Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 7.2.2 Handbook
    7.2.2
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    FortiAnalyzer Connector

    FortiAnalyzer Connector

    When you create a connector for FortiAnalyzer, you are specifying how FortiADC can communicate with FortiAnalyzer for pushing logs to FortiAnalyzer. You can choose between two protocol types for sending logs to FortiAnalyzer: Syslog or OFTP.

    Using the Syslog protocol will allow FortiADC to connect to FortiAnalyzer by UDP, TCP or TCP SSL depending on the FortiAnalyzer connector setting.

    OFTP (Optimized Fabric Transfer Protocol) is used to synchronize information between FortiAnalyzer and other Fortinet products. So, this is the recommended protocol to use for pushing logs to FortiAnalyzer.

    Requirements:
    • The FortiAnalyzer service is required to be exposed on External IP.

    FortiADC supports integration with FortiAnalyzer versions 7.0.2 or later. As earlier versions of FortiAnalyzer is not optimally compatible with FortiADC, unexpected behavior may occur.
    To create a FortiAnalyzer Connector:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click Create New.
    3. Under Other Fortinet Products, click FortiAnalyzer to display the configuration editor.
    4. Configure the following Server Type settings:

      Setting

      Description

      Type

      Select either of the following options:

      • Syslog — To send logs to FortiAnalyzer using the syslog protocol.
      • FortiAnalyzer — To send logs to FortiAnalyzer using the OFTP.
      Depending on your Type selection, either the Syslog Server or FortiAnalyzer configuration section will appear.
    5. If the Server Type is Syslog, configure the following Syslog Server settings:

      Setting

      Description

      Status

      Enable/disable the Fabric Connector object.

      Address Specify the IP address of the FortiAnalyzer Log server.
      Port

      Specify the port that FortiADC uses to communicate with the log server.

      This is the listening port number of the syslog server. Usually this is UDP port 514.

      Proto

      Select the protocol used for log transfer from the following:

      • UDP

      • TCP

      • TCP SSL

      TCP Framing

      If Proto is TCP or TCP SSL, the TCP Framing options appear.

      Select one of the following options:

      • Traditional

      • Octet Counted

      Log Level

      Select the lowest severity to log from the following options:

      • Emergency — The system has become unstable.
      • Alert — Immediate action is required.
      • Critical — Functionality is affected.
      • Error — An error condition exists and functionality could be affected.
      • Warning — Functionality might be affected.
      • Notification — Information about normal events.
      • Information — General information about system operations.
      • Debug — Detailed information about the system that can be used to troubleshoot unexpected behavior.

      The exported logs will include the selected severity level and above. For example, if you select Error, the system sends the syslog server logs with level Error, Critical, Alert, and Emergency. If you select Alert, the system collects logs with severity level Alert and Emergency.

      CSV

      Enable to export the logs as a CSV file.

      Facility

      Select the source facility of the logs. We only support the local use facilities which are not reserved and are available for general use.

      Event

      Enable/disable logging for events.

      Event Category

      If Event is enabled, the Event Category options appear.

      Select one or more of the following event categories to include in the event logs export:

      • Configuration — Configuration changes.
      • Admin — Administrator actions.
      • System — System operations, warnings, and errors.
      • User — Authentication results logs.
      • Health Check — Health check results and client certificate validation check results.
      • SLB — Notifications, such as connection limit reached.
      • LLB — Notifications, such as bandwidth thresholds reached.
      • GLB — Notifications, such as the status of associated local SLB and virtual servers.
      • Firewall — Notifications for the Firewall module, such as SNAT source IP pool is using all of its addresses.

      Traffic

      Enable/disable logging for traffic processed by the load-balancing modules.

      Traffic Category

      If Traffic is enabled, the Traffic Category options appear.

      Select one or more of the following traffic categories to include in the traffic logs export:

      • SLB — Server Load Balancing traffic logs related to sessions and throughput.
      • GLB — Global Load Balancing traffic logs related to DNS requests.
      • LLB — Link Load Balancing traffic logs related to session and throughput.

