Fortinet white logo
Fortinet white logo

Administration Guide

Configuring cloud logging

Configuring cloud logging

There are two options available in the Cloud Logging tab of the Logging & Analytics connector card: FortiGate Cloud and FortiAnalyzer Cloud. If there are multiple services enrolled on the FortiProxy, the preference is: FortiAnalyzer Cloud logging, FortiAnalyzer logging, then FortiGate Cloud logging.

This topic covers the following cloud logging aspects:

Configuring FortiGate Cloud

FortiGate Cloud is a hosted security management and log retention service for FortiProxy devices. It provides centralized reporting, traffic analysis, configuration management, and log retention without the need for additional hardware or software.

FortiGate Cloud offers a wide range of features:

  • Simplified central management

    FortiGate Cloud provides a central GUI to manage individual or aggregated FortiProxy and FortiWiFi devices. Adding a device to the FortiGate Cloud management subscription is straightforward. FortiGate Cloud has detailed traffic and application visibility across the whole network.

  • Hosted log retention with large default storage allocated

    Log retention is an integral part of any security and compliance program, but administering a separate storage system is onerous. FortiGate Cloud takes care of this automatically and stores the valuable log information in the cloud. Different types of logs can be stored, including Traffic, System Events, Web, Applications, and Security Events.

  • Monitoring and alerting in real time

    Network availability is critical to a good end-user experience. FortiGate Cloud enables you to monitor your FortiProxy network in real time with different alerting mechanisms to pinpoint potential issues. Alerting mechanisms can be delivered via email.

  • Customized or pre-configured reporting and analysis tools

    Reporting and analysis are your eyes and ears into your network’s health and security. Pre-configured reports are available, as well as custom reports that can be tailored to your specific reporting and compliance requirements. The reports can be emailed as PDFs, and can cover different time periods.

  • Maintain important configuration information uniformly

    The correct configuration of the devices within your network is essential for maintaining optimum performance and security posture. In addition, maintaining the correct firmware (operating system) level allows you to take advantage of the latest features.

  • Service security

    All communication (including log information) between the devices and the cloud is encrypted. Redundant data centers are always used to give the service high availability. Operational security measures have been put in place to make sure your data is secure — only you can view or retrieve it.

For more information, refer to the FortiGate Cloud documentation.

Registration and activation

Before you can activate a FortiGate Cloud account, you must register your device first.

FortiGate Cloud accounts can be registered manually through the FortiGate Cloud website, https://www.forticloud.com, or you can easily register and activate your account directly from your FortiProxy.

To activate your FortiGate Cloud account:
  1. On your device, go to Dashboard > Status.
  2. In the FortiGate Cloud widget, click the Not Activated > Activate button in the Status field.
  3. A pane will open asking you to register your FortiGate Cloud account. Click Create Account, enter your information, view and accept the terms and conditions, and then click OK.
  4. A second dialogue window opens, asking you to enter your information to confirm your account. This sends a confirmation email to your registered email. The dashboard widget then updates to show that confirmation is required.
  5. Open your email, and follow the confirmation link it contains.

    A FortiGate Cloud page will open, stating that your account has been confirmed. The Activation Pending message on the dashboard will change to state the type of account you have, and will provide a link to the FortiGate Cloud portal.

Enabling logging to FortiGate Cloud

To enable logging to FortiGate Cloud:
  1. Go to Security Fabric > Fabric Connectors and double-click the Logging & Analytics card.

  2. Select the Settings tab, select the Cloud Logging tab, and set the Type to FortiGate Cloud.

  3. Select an upload option:

    • Real Time: logs are sent to the cloud device in real time.

    • Every Minute: logs are sent to the cloud device once every minute.

    • Every 5 Minutes: logs are sent to the cloud device once every five minutes (default).

    If the Security Fabric connection is configured, only the Real Time option is available.

  4. Click OK.

Logging into the FortiGate Cloud portal

Once logging has been configured and you have registered your account, you can log into the FortiGate Cloud portal and begin viewing your logging results. There are two methods to reach the FortiGate Cloud portal:

  • If you have direct network access to the FortiProxy:
    1. Go to Dashboard > Status.
    2. In the FortiGate Cloud widget, in the Status field, click Activated > Launch Portal, or, in the Licenses widget, click FortiCare Support > Launch Portal.
  • If you do not have access to the FortiProxy’s interface, visit the FortiGate Cloud website (https://www.forticloud.com) and log in remotely, using your email and password. It will ask you to confirm the FortiGate Cloud account you are connecting to and then you will be granted access.

