Sending traffic logs to FortiAnalyzer Cloud
FortiGates with a FortiCloud Premium subscription (AFAC) for Cloud-based Central Logging & Analytics can send traffic logs to FortiAnalyzer Cloud in addition to UTM logs and event logs. After the Premium subscription is registered through FortiCare, FortiGuard verifies the purchase and authorizes the AFAC contract. Once the contract is verified, FortiGuard delivers the contract to the FortiGate.
FortiGates with a Standard FortiAnalyzer Cloud subscription (FAZC) can only send UTM and event logs. FortiGates with a Premium subscription will send the UTM and event logs even if the Standard subscription has expired.
FortiAnalyzer Cloud does not support DLP/IPS archives at this time.
Example
In the following example, you will configure a FortiGate with a valid Premium subscription (AFAC) and expired Standard subscription (FAZC) to send traffic logs to FortiAnalyzer Cloud.
- Configure the log delivery.
config log fortianalyzer-cloud setting
set status enable
set ips-archive disable
set access-config enable
set enc-algorithm high
set ssl-min-proto-version default
set conn-timeout 10
set monitor-keepalive-period 5
set monitor-failure-retry-period 5
set certificate ''
set source-ip ''
set interface-select-method auto
set upload-option realtime
set priority default
set max-log-rate 0
end
- Verify the status of the FortiCloud Premium subscription (AFAC) and standard FortiAnalyzer Cloud subscription (FAZC).
The FAZC and AFAC fields display the subscription expiration date. The Support contract field displays the FortiCare account information. The User ID field displays the ID of the FortiAnalyzer Cloud instance.
# diagnose test update info
...
FAZC,Tue Sep 24 16:00:00 2030
AFAC,Mon Nov 29 16:00:00 2021
...
Support contract: pending_registration=255 got_contract_info=1
account_id=[****@fortinet.com] company=[Fortinet] industry=[Technology]
User ID: 979090
The FAZC and AFAC subscriptions are valid (date of verification is November 29, 2020).
- Check the status of FortiAnalyzer Cloud.
# execute log fortianalyzer-cloud test-connectivity
FortiAnalyzer Host Name: FAZVM64-VIO-CLOUD
FortiAnalyzer Adom Name: root
FortiGate Device ID: FG101FTK19000000
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 50351453B/53687091200B
Analytics Usage (Used/Allocated): 41368925B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 60/60 Days
Archive Usage (Used/Allocated): 8982528B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 235/365 Days
Log: Tx & Rx (log not received)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
Certificate of Fortianalyzer valid and serial number is:FAZVCLTM20000000
- When the FortiCloud Premium (AFAC) and standard FortiAnalyzer Cloud (FAZC) subscriptions are valid, the FortiGate sends the traffic, event, and UTM logs to the remote FortiAnalyzer Cloud.
Traffic:
# execute log filter device fortianalyzer-cloud
# execute log filter category traffic
# execute log filter dump
category: traffic
device: fortianalyzer-cloud
start-line: 1
view-lines: 10
max-checklines: 0
HA member:
Oftp search string:
# execute log display
6512 logs found.
10 logs returned.
1: date=2020-11-29 time=13:57:33 id=6900668351836585985 itime="2020-11-29 13:57:34" euid=3 epid=1027 dsteuid=3 dstepid=101 logflag=1 logver=604041797 type="traffic" subtype="forward" level="notice" action="accept" policyid=1 sessionid=46536 srcip=10.1.100.72 dstip=172.16.100.55 transip=172.16.200.7 srcport=40797 dstport=53 transport=40797 trandisp="snat" duration=190 proto=17 sentbyte=268 rcvdbyte=0 sentpkt=4 rcvdpkt=0 logid=0000000013 service="DNS" app="DNS" appcat="unscanned" srcintfrole="undefined" dstintfrole="undefined" srcserver=0 dstserver=0 policytype="policy" eventtime=1606687054554969021 poluuid="c041939c-2930-51eb-1448-34c44a663331" srcmac="00:0c:29:eb:86:d6" mastersrcmac="00:0c:29:eb:86:d6" dstmac="e8:1c:ba:c2:86:63" masterdstmac="e8:1c:ba:c2:86:63" srchwvendor="VMware" osname="Linux" srccountry="Reserved" dstcountry="Reserved" srcintf="dmz" dstintf="wan1" policyname="to_WAN" tz="-0800" devid="FG101FTK19000000" vd="root" dtime="2020-11-29 13:57:33" itime_t=1606687054 devname="FortiGate-101F_F"
Event:
# execute log filter device fortianalyzer-cloud
# execute log filter category event
# execute log filter dump
category: event
device: fortianalyzer-cloud
start-line: 1
view-lines: 10
max-checklines: 0
HA member:
Oftp search string:
# execute log display
1067 logs found.
10 logs returned.
1: date=2020-11-29 time=14:12:16 id=6900672144292708352 itime="2020-11-29 14:12:17" euid=3 epid=3 dsteuid=3 dstepid=3 logver=604041797 logid=0100038404 type="event" subtype="system" level="error" msg="unable to resolve FortiGuard hostname" logdesc="FortiGuard hostname unresolvable" hostname="service.fortiguard.net" eventtime=1606687936888734117 tz="-0800" devid="FG101FTK19000000" vd="root" dtime="2020-11-29 14:12:16" itime_t=1606687937 devname="FortiGate-101F_F"
UTM:
# execute log filter device fortianalyzer-cloud
# execute log filter category utm-virus
# execute log filter dump
category: virus
device: fortianalyzer-cloud
start-line: 1
view-lines: 10
max-checklines: 0
HA member:
Oftp search string:
# execute log display
4 logs found.
4 logs returned.
1: date=2020-11-27 time=15:53:41 id=6899956121704857638 itime="2020-11-27 15:53:45" euid=1027 epid=101 dsteuid=3 dstepid=101 logver=604041797 type="utm" subtype="virus" level="warning" action="passthrough" sessionid=1957747803 policyid=1 srcip=168.10.199.186 dstip=172.252.3.20 srcport=22765 dstport=80 proto=6 vrf=32 logid=0212008448 service="NNTP" user="user3" group="group1" eventtime=1606521221884991620 crscore=5 craction=2 crlevel="low" srcintfrole="undefined" dstintfrole="undefined" direction="incoming" filefilter="file-pattern" filetype="ignored" filename="file_test" checksum="12345" eventtype="filename" srcintf="ssl.root" dstintf="x1" msg="File is blocked." tz="-0800" devid="FG101FTK19000000" vd="root" dtime="2020-11-27 15:53:41" itime_t=1606521225 devname="FortiGate-101F_F"
- When the FortiGate has a valid Premium FortiCloud subscription (AFAC) and an expired Standard FortiCloud subscription (FAZC), the FortiGate still sends the logs to the remote FortiAnalyzer Cloud.
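The following Python check is an added example and not part of the Fortinet documentation. It parses the two diagnostic outputs shown above (constructed samples modelled on them) and applies the subscription rules stated on this page: a valid AFAC contract sends traffic, UTM, and event logs even when FAZC has expired; a valid FAZC contract alone sends only UTM and event logs. The quota threshold of 80% is an assumption for the example.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the "diagnose test update info" output above
UPDATE_INFO = """\
FAZC,Tue Sep 24 16:00:00 2030
AFAC,Mon Nov 29 16:00:00 2021
Support contract: pending_registration=255 got_contract_info=1
User ID: 979090
"""

# Constructed sample, modelled on "execute log fortianalyzer-cloud test-connectivity"
CONNECTIVITY = """\
Registration: registered
Connection: allow
Analytics Usage (Used/Allocated): 41368925B/37580963840B
Archive Usage (Used/Allocated): 8982528B/16106127360B
Log: Tx & Rx (log not received)
"""

def parse_contract_expiry(text):
    """Return {contract: expiry datetime} from the FAZC and AFAC lines."""
    expiry = {}
    for m in re.finditer(r"^(FAZC|AFAC),(.+)$", text, re.M):
        expiry[m.group(1)] = datetime.strptime(m.group(2).strip(), "%a %b %d %H:%M:%S %Y")
    return expiry

def log_types_sent(expiry, now):
    """Log categories the FortiGate sends to FortiAnalyzer Cloud at time `now`."""
    afac_ok = "AFAC" in expiry and expiry["AFAC"] > now
    fazc_ok = "FAZC" in expiry and expiry["FAZC"] > now
    if afac_ok:          # Premium: traffic logs too, even if FAZC has expired
        return {"traffic", "utm", "event"}
    if fazc_ok:          # Standard only: no traffic logs
        return {"utm", "event"}
    return set()

def connectivity_findings(text, quota_pct=80):
    """Flag conditions in the connectivity output that an operator should act on."""
    findings = []
    if not re.search(r"^Registration: registered$", text, re.M):
        findings.append("device not registered with FortiAnalyzer Cloud")
    if not re.search(r"^Connection: allow$", text, re.M):
        findings.append("connection not allowed")
    if "(log not received)" in text:
        findings.append("no logs received by FortiAnalyzer Cloud yet")
    for m in re.finditer(r"^(Analytics|Archive) Usage \(Used/Allocated\): (\d+)B/(\d+)B$", text, re.M):
        pct = 100 * int(m.group(2)) / int(m.group(3))   # assumed threshold, not a FortiOS value
        if pct >= quota_pct:
            findings.append(f"{m.group(1)} quota at {pct:.0f}%")
    return findings
```

Run it periodically against saved CLI output to confirm that the expected log categories are still being delivered after a subscription change.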