FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
HernandezA
Staff
Article Id 412261
Description This article describes how to validate the steps needed for FortiAnalyzer to receive threat information so that it is displayed in the FortiView Threats view for the FortiClient section.
Scope FortiAnalyzer, FortiAnalyzer Cloud, EMS Cloud, EMS, FortiClient.
Solution

Prerequisites:

  1. The user has already created the FortiAnalyzer/FortiManager Cloud instance in the same account as the device, with the required license feature available (see the Cloud deployment guide).
  2. The user has access to the FortiAnalyzer/FortiManager Cloud instance with an administrator account.
  3. Integrate FortiClient EMS in the FortiAnalyzer (Technical Tip: How to integrate FortiClient EMS in the FortiAnalyzer).

Context: FortiAnalyzer has a view that summarizes threats related to endpoints, using FortiClient logs as the source. To populate that view, FortiAnalyzer must receive the specific (threat) logs from the endpoints, and the EMS must be in an ADOM of the Fabric type. If those logs are not received, FortiAnalyzer cannot show any data in the view.

 

FortiView -> Threats -> Top Threats (FortiClient).

[Screenshot: No data in threat forticlient.jpg]

 

Configuration steps:

  1. Confirm that EMS is connected in FortiAnalyzer (Device Manager -> All Logging Devices), and verify that the System profile in EMS has logging enabled. The logs required by the Threats view are UTM logs, so UTM logging must be enabled in that profile.

[Screenshot: DevicemanagerupEMS.jpg]

FortiClient EMS -> Endpoint Profiles -> System Settings -> System Profile Settings.

[Screenshot: UTMLOGSneeded.jpg]

 

  2. Confirm that at least a Web Filter profile has been configured in EMS and assigned to the endpoint or endpoint group, so that web-filter logs are generated. If the option 'log ALL URLs' is enabled, traffic logs are generated for every URL visited, not only for blocked or monitored ones. See FortiClient EMS -> Endpoint Profiles -> Web Filter Settings.

[Screenshot: webfilterconfig.jpg]

 

  3. Verify that the System and Web Filter profiles are assigned to the endpoint or endpoint group. Go to FortiClient EMS -> Endpoint Policy & Components -> Manage Policies -> Endpoint Policy.

[Screenshot: ManagePolicies.jpg]

FortiClient EMS -> Endpoints -> All Endpoints -> Locate the endpoint to which the profiles were assigned and confirm that the profiles were delivered.

[Screenshot: profiledelivered.jpg]

 

  4. Confirm that FortiClient is running on the endpoint and connected to EMS, then generate traffic from the endpoint (for example, web browsing) so that logs are produced.

[Screenshot: FCT connection.jpg]

 

  5. Confirm the blocked sessions and validate that the categories shown in FortiView -> Threats (FortiClient) match the Web Filter profile configured.

[Screenshot: cat1.jpg]

[Screenshot: cat2.jpg]

[Screenshot: Summarycat.jpg]

 

Note: It is very important that all platforms involved (the endpoint, FortiClient EMS, and FortiAnalyzer) have the same system time and time zone. If they do not, the information will not be displayed.

[Screenshot: DeviceTimezone.jpg]

See FortiClient EMS -> System Settings -> FortiGuard Services.

[Screenshot: EMS timezone.jpg]

See FortiAnalyzer -> Status -> System Time -> Time Zone.

[Screenshot: FAZtimezone.jpg]
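To make the selection criteria behind steps 1, 2 and 5 and the time-zone note concrete, the following Python script replays them offline over a handful of log lines: only UTM web-filter logs with a blocked action that fall inside the view's time window are counted by category. This is an added example, not code from this article or from Fortinet. The sample log lines are constructed (not captured from a deployment) in a Fortinet-style key=value layout, and the field names it keys on (type, subtype, action, catdesc, tz, hostname), the one-hour window and the assumed FortiAnalyzer clock (NOW) are assumptions for the example, not a guaranteed FortiClient log schema.

```python
"""Offline check of which FortiClient logs would feed 'Top Threats (FortiClient)'.

Added example; not code from the article or from Fortinet. The sample lines
are CONSTRUCTED in a Fortinet-style key=value layout, and the field names
(type, subtype, action, catdesc, tz, hostname) are ASSUMPTIONS for this
example, not a guaranteed FortiClient log schema.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed FortiAnalyzer clock (an instant; 15:05 UTC == 10:05 at UTC-5) and the
# FortiView time window being looked at ("last hour").
NOW = datetime(2024, 5, 6, 15, 5, 0, tzinfo=timezone.utc)
WINDOW = timedelta(hours=1)

# CONSTRUCTED sample logs. PC-01/PC-02 are set to UTC-5 like the analyzer;
# PC-03 shows the same wall-clock time but its time zone is set to UTC+2.
SAMPLE_LOGS = [
    'date=2024-05-06 time=10:00:05 tz="-0500" type=utm subtype=webfilter action=blocked catdesc="Malicious Websites" url="http://bad.example/" hostname=PC-01',
    'date=2024-05-06 time=10:00:20 tz="-0500" type=utm subtype=webfilter action=blocked catdesc="Phishing" url="http://login.example/" hostname=PC-01',
    'date=2024-05-06 time=10:01:00 tz="-0500" type=utm subtype=webfilter action=blocked catdesc="Malicious Websites" url="http://bad2.example/" hostname=PC-02',
    # Only produced when 'log ALL URLs' is enabled: allowed traffic, not a threat.
    'date=2024-05-06 time=10:01:30 tz="-0500" type=utm subtype=webfilter action=passthrough catdesc="Search Engines" url="http://search.example/" hostname=PC-01',
    # A system event from the System profile: not a UTM log at all.
    'date=2024-05-06 time=10:02:00 tz="-0500" type=event subtype=system msg="FortiClient connected to EMS" hostname=PC-02',
    # Endpoint with a mismatched time zone: wall clock looks current, instant is not.
    'date=2024-05-06 time=10:02:10 tz="+0200" type=utm subtype=webfilter action=blocked catdesc="Phishing" url="http://bait.example/" hostname=PC-03',
]


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_tz(tz):
    """Turn a '+HHMM' / '-HHMM' offset into a tzinfo."""
    sign = -1 if tz.startswith("-") else 1
    return timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))


def event_instant(rec):
    """Combine date, time and tz fields into an absolute (aware) timestamp."""
    naive = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=parse_tz(rec["tz"]))


def top_threats(lines, now=NOW, window=WINDOW):
    """Emulate the 'Top Threats (FortiClient)' selection.

    Returns (counts, dropped): blocked web-filter logs inside the window,
    counted by category, plus (hostname, reason) for every record left out.
    """
    counts = Counter()
    dropped = []
    for line in lines:
        rec = parse_line(line)
        host = rec.get("hostname", "?")
        if (rec.get("type"), rec.get("subtype")) != ("utm", "webfilter"):
            dropped.append((host, "not a UTM web-filter log; enable UTM logging in the System profile"))
            continue
        if rec.get("action") != "blocked":
            dropped.append((host, f"action={rec.get('action')} is not a threat (a 'log ALL URLs' entry)"))
            continue
        when = event_instant(rec)
        if not (now - window <= when <= now):
            dropped.append((host, f"outside the window: {when.isoformat()} (tz {rec['tz']}); check clock and time zone"))
            continue
        counts[rec.get("catdesc", "Unrated")] += 1
    return counts, dropped


if __name__ == "__main__":
    counts, dropped = top_threats(SAMPLE_LOGS)
    print("Top Threats (FortiClient), last hour:")
    for cat, n in counts.most_common():
        print(f"  {n:3d}  {cat}")
    print("Not shown:")
    for host, why in dropped:
        print(f"  {host}: {why}")
```

Running it counts two "Malicious Websites" and one "Phishing" hit and lists three records that never reach the view: the passthrough entry generated by 'log ALL URLs', the system event that is not a UTM log, and the PC-03 block whose time zone differs from the analyzer's. That last case is the mechanism behind the note above: the wall-clock time looks current, but the converted instant falls hours outside the window, so the event is simply not displayed.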
