What are the various ways Fortinet devices can be registered to FortiAnalyzer?

Discussing the different methods for establishing trust in data sources for FAZ.

This is part of an ongoing series in cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

For FortiAnalyzer (FAZ) to store logs from an upstream Fortinet device, it needs to know about that data source in advance and trust it. The mechanism for establishing that trust is called "Device Registration", and there are a variety of ways to perform it. Here are the most common methods:

  • Request from Fortinet device (direct to FAZ) - The operative term here is "from". In this method, the Fortinet device itself (e.g. FortiGate, FortiAP, etc.) submits a registration request directly to the FortiAnalyzer. This is a manual process and requires the device admin to know the IP address of the FortiAnalyzer. Once the request is submitted, the FAZ admin can see the pending request and choose to accept it.
  • Request from Fortinet device (indirect through Security Fabric) - This is similar to the prior method; the difference is that the registration request reaches the FortiAnalyzer via the Fortinet Security Fabric.
  • Registration from FortiAnalyzer to Fortinet device (using serial number) - Here the direction is reversed: instead of the device submitting a registration request to FAZ, FAZ initiates a request to the data source/device. During this process, admins can specify the serial number as a means of authentication.
  • Registration from FortiAnalyzer to FortiGate device (using pre-shared key) - Very similar to the previous method, but this option is specific to FortiGates. FAZ again initiates a request to the data source/device. During this process, admins can specify a pre-shared key as a means of authentication.

For more information, check out the following resources:

Adding devices | Administration Guide
Authorizing devices | Administration Guide