Configuring a Security Fabric with FortiGate Cloud logging

A Security Fabric can be created on the root device using FortiGate Cloud for cloud logging. When the FortiCloud account enforcement is enabled (by default), members joining the Fabric must be registered to the same FortiCloud account. Devices that are not activated with FortiCloud are also allowed.

For example, the root FortiProxy is configured with FortiGate Cloud logging. In the Security Fabric settings, the FortiCloud account enforcement option is enabled by default. The downstream FortiProxy with the same FortiCloud account ID is able to join the Fabric.

To configure a Security Fabric with FortiCloud logging in the GUI:
  1. Configure the Security Fabric settings on the root FortiProxy (see Fabric Connectors). The FortiCloud account enforcement setting is enabled by default.
  2. Configure FortiCloud logging on the root FortiProxy:
    1. Go to Security Fabric > Fabric Connectors and double-click the Logging & Analytics card.
    2. Select the Settings tab, select the Cloud Logging tab, and set the Type to FortiGate Cloud.
    3. Click OK.
  3. Configure the FortiProxy to join the Security Fabric:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. Select the Settings tab, and set the Security Fabric role to Join Existing Fabric.
    3. Click OK. The FortiProxy is authorized and successfully joins the Security Fabric.
  4. Check the FortiCloud logging settings:
    1. Go to Security Fabric > Fabric Connectors and double-click the Logging & Analytics card.
    2. Select the Settings tab, select the Cloud Logging tab. The settings are automatically retrieved from the root FortiProxy and the Account is the same.
To configure a Security Fabric with FortiCloud logging in the CLI:
config log fortiguard setting
    set status enable
    set upload-option realtime
end

The FortiCloud account enforcement setting is enabled by default in the Security Fabric settings:

show system csf
    config system csf
        set status enable
        set group-name "CSF_101"
        set forticloud-account-enforcement enable
    end

Configuring FortiAnalyzer Cloud

FortiAnalyzer Cloud differs from FortiAnalyzer in the following ways:

  • You cannot enable FortiAnalyzer Cloud in vdom override-setting when global FortiAnalyzer Cloud is disabled.
  • You must use the CLI to retrieve and display logs sent to FortiAnalyzer Cloud. The FortiProxy GUI is not supported.
  • You cannot enable FortiAnalyzer Cloud and FortiGate Cloud at the same time.

For more information, see Licensing in the FortiAnalyzer Cloud Deployment Guide.

In the Security Fabric > Fabric Connectors > Logging & Analytics card settings, FortiAnalyzer Cloud is grayed out when you do not have a FortiAnalyzer Cloud entitlement. When you have a FortiAnalyzer Cloud entitlement, FortiAnalyzer Cloud is available and you can authenticate by the certificate.

In FortiAnalyzer Cloud, you can view logs from FortiProxy in the Event > All Types page.

To configure FortiAnalyzer Cloud logging in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Logging & Analytics card.
  2. Select the Settings tab, select the Cloud Logging tab, and set the Type to FortiAnalyzer Cloud.
  3. Optionally, configure the remaining log settings:

    Upload option

    Select the frequency of log uploads to the remote device:

    • Real Time: logs are sent to the remote device in real time.

    • Every Minute: logs are sent to the remote device once every minute. This option is unavailable if the Security Fabric connection is configured.

    • Every 5 Minutes: logs are sent to the remote device once every five minutes. This is the default option. This option is unavailable if the Security Fabric connection is configured.

    Allow access to FortiGate REST API

    Define access to FortiProxy REST API:

    • Enable: the REST API accesses the FortiProxy topology and shares data and results.

    • Disable: the REST API does not share data and results.

    Verify FortiAnalyzer Cloud certificate

    Define the FortiAnalyzer Cloud certificate verification process:

    • Enable: the FortiProxy will verify the FortiAnalyzer Cloud serial number against the FortiAnalyzer certificate. When verified, the serial number is stored in the FortiProxy configuration.

    • Disable: the FortiProxy will not verify the FortiAnalyzer Cloud certificate against the serial number.

