  Program | Specify the full path name of the program executable.
  Arguments | Specify the parameters for the program, if any.

Set reboot needed | Indicates that a reboot is needed. | Windows, Solaris, Linux
Shutdown | Shuts down the asset. | Solaris, Linux
  Command options | Specify the shutdown command options.
Start daemon | Starts a daemon on the asset. | Windows, Solaris, Linux
  Full path name | Specify the full path name of the daemon.
  Arguments | Specify the arguments for the daemon. Note: Some programs which need user interaction (e.g. a tty) cannot run as daemons.
Survey, detailed | Retrieves detailed survey information from the asset. | Windows, Solaris, Linux
Survey, standard | Retrieves standard survey information from the asset. | Windows, Solaris, Linux
Uninstall patch | Uninstalls a patch on the asset. | Windows
  Patch name | Specify the patch name, for example KB840374.

Notes:

1. Red Hat 9 requires the group name to be specified in all lowercase.

2. Control Service (Linux and Solaris) has an issue that is sometimes seen on the Linux and Solaris platforms when you issue a Control Service Stop. Depending on how the service’s init script is written, you could see a return of “Failed: Asset” when the Control Service Stop was successful. This is a result of the return code from the init script itself. You can verify this by manually running the init script and inspecting the return code. For example, we start and stop sendmail:

    # /etc/init.d/sendmail start
    # /etc/init.d/sendmail stop

And inspect the return code:

    # echo $?
    208

Any non-zero return code is an error.

    # ps -aef | grep sendmail
    #

However, the results of the ps command prove that sendmail has indeed been stopped. Here is what the command string /etc/init.d/sendmail stop executes:

    'stop')
        [ -f $SERVER_PID_FILE ] && check_and_kill $SERVER_PID_FILE
        if [ -f $CLIENT_PID_FILE ]; then
            check_and_kill $CLIENT_PID_FILE
            rm -f $CLIENT_PID_FILE
        fi
        /usr/bin/pkill -x -u 0 -z ${_INIT_ZONENAME:=`/sbin/zonename`} sendmail
        ;;

The return code is being sent by pkill. Since check_and_kill is successfully killing the server and client PIDs, the catchall pkill has nothing to kill, and returns non-zero.

3. The FortiScan appliance regularly downloads the latest patches from Microsoft and several other authorized vendors (for a full list, see Note 4). Normally, these patches are installed on assets using standard Fortinet remediation templates, which contain pre-defined actions, where the patch type is pre-specified as one of the following:
• adv: a security advisory patch
• exe: an executable file
• hotfix: a fix that requires no reboot
• msp: a service pack for Vista machines
• servicepack: a service pack for earlier Windows (Windows XP, etc.) machines
• custom: an embedded script that performs multiple actions

In addition to the standard patch types, Fortinet also provides the following special patch type:
• direct: allows an administrator to download the patch directly from a specified URL, rather than through the FortiScan appliance. For example, you can use this type to download patches for proprietary in-house software from a network server, or to download updates for third-party applications that are not included in the standard list of authorized vendors accessed through the FortiScan appliance.

4. The FortiScan appliance only allows patch downloads from the following authorized vendors:
• fortinet.com
• microsoft.com
• freebsd.org
• sun.com
• redhat.com
• fedoralegacy.org
• apple.com
• speedera.net
• fujitsu.com
• suse.com
• novell.com
• akamai.net
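The signed-patch actions in Table 63 take a Patch URLs list and a row-correlated Patch Signatures list in MD5:<hex> or SHA1:<hex> form, and Notes 3 and 4 restrict where the appliance will download from. The following is an added example, not FortiScan code, of the checks an operator can run over those inputs before dispatching the action: that the two lists correlate row by row, that each signature parses, that the fetched bytes match the digest, and that each URL's host is one of the Note 4 vendor domains unless the patch type is "direct". The fetch function, the sample URLs and the patch bytes are constructed for the example; only the signature formats and the vendor list come from the guide.

```python
"""Pre-dispatch checks for a FortiScan signed-patch action (added example).

Implements, from Appendix E: (1) Patch Signatures must correlate row by row
with Patch URLs and each entry is "MD5:<hex>" or "SHA1:<hex>"; (2) per Note 4,
patch URLs must point at an authorized vendor domain, unless the patch type is
"direct" (Note 3).  The patch bytes below are constructed stand-ins for a
downloaded file.
"""
import hashlib
from urllib.parse import urlparse

# Authorized vendor domains as listed in Note 4.
AUTHORIZED_VENDORS = (
    "fortinet.com", "microsoft.com", "freebsd.org", "sun.com", "redhat.com",
    "fedoralegacy.org", "apple.com", "speedera.net", "fujitsu.com",
    "suse.com", "novell.com", "akamai.net",
)

# The two signature prefixes the guide documents, mapped to hashlib constructors.
_ALGOS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def parse_signature(sig):
    """'MD5:<hex>' or 'SHA1:<hex>' -> (algorithm, lowercase hex digest).
    Raises ValueError for any other prefix or a digest of the wrong length."""
    algo, sep, digest = sig.strip().partition(":")
    algo = algo.upper()
    if not sep or algo not in _ALGOS:
        raise ValueError(f"unsupported signature format: {sig!r}")
    digest = digest.strip().lower()
    expected_len = _ALGOS[algo]().digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"malformed {algo} digest: {sig!r}")
    return algo, digest


def host_is_authorized(url, patch_type=""):
    """True if the URL host is an authorized vendor domain or a subdomain of one.
    Matching is on the whole label boundary, so 'microsoft.com.example' does not
    pass.  'direct' patches bypass the appliance download path (Note 3)."""
    if patch_type == "direct":
        return True
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in AUTHORIZED_VENDORS)


def verify_patch_set(urls, signatures, fetch, patch_type=""):
    """Check a set-of-signed-patches action.  fetch(url) returns the patch bytes.
    Returns [(url, 'ok' | '<problem>'), ...] in row order."""
    if len(urls) != len(signatures):
        raise ValueError(f"{len(urls)} patch URLs but {len(signatures)} signatures; "
                         "rows must correlate one to one")
    results = []
    for url, sig in zip(urls, signatures):
        if not host_is_authorized(url, patch_type):
            results.append((url, "host not in authorized vendor list"))
            continue
        try:
            algo, expected = parse_signature(sig)
        except ValueError as exc:
            results.append((url, str(exc)))
            continue
        actual = _ALGOS[algo](fetch(url)).hexdigest()
        results.append((url, "ok" if actual == expected else f"{algo} mismatch"))
    return results


# Constructed sample: fixed "downloaded" bytes so the example runs offline.
# The URLs and file names are placeholders, not real patches.
SAMPLE_PATCHES = {
    "http://download.microsoft.com/example/KB-example.exe": b"constructed patch payload A",
    "http://redhat.com/example/update-example.rpm": b"constructed patch payload B",
    "http://updates.example.invalid/unlisted-example.exe": b"constructed patch payload C",
}


def fetch_sample(url):
    return SAMPLE_PATCHES[url]


def demo():
    """One correct row, one digest mismatch, one host outside the vendor list."""
    urls = list(SAMPLE_PATCHES)
    sigs = [
        "SHA1:" + hashlib.sha1(SAMPLE_PATCHES[urls[0]]).hexdigest(),
        "MD5:" + "0" * 32,
        "SHA1:" + hashlib.sha1(SAMPLE_PATCHES[urls[2]]).hexdigest(),
    ]
    return verify_patch_set(urls, sigs, fetch_sample)


if __name__ == "__main__":
    for url, status in demo():
        print(f"{status:36s} {url}")
```

The length mismatch is treated as a hard error rather than a per-row result because the guide ties each signature to its URL by row number: with the lists out of step, every later row would be checked against the wrong digest.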


Appendix F: Policy Conditions

This table shows the list of conditions that you can use when creating policies.

Table 64: Policy conditions

Condition Name | Condition Operation | Description
BIOS Manufacturer | Asset attribute change | Condition will be triggered if BIOS Manufacturer from recent survey is changed.
BIOS Manufacturer | Non-numeric does not equal | Condition will be triggered if BIOS Manufacturer from recent survey is not equal to specified value.
BIOS Manufacturer | Non-numeric equals | Condition will be triggered if BIOS Manufacturer from recent survey is equal to specified value.
BIOS Version | Asset attribute change | Condition will be triggered if BIOS Version from recent survey is changed.
BIOS Version | Non-numeric does not equal | Condition will be triggered if BIOS Version from recent survey is not equal to specified value.
BIOS Version | Non-numeric equals | Condition will be triggered if BIOS Version from recent survey is equal to specified value.
Boot Time | Asset attribute change | Condition will be triggered if boot time from recent survey is changed.
Boot Time | In a range (date values) | Condition will be triggered if boot time from recent survey is in the specified date range.
Boot Time | In a range (time values) | Condition will be triggered if boot time from recent survey is in the specified time range.
Boot Time | Out of a range (date values) | Condition will be triggered if boot time from recent survey is NOT in the specified date range.
Boot Time | Out of a range (time values) | Condition will be triggered if boot time from recent survey is NOT in the specified time range.
CPU Count | Arithmetic comparison (equals) | Condition will be triggered if CPU Count from recent survey equals the specified comparison value.
CPU Count | Arithmetic comparison (greater than) | Condition will be triggered if CPU Count from recent survey is greater than the specified comparison value.
CPU Count | Arithmetic comparison (less than) | Condition will be triggered if CPU Count from recent survey is less than the specified comparison value.
CPU Count | Arithmetic comparison (not equals) | Condition will be triggered if CPU Count from recent survey does NOT equal the specified comparison value.
CPU Count | Asset attribute change | Condition will be triggered if CPU Count from recent survey is changed.
CPU Family | Asset attribute change | Condition will be triggered if CPU Family from recent survey is changed.
CPU Family | Non-numeric does not equal | Condition will be triggered if CPU Family from recent survey is not equal to specified value.
CPU Family | Non-numeric equals | Condition will be triggered if CPU Family from recent survey is equal to specified value.
CPU Model | Asset attribute change | Condition will be triggered if CPU Model from recent survey is changed.
CPU Model | Non-numeric does not equal | Condition will be triggered if CPU Model from recent survey is not equal to specified value.
CPU Model | Non-numeric equals | Condition will be triggered if CPU Model from recent survey is equal to specified value.
CPU Speed | Arithmetic comparison (equals) | Condition will be triggered if CPU Speed from recent survey equals the specified comparison value.
CPU Speed | Arithmetic comparison (greater than) | Condition will be triggered if CPU Speed from recent survey is greater than the specified comparison value.
CPU Speed | Arithmetic comparison (less than) | Condition will be triggered if CPU Speed from recent survey is less than the specified comparison value.
CPU Speed | Arithmetic comparison (not equals) | Condition will be triggered if CPU Speed from recent survey does NOT equal the specified comparison value.
CPU Speed | Asset attribute change | Condition will be triggered if CPU Speed from recent survey is changed.
CPU Utilization | Arithmetic comparison (greater than) | Condition will be triggered if CPU Utilization from recent survey is greater than the specified comparison value.
CPU Utilization | Arithmetic comparison (less than) | Condition will be triggered if CPU Utilization from recent survey is less than the specified comparison value.
Connected IP Address | Asset attribute change | Condition will be triggered if Connected IP Address from recent survey is changed.
Connected IP Address | In a range (IP address values) | Condition will be triggered if Connected IP Address is between the maximum value and the minimum value.
Connected IP Address | Out of a range (IP address values) | Condition will be triggered if Connected IP Address is NOT between the maximum value and the minimum value.
Connected Users | Asset attribute change | Condition will be triggered if any one of Connected Users from recent survey is changed.
Connected Users | List Excludes | Condition will be triggered if any one of the specified items in the list is NOT in the Connected Users list. Items are separated by commas.
Connected Users | List Includes | Condition will be triggered if any one of Connected Users is in the specified list. Items are separated by commas.
Devices | Asset attribute change | Condition will be triggered if any one of Devices from recent survey is changed.
Devices | List Excludes | Condition will be triggered if any one of the specified items in the list is NOT in the Devices list. Items are separated by commas.
Devices | List Includes | Condition will be triggered if any one of Devices is in the specified list. Items are separated by commas.
Hard Drive Space Free (Compare in MB) | Arithmetic comparison (greater than) | Condition will be triggered if Hard Drive Free Space from recent survey is greater than the specified comparison value.
Hard Drive Space Free (Compare in MB) | Arithmetic comparison (less than) | Condition will be triggered if Hard Drive Free Space from recent survey is less than the specified comparison value.
Hard Drive Space Total | Arithmetic comparison (greater than) | Condition will be triggered if Hard Drive Space Total from recent survey is greater than the specified comparison value.
Hard Drive Space Total | Arithmetic comparison (less than) | Condition will be triggered if Hard Drive Space Total from recent survey is less than the specified comparison value.
Hard Drive Space Total | Asset attribute change | Condition will be triggered if Hard Drive Space Total from recent survey is changed.
Host Name | Asset attribute change | Condition will be triggered if Host Name from recent survey is changed.
Host Name | Non-numeric does not equal | Condition will be triggered if Host Name from recent survey is not equal to specified value.
Host Name | Non-numeric equals | Condition will be triggered if Host Name from recent survey is equal to specified value.
Installed Applications | Allowed Software | Condition will be triggered if any one of Installed Applications from recent survey is NOT in the specified list. Items are separated by commas.
Installed Applications | Asset attribute change | Condition will be triggered if Installed Applications from recent survey is changed.
Installed Applications | Asset attribute remains constant | Condition will be triggered if Installed Applications from recent survey is NOT changed.
Installed Applications | Disallowed Software | Condition will be triggered if any one of Installed Applications from recent survey is in the specified list. Items are separated by commas.
Installed Applications | List excludes | Condition will be triggered if any one of the specified items in the list is NOT in the Installed Applications list.
Installed Applications | List includes | Condition will be triggered if any one of Installed Applications is in the specified list. Items are separated by commas.
Installed Applications | Required Software | Condition will be triggered if any one of the items in the specified list is NOT in the Installed Applications list from recent survey.
Local User Accounts | Asset attribute change | Condition will be triggered if any one of Local User Accounts from recent survey is changed.
Local User Accounts | List Excludes | Condition will be triggered if any one of the specified items in the list is NOT in the Local User Accounts list. Items are separated by commas.
Local User Accounts | List Includes | Condition will be triggered if any one of Local User Accounts is in the specified list. Items are separated by commas.
Local User Groups | Asset attribute change | Condition will be triggered if any one of Local User Groups from recent survey is changed.
Local User Groups | List Excludes | Condition will be triggered if any one of the specified items in the list is NOT in the Local User Groups list. Items are separated by commas.
Local User Groups | List Includes | Condition will be triggered if any one of Local User Groups is in the specified list. Items are separated by commas.
Operating System Name | Asset attribute change | Condition will be triggered if Operating System Name from recent survey is changed.
Operating System Name | Non-numeric does not equal | Condition will be triggered if Operating System Name from recent survey is not equal to specified value.
Operating System Name | Non-numeric equals | Condition will be triggered if Operating System Name from recent survey is equal to specified value.

Operating System Asset attribute change Condition will be triggered if Operating System Version from recent Version survey is changed. Asset attribute remains constant

Condition will be triggered if Operating System Version from recent survey is NOT changed.

Non-numeric does not Condition will be triggered if Operating System Version from recent equal survey is not equal to specified value. Non-numeric equals Partition Name

Condition will be triggered if Operating System Version from recent survey is equal to specified value.

Asset attribute change Condition will be triggered if any one of Partition Name from recent survey is changed. List Excludes

Condition will be triggered if any one of specified item in the list is NOT in Partition Name list. Items are separated by commas.

List Includes

Condition will be triggered if any one of Partition Name is in the specified list. Items are separated by commas.

Patches

Asset attribute change Condition will be triggered if any one of Patches from recent survey is changed. Asset attribute remains constant

Condition will be triggered if Patches from recent survey is NOT changed.

List Excludes

Condition will be triggered if any one of specified item in the list is NOT in Patches list. Items are separated by commas.

List Includes

Condition will be triggered if any one of Patches is in the specified list. Items are separated by commas.

Appendix F: Policy Conditions

Page 564

FortiScan v5.0 MR1 Administration Guide

Table 64: Policy conditions (continued) Condition Name

Condition Operation

Description

Processes

List Excludes

Condition will be triggered if any one of specified item in the list is NOT in Processes list. Items are separated by commas.

List Includes

Condition will be triggered if any one of Processes is in the specified list. Items are separated by commas.

Process List MD5 RAM Total

Condition will be triggered if any one of MD5 process in the specified list is in the processes list from recent survey.

Arithmetic comparison Condition will be triggered if RAM Total from recent survey equals (equals) the specified comparison value. Arithmetic comparison Condition will be triggered if RAM Total from recent survey is (greater than) greater than the specified comparison value. Arithmetic comparison Condition will be triggered if RAM Total from recent survey is less (less than) than the specified comparison value. Asset attribute change Condition will be triggered if RAM Total from recent survey is changed.

RAM Utilization

Arithmetic comparison Condition will be triggered if RAM Utilization from recent survey is (greater than) greater than the specified comparison value. Arithmetic comparison Condition will be triggered if RAM Utilization from recent survey is (less than) less than the specified comparison value.

RAM Virtual

Arithmetic comparison Condition will be triggered if RAM Virtual from recent survey is (greater than) greater than the specified comparison value. Arithmetic comparison Condition will be triggered if RAM Virtual from recent survey is less (less than) than the specified comparison value.

Time Range

Hour Based Schedule

Condition will be triggered if the current time is in the range of selected time range. Note: If you select All, the condition will be triggered every hour.
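The condition operations in Table 64 amount to a small rule language over survey attributes, and a few of them are easy to confuse: List Excludes and Required Software are the same test (some required item is missing from the host), while Allowed Software is the mirror image (some item on the host is missing from the list). The following added example is not FortiScan code; it is a stand-alone evaluator that implements each operation as the table describes it and runs a constructed policy over two constructed survey snapshots. Attribute and operation names follow the table; the snapshot dictionary layout, the "Process MD5" attribute, the (rule name, condition name, operation, value) tuple format, and the decision that a missing previous survey triggers neither "change" nor "remains constant" are assumptions made here.

```python
"""Added example, not FortiScan code: a stand-alone evaluator for the condition
operations in Table 64, run over two constructed survey snapshots. Attribute
and operation names follow the table; the snapshot layout, the "Process MD5"
attribute, the rule tuple format and the treatment of a missing previous
survey are assumptions made for this illustration."""
from __future__ import annotations

import hashlib
from typing import Any


def parse_list(spec: str) -> list[str]:
    """Split a policy value into items ("Items are separated by commas")."""
    return [item.strip() for item in spec.split(",") if item.strip()]


def as_set(value: Any) -> set[str]:
    """Normalize an attribute to a set of strings so ordering is not a change."""
    if isinstance(value, (list, tuple, set, frozenset)):
        return {str(v) for v in value}
    return {str(value)}


def evaluate(operation: str, current: Any, previous: Any = None,
             value: str | None = None) -> bool:
    """True when one condition operation is triggered. current / previous are
    the attribute from the most recent survey and from the one before it;
    assumption: with no previous survey (None) neither "change" nor "remains
    constant" triggers. value is the policy's comparison value or list."""
    if operation == "Asset attribute change":
        return previous is not None and as_set(current) != as_set(previous)
    if operation == "Asset attribute remains constant":
        return previous is not None and as_set(current) == as_set(previous)
    if operation == "Arithmetic comparison (equals)":
        return float(current) == float(value)
    if operation == "Arithmetic comparison (greater than)":
        return float(current) > float(value)
    if operation == "Arithmetic comparison (less than)":
        return float(current) < float(value)
    if operation == "Non-numeric equals":
        return str(current) == value
    if operation == "Non-numeric does not equal":
        return str(current) != value
    # "any one of <attribute> is in the specified list": a blocklist hit.
    if operation in ("List Includes", "Disallowed Software", "Process List MD5"):
        return any(item in as_set(current) for item in parse_list(value))
    # "any one of the specified items is NOT in the <attribute> list": a
    # required item is missing; Required Software is described the same way.
    if operation in ("List Excludes", "Required Software"):
        return any(item not in as_set(current) for item in parse_list(value))
    # "any one of Installed Applications is NOT in the specified list": the
    # mirror image, something present that the allowlist does not cover.
    if operation == "Allowed Software":
        return any(item not in set(parse_list(value)) for item in as_set(current))
    # Assumption: value is "All" or a comma-separated list of hours, 0-23.
    if operation == "Hour Based Schedule":
        return value == "All" or str(int(current)) in parse_list(value)
    raise ValueError(f"unknown condition operation: {operation}")


def evaluate_policy(policy, current, previous=None) -> dict[str, bool]:
    """Evaluate (rule, condition name, operation, value) tuples; map rule to result."""
    previous = previous or {}
    return {rule: evaluate(op, current.get(attr), previous.get(attr), value)
            for rule, attr, op, value in policy}


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed survey snapshots (not real FortiScan output).
PREVIOUS_SURVEY = {
    "Host Name": "web01", "RAM Total": 8192, "Hard Drive Space Free": 20480,
    "Installed Applications": ["OpenSSH 6.2", "Apache 2.2"],
    "Local User Accounts": ["root", "webadmin"],
    "Process MD5": [md5(b"httpd-binary"), md5(b"sshd-binary")],
}
CURRENT_SURVEY = {
    "Host Name": "web01", "RAM Total": 8192, "Hard Drive Space Free": 512,
    "Installed Applications": ["OpenSSH 6.2", "Apache 2.2", "netcat"],
    "Local User Accounts": ["root", "webadmin", "support2"],
    "Process MD5": [md5(b"httpd-binary"), md5(b"sshd-binary"), md5(b"nc-binary")],
}

# Constructed rules: (rule name, condition name, condition operation, value).
POLICY = [
    ("new-local-account", "Local User Accounts", "Asset attribute change", None),
    ("hostname-changed", "Host Name", "Asset attribute change", None),
    ("hostname-ok", "Host Name", "Non-numeric equals", "web01"),
    ("ram-unchanged", "RAM Total", "Asset attribute remains constant", None),
    ("low-disk", "Hard Drive Space Free", "Arithmetic comparison (less than)", "1024"),
    ("unapproved-software", "Installed Applications", "Allowed Software", "OpenSSH 6.2, Apache 2.2"),
    ("missing-required", "Installed Applications", "Required Software", "OpenSSH 6.2, ClamAV"),
    ("banned-software", "Installed Applications", "Disallowed Software", "telnetd, rsh"),
    ("known-bad-process", "Process MD5", "Process List MD5", md5(b"nc-binary")),
]
```

Running evaluate_policy(POLICY, CURRENT_SURVEY, PREVIOUS_SURVEY) on these snapshots triggers every rule except hostname-changed and banned-software: the new local account, the unapproved netcat package, the missing ClamAV entry, the low free space and the known process hash all fire, while the unchanged host name and the absent telnetd/rsh do not. List-valued attributes are compared as sets, so a survey that merely reports the same items in a different order is not reported as a change.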


Appendix G: About CVE

The following information about Common Vulnerabilities and Exposures (CVE) is provided in compliance with the CVE compatibility requirement. To view the source material, or to obtain further information, visit: http://www.cve.mitre.org/about/introduction.html.

What does it mean to be CVE-compatible?

CVE-compatible means that a tool, Web site, database, or service uses CVE names in a way that allows it to cross-link with other repositories that use CVE names. CVE-compatible products and services must meet these four requirements:
• CVE Searchable: An administrator can search using a CVE name to find related information.
• CVE Output: Information is presented which includes the related CVE name(s).
• Mapping: The repository owner has provided a mapping relative to a specific version of CVE, and has made a good faith effort to ensure accuracy of that mapping.
• Documentation: The organization’s standard documentation includes a description of CVE, CVE compatibility, and the details of how its customers can use the CVE-related functionality of its product or service.

What is CVE?

CVE is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures. Using a common name makes it easier to share data across separate databases and tools that previously were not easily integrated. This makes CVE the key to information sharing. If a report from one of your security tools incorporates CVE names, you can quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem. CVE is:
• One name for one vulnerability or exposure
• One standardized description for each vulnerability or exposure
• A dictionary rather than a database
• How disparate databases and tools can communicate in the same language
• The way to interoperability and better security coverage
• A basis for evaluation among tools and databases
• Accessible for review or download from the Internet
• Industry-endorsed by the CVE Editorial Board

Why CVE?

Most information security tools include a database of security vulnerabilities and exposures; however, there is significant variation among them and no easy way to determine when different databases are referring to the same problem. The consequences are potential gaps in security coverage and no effective interoperability among the disparate databases and tools. In addition, each tool vendor currently uses different metrics to state the number of vulnerabilities or exposures they detect, which means there is no standardized basis for evaluation among the tools.

With a standard list of vulnerabilities and exposures such as CVE, your databases and tools can communicate with each other. And, you’ll know exactly what each tool covers because CVE provides you with a baseline for evaluating the coverage of your tools. This means you can determine which tools are most effective and appropriate for your organization’s needs. In short, CVE-compatible tools and databases will give you better coverage, easier interoperability, and enhanced security. CVE is also endorsed by leading representatives from the information security community. CVE’s content results from the collaborative efforts of the CVE Editorial Board, which includes representatives from numerous information security-related organizations.

CVE Editorial Board

The CVE Editorial Board consists of representatives from numerous information security-related organizations including commercial security tool vendors, members of academia, research institutions, government agencies, and other prominent security experts. Through open and collaborative discussions, the Board identifies which vulnerabilities or exposures are included in CVE, then determines the common name and description for each entry. The MITRE Corporation created the Editorial Board, moderates Board discussions, and provides guidance throughout the process to ensure that CVE serves the public interest. Archives of Board meetings and discussions are available for review on the CVE web site. Other information security experts will be invited to participate on the Board on an as-needed basis based upon recommendations from Board members.

Candidate Numbering Authority

After a potential security vulnerability or exposure is discovered, it is assigned a CVE candidate number by the CVE Candidate Numbering Authority (CNA). Only the CNA can assign candidate numbers. As part of its role of managing CVE, MITRE functions as the CNA.

CVE Editor

After the candidate number is assigned, the CVE Editor proposes the candidate to the Editorial Board. Members discuss the candidate, modify it, and vote on whether to accept or reject the candidate for inclusion in CVE. If accepted, the candidate becomes an official CVE entry and is added to the CVE list on the Web site. In addition to its role as CNA, MITRE also functions as the CVE Editor.

From Candidate to CVE Entry

The process begins with the discovery of a potential security vulnerability or exposure. When the vulnerability or exposure is being considered for acceptance into CVE, it is called a CVE Candidate.


The Candidate Numbering Process

Candidates are assigned special numbers by the CVE Candidate Numbering Authority (CNA) to distinguish them from CVE entries. Each candidate has three primary items associated with it:
• Number
• Description
• References
The number, also referred to as a name, is an encoding of the year in which the candidate number was assigned and a unique number N for the Nth candidate assigned that year, e.g. CAN-1999-0067. Established practices are followed when a candidate is created. The assignment of a candidate number is not a guarantee that it will become an official CVE entry. Candidates can be searched on the site, but the official CVE list and the candidates list are separate.

The CVE Candidate-to-Permanent Process

The next step of the process requires that the candidate be proposed to the Board by the CVE Editor. The Board discusses the candidate and votes on whether or not it should become a CVE entry. If the candidate is rejected, the reason for rejection is noted on the CVE Web site. If the Editorial Board accepts the candidate, an official CVE entry is created that includes the description and references. The candidate number is converted into a CVE name by replacing the CAN prefix with CVE. For example, when the Editorial Board accepted the candidate CAN-1999-0067, the candidate number was converted to CVE-1999-0067, and the resulting new entry was added to CVE. After the Editorial Board accepts a candidate, it is part of CVE and is published on the CVE Web site. CVE entries include the name (also referred to as the CVE number), a brief description of the security vulnerability or exposure, and any pertinent references.
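In practice the "CVE Searchable" and "CVE Output" requirements above, together with the CAN-to-CVE renaming, come down to handling CVE names consistently in whatever a scanner emits. The following added example is not FortiScan or MITRE code: it extracts CVE names from free-text report output, normalizes the legacy CAN- candidate prefix to CVE-, rejects malformed names, and indexes report lines by name so a report can be searched by CVE name. It goes beyond the page in one respect: it also accepts sequence numbers longer than four digits, which the CVE name syntax has allowed since 2014. The report text is constructed for the example.

```python
"""Added example, not FortiScan or MITRE code: extract CVE names from report
text, normalize the legacy CAN- candidate prefix to CVE-, and index report
lines by name. Accepts sequence numbers of four or more digits (the CVE
syntax has allowed more than four since 2014). The report text is constructed."""
from __future__ import annotations

import re

# Prefix, four-digit year, sequence number of four or more digits.
NAME_RE = re.compile(r"\b(CAN|CVE)-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def normalize_cve_name(name: str) -> str | None:
    """Canonical CVE-YYYY-NNNN form of a CVE or legacy CAN name; None if malformed."""
    match = NAME_RE.fullmatch(name.strip())
    if match is None:
        return None
    _prefix, year, seq = match.groups()
    return f"CVE-{year}-{seq}"


def index_by_cve(report: str) -> dict[str, list[str]]:
    """Map each canonical CVE name to the report lines that mention it."""
    index: dict[str, list[str]] = {}
    for line in report.splitlines():
        for _prefix, year, seq in NAME_RE.findall(line):
            index.setdefault(f"CVE-{year}-{seq}", []).append(line.strip())
    return index


def extract_cve_names(report: str) -> list[str]:
    """Sorted, de-duplicated canonical CVE names found in free text."""
    return sorted(index_by_cve(report))


# Constructed scanner output: a legacy candidate name, the same entry after
# acceptance, a lower-case name, a five-digit sequence number and a malformed name.
SAMPLE_REPORT = """\
web01  CAN-1999-0067  candidate name from an old signature set
web01  CVE-1999-0067  same entry after acceptance into CVE
db02   cve-2014-0160  lower-case name from a hand-edited note
db02   CVE-2021-44228 five-digit sequence number
db02   CVE-21-1234    malformed, not a CVE name
"""
```

On the sample report, extract_cve_names returns three names: the CAN- line and the CVE- line collapse onto CVE-1999-0067, the lower-case name is normalized, the five-digit sequence is kept as written, and the malformed name is dropped. Keeping the sequence digits verbatim rather than re-padding them avoids silently renaming an identifier.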


Appendix H: EULA and Copyright

The Fortinet products End User License Agreement (EULA) is available from Fortinet’s web site. FortiScan appliances and agents contain software components developed by third party companies and organizations. The following sections provide the copyright and licensing statements required by these products:
• OpenSSL FIPS object module by Open Source Software Institute
• Open SSL toolkit
• Open Vulnerability Assessment Language (OVAL)
• eXtensible Configuration Checklist Description Format (XCCDF)
• Common Vulnerabilities and Exposures (CVE®)
• Common Configuration Enumeration (CCE™)
• Common Platform Enumeration (CPE™)
• Common Vulnerability Scoring System (CVSS)
• Red Hat Linux & Applications license
• PostgreSQL license
• Java Terms of Use
• Apache license
• Microsoft Terms of Use
• Microsoft End-User Agreement
• JasperReports GLGPL

OpenSSL FIPS object module by Open Source Software Institute

The following is an illustration of the FIPS 140-2 Validation Certificate for the Open SSL FIPS Object Module:

Figure 271: FIPS 140-2 validation certificate


Open SSL toolkit

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected].

Table 65: Open SSL license

Open SSL License
====================================================================
Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
====================================================================
This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).


Table 66: Original license

Original License
====================================================================
Copyright (C) 1995-1998 Eric Young ([email protected]) All rights reserved.

This package is an SSL implementation written by Eric Young ([email protected]). The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young ([email protected])"
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson ([email protected])"

The word 'cryptographic' can be left out if the rouines from the library being used are not cryptographic related :-)

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]


Open Vulnerability Assessment Language (OVAL)

OVAL is an international, information security community baseline standard describing how to check for the presence of vulnerabilities and configuration issues on computer systems. OVAL was produced for the U.S. Government by MITRE under contract 0706H300-OV, and is subject to the Rights in Data-General Clause 52.227-14 (JUNE 1987).

MITRE MAKES OVAL AVAILABLE ON AN “AS IS” BASIS AND MAKES NO WARRANTY, EXPRESS OR IMPLIED, AS TO THE ACCURACY, CAPABILITY, EFFICIENCY MERCHANTABILITY, OR FUNCTIONING OF OVAL. IN NO EVENT WILL MITRE BE LIABLE FOR ANY GENERAL, CONSEQUENTIAL, INDIRECT, INCIDENTAL, EXEMPLARY, OR SPECIAL DAMAGES, EVEN IF MITRE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

eXtensible Configuration Checklist Description Format (XCCDF)

The National Security Agency (NSA) and the National Institute of Standards and Technology (NIST) jointly announce the public availability of the specification for the Extensible Configuration Checklist Description Format (XCCDF). To promote the use, standardization, and sharing of effective security checklists, the NSA and NIST collaborated with representatives of private industry to develop the XCCDF specification. The specification is vendor-neutral, flexible, and suited for a wide variety of checklist applications. The intent of the XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, thereby fostering a more widespread application of good security practices. Such checklists can markedly reduce the vulnerability exposure of an organization when combined with well-developed guidance, accompanied with tools, and leveraged with high quality security expertise, vendor product knowledge, and operational experience. The XCCDF specification document is available for download from the NIST security checklists web site. The site also offers access to a mailing list where industry and the public can make suggestions and comments about the specification. NSA and NIST look forward to working with the security community to make XCCDF a practical and useful data format for the security needs of the public and private sectors.

Common Vulnerabilities and Exposures (CVE®)

CVE and the CVE logo are trademarks of The MITRE Corporation. All rights reserved. International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures. CVE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. Copyright 2008, The MITRE Corporation. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE-Compatible and CCE are trademarks of The MITRE Corporation.

MITRE MAKES CVE AVAILABLE ON AN "AS IS" BASIS AND MAKES NO WARRANTY, EXPRESS OR IMPLIED, AS TO THE ACCURACY, CAPABILITY, EFFICIENCY MERCHANTABILITY, OR FUNCTIONING OF CVE. IN NO EVENT WILL MITRE BE LIABLE FOR ANY GENERAL, CONSEQUENTIAL, INDIRECT, INCIDENTAL, EXEMPLARY, OR SPECIAL DAMAGES, EVEN IF MITRE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.


Common Configuration Enumeration (CCE™)

CCE and the CCE logo are trademarks of The MITRE Corporation. All rights reserved. MITRE MAKES CCE AVAILABLE ON AN "AS IS" BASIS AND MAKES NO WARRANTY, EXPRESS OR IMPLIED, AS TO THE ACCURACY, CAPABILITY, EFFICIENCY MERCHANTABILITY, OR FUNCTIONING OF CCE. IN NO EVENT WILL MITRE BE LIABLE FOR ANY GENERAL, CONSEQUENTIAL, INDIRECT, INCIDENTAL, EXEMPLARY, OR SPECIAL DAMAGES, EVEN IF MITRE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Common Platform Enumeration (CPE™)

CPE and the CPE logo are trademarks of The MITRE Corporation. All rights reserved. MITRE MAKES CPE AVAILABLE ON AN "AS IS" BASIS AND MAKES NO WARRANTY, EXPRESS OR IMPLIED, AS TO THE ACCURACY, CAPABILITY, EFFICIENCY MERCHANTABILITY, OR FUNCTIONING OF CPE. IN NO EVENT WILL MITRE BE LIABLE FOR ANY GENERAL, CONSEQUENTIAL, INDIRECT, INCIDENTAL, EXEMPLARY, OR SPECIAL DAMAGES, EVEN IF MITRE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Common Vulnerability Scoring System (CVSS)

CVSS is provided as a public service by the National Institute of Standards and Technology (NIST). With the exception of material marked as copyrighted, information available from NIST web pages is considered public information and may be distributed or copied. Use of appropriate byline/photo/image credits is requested.

Red Hat Linux & Applications license

The FortiScan VCM platform is based on the Red Hat Enterprise Server (RHES) 4 operating system.

Table 67: Red Hat Linux & Application license

LICENSE AGREEMENT
RED HAT® ENTERPRISE LINUX® AND RED HAT® APPLICATIONS

This end user license agreement ("EULA") governs the use of any of the versions of Red Hat Enterprise Linux, any Red Hat Applications (as set forth at www.redhat.com/licenses/products), and any related updates, source code, appearance, structure and organization (the "Programs"), regardless of the delivery mechanism.

1. License Grant. Subject to the following terms, Red Hat, Inc. ("Red Hat") grants to you ("User") a perpetual, worldwide license to the Programs pursuant to the GNU General Public License v.2. The Programs are either a modular operating system or an application consisting of hundreds of software components. With the exception of certain image files identified in Section 2 below, the license agreement for each software component is located in the software component's source code and permits User to run, copy, modify, and redistribute (subject to certain obligations in some cases) the software component, in both source code and binary code forms. This EULA pertains solely to the Programs and does not limit User's rights under, or grant User rights that supersede, the license terms of any particular component.


2. Intellectual Property Rights. The Programs and each of their components are owned by Red Hat and others and are protected under copyright law and under other laws as applicable. Title to the Programs and any component, or to any copy, modification, or merged portion shall remain with the aforementioned, subject to the applicable license. The "Red Hat" trademark and the "Shadowman" logo are registered trademarks of Red Hat in the U.S. and other countries. This EULA does not permit User to distribute the Programs or their components using Red Hat's trademarks, regardless of whether the copy has been modified. User should read the information found at http://www.redhat.com/about/corporate/trademark/ before distributing a copy of the Programs. User may make a commercial redistribution of the Programs only if, (a) a separate agreement with Red Hat authorizing such commercial redistribution is executed or other written permission is granted by Red Hat or (b) User modifies any files identified as "REDHAT-LOGOS" to remove and replace all images containing the "Red Hat" trademark or the "Shadowman" logo. Merely deleting these files may corrupt the Programs.

3. Limited Warranty. Except as specifically stated in this Section 3, a separate agreement with Red Hat, or a license for a particular component, to the maximum extent permitted under applicable law, the Programs and the components are provided and licensed "as is" without warranty of any kind, expressed or implied, including the implied warranties of merchantability, non-infringement or fitness for a particular purpose. Red Hat warrants that the media on which the Programs and the components are furnished will be free from defects in materials and manufacture under normal use for a period of 30 days from the date of delivery to User. Red Hat does not warrant that the functions contained in the Programs will meet User's requirements or that the operation of the Programs will be entirely error free, appear precisely as described in the accompanying documentation, or comply with regulatory requirements. This warranty extends only to the party that purchases services pertaining to the Programs from Red Hat or a Red Hat authorized distributor.

4. Limitation of Remedies and Liability. To the maximum extent permitted by applicable law, User's exclusive remedy under this EULA is to return any defective media within 30 days of delivery along with a copy of User's payment receipt and Red Hat, at its option, will replace it or refund the money paid by User for the media. To the maximum extent permitted under applicable law, neither Red Hat, any Red Hat authorized distributor, nor the licensor of any component provided to User under this EULA will be liable to User for any incidental or consequential damages, including lost profits or lost savings arising out of the use or inability to use the Programs or any component, even if Red Hat, such authorized distributor or licensor has been advised of the possibility of such damages. In no event shall Red Hat's liability, an authorized distributor's liability or the liability of the licensor of a component provided to User under this EULA exceed the amount that User paid to Red Hat under this EULA during the twelve months preceding the action.


5. Export Control. As required by the laws of the United States and other countries, User represents and warrants that it: (a) understands that the Programs and their components may be subject to export controls under the U.S. Commerce Department's Export Administration Regulations ("EAR"); (b) is not located in a prohibited destination country under the EAR or U.S. sanctions regulations (currently Cuba, Iran, Iraq, North Korea, Sudan and Syria, subject to change as posted by the United States government); (c) will not export, re-export, or transfer the Programs to any prohibited destination or persons or entities on the U.S. Bureau of Industry and Security Denied Parties List or Entity List, or the U.S. Office of Foreign Assets Control list of Specially Designated Nationals and Blocked Persons, or any similar lists maintained by other countries, without the necessary export license(s) or authorization(s); (d) will not use or transfer the Programs for use in connection with any nuclear, chemical or biological weapons, missile technology, or military end-uses where prohibited by an applicable arms embargo, unless authorized by the relevant government agency by regulation or specific license; (e) understands and agrees that if it is in the United States and exports or transfers the Programs to eligible end users, it will, to the extent required by EAR Section 740.17(e), submit semi-annual reports to the Commerce Department's Bureau of Industry and Security, which include the name and address (including country) of each transferee; and (f) understands that countries including the United States may restrict the import, use, or export of encryption products (which may include the Programs and the components) and agrees that it shall be solely responsible for compliance with any such import, use, or export restrictions.

6. Third Party Programs. Red Hat may distribute third party software programs with the Programs that are not part of the Programs. These third party programs are not required to run the Programs, are provided as a convenience to User, and are subject to their own license terms. The license terms either accompany the third party software programs or can be viewed at http://www.redhat.com/licenses/thirdparty/eula.html. If User does not agree to abide by the applicable license terms for the third party software programs, then User may not install them. If User wishes to install the third party software programs on more than one system or transfer the third party software programs to another party, then User must contact the licensor of the applicable third party software programs.

7. General. If any provision of this agreement is held to be unenforceable, that shall not affect the enforceability of the remaining provisions. This agreement shall be governed by the laws of the State of New York and of the United States, without regard to any conflict of laws provisions. The rights and obligations of the parties to this EULA shall not be governed by the United Nations Convention on the International Sale of Goods.

Copyright © 2003 Red Hat, Inc. All rights reserved. "Red Hat" and the Red Hat "Shadowman" logo are registered trademarks of Red Hat, Inc. "Linux" is a registered trademark of Linus Torvalds. All other trademarks are the property of their respective owners.

Appendix H: EULA and Copyright

Page 576

FortiScan v5.0 MR1 Administration Guide

PostgreSQL license

PostgreSQL is an open source database available from http://www.postgresql.org; the license is available at http://www.postgresql.org/about/licence.

Table 68: PostgreSQL License

PostgreSQL is released under the BSD license.

PostgreSQL Database Management System (formerly known as Postgres, then as Postgres95)

Portions Copyright (c) 1996-2005, The PostgreSQL Global Development Group
Portions Copyright (c) 1994, The Regents of the University of California

Permission to use, copy, modify, and distribute this software and its documentation for any purpose, without fee, and without a written agreement is hereby granted, provided that the above copyright notice and this paragraph and the following two paragraphs appear in all copies.

IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.

Java Terms of Use

Java is a programming language originally developed by Sun Microsystems and released in 1995 as a core component of Sun Microsystems' Java platform. The language derives much of its syntax from C and C++ but has a simpler object model and fewer low-level facilities. Java applications are typically compiled to bytecode that can run on any Java virtual machine (JVM) regardless of computer architecture. The original and reference implementation Java compilers, virtual machines, and class libraries were developed by Sun from 1995. As of May 2007, in compliance with the specifications of the Java Community Process, Sun made available most of their Java technologies as free software under the GNU General Public License (http://www.linux.org/info/gnu.html).

The GNU General Public License (GNU GPL or simply GPL) is a widely used free software license, originally written by Richard Stallman for the GNU project. It is the license used by the Linux kernel. The GPL is the most popular and well-known example of the type of strong copyleft license that requires derived works to be available under the same copyleft. Under this philosophy, the GPL is said to grant the recipients of a computer program the rights of the free software definition and uses copyleft to ensure the freedoms are preserved, even when the work is changed or added to. This is in distinction to permissive free software licenses, of which the BSD licenses are the standard examples.

Table 69: Java Terms of Use

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
675 Mass Ave, Cambridge, MA 02139, USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

Apache license

The Apache Software Foundation provides support for the Apache community of open-source software projects, including Tomcat and Quartz to name just two. The Apache projects are characterized by a collaborative, consensus-based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field.

Table 70: Apache license

Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

Microsoft Terms of Use

The following table outlines Microsoft terms of use.

Table 71: Microsoft Terms of Use

Microsoft - Information on Terms of Use
Updated: March 9, 2007

ACCEPTANCE OF TERMS. The services that Microsoft provides to you are subject to the following Terms of Use ("TOU"). Microsoft reserves the right to update the TOU at any time without notice to you. The most current version of the TOU can be reviewed by clicking on the "Terms of Use" hypertext link located at the bottom of our Web pages.

DESCRIPTION OF SERVICES. Through its network of Web properties, Microsoft provides you with access to a variety of resources, including developer tools, download areas, communication forums and product information (collectively "Services"). The Services, including any updates, enhancements, new features, and/or the addition of any new Web properties, are subject to the TOU.

PERSONAL AND NON-COMMERCIAL USE LIMITATION. Unless otherwise specified, the Services are for your personal and non-commercial use. You may not modify, copy, distribute, transmit, display, perform, reproduce, publish, license, create derivative works from, transfer, or sell any information, software, products or services obtained from the Services.

PRIVACY AND PROTECTION OF PERSONAL INFORMATION. See the Privacy Statement disclosures relating to the collection and use of your information.

NOTICE SPECIFIC TO SOFTWARE AVAILABLE ON THIS WEB SITE. Any software that is made available to download from the Services ("Software") is the copyrighted work of Microsoft and/or its suppliers. Use of the Software is governed by the terms of the end user license agreement, if any, which accompanies or is included with the Software ("License Agreement"). An end user will be unable to install any Software that is accompanied by or includes a License Agreement, unless he or she first agrees to the License Agreement terms. The Software is made available for download solely for use by end users according to the License Agreement. Any reproduction or redistribution of the Software not in accordance with the License Agreement is expressly prohibited by law, and may result in severe civil and criminal penalties. Violators will be prosecuted to the maximum extent possible.

WITHOUT LIMITING THE FOREGOING, COPYING OR REPRODUCTION OF THE SOFTWARE TO ANY OTHER SERVER OR LOCATION FOR FURTHER REPRODUCTION OR REDISTRIBUTION IS EXPRESSLY PROHIBITED, UNLESS SUCH REPRODUCTION OR REDISTRIBUTION IS EXPRESSLY PERMITTED BY THE LICENSE AGREEMENT ACCOMPANYING SUCH SOFTWARE. THE SOFTWARE IS WARRANTED, IF AT ALL, ONLY ACCORDING TO THE TERMS OF THE LICENSE AGREEMENT. EXCEPT AS WARRANTED IN THE LICENSE AGREEMENT, MICROSOFT CORPORATION HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH REGARD TO THE SOFTWARE, INCLUDING ALL WARRANTIES AND CONDITIONS OF MERCHANTABILITY, WHETHER EXPRESS, IMPLIED OR STATUTORY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. FOR YOUR CONVENIENCE, MICROSOFT MAY MAKE AVAILABLE AS PART OF THE SERVICES OR IN ITS SOFTWARE PRODUCTS, TOOLS AND UTILITIES FOR USE AND/OR DOWNLOAD. MICROSOFT DOES NOT MAKE ANY ASSURANCES WITH REGARD TO THE ACCURACY OF THE RESULTS OR OUTPUT THAT DERIVES FROM SUCH USE OF ANY SUCH TOOLS AND UTILITIES. PLEASE RESPECT THE INTELLECTUAL PROPERTY RIGHTS OF OTHERS WHEN USING THE TOOLS AND UTILITIES MADE AVAILABLE ON THE SERVICES OR IN MICROSOFT SOFTWARE PRODUCTS.

RESTRICTED RIGHTS LEGEND. Any Software which is downloaded from the Services for or on behalf of the United States of America, its agencies and/or instrumentalities ("U.S. Government"), is provided with Restricted Rights. Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of the Commercial Computer Software - Restricted Rights at 48 CFR 52.227-19, as applicable. Manufacturer is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399.

NOTICE SPECIFIC TO DOCUMENTS AVAILABLE ON THIS WEB SITE.

Appendix H: EULA and Copyright

Page 588

FortiScan v5.0 MR1 Administration Guide

Table 71: Microsoft Terms of Use (continued) Permission to use Documents (such as white papers, press releases, datasheets and FAQs) from the Services is granted, provided that (1) the below copyright notice appears in all copies and that both the copyright notice and this permission notice appear, (2) use of such Documents from the Services is for informational and non-commercial or personal use only and will not be copied or posted on any network computer or broadcast in any media, and (3) no modifications of any Documents are made. Accredited educational institutions, such as K-12, universities, private/public colleges, and state community colleges, may download and reproduce the Documents for distribution in the classroom. Distribution outside the classroom requires express written permission. Use for any other purpose is expressly prohibited by law, and may result in severe civil and criminal penalties. Violators will be prosecuted to the maximum extent possible. Documents specified above do not include the design or layout of the Microsoft.com Web site or any other Microsoft owned, operated, licensed or controlled site. Elements of Microsoft Web sites are protected by trade dress, trademark, unfair competition, and other laws and may not be copied or imitated in whole or in part. No logo, graphic, sound or image from any Microsoft Web site may be copied or retransmitted unless expressly permitted by Microsoft. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED AS PART OF THE SERVICES FOR ANY PURPOSE. ALL SUCH DOCUMENTS AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. 
MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, INCLUDING ALL WARRANTIES AND CONDITIONS OF MERCHANTABILITY, WHETHER EXPRESS, IMPLIED OR STATUTORY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE FROM THE SERVICES. THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THE SERVICES COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED HEREIN AT ANY TIME. NOTICES REGARDING SOFTWARE, DOCUMENTS AND SERVICES AVAILABLE ON THIS WEB SITE. IN NO EVENT SHALL MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF SOFTWARE, DOCUMENTS, PROVISION OF OR FAILURE TO PROVIDE SERVICES, OR INFORMATION AVAILABLE FROM THE SERVICES. MEMBER ACCOUNT, PASSWORD, AND SECURITY.

Table 71: Microsoft Terms of Use (continued) If any of the Services requires you to open an account, you must complete the registration process by providing us with current, complete and accurate information as prompted by the applicable registration form. You also will choose a password and a user name. You are entirely responsible for maintaining the confidentiality of your password and account. Furthermore, you are entirely responsible for any and all activities that occur under your account. You agree to notify Microsoft immediately of any unauthorized use of your account or any other breach of security. Microsoft will not be liable for any loss that you may incur as a result of someone else using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by Microsoft or another party due to someone else using your account or password. You may not use anyone else's account at any time, without the permission of the account holder. NO UNLAWFUL OR PROHIBITED USE. As a condition of your use of the Services, you will not use the Services for any purpose that is unlawful or prohibited by these terms, conditions, and notices. You may not use the Services in any manner that could damage, disable, overburden, or impair any Microsoft server, or the network(s) connected to any Microsoft server, or interfere with any other party's use and enjoyment of any Services. You may not attempt to gain unauthorized access to any Services, other accounts, computer systems or networks connected to any Microsoft server or to any of the Services, through hacking, password mining or any other means. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available through the Services. 
USE OF SERVICES The Services may contain e-mail services, bulletin board services, chat areas, news groups, forums, communities, personal web pages, calendars, photo albums, file cabinets and/or other message or communication facilities designed to enable you to communicate with others (each a "Communication Service" and collectively "Communication Services"). You agree to use the Communication Services only to post, send and receive messages and material that are proper and, when applicable, related to the particular Communication Service. By way of example, and not as a limitation, you agree that when using the Communication Services, you will not: • Use the Communication Services in connection with surveys, contests, pyramid schemes, chain letters, junk email, spamming or any duplicative or unsolicited messages (commercial or otherwise). • Defame, abuse, harass, stalk, threaten or otherwise violate the legal rights (such as rights of privacy and publicity) of others. • Publish, post, upload, distribute or disseminate any inappropriate, profane, defamatory, obscene, indecent or unlawful topic, name, material or information. • Upload, or otherwise make available, files that contain images, photographs, software or other material protected by intellectual property laws, including, by way of example, and not as limitation, copyright or trademark laws (or by rights of privacy or publicity) unless you own or control the rights thereto or have received all necessary consent to do the same. • Use any material or information, including images or photographs, which are made available through the Services in any manner that infringes any copyright, trademark, patent, trade secret, or other proprietary right of any party.

Table 71: Microsoft Terms of Use (continued) • Upload files that contain viruses, Trojan horses, worms, time bombs, cancelbots, corrupted files, or any other similar software or programs that may damage the operation of another's computer or property of another. • Advertise or offer to sell or buy any goods or services for any business purpose, unless such Communication Services specifically allows such messages. • Download any file posted by another user of a Communication Service that you know, or reasonably should know, cannot be legally reproduced, displayed, performed, and/or distributed in such manner. • Falsify or delete any copyright management information, such as author attributions, legal or other proper notices or proprietary designations or labels of the origin or source of software or other material contained in a file that is uploaded. • Restrict or inhibit any other user from using and enjoying the Communication Services. • Violate any code of conduct or other guidelines which may be applicable for any particular Communication Service. • Harvest or otherwise collect information about others, including e-mail addresses. • Violate any applicable laws or regulations. • Create a false identity for the purpose of misleading others. • Use, download or otherwise copy, or provide (whether or not for a fee) to a person or entity any directory of users of the Services or other user or usage information or any portion thereof. Microsoft has no obligation to monitor the Communication Services. However, Microsoft reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion. Microsoft reserves the right to terminate your access to any or all of the Communication Services at any time, without notice, for any reason whatsoever. 
Microsoft reserves the right at all times to disclose any information as Microsoft deems necessary to satisfy any applicable law, regulation, legal process or governmental request, or to edit, refuse to post or to remove any information or materials, in whole or in part, in Microsoft's sole discretion. Always use caution when giving out any personally identifiable information about yourself or your children in any Communication Services. Microsoft does not control or endorse the content, messages or information found in any Communication Services and, therefore, Microsoft specifically disclaims any liability with regard to the Communication Services and any actions resulting from your participation in any Communication Services. Managers and hosts are not authorized Microsoft spokespersons, and their views do not necessarily reflect those of Microsoft. Materials uploaded to the Communication Services may be subject to posted limitations on usage, reproduction and/or dissemination; you are responsible for adhering to such limitations if you download the materials. MATERIALS PROVIDED TO MICROSOFT OR POSTED AT ANY MICROSOFT WEB SITE.

Table 71: Microsoft Terms of Use (continued) Microsoft does not claim ownership of the materials you provide to Microsoft (including feedback and suggestions) or post, upload, input or submit to any Services or its associated services for review by the general public, or by the members of any public or private community, (each a "Submission" and collectively "Submissions"). However, by posting, uploading, inputting, providing or submitting ("Posting") your Submission you are granting Microsoft, its affiliated companies and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses (including, without limitation, all Microsoft Services), including, without limitation, the license rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Submission; to publish your name in connection with your Submission; and the right to sublicense such rights to any supplier of the Services. No compensation will be paid with respect to the use of your Submission, as provided herein. Microsoft is under no obligation to post or use any Submission you may provide and Microsoft may remove any Submission at any time in its sole discretion. By Posting a Submission you warrant and represent that you own or otherwise control all of the rights to your Submission as described in these Terms of Use including, without limitation, all the rights necessary for you to provide, post, upload, input or submit the Submissions. 
In addition to the warranty and representation set forth above, by Posting a Submission that contain images, photographs, pictures or that are otherwise graphical in whole or in part ("Images"), you warrant and represent that (a) you are the copyright owner of such Images, or that the copyright owner of such Images has granted you permission to use such Images or any content and/or images contained in such Images consistent with the manner and purpose of your use and as otherwise permitted by these Terms of Use and the Services, (b) you have the rights necessary to grant the licenses and sublicenses described in these Terms of Use, and (c) that each person depicted in such Images, if any, has provided consent to the use of the Images as set forth in these Terms of Use, including, by way of example, and not as a limitation, the distribution, public display and reproduction of such Images. By Posting Images, you are granting (a) to all members of your private community (for each such Images available to members of such private community), and/or (b) to the general public (for each such Images available anywhere on the Services, other than a private community), permission to use your Images in connection with the use, as permitted by these Terms of Use, of any of the Services, (including, by way of example, and not as a limitation, making prints and gift items which include such Images), and including, without limitation, a non-exclusive, world-wide, royalty-free license to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Images without having your name attached to such Images, and the right to sublicense such rights to any supplier of the Services. 
The licenses granted in the preceding sentences for a Images will terminate at the time you completely remove such Images from the Services, provided that, such termination shall not affect any licenses granted in connection with such Images prior to the time you completely remove such Images. No compensation will be paid with respect to the use of your Images. NOTICES AND PROCEDURE FOR MAKING CLAIMS OF COPYRIGHT INFRINGEMENT. Pursuant to Title 17, United States Code, Section 512(c)(2), notifications of claimed copyright infringement should be sent to Service Provider's Designated Agent. ALL INQUIRIES NOT RELEVANT TO THE FOLLOWING PROCEDURE WILL NOT RECEIVE A RESPONSE. See Notice and Procedure for Making Claims of Copyright Infringement. LINKS TO THIRD PARTY SITES.

Table 71: Microsoft Terms of Use (continued) THE LINKS IN THIS AREA WILL LET YOU LEAVE MICROSOFT'S SITE. THE LINKED SITES ARE NOT UNDER THE CONTROL OF MICROSOFT AND MICROSOFT IS NOT RESPONSIBLE FOR THE CONTENTS OF ANY LINKED SITE OR ANY LINK CONTAINED IN A LINKED SITE, OR ANY CHANGES OR UPDATES TO SUCH SITES. MICROSOFT IS NOT RESPONSIBLE FOR WEBCASTING OR ANY OTHER FORM OF TRANSMISSION RECEIVED FROM ANY LINKED SITE. MICROSOFT IS PROVIDING THESE LINKS TO YOU ONLY AS A CONVENIENCE, AND THE INCLUSION OF ANY LINK DOES NOT IMPLY ENDORSEMENT BY MICROSOFT OF THE SITE. UNSOLICITED IDEA SUBMISSION POLICY. MICROSOFT OR ANY OF ITS EMPLOYEES DO NOT ACCEPT OR CONSIDER UNSOLICITED IDEAS, INCLUDING IDEAS FOR NEW ADVERTISING CAMPAIGNS, NEW PROMOTIONS, NEW PRODUCTS OR TECHNOLOGIES, PROCESSES, MATERIALS, MARKETING PLANS OR NEW PRODUCT NAMES. PLEASE DO NOT SEND ANY ORIGINAL CREATIVE ARTWORK, SAMPLES, DEMOS, OR OTHER WORKS. THE SOLE PURPOSE OF THIS POLICY IS TO AVOID POTENTIAL MISUNDERSTANDINGS OR DISPUTES WHEN MICROSOFT'S PRODUCTS OR MARKETING STRATEGIES MIGHT SEEM SIMILAR TO IDEAS SUBMITTED TO MICROSOFT. SO, PLEASE DO NOT SEND YOUR UNSOLICITED IDEAS TO MICROSOFT OR ANYONE AT MICROSOFT. IF, DESPITE OUR REQUEST THAT YOU NOT SEND US YOUR IDEAS AND MATERIALS, YOU STILL SEND THEM, PLEASE UNDERSTAND THAT MICROSOFT MAKES NO ASSURANCES THAT YOUR IDEAS AND MATERIALS WILL BE TREATED AS CONFIDENTIAL OR PROPRIETARY. COPYRIGHT NOTICE & FAQ. © 2007 Microsoft Corporation. All rights reserved.

Microsoft End-User Agreement

The following table outlines the Microsoft End User Agreement.

Table 72: Microsoft End-User Agreement Everett VSPro 1 Final 11.04.02 END-USER LICENSE AGREEMENT FOR MICROSOFT SOFTWARE IMPORTANT—READ CAREFULLY: This End-User License Agreement (“EULA”) is a legal agreement between you (either an individual or a single entity) and Microsoft Corporation (“Microsoft”) for the Microsoft software that accompanies this EULA, which includes computer software and may include associated media, printed materials, “online” or electronic documentation, and Internet-based services (“Software”). An amendment or addendum to this EULA may accompany the Software. YOU AGREE TO BE BOUND BY THE TERMS OF THIS EULA BY INSTALLING, COPYING, OR OTHERWISE USING THE SOFTWARE. IF YOU DO NOT AGREE, DO NOT INSTALL, COPY, OR USE THE SOFTWARE; YOU MAY RETURN IT TO YOUR PLACE OF PURCHASE (IF APPLICABLE) FOR A FULL REFUND. MICROSOFT SOFTWARE LICENSE

Table 72: Microsoft End-User Agreement (continued) 1. GRANTS OF LICENSE. Microsoft grants you the rights described in this EULA provided that you comply with all terms and conditions of this EULA. NOTE: Microsoft is not licensing to you any rights with respect to Crystal Reports for Microsoft Visual Studio .NET; your use of Crystal Reports for Microsoft Visual Studio .NET is subject to your acceptance of the terms and conditions of the enclosed (hard copy) end user license agreement from Crystal Decisions for that product. 1.1 General License Grant. Microsoft grants to you as an individual, a personal, nonexclusive license to use the Software, and to make and use copies of the Software for the purposes of designing, developing, testing, and demonstrating your software product(s), provided that you are the only individual using the Software. If you are an entity, Microsoft grants to you a personal, nonexclusive license to use the Software, and to make and use copies of the Software, provided that for each individual using the Software within your organization, you have acquired a separate and valid license for each such individual. 1.2 Documentation. You may make and use an unlimited number of copies of any documentation, provided that such copies shall be used only for personal purposes and are not to be republished or distributed (either in hard copy or electronic form) beyond your premises. 1.3 Storage/Network Use. You may also store or install a copy of the Software on a storage device, such as a network server, used only to install or run the Software on computers used by licensed end users in accordance with Section 1.1. A single license for the Software may not be shared or used concurrently by multiple end users. 1.4 Visual Studio—Effect of EULA. 
As a suite of development tools and other Microsoft software programs (each such tool or software program, a “Component”), Components that you receive as part of the Software may include a separate end-user license agreement (each, a “Component EULA”). Except as provided in Section 4 (“Prerelease Code”), in the event of inconsistencies between this EULA and any Component EULA, the terms of this EULA shall control. The Software may also contain third-party software programs. Any such software is provided for your use as a convenience and your use is subject to the terms and conditions of any license agreement contained in that software. 2. ADDITIONAL LICENSE RIGHTS -- REDISTRIBUTABLE CODE. In addition to the rights granted in Section 1, certain portions of the Software, as described in this Section 2, are provided to you with additional license rights. These additional license rights are conditioned upon your compliance with the distribution requirements and license limitations described in Section 3. 2.1 Sample Code. Microsoft grants you a limited, nonexclusive, royalty-free license to: (a) use and modify the source code version of those portions of the Software identified as “Samples” in REDIST.TXT or elsewhere in the Software (“Sample Code”) for the sole purposes of designing, developing, and testing your software product(s), and (b) reproduce and distribute the Sample Code, along with any modifications thereof, in object and/or source code form. For applicable redistribution requirements for Sample Code, see Section 3.1 below. 2.2 Redistributable Code—General. Microsoft grants you a limited, nonexclusive, royalty-free license to reproduce and distribute the object code form of any portion of the Software listed in REDIST.TXT (“Redistributable Code”). For general redistribution requirements for Redistributable Code, see Section 3.1 below.

Table 72: Microsoft End-User Agreement (continued) 2.3 Redistributable Code—Microsoft Merge Modules (“MSM”). Microsoft grants you a limited, nonexclusive, royalty-free license to reproduce and distribute the content of MSM file(s) listed in REDIST.TXT in the manner described in the Software documentation only so long as you redistribute such content in its entirety and do not modify such content in any way. For all other applicable redistribution requirements for MSM files, see Section 3.1 below. 2.4 Redistributable Code—Microsoft Foundation Classes (MFC), Active Template Libraries (ATL), and C runtimes (CRTs). In addition to the rights granted in Section 1, Microsoft grants you a license to use and modify the source code version of those portions of the Software that are identified as MFC, ATL, or CRTs (collectively, the “VC Redistributables”), for the sole purposes of designing, developing, and testing your software product(s). Provided you comply with Section 3.1 and you rename any files created by you that are included in the Licensee Software (defined below), Microsoft grants you a limited, nonexclusive, royalty-free license to reproduce and distribute the object code version of the VC Redistributables, including any modifications you make. For purposes of this section, “modifications” shall mean enhancements to the functionality of the VC Redistributables. For all other applicable redistribution requirements for VC Redistributables, see Section 3.1 below. 3. DISTRIBUTION REQUIREMENTS AND OTHER LICENSE RIGHTS AND LIMITATIONS. If you choose to exercise your rights under Section 2, any redistribution by you is subject to your compliance with Section 3.1; some of the Redistributable Code has additional limited use rights described in Section 3.2. 3.1 General Distribution Requirements. 
(a) If you choose to redistribute Sample Code, or Redistributable Code (collectively, the “Redistributables”) as described in Section 2, you agree: (i) except as otherwise noted in Section 2.1 (Sample Code), to distribute the Redistributables only in object code form and in conjunction with and as a part of a software application product developed by you that adds significant and primary functionality to the Redistributables (“Licensee Software”); (ii) that the Redistributables only operate in conjunction with Microsoft Windows platforms; (iii) that if the Licensee Software is distributed beyond Licensee’s premises or externally from Licensee’s organization, to distribute the Licensee Software containing the Redistributables pursuant to an end user license agreement (which may be “break-the-seal”, “click-wrap” or signed), with terms no less protective than those contained in this EULA; (iv) not to use Microsoft’s name, logo, or trademarks to market the Licensee Software; (v) to display your own valid copyright notice which shall be sufficient to protect Microsoft’s copyright in the Software; (vi) not to remove or obscure any copyright, trademark or patent notices that appear on the Software as delivered to you; (vii) to indemnify, hold harmless, and defend Microsoft from and against any claims or lawsuits, including attorney’s fees, that arise or result from the use or distribution of the Licensee Software; (viii) to otherwise comply with the terms of this EULA; and (ix) agree that Microsoft reserves all rights not expressly granted. 
You also agree not to permit further distribution of the Redistributables by your end users except you may permit further redistribution of the Redistributables by your distributors to your end-user customers if your distributors only distribute the Redistributables in conjunction with, and as part of, the Licensee Software, you comply with all other terms of this EULA, and your distributors comply with all restrictions of this EULA that are applicable to you.

Table 72: Microsoft End-User Agreement (continued) (b) If you use the Redistributables, then in addition to your compliance with the applicable distribution requirements described for the Redistributables, the following also applies. Your license rights to the Redistributables are conditioned upon your not (i) creating derivative works of the Redistributables in any manner that would cause the Redistributables in whole or in part to become subject to any of the terms of an Excluded License; or (ii) distributing the Redistributables (or derivative works thereof) in any manner that would cause the Redistributables to become subject to any of the terms of an Excluded License. An “Excluded License” is any license that requires as a condition of use, modification and/or distribution of software subject to the Excluded License, that such software or other software combined and/or distributed with such software be (x) disclosed or distributed in source code form; (y) licensed for the purpose of making derivative works; or (z) redistributable at no charge. 3.2 Additional Distribution Requirements for Certain Redistributable Code. If you choose to redistribute the files discussed in this Section, then in addition to the terms of Section 3.1, you must ALSO comply with the following. (a) Microsoft SQL Server Desktop Engine (“MSDE”). 
If you redistribute MSDE you agree to comply with the following additional requirements: (a) Licensee Software shall not substantially duplicate the capabilities of Microsoft Access or, in the reasonable opinion of Microsoft, compete with same; and (b) unless Licensee Software requires your customers to license Microsoft Access in order to operate, you shall not reproduce or use MSDE for commercial distribution in conjunction with a general purpose word processing, spreadsheet or database management software product, or an integrated work or product suite whose components include a general purpose word processing, spreadsheet, or database management software product except for the exclusive use of importing data to the various formats supported by Microsoft Access. A product that includes limited word processing, spreadsheet or database components along with other components which provide significant and primary value, such as an accounting product with limited spreadsheet capability, is not considered to be a “general purpose” product. (b) Microsoft Data Access Components. If you redistribute the Microsoft Data Access Component file identified as MDAC_TYP.EXE, you also agree to redistribute such file in object code only in conjunction with and as a part of a Licensee Software developed by you with a Microsoft development tool product that adds significant and primary functionality to MDAC_TYP.EXE. 3.3 Separation of Components. The Software is licensed as a single product. Its component parts may not be separated for use by more than one user. 3.4 Benchmark Testing. The Software may contain the Microsoft .NET Framework. You may not disclose the results of any benchmark test of the .NET Framework component of the Software to any third party without Microsoft’s prior written approval. 4. PRERELEASE CODE. Portions of the Software may be identified as prerelease code (“Prerelease Code”). 
Such Prerelease Code is not at the level of performance and compatibility of the final, generally available product offering. The Prerelease Code may not operate correctly and may be substantially modified prior to first commercial shipment. Microsoft is not obligated to make this or any later version of the Prerelease Code commercially available. The grant of license to use Prerelease Code expires upon availability of a commercial release of the Prerelease Code from Microsoft. NOTE: In the event that Prerelease Code contains a separate end-user license agreement, the terms and conditions of such end-user license agreement shall govern your use of the corresponding Prerelease Code.

Table 72: Microsoft End-User Agreement (continued) 5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this EULA. The Software is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Software. The Software is licensed, not sold. 6. LIMITATIONS ON REVERSE ENGINEERING, DECOMPILATION, AND DISASSEMBLY. You may not reverse engineer, decompile, or disassemble the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation. 7. NO RENTAL/COMMERCIAL HOSTING. You may not rent, lease, lend or provide commercial hosting services with the Software. 8. CONSENT TO USE OF DATA. You agree that Microsoft and its affiliates may collect and use technical information gathered as part of the product support services provided to you, if any, related to the Software. Microsoft may use this information solely to improve our products or to provide customized services or technologies to you and will not disclose this information in a form that personally identifies you. 9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Software. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site. 10. ADDITIONAL SOFTWARE/SERVICES. 
This EULA applies to updates, supplements, add-on components, or Internet-based services components, of the Software that Microsoft may provide to you or make available to you after the date you obtain your initial copy of the Software, unless we provide other terms along with the update, supplement, add-on component, or Internet-based services component. Microsoft reserves the right to discontinue any Internet-based services provided to you or made available to you through the use of the Software. 11. UPGRADES/DOWNGRADES 11.1 Upgrades. To use a version of the Software identified as an upgrade, you must first be licensed for the software identified by Microsoft as eligible for the upgrade. After upgrading, you may no longer use the software that formed the basis for your upgrade eligibility. 11.2 Downgrades. Instead of installing and using the Software, you may install and use copies of an earlier version of the Software, provided that you completely remove such earlier version and install the current version of the Software within a reasonable time. Your use of such earlier version shall be governed by this EULA, and your rights to use such earlier version shall terminate when you install the Software. 11.3 Special Terms for Version 2003 Upgrade Editions of the Software. If the Software accompanying this EULA is the version 2003 edition of the Software and you have acquired it as an upgrade from the corresponding “2002” edition of the Microsoft software product with the same product name as the Software (the “Qualifying Software”), then Section 11.1 does not apply to you. Instead, you may continue to use the Qualifying Software AND the version 2003 upgrade for so long as you continue to comply with the terms of this EULA and the EULA governing your use of the Qualifying Software. Qualifying Software does not include non-Microsoft software products.

Appendix H: EULA and Copyright

Page 597

FortiScan v5.0 MR1 Administration Guide

12. NOT FOR RESALE SOFTWARE. Software identified as “Not For Resale” or “NFR,” may not be sold or otherwise transferred for value, or used for any purpose other than demonstration, test or evaluation.

13. ACADEMIC EDITION SOFTWARE. To use Software identified as “Academic Edition” or “AE,” you must be a “Qualified Educational User.” For qualification-related questions, please contact the Microsoft Sales Information Center/One Microsoft Way/Redmond, WA 98052-6399 or the Microsoft subsidiary serving your country.

14. EXPORT RESTRICTIONS. You acknowledge that the Software is subject to U.S. export jurisdiction. You agree to comply with all applicable international and national laws that apply to the Software, including the U.S. Export Administration Regulations, as well as end-user, end-use, and destination restrictions issued by U.S. and other governments. For additional information see .

15. SOFTWARE TRANSFER. The initial user of the Software may make a one-time permanent transfer of this EULA and Software to another end user, provided the initial user retains no copies of the Software. This transfer must include all of the Software (including all component parts, the media and printed materials, any upgrades (including any Qualifying Software as defined in Section 11.3), this EULA, and, if applicable, the Certificate of Authenticity). The transfer may not be an indirect transfer, such as a consignment. Prior to the transfer, the end user receiving the Software must agree to all the EULA terms.

16. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this EULA if you fail to comply with the terms and conditions of this EULA. In such event, you must destroy all copies of the Software and all of its component parts.

17. LIMITED WARRANTY FOR SOFTWARE ACQUIRED IN THE US AND CANADA. Except for the “Redistributables,” which are provided AS IS without warranty of any kind, Microsoft warrants that the Software will perform substantially in accordance with the accompanying materials for a period of ninety (90) days from the date of receipt. If an implied warranty or condition is created by your state/jurisdiction and federal or state/provincial law prohibits disclaimer of it, you also have an implied warranty or condition, BUT ONLY AS TO DEFECTS DISCOVERED DURING THE PERIOD OF THIS LIMITED WARRANTY (NINETY DAYS). AS TO ANY DEFECTS DISCOVERED AFTER THE NINETY-DAY PERIOD, THERE IS NO WARRANTY OR CONDITION OF ANY KIND. Some states/jurisdictions do not allow limitations on how long an implied warranty or condition lasts, so the above limitation may not apply to you. Any supplements or updates to the Software, including without limitation, any (if any) service packs or hot fixes provided to you after the expiration of the ninety day Limited Warranty period are not covered by any warranty or condition, express, implied or statutory.

LIMITATION ON REMEDIES; NO CONSEQUENTIAL OR OTHER DAMAGES. Your exclusive remedy for any breach of this Limited Warranty is as set forth below. Except for any refund elected by Microsoft, YOU ARE NOT ENTITLED TO ANY DAMAGES, INCLUDING BUT NOT LIMITED TO CONSEQUENTIAL DAMAGES, if the Software does not meet Microsoft’s Limited Warranty, and, to the maximum extent allowed by applicable law, even if any remedy fails of its essential purpose. The terms of Section 19 (“Exclusion of Incidental, Consequential and Certain Other Damages”) are also incorporated into this Limited Warranty. Some states/jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to you. This Limited Warranty gives you specific legal rights. You may have other rights which vary from state/jurisdiction to state/jurisdiction.

YOUR EXCLUSIVE REMEDY. Microsoft’s and its suppliers’ entire liability and your exclusive remedy for any breach of this Limited Warranty or for any other breach of this EULA or for any other liability relating to the Software shall be, at Microsoft’s option from time to time exercised subject to applicable law, (a) return of the amount paid (if any) for the Software, or (b) repair or replacement of the Software, that does not meet this Limited Warranty and that is returned to Microsoft with a copy of your receipt. You will receive the remedy elected by Microsoft without charge, except that you are responsible for any expenses you may incur (e.g. cost of shipping the Software to Microsoft). This Limited Warranty is void if failure of the Software has resulted from accident, abuse, misapplication, abnormal use or a virus. Any replacement Software will be warranted for the remainder of the original warranty period or thirty (30) days, whichever is longer, and Microsoft will use commercially reasonable efforts to provide your remedy within a commercially reasonable time of your compliance with Microsoft’s warranty remedy procedures. Outside the United States or Canada, neither these remedies nor any product support services offered by Microsoft are available without proof of purchase from an authorized international source. To exercise your remedy, contact: Microsoft, Attn. Microsoft Sales Information Center/One Microsoft Way/Redmond, WA 98052-6399, or the Microsoft subsidiary serving your country.

18. DISCLAIMER OF WARRANTIES. The Limited Warranty that appears above is the only express warranty made to you and is provided in lieu of any other express warranties or similar obligations (if any) created by any advertising, documentation, packaging, or other communications. EXCEPT FOR THE LIMITED WARRANTY AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND ITS SUPPLIERS PROVIDE THE SOFTWARE AND SUPPORT SERVICES (IF ANY) AS IS AND WITH ALL FAULTS, AND HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY (IF ANY) IMPLIED WARRANTIES, DUTIES OR CONDITIONS OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF RELIABILITY OR AVAILABILITY, OF ACCURACY OR COMPLETENESS OF RESPONSES, OF RESULTS, OF WORKMANLIKE EFFORT, OF LACK OF VIRUSES, AND OF LACK OF NEGLIGENCE, ALL WITH REGARD TO THE SOFTWARE, AND THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT OR OTHER SERVICES, INFORMATION, SOFTWARE, AND RELATED CONTENT THROUGH THE SOFTWARE OR OTHERWISE ARISING OUT OF THE USE OF THE SOFTWARE. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT WITH REGARD TO THE SOFTWARE.

19. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT OR OTHER SERVICES, INFORMATION, SOFTWARE, AND RELATED CONTENT THROUGH THE SOFTWARE OR OTHERWISE ARISING OUT OF THE USE OF THE SOFTWARE, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), MISREPRESENTATION, STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

20. LIMITATION OF LIABILITY AND REMEDIES. NOTWITHSTANDING ANY DAMAGES THAT YOU MIGHT INCUR FOR ANY REASON WHATSOEVER (INCLUDING, WITHOUT LIMITATION, ALL DAMAGES REFERENCED HEREIN AND ALL DIRECT OR GENERAL DAMAGES IN CONTRACT OR ANYTHING ELSE), THE ENTIRE LIABILITY OF MICROSOFT AND ANY OF ITS SUPPLIERS UNDER ANY PROVISION OF THIS EULA AND YOUR EXCLUSIVE REMEDY HEREUNDER (EXCEPT FOR ANY REMEDY OF REPAIR OR REPLACEMENT ELECTED BY MICROSOFT WITH RESPECT TO ANY BREACH OF THE LIMITED WARRANTY) SHALL BE LIMITED TO THE GREATER OF THE ACTUAL DAMAGES YOU INCUR IN REASONABLE RELIANCE ON THE SOFTWARE UP TO THE AMOUNT ACTUALLY PAID BY YOU FOR THE SOFTWARE OR US$5.00. THE FOREGOING LIMITATIONS, EXCLUSIONS AND DISCLAIMERS (INCLUDING SECTIONS 17, 18, AND 19) SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE.

21. U.S. GOVERNMENT LICENSE RIGHTS. All Software provided to the U.S. Government pursuant to solicitations issued on or after December 1, 1995 is provided with the commercial license rights and restrictions described elsewhere herein. All Software provided to the U.S. Government pursuant to solicitations issued prior to December 1, 1995 is provided with “Restricted Rights” as provided for in FAR, 48 CFR 52.227-14 (JUNE 1987) or DFAR, 48 CFR 252.227-7013 (OCT 1988), as applicable.

22. APPLICABLE LAW. If you acquired this Software in the United States, this EULA is governed by the laws of the State of Washington. If you acquired this Software in Canada, unless expressly prohibited by local law, this EULA is governed by the laws in force in the Province of Ontario, Canada; and, in respect of any dispute which may arise hereunder, you consent to the jurisdiction of the federal and provincial courts sitting in Toronto, Ontario. If you acquired this Software in the European Union, Iceland, Norway, or Switzerland, then local law applies. If you acquired this Software in any other country, then local law may apply.

23. ENTIRE AGREEMENT; SEVERABILITY. This EULA (including any addendum or amendment to this EULA which is included with the Software) are the entire agreement between you and Microsoft relating to the Software and the support services (if any) and they supersede all prior or contemporaneous oral or written communications, proposals and representations with respect to the Software or any other subject matter covered by this EULA. To the extent the terms of any Microsoft policies or programs for support services conflict with the terms of this EULA, the terms of this EULA shall control. If any provision of this EULA is held to be void, invalid, unenforceable or illegal, the other provisions shall continue in full force and effect.

The following MICROSOFT GUARANTEE applies to you if you acquired this Software in any other country:

Statutory rights not affected - The following guarantee is not restricted to any territory and does not affect any statutory rights that you may have from your reseller or from Microsoft if you acquired the Software directly from Microsoft. If you acquired the Software or any support services in Australia, New Zealand or Malaysia, please see the “Consumer rights” section below.

The guarantee - The Software is designed and offered as a general-purpose software, not for any user’s particular purpose. You accept that no Software is error free and you are strongly advised to back-up your files regularly. Provided that you have a valid license, Microsoft guarantees that a) for a period of 90 days from the date of receipt of your license to use the Software or the shortest period permitted by applicable law it will perform substantially in accordance with the written materials that accompany the Software; and b) any support services provided by Microsoft shall be substantially as described in applicable written materials provided to you by Microsoft and Microsoft support engineers will use reasonable efforts, care and skill to solve any problem issues. In the event that the Software fails to comply with this guarantee, Microsoft will either (a) repair or replace the Software or (b) return the price you paid. This guarantee is void if failure of the Software results from accident, abuse or misapplication. Any replacement Software will be guaranteed for the remainder of the original guarantee period or 30 days, whichever period is longer. You agree that the above guarantee is your sole guarantee in relation to the Software and any support services.

Exclusion of All Other Terms - To the maximum extent permitted by applicable law and subject to the guarantee above, Microsoft disclaims all warranties, conditions and other terms, either express or implied (whether by statute, common law, collaterally or otherwise) including but not limited to implied warranties of satisfactory quality and fitness for particular purpose with respect to the Software and the written materials that accompany the Software. Any implied warranties that cannot be excluded are limited to 90 days or to the shortest period permitted by applicable law, whichever is greater.

Limitation of Liability - To the maximum extent permitted by applicable law and except as provided in the Microsoft Guarantee, Microsoft and its suppliers shall not be liable for any damages whatsoever (including without limitation, damages for loss of business profits, business interruption, loss of business information or other pecuniary loss) arising out of the use or inability to use the Software, even if Microsoft has been advised of the possibility of such damages. In any case Microsoft’s entire liability under any provision of this Agreement shall be limited to the amount actually paid by you for the Software. These limitations do not apply to any liabilities that cannot be excluded or limited by applicable laws.

Consumer rights - Consumers in Australia, New Zealand or Malaysia may have the benefit of certain rights and remedies by reason of the Trade Practices Act and similar state and territory laws in Australia, the Consumer Guarantees Act in New Zealand and the Consumer Protection Act in Malaysia in respect of which liability cannot lawfully be modified or excluded. If you acquired the Software in New Zealand for the purposes of a business, you confirm that the Consumer Guarantees Act does not apply. If you acquired the Software in Australia and if Microsoft breaches a condition or warranty implied under any law which cannot lawfully be modified or excluded by this agreement then, to the extent permitted by law, Microsoft’s liability is limited, at Microsoft’s option, to: (i) in the case of the Software: a) repairing or replacing the Software; or b) the cost of such repair or replacement; and (ii) in the case of support services: a) re-supply of the services; or b) the cost of having the services supplied again.

Should you have any questions concerning this EULA, or if you desire to contact Microsoft for any reason, please use the address information enclosed in this Software to contact the Microsoft subsidiary serving your country or visit Microsoft on the World Wide Web at http://www.microsoft.com.

JasperReports GNU LGPL

JasperReports provides an open source alternative for Java reporting. It is available from http://www.jaspersoft.com/JasperSoft_JasperReports.html. JasperReports is covered by the GNU LESSER GENERAL PUBLIC LICENSE, version 3, available at http://www.gnu.org/licenses/lgpl-3.0.txt:

Table 73: JasperReports GNU LGPL

GNU LESSER GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Copyright (C) 2007 Free Software Foundation, Inc.
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

This version of the GNU Lesser General Public License incorporates the terms and conditions of version 3 of the GNU General Public License, supplemented by the additional permissions listed below.

0. Additional Definitions.

As used herein, "this License" refers to version 3 of the GNU Lesser General Public License, and the "GNU GPL" refers to version 3 of the GNU General Public License.

"The Library" refers to a covered work governed by this License, other than an Application or a Combined Work as defined below.

An "Application" is any work that makes use of an interface provided by the Library, but which is not otherwise based on the Library. Defining a subclass of a class defined by the Library is deemed a mode of using an interface provided by the Library.

A "Combined Work" is a work produced by combining or linking an Application with the Library. The particular version of the Library with which the Combined Work was made is also called the "Linked Version".

The "Minimal Corresponding Source" for a Combined Work means the Corresponding Source for the Combined Work, excluding any source code for portions of the Combined Work that, considered in isolation, are based on the Application, and not on the Linked Version.

The "Corresponding Application Code" for a Combined Work means the object code and/or source code for the Application, including any data and utility programs needed for reproducing the Combined Work from the Application, but excluding the System Libraries of the Combined Work.

1. Exception to Section 3 of the GNU GPL.

You may convey a covered work under sections 3 and 4 of this License without being bound by section 3 of the GNU GPL.

2. Conveying Modified Versions.

If you modify a copy of the Library, and, in your modifications, a facility refers to a function or data to be supplied by an Application that uses the facility (other than as an argument passed when the facility is invoked), then you may convey a copy of the modified version:

a) under this License, provided that you make a good faith effort to ensure that, in the event an Application does not supply the function or data, the facility still operates, and performs whatever part of its purpose remains meaningful, or

b) under the GNU GPL, with none of the additional permissions of this License applicable to that copy.

3. Object Code Incorporating Material from Library Header Files.

The object code form of an Application may incorporate material from a header file that is part of the Library. You may convey such object code under terms of your choice, provided that, if the incorporated material is not limited to numerical parameters, data structure layouts and accessors, or small macros, inline functions and templates (ten or fewer lines in length), you do both of the following:

a) Give prominent notice with each copy of the object code that the Library is used in it and that the Library and its use are covered by this License.

b) Accompany the object code with a copy of the GNU GPL and this license document.

4. Combined Works.

You may convey a Combined Work under terms of your choice that, taken together, effectively do not restrict modification of the portions of the Library contained in the Combined Work and reverse engineering for debugging such modifications, if you also do each of the following:

a) Give prominent notice with each copy of the Combined Work that the Library is used in it and that the Library and its use are covered by this License.

b) Accompany the Combined Work with a copy of the GNU GPL and this license document.

c) For a Combined Work that displays copyright notices during execution, include the copyright notice for the Library among these notices, as well as a reference directing the user to the copies of the GNU GPL and this license document.

d) Do one of the following:

0) Convey the Minimal Corresponding Source under the terms of this License, and the Corresponding Application Code in a form suitable for, and under terms that permit, the user to recombine or relink the Application with a modified version of the Linked Version to produce a modified Combined Work, in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.

1) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (a) uses at run time a copy of the Library already present on the user's computer system, and (b) will operate properly with a modified version of the Library that is interface-compatible with the Linked Version.

e) Provide Installation Information, but only if you would otherwise be required to provide such information under section 6 of the GNU GPL, and only to the extent that such information is necessary to install and execute a modified version of the Combined Work produced by recombining or relinking the Application with a modified version of the Linked Version. (If you use option 4d0, the Installation Information must accompany the Minimal Corresponding Source and Corresponding Application Code. If you use option 4d1, you must provide the Installation Information in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.)

5. Combined Libraries.

You may place library facilities that are a work based on the Library side by side in a single library together with other library facilities that are not Applications and are not covered by this License, and convey such a combined library under terms of your choice, if you do both of the following:

a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities, conveyed under the terms of this License.

b) Give prominent notice with the combined library that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.

6. Revised Versions of the GNU Lesser General Public License.

The Free Software Foundation may publish revised and/or new versions of the GNU Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Library as you received it specifies that a certain numbered version of the GNU Lesser General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that published version or of any later version published by the Free Software Foundation. If the Library as you received it does not specify a version number of the GNU Lesser General Public License, you may choose any version of the GNU Lesser General Public License ever published by the Free Software Foundation.

If the Library as you received it specifies that a proxy can decide whether future versions of the GNU Lesser General Public License shall apply, that proxy's public statement of acceptance of any version is permanent authorization for you to choose that version for the Library.


Index

Symbols
.ceid 150, 152
.ceid file 25, 128, 134, 135, 145, 150, 152, 497, 499

Numerics
3DES 53, 55, 56, 120, 122, 139

A
access control 33
account
  on an asset 184, 192
  on the FortiScan appliance 101, 489
  on the Oracle web site 107
actions 403, 407, 410, 549
Active Directory 98, 99, 107
Active Directory (AD) 124, 136, 137, 146, 154, 184, 191, 192, 199
address resolution protocol (ARP) table 24, 223, 225
admin 56
ADMIN$ share 122
administrative access
  interface settings 63
  protocols 63, 65
  restricting 63, 65
administrative domain (ADOM). See ADOMs
administrator
  "admin" account 39, 52, 55, 84, 85, 88, 520
  default account 101
  disconnect 169, 173, 457
  maximum number 457, 523
  password 102
  permissions 57
  restricting access 62, 101
  role 34
Adobe 72
ADOMs 33, 34, 39, 101, 184, 190, 192
  "admin" account privileges 39, 93
  access privileges 39, 93
  assigning assets 100, 149
  Global 39, 93
  maximum number 523
  permissions 39, 93
AES 53, 55, 56, 120, 122, 139
agent. See FortiScan agent
alert event 368
alerts 348, 368
  for assets with multiple IP addresses 22
  policy 368
  receiving by e-mail 390
  vulnerability 258, 368
aliased IP addresses 22
All Assets asset group 182
Android 21


Apple Mac OS X 513, 516
applet 121, 180
appliance. See FortiScan appliance
application layer 69, 510
ARP
  resolution 517
  table 509
  troubleshooting 509
asset 20, 21
  assigning to an ADOM 100, 149
  authentication of the appliance with 189
  change history 210
  criticality 27, 193
  delete 199
  details 207, 217
  disconnected 107
  discovery 111
  failure 340, 344
  filter 33, 39, 100
  FortiScan agent 189
  group 181, 182
    criticality 187
    rename 187
  history 207, 210, 279
  host name 180, 208, 218, 453
  inventory 100, 149, 181
  IP address 39, 180, 208, 214, 216, 218
  last received survey 217
  maximum number 523
  multiple IP addresses 22
  operating system (OS) 217
  patches 220, 297, 300
  processes 221
  reset 494
  retire 199
  retired 200
  status 26, 179
  summary 279
  survey 24
  users and groups 219
  vulnerability 268, 279, 399
attack
  buffer overflow 29
  command injection 29
  crash 29
  DoS 29
  ping 63
  remote code execution 29
  rootkit 29
  spam 29
  spoofing 29
  Trojan 29
  worm 29
  XSS 29
  zero-day 31


audit 153, 212, 302, 308, 314, 320, 346
  asset 466, 536
  log 466, 467
  operation 467
  trail 480, 484, 545
auditor 34
authentication 53, 98, 153, 184, 189, 192
authorized software policy posture 456
  index 456
  summary 456
automatic remediation 348

B
backdoor 29
backup
  database 169, 173
  firmware 87
baseline 167
basic input/output system (BIOS) 24, 209
benchmark 212, 302, 308, 314, 318, 320, 325, 333, 335, 449
  definition 310, 316, 573
  FDCC 333
  rules 316
  update 78
  upload 309
  version 331
best practices 57, 69, 314, 347
bit strength 53, 55, 56, 120, 122, 139
bits per second (bps) 55
black list 30
Blowfish 55
Blue Screen of Death 29
boot
  interrupt 87, 519
  time 24
  up 518
botnets 29
bring down 62
browser 33, 52, 53, 64, 171
  warnings 53
brute-force login 54, 57
buffer 430
  overflow 29, 258
  underflow 258
Business Impact 187
By Criticality asset group 182
By OS Family asset group 182
By Status asset group 182

C
cabling 510
cache 85
Candidate Numbering Authority (CNA) 567
CEID 25, 150, 152, 544, 545
Center for Internet Security 314


CentOS 118, 149
central processing unit (CPU) 24, 25
certificate 129, 130, 137, 144, 150, 151, 152
  authority (CA) 53
  default 53
  mismatch 53
  revocation 122
  self-signed 53
  server 148
  warning 53
change history 210
Check4Dispatch.exe 150
child processes 494
cipher 55, 56
Citrix XenCenter 55
CLASS 5 AVR server 20
clean install 519
CLI 60
client-server model 20
clock 58, 426
command channel 198
command injection 29
command line interface (CLI) 16, 52, 101, 424, 429
  connecting to 54
  NTP configuration 60
command prompt 138
comment 420
Common Configuration Enumeration (CCE) 343
common internet file system (CIFS) 98, 184, 192
common name (CN) 53
Common Vulnerabilities and Exposures (CVE) 72, 258, 267, 271, 566
  compatible 566
  editor 567
  escalation 568
  MITRE Corporation 567
  numbering authority 567
  rationale for 566
  web site 566
Common Vulnerability Scoring System (CVSS) 260, 453
community 458, 460
completion status 325
compliance
  FDCC 15
  HIPAA 15
  history 279
  PCI DSS 15
  scan results 325
  SOX 15
  USGCB 15
compliance posture 449
  failed tests 346, 347
  index 450
  summary 450


compliance scan
  benchmark 78, 309, 314, 316, 449
  OVAL definitions 310, 316, 573
  error 340
  failure 340, 342, 344
  FISMA report 333
  modified score 341
  results 325, 331, 333
    by asset group 329
    by benchmark 331
  violations 335
  waiver 342, 344
compromise 28
condition 356
configuration
  restore 171
connecting
  CLI 54
  web UI 52
console 55
crash 29
criticality 182, 187, 191, 205
  level 27, 193
cron 487
cross-site scripting (XSS) 29
Crystal Reports 530
custom field definitions
  exporting 421
  importing 421
custom fields 418
  importing data 422
custom_prompts.properties 138
CVE identifier (CVE ID) 310

D
daemon 20, 152, 153, 221, 228, 492
dashboard 424
data source name (DSN) 531
database 169, 173, 489
  connection 530
DbVisualizer 530
debugging parameters 493
default
  administrator account 52, 55, 56, 84, 85, 88, 101, 520
  certificate 53, 122
  criticality level 193
  IP address 61
  password 15, 29, 56, 57, 101
  route 67
  settings 52, 55
  shell 550
  URL 52, 64, 171
degraded RAID 434
denial of service (DoS) 28
  and ping 511
  severity level 29
  vulnerability scan 154
deployment 19, 49

DES 53, 56, 120, 122, 139
destination unreachable 69, 514
detailed survey 106
deviation 327, 335, 346
diagnose 502, 509
diff 167, 502
digital signature algorithm (DSA) 99, 185, 193
disconnect administrator 457
disconnected 107
Disconnected status 27
discovery scan 109, 132
  report 111
DNS server 91
DNS server 65, 66
  query to 111
  test connection 514
documentation
  Release Notes 519
domain 154, 184, 192
  controller 99, 107, 124, 136, 137, 146, 155, 184, 191, 192, 199
  name
    certificate 53
    fully qualified (FQDN) 514
    service (DNS) server 33
    service (DNS), reverse 109
Domino 24
DOS 52
down 62, 65
drivers 24, 223

E
ECHO_REQUEST 63, 510, 511
ECHO_RESPONSE 63, 509, 511
ECMP 511
e-mail server 91
  testing 92
encrypted 107
encryption
  weak 53, 120, 122, 139
environment variable 153, 165
error 264, 290, 323, 368
  waive 344
Error 113 53
error message 258, 308, 322, 343, 344, 368, 496
ERROR_SSL_VERSION_OR_CIPHER_MISMATCH 53
Ethernet 53, 56
EULA 569
events 368, 457
execute shutdown 48
exploit 15, 258
extensible configuration checklist description format (XCCDF) 309
extensible firmware interface (EFI) 209


F
failure 340
  to install 117
  waive 344
false negative 153, 156, 160
false positive 24, 153, 156, 160
false positives 209, 218, 280, 299, 339
feature-based access control 33
federal desktop core configuration (FDCC) 15, 72, 309, 328, 333
Federal Information Security Management Act (FISMA) 328, 333, 451
Fedora 118, 149
file permissions 146
file shares 153
file system 225
filter icon 45
fingerprint 153, 209, 218, 280, 299, 339
fingerprinting 23, 28, 29
Firefox 53
firewall 120, 122, 154, 527
  blocking FortiWeb 514
firmware 80, 426
  backup 87
  default settings 52, 55
  FDN downloads 85
  install, backup firmware image 87
  restore 52, 519
  test 81
  testing new firmware 81
  update 83
  version 424
first-time system setup 15
flow control 55
forgotten password 102
formatting the boot device 519
FortiGuard
  Distribution Network (FDN) 249
    scheduling updates 76
  services 49
  subscriptions
    registering 73
  Vulnerability Management 72
  Vulnerability Management Service 15, 72
Fortinet
  Distribution Network (FDN) 20, 72
  Distribution Server (FDS) 72
  ID 235
  registry keys 142
  Technical Support 72, 85, 86, 136, 142, 145, 426
  Technical Support, registering with 49
  Technical Support, web site 49
Fortinet Distribution Network (FDN) 72

FortiScan
  agent 20, 492
    configuration 189
    files 149
    installer 180
    registration 24
    removing 496
    reset 494
    version 426
  appliance 426
  components 20
  VCM platform architecture 20
FortiScan-VM 48, 49, 53, 55, 61, 120, 122, 139
FortiWeb 490
fully qualified domain name (FQDN) 111, 145

G
gateway 67, 69, 70
globally unique identifier (GUID) 150, 152
graphical user interface (GUI) 33, 52
greedy matching 46
group
  assets 181, 182
  criticality 187
  policy object 146
  rename 187
  user 24, 219

H
halt 48
handshake 53, 120, 122, 139
hang 494
hard drive 434
    capacity 210
hardening
    security 30, 509
hardware, troubleshooting 509
Health Insurance Portability and Accountability Act (HIPAA) 15
hidden
    asset data 39
    menu items 33, 34
history 338
home directory 550
host name 53, 218
    of an asset 24, 115, 116, 180, 194, 208, 453
    of the FortiScan appliance 175, 424, 426
hot fix 24, 153, 220
hot swap 176
hotfix 29
HTML 238
HTTP 64, 65
    CONNECT 76
HTTPS 53, 62, 63, 65
httpsd 70

I
IBM Lotus Domino 24
ICMP 63, 509, 511
    ECHO_REQUEST 63, 510
    ECHO_RESPONSE 509
    type 0 63, 509
    type 8 63, 510, 514
idle 41
IIS 549
image
    Ghost 145
importance 28
installation 19, 49, 52
    failure 117, 128, 132
    FortiScan agent 180
    FortiScan-VM 15
    location 149
interface
    administrative access 63
Internet service provider (ISP) 66
IP address 53, 55, 61, 65, 67, 126, 133, 135, 141, 143, 180, 208, 214, 216, 218
    alias handling 22
    multiple for an asset 22
    of an asset 24, 39, 224
    private network 93
iPhone 21

J
Java 121, 180
    applet 121
jitter 511

K
kernel 164
key
    chain 99, 185, 193
    private 99
    public 99
    SSH 56
keychain 185, 193
keylogger 31

L
language 41
    web UI 41
latency 511, 514
Layer
    1 69
    2 69
    3 511
    4 69
LDAP 24, 98
LENC 56
license 53, 56, 120, 122, 139
    validation 72
limit
    configuration 523
link status 439, 509
Linux 118, 138, 149, 228, 513, 516
    CentOS 118, 149
    Fedora 118, 149
    Red Hat 164, 184, 185, 193, 204, 549, 550
    superuser 128, 134, 164
load
    network 106
local console 55
logical devices 223
login prompt 56
logs 58, 368
LongSurvey.exe 24
loop
    network 511
lost password 102
Lotus 24
low encryption (LENC) 53, 120, 122, 139

M
Mac OS X 513, 516
mail server 92
malware 227
managed security service provider (MSSP) 49, 93
management information block (MIB) 458
manager, SNMP 458, 461
maximum values 523
maximum transmission unit (MTU) 64
MD5 24
media access control (MAC) address 24, 63, 224
    conflict 510
media access control (MAC) address 225
Microsoft 72
    .Net 139
    Active Directory 24, 98, 99, 107
    Active Directory (AD) 124, 136, 137, 146, 154, 184, 191, 192, 199
    Excel 133, 530
    IIS 549
    Installer 139, 409
    Internet Explorer 33, 53
    Management Console (MMC) 146, 155, 159
    Windows 118, 139, 149, 204, 205, 228, 530
MITRE Corporation 567
modified score 333, 341, 342, 344
monitor
    events and attacks 424
Mozilla Firefox 33, 53
MSI installer 138
    syntax 141
multiple IP addresses on an asset 22

N
National Institute of Standards and Technology (NIST) 309
netmask 61, 65, 224
netstat 24
network
    layer 69
    loop 511
    topology 15
network address translation (NAT) 50, 154
network interface 52, 55, 61, 65, 70, 224
    on an asset 24, 223, 224
network interface card (NIC) 22
network layer 70, 510
network share 148
Network Time Protocol (NTP) 58
network topology 49
network vulnerability scan 228
newcli 70
next-hop router 67, 69
Norton Ghost 145
null modem 55

O
offline 199
offloading vulnerability scans 490
open database connectivity (ODBC) 530
Open Vulnerability Assessment Language (OVAL) 72, 267
    definitions 310, 316, 573
    download 309
    ID 260, 394
OpenLDAP 24
operating system (OS) 20, 24, 80, 153, 180, 204, 207, 209, 217
operation unit (OU) 146
operator 34
Oracle Solaris 107, 118, 138, 149, 164, 184, 185, 193, 204, 228, 549, 550

P
packet
    capture 502
    loss 501, 511, 512
    troubleshooting 517
paged memory 25
parity 55
partition 24, 84, 87, 226, 519
password 56, 57, 101, 102, 156, 160
    administrator 15
    default 29
    for an account on an asset 184, 192
    for an asset 192
    for connecting to an asset 550
    forgotten 102
    reset 39, 102
patch 24, 30, 153, 220, 283, 314, 358
    third-party download login 107
patch posture
    index 455
    summary 455
    viewing 455
patch scan 283, 297
    definitions 283, 285
    results 292, 293
    results by OS 295
    running 288
    statistics 291
    wizard 285, 288
Payment Card Industry Data Security Standard (PCI DSS) 15, 302
performance 19, 22, 25, 154, 357, 424, 490, 507, 509, 523
    and Active Directory 107
    and large numbers of users 107
    DNS 66
    vulnerability scan 228
permissions 22, 39, 57, 93, 101, 128, 132, 137, 149, 151, 152, 154, 164
    access 508
    ADOMs 39, 93
    by role 34
    file 550
    superuser 184, 193
physical
    layer 69, 70, 510
    topology 49
ping 63, 65, 69, 70, 500, 509, 510, 511, 514
    flood 63
pkginfo 164
planning 15
policy
    adding remediations 358
    affected assets 364
    apply 181
    enforcement 24
    from remediation template 358
    from remediation templates 359
    managing 361, 363
    violation 348
port
    down 62, 65
    number 72, 114, 120, 122, 135, 461, 525, 527
    parameters 518
    scan 23, 153
    SNMP 461
    TCP/UDP used 525, 526
    troubleshooting 517
    UDP 514
port1 52, 55, 61
port2 61, 62, 65
port3 61, 62, 65
port4 61, 62, 65
port5 61
port6 61
PostgreSQL 530
power
    indicator 47
    off 48
    on 518
    supply unit (PSU) 47
Preferred Assets asset group 182
printer 21
private key 99
private key 193
private network address 93
privilege escalation 29
privileges 34, 39, 93, 137, 154
    escalation 28
process
    ID (PID) 221
    name 152
process ID (PID) 221
product registration 49
progress bar 329
Protected status 26
proxy
    FortiGuard 76
    web 73
ps 132
pseudo-code 316
public community 185, 193
public key 193
public key infrastructure (PKI) 129, 130, 131, 141, 144, 150, 151, 152
push installer 180
    dependencies 137

Q
query 111
    SNMP 458, 461

R
random access memory (RAM) 24, 210
    virtual 25
rate limit
    vulnerability scan 154
RC2 53, 56, 120, 122, 139
RC4 53, 56, 120, 122, 139
reachable 67
reactivating retired assets 200
read only access level
    administrator account 58
read-only 152
reboot 171, 264, 290, 323, 324, 358, 383
Red Hat Linux 118, 149, 164, 184, 185, 193, 204, 228, 549, 550
Red Hat Linux 138
redundant array of independent disks (RAID) 175
    levels 177
Registered status 24, 26
registering
    FortiScan agent with appliance 148
    the agent with the appliance 24
    with Fortinet Technical Support 49, 426
registry 124, 163, 358
    keys 142, 153, 154, 497
relay 91
Release Notes 80, 519
remediation 30, 181, 399
    action 348, 406, 549
    adding to a policy 358
    automatic 348
    by CVE ID 310
    dispatch 181
    history 279
    manual 348
    of vulnerabilities 271
    template 358
remote code execution 29
remote vulnerability scan (RVS) 23
removing the FortiScan agent 496
report 476
    compliance scan 325
    discovery scan 111
    FISMA 333
    network vulnerability scan 244
    output template 238
    patch scan 292
    vulnerability scan 273
reset 368
    firmware 102
    password 39
resolution 33
restore
    configuration 171
    database 169, 173
retire 199, 200
Retired status 27
reverse DNS (RDNS) 109
RFC
    1213 462
    2616 76
    2665 462
    792 63
risk 15, 24, 27, 28, 368, 376
    management 27, 29
Rivest, Shamir and Adleman (RSA) 99, 185, 193
RJ-45 53
RJ-45-to-DB-9 55
role 33, 34, 101, 109
root 99
    administrator account 57
rootkit 29
route 24, 62, 65
    maximum number 523
    static 67
    table 510
router 21, 70
    gateway 69
    hop 501
    next hop 67, 69
routing table 68, 69, 70, 71
rpm 164

S
Sarbanes-Oxley (SOX) 15
scheduling 27, 58, 81, 247, 258, 263, 277, 283, 288, 308, 320, 333, 339, 368, 369, 383, 385, 386, 404, 409, 412, 463, 464, 482, 534
    discovery scan 109
    updates 76
score 215, 260, 267, 331, 333, 335, 337, 340, 342, 344, 449
    modified 341
SEClient.conf 152
seclient.conf 151
Secure Shell (SSH) 64
secure shell (SSH) 52, 62, 63, 65, 184, 192
    key 56, 99
    version 55, 56
security
    advisory 72
    certificate 53
Security Content Automation Program (SCAP) 72, 318
security posture 302
    authorized software 456
    compliance 323
    patch 455
    viewing 449
self-signed 53
sendmail 337
serial communications (COM) port 55
serial number 426
server message block (SMB) 98, 184, 192
service 20, 153
    Windows 20, 152, 221, 228, 492
sessions 169, 440, 457
SHA-1 55
shared folder 148
shell. See command line interface (CLI)
shut down 48
simple file sharing (SFS) 154, 157, 161
simple network management protocol (SNMP) 61, 185, 193, 457, 461
    community 99, 457
    event 461
    manager 457
    query 461
    system name 175
SMTP server
    configuring 91
sniffer 502
socket 225
Solaris 107, 118, 138, 149, 164, 184, 185, 193, 204, 228, 549, 550
spam 29
special characters 175
split horizon 511
spoofing 28, 29
sps.exe 151, 152
sshd 70
SSL 58
    error 130
    version 53
ssl_error_no_cypher_overlap 53
standalone 155, 159
static route 67
status 26, 179, 180
su 99, 121, 164
subnet 65
sudo 99, 121, 164, 184, 193
superuser 99, 121, 128, 134, 164, 184, 193
survey 24, 181, 217
    detailed 106
    interval 25, 106, 348
    standard 106
    system-wide settings 105
survey.exe 24
switch 21
sync interval 59
syntax 141
system resource usage 424
system time 58, 424

T
TCP 525, 526
Telnet 52, 64, 65
terminal 52
    server 520
test configuration 166
TFTP 82, 520
ticket 368, 392
    history 396
time 58, 66, 426
time to live (TTL) 514
time zone 58, 72, 75
timeout 41
    idle 41
    sessions 441
TLS version 53
top 69
topology 15, 49, 153, 228
trace 502
traceroute 63, 69, 70, 500, 509, 510, 511, 514
tracert 69, 510, 514, 516
traffic
    vulnerability scan 154
transport layer 69, 510
transport layer 70
trap 457, 461
trial license 53, 56, 120, 122, 139
Trojan 29
troubleshooting 25, 122, 131, 141, 150, 322, 494, 500
    bootup 518
    connectivity 69, 70
    hardware 509
    packet sniffing 517
    plan 508
    routing 69
trust certificate 53
trust chain 122
trusted networks 62, 64
tunnel 76
type 0, ICMP 63, 509
type 8, ICMP 63, 510, 514

U
UDP 63, 514, 525, 526
uname 164
unauthorized software 227
Ungrouped Assets asset group 182
uninstall the FortiScan agent 496, 497, 498
unique identifier 25
United States government configuration baseline (USGCB) 15, 309
UNIX 52, 164, 228
unix-login-commands.properties 138
Unprotected status 26
up 62, 65
update 83, 426, 494
    FortiGuard Vulnerability Management Service 72
    FortiScan agent 117, 135, 146
upload
    FortiWeb configuration 171
uptime 424, 426
URL 52, 53, 64, 171
US-ASCII 175, 503
user 107
    account on an asset 24
    account on the FortiScan appliance 101
    credentials 107
    groups 107
    on an asset 184, 192

V
verify configuration 166
version 164, 494
    firmware 426
    FortiGuard VCM package 428
    FortiScan agent 426, 492
vi 165
View Filters asset group 182
violation
    policy 348
virtual machine 25
virus 29, 117
visudo 165
VMware vSphere Client 55
vNIC 61
vulnerability 28
    alert 258, 268
    CVE ID 310
    database 249
    details 269
    history 279
    on IP address aliases 22
    remediation 271
    scan 263
        definition 259
        results 273, 274
    signatures 249
    update 78
vulnerability management
    host status 247
    scheduling scans 241
    sensors 229
    summary 247
vulnerability posture
    index 452
    summary 452
vulnerability scan 258, 279
    definition 260
    without the FortiScan agent 228

W
waive 337, 344
    error 344
    failure 342
waiver 337
web browser 33, 52, 53, 64, 171
    warnings 53
web user interface (web UI) 52, 101
    language 41
    settings 41
widget 42, 424
wild cards 312
Windows 118, 149, 154, 204, 205
    2008 125
    7 125
    network share 148
    registry 142, 497
    Vista 119, 125, 149
wizard 261, 263, 285, 288, 318, 320
worm 29

X
X.509 53
XCCDF 309
XML 316

Z
zero-day vulnerabilities 15
