Solution
Checkpoints:
- Before starting, compare the FortiClient, FortiClient EMS and FortiAnalyzer versions against the following document:
FortiClient EMS Compatibility Chart
- Attention: a third-party antivirus application may block the transmission of traffic logs from the machine where FortiClient is installed. If issues occur, configure exclusions or otherwise allow the connection between FortiClient and FortiAnalyzer in the third-party antivirus software.
FortiGate Side:
FortiClient and FortiClient EMS use port 514 to send logs to FortiAnalyzer, so port 514 must be allowed on the firewall. For additional information, see the document below:
Required services and ports
EMS Side:
To send FortiClient web traffic logs to FortiAnalyzer, configure the following in FortiClient EMS.
- EMS -> Endpoint Profiles -> Web Filter -> Advanced -> General -> Log All URLs (Enable).
EMS -> Endpoint Profiles -> Web Filter -> Advanced -> General -> Log User Initiated Traffic (Enable).
1.png
- EMS -> Endpoint Profiles -> System Settings -> Advanced -> Log -> Upload UTM Logs (Chromebook).
2.png
For more details: System Settings.
- EMS -> Endpoint Profiles -> System Settings -> Advanced -> Log.
Select the log types to send to FortiAnalyzer. In this example, all options are selected.
3.png
For more details: System settings.
- EMS -> Endpoint Profiles -> System Settings -> Advanced -> Log.
Enter the FortiAnalyzer IP address or FQDN. If a specific port is used for the communication, enter it as 'IP:port' or 'FQDN:port'.
4.png
- EMS -> System Settings -> Log Settings -> FortiAnalyzer.
Enter the FortiAnalyzer IP address in the 'FortiAnalyzer Server Address' field and save the settings.
5.png
For more details: System Settings.
FortiAnalyzer Side:
- FortiAnalyzer -> System Settings -> ADOMs -> Add Device.
Create a new ADOM as follows:
6.png
- Switch to the newly created ADOM.
7.png
- FortiAnalyzer -> Device Manager -> Add Device.
Add FortiClient EMS to FortiAnalyzer as shown in the screenshots below.
8.png
9.png
10.png
- FortiAnalyzer -> Fabric View -> Fabric Connection.
Create a fabric connection between FortiClient EMS and FortiAnalyzer as shown below:
11.png
Enter the connection credentials according to whether FortiClient EMS (on-premises) or FortiClient EMS Cloud is used:
FortiClient EMS on-premises:
12.png
FortiClient EMS Cloud:
13.png
14.png
15.png
FortiClient Side:
- Verify that traffic logs are being created in the 'C:\Program Files\Fortinet\FortiClient\logs' folder, then keep watching the folder: the log files disappearing indicates that they have been uploaded to FortiAnalyzer.
16.png
- If needed, 'Wireshark' on the endpoint can also confirm that the logs sent by FortiClient reach FortiAnalyzer; filter on the FortiAnalyzer destination address as shown below:
17.png
18.png
Finally, the collected traffic logs can be reviewed under 'FortiAnalyzer -> Log View -> Traffic'.
19.png
Additionally, the following command in the FortiAnalyzer CLI confirms that traffic is being received from the specified host address (verbosity 3, unlimited packet count, absolute timestamps). The filter expression must be quoted as a whole:
diag sniffer packet any 'host 10.xxx.xx.xx' 3 0 a
20.png
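As an added example (not part of this article), a small Python helper that covers the checks above from the endpoint side: it parses the EMS FortiAnalyzer value ('IP', 'FQDN', 'IP:port' or 'FQDN:port', default port 514), tests whether the FortiAnalyzer port is reachable, and compares two snapshots of the FortiClient logs folder to tell uploaded files from files that stay behind. The hostname, the 60-second interval and the assumption that the log channel is TCP on port 514 are placeholders/assumptions of this example.

```python
"""Endpoint-side verification helper for the FortiClient -> FortiAnalyzer log path (added example)."""
import os
import socket
import time

FAZ_DEFAULT_PORT = 514  # port used by FortiClient / EMS to send logs to FortiAnalyzer
FCT_LOG_DIR = r"C:\Program Files\Fortinet\FortiClient\logs"  # folder checked in the article


def parse_faz_target(setting: str, default_port: int = FAZ_DEFAULT_PORT) -> tuple[str, int]:
    """Parse the EMS 'FortiAnalyzer' value: 'IP', 'FQDN', 'IP:port' or 'FQDN:port'."""
    setting = setting.strip()
    if setting.startswith("["):          # bracketed IPv6 literal, optionally followed by :port
        host, _, rest = setting[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else default_port
    elif setting.count(":") == 1:        # IPv4 address or FQDN with an explicit port
        host, _, port_str = setting.partition(":")
        port = int(port_str)
    else:                                # bare host (an unbracketed IPv6 literal lands here too)
        host, port = setting, default_port
    if not host or not 1 <= port <= 65535:
        raise ValueError(f"invalid FortiAnalyzer target: {setting!r}")
    return host, port


def faz_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect check from the endpoint (assumes TCP); a failure points at the firewall
    or a local antivirus blocking port 514 rather than at the EMS profile."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_log_files(before: set[str], after: set[str]) -> dict[str, set[str]]:
    """Compare two snapshots of the logs folder: files that vanished were uploaded,
    files present in both snapshots may indicate that the upload is blocked."""
    return {"uploaded": before - after, "pending": before & after, "new": after - before}


def snapshot_logs(log_dir: str = FCT_LOG_DIR) -> set[str]:
    """Names of the files currently in the FortiClient logs folder (empty set if absent)."""
    return set(os.listdir(log_dir)) if os.path.isdir(log_dir) else set()


if __name__ == "__main__":
    host, port = parse_faz_target("faz.example.internal:514")  # placeholder, use your EMS value
    print(f"FortiAnalyzer {host}:{port} reachable: {faz_reachable(host, port)}")
    first = snapshot_logs()
    time.sleep(60)  # placeholder interval; FortiClient uploads and removes the files over time
    print(classify_log_files(first, snapshot_logs()))
```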
Key points and important considerations regarding FortiClient EMS Cloud:
To allow communication between FortiClient EMS Cloud and an on-premises FortiAnalyzer, port 514 must be permitted on the firewall, using the FortiClient EMS Cloud IP address (shown in the 'About' tab of the portal) as the source address.
21.png