dingjerry_FTNT
Article Id 417236
Description: This article describes additional information about the 'legacy-auth-mode' setting and the certificate check performed on OFTP connections on FortiAnalyzer.
Scope: FortiAnalyzer v7.4.7+, v7.6.3+.
Solution

In the FortiAnalyzer v7.4.8 Release Notes, the 'Special Notices' section states that FortiAnalyzer checks the SN information against the Common Name of the Certificate for the OFTP connection. 
Check details here:

legacy-auth-mode command added
  1. The 'legacy-auth-mode' setting was introduced in FortiAnalyzer v7.4.7 GA and FortiAnalyzer v7.6.3 GA.

What’s New in FortiAnalyzer 7.4 

What’s New in FortiAnalyzer 7.6 
  2. The certificate used for the OFTP connection can be one of the Fortinet default certificates or a customized one. If a customized certificate is in use, the SN in the Common Name field must be the device's genuine serial number, not a fabricated one.
    1. To change the certificate for the OFTP connection on FortiAnalyzer, use the 'config system certificate oftp' command.
    2. To change the certificate for the OFTP connection on FortiGate, use the 'config log fortianalyzer setting' command.
Note:

The 'legacy-auth-mode' setting is useful when FortiAnalyzer integrates with FortiMail, FortiWeb, and FortiEMS, because these products keep going down (losing their connection) after FortiAnalyzer has been upgraded to the latest version. When 'legacy-auth-mode' is enabled, FortiAnalyzer skips the certificate (CN) check and validates the connection using the username and password instead.
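The following is an added example, not Fortinet code, that models the two acceptance rules this article describes: with 'legacy-auth-mode' disabled, the certificate Common Name must equal the device serial number (item 2 above); with it enabled, the CN is not checked and only the username and password decide. It also encodes the caveat that legacy mode should only be on when the OFTP port is not exposed or access controls exist. The subject strings are constructed samples in the shape printed by `openssl x509 -noout -subject -nameopt RFC2253`; the serial numbers are placeholders, not real Fortinet serials, and the function names are this example's own.

```python
"""
Added example, not Fortinet's implementation: models the OFTP peer-acceptance
decision described in the article. All serial numbers below are placeholders.
"""

# Constructed sample subjects, formatted like
# `openssl x509 -noout -subject -nameopt RFC2253` output (placeholder serials).
SAMPLE_SUBJECTS = {
    "genuine": "CN=FGT-PLACEHOLDER-0001,OU=Security,O=Example Corp,C=US",
    "fabricated": "CN=FGT-PLACEHOLDER-9999,O=Example Corp",
    # RFC 2253 escapes a literal comma inside a value with a backslash.
    "escaped": "CN=FGT-PLACEHOLDER-0001,O=Example\\, Inc.",
    "no_cn": "O=Example Corp,C=US",
}


def split_rdns(subject):
    """Split an RFC 2253 subject string on unescaped commas."""
    parts, buf, i = [], [], 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):
            buf.append(subject[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p for p in parts if p]


def common_name(subject):
    """Return the CN attribute value, or None if the subject has no CN."""
    for rdn in split_rdns(subject):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().upper() == "CN":
            return value.strip()
    return None


def accept_oftp_peer(subject, claimed_sn, legacy_auth_mode, credentials_ok):
    """
    Return (accepted, reason) following the article's description:
    - legacy-auth-mode disabled: certificate CN must equal the device SN.
    - legacy-auth-mode enabled: CN is skipped; username/password decide.
    """
    if legacy_auth_mode:
        return (credentials_ok, "legacy-auth-mode: credentials only, CN not checked")
    cn = common_name(subject)
    if cn is None:
        return (False, "certificate has no CN")
    if cn != claimed_sn:
        return (False, f"CN {cn!r} does not match serial {claimed_sn!r}")
    return (True, "CN matches device serial number")


def legacy_mode_allowed(legacy_auth_mode, oftp_port_exposed, access_controls_in_place):
    """Article's caveat: legacy mode only if port 514 is not exposed or ACLs exist."""
    if not legacy_auth_mode:
        return True
    return (not oftp_port_exposed) or access_controls_in_place


if __name__ == "__main__":
    for name, subj in SAMPLE_SUBJECTS.items():
        ok, why = accept_oftp_peer(subj, "FGT-PLACEHOLDER-0001", False, True)
        print(f"{name:<11} strict mode -> {ok}: {why}")
    print("legacy mode with exposed port, no ACL ->", legacy_mode_allowed(True, True, False))
```

Run the block directly to see each sample subject evaluated in strict (CN-checked) mode; the `legacy_mode_allowed` call at the end shows why the article's caveat matters, since enabling legacy mode on an exposed port with no access controls means a peer no longer needs a certificate whose CN is its genuine serial number.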
It is very important to note that this mode should only ever be enabled if the OFTP port (UDP and TCP 514) is not exposed or if access controls are in place.
Related documents:

certificate oftp

config log FortiAnalyzer setting