  4. Click OK. A prompt appears to verify the FortiAnalyzer Cloud serial number.
  5. Click Accept.
  6. The verified FortiAnalyzer Cloud certificate appears in the settings.
To enable FortiAnalyzer Cloud logging in the CLI:
  1. Configure the FortiAnalyzer Cloud settings:
    config log fortianalyzer-cloud setting
        set status enable
        set ips-archive disable
        set certificate-verification enable
        set serial "FAZVCLTM19000000"
        set access-config enable
        set enc-algorithm high
        set ssl-min-proto-version default
        set conn-timeout 10
        set monitor-keepalive-period 5
        set monitor-failure-retry-period 5
        set upload-option realtime
    end
  2. Configure the FortiAnalyzer Cloud filters:
    config log fortianalyzer-cloud filter
        set severity information
        set forward-traffic disable
        set local-traffic disable
        set multicast-traffic disable
        set sniffer-traffic disable
        set anomaly disable
        set voip disable
        set dlp-archive disable
    end
To disable FortiAnalyzer Cloud logging for a specific VDOM in the CLI:
  1. Enable override FortiAnalyzer in the general log settings:
    config log setting
        set faz-override enable
    end
  2. Disable the override FortiAnalyzer Cloud setting:
    config log fortianalyzer-cloud override-setting
        set status disable
    end
To set FortiAnalyzer Cloud logging to filter for a specific VDOM in the CLI:
  1. Enable override FortiAnalyzer in the general log settings:
    config log setting
        set faz-override enable
    end
  2. Enable the override FortiAnalyzer Cloud setting:
    config log fortianalyzer-cloud override-setting
        set status enable
    end
  3. Configure the override filters for FortiAnalyzer Cloud:
    config log fortianalyzer-cloud override-filter
        set severity information
        set forward-traffic disable
        set local-traffic disable
        set multicast-traffic disable
        set sniffer-traffic disable
        set anomaly disable
        set voip disable
        set dlp-archive disable
    end
To display FortiAnalyzer Cloud logs in the CLI:
# ​​​​​​​execute log filter device fortianalyzer-cloud
# execute log filter category event
# execute log display​​​​​​​
Sample log
date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" reason="name_invalid" method="https" eventtime=1556758666274548325 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiProxy-501E"
date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" eventtime=1556758642413367644 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiProxy-501E"

Configuring cloud logging

Configuring cloud logging

There are two options available in the Cloud Logging tab of the Logging & Analytics connector card: FortiGate Cloud and FortiAnalyzer Cloud. If there are multiple services enrolled on the FortiProxy, the preference is: FortiAnalyzer Cloud logging, FortiAnalyzer logging, then FortiGate Cloud logging.

This topic covers the following cloud logging aspects:

Configuring FortiGate Cloud

FortiGate Cloud is a hosted security management and log retention service for FortiProxy devices. It provides centralized reporting, traffic analysis, configuration management, and log retention without the need for additional hardware or software.

FortiGate Cloud offers a wide range of features:

  • Simplified central management

    FortiGate Cloud provides a central GUI to manage individual or aggregated FortiProxy and FortiWiFi devices. Adding a device to the FortiGate Cloud management subscription is straightforward. FortiGate Cloud has detailed traffic and application visibility across the whole network.

  • Hosted log retention with large default storage allocated

    Log retention is an integral part of any security and compliance program, but administering a separate storage system is onerous. FortiGate Cloud takes care of this automatically and stores the valuable log information in the cloud. Different types of logs can be stored, including Traffic, System Events, Web, Applications, and Security Events.

  • Monitoring and alerting in real time

    Network availability is critical to a good end-user experience. FortiGate Cloud enables you to monitor your FortiProxy network in real time with different alerting mechanisms to pinpoint potential issues. Alerting mechanisms can be delivered via email.

  • Customized or pre-configured reporting and analysis tools

    Reporting and analysis are your eyes and ears into your network’s health and security. Pre-configured reports are available, as well as custom reports that can be tailored to your specific reporting and compliance requirements. The reports can be emailed as PDFs, and can cover different time periods.

  • Maintain important configuration information uniformly

    The correct configuration of the devices within your network is essential for maintaining optimum performance and security posture. In addition, maintaining the correct firmware (operating system) level allows you to take advantage of the latest features.

  • Service security

    All communication (including log information) between the devices and the cloud is encrypted. Redundant data centers are always used to give the service high availability. Operational security measures have been put in place to make sure your data is secure — only you can view or retrieve it.

For more information, refer to the FortiGate Cloud documentation.

Registration and activation

Before you can activate a FortiGate Cloud account, you must register your device first.

FortiGate Cloud accounts can be registered manually through the FortiGate Cloud website, https://www.forticloud.com, or you can easily register and activate your account directly from your FortiProxy.

To activate your FortiGate Cloud account:
  1. On your device, go to Dashboard > Status.
  2. In the FortiGate Cloud widget, click the Not Activated > Activate button in the Status field.
  3. A pane will open asking you to register your FortiGate Cloud account. Click Create Account, enter your information, view and accept the terms and conditions, and then click OK.
  4. A second dialogue window opens, asking you to enter your information to confirm your account. This sends a confirmation email to your registered email. The dashboard widget then updates to show that confirmation is required.
  5. Open your email, and follow the confirmation link it contains.

