Fortinet black logo

Handbook

Configuring OFTP settings for FortiAnalyzer logs

Configuring OFTP settings for FortiAnalyzer logs

The Optimized Fabric Transfer Protocol (OFTP) is used when information is synchronized between FortiAnalyzer and FortiADC, as well as for other Fortinet products. Remote logging and archiving can be configured on the FortiADC to send logs to a FortiAnalyzer unit.

OFTP listens on port TCP/514.

You can configure the OFTP settings from Log & Report > Log Setting, or directly in your FortiAnalyzer connector configuration (for details, see FortiAnalyzer Connector).

Requirements:
  • Read-Write permission for Log & Report settings.
  • The FortiAnalyzer service is required to be exposed on External IP.

FortiADC supports integration with FortiAnalyzer versions 7.0.2 or later. As earlier versions of FortiAnalyzer is not optimally compatible with FortiADC, unexpected behavior may occur.

To configure OFTP log settings:
  1. Go to Log & Report > Log Setting.
  2. Click the FortiAnalyzer tab.
  3. If the VDOM is enabled, enable/disable Override to determine which server list to use.
    Enable Override to use the VDOM FortiAnalyzer server list. Otherwise, disable Override to use the Global FortiAnalyzer server list.
  4. Click Create New to display the configuration editor.
  5. Configure the following settings:

    Setting

    Description

    Status

    Enable/disable the Fabric Connector object.

    Address Specify the IP address of the FortiAnalyzer Log server.

    Log Level

    Select the lowest severity to log from the following options:

    • Emergency — The system has become unstable.
    • Alert — Immediate action is required.
    • Critical — Functionality is affected.
    • Error — An error condition exists and functionality could be affected.
    • Warning — Functionality might be affected.
    • Notification — Information about normal events.
    • Information — General information about system operations.
    • Debug — Detailed information about the system that can be used to troubleshoot unexpected behavior.

    The exported logs will include the selected severity level and above. For example, if you select Error, the system collects logs with severity level Error, Critical, Alert, and Emergency. If you select Alert, the system collects logs with severity level Alert and Emergency.

    Event

    Enable/disable logging for events.

    Event Category

    If Event is enabled, the Event Category options appear.

    Select one or more of the following event categories to include in the event logs export:

    • Configuration — Configuration changes.
    • Admin — Administrator actions.
    • System — System operations, warnings, and errors.
    • User — Authentication results logs.
    • Health Check — Health check results and client certificate validation check results.
    • SLB — Notifications, such as connection limit reached.
    • LLB — Notifications, such as bandwidth thresholds reached.
    • GLB — Notifications, such as the status of associated local SLB and virtual servers.
    • Firewall — Notifications for the Firewall module, such as SNAT source IP pool is using all of its addresses.

    Traffic

    Enable/disable logging for traffic processed by the load-balancing modules.

    Traffic Category

    If Traffic is enabled, the Traffic Category options appear.

    Select one or more of the following traffic categories to include in the traffic logs export:

    • SLB — Server Load Balancing traffic logs related to sessions and throughput.
    • GLB — Global Load Balancing traffic logs related to DNS requests.
    • LLB — Link Load Balancing traffic logs related to session and throughput.

    Security

    Enable/disable logging for traffic processed by the security modules.

    Security Category

    If Security is enabled, the Security Category options appear.

    Select one or more of the following security categories to include in the security logs export:

    • DDoS — DoS protection logs.
    • IP Reputation — IP Reputation logs.
    • WAF — WAF logs.
    • GEO — Geo IP blocking logs.
    • AV — AV logs.
    • IPS — IPS logs.
    • FW — Firewall logs.
  6. Optionally, click Test Connectivity after entering the Address to check the FortiAnalyzer OFTP connectivity.
    The Connection Status appears showing the OFTP connection status.
    There are three possible OFTP connection statuses:

    Icon

    OFTP Status

    Description

    Connected

    The FortiADC has successfully connected to FortiAnalyzer and is authorized by FortiAnalyzer as a Fabric Device. FortiADC can now send log data to FortiAnalyzer.

    Disconnected

    The FortiADC cannot connect to FortiAnalyzer. Ensure there are no network connectivity issues.

    Need authorization

    The FortiADC has successfully connected to FortiAnalyzer but is not authorized by FortiAnalyzer as a Fabric Device. This status may indicate the authorization is either denied or pending. If pending authorization, the status will change to Connected once authorization is successful on the FortiAnalyzer server.

    If the status is not Connected, edit the FortiAnalyzer connector accordingly to troubleshoot the connection issue.
  7. Click Save.

