Administration Guide

Configuring cloud logging

There are two options available in the Cloud Logging tab of the Logging & Analytics connector card: FortiGate Cloud and FortiAnalyzer Cloud. If there are multiple services enrolled on the FortiGate, the preference is: FortiAnalyzer Cloud logging, FortiAnalyzer logging, then FortiGate Cloud logging.

This topic covers the following cloud logging aspects:

  • Configuring FortiGate Cloud

  • Configuring FortiAnalyzer Cloud

Configuring FortiGate Cloud

FortiGate Cloud is a hosted security management and log retention service for FortiGate devices. It provides centralized reporting, traffic analysis, configuration management, and log retention without the need for additional hardware or software.

FortiGate Cloud offers a wide range of features:

  • Simplified central management

    FortiGate Cloud provides a central GUI to manage individual or aggregated FortiGate and FortiWiFi devices. Adding a device to the FortiGate Cloud management subscription is straightforward. FortiGate Cloud has detailed traffic and application visibility across the whole network.

  • Hosted log retention with large default storage allocated

    Log retention is an integral part of any security and compliance program, but administering a separate storage system is onerous. FortiGate Cloud takes care of this automatically and stores the valuable log information in the cloud. Different types of logs can be stored, including Traffic, System Events, Web, Applications, and Security Events.

  • Monitoring and alerting in real time

    Network availability is critical to a good end-user experience. FortiGate Cloud enables you to monitor your FortiGate network in real time with different alerting mechanisms to pinpoint potential issues. Alerting mechanisms can be delivered via email.

  • Customized or pre-configured reporting and analysis tools

    Reporting and analysis are your eyes and ears into your network’s health and security. Pre-configured reports are available, as well as custom reports that can be tailored to your specific reporting and compliance requirements. The reports can be emailed as PDFs, and can cover different time periods.

  • Maintain important configuration information uniformly

    The correct configuration of the devices within your network is essential for maintaining optimum performance and security posture. In addition, maintaining the correct firmware (operating system) level allows you to take advantage of the latest features.

  • Service security

    All communication (including log information) between the devices and the cloud is encrypted. Redundant data centers are always used to give the service high availability. Operational security measures have been put in place to make sure your data is secure — only you can view or retrieve it.

For more information, refer to the FortiGate Cloud documentation.

Registration and activation

Before you can activate a FortiGate Cloud account, you must register your device first.

FortiGate Cloud accounts can be registered manually through the FortiGate Cloud website, https://www.forticloud.com, or you can easily register and activate your account directly from your FortiGate.

To activate your FortiGate Cloud account:
  1. On your device, go to Dashboard > Status.

  2. In the FortiGate Cloud widget, click the Not Activated > Activate button in the Status field.

  3. A pane will open asking you to register your FortiGate Cloud account. Click Create Account, enter your information, view and accept the terms and conditions, and then click OK.

  4. A second dialogue window opens, asking you to enter your information to confirm your account. This sends a confirmation email to your registered email. The dashboard widget then updates to show that confirmation is required.

  5. Open your email, and follow the confirmation link it contains.

    A FortiGate Cloud page will open, stating that your account has been confirmed. The Activation Pending message on the dashboard will change to state the type of account you have, and will provide a link to the FortiGate Cloud portal.

Enabling logging to FortiGate Cloud

To enable logging to FortiGate Cloud:
  1. Go to Security Fabric > Fabric Connectors and double-click the Logging & Analytics card.

  2. On the Cloud Logging tab, set Type to FortiGate Cloud.

  3. Select an upload option:

    • Real Time: logs are sent to the cloud device in real time.

    • Every Minute: logs are sent to the cloud device once every minute.

    • Every 5 Minutes: logs are sent to the cloud device once every five minutes (default).

    Note

    If the Security Fabric connection is configured, only the Real Time option is available.

  4. Click OK.

Logging into the FortiGate Cloud portal

Once logging has been configured and you have registered your account, you can log into the FortiGate Cloud portal and begin viewing your logging results. There are two methods to reach the FortiGate Cloud portal:

  • If you have direct network access to the FortiGate:

    1. Go to Dashboard > Status.

    2. In the FortiGate Cloud widget, in the Status field, click Activated > Launch Portal, or, in the Licenses widget, click Support > Login to My Account.

  • If you do not have access to the FortiGate’s interface, visit the FortiGate Cloud website (https://www.forticloud.com) and log in remotely, using your email and password. It will ask you to confirm the FortiGate Cloud account you are connecting to and then you will be granted access.

Configuring a Security Fabric with FortiGate Cloud logging

A Security Fabric can be created on the root device using FortiGate Cloud for cloud logging. When FortiCloud account enforcement is enabled (the default), members joining the Fabric must be registered to the same FortiCloud account. Devices that are not activated with FortiCloud are also allowed to join.

For example, the root FortiGate (FGT_10_101F) is configured with FortiGate Cloud logging. In the Security Fabric settings, the FortiCloud account enforcement option is enabled by default. The downstream FortiGate, FGT-F-VM, with the same FortiCloud account ID is able to join the Fabric.

To configure a Security Fabric with FortiCloud logging in the GUI:
  1. Configure the Security Fabric settings on the root FortiGate (see Configuring the root FortiGate and downstream FortiGates). The FortiCloud account enforcement setting is enabled by default.

  2. Configure FortiCloud logging on the root FortiGate:

    1. Go to Security Fabric > Fabric Connectors and double-click the Logging & Analytics card.

    2. On the Cloud Logging tab, set Type to FortiGate Cloud.

    3. Click OK.

  3. Configure the FGT-F-VM to join the Security Fabric:

    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.

    2. Set Security Fabric role to Join Existing Fabric.

    3. Click OK. The FortiGate is authorized and successfully joins the Security Fabric.

  4. Check the FortiCloud logging settings:

    1. Go to Security Fabric > Fabric Connectors and double-click the Logging & Analytics card.

    2. Go to the Cloud Logging tab. The settings are automatically retrieved from the root FortiGate and the Account is the same.

To configure a Security Fabric with FortiCloud logging in the CLI:
config log fortiguard setting
    set status enable
    set upload-option realtime
end

The FortiCloud account enforcement setting is enabled by default in the Security Fabric settings:

show system csf
    config system csf
        set status enable
        set group-name "CSF_101"
        set forticloud-account-enforcement enable
    end

Cloud sandboxing

FortiGate Cloud can be used for automated sample tracking, or sandboxing, of files from a FortiGate. This allows suspicious files to be sent for inspection without risking network security. If the file exhibits risky behavior, or is found to contain a virus, a new virus signature is created and added to the FortiGuard antivirus signature database.

See Configuring sandboxing for instructions to configure FortiGate Cloud Sandbox. Sandboxing results are shown on the Sandbox tab in the FortiGate Cloud portal.

Configuring FortiAnalyzer Cloud

FortiAnalyzer Cloud differs from FortiAnalyzer in the following ways:

  • You cannot enable FortiAnalyzer Cloud in a VDOM override-setting when the global FortiAnalyzer Cloud setting is disabled.

  • You must use the CLI to retrieve and display logs sent to FortiAnalyzer Cloud. The FortiOS GUI is not supported.

  • You cannot enable FortiAnalyzer Cloud and FortiGate Cloud at the same time.

For more information, see Licensing in the FortiAnalyzer Cloud Deployment Guide.

In the Security Fabric > Fabric Connectors > Logging & Analytics card settings, FortiAnalyzer Cloud is grayed out when you do not have a FortiAnalyzer Cloud entitlement. When you have a FortiAnalyzer Cloud entitlement, FortiAnalyzer Cloud is available and you can authenticate using the certificate.

In FortiAnalyzer Cloud, you can view logs from FortiOS in the Event > All Types page.

To configure FortiAnalyzer Cloud logging in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Logging & Analytics card.

  2. Select the Cloud Logging tab and set the Type to FortiAnalyzer Cloud.

  3. Optionally, configure the remaining log settings:

    Upload option

    Select the frequency of log uploads to the remote device:

    • Real Time: logs are sent to the remote device in real time.

    • Every Minute: logs are sent to the remote device once every minute. This option is unavailable if the Security Fabric connection is configured.

    • Every 5 Minutes: logs are sent to the remote device once every five minutes. This is the default option. This option is unavailable if the Security Fabric connection is configured.

    Allow access to FortiGate REST API

    Define access to FortiGate REST API:

    • Enable: the REST API accesses the FortiGate topology and shares data and results.

    • Disable: the REST API does not share data and results.

    Verify FortiAnalyzer Cloud certificate

    Define the FortiAnalyzer Cloud certificate verification process:

    • Enable: the FortiGate will verify the FortiAnalyzer Cloud serial number against the FortiAnalyzer certificate. When verified, the serial number is stored in the FortiGate configuration.

    • Disable: the FortiGate will not verify the FortiAnalyzer Cloud certificate against the serial number.

  4. Click OK. A prompt appears to verify the FortiAnalyzer Cloud serial number.

  5. Click Accept.

  6. The verified FortiAnalyzer Cloud certificate appears in the settings.

To enable FortiAnalyzer Cloud logging in the CLI:
  1. Configure the FortiAnalyzer Cloud settings:

    config log fortianalyzer-cloud setting
        set status enable
        set ips-archive disable
        set certificate-verification enable
        set serial "FAZVCLTM19000000"
        set access-config enable
        set enc-algorithm high
        set ssl-min-proto-version default
        set conn-timeout 10
        set monitor-keepalive-period 5
        set monitor-failure-retry-period 5
        set upload-option realtime
    end
  2. Configure the FortiAnalyzer Cloud filters:

    config log fortianalyzer-cloud filter
        set severity information
        set forward-traffic disable
        set local-traffic disable
        set multicast-traffic disable
        set sniffer-traffic disable
        set anomaly disable
        set voip disable
        set dlp-archive disable
    end
To disable FortiAnalyzer Cloud logging for a specific VDOM in the CLI:
  1. Enable override FortiAnalyzer in the general log settings:

    config log setting
        set faz-override enable
    end
  2. Disable the override FortiAnalyzer Cloud setting:

    config log fortianalyzer-cloud override-setting
        set status disable
    end
To set FortiAnalyzer Cloud logging to filter for a specific VDOM in the CLI:
  1. Enable override FortiAnalyzer in the general log settings:

    config log setting
        set faz-override enable
    end
  2. Enable the override FortiAnalyzer Cloud setting:

    config log fortianalyzer-cloud override-setting
        set status enable
    end
  3. Configure the override filters for FortiAnalyzer Cloud:

    config log fortianalyzer-cloud override-filter
        set severity information
        set forward-traffic disable
        set local-traffic disable
        set multicast-traffic disable
        set sniffer-traffic disable
        set anomaly disable
        set voip disable
        set dlp-archive disable
    end
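The CLI blocks in this topic can be checked offline against the constraints the topic states. The following Python script is an added example, not Fortinet code and not part of this guide: it parses exported FortiOS `config ... end` blocks of the flat form shown above and reports when FortiAnalyzer Cloud and FortiGate Cloud are both enabled, when a VDOM override-setting enables FortiAnalyzer Cloud while the global setting is disabled, when a Security Fabric is configured but a non-realtime upload option is set, and when certificate-verification is disabled. The sample configuration is constructed for the example; the value `5-minute` used there for a non-realtime upload option is an assumption, and the script only ever reads text, it does not connect to a FortiGate.

```python
"""Lint exported FortiOS 'config ... end' blocks against the cloud-logging
constraints described in this topic.  Added example, not Fortinet code:
it reads a saved configuration text and never talks to a FortiGate.

Rules checked (all stated on this page):
  * FortiAnalyzer Cloud and FortiGate Cloud cannot both be enabled.
  * A VDOM override-setting cannot enable FortiAnalyzer Cloud while the
    global FortiAnalyzer Cloud setting is disabled.
  * Once a Security Fabric is configured, only the realtime upload option
    is available.
  * certificate-verification should remain enabled so the FortiAnalyzer
    Cloud serial is checked against its certificate.
"""
from typing import Dict, List

# Constructed sample: a global block that is enabled but weakened, a VDOM
# override, FortiGate Cloud also enabled, and a Security Fabric root.
# The value "5-minute" for the non-realtime upload option is an assumption.
SAMPLE_CONFIG = """\
config log fortianalyzer-cloud setting
    set status enable
    set certificate-verification disable
    set upload-option 5-minute
end
config log fortianalyzer-cloud override-setting
    set status enable
end
config log fortiguard setting
    set status enable
    set upload-option realtime
end
config system csf
    set status enable
    set group-name "CSF_101"
end
"""


def parse_fortios(text: str) -> Dict[str, Dict[str, str]]:
    """Map each 'config <path>' block to its 'set key value' pairs.

    Only the flat blocks used on this page are needed; 'edit' tables and
    nested 'config' sub-blocks are not modelled.
    """
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = line[len("config "):].strip()
            blocks.setdefault(current, {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[len("set "):].partition(" ")
            blocks[current][key] = value.strip().strip('"')
        elif line == "end":
            current = None
    return blocks


def lint_cloud_logging(blocks: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per violated rule; an empty list means clean."""
    faz = blocks.get("log fortianalyzer-cloud setting", {})
    faz_vdom = blocks.get("log fortianalyzer-cloud override-setting", {})
    fgc = blocks.get("log fortiguard setting", {})
    csf = blocks.get("system csf", {})
    faz_on = faz.get("status") == "enable"
    fgc_on = fgc.get("status") == "enable"
    findings: List[str] = []

    if faz_on and fgc_on:
        findings.append("FortiAnalyzer Cloud and FortiGate Cloud are both enabled; "
                        "FortiOS allows only one of them")
    if faz_vdom.get("status") == "enable" and not faz_on:
        findings.append("VDOM override-setting enables FortiAnalyzer Cloud while the "
                        "global setting is disabled; this is not permitted")
    if faz_on and faz.get("certificate-verification") == "disable":
        findings.append("certificate-verification is disabled; the FortiAnalyzer Cloud "
                        "serial will not be checked against its certificate")
    if csf.get("status") == "enable":
        # Only flag an explicitly set non-realtime option; an absent key is left alone.
        for name, blk in (("fortianalyzer-cloud", faz), ("fortiguard", fgc)):
            opt = blk.get("upload-option")
            if blk.get("status") == "enable" and opt is not None and opt != "realtime":
                findings.append(f"{name}: Security Fabric is configured but upload-option "
                                f"is {opt}; only realtime is available")
    return findings


if __name__ == "__main__":
    for finding in lint_cloud_logging(parse_fortios(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run it against the text of `show log fortianalyzer-cloud setting`, `show log fortiguard setting` and `show system csf` saved from a device; the sample above produces three findings, and a configuration with only one cloud destination enabled, certificate-verification enabled and the realtime upload option produces none.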
To display FortiAnalyzer Cloud logs in the CLI:
# execute log filter device fortianalyzer-cloud
# execute log filter category event
# execute log display
Sample log
date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" reason="name_invalid" method="https" eventtime=1556758666274548325 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiGate-501E"
date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" eventtime=1556758642413367644 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiGate-501E"
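The two records above are in the FortiOS key=value format, where a value is either a double-quoted string that may contain spaces or a bare token. The following Python script is an added example, not Fortinet code: it parses records in that format and flags the two events the sample log happens to contain, a failed administrator login (`logid=0100032002`, `logdesc="Admin login failed"`) and an edit to the FortiAnalyzer Cloud log filter (`logdesc="Attribute configured"` with a `cfgpath` under `log.`), which a SOC would want to see because raising the forwarded severity narrows what reaches the collector. The embedded records are copied from the sample log above; the `logid`/`logdesc` values used for matching are taken from those records, and the `name[old->new]` layout of `cfgattr` is read off the second record.

```python
"""Parse FortiOS key=value log records, such as those printed by
'execute log display', and flag the two event types in this topic's
sample log: failed administrator logins and edits to the logging
configuration.  Added example, not Fortinet code; the logid/logdesc
values used for matching are taken from the sample records below."""
import re
from typing import Dict, List, Optional, Tuple

# Both records are copied from this topic's sample log output.
SAMPLE_LOG = '''\
date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" reason="name_invalid" method="https" eventtime=1556758666274548325 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiGate-501E"
date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" eventtime=1556758642413367644 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiGate-501E"
'''

# key=value pairs: the value is either a double-quoted string (which may
# contain spaces) or a run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# cfgattr values look like   name[old->new]
_CFGATTR = re.compile(r'^([^\[]+)\[(.*?)->(.*?)\]$')


def parse_record(line: str) -> Dict[str, str]:
    """Turn one log line into a dict.  Quoted values lose their quotes but
    are not otherwise altered (a trailing space inside quotes is kept)."""
    record: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        record[key] = value
    return record


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of a log dump."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def parse_cfgattr(value: str) -> Optional[Tuple[str, str, str]]:
    """Split 'severity[information->critical]' into (name, old, new)."""
    m = _CFGATTR.match(value)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def triage(records: List[Dict[str, str]]) -> List[str]:
    """Return one alert line per event of interest, in input order."""
    alerts: List[str] = []
    for r in records:
        if r.get("logid") == "0100032002" or r.get("logdesc") == "Admin login failed":
            alerts.append(f"{r.get('dtime')} admin login failure on {r.get('devname')}: "
                          f"user={r.get('user')} via {r.get('ui')} reason={r.get('reason')}")
        elif r.get("logdesc") == "Attribute configured" and r.get("cfgpath", "").startswith("log."):
            parsed = parse_cfgattr(r.get("cfgattr", ""))
            change = f"{parsed[0]} {parsed[1]} -> {parsed[2]}" if parsed else r.get("cfgattr")
            alerts.append(f"{r.get('dtime')} logging config changed on {r.get('devname')} by "
                          f"{r.get('user')} via {r.get('ui')}: {r.get('cfgpath')} ({change})")
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_log(SAMPLE_LOG)):
        print(alert)
```

The same parser works for the other log types named in this topic (traffic, web, application) because the key=value encoding is shared; only the `triage` rules are specific to event logs. Keying the login rule on `logid` as well as `logdesc` keeps it working if the message text is localized or reworded.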