    A FortiGate Cloud page will open, stating that your account has been confirmed. The Activation Pending message on the dashboard will change to state the type of account you have, and will provide a link to the FortiGate Cloud portal.

Enabling logging to FortiGate Cloud

To enable logging to FortiGate Cloud:
  1. Go to Security Fabric > Fabric Connectors and double-click the Logging & Analytics card.

  2. Select the Settings tab, select the Cloud Logging tab, and set the Type to FortiGate Cloud.

  3. Select an upload option:

    • Real Time: logs are sent to the cloud device in real time.

    • Every Minute: logs are sent to the cloud device once every minute.

    • Every 5 Minutes: logs are sent to the cloud device once every five minutes (default).

    If the Security Fabric connection is configured, only the Real Time option is available.

  4. Click OK.

Logging into the FortiGate Cloud portal

Once logging has been configured and you have registered your account, you can log into the FortiGate Cloud portal and begin viewing your logging results. There are two methods to reach the FortiGate Cloud portal:

  • If you have direct network access to the FortiProxy:
    1. Go to Dashboard > Status.
    2. In the FortiGate Cloud widget, in the Status field, click Activated > Launch Portal, or, in the Licenses widget, click FortiCare Support > Launch Portal.
  • If you do not have access to the FortiProxy’s interface, visit the FortiGate Cloud website (https://www.forticloud.com) and log in remotely, using your email and password. It will ask you to confirm the FortiGate Cloud account you are connecting to and then you will be granted access.

Configuring a Security Fabric with FortiGate Cloud logging

A Security Fabric can be created on the root device using FortiGate Cloud for cloud logging. When the FortiCloud account enforcement is enabled (by default), members joining the Fabric must be registered to the same FortiCloud account. Devices that are not activated with FortiCloud are also allowed.

For example, the root FortiProxy is configured with FortiGate Cloud logging. In the Security Fabric settings, the FortiCloud account enforcement option is enabled by default. The downstream FortiProxy with the same FortiCloud account ID is able to join the Fabric.

To configure a Security Fabric with FortiCloud logging in the GUI:
  1. Configure the Security Fabric settings on the root FortiProxy (see Fabric Connectors). The FortiCloud account enforcement setting is enabled by default.
  2. Configure FortiCloud logging on the root FortiProxy:
    1. Go to Security Fabric > Fabric Connectors and double-click the Logging & Analytics card.
    2. Select the Settings tab, select the Cloud Logging tab, and set the Type to FortiGate Cloud.
    3. Click OK.
  3. Configure the FortiProxy to join the Security Fabric:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. Select the Settings tab, and set the Security Fabric role to Join Existing Fabric.
    3. Click OK. The FortiProxy is authorized and successfully joins the Security Fabric.
  4. Check the FortiCloud logging settings:
    1. Go to Security Fabric > Fabric Connectors and double-click the Logging & Analytics card.
    2. Select the Settings tab, select the Cloud Logging tab. The settings are automatically retrieved from the root FortiProxy and the Account is the same.
To configure a Security Fabric with FortiCloud logging in the CLI:
config log fortiguard setting
    set status enable
    set upload-option realtime
end

The FortiCloud account enforcement setting is enabled by default in the Security Fabric settings:

show system csf
    config system csf
        set status enable
        set group-name "CSF_101"
        set forticloud-account-enforcement enable
    end

Configuring FortiAnalyzer Cloud

FortiAnalyzer Cloud differs from FortiAnalyzer in the following ways:

  • You cannot enable FortiAnalyzer Cloud in vdom override-setting when global FortiAnalyzer Cloud is disabled.
  • You must use the CLI to retrieve and display logs sent to FortiAnalyzer Cloud. The FortiProxy GUI is not supported.
  • You cannot enable FortiAnalyzer Cloud and FortiGate Cloud at the same time.

For more information, see Licensing in the FortiAnalyzer Cloud Deployment Guide.

In the Security Fabric > Fabric Connectors > Logging & Analytics card settings, FortiAnalyzer Cloud is grayed out when you do not have a FortiAnalyzer Cloud entitlement. When you have a FortiAnalyzer Cloud entitlement, FortiAnalyzer Cloud is available and you can authenticate by the certificate.

In FortiAnalyzer Cloud, you can view logs from FortiProxy in the Event > All Types page.

