Sending logs from an on-premise FortiAnalyzer

For a deployment where FortiGate sends logs to an on-premise FortiAnalyzer, you must configure FortiAnalyzer to forward logs to SOCaaS.

Configuring FortiAnalyzer to forward to SOCaaS

When the Fortinet SOC team is setting up the service, they will provide you with the server IP and port numbers that you need for the configuration.

For information about log forwarding, see Log Forwarding in the FortiAnalyzer Administration Guide.

To create a new log forwarding entry:
  1. Log in to FortiAnalyzer, and go to log forwarding settings.

    1. In versions prior to 7.4.0, go to System Settings > Log Forwarding.

    2. In 7.4.0 and later, go to System Settings > Advanced > Log Forwarding.

  2. In the toolbar, click Create New. The Create New Log Forwarding window opens.

  3. Configure the following mandatory settings:

    Remote Server Type: FortiAnalyzer

    Server FQDN/IP: Enter the FQDN provided by the Fortinet SOC team.

    Note: FQDNs are supported for log forwarding in FortiAnalyzer 7.0.0 and later. If you are using an earlier version of FortiAnalyzer, use the resolved IP address of the FQDN instead.

    Reliable Connection: On

    Sending Frequency: Real-time

  4. (Optional) Configure the device filters.

    1. Under Log Forwarding Filters, click Select Device.

    2. Select the devices from the list and click OK.

  5. (Optional, but strongly recommended) Configure the log filters.

    1. Enable Log Filters.

    2. Set the Log messages that match criteria:

      Log Field: Select Log Type from the dropdown.
      Match Criteria: Select Equal to from the dropdown.
      Value: Select Traffic, Event, or UTM from the dropdown.

  6. (Optional) Set Enable Exclusions to ON.

    Note

    To exclude fields related to user privacy, create individual filters for the Any and Traffic log types, and one for each UTM subtype (Antivirus, Application, DNS, Data Leak Prevention, Web Application Firewall, Email Filter, File Filter, Intrusion Prevention, SSH, SSL, and Web Filter).

    1. Configure the exclusion criteria.

      Setting and exclusion criteria:

      Device Type: Select FortiGate.
      Log Type: Select a log type from the dropdown list.
      Exclusion List: Click Fields to open the Select Log Field pane at the right side of the page.

      Use the following fields to exclude logs related to user privacy:

      Log type: Any
      • User

      Log type: Traffic
      • Destination Unauthenticated User (dstunauthuser)
      • Destination User (dstuser)
      • Unauthenticated User (unauthuser)

      Log type: Antivirus, Application, DNS, Data Leak Prevention, Email Filter, File Filter, Intrusion Prevention, SSH, SSL, Web Application Firewall, Web Filter (one exclusion filter per UTM subtype)
      • Unauthenticated User (unauthuser)

    2. Click OK.

  7. Repeat the step above for each exclusion filter type.

  8. Verify the settings are configured properly using the following command:

    show system log-forward

  9. Configure a log buffer cache size that accommodates 24 hours of logs in your FortiAnalyzer device to avoid log dropping in case of abrupt disconnection between your FortiAnalyzer and SOCaaS.
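The following script is an added example, not part of this guide or Fortinet's own tooling. It parses a `show system log-forward` dump in FortiOS-style `config / edit / set / next / end` syntax and checks the entry against the mandatory settings from step 3, then checks a set of GUI exclusion filters against the privacy-field table from step 6. The CLI key names (`fwd-server-type`, `fwd-reliable`, `fwd-max-delay`, `server-addr`) are assumed equivalents of the GUI settings, the sample dump is constructed, and the table's merged cell is read as applying `unauthuser` to every UTM subtype; confirm the key names against your own CLI output before relying on the check.

```python
"""Sanity-check a FortiAnalyzer 'show system log-forward' dump against the
SOCaaS forwarding settings in this procedure.

Added example, not Fortinet code. The CLI keys below are ASSUMED names for
the GUI settings; verify them against your own 'show system log-forward'.
"""

# Mandatory settings from step 3, mapped to assumed CLI key/value pairs.
REQUIRED = {
    "fwd-server-type": "fortianalyzer",  # Remote Server Type: FortiAnalyzer
    "fwd-reliable": "enable",            # Reliable Connection: On
    "fwd-max-delay": "realtime",         # Sending Frequency: Real-time
}
SERVER_KEY = "server-addr"               # Server FQDN/IP (assumed key)

# Privacy fields to exclude per log type (step 6 table, GUI names).  The
# merged table cell is read as "unauthuser" for every UTM subtype.
UTM_SUBTYPES = ("Antivirus", "Application", "DNS", "Data Leak Prevention",
                "Email Filter", "File Filter", "Intrusion Prevention", "SSH",
                "SSL", "Web Application Firewall", "Web Filter")
PRIVACY_FIELDS = {"Any": {"user"},
                  "Traffic": {"dstunauthuser", "dstuser", "unauthuser"}}
PRIVACY_FIELDS.update({t: {"unauthuser"} for t in UTM_SUBTYPES})

# Constructed sample dumps (hostname is a placeholder, not a real collector).
SAMPLE_OK = """config system log-forward
    edit 1
        set mode forwarding
        set fwd-max-delay realtime
        set server-name "socaas"
        set server-addr "collector.example.invalid"
        set fwd-server-type fortianalyzer
        set fwd-reliable enable
    next
end"""
SAMPLE_BAD = """config system log-forward
    edit 1
        set mode forwarding
        set fwd-max-delay 5min
        set server-name "socaas"
        set fwd-server-type fortianalyzer
        set fwd-reliable disable
    next
end"""


def parse_log_forward(text):
    """Return {entry_id: {key: value}} for each 'edit' block in the dump."""
    entries, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("edit "):
            current = s.split(None, 1)[1].strip('"')
            entries[current] = {}
        elif s.startswith("set ") and current is not None:
            parts = s.split(None, 2)          # "set", key, optional value
            value = parts[2] if len(parts) > 2 else ""
            entries[current][parts[1]] = value.strip('"')
        elif s == "next":
            current = None
    return entries


def check_entry(settings):
    """List every deviation from the mandatory step-3 settings."""
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, got {got!r}")
    if not settings.get(SERVER_KEY):
        findings.append(f"{SERVER_KEY}: missing (use the FQDN/IP from the SOC team)")
    return findings


def missing_privacy_exclusions(exclusions):
    """Given {log_type: set(excluded fields)} as configured in the GUI,
    return {log_type: fields still not excluded} for every gap."""
    missing = {}
    for log_type, wanted in PRIVACY_FIELDS.items():
        gap = wanted - set(exclusions.get(log_type, ()))
        if gap:
            missing[log_type] = gap
    return missing


if __name__ == "__main__":
    for name, dump in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        for entry_id, settings in parse_log_forward(dump).items():
            print(name, "entry", entry_id, "->", check_entry(settings) or "OK")
    partial = {"Any": {"user"}, "Traffic": {"dstunauthuser", "unauthuser"}}
    print("privacy gaps:", missing_privacy_exclusions(partial))
```

Feed the real `show system log-forward` output to `parse_log_forward` and the exclusion filters you configured in the GUI to `missing_privacy_exclusions`; an empty result from both is the state step 8 asks you to verify.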
