Administration Guide

Sending traffic logs to FortiAnalyzer Cloud

FortiGates with a FortiCloud Premium subscription (AFAC) for Cloud-based Central Logging & Analytics can send traffic logs to FortiAnalyzer Cloud in addition to UTM logs and event logs. After the Premium subscription is registered through FortiCare, FortiGuard verifies the purchase and authorizes the AFAC contract. Once the contract is verified, FortiGuard delivers the contract to the FortiGate.

FortiGates with a Standard FortiAnalyzer Cloud subscription (FAZC) can only send UTM and event logs. FortiGates with a Premium subscription will send the UTM and event logs even if the Standard subscription has expired.

Note

FortiAnalyzer Cloud does not support DLP/IPS archives at this time.

Example

In the following example, you will configure a FortiGate with a valid Premium subscription (AFAC) and expired Standard subscription (FAZC) to send traffic logs to FortiAnalyzer Cloud.

  1. Configure the log delivery.

    config log fortianalyzer-cloud setting
        set status enable
        set ips-archive disable
        set access-config enable
        set enc-algorithm high
        set ssl-min-proto-version default
        set conn-timeout 10
        set monitor-keepalive-period 5
        set monitor-failure-retry-period 5
        set certificate ''
        set source-ip ''
        set interface-select-method auto
        set upload-option realtime
        set priority default
        set max-log-rate 0
    end

  2. Verify the status of the FortiCloud Premium subscription (AFAC) and the Standard FortiAnalyzer Cloud subscription (FAZC).

    The FAZC and AFAC fields display each subscription's expiration date. The Support contract field displays the FortiCare account information. The User ID field displays the ID of the FortiAnalyzer Cloud instance.

    # diagnose test update info
    ...
    FAZC,Tue Sep 24 16:00:00 2030
    AFAC,Mon Nov 29 16:00:00 2021
    ...
    Support contract: pending_registration=255 got_contract_info=1
    account_id=[****@fortinet.com] company=[Fortinet] industry=[Technology]
    User ID: 979090

    Both the FAZC and AFAC subscriptions are valid on the date of verification (November 29, 2020).

  3. Check the status of FortiAnalyzer Cloud.

    # execute log fortianalyzer-cloud test-connectivity
    FortiAnalyzer Host Name: FAZVM64-VIO-CLOUD
    FortiAnalyzer Adom Name: root
    FortiGate Device ID: FG101FTK19000000
    Registration: registered
    Connection: allow
    Adom Disk Space (Used/Allocated): 50351453B/53687091200B
    Analytics Usage (Used/Allocated): 41368925B/37580963840B
    Analytics Usage (Data Policy Days Actual/Configured): 60/60 Days
    Archive Usage (Used/Allocated): 8982528B/16106127360B
    Archive Usage (Data Policy Days Actual/Configured): 235/365 Days
    Log: Tx & Rx (log not received)
    IPS Packet Log: Tx & Rx
    Content Archive: Tx & Rx
    Quarantine: Tx & Rx
    Certificate of Fortianalyzer valid and serial number is:FAZVCLTM20000000

  4. When the FortiCloud Premium (AFAC) and Standard FortiAnalyzer Cloud (FAZC) subscriptions are valid, the FortiGate sends the traffic, event, and UTM logs to the remote FortiAnalyzer Cloud.

    Traffic:

    # execute log filter device fortianalyzer-cloud
    # execute log filter category traffic
    # execute log filter dump
    category: traffic
    device: fortianalyzer-cloud
    start-line: 1
    view-lines: 10
    max-checklines: 0
    HA member:
    Oftp search string:
    # execute log display
    6512 logs found.
    10 logs returned.
    1: date=2020-11-29 time=13:57:33 id=6900668351836585985 itime="2020-11-29 13:57:34" euid=3 epid=1027 dsteuid=3 dstepid=101 logflag=1 logver=604041797 type="traffic" subtype="forward" level="notice" action="accept" policyid=1 sessionid=46536 srcip=10.1.100.72 dstip=172.16.100.55 transip=172.16.200.7 srcport=40797 dstport=53 transport=40797 trandisp="snat" duration=190 proto=17 sentbyte=268 rcvdbyte=0 sentpkt=4 rcvdpkt=0 logid=0000000013 service="DNS" app="DNS" appcat="unscanned" srcintfrole="undefined" dstintfrole="undefined" srcserver=0 dstserver=0 policytype="policy" eventtime=1606687054554969021 poluuid="c041939c-2930-51eb-1448-34c44a663331" srcmac="00:0c:29:eb:86:d6" mastersrcmac="00:0c:29:eb:86:d6" dstmac="e8:1c:ba:c2:86:63" masterdstmac="e8:1c:ba:c2:86:63" srchwvendor="VMware" osname="Linux" srccountry="Reserved" dstcountry="Reserved" srcintf="dmz" dstintf="wan1" policyname="to_WAN" tz="-0800" devid="FG101FTK19000000" vd="root" dtime="2020-11-29 13:57:33" itime_t=1606687054 devname="FortiGate-101F_F"

    Event:

    # execute log filter device fortianalyzer-cloud
    # execute log filter category event
    # execute log filter dump
    category: event
    device: fortianalyzer-cloud
    start-line: 1
    view-lines: 10
    max-checklines: 0
    HA member:
    Oftp search string:
    # execute log display
    1067 logs found.
    10 logs returned.
    1: date=2020-11-29 time=14:12:16 id=6900672144292708352 itime="2020-11-29 14:12:17" euid=3 epid=3 dsteuid=3 dstepid=3 logver=604041797 logid=0100038404 type="event" subtype="system" level="error" msg="unable to resolve FortiGuard hostname" logdesc="FortiGuard hostname unresolvable" hostname="service.fortiguard.net" eventtime=1606687936888734117 tz="-0800" devid="FG101FTK19000000" vd="root" dtime="2020-11-29 14:12:16" itime_t=1606687937 devname="FortiGate-101F_F"

    UTM:

    # execute log filter device fortianalyzer-cloud
    # execute log filter category utm-virus
    # execute log filter dump
    category: virus
    device: fortianalyzer-cloud
    start-line: 1
    view-lines: 10
    max-checklines: 0
    HA member:
    Oftp search string:
    # execute log display
    4 logs found.
    4 logs returned.
    1: date=2020-11-27 time=15:53:41 id=6899956121704857638 itime="2020-11-27 15:53:45" euid=1027 epid=101 dsteuid=3 dstepid=101 logver=604041797 type="utm" subtype="virus" level="warning" action="passthrough" sessionid=1957747803 policyid=1 srcip=168.10.199.186 dstip=172.252.3.20 srcport=22765 dstport=80 proto=6 vrf=32 logid=0212008448 service="NNTP" user="user3" group="group1" eventtime=1606521221884991620 crscore=5 craction=2 crlevel="low" srcintfrole="undefined" dstintfrole="undefined" direction="incoming" filefilter="file-pattern" filetype="ignored" filename="file_test" checksum="12345" eventtype="filename" srcintf="ssl.root" dstintf="x1" msg="File is blocked." tz="-0800" devid="FG101FTK19000000" vd="root" dtime="2020-11-27 15:53:41" itime_t=1606521225 devname="FortiGate-101F_F"

  5. When the FortiGate has a valid Premium FortiCloud subscription (AFAC) and an expired Standard FortiCloud subscription (FAZC), the FortiGate still sends the logs to the remote FortiAnalyzer Cloud.
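The procedure above can be checked programmatically when reviewing many FortiGates. The following script is an added example, not Fortinet's code or a FortiOS feature: it parses the `diagnose test update info` and `execute log display` output shown in this guide and applies the guide's entitlement rule (traffic logs require a valid Premium/AFAC contract; UTM and event logs are sent while either AFAC or the Standard/FAZC contract is valid), reporting any delivered log type that the contracts active on the verification date would not cover. The sample inputs are constructed from the output above (log lines shortened), the contract line date is treated as the expiry date, and the line and field formats are assumed to match what the guide shows.

```python
"""Audit which log types a FortiGate is entitled to send to FortiAnalyzer Cloud.

Added example (not Fortinet's code): parses the text shown by
`diagnose test update info` and `execute log display` in the guide and
applies the guide's rule: traffic logs require a valid Premium (AFAC)
contract; UTM and event logs are sent while either AFAC or the Standard
(FAZC) contract is valid. The contract date is treated as the expiry date.
"""
import re
from datetime import datetime

# Constructed sample: the relevant lines of `diagnose test update info`
# as shown in the guide.
UPDATE_INFO = """\
...
FAZC,Tue Sep 24 16:00:00 2030
AFAC,Mon Nov 29 16:00:00 2021
...
Support contract: pending_registration=255 got_contract_info=1
"""

# Constructed sample: one `execute log display` line per category,
# shortened from the guide's output.
LOG_LINES = [
    '1: date=2020-11-29 time=13:57:33 type="traffic" subtype="forward" '
    'level="notice" action="accept" policyid=1 srcip=10.1.100.72 '
    'dstip=172.16.100.55 service="DNS" devid="FG101FTK19000000"',
    '1: date=2020-11-29 time=14:12:16 type="event" subtype="system" '
    'level="error" msg="unable to resolve FortiGuard hostname" '
    'devid="FG101FTK19000000"',
    '1: date=2020-11-27 time=15:53:41 type="utm" subtype="virus" '
    'level="warning" action="passthrough" msg="File is blocked." '
    'devid="FG101FTK19000000"',
]

CONTRACT_RE = re.compile(r"^(FAZC|AFAC),(.+)$", re.MULTILINE)
CONTRACT_DATE_FMT = "%a %b %d %H:%M:%S %Y"    # e.g. "Mon Nov 29 16:00:00 2021"
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"


def parse_contracts(update_info):
    """Map contract name (FAZC/AFAC) to its expiry datetime."""
    return {name: datetime.strptime(date.strip(), CONTRACT_DATE_FMT)
            for name, date in CONTRACT_RE.findall(update_info)}


def entitled_log_types(contracts, at):
    """Log types FortiAnalyzer Cloud accepts from this FortiGate at time `at`."""
    afac_valid = "AFAC" in contracts and contracts["AFAC"] > at
    fazc_valid = "FAZC" in contracts and contracts["FAZC"] > at
    types = set()
    if afac_valid or fazc_valid:
        types |= {"utm", "event"}      # Standard or Premium contract
    if afac_valid:
        types.add("traffic")           # Premium contract only
    return types


def parse_log_line(line):
    """Parse one `execute log display` line into a dict of its fields."""
    line = re.sub(r"^\d+:\s*", "", line)  # drop the leading "1: " index
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def audit(update_info, log_lines, at):
    """Return (entitled types, log lines whose type the contracts do not cover).

    A non-empty second element means a log type was delivered that the
    subscriptions active at `at` would not entitle, which is worth a look.
    """
    entitled = entitled_log_types(parse_contracts(update_info), at)
    unexpected = [line for line in log_lines
                  if parse_log_line(line).get("type") not in entitled]
    return entitled, unexpected


if __name__ == "__main__":
    verified_at = datetime(2020, 11, 29)  # the guide's date of verification
    entitled, unexpected = audit(UPDATE_INFO, LOG_LINES, verified_at)
    print("entitled log types:", sorted(entitled))
    print("unexpected log lines:", len(unexpected))
    # After AFAC expires (Nov 29, 2021) only UTM and event logs remain entitled.
    later = datetime(2022, 1, 1)
    print("entitled on", later.date(), ":",
          sorted(entitled_log_types(parse_contracts(UPDATE_INFO), later)))
```

Run against the guide's output on its verification date, `audit` reports all three types as entitled and no unexpected lines; moving the check past the AFAC expiry flags the traffic line, which matches the behaviour described for an expired Premium contract. Passing a contracts dict with FAZC already expired but AFAC still valid reproduces step 5: all three types remain entitled.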