To configure FortiAnalyzer Cloud logging in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Logging & Analytics card.
  2. Select the Settings tab, select the Cloud Logging tab, and set the Type to FortiAnalyzer Cloud.
  3. Optionally, configure the remaining log settings:

    Upload option

    Select the frequency of log uploads to the remote device:

    • Real Time: logs are sent to the remote device in real time.

    • Every Minute: logs are sent to the remote device once every minute. This option is unavailable if the Security Fabric connection is configured.

    • Every 5 Minutes: logs are sent to the remote device once every five minutes. This is the default option. This option is unavailable if the Security Fabric connection is configured.

    Allow access to FortiGate REST API

    Define access to FortiProxy REST API:

    • Enable: the REST API accesses the FortiProxy topology and shares data and results.

    • Disable: the REST API does not share data and results.

    Verify FortiAnalyzer Cloud certificate

    Define the FortiAnalyzer Cloud certificate verification process:

    • Enable: the FortiProxy will verify the FortiAnalyzer Cloud serial number against the FortiAnalyzer certificate. When verified, the serial number is stored in the FortiProxy configuration.

    • Disable: the FortiProxy will not verify the FortiAnalyzer Cloud certificate against the serial number.

  4. Click OK. A prompt appears to verify the FortiAnalyzer Cloud serial number.
  5. Click Accept.
  6. The verified FortiAnalyzer Cloud certificate appears in the settings.
To enable FortiAnalyzer Cloud logging in the CLI:
  1. Configure the FortiAnalyzer Cloud settings:
    config log fortianalyzer-cloud setting
        set status enable
        set ips-archive disable
        set certificate-verification enable
        set serial "FAZVCLTM19000000"
        set access-config enable
        set enc-algorithm high
        set ssl-min-proto-version default
        set conn-timeout 10
        set monitor-keepalive-period 5
        set monitor-failure-retry-period 5
        set upload-option realtime
    end
  2. Configure the FortiAnalyzer Cloud filters:
    config log fortianalyzer-cloud filter
        set severity information
        set forward-traffic disable
        set local-traffic disable
        set multicast-traffic disable
        set sniffer-traffic disable
        set anomaly disable
        set voip disable
        set dlp-archive disable
    end
To disable FortiAnalyzer Cloud logging for a specific VDOM in the CLI:
  1. Enable override FortiAnalyzer in the general log settings:
    config log setting
        set faz-override enable
    end
  2. Disable the override FortiAnalyzer Cloud setting:
    config log fortianalyzer-cloud override-setting
        set status disable
    end
To set FortiAnalyzer Cloud logging to filter for a specific VDOM in the CLI:
  1. Enable override FortiAnalyzer in the general log settings:
    config log setting
        set faz-override enable
    end
  2. Enable the override FortiAnalyzer Cloud setting:
    config log fortianalyzer-cloud override-setting
        set status enable
    end
  3. Configure the override filters for FortiAnalyzer Cloud:
    config log fortianalyzer-cloud override-filter
        set severity information
        set forward-traffic disable
        set local-traffic disable
        set multicast-traffic disable
        set sniffer-traffic disable
        set anomaly disable
        set voip disable
        set dlp-archive disable
    end
To display FortiAnalyzer Cloud logs in the CLI:
# ​​​​​​​execute log filter device fortianalyzer-cloud
# execute log filter category event
# execute log display​​​​​​​
Sample log
date=2019-05-01 time=17:57:45 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:48" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100032002 type="event" subtype="system" level="alert" srcip=10.6.30.254 dstip=10.6.30.9 action="login" msg="Administrator ddd login failed from https(10.6.30.254) because of invalid user name" logdesc="Admin login failed" sn="0" user="ddd" ui="https(10.6.30.254)" status="failed" reason="name_invalid" method="https" eventtime=1556758666274548325 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:45" itime_t=1556758668 devname="FortiProxy-501E"
date=2019-05-01 time=17:57:21 idseq=60796052214644736 bid=100926 dvid=1027 itime="2019-05-01 17:57:23" euid=3 epid=3 dsteuid=0 dstepid=3 logver=602000890 logid=0100044546 type="event" subtype="system" level="information" action="Edit" msg="Edit log.fortianalyzer-cloud.filter " logdesc="Attribute configured" user="admin" ui="ssh(10.6.30.254)" cfgtid=164757536 cfgpath="log.fortianalyzer-cloud.filter" cfgattr="severity[information->critical]" eventtime=1556758642413367644 devid="FG5H1E5818900000" vd="root" dtime="2019-05-01 17:57:21" itime_t=1556758643 devname="FortiProxy-501E"