Configuring OFTP settings for FortiAnalyzer logs

The Optimized Fabric Transfer Protocol (OFTP) is used when information is synchronized between FortiAnalyzer and FortiADC, as well as for other Fortinet products. Remote logging and archiving can be configured on the FortiADC to send logs to a FortiAnalyzer unit.

OFTP listens on port TCP/514.

You can configure the OFTP settings from Log & Report > Log Setting, or directly in your FortiAnalyzer connector configuration (for details, see FortiAnalyzer Connector).

Requirements:
  • Read-Write permission for Log & Report settings.
  • The FortiAnalyzer service is required to be exposed on External IP.

FortiADC supports integration with FortiAnalyzer versions 7.0.2 or later. As earlier versions of FortiAnalyzer is not optimally compatible with FortiADC, unexpected behavior may occur.

To configure OFTP log settings:
  1. Go to Log & Report > Log Setting.
  2. Click the FortiAnalyzer tab.
  3. If the VDOM is enabled, enable/disable Override to determine which server list to use.
    Enable Override to use the VDOM FortiAnalyzer server list. Otherwise, disable Override to use the Global FortiAnalyzer server list.
  4. Click Create New to display the configuration editor.
  5. Configure the following settings:

    Setting

    Description

    Status

    Enable/disable the Fabric Connector object.

    Address Specify the IP address of the FortiAnalyzer Log server.

    Log Level

    Select the lowest severity to log from the following options:

    • Emergency — The system has become unstable.
    • Alert — Immediate action is required.
    • Critical — Functionality is affected.
    • Error — An error condition exists and functionality could be affected.
    • Warning — Functionality might be affected.
    • Notification — Information about normal events.
    • Information — General information about system operations.
    • Debug — Detailed information about the system that can be used to troubleshoot unexpected behavior.

    The exported logs will include the selected severity level and above. For example, if you select Error, the system collects logs with severity level Error, Critical, Alert, and Emergency. If you select Alert, the system collects logs with severity level Alert and Emergency.

    Event

    Enable/disable logging for events.

    Event Category

    If Event is enabled, the Event Category options appear.

    Select one or more of the following event categories to include in the event logs export:

    • Configuration — Configuration changes.
    • Admin — Administrator actions.
    • System — System operations, warnings, and errors.
    • User — Authentication results logs.
    • Health Check — Health check results and client certificate validation check results.
    • SLB — Notifications, such as connection limit reached.
    • LLB — Notifications, such as bandwidth thresholds reached.
    • GLB — Notifications, such as the status of associated local SLB and virtual servers.
    • Firewall — Notifications for the Firewall module, such as SNAT source IP pool is using all of its addresses.

    Traffic

    Enable/disable logging for traffic processed by the load-balancing modules.

    Traffic Category

    If Traffic is enabled, the Traffic Category options appear.

    Select one or more of the following traffic categories to include in the traffic logs export:

    • SLB — Server Load Balancing traffic logs related to sessions and throughput.
    • GLB — Global Load Balancing traffic logs related to DNS requests.
    • LLB — Link Load Balancing traffic logs related to session and throughput.

    Security

    Enable/disable logging for traffic processed by the security modules.

    Security Category

    If Security is enabled, the Security Category options appear.

    Select one or more of the following security categories to include in the security logs export:

    • DDoS — DoS protection logs.
    • IP Reputation — IP Reputation logs.
    • WAF — WAF logs.
    • GEO — Geo IP blocking logs.
    • AV — AV logs.
    • IPS — IPS logs.
    • FW — Firewall logs.
  6. Optionally, click Test Connectivity after entering the Address to check the FortiAnalyzer OFTP connectivity.
    The Connection Status appears showing the OFTP connection status.
    There are three possible OFTP connection statuses:

    Icon

    OFTP Status

    Description

    Connected

    The FortiADC has successfully connected to FortiAnalyzer and is authorized by FortiAnalyzer as a Fabric Device. FortiADC can now send log data to FortiAnalyzer.

    Disconnected

    The FortiADC cannot connect to FortiAnalyzer. Ensure there are no network connectivity issues.

    Need authorization

    The FortiADC has successfully connected to FortiAnalyzer but is not authorized by FortiAnalyzer as a Fabric Device. This status may indicate the authorization is either denied or pending. If pending authorization, the status will change to Connected once authorization is successful on the FortiAnalyzer server.

    If the status is not Connected, edit the FortiAnalyzer connector accordingly to troubleshoot the connection issue.
  7. Click Save.