Description
This article describes how to connect FortiGate to FortiAnalyzer Cloud and troubleshoot connectivity issues.
Scope
FortiAnalyzer Cloud.
Pre-requirements:
FortiGate needs the following licenses:
FortiAnalyzer Cloud subscription:
|
FortiGate hardware |
FC-10-[FortiGate Model Code]-585-02-DD |
|
FortiGate-VM |
FC-10-[FortiGate VM Model Code]-585-02-DD |
For more information, visit the following page: Licensing
Solution
Connect FortiGate to FortiAnalyzer Cloud.
- Go to Log & Report --> Log Settings --> Enable Cloud Logging Settings.
- Select FortiAnalyzer Cloud and Apply the changes.
In Firmware v7.2.x or v7.4.x, follow the steps below:
- Go to Security Fabric --> Fabric Connectors --> click on edit Logging& Analytics.
- Choose the Cloud Logging option and then select FortiAnalyzer Cloud and apply the changes. Note: If the FortiGate has the entitlement [license ] for Fortianalyzer choose the the FortiAnalyzer Cloud.
- Go to FortiAnalyzer Cloud and Authorized:
- Go to Device Manager and Check Unauthorized Devices.
- Select it and Authorize it.
- After, Test Connectivity to see if the connection works.
On FortiGate:
On FortiAnalyzer:
Note:
Only the master account ID has permission to authorize FortiGate devices in the FortiAnalyzer cloud, for other users the option will not be available. To check the master account ID:
dia test update info
-
Troubleshooting connectivity: After saving the setting, check the output of the below command in the FortiGate CLI:
exec log fortianalyzer-cloud test-connectivity
Upon seeing an error like the following, check internet connectivity and FortiAnalyzer cloud connectivity.
execute telnet fortianalyzer.forticloud.com 514
execute ping fortianalyzer.forticloud.com
Unknown host: fortianalyzer.forticloud.com
Failed to get FortiAnalyzer Cloud's status. Hostname resolution failed. (-21)
If there is no internet communication issue, check below sniffer outputs.
To check if FortiGate has the correct contract and add the correct account, run the following commands.
diagnose test update info
To see the domain region, log quota, and daily volume to understand whether connectivity is correct and using the correct region, run the following command:
diagnose test application forticldd 3
On the FortiGate CLI, resolve the fortianalyzer.forticloud.com domain, via ping:
execute ping fortianalyzer.forticloud.com
PING fortianalyzer.forticloud.com.geo.fortinet.net (154.52.2.161): 56 data bytes
Then use the IP to run a sniffer towards the FortiAnalyzer Cloud servers, where 'x.x.x.x' is the resolved IP in the procedure above:
diag sniffer packet any 'host x.x.x.x and port 514' 6 0 l
On the FortiAnalyzer CLI:
diag sniffer packet any 'port 514' 3 0 l
If there is a need to report a support ticket, collect the following command outputs and share them in the ticket with the above outputs.
On FortiAnalyzer:
diag debug app oftpd 8 <FGT-IP> <- Alternatively, a device name can be used. IP is preferable.
diag debug timestamp enable
diag debug enable
On FortiGate:
diag test app miglogd 6
diag test app fgtlogd 4 (since 7.4.0 to replace diag test app miglogd 6)
diag log kernel-stats
Both FortiAnalyzer and FortiGate:
execute tac report
Related articles:
Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity
Technical Note: How to create a log file of a session using PuTTY
Technical Tip: Ticket Creation via the Support Portal
Technical Note: Traffic Types and TCP/UDP Ports used by Fortinet Products
Troubleshooting Tips: No logs received on FortiAnalyzer
Technical Tip: How to setup a custom certificate regarding OFTP protocol