      Security

      Enable/disable logging for traffic processed by the security modules.

      Security Category

      If Security is enabled, the Security Category options appear.

      Select one or more of the following security categories to include in the security logs export:

      • DDoS — DoS protection logs.
      • IP Reputation — IP Reputation logs.
      • WAF — WAF logs.
      • GEO — Geo IP blocking logs.
      • AV — AV logs.
      • IPS — IPS logs.
      • FW — Firewall logs.
    6. If the Server Type is FortiAnalyzer, configure the following FortiAnalyzer settings:

      Setting

      Description

      Status

      Enable/disable the Fabric Connector object.

      Address Specify the IP address of the FortiAnalyzer Log server.

      Log Level

      Select the lowest severity to log from the following options:

      • Emergency — The system has become unstable.
      • Alert — Immediate action is required.
      • Critical — Functionality is affected.
      • Error — An error condition exists and functionality could be affected.
      • Warning — Functionality might be affected.
      • Notification — Information about normal events.
      • Information — General information about system operations.
      • Debug — Detailed information about the system that can be used to troubleshoot unexpected behavior.

      The exported logs will include the selected severity level and above. For example, if you select Error, the system collects logs with severity level Error, Critical, Alert, and Emergency. If you select Alert, the system collects logs with severity level Alert and Emergency.

      Event

      Enable/disable logging for events.

      Event Category

      If Event is enabled, the Event Category options appear.

      Select one or more of the following event categories to include in the event logs export:

      • Configuration — Configuration changes.
      • Admin — Administrator actions.
      • System — System operations, warnings, and errors.
      • User — Authentication results logs.
      • Health Check — Health check results and client certificate validation check results.
      • SLB — Notifications, such as connection limit reached.
      • LLB — Notifications, such as bandwidth thresholds reached.
      • GLB — Notifications, such as the status of associated local SLB and virtual servers.
      • Firewall — Notifications for the Firewall module, such as SNAT source IP pool is using all of its addresses.

      Traffic

      Enable/disable logging for traffic processed by the load-balancing modules.

      Traffic Category

      If Traffic is enabled, the Traffic Category options appear.

      Select one or more of the following traffic categories to include in the traffic logs export:

      • SLB — Server Load Balancing traffic logs related to sessions and throughput.
      • GLB — Global Load Balancing traffic logs related to DNS requests.
      • LLB — Link Load Balancing traffic logs related to session and throughput.

      Security

      Enable/disable logging for traffic processed by the security modules.

      Security Category

      If Security is enabled, the Security Category options appear.

      Select one or more of the following security categories to include in the security logs export:

      • DDoS — DoS protection logs.
      • IP Reputation — IP Reputation logs.
      • WAF — WAF logs.
      • GEO — Geo IP blocking logs.
      • AV — AV logs.
      • IPS — IPS logs.
      • FW — Firewall logs.
      1. Optionally, click Test Connectivity after entering the Address to check the FortiAnalyzer OFTP connectivity.
        The Connection Status appears showing the OFTP connection status.
        There are three possible OFTP connection statuses:

        Icon

        OFTP Status

        Description

        Connected

        		The FortiADC has successfully connected to FortiAnalyzer and is authorized by FortiAnalyzer as a Fabric Device. FortiADC can now send log data to FortiAnalyzer.

        Disconnected

        The FortiADC cannot connect to FortiAnalyzer. Ensure there are no network connectivity issues.

        Need authorization

        The FortiADC has successfully connected to FortiAnalyzer but is not authorized by FortiAnalyzer as a Fabric Device. This status may indicate the authorization is either denied or pending. If pending authorization, the status will change to Connected once authorization is successful on the FortiAnalyzer server.

        If the status is not Connected, edit the FortiAnalyzer connector accordingly to troubleshoot the connection issue.
    7. Click Save.

    After the connector is created, FortiADC will push the logs to the FortiAnalyzer server. The above configurations are also available in Log&Report > Log Setting > Syslog Server tab or FortiAnalyzer tab.

