Fortinet Document Library

Version:

Version:

Version:


Table of Contents

More Links

Fortinet Security Fabric

Administration Guide

Download PDF
Copy Link

Configuring FortiAnalyzer

FortiAnalyzer is a required component for the Security Fabric. In 6.4.4 and later, either FortiAnalyzer or FortiAnalyzer Cloud can be used to meet this requirement. FortiAnalyzer allows the Security Fabric to show historical data for the Security Fabric topology and logs for the entire Security Fabric.

For more information about using FortiAnalyzer, see the FortiAnalyzer Administration Guide.

Note

FortiAnalyzer 7.0.1 is required for this configuration example.

To authorize a FortiAnalyzer in the Security Fabric:
  1. In FortiAnalyzer, configure the authorization address and port:
    1. Go to System Settings > Admin > Admin Settings.
    2. In the Fabric Authorization section, enter an Authorization Address and Authorization Port. This is used to access the FortiAnalyzer login screen.

    3. Click Apply.
  2. In FortiOS, go to Security Fabric > Fabric Connectors and double-click the FortiAnalyzer Logging card.
  3. Enter the FortiAnalyzer IP.
  4. Click OK. The FortiAnalyzer Status (in the right-side gutter) is Unauthorized.

  5. Click Authorize. You are redirected to a login screen.
  6. Enter the username and password, then click Login.

    The authorization dialog opens.

  7. Select Approve and click OK to authorize the FortiGate.

  8. In FortiOS, refresh the FortiAnalyzer Logging page. The FortiAnalyzer Status is Authorized.

Sending traffic logs to FortiAnalyzer Cloud

FortiGates running version 6.4.4. or later, with a FortiCloud Premium subscription (AFAC) for Cloud-based Central Logging & Analytics, can send traffic logs to FortiAnalyzer Cloud in addition to UTM logs and event logs. After the Premium subscription is registered through FortiCare, FortiGuard will verify the purchase and authorize the AFAC contract. Once the contract is verified, FortiGuard will deliver the contract to FortiGate.

FortiGates with a Standard FortiAnalyzer Cloud subscription (FAZC) can only send UTM and event logs. FortiGates with a Premium subscription will send the UTM and event logs even if the Standard subscription has expired.

For information about cloud logging, see FortiAnalyzer Cloud service

Note

FortiAnalyzer Cloud does not support DLP/IPS archives at this time.

To verify the status a FortiCloud subscription with the CLI:

# diagnose test update info

The FAZC and AFAC fields display the subscription expiration date. The Support contract field displays the FortiCare account information. The User ID field displays the ID for FortiAnalyzer-Cloud instance.

...

FAZC,Tue Sep 24 16:00:00 2030

AFAC,Mon Nov 29 16:00:00 2021

...

Support contract: pending_registration=255 got_contract_info=1

account_id=[****@fortinet.com] company=[Fortinet] industry=[Technology]

User ID: 979090

More Links

Configuring FortiAnalyzer

FortiAnalyzer is a required component for the Security Fabric. In 6.4.4 and later, either FortiAnalyzer or FortiAnalyzer Cloud can be used to meet this requirement. FortiAnalyzer allows the Security Fabric to show historical data for the Security Fabric topology and logs for the entire Security Fabric.

For more information about using FortiAnalyzer, see the FortiAnalyzer Administration Guide.

Note

FortiAnalyzer 7.0.1 is required for this configuration example.

To authorize a FortiAnalyzer in the Security Fabric:
  1. In FortiAnalyzer, configure the authorization address and port:
    1. Go to System Settings > Admin > Admin Settings.
    2. In the Fabric Authorization section, enter an Authorization Address and Authorization Port. This is used to access the FortiAnalyzer login screen.

    3. Click Apply.
  2. In FortiOS, go to Security Fabric > Fabric Connectors and double-click the FortiAnalyzer Logging card.
  3. Enter the FortiAnalyzer IP.
  4. Click OK. The FortiAnalyzer Status (in the right-side gutter) is Unauthorized.

  5. Click Authorize. You are redirected to a login screen.
  6. Enter the username and password, then click Login.

    The authorization dialog opens.

  7. Select Approve and click OK to authorize the FortiGate.

  8. In FortiOS, refresh the FortiAnalyzer Logging page. The FortiAnalyzer Status is Authorized.

Sending traffic logs to FortiAnalyzer Cloud

FortiGates running version 6.4.4. or later, with a FortiCloud Premium subscription (AFAC) for Cloud-based Central Logging & Analytics, can send traffic logs to FortiAnalyzer Cloud in addition to UTM logs and event logs. After the Premium subscription is registered through FortiCare, FortiGuard will verify the purchase and authorize the AFAC contract. Once the contract is verified, FortiGuard will deliver the contract to FortiGate.

FortiGates with a Standard FortiAnalyzer Cloud subscription (FAZC) can only send UTM and event logs. FortiGates with a Premium subscription will send the UTM and event logs even if the Standard subscription has expired.

For information about cloud logging, see FortiAnalyzer Cloud service

Note

FortiAnalyzer Cloud does not support DLP/IPS archives at this time.

To verify the status a FortiCloud subscription with the CLI:

# diagnose test update info

The FAZC and AFAC fields display the subscription expiration date. The Support contract field displays the FortiCare account information. The User ID field displays the ID for FortiAnalyzer-Cloud instance.

...

FAZC,Tue Sep 24 16:00:00 2030

AFAC,Mon Nov 29 16:00:00 2021

...

Support contract: pending_registration=255 got_contract_info=1

account_id=[****@fortinet.com] company=[Fortinet] industry=[Technology]

User ID: 979090