Administration Guide

Configuring FortiAnalyzer

FortiAnalyzer is a required component for the Security Fabric. In 6.4.4 and above, either FortiAnalyzer or FortiAnalyzer Cloud can be used to meet this requirement. FortiAnalyzer allows the Security Fabric to show historical data for the Security Fabric topology and logs for the entire Security Fabric.

For more information about using FortiAnalyzer, see the FortiAnalyzer Administration Guide.

To connect a FortiAnalyzer to the Security Fabric:
  1. Enable FortiAnalyzer Logging on the root FortiGate. See Configure the root FortiGate.
  2. On the FortiAnalyzer, go to System Settings > Network and click All Interfaces.
  3. Edit the port that connects to the root FortiGate.
  4. Set the IP Address/Netmask to the IP address that is used for the Security Fabric on the root FortiGate.
  5. Click OK.
     If the FortiGates have already been configured, they will now be listed as unauthorized devices.
  6. Go to Device Manager > Devices Unauthorized. The unauthorized FortiGate devices are listed.
  7. Select the root FortiGate and downstream FortiGate devices in the list, then click Authorize. The Authorize Device page opens.
  8. Click OK to authorize the selected devices.
  9. On the FortiGate devices, go to Security Fabric > Fabric Connectors and double-click the FortiAnalyzer Logging card. The page now shows the ADOM on the FortiAnalyzer that the FortiGate belongs to, and the storage, analytics, and archive usage.

Sending traffic logs to FortiAnalyzer Cloud

FortiGates running version 6.4.4 or later, with a FortiCloud Premium subscription (AFAC) for Cloud-based Central Logging & Analytics, can send traffic logs to FortiAnalyzer Cloud in addition to UTM logs and event logs. After the Premium subscription is registered through FortiCare, FortiGuard verifies the purchase and authorizes the AFAC contract. Once the contract is verified, FortiGuard delivers the contract to the FortiGate.

FortiGates with a Standard FortiAnalyzer Cloud subscription (FAZC) can only send UTM and event logs. FortiGates with a Premium subscription will send the UTM and event logs even if the Standard subscription has expired.

For information about cloud logging, see FortiAnalyzer Cloud service.

Note

FortiAnalyzer Cloud does not support DLP/IPS archives at this time.

To verify the status of a FortiCloud subscription with the CLI:

# diagnose test update info

The FAZC and AFAC fields display the subscription expiration dates. The Support contract field displays the FortiCare account information. The User ID field displays the ID of the FortiAnalyzer Cloud instance.

...
FAZC,Tue Sep 24 16:00:00 2030
AFAC,Mon Nov 29 16:00:00 2021
...
Support contract: pending_registration=255 got_contract_info=1
account_id=[****@fortinet.com] company=[Fortinet] industry=[Technology]
User ID: 979090
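As an added example (not Fortinet's code and not part of this guide), the following Python script parses output collected from diagnose test update info and reports which log types the FortiGate is entitled to send to FortiAnalyzer Cloud under the FAZC/AFAC rules above. The sample output is constructed from the excerpt on this page; the line format, the check function and its ISO-date now_iso argument are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, mirroring the `diagnose test update info` excerpt on this page.
SAMPLE_OUTPUT = """...
FAZC,Tue Sep 24 16:00:00 2030
AFAC,Mon Nov 29 16:00:00 2021
...
Support contract: pending_registration=255 got_contract_info=1
account_id=[****@fortinet.com] company=[Fortinet] industry=[Technology]
User ID: 979090
"""

# Contract lines are assumed to look like "<CODE>,<ctime-style date>", as in the excerpt.
CONTRACT_RE = re.compile(r"^(FAZC|AFAC),(.+)$")
DATE_FMT = "%a %b %d %H:%M:%S %Y"

def parse_contracts(output):
    """Return {code: expiry datetime} for every FAZC/AFAC line found."""
    contracts = {}
    for line in output.splitlines():
        m = CONTRACT_RE.match(line.strip())
        if m:
            contracts[m.group(1)] = datetime.strptime(m.group(2).strip(), DATE_FMT)
    return contracts

def cloud_log_types(contracts, now):
    """Log types the FortiGate may send to FortiAnalyzer Cloud, per the guide:
    an active Premium (AFAC) contract allows UTM, event and traffic logs (even if
    Standard has lapsed); an active Standard (FAZC) contract alone allows UTM and event."""
    if "AFAC" in contracts and contracts["AFAC"] > now:
        return {"utm", "event", "traffic"}
    if "FAZC" in contracts and contracts["FAZC"] > now:
        return {"utm", "event"}
    return set()

def check(output, now_iso=None):
    """Summarise entitlement as of now_iso (ISO 8601 string; default: current time):
    expiry dates as ISO strings, permitted log types, and contracts already expired,
    so a traffic-log gap shows up when AFAC has lapsed while FAZC is still valid."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now()
    contracts = parse_contracts(output)
    return {
        "expiry": {c: d.isoformat() for c, d in contracts.items()},
        "log_types": sorted(cloud_log_types(contracts, now)),
        "expired": sorted(c for c, d in contracts.items() if d <= now),
    }
```

Run check(SAMPLE_OUTPUT) against a saved copy of the command output; with the sample values the Premium contract has lapsed, so only UTM and event logs reach FortiAnalyzer Cloud.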