FortiAnalyzer Cloud Service

FortiGate now supports FortiAnalyzer Cloud service for Event Logging.

Note

Traffic and Security logs are not supported in the initial version of FortiAnalyzer Cloud.

When FortiAnalyzer Cloud is licensed and enabled, all Event logs are sent to FortiAnalyzer Cloud by default, and all Traffic logs, Security logs, and archive files are not sent to FortiAnalyzer Cloud.

Limitations:

  • FortiAnalyzer Cloud cannot be enabled in vdom override-setting when global FortiAnalyzer Cloud is disabled.
  • You must use the CLI to retrieve and display logs sent to FortiAnalyzer Cloud. FortiOS GUI is not supported.
  • You cannot enable FortiAnalyzer Cloud and FortiGate Cloud at the same time.

On the Security Fabric > Settings pane in FortiOS, the FortiAnalyzer Cloud tab is grayed out when you do not have a FortiAnalyzer Cloud entitlement.

When you have a FortiAnalyzer Cloud entitlement, the FortiAnalyzer Cloud tab is available on the Security Fabric > Settings pane.

You can also view the FortiAnalyzer Cloud settings on the Log & Report > Log Settings pane.

In FortiAnalyzer Cloud, you can view logs from FortiOS.

To enable fortianalyzer-cloud using the CLI:

config log fortianalyzer-cloud setting
    set status enable
    set ips-archive disable
    set access-config enable
    set enc-algorithm high
    set ssl-min-proto-version default
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set certificate ''
    set source-ip ''
    set upload-option realtime
end

config log fortianalyzer-cloud filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
    set dns disable
    set ssh disable
    set ssl disable
    set cifs disable
    set filter ''
    set filter-type include
end

To disable fortianalyzer-cloud for a specific VDOM using the CLI:

config log setting
    set faz-override enable
end

config log fortianalyzer-cloud override-setting
    set status disable
end

To set the fortianalyzer-cloud filter for a specific VDOM using the CLI:

config log setting
    set faz-override enable
end

config log fortianalyzer-cloud override-setting
    set status enable
end

config log fortianalyzer-cloud override-filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
    set dns disable
    set ssh disable
    set ssl disable
    set cifs disable
    set filter ''
    set filter-type include
end

To display fortianalyzer-cloud logs using the CLI:

exe log filter device fortianalyzer-cloud
exe log filter category event
exe log display

Sample logs:

date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" reason="name_invalid" method="https" eventtime=1556758666274548325 devid="FG5H1E5818900076" vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiGate-501E"

date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" eventtime=1556758642413367644 devid="FG5H1E5818900076" vd="root" dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiGate-501E"
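As an added example (not Fortinet's code and not part of this page), the following Python parses the FortiOS key=value event log format shown above and flags the two defender-relevant events the samples contain: a failed administrator login, and an edit to the fortianalyzer-cloud log filter that raises the severity threshold, which reduces what is forwarded to FortiAnalyzer Cloud. The two input lines are the page's own sample logs; the function names are assumptions of this example.

```python
import re

# FortiOS writes key=value pairs separated by spaces; a value is either a
# double-quoted string (which may itself contain spaces and parentheses)
# or a run of non-space characters.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The two event logs from this page's "Sample logs" section.
SAMPLE_LOGS = [
    'date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" '
    'euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" '
    'level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from '
    'https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" sn="0" user="ddd" '
    'ui="https(10.6.30.254)" status="failed" reason="name_invalid" method="https" eventtime=1556758666274548325 '
    'devid="FG5H1E5818900076" vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiGate-501E"',
    'date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" '
    'euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" '
    'level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" '
    'user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter" '
    'cfgattr="severity[information->critical]" eventtime=1556758642413367644 devid="FG5H1E5818900076" vd="root" '
    'dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiGate-501E"',
]


def parse_fortios_log(line: str) -> dict:
    """Parse one FortiOS key=value log line into a dict of string values."""
    out = {}
    for m in _KV.finditer(line):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def review_event(ev: dict) -> list:
    """Return defender-relevant findings for one parsed event log."""
    findings = []
    # Failed administrator login: the page's first sample (logid 0100032002).
    if ev.get("action") == "login" and ev.get("status") == "failed":
        findings.append("admin login failure: user=%s ui=%s reason=%s"
                        % (ev.get("user"), ev.get("ui"), ev.get("reason")))
    # A change under the "log." config tree: the page's second sample raises the
    # FortiAnalyzer Cloud severity filter from information to critical, which
    # silently cuts what is forwarded, so such edits deserve review.
    if ev.get("logdesc") == "Attribute configured" and ev.get("cfgpath", "").startswith("log."):
        findings.append("logging config changed: user=%s ui=%s %s %s"
                        % (ev.get("user"), ev.get("ui"), ev["cfgpath"], ev.get("cfgattr")))
    return findings


def review_logs(lines) -> list:
    """Parse and review a batch of raw FortiOS log lines, returning all findings."""
    return [f for line in lines for f in review_event(parse_fortios_log(line))]
```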