    Previous
    Next

    FortiAnalyzer Connector

    FortiAnalyzer Connector

    When you create a connector for FortiAnalyzer, you are specifying how FortiADC can communicate with FortiAnalyzer for pushing logs to FortiAnalyzer. You can choose between two protocol types for sending logs to FortiAnalyzer: Syslog or OFTP.

    Using the Syslog protocol will allow FortiADC to connect to FortiAnalyzer by UDP, TCP or TCP SSL depending on the FortiAnalyzer connector setting.

    OFTP (Optimized Fabric Transfer Protocol) is used to synchronize information between FortiAnalyzer and other Fortinet products. So, this is the recommended protocol to use for pushing logs to FortiAnalyzer.

    Requirements:
    • The FortiAnalyzer service is required to be exposed on External IP.

    FortiADC supports integration with FortiAnalyzer versions 7.0.2 or later. As earlier versions of FortiAnalyzer is not optimally compatible with FortiADC, unexpected behavior may occur.
    To create a FortiAnalyzer Connector:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click Create New.
    3. Under Other Fortinet Products, click FortiAnalyzer to display the configuration editor.
    4. Configure the following Server Type settings:

      Setting

      Description

      Type

      Select either of the following options:

      • Syslog — To send logs to FortiAnalyzer using the syslog protocol.
      • FortiAnalyzer — To send logs to FortiAnalyzer using the OFTP.
      Depending on your Type selection, either the Syslog Server or FortiAnalyzer configuration section will appear.
    5. If the Server Type is Syslog, configure the following Syslog Server settings:

      Setting

      Description

      Status

      Enable/disable the Fabric Connector object.

      Address Specify the IP address of the FortiAnalyzer Log server.
      Port

      Specify the port that FortiADC uses to communicate with the log server.

      This is the listening port number of the syslog server. Usually this is UDP port 514.

      Proto

      Select the protocol used for log transfer from the following:

      • UDP

      • TCP

      • TCP SSL

      TCP Framing

      If Proto is TCP or TCP SSL, the TCP Framing options appear.

      Select one of the following options:

      • Traditional

      • Octet Counted

      Log Level

      Select the lowest severity to log from the following options:

      • Emergency — The system has become unstable.
      • Alert — Immediate action is required.
      • Critical — Functionality is affected.
      • Error — An error condition exists and functionality could be affected.
      • Warning — Functionality might be affected.
      • Notification — Information about normal events.
      • Information — General information about system operations.
      • Debug — Detailed information about the system that can be used to troubleshoot unexpected behavior.

      The exported logs will include the selected severity level and above. For example, if you select Error, the system sends the syslog server logs with level Error, Critical, Alert, and Emergency. If you select Alert, the system collects logs with severity level Alert and Emergency.

      CSV

      Enable to export the logs as a CSV file.

      Facility

      Select the source facility of the logs. We only support the local use facilities which are not reserved and are available for general use.

      Event

      Enable/disable logging for events.

      Event Category

      If Event is enabled, the Event Category options appear.

      Select one or more of the following event categories to include in the event logs export:

      • Configuration — Configuration changes.
      • Admin — Administrator actions.
      • System — System operations, warnings, and errors.
      • User — Authentication results logs.
      • Health Check — Health check results and client certificate validation check results.
      • SLB — Notifications, such as connection limit reached.
      • LLB — Notifications, such as bandwidth thresholds reached.
      • GLB — Notifications, such as the status of associated local SLB and virtual servers.
      • Firewall — Notifications for the Firewall module, such as SNAT source IP pool is using all of its addresses.

      Traffic

      Enable/disable logging for traffic processed by the load-balancing modules.

      Traffic Category

      If Traffic is enabled, the Traffic Category options appear.

      Select one or more of the following traffic categories to include in the traffic logs export:

      • SLB — Server Load Balancing traffic logs related to sessions and throughput.
      • GLB — Global Load Balancing traffic logs related to DNS requests.
      • LLB — Link Load Balancing traffic logs related to session and throughput.

