Administration Guide

Configuring FortiAnalyzer Cloud service

FortiAnalyzer Cloud differs from FortiAnalyzer in the following ways:

  • You cannot enable FortiAnalyzer Cloud in a VDOM's override-setting when the global FortiAnalyzer Cloud setting is disabled.
  • You must use the CLI to retrieve and display logs sent to FortiAnalyzer Cloud. The FortiOS GUI is not supported.
  • You cannot enable FortiAnalyzer Cloud and FortiGate Cloud at the same time.

For more information, see Licensing in the FortiAnalyzer Cloud Deployment Guide.

In the Security Fabric > Fabric Connectors > Cloud Logging card settings, FortiAnalyzer Cloud is grayed out when the FortiGate has no FortiAnalyzer Cloud entitlement. With an entitlement, FortiAnalyzer Cloud can be selected, and the FortiGate authenticates the FortiAnalyzer Cloud endpoint by its certificate.

You can also view the FortiAnalyzer Cloud settings in the Log & Report > Log Settings page.

In FortiAnalyzer Cloud, you can view logs from FortiOS in the Event > All Types page.

To configure FortiAnalyzer Cloud logging in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Logging card.
  2. Set the Type to FortiAnalyzer Cloud.
  3. Click OK. A prompt appears to verify the FortiAnalyzer Cloud serial number.
  4. Click Accept. The verified FortiAnalyzer Cloud certificate appears in the settings.

To enable FortiAnalyzer Cloud logging in the CLI:
  1. Configure the FortiAnalyzer Cloud settings:
    config log fortianalyzer-cloud setting
        set status enable
        set ips-archive disable
        set certificate-verification enable
        set serial "FAZVCLTM19000000"
        set access-config enable
        set enc-algorithm high
        set ssl-min-proto-version default
        set conn-timeout 10
        set monitor-keepalive-period 5
        set monitor-failure-retry-period 5
        set upload-option realtime
    end
  2. Configure the FortiAnalyzer Cloud filters:
    config log fortianalyzer-cloud filter
        set severity information
        set forward-traffic disable
        set local-traffic disable
        set multicast-traffic disable
        set sniffer-traffic disable
        set anomaly disable
        set voip disable
        set dlp-archive disable
    end
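The settings above are the security-relevant part of the link: certificate-verification decides whether the FortiGate will accept a spoofed FortiAnalyzer Cloud endpoint, enc-algorithm and ssl-min-proto-version decide how the log channel is encrypted, and upload-option decides how long logs sit on the box before they leave. The following script is an added example written for this page, not Fortinet code: it parses the `set <key> <value>` lines of the block exactly as shown here (or as printed by `show log fortianalyzer-cloud setting`) and reports values that weaken the channel. The HARDENED block is the page's own; the WEAK block, the function names and the judgement of which values count as weak are this example's assumptions, not a Fortinet recommendation.

```python
"""Audit a FortiOS 'config log fortianalyzer-cloud setting' block for weak values.

Added example for this page; not Fortinet code. Which values count as weak
is this example's assumption.
"""
import re

SET_LINE = re.compile(r'^\s*set\s+(\S+)\s+(.+?)\s*$')

# Key -> accepted value(s). Anything else is reported as weak.
ACCEPTED = {
    "status": {"enable"},                    # logging must actually be on
    "certificate-verification": {"enable"},  # reject a spoofed FortiAnalyzer Cloud endpoint
    "enc-algorithm": {"high"},               # no low-strength cipher suites on the log channel
    "upload-option": {"realtime"},           # no store-and-forward delay before logs leave the box
}

# Minimum TLS versions this audit treats as too old for a log channel (assumption).
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1-1"}

# The page's own block, used as the hardened reference input.
HARDENED = """\
config log fortianalyzer-cloud setting
    set status enable
    set ips-archive disable
    set certificate-verification enable
    set serial "FAZVCLTM19000000"
    set access-config enable
    set enc-algorithm high
    set ssl-min-proto-version default
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set upload-option realtime
end
"""

# Constructed weak variant (not from the page) that the audit should catch.
WEAK = """\
config log fortianalyzer-cloud setting
    set status enable
    set certificate-verification disable
    set serial "FAZVCLTM19000000"
    set enc-algorithm low
    set ssl-min-proto-version TLSv1-1
    set upload-option realtime
end
"""


def parse_setting_block(text):
    """Return {key: value} from the 'set' lines of one config block.
    Surrounding double quotes are stripped from the value."""
    settings = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m:
            key, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            settings[key] = value
    return settings


def audit_faz_cloud_setting(text):
    """Return findings as (level, key, found_value, note).

    level is 'weak' for a value that should be changed and 'info' for a
    value that cannot be judged from this block alone."""
    s = parse_setting_block(text)
    findings = []
    for key, ok in ACCEPTED.items():
        found = s.get(key)
        if found not in ok:
            findings.append(("weak", key, found, "expected one of: " + ", ".join(sorted(ok))))
    proto = s.get("ssl-min-proto-version")
    if proto in WEAK_TLS:
        findings.append(("weak", "ssl-min-proto-version", proto, "raise to TLSv1-2 or later"))
    elif proto == "default":
        # 'default' follows the system-global ssl-min-proto-version, so that value decides.
        findings.append(("info", "ssl-min-proto-version", proto,
                         "inherits the system-global minimum; check that value too"))
    if not s.get("serial"):
        findings.append(("weak", "serial", s.get("serial"),
                         "no FortiAnalyzer Cloud serial pinned; the GUI prompt verifies it"))
    return findings


if __name__ == "__main__":
    for name, block in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"== {name} ==")
        for level, key, found, note in audit_faz_cloud_setting(block):
            print(f"[{level}] {key}={found!r}: {note}")
```

Run it as-is to see the page's block pass with a single informational note about the inherited TLS minimum, and the weak variant flagged on certificate verification, cipher strength and protocol version; feed it the output of `show log fortianalyzer-cloud setting` from a real FortiGate to audit that box instead.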
To disable FortiAnalyzer Cloud logging for a specific VDOM in the CLI (run from within that VDOM):
  1. Enable the FortiAnalyzer override in the general log settings:
    config log setting
        set faz-override enable
    end
  2. Disable the FortiAnalyzer Cloud override setting:
    config log fortianalyzer-cloud override-setting
        set status disable
    end
A VDOM with the override disabled sends nothing to FortiAnalyzer Cloud, so its events are not visible there. The FortiGate still records the change itself as a configuration event; the second sample log below shows the same kind of record for a filter edit.
To set FortiAnalyzer Cloud logging to filter for a specific VDOM in the CLI:
  1. Enable override FortiAnalyzer in the general log settings:
    config log setting
        set faz-override enable
    end
  2. Enable the override FortiAnalyzer Cloud setting:
    config log fortianalyzer-cloud override-setting
        set status enable
    end
  3. Configure the override filters for FortiAnalyzer Cloud:
    config log fortianalyzer-cloud override-filter
        set severity information
        set forward-traffic disable
        set local-traffic disable
        set multicast-traffic disable
        set sniffer-traffic disable
        set anomaly disable
        set voip disable
        set dlp-archive disable
    end
To display FortiAnalyzer Cloud logs in the CLI:
# execute log filter device fortianalyzer-cloud
# execute log filter category event
# execute log display
Sample log:
date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" reason="name_invalid" method="https" eventtime=1556758666274548325 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiGate-501E"
date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" eventtime=1556758642413367644 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiGate-501E"
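Both sample records are events a SOC would want to act on: the first is a failed administrator login, the second is a change to the log-forwarding filter that raises the severity threshold from information to critical and so silently drops everything below critical from the feed. The following script is an added example written for this page, not FortiOS or FortiAnalyzer code: it parses the FortiOS key=value record format (quoted values may contain spaces, unquoted ones run to the next whitespace) and flags those two event types. The first two records are the page's own sample lines; the third is constructed here as a benign control, and the function names are this example's.

```python
"""Parse FortiOS key=value log records and flag failed admin logins and
changes to the log-forwarding configuration.

Added example for this page; not FortiOS or FortiAnalyzer code.
"""
import re
from collections import Counter

SAMPLE_LOGS = [
    # Page sample 1: failed admin login.
    'date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 '
    'itime="2019-05-01 17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 '
    'logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 '
    'dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from '
    'https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" '
    'sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" reason="name_invalid" '
    'method="https" eventtime=1556758666274548325 devid="FG5H1E5818900000" vd="root" '
    'dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiGate-501E"',
    # Page sample 2: filter severity raised, which drops lower-severity logs from the feed.
    'date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 '
    'itime="2019-05-01 17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 '
    'logid=0100044546 type="event" subtype="system" level="information" action="Edit" '
    'msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" '
    'user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 '
    'cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" '
    'eventtime=1556758642413367644 devid="FG5H1E5818900000" vd="root" '
    'dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiGate-501E"',
    # Constructed benign control (not from the page): successful admin login.
    'date=2019-05-01 time=17:58:10 type="event" subtype="system" level="information" '
    'srcip=10.6.30.254 action="login" msg="Administrator admin logged in successfully '
    'from https(10.6.30.254)" logdesc="Admin login successful" user="admin" '
    'ui="https(10.6.30.254)" status="success" method="https" '
    'devid="FG5H1E5818900000" vd="root" devname="FortiGate-501E"',
]

# key=value where the value is either a double-quoted string (may contain
# spaces) or a run of non-whitespace characters.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line):
    """Split one FortiOS log line into a dict of field -> string value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def detect_suspicious(records):
    """Return (rule, actor, detail) for each system event worth alerting on."""
    alerts = []
    for r in records:
        if r.get("type") != "event" or r.get("subtype") != "system":
            continue
        actor = f'{r.get("user")} via {r.get("ui")} on {r.get("devname")} vd={r.get("vd")}'
        if r.get("action") == "login" and r.get("status") == "failed":
            alerts.append(("admin_login_failed", actor, f'reason={r.get("reason")}'))
        elif (r.get("logdesc") == "Attribute configured"
              and r.get("cfgpath", "").startswith("log.")):
            # Any edit under log.* changes what the SOC gets to see; treat it as tampering until reviewed.
            alerts.append(("log_config_changed", actor, f'{r["cfgpath"]} {r.get("cfgattr")}'))
    return alerts


def failed_logins_by_source(records):
    """Count failed admin logins per source IP, the input for a threshold rule."""
    return Counter(r["srcip"] for r in records
                   if r.get("action") == "login" and r.get("status") == "failed"
                   and "srcip" in r)


if __name__ == "__main__":
    parsed = [parse_fortios_log(line) for line in SAMPLE_LOGS]
    for rule, actor, detail in detect_suspicious(parsed):
        print(f"{rule}: {actor}: {detail}")
    print("failed logins by source:", dict(failed_logins_by_source(parsed)))
```

The parser is deliberately field-based rather than keyed on logid values, so the same two rules work on the `execute log display` output shown above and on records exported from FortiAnalyzer Cloud; the per-source counter is the input to a simple brute-force threshold rule.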
