FortiRecorder™ 1.1 Handbook
January 14, 2013
1st Edition

Copyright © 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation: http://docs.fortinet.com
Knowledge Base: http://kb.fortinet.com
Forums: https://support.fortinet.com/forum
Customer Service & Support: https://support.fortinet.com
Training Services: http://training.fortinet.com
FortiGuard Threat Research & Response: http://www.fortiguard.com
Document Feedback: Email:
[email protected]

Table of contents

Introduction ... 7
  Scope ... 7
Key concepts ... 8
  Centralized camera management ... 8
  Third-party cameras ... 8
  Discovery ... 8
  Video streaming ... 9
  Motion detection vs. continuous recording ... 10
  Shutdown ... 11
How to use the web UI ... 11
  System requirements ... 11
  URL for access ... 11
  Permissions ... 12
    Trusted hosts ... 12
  Global web UI & CLI settings ... 12
  Buttons, menus, & the displays ... 14
    Deleting entries ... 16
    Renaming entries ... 17
How to use the CLI ... 18
  Command syntax ... 18
    Terminology ... 18
    Indentation ... 20
    Notation ... 20
  Tips & tricks ... 23
    Help ... 23
    Shortcuts & key commands ... 23
    Command abbreviation ... 24
    Special characters ... 24
    Editing the configuration file in a text editor ... 25
  Top-level commands ... 26
    config ... 26
    execute ... 26
    diagnose ... 26
    get ... 26
    show ... 27

Fortinet Technologies Inc. Page 3 FortiRecorder 1.1 Handbook

  Subcommands ... 28
    Table commands ... 29
      Example of table commands ... 30
    Field commands ... 30
      Example of field commands ... 31
10-minute setup ... 32
How to set up your FortiRecorder NVR & cameras ... 33
  Registering your FortiRecorder NVR ... 33
  Planning the network topology ... 34
    Adding the virtual IP/port mapping to your firewall ... 36
  Connecting to the web UI or CLI ... 37
    Connecting to the web UI ... 38
    Connecting to the CLI ... 39
      CLI console in the web UI ... 42
  Updating the firmware ... 43
    Testing new firmware before installing it ... 43
    Installing firmware ... 45
    Installing alternate firmware ... 48
      Booting from the alternate partition ... 49
  Configuring the network settings ... 53
    Configuring the network interfaces ... 53
    Adding a gateway ... 58
    Configuring DNS settings ... 62
    Configuring your or FortiRecorder's DHCP server ... 64
  Changing the "admin" account password ... 51
  Setting the system time & date ... 72
  Connecting with the cameras ... 75
    Updating the cameras' firmware ... 82
  Adding logins for security personnel & network administrators ... 84
  Configuring notification email ... 102
  Configuring logging ... 110
  Testing your installation ... 116
  Backups ... 117
    Video backups ... 118
    Restoring a previous configuration ... 119
Advanced/optional system settings ... 121
  Changing the FortiRecorder appliance's host name ... 121
  Customizing the logo graphic & product name ... 122
  External video storage ... 122
Secure connections (SSL/TLS) ... 127
  Supported cipher suites & protocol versions ... 127
  Uploading trusted CAs' certificates ... 128
    Example: Downloading the CA's certificate from Microsoft Windows 2003 Server
  Revoking certificates
    Revoking certificates by OCSP query
  Replacing the default certificate for the web UI
    Generating a certificate signing request
    Uploading & selecting to use a certificate
Monitoring your system
  The dashboard
    System Information widget
    System Resources widget
    System Command widget
    Statuses via the CLI
  Watching live video feeds
  Downloading or playing older video clips
  Viewing a camera's recording schedules
  Reviewing motion detection notifications
  Alert email
  SNMP traps & queries
    Configuring an SNMP community
    Configuring SNMP v3 users
    MIB support
  Logging
    About logs
      Log types
      Log severity levels
      Log messages
    Displaying & sorting log columns & rows
    Searching logs
    Downloading log messages
    Deleting log files
Fine-tuning & best practices
  Hardening security
    Topology
    Administrator access
    Operator access
    Patches
  Improving performance
    System performance
    Logging & alert performance
    Video performance
    Packet capture performance
  Regular backups
Troubleshooting
  Tools
    Ping & traceroute
    Diff
    Packet capture
  How to troubleshoot
    Establishing a system baseline
    Determining the source of the problem
    Planning & access privileges
  Solutions by issue type
    Connectivity issues
      Checking hardware connections
      Checking port assignments
      Checking routing
        Testing for connectivity with ping
        Testing routes & latency with traceroute
        Examining the routing table cache
        Viewing current IP sessions
        Examining the ARP table
        Performing a packet trace
      Facilitating discovery
      Resolving IP address conflicts
    Resource issues
    Login issues
      When an administrator account cannot log in from a specific IP
    DHCP issues
      Unauthorized DHCP clients or DHCP pool exhaustion
    Data storage issues
    Video viewing issues
      Live feed delay
      Video not being sent to the NVR
    Snapshot notification issues
    Bootup issues
      Hard disk corruption or failure
      Power supply failure
    Resetting the configuration
    Resetting passwords
    Restoring firmware ("clean install")
Appendix A: Port numbers
Appendix B: Maximum configuration values
Index
Video not being sent to the NVR...................................................................................................... It also describes how to use the web user interface (web UI). Scope This document describes how to set up your FortiRecorder appliance. DNS settings.1 Handbook . It describes how to complete first-time system deployment. you can use the rest of this document to use the web UI to: • Update the FortiRecorder appliance. This document is intended for network administrators. Once that basic installation is complete. and supported standards. administrator password. • Use advanced features. configuration limits. • Diagnose problems. It is an integrated video management system (VMS) and network video recorder (NVR): manage cameras. and contains lists of default utilized port numbers. all from one convenient location. Fortinet Technologies Inc. • Reconfigure features. including planning the network topology. if any. If you are accessing a camera managed by FortiRecorder. please contact your system administrator. and network interfaces will be configured. Page 7 FortiRecorder 1. and thank you for selecting Fortinet products for your network protection. After completing “How to set up your FortiRecorder NVR & cameras” on page 33: • You will have administrative access to the web UI and/or CLI. • You will have connected your cameras to FortiRecorder. record.Introduction Welcome. and replay. not end users (“operators”). • You will have completed firmware updates. • The system time. FortiRecorder is designed to be your eyes on your world. Key concepts This chapter defines basic FortiRecorder concepts and terms. or new to digital video surveillance systems. This is because your FortiRecorder NVR will act as your central point for both: • configuring your cameras • recording your video feeds • viewing recordings and live video feeds The FortiRecorder NVR will send your settings to all of your cameras. 
Discovery Surveillance systems may involve many cameras. their image quality. If you are new to FortiRecorder. Fortinet Technologies Inc. FortiRecorder uses a combination of DHCP and multicast discovery traffic to quickly integrate your cameras into the network and allow the NVR to find them.1 Handbook . Page 8 FortiRecorder 1. all from one convenient place — no matter how many cameras you have. Rather than slowly. this chapter can help you to quickly understand how to use your FortiRecorder system. Third-party cameras Your FortiRecorder network video recorder (NVR) appliance is designed to not only record from. Centralized camera management Don’t manually connect to each of your many individual cameras in order to configure them. Third-party cameras are not supported. It will also control when they record. and much more. manually adding cameras one by one. but also specifically to set up and manage your FortiRecorder cameras. If you have firewalls. the FortiRecorder streams to your computer’s web browser. playing or recording can begin almost immediately. This can be achieved if they all use the same switch. even if you stop playing it. With streams. Stopping the video will cease downloading further data. your FortiRecorder NVR must be plugged into the same subnet. Page 9 FortiRecorder 1. some video has been buffered). or for an end that may never arrive (because the length is not known). or even the Internet between the Fortinet Technologies Inc. your video feeds will travel over your network in a form called a live stream — data that. unlike a file. downloading a file usually continues until it is complete. usually does not have a predetermined length. routers. rather than waiting for an entire file to download. to save network resources. Video streaming Usually. or if you have configured some of the ports on your firewall or router to act as a switch.) 
Streams will be travelling in multiple directions on your network: your cameras send their streams to the FortiRecorder NVR. If cameras are not on the same subnet.To be able to discover your FortiRecorder cameras. when you view videos. Sometimes the video’s size is not predetermined because the camera is still recording. the discovery probes will not be able to reach the cameras. it will only send the parts that you currently need. Sometimes the video’s file size is not predetermined because you are watching only part of an older clip: since FortiRecorder does not predict in advance how much of the clip you will want to view. you will need to add each one to the FortiRecorder NVR manually.1 Handbook . (In contrast to streams. You can begin playing the video as long as there is enough data to start (that is. In that case. Cameras will stream captured video to your FortiRecorder NVR whenever it commands it. forward the second stream to your web browser. In contrast. motion detection vs. and when to record continuously. usually there will be a couple seconds’ worth of delay compared to events as they are happening: the time required for your FortiRecorder NVR to receive the stream. continuous video records for the entire duration of the schedule. continuous recording. continuous recording Each person will use his or her surveillance system differently. There are two ways you can use to watch a video clip that the NVR has received: • Download the file from the NVR to your computer and watch it there. Some will want to record all periods of activity in order to watch for shoplifting. or copy it to another computer or network share. Motion detection vs. it will record the stream to a file. or via a schedule that you have configured for motion detection-triggered or continuous video capture. as you would any other file.1 Handbook . you must make sure that there are no security policies in place that block your video streams. 
The resolution is configurable (see “Resolution” on page 78) and therefore file size and bandwidth requirements can vary. Do you want to focus on only sudden movements? Hours upon hours of still video would make for dull viewing. Alternatively. The frame rate is 30 frames per second. • Use your web browser to view a stream from the NVR.FortiRecorder NVR and your computer or the cameras. expand your storage by configuring a network storage location (see “External video storage” on page 122). When the stream reaches your FortiRecorder NVR. and would waste disk space. They also by the degree of movement. If you are viewing the stream. regardless of what the camera detects. Fortinet Technologies Inc. You can configure your FortiRecorder NVR with schedules that it will use to tell each camera when to only send video of sudden activity (motion detection). Page 10 FortiRecorder 1. But others will only want to record potential intrusions when the business is closed. regardless of movement. Motion detection will record a video clip up to about 40 seconds long each time the camera’s sensor detects movement. Video streams and files use variable bit rate to minimize bandwidth use when the recording does not require it. either due to your manual command. and for your computer to buffer a few seconds’ worth of video. For sizing guidelines and estimates on the amount of video that you will be able to store. contact your reseller. and other factors. Shutdown Always properly shut down the FortiRecorder appliance’s operating system before turning off the power switch or unplugging it. and to correctly spin down and park the hard disks. click Shut Down. indicating that power can be safely disconnected. For first-time connection.1.168. Fortinet Technologies Inc. and in the System Information widget. the URL and/or permitted administrative access protocols may no longer be in their default state. Disconnect the power cable from the power supply. Apple Safari 4. For details. 
the computer’s screen should have a resolution that is a minimum of 1280 x 1024 pixels. This causes it to finish writing any buffered data. Failure to do so could cause data loss and hardware problems. 2. Page 11 FortiRecorder 1. such as.1 or greater plug-in To minimize scrolling. How to use the web UI This topic describes aspects that are general to the use of the web UI. a graphical user interface (GUI) that provides access the FortiRecorder appliance from within a web browser. enter the following command: execute shutdown Alternatively. System requirements The management computer that you use to access the web UI must have: • a compatible web browser.1 Handbook . see “Connecting to the web UI or CLI” on page 37. To power off the FortiRecorder appliance 1.5. You may be able to hear the appliance become more quiet when the appliance halts its hardware and operating system. The default URL to access the web UI through the network interface on port1 is: https://192. Access the CLI or web UI. use either a DNS-resolvable domain name for the FortiRecorder appliance as the URL. 3. Do not unplug or switch off the FortiRecorder appliance without first halting the operating system. From the CLI console. using a network interface on the FortiRecorder appliance that you have configured for administrative access. or Google Chrome 6 or greater • Apple QuickTime 7. In that case.99/ If the network interfaces were configured during installation of the FortiRecorder appliance (see “Configuring the network settings” on page 53). Microsoft Internet Explorer 8. if you are connected to the web UI. or the IP address that was assigned to the network interface during the installation process. Mozilla Firefox 3. URL for access You access the web UI by URL. go to Monitor > System Status > Status. see “Connecting to the web UI” on page 38. 1 Handbook . You might have also configured a private DNS server on your network to resolve fortirecorder.For example. 
For example, to access the web UI through port2, you might have configured port2 with the IP address 10.0.0.1 and enabled HTTPS. In this case, you could enter either https://fortirecorder.example.com/ or https://10.0.0.1/.

For information on enabling administrative access protocols and configuring IP addresses for the FortiRecorder appliance, see “Configuring the network settings” on page 53.

If the URL is correct and you still cannot access the web UI, you may also need to configure from which hosts the FortiRecorder appliance will accept login attempts for your administrator account (that is, trusted hosts), and/or static routes. For details, see “Adding logins for security personnel & network administrators” on page 84 and “Adding a gateway” on page 58.

Permissions

Depending on the account that you use to log in to the FortiRecorder appliance, you may not have complete access to all areas of the web UI or CLI. User type defines which commands and areas an account can access. For complete access to all commands and abilities, you must log in with the administrator account named admin. For details, see “Adding logins for security personnel & network administrators” on page 84.

By default, the administrator account named admin exists. Unlike other administrator accounts, this administrator account has no password. The admin account always has full permission to view and change all FortiRecorder configuration options, including viewing and changing all other administrator accounts. It is the only administrator account that can reset another administrator’s password without being required to enter that administrator’s existing password. The admin account cannot be deleted and its name and permissions cannot be changed.

Set a strong password for the admin administrator account, and change the password regularly. Failure to maintain the password of the admin administrator account could compromise the security of your FortiRecorder appliance.

Trusted hosts

As their name implies, trusted hosts are assumed to be (to a reasonable degree) safe sources of administrative login attempts. Configuring the Trusted hosts setting of your administrator accounts hardens the security of your FortiRecorder appliance by further restricting administrative access. In addition to knowing the password, an administrator must connect only from the computer or subnets you specify. The FortiRecorder appliance will not allow logins for that account from any other IP addresses.

If all administrator accounts are configured with specific trusted hosts, FortiRecorder will ignore login attempts from all other computers. This eliminates the risk that FortiRecorder could be compromised by a brute force login attack from an untrusted source.

Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet or SSH. Local console access to the CLI is not affected by trusted hosts, as the local console is by definition not remote, and does not occur through the network.

Page 12 FortiRecorder 1.1 Handbook Fortinet Technologies Inc.

Global web UI & CLI settings

Some settings for connections to the web UI and CLI apply regardless of which administrator account you use to log in. For example, the SSH port number must be known in order to connect, before you have logged in, and therefore before FortiRecorder can apply any of your account-specific settings.

To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see “Permissions” on page 12.

To configure web UI & CLI access settings
1. Go to System > Configuration > Options.
2. Configure these settings:

GUI item: Description
Idle Timeout: Type the number of minutes that a web UI connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). To maintain security, keep the idle timeout at the default value of 5 minutes.
Administration Ports
HTTP port number: Type the port number on which the FortiRecorder appliance will listen for HTTP administrative access. The default is 80. This setting has an effect only if HTTP is enabled as an administrative access protocol on at least one network interface. For details, see “Configuring the network interfaces” on page 53.
HTTPS port number: Type the port number on which the FortiRecorder appliance will listen for HTTPS administrative access. The default is 443. This setting has an effect only if HTTPS is enabled as an administrative access protocol on at least one network interface. For details, see “Configuring the network interfaces” on page 53.
TELNET port number: Type the port number on which the FortiRecorder appliance will listen for Telnet administrative access. The default is 23. This setting has an effect only if TELNET is enabled as an administrative access protocol on at least one network interface. For details, see “Configuring the network interfaces” on page 53.
SSH port number: Type the port number on which the FortiRecorder appliance will listen for secure shell (SSH) administrative access. The default is 22. This setting has an effect only if SSH is enabled as an administrative access protocol on at least one network interface. For details, see “Configuring the network interfaces” on page 53.

3. Configure the Public Access settings:

GUI item: Description
Host name: Type either your network’s IP on the Internet, or its domain name, such as www.example.com. This is either your Internet router’s WAN IP, or a virtual IP (VIP) on your firewall whose NAT table will forward incoming connections from this public network IP to your FortiRecorder NVR’s private network IP.
Port number: Type the port number, such as 8080, on your public IP that your Internet router or firewall will redirect to your FortiRecorder NVR’s listening port.
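The trusted-host rule described above, as an added example (not FortiRecorder code): a login is accepted only when the password is correct and the source address falls inside one of the account's trusted hosts, while the local console is exempt because it is not a network connection. The account names, subnets and source addresses are constructed, and an account with an empty trusted-host list stands for the unrestricted default that the text warns against.

```python
"""Trusted-host check for administrator logins (added example, not FortiRecorder code)."""
import ipaddress

# Constructed sample of per-account trusted hosts. An entry is a single address
# or a subnet in CIDR form. An empty list means no restriction was configured,
# which is exactly the case the handbook recommends you eliminate.
TRUSTED_HOSTS = {
    "admin":    ["192.0.2.10", "192.0.2.0/28"],
    "operator": ["198.51.100.0/24"],
    "legacy":   [],
}


def is_trusted_source(account, source_ip, trusted=TRUSTED_HOSTS):
    """True if a login for `account` from `source_ip` is permitted by trusted hosts."""
    hosts = trusted.get(account)
    if hosts is None:
        return False                      # unknown account: never trusted
    if not hosts:
        return True                       # no trusted hosts configured: any source
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(h, strict=False) for h in hosts)


def login_allowed(account, password_ok, source_ip=None, trusted=TRUSTED_HOSTS):
    """Combine both conditions from the text: correct password AND trusted source.

    source_ip=None represents the local console, which is not remote and is
    therefore not subject to the trusted-host restriction."""
    if not password_ok:
        return False
    if source_ip is None:
        return True
    return is_trusted_source(account, source_ip, trusted)


def unrestricted_accounts(trusted=TRUSTED_HOSTS):
    """Accounts with no trusted hosts: the ones still reachable by a brute-force
    attempt from an untrusted network. Use this as an audit check."""
    return sorted(name for name, hosts in trusted.items() if not hosts)


if __name__ == "__main__":
    print(login_allowed("admin", True, "192.0.2.14"))    # inside 192.0.2.0/28
    print(login_allowed("admin", True, "192.0.2.16"))    # just outside it
    print(unrestricted_accounts())
```

Running the audit helper against the sample flags only `legacy`; in practice every account, including `admin`, should have a non-empty list so that the "all other computers are ignored" property holds.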
4. Click Apply.

Buttons, menus, & the displays

Figure 1: Web UI parts (Navigation menu; Submenu; Tab; Content pane, which may contain tabs or sub-panes; Dashboard widget)

A navigation menu is located on the left side of the web UI. To expand a menu item, simply click it. To expand a submenu item, click the + button located next to the submenu name, or click the submenu name itself. To view the pages located within a submenu, click the name of the page.

Within each submenu may be one or more tabs or sub-panes, which are displayed to the right of the navigation menu, in the content pane. Each tab or pane (per “Permissions” on page 12) displays or allows you to modify settings, using a similar set of buttons.

Do not use your browser’s Back button to navigate; pages may not operate correctly. Instead, use the navigation menu, tabs, and buttons within the pages of the web UI.

(Color of the buttons may vary by which theme you have selected by clicking the Next Theme button at the top of the UI, and the logo may vary depending on appearance customizations in System > Customization > Appearance.)

Table 1: Common buttons and menus
Icon: Description
Expand: Click to expand a hidden area.
Collapse: Click to collapse a visible area.
First page: Click to view the first page’s worth of records within the tab. If this button is gray, you are already viewing the first page.
Previous page: Click to view the previous page’s worth of records within the tab. If this button is gray, you are viewing the first page.
Page number: To go to a specific page number in the records for that tab, type the page number and press Enter. The total number of pages depends on the number of records per page.
Next page: Click to view the next page’s worth of records within the tab. If this button is gray, you are viewing the last page.
Last page: Click to view the last page’s worth of records within the tab. If this button is gray, you are already viewing the last page.
Records per page: To change the size of each page’s worth of records in the tab, either click and select one of the numbers in the drop-down list, or type the number and press Enter. The total number of pages depends on the number of records per page.
Refresh: Click to refresh the tab’s display. While the tab is loading the new display, this button is animated.
New: Click to create a new entry using only typical default values as a starting point.
Clone: Click to create a new entry by duplicating an existing entry. To use this button, you must first click to select an existing entry on which the new entry will be based. Alternatively, you can right-click an entry and select Clone.
Edit: Click to modify an existing entry. To use this button, you must first click to select which existing entry you want to modify. Alternatively, you can double-click the existing entry, or right-click the entry and select Edit.
Delete: Click to remove an existing entry. To use this button, you must first click to select which existing entry you want to remove. Alternatively, you can right-click an entry and select Delete. To delete multiple entries, either mark the check boxes of each entry that you want to delete, or right-click and click Select All, then click Delete. This button may not always be available. See “Deleting entries” on page 16.

Common buttons are not described in subsequent sections of this Handbook. Some pages have unique buttons, or special behaviors associated with common buttons. Those buttons are described in their corresponding section of the Handbook.

Deleting entries

To delete a part of the configuration, you must first remove all references to it. For example, if you selected a camera network named “Warehouse” in a camera named “EntranceCam”, that camera references “Warehouse” and requires it to exist. Therefore the appliance will not allow you to delete “Warehouse” until you have reconfigured “EntranceCam” (and any other references) so that “Warehouse” is no longer required and may be safely deleted.

If you do not know where your configuration refers to the entry that you want to delete, to find the references, you can download a backup of the configuration and use a plain text editor to search for the entry’s name.

Predefined entries included with the firmware cannot be deleted.

Back up the configuration before deleting any part of the configuration. Deleted items cannot be recovered unless you upload a backup copy of the previous configuration. See “Backups” on page 117 and “Restoring a previous configuration” on page 119.

Renaming entries

In the web UI, each entry’s name is not editable after you create and save it. For example, let’s say you create a camera whose Name is “CameraA”. While configuring the camera, you change your mind about the camera’s name a few times, and ultimately you change the Name to “EntranceCam”. Finally, you click OK to save the camera. Afterwards, if you edit the camera settings, Name is greyed-out, and cannot any longer be changed.

While you cannot edit Name, you can achieve the same effect by other means.

To rename an entry
1. Clone the entry, supplying the new name.
2. In all areas of the configuration that refer to the old name, replace the old entry name by selecting the new name.
3. Delete the item with the old name.

Alternatively, if you need to rename an item that is only referenced in the core configuration file, you can download a backup copy, use a plain text editor to find and replace the entry’s old name, then restore the modified configuration backup file to the appliance. Where there are many references, this may save time.

How to use the CLI

The command line interface (CLI) is an alternative to the web UI. You can use either interface or both to configure the FortiRecorder appliance. In the web UI, you use buttons, icons, and forms, while, in the CLI, you either type text commands or upload batches of commands from a text file, like a configuration script.

If you are new to Fortinet products, or if you are new to the CLI, this section can help you to become familiar.

This section contains the following topics:
• Command syntax
• Tips & tricks
• Top-level commands
• Subcommands

Depending on the account that you use to log in to the FortiRecorder appliance, you may not have complete access to all CLI commands or areas of the web UI. Account types control which commands and areas an administrator account can access. Operators cannot configure system-wide settings, and as a result cannot use the CLI. For complete access to all commands, you must log in with the administrator account named admin.

Command syntax

When entering a command, the CLI requires that you use valid syntax and conform to expected input constraints. It will reject invalid commands. For example, if you do not type the entire object that will receive the action of a command operator such as config, the CLI will return an error message such as:

Command fail. Return code is -284

This document uses the following conventions to describe valid command syntax.

Terminology

Each command line consists of a command word followed by words for the configuration data or other specific item that the command uses or affects, for example:

get system admin

This document uses terms in Figure 2 to describe the function of each word in the command line. In the web UI, most settings can be changed.
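The two text-editor tasks described above, finding every reference to an entry before deleting it and renaming an entry together with its references, as an added example (not FortiRecorder code). It works on a configuration backup in the `config ... edit ... set ... next ... end` form used in this Handbook; the sample text, the object names `camera network` and `camera camera`, and the field name `network` are constructed and may differ from a real backup, so check the actual field names before applying a rename. The first `#` line of the backup is left untouched, as the text requires.

```python
"""Find and rename references in a FortiRecorder-style config backup
(added example, not FortiRecorder code; object and field names are constructed)."""
import re

SAMPLE_CONFIG = """\
#config-version=FRC-1.1
config camera network
    edit "Warehouse"
        set subnet 192.0.2.0 255.255.255.0
    next
    edit "Lobby"
        set subnet 198.51.100.0 255.255.255.0
    next
end
config camera camera
    edit "EntranceCam"
        set network "Warehouse"
        set schedule "always"
    next
    edit "DockCam"
        set network "Warehouse"
    next
end
"""

_CONFIG_RE = re.compile(r'^\s*config\s+(.+?)\s*$')
# An `edit <name>` or `set <field> <value>` line, capturing the value and its
# optional quotes separately so only the value is swapped on rename.
_LINE_RE = re.compile(
    r'^(?P<head>\s*(?:edit|set\s+(?P<field>\S+))\s+)'
    r'(?P<q1>"?)(?P<value>.+?)(?P<q2>"?)(?P<tail>\s*)$')


def _walk(config_text):
    """Yield (object, table, line, match) for every line, tracking the scope."""
    obj = table = None
    for line in config_text.splitlines(keepends=True):
        stripped = line.strip()
        m = None
        cm = _CONFIG_RE.match(line)
        if cm:
            obj = cm.group(1)
        elif stripped == "next":
            table = None
        elif stripped == "end":
            obj = table = None
        elif not stripped.startswith("#"):          # never touch the header line
            m = _LINE_RE.match(line)
            if m and m.group("field") is None:      # an `edit` line names a table
                table = m.group("value")
        yield obj, table, line, m


def find_references(config_text, name):
    """Every (object, table, field) whose `set` value is `name`: these are the
    places that require the entry to exist and block its deletion."""
    return [(obj, table, m.group("field")) for obj, table, _, m in _walk(config_text)
            if m and m.group("field") and m.group("value") == name]


def can_delete(config_text, name):
    return not find_references(config_text, name)


def rename_entry(config_text, old, new, fields=None):
    """Rename the `edit` line that defines `old` and every `set` value equal to it.

    `fields` restricts which set-fields are rewritten; without it any field whose
    value happens to equal `old` is renamed, which can hit an unrelated entry of
    another object type that shares the name. Returns (new_text, lines_changed)."""
    if any(m and m.group("field") is None and m.group("value") == new
           for *_, m in _walk(config_text)):
        raise ValueError(f"an entry named {new!r} already exists")
    out, changed = [], 0
    for _, _, line, m in _walk(config_text):
        if m and m.group("value") == old and (
                m.group("field") is None or fields is None or m.group("field") in fields):
            line = m.group("head") + m.group("q1") + new + m.group("q2") + m.group("tail")
            changed += 1
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    print(find_references(SAMPLE_CONFIG, "Warehouse"))
    text, n = rename_entry(SAMPLE_CONFIG, "Warehouse", "LoadingBay", fields={"network"})
    print(n, "lines changed")
    print(text)
```

On the sample, `find_references` reports that both cameras reference “Warehouse” (so it cannot be deleted yet), while “Lobby” has no references and can be. The rename rewrites the definition and both `set network` lines in one pass; restoring the edited file follows the same backup, edit, restore steps given under “Editing the configuration file in a text editor”.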
If you do not enter a known command, the CLI will return an error message such as:

Parsing error at 'ste'. err=1

Figure 2: Command syntax terminology (Command, Object, Subcommand, Table, Field, Option, Value)

config system interface
    edit <port_name>
        set status {up | down}
        set ip <interface_ipv4mask>
    next
end

• command: A word that begins the command line and indicates an action that the FortiRecorder appliance should perform on a part of the configuration or host on the network, such as config or execute. Together with other words, such as fields or values, that you terminate by pressing the Enter key, it forms a command line. Exceptions include multi-line command lines, which can be entered using an escape sequence. (See “Shortcuts & key commands” on page 23.) Valid command lines must be unambiguous if abbreviated. (See “Command abbreviation” on page 24.) Optional words or other command line permutations are indicated by syntax notation. (See “Notation” on page 20.)
• subcommand: A kind of command that is available only when nested within the scope of another command. After entering a command, its applicable subcommands are available to you until you exit the scope of the command, or until you descend an additional level into another subcommand. Indentation is used to indicate levels of nested commands. (See “Indentation” on page 20.) Not all top-level commands have subcommands. Available subcommands vary by their containing scope. (See “Subcommands” on page 28.)
• object: A part of the configuration that contains tables and/or fields. Valid command lines must be specific enough to indicate an individual object.
• table: A set of fields that is one of possibly multiple similar sets that each have a name or number, such as an administrator account, policy, or network interface. These named or numbered sets are sometimes referenced by other parts of the configuration that use them. (See “Notation” on page 20.)
• field: The name of a setting, such as ip or hostname. Fields in some tables must be configured with values. Failure to configure a required field will result in an invalid object configuration error message, and the FortiRecorder appliance will discard the invalid table.
• value: A number, letter, IP address, or other type of input that is usually the configuration setting held by a field. Some commands, however, require multiple input values which may not be named but are simply entered in sequential order in the same command line. Valid input types are indicated by constraint notation. (See “Notation” on page 20.)
• option: A kind of value that must be one or more words from a fixed set of options. (See “Notation” on page 20.)

This Handbook is organized alphabetically by object for the config command, and by the name of the command for remaining top-level commands.

Indentation

Indentation indicates levels of nested commands, which indicate what other subcommands are available from within the scope. For example, the edit subcommand is available only within a command that affects tables, and the next subcommand is available only from within the edit subcommand:

config system interface
    edit port1
        set status up
    next
end

For information about available subcommands, see “Subcommands” on page 28.

Notation

Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input. If you do not use the expected data type, the CLI returns an error message such as:

data converting failed 2028
Command fail. Return code is -39

or:

integer value check fail! 0.all
Command fail. Return code is -61

and may either reject or discard your settings instead of saving them when you type end.

Table 2: Command syntax notation
Convention: Description
Square brackets [ ]: A non-required (optional) word or words. For example: [verbose {1 | 2 | 3}] indicates that you may either omit or type both the verbose word and its accompanying option, such as: verbose 3
Curly braces { }: A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].
Options delimited by vertical bars |: Mutually exclusive options. For example: {enable | disable} indicates that you must enter either enable or disable, but must not enter both.
Options delimited by spaces: Non-mutually exclusive options. For example: {http https ping snmp ssh telnet} indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as: ping https ssh. Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type: ping https snmp ssh. If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.
Angle brackets < >: A word constrained by data type. To define acceptable input, the angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example: <retries_int> indicates that you should enter a number of retries, such as 5. Data types include:
• <xxx_name>: A name referring to another part of the configuration, such as policy_A.
• <xxx_index>: An index number referring to another part of the configuration, such as 0 for the first static route.
• <xxx_pattern>: A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all e-mail addresses ending in @example.com.
• <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.
• <xxx_email>: An email address, such as [email protected].
• <xxx_url>: A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet.com/.
• <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
• <xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.
• <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
• <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.
• <xxx_ipv6>: A colon( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
• <xxx_v6mask>: An IPv6 netmask, such as /96.
• <xxx_ipv6mask>: An IPv6 address and netmask separated by a space.
• <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences.
• <xxx_int>: An integer number that is not another data type, such as 15 for the number of minutes.

Tips & tricks

Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.

This section includes:
• Help
• Shortcuts & key commands
• Command abbreviation
• Special characters
• Editing the configuration file in a text editor

Help

To display brief help during command entry, press the question mark (?) key.
• Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each.
• Press the question mark (?) key after a command keyword to display a list of the objects available with that command and a description of each.
• Type a word or part of a word, then press the question mark (?) key to display a list of valid word completions or subsequent words, and to display a description of each.

Shortcuts & key commands

Table 3: Shortcuts and key commands
Action: Keys
List valid word completions or subsequent words. If multiple words could complete your entry, display all possible completions with helpful descriptions of each.: ?
Complete the word with the next available match. Press the key multiple times to cycle through available matches.: Tab
Recall the previous command. Command memory is limited to the current session.: Up arrow, or Ctrl + P
Recall the next command.: Down arrow
Move the cursor left or right within the command line.: Left or Right arrow
Move the cursor to the beginning of the command line.: Ctrl + A
Move the cursor to the end of the command line.: Ctrl + E
Move the cursor backwards one word.: Ctrl + B
Move the cursor forwards one word.: Ctrl + F
Delete the current character.: Ctrl + D
Abort current interactive commands, such as when entering multiple lines. If you are not currently within an interactive command such as config or edit, this closes the CLI connection.: Ctrl + C
Continue typing a command on the next line for a multi-line command. For each line that you want to continue, terminate it with a backslash ( \ ). To complete the command line, terminate it by pressing the spacebar and then the Enter key.: \ then Enter

Command abbreviation

You can abbreviate words in the command line to their smallest number of non-ambiguous characters. For example, the command get system status could be abbreviated to:

g sy st

If you enter an ambiguous command, the CLI returns an error message such as:

Parsing error at 's'. err=2
Command fail. Return code is -284

Special characters

Special characters <, >, (, ), #, ', and " are usually not permitted in CLI. If you use them, without an immediately preceding backslash, the CLI will often return an error message such as:

Parsing error at 'word2'. err=1
Command fail. Return code is -284

Some may be enclosed in quotes or preceded with a backslash ( \ ) character.

Table 4: Entering special characters
Character: Keys
?: Ctrl + V then ?
Tab: Ctrl + V then Tab
Space (to be interpreted as part of a string value, not to end the string): Enclose the string in quotation marks: “Security Administrator”. Enclose the string in single quotes: 'Security Administrator'. Precede the space with a backslash: Security\ Administrator.
' (to be interpreted as part of a string value, not to end the string): \'
" (to be interpreted as part of a string value, not to end the string): \"
\: \\

Editing the configuration file in a text editor

Editing the configuration file with a plain text editor can be time-saving if:
• you have many changes to make,
• are not sure where the setting is in the CLI,
• and/or own several FortiRecorder appliances.

This is true especially if your plain text editor provides advanced features such as regular expressions for find-and-replace, or batch changes across multiple files. Several free text editors are available with these features, such as Text Wrangler and Notepad++.

Do not use a rich text editor such as Microsoft Word, which may corrupt the configuration file. Rich text editors insert special characters into the file in order to apply formatting.

To edit the configuration on your computer
1. Use “To back up the configuration via the CLI to a TFTP server” on page 118 to download the configuration file to a TFTP server, such as your management computer.
2. Edit the configuration file using a plain text editor that supports Unix-style line endings. The first lines of the configuration file (preceded by a # character) contain information about the firmware version and FortiRecorder model. Do not edit the first line. If you change the model number, the FortiRecorder appliance will reject the configuration file when you attempt to restore it.
3. Use “To upload a configuration via the CLI from a TFTP server” on page 119 to upload the modified configuration file back to the FortiRecorder appliance.

The FortiRecorder appliance downloads the configuration file and checks that the model information is correct. If it is, the FortiRecorder appliance loads the configuration file and checks each command for errors. If a command is invalid, the FortiRecorder appliance ignores the command. If the configuration file is valid, the FortiRecorder appliance restarts and loads the new configuration.

Top-level commands

The FortiRecorder CLI has the following top-level commands (see “Terminology” on page 18):
• config
• execute
• diagnose
• get
• show

config

The config commands configure your FortiRecorder appliance’s settings. For example, these lines show commands used to configure DNS query settings:

FortiRecorder# config system dns
FortiRecorder# set primary 172.16.95.19
FortiRecorder# end

See configuration testing instructions described in this document for each feature, and “Troubleshooting” on page 174.

execute

The execute command has an immediate and decisive effect on your FortiRecorder appliance and, for that reason, should be used with care. Unlike config commands, most execute commands do not result in any configuration change. Most of them are used for testing and troubleshooting. These commands do not have an equivalent in the web UI. For example:

FortiRecorder# execute ping 172.16.1.10
PING 172.16.1.10 (172.16.1.10): 56 data bytes
^C
--- 172.16.1.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

diagnose

The diagnose commands display diagnostic information that help you troubleshoot problems, and are used exclusively for troubleshooting. See “Troubleshooting” on page 174.
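The abbreviation rule from “Command abbreviation”, as an added example (not FortiRecorder code): each word may be shortened to the smallest prefix that matches exactly one word valid at that position, an exact match wins over longer words, and a prefix that matches several words is rejected as ambiguous rather than guessed. The command tree is a constructed subset for illustration; the real CLI has far more words, and the error strings here are the example's own, not the appliance's messages.

```python
"""Resolve abbreviated CLI command words against a command tree
(added example, not FortiRecorder code; the tree is a constructed subset)."""

# Constructed command tree: each level maps a word to the words that may follow it.
# An empty dict means the command takes free arguments (or nothing) after that word.
COMMAND_TREE = {
    "config":   {"system": {"admin": {}, "dns": {}, "interface": {}}},
    "get":      {"system": {"admin": {}, "dns": {}, "status": {}, "performance": {}}},
    "show":     {"system": {"admin": {}, "dns": {}, "interface": {}}},
    "execute":  {"ping": {}, "ping-options": {}},   # two words sharing a prefix
    "diagnose": {"system": {}},
}


class AmbiguousCommand(ValueError):
    """The abbreviation matches more than one word at this position."""


class UnknownCommand(ValueError):
    """The abbreviation matches no word at this position."""


def expand_word(word, candidates):
    """Return the one candidate that `word` abbreviates.

    An exact match is accepted even when it is also a prefix of a longer
    candidate (so 'ping' is not ambiguous with 'ping-options')."""
    if word in candidates:
        return word
    matches = sorted(c for c in candidates if c.startswith(word))
    if not matches:
        raise UnknownCommand(f"unknown word '{word}'")
    if len(matches) > 1:
        raise AmbiguousCommand(f"ambiguous abbreviation '{word}': {', '.join(matches)}")
    return matches[0]


def expand_command(line, tree=COMMAND_TREE):
    """Expand every abbreviated word in `line`; words past the end of the tree
    (IP addresses, names, values) are arguments and are passed through as typed."""
    level = tree
    out = []
    for word in line.split():
        if not level:
            out.append(word)
            continue
        full = expand_word(word, level)
        out.append(full)
        level = level[full]
    return " ".join(out)


def check_command(line, tree=COMMAND_TREE):
    """Non-raising form: ('ok', expanded_line) or ('error', message)."""
    try:
        return "ok", expand_command(line, tree)
    except (AmbiguousCommand, UnknownCommand) as exc:
        return "error", str(exc)


if __name__ == "__main__":
    for typed in ("g sy st", "e p 172.16.1.10", "e ping 172.16.1.10", "g sy dn", "xyz"):
        print(f"{typed!r:24} -> {check_command(typed)}")
```

`g sy st` expands to `get system status` as the text states; `e p` is refused because both `ping` and `ping-options` start with `p`, while `e ping` is accepted because the exact word takes precedence.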
get

The get command displays parts of your FortiRecorder appliance’s configuration in the form of a list of settings and their values. Unlike show, get displays all settings, even if they are still in their default state. For example, you might get the current DNS settings:

FortiRecorder# get system dns
primary : 172.16.95.19
secondary : 0.0.0.0
cache : disable

Notice that the command displays the setting for the secondary DNS server, even though it has not been configured.

Also unlike show, get requires that you specify the object or table whose settings you want to display, unless used from within an object or table. For example, at the root prompt, this command would be valid:

FortiRecorder# get system dns

and this command would not be:

FortiRecorder# get

Depending on whether or not you have specified an object, get may display one of two different outputs: either the configuration that you have just entered but not yet saved, or the configuration as it currently exists on the disk. For example, immediately after configuring the secondary DNS server setting but before saving it, get displays two different outputs (differences highlighted in bold):

FortiRecorder# config system dns
FortiRecorder# set secondary 192.168.1.10
FortiRecorder# get
primary : 172.16.95.19
secondary : 192.168.1.10
FortiRecorder# get system dns
primary : 172.16.95.19
secondary : 0.0.0.0

The first output from get indicates the value that you have configured but not yet saved; the second output from get indicates the value that was last saved to disk.

If you were to now enter end, saving your setting to disk, get output for both syntactical forms would again match. However, if you were to enter abort at this point and discard your recently entered secondary DNS setting instead of saving it to disk, the FortiRecorder appliance’s configuration would therefore match the second output, not the first.

If you have entered settings but cannot remember how they differ from the existing configuration, the two different forms of get, with and without the object name, can be a useful way to remind yourself.

Most get commands, such as get system dns, are used to display configured settings. You can find relevant information about such commands where this document describes the corresponding config commands. Other get commands, such as get system performance, are used to display system information that is not configurable. See “Statuses via the CLI” on page 166.

show

The show command displays parts of your FortiRecorder appliance’s configuration in the form of commands that are required to achieve that configuration from the firmware’s default state. Unlike get, show does not display settings that are assumed to remain in their default state. For example, you might show the current DNS settings:

FortiRecorder# show system dns
config system dns
    set primary 172.16.95.19
end

Notice that the command does not display the setting for the secondary DNS server. This indicates that it has not been configured, or has reverted to its default value.

Depending on whether or not you have specified an object, show may display one of two different outputs: either the configuration that you have just entered but not yet saved, or the configuration as it currently exists on the disk. For example, immediately after configuring the secondary DNS server setting but before saving it, show displays two different outputs (differences highlighted in bold):

FortiRecorder# config system dns
FortiRecorder# set secondary 192.168.1.10
FortiRecorder# show
config system dns
    set primary 172.16.95.19
    set secondary 192.168.1.10
end
FortiRecorder# show system dns
config system dns
    set primary 172.16.95.19
end

The first output from show indicates the value that you have configured but not yet saved; the second output from show indicates the value that was last saved to disk.

If you were to now enter end, saving your setting to disk, show output for both syntactical forms would again match. However, if you were to enter abort at this point and discard your recently entered secondary DNS setting instead of saving it to disk, the FortiRecorder appliance’s configuration would therefore match the second output, not the first.

If you have entered settings but cannot remember how they differ from the existing configuration, the two different forms of show, with and without the object name, can be a useful way to remind yourself.

Subcommands

Once you connect to the CLI, you can enter commands. Each command line consists of a command word that is usually followed by words for the configuration data or other specific item that the command uses or affects, for example:

get system admin

Subcommands are available from within the scope of some commands. When you enter a subcommand level, the command prompt changes to indicate the name of the current command scope. For example, after entering:

config system admin

the command prompt becomes:

FortiRecorder (admin)#

Applicable subcommands are available to you until you exit the scope of the command, or until you descend an additional level into another subcommand.
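The staged-versus-saved behaviour of get and show described above, as an added example (not FortiRecorder code): a small model of one config scope in which get lists every field including defaults, show lists only fields that differ from the defaults, the bare form inside a scope reads the values entered but not yet saved, the form with the object name reads what is on disk, end saves, abort discards, and unset restores the default. The `system dns` object, its defaults and its prompt string are constructed from this page's DNS example; the real appliance has many more objects and fields.

```python
"""Model of get/show against staged vs. saved configuration
(added example, not FortiRecorder code; object and defaults are constructed)."""
import copy

# Constructed defaults for the one object modelled here.
DEFAULTS = {
    "system dns": {"primary": "0.0.0.0", "secondary": "0.0.0.0", "cache": "disable"},
}


class CliSession:
    def __init__(self, saved=None, defaults=DEFAULTS):
        self.defaults = defaults
        self.saved = copy.deepcopy(saved if saved is not None else defaults)
        self.scope = None    # object currently being configured, e.g. "system dns"
        self.staged = None   # working copy of that object's fields, not yet on disk

    def config(self, obj):
        """Enter an object's scope; the prompt changes as the text describes."""
        self.scope = obj
        self.staged = copy.deepcopy(self.saved[obj])
        return f"FortiRecorder ({obj.split()[-1]})#"

    def set(self, field, value):
        if field not in self.staged:
            raise KeyError(f"unknown field {field!r} in {self.scope}")
        self.staged[field] = value

    def unset(self, field):
        self.staged[field] = self.defaults[self.scope][field]

    def end(self):
        """Save the staged copy to disk and leave the scope."""
        self.saved[self.scope] = self.staged
        self.scope = self.staged = None

    def abort(self):
        """Leave the scope, discarding anything staged since config()."""
        self.scope = self.staged = None

    def _fields(self, obj):
        # Bare form (obj=None) is valid only inside a scope and reads the staged
        # copy; the named form reads the configuration saved on disk.
        if obj is None:
            if self.scope is None:
                raise ValueError("Command fail: an object is required at the root prompt")
            return self.scope, self.staged
        return obj, self.saved[obj]

    def get(self, obj=None):
        """Every field and its value, defaults included."""
        _, fields = self._fields(obj)
        return [f"{k} : {v}" for k, v in fields.items()]

    def show(self, obj=None):
        """Only the commands needed to reach this state from the defaults."""
        name, fields = self._fields(obj)
        lines = [f"config {name}"]
        lines += [f"    set {k} {v}" for k, v in fields.items()
                  if v != self.defaults[name][k]]
        lines.append("end")
        return lines


if __name__ == "__main__":
    s = CliSession()
    s.config("system dns"); s.set("primary", "172.16.95.19"); s.end()
    print(s.config("system dns"))
    s.set("secondary", "192.168.1.10")
    print("\n".join(s.show()))               # staged: shows the secondary server
    print("\n".join(s.show("system dns")))   # on disk: does not
    s.abort()
    print("\n".join(s.get("system dns")))    # secondary back to 0.0.0.0
```

The walk-through in `__main__` reproduces the page's two-output example: after `set secondary` the bare `show` lists the new line while `show system dns` does not, and after `abort` the saved configuration still has the default secondary server, which `get` reports as `0.0.0.0` even though `show` omits it.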
For example, the edit subcommand is available only within a command that affects tables, and the next subcommand is available only from within the edit subcommand:

config system interface
    edit port1
        set status up
    next
end

Available subcommands vary by command. From a command prompt within config, two types of subcommands might become available:
• commands that affect fields (see “Field commands” on page 30)
• commands that affect tables (see “Table commands” on page 29)

Subcommand scope is indicated in this Handbook by indentation. See “Indentation” on page 20.

Syntax examples for each top-level command in this Handbook do not show all available subcommands. However, when nested scope is demonstrated, you should assume that subcommands applicable for that level of scope are available.

Table commands

Table 5: Commands for tables
delete <table_name>: Remove a table from the current object. For example, in config system admin, you could delete an administrator account named newadmin by typing delete newadmin and pressing Enter. This deletes newadmin and all its fields, such as newadmin’s first-name and email-address. delete is only available within objects containing tables.
edit <table_name>: Create or edit a table in the current object. For example, in config system admin:
• edit the settings for the default admin administrator account by typing edit admin.
• add a new administrator account with the name newadmin and edit newadmin‘s settings by typing edit newadmin.
edit is an interactive subcommand: further subcommands are available from within edit. edit changes the prompt to reflect the table you are currently editing. edit is only available within objects containing tables.
end: Save the changes to the current object and exit the config command. This returns you to the top-level command prompt.
get: List the configuration of the current object or table.
• In objects, get lists the table names (if present), or fields and their values.
• In a table, get lists the fields and their values.
purge: Remove all tables in the current object. For example, in config user local-user, you could type get to see the list of all local user names, then type purge and then y to confirm that you want to delete all users. purge is only available for objects containing tables. Caution: Back up the FortiRecorder appliance before performing a purge because it cannot be undone. To restore purged tables, the configuration must be restored from a backup. For details, see “Backups” on page 117. Caution: Do not purge system interface or system user tables. This can result in being unable to connect or log in, requiring the FortiRecorder appliance to be formatted and restored.
show: Display changes to the default configuration. Changes are listed in the form of configuration commands.

Example of table commands

From within the system user object, you might enter:

edit admin_1

The CLI acknowledges the new table, and changes the command prompt to show that you are now within the admin_1 table:

Add new entry 'admin_1' for node 78
(admin_1)#

Field commands

Table 6: Commands for fields
abort: Exit both the edit and/or config commands without saving the fields.
end: Save the changes made to the current table or object fields, and exit the config command. (To exit without saving, use abort instead.)
get: List the configuration of the current object or table.
• In objects, get lists the table names (if present), or fields and their values.
• In a table, get lists the fields and their values.
next: Save the changes you have made in the current table’s fields, and exit the edit command to the object prompt. (To save and exit completely to the root prompt, use end instead.) next is useful when you want to create or edit several tables in the same object, without leaving and re-entering the config command each time. next is only available from a table prompt; it is not available from an object prompt.
set <field_name> <value>: Set a field’s value. For example, in config system admin, after typing edit admin1, you could type set password newpass to change the password of the admin1 administrator to newpass. Note: When using set to change a field containing a space-delimited list, type the whole new list. For example, set <field> <new-value> will replace the list with the <new-value> rather than appending <new-value> to the list.
show: Display changes to the default configuration. Changes are listed in the form of configuration commands.
unset <field_name>: Reset the table or object’s fields to default values. For example, in config system admin, after typing edit admin1, typing unset password resets the password of the admin1 administrator account to the default (in this case, no password).

Example of field commands

From within the admin_1 table, you might enter:

set password my1stExamplePassword

to assign the value my1stExamplePassword to the password field. You might then enter the next command to save the changes and edit the next administrator’s table.

10-minute setup

To set up your FortiRecorder surveillance system, complete the steps below. The steps below are a summary. If you have questions, need specific details, or are not familiar with Fortinet products or networking equipment, don’t worry: just follow the detailed instructions and troubleshooting in “How to set up your FortiRecorder NVR & cameras” on page 33 from start to finish.

1. Registering your FortiRecorder NVR. Fortinet Technical Support will link your appliance with your account.
2. Configuring your or FortiRecorder’s DHCP server. Initially, the cameras require a DHCP server so that they can get network settings to connect to your network. Later, you use your FortiRecorder NVR to configure cameras with a static IP, so that the DHCP server is no longer required.
3. Configuring the network settings.
4. Setting the system time & date. Accurate time is required for cameras and your NVR to be in sync.
5. Connecting with the cameras. Plug in the cameras, then use your FortiRecorder NVR to discover their locations and configure them with schedules, the time/date, and network settings.
6. Adding the virtual IP/port mapping to your firewall. If you want to view motion detection notifications or use your FortiRecorder NVR while you are away from the office, your firewall or Internet router must direct these connections from the Internet to your FortiRecorder NVR. If you do not want your surveillance system to be accessible from the Internet, skip this step.
7. Adding logins for security personnel & network administrators.
8. Configuring notification email.
9. Testing your installation.

How to set up your FortiRecorder NVR & cameras

These instructions will guide you to the point where you have a simple, verifiable, working installation. From there, you can begin to use optional features such as logo customization, and to fine-tune your configuration.

Time required to deploy varies by:
• Number of your cameras
• Complexity of your network

Registering your FortiRecorder NVR

Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site: https://support.fortinet.com

Many Fortinet customer services such as firmware updates, technical support, and FortiGuard services require product registration. For more information, see the Fortinet Knowledge Base article Registration Frequently Asked Questions.

• …3af Power over Ethernet)
• Cameras require connectivity with the FortiRecorder NVR for video & control
• Snapshot notifications require port mapping from your Internet IP to the FortiRecorder NVR

Unless snapshots and the web UI should only be viewable from your local network (LAN), … Failure to do so could allow thieves and attackers to use your cameras.

Figure 3: Cameras with reserved DHCP IPs provided by FortiRecorder NVR (DHCP is no longer required if cameras now use static IPs.)
and whether you prefer your cameras to use DHCP or not. discovery requires the same subnet for both the FortiRecorder NVR & cameras • During setup. Similarly. there are a few ways that you can arrange your cameras and FortiRecorder NVR on your network. protect the power and network signals from physical access that could allow an attacker to disrupt or replace the camera signal. on your FortiGate. if any. Isolate your cameras from the Internet and any other untrusted network. Consider: • Cameras require PoE (IEEE 802. After setup. See “Appendix A: Port numbers” on page 212. the physical layout of your buildings. Page 34 FortiRecorder 1. firewall. or the FortiRecorder NVR. Below are three possible arrangements. or Internet gateway router. cameras require DHCP This can be provided by either your own DHCP server. create a public virtual IP (VIP) and/or port mapping that forwards snapshot view requests from your computer to the FortiRecorder NVR’s private network address. • During setup.Planning the network topology Depending on your equipment. Fortinet Technologies Inc. your computer must be able to connect with the FortiRecorder NVR. your FortiRecorder NVR must be able to connect to them through your network. Additional network requirements can be found in “Appendix A: Port numbers” on page 212.1 Handbook . To reply with live video feeds (“streams”) to your web browser when you are using the web UI or snapshot notifications. Page 35 FortiRecorder 1. this means that you must verify that signals passing back and forth between the FortiRecorder NVR and cameras are not blocked.Figure 4: Cameras with reserved DHCP IPs provided by 3rd-party DHCP Figure 5: Cameras with static IPs To send commands and receive requested video feeds from your cameras. If you are using a virtual IP to connect through a FortiGate or other NAT device. 
it must be configured to: • Allow and forward HTTP requests for the web UI (port 80 or 443) from your computer to the FortiRecorder NVR • Allow web UI replies and RTSP video streams (port 554) from the FortiRecorder NVR to your computer. If you have a firewall on your network. when connecting through the Internet. While you are directly connected to your office network.16. FortiRecorder NVR listens for connections to its web UI on port 80 for HTTP and port 443 for HTTPS. usually you will be able to connect. your computer must be able to know how to find your office network. network mask. and DNS settings to your new cameras until you are ready to configure them with permanent. and your office network only has one IP address on the Internet (that is. To prevent future accidental video feed disruptions that can be caused by IP address conflicts or by DHCP pool exhaustion.0.1.0. you would configure your firewall with a port mapping from 10.0. and the port number on which it listens.0. you do not want to add a virtual IP).16. static IP addresses.) Keep in mind that if they are not directly connected (e.1 port 443. where your video clips are stored. This is so that they can connect to your network and the FortiRecorder NVR can find them. the cameras will not permanently consume IPs in your DHCP pool. you should use the FortiRecorder NVR to assign static IP addresses to your cameras. Page 36 FortiRecorder 1. Internet service providers (ISPs) often block inbound connections to port 80. Fortinet Technologies Inc. Adding the virtual IP/port mapping to your firewall To be able to use snapshot notifications on the go — whether you are at home or in a far city — you must be able to connect back to your FortiRecorder NVR. gateway.g.During installation. they are separated by routers) you may also need to add routes so that the firewall or router knows how to deliver the connection. (By default. router. if you will connect through your FortiGate’s Internet address at https://10. 
For example. later.0.0. or Linux or Windows server. Map the connections that it receives on this IP/port to your FortiRecorder NVR’s IP address on your private network.1 Handbook .1:4443 to your FortiRecorder NVR’s private network address at https://172. However. and your firewall or Internet router must know to forward those connections to your FortiRecorder NVR — not to other computers on your office network. To do this. if you have an existing DHCP server such as a cable modem. so you may need to configure your firewall to open a higher numbered port such as 8080. you can use it to allocate temporary IP address.1 port 4443 to 172. As a result. configure your firewall or router with a port mapping and/or virtual IP on its WAN (Internet-facing) network interface. Connecting to the web UI or CLI To configure, maintain, and use the FortiRecorder appliance, you need to connect to it. There are two methods: • Web UI — A graphical user interface (GUI), from within a web browser. It can display video, but lacks many advanced diagnostic commands. Navigation menu Submenu Tab Content pane (may contain tabs or sub-panes) Dashboard widget • Command line interface (CLI) — A text interface similar to DOS or UNIX shell commands, from a Secure Shell (SSH) or Telnet terminal, or from the JavaScript CLI console in the web UI (Monitor > System Status > Console). It provides access to many advanced diagnostic commands as well as configuration, but lacks video. Access to the CLI and/or web UI through your network is not yet configured if: • you are connecting for the first time • you have just reset the configuration to its default state • you have just restored the firmware In these cases, you must initially attach your computer directly to FortiRecorder, and connect using the default settings. Fortinet Technologies Inc. Page 37 FortiRecorder 1.1 Handbook Via the direct connection, use the web UI, or CLI to configure FortiRecorder’s basic network settings. 
Once this is done, you will be able to place FortiRecorder on your network, and use FortiRecorder through your network.
Until the FortiRecorder appliance is configured with an IP address and connected to your network, you may prefer to connect the FortiRecorder appliance directly to your management computer, or through a switch, in a peer network that is isolated from your overall network. This will improve security during setup. However, isolation is not required.

Connecting to the web UI
You can connect to the web UI using its default settings. (By default, HTTPS access to the web UI is enabled.)
Table 7: Default settings for connecting to the web UI
Network Interface      port1
URL                    https://192.168.1.99/
Administrator Account  admin
Password               (none)
Requirements
• a computer with an RJ-45 Ethernet network port
• a web browser such as Microsoft Internet Explorer 8, Mozilla Firefox 3.5, Apple Safari 4, or Google Chrome 6 or greater
• a crossover Ethernet cable
To connect to the web UI
1. On your management computer, configure the Ethernet port with the static IP address 192.168.1.2 with a netmask of 255.255.255.0.
2. Using the Ethernet cable, connect your computer’s Ethernet port to the FortiRecorder appliance’s port1.
3. Start your browser and enter the URL: https://192.168.1.99/ (Remember to include the “s” in https://.) Your browser connects to the appliance. If you do not see the login page due to an SSL cipher error during the connection, and you are connecting to a LENC version of FortiRecorder, then your browser must be configured to accept encryption of 64-bit strength or less during the handshake. (RC2, RC4, and DES with less than 64-bit strength are supported. AES and 3DES are not supported in these versions.) For example, in Mozilla Firefox, if you receive this error message: ssl_error_no_cypher_overlap you may need to enter about:config in the URL bar, then set security.ssl3.rsa.rc4_40_md5 to true.
To support HTTPS authentication, the FortiRecorder appliance ships with a self-signed security certificate, which it presents to clients whenever they initiate an HTTPS connection to the FortiRecorder appliance. When you connect, depending on your web browser and prior access of the FortiRecorder appliance, your browser might display two security warnings related to this certificate: • The certificate is not automatically trusted because it is self-signed, rather than being signed by a valid certificate authority (CA). Self-signed certificates cannot be verified with a proper CA, and therefore might be fraudulent. You must manually indicate whether or not to trust the certificate. • The certificate might belong to another web site. The common name (CN) field in the certificate, which usually contains the host name of the web site, does not exactly match the URL you requested. This could indicate server identity theft, but could also simply indicate that the certificate contains a domain name while you have entered an IP address. You must manually indicate whether this mismatch is normal or not. Both warnings are normal for the default certificate. SSL v3 and TLS v1.0 are supported. 4. Verify and accept the certificate, either permanently (the web browser will not display the self-signing warning again) or temporarily. You cannot log in until you accept the certificate. For details on accepting the certificate, see the documentation for your web browser. 5. In the Name field, type admin, then click Login. (In its default state, there is no password for this account.) Login credentials entered are encrypted before they are sent to the FortiRecorder appliance. If your login is successful, the web UI appears. To continue by updating the firmware, see “Updating the firmware” on page 43. Otherwise, to continue by setting an administrative password, see “Changing the “admin” account password” on page 51. 
Connecting to the CLI
Using its default settings, you can access the CLI in two ways:
• Locally — Connect your computer, terminal server, or console directly to the FortiRecorder appliance’s console port.
• Through the network — Connect your computer through any network attached to one of the FortiRecorder appliance’s network ports. To connect using a Secure Shell (SSH) client, enable the network interface for Telnet or SSH administrative access. (By default, only SSH is enabled.) To connect using Monitor > System Status > Console in the web UI, see “Connecting to the web UI” on page 38.
Local access is required in some cases.
• If you are installing your FortiRecorder appliance for the first time and it is not yet configured to connect to your network, unless you reconfigure your computer’s network settings for a peer connection, you may only be able to connect to the CLI using a local console connection.
• Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot process completes, and therefore local CLI access is the only viable option.
Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. Supported SSH protocol versions, ciphers, and bit strengths include SSH version 2 with AES-128, 3DES, Blowfish, and SHA-1.
Table 8: Default settings for connecting to the CLI by SSH
Network Interface      port1
IP Address             192.168.1.99
SSH Port Number        22
Administrator Account  admin
Password               (none)
If you are not connecting for the first time, nor have you just reset the configuration to its default state or restored the firmware, administrative access settings may have already been configured. In this case, access the CLI using the IP address, administrative access protocol, administrator account and password already configured, instead of the default settings. You may need to use either the web UI or local console to enable network access to the CLI. See “SSH” on page 56 and related settings.
The following procedures describe connection using PuTTY software; steps may vary with other terminal emulators.
Requirements
• a computer with an available serial communications (COM) port
• the RJ-45-to-DB-9 or null modem cable included in your FortiRecorder package
• terminal emulation software such as PuTTY
To connect to the CLI using a local console connection
1. Using the RJ-45-to-DB-9 or null modem cable, connect your computer’s serial communications (COM) port to the FortiRecorder appliance’s console port.
2. Verify that the FortiRecorder appliance is powered on.
3. On your management computer, start PuTTY.
4. In the Category tree on the left, go to Connection > Serial and configure the following:
   Serial line to connect to   COM1 (or, if your computer has multiple serial ports, the name of the connected serial port)
   Speed (baud)                9600
   Data bits                   8
   Stop bits                   1
   Parity                      None
   Flow control                None
5. In the Category tree on the left, go to Session (not the sub-node, Logging) and from Connection type, select Serial.
6. Click Open.
7. Press the Enter key to initiate a connection. The login prompt appears.
8. Type admin then press Enter twice. (In its default state, there is no password for the admin account.) The CLI displays the following text, followed by a command line prompt:
   Welcome!
   You can now enter commands. To continue by updating the firmware, see “Updating the firmware” on page 43. Otherwise, to continue by setting an administrative password, see “Changing the “admin” account password” on page 51.
Requirements
• a computer with an RJ-45 Ethernet port
• a crossover Ethernet cable (if connecting directly) or straight-through Ethernet cable (if connecting through a switch or router)
• a FortiRecorder network interface configured to accept SSH connections (In its default state, port1 accepts SSH. You may need to connect directly first in order to configure a static route so that, later, you can connect through routers. For details, see “Adding a gateway” on page 58.)
• an SSH client, such as PuTTY
To connect to the CLI using an SSH connection
1. On your management computer, configure the Ethernet port with the static IP address 192.168.1.2 with a netmask of 255.255.255.0.
2. Using the Ethernet cable, connect your computer’s Ethernet port to the FortiRecorder appliance’s port1.
3. Verify that the FortiRecorder appliance is powered on.
4. On your management computer, start PuTTY. Initially, the Session category of settings is displayed.
5. In Host Name (or IP Address), type 192.168.1.99.
6. In Port, type 22.
7. From Connection type, select SSH.
8. Select Open. The SSH client connects to the FortiRecorder appliance. The SSH client may display a warning if this is the first time you are connecting to the FortiRecorder appliance and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiRecorder appliance but it used a different IP address or SSH key. If your management computer is directly connected to the FortiRecorder appliance with no network hosts between them, this is normal. Click Yes to verify the fingerprint and accept the FortiRecorder appliance’s SSH key. You cannot log in until you accept the key.
9. The CLI displays a login prompt.
10. Type admin and press Enter. (In its default state, there is no password for this account.) If three incorrect login or password attempts occur in a row, you will be disconnected. Wait one minute, then reconnect to attempt the login again.
The CLI displays a prompt, such as:
FortiRecorder #
You can now enter commands. To continue by updating the firmware, see “Updating the firmware” on page 43. Otherwise, to continue by setting an administrative password, see “Changing the “admin” account password” on page 51.
The prompt contains the host name of the FortiRecorder appliance, by default the model number such as FortiRecorder-200D #. To change the host name, see “Changing the FortiRecorder appliance’s host name” on page 121.
For available CLI commands, see the instructions in this document associated with the feature that you want to use or configure. Instructions will include both methods for the web UI and CLI.

CLI console in the web UI
Monitor > System Status > Console enables you to enter CLI commands such as get system status through the web UI, without making a separate Telnet, SSH, or local console connection to access the CLI. Doing so automatically logs you in using the same administrator account you used to access the web UI.
To use the console, first click within the console area. You can then type commands into the CLI console. Alternatively, you can copy and paste commands from or into the console. The CLI console in the web UI requires that your web browser support JavaScript.

Updating the firmware
Your new FortiRecorder appliance comes with the latest operating system (firmware) when shipped. However, if a new version has been released since your appliance was shipped, you should install it before you continue the installation. (Camera firmware is updated later, after you have connected your cameras to the appliance. See “Updating the cameras’ firmware” on page 82.)
Fortinet periodically releases FortiRecorder firmware updates to include enhancements and address issues. In addition to major releases that contain new features, Fortinet releases patch releases that resolve specific issues without containing new features and/or changes to existing features. It is recommended to download and install patch releases as soon as they are available.
Before you can download firmware updates for your FortiRecorder appliance, you must first register your FortiRecorder appliance with Fortinet Technical Support. For details, go to https://support.fortinet.com/ or contact Fortinet Technical Support.
New firmware can introduce new features which you must configure for the first time. For late-breaking information specific to the firmware release version, see the Release Notes available with that release.
After you register your FortiRecorder appliance, FortiRecorder firmware is available for download at: https://support.fortinet.com

Testing new firmware before installing it
You can test a new firmware image by temporarily running it from memory, without saving it to disk. By keeping your existing firmware on disk, if the evaluation fails, you can quickly revert to your existing firmware by simply rebooting the FortiRecorder appliance; you do not have to re-install your previous firmware.
To test a new firmware image
1. Download the firmware file from the Fortinet Technical Support web site: https://support.fortinet.com/
2. Connect your management computer to the FortiRecorder console port using a RJ-45-to-DB-9 serial cable or a null-modem cable.
3. Initiate a connection from your management computer to the CLI of the FortiRecorder appliance, and log in as the admin administrator. For details, see “Connecting to the web UI or CLI” on page 37.
4. Connect port1 of the FortiRecorder appliance directly or to the same subnet as a TFTP server.
5. Copy the new firmware image file to the root directory of the TFTP server.
6. If necessary, start your TFTP server. (If you do not have one, you can temporarily install and run one such as tftpd (Windows, Mac OS X, or Linux) on your management computer.) Because TFTP is not secure, and because it does not support authentication and could allow anyone to have read and write access, you should only run it on trusted administrator-only networks, never on computers directly connected to the Internet. If possible, immediately turn off tftpd when you are done.
7. Verify that the TFTP server is currently running, and that the FortiRecorder appliance can reach the TFTP server. To use the FortiRecorder CLI to verify connectivity, enter the following command:
   execute ping 192.168.1.168
   where 192.168.1.168 is the IP address of the TFTP server.
8. Enter the following command to restart the FortiRecorder appliance:
   execute reboot
9. As the FortiRecorder appliance starts, a series of system startup messages appear.
   Press any key to display configuration menu.
10. Immediately press a key to interrupt the system startup. You have only three seconds to press a key. If you do not press a key soon enough, the FortiRecorder appliance reboots and you must log in and repeat the execute reboot command. If you successfully interrupt the startup process, the following messages appear:
   [G]: Get firmware image from TFTP server.
   [F]: Format boot device.
   [B]: Boot with backup firmware and set as default.
   [Q]: Quit menu and continue to boot with default firmware.
   [H]: Display this list of options.
   Enter G,F,B,Q,or H:
   Please connect TFTP server to Ethernet port "1".
11. Type G to get the firmware image from the TFTP server. The following message appears:
   Enter TFTP server address [192.168.1.168]:
12. Type the IP address of the TFTP server and press Enter. The following message appears:
   Enter local address [192.168.1.188]:
13. Type a temporary IP address that can be used by the FortiRecorder appliance to connect to the TFTP server. The following message appears:
   Enter firmware image file name [image.out]:
14. Type the firmware image file name and press Enter. The FortiRecorder appliance downloads the firmware image file from the TFTP server and displays a message similar to the following:
   Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
15. Type R. The FortiRecorder image is loaded into memory and uses the current configuration.
16. To verify that the new firmware image was loaded, log in to the CLI and type:
   get system status
17. Test the new firmware image.
   • If the new firmware image operates successfully, you can install it to disk, overwriting the existing firmware, using the procedure “Installing firmware” on page 45.
   • If the new firmware image does not operate successfully, reboot the FortiRecorder appliance to discard the temporary firmware and resume operation using the existing firmware.

Installing firmware
You can use either the web UI or the CLI to upgrade or downgrade the appliance’s operating system.
Firmware changes are either:
• an update to a newer version
• a reversion to an earlier version
To determine if you are updating or reverting the firmware, go to Monitor > System Status > Status and in the System Information widget, see the Firmware Version row. (Alternatively, in the CLI, enter the command get system status.) For example, if your current firmware version is:
FortiRecorder-200D v1.0.0,build0066,120824
changing to
FortiRecorder-200D v1.0.0,build0065,120821
an earlier build number (65) and date (120821 means August 21, 2012) indicates that you are reverting.
Back up your configuration before beginning this procedure. Reverting to an earlier firmware version could reset settings that are not compatible with the new firmware. For information on reconnecting to a FortiRecorder appliance whose network interface configuration was reset, see “Connecting to the web UI or CLI” on page 37. For information on backups, see “Backups” on page 117.
If you are installing a firmware version that requires a different size of system partition, you may be required to format the boot device before installing the firmware by re-imaging the boot device. Consult the Release Notes. In that case, do not install the firmware using this procedure. Instead, see “Restoring firmware (“clean install”)” on page 209.
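The build-number and date comparison described above, carried out in code. This is an added example, not Fortinet code and not part of the handbook: the function names are mine, and the version-string layout (model, vMAJOR.MINOR.PATCH, buildNNNN, then a YYMMDD date, comma-separated) is assumed from the handbook’s own example strings. It also flags the case where the build-number ordering and the build dates disagree, which is worth a second look before you install.

```python
import re
from datetime import datetime

# Firmware version string as shown by `get system status` and the System
# Information widget, e.g. "FortiRecorder-200D v1.0.0,build0066,120824".
# The layout is assumed from the handbook's example; this is not Fortinet code.
VERSION_RE = re.compile(
    r"^(?P<model>\S+)\s+v(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r",build(?P<build>\d+),(?P<yymmdd>\d{6})$"
)


def parse_firmware_version(text):
    """Split a version string into model, (major, minor, patch), build and date."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognized firmware version string: {text!r}")
    return {
        "model": m["model"],
        "version": (int(m["major"]), int(m["minor"]), int(m["patch"])),
        "build": int(m["build"]),
        # 120821 means August 21, 2012: two-digit year, month, day
        "date": datetime.strptime(m["yymmdd"], "%y%m%d").date(),
    }


def classify_firmware_change(current, new):
    """Describe the move from `current` to `new` as an update, a reversion,
    or no change, and report whether the build dates agree with the
    build-number ordering."""
    cur = parse_firmware_version(current)
    nxt = parse_firmware_version(new)
    if cur["model"] != nxt["model"]:
        # Images are per model; refuse to compare across models.
        raise ValueError(f"model mismatch: {cur['model']} vs {nxt['model']}")
    # Version tuple first, then build number, compared lexicographically.
    cur_key = cur["version"] + (cur["build"],)
    new_key = nxt["version"] + (nxt["build"],)
    if new_key > cur_key:
        change = "update"
        dates_agree = nxt["date"] >= cur["date"]
    elif new_key < cur_key:
        change = "reversion"
        dates_agree = nxt["date"] <= cur["date"]
    else:
        change = "same"
        dates_agree = nxt["date"] == cur["date"]
    return {"change": change, "dates_agree": dates_agree}


if __name__ == "__main__":
    # The handbook's example: build 66 (Aug 24, 2012) down to build 65 (Aug 21, 2012).
    print(classify_firmware_change(
        "FortiRecorder-200D v1.0.0,build0066,120824",
        "FortiRecorder-200D v1.0.0,build0065,120821",
    ))
```

Run it with the two strings from the handbook and it reports a reversion with consistent dates; a result of "reversion" is the cue to take the configuration backup the next paragraph requires before proceeding.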
To install firmware via the web UI
1. Download the firmware file from the Fortinet Technical Support web site: https://support.fortinet.com/
2. Log in to the web UI of the FortiRecorder appliance as the admin administrator.
3. Go to Monitor > System Status > Status.
   Figure 6: System Information widget
4. In the System Information widget, in the Firmware version row, click Update. The Firmware Upgrade/Downgrade dialog appears.
5. Click Browse to locate and select the firmware file that you want to install, then click OK.
6. Click OK. Your management computer uploads the firmware image to the FortiRecorder appliance. The FortiRecorder appliance installs the firmware and restarts. The time required varies by the size of the file and the speed of your network connection, and by the amount of time that the specific model requires to reboot. Over a LAN connection, it should only take a couple minutes until the appliance becomes available again.
7. Clear the cache of your web browser and restart it to ensure that it reloads the web UI and correctly displays all interface changes. For details, see your browser's documentation.
8. To verify that the firmware was successfully installed, log in to the web UI and go to Monitor > System Status > Status. In the System Information widget, the Firmware version row indicates the currently installed firmware version.
9. If you are downgrading the firmware to a previous version, and the settings are not fully backwards compatible, the FortiRecorder appliance may either remove incompatible settings, or use the feature’s default values for that version of the firmware. You may need to reconfigure some settings.
10. If you want to install alternate firmware on the secondary partition, follow “Installing alternate firmware” on page 48.
11. Continue with “Changing the “admin” account password” on page 51.
To install firmware via the CLI
1. Download the firmware file from the Fortinet Technical Support web site: https://support.fortinet.com/
2. Connect your management computer to the FortiRecorder console port using a RJ-45-to-DB-9 serial cable or a null-modem cable.
3. Initiate a connection from your management computer to the CLI of the FortiRecorder appliance, and log in as the admin administrator. For details, see “Connecting to the web UI or CLI” on page 37.
4. Connect port1 of the FortiRecorder appliance directly or to the same subnet as a TFTP server.
5. Copy the new firmware image file to the root directory of the TFTP server.
6. If necessary, start your TFTP server. (If you do not have one, you can temporarily install and run one such as tftpd (Windows, Mac OS X, or Linux) on your management computer.) Because TFTP is not secure, and because it does not support authentication and could allow anyone to have read and write access, you should only run it on trusted administrator-only networks, never on computers directly connected to the Internet. If possible, immediately turn off tftpd when you are done.
7. Verify that the TFTP server is currently running, and that the FortiRecorder appliance can reach the TFTP server. To use the FortiRecorder CLI to verify connectivity, enter the following command:
   execute ping 192.168.1.168
   where 192.168.1.168 is the IP address of the TFTP server.
8. Enter the following command to download the firmware image from the TFTP server to the FortiRecorder appliance:
   execute restore image tftp <name_str> <tftp_ipv4>
   where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
   execute restore image tftp image.out 192.168.1.168
   One of the following messages appears:
   This operation will replace the current firmware version!
   Do you want to continue? (y/n)
   or:
   Get image from tftp server OK.
   Check image OK.
   This operation will downgrade the current firmware version!
   Do you want to continue? (y/n)
9. Type y. The FortiRecorder appliance downloads the firmware image file from the TFTP server. The FortiRecorder appliance installs the firmware and restarts. The time required varies by the size of the file and the speed of your network connection.
10. To verify that the firmware was successfully installed, log in to the CLI and type:
   get system status
   The firmware version number is displayed.
11. If you are downgrading the firmware to a previous version, the FortiRecorder appliance reverts the configuration to default values for that version of the firmware. You will need to reconfigure the FortiRecorder appliance or restore the configuration file from a backup. For details, see “Connecting to the web UI or CLI” on page 37 and, if you opt to restore the configuration, “Restoring a previous configuration” on page 119.
12. If you want to install alternate firmware on the secondary partition, follow “Installing alternate firmware” on page 48.
13. Continue with “Changing the “admin” account password” on page 51.

Installing alternate firmware
You can install alternate firmware which can be loaded from its separate partition if the primary firmware fails. This can be accomplished via the CLI.
To install alternate firmware via the CLI
1. Download the firmware file from the Fortinet Technical Support web site: https://support.fortinet.com/
2. Connect your management computer to the FortiRecorder console port using a RJ-45-to-DB-9 serial cable or a null-modem cable.
3. Initiate a connection from your management computer to the CLI of the FortiRecorder appliance, and log in as the admin administrator. For details, see “Connecting to the web UI or CLI” on page 37.
4. Connect port1 of the FortiRecorder appliance directly or to the same subnet as a TFTP server.
5. Copy the new firmware image file to the root directory of the TFTP server.
6. If necessary, start your TFTP server. (If you do not have one, you can temporarily install and run one such as tftpd (Windows, Mac OS X, or Linux) on your management computer.) Because TFTP is not secure, and because it does not support authentication and could allow anyone to have read and write access, you should only run it on trusted administrator-only networks, never on computers directly connected to the Internet. If possible, immediately turn off tftpd when you are done.
7. Verify that the TFTP server is currently running, and that the FortiRecorder appliance can reach the TFTP server. To use the FortiRecorder CLI to verify connectivity, enter the following command:
   execute ping 192.168.1.168
   where 192.168.1.168 is the IP address of the TFTP server.
8. Enter the following command to restart the FortiRecorder appliance:
   execute reboot
9. As the FortiRecorder appliance starts, a series of system startup messages appear.
   Press any key to display configuration menu.
10. Immediately press a key to interrupt the system startup. You have only 3 seconds to press a key. If you do not press a key soon enough, the FortiRecorder appliance reboots and you must log in and repeat the execute reboot command. If you successfully interrupt the startup process, the following messages appear:
   [G]: Get firmware image from TFTP server.
   [F]: Format boot device.
   [B]: Boot with backup firmware and set as default.
   [Q]: Quit menu and continue to boot with default firmware.
   [H]: Display this list of options.
   Enter G,F,B,Q,or H:
   Please connect TFTP server to Ethernet port "1".
11. Type G to get the firmware image from the TFTP server. The following message appears:
   Enter TFTP server address [192.168.1.168]:
12. Type the IP address of the TFTP server and press Enter. The following message appears:
   Enter local address [192.168.1.188]:
13. Type a temporary IP address that can be used by the FortiRecorder appliance to connect to the TFTP server. The following message appears:
   Enter firmware image file name [image.out]:
14. Type the firmware image file name and press Enter. The FortiRecorder appliance downloads the firmware image file from the TFTP server and displays a message similar to the following:
   Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
15. Type B. The FortiRecorder appliance saves the backup firmware image and restarts. Each firmware version is stored in a separate disk partition. When the FortiRecorder appliance reboots, it is running the primary firmware.
To boot into alternate firmware via the local console CLI
1. Install firmware onto the alternate partition (see “Installing alternate firmware” on page 48).
2. Connect your management computer to the FortiRecorder console port using a RJ-45-to-DB-9 serial cable or a null-modem cable.
3. Initiate a connection from your management computer to the CLI of the FortiRecorder appliance, and log in as the admin administrator. For details, see “Connecting to the web UI or CLI” on page 37.
4. Enter the following command to restart the FortiRecorder appliance:
   execute reboot
5. As the FortiRecorder appliance starts, a series of system startup messages appear.
   Press any key to display configuration menu.
   Immediately press a key to interrupt the system startup. You have only 3 seconds to press a key. If you do not press a key soon enough, the FortiRecorder appliance reboots and you must log in and repeat the execute reboot command. If you successfully interrupt the startup process, the following messages appear:
   [G]: Get firmware image from TFTP server.
   [F]: Format boot device.
   [B]: Boot with backup firmware and set as default.
Press any key to display configuration menu. Booting from the alternate partition Each appliance can have up to two firmware versions installed. [Q]: [H]: Quit menu and continue to boot with default firmware. Display this list of options. Enter G,F,B,Q,or H: Please connect TFTP server to Ethernet port "1". 6. Type B to reboot and use the backup firmware. Fortinet Technologies Inc. Page 50 FortiRecorder 1.1 Handbook Changing the “admin” account password The default administrator account, named admin, initially has no password. Unlike other administrator accounts, the admin administrator account exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. This administrator account always has full permission to view and change all FortiRecorder configuration options, including viewing and changing all other administrator accounts. Its name and permissions cannot be changed. Before you connect the FortiRecorder appliance to your overall network, you should configure the admin account with a password to prevent others from logging in to the FortiRecorder and changing its configuration.Computers or devices directly connected to the Internet with default logins can be compromised in seconds. Set a strong password for the admin administrator account, and change the password regularly. Failure to maintain the password of the admin administrator account could compromise the security of your FortiRecorder appliance. As such, it is against best practices. Strong passwords prevent unauthorized people from guessing your password, and thereby gaining access to your surveillance system. To be strong, your password should be: • At least 8 characters • Contain a mixture of letters, numbers, and punctuation • Not repeat characters • Not contain: • Personal names • Place names or addresses • Words • Birthdays • Anniversary dates The best passwords are random, but also easily remembered. 
For example, you could think of a memorable sentence, then take the first or last letters and numbers in each word to make your password.

To change the admin administrator password via the web UI
1. Log in to the admin administrator account.
Other accounts may not have the permissions necessary to change this setting. For details, see “Permissions” on page 12.
2. Go to System > User > User.
3. In the row corresponding to the admin administrator account, click Change password.
4. In the Old Password field, do not enter anything. (In its default state, there is no password for the admin account.)
5. In the New Password field, enter a password with sufficient complexity and number of characters to deter brute force and other attacks.
6. In the Confirm Password field, enter the new password again to confirm its spelling.
7. Click OK.
8. Click Logout.
The FortiRecorder appliance logs you out. To continue using the web UI, you must log in again. The new password takes effect the next time that administrator account logs in.

To change the admin administrator password via the CLI
1. Log in to the admin administrator account.
Other accounts may not have the permissions necessary to change this setting. For details, see “Permissions” on page 12.
2. Enter the following commands:
  config system admin
    edit admin
      set password <new-password_str> ''
  end
  exit
where <new-password_str> is the password for the administrator account named admin.
The new password will take effect only for newly initiated sessions in the CLI or web UI.

Configuring the network settings
When shipped, each of the FortiRecorder appliance’s physical network adapter ports has a default IP address and netmask. If these IP addresses and netmasks are not compatible with the design of your unique network, you must configure them.
Table 9: Default IP addresses and netmasks
Network Interface*   IP Address      Netmask
port1                192.168.1.99    255.255.255.0
port2                192.168.2.99    255.255.255.0
port3                192.168.3.99    255.255.255.0
port4                192.168.4.99    255.255.255.0
* The number of network interfaces may vary by model.

You also must configure the FortiRecorder NVR with the IP address of your DNS servers and gateway router. You can use either the web UI or CLI to configure these basic network settings.

Configuring the network interfaces
To connect to the CLI and web UI, you must assign at least one FortiRecorder network interface (usually port1) with an IP address and netmask so that it can receive your connections. Depending on your network, you usually must configure others so that the FortiRecorder NVR can connect to the Internet and cameras. Configure each network interface that will connect to your network or computer.

To configure a physical network interface’s IP address via the web UI
1. Log in to the admin administrator account.
2. Go to System > Network > Interface.
If the network interface’s Status column is a red “down” arrow, its administrative status is currently “down” and it will not receive or emit packets, even if you otherwise configure it. To bring up the network interface, edit the Administrative status setting.
This Status column is not the detected physical link status (see “System Command widget” on page 165); it is the administrative status that indicates whether you permit the network interface to receive and/or transmit packets. For example, if the cable is physically unplugged, diagnose netlink interface list port1 may indicate that the link is down, even though you have administratively enabled it by Administrative status.
3. Double-click the row to select the physical network interface that you want to modify.
A dialog appears. At the top of it is the name and media access control (MAC) address of this network interface. Each physical network interface is directly associated with one physical link as indicated by its name, such as port2.
4. Configure these settings:

Setting name          Description
Discover cameras      Enable to send multicast camera discovery traffic from this network interface. For more information, see “Discovery” on page 8 and step 5 in “Connecting with the cameras” on page 75.
IP/Netmask            If you want to manually assign an IP address and subnet mask to this network interface, select Manual and then provide the IP address and netmask in IP/Netmask. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet. IPv4 subnet masks should be provided in CIDR format, e.g. /24 instead of 255.255.255.0.
                      Otherwise, select DHCP and enable Connect to server to retrieve a DHCP lease when you save this configuration. If you want the FortiRecorder NVR to also retrieve DNS and default route (“gateway”) settings, if any, also enable Retrieve default gateway and DNS from server. Retrieve default gateway and DNS from server will overwrite the existing DNS and default route.
Access                Enable the types of administrative access that you want to permit to this interface.
                      Caution: Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. Failure to restrict administrative access could compromise the security of your FortiRecorder appliance. If possible, enable only secure administrative access protocols such as HTTPS or SSH.
                      These options only govern incoming connections destined for the appliance itself. These options do not disable outgoing administrative connections, such as update polling connections to the FDN or outgoing ICMP resulting from a CLI command such as execute ping. Neither do they govern traffic destined for a web server or virtual server, which are governed by policies.
  PING                Enable to allow:
                      • ICMP type 8 (ECHO_REQUEST)
                      • UDP ports 33434 to 33534 for ping and traceroute
                      to be received on this network interface. When it receives an ECHO_REQUEST, FortiRecorder will reply with ICMP type 0 (ECHO_RESPONSE).
                      Note: Disabling PING only prevents FortiRecorder from receiving ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP. It does not disable FortiRecorder CLI commands such as execute ping or execute traceroute that send such traffic.
  HTTP                Enable to allow HTTP connections to the web UI through this network interface. To configure the listening port number, see “Global web UI & CLI settings” on page 12.
                      Caution: HTTP connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiRecorder appliance.
  HTTPS               Enable to allow secure HTTPS connections to the web UI through this network interface. To configure the listening port number, see “Global web UI & CLI settings” on page 12. To upload a certificate, see “Replacing the default certificate for the web UI” on page 131.
  SSH                 Enable to allow SSH connections to the CLI through this network interface.
  SNMP                Enable to allow SNMP queries to this network interface, if queries have been configured and the sender is a configured SNMP manager. To configure the listening port number and configure queries and traps, see “SNMP traps & queries” on page 144.
  TELNET              Enable to allow Telnet connections to the CLI through this network interface.
                      Caution: Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiRecorder appliance.
MTU                   Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes.
                      If network devices between the FortiRecorder unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.
                      The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value. RFC 2516 prescribes a value of 1492 for PPPoE.
Administrative status Select either:
                      • Up — Enable (that is, bring up) the network interface so that it can send and receive traffic.
                      • Down — Disable (that is, bring down) the network interface so that it cannot send or receive traffic.

5. Click OK.
If you were connected to the web UI through this network interface, you are now disconnected from it. To access the web UI again, in your web browser, modify the URL to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 10.10.10.5, you would browse to:
  https://10.10.10.5
If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiRecorder appliance, you may also need to modify the IP address and subnet of your computer to match the FortiRecorder appliance’s new IP address.

To configure a physical network interface’s IP address via the CLI
1. Log in to the admin administrator account.
2. Enter the following commands:
  config system interface
    edit <interface_name>
      set ip <address_ipv4> <netmask_ipv4mask>
      [set ip6 <address_ipv6> <netmask_ipv6mask>]
      set allowaccess {http https ping snmp ssh telnet}
  end
where:
• <interface_name> is the name of a network interface
• <address_ipv4> is the IP address assigned to the network interface
• <netmask_ipv4mask> is its netmask in dotted decimal format
• {http https ping snmp ssh telnet} is a space-delimited list of zero or more administrative protocols that you want to allow to access the FortiRecorder appliance through the network interface
HTTP and Telnet connections are not secure, and can be intercepted by a third party. If possible, enable these protocols only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through these protocols could compromise the security of your FortiRecorder appliance.
If you were connected to the CLI through this network interface, you are now disconnected from it. To access the CLI again, in your terminal client, modify the address to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 172.16.1.20, you would connect to that IP address.
If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiRecorder appliance, you may also need to modify the IP address and subnet of your computer to match the FortiRecorder appliance’s new IP address.

Adding a gateway
Static routes direct traffic exiting the FortiRecorder appliance — you can specify through which network interface a packet will leave, and the IP address of a next-hop router that is reachable from that network interface. Your FortiRecorder itself does not need to know the full route, as long as the routers can pass along the packet.
You may need to configure multiple static routes if you have multiple gateway routers (e.g. each of which should receive packets destined for a different subset of IP addresses), redundant routers (e.g. redundant Internet/ISP links), or other special routing cases. However, often you will only need to configure one route: a default route.
If you used DHCP and Retrieve default gateway and DNS from server when configuring your network interfaces, skip this step — the default route was configured automatically.
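The route selection rule this section describes (a packet's destination IP address is compared against the destination IP/netmask of each static route, the most specific match wins, and a destination of 0.0.0.0/0.0.0.0 is a default route that catches everything else) as an added Python example. This is not FortiRecorder code; the interface addresses, the static route list and the destination addresses are constructed for the demonstration, and the gateway check mirrors the handbook's note that the gateway IP address must be in the same subnet as a network interface's IP address.

```python
"""Static-route selection: longest prefix match with a default route.

Added example, not FortiRecorder code. Routes are written in the web UI's
'IP/netmask' notation (dotted mask or CIDR prefix, separated by a slash).
All addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    index: int                          # index number in the static route list
    destination: ipaddress.IPv4Network  # "Destination IP/netmask"
    gateway: ipaddress.IPv4Address      # next-hop router ("Gateway")
    device: str                         # egress interface, e.g. "port1"


def parse_destination(text: str) -> ipaddress.IPv4Network:
    """Accept 'a.b.c.d/255.255.255.0' as well as 'a.b.c.d/24';
    strict=False tolerates host bits in the address part."""
    ip_part, mask_part = text.split("/", 1)
    return ipaddress.ip_network(f"{ip_part}/{mask_part}", strict=False)


def make_route(index: int, destination: str, gateway: str, device: str) -> StaticRoute:
    return StaticRoute(index, parse_destination(destination),
                       ipaddress.ip_address(gateway), device)


# Constructed interface table: interface name -> its address/netmask
# (the handbook's default addresses for port1 and port2).
INTERFACES = {
    "port1": ipaddress.ip_interface("192.168.1.99/24"),
    "port2": ipaddress.ip_interface("192.168.2.99/24"),
}


def validate_gateway(route: StaticRoute, interfaces=INTERFACES) -> str:
    """The gateway must lie in the same subnet as a network interface's IP
    address. Returns the name of the interface whose subnet contains it,
    or raises ValueError."""
    for name, iface in interfaces.items():
        if route.gateway in iface.network:
            return name
    raise ValueError(f"route {route.index}: gateway {route.gateway} "
                     "is not in any interface subnet")


def select_route(destination: str, routes) -> Optional[StaticRoute]:
    """Return the matching route with the largest prefix length, or None
    when no route (not even a default route) matches: the packet is then,
    in effect, null routed."""
    dst = ipaddress.ip_address(destination)
    best = None
    for route in routes:
        if dst in route.destination:
            if best is None or route.destination.prefixlen > best.destination.prefixlen:
                best = route
    return best


# Constructed static route list.
ROUTES = [
    make_route(1, "0.0.0.0/0.0.0.0", "192.168.1.1", "port1"),          # default route
    make_route(2, "10.20.0.0/255.255.0.0", "192.168.2.1", "port2"),
    make_route(3, "10.20.30.0/255.255.255.0", "192.168.2.254", "port2"),  # more specific
]


def next_hop(destination: str, routes=ROUTES):
    """(gateway, device) chosen for a destination, or None if nothing matches."""
    route = select_route(destination, routes)
    return None if route is None else (str(route.gateway), route.device)


if __name__ == "__main__":
    for r in ROUTES:
        print(f"route {r.index}: gateway reachable via {validate_gateway(r)}")
    for dst in ("10.20.30.7", "10.20.99.1", "198.51.100.8"):
        print(dst, "->", next_hop(dst))
    # Without the default route, an unmatched destination is null routed:
    print("198.51.100.8 without default route ->", next_hop("198.51.100.8", ROUTES[1:]))
```

Route 3 wins for 10.20.30.7 even though route 2 also matches, because /24 is a longer prefix than /16; only the default route matches 198.51.100.8, and removing it leaves that destination with no route at all, which is the "destination unreachable" situation the default route exists to prevent.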
and your computer is directly connected to the FortiRecorder appliance. Routers are aware of which IP addresses are reachable through various network pathways.16. Failure to restrict administrative access through this protocol could compromise the security of your FortiRecorder appliance.g. You must configure FortiRecorder with at least one static route that points to a router. you are now disconnected from it. redundant routers (e. as long as the routers can pass along the packet.2. or directly to your management computer.g. and can forward those packets along pathways capable of reaching the packets’ ultimate destinations. skip this step — the default route was configured automatically.1. often a router that is the gateway to the Internet. However. enable this option only for network interfaces connected to a trusted private network. and the IP address of a next-hop router that is reachable from that network interface.20. (Egress port for a route cannot be manually configured. 3. you might need to add only one route: a default route that indicates the gateway router through which the FortiRecorder appliance can send traffic in the direction towards the Internet. To add a static route via the web UI 1.1 Handbook . if a web server is directly attached to one physical port on the FortiRecorder. To determine which route a packet will be subject to. are located on distant networks. see “Permissions” on page 12. Fortinet Technologies Inc. 2. Other accounts may not have permissions necessary to change this setting. such as connecting clients.For example. Go to System > Network > Routing. but all other destinations. It will forward the packet along to the route with the largest prefix match. The index number of the route in the list of static routes is not necessarily the same as its position in the cached routing table (diagnose netlink rtcache list). automatically egressing from the network interface on that network. 
If no route having the same destination exists in the list of static routes. For details. you may also require a static route so that your management computer is able to connect with the web UI and CLI. using the next unassigned route index number. Click New. FortiRecorder examines each packet’s destination IP address and compares it to those of the static routes. the FortiRecorder appliance evaluates the route to determine if it represents a different route compared to any other route already present in the list of static routes. Page 59 FortiRecorder 1. the FortiRecorder appliance adds the static route.) When you add a static route through the web UI. Log in to the admin administrator account. A dialog appears. such as the Internet. If your management computer is not directly attached to one of the physical ports of the FortiRecorder appliance. and if there is a gap in your routes where no route matches a packet’s destination IP address.0. • If these tests succeed. To verify connectivity.0. then use the equivalent tracert or traceroute command on the computer (depending on its operating system) to test routability for traffic traveling in the opposite direction: from the host to the FortiRecorder. For a direct Internet connection. in effect. packets passing through the FortiRecorder towards those IP addresses will. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/netmask. that there are no IP address or MAC address conflicts or blacklisting.0 results in a default route. first examine the static route configuration on both the host and FortiRecorder. The FortiRecorder appliance should now be reachable to connections with networks indicated by the mask. Also examine routers and firewalls between the host and the FortiRecorder appliance to verify that they Fortinet Technologies Inc. but you cannot connect using HTTP or HTTPS. 
attempt to ping one of FortiRecorder’s network interfaces that should be reachable from that location. which matches all packets. from a computer on the route’s network destination. A default route ensures that this kind of locally-caused “destination unreachable” problem cannot occur. Click OK. you can use the CLI commands: execute ping <destination_ipv4> to determine if a complete route exists from the FortiRecorder to the host.0. Configure these settings: Setting name Destination IP/netmask Description Type the destination IP address and network mask of packets that will be subject to this static route. and execute traceroute <destination_ipv4> to determine the point of connectivity failure. The value 0. and could belong to your ISP. and pass it to a gateway router so that the packet can reach its destination.0/0.1 Handbook . a route exists. and transport layer. If the connectivity test fails. Verify that you have enabled HTTPS and/or HTTP on the network interface. a default route will match the packet. or if you do not want to enable PING. network.0. be null routed. Page 60 FortiRecorder 1. or forward packets to another router with this information. Gateway Type the IP address of the next-hop router where the FortiRecorder appliance will forward packets subject to this static route. separated by a slash ( / ). this will be the router that forwards traffic towards the Internet. more specific static route defined for a packet’s destination IP address. 5. Making a default route for your FortiRecorder is a typical best practice: if there is no other. Note: The gateway IP address must be in the same subnet as a network interface’s IP address.4. Also enable PING on the FortiRecorder’s network interface. • If these tests fail. enter the CLI command: diagnose netlink rtcache list You may also need to verify that the physical cabling is reliable and not loose or broken. To display the cached routing table. 6. If you do not define a default route. 
and otherwise rule out problems at the physical. an application-layer problem is preventing connectivity. and httpsd are running and not overburdened. attempt to ping one of FortiRecorder’s network interfaces that should be reachable from that location. you can use the CLI commands: execute ping <destination_ipv4> to determine if a complete route exists from the FortiRecorder to the host. that there are no IP address or MAC address conflicts or blacklisting. • If these tests succeed. Verify that you have enabled http and/or http on the network interface (“To configure a physical network interface’s IP address via the CLI” on page 57). you can also use the CLI command: diagnose system top 5 30 to verify that the daemons for the web UI and CLI. Page 61 FortiRecorder 1. To display all routes with their priorities. newcli. and otherwise rule out problems at the physical. Finally. or if you do not want to enable PING. To add a default route via the CLI 1. and transport layer. To verify connectivity. a route exists. first examine the static route configuration on both the host and FortiRecorder. enter the CLI command: diagnose netlink rtcache list You may also need to verify that the physical cabling is reliable and not loose or broken. such as sshd. such as sshd. from a computer on the route’s network destination.permit HTTP and/or HTTPS connectivity between them. Also examine routers and firewalls between the host and the FortiRecorder appliance to verify that they permit HTTP and/or HTTPS connectivity between them. Fortinet Technologies Inc. but you cannot connect using HTTP or HTTPS. you can also use the CLI command: diagnose system top 5 30 to verify that the daemons for the web UI and CLI. • If these tests fail. and execute traceroute <destination_ipv4> to determine the point of connectivity failure. 2. an application-layer problem is preventing connectivity. network. 
Enter the following commands: config router static edit <route_index> set gateway <gateway_ipv4> set device <interface_name> end where: • <route_index> is the index number of the route in the list of static routes • <gateway_ipv4> is the IP address of the gateway router • <interface_name> is the name of through which packets will egress. such as port1 The FortiRecorder appliance should now be reachable to connections with networks indicated by the mask. If the connectivity test fails. Finally. and httpsd are running and not overburdened. Also enable ping on the FortiRecorder (see “To configure a physical network interface’s IP address via the CLI” on page 57). then use the equivalent tracert or traceroute command on the host (depending on its operating system) to test routability for traffic traveling in the opposite direction: from the host to the FortiRecorder. newcli.1 Handbook . FortiRecorder appliances require connectivity to DNS servers for DNS lookups. In Primary DNS Server. FortiGuard services. see “Permissions” on page 12. 4. The appliance will query the DNS servers whenever it needs to resolve a domain name into an IP address. 2. 6.1 Handbook .com. use DNS servers on your local network. or you may want to use the IP addresses of your own DNS servers. 5. type the IP address of the primary DNS server. Your Internet service provider (ISP) may supply IP addresses of DNS servers. Fortinet Technologies Inc. For improved performance. including the NTP system time. such as for NTP system time. Click Apply. enter the following commands: execute traceroute <server_fqdn> where <server_fqdn> is a domain name such as www. To configure DNS settings via the web UI 1. Other accounts may not have permissions necessary to change this setting. Incorrect DNS settings or unreliable DNS connectivity can cause issues with other features. 3. Log in to the admin administrator account. 
If you will use the settings DHCP and Retrieve default gateway and DNS from server when you configure your network interfaces.example. in the CLI. type the IP address of the secondary DNS server. DNS tests may not succeed if you have not yet completed “Adding a gateway” on page 58. Page 62 FortiRecorder 1. In Secondary DNS Server. For details.Configuring DNS settings Like many other types of network devices. Go to System > Network > DNS. To verify your DNS settings. skip this step — DNS is configured automatically. or web servers defined by their domain names (“domain servers”). 357 ms . Page 63 FortiRecorder 1. such as for NTP defined by their domain names (“domain servers”). and that your firewalls or routers do not block or proxy UDP port 53.334 ms If the DNS query fails. you should see results that indicate that the host name resolved into an IP address.238 ms 0. 2.example. but introduce the risk that the results could be out-of-date compared to the DNS server’s current records The appliance will query the DNS servers whenever it needs to resolve a domain name into an IP address.storm. DNS tests may not succeed until you have completed “Adding a gateway” on page 58.426 ms 0. 60 byte packets 1 172.130.ca (209.any.43. enter the following commands: execute traceroute <server_fqdn> where <server_fqdn> is a domain name such as www.0. To verify your DNS settings.1 Handbook . you will see an error message such as: www.20.0.storm.10) 57.146 ms 57. routing.239.com: Temporary failure in name resolution Cannot handle "host" cmdline arg `www.87.example.43. Enter the following commands: config system dns set primary <address_ipv4> set secondary <address_ipv4> set cache {enable | disable} end where: • <address_ipv4> is the IP address of a DNS server • {enable | disable} indicates whether or not to cache DNS query results to improve performance.254.ca (209.icann.20.example. Fortinet Technologies Inc..552 ms 3 core-g0-0-1105. 
and the route from FortiRecorder to that IP address: traceroute to www.2 (172.. To configure DNS settings via the CLI 1.com' on position 1 (argc 3) Verify your DNS server IPs.2) 0.491 2 static-209-87-254-221.221) ms 2. 30 hops max.079 ms 3.com.org (192.374 ms 2.example.10).223 ms 2.com (192.If the DNS query for the domain name succeeds.001 3.130.161) 3. in the CLI.87. 16 ms 43-10.243 ms 57. 87.239.com: Temporary failure in name resolution Cannot handle "host" cmdline arg `www. 30 hops max.ca (209.com (192. use your existing DHCP server to configure your cameras’ network settings. you would connect the cameras to the PoE switch The Fortinet Technologies Inc..2 (172. or at some other. 60 byte packets 1 172..0.any.221) ms 2. Configure the DHCP server so that it will provide basic network settings to cameras when you plug them in — either through a PoE switch directly connected to the FortiRecorder NVR (shown in the illustration below). and the route from FortiRecorder to that IP address: traceroute to www.43.ca (209.254. if you already have a DHCP server (perhaps your router. you should see results that indicate that the host name resolved into an IP address.374 ms 2.storm.552 ms 3 core-g0-0-1105.87.491 2 static-209-87-254-221.example. In order for the FortiRecorder NVR to be able to discover cameras and receive video.0.2) 0.130.com' on position 1 (argc 3) Verify your DNS server IPs.icann. routing.130.357 ms .43. Configuring your or FortiRecorder’s DHCP server To quickly add new cameras to your network.243 ms 57.079 ms 3. cameras must be configured with network settings. you will see an error message such as: www. if you configured the built-in DHCP server to provide DHCP service through port2.If the DNS query for the domain name succeeds.example.334 ms If the DNS query fails. use FortiRecorder’s built-in DHCP server.example. more distant point on your network.storm.10) 57.426 ms 0.238 ms 0.223 ms 2.20. 
and that your firewalls or routers do not block or proxy UDP port 53. cable modem.161) 3.146 ms 57.1 Handbook . as long as the cameras can receive DHCP service. and port2 is connected to a PoE switch.001 3. instead of configuring the FortiRecorder NVR’s built-in DHCP server. Alternatively. or a Windows or Linux server) and you want to avoid conflicts. Page 64 FortiRecorder 1. For example.20.10).org (192. 16 ms 43-10. Go to System > Network > DHCP. • You can move the cameras to a remote location on your network that would not ordinarily be reachable by your DHCP server. you can either: • Continue using DHCP— Leave the cameras plugged into their current network location. Page 65 FortiRecorder 1. Failure to do this may appear to work initially. the FortiRecorder NVR should detect the camera’s IP address change. yet will provide the advantage that IP addresses remain centrally managed. Connectivity interruptions are usually self-correcting: within a few minutes. Then detach the camera and plug it into its intended location on your network. 2. it will receive a new. Configure the DHCP server to reserve a specific IP lease for each camera. and the NVR will not be notified. and through it. but eventually could periodically. when the camera next requests a lease. or discover the camera again (see “Connecting with the cameras” on page 75). This removes the requirement of your cameras to remain within reach of the DHCP server. If this happens. Later. which provides 2 advantages: • You can disable DHCP if not otherwise required (recommended for better security). either manually update the camera’s definition on the NVR to reflect the new IP. or if a misconfigured computer accidentally takes a camera’s DHCP lease: the DHCP server will ultimately be forced to assign the camera’s IP address to a different client. the cameras would be able to access the DHCP server. temporarily interrupt connectivity with the NVR. 
• Switch the camera to a static IP — In the next phase (“Connecting with the cameras” on page 75), use the FortiRecorder NVR to configure the camera with a static IP address. This removes the requirement of your cameras to remain within reach of the DHCP server, which provides 2 advantages:
  • You can disable DHCP if not otherwise required (recommended for better security).
  • You can move the cameras to a remote location on your network that would not ordinarily be reachable by your DHCP server.

If you continue to let your cameras use DHCP, you should configure Reserved IP Address (or, on a third-party DHCP server, the equivalent setting).

To configure the DHCP server via the web UI

1. Go to System > Network > DHCP.
2. Click New.
3. Mark the check box for Enable DHCP server.
4. Configure these settings:

Interface
  Select the name of the network interface where this DHCP server will listen for requests from DHCP clients, such as port2.

Gateway
  Type the IP address that DHCP clients will use as their next-hop router. It could be your office’s router, or cable/DSL modem. On smaller networks, this is usually the same router that FortiRecorder uses.

DNS options
  Select either:
  • Default — Leave DHCP clients’ DNS settings at their default values.
  • Specify — Configure DHCP clients with the DNS servers that you specify in DNS server 1 and DNS server 2.

DNS server 1
  Type the IP address of a DNS server that DHCP clients can use to resolve domain names. For performance reasons, it is preferable to use a DNS server on your local network, if you have one. This setting is available only if DNS options is set to Specify.

DNS server 2
  Type the IP address of an alternative DNS server that DHCP clients can use to resolve domain names. For performance reasons, it is preferable to use a DNS server on your local network, if you have one. This setting is available only if DNS options is set to Specify.

Domain
  Optional. Type the domain name, if any, that DHCP clients will use when resolving host names on the local domain.

Netmask
  Type the subnet mask that DHCP clients will use in conjunction with the IP address that is assigned by FortiRecorder’s DHCP server.

DHCP IP Range
  To configure the DHCP lease pool (the range of IP addresses that the DHCP server can assign to its clients), click New and configure the first and last IP address in the range. If you need to exclude some IP addresses from this range (e.g. printers permanently occupy static IPs in the middle of the range), also configure DHCP Excluded Range. To avoid DHCP pool exhaustion that can occur in some cases, the pool should be slightly larger than the total number of clients.
  Tip: The built-in DHCP server can provide IP addresses to the computers on your network too, not just to cameras. Keep in mind, however, that if the DHCP server is attached to your overall network rather than directly to cameras, this will slightly increase traffic volume and slightly decrease performance.

5. If you want to fine-tune the behavior, configure these settings:

Conflicted IP timeout (Seconds)
  Type the maximum amount of time that the DHCP server will wait for an ICMP ECHO (ping) response from an IP before it determines that it is not used, and therefore safe to allocate to a DHCP client that is requesting an IP address. The default is 1,800 seconds (30 minutes).
  To ensure that the DHCP server does not cause IP address conflicts with misconfigured computers that are accidentally using the pool of IP addresses used for DHCP, when a client requests a new DHCP lease, the built-in DHCP server will ping an unused IP address in the pool first. If the ping test is successful, then a misconfigured computer is currently using that IP, and allocating it also to the DHCP client would cause an IP address conflict. To prevent this, the DHCP server will temporarily abandon that IP (mark it as used by a static host) and look for another, available IP to give to the DHCP client. (It will not try abandoned IPs again until the pool is exhausted.)
  However, before the DHCP server can determine if the ping test is successful, it must first wait to see if there is any reply. This slows down the search for an available IP address, and in rare cases, could cause a significant delay before the DHCP client receives its assigned IP address and other network settings. In most cases, 3 seconds is enough. If your network is smaller or typically has low latency to ping replies, you can safely decrease this setting’s value to improve DHCP speed and performance.

Lease time (Seconds)
  Type the maximum amount of time that the DHCP client can use the IP address assigned to it by the server. When the lease expires, the DHCP client must either request a new IP address from the DHCP server or renew its existing lease. Otherwise, the DHCP server may attempt to assign it to the next DHCP client that requests an IP. The default is 604,800 seconds (7 days).
  If you have more or almost as many DHCP clients (cameras) as the number of IP addresses available to give to DHCP clients, you can decrease the lease. This will free up IP addresses from inactive clients so that IPs are available to give to clients that are currently in need of IP addresses.

DHCP Excluded Range
  To configure IPs that should be omitted from the DHCP pool and never given to DHCP clients (such as if there are printers with manually assigned static IP addresses in the middle of your DHCP range), click New.

Reserved IP Address
  To bind specific MAC addresses to a specific DHCP lease, guaranteeing that the DHCP server will never assign it to another DHCP client, click New.
  Tip: To mimic a static IP address for your cameras, yet still provide the benefit that IP addresses are still centrally managed and configured on your DHCP server, configure reserved IP addresses.
  Caution: Reserved leases cannot prevent misconfigured computers from taking the IP address, causing an IP address conflict, and breaking the FortiRecorder NVR’s connection with the camera. See “Resolving IP address conflicts” on page 188.

6. Click Create.

To configure the DHCP server via the CLI

1. Enter these commands:

  config system dhcp server
    edit 0
      set interface <port_name>
      set netmask <subnet_ipv4>
      set default-gateway <router_ipv4>
      set dns-service specify
      set dns-server1 <dns1_ipv4>
      set dns-server2 <dns2_ipv4>
      [set domain <search-domain_fqdn>]
      set enable enable
  end

where:
• <port_name> is the name of the network interface where you want the FortiRecorder NVR to listen for DHCP queries
• <subnet_ipv4> is the network mask that DHCP clients must use
• <router_ipv4> is the IP address of a gateway router that DHCP clients must use
• <dns1_ipv4> and <dns2_ipv4> are the IP addresses of DNS servers that DHCP clients can use
• <search-domain_fqdn> is the domain name, if any, that DHCP clients will use when resolving host names on the local domain

2. If you want to fine-tune the behavior, also enter these commands:

  config system dhcp server
    edit <dhcp-server_index>
      set conflicted-ip-timeout <ping-seconds_int>
      set lease-time <lease-seconds_int>
      config ip-range
        edit 0
          set start-ip <first_ipv4>
          set end-ip <last_ipv4>
        end
      config exclude-range
        edit 0
          set start-ip <excluded-first_ipv4>
          set end-ip <excluded-last_ipv4>
        end
      config reserved-address
        edit 0
          set ip <client_ipv4>
          set mac <mac_str>
        end
  end

where:
• <ping-seconds_int> is the maximum amount of time that the DHCP server will wait for an ICMP ECHO (ping) response from an IP before it determines that it is not used, and therefore safe to allocate (i.e. will not cause IP address conflicts) to a DHCP client that is requesting an IP address
• <lease-seconds_int> is the maximum amount of time that the DHCP client can use the IP address assigned to it by the server. When the lease expires, the DHCP client must either request a new IP address from the DHCP server or renew its existing lease. Otherwise, the DHCP server may attempt to assign it to the next DHCP client that requests an IP.
• <first_ipv4> is the first IP address in the DHCP lease pool (the IP addresses the DHCP server can assign to its clients). For example, if 192.168.2.50-99 will be DHCP clients, you would type 192.168.2.50 for this value.
• <last_ipv4> is the last IP address in the DHCP lease pool. For example, if 192.168.2.50-99 will be DHCP clients, you would type 192.168.2.99 for this value.
• <excluded-first_ipv4> is the first IP address that should be omitted from the DHCP pool and never given to DHCP clients. For example, if there are 3 printers with manually assigned static IP addresses 192.168.2.70-72 in the middle of your DHCP range, you would type 192.168.2.70 for this value.
• <excluded-last_ipv4> is the last IP address that should be omitted from the DHCP pool and never given to DHCP clients. For example, if there are 3 printers with manually assigned static IP addresses 192.168.2.70-72 in the middle of your DHCP range, you would type 192.168.2.72 for this value.
• <client_ipv4> is an IP address to bind to a specific MAC address. The built-in DHCP server will never assign it to another DHCP client. To mimic a static IP address for your cameras, yet still provide the benefit that IP addresses are still centrally managed and configured on your DHCP server, configure reserved IP addresses. Reserved leases cannot prevent misconfigured computers from taking the IP address, causing an IP address conflict, and breaking the FortiRecorder NVR’s connection with the camera. See “Resolving IP address conflicts” on page 188.
• <mac_str> is the MAC address that a client must have in order to be able to receive or renew the DHCP lease for this reserved IP address.
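The following script is an added example, not code from the handbook or from Fortinet. It models the DHCP plan the CLI procedure above describes (pool, excluded range, reserved addresses) and flags the failure modes the text warns about: a pool that is not larger than the number of cameras, and reservations that contradict the excluded range or fall outside the pool (the out-of-pool rule is this example's own; check how your server treats it). It then renders the plan as the `config system dhcp server` block in the form shown above. The 192.168.2.x addresses are the handbook's; the camera MAC addresses are constructed for illustration.

```python
"""Check a FortiRecorder DHCP plan and render the matching CLI.

Added example; not code from the FortiRecorder handbook or from Fortinet.
MAC addresses and the port2/gateway values are constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Range = Tuple[str, str]            # inclusive (first, last) addresses
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def expand(rng: Range) -> List[ipaddress.IPv4Address]:
    """Every address in an inclusive first-last range."""
    first, last = (ipaddress.IPv4Address(a) for a in rng)
    if last < first:
        raise ValueError(f"range {rng[0]}-{rng[1]} is reversed")
    return [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)]


def usable_pool(pool: Range, excluded: List[Range]) -> List[str]:
    """Addresses the server may hand out: the pool minus every excluded range."""
    banned = {a for rng in excluded for a in expand(rng)}
    return [str(a) for a in expand(pool) if a not in banned]


def check_plan(pool: Range, excluded: List[Range],
               reserved: Dict[str, str], camera_count: int) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems: List[str] = []
    usable = set(usable_pool(pool, excluded))
    # Pool exhaustion: the handbook wants the pool slightly larger than the client
    # count, otherwise a camera can lose its lease to another client and drop video.
    if len(usable) <= camera_count:
        problems.append(f"pool has {len(usable)} usable addresses for "
                        f"{camera_count} cameras; enlarge it")
    excluded_set = {str(a) for rng in excluded for a in expand(rng)}
    owner: Dict[str, str] = {}
    for mac, ip in reserved.items():
        if not MAC_RE.match(mac.lower()):
            problems.append(f"{mac!r} is not a MAC address (expected aa:bb:cc:dd:ee:ff)")
        if ip in excluded_set:
            problems.append(f"{ip} is reserved for {mac} but lies in an excluded range")
        elif ip not in usable:
            problems.append(f"{ip} is reserved for {mac} but lies outside the pool")
        if ip in owner:
            problems.append(f"{ip} is reserved for both {owner[ip]} and {mac}")
        owner[ip] = mac
    return problems


def render_cli(interface: str, netmask: str, gateway: str, dns: List[str],
               pool: Range, excluded: List[Range], reserved: Dict[str, str],
               lease: int = 604800, conflicted_timeout: int = 1800) -> str:
    """Emit the handbook's 'config system dhcp server' block for this plan.

    One 'edit 0 ... end' sub-block per entry, as the handbook shows ('edit 0'
    creates a new entry); defaults are the handbook's lease and timeout values.
    """
    lines = ["config system dhcp server", "  edit 0",
             f"    set interface {interface}", f"    set netmask {netmask}",
             f"    set default-gateway {gateway}", "    set dns-service specify"]
    for i, server in enumerate(dns[:2], start=1):
        lines.append(f"    set dns-server{i} {server}")
    lines += [f"    set conflicted-ip-timeout {conflicted_timeout}",
              f"    set lease-time {lease}",
              "    config ip-range", "      edit 0",
              f"        set start-ip {pool[0]}", f"        set end-ip {pool[1]}",
              "      end"]
    for lo, hi in excluded:
        lines += ["    config exclude-range", "      edit 0",
                  f"        set start-ip {lo}", f"        set end-ip {hi}", "      end"]
    for mac, ip in reserved.items():
        lines += ["    config reserved-address", "      edit 0",
                  f"        set ip {ip}", f"        set mac {mac}", "      end"]
    lines += ["    set enable enable", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    pool, excluded = ("192.168.2.50", "192.168.2.99"), [("192.168.2.70", "192.168.2.72")]
    cams = {"00:09:0f:00:00:01": "192.168.2.51", "00:09:0f:00:00:02": "192.168.2.71"}
    for p in check_plan(pool, excluded, cams, camera_count=2):
        print("problem:", p)
    print(render_cli("port2", "255.255.255.0", "192.168.2.1", ["192.168.2.1"],
                     pool, excluded, cams))
```

Run it as is and the second reservation is reported, because 192.168.2.71 sits inside the printers' excluded range; move that camera to an address inside the usable pool and the report is empty.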
Setting the system time & date

For many features to work, including camera synchronization, logging, scheduling, and SSL/TLS-dependent features, the FortiRecorder system clock must be accurate. Correct time is crucial for correlating events recorded by your cameras, and for providing accurate times to police or other authorities.

You can either manually set the FortiRecorder system time or configure the FortiRecorder appliance to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server. NTP is recommended to achieve better time accuracy. Later, when cameras are added to your surveillance system, your FortiRecorder NVR will synchronize cameras’ clocks with its own to keep them in agreement.

NTP requires that your FortiRecorder be able to connect to the Internet on UDP port 123. Your cameras will also need to be able to connect to the Internet for NTP. Adjust your firewall, if any, to allow these connections.

To configure the system time via the web UI

1. Go to System > Configuration > Time.
2. From Time Zone, select the time zone where the FortiRecorder appliance is located. If you want FortiRecorder to automatically adjust its own clock when its time zone changes between daylight saving time (DST) and standard time, enable Automatically adjust clock for daylight saving changes.
3. If you want FortiRecorder to use NTP, select Synchronize with NTP Server, then configure Server before you click Apply. Otherwise, select Set date, then manually set the current date and time. The clock will be initialized with your manually specified time when you click Apply.

Synchronize with NTP Server
  Select this option to automatically synchronize the date and time of the FortiRecorder appliance’s clock with an NTP server.

Server
  Type the IP address or domain name of an NTP server. To find an NTP server that you can use, go to: http://www.ntp.org
  To define backup NTP servers, click the + icon. You can define up to 10 total NTP servers.

4. Click Apply.
If you manually configured the time, or if you enabled NTP and the NTP query for the current time succeeds, the new clock time should appear in System time. (If the query reply is slow, you may need to wait a couple of seconds, then click Refresh to update the display in System time.)
If the NTP query fails, the system clock will continue without adjustment. Verify your DNS server IPs, routing, your NTP server IP or name, and that your firewalls or routers do not block or proxy UDP port 123. NTP queries may fail until you have configured gateway and DNS settings. See “Configuring the network settings” on page 53.
NTP on FortiRecorder complies with RFC 5905. If the current system time differs greatly from the actual time, NTP will adjust the clock slowly to avoid incongruous jumps in log message timestamps and other time-dependent features. If FortiRecorder’s time was 3 hours late, for example, and NTP fails, the time will still be exactly 3 hours late. If you want the time to be corrected immediately, set the time zone and time manually first, then switch to NTP.

To manually set the date & time via the CLI

To manually configure the FortiRecorder appliance’s system time and disable the connection to an NTP server, enter the following commands:

  config system global
    set ntpsync disable
    set timezone <timezone_index>
    set daylight-saving-time {enable | disable}
  end
  execute date <date_str> <time_str>

where:
• <timezone_index> is the index number of the time zone in which the FortiRecorder appliance is located (to view the list of valid time zones and their associated index numbers, see the web UI)
• daylight-saving-time {enable | disable} is a choice between enabling or disabling daylight saving time (DST) clock adjustments
• <date_str> is the date for the time zone in which the FortiRecorder appliance is located, formatted as mm/dd/yyyy (yyyy is the year, mm is the month, and dd is the day)
• <time_str> is the time for the time zone in which the FortiRecorder appliance is located according to a 24-hour clock, formatted as hh:mm:ss (hh is the hour, mm is the minute, and ss is the second)

To configure NTP via the CLI

To synchronize with an NTP server, enter the following commands:

  config system time ntp
    set ntpsync enable
    set ntpserver {<server_fqdn> | <server_ipv4>}
  end

where {<server_fqdn> | <server_ipv4>} is a choice of either the IP address or fully qualified domain name (FQDN) of the NTP server, such as pool.ntp.org.

If your NTP query succeeds, the new clock time should appear when you enter the command:

  get system status

If the NTP query fails, the system clock will continue without adjustment. Verify your DNS server IPs, routing, your NTP server IP or name, and that your firewalls or routers do not block NTP. NTP queries may fail until you have configured gateway and DNS settings. See “Configuring the network settings” on page 53.
NTP on FortiRecorder complies with RFC 5905. If the current system time differs greatly from the actual time, NTP will adjust the clock slowly to avoid incongruous jumps in log message timestamps and other time-dependent features. If FortiRecorder’s time was 3 hours late, for example, and NTP fails, the time will still be exactly 3 hours late. If you want the time to be corrected immediately, set the time zone and time manually first, then switch to NTP.
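As an added example of the exchange the NTP procedure above depends on (it is not code from the handbook or from Fortinet), the script below builds an RFC 5905 client request, validates the reply, and computes the clock offset the way an NTP client does. The reply it processes when run offline is constructed here, with the server's clock set 3 hours ahead to mirror the handbook's "3 hours late" case; query_server() performs the real exchange on UDP port 123 and is not called automatically. The origin-timestamp check is the RFC's own requirement and is the reason a forged or stale reply is discarded rather than applied.

```python
"""Build an NTP request, validate the reply, and compute the clock offset.

Added example; not code from the FortiRecorder handbook or from Fortinet.
Packet layout and the offset/delay formulas follow RFC 5905. The reply used
offline is constructed, not captured from a server.
"""
import socket
import struct
import time

NTP_TO_UNIX = 2208988800       # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
PACKET = "!BBBb11I"            # li/vn/mode, stratum, poll, precision, then 11 32-bit words


def to_ntp(unix_seconds: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole, frac = divmod(unix_seconds + NTP_TO_UNIX, 1)
    return (int(whole) << 32) | int(frac * (1 << 32))


def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_TO_UNIX + (ts & 0xFFFFFFFF) / (1 << 32)


def _words(ts: int):
    return ts >> 32, ts & 0xFFFFFFFF


def build_request(t1_unix: float) -> bytes:
    """Mode-3 client request: only the Transmit Timestamp (t1) carries information."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3      # no leap warning, NTPv4, client
    return struct.pack(PACKET, li_vn_mode, 0, 6, -20, 0, 0, 0,
                       0, 0, 0, 0, 0, 0, *_words(to_ntp(t1_unix)))


def build_reply(t1_unix: float, t2_unix: float, t3_unix: float, stratum: int = 2) -> bytes:
    """Mode-4 server reply; stands in for a real server in the offline demo."""
    li_vn_mode = (4 << 3) | 4
    ref_id = 0x4C4F434C                        # "LOCL"
    return struct.pack(PACKET, li_vn_mode, stratum, 6, -20, 0, 0, ref_id,
                       *_words(to_ntp(t2_unix)),   # reference timestamp
                       *_words(to_ntp(t1_unix)),   # origin: echoes our transmit
                       *_words(to_ntp(t2_unix)),   # receive
                       *_words(to_ntp(t3_unix)))   # transmit


def parse_reply(data: bytes, t1_unix: float, t4_unix: float) -> dict:
    """Validate a reply to our request and return offset and delay in seconds."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    f = struct.unpack(PACKET, data[:48])
    mode, stratum = f[0] & 0x7, f[1]
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if not 1 <= stratum <= 15:
        raise ValueError(f"unusable stratum {stratum} (0 is a kiss-o'-death)")
    # RFC 5905: the Origin Timestamp must echo our Transmit Timestamp. A mismatch is
    # a stale or forged packet; without this check an off-path sender could set our clock.
    if (f[9] << 32 | f[10]) != to_ntp(t1_unix):
        raise ValueError("origin timestamp does not match our request")
    t2, t3 = from_ntp(f[11] << 32 | f[12]), from_ntp(f[13] << 32 | f[14])
    offset = ((t2 - t1_unix) + (t3 - t4_unix)) / 2   # server clock minus ours
    delay = (t4_unix - t1_unix) - (t3 - t2)          # round trip minus server hold time
    return {"offset": offset, "delay": delay, "stratum": stratum}


def query_server(host: str, timeout: float = 3.0) -> dict:
    """Live exchange on UDP/123; needs the firewall allowance the handbook describes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (host, 123))
        data, _ = sock.recvfrom(512)
        return parse_reply(data, t1, time.time())


if __name__ == "__main__":
    # Constructed case: FortiRecorder is 3 hours late, 20 ms round trip.
    t1, t2, t3, t4 = 1000.0, 11800.01, 11800.02, 1000.03
    print(parse_reply(build_reply(t1, t2, t3), t1, t4))
```

The offset comes out as +10800 s, i.e. the server is 3 hours ahead, which is exactly the correction a slewing client would then apply gradually, as the handbook notes. A reply whose origin timestamp does not match, or one carrying stratum 0, is rejected before any offset is computed.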
Connecting with the cameras

At this stage, the FortiRecorder NVR’s basic network settings have been configured, but not the cameras. After the FortiRecorder NVR is attached to your network, continue by configuring the FortiRecorder NVR to connect to and configure your cameras.

Because camera configuration often requires that you be able to see video in order to determine if the live feed and motion detection area is functioning properly, Fortinet recommends that you configure camera connections using the web UI, not the CLI.

Requirements
• On your computer, the Apple QuickTime 7.1 or greater plug-in installed for your web browser(s)
• At the camera’s location on the network, power over Ethernet (PoE). This could be provided by a FortiSwitch-80-PoE or perhaps your ISP’s cable modem.

To connect FortiRecorder to your cameras via the web UI

1. Detach your computer and place the FortiRecorder NVR at its intended point on your network.
2. Plug in each camera at a PoE port on your network where the camera can:
  • receive power
  • retrieve initial network settings from a DHCP server
  • be discovered by the FortiRecorder NVR
  For additional advice and hardware specifications, see your camera’s QuickStart Guide.
3. Reconnect your computer to your network, open a web browser and go to the new URL of the FortiRecorder NVR’s web UI, then log in to the admin administrator account. For example, if in “Configuring the network interfaces” you configured port1 of FortiRecorder with 192.168.1.99, you would go to: https://192.168.1.99
4. If you don’t want to use one of the predefined schedule/recording trigger types, go to Camera > Schedule > Recording Schedule and click New to configure your own. (“Schedules” actually combine 2 things: a schedule, and whether recording is continuous or triggered by motion detection.) Schedules are not required. You can manually record without a schedule, by using the manual control buttons on Monitor > Video Monitor > Live Video Feed. However, for set-it-and-forget-it ease of use, schedules are recommended.
5. Go to Camera > Configuration > Camera, then click Force Discover. FortiRecorder will use the discovery protocol to find cameras on the same subnet as the FortiRecorder NVR (see “Appendix A: Port numbers” on page 212). After several seconds, a list of discovered cameras should appear. Newly discovered cameras will be highlighted in yellow, and their Status column will contain Not Configured.
  Alternatively, if UPnP is disabled on your network, you can click New to add each camera manually. In this case, in addition to the settings described in step 6, you will have to specify each camera’s hardware Model.
6. For each discovered camera, click its row to select it, click Configure, then configure these settings:

Name
  Type a name (such as front-door1) that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.

Location
  Optional. Type a description of the camera’s physical location that can be used if the camera is hidden, in case it is forgotten or lost.

IP mode
  Select either:
  • Manual — Configure the camera with a static IP address in IP.
  • Auto — Allow the camera to continue using DHCP to determine its IP address.
  Caution: Either configure your cameras with a static IP, or configure your DHCP server with lease reservations (see “Configuring your or FortiRecorder’s DHCP server” on page 64). Without reservations, the IP address provided by the DHCP server may appear to work initially, but later, in some cases, the DHCP server could change the IP address lease. If this happens, the DHCP server will not update the list of known cameras with the camera’s new dynamic IP. Until it discovers that the IP address has changed, FortiRecorder will still be trying to control the camera’s old address, which no longer works. Connections with that camera will be broken and all video from that camera during that interruption will be lost.

IP
  If the camera will not continue to use DHCP, enter the static (non-DHCP) IP address that the camera will use. For example, if your DHCP server assigns IP addresses in the 192.168.1.2-50 range to its DHCP clients, you might assign the camera a static IP address of 192.168.1.200 so that it will free an IP in the pool for other clients that need to use DHCP. This setting is available only when IP mode is set to Manual.

Resolution
  Select the amount of detail (the number of pixels) in the image.
  • High — 1280 x 1024 pixels
  • Medium — 640 x 512 pixels
  • Low — 320 x 256 pixels
  Lower resolution is faster to transmit and results in less delay between reality and live video, but shows less detail. High resolution may therefore be preferable if the camera is recording a large space such as a parking lot, where small details could in reality be large objects such as people or cars.
  Note: Resolution greatly impacts performance and the rate at which disk space is consumed. See “Video performance” on page 171.

Schedules
  From the Available column, select one or more schedules that you want this camera to follow, then click the right arrow to move them into the Selected column. (Available contains both the list of predefined schedules and schedules that you configured in step 4.) According to your selected schedules, the FortiRecorder NVR will tell the camera to start and stop continuous or motion-triggered recording. It will periodically poll the camera to make sure that it is following the prescribed schedule.
  Note: Only non-overlapping, non-conflicting schedules should be selected. The camera cannot, for example, follow both a continuous and a motion-detecting schedule at the same time. If you select conflicting schedules, when you try to click OK to save the camera settings, an error message such as the following will appear:
  Schedules motion and continuous conflict on Tuesday at 08:25

Storage option
  Select whether to:
  • Keep — Retain video until all available disk space is consumed
  • Delete — Remove video when it exceeds a maximum age.
  • Move — Relocate video to external storage when it exceeds a maximum age. This option requires that you have configured network storage (see “External video storage” on page 122).
  If you choose to delete old video, also configure the maximum amount of time to keep video recording files from this camera. Files whose start time is older than this age will be deleted in order to free disk space for new video recordings. Large recordings will be stored on the hard disk as multiple video files. In that case, the oldest part of the recording will be deleted first.

If a camera is disabled while you change its settings, or while it would normally be scheduled to begin continuous or motion detection recording, the FortiRecorder NVR will not connect to the camera. This can break communications between them: if you reconfigure the IP while the camera is disabled, your FortiRecorder NVR may later attempt to communicate with the camera at the new address/gateway, but the camera will still be using the old address/gateway. To fix this, disable the camera definition, revert the settings, enable the camera definition again, then apply your changes while the camera definition is enabled. It can also cause cameras to become out-of-sync, because they will not receive time setting changes while disabled.

7. Click the Preview button to retrieve a single still image from the camera for the purpose of assessing camera image settings.
8. If the preview image’s orientation is incorrect, configure these settings:

Horizontal flip
  Enable if the camera is positioned looking at a mirror or on a ceiling, and the preview image appears to be reversed left to right.

Vertical flip
  Enable if the camera is positioned on a ceiling, and the preview image appears to be upside down.

9. By default, while using motion detection, cameras will be triggered to record if any motion occurs within their entire field of vision. If some parts of the view, such as a fan or strobe light, would inadvertently trigger motion detection, in the Motion detection windows area, click the Add button. A rectangle with a thick, white border will appear over the preview image, indicating the motion detection area that will be monitored for movement. To resize it to your intended area, click and drag the edges of the rectangle. To move it, hold down the Shift key while you click and drag it.
10. If using motion detection and it is too easily triggered, or not sensitive enough, configure these settings:

Pixel change
  Type the percentage of pixels in the motion detection area that must change in order to trigger the camera to begin recording. The default is 10.
  Normally, small changes to the image should not trigger motion detection; they might be, for example, a blinking light, rendered by only a few pixels. But if the camera watches a large area, large objects will be a small percentage of the image. Small pixel changes could be large objects in reality, and therefore significant. For example, if the camera watches a whole parking lot, a tiny flashing light could be flashing headlights from a car alarm. A tiny movement could be a whole car leaving the parking lot. In this case, you would increase sensitivity to detail by decreasing this setting. If the camera needs to be more sensitive to details, decrease this setting.

Sensitivity
  Type the percentage of color change of a pixel in the motion detection area that must occur over time in order to constitute a pixel change. The default is 80.
  Normally, gradual color or brightness changes should not trigger motion detection. During the day, as the sun rises and sets, natural lighting in an area gradually changes. Reflected light can also subtly change the image perceived by the camera, such as a dim light being switched on. If such changes trigger recording, increase this setting. If the camera is not detecting some significant changes, decrease this setting.

11. Click Create.
  If you kept the Enabled check box marked, FortiRecorder connects to the camera’s discovered IP address. At this time, FortiRecorder configures the camera with:
  • the camera’s new IP and other network settings (if IP mode is set to Manual)
  • NTP settings (if you configured them for FortiRecorder during “Setting the system time & date”)
  Afterwards, FortiRecorder will periodically connect to the camera’s configured IP address, in order to control the camera according to your selected schedules, and to enable the FortiRecorder NVR to monitor for unexpected camera IP address changes and other connectivity interruptions. It will also keep video recordings sent by that camera from its new IP address.
  To confirm that FortiRecorder can receive video from the camera at its new IP address, go to Monitor > Video Monitor > Live Video Feed. If no video is available from that camera, verify that:
  • Other video software such as Windows Media Player or VLC has not stolen the RTSP file type association from QuickTime. (Installing other video software after QuickTime is a common cause of changes to media file type associations.)
  • A route exists to the camera’s new IP address. To confirm, go to Monitor > System Status > Console and enter the command:
      execute ping <camera_ipv4>
    where <camera_ipv4> is the camera’s IP address. If you receive messages such as Timeout..., to locate the point of failure on the network, enter the command:
      execute traceroute <camera_ipv4>
  • Firewalls and routers, if any, allow both the RTSP and RTCP components of the RTP streaming video protocol between FortiRecorder and the camera and between your computer and FortiRecorder (see “Appendix A: Port numbers” on page 212).
  • Web proxies or firewalls, if any, support streaming video.
  If you did not discover the camera but instead manually configured FortiRecorder with the camera’s IP address, confirm that the camera is actually located at that address.
12. If you will allow security guards’ or other personnel’s accounts to view video only from a specific subset of cameras, go to Camera > Configuration > Camera Group, then click New and configure a subset of those cameras.
13. To receive notifications if the camera’s connection with the FortiRecorder NVR is interrupted, see “Configuring notification email” on page 102.
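The following is an added example, not code from the handbook or from Fortinet, and the camera's actual detection algorithm is not published on this page. It applies the two thresholds of step 10 literally to constructed grayscale frames: a pixel counts as changed when its brightness moves by at least Sensitivity percent of full scale, and motion is detected when at least Pixel change percent of the pixels inside the detection window of step 9 changed. Running it reproduces the handbook's cases: a car in a dark parking lot that the default Sensitivity of 80 ignores, a blinking light that the default Pixel change of 10 ignores, a gradual lighting change that a low Sensitivity turns into a false alarm, and a fan that a detection window excludes.

```python
"""Apply the Pixel change and Sensitivity thresholds to two constructed frames.

Added example; not code from the FortiRecorder handbook or from Fortinet.
Frames are 8-bit grayscale images built inline for illustration.
"""
from typing import List, Tuple

Frame = List[List[int]]               # rows of 0..255 brightness values
Window = Tuple[int, int, int, int]    # x, y, width, height in pixels


def make_frame(width: int, height: int, value: int) -> Frame:
    return [[value] * width for _ in range(height)]


def paint(frame: Frame, region: Window, value: int) -> Frame:
    """Copy of frame with a rectangle set to one value (a car, a fan, a blinking light)."""
    x, y, w, h = region
    out = [row[:] for row in frame]
    for r in range(y, y + h):
        for c in range(x, x + w):
            out[r][c] = value
    return out


def brighten(frame: Frame, delta: int) -> Frame:
    """Copy of frame with every pixel shifted, like sunrise or a dim light switched on."""
    return [[min(255, max(0, v + delta)) for v in row] for row in frame]


def changed_percent(prev: Frame, curr: Frame, window: Window, sensitivity: float) -> float:
    """Percentage of pixels in the window whose change reaches the Sensitivity threshold."""
    x, y, w, h = window
    if w <= 0 or h <= 0 or x < 0 or y < 0 or y + h > len(prev) or x + w > len(prev[0]):
        raise ValueError("detection window must lie inside the frame")
    changed = 0
    for r in range(y, y + h):
        for c in range(x, x + w):
            delta_pct = abs(curr[r][c] - prev[r][c]) * 100 / 255
            if delta_pct >= sensitivity:
                changed += 1
    return changed * 100 / (w * h)


def motion_detected(prev: Frame, curr: Frame, window: Window,
                    pixel_change: float = 10, sensitivity: float = 80) -> bool:
    """True when the share of changed pixels reaches the Pixel change threshold."""
    return changed_percent(prev, curr, window, sensitivity) >= pixel_change


if __name__ == "__main__":
    full = (0, 0, 32, 24)
    lot = make_frame(32, 24, 40)                       # a dark parking lot at night
    car = paint(lot, (8, 8, 16, 8), 200)               # a car: 160/255 = 63% brightness change
    print("car, defaults:", motion_detected(lot, car, full))               # False: 63% < 80%
    print("car, sensitivity 50:", motion_detected(lot, car, full, 10, 50))  # True: 17% of pixels
    blink = paint(lot, (0, 0, 2, 2), 255)              # a 2x2 blinking light
    print("blink, defaults:", motion_detected(lot, blink, full))           # False: 0.5% < 10%
    dusk = brighten(lot, 30)                           # gradual lighting change everywhere
    print("dusk, defaults:", motion_detected(lot, dusk, full))             # False
    print("dusk, sensitivity 10:", motion_detected(lot, dusk, full, 10, 10))  # True: false alarm
    fan = paint(lot, (28, 0, 4, 4), 255)               # a fan in the top-right corner
    print("fan, window excludes it:", motion_detected(lot, fan, (0, 0, 24, 24), 1, 80))  # False
```

The two thresholds interact: lowering Sensitivity lets the car register at all, while Pixel change decides whether 128 changed pixels out of 768 are enough to start recording. Restricting the window is what keeps the fan from counting, independent of either threshold.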
Updating the cameras’ firmware

Once the FortiRecorder NVR is connected to your cameras, you can use it to command them to update themselves with the latest camera firmware.

To update your cameras’ firmware

1. Download the firmware file from the Fortinet Technical Support web site: https://support.fortinet.com/
2. Connect the appliance directly or to the same subnet as a TFTP server. (If you do not have one, you can temporarily install and run one such as tftpd (Windows, Mac OS X, or Linux) on your management computer.)
  Because TFTP is not secure, and because it does not support authentication and could allow anyone to have read and write access, you should only run it on trusted administrator-only networks, never on computers directly connected to the Internet. If possible, immediately turn tftpd off when you are done.
3. If necessary, start your TFTP server.
4. Copy the new firmware image file to the root directory of the TFTP server.
5. Verify that the TFTP server is currently running, and that the FortiRecorder appliance can reach the TFTP server. To use the FortiRecorder CLI to verify connectivity, enter the following command:

  execute ping 192.168.1.168

  where 192.168.1.168 is the IP address of the TFTP server.
6. Enter this command:

  execute camera upgrade <camera_name> tftp <firmware-file_str> <tftp_ipv4>

  where:
  • <camera_name> is the name of the camera in your FortiRecorder NVR’s configuration
  • <firmware-file_str> is the name of the camera firmware file on your TFTP server
  • <tftp_ipv4> is the IP address of your TFTP server
  The FortiRecorder appliance downloads the camera’s new firmware from the TFTP server, then connects to the camera via HTTP and uploads the firmware to it. The camera installs the new firmware. During this time, the camera will not be able to record video if it was scheduled, and you may notice a gap in the recorded video clips.

Adding logins for security personnel & network administrators

In its factory default configuration, FortiRecorder has one administrator account named admin. This administrator has permissions that grant full access to FortiRecorder’s settings and features. To prevent accidental changes to the configuration, it’s best if only network administrators, and if possible only a single person, use the admin account.

You can use the admin administrator account to configure more accounts for other people. Accounts can be for:
• security personnel that need to view video feeds (called “operators” in the web UI)
• other network administrators

For example, you could create an operator account for a security guard who must be able to use the video feeds and recordings, but should not change any of the network settings. For details, see “Permissions” on page 12.

Multiple administrators should not be logged in simultaneously. If configuring the same item at the same time, the administrators could inadvertently overwrite each other’s changes.

Administrators may be able to access both the web UI and the CLI through the network, depending on:
• the account’s trusted hosts (“Trusted hosts” on page 12)
• the protocols enabled for each of the FortiRecorder appliance’s network interfaces (“Configuring the network interfaces” on page 53)

To access this part of the web UI, your account’s User type must be Administrator.

If your network is relatively simple, just follow “To configure an account via the web UI” on page 84 or “To configure an account via the CLI” on page 90. If you have a large network and want to use accounts that you already have configured on another server, first follow either:
• “To configure an Active Directory or LDAP query via the web UI” on page 91 or
• “To configure a RADIUS query via the web UI” on page 99
then follow “To configure an account via the web UI” on page 84 or “To configure an account via the CLI” on page 90.
To configure an account via the web UI

1. Go to System > User > User.
2. Click New. A dialog appears.
3. Configure these settings:

Username
  Type the name of the account, such as IT or guard, that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
  Note: This is the user name that the person must provide when logging in to the CLI or web UI.

Display name
  Type a name for the recipient, as you want it to appear in snapshot notifications sent by FortiRecorder, such as FortiRecorder admin.

Email address
  Type the person’s email address, if any, that will receive snapshot notifications sent by FortiRecorder (see “Configuring notification email” on page 102). If you do not know the email address and cannot provide it, don’t worry. The person still will be able to view camera-related notifications whenever he or she logs in to the FortiRecorder NVR. Additionally, the person can configure his or her own email address later, when he or she logs in.

Password
  Type a password for the account. This field is available only when Auth type is Local or RADIUS + Local.
  Tip: For improved security, the password should be at least eight characters long, be sufficiently complex, and be changed regularly. To check the strength of your password, you can use a utility such as Microsoft’s password strength meter.

Confirm Password
  Re-enter the password to confirm its spelling. This field is available only when Auth type is Local or RADIUS + Local.

Trusted hosts
  Type the IP address and netmask from which the account is allowed to log in to the FortiRecorder appliance. You can specify up to 10 trusted network areas. Each area can be a single computer, a whole subnet, or a mixture. To allow logins only from a single computer, enter its IP address and a 32-bit netmask, such as: 172.16.1.50/255.255.255.255. To allow login attempts from any IP address, enter 0.0.0.0/0.0.0.0.
  Caution: If you configure trusted hosts, do so for all accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one account unrestricted (i.e. 0.0.0.0/0.0.0.0), the FortiRecorder appliance must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.
  Tip: If you allow login from the Internet, set a longer and more complex Password, and enable only secure administrative access protocols (HTTPS and SSH) to minimize the security risk. For information on administrative access protocols, see “Configuring the network interfaces” on page 53.
  Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in. For more information, see “Trusted hosts” on page 12.

User type
  Select either:
  • Administrator — The account can configure all FortiRecorder NVR network and camera settings, create accounts, and view video feeds from all cameras.
  • Operator — The account can view assigned camera feeds. It can change its own password and account settings, but otherwise cannot change the FortiRecorder NVR or camera configuration.
  This option does not appear for the admin administrator account, which by definition is always an administrator.

Camera selection
  Select which group of camera video feeds and recordings the account will be able to access (see “Connecting with the cameras” on page 75).

Auth type
  Select one of:
  • Local — Authenticate using an account whose name, password, and other settings are stored locally.
  • RADIUS — Authenticate by querying the remote RADIUS server that stores the account’s name and password. Also configure RADIUS profile and Check permission attribute on RADIUS server.
  • LDAP — Authenticate by querying a remote LDAP server that stores the account’s name and password. Also configure LDAP profile.
  Caution: Compromise of the authentication server could allow attackers to gain administrative access to your FortiRecorder appliance. Secure the server and, if possible, all query traffic to it.

RADIUS profile
  Select a RADIUS authentication profile that defines the RADIUS connection settings. See “To configure a RADIUS query via the web UI” on page 99. This field appears only when Auth type is RADIUS or RADIUS+Local.
or by querying the accounts stored locally. Also configure RADIUS profile and Check permission attribute on RADIUS server. • RADIUS+Local — Authenticate either by querying the remote RADIUS server that stores the account’s name and password. in the FortiRecorder appliance’s configuration. Caution: Secure your authentication server and. in the FortiRecorder NVR’s configuration. Fortinet Technologies Inc. For an example VSA dictionary.1 Handbook . In this case. This option requires that: • Your RADIUS server must support vendor-specific attributes (VSAs) similar to RFC 2548. in decimal. This field appears only when Auth type is RADIUS or RADIUS+Local. so that the RADIUS server can RADIUS server specify the account’s permissions.GUI item Description Check permission Enable to let the RADIUS server override User type when it attribute on replies to authentication queries.g. e. It should be present in Access-Request packets from FortiRecorder. Fortinet Technologies Inc. The vendor ID is an ID for the Fortinet client types. Vendor ID Type the vendor ID for Fortinet. For instructions. The default value is 0. you must configure your server. Also configure Vendor ID and Subtype ID. as it is defined on your RADIUS server. Fortinet’s default vendor ID is 12356. consult its documentation. Otherwise. see the article FortiGate RADIUS VSA Dictionary. On many RADIUS servers. for example. telling your RADIUS server which settings are supported by accounts on FortiRecorder. (If your server does not support them. Methods varies by vendor — FreeRADIUS and Internet Authentication Services for Microsoft Windows 2008 Server. are configured differently. Page 88 FortiRecorder 1. it may reply with an “attribute not supported” error. Fortinet-Access-Profile = Administrator or Fortinet-Access-Profile = Operator Some RADIUS servers already include the Fortinet vendor ID and subtype ID in their default dictionaries. no server-side configuration is necessary. 
It should also be present when the RADIUS server replies with an Access-Accept packet.) • Your RADIUS server’s dictionary must have: • • a vendor ID for Fortinet/FortiRecorder an attribute ID for user types (“access profile” names) • Each FortiRecorder account on your RADIUS server must have a user type attribute with a value that specifies which User type to apply. Theme Select this administrator account’s preference for the initial web UI color scheme or click Use Current to choose the theme currently in effect for your own web UI session. Administrator) on FortiRecorder. Page 89 FortiRecorder 1. If the packet does not have this attribute-value pair. 4. and he or she will receive a “permission denied” error message: you do not have rights to view this page The default value is 0. even if successfully authenticated.1 Handbook . Click Create. authorization will be null. If the packet does not contain the attribute-value pair and you have not configured User type. when the person attempts to authenticate. The administrator may switch the theme at any time after he or she logs in by clicking Next Theme in the top right corner.g. On many RADIUS servers. FortiRecorder will use whichever permissions you defined locally for the account in User type. if possible. See “To configure an Active Directory or LDAP query via the web UI” on page 91. Compromise of the authentication server could allow attackers to gain administrative access to your FortiRecorder appliance. but is not required to be. It should be. LDAP profile Select an LDAP authentication profile that defines the connection settings.GUI item Subtype ID Description Type the subtype ID for account permissions as it is defined on your RADIUS server. Fortinet Technologies Inc. Packets from your RADIUS server should use this attribute’s value to refer to the name of a User type (e. all query traffic to it. present in Access-Accept reply packets from your RADIUS server to FortiRecorder. 
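The Trusted hosts setting above matches the login source against up to 10 address/netmask entries, and its Caution explains why one unrestricted account undoes the restriction on every other account. The following is an added example written for this page, not FortiRecorder code: the appliance's own matching is not published, so the functions follow the text (dotted netmask, 0.0.0.0/0.0.0.0 meaning any address, a 10-entry limit), and the account table in the usage section is constructed.

```python
"""Trusted-host matching and the all-accounts audit the Caution asks for.
Added example for this handbook page, not FortiRecorder code.  Assumptions:
entries are 'address/netmask' (dotted) or 'address/prefixlen', the catch-all
is 0.0.0.0/0.0.0.0, and an account may hold at most 10 entries."""
import ipaddress

ANY_HOST = "0.0.0.0/0.0.0.0"
MAX_TRUSTED_HOSTS = 10


def parse_trusted_host(entry: str) -> ipaddress.IPv4Network:
    """Turn one trusted-host entry into a network.  strict=False lets an
    entry such as 172.16.1.50/255.255.255.0 mean the /24 containing that
    address, the way a firewall reads an address/netmask pair."""
    address, _, mask = entry.partition("/")
    return ipaddress.IPv4Network(f"{address}/{mask or '255.255.255.255'}", strict=False)


def login_allowed(source_ip: str, trusted_hosts: list) -> bool:
    """True if the login source falls inside any of the account's entries."""
    if len(trusted_hosts) > MAX_TRUSTED_HOSTS:
        raise ValueError("an account may list at most 10 trusted network areas")
    source = ipaddress.IPv4Address(source_ip)
    return any(source in parse_trusted_host(entry) for entry in trusted_hosts)


def is_catch_all(entry: str) -> bool:
    """0.0.0.0/0.0.0.0 (or any /0) accepts logins from every address."""
    return parse_trusted_host(entry).prefixlen == 0


def unrestricted_accounts(accounts: dict) -> list:
    """Accounts that still accept logins from anywhere.  One such account is
    enough to make the appliance answer every connection attempt on every
    interface with an administrative protocol enabled, which is why the
    Caution says to restrict all accounts, not just some."""
    return [name for name, hosts in accounts.items()
            if any(is_catch_all(h) for h in hosts)]


def broad_entries(accounts: dict) -> list:
    """(account, entry) pairs wider than a single computer, for the Tip that
    recommends one 32-bit-netmask entry per administrator workstation."""
    return [(name, h) for name, hosts in accounts.items()
            for h in hosts if parse_trusted_host(h).prefixlen < 32]


if __name__ == "__main__":
    # Constructed account table: admin pinned to one workstation, guard
    # allowed from a subnet, helpdesk left at the unrestricted default.
    accounts = {
        "admin": ["172.16.1.50/255.255.255.255"],
        "guard": ["192.168.10.0/255.255.255.0"],
        "helpdesk": [ANY_HOST],
    }
    print(login_allowed("172.16.1.50", accounts["admin"]))   # True
    print(login_allowed("172.16.1.51", accounts["admin"]))   # False
    print(unrestricted_accounts(accounts))                   # ['helpdesk']
    print(broad_entries(accounts))
```

Run the audit over the exported account list before exposing an administrative interface to the Internet: an empty result from unrestricted_accounts is the state the Caution asks for, and broad_entries lists what the Tip would have you tighten further.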
To configure an account via the CLI
1. Enter these commands:
config system admin
  edit <account_name>
    set name <display_name>
    set email <notification_email>
    set type {admin | operator}
    set camera-selection <camera-group_name>
    set auth-strategy {local | ldap | local-plus-radius | radius}
where:
• <account_name> is the name of the account, such as IT or guard, that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. This is the user name that the person must provide when logging in to the CLI or web UI.
• <display_name> is the name for the recipient, such as FortiRecorder admin, as you want it to appear in snapshot notifications, if any, sent by FortiRecorder.
• <notification_email> is the person's email address, such as admin@example.com, that will receive snapshot notifications, if any, sent by FortiRecorder (see "Configuring notification email" on page 102). If you do not know the email address and cannot provide it, don't worry. The person still will be able to view camera-related notifications whenever he or she logs in to the FortiRecorder NVR. Additionally, the person can configure his or her own email address later, when he or she logs in.
• {admin | operator} is the choice of either giving the account system administrator permissions or operator (security guard, etc.) permissions.
• <camera-group_name> is the name of the group of camera video feeds and recordings the account will be able to access (see "Connecting with the cameras" on page 75).
• {local | ldap | local-plus-radius | radius} is the choice of whether the account's password will be stored locally (on the appliance) or on your existing, external authentication server. Microsoft Active Directory servers can provide authentication through an LDAP query.
2. If the account will authenticate using a locally stored password, enter these commands:
set password <password_str>
end
where <password_str> is the account's initial password. The account should now be able to log in.
If the account will authenticate by querying an LDAP or Microsoft Active Directory server, enter these commands:
set ldap-profile <profile_name>
end
where 
<profile_name> is the name of the profile whose settings will be used for the query. (This setting appears only after auth-strategy is set to ldap.) The account should now be able to log in.
Otherwise, if the account will authenticate by querying a RADIUS server, enter these commands:
set radius-profile <profile_name>
set radius-permission-check {enable | disable}
set radius-vendor-id <vendor_int>
set radius-subtype-id <subtype_int>
end
where:
• <profile_name> is the name of the profile whose settings will be used for the query.
• {enable | disable} is the choice of whether to let the RADIUS server override the locally configured type when it replies to authentication queries, so that the RADIUS server can specify the account's permissions. If you enable this setting, you must also configure radius-vendor-id and radius-subtype-id.
• <vendor_int> is the vendor ID for Fortinet, in decimal, as it is defined on your RADIUS server. On many RADIUS servers, Fortinet's default vendor ID is 12356.
• <subtype_int> is the subtype ID for account permissions as it is defined on your RADIUS server. On many RADIUS servers, Fortinet's default subtype ID for access profiles is 6.
The account should now be able to log in.

To configure an Active Directory or LDAP query via the web UI
1. Go to System > Authentication > LDAP.
2. Click New. A dialog appears.
3. Configure these settings:

Profile name: Type a name (such as LDAP-query) that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.

Server name/IP: Type the fully qualified domain name (FQDN) or IP address of the LDAP or Active Directory server that will be queried when an account referencing this profile attempts to authenticate.

Fallback server name/IP: Type the fully qualified domain name (FQDN) or IP address of a secondary LDAP or Active Directory server, if any, that can be queried if the primary server fails to respond according to the threshold configured in Timeout.

Port: Type the port number on which the authentication server listens for queries. The IANA standard port number for LDAP is 389. LDAPS (SSL/TLS-secured LDAP) is 636.

Use secure connection: If your directory server uses SSL to encrypt query connections, select SSL, then upload the certificate of the CA that signed the LDAP server's certificate (see "Uploading trusted CAs' certificates" on page 128). Otherwise, select None.

Allow unauthenticated bind: Enable to perform the query without authenticating. Disable to authenticate when querying; also configure Bind DN and Bind password. Many LDAP servers require LDAP queries to be authenticated ("bound") by supplying a bind DN and password to determine the scope of permissions for the directory search. However, if your LDAP server does not require binding, you can enable this option to improve performance.

Bind DN: Enter the bind DN, such as cn=FortiRecorderA,dc=example,dc=com, of an LDAP user account with permissions to query the Base DN. Leave this field blank if you have enabled Allow unauthenticated bind.

Bind password: Enter the password of the Bind DN.

4. If your directory does not use OpenLDAP's default schema, such as Microsoft Active Directory-style schemas, or if you need to configure a query string, LDAP protocol version, query cache, or how the query will be authenticated (the bind DN), click the arrows to expand User Query Options, User Authentication Options, and Advanced Options, then configure:

Schema: If your LDAP directory's user objects use one of these common schema styles:
• InetOrgPerson
• InetLocalMailRecipient
• Active Directory
• Lotus Domino
select the schema style. This automatically configures the query string to match that schema style. Otherwise, select User Defined, then manually configure the query string in LDAP user query.

Base DN: Enter the distinguished name (DN) of the part of the LDAP directory tree within which FortiRecorder will search for user objects, such as ou=People,dc=example,dc=com. User objects should be child nodes of this location.

Browse: Click Browse to locate the LDAP directory from the location that you specified in Base DN, or, if you have not yet entered a Base DN, beginning from the root of the LDAP directory tree. Browsing the LDAP tree can be useful if you need to locate your Base DN, or need to look up attribute names. For example, if the Base DN is unknown, browsing can help you to locate it. Before using, first configure Server name/IP, Use secure connection, Bind DN, Bind password, and Protocol version, then click Create or OK. These fields provide the minimum information required to establish the directory browsing connection.

LDAP user query: Enter an LDAP query filter that selects a set of user objects from the LDAP directory. The query string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects. For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be:
(& (objectClass=inetOrgPerson) (mail=$m))
where $m is the FortiRecorder variable for a user's email address. If the email address ($m) as it appears in the authentication attempt is different from the user's email address as it appears in the LDAP directory, such as when you have enabled recipient tagging, a query for the user by the email address ($m) may fail. In this case, you can modify the query filter to subtract prepended or appended text from the user name portion of the email address before performing the LDAP query. For some schemas, such as Microsoft Active Directory-style schemas, this query will retrieve both the user's primary email address and the user's alias email addresses. For details on query syntax, refer to any standard LDAP query filter reference manual. This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined.

Scope: Select which level of depth to query, starting from Base DN.
• One level — Query only the one level directly below the Base DN in the LDAP directory tree.
• Subtree — Query recursively all levels below the Base DN in the LDAP directory tree.

Derefer: Select when, if ever, to dereference attributes whose values are references.
• Never — Do not dereference.
• Always — Always dereference.
• Search — Dereference only when searching.
• Find — Dereference only when finding the base search object.

User Authentication Options: Select how, if the query requires authentication, the FortiRecorder appliance will form the bind DN:
• Try UPN or email address as bind DN — Select to form the user's bind DN by prepending the user name portion of the email address ($u) to the User Principal Name (UPN, such as example.com). By default, the FortiRecorder appliance will use the mail domain as the UPN. If you want to use a UPN other than the mail domain, enter that UPN in the field named Alternative UPN suffix. This can be useful if users authenticate with a domain other than the mail server's principal domain name.
• Try common name with base DN as bind DN — Select to form the user's bind DN by prepending a common name to the base DN. Also enter the name of the user objects' common name attribute, such as cn or uid, into the field.
• Search user and try bind DN — Select to form the user's bind DN by using the DN retrieved for that user by User Query Options.

Protocol version: Select the LDAP protocol version (either 2 or 3) used by the LDAP server.

Timeout: Type the number of seconds that the FortiRecorder appliance will wait for a reply to the query before assuming that the primary LDAP server has failed, and will therefore query the secondary LDAP server. The default value is 20.

Enable cache: Enable to cache LDAP query results. Caching LDAP queries can introduce a delay between when you update LDAP directory information and when the FortiRecorder appliance begins using that new information, but also has the benefit of reducing the amount of LDAP network traffic associated with frequent queries for information that does not change frequently. If this option is enabled but queries are not being cached, inspect the value of TTL. Entering a TTL value of 0 effectively disables caching.

TTL: Enter the amount of time, in minutes, that the FortiRecorder unit will cache query results. After the TTL has elapsed, cached results expire, and any subsequent request for that information causes the FortiRecorder appliance to query the LDAP server, refreshing the cache. The default TTL value is 1440 minutes (one day). The maximum value is 10080 minutes (one week). Entering a value of 0 effectively disables caching. This option is applicable only if Enable cache is enabled.

5. Click Create.
6. To test the query, click the row to select the query, then click Test LDAP Query (alternatively, click Edit, then Test LDAP Query). From the Select query type drop-down list, choose Authentication, then complete the Password and Mail address fields that appear. Click Test. After a few seconds, a dialog should appear to let you know that either the query succeeded, or the reason for its failure, such as a connectivity error. Click OK.
You can also test the query by selecting this profile when configuring an account ("To configure an account via the web UI" on page 84), then attempting to authenticate using that account's credentials.
To configure an LDAP or Active Directory query via the CLI
1. Enter these commands:
config profile ldap
  edit <query_name>
    set authstate enable
    set server {<server_fqdn> | <server_ipv4>}
    set port <listening-port_int>
    set secure {none | ssl}
    set unauth-bind {enable | disable}
where:
• <query_name> is the name of the query, such as ldap-query, that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
• {<server_fqdn> | <server_ipv4>} is a choice of either the fully qualified domain name (FQDN) or IP address of the LDAP or Active Directory server that will be queried when an account referencing this profile attempts to authenticate.
• <listening-port_int> is the port number on which the authentication server listens for queries. The IANA standard port number for LDAP is 389. LDAPS (SSL/TLS-secured LDAP) is 636.
• {none | ssl} is the choice of either none (no encryption) or ssl (if your directory server uses SSL to encrypt query connections).
• {enable | disable} is the choice of whether or not to skip authentication when querying. Many LDAP servers require LDAP queries to be authenticated ("bound") by supplying a bind DN and password to determine the scope of permissions for the directory search. However, if your LDAP server does not require binding, you can enable this option to improve performance. If you disable this setting, you must also configure bind-dn, bind-password, and auth-bind-dn.
2. If your directory does not use OpenLDAP's default schema (e.g. you use Microsoft Active Directory), or if you need to configure a query string, LDAP protocol version, query cache, or how the query will be authenticated (the bind DN), also enter these commands:
set schema {activedirectory | dominoperson | inetlocalmailrcpt | inetorgperson | userdefined}
set base-dn <base-dn_str>
set query <filter_str>
set scope {base | one | sub}
set dereferencing {always | find | never | search}
set bind-dn <bind-dn_str>
set bind-password <bind-password_str>
set auth-bind-dn {cnid | none | searchuser | upn}
set cnid-name <cn-attr_str>
set upn-suffix <upn_str>
set cache-state {enable | disable}
set cache-ttl <minutes_int>
set timeout <seconds_int>
set fallback-server {<server_fqdn> | <server_ipv4>}
set fallback-port <listening-port_int>
where:
• {activedirectory | dominoperson | inetlocalmailrcpt | inetorgperson | userdefined} is the schema style of your LDAP directory's user objects. If you select userdefined, you must configure query. Otherwise, the appliance will use the query filter string that matches your selected schema style, and therefore you do not need to configure query.
• <base-dn_str> is the distinguished name (DN) of the part of the LDAP directory tree within which FortiRecorder will search for user objects, such as ou=People,dc=example,dc=com. User objects should be child nodes of this location.
• <filter_str> is an LDAP query filter, such as '(&(objectClass=inetOrgPerson)(mail=$m))', that selects a set of user objects from the LDAP directory. The query filter string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects. If it includes spaces or special characters, surround the string with quotes.
• {base | one | sub} is which level of depth to query, starting from the base DN.
• {always | find | never | search} is when, if ever, to dereference attributes whose values are references.
• <bind-dn_str> is the bind DN, such as cn=FortiRecorderA,dc=example,dc=com, of an LDAP user account with permissions to query the base DN. If the query is unauthenticated, do not configure this setting.
• <bind-password_str> is the password for the bind DN. If the query is unauthenticated, do not configure this setting.
• {cnid | none | searchuser | upn} is how, if the query requires authentication, the FortiRecorder appliance will form the bind DN:
  • upn — Form the user's bind DN by prepending the user name portion of the email address ($u) to the User Principal Name (UPN, such as example.com). By default, the FortiRecorder appliance will use the mail domain as the UPN. If you want to use a UPN other than the mail domain, enter it in upn-suffix. This can be useful if users authenticate with a domain other than the mail server's principal domain name.
  • cnid — Form the user's bind DN by prepending a common name to the base DN. Also enter the name of the user objects' common name attribute in cnid-name.
  • searchuser — Form the user's bind DN by using the DN retrieved for that user by the query, starting from the base DN.
• <cn-attr_str> is the name of the user objects' common name attribute, such as cn or uid.
• <upn_str> is a UPN other than the mail domain, if you want to use one. This can be useful if users authenticate with a domain other than the mail server's principal domain name.
• cache-state {enable | disable} is the choice of whether to cache LDAP query results.
• cache-ttl <minutes_int> is the amount of time, in minutes, that the FortiRecorder unit will cache query results. After the TTL has elapsed, cached results expire, and any subsequent request for that information causes the FortiRecorder appliance to query the LDAP server, refreshing the cache.
• timeout <seconds_int> is the number of seconds that the FortiRecorder appliance will wait for a reply to the query before assuming that the primary LDAP server has failed, and will therefore query the secondary LDAP server. Also configure fallback-server and fallback-port.
• fallback-server {<server_fqdn> | <server_ipv4>} is a choice of either the fully qualified domain name (FQDN) or IP address of the secondary LDAP or Active Directory server that will be queried when an account referencing this profile attempts to authenticate and the primary server fails to respond within the query timeout.
• fallback-port <listening-port_int> is the port number on which the fallback authentication server listens for queries. The IANA standard port number for LDAP is 389. LDAPS (SSL/TLS-secured LDAP) is 636.
3. Enter this command to save and apply the configuration:
end
4. To test the query, select this profile when configuring an account ("To configure an account via the web UI" on page 84), then attempt to authenticate using that account's credentials. Alternatively, you can use the query test feature in the web UI.
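The LDAP profile settings in the web UI and CLI procedures above describe a query filter with $m and $u placeholders, three ways of forming the user's bind DN, and a result cache with a TTL in minutes. The following added example (written for this page; not FortiRecorder code, and it contacts no directory) shows what those settings produce. The RFC 4515 filter escaping and RFC 4514 DN escaping of the login value are an addition the handbook does not mention: without them, a login name such as *)(uid=admin changes the meaning of the filter.

```python
"""Filter templating, bind-DN formation and TTL caching as described by the
FortiRecorder LDAP profile settings.  Added example for this handbook page,
not appliance code.  The schema-specific filters the appliance preloads are
not published, so only a user-defined template is handled here."""
import time
from typing import Optional

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value inside a distinguished name."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def build_user_filter(template: str, email: str) -> str:
    """Substitute $m (the full email address) and $u (its user-name part)."""
    user = email.partition("@")[0]
    return (template.replace("$m", escape_filter_value(email))
                    .replace("$u", escape_filter_value(user)))


def form_bind_dn(strategy: str, email: str, *, base_dn: str = "", cn_attr: str = "cn",
                 upn_suffix: Optional[str] = None, found_dn: Optional[str] = None):
    """Build the DN (or UPN) used to bind as the user; strategy is the CLI
    keyword of auth-bind-dn: upn, cnid, searchuser or none."""
    user, _, domain = email.partition("@")
    if strategy == "none":              # the query is not authenticated as the user
        return None
    if strategy == "upn":               # "Try UPN or email address as bind DN"
        return f"{user}@{upn_suffix or domain}"
    if strategy == "cnid":              # "Try common name with base DN as bind DN"
        return f"{cn_attr}={escape_dn_value(user)},{base_dn}"
    if strategy == "searchuser":        # "Search user and try bind DN"
        if not found_dn:
            raise LookupError("user query returned no entry; no DN to bind with")
        return found_dn
    raise ValueError(f"unknown auth-bind-dn strategy {strategy!r}")


class QueryCache:
    """Result cache with the TTL semantics of Enable cache / cache-ttl:
    0 minutes disables caching, entries expire after the TTL, 10080 is the
    maximum.  The clock is injectable so expiry can be tested offline."""

    def __init__(self, ttl_minutes: int, clock=time.monotonic):
        if not 0 <= ttl_minutes <= 10080:
            raise ValueError("TTL must be between 0 and 10080 minutes")
        self.ttl, self.clock, self._store = ttl_minutes * 60, clock, {}

    def get(self, key):
        if self.ttl == 0 or key not in self._store:
            return None
        value, stored_at = self._store[key]
        if self.clock() - stored_at >= self.ttl:     # expired: force a fresh query
            del self._store[key]
            return None
        return value

    def put(self, key, value):
        if self.ttl:
            self._store[key] = (value, self.clock())


if __name__ == "__main__":
    template = "(&(objectClass=inetOrgPerson)(mail=$m))"
    print(build_user_filter(template, "guard@example.com"))
    print(build_user_filter(template, "*)(uid=admin"))   # crafted value is neutralised
    print(form_bind_dn("cnid", "guard@example.com", base_dn="ou=People,dc=example,dc=com"))
    print(form_bind_dn("upn", "guard@example.com", upn_suffix="corp.example.com"))
```

The cnid strategy only works when the user-name part of the login is exactly the value of the common name attribute; the searchuser strategy avoids that assumption by binding with whatever DN the user query returned, at the cost of one extra round trip.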
To configure a RADIUS query via the web UI
1. Go to System > Authentication > RADIUS.
2. Click New. A dialog appears.
3. Configure these settings:

Profile name: Type a name (such as RADIUS-query) that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.

Server name/IP: Type the fully qualified domain name (FQDN) or IP address of the RADIUS server that will be queried when an account referencing this profile attempts to authenticate.

Server port: Type the port number on which the authentication server listens for queries. The IANA standard port number for RADIUS is 1812.

Server secret: Type the secret required by the RADIUS server. It must be the same as the secret that is configured on the RADIUS server.

Protocol: Select which authentication method is used by the RADIUS server:
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)
• Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
• Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
• Default Authentication Scheme

NAS IP/Called station ID: Type the NAS IP address or Called Station ID (NAS-IP-Address is RADIUS attribute 4 and Called-Station-Id is attribute 30, both defined in RFC 2865; for the Microsoft vendor-specific attributes, see RFC 2548). If you do not enter an IP address, the IP address of the FortiRecorder network interface used to communicate with the RADIUS server will be applied.

Server requires domain: Enable if the authentication server requires that users authenticate using their full email address (such as user1@example.com) and not just the user name (such as user1).

4. Click OK.
To test the query, select this profile when configuring an account ("To configure an account via the web UI" on page 84), then attempt to authenticate using that account's credentials.

To configure a RADIUS query via the CLI
1. Enter these commands:
config profile authentication radius
  edit <query_name>
    set server {<server_fqdn> | <server_ipv4>}
    set port <listening-port_int>
    set secret <secret_str>
    set auth-prot {auto | chap | mschap | mschap2 | pap}
    set nas-ip <called-station-id_ipv4>
    set send-domain {enable | disable}
end
where:
• <query_name> is the name of the query, such as radius-query, that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
• {<server_fqdn> | <server_ipv4>} is a choice of either the fully qualified domain name (FQDN) or IP address of the RADIUS server that will be queried when an account referencing this profile attempts to authenticate.
• <listening-port_int> is the port number on which the authentication server listens for queries. The IANA standard port number for RADIUS is 1812.
• <secret_str> is the secret required by the RADIUS server. It must be the same as the secret that is configured on the RADIUS server.
• {auto | chap | mschap | mschap2 | pap} is which authentication method is used by the RADIUS server.
• <called-station-id_ipv4> is the NAS IP address or Called Station ID (NAS-IP-Address is RADIUS attribute 4 and Called-Station-Id is attribute 30, both defined in RFC 2865; for the Microsoft vendor-specific attributes, see RFC 2548). If you do not enter an IP address, the IP address of the FortiRecorder network interface used to communicate with the RADIUS server will be applied.
• send-domain {enable | disable} is enabled if the authentication server requires that users authenticate using their full email address (such as user1@example.com) and not just the user name (such as user1).
2. To test the query, select this profile when configuring an account ("To configure an account via the web UI" on page 84), then attempt to authenticate using that account's credentials.
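The RADIUS settings above (the account's Check permission attribute on RADIUS server, Vendor ID and Subtype ID, and the RADIUS profile's secret and PAP/CHAP choice) all concern what travels between FortiRecorder and the RADIUS server. The following added example, written for this page and not FortiRecorder code, shows that exchange at the byte level with both sides in one process: the NAS hides the PAP password with the shared secret and a random Request Authenticator, the server answers with an Access-Accept carrying the Fortinet-Access-Profile VSA, and the NAS verifies the Response Authenticator before trusting the reply. Packet layout, password hiding and the authenticator follow RFC 2865, the VSA layout follows RFC 2548; vendor ID 12356 and subtype 6 are the defaults the handbook quotes, and the user table, shared secret and NAS address are constructed.

```python
"""RADIUS Access-Request / Access-Accept exchange reduced to bytes: PAP
User-Password hiding and the Response Authenticator (RFC 2865) plus the
Fortinet-Access-Profile VSA (RFC 2548 layout) that lets the server set the
account's User type.  Added example, not FortiRecorder code; both sides run
in one process.  Vendor ID 12356 / subtype 6 are the handbook's quoted
defaults; the user table, shared secret and NAS address are constructed."""
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
FORTINET_VENDOR_ID, FORTINET_ACCESS_PROFILE = 12356, 6
# constructed server-side table: password, Fortinet-Access-Profile (None = no VSA sent)
USERS = {"guard": ("s3cret-guard", "Operator"), "netadmin": ("s3cret-admin", "Administrator"),
         "novsa": ("s3cret-novsa", None)}

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def fortinet_vsa(profile):
    """Vendor-Specific (26): 4-byte vendor ID, then vendor type/length/value."""
    inner = attr(FORTINET_ACCESS_PROFILE, profile.encode())
    return attr(VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + inner)

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(data):
    out, pos = [], 0
    while pos + 2 <= len(data):
        kind, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        out.append((kind, data[pos + 2:pos + alen]))
        pos += alen
    return out

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], parse_attrs(pkt[20:length])

def pap_xor(data, secret, request_auth, hiding):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    cipher block); the first block uses the Request Authenticator instead."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (result if hiding else block)
    return out

def hide_password(password, secret, request_auth):
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return pap_xor(padded, secret, request_auth, True)

def reveal_password(hidden, secret, request_auth):
    return pap_xor(hidden, secret, request_auth, False).rstrip(b"\x00")

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def access_profile(attrs):
    """Value of the Fortinet-Access-Profile VSA, or None if it is absent."""
    for kind, value in attrs:
        if kind == VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == FORTINET_VENDOR_ID:
            for vtype, vvalue in parse_attrs(value[4:]):
                if vtype == FORTINET_ACCESS_PROFILE:
                    return vvalue.decode(errors="replace")
    return None

def effective_user_type(attrs, local_user_type, check_permission_attr):
    """Handbook rule: with the permission check enabled the server's profile
    wins; otherwise, or when the VSA is absent, the local User type applies.
    None means authenticated but without rights ('permission denied')."""
    profile = access_profile(attrs) if check_permission_attr else None
    return profile if profile in ("Administrator", "Operator") else local_user_type

def radius_server(request, secret):
    """Server side: recover the PAP password, reply Accept (with the VSA from
    the user table) or Reject, and sign with the Response Authenticator."""
    code, ident, request_auth, attrs = parse(request)
    fields = dict(attrs)
    entry = USERS.get(fields.get(USER_NAME, b"").decode(errors="replace"))
    given = reveal_password(fields.get(USER_PASSWORD, b""), secret, request_auth)
    if code == ACCESS_REQUEST and entry and given == entry[0].encode():
        reply_code, reply_attrs = ACCESS_ACCEPT, (fortinet_vsa(entry[1]) if entry[1] else b"")
    else:
        reply_code, reply_attrs = ACCESS_REJECT, b""
    auth = response_authenticator(reply_code, ident, reply_attrs, request_auth, secret)
    return packet(reply_code, ident, auth, reply_attrs)

def nas_login(username, password, secret, nas_ip="192.0.2.10", server_secret=None):
    """NAS side: send an Access-Request, then check the reply's identifier and
    Response Authenticator before trusting it.  Returns (code, profile)."""
    request_auth, ident = os.urandom(16), 42
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    reply = radius_server(packet(ACCESS_REQUEST, ident, request_auth, attrs), server_secret or secret)
    code, reply_ident, reply_auth, reply_attrs = parse(reply)
    expected = response_authenticator(code, reply_ident, reply[20:], request_auth, secret)
    if reply_ident != ident or reply_auth != expected:
        raise ValueError("reply not produced with our shared secret; discard it")
    return code, access_profile(reply_attrs)
```

Two points worth noticing: the password is only as protected as the shared secret and the transport (PAP hiding is MD5-keyed XOR, which is why the Caution asks you to secure all query traffic to the server), and the Response Authenticator is the only thing that binds a reply to this request and this secret, so a NAS that skips that check would accept a spoofed Access-Accept carrying Fortinet-Access-Profile = Administrator.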
• <secret_str> is the secret required by the RADIUS server. • <listening-port_int> is the port number on which the authentication server listens for queries. Enter these commands: config profile authentication radius edit <query_name> set server {<server_fqdn> | <server_ipv4>} set port <listening-port_int> set secret <secret_str> set auth-prot {auto | chap | mschap | mschap2 | pap} set nas-ip <called-station-id_ipv4> set send-domain {enable | disable} end where: • <query_name> is the name of the query. Do not use spaces or special characters. when operators log in to your FortiRecorder NVR. It also means that QuickTime is not required on the smart phone or computer where you usually check your email. camera-based notifications will include a few key frame still images from each motion detection-triggered recording. Page 102 FortiRecorder 1. Fortinet Technologies Inc. However.Configuring notification email When a significant event happens. your FortiRecorder NVR can notify you. such as motion-triggered video recording or the hard disk being full. if you prefer that the email instead link to the full video clip for that recording. configure this by going to Monitor > System Status > Console and entering these CLI commands: config system admin edit <operator_name> set embed-email-images no next end Optionally or in addition to receiving email. Go to System > Configuration > Mail Server Settings.1 Handbook . This means you can review your motion detection alarms even if you are away from the office and cannot connect to your NVR. By default. To configure FortiRecorder to send notification email via the web UI 1. Configure it with SMTP settings so that it can send you email — both camera snapshot notifications and NVR system event alerts. it will notify them of camera-related events that have occurred since they last logged in. it uses the SMTP AUTH command).example. or a 3rd-party email server such as Yahoo! or Gmail. 
2. Configure these settings:

Setting name: Description

Mail server name: Type the fully-qualified domain name (FQDN) of your SMTP server, such as mail.example.com. If you do not have your own email server, this is often the name of your ISP’s SMTP relay, or a 3rd-party email server such as Yahoo! or Gmail.

Mail server port: Type the port number on which your email server or SMTP relay listens for connections from clients. The default varies by whether you enable Use SMTPS: disabled, it is port 25; enabled, it is port 465.

Use SMTPS: Enable to initiate SSL- and TLS-secured connections to the email server if it supports SSL/TLS. When disabled, SMTP connections from the FortiRecorder appliance’s built-in email client to the SMTP server will occur as clear text, unencrypted. This option must be enabled to initiate SMTPS-secured connections.

Authentication Required: If the email server requires SMTP authentication (i.e. it uses the SMTP AUTH command), also enable Authentication Required, then configure these settings:

User name: Type the name of the account that FortiRecorder will use to log in to the SMTP server.

Password: Type the password for the account on the SMTP server.

Authentication type: Select one of the following authentication methods:
• AUTO — Automatically detect and use the most secure SMTP authentication type supported by the email server.
• PLAIN — Provides an unencrypted, scrambled password.
• LOGIN — Provides an unencrypted, scrambled password.
• CRAM-MD5 — Provides an encrypted MD5 hash of the password, combined with a challenge and response mechanism.
• DIGEST-MD5 — Provides an encrypted MD5 hash of the password, with hash replay prevention.

3. Click Apply.

4. Go to Logs and Alerts > Alert Email > Configuration.

5. Click New.

6. Type your email address, such as admin@example.com. This setting is the recipient only for appliance-related notifications, such as the hard disk being full. It does not configure the recipient of camera-related notifications, such as motion detection. These will be configured in step 10.

7. Click Create.

8. Go to Logs and Alerts > Alert Email > Categories.

9. Mark the check boxes of all appliance events that you want to trigger an alert email to be sent, such as:

Setting name: Description

Critical events: Enable to notify when serious system events occur such as daemon crashes.

Disk is full: Enable to notify when the disk partition that stores log data is full. See also “Data storage issues” on page 204.

Camera device: Enable to notify when a defined camera configuration has been enabled or disabled, or if there are problems with the camera. (The FortiRecorder NVR will not control or record video from a camera that is not enabled in its list of known, configured devices.) See “Connecting with the cameras” on page 75.

Camera communications: Enable to notify when there has been a network error during communications between the NVR and camera. See also “Connectivity issues” on page 187.

Camera recording: Enable to notify when an issue prevents a camera from recording. See also “Video viewing issues” on page 185 and “Connectivity issues” on page 187.

Camera disk: Enable to notify when the disk partition that stores video data is full. See also “Data storage issues” on page 204.

10. Go to Camera > Notification > Camera Notification.

11. Click New.

12. Configure the rate of motion detection events that will trigger an alert, which cameras will be involved, applicable days and times, and the FortiRecorder administrator or operator accounts that will receive camera-related notifications (e.g. snapshot notifications) at the email address, if any, configured for their accounts.

13. Click Create.
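As an added example (not code from the handbook or from FortiRecorder), the Python below models what the Authentication type setting in the table decides: it reads the mechanisms a server advertises in its EHLO reply, picks the strongest one for AUTO, returns the default Mail server port for the Use SMTPS choice, and computes a CRAM-MD5 reply to show the challenge and response the table refers to. The strongest-first ordering is this example's assumption derived from the table's descriptions; the EHLO reply is constructed, and the CRAM-MD5 check values are the worked example from RFC 2195.

```python
import base64
import hashlib
import hmac

# Strongest first, as read from the table's descriptions (this example's assumption,
# not a documented FortiRecorder ordering).
MECHANISM_PREFERENCE = ["DIGEST-MD5", "CRAM-MD5", "LOGIN", "PLAIN"]


def default_smtp_port(use_smtps):
    """Mail server port default from the table: 465 with Use SMTPS, otherwise 25."""
    return 465 if use_smtps else 25


def advertised_auth_mechanisms(ehlo_response):
    """Collect mechanisms from the '250-AUTH ...' / '250 AUTH ...' lines of an EHLO reply."""
    mechanisms = []
    for line in ehlo_response.splitlines():
        if not line.startswith("250"):
            continue
        words = line[4:].strip().split()      # drop the "250-" or "250 " prefix
        if words and words[0].upper() == "AUTH":
            mechanisms.extend(w.upper() for w in words[1:])
    return mechanisms


def choose_mechanism(setting, advertised):
    """AUTO takes the most secure advertised type; a fixed type must be advertised."""
    if setting.upper() == "AUTO":
        for mechanism in MECHANISM_PREFERENCE:
            if mechanism in advertised:
                return mechanism
        return None
    return setting.upper() if setting.upper() in advertised else None


def cram_md5_digest(password, challenge):
    """HMAC-MD5 keyed with the password over the server's challenge (RFC 2195)."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_response(username, password, challenge_b64):
    """Client reply: base64 of 'username <hex digest>'. The password itself never
    leaves the client, and a fresh challenge per session defeats replay of the reply."""
    challenge = base64.b64decode(challenge_b64)
    reply = "%s %s" % (username, cram_md5_digest(password, challenge))
    return base64.b64encode(reply.encode()).decode()


# Constructed EHLO reply from a server that offers STARTTLS and three mechanisms.
SAMPLE_EHLO = (
    "250-mail.example.com\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5\r\n"
    "250 8BITMIME\r\n"
)

# Challenge from the worked example in RFC 2195 (user "tim", password "tanstaaftanstaaf").
RFC2195_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
RFC2195_CHALLENGE_B64 = base64.b64encode(RFC2195_CHALLENGE).decode()
```

With AUTO and a server that offers only PLAIN or LOGIN, the credentials are protected solely by the transport, which is the case the table describes as clear text when Use SMTPS is disabled; the two settings should be decided together.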
14. If you want remote access — connecting from a home or a branch office through the Internet to your FortiRecorder NVR— for either using the web UI or snapshot notification video clips while you are out of the office, you must configure both your network and the NVR.

First, on your office’s firewall or Internet router, configure port forwarding and/or a virtual IP (VIP) to forward remote access connections from the Internet to your FortiRecorder NVR’s private network IP. (See “Appendix A: Port numbers” on page 212.)

Remote access opens ports and can weaken the strength of your network security. To prevent attackers on the Internet from gaining access to your surveillance system, restrict which IP addresses can use your port forward/virtual IP, configure your firewall or router to require authentication, and scan requests for viruses and hacking attempts.

Next, if you want video clips (if configured) in snapshot notifications to allow remote access, go to System > Configuration > Options and configure these settings:

Setting name: Description

Public Access

Host name: Type either your network’s IP on the Internet, or its domain name, such as www.example.com. This is either your Internet router’s WAN IP, or a virtual IP (VIP) on your firewall whose NAT table will forward incoming connections from this public network IP to your FortiRecorder NVR’s private network IP. If you are not sure what your network’s Internet address is, while connected to your office network, you can use an online utility such as: http://ping.eu/

Port number: Type the port number, such as 8080, on your public IP that your Internet router or firewall will redirect to your FortiRecorder NVR’s listening port.

15. To verify email connectivity, from FortiRecorder, trigger an alert event that matches the type and severity levels that you have chosen. Then, check your email.

If you do not receive an alert email within a few minutes, verify that you have configured an email address for the account. Next, verify that your alert email has not been classified as spam by checking your junk mail folder. To prevent classification as spam, it usually helps to add the FortiRecorder NVR’s email address to your address book.

To determine the point of connectivity failure along the network path, go to Monitor > System Status > Console and enter the CLI command:

execute traceroute <syslog_ipv4>

where <syslog_ipv4> is the IPv4 address of your email server, if the SMTP server is configured to respond to ICMP ECHO_REQUEST (ping). If that connectivity succeeds, verify the FortiRecorder NVR’s static routes (see “Adding a gateway” on page 58) and the policies on any firewalls or routers between the appliance and the SMTP relay. (They must allow SMTP traffic from the FortiRecorder network interface that is connected to the gateway between it and the email server.)

To configure FortiRecorder to send notification email via the CLI

1. If you want FortiRecorder to send motion detection-triggered notifications, enter these commands:

config camera notification
  edit <notification_name>
    set status enable
    set cameras {<camera_name>...}
    set users {<account_name>...}
    set days {su mo tu we th fr sa}
    set all-day {enable | disable}
    set time-start <begin-time_str>
    set time-end <stop-time_str>
    set num-triggers <count_int>
    set trigger-time-period <minutes_int>
end

where:
• <notification_name> is the name of the camera-based notification
• {<camera_name>...} is the name of one or more cameras that will trigger this notification
• {<account_name>...} is the name of one or more administrator and/or operator accounts that will receive the notification
• {su mo tu we th fr sa} is a space-delimited list of the days of the week during which the camera-based notification will be applicable
• all-day {enable | disable} is whether or not the camera notification is applicable during the entire day. If disabled, you must configure the hours during which the camera-based notification is applicable (time-start and time-end).
• <begin-time_str> is the hour and minute according to a 24-hour clock and in the format hh-mm, such as 14-01 for 2:01 PM, when this camera-based notification will come into force. This setting is available only if all-day is set to disable.
• <stop-time_str> is the hour and minute according to a 24-hour clock and in the format hh-mm, such as 22-01 for 10:01 PM, when this camera-based notification will come out of force. This setting is available only if all-day is set to disable.
• <count_int> and <minutes_int> are the number of triggers (e.g. motion detections) per minute that must occur in order to cause this camera-based notification to send an email to the operator or administrator

2. If you want FortiRecorder to send appliance-related alert email, enter these commands:

config log alertemail recipient
  edit <recipient_email>
end
config log alertemail setting
  set categories {camera-communications camera-device camera-disk camera-recording critical diskfull}
end

where:
• <recipient_email> is your email address, such as admin@example.com. This setting is the recipient only for appliance-related notifications, such as the hard disk being full. It does not configure the recipient of camera-related notifications, such as motion detection. These are configured in step 1.
• {camera-communications camera-device camera-disk camera-recording critical diskfull} is a space-delimited list of all appliance events that you want to trigger an alert email to be sent, such as critical (such as system crashes).

3. If you want remote access — connecting from a home or a branch office through the Internet to your FortiRecorder NVR— for either using the web UI or snapshot notification video clips while you are out of the office, you must configure both your network and the NVR.

First, on your office’s firewall or Internet router, configure port forwarding and/or a virtual IP (VIP) to forward remote access connections from the Internet to your FortiRecorder NVR’s private network IP. (See “Appendix A: Port numbers” on page 212.)

Remote access opens ports and can weaken the strength of your network security. To prevent attackers on the Internet from gaining access to your surveillance system, restrict which IP addresses can use your port forward/virtual IP, configure your firewall or router to require authentication, and scan requests for viruses and hacking attempts.

Next, if you want video clips (if configured) in snapshot notifications to allow remote access, go to Monitor > System Status > Console and enter these CLI commands:

config system global
  set public-address {<Internet_ipv4> | <Internet_fqdn>}
  set public-port <port-forward_int>
end

where:
• {<Internet_ipv4> | <Internet_fqdn>} is either your network’s IP on the Internet, or its domain name, such as www.example.com. This is either your Internet router’s WAN IP, or a virtual IP (VIP) on your firewall whose NAT table will forward incoming connections from this public network IP to your FortiRecorder NVR’s private network IP. If you are not sure what your network’s Internet address is, while connected to your office network, you can use an online utility such as: http://ping.eu/
• <port-forward_int> is the port number, such as 8080, on your public IP that your Internet router or firewall will redirect to your FortiRecorder NVR’s listening port.

4. To verify email connectivity, from FortiRecorder, trigger an alert event that matches the type and severity levels that you have chosen. Then, check your email.

If you do not receive an alert email within a few minutes, verify that you have configured an email address for the account. Next, verify that your alert email has not been classified as spam by checking your junk mail folder. To prevent classification as spam, it usually helps to add the FortiRecorder NVR’s email address to your address book.

To determine the point of connectivity failure along the network path, go to Monitor > System Status > Console and enter the CLI command:

execute traceroute <syslog_ipv4>

where <syslog_ipv4> is the IPv4 address of your email server, if the SMTP server is configured to respond to ICMP ECHO_REQUEST (ping). If that connectivity succeeds, verify the FortiRecorder NVR’s static routes (see “Adding a gateway” on page 58) and the policies on any firewalls or routers between the appliance and the SMTP relay. (They must allow SMTP traffic from the FortiRecorder network interface that is connected to the gateway between it and the email server.)
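To make the days, hh-mm window and trigger-rate settings of the camera notification concrete, here is an added Python example (not FortiRecorder code) that evaluates a camera-based notification: detections count only on configured days and, when all-day is disabled, inside the time-start to time-end window, and the notification fires once num-triggers of them fall within trigger-time-period minutes. The configuration values and the motion-detection timestamps are constructed; the example also handles a window that wraps past midnight (such as 22-00 to 06-00), which is this example's assumption about behaviour the handbook does not describe.

```python
from datetime import datetime, timedelta

DAY_CODES = ["mo", "tu", "we", "th", "fr", "sa", "su"]  # index == datetime.weekday()


def parse_hhmm(value):
    """The CLI's hh-mm clock format, e.g. 14-01 for 2:01 PM or 22-01 for 10:01 PM."""
    hh, mm = value.split("-")
    hour, minute = int(hh), int(mm)
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("invalid hh-mm time %r" % value)
    return hour, minute


def in_schedule(ts, cfg):
    """A trigger counts only on a configured day and, unless all-day, inside the window."""
    if DAY_CODES[ts.weekday()] not in cfg["days"]:
        return False
    if cfg["all_day"]:
        return True
    start, end = parse_hhmm(cfg["time_start"]), parse_hhmm(cfg["time_end"])
    now = (ts.hour, ts.minute)
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end   # window wrapping past midnight (assumption)


def notification_fires(events, cfg):
    """Timestamp at which num-triggers in-schedule events have occurred within
    trigger-time-period minutes, or None if that rate is never reached."""
    window = timedelta(minutes=cfg["trigger_time_period"])
    recent = []
    for ts in sorted(events):
        if not in_schedule(ts, cfg):
            continue
        recent = [t for t in recent if ts - t <= window]   # sliding window
        recent.append(ts)
        if len(recent) >= cfg["num_triggers"]:
            return ts
    return None


def iso(values):
    return [datetime.fromisoformat(v) for v in values]


# Constructed configuration: weekday evenings, 3 detections within 5 minutes.
SAMPLE_CFG = {"days": ["mo", "tu", "we", "th", "fr"], "all_day": False,
              "time_start": "18-00", "time_end": "23-59",
              "num_triggers": 3, "trigger_time_period": 5}

# Constructed motion-detection timestamps (2013-01-14 is a Monday).
SAMPLE_BURST = iso(["2013-01-14T19:00:00", "2013-01-14T19:02:00", "2013-01-14T19:03:30"])
SAMPLE_SPREAD = iso(["2013-01-14T19:00:00", "2013-01-14T19:10:00", "2013-01-14T19:20:00"])
SAMPLE_WEEKEND = iso(["2013-01-12T19:00:00", "2013-01-12T19:01:00", "2013-01-12T19:02:00"])
SAMPLE_DAYTIME = iso(["2013-01-14T12:00:00", "2013-01-14T12:01:00", "2013-01-14T12:02:00"])

# Constructed overnight window, every day of the week.
NIGHT_CFG = dict(SAMPLE_CFG, days=DAY_CODES, time_start="22-00", time_end="06-00")
SAMPLE_NIGHT = iso(["2013-01-14T23:58:00", "2013-01-15T00:01:00", "2013-01-15T00:02:00"])
```

A burst of three detections in under four minutes fires; the same three detections ten minutes apart, on a Saturday, or at noon do not, which is the filtering that keeps a busy scene from generating an email per detection.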
Configuring logging

Even if you decide not to receive notifications via email, your FortiRecorder NVR can keep a record of significant events. To diagnose problems or to track actions that the FortiRecorder appliance does as it receives and processes video, configure the FortiRecorder appliance to record log messages. Log messages can record camera and/or FortiRecorder appliance events.

To configure logging via the web UI

1. Go to either Logs and Alerts > Log Setting > Local Log Settings or Log > Log Setting > Remote Log Settings (depending on whether you want logs to be stored on FortiRecorder’s hard drive, or remotely, on a Syslog server or FortiAnalyzer).

2. If configuring local log storage, configure the following settings:

Setting name: Description

Log file size: Type the file size limit of the current log file in megabytes (MB). The log file size limit must be between 1 MB and 1000 MB. Note: Large log files may decrease display and search performance.

Log time: Type the time (in days) of the file age limit. Valid range is between 1 and 366 days. If the log is older than this limit, even if it has not exceeded the maximum file size, a new current log file will be started.

At hour: Select the hour of the day (24-hour format) when the file rotation should start. For example, if you set the log time to 10 days at hour 23, the log file will be rotated at 23 o’clock of the 10th day.

When a log file reaches either the age or size limit, the FortiRecorder appliance rotates the current log file: that is, it renames the current log file (elog.log) with a file name indicating its sequential relationship to other log files of that type (elog2.log, and so on), then creates a new current log file.

Log level: Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see “Log severity levels” on page 161. Caution: Avoid recording log messages using low severity thresholds such as Information or Notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

Log options when disk is full: Select what the FortiRecorder will do when the local disk is full and a new log message is caused, either:
• Do not log — Discard all new log messages.
• Overwrite — Delete the oldest log file in order to free disk space, and store the new log message.

3. If configuring remote log storage, in the Logging Policy Configuration area, click New, then configure the following settings:

Setting name: Description

IP: Type the IP address of a Syslog server or FortiAnalyzer.

Port: Type the UDP port number on which the Syslog server listens for log messages. The default is 514.

Level: Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see “Log severity levels” on page 161. Caution: Avoid recording log messages using low severity thresholds such as Information or Notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

CSV format: Enable if your Syslog server requires comma-separated values (CSV). Note: Do not enable this option if the remote host is a FortiAnalyzer. FortiAnalyzer does not support CSV-formatted log messages.

Facility: Select the facility identifier the FortiRecorder will use to identify itself to the Syslog server if it receives logs from multiple devices. To easily identify log messages from the FortiRecorder when they are stored on a remote logging server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier.

4. Mark the check box for Enable.

5. Mark the check boxes of all events that you want to cause a log message, such as When configuration has changed.

6. Click Apply or Create.
7. To verify logging connectivity, from FortiRecorder, trigger a log message that matches the type and severity levels that you have chosen to store on the remote Syslog server or FortiAnalyzer. Then, on the remote host, confirm that it has received that log message.

If the remote host does not receive the log messages, verify the FortiRecorder’s static routes (see “Adding a gateway” on page 58) and the policies on any intermediary firewalls or routers (they must allow Syslog traffic from the FortiRecorder network interface that is connected to the gateway between it and the Syslog server).

If you will be sending logs to a FortiAnalyzer appliance, you must add the FortiRecorder NVR to its device list, and allocate enough disk space. Otherwise, depending on its configuration for unknown devices, FortiAnalyzer may ignore the logs. When the allocated disk space is full, it may drop subsequent logs.

To determine the point of connectivity failure along the network path, go to Monitor > System Status > Console and enter the command:

execute traceroute <syslog_ipv4>

where <syslog_ipv4> is the IPv4 address of your FortiAnalyzer or Syslog server, if the FortiAnalyzer or Syslog server is configured to respond to ICMP ECHO_REQUEST (ping).

To configure logging via the CLI

1. If you want to store logs on the FortiRecorder NVR’s local disk, enter these commands:

config log setting local
  set status enable
  set camera-log-status {enable | disable}
  set event-log-status {enable | disable}
  set event-log-category {configuration admin system smtp dhcp}
  set loglevel {alert | critical | debug | emergency | error | information | notification | warning}
  set disk-full {nolog | overwrite}
  set rotation-size <file-size_int>
  set rotation-period <days_int>
  set rotation-hour <time_int>
end

where:
• {enable | disable} is whether to enable or disable messages about events on the cameras or NVR
• {configuration admin system smtp dhcp} is a space-delimited list of the types of NVR events that you want to record
• {alert | critical | debug | emergency | error | information | notification | warning} is the severity level that a log message must meet or exceed in order to cause the FortiRecorder appliance to record it. Avoid recording log messages using low severity thresholds such as Information or Notification to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.
• {nolog | overwrite} is what the FortiRecorder appliance will do when the local disk is full and a new log message is caused, either:
  • nolog — Discard the new log message.
  • overwrite — Delete the oldest log file in order to free disk space, then store the new log message.
• <file-size_int> is the maximum size in megabytes (MB) of the current log file. The valid range is between 1 and 1,000 MB. When the log file reaches the maximum size the log file is rolled (that is, the current log file is saved to a file with a new name, and a new log file is started). Large log files may decrease display and search performance.
• <days_int> is the time (in days) of the file age limit. Valid range is between 1 and 366 days.
• <time_int> is the hour of the day (24-hour format) when the file rotation should start. For example, if you set the log time to 10 days at hour 23, the log file will be rotated at 23 o’clock of the 10th day.

When a log file reaches either the age or size limit, the FortiRecorder appliance rotates the current log file: that is, it renames the current log file (elog.log) with a file name indicating its sequential relationship to other log files of that type (elog2.log, and so on), then creates a new current log file.

2. If you want to store logs on a FortiAnalyzer or Syslog server,
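The rotation and disk-full rules described for both the web UI table and the local CLI settings can be followed with a small model. The Python below is an added example, not FortiRecorder code: it enforces the documented ranges (1 to 1,000 MB, 1 to 366 days, hour 0 to 23), rotates elog.log to elog2.log, elog3.log and so on by size or by age at the rotation hour, drops messages below loglevel, and applies nolog or overwrite once a constructed partition capacity is reached. Sizes, timestamps and the capacity are constructed sample values; how the real appliance times the age check is not documented, so the hour-of-day rule here is this example's assumption.

```python
from datetime import datetime, timedelta

# Severity order used by the loglevel setting, most severe first.
SEVERITY = ["emergency", "alert", "critical", "error", "warning",
            "notification", "information", "debug"]


def meets_threshold(level, loglevel):
    """A message is recorded when its severity meets or exceeds loglevel."""
    return SEVERITY.index(level) <= SEVERITY.index(loglevel)


class LocalLogStore:
    """Model of the local log settings: size/age/hour rotation and disk-full policy."""

    def __init__(self, rotation_size, rotation_period, rotation_hour,
                 disk_full, loglevel, capacity_mb):
        if not 1 <= rotation_size <= 1000:
            raise ValueError("rotation-size must be 1..1000 MB")
        if not 1 <= rotation_period <= 366:
            raise ValueError("rotation-period must be 1..366 days")
        if not 0 <= rotation_hour <= 23:
            raise ValueError("rotation-hour must be 0..23")
        if disk_full not in ("nolog", "overwrite"):
            raise ValueError("disk-full must be nolog or overwrite")
        self.rotation_size = rotation_size
        self.rotation_period = rotation_period
        self.rotation_hour = rotation_hour
        self.disk_full = disk_full
        self.loglevel = loglevel
        self.capacity_mb = capacity_mb      # constructed: size of the log partition
        self.current_size = 0.0             # elog.log, in MB
        self.current_started = None
        self.archives = []                  # (name, size_mb), oldest first
        self.next_index = 2
        self.rotations = 0

    def used_mb(self):
        return self.current_size + sum(size for _, size in self.archives)

    def archive_names(self):
        return [name for name, _ in self.archives]

    def _age_due(self, ts):
        # Assumption: the age limit is applied at rotation-hour on the day the period ends.
        start = self.current_started.replace(hour=self.rotation_hour, minute=0,
                                             second=0, microsecond=0)
        return ts >= start + timedelta(days=self.rotation_period)

    def _rotate(self, ts):
        self.archives.append(("elog%d.log" % self.next_index, self.current_size))
        self.next_index += 1
        self.current_size, self.current_started = 0.0, ts
        self.rotations += 1

    def write(self, ts, level, size_mb):
        if not meets_threshold(level, self.loglevel):
            return "filtered"
        if self.current_started is None:
            self.current_started = ts
        if self.current_size >= self.rotation_size or self._age_due(ts):
            self._rotate(ts)
        while self.used_mb() + size_mb > self.capacity_mb:
            if self.disk_full == "nolog" or not self.archives:
                return "discarded"
            self.archives.pop(0)            # overwrite: delete the oldest file
        self.current_size += size_mb
        return "stored"


def simulate(disk_full, writes=7):
    """Constructed run: 0.5 MB error messages one minute apart on a 3 MB partition."""
    store = LocalLogStore(rotation_size=1, rotation_period=10, rotation_hour=23,
                          disk_full=disk_full, loglevel="warning", capacity_mb=3)
    t0 = datetime(2013, 1, 14, 10, 0)
    results = [store.write(t0 + timedelta(minutes=i), "error", 0.5) for i in range(writes)]
    return results, store


def age_rotation_demo():
    """One-day period at hour 23: a write at 22:00 next day keeps elog.log, 23:00 rotates."""
    store = LocalLogStore(1000, 1, 23, "overwrite", "information", 100)
    store.write(datetime(2013, 1, 14, 10, 0), "error", 0.1)
    before = store.rotations
    store.write(datetime(2013, 1, 15, 22, 0), "error", 0.1)
    not_yet = store.rotations == before
    store.write(datetime(2013, 1, 15, 23, 0), "error", 0.1)
    return not_yet, store.rotations == before + 1
```

Running the same seven writes with nolog instead of overwrite shows the difference the disk-full setting makes: the seventh message is discarded rather than the oldest archive being deleted, so the choice is between losing the newest evidence and losing the oldest.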
enter these commands:

config log setting remote
  edit 0
    set status enable
    set camera-log-status {enable | disable}
    set event-log-status {enable | disable}
    set event-log-category {configuration admin system smtp dhcp}
    set loglevel {alert | critical | debug | emergency | error | information | notification | warning}
    set server <server_ipv4>
    set port <port_int>
    set comma-separated-value {enable | disable}
    set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kern | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp}
  next
end

where settings that differ from local logging are:
• <server_ipv4> is the IP address of the Syslog server or FortiAnalyzer where the FortiRecorder appliance will store the logs
• <port_int> is the UDP port number on which the Syslog server listens for connections. By default, for Syslog servers and for FortiAnalyzer appliances, this is 514.
• {enable | disable} is whether or not to send log messages in comma-separated values (CSV) format. Do not enable this option if the remote host is a FortiAnalyzer. FortiAnalyzer appliances do not support CSV-formatted log messages.
• {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kern | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp} is the facility identifier that the FortiRecorder appliance will use to identify itself when sending log messages. To easily identify log messages from the FortiRecorder appliance when they are stored on a remote logging server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier.

3. To verify logging connectivity, from FortiRecorder, trigger a log message that matches the type and severity levels that you have chosen to store on the remote Syslog server or FortiAnalyzer. Then, on the remote host, confirm that it has received that log message.

If the remote host does not receive the log messages, verify the FortiRecorder’s static routes (see “Adding a gateway” on page 58) and the policies on any intermediary firewalls or routers (they must allow Syslog traffic from the FortiRecorder network interface that is connected to the gateway between it and the Syslog server).

If you will be sending logs to a FortiAnalyzer appliance, you must add the FortiRecorder NVR to its device list, and allocate enough disk space. Otherwise, depending on its configuration for unknown devices, FortiAnalyzer may ignore the logs. When the allocated disk space is full, it may drop subsequent logs.

To determine the point of connectivity failure along the network path, enter the command:

execute traceroute <syslog_ipv4>

where <syslog_ipv4> is the IPv4 address of your FortiAnalyzer or Syslog server, if the FortiAnalyzer or Syslog server is configured to respond to ICMP ECHO_REQUEST (ping).

Testing your installation

When the configuration is complete, test it by logging in to each account, and viewing the video feed for each camera to make sure that FortiRecorder can receive it, and that the account has the permissions to view it.

If a connection fails, you can use tools included in FortiRecorder to determine whether the problem is local to the appliance or elsewhere on the network. See “Troubleshooting” on page 174. Also revisit troubleshooting recommendations included with each feature’s instructions.

Your FortiRecorder appliance has many additional features you can use. For details, see the other chapters in this Handbook.

Once testing is complete, finish your basic setup with “Backups” on page 117.
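Returning to the remote logging settings above, the added Python example below (not FortiRecorder's own code) shows what the facility, loglevel and CSV settings change on the wire: it builds a syslog UDP payload with the RFC 3164 PRI value (facility × 8 + severity), formats the message body either as key=value pairs or as CSV, and decodes PRI the way a receiving Syslog server does when sorting messages from several devices by facility. The numeric codes are RFC 3164's; mapping the handbook's facility names (including clock, audit, alert and ntp) onto those codes is this example's assumption, and the sample event fields and host name are constructed.

```python
import re

# RFC 3164 facility codes. Correspondence of the handbook's facility names to these
# codes is this example's assumption; user/syslog/uucp are not offered by the NVR but
# are included so that any received PRI decodes.
FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5, "lpr": 6,
    "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11, "ntp": 12,
    "audit": 13, "alert": 14, "clock": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITY_CODES = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
                  "warning": 4, "notification": 5, "information": 6, "debug": 7}
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}
SEVERITY_NAMES = {code: name for name, code in SEVERITY_CODES.items()}


def should_send(severity, loglevel):
    """Remote loglevel works like the local one: send when severity meets or exceeds it."""
    return SEVERITY_CODES[severity] <= SEVERITY_CODES[loglevel]


def pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def format_fields(fields, csv):
    """comma-separated-value enable: bare values; disable: key=value pairs."""
    if csv:
        return ",".join(str(v) for v in fields.values())
    return " ".join("%s=%s" % (k, v) for k, v in fields.items())


def build_datagram(facility, timestamp, hostname, fields, csv=False):
    """UDP payload as the Syslog server receives it: <PRI>TIMESTAMP HOST MESSAGE."""
    header = "<%d>%s %s " % (pri(facility, fields["level"]), timestamp, hostname)
    return (header + format_fields(fields, csv)).encode()


def parse_pri(datagram):
    """Receiver side: recover (facility name, severity name) from the PRI prefix."""
    match = re.match(rb"<(\d{1,3})>", datagram)
    if not match:
        raise ValueError("missing PRI")
    facility_code, severity_code = divmod(int(match.group(1)), 8)
    return FACILITY_NAMES[facility_code], SEVERITY_NAMES[severity_code]


# Constructed event, in the order the fields would be emitted.
SAMPLE_EVENT = {"date": "2013-01-14", "time": "23:05:10", "type": "event",
                "subtype": "config", "level": "notification",
                "msg": "configuration changed"}
```

The CSV body carries no field names, which is why a receiver that expects them (the handbook names FortiAnalyzer) cannot interpret it; a plain Syslog server that has been told the column order can. Choosing a facility such as local4 that no other device on the network uses is what lets the receiver file the NVR's messages separately after decoding PRI.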
Backups

Once you have tested your basic installation and verified that it functions correctly, create a backup. Aside from being an IT best practice, this “clean” backup can be used to:
• troubleshoot a non-functional configuration by comparing it with this functional baseline (via a tool such as diff)
• rapidly restore your installation to a simple yet working point (see “Restoring a previous configuration” on page 119)
• batch-configure FortiRecorder appliances by editing the file in a plain text editor, then uploading the finalized configuration to multiple appliances (see “Restoring a previous configuration” on page 119)

After you have a working deployment, back up the configuration again after any changes. This will ensure that you can rapidly restore your configuration exactly to its previous state if a change does not work as planned.

Configuration backups do not include backups of video data or logs. This is separate. For video backups, see “Video backups” on page 118.

There are multiple methods that you can use to create a FortiRecorder configuration backup. Use whichever one meets your needs:
• “To back up the configuration via the web UI”
• “To back up the configuration via the CLI to a TFTP server”

To back up the configuration via the web UI

1. Log in to the web UI as the admin administrator. Other administrator accounts do not have the required permissions.

2. Go to Monitor > System Status > Status.

3. In the System Information widget, in the System configuration row, click Backup. Your browser downloads the configuration file. Time required varies by the size of the file and the speed of your network connection, but could take several seconds. The default file name is fcm.cfg. If your browser prompts you, navigate to the folder where you want to save the configuration file. Click Save.

To back up the configuration via the CLI to a TFTP server

1. If necessary, start your TFTP server. (If you do not have one, you can temporarily install and run one such as tftpd (Windows, Mac OS X, or Linux) on your management computer.) Because TFTP is not secure, and because it does not support authentication and could allow anyone to have read and write access, you should only run it on trusted administrator-only networks, never on computers directly connected to the Internet. If possible, immediately turn off tftpd when you are done.

2. Log in to the CLI as the admin administrator using either the local console, Monitor > System Status > Console in the web UI, or an SSH or Telnet connection. Other administrator accounts do not have the required permissions.

3. Enter the following command:

execute backup config tftp <file-name_str> <server_ipv4> [<backup-password_str>]

where:
• <file-name_str> is the file name of the backup
• <server_ipv4> is the IP address of the TFTP server. Domain names are not currently valid input for this command.
• [<backup-password_str>] is the password, if any, that will be used to encrypt the backup file. It is optional. You will need to enter this same password when restoring the backup file in order for the appliance to successfully decrypt the file. Do not lose this password. If you cannot remember the password, the backup cannot be used.

For example, the following command backs up a FortiRecorder 200D’s configuration file to a file named FortiRecorder-200D.conf in the current directory on the TFTP server 172.16.16.10, encrypting the backup file using the salt string P@ssw0rd1:

FortiRecorder-200D # exec backup full-config fcm.cfg tftp 172.16.16.10 P@ssw0rd1

Time required varies by the size of the file and the speed of the network connection, but could take several seconds.

Video backups

Once you begin recording, FortiRecorder will store sensitive and important video data. Especially if your FortiRecorder is located on the premises where it could be destroyed by the intrusion, flood, or fire that it is recording, you should ensure that your surveillance data is safe. The best way to do this is to store your surveillance videos off-site, in a physically separate location (see “External video storage” on page 122). If this is not possible, you may be able to manually download it before the appliance is destroyed (see “Downloading or playing older video clips” on page 142), assuming that you access the video quickly enough.

Restoring a previous configuration

If you have downloaded configuration backups, you can upload one to revert the appliance’s configuration to that point. Uploading a configuration file can also be used to configure many features of the FortiRecorder appliance in a single batch: download a configuration file backup, edit the file in a plain text editor, then upload the finalized configuration.

To upload a configuration via the web UI

1. Go to Monitor > System Status > Status.

2. In the System Information widget, in the System configuration row, click Restore.

3. Choose a FortiRecorder configuration backup file. (It has a .cfg file extension.)

4. Click Upload to start the restoration of the selected configuration. Your web browser uploads the configuration file and the FortiRecorder appliance restarts with the new configuration. Time required to restore varies by the size of the file and the speed of your network connection. Your web UI session will be terminated when the FortiRecorder appliance restarts.

5. To continue using the web UI, if you have not changed the IP address and static routes of the web UI, simply refresh the web page and log in again. Otherwise, to access the web UI again, in your web browser, modify the URL to match the new IP address of the network interface. For example, if you configured port1 with the IP address 10.10.10.5, you would browse to: https://10.10.10.5

If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiRecorder appliance, you may also need to modify the IP address and subnet of your computer to match the FortiRecorder appliance’s new IP address.

To upload a configuration via the CLI from a TFTP server

1. If necessary, start your TFTP server. (If you do not have one, you can temporarily install and run one such as tftpd (Windows, Mac OS X, or Linux) on your management computer.) Because TFTP is not secure, and because it does not support authentication and could allow anyone to have read and write access, you should only run it on trusted administrator-only networks, never on computers directly connected to the Internet. If possible, immediately turn off tftpd when you are done.

2. Log in to the CLI as the admin administrator using either the local console, Monitor > System Status > Console in the web UI, or an SSH or Telnet connection. Other administrator accounts do not have the required permissions.

3. Enter the following command:

execute restore config tftp <file-name_str> <server_ipv4> [<backup-password_str>]

where:
• <file-name_str> is the file name of the backup
• <server_ipv4> is the IP address of the TFTP server. Domain names are not currently valid input for this command.
• [<backup-password_str>] is the password, if any, that was used to encrypt the backup file.

For example, the following command uploads a FortiRecorder 200D’s configuration file named FortiRecorder-200D.conf in the current directory on the TFTP server 172.16.16.10. The backup was encrypted using the salt string P@ssw0rd1:

FortiRecorder-200D # exec restore full-config frec.cfg tftp 172.16.16.10 P@ssw0rd1

FortiRecorder downloads the configuration file from the TFTP server, and the FortiRecorder appliance restarts with the new configuration. Time required to restore varies by the size of the file and the speed of your network connection. Your CLI connection will be reset when the FortiRecorder appliance restarts.

4. To continue using the CLI, if you have not changed the IP address and static routes of the web UI, simply re-connect to the CLI and log in again. Otherwise, to access the CLI again, in your terminal emulator, modify the IP address and port number to match the new settings of the network interface. For example, if you reconfigured port1 with the IP address 10.10.10.5, connect to that address instead.

If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiRecorder appliance, you may also need to modify the IP address and subnet of your computer to match the FortiRecorder appliance’s new IP address.

Advanced/optional system settings

After you have a basic working setup, you may want to configure some advanced or optional settings, depending on your specific requirements.

Many system settings are required during the initial installation. This section only contains optional settings that can be configured later. For required system settings, see the appropriate section of “How to set up your FortiRecorder NVR & cameras” on page 33.

Changing the FortiRecorder appliance’s host name

The host name of the FortiRecorder appliance is used in multiple places.
• It is used in the command prompt of the CLI.
• It is used as the SNMP system name. For information about SNMP, see “SNMP traps & queries” on page 144.

The host name can be up to 35 characters in length. It can include US-ASCII letters, numbers, hyphens, and underscores, but not spaces and special characters.

If the host name is longer than 16 characters, the name may be truncated and end with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed. For example, if the host name is FortiRecorder1234567890, the CLI prompt would be: FortiRecorder123456789~# The get system status CLI command displays the full host name.

Administrators whose access profiles permit Write access to items in the System Configuration category can change the host name.

To change the host name of the FortiRecorder appliance via the web UI

1. Go to System > Configuration > Mail Server Settings.

2. In the Local Host area, in the Host Name row, type a new host name. It can be up to 35 characters in length. It can include US-ASCII letters, numbers, hyphens, and underscores, but not spaces and special characters.

3. If you also want to provide a domain name (the name of the individual host plus its domain forms a full-qualified domain name (FQDN) that could be globally DNS-resolvable), in Local domain name, type your domain, such as: example.com

4. Click Apply.

To change the host name of the FortiRecorder appliance via the CLI

1. Enter these commands:

config system global
  set hostname <hostname_str>
end

where <hostname_str> is the host name.

The command prompt should immediately change to reflect your changes. For example, if you changed the host name to icecream, you should now see this prompt: icecream #

External video storage

Initially, you can configure your FortiRecorder appliance to either delete old videos, or configure your FortiRecorder appliance to store its video at a remote location such as a branch office or cloud storage provider. Your FortiRecorder appliance’s system resources are not continuously consumed by transferring video that may not be needed; it will continue to do so.

1. Go to System > Configuration > Remote Storage.

Use a PNG image with a transparent background. The graphic will appear pressed against the top left corner. File formats that do not support partial transparency.
Choose the instructions that match your storage media: • “To configure local external USB storage via the web UI” or “To configure local external USB storage via the CLI” • “To configure network storage via the web UI” or “To configure network storage via the CLI” To configure local external USB storage via the web UI 1. the web UI may not preserve the transparent padding. Fortinet Technologies Inc. such as GIF. such as example. But on a per-camera basis. you can upload your own graphic and change the product name by going to System > Customization > Appearance. If you also want to provide a domain name (the name of the individual host plus its domain forms a full-qualified domain name (FQDN) that could be globally DNS-resolvable). intrusion. regardless of the video clip’s age. resulting in a visible rectangle around your logo graphic. your FortiRecorder appliance will store video data on its internal hard drive. default language. place 1 grey pixel in the upper left corner. For best results.com. or other event that it is recording. External video storage If you need to store video for longer periods of time. until all available space is consumed. By storing files locally first. or to move older videos to an external location. This will force the web UI to preserve the transparent padding. If your image does not completely occupy the pixel dimensions and there are some transparent pixels around it. The image’s dimensions must be 460 pixels wide by 36 pixels tall at 72 ppi (pixels per inch). 2.1 Handbook . Customizing the logo graphic & product name If your organization wants to replace the logo. To safeguard your surveillance video in the event that your FortiRecorder appliance is destroyed by the fire. Mark the Enabled check box. flood. also enter these commands: config system global set local-domain-name <domain_str> end where <domain_str> is the domain name. and model name prefix (“FortiRecorder”) in the web UI. usually result in ragged edges. 
you can extended your FortiRecorder appliance’s built-in storage. Non-transparent backgrounds will not blend with the underlying theme graphic. By default. nor by transferring them while it is recording (which is itself bandwidth-intensive). To prevent this. Unlike the other USB option. Go to Camera > Configuration > Camera. select the age threshold that will cause FortiRecorder to move the video clips to external storage. Configure these settings: GUI item Protocol Description Select one of the following types of storage media: • External USB Device — An external hard drive connected to the FortiRecorder appliance’s USB port. Valid key lengths are between 6 and 64 single-byte characters.1 Handbook . 7. 5. Valid key lengths are between 6 and 64 single-byte characters. whose older video you want to move to external storage • <age_int> and {days | months | weeks | years} is the age of videos that will be moved to external storage To configure network storage via the web UI 1. such as lobby1. • External USB Device (auto detect) — An external disk connected to the FortiRecorder appliance’s USB port. Click Apply. then click Edit. Enter these commands: config camera devices edit <camera_name> set retention-disposition move set retention-period <age_int> set retention-period-units {days | months | weeks | years} end where: • <camera_name> is the name of the camera. Mark the Enabled check box.3. then click to select a camera’s row. In the After n options that appear. External USB Device (auto detect) only creates a backup when you connect the USB disk. 6. Encryption Key Enter the private key that will be used to encrypt data stored on this location. 2. To configure local external USB storage via the CLI 1. rather than according to a schedule. Fortinet Technologies Inc. select Move. Go to System > Configuration > Remote Storage. Click Apply. 
Enter these commands: config system remote-storage set status enable set protocol ext-usb set encryption-key '<key_str>' end where <key_str> is the private key that will be used to encrypt data stored on this location. Page 123 FortiRecorder 1. 4. 2. From Storage option. Domain If the account on the server is not local (e. Page 124 FortiRecorder 1. Many Linux-based NAS solutions have been tested and are supported. and 3260 for iSCSI. • SSH File System — A server that supports secure shell (SSH) connections. the storage server queries an Active Directory server for centralized authentication). Type the port number on which the server listens for connections.example. Type either the IP address or fully-qualified domain name (such as nas. Windows 2003 R2 and Windows 2008 Service for NFS are not supported. • NFS — A network file system (NFS) server.1 Handbook . • SMB/Windows Server — A Windows-style file share. Configure these settings: GUI item Protocol Description Select one of the following types of storage media: • ISCSI Server — An iSCSI (Internet Small Computer System Interface). Alternatively. Username Type the user name of the FortiRecorder’s account on the server. Note: Support for NFS varies. if using iSCSI.com) of the server. 22 for SSH. This setting appears only if Protocol is SMB/Windows Server. The default is 2049 for NFS. enter the domain to which the account belongs.g. Type the password corresponding to the user name. select Initiator name as username to authenticate using a name that follows RFC 3721.3. server. 445 for SMB. Password Hostname/IP Address Port Fortinet Technologies Inc. Extended Unique Identifier (EUI). such as: • Share\SurveillanceVideos (Windows share) • /home/fortirecorder/video (SSH) This setting appears only if Protocol is SMB/Windows Server. In the After n options that appear.com. To configure network storage via the CLI 1. such as nas. From Storage option. Click Apply. 5.1 Handbook . select Move. or SSH. 445 for SMB. NFS. 
This will cause the storage to fail. Do not use special characters such as a tilde ( ~ ) if Protocol is NFS or SSH. 22 for SSH. Enter these commands: config system remote-storage set status enable set protocol {iscsi_server | nfs | smb-winserver set host {<server_fqdn> | <server_ipv4>} set port <listening_int> where: • {iscsi_server | nfs | smb-winserver | ssh} is a choice of the network share type: either a iSCSI (Internet Small Computer System Interface) server. where the FortiRecorder appliance will store the data. The default is 2049 for NFS. This setting appears only if Protocol is ISCSI Server. Encryption Key Enter the private key that will be used to encrypt data stored on this location. Do not type a forward slash ( / ) before the path if Protocol is SMB/Windows Server. Go to Camera > Configuration > Camera.example. network file system (NFS) share.GUI item Share or Directory (Name varies by selection in Protocol) Description Enter the path of the folder on the server. such as an iSCSI Qualified Name (IQN). relative to the mount point or user’s login directory. then click to select a camera’s row. iSCSI ID Enter the iSCSI identifier in the format expected by the iSCSI server. 4. or IP address of the server • <listening_int> is the port number on which the server listens for connections. Note: Valid settings vary by configuration of Protocol. This setting appears only if Protocol is ISCSI Server or External USB Device. and 3260 for iSCSI. | ssh} Fortinet Technologies Inc. 6. Valid key lengths are between 6 and 64 single-byte characters. select the age threshold that will cause FortiRecorder to move the video clips to external storage. Page 125 FortiRecorder 1. server message block (Microsoft Windows SMB) share. or T11 Network Address Authority (NAA). Click Apply. 7. or secure shell (SSH/SCP) share • {<server_fqdn> | <server_ipv4>} is the fully-qualified domain name (FQDN). then click Edit. 
whose older video you want to move to external storage • <age_int> and {days | months | weeks | years} is the age of videos that will be moved to external storage Fortinet Technologies Inc. • <iscsi-id_str> is the iSCSI identifier in the format expected by the iSCSI server. or you can authenticate using an initiator ID that follows RFC 3721. Enter this command to save the configuration: end 6. you can either provide a user name using those commands. This will cause the storage to fail. enter these commands: set folder <directory_str> where <directory_str> is path of the folder on the server. or T11 Network Address Authority (NAA). such as an iSCSI Qualified Name (IQN). If you selected SSH or SMB.To do this. either the full path of the mount point or relative to the user’s login directory. Do not type a forward slash ( / ) before the path if Protocol is SMB/Windows Server. SMB (Windows share). such as: • Share\SurveillanceVideos (Windows share) • /home/fortirecorder/video (SSH) Valid settings vary by configuration of Protocol. enter these commands: set iscsi-use-initiator enable set password <password_str> set encryption-key '<key_str>' set iscsi-id <iscsi-id_str> where: • <key_str> is the private key that will be used to encrypt data stored on this location. Page 126 FortiRecorder 1. enter these commands: set username <account_str> set password <password_str> 4.1 Handbook . Valid key lengths are between 6 and 64 single-byte characters. where the FortiRecorder appliance will store the data. Do not use special characters such as a tilde ( ~ ) if Protocol is NFS or SSH. or SSH storage. 5. If you selected NFS. such as lobby1.2. Enter these commands: config camera devices edit <camera_name> set retention-disposition move set retention-period <age_int> set retention-period-units {days | months | weeks | years} end where: • <camera_name> is the name of the camera. 3. If using iSCSI. Extended Unique Identifier (EUI). (When you connect to the web UI via HTTPS. 
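The following Python script is an added example, not part of the handbook or the FortiRecorder product. It applies the constraints stated in the remote storage tables and CLI steps above (default ports, the SMB and NFS/SSH path rules, the 6 to 64 single-byte character encryption key, and the IQN/EUI/NAA identifier forms) and emits the matching config system remote-storage CLI lines; host names, paths and passwords in it are constructed sample values.

```python
"""Pre-flight check for FortiRecorder remote storage settings (added example).

Encodes the constraints stated in the handbook's remote storage section and
turns a validated set of values into the 'config system remote-storage' CLI
lines shown there. Sample values at the bottom are constructed, not real hosts.
"""

# Default listening ports named in the handbook, keyed by the CLI protocol value.
DEFAULT_PORT = {"iscsi_server": 3260, "nfs": 2049, "smb-winserver": 445, "ssh": 22}


def validate_encryption_key(key):
    """The key must be 6 to 64 single-byte (ASCII) characters."""
    if not 6 <= len(key) <= 64 or any(ord(c) > 0x7F for c in key):
        raise ValueError("encryption key must be 6-64 single-byte characters")


def validate_folder(protocol, folder):
    """Path rules from the table: no leading '/' for SMB, no '~' for NFS or SSH."""
    if protocol == "smb-winserver" and folder.startswith("/"):
        raise ValueError("SMB share path must not start with '/'")
    if protocol in ("nfs", "ssh") and "~" in folder:
        raise ValueError("NFS/SSH path must not contain '~' (storage would fail)")


def validate_iscsi_id(iscsi_id):
    """Accept the identifier forms the handbook lists: IQN, EUI or NAA."""
    if not iscsi_id.lower().startswith(("iqn.", "eui.", "naa.")):
        raise ValueError("iSCSI ID must be an IQN, EUI or NAA name")


def remote_storage_cli(protocol, host=None, port=None, username=None, password=None,
                       folder=None, iscsi_id=None, use_initiator=False,
                       encryption_key=None):
    """Return the CLI lines for one remote storage configuration, or raise ValueError."""
    lines = ["config system remote-storage", "set status enable",
             "set protocol %s" % protocol]
    if protocol == "ext-usb":
        # Local USB storage: only the encryption key is needed.
        validate_encryption_key(encryption_key or "")
        lines.append("set encryption-key '%s'" % encryption_key)
        return lines + ["end"]
    if protocol not in DEFAULT_PORT:
        raise ValueError("unknown protocol %r" % protocol)
    if not host:
        raise ValueError("network storage needs a host name or IP address")
    lines += ["set host %s" % host, "set port %d" % (port or DEFAULT_PORT[protocol])]
    if protocol in ("ssh", "smb-winserver"):
        if not (username and password):
            raise ValueError("SSH and SMB storage need a user name and password")
        lines += ["set username %s" % username, "set password %s" % password]
    if protocol == "iscsi_server":
        # Either a user name, or the initiator name (RFC 3721) used as the user name.
        if use_initiator:
            lines.append("set iscsi-use-initiator enable")
        elif username:
            lines.append("set username %s" % username)
        else:
            raise ValueError("iSCSI needs a user name or use_initiator=True")
        if not password:
            raise ValueError("iSCSI storage needs a password")
        lines.append("set password %s" % password)
        validate_encryption_key(encryption_key or "")
        lines.append("set encryption-key '%s'" % encryption_key)
        validate_iscsi_id(iscsi_id or "")
        lines.append("set iscsi-id %s" % iscsi_id)
    else:
        # NFS, SMB and SSH all need the folder where video will be stored.
        if folder is None:
            raise ValueError("%s storage needs a folder" % protocol)
        validate_folder(protocol, folder)
        lines.append("set folder %s" % folder)
    return lines + ["end"]


if __name__ == "__main__":
    # Constructed sample: an SSH file server in the lab, default port 22.
    for line in remote_storage_cli("ssh", "nas.example.com", username="fortirecorder",
                                   password="example-only",
                                   folder="/home/fortirecorder/video"):
        print(line)
```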
Secure connections (SSL/TLS)
When a FortiRecorder appliance initiates or receives an SSL or TLS connection, it will use certificates. Certificates can be used in secure connections for:
• encryption
• authentication of servers
FortiRecorder may require you to upload certificates and CRLs even if you do not use HTTPS. For example, when sending alert email via SMTPS, or querying an authentication server via LDAPS, FortiRecorder will validate the server's certificate by comparing the server certificate's CA signature with the certificates of CAs that are known and trusted by the FortiRecorder appliance. See "Uploading trusted CAs' certificates" on page 128 and "Revoking certificates" on page 137.

Supported cipher suites & protocol versions
How secure is an HTTPS connection? A secure connection's protocol version and cipher suite, including encryption bit strength and encryption algorithms, is negotiated between the client and the SSL terminator during the handshake. (When you connect to the web UI via HTTPS, your FortiRecorder appliance is the SSL terminator.) Because security settings must agree, the result depends both on the appliance and your web browser.
FortiRecorder supports:
• SSL 2.0
    • RC4-MD5 — 40-bit & 128-bit
• SSL 3.0
    • AES-SHA — 256-bit & 128-bit
    • CAMELLIA-SHA — 128-bit & 256-bit
    • DES-CBC3-SHA — 168-bit
    • DES-CBC-SHA — 40-bit & 56-bit
    • DHE-RSA-AES-SHA — 256-bit & 128-bit
    • DHE-RSA-CAMELLIA-SHA — 256-bit & 128-bit
    • DHE-RSA-SEED-SHA — 128-bit
    • EDH-RSA-DES-CBC3-SHA — 168-bit
    • EDH-RSA-DES-CBC-SHA — 40-bit & 56-bit
    • RC4-SHA — 128-bit
    • RC4-MD5 — 40-bit & 128-bit
    • SEED-SHA — 128-bit
• TLS 1.0
    • AES-SHA — 256-bit & 128-bit
    • CAMELLIA-SHA — 128-bit & 256-bit
    • DES-CBC3-SHA — 168-bit
    • DES-CBC-SHA — 40-bit & 56-bit
    • DHE-RSA-AES-SHA — 256-bit & 128-bit
    • DHE-RSA-CAMELLIA-SHA — 256-bit & 128-bit
    • DHE-RSA-SEED-SHA — 128-bit
    • EDH-RSA-DES-CBC3-SHA — 168-bit
    • EDH-RSA-DES-CBC-SHA — 40-bit & 56-bit
    • RC4-SHA — 128-bit
    • RC4-MD5 — 40-bit & 128-bit
    • SEED-SHA — 128-bit
AES-256 and SHA-1 are preferable. Generally speaking, for security reasons, avoid using:
• SSL 2.0
• Older hash algorithms, such as MD5. (On modern computers, these can be cracked quickly.)
• Ciphers with known vulnerabilities, such as some implementations of RC4, AES and DES. (e.g. To protect clients with incorrect CBC implementations for AES and DES, prioritize RC4.)
• Encryption bit strengths less than 128
• Older styles of re-negotiation. (These are vulnerable to man-in-the-middle (MITM) attacks.)

Uploading trusted CAs' certificates
In order to authenticate other devices' certificates, FortiRecorder has a store of trusted CAs' certificates. Until you upload at least one CA certificate, FortiRecorder does not know and trust any CAs, it cannot validate any other client or device's certificate, and all of those secure connections will fail.
Certificate authorities (CAs) validate and sign others' certificates. When FortiRecorder needs to know whether a client or device's certificate is genuine, it will examine the CA's signature, comparing it with the copy of the CA's certificate that you have uploaded in order to determine if they were both made using the same private key. If they were, the CA's signature is genuine, and therefore the client or device's certificate is legitimate.
If the signing CA is not known, that CA's own certificate must likewise be signed by one or more other intermediary CAs, until both the FortiRecorder appliance and the client or device can demonstrate a signing chain that ultimately leads to a mutually trusted (shared "root") CA that they have in common. Like a direct signature by a known CA, this proves that the certificate can be trusted. For more information on how to include a signing chain, see "Uploading & selecting to use a certificate" on page 136.

To upload a CA's certificate
1. Obtain a copy of your CA's certificate file.
If you are using a commercial CA, your web browser should already contain a copy in its CA trust store. Export a copy of the file to your desktop or other folder.
If you are using your own private CA, download a copy from your CA's server. See "Example: Downloading the CA's certificate from Microsoft Windows 2003 Server" on page 130. Verify that your private CA's certificate does not contain its private keys. Disclosure of private keys compromises the security of your network, and will require you to revoke and regenerate all certificates signed by that CA.
2. Go to System > Certificate > CA Certificate.
3. Click Import. A dialog appears.
4. In Certificate name, type a name for the certificate that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
5. Next to Certificate file, click the Browse button and select your CA's certificate file.
6. Click OK. Time required to upload the file varies by the size of the file and the speed of your network connection.
7. To view the selected certificate's issuer, subject, and range of dates within which the certificate is valid, click a certificate's row to select it, then click View.
To test your configuration, cause your appliance to initiate a secure connection to an LDAPS server (see "To configure an Active Directory or LDAP query via the web UI" on page 91 and "To configure an account via the web UI" on page 84). If the query fails, verify that your CA is the same one that signed the LDAP server's certificate, and that its certificate's extensions indicate that the certificate can be used to sign other certificates. Verify that both the appliance and LDAP server support the same cipher suites and SSL/TLS protocols. Also verify that your routers and firewalls are configured to allow the connection.

Example: Downloading the CA's certificate from Microsoft Windows 2003 Server
If you generated and signed your LDAP server's certificate using Microsoft Certificate Services on Microsoft Windows 2003 or 2008 Server, you must download the CA's certificate and provide it to the FortiRecorder appliance so that it will be able to verify the CA signature on the certificate.

To download a CA certificate from Microsoft Windows 2003 Server
1. On your management computer, start your web browser.
2. Go to:
    https://<ca-server_ipv4>/certsrv/
where <ca-server_ipv4> is the IP address of your CA server.
3. Log in as Administrator. Other accounts may not have sufficient privileges. The Microsoft Certificate Services home page for your server's CA should appear.
4. Click the Download CA certificate, certificate chain, or CRL link. The Download a CA Certificate, Certificate Chain, or CRL page appears.
5. From Encoding Method, select Base64.
6. Click Download CA certificate.
7. If your browser prompts you, select a location to save the CA's certificate file.

Replacing the default certificate for the web UI
By default, for HTTPS connections with the web UI, the FortiRecorder appliance presents the "Factory" certificate. FortiRecorder has its own X.509 server certificate, which can be used to encrypt the connection, but whose authenticity cannot be guaranteed and therefore may not be trusted by your web browser. This will cause your web browser to display a security alert, indicating that the connection may have been intercepted.
To prevent this false alarm, you can go to System > Certificate > Local Certificate to replace the certificate with one that is signed by your own CA so that it will be trusted. Thereafter, a security alert will only occur if:
• the certificate expires
• your CA revokes the certificate
• the connection has been compromised by a man-in-the-middle attack
If you have not yet requested a certificate from your CA, and if it requires one, you must first generate a certificate signing request (see "Generating a certificate signing request" on page 132). Otherwise, start with "Uploading & selecting to use a certificate" on page 136.
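Before the Local Certificate table, an added example for the Supported cipher suites & protocol versions section above (not from the handbook): this Python script parses a constructed copy of the handbook's supported list, applies the four avoid rules that can be checked from a suite name and strength (SSL 2.0, MD5, RC4, under 128 bits), and models the point that the negotiated result depends on both sides by picking the first acceptable combination a client also offers.

```python
"""Cipher suite policy check from the handbook's supported-suites list (added example).

Parses a list laid out like the handbook's ("SUITE - 256-bit & 128-bit" lines
under a protocol heading) and applies the avoid rules stated beside it: SSL 2.0,
MD5, RC4, and strengths below 128 bits. The list below is a constructed copy.
"""
import re

# Suites the handbook lists under both SSL 3.0 and TLS 1.0.
_SSL3_TLS1 = """\
AES-SHA - 256-bit & 128-bit
CAMELLIA-SHA - 128-bit & 256-bit
DES-CBC3-SHA - 168-bit
DES-CBC-SHA - 40-bit & 56-bit
DHE-RSA-AES-SHA - 256-bit & 128-bit
DHE-RSA-CAMELLIA-SHA - 256-bit & 128-bit
DHE-RSA-SEED-SHA - 128-bit
EDH-RSA-DES-CBC3-SHA - 168-bit
EDH-RSA-DES-CBC-SHA - 40-bit & 56-bit
RC4-SHA - 128-bit
RC4-MD5 - 40-bit & 128-bit
SEED-SHA - 128-bit
"""
SUPPORTED = ("SSL 2.0\nRC4-MD5 - 40-bit & 128-bit\nSSL 3.0\n" + _SSL3_TLS1
             + "TLS 1.0\n" + _SSL3_TLS1)

_PROTO = re.compile(r"^(SSL|TLS) \d\.\d$")
_BITS = re.compile(r"(\d+)-bit")


def parse_supported(text):
    """Yield (protocol, suite, bits) for every strength of every listed suite."""
    proto = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _PROTO.match(line):          # a protocol heading starts a new group
            proto = line
            continue
        suite, _, strengths = line.partition(" - ")
        for bits in _BITS.findall(strengths):
            yield proto, suite, int(bits)


def assess(protocol, suite, bits):
    """Return the handbook's reasons to avoid this combination (empty list = acceptable)."""
    reasons = []
    if protocol == "SSL 2.0":
        reasons.append("SSL 2.0")
    if suite.endswith("-MD5"):
        reasons.append("MD5 hash")      # older hash algorithm, cracked quickly
    if "RC4" in suite:
        reasons.append("RC4")           # cipher with known vulnerabilities
    if bits < 128:
        reasons.append("%d-bit < 128" % bits)
    return reasons


def recommended(text=SUPPORTED):
    """Acceptable combinations, AES-256 with SHA first as the handbook prefers."""
    ok = [c for c in parse_supported(text) if not assess(*c)]
    ok.sort(key=lambda c: (not ("AES" in c[1] and c[2] == 256), c[1], c[0]))
    return ok


def negotiate(client_offer, text=SUPPORTED):
    """Model of the handshake for an appliance restricted to the acceptable list:
    the first acceptable combination, in the appliance's order, that the client
    also offers; None when the two sides cannot agree."""
    offered = set(client_offer)
    for combo in recommended(text):
        if combo in offered:
            return combo
    return None


if __name__ == "__main__":
    for proto, suite, bits in recommended():
        print("%-8s %-24s %d-bit" % (proto, suite, bits))
```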
Displays the distinguished name (DN) located in the Subject: field of the certificate.Table 10: System > Certificate > Local Certificate GUI item View Generate Download Description Click to view the selected certificate’s issuer. Set status To configure your FortiRecorder appliance to use a certificate. For details. Only one certificate can be in use at any given time. See “Backups” on page 117. which includes all certificates and keys. To use the certificate. This will not be visible to clients.p12). PKCS #12 is recommended if you require a certificate backup that includes the private key. but must be downloaded. A CSR is an unsigned certificate file that the CA will Fortinet Technologies Inc. click its row to select it. subject. • OK — Indicates that the certificate was successfully imported. A confirmation dialog will appear. asking if you want to use it as the “default” (currently in use) certificate. see “Generating a certificate signing request” on page 132. PKCS #12 (. • Default — Indicates that this certificate will be used whenever a client attempts to connect to the appliance.cer). Page 132 FortiRecorder 1. and range of dates within which the certificate is valid. or certificate signing request (. • Pending — Indicates that the certificate request (CSR) has been generated. then use Set status to change its status. Generating a certificate signing request Many commercial certificate authorities (CAs) will provide a web site where you can generate your own certificate signing request (CSR). Displays the name of the certificate according to the appliance’s configuration file.csr) file format. select it. To generate a certificate request 1. or if you have your own private CA such as a Linux server with OpenSSL. Fortinet Technologies Inc.example. This can be the name of your appliance. If your CA does not provide this. When the CSR is generated. 
Configure the certificate signing request: GUI item Certification name Description Enter a unique name for the certificate request.com. Go to System > Certificate > Local Certificate. 3. A dialog appears. 2. such as fortirecorder.sign. Click Generate. This CSR can then be submitted for verification and signing by the CA.1 Handbook . you can use the appliance generate a CSR and private key. Page 133 FortiRecorder 1. the associated private key that the appliance will use to sign and/or encrypt connections with clients is also generated. if your FortiRecorder appliance has both a static IP address and a domain name. such as admin@example. If the FortiRecorder appliance does not have a public IP address. Page 134 FortiRecorder 1. this should be its public IP address on the Internet.0.com. The IP address should be the one that is visible to clients. you might prefer to generate a certificate based upon the domain name of the FortiRecorder appliance.com. Fortinet Technologies Inc. Enter the FQDN of the FortiRecorder appliance. a fully-qualified domain name (FQDN). This option appears only if ID Type is Host IP. Do not include the protocol specification (http://) or any port number or path names. but you will primarily use the local certificate for HTTPS connections to the web UI by the domain name of the FortiRecorder appliance.1. Use this if the appliance does not require either a static IP address or a domain name. • Domain Name — Select if the FortiRecorder appliance has a static IP address and subscribes to a dynamic DNS service. use E-Mail or Domain Name instead. For example.example. rather than its IP address. • E-Mail — Select and enter the email address of the owner of the FortiRecorder appliance in the E-mail field. This option appears only if ID Type is E-Mail. such as fortirecorder. see “Configuring the network interfaces” on page 53. in the Domain Name field. or a virtual IP that you use NAT to map to the appliance’s IP address on your private network.com. 
The domain name must resolve to the static IP address of the FortiRecorder appliance or protected server. IP Type the static IP address of the FortiRecorder appliance.GUI item Subject Information ID Type Description Select the type of identifier to use in the certificate to identify the FortiRecorder appliance: • Host IP — Select if the FortiRecorder appliance has a static IP address and enter the public IP address of the FortiRecorder appliance in the IP field. such as www. and by the primary intended use of the certificate. such as 10.1 Handbook . Domain Name Type the fully qualified domain name (FQDN) of the FortiRecorder appliance. E-mail Type the email address of the owner of the FortiRecorder appliance.0. Usually. The type you should select varies by whether or not your FortiRecorder appliance has a static IP address. This option appears only if ID Type is Domain Name. For more information.example. domain name. Upload the certificate request to your CA. and enter each OU separately in each field. Description Country/Region Optional. Organization Locality(City) State/Province Optional. 6. Type the name of your organizational unit (OU). 4. Optional. Type the legal name of your organization. When you receive the signed certificate from the CA. the CA will verify the information in the certificate. but appears in order to indicate that only RSA is currently supported. If you want to. This option cannot be changed. Standard dialogs appear with buttons to save the file at a location you select. 1536 Bit or 2048 Bit. Type the name of the city or town where the FortiRecorder appliance is located. Optional. Select the name of the country where the FortiRecorder appliance is located.) 10. Click Download. Your web browser downloads the certificate request (. Type the name of the state or province where the FortiRecorder appliance is located. Key size Select a secure key size of 512 Bit. After you submit the request to a CA. download your CA’s root certificate.csr) file. 
Optional Information
Configure these settings if your CA requires you to provide identifying information:

GUI item: Organization unit
Description: Optional, such as the name of your department. To enter more than one OU name, click the + icon.

GUI item: E-mail
Description: Optional. Type an email address that may be used for contact purposes, such as admin@example.com.

GUI item: Key type
Description: Displays the type of algorithm used to generate the key. 1024 Bit. Larger keys are slower to generate, but provide better security.

5. Click OK.
The FortiRecorder appliance creates a private and public key pair. The generated request includes the public key of the FortiRecorder appliance and information such as the FortiRecorder appliance's IP address or email address. The FortiRecorder appliance's private key remains confidential on the FortiRecorder appliance. The Status column of the entry is Pending.
6. Click to select the row that corresponds to the certificate request.
7. A dialog appears. Time required varies by the size of the file and the speed of your network connection.
8. The CA gives it a serial number and an expiration date, and signs it with the public key of the CA.
9. Upload the certificate to the FortiRecorder appliance (see "Uploading & selecting to use a certificate" on page 136).
If you are not using a commercial CA whose root certificate is already installed by default on web browsers, install your CA's root certificate on all computers that will be connecting to your appliance. (If you do not install these, those computers may not trust your new certificate.)

Page 135 FortiRecorder 1.1 Handbook
Fortinet Technologies Inc.

Uploading & selecting to use a certificate

You can import (upload) either:
• Base64-encoded
• PKCS #12 RSA-encrypted
X.509 server certificates and private keys to the FortiRecorder appliance. The format of the certificate file that you have, and whether or not it includes the private key, may vary.

If a server certificate is signed by an intermediate certificate authority (CA) rather than a root CA, before clients will trust the server certificate, you must demonstrate a link with root CAs that the clients trust, thereby proving that the server certificate is genuine. You can demonstrate this chain of trust either by:
• Appending a signing chain in the server certificate.
• Installing each intermediary CA's certificate in clients' trust store (list of trusted CAs).
Which method is best for you often depends on whether you have a convenient method for deploying CA certificates to clients, such as you may be able to for clients in an internal Microsoft Active Directory domain, and whether you often refresh the server certificate.

To append a signing chain in the certificate itself, before uploading the server certificate to the FortiRecorder appliance
1. Open the certificate file in a plain text editor.
2. Append the certificate of each intermediary CA in order from the intermediary CA who signed the local certificate to the intermediary CA whose certificate was signed directly by a trusted root CA.
For example, an appliance's certificate that includes a signing chain might use the following structure:

    -----BEGIN CERTIFICATE-----
    <server certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <certificate of intermediate CA 1, who signed the server certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
    -----END CERTIFICATE-----

3. Save the certificate.

To upload a certificate
1. Go to System > Certificate > Local Certificate.
2. Click Import.
3. Configure these settings:

GUI item: Type
Description: Select the type of certificate file to upload, either:
• Local Certificate: An unencrypted certificate in PEM format.
• Certificate: An unencrypted certificate in PEM format. The private key is in a separate file.
• PKCS12 Certificate: A PKCS #12 encrypted certificate with private key.
Other available settings vary depending on this selection.

GUI item: Certificate name
Description: Type the name of the certificate as it will be referred to in the appliance's configuration file. This option is available only if Type is Certificate or PKCS12 Certificate.

GUI item: Certificate file
Description: Click Browse to locate the certificate file that you want to upload. This option is available only if Type is Certificate or Local Certificate.

GUI item: Key file
Description: Click Browse to locate the private key file that you want to upload with the certificate. This option is available only if Type is Certificate.

GUI item: Certificate with key file
Description: Click Browse to locate the PKCS #12 certificate-with-key file that you want to upload. This option is available only if Type is PKCS12 Certificate.

GUI item: Password
Description: Type the password that was used to encrypt the file, enabling the FortiRecorder appliance to decrypt and install the certificate.

4. Click OK.
5. To use a certificate, click its row to select it, then click Set status to put it in force.
6. If your web browser does not yet have your CA's certificate installed, download it and add it to your web browser's trust store so that it will be able to validate the appliance's certificate (see "Uploading trusted CAs' certificates" on page 128).

Revoking certificates

To ensure that your FortiRecorder appliance validates only certificates that have not been revoked, you should periodically upload a current certificate revocation list (CRL), which may be provided by certificate authorities (CA). Alternatively, you can use HTTP or online certificate status protocol (OCSP) to query for certificate status. For more information, see "Revoking certificates by OCSP query" on page 138.

To upload a CRL file
1. Go to System > Certificate > Certificate Revocation List.
2. Click Import.
3. In Certificate name, type the name of the certificate as it will be referred to in the appliance's configuration file.
4. Next to Certificate file, click Browse, then select the certificate file.
5. Click OK.
The certificate is uploaded to the appliance. Time required varies by the size of the file and the speed of the network connection, but is typically only a few seconds.
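The signing-chain layout described above (server certificate first, then each intermediate CA in issuing order) is easy to get wrong by hand, and a bundle that is handed to clients must never contain the private key. The following Python script is an added example for this handbook, not FortiRecorder code: it splits a PEM bundle, decodes just enough DER to read each certificate's issuer and subject, checks that every certificate is followed by its issuer, and flags any private key block. The two sample bundles are constructed inside the script from unsigned certificate skeletons so that it runs offline; it does not verify signatures or validity dates, which `openssl verify` against the root CA still has to do before the upload.

```python
"""Sanity-check a PEM bundle (server certificate plus appended signing chain).
Added example for this handbook, not FortiRecorder code: structure and order only,
no signature or validity checks."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_tlv(data, pos=0):
    """Decode one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value's contents into (tag, body, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, nxt = der_tlv(value, pos)
        out.append((tag, body, value[pos:nxt]))
        pos = nxt
    return out


def cert_names(cert_der):
    """Return (issuer, subject) as raw DER Name encodings of an X.509 certificate."""
    tag, cert_body, _ = der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = der_tlv(cert_body)  # tbsCertificate
    fields = der_children(tbs_body)
    # Optional [0] version first; then serialNumber, signature, issuer, validity, subject.
    k = 1 if fields[0][0] == 0xA0 else 0
    return fields[k + 2][2], fields[k + 4][2]


def name_strings(name_tlv):
    """Collect the string attribute values of a Name (for readable reports only)."""
    found = []

    def walk(body):
        for tag, child, _ in der_children(body):
            if tag in (0x0C, 0x13, 0x16):  # UTF8String, PrintableString, IA5String
                found.append(child.decode("utf-8", "replace"))
            elif tag & 0x20:  # constructed (SEQUENCE / SET): descend
                walk(child)

    walk(der_tlv(name_tlv)[1])
    return ",".join(found)


def check_bundle(pem_text):
    """Return {"chain": [(subject, issuer), ...], "findings": [...]} for a PEM bundle.
    Expected order: server certificate, then each intermediate, each the issuer of the one before."""
    findings, certs = [], []
    for n, (label, b64) in enumerate(PEM_RE.findall(pem_text), 1):
        if "PRIVATE KEY" in label:
            findings.append(f"block {n} is a {label}: a bundle given to clients must never carry the private key")
        elif label != "CERTIFICATE":
            findings.append(f"block {n} has unexpected type {label!r}")
        else:
            try:
                certs.append(cert_names(base64.b64decode("".join(b64.split()), validate=True)))
            except Exception as exc:  # report the bad block instead of aborting
                findings.append(f"block {n} is not a valid certificate: {exc}")
    if not certs:
        findings.append("no CERTIFICATE blocks found")
    for i in range(len(certs) - 1):
        issuer, next_subject = certs[i][0], certs[i + 1][1]
        if issuer != next_subject:  # DER is canonical, so byte equality is a fair first check
            findings.append(f"certificate {i + 1} is issued by '{name_strings(issuer)}' but is "
                            f"followed by '{name_strings(next_subject)}'; chain order is wrong")
    return {"chain": [(name_strings(s), name_strings(i)) for i, s in certs], "findings": findings}


# ---- constructed sample data: unsigned certificate skeletons, not real certificates ----
def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths suffice for the sample


def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def _fake_cert(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(cert).decode()}-----END CERTIFICATE-----\n"


GOOD_BUNDLE = (_fake_cert("recorder.example.com", "Intermediate 1")
               + _fake_cert("Intermediate 1", "Intermediate 2")
               + _fake_cert("Intermediate 2", "Root CA"))
BAD_BUNDLE = (_fake_cert("recorder.example.com", "Intermediate 1")
              + _fake_cert("Intermediate 2", "Root CA")  # intermediates swapped
              + _fake_cert("Intermediate 1", "Intermediate 2")
              + "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for label, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        print(label, check_bundle(bundle))
```

Run it against the real bundle you saved in step 3 by passing the file's text to `check_bundle`; an empty findings list means the blocks are in the order the handbook requires and no key leaked into the file. Name matching here is byte-for-byte, which is what DER-encoded chains from one CA normally give; a full validator applies the RFC 5280 name comparison rules and checks the signatures as well.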
Revoking certificates by OCSP query

Online certificate status protocol (OCSP) enables you to revoke or validate certificates by query, rather than by importing certificate revocation list (CRL) files. Since distributing and installing CRL files can be a considerable burden in large organizations, and because delay between the release and install of the CRL represents a vulnerability window, this can often be preferable. To use OCSP queries, you must first install the certificates of trusted OCSP/CRL servers.

To view or upload a remote certificate
1. From your OCSP/CRL server, download its server certificate.
2. Go to System > Certificate > Remote.
3. Click Import.
4. In Certificate name, type the name of the certificate as it will be referred to in the appliance's configuration file.
5. Next to Certificate file, click Browse, then select the certificate file.
6. Click OK.
The certificate is uploaded to the appliance. Time required varies by the size of the file and the speed of the network connection, but is typically only a few seconds.

Monitoring your system

To get the most value out of your FortiRecorder system, use it to monitor your property, not just to analyze after-the-fact. Your FortiRecorder NVR has a variety of monitoring tools for the appliance itself. Administrators will use the surveillance system slightly differently than other users ("operators") such as security guards. Operators should use the instructions found in the FortiRecorder Operator Guide, but administrators can also view the live video feeds from cameras.

Watching live video feeds

Once the cameras are connected and configured, administrators can use the web UI to view live video feeds from the cameras.

To view live video from your cameras as an administrator
1. Log in.
2. Go to Monitor > Video Monitor > Live Video Feed.
3. If you logged in as an administrator, in the Selection area, choose which cameras you want to view. If you logged in using a non-administrator account, your cameras have already been selected for you. If they are not correct, ask an administrator to reconfigure your account.
4. Buffering (a blue "Q" appears, with an oscillating dotted line underneath) may take a few seconds, depending on the network, the Resolution of the camera, and your computer. When buffering is done, the current live video feed should appear.
5. If you are an administrator, click the arrow on the right to expand the image adjustment control panels. There are very thin arrows at the bottom and (for administrators) right of the video viewer frame.

[Figure: Live video feed. Labels: Panel expansion arrows; Time line panel; Previously recorded video clips; Camera image selection & image adjustment panel]

Time periods in the time line panel are color-coded:
• Yellow: A system event such as a software update or reboot. Recordings cannot be stored while FortiRecorder is unavailable.
• Blue: A continuous recording that was initiated by schedule.
• Red: A motion detection-based recording that was initiated by schedule.
• Grey: A manually initiated recording.
• Dark blue: A recording (triggered either via continuous schedule, motion detection or manually) with an annotation (marker). While a camera is recording, operators can insert markers with notes about what is currently being seen.
If a camera is not currently recording a continuous or motion detection-triggered video, operators can manually trigger the camera to record video using the Control pane, on the right pane. You can't stop a scheduled continuous or motion detection-based recording schedule. You can only start/stop manual recording. See also "Viewing a camera's recording schedules" on page 141.
6. Once viewing…
• To zoom in or out of a time frame, use the scroll wheel on your mouse.
• To scroll through the time line, use your mouse to click and drag.
• To set the time span of the time line, in the pane on the right side, from Start date, select the beginning date of the recording, then from the interval drop-down menu to the right, select the interval of each segment of the time line in minutes.
• To adjust the image quality, in the pane on the right side, click the Control bar to expand it, then click the + or - buttons to adjust Brightness, Contrast, Saturation, and Sharpness. Only administrators can use these controls, to prevent operators from accidentally or maliciously blacking-out the view. Set these settings with care. After video is recorded, it won't be possible to adjust the image quality again unless you download the file and use video editing software. Video editing software may not be able to successfully correct for excessively bad image quality.
• To manually control the camera to pause or start recording, in the pane on the right side, click the Control bar to expand it, then click the buttons to pause or record.
• To add a note to the video (e.g. "Suspicious light"), click the Control bar to expand it, type your note in the text area, then click the Insert Marker button.
• To play a previously recorded video clip in a pop-up window, click to select a blue or red time frame in the time line, then click the Show button. (Alternatively, double-click it.) A pop-up window will appear with player controls for that specific clip. Alternatively, to download the clip for archival or viewing on another computer, click the Download button. For more information, see "Downloading or playing older video clips" on page 142.

Viewing a camera's recording schedules

During setup, each camera's calendar of regularly scheduled motion-triggered or continuous recording periods was defined (see step 4 in "Connecting with the cameras" on page 75). If you need to verify the continuity or type of these schedules, go to Camera > Configuration > Camera, click a camera's row to select it (or hold down the Shift key while clicking rows to select multiple cameras), then click View Schedule. The chosen cameras' time line will appear in a new tab, with each schedule being indicated by a colored bar. To view the name and time period of a schedule on the time line, hover your mouse cursor over its colored bar to display the tool tip.

Reviewing motion detection notifications

If you have configured camera-based notifications (see "Configuring notification email" on page 102), accounts configured to be notified can log in to the web UI in order to review the video clips. If you have configured email settings, these accounts will also receive an email when a camera-based event occurs. Notifications contain snapshot images from the video clip of the detected motion or, depending on your configuration, a link directly to the video clip. In this way, recipients can quickly assess whether or not the event is serious, or just a false alarm.

Occasionally, as an administrator, you may be required to review these notifications if, for example, the usual recipient is on vacation. You can do this from the web UI, without logging in to a separate operator account. Alternatively, you can add yourself to the list of people that will receive a notification via email (see "Configuring notification email" on page 102).

To review camera-based notifications via web UI
1. Go to Monitor > Camera Notifications > Notification Events.
2. From Select recipient, select either All (any recipient) or the name of an account that should have received the notification. The list of notifications will be filtered by the recipient criteria. Only matching notifications will appear.
3. In the Message column, click the link to view the corresponding notification. A pop-up window displays the notification that was included in the email body. The notification includes some images that are key frames from the motion detection video clip, if any.
4. To view a video clip from the notification, click its key frame image. The notification window will be replaced with a video clip player.

Downloading or playing older video clips

If your cameras have recorded a crime or other incident, you may need to provide the video clip to the police or other authorities. Your FortiRecorder NVR uses the .mp4 file format with the H.264 video codec, which can be viewed on Windows, Mac OS X, Linux, and other platforms using QuickTime, VLC or other compatible players. All video files are signed with an RSA 2048-bit signature to provide tamper protection. This applies to files stored locally, remotely, and downloaded.

To download a video clip
1. Open the video feed viewer's time line panel (see "To view live video from your cameras as an administrator" on page 139).
2. In the time line panel, double-click either a red or blue time span to select its recording clip. When selected, the clip will be outlined in bright yellow. If it is a motion detection clip, a few key frames from the video will appear over the time line, giving you a preview of the clip. To dismiss the preview images, click elsewhere in the timeline. Alternatively, if you only need to view the video in your web browser instead of downloading the file, click Show.
3. Click the Download button in the time line panel. If your web browser prompts you, select a name and location for the video clip file. Time required to download the file varies by the size of the file and the speed of the network.
4. Double-click the .mp4 file to open it in QuickTime or another compatible media player. If you double-click the file but it opens in software that does not understand the file format, you may need to adjust the file type associations so that .mp4 files are handled by compatible software, then try again.
• On Microsoft Windows, right-click the file and select Open with.
• On Apple Mac OS X, select the file, then press Command-I and select the media player in Open with.

Alert email

To notify you when the disk is full or a motion-detecting camera begins recording, FortiRecorder can send an alert e-mail or snapshot notification. FortiRecorder can only send e-mail to alert you if you have configured email settings. See "Configuring notification email" on page 102.

Alerts for system events such as upgrades, configuration changes, or reboots will be a short text-only e-mail describing the event. Alerts for camera events such as motion detection will include snapshot images. Especially when motion detection has been triggered, this can help you to quickly identify false alarms while you are out of the building, for example. To view snapshots, your computer or mobile device must be able to connect to the FortiRecorder NVR's IP address.

SNMP traps & queries

You can configure the FortiRecorder appliance's simple network management protocol (SNMP) agent to allow queries for system information and to send traps (alarms or event messages) to the computer that you designate as its SNMP manager. In this way you can use an SNMP manager to monitor the FortiRecorder appliance.

Before you can use SNMP, you must activate the FortiRecorder appliance's SNMP agent and add it as a member of at least one community, so that the FortiRecorder appliance can send traps for the communities in which you enabled queries and traps. You must also enable SNMP access on the network interface through which the SNMP manager connects. (See "SNMP" on page 56.)

On the SNMP manager, you must also verify that the SNMP manager is a member of the community to which the FortiRecorder appliance belongs, and compile the necessary Fortinet-proprietary management information blocks (MIBs) and Fortinet-supported standard MIBs. For information on MIBs, see "MIB support" on page 155. Failure to configure the SNMP manager as a host in a community to which the FortiRecorder appliance belongs, or to supply it with required MIBs, will make the SNMP monitor unable to query or receive traps from the FortiRecorder appliance. For instructions, see the documentation for your SNMP manager.

To configure the SNMP agent via the web UI
1. Add the MIBs to your SNMP manager so that you will be able to receive traps and perform queries. For information on MIBs, see "MIB support" on page 155.
2. Go to System > Configuration > SNMP.
3. Configure the following:

GUI item: SNMP agent enable
Description: Enable to activate the SNMP agent, so that the FortiRecorder appliance can send traps for the communities in which you enabled queries and traps. To receive queries, also enable SNMP on a network interface. For more information on communities, see "Configuring an SNMP community" on page 147.

GUI item: Description
Description: Type a comment about the FortiRecorder appliance, such as dont-reboot. The description can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

GUI item: Location
Description: Type the physical location of the FortiRecorder appliance, such as floor2. The location can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

GUI item: Contact
Description: Type the contact information for the administrator or other person responsible for this FortiRecorder appliance, such as a phone number (555-5555) or name (jdoe). The contact information can be up to 35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).

4. If you want to use non-default thresholds to trigger SNMP traps such as high CPU usage, memory (RAM) usage, or disk/partition usage, click the disclosure arrow next to SNMP Threshold to expand the area, then configure these settings for each trap type:

GUI item: Trigger
Description: Click to edit, then type the percentage that when met or exceeded will be considered an event. If the trigger value is exceeded, this counts as an event.

GUI item: Threshold
Description: Click to edit, then type the number of events that must be exceeded during the sample period in order to cause the SNMP trap. If the count exceeds the threshold number, the SNMP trap will be sent.

GUI item: Sample Period (s)
Description: Click to edit, then type the amount of time in seconds during which the appliance will count the number of trigger-exceeding events. Note: This must be equal to or greater than Sample Freq (s).

GUI item: Sample Freq (s)
Description: Click to edit, then type the interval in seconds between measurements of the trap condition, so that one or more samples are taken per time period, depending on the selected sample period. You will not receive traps faster than this rate. Note: This must be equal to or less than Sample Period (s).

5. Click Apply.
6. Create at least one SNMP community to define which hosts are allowed to query, and which hosts will receive traps. See "Configuring an SNMP community".
7. If using SNMPv3, see "Configuring SNMP v3 users".

To configure the SNMP agent via the CLI
1. Enter these commands:

    config system snmp sysinfo
      set status enable
      [set contact <contact_str>]
      [set description <description_str>]
      [set location <location_str>]
    end

where:
• <contact_str> is the contact information for the administrator or other person responsible for this FortiRecorder appliance, such as a phone number or name. The contact information can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ). The maximum length is 35 characters.
• <description_str> is a description of the FortiRecorder appliance. The string can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ). The maximum length is 35 characters.
• <location_str> is the physical location of the FortiRecorder appliance. The string can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ). The maximum length is 35 characters.
2. If you want to use non-default thresholds to trigger SNMP traps such as high CPU usage, memory (RAM) usage, or disk/partition usage, enter these commands:

    config system snmp thresholds
      set cpu <threshold_int> <count_int> <period_int> <frequency_int>
      set logdisk <threshold_int> <count_int> <period_int> <frequency_int>
      set mem <threshold_int> <count_int> <period_int> <frequency_int>
      set videodisk <threshold_int> <count_int> <period_int> <frequency_int>
    end

where:
• <threshold_int> is the percentage that when met or exceeded will be considered an event. If the trigger value is exceeded, this counts as an event.
• <count_int> is the number of events that must be exceeded during the sample period in order to cause the SNMP trap. If the count exceeds the threshold number, the SNMP trap will be sent.
• <period_int> is the amount of time in seconds during which the appliance will count the number of trigger-exceeding events.
• <frequency_int> is the interval in seconds between measurements of the trap condition, so that one or more samples are taken per time period, depending on the selected sample period. You will not receive traps faster than this rate.
3. Create at least one SNMP community to define which hosts are allowed to query, and which hosts will receive traps. See "Configuring an SNMP community".
4. If using SNMPv3, see "Configuring SNMP v3 users".

Configuring an SNMP community

An SNMP community is a grouping of equipment for network administration purposes. You must configure your FortiRecorder appliance to belong to at least one SNMP community so that community's SNMP managers can query the FortiRecorder appliance's system information and receive SNMP traps from the FortiRecorder appliance. On FortiRecorder, you can add up to three SNMP communities. Each community can have a different configuration for queries and traps, and the set of events that trigger a trap. You can also add the IP addresses of up to 8 SNMP managers to each community to designate the destination of traps and which IP addresses are permitted to query the FortiRecorder appliance. SNMP communities are also where you enable the traps that will be sent to that group of hosts.
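The Trigger, Threshold, Sample Period and Sample Freq settings described above interact in a way the settings table cannot show, and the CLI names them differently from the web UI. The following Python model is an added example for this handbook, not FortiRecorder code. Its sampling rule (one measurement every Sample Freq seconds, events counted per Sample Period, a trap when the count exceeds Threshold) is an assumption made only to illustrate the settings, since the handbook describes the settings but not the appliance's implementation; the CPU usage series is constructed.

```python
"""Model of the SNMP Threshold settings (Trigger, Threshold, Sample Period, Sample Freq).
Added example for this handbook, not FortiRecorder code; the sampling rule is an assumption."""
from dataclasses import dataclass

RESOURCES = ("cpu", "mem", "logdisk", "videodisk")  # the four 'config system snmp thresholds' keys


@dataclass(frozen=True)
class TrapThreshold:
    trigger: int    # Trigger: percent at or above which one sample counts as an event
    threshold: int  # Threshold: more than this many events in one sample period sends a trap
    period: int     # Sample Period (s): window over which events are counted
    frequency: int  # Sample Freq (s): interval between measurements

    def __post_init__(self):
        # The handbook's constraints: a percentage, and Sample Freq <= Sample Period.
        if not 0 <= self.trigger <= 100:
            raise ValueError("Trigger must be a percentage")
        if not 1 <= self.frequency <= self.period:
            raise ValueError("Sample Freq (s) must be at least 1 and no greater than Sample Period (s)")

    def samples_per_period(self):
        return self.period // self.frequency


def cli_line(resource, cfg):
    """Render the matching 'set <resource> ...' line of 'config system snmp thresholds'.
    CLI order is <threshold_int> <count_int> <period_int> <frequency_int>: the CLI's
    "threshold" is the GUI's Trigger percentage and its "count" is the GUI's Threshold."""
    if resource not in RESOURCES:
        raise ValueError(f"unknown resource {resource!r}; expected one of {RESOURCES}")
    return f"set {resource} {cfg.trigger} {cfg.threshold} {cfg.period} {cfg.frequency}"


def simulate_traps(cfg, usage_by_second):
    """Return the seconds at which a trap would be sent for a per-second usage series (percent).
    Assumed rule: one sample every `frequency` seconds; events are counted per
    non-overlapping `period` window; a trap is sent when a window closes with more
    than `threshold` events. One trap per window at most, so traps cannot arrive
    faster than the sample period."""
    traps, events, window_end = [], 0, cfg.period
    for t in range(cfg.frequency, len(usage_by_second) + 1, cfg.frequency):
        if usage_by_second[t - 1] >= cfg.trigger:  # "met or exceeded" counts as an event
            events += 1
        if t >= window_end:
            if events > cfg.threshold:
                traps.append(t)
            events, window_end = 0, window_end + cfg.period
    return traps


# Constructed sample: 60 seconds of CPU usage with a sustained spike in the middle.
SAMPLE_CPU = [50] * 20 + [95] * 20 + [85] * 10 + [30] * 10
CPU_POLICY = TrapThreshold(trigger=80, threshold=2, period=20, frequency=5)

if __name__ == "__main__":
    print(cli_line("cpu", CPU_POLICY))
    print("trap at seconds:", simulate_traps(CPU_POLICY, SAMPLE_CPU))
```

With the sample policy the spike in seconds 21 to 40 produces four events in the second window and one trap; the third window has two events, which does not exceed Threshold, so no trap is sent. Lowering Threshold to 1 makes that third window fire as well, which is the knob to turn when short bursts are worth a trap and the one to leave alone when they are noise.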
To add an SNMP community via the web UI
1. If you have not already configured the agent, do so before continuing. See "To configure the SNMP agent via the web UI" on page 144.
2. Go to System > Configuration > SNMP.
3. In the community row, click New. A dialog appears.
4. Mark the check box named Enable.
5. Configure these settings:

GUI item: Name
Description: Type the name of the SNMP community to which the FortiRecorder appliance and at least one SNMP manager belongs, such as public. The FortiRecorder appliance will not respond to SNMP managers whose query packets do not contain a matching community name. Similarly, trap packets from the FortiRecorder appliance will include community name, and an SNMP manager may not accept the trap if its community name does not match.
Caution: Fortinet strongly recommends that you do not add FortiRecorder to the community named public. This popular default name is well-known, and attackers that gain access to your network will often try this name first.

GUI item: Community Hosts > IP Address
Description: Type the IP address of the SNMP manager that, if traps or queries are enabled in this community:
• will receive traps from the FortiRecorder appliance
• will be permitted to query the FortiRecorder appliance
SNMP managers have read-only access. You can add up to 8. To allow any IP address using this SNMP community name to query the FortiRecorder appliance, enter 0.0.0.0. For security best practice reasons, however, this is not recommended.
Caution: FortiRecorder sends security-sensitive traps, which should be sent only over a trusted network, and only to administrative equipment.
Note: If there are no other host IP entries, entering only 0.0.0.0 effectively disables traps because there is no specific destination for trap packets. If you do not want to disable traps, you must add at least one other entry that specifies the IP address of an SNMP manager.

GUI item: Queries
Description: Type each port number (161 by default) on which the FortiRecorder appliance listens for SNMP queries from the SNMP managers in this community, then enable it. Port numbers vary by SNMP v1 and SNMP v2c.

GUI item: Traps
Description: Type each port number (162 by default) that will be the source (Local) port number and destination (Remote) port number for trap packets sent to SNMP managers in this community, then enable it. Port numbers vary by SNMP v1 and SNMP v2c.

GUI item: SNMP Event
Description: Enable the types of SNMP traps that you want the FortiRecorder appliance to send to the SNMP managers in this community. While most trap events are described by their names, the following events occur when a threshold has been exceeded:
• CPU Overusage
• Memory Low
• Log Disk Usage Threshold
• Video Disk Usage Threshold
To configure their thresholds, see "To configure the SNMP agent via the web UI" on page 144. For more information on supported traps and queries, see "MIB support" on page 155.

6. Click OK.
7. To verify your SNMP configuration and network connectivity between your SNMP manager and your FortiRecorder appliance, be sure to test both traps and queries (assuming you have enabled both). To test queries, from your SNMP manager, query the FortiRecorder appliance. To test traps, cause one of the events that should trigger a trap. Traps and queries typically occur on different port numbers, and therefore verifying one does not necessarily verify that the other is also functional.

To add an SNMP community via the CLI
1. Enter these commands:

    config system snmp community
      edit 0
        set status enable
        set name <community_str>
        config host
          edit 0
            set ip <manager_ipv4>
          next
        end
        set queryv1-status {enable | disable}
        set queryportv1 <port_int>
        set queryv2c-status {enable | disable}
        set queryportv2c <port_int>
        set trapv1-status {enable | disable}
        set trapportv1-local <port_int>
        set trapportv1-remote <port_int>
        set trapv2c-status {enable | disable}
        set trapportv2c-local <port_int>
        set trapportv2c-remote <port_int>
        set trapevent {camera cpu ip-change logdisk mem remote-storage system videodisk}
      next
    end

where:
• <community_str> is the name of the SNMP community to which the FortiRecorder appliance and at least one SNMP manager belongs. The maximum length is 35 characters. Traps will be sent to the SNMP managers in this community.
• {enable | disable} is whether or not to enable traps/queries for SNMPv1/SNMPv2.
• <port_int> is the port number on which the FortiRecorder appliance will listen for SNMPv1/SNMPv2 queries from the SNMP managers of the community, or send traps to them. The valid range is from 1 to 65,535. The default varies by queries (161) versus traps (162). "Local" is the source port of the packet, "remote" is the destination port.
• {camera cpu ip-change logdisk mem remote-storage system videodisk} is a space-delimited list of one or more SNMP event names in order to cause the FortiRecorder appliance to send traps when those events occur.
2. To verify your SNMP configuration and network connectivity between your SNMP manager and your FortiRecorder appliance, be sure to test both traps and queries (assuming you have enabled both). To test queries, from your SNMP manager, query the FortiRecorder appliance. To test traps, cause one of the events that should trigger a trap. Traps and queries typically occur on different port numbers, and therefore verifying one does not necessarily verify that the other is also functional.

Configuring SNMP v3 users

If your SNMP manager supports SNMP v3, you can specify which of its user accounts is permitted to access information about your FortiRecorder appliance. This provides greater granularity of control over who can access potentially sensitive system information. You can add up to 16 users.

To specify access for an SNMP user via the web UI
1. If you have not already configured the agent, do so before continuing. See "To configure the SNMP agent via the web UI" on page 144.
2. Go to System > Configuration > SNMP.
3. In the community row, click New. A dialog appears.
4. Mark the check box named Enable.
5. Configure these settings:

GUI item: User name
Description: Type the name of the SNMP user. This must match the name of the account as it is configured on your SNMP manager.

GUI item: Security level
Description: Choose one of the three security levels:
• No authentication, no privacy: Causes SNMP v3 to behave similar to SNMP v1 and v2, which provides neither secrecy nor guarantees authenticity, and therefore is not secure. This option should only be used on private management networks.
• Authentication, no privacy: Enables authentication only, guaranteeing the authenticity of the message, but not safeguarding it from eavesdropping. Also configure Authentication protocol. Also configure a salt in Password.
• Authentication, privacy: Enables both authentication and encryption, guaranteeing authenticity as well as secrecy. Also configure Authentication protocol. Also configure Privacy protocol. Also configure a salt in Password.

GUI item: Authentication protocol
Description: Select either SHA-1 or MD5 hashes for authentication. Both the protocols and passwords on the SNMP manager and FortiRecorder must match. This setting becomes visible when security-level is set to either authpriv or authnopriv.

GUI item: Privacy protocol
Description: Select either AES or DES encryption algorithms. Both the protocols and passwords on the SNMP manager and FortiRecorder must match. This setting becomes visible when security-level is set to authpriv.

6. Similar to configuring the SNMP community, configure the other settings to specify the trap recipient IP, allowed query source IPs, and trap events (see "Configuring an SNMP community" on page 147).
7. Click OK.
8. To verify your SNMP configuration and network connectivity between your SNMP manager and your FortiRecorder appliance, be sure to test both traps and queries (assuming you have enabled both). To test queries, from your SNMP manager, query the FortiRecorder appliance. To test traps, cause one of the events that should trigger a trap. Traps and queries typically occur on different port numbers, and therefore verifying one does not necessarily verify that the other is also functional.

To add an SNMP user via the CLI
1. Enter these commands:

    config system snmp user
      edit <user_str>
        set status enable
        set query-status {enable | disable}
        set queryport <port_int>
        set trap-status {enable | disable}
        set trapport-local <port_int>
        set trapport-remote <port_int>
        set trapevent {camera cpu ip-change logdisk mem remote-storage system videodisk}
        set security-level {authnopriv | authpriv | noauthnopriv}

where:
• <user_str> is the name of the SNMP user. This must match the name of the account as it is configured on your SNMP manager. You can add up to 16 SNMP users.
• {enable | disable} is whether or not to enable queries/traps for SNMPv3.
• <port_int> is the port number on which the FortiRecorder appliance will listen for SNMPv1/SNMPv2 queries from the SNMP managers of the community, or send traps to them. The valid range is from 1 to 65,535. The default varies by queries (161) versus traps (162). "Local" is the source port of the packet, "remote" is the destination port.
• {camera cpu ip-change logdisk mem remote-storage system videodisk} is a space-delimited list of one or more SNMP event names in order to cause the FortiRecorder appliance to send traps when those events occur.
• {authnopriv | authpriv | noauthnopriv} is one of the three security levels:
  • noauthnopriv: Causes SNMP v3 to behave similar to SNMP v1 and v2, which provides neither secrecy nor guarantees authenticity, and therefore is not secure. This option should only be used on private management networks.
  • authnopriv: Enables authentication only, guaranteeing the authenticity of the message, but not safeguarding it from eavesdropping. Also configure Authentication protocol.
  • authpriv: Enables both authentication and encryption, guaranteeing authenticity as well as secrecy. Also configure Privacy protocol.
2. If you enabled authentication and/or privacy, enter these commands:

        set auth-proto {md5 | sha1}
        set auth-pwd <password_str>
        set priv-proto {aes | des}
        set priv-pwd <password_str>

where:
• {md5 | sha1} is either a SHA-1 or MD5 hash for authentication. These settings become visible when security-level is set to either authpriv or authnopriv.
• {aes | des} is either AES or DES encryption (privacy) algorithms. This setting becomes visible when security-level is set to authpriv.
• <password_str> is a salt for encryption and/or authentication hashes. Both the protocols and passwords on the FortiRecorder and SNMP manager must match.
3. Enter these commands:

      next
    end

4. To verify your SNMP configuration and network connectivity between your SNMP manager and your FortiRecorder appliance, be sure to test both traps and queries (assuming you have enabled both). To test queries, from your SNMP manager, query the FortiRecorder appliance. To test traps, cause one of the events that should trigger a trap. Traps and queries typically occur on different port numbers, and therefore verifying one does not necessarily verify that the other is also functional.

MIB support

The FortiRecorder SNMP agent supports the following management information blocks (MIBs):

Table 11: Supported MIBs

MIB or RFC: Fortinet Core MIB
Description: This Fortinet-proprietary MIB enables your SNMP manager to query for system information and to receive traps that are common to multiple Fortinet devices.

MIB or RFC: FortiRecorder MIB
Description: This Fortinet-proprietary MIB enables your SNMP manager to query for FortiRecorder-specific information and to receive FortiRecorder-specific traps.

MIB or RFC: RFC-1213 (MIB II)
Description: The FortiRecorder SNMP agent supports MIB II groups, except:
• There is no support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).
• Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP, and so on) do not accurately capture all FortiRecorder traffic activity. More accurate information can be obtained from the information reported by the FortiRecorder MIB.

MIB or RFC: RFC-2665 (Ethernet-like MIB)
Description: The FortiRecorder SNMP agent supports Ethernet-like MIB information, except the dot3Tests and dot3Errors groups.

You can obtain these MIB files from the Fortinet Technical Support web site, https://support.fortinet.com/. To communicate with your FortiRecorder appliance's SNMP agent, you must first compile these MIBs into your SNMP manager. If the standard MIBs used by the SNMP agent are already compiled into your SNMP manager, you do not have to compile them again. To view a trap or query's name, object identifier (OID), and description, open its MIB file in a plain text editor. All traps sent include the message, the FortiRecorder appliance's serial number, and host name. For instructions on how to configure traps and queries, see "SNMP traps & queries" on page 144.

Logging

Log messages record important events on your FortiRecorder system. Log messages are in human-readable format, where each log field's name, such as Message (msg field when viewing a raw, downloaded log file), indicates its contents. You can use the web UI to view and download locally stored log messages, if you configured them (see "Configuring logging" on page 110). (You cannot use the web UI to view log messages that are stored remotely on Syslog or FortiAnalyzer devices.)

To view log messages
1. Go to either Monitor > Log > Event (to view event logs about the appliance itself) or Monitor > Log > Camera (to view logs about connected cameras). Initially, the page displays a list of log files of that type.
2. Double-click the row of a log file to view the log messages that it contains. Columns and appearance vary slightly by the log type.

Table 12: Monitor > Video Monitor > Event (viewing the contents of a log file)

GUI item: Level
Description: Select a severity level to hide log messages that are below this threshold (see "Log severity levels" on page 161).

GUI item: Subtype
Description: Select a subcategory (corresponding to the Subtype column) to hide log messages whose subtype field does not match.

GUI item: Go to line
Description: Type the index number of the log message (corresponding to the # column) that you want to jump to in the display.

GUI item: Search
Description: Click to find log messages matching specific criteria (see "Searching logs" on page 158).

GUI item: Back
Description: Click to return to the list of log files stored on FortiRecorder's hard drive.

GUI item: Save View
Description: Click to keep your current log view settings for subsequent views and sessions (see "Displaying & sorting log columns & rows" on page 157).

GUI item: #
Description: The index number of the log message within the log file, not the order of rows in the web UI. By default, the rows are sorted by timestamp in descending order, starting with the most recent log message in the top row, so the rows are in sequential order, the same as they are within the log file. If you change the row sorting criteria (see "Displaying & sorting log columns & rows" on page 157), these index numbers won't be in the same order as the rows. For example, when sorting by the Message column's contents, the index numbers of the first 3 rows could be 14, 15, 9.
Note: In the current log file, each log's index number changes as new log messages are added, pushing older logs further down the stack. To find the same log message later, remember its timestamp and Message, not its #.

GUI item: Date
Description: The date on which the log message was recorded. When in raw format, this is the log's date field.

GUI item: Time
Description: The time at which the log message was recorded. When in raw format, this is the log's time field.

You can hide and re-order most columns (each column corresponds to a field in the log messages) to display only relevant categories of information. An arrow will appear on the right side of the heading. You can also download the log file as a raw or CSV-formatted file for loading into external log or spreadsheet software (see "Downloading log messages" on page 158).
Column settings will not usually persist when changing pages. The page refreshes immediately. 4. click the Back button. such as admin for events such as authentication or configuration changes. nor from session to session. Log ID Message 3. The log view settings will not apply to other accounts. If you want to keep the settings. The log message that describes the specific occurrence of a recordable event. Click the arrow to display a drop-down menu.16. Hover your mouse cursor over one of the column headings. then hover your mouse cursor over the Columns item in the menu to display a list of check boxes — one for each column. Go to one of the log types. Displaying & sorting log columns & rows You can display. this is the log’s subtype field. or system for events such as disk consumption or connection failures. clear its check box. in your preferred order. When in raw format. For example. this is the log’s log_id field. To disable the display of a column. indicative of the cause nor necessarily a unique identifier. but the exact message varies if the account name.GUI item Subtype Description The category of the log message.5). displaying the columns that you selected. If you need to sort and filter the log messages based on more complex criteria. To return to the list of log files. 6. To display a column such as Time. connection method. 3. you must click Save View. Each administrator must configure their own settings. 2. mark the check box next to its name. A dynamic log identifier within the system. Fortinet Technologies Inc.1 Handbook . this is the log’s msg field. Double-click the row of a log file to view the log messages that it contains. To display or hide columns 1. Select which columns to hide or display: 5. such as Monitor > Log > Event. not predictable. all logout events follow a format similar to User admin logout from GUI(172.1. you can locate a specific log using the event log search function.log file. you must click Save View. 
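The raw log format described above (one key=value record per line, with date, time, log_id, type, subtype, pri and msg fields) is easy to process outside the web UI. The following Python example is added here; it is not code from the handbook or from Fortinet. The sample records are constructed, their field layout and message strings follow the descriptions in Table 12, and the severity ordering is the one in Table 14 (Emergency 0 through Information 6). It shows what the Level filter, the # column ordering, and the Keyword/Message/Log ID search settings do when applied to raw lines, including the case in which the account name interrupts the phrase “User logout”.

```python
import re
from typing import Dict, List, Optional

# Severity names from Table 14: 0 is the most severe.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6,
}

# Constructed sample of a downloaded raw log file (not real appliance output).
SAMPLE_LOG = """\
date=2012-11-05 time=13:07:15 log_id=0100001001 type=event subtype=admin pri=notification msg="User admin logout from GUI(172.16.1.5)"
date=2012-11-05 time=13:05:02 log_id=0100001002 type=event subtype=admin pri=notification msg="User admin2 logout from GUI(172.16.2.15)"
date=2012-11-05 time=12:58:40 log_id=0100002003 type=event subtype=system pri=error msg="Log disk usage exceeded threshold"
date=2012-11-05 time=12:50:11 log_id=0200000004 type=camera subtype=recording pri=information msg="Camera cam1 started recording"
"""

# key=value pairs; values containing spaces are double-quoted in the raw file.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one raw log line into a {field: value} record."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def newest_first(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Order like the web UI's default view: the newest message becomes row #1."""
    ordered = sorted(records, key=lambda r: (r.get("date", ""), r.get("time", "")), reverse=True)
    for index, rec in enumerate(ordered, start=1):
        rec["#"] = str(index)
    return ordered


def at_or_above(records: List[Dict[str, str]], threshold: str) -> List[Dict[str, str]]:
    """The Level filter: keep messages whose pri is at least as severe as the threshold
    (a numerically lower level). Records with an unknown pri are hidden."""
    limit = SEVERITY[threshold.lower()]
    return [r for r in records if SEVERITY.get(r.get("pri", "").lower(), 99) <= limit]


def _wildcard(pattern: str):
    """Translate '*' wildcards (Match condition = Wildcard) into a regular expression."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def search(records, keyword: Optional[str] = None, message: Optional[str] = None,
           log_id: Optional[str] = None, wildcard: bool = False) -> List[Dict[str, str]]:
    """Keyword matches any part of any field; Message and Log ID must appear, in order
    and uninterrupted, within their own field."""
    hits = []
    for rec in records:
        haystack = " ".join(rec.values())
        if keyword is not None:
            if wildcard:
                if not _wildcard(keyword).search(haystack):
                    continue
            elif keyword not in haystack:
                continue
        if message is not None and message not in rec.get("msg", ""):
            continue
        if log_id is not None and log_id not in rec.get("log_id", ""):
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    records = newest_first(parse_log(SAMPLE_LOG))
    for rec in at_or_above(records, "error"):
        print(rec["#"], rec["pri"], rec["msg"])                         # only the pri=error record
    print(len(search(records, keyword="admin")))                         # 2: "admin" also matches "admin2"
    print(len(search(records, message="User logout")))                   # 0: the account name interrupts the phrase
    print(len(search(records, keyword="User*logout", wildcard=True)))    # 2
```

Keyword matching here is a plain substring test, so “admin” also hits “admin2” as the search section describes; the Message setting is stricter and fails on “User logout” because the account name sits between the two words.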
To arrange the columns & rows

1. Go to one of the log types, such as Monitor > Log > Event.
2. Hover your mouse cursor over the column heading. An arrow will appear on the right side of the heading.
3. Click and drag the column into the position where you want it to be.
4. Click the arrow to display a drop-down menu, then click either Sort Ascending or Sort Descending to cause the rows to be sorted from either first to last, or last to first, based upon the contents of that column.

Column settings will not usually persist when changing pages, nor from session to session. If you want to keep the settings, you must click Save View.

Downloading log messages

You can download logs that are stored locally (i.e. on the FortiRecorder appliance’s hard drive) to your computer.

To download a log file

1. Go to one of the log types, such as Monitor > Log > Event.
2. In the list of log files, mark the check box of the log message that you want to download. (You can only download one log file at a time.)
3. Click Download. A drop-down menu appears.
4. Select either:
   • Normal Format — A plain text .log file.
   • CSV Format — A comma-separated values (CSV) file that can be opened in spreadsheet software such as Microsoft Excel or OpenOffice Calc.
   • Compressed Format — A plain text .log file in a .gz compressed archive.
5. If a file download dialog appears, choose the directory where you want to save the file. Your browser downloads the log file. Time required varies by the size of the file and the speed of the network connection.

Deleting log files

If you have downloaded log files to an external backup, or if you no longer require them, you can delete one or more locally stored log files to free disk space.

To delete a log file

1. Go to one of the log types, such as Monitor > Log > Event.
2. In the list of log files, either:
   • To delete all log files, mark the check box in the column heading. All rows’ check boxes will become marked.
   • To delete some log files, mark the check box next to each file that you want to delete.
3. Click Delete.

Searching logs

When viewing attack logs, you can use the event log search function to locate a specific log.

To search an attack log

1. Go to one of the log types, such as Monitor > Log > Event.
2. Click Search. A dialog appears.
3. Configure these settings:
   Keyword: Type all or part of the exact word or phrase you want to search for. The word may appear in any of the fields of the log message (e.g. Action and/or Message), in any part of that field’s value. For example, entering admin as a keyword will include results such as User admin2 logout from GUI(172.16.2.15) where part of the word appears in the middle of the log message. However, depending on your setting of Match condition, you may be able to use asterisks as wild cards to match multiple words. This setting is optional.
   Message: Type all or part of the exact value of the Message (msg) field of the log messages that you want to find. If entering multiple words, they must occur uninterrupted in that exact order. For example, entering User logout would not yield any results, because in the log messages, those two words are always interrupted by the name of the account, and therefore do not exactly match your search key phrase. This setting is optional.
   Log ID: Type all or part of the ID number of the log messages that you want to find. This setting is optional.
   Time: Select the date and time range that contains the attack log that you are searching for. Note: The date fields default to the current date. Ensure the date fields are set to the actual date range that you want to search. This setting is optional.
   Match condition: Select whether your match criteria are specified exactly (Contain) or you have indicated multiple possible matches using an asterisk in Keyword (Wildcard).
4. Click Apply to initiate the search. The web UI displays log messages that match your search on a new tab.

About logs

FortiRecorder appliances can log many different activities including:
• camera recording events
• administrator-triggered events including logouts and configuration changes
• system-triggered events including system failures
For more information about log types, see “Log types” on page 160.

The FortiRecorder appliance can save log messages to its memory, or to a remote location such as a Syslog server or FortiAnalyzer appliance. You can select a priority level that log messages must meet in order to be recorded. For more information, see “Log severity levels” on page 161. For more information, see “Configuring notification email” on page 102.

Log types

Each log message contains a Type (type) field that indicates its category, and in which log file it is stored. FortiRecorder appliances can record the following categories of log messages:

Table 13: Log types
  Event: Displays administrative events, such as downloading a backup copy of the configuration, factory reset, and hardware failures.
  Camera: Displays start/stop recording events, and other camera events.

Avoid recording highly frequent log types such as traffic logs to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

Log severity levels

Each log message contains a Severity (pri) field that indicates the severity of the event that caused the log message, such as pri=warning.

Table 14: Log severity levels (Level, Name, Description; 0 is greatest)
  0 Emergency: The system has become unusable.
  1 Alert: Immediate action is required.
  2 Critical: Functionality is affected.
  3 Error: An error condition exists and functionality could be affected.
  4 Warning: Functionality could be affected.
  5 Notification: Information about normal events.
  6 Information: General information about system operations.

For each location where the FortiRecorder appliance can store log files (disk, Syslog or FortiAnalyzer), you can define a severity threshold. The FortiRecorder appliance will store all log messages equal to or exceeding the log severity level you select. For example, if you select Error, the FortiRecorder appliance will store log messages whose log severity level is Error, Critical, Alert, and Emergency.

Avoid recording log messages using low log severity thresholds such as information or notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

The dashboard

Monitor > System Status > Status appears when you log in to the web UI. It contains a dashboard with widgets that each indicate performance level or other system statuses.

Figure 7: Viewing the dashboard (Monitor > System Status > Status)

In the default dashboard setup, widgets display the serial number and current system status of the FortiRecorder appliance, including uptime, system resource usage, host name, software version, system time and other statuses. By default, the dashboard contains the following widgets:
• System Information widget
• System Resources widget
• System Command widget

To customize the dashboard, select which widgets to display, where they are located on the page, and whether they are minimized or maximized. To display any of the widgets not currently shown on Monitor > System Status > Status, click Add Content, then enable or disable each widget in the drop-down menu that appears.

Figure 8: Adding a widget

To see the available options for a widget, position your mouse cursor over the icons in the widget’s title bar. Options vary slightly from widget to widget, but always include options to close, minimize or maximize the widget. To move a widget, position your mouse cursor on the widget’s title bar, then click and drag the widget to its new location.

Figure 9: A minimized widget (Widget title, Disclosure arrow, Refresh, Close)
  Widget Title: The name of the widget.
  Disclosure arrow: Click to maximize or minimize the widget. This arrow replaces the widget’s icon when you place your mouse cursor over the title bar.
  Refresh: Click to update the displayed information. This option does not appear on the System Command widget.
  Close: Click to close the widget on the dashboard. You will be prompted to confirm the action. To show the widget again, click Add Content near the top of the page.
  Setting: The System Resource widget title bar includes a Setting icon. Click it to change the refresh interval for the widget.

To access the dashboard, you must have an administrator account. Operator accounts do not have permission. For details, see “Permissions” on page 12.

System Information widget

The System Information widget on the dashboard displays the:
• up time
• system time
• serial number
• firmware version
• disk usages

In addition to displaying system information, the System Information widget enables you to change the firmware. FortiRecorder administrators can change the system time and software.

Table 15: System Information widget
  Serial number: Displays the serial number of the FortiRecorder appliance. On hardware appliance models of FortiRecorder, the serial number (e.g. FK200D00RD000001) is specific to the FortiRecorder appliance’s hardware and does not change with firmware upgrades. Use this number when registering the hardware or virtual appliance with Fortinet Technical Support.
  Up time: Displays the time in days, hours, and minutes since the FortiRecorder appliance last started or rebooted.
  System time: Displays the current date and time according to the FortiRecorder appliance’s internal clock. Click Change to change the time or configure the FortiRecorder appliance to get the time from an NTP server. See “Setting the system time & date” on page 72.
  Firmware version: Displays the version of the software currently installed on the FortiRecorder appliance. Click Update to upload and install new firmware. See “Updating the firmware” on page 43.
  System configuration: Click the links to either download (Backup) or upload (Restore) a configuration file.
  Log disk: Displays the capacity and disk usage of the hard disk or partition used to store log files.
  Video disk: Displays the capacity and disk usage of the hard disk or partition used to store video files.

System Resources widget

The System Resource widget on the dashboard displays CPU, load, disk usage, and memory usage. To view a graph of the change in these resource levels over the last few minutes, click History >>.

Figure 10: System Resource widget

The widget displays CPU and memory usage as a percentage of the usage for core processes only. CPU and memory usage for management processes (for example, for HTTPS connections to the web UI) is excluded.

System Command widget

The System Command widget on the dashboard contains some simple buttons that enable you to reboot and shut down the appliance, or to reload the configuration in memory from the one currently stored on disk.

Figure 11: System Command widget

Statuses via the CLI

Similar to the dashboard in the web UI, you can obtain information about performance and resource consumption by entering commands in the CLI.

    FortiRecorder-200D# get system status
    Version: FortiRecorder-200D v4.0 MR4 Patch 1,build0102,121105 (Interim)
    Architecture: 32-bit
    Serial-Number: FK200D3A12000001
    BIOS version: 00010003
    Log disk: Capacity 91 GB, Used 333 MB (0.36%), Free 91 GB
    Video disk: Capacity 823 GB, Used 117 GB (14.28%), Free 705 GB
    Hostname: FK200D00RD000001
    Distribution: International
    Branch point: 102
    Uptime: 0 days 3 hours 2 minutes
    Last reboot: Mon Nov 05 10:05:07 EST 2012
    System time: Mon Nov 05 13:07:15 EST 2012

    FortiRecorder-200D# get system performance
    CPU usage: 0% used, 100% idle
    Memory usage: 7% used
    System Load: 1
    Uptime: 0 days 3 hours 1 minutes

Fine-tuning & best practices

This topic is a collection of fine-tuning and best practice tips and guidelines to help you configure your FortiRecorder appliances for the most secure and reliable operation. While many features are optional or flexible such that they can be used in many ways, some practices are generally a good idea because they reduce complication, risk, or potential issues. This section includes only recommendations that apply to a combination of multiple features, or to your overall network environment. For feature-specific recommendations, see the tips in each feature’s instructions.

Hardening security

FortiRecorder NVRs are designed to manage IP cameras and store video. While FortiRecorder does have some security features, its primary focus is surveillance. FortiRecorder is not a firewall. It always should be protected by a network firewall, and physically kept in a restricted access area. Should you wish to protect the appliance from accidental or malicious misuse from people within your private network, this section lists tips to further enhance security, and harden all accounts and administrative access (see “Administrator access” on page 168 and “Operator access” on page 170) as well as keeping the FortiRecorder software up-to-date (see “Patches” on page 171).

Topology

• To protect your surveillance system from hackers and unauthorized network access, install the FortiRecorder appliance and cameras behind a network firewall such as a FortiGate.
• If remote access while travelling or at home is not necessary, do not configure Public Access Host name nor Port number, and do not configure your Internet firewall to forward traffic to FortiRecorder. If you do require remote access, be sure to apply strict firewall policies to the connection.
• Make sure traffic cannot bypass the FortiRecorder appliance in a complex network environment, accessing the cameras directly. FortiRecorder appliances are designed specifically to manage cameras and store video.
• Disable all network interfaces that should not receive any traffic.

Figure 12: Disabling port4 in System > Network > Interface

For example, if administrative access is typically through port1, the Internet is connected to port2, and cameras are connected to port3, you would disable (“bring down”) port4. This would prevent an attacker with physical access from connecting a cable to port4 and thereby gaining access if the configuration inadvertently allows it.

Administrator access

• As soon as possible during initial FortiRecorder setup, give the default administrator, admin, a password. This super-administrator account has the highest level of permissions possible, and access to it should be limited to as few people as possible.
• Administrator passwords should be at least 8 characters long and include both numbers and letters.
• Change all passwords regularly. Set a policy — such as every 60 days — and follow it.

Figure 13: Edit Password dialog in System > Admin > Administrators

• Instead of allowing administrative access to the FortiRecorder appliance from any source, restrict it to trusted internal hosts. See “Trusted hosts” on page 12.
  On those computers that you have designated for management, apply strict patch and security policies. Always password-encrypt any FortiRecorder configuration backup that you download to those computers to mitigate the information that attackers can gain from any potential compromise. If your computer’s operating system does not support this, you can use third-party software to encrypt the file.

Figure 14: Trusted hosts in System > Admin > Administrators

• Do not give administrator-level access to all people who use the system. Usually, only a network administrator should have access to the network settings. Others should have operator accounts. This prevents others from accidentally or maliciously breaking the appliance’s connections with cameras and computers. See “Adding logins for security personnel & network administrators” on page 84.
• By default, an administrator login that is idle for more than five minutes times out. You can change this to a longer period in Idle Timeout, but Fortinet does not recommend it. Left unattended, a web UI or CLI session could allow anyone with physical access to your computer to change FortiRecorder settings. Small idle timeouts mitigate this risk.
• Restrict administrative access to a single network interface (usually port1), and allow only the management access protocols needed.

Figure 15: Restricting accepted administrative protocols in the Edit Interface dialog in System > Network > Interface

  Use only the most secure protocols. Disable PING, except during troubleshooting. Disable HTTP, SNMP, and TELNET unless the network interface only connects to a trusted, private administrative network. See “Configuring the network interfaces” on page 53.
• Disable all network interfaces that should not receive any traffic. (i.e. Set the Administrative status to Down.)
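Several of the recommendations in this section, and the SNMPv3 security-level choice from “To add an SNMP user via the CLI” earlier, can be checked mechanically against a configuration backup rather than by eye. The following Python example is added here and is not code from the handbook or from Fortinet. The sample configuration is constructed in the handbook’s config/edit/set/next/end style: the “config system snmp user” keys are the ones the handbook documents, whereas “config system admin” with trusthost1, “config system interface” with status and allowaccess, and “config system global” with idle-timeout are hypothetical names chosen only to illustrate the trusted-host, management-protocol, unused-interface and idle-timeout checks. The password check implements the stated policy (at least 8 characters, both letters and numbers) for use when a new password is set.

```python
import re
from typing import Dict, List, Tuple

# Constructed configuration excerpt. SNMP user keys follow the handbook; the admin,
# interface and global keys are hypothetical and exist only to drive the checks below.
SAMPLE_CONFIG = """
config system global
    set idle-timeout 30
end
config system snmp user
    edit "nms-ro"
        set status enable
        set query-status enable
        set queryport 161
        set security-level authpriv
        set auth-proto sha1
        set priv-proto aes
    next
    edit "legacy"
        set status enable
        set query-status enable
        set queryport 161
        set security-level noauthnopriv
    next
end
config system admin
    edit "admin"
        set trusthost1 10.1.1.0 255.255.255.0
    next
    edit "ops"
    next
end
config system interface
    edit "port1"
        set status up
        set allowaccess https ssh
    next
    edit "port4"
        set status up
        set allowaccess http telnet snmp
    next
end
"""

Config = Dict[str, Dict[str, Dict[str, List[str]]]]
Finding = Tuple[str, str]  # (severity, description)
CLEARTEXT_MGMT = {"http", "telnet", "snmp"}  # protocols the handbook says to disable


def parse_config(text: str) -> Config:
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: values}}}.
    Settings directly under 'config' (no 'edit') are stored under the entry name ''."""
    tree: Config = {}
    section = None
    entry = ""
    for raw in text.splitlines():
        words = raw.strip().split()
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb == "config":
            section = " ".join(args)
            tree.setdefault(section, {})
            entry = ""
        elif verb == "edit":
            entry = " ".join(args).strip('"')
            tree[section].setdefault(entry, {})
        elif verb == "set":
            tree[section].setdefault(entry, {})[args[0]] = args[1:]
        elif verb == "next":
            entry = ""
        elif verb == "end":
            section = None
    return tree


def audit(cfg: Config, in_use_interfaces=("port1", "port2", "port3"),
          max_idle_minutes: int = 5) -> List[Finding]:
    findings: List[Finding] = []
    # SNMPv3: noauthnopriv gives neither secrecy nor authenticity; authnopriv is readable
    # on the wire; md5/des are the weaker of the two algorithm choices offered.
    for name, s in cfg.get("system snmp user", {}).items():
        if not name:
            continue
        level = s.get("security-level", ["noauthnopriv"])[0]
        if level == "noauthnopriv":
            findings.append(("high", f"SNMP user {name}: noauthnopriv (no authentication, no encryption)"))
        elif level == "authnopriv":
            findings.append(("medium", f"SNMP user {name}: authnopriv leaves queries and traps readable; use authpriv"))
        if s.get("auth-proto", [""])[0] == "md5" or s.get("priv-proto", [""])[0] == "des":
            findings.append(("low", f"SNMP user {name}: prefer sha1/aes over md5/des"))
    # Administrators should be restricted to trusted hosts.
    for name, s in cfg.get("system admin", {}).items():
        if name and not any(k.startswith("trusthost") for k in s):
            findings.append(("medium", f"administrator {name}: no trusted hosts configured"))
    # Interfaces: no cleartext management protocols; unused ports brought down.
    for name, s in cfg.get("system interface", {}).items():
        if not name:
            continue
        bad = CLEARTEXT_MGMT & set(s.get("allowaccess", []))
        if bad:
            findings.append(("high", f"interface {name}: cleartext management protocols enabled: {', '.join(sorted(bad))}"))
        if name not in in_use_interfaces and s.get("status", ["up"])[0] == "up":
            findings.append(("medium", f"interface {name}: unused but administratively up"))
    # Idle timeout longer than the five-minute default.
    idle = cfg.get("system global", {}).get("", {}).get("idle-timeout")
    if idle and int(idle[0]) > max_idle_minutes:
        findings.append(("low", f"idle-timeout {idle[0]} minutes exceeds the {max_idle_minutes}-minute default"))
    return findings


def password_meets_policy(password: str) -> bool:
    """Handbook policy: at least 8 characters, including both letters and numbers."""
    return (len(password) >= 8
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"\d", password) is not None)


if __name__ == "__main__":
    for severity, text in audit(parse_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {text}")
```

Run against a real backup, in_use_interfaces should list the ports you actually cable (the handbook’s example is port1 for management, port2 for the Internet and port3 for cameras), so that anything else left up is reported.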
Figure 16:Disabling port4 in System > Network > Interface For example, if administrative access is typically through port1, the Internet is connected to port2, and cameras are connected to port3, you would disable (“bring down”) port4. This would prevent an attacker with physical access from connecting a cable to port4 and thereby gaining access if the configuration inadvertently allows it. Operator access • Authenticate users only over encrypted channels such as HTTPS. Authenticating over non-secure channels such as Telnet or HTTP exposes the password to any eavesdropper. For certificate-based server/FortiRecorder authentication, see “Replacing the default certificate for the web UI” on page 131. • Immediately revoke certificates that have been compromised. If possible, automate the distribution of certificate revocation lists (see “Revoking certificates” on page 137). Fortinet Technologies Inc. Page 170 FortiRecorder 1.1 Handbook Patches • Upgrade to the latest available firmware to take advantage of new security features and stability enhancements (see “Updating the firmware” on page 43). Improving performance When configuring your FortiRecorder appliance and its features, there are many settings and practices that can yield better performance. Video performance Video performance is a combination of the video input (from the cameras) and the video output (to the browser for live views and playback). Input performance factors • Peak number of cameras streaming to the NVR simultaneously • The camera recording type (motion detection only or continuous) • The camera resolution, frame rate, and image quality Output performance factors • Number of administrator/operator sessions • Number of live camera views per administrator/operator session • Peak number of simultaneous administrator/operator live views Resolution has the largest impact on the overall NVR performance. 
• Low resolution — n MB/s • Medium resolution — 2n MB/s • High resolution — 6n MB/s In other words, high resolution video will generate 3 times as much raw data as the default, medium resolution. Depending on how efficiently a specific raw stream can be compressed, higher resolutions can multiply the bandwidth and/or disk space required per camera, and per login session. For example, assuming a FortiCam 20A camera, the NVR can store on its local hard drive about 36 days’ worth of high resolution video, but about 240 days’ worth of low resolution video. Degree of motion in the camera’s field of view also affects video performance. Constant and/or extreme motion will result in larger files/streams, because the compression method cannot encode it as efficiently. To improve compression, exclude areas of irrelevant motion such as fans or blinking lights from the camera’s field of view. For sizing guidelines and estimates on the amount of video that you will be able to store, contact your reseller. Alternatively, expand your storage by configuring a network storage location (see “External video storage” on page 122). System performance • Delete or disable unused cameras. FortiRecorder allocates memory with each camera, regardless of whether it is actually in active use. Configuring extra cameras will unnecessarily consume memory and decrease performance. • To reduce latency associated with DNS queries, use a DNS server on your local network as your primary DNS. See “Configuring DNS settings” on page 62. Fortinet Technologies Inc. Page 171 FortiRecorder 1.1 Handbook ) To minimize the performance impact on your FortiRecorder appliance. • If you do not need a log or alert. Page 172 FortiRecorder 1. See “Configuring logging” on page 110. • Avoid recording log messages using low severity thresholds. store FortiRecorder’s logs on the FortiAnalyzer to avoid resource usage associated with writing logs to FortiRecorder’s own hard disks.1 Handbook . 
use packet capture only during periods of minimal traffic. such as information or notification. Use a local console CLI connection rather than a Telnet or SSH CLI connection. Excessive logging frequency saps system resources and can cause undue wear on the hard disk and may cause premature failure. See “Configuring logging” on page 110. such as: • Upgrading the firmware • Running the CLI commands execute factoryreset or execute restore • Clicking the Restore button in the System Information widget on the dashboard Fortinet Technologies Inc. to the local hard disk for an extended period of time. Regular backups Make a backup before executing operations that can cause large configuration changes. (See “Packet capture” on page 176. Figure 17:Logs and Alerts > Log Setting > Local Log Settings Packet capture performance Packet capture can be useful for troubleshooting but can be resource intensive. disable it to reduce the use of system resources.Logging & alert performance • If you have a FortiAnalyzer. and be sure to stop the command when you are finished. See “Configuring logging” on page 110. To mitigate impact in the event of a network compromise.1 Handbook . see “Backups” on page 117. Fortinet Technologies Inc. Page 173 FortiRecorder 1. always password-encrypt your backups. For details. you can encrypt the file using third-party software. If your operating system does not support this feature. 10): 56 data bytes 64 bytes from 172.172.16.10: icmp_seq=4 ttl=64 time=1. You can do this from the FortiRecorder appliance using CLI commands. try using ICMP (ping and traceroute) to determine if the host is reachable or to locate the point on your network at which connectivity fails. Page 174 FortiRecorder 1.20.4 64 bytes from 172.16. third-party tools on external hosts can test connections from perspectives that cannot be achieved locally. such as when static routes are incorrectly configured.16.10: icmp_seq=0 ttl=64 time=2. 
you might use ping to determine that 172.1 Handbook .1.16.1.1.1.10: icmp_seq=3 ttl=64 time=0.4 64 bytes from 172. Troubleshooting methods and tips may use: • the command line interface (CLI) (see “How to use the CLI” on page 18) • the web UI • external third-party tools Some CLI commands provide troubleshooting information not available through the web UI.1. you can contact Fortinet Technical Support.16.8 64 bytes from 172.1.10 is reachable: execute ping 172.1. FortiRecorder appliances feature several troubleshooting tools.1. Keep in mind that if you cannot resolve the issue on your own.10 PING 172.16.120. This topic includes: • Tools • How to troubleshoot • Solutions by issue type • Resetting the configuration • Restoring firmware (“clean install”) Tools To locate network errors and other issues that may prevent connections to or from the FortiRecorder appliance.10: icmp_seq=2 ttl=64 time=1.8/1.167 ping statistics --5 packets transmitted.4 ms ms ms ms ms --.16.4 ms Fortinet Technologies Inc.1.10 (172. Ping & traceroute If your FortiRecorder appliance cannot connect to other hosts. 5 packets received.16.10: icmp_seq=1 ttl=64 time=1. 0% packet loss round-trip min/avg/max = 0.4 64 bytes from 172.16. For example.4/2.Troubleshooting This topic provides guidelines to help you resolve issues if your FortiRecorder appliance is not behaving as you expect. 168.1.10 is not reachable: execute ping 192.1.1.168.. and you are not sure what in the configuration has changed. Diff You can compare backups of the core configuration file with your current configuration. Timeout ..10 ping statistics --5 packets transmitted.192.1. To enable logging.168. Timeout . for example: • A previously configured feature is no longer functioning. --. • You want to recreate something configured previously..1.1.1.. If you have disabled responses to ICMP on your network. FortiRecorder appliances can record log messages when errors occur that cause failures... 
Both ping and traceroute require that network nodes respond to ICMP..10 traceroute to 192. you can use traceroute to determine the router hop or host at which the connection fails: execute traceroute 192.. or upon significant changes that could correspond to your problem.168. Difference programs can help you to quickly find all changes..1.10): 56 data bytes Timeout . 32 hops max.or that 192. hosts may appear to be unreachable to ping and traceroute.2 2 ms 0 ms 1 ms 2 * * * For more information on troubleshooting connectivity. but do not remember what the settings were.10 (192. 72 byte packets 1 192. Page 175 FortiRecorder 1. This can be useful if. 100% packet loss If the host is not reachable. go to Logs and Alerts > Log Setting. 0 packets received.10 PING 192.10 (192.. see “Resource issues” on page 200. Fortinet Technologies Inc.1. Timeout . For instructions to enable debug logging. see “Connectivity issues” on page 187.168.10).168. Log messages Log messages often contain clues that can aid you in determining the cause of a problem.1 Handbook .168.168. even if connections using other protocols can succeed. Timeout .168. and highlight parts that are new. modified. you can trace connection states to the exact point at which they fail. line by line.Figure 18:Configuration differences highlighted in WinMerge There are many such difference-finding programs. or deleted. such as WinMerge and the original diff. Packet capture on FortiRecorder appliances is similar to that of FortiGate appliances. To use the built-in sniffer. For instructions. They can compare your configurations. By recording packets. FortiRecorder appliances have a built-in sniffer.1 Handbook . records some or all of the packets seen by a network interface (that is. the network interface is used in promiscuous mode). see your difference program’s documentation. Page 176 FortiRecorder 1. Packet capture Packet capture. also known as sniffing or packet analysis. 
connect to the CLI and enter the following command:

diagnose sniffer packet [{any | <interface_name>} [{none | '<filter_str>'} [{1 | 2 | 3 | 4 | 5 | 6} [<packets_int> [{a | <any_str>}]]]]]

where:
• <interface_name> is either the name of a network interface, such as port1, or enter any for all interfaces. If you omit this and the following parameters for the command, the command captures all packets on all network interfaces.
• '<filter_str>' is the sniffer filter that specifies which protocols and port numbers that you do or do not want to capture, such as 'tcp port 80', or enter none for no filters. Filters use tcpdump syntax.
• {1 | 2 | 3 | 4 | 5 | 6} is an integer indicating whether to display the network interface names, packet headers, and/or payloads for each packet that the network interface sends, receives, or sees:
  • 1 — Display the packet capture timestamp, plus basic fields of the IP header: the source IP address, the destination IP address, protocol name, and destination port number. Does not display all fields of the IP header; it omits:
    • IP version number bits
    • Internet header length (ihl)
    • type of service/differentiated services code point (tos)
    • explicit congestion notification
    • total packet or fragment length
    • packet ID
    • IP header checksum
    • time to live (TTL)
    • IP flag
    • fragment offset
    • options bits
    e.g.:
    interfaces=[port2] filters=[none]
    0.655224 172.20.130.16.2264 -> 172.20.130.15.42574: udp 113
  • 2 — All of the output from 1, plus the packet payload in both hexadecimal and ASCII. e.g.:
    interfaces=[port2] filters=[none]
    … 172.20.130.16.2264 -> 172.20.130.15.42574: udp 124
    0x0000 4500 0098 d27d 4000 4011 0b8f ac14 8210 E....}@.@.......
    0x0010 ac14 820f 08d8 a64e 0084 b75a 80e0 3dee .......N...Z..=.
    0x0020 71b8 d617 38fa 3fd8 419b 5006 053c 99c1 q...8.?.A.P..<..
    0x0030 e961 93bc 21c9 3197 a030 a709 76dc 0ed8 .a..!.1..0..v...
    0x0040 98f8 ceef 6afb e7f2 7773 98e1 5ef7 bfbf ....j...ws..^...
    0x0050 2f0d 726f 70cf 26cd d986 392f 4a0b f97b /.rop.&...9/J..{
    0x0060 b84f 932d 3043 cbdd c2dc da77 0b73 70fc .O.-0C.....w.sp.
    0x0070 158a 1868 eee0 793b c09e 7dc0 59f5 787c ...h..y;..}.Y.x|
    0x0080 fc1a f25a dc18 735d f090 8e05 c3e8 c14f ...Z..s].......O
    0x0090 3466 57c0 4688 58b8 4fW.F.X.
  • 3 — All of the output from 2, plus the link layer (Ethernet) header. e.g.:
    interfaces=[port2] filters=[none]
    0.317960 172.20.130.16.2264 -> 172.20.130.15.42574: udp 31
    0x0000 50e5 49e8 dc3d 000f 7c08 2ff5 0800 4500 P.I..=..|./...E.
    0x0010 003b 2cad 4000 4011 b1bc ac14 8210 ac14 .;,.@.@.........
    0x0020 820f 08d8 a64e 0027 ea3c 80e0 981e 7474 .....N.'.<....tt
    0x0030 6ddf 38fa 3fd8 419b 6e06 00f0 8dd5 e01d m.8.?.A.n.......
    0x0040 810a e049 e5e9 380a f8 ...I..8..
  • 4 — All of the output from 1, plus the network interface name. This can be necessary if you are capturing packets from multiple network interfaces at once, and need to know which packet was seen by which interface. e.g.:
    interfaces=[port2] filters=[none]
    0.918575 port2 -- 172.20.130.16.2264 -> 172.20.130.15.42574: udp 38
  • 5 — All of the output from 2, plus the network interface name. e.g.:
    interfaces=[port2] filters=[none]
    0.508965 port2 -- 172.20.130.16.2265 -> 172.20.130.15.42575: udp 44
    0x0000 4500 0048 03ab 4000 4011 dab1 ac14 8210 E..H..@.@.......
    0x0010 ac14 820f 08d9 a64f 0034 df2e 80c8 0006 .......O.4......
    0x0020 38fa 3fd8 d39f 1ee5 7597 80ba 75f0 bb05 8.?.....u...u...
    0x0030 0000 3064 0831 856b 81ca 0003 38fa 3fd8 ..0d.1.k....8.?.
    0x0040 0105 6c6f 6262 7900 ..lobby.
  • 6 — All of the output from 3, plus the network interface name. e.g.:
    interfaces=[port2] filters=[none]
    0.169046 port2 -- 172.20.130.16.2268 -> 172.20.130.15.35552: udp 46
    0x0000 50e5 49e8 dc3d 000f 7c08 2ff5 0800 4500 P.I..=..|./...E.
    0x0010 004a 8989 4000 4011 54d1 ac14 8210 ac14 .J..@.@.T.......
    0x0020 820f 08dc 8ae0 0036 43eb 80e0 590e 5ad4 .......6C...Y.Z.
    0x0030 6e1a 53b4 db17 419b d006 02bd e02d f92e n.S...A......-..
    0x0040 f809 35ac 020e f4a0 3ac4 7097 7cd9 01b3 ..5.....:.p.|...
    0x0050 cdd5 42dc 9e6c 0ec0 ..B..l..
• <packets_int> is the number of packets the sniffer reads before stopping. Packet capture output is printed to your CLI display until you stop it by pressing Ctrl+C, or until it reaches the number of packets that you have specified to capture.
• {a | <any_str>} is either a (to include an absolute, full UTC timestamp in the format yyyy-mm-dd hh:mm:ss.ms), or any other text (to include a timestamp that is the amount of time since the start of the packet capture, in the format ss.ms).

Packet capture can be very resource intensive. To minimize the performance impact on your FortiRecorder appliance, use packet capture only during periods of minimal traffic, with a local console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.

For example, you might capture all TCP port 443 (typically HTTPS) traffic occurring through port1, regardless of its source or destination IP address. The capture uses a high level of verbosity (indicated by 3). A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator presses Ctrl+C. The sniffer then confirms that five packets were seen by that network interface. (Verbose output can be very long. As a result, output shown below is truncated after only one packet.)

FortiRecorder# diagnose sniffer packet port1 'tcp port 443' 3
interfaces=[port1] filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000 0009 0f09 0001 0009 0f89 2914 0800 4500 ..........)...E.
0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .<s.@.@.;..W....
0x0020 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002 ...B..-f........
0x0030 16d0 4f72 0000 0204 05b4 0402 080a 03ab ..Or............
0x0040 86bb 0000 0000 0103 0303 ..........

Instead of reading packet capture output directly in your CLI display, you usually should save the output to a plain text file using your CLI client. Saving the output provides several advantages. Packets can arrive more rapidly than you may be able to read them in the buffer of your CLI display, and many protocols transfer data using encodings other than US-ASCII. It is often, but not always, preferable to analyze the output by loading it into a network protocol analyzer application such as Wireshark (http://www.wireshark.org/).

For example, you could use PuTTY or Microsoft HyperTerminal to save the sniffer output to a file. Methods may vary. See the documentation for your CLI client.

Requirements
• terminal emulation software such as PuTTY
• a plain text editor such as Notepad
• a Perl interpreter
• network protocol analyzer software such as Wireshark

To view packet capture output using PuTTY and Wireshark
1. On your management computer, start PuTTY.
2. Use PuTTY to connect to the FortiRecorder appliance using either a local console, SSH, or Telnet connection. For details, see “Connecting to the CLI” on page 39.
3. Type the packet capture command, such as:
   diag sniffer packet port1 'src host 10.0.0.1 and tcp port 443' 3
   but do not press Enter yet.
4. In the upper left corner of the window, click the PuTTY icon to open its drop-down menu, then select Change Settings. A dialog appears where you can configure PuTTY to save output to a plain text file.
5. In the Category tree on the left, go to Session > Logging.
6. In Session logging, select Printable output.
7. In Log file name, click the Browse button, then choose a directory path and file name such as C:\Users\MyAccount\packet_capture.txt to save the packet capture to a plain text file. (You do not need to save it with the .log file extension.)
8. Click Apply.
9. Press Enter to send the CLI command to the FortiRecorder appliance, beginning packet capture.
10. If you have not specified a number of packets to capture, when you have captured all packets that you want to analyze, press Ctrl + C to stop the capture.
11. Close the PuTTY window.
12. Open the packet capture file using a plain text editor such as Notepad.
13. Delete the first and last lines, which look like this:
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=
    FortiRecorder-200 #
    These lines are a PuTTY timestamp and a command prompt, which are not part of the packet capture. If you do not delete them, they could interfere with the script in the next step.
14. Convert the plain text file to a format recognizable by your network protocol analyzer application.
    You can convert the plain text file to a format (.pcap) recognizable by Wireshark (formerly called Ethereal) using the fgt2eth.pl Perl script. To download fgt2eth.pl, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer.
    The fgt2eth.pl script is provided as-is, without any implied warranty or technical support, and requires that you first install a Perl module compatible with your operating system.
    To use fgt2eth.pl, open a command prompt, then enter a command such as the following:
    (Methods to open a command prompt vary by operating system. On Windows XP, go to Start > Run and enter cmd. On Windows 7, click the Start (Windows logo) menu to open it, then enter cmd.)
    fgt2eth.pl -in packet_capture.txt -out packet_capture.pcap
    where:
    • fgt2eth.pl is the name of the conversion script; include the path relative to the current directory, which is indicated by the command prompt
    • packet_capture.txt is the name of the packet capture’s output file; include the directory path relative to your current directory
    • packet_capture.pcap is the name of the conversion script’s output file; include the directory path relative to your current directory where you want the converted output to be saved
    Figure 19: Converting sniffer output to .pcap format
15. Open the converted file in your network protocol analyzer application. For further instructions, see the documentation for that application.
    Figure 20: Viewing sniffer output in Wireshark

For additional information on packet capture, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer.

How to troubleshoot

If you are new to troubleshooting FortiRecorder, or to troubleshooting network appliances in general, this section outlines some basic skills.
• Establishing a system baseline
• Planning & access privileges
• Determining the source of the problem

Establishing a system baseline

Before you can define an abnormal operation, you need to know what normal operation is. When there is a problem, a baseline for normal operation helps you to define what is wrong or changed.

Baseline information can include:
• Logging (see “Configuring notification email” on page 102)
• Monitoring performance statistics such as memory usage (see “System Resources widget” on page 164)
• Regular backups of the FortiRecorder appliance's configuration (see “Backups” on page 117)
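The handbook relies on fgt2eth.pl for step 14. As an added example (not Fortinet's script and not part of the handbook), the following Python converter does the same job for verbosity 3 and 6 output: it skips the PuTTY banner, the interfaces= line and the command prompt (so step 13 is unnecessary), rebuilds each frame from the hex columns, and flags frames whose captured length disagrees with the IP total length field, which is what a truncated copy/paste looks like. The sample session is constructed from the handbook's own sniffer output.

```python
"""Convert saved 'diagnose sniffer packet' output (verbosity 3 or 6) into a pcap
file for Wireshark. Added example, not Fortinet's fgt2eth.pl script."""
import re
import struct

# Header: "10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898", or with
# an interface name at verbosity 5/6: "0.169046 port2 -- 172.20.130.16.2268 -> ..."
HEADER_RE = re.compile(r"^(\d+\.\d+)\s+(?:(\S+)\s+--\s+)?(\S+)\s+->\s+(\S+):\s*(.*)$")
# Dump line: "0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .<s.@.@.;..W...."
HEX_RE = re.compile(r"^0x([0-9a-fA-F]{4})\s+(.*)$")
LINKTYPE_ETHERNET = 1    # verbosity 3 and 6: dump starts at the Ethernet header
LINKTYPE_RAW = 101       # verbosity 2 and 5: dump starts at the IP header


def hex_groups_to_bytes(rest):
    """Decode the hex groups of a dump line, stopping at the ASCII column: a
    4-digit group continues the dump, a 2-digit group is a trailing odd byte."""
    data = bytearray()
    for tok in rest.split():
        if len(data) >= 16 or not re.fullmatch(r"[0-9a-fA-F]{2}([0-9a-fA-F]{2})?", tok):
            break
        data += bytes.fromhex(tok)
        if len(tok) == 2:
            break
    return bytes(data)


def parse_sniffer_output(text):
    """Return one dict {ts, iface, summary, data} per packet. Lines that are not
    packet headers or hex lines (PuTTY banner, 'interfaces=[...]', prompt) are skipped."""
    packets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            ts, iface, src, dst, summary = h.groups()
            current = {"ts": float(ts), "iface": iface or "",
                       "summary": f"{src} -> {dst}: {summary}", "data": bytearray()}
            packets.append(current)
            continue
        x = HEX_RE.match(line)
        if x and current is not None:
            offset = int(x.group(1), 16)
            if offset != len(current["data"]):   # a dump line was lost or garbled
                raise ValueError(f"offset 0x{offset:04x} not contiguous in {current['summary']}")
            current["data"] += hex_groups_to_bytes(x.group(2))
    for p in packets:
        p["data"] = bytes(p["data"])
    return packets


def ip_length_consistent(frame):
    """True when an Ethernet/IPv4 frame's captured length equals 14 + the IP total
    length field; False flags a packet truncated by scrolling or copy/paste."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return False
    return len(frame) == 14 + struct.unpack("!H", frame[16:18])[0]


def to_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialise packets as a classic little-endian pcap with microsecond stamps.
    Timestamps are seconds since the capture started, as the CLI printed them."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for p in packets:
        sec = int(p["ts"])
        usec = int(round((p["ts"] - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(p["data"]), len(p["data"]))
        out += p["data"]
    return bytes(out)


# Constructed sample session: the handbook's verbosity-3 SYN packet and its
# verbosity-6 UDP packet, wrapped in the PuTTY banner and prompt lines.
SAMPLE_SESSION = """=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=
FortiRecorder# diagnose sniffer packet port1 'tcp port 443' 3
interfaces=[port1] filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000 0009 0f09 0001 0009 0f89 2914 0800 4500 ..........)...E.
0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .<s.@.@.;..W....
0x0020 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002 ...B..-f........
0x0030 16d0 4f72 0000 0204 05b4 0402 080a 03ab ..Or............
0x0040 86bb 0000 0000 0103 0303 ..........
0.169046 port2 -- 172.20.130.16.2268 -> 172.20.130.15.35552: udp 46
0x0000 50e5 49e8 dc3d 000f 7c08 2ff5 0800 4500 P.I..=..|./...E.
0x0010 004a 8989 4000 4011 54d1 ac14 8210 ac14 .J..@.@.T.......
0x0020 820f 08dc 8ae0 0036 43eb 80e0 590e 5ad4 .......6C...Y.Z.
0x0030 6e1a 53b4 db17 419b d006 02bd e02d f92e n.S...A......-..
0x0040 f809 35ac 020e f4a0 3ac4 7097 7cd9 01b3 ..5.....:.p.|...
0x0050 cdd5 42dc 9e6c 0ec0 ..B..l..
FortiRecorder-200 #
"""

if __name__ == "__main__":
    pkts = parse_sniffer_output(SAMPLE_SESSION)
    for p in pkts:
        print(f"{p['ts']:10.6f} {p['iface'] or '-':6} {p['summary']:48} "
              f"{len(p['data'])} bytes, length consistent: {ip_length_consistent(p['data'])}")
    with open("packet_capture.pcap", "wb") as fh:
        fh.write(to_pcap(pkts))
```

For verbosity 2 or 5 output (no Ethernet header) pass linktype=LINKTYPE_RAW to to_pcap and skip ip_length_consistent, which expects an Ethernet frame.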
Backups also can aid in troubleshooting: you can use a tool such as diff to find the parts of the configuration that have changed. If you accidentally change something, the backup can help you restore normal operation quickly and easily.

Planning & access privileges

Create a checklist so that you know what you have tried, and what is left to check.

If you need access to other networking equipment such as switches, routers, and servers to help you test, contact your network administrator. Fortinet Technical Support will not have access to this other equipment. However, they may need to ask you to adjust a setting on the other equipment if interoperation is a problem.

If you are not using the admin account on FortiRecorder, verify that your account has the permissions you need to run all diagnostics.

If you need to contact Fortinet Technical Support, it helps to provide a list of what data you gathered and what solutions you tried. This prevents duplicated efforts, and minimizes the time required to resolve your ticket.

Determining the source of the problem

To know which solutions to try, you first need to locate the source of the problem. Occasionally, a problem has more than one possible source. To find a working solution, you will need to determine the exact source of the problem.
• Did FortiRecorder’s hardware and software both start properly? If not, see “Bootup issues” on page 205.
• Does the problem originate on the camera, FortiRecorder, or your computer? There are two sides to every connection. See “Connectivity issues” on page 187.
• Does the problem affect only specific cameras? Are they all of the same model?
• Is the problem intermittent or random? Or can you reproduce it reliably, regardless of which camera or computer you use to connect to FortiRecorder? If the problem is intermittent, you can use the System Resources widget to see whether the problem corresponds to FortiRecorder processor or RAM exhaustion. See “Resource issues” on page 200.
• Are you having Login issues?
• What has recently changed? Do not assume that nothing has changed in the network. Use Diff and Backups to see if something changed in the configuration, and Logging to see if an unusual condition occurred. If the configuration did change, see what the effect is when you roll back the change.

Solutions by issue type

Recommended solutions vary by the type of issue.
• Video viewing issues
• Snapshot notification issues
• DHCP issues
• Connectivity issues
• Resource issues
• Login issues
• Data storage issues
• Bootup issues

Fortinet also provides these resources:
• the Release Notes provided with your firmware
• Technical documentation (references, installation guides, and other documents)
• Knowledge base (technical support articles)
• Forums
• Online campus (tutorials and training materials)

Check within your organization. You can save time and effort during the troubleshooting process by checking if other FortiRecorder administrators experienced a similar problem before.

Video viewing issues

If you can connect to FortiRecorder, and your cameras can connect with your FortiRecorder, but you cannot view video that is streamed or stored on FortiRecorder, first check that you have installed software that can view live streams (which use RTP) and files (which use .mp4 format), and is capable of displaying H.264 video. For requirements, see “Connecting with the cameras” on page 75 and “Downloading or playing older video clips” on page 142.

If you have installed a suitable media player but still cannot view the video, try clicking the panel arrows to hide and then show the panel again. For some Windows computers, this can solve the problem. (This QuickTime issue does not affect Mac OS X computers.)

If this does not trigger the video to play, make sure that its codec software does not have any conflicts. Media players’ codec plug-ins can come from many sources, and if you have installed multiple codecs for the same format, display problems can arise. Different media players can also interfere with each other: if you installed software to view downloaded video files, some installers take file type associations previously belonging to other players and re-assign them to the new software, so you might need to fix the file associations for RTP and/or MP4.

Live feed delay

Before QuickTime will begin playing a video stream, it must buffer a few seconds’ worth of data. The time that QuickTime requires to do this may result in a few seconds’ difference between what you see happening in the live video feed, and what is happening in reality now. You can minimize this by:
• Improving the bandwidth and latency of your network
• Changing the camera’s Resolution setting to the lowest acceptable resolution

Video not being sent to the NVR

If the camera itself does not seem to be sending video to the NVR, although it has booted, has network connectivity, and you have configured a recording schedule on the NVR, first try to reboot the camera:

execute camera reboot <camera_name>

If this does not solve the problem, you can try either upgrading the camera’s firmware (see “Updating the cameras’ firmware” on page 82) or resetting the camera to factory defaults, then re-configuring it (see the camera’s QuickStart Guide).

Snapshot notification issues

If you are not receiving any email when motion detection begins recording, but you have configured camera notifications, first verify that your FortiRecorder NVR’s SMTP email settings are correct, and that it can connect to your email server to send email. Then check that notifications are not being blocked or sent to your spam or junk mail folder. (Some anti-spam systems mistakenly mark repeated or frequent email as spam.)

If you are receiving the email, and there are video links (that is, FortiRecorder has not been configured to email still images — see “Configuring notification email” on page 102), but you cannot view the video from the email:
1. Verify that you have installed the QuickTime video player software on your computer.
2. Verify that your computer can connect to the FortiRecorder NVR’s IP address. By default, this is a private network IP address, and can only be reached when you are connected to your office’s network. It cannot be viewed from the Internet unless you have configured FortiRecorder with your public IP. If you want to log in to the web UI and/or view video clips while out of the office, you must configure port forwarding and/or a virtual IP (VIP) on your firewall or Internet router, such as your ISP’s cable modem, a router, or a Windows or Linux server, and configure the FortiRecorder NVR to link to this public IP address in snapshot notifications. For details, see “Adding the virtual IP/port mapping to your firewall” on page 36.

If you are receiving too many notifications, change the configuration so that your FortiRecorder NVR will only send snapshot notifications during suspicious periods, and focuses motion detection only on areas that do not cause false alerts.

DHCP issues

The FortiRecorder NVR has a built-in DHCP server. By default, it is disabled. If your network has another DHCP server, first verify that both are not using the same pool of IP addresses (which could lead to IP address conflicts — see “Resolving IP address conflicts” on page 188), and that they are not serving requests on the same network segment (which could create a race condition).

Unauthorized DHCP clients or DHCP pool exhaustion

If computers or other devices are accidentally using IP addresses that the FortiRecorder NVR should be allocating to cameras, and the pool of available DHCP IP addresses becomes exhausted, cameras may be unable to get or retain an IP address.

To determine which devices are using your pool of DHCP IP addresses, compare the MAC address of each device’s network adapter to the list of current DHCP clients. To display the list of current DHCP clients, enter this command in the CLI:

execute dhcp lease-list

Output will resemble the following:

port3
IP               MAC-Address        Expiry                    VCI
192.168.200.100  20:10:7a:5a:28:d1  Thu Oct  4 15:01:22 2012  udhcp 0.9.8
192.168.200.101  20:10:7a:5a:29:38  Wed Oct  3 11:17:12 2012  udhcp 0.9.8

where port3 is the network interface where the built-in DHCP server is listening for requests for IP addresses, and hexadecimal numbers such as 20:10:7a:5a:28:d1 are MAC addresses.

To correct this situation, first configure those devices so that they do not use DHCP (that is, they have a static IP address) and their IP address is not in the range used by the DHCP pool. Second, clear the list of DHCP clients to allow legitimate DHCP clients (your cameras) to obtain a lease:

execute dhcp clear-lease

New clients that were previously unable to get an IP address will obtain an IP address for the first time. Returning clients’ IP addresses may change as the built-in DHCP server no longer has any memory of their previous lease, and may assign them a new IP address if another client has claimed that IP address first. (This may result in temporary IP address conflicts and therefore connectivity interruptions while the DHCP server assigns new leases.)

Connectivity issues

One of your first tests when configuring a new device should be to determine whether video is being received from your camera.

Checking hardware connections

If there is no traffic whatsoever arriving to the FortiRecorder appliance, even though the configuration appears to be correct, it may be a hardware problem.
To check hardware connections
• Ensure the network cables are firmly plugged in to the interfaces on the FortiRecorder appliance.
• Verify that the LEDs for the ports light when you plug network cables into the appliance.
• Change the cable if the cable or its connector are damaged or you are unsure about the cable’s type or quality. If you are not sure whether the cable is faulty or not, use a loopback jack to test.
• Connect the FortiRecorder appliance to different hardware to see if that makes a difference.
• In the web UI, go to System > Network > Interface and ensure the link status is up for the interface. If the status is down (a down arrow on a red circle), click Bring Up next to it in the Status column.
  You can also enable an interface in the CLI, for example:
  config system interface
    edit port2
      set status up
  end

If any of these checks solve the problem, there was a hardware connection issue. You should still perform some basic software tests to ensure complete connectivity.

If the hardware connections are correct and the appliance is powered on but you cannot connect using the CLI (even the local console) or web UI, you may be experiencing bootup problems. See “Bootup issues” on page 205.

Facilitating discovery

Discovery of the cameras by the FortiRecorder NVR uses UPnP. For it to work, cameras generally must be on the same subnet as the NVR, and must not be impeded by firewalls or other network filtering. If you do not know which device is impeding discovery, you can either:
• temporarily attach the cameras to a closer point on the network, such as a local switch or directly to the FortiRecorder NVR, so that discovery is not blocked
• manually add the camera to the FortiRecorder NVR’s list of known cameras, skipping discovery

Resolving IP address conflicts

If two or more devices are configured to use the same IP address on your network, this will cause a problem called an IP address conflict. (If multiple devices were to use the same IP address, routers and switches would not be able to determine with certainty where to deliver a packet destined for that IP address. To prevent this, routers and switches will only let one of the devices use the IP. The other will be ignored.) Only one of those identically addressed devices can have IP-layer connectivity at a given time.

Typically IP conflicts are caused when either:
• you have accidentally configured 2 devices with the same static IP address
• you have accidentally configured a device with a static IP address that belongs to the DHCP pool
• 2 DHCP servers accidentally have pools in the same range of IP addresses, and are each independently assigning their clients the same IPs

Your cameras, of course, have no screen, and cannot display any IP address conflict error message. However, you may notice symptoms such as interrupted video streams whenever a new device connects to the network or reboots.
• If a computer is using the same IP address as another device, it may periodically complain of an IP address conflict. This computer may be the source of the conflict.
• Use the ARP table of either your FortiRecorder NVR (see “Examining the ARP table” on page 189) or router to determine which MAC address (and therefore which computer/device’s network adapter) has taken the IP address.

Once you have found the source of the problem, configure that computer or device to use a unique IP address that is not used by any other device on your network.

If you have configured your FortiRecorder NVR’s built-in DHCP server, first verify that it is not using the same DHCP pool as another DHCP server on your network. See “Unauthorized DHCP clients or DHCP pool exhaustion” on page 186. If, however, you have transitioned your cameras to use static IP addresses, you must use another method.

Examining the ARP table

When connectivity is interrupted or cannot be established, but hardware is not an issue, the first place to look is the address resolution protocol (ARP) table. If changes in which MAC address resolves to which IP address are not correctly propagated through your network, failovers may not work. A functioning ARP is especially important in high-availability configurations.

Next, you can use the CLI to determine whether MAC addresses from other devices’ network adapters have stolen IP addresses that should belong to your cameras. To check the ARP table in the CLI, enter:

diagnose network arp list

Checking routing

ping and traceroute are useful tools in network connectivity and route troubleshooting.

Since you typically use these tools to troubleshoot, you can allow ICMP, the protocol used by these tools, on interfaces only when you need them. Otherwise, disable ICMP for improved security and performance.

By default, FortiRecorder appliances will respond to ping and traceroute. However, if FortiRecorder does not respond, and there are no firewall policies that block it, ICMP type 0 (ECHO_RESPONSE or “pong”) might be effectively disabled.

To enable ping and traceroute responses from FortiRecorder
1. Go to System > Network > Interface.
   To access this part of the web UI, you must have Read and Write permission in your administrator's account access profile to items in the Router Configuration category. For details, see “Permissions” on page 12.
2. In the row for the network interface which you want to respond to ICMP type 8 (ECHO_REQUEST) for ping and UDP for traceroute, click Edit. A dialog appears.
3. Enable PING.
4. Click OK.
   The appliance should now respond when another device such as your management computer sends a ping or traceroute to that network interface.

Disabling PING only prevents FortiRecorder from receiving ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP. It does not disable FortiRecorder CLI commands such as execute ping or execute traceroute that send such traffic.

To verify routes between cameras and your FortiRecorder
1. Use FortiRecorder’s execute ping command with the camera’s IP address to verify that a route exists between the two. If the routing test succeeds, continue with step 4. If the routing test fails, continue to the next step.
2. If possible, temporarily connect a computer at the camera’s usual physical location, using the camera’s usual IP address, so that you can use its ping command to test traffic movement along the path in both directions: from the location of the camera (temporarily, the computer) to the FortiRecorder, and the FortiRecorder to the camera. In networks using features such as asymmetric routing, routing success in one direction does not guarantee success in the other. Use the tracert or traceroute command on both the camera (temporarily, the computer) and FortiRecorder to locate the point of failure along the route.
3. If the route is broken when it reaches the FortiRecorder, on the FortiRecorder, first examine its network interfaces and routes. To display network interface addresses and subnets, enter the CLI command:
   show system interface
   To display all recently-used routes with their priorities, enter the CLI command:
   diagnose netlink rtcache list
   You may need to verify that the physical cabling is reliable and not loose or broken, that there are no IP address or MAC address conflicts, blacklisting, or misconfigured DNS records, and otherwise rule out problems at the physical, network, and transport layer.
4. If these tests succeed, a route exists, but you cannot receive video feeds or use FortiRecorder to update the camera’s network settings, an application-layer problem is preventing connectivity. For application-layer problems, on the FortiRecorder, examine the:
   • camera network settings (these may have become out-of-sync if you modified them while the camera was disabled)
   • certificates (if connecting via HTTPS)
   On routers and firewalls between the host and the FortiRecorder appliance, verify that they permit HTTP, HTTPS, and RTP connectivity between them.
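As an added example (not part of the handbook or of FortiRecorder), the following Python script applies the checks from “Unauthorized DHCP clients or DHCP pool exhaustion”, “Resolving IP address conflicts” and “Examining the ARP table” to saved CLI output: it parses execute dhcp lease-list output in the layout shown above, and for the ARP table it assumes only that each diagnose network arp list entry line carries an IPv4 address and a MAC address (the sample uses a /proc/net/arp-style layout, which is an assumption). The lease list, ARP table, camera MAC list and pool range are constructed sample data.

```python
"""Cross-check the FortiRecorder DHCP lease list against the ARP table to find
unauthorized DHCP clients, static hosts squatting in the pool, IP conflicts and
expired leases. Added example; the lease-list layout follows the handbook sample,
the ARP layout is an assumption (each entry line holds an IPv4 and a MAC)."""
import ipaddress
import re
from datetime import datetime

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b")


def parse_lease_list(text):
    """Parse 'execute dhcp lease-list' output. An interface name stands on its own
    line; each lease line is IP, MAC, five expiry tokens, then the VCI string."""
    leases, iface = [], None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "IP":            # blank line or column header
            continue
        if len(tokens) == 1 and not IP_RE.match(tokens[0]):
            iface = tokens[0]                          # e.g. "port3"
            continue
        if not (IP_RE.fullmatch(tokens[0]) and MAC_RE.fullmatch(tokens[1])):
            continue
        expiry = datetime.strptime(" ".join(tokens[2:7]), "%a %b %d %H:%M:%S %Y")
        leases.append({"iface": iface, "ip": tokens[0], "mac": tokens[1].lower(),
                       "expiry": expiry, "vci": " ".join(tokens[7:])})
    return leases


def parse_arp_list(text):
    """Return {ip: mac} from ARP output; any line with an IPv4 and a MAC counts."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = mac.group(1).lower()
    return table


def audit_dhcp_pool(lease_text, arp_text, pool_start, pool_end, camera_macs, now):
    """Classify the conditions the handbook describes:
    unauthorized   - leases held by MACs that are not your cameras (pool exhaustion)
    conflicts      - a leased IP that the ARP table resolves to a different MAC
    static_in_pool - IPs inside the pool that answer ARP without holding a lease
    expired        - leases whose expiry has passed (camera may fail to renew)"""
    lo, hi = int(ipaddress.ip_address(pool_start)), int(ipaddress.ip_address(pool_end))

    def in_pool(ip):
        return lo <= int(ipaddress.ip_address(ip)) <= hi

    cameras = {m.lower() for m in camera_macs}
    leases, arp = parse_lease_list(lease_text), parse_arp_list(arp_text)
    leased_ips = {lease["ip"] for lease in leases}
    report = {"unauthorized": [], "conflicts": [], "static_in_pool": [], "expired": []}
    for lease in leases:
        ip, mac = lease["ip"], lease["mac"]
        if mac not in cameras:
            report["unauthorized"].append((ip, mac, lease["vci"]))
        if ip in arp and arp[ip] != mac:
            report["conflicts"].append((ip, mac, arp[ip]))
        if lease["expiry"] < now:
            report["expired"].append((ip, mac))
    for ip, mac in arp.items():
        if in_pool(ip) and ip not in leased_ips:
            report["static_in_pool"].append((ip, mac))
    return report


# Constructed sample: the handbook's two camera leases plus a laptop (MSFT 5.0 VCI)
# that took a lease it should not have.
LEASE_SAMPLE = """port3
IP               MAC-Address        Expiry                    VCI
192.168.200.100  20:10:7a:5a:28:d1  Thu Oct  4 15:01:22 2012  udhcp 0.9.8
192.168.200.101  20:10:7a:5a:29:38  Wed Oct  3 11:17:12 2012  udhcp 0.9.8
192.168.200.102  00:11:22:33:44:55  Thu Oct  4 16:40:05 2012  MSFT 5.0
"""
# Constructed ARP sample (assumed /proc/net/arp-style layout): .101 has been taken
# by another adapter, and .150 answers ARP although it holds no lease.
ARP_SAMPLE = """IP address       HW type  Flags  HW address         Mask  Device
192.168.200.100  0x1      0x2    20:10:7a:5a:28:d1  *     port3
192.168.200.101  0x1      0x2    00:11:22:33:44:55  *     port3
192.168.200.150  0x1      0x2    aa:bb:cc:dd:ee:ff  *     port3
"""
CAMERA_MACS = ["20:10:7a:5a:28:d1", "20:10:7a:5a:29:38"]
AUDIT_TIME = datetime(2012, 10, 4, 12, 0, 0)     # "now" for the constructed sample

if __name__ == "__main__":
    report = audit_dhcp_pool(LEASE_SAMPLE, ARP_SAMPLE, "192.168.200.100",
                             "192.168.200.199", CAMERA_MACS, AUDIT_TIME)
    for kind, items in report.items():
        for item in items:
            print(f"{kind}: {item}")
```

Every finding maps to a remedy above: unauthorized and static_in_pool entries are the devices to move to static addresses outside the pool before running execute dhcp clear-lease, and a conflicts entry names the MAC that has taken a camera's address.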
… so that you can use its ping command to test traffic movement along the path in both directions: from the location of the camera (temporarily … verify that they permit HTTP … network …

Testing for connectivity with ping

The ping command sends a small data packet to the destination and waits for a response. The response has a timer that may expire, indicating that the destination is unreachable via ICMP. Beyond basic existence of a possible route between the source and destination, ping tells you the amount of packet loss (if any), how long it takes the packet to make the round trip (latency), and the variation in that time from packet to packet (jitter).

ping sends Internet Control Message Protocol (ICMP) ECHO_REQUEST packets to the destination, and listens for ECHO_RESPONSE packets in reply.

ICMP is part of Layer 3 on the OSI Networking Model. Connectivity via ICMP only proves that a route exists. It does not prove that connectivity also exists via other protocols at other layers such as HTTP.

Some networks block ICMP packets because they can be used in a ping flood or denial of service (DoS) attack if the network does not have anti-DoS capabilities, or because ping can be used by an attacker to find potential targets on the network.

If ping shows total packet loss, investigate:
• cabling to eliminate incorrect connections
• all firewalls, routers, and other devices between the two locations to verify correct IP addresses, routes, MAC lists, and policy configurations

If ping shows some packet loss, investigate:
• cabling to eliminate loose connections
• ECMP, split horizon, or network loops
• all equipment between the ICMP source and destination to minimize hops

If ping finds an outage between two points, use traceroute to locate exactly where the problem is.

To verify that routing is bidirectionally symmetric, you should also ping the appliance. See “To enable ping and traceroute responses from FortiRecorder” on page 189 and “To ping a device from a Microsoft Windows computer” on page 192 or “To ping a device from a Linux or Mac OS X computer” on page 193.

To ping a device from the FortiRecorder CLI
1. Log in to the CLI via either SSH or Telnet. (You can also ping from the FortiRecorder appliance in the CLI Console widget of the web UI.)
2. If you want to adjust the behavior of execute ping, first use the execute ping-options command.
3. Enter the command:
execute ping <destination_ipv4>
where <destination_ipv4> is the IP address of the device that you want to verify that the appliance can connect to, such as 192.168.1.1.

Page 191 FortiRecorder 1.1 Handbook Fortinet Technologies Inc.

If the appliance can reach the host via ICMP, output similar to the following appears:
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=253 time=6.5 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=253 time=7.5 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=253 time=6.5 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=253 time=5.0 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=253 time=7.4 ms
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 5.0/6.5/7.5 ms

If the appliance cannot reach the host via ICMP, output similar to the following appears:
PING 10.0.0.1 (10.0.0.1): 56 data bytes
Timeout ...
Timeout ...
Timeout ...
Timeout ...
Timeout ...
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
“100% packet loss” and “Timeout” indicate that the host is not reachable.

To ping a device from a Microsoft Windows computer
1. Open a command prompt. Click the Start (Windows logo) menu to open it. If the host is running Windows XP, instead, go to Start > Run. Type cmd then press Enter. The Windows command line appears.
2. Enter the command:
ping <options_str> <destination_ipv4>
where:
• <destination_ipv4> is the IP address of the device that you want to verify that the computer can connect to, such as 192.168.1.1.
• <options_str> are zero or more options, such as:
• -t — Send packets until you press Control-C.
• -a — Resolve IP addresses to domain names where possible.
• -n x — Where x is the number of packets to send.
For example, you might enter:
ping -n 5 192.168.1.1

If the computer can reach the destination, output similar to the following appears:
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=7ms TTL=253
Reply from 192.168.1.1: bytes=32 time=11ms TTL=253
Reply from 192.168.1.1: bytes=32 time=6ms TTL=253
Reply from 192.168.1.1: bytes=32 time=5ms TTL=253
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 5ms, Maximum = 11ms, Average = 7ms

If the computer cannot reach the destination, output similar to the following appears:
Pinging 10.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
“100% loss” and “Request timed out.” indicate that the host is not reachable.

To ping a device from a Linux or Mac OS X computer
1. Open a command prompt. Alternatively, on Mac OS X, you can use the Network Utility application.
2. Enter the following command:
ping <options_str> <destination_ipv4>
where:
• <destination_ipv4> is the IP address of the device that you want to verify that the computer can connect to, such as 192.168.1.1.
• <options_str> are zero or more options, such as:
• -W y — Wait y seconds for ECHO_RESPONSE.
• -c x — Where x is the number of packets to send.
If you do not supply a packet count, output will continue until you terminate the command with Control-C. For more information on options, enter man ping.
For example, you might enter:
ping -c 5 -W 2 192.168.1.1
If the command is not found, you can either enter the full path to the executable or add its path to your shell environment variables. The path to the ping executable varies by distribution, but may be /bin/ping.

If the computer can reach the destination via ICMP, output similar to the following appears:
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=253 time=6.85 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=253 time=7.73 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=253 time=8.64 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=253 time=11.0 ms
64 bytes from 192.168.1.1: icmp_seq=5 ttl=253 time=9.72 ms
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4016ms
rtt min/avg/max/mdev = 6.854/8.804/11.072/1.495 ms

If the computer cannot reach the destination via ICMP, and you specified a wait and packet count rather than having the command wait for your Control-C, output similar to the following appears:
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 5999ms
“100% packet loss” indicates that the host is not reachable.

Otherwise, if you terminate by pressing Control-C (^C), output similar to the following appears:
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
From 172.20.120.2 icmp_seq=29 Destination Host Unreachable
From 172.20.120.2 icmp_seq=30 Destination Host Unreachable
From 172.20.120.2 icmp_seq=31 Destination Host Unreachable
^C
--- 10.0.0.1 ping statistics ---
41 packets transmitted, 0 received, +9 errors, 100% packet loss, time 40108ms
pipe 3
“100% packet loss” and “Destination Host Unreachable” indicate that the host is not reachable.
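The three ping procedures above end with the same judgement: read the statistics line, decide whether the loss is total, partial or none, and pick the matching investigation list. The following Python script is an added example (not part of the handbook and not Fortinet code) that makes that judgement from pasted output of any of the three platforms. The sample listings are constructed after the handbook's; the Windows partial-loss listing and the 25% figure in it are invented for the demonstration, and the advice strings paraphrase the two investigation lists above.

```python
import re
from dataclasses import dataclass, field

# Sample outputs, constructed for this example after the listings in the
# handbook (FortiRecorder CLI, Windows, Linux). They are not captured data.
FORTIRECORDER_OK = """PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=253 time=6.5 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=253 time=7.5 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=253 time=6.5 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=253 time=5.0 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=253 time=7.4 ms
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 5.0/6.5/7.5 ms
"""

# Constructed: a Windows run in which one of four probes was lost.
WINDOWS_PARTIAL = """Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=7ms TTL=253
Request timed out.
Reply from 192.168.1.1: bytes=32 time<1ms TTL=253
Reply from 192.168.1.1: bytes=32 time=5ms TTL=253

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
"""

LINUX_UNREACHABLE = """PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
From 172.20.120.2 icmp_seq=29 Destination Host Unreachable
From 172.20.120.2 icmp_seq=30 Destination Host Unreachable
From 172.20.120.2 icmp_seq=31 Destination Host Unreachable
^C
--- 10.0.0.1 ping statistics ---
41 packets transmitted, 0 received, +9 errors, 100% packet loss, time 40108ms
pipe 3
"""

# BSD/Linux-style and Windows-style statistics lines, and per-reply round-trip times.
_UNIX_STATS = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")
_WIN_STATS = re.compile(r"Sent = (\d+), Received = (\d+)")
_RTT = re.compile(r"time[=<]([\d.]+)\s*ms")


@dataclass
class PingResult:
    sent: int
    received: int
    loss_pct: float
    rtts_ms: list = field(default_factory=list)
    unreachable_msgs: int = 0  # "Destination Host Unreachable" replies from a router on the path

    @property
    def reachable(self) -> bool:
        return self.received > 0

    @property
    def jitter_ms(self) -> float:
        # Spread of the observed round-trip times; 0 when nothing came back.
        return max(self.rtts_ms) - min(self.rtts_ms) if self.rtts_ms else 0.0


def parse_ping(output: str) -> PingResult:
    """Read the statistics line of FortiRecorder/Linux-style or Windows-style ping output."""
    m = _UNIX_STATS.search(output) or _WIN_STATS.search(output)
    if m is None:
        raise ValueError("no ping statistics line found; was the command interrupted?")
    sent, received = int(m.group(1)), int(m.group(2))
    loss = 100.0 * (sent - received) / sent if sent else 100.0
    rtts = [float(t) for t in _RTT.findall(output)]
    return PingResult(sent, received, loss, rtts, output.count("Destination Host Unreachable"))


def advise(r: PingResult) -> str:
    """Map a result onto the handbook's two investigation lists."""
    if not r.reachable:
        hint = " (a router replied Destination Host Unreachable)" if r.unreachable_msgs else ""
        return ("total loss" + hint + ": check cabling for incorrect connections, then every "
                "firewall/router on the path (addresses, routes, MAC lists, policies); "
                "run traceroute to locate the outage")
    if r.received < r.sent:
        return (f"partial loss ({r.loss_pct:.0f}%): check cabling for loose connections, "
                "ECMP/split-horizon/loops, and minimize hops")
    return f"reachable: {r.received}/{r.sent} replies, jitter {r.jitter_ms:.1f} ms"


if __name__ == "__main__":
    for sample in (FORTIRECORDER_OK, WINDOWS_PARTIAL, LINUX_UNREACHABLE):
        print(advise(parse_ping(sample)))
```

Paste the output of execute ping, ping -n or ping -c into parse_ping(); the Windows "time<1ms" form is read as 1 ms. A result that is reachable by ICMP still says nothing about HTTP or RTSP reachability, as the section above notes.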
Testing routes & latency with traceroute

traceroute sends ICMP packets to test each hop along the route. It sends three packets to the destination, and then increases the time to live (TTL) setting by one, and sends another three packets to the destination. As the TTL increases, packets go one hop farther along the route until they reach the destination.

Most traceroute commands display their maximum hop count — that is, the maximum number of steps it will take before declaring the destination unreachable — before they start tracing the route. The TTL setting may result in routers or firewalls along the route timing out due to high latency.

Where ping only tells you if the signal reached its destination and returned successfully, traceroute shows each step of its journey to its destination and how long each step takes. If you specify the destination using a domain name, the traceroute output can also indicate DNS problems, such as an inability to connect to a DNS server.

By default, traceroute uses UDP with destination ports numbered from 33434 to 33534. The traceroute utility usually has an option to specify use of ICMP ECHO_REQUEST (type 8) instead, as used by the Windows tracert utility. If you have a firewall and you want traceroute to work from both machines (Unix-like systems and Windows) you will need to allow both protocols inbound through your firewall (UDP ports 33434 - 33534 and ICMP type 8).

To trace the route to a device from the FortiRecorder CLI
1. Log in to the CLI via either SSH or Telnet. (You can also use the CLI Console widget of the web UI.)
2. Enter the command:
execute traceroute {<destination_ipv4> | <destination_fqdn>}
where {<destination_ipv4> | <destination_fqdn>} is a choice of either the device’s IP address or its fully qualified domain name (FQDN). For example, you might enter:
execute traceroute www.fortinet.com

If the appliance has a complete route to the destination, output similar to the following appears:
traceroute to www.fortinet.com (66.171.121.34), 32 hops max, 84 byte packets
1 172.16.1.2 0 ms 0 ms 0 ms
2 209.87.254.221 <static-209-87-254-221.storm.ca> 2 ms 2 ms 2 ms
3 209.87.239.129 <core-2-g0-1-1104.storm.ca> 2 ms 1 ms 2 ms
4 67.69.228.161 2 ms 2 ms 3 ms
5 64.230.164.17 <core2-ottawa23_POS13-1-0.net.bell.ca> 3 ms 3 ms 2 ms
(Output abbreviated.)
17 203.78.181.10 88 ms 87 ms 87 ms
18 203.78.181.130 90 ms 89 ms 90 ms
19 66.171.121.34 <fortinet.com> 91 ms 89 ms 91 ms
20 66.171.121.34 <fortinet.com> 91 ms 91 ms 89 ms
Each line lists the routing hop number, the IP address and FQDN (if any) of that hop, and the 3 response times from that hop. Typically a value of <1ms indicates a local router.

If the appliance does not have a complete route to the destination, output similar to the following appears:
traceroute to 10.0.0.1 (10.0.0.1), 32 hops max, 84 byte packets
1 172.16.1.2 0 ms 0 ms 0 ms
2 172.16.1.10 0 ms 0 ms 0 ms
3 * * *
4 * * *
The asterisks ( * ) indicate no response from that hop in the network routing.

To trace the route to a device from a Microsoft Windows computer
1. Open a command prompt. Click the Start (Windows logo) menu to open it. If the host is running Windows XP, instead, go to Start > Run. Type cmd then press Enter. The Windows command line appears.
2. Enter the command:
tracert {<destination_ipv4> | <destination_fqdn>}

If the computer has a complete route to the destination, output similar to the following appears:
Tracing route to www.fortinet.com [66.171.121.34]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  172.16.1.2
  2     2 ms     2 ms     2 ms  static-209-87-254-221.storm.ca [209.87.254.221]
  3     2 ms     3 ms     3 ms  core-2-g0-1-1104.storm.ca [209.87.239.129]
  4     3 ms     3 ms     3 ms  67.69.228.161
  5     3 ms     3 ms     2 ms  core2-ottawa23_POS13-1-0.net.bell.ca [64.230.164.17]
(Output abbreviated.)
 17    87 ms    87 ms    87 ms  203.78.181.10
 18    89 ms    89 ms    90 ms  203.78.181.130
 19    89 ms    89 ms    90 ms  fortinet.com [66.171.121.34]
 20    90 ms    90 ms    91 ms  fortinet.com [66.171.121.34]
Trace complete.
Each line lists the routing hop number, the 3 response times from that hop, and the IP address and FQDN (if any) of that hop. Typically a value of <1ms indicates a local router.

If the computer does not have a complete route to the destination, output similar to the following appears:
Tracing route to 10.0.0.1 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  172.16.1.2
  2    <1 ms    <1 ms    <1 ms  172.16.1.10
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5  ^C
The asterisks ( * ) and “Request timed out.” indicate no response from that hop in the network routing.

To trace the route to a device from a Linux or Mac OS X computer
1. Open a command prompt. Alternatively, on Mac OS X, you can use the Network Utility application.
2. Enter (the path to the executable varies by distribution):
traceroute {<destination_ipv4> | <destination_fqdn>}

If the computer has a complete route to the destination, output similar to the following appears:
traceroute to www.fortinet.com (66.171.121.34), 30 hops max, 60 byte packets
1 172.16.1.2 (172.16.1.2) 0.189 ms 0.277 ms 0.226 ms
2 static-209-87-254-221.storm.ca (209.87.254.221) 2.554 ms 2.549 ms 2.516 ms
3 core-2-g0-1-1104.storm.ca (209.87.239.129) 2.461 ms 2.007 ms 2.503 ms
4 67.69.228.161 (67.69.228.161) 3.041 ms 3.998 ms 4.417 ms
5 core2-ottawa23_POS13-1-0.net.bell.ca (64.230.164.17) 3.160 ms 4.169 ms 4.963 ms
(Output abbreviated.)
17 203.78.181.10 (203.78.181.10) 122.879 ms 120.690 ms 119.049 ms
18 203.78.181.130 (203.78.181.130) 89.411 ms 89.584 ms 89.591 ms
19 fortinet.com (66.171.121.34) 89.705 ms 89.717 ms 89.568 ms
Each line lists the routing hop number, the IP address and FQDN (if any) of that hop, and the 3 response times from that hop. Typically a value of <1ms indicates a local router.

If the computer does not have a complete route to the destination, output similar to the following appears:
traceroute to 10.0.0.1 (10.0.0.1), 30 hops max, 60 byte packets
1 * * *
2 172.16.1.10 (172.16.1.10) 4.160 ms 4.007 ms 4.144 ms
3 * * *
4 * * *^C
The asterisks ( * ) indicate no response from that hop in the network routing.

Relatedly, if the computer’s DNS query cannot resolve the host name, output similar to the following appears:
example.lab: Name or service not known
Cannot handle "host" cmdline arg `example.lab' on position 1 (argc 1)
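Reading a trace by eye means finding the last hop that answered, the first hop that went silent, and any hop where latency jumps. The following Python script is an added example (not part of the handbook and not Fortinet code) that does this for the FortiRecorder, Windows and Linux listing styles shown above and recognizes the DNS failure message. The sample listings are constructed after the handbook's, with the middle hops omitted; the "largest latency jump" heuristic is mine, not something the handbook prescribes.

```python
import re

# Console listings constructed for this example after the handbook's (not captured traces).
FORTIRECORDER_COMPLETE = """traceroute to www.fortinet.com (66.171.121.34), 32 hops max, 84 byte packets
1 172.16.1.2 0 ms 0 ms 0 ms
2 209.87.254.221 <static-209-87-254-221.storm.ca> 2 ms 2 ms 2 ms
3 209.87.239.129 <core-2-g0-1-1104.storm.ca> 2 ms 1 ms 2 ms
(Output abbreviated.)
18 203.78.181.130 90 ms 89 ms 90 ms
19 66.171.121.34 <fortinet.com> 91 ms 89 ms 91 ms
"""
FORTIRECORDER_INCOMPLETE = """traceroute to 10.0.0.1 (10.0.0.1), 32 hops max, 84 byte packets
1 172.16.1.2 0 ms 0 ms 0 ms
2 172.16.1.10 0 ms 0 ms 0 ms
3 * * *
4 * * *
"""
WINDOWS_INCOMPLETE = """Tracing route to 10.0.0.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.16.1.2
  2    <1 ms    <1 ms    <1 ms  172.16.1.10
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5  ^C
"""
DNS_FAILURE = """example.lab: Name or service not known
Cannot handle "host" cmdline arg `example.lab' on position 1 (argc 1)
"""

# Header line (destination name, optional IP in () or []), hop lines, RTT values, dotted IPv4.
_HEADER = re.compile(r"(?:traceroute to|Tracing route to)\s+(\S+)(?:\s*[\(\[]([\d.]+)[\)\]])?")
_HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
_MS = re.compile(r"<?(\d+(?:\.\d+)?)\s*ms")
_IP = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def dns_failed(output: str) -> bool:
    """The resolver error the handbook shows when a destination name cannot be resolved."""
    return "Name or service not known" in output


def parse_traceroute(output: str):
    """Return (destination_ip, hops); each hop is a dict with hop, ip, rtts_ms, responded."""
    if dns_failed(output):
        raise LookupError("destination name could not be resolved: check DNS before routing")
    m = _HEADER.search(output)
    if m is None:
        raise ValueError("no traceroute/tracert header line found")
    dest_ip = m.group(2) or (m.group(1) if _IP.fullmatch(m.group(1)) else None)
    hops = []
    for line in output.splitlines():
        hm = _HOP.match(line)
        if hm is None:          # header, "(Output abbreviated.)", blank lines
            continue
        rest = hm.group(2)
        rtts = [float(t) for t in _MS.findall(rest)]   # "<1 ms" is read as 1 ms
        ipm = _IP.search(rest)
        hops.append({"hop": int(hm.group(1)), "ip": ipm.group(1) if ipm else None,
                     "rtts_ms": rtts, "responded": bool(rtts)})
    return dest_ip, hops


def locate_outage(output: str) -> dict:
    """Summarize where a trace stops answering, reading '*' hops as the handbook does."""
    dest_ip, hops = parse_traceroute(output)
    responded = [h for h in hops if h["responded"]]
    last_ok = responded[-1] if responded else None
    reached = dest_ip is not None and any(h["ip"] == dest_ip for h in responded)
    first_silent = next((h["hop"] for h in hops if not h["responded"]
                         and (last_ok is None or h["hop"] > last_ok["hop"])), None)
    # Largest rise in minimum RTT between consecutive answering hops: the link to look at for latency.
    worst_jump = None
    for a, b in zip(responded, responded[1:]):
        jump = min(b["rtts_ms"]) - min(a["rtts_ms"])
        if worst_jump is None or jump > worst_jump[1]:
            worst_jump = (b["hop"], jump)
    return {"destination": dest_ip, "reached": reached,
            "last_responding_hop": last_ok["hop"] if last_ok else None,
            "last_responding_ip": last_ok["ip"] if last_ok else None,
            "first_silent_hop": None if reached else first_silent,
            "largest_latency_jump": worst_jump}


if __name__ == "__main__":
    for sample in (FORTIRECORDER_COMPLETE, FORTIRECORDER_INCOMPLETE, WINDOWS_INCOMPLETE):
        print(locate_outage(sample))
```

For the incomplete traces the result names hop 2 (172.16.1.10) as the last device that answered and hop 3 as the first silent one, which is where the handbook's ping advice (cabling, then the firewalls and routers at that point) applies. A silent hop in the middle of an otherwise complete trace is reported as reached, since some routers simply do not answer probes.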
Examining the routing table cache

When a route does not exist, or when hops have high latency, examine the routing table. The routing table is where the FortiRecorder appliance caches recently used routes. If a route is cached in the routing table, it saves time and resources that would otherwise be required for a route lookup. If the routing table is full and a new route must be added, the oldest, least-used route is deleted to make room.

To check the routing table in the CLI, enter:
diagnose netlink rtcache list

Viewing current IP sessions

If a route exists, but there appears to be a problem establishing or maintaining communications between FortiRecorder and a computer or camera on your IP network, you can view a snapshot of FortiRecorder’s session table according to the IP layer.

Go to Monitor > System Status > Sessions.

To refresh the session list snapshot with the most current list, click the dotted circle (Refresh) icon to the left of Records per page.

To sort the session list based upon the contents of a column, hover your mouse cursor over the column’s heading, then click the arrow that appears on the right side of the heading, and select either Sort Ascending or Sort Descending.

Table 16: IP session table
GUI item: Description
Refresh: Refreshes the session list snapshot with the most current list.
Protocol: The protocol of the session according to the “protocol” ID number field (or, for IPv6, “next header”) in the IP header of the packets.
• icmp — 1 (Due to the speed of ICMP messages, this will almost never be seen in the session list.)
• tcp — 6
• udp — 17 (Due to the speed of UDP datagrams, this may be seen in the session list only rarely.)
From IP: The source of the session according to the source field in the IP header. If source NAT is occurring, this is not necessarily the IP in the original frame from the client.
From Port: The source port number. For a list of port numbers that can originate from the FortiRecorder NVR, see “Appendix A: Port numbers” on page 212.
To IP: The destination according to the destination field in the IP header. If destination NAT is occurring, this is not necessarily the IP in the original frame from the client.
To Port: The destination port number. For a list of port numbers that can be received by the FortiRecorder NVR, see “Appendix A: Port numbers” on page 212.
Expire (secs): The session timeout in seconds. The expiry counter is reset when packets are sent or received, indicating that the session is still active.

If you expect sessions that do not exist, be aware that some protocol designs (notably UDP) do not feature persistent connections. Their sessions will almost immediately expire and be removed from the session list, and therefore it may be very difficult to capture a session list snapshot during the brief moment that the datagram is being transmitted. TCP features persistent connections, where the socket is maintained until the data transmission either is confirmed to be finished or times out, and therefore TCP connections will persist in the session table for a much longer time.

If you still do not see the sessions that you expect, verify that your firewall or router allows traffic to or from those IP addresses, on all expected source and destination port numbers (see “Appendix A: Port numbers” on page 212).

If you see sessions with the FortiRecorder web UI or CLI that should not be allowed to exist, be sure to configure all accounts’ Trusted hosts setting.

Checking port assignments

If you are attempting to connect to FortiRecorder on a given network port, and the connection is expected to occur on a different port number, the connection will fail. For a list of ports used by FortiRecorder, see “Appendix A: Port numbers” on page 212.
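The section above says that a web UI or CLI session that should not exist points at the accounts' Trusted hosts setting. The following Python script is an added example (not part of the handbook and not Fortinet code) that checks a session snapshot, laid out in the columns of Table 16, against trusted-host definitions, and shows a weak definition beside its corrected form. Everything in it is constructed: 192.168.1.99 stands in for the NVR, the sessions and account names are invented, the administrative ports 443, 22 and 23 are the usual defaults rather than the handbook's Appendix A list, and the "/16 or wider is too broad" threshold is chosen for the demonstration.

```python
import ipaddress

# Constructed snapshot of the Sessions page in the columns of Table 16 (not captured data):
# (protocol, From IP, From Port, To IP, To Port, Expire (secs)); 192.168.1.99 stands in for the NVR.
SESSIONS = [
    ("tcp", "192.168.1.20", 51234, "192.168.1.99", 443, 3599),
    ("tcp", "10.9.9.9", 40001, "192.168.1.99", 22, 120),
    ("tcp", "192.168.1.30", 52000, "192.168.1.99", 443, 10),
    ("udp", "192.168.1.50", 5353, "192.168.1.99", 514, 2),
]

# Constructed trusted-host definitions per administrator account, as CIDR strings.
# The weak form: the "helpdesk" entry admits every address there is.
TRUSTED_HOSTS_WEAK = {
    "admin": ["192.168.1.0/24"],
    "helpdesk": ["0.0.0.0/0"],
}
# The corrected form: only the desk the helpdesk account actually logs in from.
TRUSTED_HOSTS_FIXED = {
    "admin": ["192.168.1.0/24"],
    "helpdesk": ["192.168.1.30/32"],
}

# Assumed administrative destination ports (standard defaults; the handbook's
# authoritative list is its Appendix A).
ADMIN_PORTS = {443: "web UI (HTTPS)", 22: "SSH", 23: "Telnet"}


def overly_broad(trusted: dict, min_prefix: int = 16) -> list:
    """Trusted-host entries wider than a /16 (threshold chosen for this example)."""
    out = []
    for account, cidrs in trusted.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen < min_prefix:
                out.append((account, cidr))
    return out


def audit_admin_sessions(sessions, trusted: dict, min_prefix: int = 16) -> list:
    """Classify each session to an administrative port against the trusted-host definitions.

    Returns (source IP, service, verdict, accounts whose trusted hosts admit the source).
    """
    nets = [(acct, ipaddress.ip_network(c, strict=False))
            for acct, cidrs in trusted.items() for c in cidrs]
    findings = []
    for _proto, src, _sport, _dst, dport, _expire in sessions:
        if dport not in ADMIN_PORTS:       # camera streams, syslog etc. are out of scope here
            continue
        ip = ipaddress.ip_address(src)
        matches = [(acct, net) for acct, net in nets if ip in net]
        if not matches:
            verdict = "not within any trusted host: should not exist"
        elif all(net.prefixlen < min_prefix for _, net in matches):
            verdict = "permitted only by an overly broad trusted host"
        else:
            verdict = "ok"
        findings.append((src, ADMIN_PORTS[dport], verdict, sorted({a for a, _ in matches})))
    return findings


if __name__ == "__main__":
    print("broad entries:", overly_broad(TRUSTED_HOSTS_WEAK))
    for f in audit_admin_sessions(SESSIONS, TRUSTED_HOSTS_WEAK):
        print(f)
```

With the weak definition the SSH session from 10.9.9.9 is reported as permitted only by the 0.0.0.0/0 entry; with the corrected definition the same session is reported as one that should not exist, which is the state in which the handbook's advice (fix the accounts' Trusted hosts) has been applied.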
Performing a packet trace

When troubleshooting malformed packet or protocol errors, it helps to look inside the protocol headers of packets to determine if they are traveling along the route you expect, and with the flags and other options you expect. Packet sniffing can also tell you if the FortiRecorder appliance is silently dropping packets.

To minimize the performance impact on your FortiRecorder appliance, use packet capture only during periods of minimal traffic, with a local console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished. For instructions, see “Packet capture” on page 176.

Resource issues

If FortiRecorder is experiencing sluggish or stalled performance, use the CLI to view a list of the most system-intensive processes. This may show processes that are hogging resources. For example:
diagnose system top delay 10
The above command generates a report of processes every 10 seconds. The report provides the process names, their process ID (pid), status, CPU usage, and memory usage. The report continues to refresh and display in the CLI window until you enter q (quit).

If a process quits unexpectedly, or expected functionality is not working even though it is enabled and configured, and you cannot diagnose the problem without more information, you can enable debug logging in order to provide details to Fortinet Technical Support so that they can resolve the issue. Typically this is done only if your configuration seems to be correct, and you suspect that you may have found either a hardware failure or software bug.

Due to their usually unnecessary nature, logs at the severity level of Debug are disabled and hidden. By default, the most verbose logging that is available from the web UI for any log type is the Information severity level. Debug logs can only be enabled and viewed from the CLI. Debug logging can be very resource intensive.

To generate debug logs
1. If you want to save the debug logs to a file, configure your terminal emulator or SSH client. The images below show how to configure PuTTY to save display output to a file after a connection has already been established. (Alternatively, you can configure these settings before establishing the connection.)
2. Set the verbosity level for the specific module whose debugging information you want to view, via a debug log command such as:
diagnose debug application camerad -1
3. Enable debug logs overall. Enter:
diagnose debug enable
Output will be displayed in the CLI. For example, while camerad debugging is enabled, you might occasionally see output such as:
FK200D00RD000001 # 12/12/17-11:22:46 got msg: cmd: 4, name: lobby: 3
12/12/17-11:22:46 status lobby: 6
12/12/17-11:22:46 got msg: cmd: 4, name: back: 3
12/12/17-11:22:46 status back: 3
12/12/17-11:22:56 start recording from rtsp://127.0.0.1:554/lobby to /var/spool/videos/FK200D3A12000006/lobby/normal/1355761375-0000000000-1-000-001.mp4, pid 12181
12/12/17-11:22:56 stop recording from rtsp://127.0.0.1:554/lobby to file /var/spool/videos/FK200D3A12000006/lobby/normal/1355750700-0000000000-1-000-001.mp4, pid 10959
12/12/17-11:22:56 created finalization thread 1098308464
12/12/17-11:22:56 finalizing /var/spool/videos/FK200D3A12000006/lobby/normal/1355750700-0000000000-1-000-001.mp4
12/12/17-11:22:56 waiting for process 10959 to finish
12/12/17-11:23:00 finalization thread 1098308464 finished, ret: OK
4. The CLI will display debug logs as they occur until you either:
• Disable it by either typing:
diagnose debug disable
or setting all modules’ debug log verbosity back to 0. To reset all verbosity levels simultaneously, you can use the command:
diagnose debug reset
• Close your terminal emulator, thereby ending your administrative session.
• Send a termination signal to the console by pressing Ctrl+C.

Login issues

If the person cannot access the login page at all, it is usually actually a connectivity issue (see “Ping & traceroute” on page 174 and “Configuring the network settings” on page 53), unless all accounts are configured to accept logins only from specific IP addresses (see “Trusted hosts” on page 86).

If the person has lost or forgotten his or her password, the admin account can reset other accounts’ passwords (see “Resetting passwords” on page 202).

When an administrator account cannot log in from a specific IP

If an administrator is entering his or her correct account name and password, but cannot log in from some or all computers, examine that account’s trusted host definitions (see “Trusted hosts” on page 86). It should include all locations where that person is allowed to log in, such as your office, but should not be too broad.

Resetting passwords

If someone has forgotten or lost his or her password, or if you need to change an account’s password, the admin administrator can reset the password.

If you forget the password of the admin administrator, however, you will not be able to reset its password through the web UI. You can either:
• reset the FortiRecorder NVR to its default state (including the default administrator account and password) by restoring the firmware. For instructions, see “Restoring firmware (“clean install”)” on page 209.
• connect to the local console, and set the password (see “To reset the admin account’s password” on page 203).

To reset an account’s password
1. Log in as the admin administrator account.
2. Go to System > User > User.
3. Click the row to select the account whose password you want to change.
4. Click Edit.
5. In the New Password and Confirm Password fields, type the new password.
6. Click OK.
The new password takes effect the next time that account logs in.

To reset the admin account’s password
1. Find the serial number of the FortiRecorder NVR. This is usually on the bottom of the appliance. If you have previously registered the appliance with Fortinet Technical Support, you can also retrieve it from the web site.
2. On your computer, copy the serial number. This is so that you are ready to quickly paste it into the terminal emulator. (Typing it slowly may cause the login to time out.) The serial number is case sensitive.
3. On your management computer, start a terminal emulator such as PuTTY. For details, see “To connect to the CLI using a local console connection” on page 40.
4. Power off the FortiRecorder NVR.
5. While the appliance is shut down, connect the local console port of your appliance to your computer.
6. Power on the FortiRecorder NVR. Power on self-test (POST) and other messages should begin to appear in the console.
7. Between 15 - 30 seconds after the login prompt appears, immediately enter:
maintainer
then enter:
bcpb<serial-number_str>
where <serial-number_str> is the serial number. (If you have copied it, in PuTTY, you can right-click to quickly paste it, instead of typing it in. This will prevent the login from timing out.)
If you are successful, the CLI will welcome you, and you can then enter the following commands to reset the admin account’s password:
config system admin
edit admin
set password <new-password_str>
end
exit
where <new-password_str> is the password for the administrator account named admin.
If you do not enter both the correct user name and the password within the correct time frame, the console will display an error message:
The hashed password length is invalid
To attempt the login again, power cycle the appliance.

Data storage issues

If FortiRecorder cannot locally store any data such as logs, reports, and video, it might have a damaged or corrupted hard disk. For fixes, see “Hard disk corruption or failure” on page 205.

If FortiRecorder has been storing data but has suddenly stopped, first verify that FortiRecorder has not used all of its local storage capacity by entering this CLI command:
diagnose hardware sysinfo df
which will include disk usage for all mounted file systems, such as:
Filesystem           Size  Used Avail Use% Mounted on
none                 180M  104M   77M  58% /
none                    0     0     0      /proc
none                    0     0     0      /sys
none                    0     0     0      /dev/pts
none                  10M   32K   10M   1% /dev/shm
/dev/sdb1            284M   54M  230M  19% /data
/dev/sda2             92G  333M   87G   1% /var/log
/dev/sda3            824G  118G  665G  16% /var/spool
//172.16.10.200/NVR  226G   25G  201G  11% /mnt/remote

To free disk space, delete files such as old reports and video that you no longer need.

You can use alerts to notify you when FortiRecorder has almost consumed its hard disk space. See “SNMP Event” on page 149 and “Disk is full” on page 104.

You can also configure FortiRecorder to overwrite old logs rather than stopping logging when the disk is full. See “Log options when disk is full” on page 112. (Keep in mind, however, that this may not prevent full disk problems for other features.)

If a full disk is not the problem, examine the configuration to determine if an administrator has disabled those features that store data. If neither of those indicates the cause of the problem, verify that the disk’s file system has not been mounted in read-only mode, which can occur if the hard disk is experiencing problems with its write capabilities (see “Hard disk corruption or failure” on page 205).
Hard disk corruption or failure

FortiRecorder appliances usually have multiple disks. FortiRecorder stores its firmware (operating system) and configuration files in a flash disk, but most models of FortiRecorder also have an internal hard disk or RAID that is used to store non-configuration/firmware data such as logs and video data.

Depending on the cause of failure, you may be able to fix the problem.

To determine if one of FortiRecorder’s internal disks may either:
• have become corrupted
• have experienced mechanical failure
enter these commands:
diagnose system file-system fscheck logdisk
diagnose system file-system fsreport logdisk
or:
diagnose system file-system fscheck videodisk
diagnose system file-system fsreport videodisk

If the file system check reports any minor errors, enter this command:
diagnose system file-system fsfix logdisk
or:
diagnose system file-system fsfix videodisk
Pressing the Enter key will cause FortiRecorder to check the hard disk’s file system to attempt to resolve any problems discovered with that disk’s file system, and to determine if the disk can be mounted (mounted disks should appear in the internal list of mounted file systems, /etc/mtab).

Depending on the degree of failure, FortiRecorder may appear to be partially functional. You may notice that you cannot connect at all. If you can connect, you may notice that features such as reports do not work.

If the problem occurs while FortiRecorder is still running (or after an initial reboot and attempt to repair the file system), in the CLI, enter:
diagnose hardware sysinfo
which will include the number and names of mounted file systems. For example, on a FortiRecorder 200D with a single properly functioning internal hard disk plus its internal flash disk, this command should show:
### Disk info
major minor  #blocks  name
   8     0  976762584 sda
   8     1    2000061 sda1
   8     2   97470703 sda2
   8     3  877240234 sda3
   8    16    1965056 sdb
   8    17     300000 sdb1
   8    18     300000 sdb2
where sda and sdb are the hard disk partitions used to store non-configuration/firmware data.

If that command does not list the data disk’s file systems, FortiRecorder did not successfully mount it. If the data disk’s file system is listed and appears to be the correct size, FortiRecorder could mount it. However, there still could be other problems preventing the file system from functioning, such as being mounted in read-only mode, which would prevent new logs and other data from being recorded. Try to reboot and run the file system check.

If the file system could not be fixed by the file system check, it may be physically damaged or components may have worn out prematurely. Most commonly, this is caused by either:
• failing to shut down FortiRecorder’s operating system before disconnecting the power (e.g. someone pulled the power plug while FortiRecorder was running)
• logging misconfiguration (e.g. logging very frequent logs like information logs or debug logs for an extended period of time to the local hard drive)
For hardware replacement, contact Fortinet Customer Service: https://support.fortinet.com

To prevent file system corruption in the future, and to prevent possible physical damage, always make sure to shut down FortiRecorder’s operating system before disconnecting the power.

Power supply failure

If you have supplied power, but the power indicator LEDs are not lit and the hardware has not started, the power supply may have failed. Contact Fortinet Customer Service: https://support.fortinet.com
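The "Data storage issues" section above reads the output of diagnose hardware sysinfo df for a full file system, and the section just above reads the "### Disk info" table of diagnose hardware sysinfo for a data disk the appliance could not mount. The following Python script is an added example (not part of the handbook and not Fortinet code) that parses both listings and raises the two checks an operator would automate from a captured console session. The listings are constructed in the layout of the handbook's samples: the /var/spool usage is raised to 91% to trip the alert, "-" marks pseudo file systems without a Use% value, and the 80% threshold and the expected mount points /var/log and /var/spool are assumptions taken from the sample above.

```python
import re

# Constructed output in the layout of "diagnose hardware sysinfo df" (not captured).
# /var/spool usage was raised to trip the alert; "-" marks pseudo file systems.
DF_OUTPUT = """Filesystem           Size  Used Avail Use% Mounted on
none                 180M  104M   77M  58% /
none                    0     0     0   -  /proc
none                    0     0     0   -  /sys
none                    0     0     0   -  /dev/pts
none                  10M   32K   10M   1% /dev/shm
/dev/sdb1            284M   54M  230M  19% /data
/dev/sda2             92G  333M   87G   1% /var/log
/dev/sda3            824G  751G   73G  91% /var/spool
//172.16.10.200/NVR  226G   25G  201G  11% /mnt/remote
"""

# Constructed "### Disk info" blocks in the layout shown for a FortiRecorder 200D.
DISK_INFO_OK = """### Disk info
major minor  #blocks  name
   8     0  976762584 sda
   8     1    2000061 sda1
   8     2   97470703 sda2
   8     3  877240234 sda3
   8    16    1965056 sdb
   8    17     300000 sdb1
   8    18     300000 sdb2
"""
DISK_INFO_NO_DATA_DISK = """### Disk info
major minor  #blocks  name
   8    16    1965056 sdb
   8    17     300000 sdb1
   8    18     300000 sdb2
"""


def parse_df(output: str) -> dict:
    """Map mount point -> (filesystem, use percentage or None for pseudo file systems)."""
    mounts = {}
    for line in output.splitlines()[1:]:        # skip the header line
        fields = line.split()
        if len(fields) < 6:
            continue
        pct = re.fullmatch(r"(\d+)%", fields[4])
        mounts[fields[5]] = (fields[0], int(pct.group(1)) if pct else None)
    return mounts


def disk_alerts(output: str, threshold: int = 80,
                required=("/var/log", "/var/spool")) -> list:
    """Usage at or above the threshold (assumed 80%), plus log/video mounts that are absent."""
    mounts = parse_df(output)
    alerts = [f"{mp} is {pct}% full ({fs})" for mp, (fs, pct) in mounts.items()
              if pct is not None and pct >= threshold]
    alerts += [f"{mp} is not mounted" for mp in required if mp not in mounts]
    return alerts


def parse_disk_info(output: str) -> dict:
    """Map device name -> #blocks from the '### Disk info' table."""
    devices = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].isdigit():   # "8 0 976762584 sda"
            devices[fields[3]] = int(fields[2])
    return devices


def missing_data_disks(output: str, expected=("sda", "sdb")) -> list:
    """Data disks the kernel did not enumerate: a missing one was not mounted at boot."""
    present = parse_disk_info(output)
    return [dev for dev in expected if dev not in present]


if __name__ == "__main__":
    print(disk_alerts(DF_OUTPUT))
    print(missing_data_disks(DISK_INFO_OK), missing_data_disks(DISK_INFO_NO_DATA_DISK))
```

A mount that is present but read-only does not show in df output at all; that case still needs the fscheck/fsreport commands above.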
Bootup issues

While FortiRecorder is booting up, hardware and firmware components must be present and functional, or startup will fail. During startup, after FortiRecorder loads its boot loader, FortiRecorder will attempt to mount its data disk. If it cannot, you will have the opportunity to attempt to recover the disk.

Power disruption while the OS is running can cause damage to the disks and/or software. Always halt (shut down) the FortiRecorder OS before disconnecting the power.

After powering on, if the power indicator LEDs are lit but a few minutes have passed and you still cannot connect to the FortiRecorder appliance through the network using CLI or the web UI, you can either:
• restore the firmware (see “Restoring firmware (“clean install”)” on page 209). This solves most typically occurring issues.
• verify that FortiRecorder can successfully complete bootup

To verify bootup, connect your computer directly to FortiRecorder’s local console port, then on your computer, open a terminal emulator such as PuTTY. Configure it to log all printable console output to a file so that you have a copy of the console's output messages in case you need to send it to Fortinet Technical Support. Once connected, power cycle the appliance and observe the FortiRecorder’s output to your terminal emulator. You will be looking for some specific diagnostic indicators.

1. Are there console messages but text is garbled on the screen? If yes, verify your terminal emulator’s settings are correct for your hardware. Typically, these are baud rate 9600, data bits 8, parity none, stop bits 1.
2. Does the hardware successfully complete the hardware power on self test (POST) and BIOS memory tests? If not, you may need to replace the hardware. For assistance, contact Fortinet Customer Service: https://support.fortinet.com
3. Does the boot loader start? You should see a message such as:
FortiBootLoader
FortiRecorder-200D (17:52-09.08.2011)
Ver:00010018
Serial number:FK200D00RD000001
Total RAM: 3072MB
Boot up, boot device capacity: 1880MB.
Press any key to display configuration menu...
When pressing a key during the boot loader, do you see the following boot loader options?
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
Please connect TFTP server to Ethernet port "1".
If the boot loader does not start, you may need to restore it. For assistance, contact Fortinet Technical Support: https://support.fortinet.com
4. Can the boot loader read the image of the OS software in the selected boot partition (primary or backup/secondary, depending on your selection in the boot loader)? You should see a message such as the following:
Reading boot image 2479460 bytes.
Initializing FortiRecorder...
System is started.
If not, the image may be corrupted. Reboot and use the boot loader to switch to the other partition, if any (see “Booting from the alternate partition” on page 49). If this is not possible, format the boot partition, and try again. If you still cannot restore the firmware, there could be either a boot loader or disk issue. Contact Fortinet Technical Support: https://support.fortinet.com
5. Does the login prompt appear? You should see a prompt like this:
FortiRecorder login:
If not, or if the login prompt is interrupted by error messages, restore the OS software (see “Restoring firmware (“clean install”)” on page 209). If restoring the firmware does not solve the problem, there could be a data or boot disk issue. Contact Fortinet Technical Support: https://support.fortinet.com
6. If you can see and use the login prompt on the local console, but cannot successfully establish a session through the network (web UI, SSH or Telnet), first examine a backup copy of the configuration file to verify that it is not caused by a misconfiguration. The network interface and administrator accounts must be configured to allow your connection and login attempt (see “Configuring the network settings” on page 53 and “Trusted hosts” on page 86). If the configuration appears correct, but no network connections are successful, first try restoring the firmware to rule out corrupted data that could be causing problems (see “Restoring firmware (“clean install”)” on page 209). You can also use this command to verify that resource exhaustion is not the problem:
diagnose system top delay 5
The process system usage statistics continue to refresh and display in the CLI until you press q (quit). If you recently upgraded the firmware, try downgrading by restoring the previously installed, last known good, version. If the firmware cannot be successfully restored, contact Fortinet Technical Support: https://support.fortinet.com
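The six-step checklist above asks you to log the console to a file and look for specific indicators in order. The following Python script is an added example (not part of the handbook and not Fortinet code) that reads such a PuTTY log, reports the last indicator reached, and returns the checklist's next step for the first one that is missing; it also pulls the boot loader's version, serial number and RAM figures out of the banner for a support case. The sample logs are constructed after the messages quoted above, the "garbled" test uses an invented 20% non-printable threshold, and the POST stage is not checked because the handbook quotes no POST text.

```python
import re

# Indicators from the handbook's bootup checklist, in console order, each paired with the
# handbook's next step when that indicator is missing. (POST output is not quoted, so not checked.)
STAGES = [
    ("boot loader", "FortiBootLoader",
     "boot loader did not start: it may need to be restored; contact Fortinet Technical Support"),
    ("boot menu", "Press any key to display configuration menu",
     "boot loader did not reach its menu: contact Fortinet Technical Support"),
    ("boot image", "Reading boot image",
     "boot loader could not read the OS image: switch to the other partition, "
     "or format the boot partition and restore firmware"),
    ("OS started", "System is started.",
     "OS image did not start: the image may be corrupted; reboot to the alternate partition, "
     "or format the boot partition and restore the firmware"),
    ("login prompt", "FortiRecorder login:",
     "no login prompt: restore the firmware (clean install); if that does not help, "
     "suspect a data or boot disk issue"),
]
_BANNER = re.compile(r"^(Ver|Serial number|Total RAM):\s*(\S+)", re.M)

# Constructed console logs (not captured) after the messages quoted in the checklist.
GOOD_LOG = """FortiBootLoader

FortiRecorder-200D (17:52-09.08.2011)
Ver:00010018
Serial number:FK200D00RD000001
Total RAM: 3072MB
Boot up, boot device capacity: 1880MB.
Press any key to display configuration menu...
......
Reading boot image 2479460 bytes.
Initializing FortiRecorder...
System is started.

FortiRecorder login:
"""
STUCK_LOG = GOOD_LOG.split("Initializing")[0]      # cut off right after "Reading boot image"
GARBLED_LOG = "\x00\xff\x7f\xfe" * 20               # what wrong serial settings look like


def looks_garbled(text: str, max_bad_ratio: float = 0.2) -> bool:
    """Many unprintable or non-ASCII characters usually mean wrong serial settings (9600 8N1)."""
    if not text:
        return False
    bad = sum(1 for ch in text if not (32 <= ord(ch) < 127 or ch in "\r\n\t"))
    return bad / len(text) > max_bad_ratio


def banner_fields(text: str) -> dict:
    """Version, serial number and RAM from the FortiBootLoader banner, for a support case."""
    return {k: v for k, v in _BANNER.findall(text)}


def check_boot_log(text: str) -> dict:
    """Report the last indicator seen and the checklist's recommended next step."""
    if looks_garbled(text):
        return {"reached": None,
                "next_step": "console text garbled: check terminal settings "
                             "(baud 9600, 8 data bits, no parity, 1 stop bit)"}
    reached = None
    for name, marker, action in STAGES:
        if marker not in text:
            return {"reached": reached, "next_step": action}
        reached = name
    return {"reached": reached,
            "next_step": "bootup completed: if no network session works, check the network "
                         "and Trusted hosts configuration, then 'diagnose system top delay 5'"}


if __name__ == "__main__":
    for log in (GOOD_LOG, STUCK_LOG, GARBLED_LOG):
        print(check_boot_log(log))
    print(banner_fields(GOOD_LOG))
```

Run it on the file PuTTY wrote during the power cycle; a log that stops after "Reading boot image" is reported as stuck at the image stage with the step 4 remedy.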
if any (see “Booting from the alternate partition” on page 49). or if you are not sure what part of your configuration is causing a problem. there could be a data or boot disk issue.1 Handbook . first try restoring the firmware to rule out corrupted data that could be causing problems (see “Restoring firmware (“clean install”)” on page 209). If the boot loader does not start. you may need to restore it. SSH or Telnet). contact Fortinet Technical Support: https://support. but cannot successfully establish a session through the network (web UI.fortinet.com 5. connect the appliance’s local console port to a terminal server to which you have network access. see “Backups” on page 117.) Back up your configuration before beginning this procedure. For information on reconnecting your cameras. restoring firmware can only be done during a boot interrupt. you may not be able to power cycle the appliance if abnormalities occur. (If you have not updated the firmware. To reset your cameras’ configuration. see “Connecting to the web UI or CLI” on page 37. For information on backups. you will be able to use the appliance’s local console through it. Restoring firmware (“clean install”) Restoring the firmware can be useful if: • you are unable to connect to the FortiRecorder appliance using the web UI or the CLI • you want to install firmware without preserving any existing configuration (i. connect to the CLI and enter these commands: config camera devices edit <camera_name> set status disable end execute camera factoryreset <camera_name> To delete your data from the NVR. Also. Fortinet Technologies Inc. if possible.e. see “Connecting with the cameras” on page 75. including the signatures that were current at the time that the firmware image file was created.1 Handbook . this is the same as resetting to the factory default settings. connect to the CLI and enter this command: execute factoryreset Alternatively. 
a “clean install”) • a firmware version that you want to install requires a different size of system partition (see the Release Notes accompanying the firmware) • a firmware version that you want to install requires that you format the boot device (see the Release Notes accompanying the firmware) Unlike updating firmware. connect to the CLI and enter this command: execute formatlogdisk To reset the NVR’s configuration. if you cannot physically access the appliance’s local console connection. restoring firmware re-images the boot device. See “Restoring firmware (“clean install”)” on page 209. However. before network connectivity is available. you can reset the NVR’s configuration to its default values for a specific software version by restoring the firmware during a reboot (a “clean install”). It cannot be done through an SSH or Telnet connection. Once you have used a client to connect to the terminal server over the network. Resetting the configuration could include the IP addresses of network interfaces. Alternatively. and therefore requires a local console connection to the CLI.erase data. Page 209 FortiRecorder 1. For information on reconnecting to a FortiRecorder appliance whose network interface configuration was reset. be aware that from a remote location. 3. 6. 4.168 is the IP address of the TFTP server. Enter the following command to restart the FortiRecorder appliance: execute reboot 9. enter the following command: execute ping 192. Initiate a local console connection from your management computer to the CLI of the FortiRecorder appliance.com/ 2. see “Connecting to the web UI or CLI” on page 37. Mac OS X. which could include the IP addresses of network interfaces. If you successfully interrupt the startup process.168 where 192.fortinet. Connect port1 of the FortiRecorder appliance directly or to the same subnet as a TFTP server. you should only run it on trusted administrator-only networks.... see “Connecting to the web UI or CLI” on page 37. 
For information on reconnecting to a FortiRecorder appliance whose network interface configuration was reset. Download the firmware file from the Fortinet Technical Support web site: https://support.. Immediately press a key to interrupt the system startup.1 Handbook .) Because TFTP is not secure. Connect your management computer to the FortiRecorder console port using a RJ-45-to-DB-9 serial cable or a null-modem cable. a series of system startup messages appear. Restoring firmware resets the configuration. Format boot device. For information on backups.1.. Boot with backup firmware and set as default. see “Backups” on page 117.. Display this list of options. If you do not press a key soon enough. If necessary.168. and log in as the admin administrator.1. 1. Press any key to display configuration menu. if possible. never on computers directly connected to the Internet. the FortiRecorder appliance reboots and you must log in and repeat the execute reboot command.. 10. Verify that the TFTP server is currently running. 8. To use the FortiRecorder CLI to verify connectivity. Quit menu and continue to boot with default firmware. You have only 3 seconds to press a key. 7.To restore the firmware Back up your configuration before beginning this procedure. Page 210 FortiRecorder 1. start your TFTP server. (If you do not have one. you can temporarily install and run one such as tftpd (Windows. or an administrator account whose access profile contains Read and Write permissions in the Maintenance category. As the FortiRecorder appliances starts. 5. If possible. and because it does not support authentication and could allow anyone to have read and write access. immediately turn off tftpd off when you are done. Copy the new firmware image file to the root directory of the TFTP server. the following messages appears: [G]: [F]: [B]: [Q]: [H]: Fortinet Technologies Inc. Get firmware image from TFTP server. and that the FortiRecorder appliance can reach the TFTP server.168. 
or Linux) on your management computer. For details. 168. and the settings are not fully backwards compatible. Format the boot disk before continuing. The time required varies by the size of the file and the speed of your network connection.Q. log in to the CLI and type: get system status The firmware version number is displayed. The following message appears: Enter firmware image file name [image. For details. Type D. 18. 17. Fortinet Technologies Inc. Either reconfigure the FortiRecorder appliance or restore the configuration file.B. type F. The FortiRecorder appliance downloads the firmware image file from the TFTP server and displays a message similar to the following: Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]? 16. If you are downgrading the firmware to a previous version. To verify that the firmware was successfully installed.out]: 15.or H: Please connect TFTP server to Ethernet port "1". The FortiRecorder appliance installs the firmware and restarts. or use the feature’s default values for that version of the firmware. see “How to set up your FortiRecorder NVR & cameras” on page 33 and “Restoring a previous configuration” on page 119. The FortiRecorder appliance downloads the firmware image file from the TFTP server. If the firmware version requires that you first format the boot device before installing firmware. 11. Type the file name of the firmware image and press Enter. Type a temporary IP address that can be used by the FortiRecorder appliance to connect to the TFTP server. 12.1. Page 211 FortiRecorder 1.168]: 13.1. The FortiRecorder appliance reverts the configuration to default values for that version of the firmware.Enter G. Type the IP address of the TFTP server and press Enter. You may need to reconfigure some settings. the FortiRecorder appliance may either remove incompatible settings.168.188]: 14. Type G to get the firmware image from the TFTP server.F. The following message appears: Enter TFTP server address [192. 
The following message appears: Enter local address [192.1 Handbook . and firmware updates. Sending network settings and recording signals to cameras. See “Configuring the network interfaces” on page 53. 80 HTTP 123 443 UDP HTTPS 514 554 UDP TCP/UDP Table 18: Default ports used by FortiRecorder for incoming traffic (listening) Port number Protocol N/A 21 22 23 ICMP TCP TCP TCP Purpose ping and traceroute responses. See “Configuring the network interfaces” on page 53. FTP for receiving motion detection clips from cameras. SSH administrative CLI access. TFTP for backups. . See “Configuring logging” on page 110. DNS queries. restoration. See commands such as execute backup or execute restore. Multicast to 239. Syslog. See “Configuring DNS settings” on page 62. Sending network settings and recording signals to cameras. execute ping and execute traceroute. protected web servers.255. Telnet administrative CLI access. Table 17: Default ports used by FortiRecorder for outgoing traffic Port number Protocol 1900 N/A 25 53 69 UDP ICMP TCP UDP UDP Purpose Discovery of cameras via uPNP. clients. Page 212 FortiRecorder 1. and FortiGuard Distribution Network (FDN) require that any routers and firewalls between them permit specific protocols and port numbers. NTP synchronization. See “Connecting with the cameras” on page 75. The following tables list the default port assignments used by FortiRecorder. See “Connecting with the cameras” on page 75.1 Handbook Fortinet Technologies Inc.Appendix A: Port numbers Communications between the FortiRecorder appliance.250. See “Configuring notification email” on page 102.255. SMTP for alert email and snapshot notifications. See “Configuring the network interfaces” on page 53. See “Connecting with the cameras” on page 75. Controlling video recording (RTCP). See “Setting the system time & date” on page 72. See “Configuring the network interfaces” on page 53 and “How to use the web UI” on page 11. Page 213 FortiRecorder 1. 
Receiving video from cameras (RTP). Only occurs if the destination address is a network interface’s IP address.Table 18: Default ports used by FortiRecorder for incoming traffic (listening) Port number Protocol 80 TCP Purpose HTTP administrative web UI access. Video feeds (RTP) in the HTTP/HTTPS administrative web UI. See “Connecting with the cameras” on page 75. 443 TCP Dynamic 554 UDP TCP Fortinet Technologies Inc. HTTPS administrative web UI access.1 Handbook . See “Configuring the network interfaces” on page 53 and “How to use the web UI” on page 11. See “Monitoring your system” on page 139. Appendix B: Maximum configuration values This table shows the maximum number of configuration objects or limits that vary by them. see your model’s QuickStart Guide. Page 214 FortiRecorder 1. For values such as hardware specifications that do not vary by software version or configuration.1 Handbook . Table 19: Maximum configuration objects FortiRecorder model FortiRecorder 200D Cameras connected Total network interfaces Routes Administrator accounts 16 10 250 50 Fortinet Technologies Inc. and are not a guarantee of performance. 164 firmware 48 password 168 video 118. 154 age of logs 111 of video 79. 87. 185 attack brute force login 86 man-in-the-middle 131 ping 56 attribute 31 100. 86 administrator "admin" account 38. 119 baud rate 40 best practices 60. 75. 142 tos 177 bits per second (bps) 40 black video 141 Blowfish 40 blurry video 141 boot device 209 interrupt 40. 190 ARP table 189 troubleshooting 189 ASCII 177 B backup 172 configuration 117. 38 application layer 60. 212 severity level 161 upon motion detection 102 upon NVR appliance events 102 algorithm SSL/TLS 127 ambiguous command 19. 48 password 51. 89 administrator 87 local 87 RADIUS 87. 51 account 45. 40 -61 20 802. 84. 89 SNMP 153. error 39 -284 18. 24 -39 20 3DES 39. 92.1 Handbook Fortinet Technologies Inc. 40. 61. 85 permissions 51 trusted host 86 AES 39. 185. 185 Safari 11. 
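The bootup checklist in the troubleshooting section above asks you to log the console output to a file and look for specific messages in a fixed order. The following script is an added example (not from the handbook or Fortinet): it reads such a capture, reports the furthest checklist milestone reached and the checklist step that applies next. The milestone strings are the console messages quoted in the checklist; the sample capture is constructed, and the 20% non-printable threshold for "garbled" text is an assumption.

```python
"""Classify a saved FortiRecorder console capture by the furthest bootup milestone reached.

Added example (not from the handbook): the milestone strings are the console messages
the troubleshooting checklist tells you to look for; the sample capture is constructed.
"""
import re

# (stage, pattern, checklist step it satisfies, what the handbook says to look for next)
MILESTONES = [
    ("boot_loader", re.compile(r"^FortiBootLoader"), 2,
     "Boot loader banner seen; next expect the [G]/[F]/[B]/[Q]/[H] menu when a key is pressed (step 3)."),
    ("menu", re.compile(r"^\[G\]: Get firmware image from TFTP server"), 3,
     "Boot loader menu works; next expect 'Reading boot image' (step 4)."),
    ("image", re.compile(r"^Reading boot image \d+ bytes"), 4,
     "OS image read; next expect 'System is started' and the login prompt (step 5). "
     "If it stops here the image may be corrupted: try the other partition or restore the firmware."),
    ("started", re.compile(r"^System is started"), 4,
     "OS started; next expect 'FortiRecorder login:' (step 5)."),
    ("login", re.compile(r"^FortiRecorder login:"), 5,
     "Login prompt reached. If the network is still unreachable, check the saved configuration "
     "(interfaces, trusted hosts) and run 'diagnose system top delay 5' (step 6)."),
]


def looks_garbled(text, threshold=0.2):
    """Step 1 heuristic (assumed threshold): a large share of non-printable characters
    usually means the terminal's serial settings do not match the console port."""
    if not text:
        return False
    bad = sum(1 for ch in text if not (ch.isprintable() or ch in "\r\n\t"))
    return bad / len(text) > threshold


def classify(capture):
    """Return the furthest milestone found in the capture and the matching next action."""
    lines = [line.strip() for line in capture.splitlines()]
    result = {"stage": "none", "step": 0, "garbled": looks_garbled(capture),
              "advice": "No boot loader banner. If the text is garbled, check the serial settings "
                        "(step 1); otherwise the boot loader or hardware may need attention (step 2)."}
    # Milestones are listed in boot order, so the last one found is the furthest reached.
    for stage, pattern, step, advice in MILESTONES:
        if any(pattern.search(line) for line in lines):
            result.update(stage=stage, step=step, advice=advice)
    return result


# Constructed capture: boot loader and image read succeed, then nothing more arrives.
SAMPLE_CAPTURE = """\
FortiBootLoader
FortiRecorder-200D (17:52-09.08.2011)
Ver:00010018
Serial number:FK200D00RD000001
Total RAM: 3072MB
Reading boot image 2479460 bytes.
Initializing FortiRecorder...
"""

if __name__ == "__main__":
    verdict = classify(SAMPLE_CAPTURE)
    print("stage=%(stage)s step=%(step)d garbled=%(garbled)s" % verdict)
    print(verdict["advice"])
```

Run it against the file your terminal emulator wrote; a capture that stops at "Reading boot image" is classified as stage "image", which points at step 4 of the checklist (corrupt image: other partition, then firmware restore).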
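Step 7 of the firmware-restore procedure says to verify that the TFTP server is running and reachable before you reboot into the 3-second boot interrupt, and the procedure notes that TFTP has no authentication. The following preflight check is an added example, not from the handbook or Fortinet: it sends a single RFC 1350 read request (octet mode) for the image file using only the Python standard library, accepts the first DATA block as proof the server serves the file, and then aborts the transfer with a TFTP ERROR packet so the image is not downloaded a second time. The server address 192.168.1.168 and file name image.out are the defaults shown in the procedure's prompts and are assumptions here.

```python
"""Preflight check for a TFTP firmware server (added example; plain RFC 1350 with stdlib only)."""
import socket
import struct

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
TFTP_PORT = 69


def build_rrq(filename, mode="octet"):
    """RRQ packet: opcode 1, filename, NUL, transfer mode, NUL."""
    return (struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def build_error(code=0, message="transfer aborted by preflight check"):
    """ERROR packet: opcode 5, error code, message, NUL. Code 0 is 'not defined'."""
    return struct.pack("!HH", OP_ERROR, code) + message.encode("ascii") + b"\0"


def parse_response(datagram):
    """Decode the server's reply.

    Returns ("data", block, payload) for a DATA packet, ("error", code, message)
    for an ERROR packet, or ("unexpected", opcode, b"") for anything else."""
    if len(datagram) < 4:
        raise ValueError("short TFTP packet")
    opcode = struct.unpack("!H", datagram[:2])[0]
    if opcode == OP_DATA:
        block = struct.unpack("!H", datagram[2:4])[0]
        return ("data", block, datagram[4:])
    if opcode == OP_ERROR:
        code = struct.unpack("!H", datagram[2:4])[0]
        message = datagram[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return ("error", code, message)
    return ("unexpected", opcode, b"")


def check_tftp_server(server_ip="192.168.1.168", filename="image.out", timeout=3.0):
    """Send one RRQ and succeed only if DATA block 1 comes back. Returns (ok, detail)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_rrq(filename), (server_ip, TFTP_PORT))
        # The reply arrives from a fresh server-side port (its transfer ID), not port 69.
        datagram, peer = sock.recvfrom(65535)
        kind, num, payload = parse_response(datagram)
        if kind == "data" and num == 1:
            sock.sendto(build_error(), peer)  # we only wanted proof the file is served
            return True, "server %s serves %s (first block %d bytes)" % (peer[0], filename, len(payload))
        if kind == "error":
            return False, "server error %d: %s" % (num, payload)
        return False, "unexpected TFTP opcode %d" % num
    except socket.timeout:
        return False, ("no reply from %s:%d within %.1fs (server not running, firewalled, "
                       "or unreachable from this host)" % (server_ip, TFTP_PORT, timeout))
    except OSError as exc:
        return False, "socket error: %s" % exc
    finally:
        sock.close()


if __name__ == "__main__":
    ok, detail = check_tftp_server()
    print(("OK: " if ok else "FAIL: ") + detail)
```

Run this from the management computer on the same administrator-only subnet as the TFTP server; it exercises the same path the appliance will use after you type G, so a timeout here means the boot-loader download would also fail. Because the server replies from a new port, a stateful firewall between the two hosts must allow that return traffic, which is one more reason to keep the TFTP server on the isolated network the procedure calls for.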
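Tables 17 and 18 above are what a firewall or detection rule for the NVR should be derived from. The following script is an added example (not from the handbook or Fortinet) that encodes both tables as allowlists and checks observed flows against them, so that a firewall rule set or an alert can be written from the reported exceptions. The flow-record format, the NVR address 192.168.1.10, the camera subnet 192.168.2.0/24 and the trusted administrator host 192.168.1.50 are constructed assumptions; HTTP and HTTPS in Table 17 are treated as TCP, and the "Dynamic" UDP entry in Table 18 is treated as any UDP port from a camera.

```python
"""Check flow records against the FortiRecorder default port tables (added example)."""
import ipaddress

# Constructed assumptions for the sample environment.
NVR_IP = ipaddress.ip_address("192.168.1.10")
CAMERA_NET = ipaddress.ip_network("192.168.2.0/24")
ADMIN_HOSTS = {ipaddress.ip_address("192.168.1.50")}   # the appliance's "trusted hosts"
ADMIN_PORTS = {22, 23, 80, 443}                        # SSH, Telnet, HTTP and HTTPS admin access

# Table 17, outgoing traffic (NVR is the source): (protocol, destination port).
# HTTP/HTTPS rows are taken as TCP; ICMP has no port.
OUTGOING = {
    ("udp", 1900), ("icmp", None), ("tcp", 25), ("udp", 53), ("udp", 69),
    ("tcp", 80), ("udp", 123), ("tcp", 443), ("udp", 514),
    ("tcp", 554), ("udp", 554),
}
# Table 18, incoming traffic (NVR is the destination). The "Dynamic" UDP row is
# handled separately below because it has no fixed port.
INCOMING = {
    ("icmp", None), ("tcp", 21), ("tcp", 22), ("tcp", 23),
    ("tcp", 80), ("tcp", 443), ("tcp", 554),
}


def classify_flow(record):
    """Classify one 'proto src sport dst dport' record. Returns (verdict, reason)."""
    proto, src, _sport, dst, dport = record.split()
    proto = proto.lower()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    key = None if proto == "icmp" else int(dport)

    if src == NVR_IP:
        if (proto, key) in OUTGOING:
            note = ""
            if key == 69:
                note = " (TFTP: expected only while a backup, restore or firmware update is running)"
            return "expected-out", "Table 17 lists %s/%s%s" % (proto, dport, note)
        return "unexpected-out", "%s/%s is not in Table 17" % (proto, dport)

    if dst == NVR_IP:
        if (proto, key) in INCOMING:
            if key in ADMIN_PORTS and src not in ADMIN_HOSTS:
                return "admin-from-untrusted", "administrative port %s from %s, not a trusted host" % (dport, src)
            return "expected-in", "Table 18 lists %s/%s" % (proto, dport)
        if proto == "udp" and src in CAMERA_NET:
            return "expected-in", "dynamic UDP from a camera (RTP video, Table 18)"
        return "unexpected-in", "%s/%s is not in Table 18" % (proto, dport)

    return "not-nvr", "neither endpoint is the NVR"


def audit(records):
    """Return only the records that need a human look: (record, verdict, reason)."""
    findings = []
    for record in records:
        verdict, reason = classify_flow(record)
        if not verdict.startswith("expected"):
            findings.append((record, verdict, reason))
    return findings


# Constructed sample flow log: "proto src_ip src_port dst_ip dst_port".
SAMPLE_FLOWS = [
    "udp 192.168.1.10 51234 239.255.255.250 1900",   # uPNP camera discovery
    "tcp 192.168.1.50 44321 192.168.1.10 443",        # HTTPS web UI from the trusted host
    "tcp 192.168.1.77 44322 192.168.1.10 22",         # SSH from a host that is not trusted
    "udp 192.168.2.21 30000 192.168.1.10 40010",      # RTP video from a camera
    "tcp 192.168.1.10 40001 203.0.113.9 8443",        # NVR talking to an unlisted port
    "icmp 192.168.1.50 0 192.168.1.10 0",             # ping to the NVR
]

if __name__ == "__main__":
    for record, verdict, reason in audit(SAMPLE_FLOWS):
        print("%-22s %s   <- %s" % (verdict, record, reason))
```

The two findings from the sample, an SSH session from a host outside the trusted-host list and an outbound connection to a port no table mentions, are exactly the cases worth a firewall rule or an alert; everything else matches the tables and needs no rule of its own.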