heng
Staff
Article Id 276541
Description

 

This article describes the requirements for, and how to configure, a FortiGate with FIPS-CC mode enabled so that it can send logs to FortiAnalyzer or FortiAnalyzer-Cloud successfully. It also covers the requirements and configuration for FortiGates that do not have FIPS-CC enabled but send logs to the same FortiAnalyzer.

 

Scope

 

FortiGate (FIPS-CC enabled), FortiAnalyzer, FortiAnalyzer-Cloud.

 

Solution

 

The mandatory requirements for successful logging from a FortiGate with FIPS-CC enabled to FortiAnalyzer are as follows:

  • FortiAnalyzer must be set to use a custom server certificate for OFTP. The server certificate can be issued by a CA under your control, for example FortiAuthenticator, OpenSSL, or a Windows Server CA.
  • FortiGate must import the CA certificate that signed the custom server certificate installed on the FortiAnalyzer.
  • In the FortiGate CLI, 'set server' under 'config log fortianalyzer setting' must be the FortiAnalyzer FQDN or IP, and that value must match the SAN field of the custom server certificate on the FortiAnalyzer.

 

At the same time, for FortiGates without FIPS-CC enabled that send logs to the same FortiAnalyzer, the requirement is as follows:

  • FortiGate must import the CA certificate that signed the custom server certificate installed on the FortiAnalyzer.

The FortiAnalyzer custom server certificate must be an X.509 certificate that meets the following requirements:

  • Its Common Name should be the Serial Number of the FortiAnalyzer.
  • Its Subject Alternative Name shall be the FQDN or IP of the FortiAnalyzer, matching whatever is configured as 'set server' on the FortiGate.
  • Its Extended Key Usage shall be serverAuth.
  • The current date/time shall fall within its validity period.

The FortiAnalyzer-Cloud custom server certificate must be an X.509 certificate that meets the following requirements:

  • Its Common Name should be the Serial Number of the FortiAnalyzer-Cloud instance.
  • Its Subject Alternative Name must contain these 2 DNS values:
    • *.fortianalyzer.forticloud.com
    • <region>.fortianalyzer.forticloud.com [Example: ca-west-1.fortianalyzer.forticloud.com]
  • Its Extended Key Usage shall be serverAuth.
  • The current date/time shall fall within its validity period.
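As an added example (not part of the original article), the following OpenSSL script creates a private CA and issues a FortiAnalyzer OFTP server certificate that meets the requirements listed above, then checks the result the way a FIPS-CC FortiGate will: the certificate chains to the CA, its CN is the serial number, its SAN contains the exact address used in 'set server', and its EKU is serverAuth. The serial number FAZ-VMTM12345678, the CA name "Lab Logging CA", the file names and the validity periods are placeholders chosen for the example; substitute your own values.

```shell
#!/bin/sh
# Added example: issue a FortiAnalyzer OFTP server certificate with OpenSSL.
# Assumed placeholder inputs (not from the article): the FortiAnalyzer serial
# number (becomes the CN) and the FQDN/IP FortiGate uses in 'set server'
# (becomes the SAN). Produces ca.crt (import on FortiGate) and faz.crt/faz.key
# (import on FortiAnalyzer, then select under 'config system certificate oftp').
set -e

make_faz_cert() {
    serial="$1"   # e.g. FAZ-VMTM12345678 (constructed placeholder)
    san="$2"      # e.g. IP:10.128.210.139  or  DNS:faz.example.com
    dir="${3:-.}"
    mkdir -p "$dir"

    # 1. Private CA. FortiGate verifies the OFTP server certificate against this.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Lab Logging CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Server key + CSR. The CN must be the FortiAnalyzer serial number.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$serial" \
        -keyout "$dir/faz.key" -out "$dir/faz.csr" 2>/dev/null

    # 3. Extensions: SAN = the FQDN/IP FortiGate connects to, EKU = serverAuth.
    cat > "$dir/faz.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=$san
EOF

    openssl x509 -req -in "$dir/faz.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/faz.ext" \
        -out "$dir/faz.crt" 2>/dev/null
}

# Check an issued certificate before importing it: it must chain to the CA with
# the TLS-server purpose (this enforces EKU serverAuth), carry the serial number
# as CN, and list the configured 'set server' value (FQDN or IP) in its SAN.
# Returns 0 when all checks pass, 1 otherwise.
check_faz_cert() {
    dir="${1:-.}"
    serial="$2"
    server="$3"   # the exact value configured in 'set server' on the FortiGate
    openssl verify -purpose sslserver -CAfile "$dir/ca.crt" "$dir/faz.crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$dir/faz.crt" -noout -text)
    echo "$text" | grep -q "Subject:.*CN *= *$serial" || return 1
    echo "$text" | grep -q "TLS Web Server Authentication" || return 1
    # openssl prints SAN entries as "DNS:name" or "IP Address:a.b.c.d".
    if ! echo "$text" | grep -qF "IP Address:$server" && ! echo "$text" | grep -qF "DNS:$server"; then
        return 1
    fi
    return 0
}
```

For FortiAnalyzer-Cloud, pass both required names in the SAN argument, for example `DNS:*.fortianalyzer.forticloud.com,DNS:ca-west-1.fortianalyzer.forticloud.com`, and check against the regional FQDN. A certificate whose SAN does not contain the exact 'set server' value fails the check, which is the same mismatch that makes a FIPS-CC FortiGate refuse the OFTP connection.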

 

In FortiAnalyzer:

  1. Import the custom server certificate into FortiAnalyzer. In this example, the FortiAnalyzer IP is 10.128.210.139, so the certificate has SAN = 10.128.210.139 and CN = <S/N>.

faz_custom_cert.png

  2. Configure the FortiAnalyzer via CLI to use the custom certificate for the OFTP connection (here the imported certificate is named "fazvmnew"):

config system certificate oftp
    set mode local
    set local "fazvmnew"
end

  3. Restart the OFTP process so the new certificate is served, using either 'diagnose test application oftpd 99' or 'fnsysctl killall oftpd'.

 

In FortiAnalyzer-Cloud:

  1. The custom server certificate for FortiAnalyzer-Cloud has the 2 mandatory DNS entries in the SAN and CN = <S/N>.

faz-cl_custom_cert.png

  2. The rest of the steps are the same as for a regular FortiAnalyzer.

 

In FortiGate:

  1. Enable FIPS-CC mode on the FortiGate, which requires console access. Refer to the KB article: How to enable FIPS-CC mode.
  2. Configure the FortiAnalyzer settings via CLI. 'set server' is the FortiAnalyzer FQDN or IP and must match the SAN of the custom server certificate. In this example, the FortiAnalyzer IP is 10.128.210.139.

config log fortianalyzer setting
    set status enable
    set server "10.128.210.139"
    set certificate-verification enable
    set upload-option realtime
    set reliable enable
end

  3. Import the CA certificate that signed the custom server certificate into the FortiGate.
  4. Run the following CLI command on the FortiGate to check the connectivity. If the FortiGate has not yet been added to FortiAnalyzer, an authentication failure is expected:

execute log fortianalyzer test-connectivity
Failed to get FAZ's status. Authentication Failed. (-19)

 

  5. If the FortiGate has not yet been added to the FortiAnalyzer, log back into FortiAnalyzer and authorize the FortiGate.
  6. Wait a minute or two for the OFTP connection to establish, then run the connectivity check on the FortiGate again. The Tx and Rx counters in the output should now be increasing:

execute log fortianalyzer test-connectivity
FortiAnalyzer Host Name: FAZ-74
FortiAnalyzer Adom Name: root
FortiGate Device ID: FGVM08TM99999999
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 576885730B/53687091200B
Analytics Usage (Used/Allocated): 535450594B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 3/60 Days
Archive Usage (Used/Allocated): 41435136B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 3/365 Days
Log: Tx & Rx (638 logs received since 09:45:46 09/28/23)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx

  7. Log back into the FortiAnalyzer GUI; the FortiGate is now sending logs in real time.
  8. In the FortiAnalyzer GUI, navigate to Log Browse -> FortiGate; the analytic logs should be received and displayed as expected.