      Security

      Enable/disable logging for traffic processed by the security modules.

      Security Category

      If Security is enabled, the Security Category options appear.

      Select one or more of the following security categories to include in the security logs export:

      • DDoS — DoS protection logs.
      • IP Reputation — IP Reputation logs.
      • WAF — WAF logs.
      • GEO — Geo IP blocking logs.
      • AV — AV logs.
      • IPS — IPS logs.
      • FW — Firewall logs.
    6. If the Server Type is FortiAnalyzer, configure the following FortiAnalyzer settings:

      Setting

      Description

      Status

      Enable/disable the Fabric Connector object.

      Address Specify the IP address of the FortiAnalyzer Log server.

      Log Level

      Select the lowest severity to log from the following options:

      • Emergency — The system has become unstable.
      • Alert — Immediate action is required.
      • Critical — Functionality is affected.
      • Error — An error condition exists and functionality could be affected.
      • Warning — Functionality might be affected.
      • Notification — Information about normal events.
      • Information — General information about system operations.
      • Debug — Detailed information about the system that can be used to troubleshoot unexpected behavior.

      The exported logs will include the selected severity level and above. For example, if you select Error, the system collects logs with severity level Error, Critical, Alert, and Emergency. If you select Alert, the system collects logs with severity level Alert and Emergency.

      Event

      Enable/disable logging for events.

      Event Category

      If Event is enabled, the Event Category options appear.

      Select one or more of the following event categories to include in the event logs export:

      • Configuration — Configuration changes.
      • Admin — Administrator actions.
      • System — System operations, warnings, and errors.
      • User — Authentication results logs.
      • Health Check — Health check results and client certificate validation check results.
      • SLB — Notifications, such as connection limit reached.
      • LLB — Notifications, such as bandwidth thresholds reached.
      • GLB — Notifications, such as the status of associated local SLB and virtual servers.
      • Firewall — Notifications for the Firewall module, such as SNAT source IP pool is using all of its addresses.

      Traffic

      Enable/disable logging for traffic processed by the load-balancing modules.

      Traffic Category

      If Traffic is enabled, the Traffic Category options appear.

      Select one or more of the following traffic categories to include in the traffic logs export:

      • SLB — Server Load Balancing traffic logs related to sessions and throughput.
      • GLB — Global Load Balancing traffic logs related to DNS requests.
      • LLB — Link Load Balancing traffic logs related to session and throughput.

      Security

      Enable/disable logging for traffic processed by the security modules.

      Security Category

      If Security is enabled, the Security Category options appear.

      Select one or more of the following security categories to include in the security logs export:

      • DDoS — DoS protection logs.
      • IP Reputation — IP Reputation logs.
      • WAF — WAF logs.
      • GEO — Geo IP blocking logs.
      • AV — AV logs.
      • IPS — IPS logs.
      • FW — Firewall logs.
      1. Optionally, click Test Connectivity after entering the Address to check the FortiAnalyzer OFTP connectivity.
        The Connection Status appears showing the OFTP connection status.
        There are three possible OFTP connection statuses:

        Icon

        OFTP Status

        Description

        Connected

        		The FortiADC has successfully connected to FortiAnalyzer and is authorized by FortiAnalyzer as a Fabric Device. FortiADC can now send log data to FortiAnalyzer.

        Disconnected

        The FortiADC cannot connect to FortiAnalyzer. Ensure there are no network connectivity issues.

        Need authorization

        The FortiADC has successfully connected to FortiAnalyzer but is not authorized by FortiAnalyzer as a Fabric Device. This status may indicate the authorization is either denied or pending. If pending authorization, the status will change to Connected once authorization is successful on the FortiAnalyzer server.

        If the status is not Connected, edit the FortiAnalyzer connector accordingly to troubleshoot the connection issue.
    7. Click Save.

    After the connector is created, FortiADC will push the logs to the FortiAnalyzer server. The above configurations are also available in Log&Report > Log Setting > Syslog Server tab or FortiAnalyzer tab.

    Previous
    Next