mdeparisse_FTNT
Staff
May 10, 2019

Technical Tip: How to integrate FortiClient EMS in the FortiAnalyzer


Description


This article describes how to integrate FortiClient EMS and FortiClient with FortiAnalyzer so that FortiAnalyzer can centralize their logs.

Scope

FortiAnalyzer.

Solution

Verify the compatibility of the FortiClient EMS server and FortiClient with the FortiAnalyzer. This is found in the FortiClient release notes, in the FortiClient EMS release notes (EMS Compatibility Chart), and in the FortiAnalyzer release notes (FortiClient).

Note:

The new Fabric ADOM can also be used since FortiAnalyzer 6.2 to receive logs from the FortiClient stations.

Configure https-logging on the FortiAnalyzer interface via CLI (the interface that receives the FortiClient logs must allow https-logging):

(port1) # show
config system interface
    edit "port1"
        set ip 10.47.3.65 255.255.240.0
        set allowaccess ping ssh https https-logging
    next
end

  1. Enable ADOMs on the FortiAnalyzer so that the FortiClient EMS server can be handled by the correct ADOM (FortiClient ADOM).
  2. Make sure this ADOM has a sufficient size. By default, the size is 1 GB.
  3. Configure the FortiClient EMS server so that it uses the FortiAnalyzer as a log receiver in the FortiClient profile.

[Screenshot: Logs.PNG]

For FortiClient EMS Cloud and FortiAnalyzer Cloud:

Both FortiClient EMS Cloud and FortiAnalyzer Cloud should be under the same FortiCare account. FortiClient EMS Cloud has an auto-config FortiAnalyzer Cloud option that should auto-fill the FQDN of the FortiAnalyzer Cloud.

[Screenshot: image (7).png]

  1. Connect the FortiClient to the FortiClient EMS server as follows:

     [Screenshots: Conect.PNG, Telemetry.PNG]

  2. Check that the FortiClient EMS detects the client.

     [Screenshot: client.PNG]

  3. Enable Antivirus detection or Web Filter to generate logs from the FortiClient as follows:

     [Screenshots: webfilter.PNG, AV.PNG]

  4. Wait for the configuration update from the Telemetry.

     [Screenshot: Telemetry.PNG]

  5. Go to the FortiClient and generate logs using a web browser or an EICAR test file detection. Navigate here from the FortiClient station to download the EICAR test file.

  6. Go to the FortiClient ADOM. Keep in mind that the ADOM must be of type Fabric according to the official documentation.

  7. As logs are generated by the FortiClient, the logs will turn green as follows:

If logs are not turning green, check the raw logs: go to Log View > Log Browse and filter by the FortiClient EMS serial number to see the FortiClient traffic and event logs. Check whether any of those logs appear.

Note:

If this is not the case, browse again from the FortiClient, then deregister and register the client once more to generate logs.

 

If using FortiAnalyzer Cloud, two factors can be checked:

  • FortiAnalyzer Cloud has the proper entitlements to accept logs from FortiClient EMS, such as the additional storage licenses:

    FC1-10-AZCLD-463-01-DD
    FC2-10-AZCLD-463-01-DD
    FC3-10-AZCLD-463-01-DD

    Related document:

    Additional Storage Licenses

  • The FortiClient profile contains the required XML flags to send the logs to FortiAnalyzer Cloud. For example:

    <log_upload_server>12345.ca-west-1.fortianalyzer.forticloud.com</log_upload_server>
    <log_uploadserver_sni>12345.support.fortinet.com</log_uploadserver_sni>

    Related document:

    XML Reference Guide
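A small checker for the two flags above, added here as an example that is not part of this article or of Fortinet's tooling. It assumes only the element names shown in the article and searches for them anywhere in the profile; the rule that the server FQDN and the SNI share the same leading label is inferred from the article's example values, and the sample profile is constructed.

```python
"""Check a FortiClient profile XML for the FortiAnalyzer Cloud log-upload flags.

Added example, not Fortinet code. The element names come from the article;
their exact position inside a full profile is not assumed, so they are
searched anywhere in the document.
"""
import xml.etree.ElementTree as ET

REQUIRED = ("log_upload_server", "log_uploadserver_sni")

# Constructed sample: a minimal profile fragment using the article's example values.
SAMPLE_PROFILE = """<forticlient_configuration>
  <log_upload_server>12345.ca-west-1.fortianalyzer.forticloud.com</log_upload_server>
  <log_uploadserver_sni>12345.support.fortinet.com</log_uploadserver_sni>
</forticlient_configuration>"""


def check_log_upload_flags(profile_xml: str) -> list:
    """Return a list of findings; an empty list means the flags look consistent."""
    findings = []
    try:
        root = ET.fromstring(profile_xml)
    except ET.ParseError as exc:
        return [f"profile is not well-formed XML: {exc}"]

    values = {}
    for tag in REQUIRED:
        elem = root.find(f".//{tag}")
        if elem is None:
            findings.append(f"missing <{tag}> flag")
            continue
        text = (elem.text or "").strip()
        if not text:
            findings.append(f"<{tag}> is present but empty")
            continue
        values[tag] = text

    # Assumption inferred from the article's example: the server FQDN and the
    # SNI both start with the same leading label (12345 in the example).
    if len(values) == len(REQUIRED):
        server_id = values["log_upload_server"].split(".")[0]
        sni_id = values["log_uploadserver_sni"].split(".")[0]
        if server_id != sni_id:
            findings.append(
                f"account prefix mismatch: server uses '{server_id}', SNI uses '{sni_id}'"
            )
    return findings


if __name__ == "__main__":
    print(check_log_upload_flags(SAMPLE_PROFILE) or "log upload flags OK")
```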

 

If no logs are seen, provide the support team with the following information:
  • Confirmation that the FortiClient's ADOM is of type Fabric.
  • The output of execute tac report from the FortiAnalyzer, and its configuration.
  • The output of diagnose sniffer packet any 'host <FCLT IP> and port 514' 3 0 a from the FortiAnalyzer.
  • A Wireshark capture from the FortiClient while browsing the web (to generate log packets).
  • Note that the sniffer may show a successful TCP 3-way handshake but no logs sent by the FortiClient; in that case, make sure to have the latest versions of FortiClient and FortiAnalyzer.
  • The output of diagnose test application oftpd 3, which shows which devices send logs.
  • A ping from the FortiClient to the FortiAnalyzer.
  • FortiClient Diagnostic Tool output.


Related documents:

Technical Tip: Control logging from FortiClient EMS to FortiAnalyzer

Configuring log storage policy

Technical Tip: How to make multitenancy visible from FortiAnalyzer

EMS Connector

Technical Tip: How to run a FortiClient Endpoint Antivirus scanning using FortiSoC Playbook

Technical Tip: How to implement Indicators Of Compromised (IOC) Automation Stitch between FortiGate, FortiAnalyzer and FortiEMS

Technical Tip: How to determine the failed status from FortiSoC Playbook monitor

Technical Tip: How to send FortiClient logs to FortiAnalyzer

Technical Tip: Viewing FortiClient OS Events logs in FortiAnalyzer