FortiGate
Rathan_FTNT
Staff
Article Id 190396

Description

 

Up until FortiOS 6.4.3, FortiGate only supported the FortiAnalyzer Cloud service for event logging.

Starting in FortiOS 6.4.4, traffic and security logs are also supported.

 

For Limitations of FortiAnalyzer Cloud relative to FortiAnalyzer VM or Appliance, see the FortiAnalyzer Cloud Release Notes.

This article describes how to configure the FortiAnalyzer Cloud service.

Scope

 

System requirements:

  • To set up the Security Fabric, units that need to be included have to meet the Product Integration and Support requirements in the FortiOS release notes.
  • Some features of the Security Fabric are only available in certain firmware versions and models.
  • Not all FortiGates can run the FortiGuard security rating service if they are the root FortiGate in a Security Fabric.
  • For more information, see the Special Notices in the FortiOS Release Notes.

Prerequisites:

  • If units are not already installed in the network, complete basic installation and configuration tasks by following the instructions in the device documentation.
  • FortiGate units have to either have VDOMs disabled or be running in split-task VDOM mode to be added to the Security Fabric. See Virtual Domains.
  • FortiGate units have to be operating in NAT mode.


Solution

 

Sample settings panes.
In Security Fabric -> Fabric Connectors, on the Cloud Logging card settings page, FortiAnalyzer Cloud is greyed out when the FortiGate has no FortiAnalyzer Cloud entitlement.

When there is a FortiAnalyzer Cloud entitlement, FortiAnalyzer Cloud is available.
View the FortiAnalyzer Cloud settings in Log & Report -> Log Settings.

In FortiAnalyzer Cloud, view logs from FortiOS in the Event -> All Types pane.

To enable fortianalyzer-cloud using the CLI:
 
config log fortianalyzer-cloud setting
    set status enable
    set ips-archive disable
    set access-config enable
    set enc-algorithm high
    set ssl-min-proto-version default
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set certificate ''
    set source-ip ''
    set upload-option realtime
end
 
config log fortianalyzer-cloud filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
    set dns disable
    set ssh disable
    set ssl disable
    set cifs disable
    set filter ''
    set filter-type include
end

The enc-algorithm and ssl-min-proto-version settings govern the TLS session that carries logs to FortiAnalyzer Cloud. Keep enc-algorithm at high, and leave ssl-min-proto-version at default so that the global ssl-min-proto-version under config system global applies; lowering either weakens the channel that the logs travel over.

To disable fortianalyzer-cloud for a specific VDOM using the CLI (these commands are entered inside the VDOM, after config vdom and edit <vdom-name>):
 
config log setting
    set faz-override enable
end
 
config log fortianalyzer-cloud override-setting
    set status disable
end
 
To set the fortianalyzer-cloud filter for a specific VDOM using the CLI (again inside the VDOM):
 
config log setting
    set faz-override enable
end
 
config log fortianalyzer-cloud override-setting
    set status enable
end
 
config log fortianalyzer-cloud override-filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
    set dns disable
    set ssh disable
    set ssl disable
    set cifs disable
    set filter ''
    set filter-type include
end
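The settings above are easy to weaken quietly (a lower enc-algorithm, a batched upload-option, or a filter severity that drops information-level events). The following script is an added example, not code from the original article or from Fortinet: it parses the two CLI blocks in the form shown above and reports settings that weaken or silence cloud logging. The review policy it applies (require enc-algorithm high, realtime upload, a filter severity no coarser than information, and traffic logging enabled) is this example's own assumption, not a Fortinet requirement, and the WEAKENED_CONFIG block is constructed to exercise the checks.

```python
"""Audit the FortiOS log fortianalyzer-cloud setting and filter blocks.

Added example, not code from the original article or from Fortinet. It parses
CLI text in the form shown above and reports settings that weaken or silence
cloud logging. The review policy (require enc-algorithm high, realtime upload,
a filter severity no coarser than information, and traffic logging enabled) is
this example's own assumption, not a Fortinet requirement.
"""
import re

SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")

# FortiOS severity levels from most to least severe; the filter keeps logs at
# the configured level and above, so a coarser level silently drops events.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug"]

# The two blocks from the article, embedded so the example runs offline.
ARTICLE_CONFIG = """
config log fortianalyzer-cloud setting
    set status enable
    set ips-archive disable
    set access-config enable
    set enc-algorithm high
    set ssl-min-proto-version default
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set certificate ''
    set source-ip ''
    set upload-option realtime
end
config log fortianalyzer-cloud filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
end
"""

# Constructed weakened variant (not from the article) to exercise the checks.
WEAKENED_CONFIG = """
config log fortianalyzer-cloud setting
    set status enable
    set enc-algorithm low
    set upload-option store-and-upload
end
config log fortianalyzer-cloud filter
    set severity critical
    set forward-traffic enable
    set local-traffic enable
end
"""


def parse_fortios_blocks(text):
    """Return {block name: {attribute: value}} for flat config ... end blocks.

    Quotes around values (set certificate '') are stripped. Nested edit tables
    are not needed for these two blocks and are not handled.
    """
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = blocks.setdefault(line[len("config "):], {})
        elif line == "end":
            current = None
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip().strip("'\"")
    return blocks


def audit_fortianalyzer_cloud(text):
    """Return a list of human-readable findings; an empty list means clean."""
    blocks = parse_fortios_blocks(text)
    setting = blocks.get("log fortianalyzer-cloud setting", {})
    flt = blocks.get("log fortianalyzer-cloud filter", {})
    findings = []

    if setting.get("status") != "enable":
        findings.append("status: FortiAnalyzer Cloud logging is not enabled")
    enc = setting.get("enc-algorithm", "unset")
    if enc != "high":
        findings.append(f"enc-algorithm {enc}: allows weaker TLS ciphers than high")
    upload = setting.get("upload-option", "unset")
    if upload != "realtime":
        findings.append(f"upload-option {upload}: logs are batched, delaying detection")
    sev = flt.get("severity")
    if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) < SEVERITY_ORDER.index("information"):
        findings.append(f"severity {sev}: drops information-level events such as admin logins and config edits")
    for category in ("forward-traffic", "local-traffic"):
        if flt.get(category) == "disable":
            findings.append(f"{category} disable: these traffic logs are not sent")
    return findings


if __name__ == "__main__":
    for name, cfg in (("article", ARTICLE_CONFIG), ("weakened", WEAKENED_CONFIG)):
        print(name, audit_fortianalyzer_cloud(cfg) or ["clean"])
```

Run against the article's own blocks, the only findings are the two disabled traffic categories, which matches the pre-6.4.4 event-only behaviour described at the top of the article; feed it the output of show log fortianalyzer-cloud setting and show log fortianalyzer-cloud filter from a real unit to check a deployed configuration the same way.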
 
To display the fortianalyzer-cloud log using the CLI:

execute log filter device fortianalyzer-cloud
execute log filter category event
execute log display

Sample log (the second entry records an edit to log.fortianalyzer-cloud.filter that raised severity from information to critical; such a change silences information-level events and is itself worth alerting on):
date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" reason="name_invalid" method="https" eventtime=1556758666274548325 devid="FG5H1E5818900076" vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiGate-501E"
date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" eventtime=1556758642413367644 devid="FG5H1E5818900076" vd="root" dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiGate
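The two sample entries above are the kind of events a SOC would want to pick out of the FortiAnalyzer Cloud stream: a failed administrator login and an edit to the logging configuration. The script below is an added example, not code from the original article or from Fortinet. It parses FortiOS key=value log lines (quoted values may contain spaces), classifies each record, and counts failed logins per source. The first two SAMPLE_LINES are trimmed copies of the article's sample output; the remaining lines, the alert tags, and the burst threshold are this example's own constructions.

```python
"""Parse FortiOS key=value log lines and flag security-relevant events.

Added example, not code from the original article or from Fortinet. The first
two SAMPLE_LINES are trimmed copies of the article's sample output; the rest
are constructed. The detection rules (failed admin logins, a burst of them
from one source, and edits to logging configuration) are this example's own
choices for what a SOC would alert on.
"""
import re
from collections import Counter

# key=value pairs; values are either "double quoted" (may contain spaces) or a
# bare token. FortiOS escapes embedded quotes with a backslash.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LINES = [
    # Article sample: failed admin login (trimmed)
    'date=2019-05-01 time=17:57:45 logver=602000890 logid=0100032002 type="event" subtype="system" '
    'level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" '
    'msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" '
    'logdesc="Admin login failed" user="ddd" ui="https(10.6.30.254)" status="failed" '
    'reason="name_invalid" method="https" devid="FG5H1E5818900076" vd="root"',
    # Article sample: filter severity raised from information to critical (trimmed)
    'date=2019-05-01 time=17:57:21 logver=602000890 logid=0100044546 type="event" subtype="system" '
    'level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " '
    'logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 '
    'cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" '
    'devid="FG5H1E5818900076" vd="root"',
    # Constructed: two more failed logins from the same source to trigger the burst rule
    'date=2019-05-01 time=17:57:50 logid=0100032002 type="event" subtype="system" level="alert" '
    'srcip=10.6.30.254 action="login" logdesc="Admin login failed" user="root" status="failed" reason="name_invalid"',
    'date=2019-05-01 time=17:57:55 logid=0100032002 type="event" subtype="system" level="alert" '
    'srcip=10.6.30.254 action="login" logdesc="Admin login failed" user="admin" status="failed" reason="passwd_invalid"',
    # Constructed: a successful login, which must not be flagged
    'date=2019-05-01 time=17:58:10 logid=0100032001 type="event" subtype="system" level="information" '
    'srcip=10.6.30.20 action="login" logdesc="Admin login successful" user="admin" status="success"',
]


def parse_fortios_log(line):
    """Return {field: value} for one log line, unquoting quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def classify(fields):
    """Return alert tags for one parsed record (empty list if nothing of interest)."""
    tags = []
    if fields.get("type") == "event" and fields.get("subtype") == "system":
        if fields.get("action") == "login" and fields.get("status") == "failed":
            tags.append("admin-login-failed")
        # Configuration edits under log.* change what the FortiGate records;
        # an attacker may raise the severity filter to hide later activity.
        if (fields.get("logdesc") == "Attribute configured"
                and fields.get("cfgpath", "").startswith("log.")):
            tags.append("logging-config-changed")
    return tags


def analyze(lines, burst_threshold=3):
    """Classify every line; return (per-line tags, sources with a failed-login burst)."""
    per_line = []
    failed_by_src = Counter()
    for line in lines:
        fields = parse_fortios_log(line)
        tags = classify(fields)
        if "admin-login-failed" in tags:
            failed_by_src[fields.get("srcip", "unknown")] += 1
        per_line.append((fields.get("logid"), tags))
    bursts = {src: n for src, n in failed_by_src.items() if n >= burst_threshold}
    return per_line, bursts


if __name__ == "__main__":
    per_line, bursts = analyze(SAMPLE_LINES)
    for logid, tags in per_line:
        print(logid, tags or "-")
    print("failed-login bursts:", bursts)
```

The parser keys on field names rather than on positions, since FortiOS log lines vary in field order and count between log types and firmware versions; the logging-config-changed rule matches on cfgpath so it also catches edits to the regular fortianalyzer or syslogd settings, not only the cloud filter shown here.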
 