VA QuickStart

This guide leads you through the process that results in the creation of a vulnerability-assessment report for one of your target databases.

Note: All GUI fields marked with an asterisk (*) must be filled in or specified.
The example below assumes you will be assessing an Oracle target database, so make sure that the FortiDB user for your Oracle target database has the privileges shown below. If your target database is not Oracle, refer to the Required Privileges for Assessment column of Privileges for Assessment.
RDBMS Type: Oracle
Required Privilege(s):
  • CREATE SESSION
  • SELECT_CATALOG_ROLE
  • SELECT ON:
    • SYS.AUDIT$
    • SYS.REGISTRY$HISTORY
    • SYS.USER$
    • SYS.LINK$
    • SYSTEM.SQLPLUS_PRODUCT_PROFILE
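
The Oracle privileges listed above, written out as grants and followed by a query that flags anything the account holds beyond that list (an added example, not part of the FortiDB handbook). The account name fortidb_va and its password are placeholders, and the script assumes you run it as a DBA-level account that is allowed to grant on SYS-owned objects.

```sql
-- Added example. FORTIDB_VA and the password are placeholders (assumptions).
CREATE USER fortidb_va IDENTIFIED BY "Replace_With_Strong_Pw1";

-- Exactly the privileges the privilege list above requires for Oracle.
GRANT CREATE SESSION       TO fortidb_va;
GRANT SELECT_CATALOG_ROLE  TO fortidb_va;
GRANT SELECT ON SYS.AUDIT$                     TO fortidb_va;
GRANT SELECT ON SYS.REGISTRY$HISTORY           TO fortidb_va;
GRANT SELECT ON SYS.USER$                      TO fortidb_va;
GRANT SELECT ON SYS.LINK$                      TO fortidb_va;
GRANT SELECT ON SYSTEM.SQLPLUS_PRODUCT_PROFILE TO fortidb_va;

-- Least-privilege check: list every direct grant held by the account and
-- mark anything outside the required set as REVIEW.
SELECT 'SYSTEM PRIVILEGE' AS grant_type,
       privilege          AS granted,
       CASE WHEN privilege = 'CREATE SESSION'
            THEN 'expected' ELSE 'REVIEW' END AS status
FROM   dba_sys_privs
WHERE  grantee = 'FORTIDB_VA'
UNION ALL
SELECT 'ROLE',
       granted_role,
       CASE WHEN granted_role = 'SELECT_CATALOG_ROLE'
            THEN 'expected' ELSE 'REVIEW' END
FROM   dba_role_privs
WHERE  grantee = 'FORTIDB_VA'
UNION ALL
SELECT 'OBJECT ' || privilege,
       owner || '.' || table_name,
       CASE WHEN privilege = 'SELECT'
             AND owner || '.' || table_name IN
                 ('SYS.AUDIT$', 'SYS.REGISTRY$HISTORY', 'SYS.USER$',
                  'SYS.LINK$', 'SYSTEM.SQLPLUS_PRODUCT_PROFILE')
            THEN 'expected' ELSE 'REVIEW' END
FROM   dba_tab_privs
WHERE  grantee = 'FORTIDB_VA'
ORDER  BY 1, 2;
```

SYS.USER$ and SYS.LINK$ hold password verifiers and database-link credentials, so the assessment account's own password deserves the same protection as a DBA credential.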
  1. Log in to FortiDB as the FortiDB admin user, using fortidb1!$ for the password.
  2. Create a FortiDB user who can create a target database group, run an assessment, and review a report about that assessment.
    1. Go to Administration > User Management in the left-side tree menu.
    2. On the User Management page, select the Add button.
    3. On the Add New User page, select the General tab.
      Note: All GUI fields marked with an asterisk (*) must be filled in or specified.
    4. On the General-tab form, fill in the text boxes marked with an asterisk (*). (Assume a user name of vauser and a password of fdb!23.)
    5. On the Add New User page, select the Roles tab.
    6. On the Roles-tab, select these roles from the Available Roles list box:
      • Target Manager
      • Operations Manager
      • Report Manager
    7. Select the button in order to move those role names to the Assigned Roles text box.
    8. Select the Save button.
    9. Select the Logout link at the top-right of the screen in order to log out the admin user.
  3. As the newly created user, create a target-database connection.
    1. Log in to FortiDB as the FortiDB vauser user, using fdb!23 for the password. You should notice the absence of an Administration section in the left-side navigation menu. (vauser cannot create, or even view, other users from within the FortiDB application.)
    2. Go to Target Database Server > Targets in the left-side tree menu.
    3. Select the Add button.
    4. On the Target page, select the General tab.
    5. Enter the information in the text boxes marked with an asterisk (*) with settings appropriate to your target database. Assume an Oracle target with these parameters:
      • Name: Enter a name (ex. vatarget)
      • Type: Select your database type (Oracle)
      • DB Host Name/IP: Enter the IP address or computer name of the system that contains the Oracle target database (ex. test_machine or 172.30.12.112)
      • Port: Enter the port number or leave the default (1521)
      • DB Name: Enter the name of your target database (ex. orcl)
      • User Name: Enter the user name for your target database (the user that holds the privileges listed above)
      • Password: Enter the password for that target-database user
    6. Select the Test Connection button to verify that your target database is reachable and that your connection parameters are correct. You should see a 'Success' message.
    7. Select the Save button. vatarget should appear on the Targets page under the Name column header.
  4. Create a new group and add the newly created connection to your group.
    Note: FortiDB runs assessments against target-database groups, not individual database connections. A group can consist of one or more target databases.
    1. Go to Target Database Server > Targets Groups in the left-side tree menu.
    2. On the Target Groups page, select the Add button.
    3. On the Targets page, enter a name for your group in the Group Name text box. (Here assume the group name is mygroup.)
    4. Build a filter by filling in the following:
      • In the Column dropdown list, choose Name.
      • In the Operator dropdown list, choose Contains.
      • In the Value text box, enter all or part of the Name of the target you created above. (For example, use targ, a substring of the name, vatarget, that you assigned above.)
    5. Select the Search button in order to see if this filter selects the target you created above.
    6. Select the Save Group icon near the top of the page.
    7. Verify that the target group you just created is then listed on the Target Groups page.
  5. Assess the vulnerability of the target database in your group.
    1. Go to Vulnerability Assessment > Assessments in the left-side tree menu.
    2. On the Assessments page, select the Add button.
    3. Enter a name for your new assessment in the Assessment Name text box. (Here assume the assessment name is myscan.)
    4. Associate your newly created target-database group with your assessment. On the Assessment page, select the Targets tab.
    5. In the Available Target Groups list box in the Target Groups-tab, select mygroup, the target-database group you just created, and then select the button in order to move mygroup to the Assigned Target Groups text box.
    6. Associate the appropriate group of FortiDB-shipped policies with your assessment. On the Add Assessment page, select the Policies tab.
    7. In the Available Policy Groups list box in the Policy Groups-tab, select Oracle Policy Group (assuming you are assessing an Oracle target database) and then select the button in order to move that group name to the Assigned Policy Groups text box. If you select a Policy Group in the Available Policy Groups or Assigned Policy Groups list box, policies that belong to the Policy Group are displayed in the Active Policies list box.
      Note: Although the active policies can be highlighted, you cannot choose an individual or group of active policies to execute.
    8. Select the Save button. You should then see a ready-to-run assessment called myscan on the Assessments page.
  6. Run your newly created assessment.
    Note: FortiDB offers assessment scheduling as well as email and SNMP-trap notifications of assessment results. Here, however, we will simply run the assessment created above, which does not incorporate these features.
    1. Mark the check box to the left of the myscan row.
    2. Select the Run button. After a minute or so, you should see the Last Run Time column in the myscan row get populated with a stop date and time for the assessment you just ran.
  7. FortiDB ships with several pre-defined reports that will help you analyze your assessments. Here we will examine our assessment with the Summary Failed Report, which summarizes failed-policy results.
    1. Go to Report > Pre-Defined VA Reports in the left-side tree menu.
    2. On the Pre-Defined Reports page, select Summary Failed Report.
    3. On the Vulnerability Assessment Summary Failed Report page, select:
      • myscan from the Assessment Name dropdown list
      • The start date and time associated with myscan from the Assessment Time dropdown list.
      • From the Target dropdown list, the target group (here vatarget) associated with myscan
      On the Target Information tab of the Vulnerability Assessment Summary Failed Report page, you should see the fields get populated with the parameters of your assessment.
    4. Select the Preview Report tab of the Vulnerability Assessment Summary Failed Report page and, after it is compiled, a Summary Failed Report will appear in your browser.
    5. In order to view your report in another of the supported formats, scroll down to the Export as dropdown list, select the file format you want, and select the Export button.
      Note: The following file formats are supported:
      • PDF
      • Excel
      • Tab-delimited
      • Comma-separated values
Related reference
Privileges for Assessment



FortiDB 5.0.0 Handbook
1st Edition , July 11 2013
© Copyright 2013 Fortinet Inc. All rights reserved.
Latest documentation: http://docs.fortinet.com/fdb.html