yuno
New Member
April 29, 2020
Solved

Trial licence limitations for sending logs from Fortigate to FortiAnalyzer?

  • April 29, 2020
  • 2 replies
  • 14763 views

Hi all

TL;DR

Does anyone know if the Fortigate trial licence limitations on encryption/decryption (which for example prevent the use of HTTPS) also prevent the SSL connections from Fortigate to FortiAnalyzer for the purposes of sending logs (via oftpd)?

I was trying to test sending logs from a Fortigate VM (firmware 6.4) to FortiAnalyzer VM (firmware 6.4) but I just get "No connection" and if you hover the cursor over that you get "Error occurred:{0}".  The goal is to test forwarding logs from the FortiAnalyzer to a third device but I can't get this far as the Fortigate won't send the logs to the FortiAnalyzer.  A reddit post (www.reddit.com/r/...er_trial_ssl_error_3/) suggested this is probably a trial licence limitation but it would be good to confirm it here if possible.

If anyone has found something similar please let me know.

Thanks

Testing steps:

I've made sure to check the compatibility matrix and the FGT and FAZ are compatible.  The Fortigate device is added as a device in the FortiAnalyzer.  I can test connectivity between the two using ping successfully.

I found various posts online with suggestions to make it work by allowing weaker encryption but none worked in this case e.g. (forum.fortinet.com/tm.aspx?m=140479)

FGT:

conf log fortianalyzer setting
    set enc-algorithm low
    set reliable enable
end

FAZ:

conf global setting
    set enc-algorithm low
end

FGT:

exec log fortianalyzer test-connectivity

Failed to get FAZ's status.  Connection failed.  Connection refused(-1)
Failed to get FAZ's status.  SSL error. (-3).

FAZ - enabling debug logging for the oftpd app on the FortiAnalyzer showed the following error (as in kb.fortinet.com/k...do?externalID=FD41272):

[oftpd_handle_session] oftp_recv_packet failed: SSL setup failure.
Client connection closed.  Reason 14(SSL setup failure)

Also I read the following, but it seems that these conditions were met during testing:

  • >6.2 FAZ will only process encrypted logs from Fortinet devices.
  • FAZ encryption level MUST be equal to or less than the FGT’s encryption level.

Trial licences are in use on both the Fortigate and the FortiAnalyzer.

Best answer by localhost (May 2, 2020)

Hi

This works for me with FortiAnalyzer-VM64 v6.2.3 and FortiGate-VM64 v6.2.3 running unregistered trial versions:

FAZ config:

config system global
    set enc-algorithm low
    set log-forward-cache-size 4
    set oftp-ssl-protocol sslv3
    set usg enable
end

Fortigate config:

config log fortianalyzer setting
    set status enable
    set server "10.1.2.100"
    set certificate-verification disable
    set serial "FAZ-VM0000000001"
    set ssl-min-proto-version SSLv3
    set upload-option realtime
end

Successful FortiAnalyzer connectivity is not visible in the GUI. But it's transferring logs and the CLI command shows a successful connection:

FortiGate-VM64 # execute log fortianalyzer test-connectivity 

FortiAnalyzer Host Name: FAZVM64
FortiAnalyzer Adom Name: root
FortiGate Device ID: FGVMEVFV6YKXEGEB
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 704512B/53687091200B
Analytics Usage (Used/Allocated): 671744B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 0/60 Days
Archive Usage (Used/Allocated): 32768B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 365/365 Days
Log: Tx & Rx (5 logs received since 10:46:07 05/02/20)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
Certificate of Fortianalyzer valid and serial number is:FAZ-VM0000000001

After entering the CLI commands, just go to Security Fabric -> Settings and re-apply the settings.

Then you should be able to change the log location to FortiAnalyzer in the 'Log & Report' view as well.
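The accepted answer gets the trial VMs talking by lowering the log channel to weak ciphers, SSLv3 and no certificate verification. As an added example (not code from the thread or from Fortinet), here is a small Python lint that parses FortiOS/FAZ-style CLI blocks and flags exactly those settings, so a lab workaround is caught before it is copied into a production config. It assumes flat `config ... set ... end` blocks as quoted in the thread (nested `edit`/`next` blocks are not handled), and the sample config is constructed from the answer above.

```python
# Settings from the thread's workaround that weaken the FGT -> FAZ log channel.
# Values are compared case-insensitively (FortiOS shows "SSLv3", FAZ "sslv3").
WEAK_SETTINGS = {
    "enc-algorithm": ("low", "permits weak ciphers on the OFTP log channel"),
    "oftp-ssl-protocol": ("sslv3", "pins OFTP to the deprecated SSLv3 protocol"),
    "ssl-min-proto-version": ("sslv3", "accepts SSLv3 for the FortiAnalyzer connection"),
    "certificate-verification": ("disable", "skips checking the FortiAnalyzer certificate"),
}

def parse_fortios_config(text):
    """Parse flat FortiOS/FAZ CLI text ('config ...' / 'set k v' / 'end') into
    {section_path: {key: value}}; 'conf' is accepted as in the thread, quotes are stripped."""
    sections, path, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "conf ")):
            path.append(line.split(None, 1)[1])
            current = sections.setdefault(" ".join(path), {})
        elif line == "end" and path:
            path.pop()
            current = sections.setdefault(" ".join(path), {}) if path else {}
        elif line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip('"')
    return sections

def lint_log_channel(text):
    """Return (section, key, value, reason) for each weak setting in the config."""
    findings = []
    for section, settings in parse_fortios_config(text).items():
        for key, value in settings.items():
            weak = WEAK_SETTINGS.get(key)
            if weak and value.lower() == weak[0]:
                findings.append((section, key, value, weak[1]))
    return findings

# Constructed sample: the two workaround blocks quoted in the accepted answer.
SAMPLE = """config system global
    set enc-algorithm low
    set oftp-ssl-protocol sslv3
end
config log fortianalyzer setting
    set server "10.1.2.100"
    set certificate-verification disable
    set ssl-min-proto-version SSLv3
end
"""

FINDINGS = lint_log_channel(SAMPLE)  # four findings for the sample above
```

Running it over the sample reports both FAZ settings and the two FortiGate settings; a config that keeps `enc-algorithm high`, a TLS-only minimum version and certificate verification enabled produces no findings.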

2 replies

localhost
Visitor III
April 29, 2020

I don't know about FortiAnalyzer.

But Fortigates only have very limited encryption support for Web management, IPSEC Tunnels, SSLVPN and SSL inspection, etc.

So this will probably be the same for your FortiAnalyzer connections.

Can you give this a try?

On your Fortigate:

config log fortianalyzer setting
    set reliable disable
end

yuno
yunoAuthor
New Member
April 29, 2020

Hi, thanks for the reply.

I used that setting on the Fortigate but unfortunately there was no change to the connection status.


georgemilev
New Member
April 8, 2021

Hello,

I am facing the same issue, but there is no assistance here...

Yurisk
SuperUser
SuperUser
April 11, 2021

Tried it on 6.4.4 - worked; tried 6.4.5 - didn't, go figure. In the end I asked for an evaluation license and all worked.

miraching
New Member
April 21, 2021

For VMs (FAZ & FG) do this:

@ FAZ

config system global
    set log-forward-cache-size 4
    set oftp-ssl-protocol sslv3
end

@ FG

config log fortianalyzer setting
    set serial "FAZ-VM0000000001"
    set ssl-min-proto-version SSLv3
end

Wait for a min or two, then issue:

execute log fortianalyzer test-connectivity