Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.3 Administration Guide
    7.2.3
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Configuring FortiAnalyzer Cloud service

    Configuring FortiAnalyzer Cloud service

    FortiAnalyzer Cloud differs from FortiAnalyzer in the following ways:

    • You cannot enable FortiAnalyzer Cloud in vdom override-setting when global FortiAnalyzer Cloud is disabled.
    • You must use the CLI to retrieve and display logs sent to FortiAnalyzer Cloud. The FortiOS GUI is not supported.
    • You cannot enable FortiAnalyzer Cloud and FortiGate Cloud at the same time.

    For more information, see Licensing in the FortiAnalyzer Cloud Deployment Guide.

    In the Security Fabric > Fabric Connectors > Cloud Logging card settings, FortiAnalyzer Cloud is grayed out when you do not have a FortiAnalyzer Cloud entitlement. When you have a FortiAnalyzer Cloud entitlement, FortiAnalyzer Cloud is available and you can authenticate by the certificate.

    You can also view the FortiAnalyzer Cloud settings in the Log & Report > Log Settings page.

    In FortiAnalyzer Cloud, you can view logs from FortiOS in the Event > All Types page.

    To configure FortiAnalyzer Cloud logging in the GUI:
    1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Logging card.
    2. Set the Type to FortiAnalyzer Cloud.
    3. Click OK. A prompt appears to verify the FortiAnalyzer Cloud serial number.

    4. Click Accept.
    5. The verified FortiAnalyzer Cloud certificate appears in the settings.

    To enable FortiAnalyzer Cloud logging in the CLI:
    1. Configure the FortiAnalyzer Cloud settings:
      config log fortianalyzer-cloud setting
    set status enable
    set ips-archive disable
    set certificate-verification enable
    set serial "FAZVCLTM19000000"
    set access-config enable
    set enc-algorithm high
    set ssl-min-proto-version default
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set upload-option realtime
end
    2. Configure the FortiAnalyzer Cloud filters:
      config log fortianalyzer-cloud filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
end
    To disable FortiAnalyzer Cloud logging for a specific VDOM in the CLI:
    1. Enable override FortiAnalyzer in the general log settings:
      config log setting
    set faz-override enable
end
    2. Disable the override FortiAnalyzer Cloud setting:
      config log fortianalyzer-cloud override-setting
    set status disable
end
    To set FortiAnalyzer Cloud logging to filter for a specific VDOM in the CLI:
    1. Enable override FortiAnalyzer in the general log settings:
      config log setting
    set faz-override enable
end
    2. Enable the override FortiAnalyzer Cloud setting:
      config log fortianalyzer-cloud override-setting
    set status enable
end
    3. Configure the override filters for FortiAnalyzer Cloud:
      config log fortianalyzer-cloud override-filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
end
    To display FortiAnalyzer Cloud logs in the CLI:
    # ​​​​​​​execute log filter device fortianalyzer-cloud
# execute log filter category event
# execute log display​​​​​​​
    Sample log
    date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" reason="name_invalid" method="https" eventtime=1556758666274548325 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiGate-501E"
    date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" eventtime=1556758642413367644 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiGate-501E"
    Previous
    Next

    More Links

    Deploying FortiAnalyzer Cloud

    Configuring FortiAnalyzer Cloud service

    Configuring FortiAnalyzer Cloud service

    FortiAnalyzer Cloud differs from FortiAnalyzer in the following ways:

    • You cannot enable FortiAnalyzer Cloud in vdom override-setting when global FortiAnalyzer Cloud is disabled.
    • You must use the CLI to retrieve and display logs sent to FortiAnalyzer Cloud. The FortiOS GUI is not supported.
    • You cannot enable FortiAnalyzer Cloud and FortiGate Cloud at the same time.

    For more information, see Licensing in the FortiAnalyzer Cloud Deployment Guide.

    In the Security Fabric > Fabric Connectors > Cloud Logging card settings, FortiAnalyzer Cloud is grayed out when you do not have a FortiAnalyzer Cloud entitlement. When you have a FortiAnalyzer Cloud entitlement, FortiAnalyzer Cloud is available and you can authenticate by the certificate.

    You can also view the FortiAnalyzer Cloud settings in the Log & Report > Log Settings page.

    In FortiAnalyzer Cloud, you can view logs from FortiOS in the Event > All Types page.

    To configure FortiAnalyzer Cloud logging in the GUI:
    1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Logging card.
    2. Set the Type to FortiAnalyzer Cloud.
    3. Click OK. A prompt appears to verify the FortiAnalyzer Cloud serial number.

    4. Click Accept.
    5. The verified FortiAnalyzer Cloud certificate appears in the settings.

    To enable FortiAnalyzer Cloud logging in the CLI:
    1. Configure the FortiAnalyzer Cloud settings:
      config log fortianalyzer-cloud setting
    set status enable
    set ips-archive disable
    set certificate-verification enable
    set serial "FAZVCLTM19000000"
    set access-config enable
    set enc-algorithm high
    set ssl-min-proto-version default
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set upload-option realtime
end
    2. Configure the FortiAnalyzer Cloud filters:
      config log fortianalyzer-cloud filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
end
    To disable FortiAnalyzer Cloud logging for a specific VDOM in the CLI:
    1. Enable override FortiAnalyzer in the general log settings:
      config log setting
    set faz-override enable
end
    2. Disable the override FortiAnalyzer Cloud setting:
      config log fortianalyzer-cloud override-setting
    set status disable
end
    To set FortiAnalyzer Cloud logging to filter for a specific VDOM in the CLI:
    1. Enable override FortiAnalyzer in the general log settings:
      config log setting
    set faz-override enable
end
    2. Enable the override FortiAnalyzer Cloud setting:
      config log fortianalyzer-cloud override-setting
    set status enable
end
    3. Configure the override filters for FortiAnalyzer Cloud:
      config log fortianalyzer-cloud override-filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
end
    To display FortiAnalyzer Cloud logs in the CLI:
    # ​​​​​​​execute log filter device fortianalyzer-cloud
# execute log filter category event
# execute log display​​​​​​​
    Sample log
    date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" reason="name_invalid" method="https" eventtime=1556758666274548325 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiGate-501E"
    date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" eventtime=1556758642413367644 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiGate-501E"
    Previous
    Next