FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
tkanneganti
Staff
Article Id 394705
Description This article describes how to identify a possible reason why logs from FortiClient endpoints are not reaching FortiAnalyzer Cloud.
Scope FortiAnalyzer Cloud.
Solution

Ensure the following before proceeding with the steps outlined in this article:


After ensuring the above, if the logs from FortiClients are still not seen on FortiAnalyzer Cloud, verify whether the XML config on FortiClient EMS contains the SNI configuration.


The FortiAnalyzer Cloud expects a URL and the SNI information to receive logs. On the FortiClient EMS XML config, the following is expected:


<log_upload_server>(account id).eu-central-1.fortianalyzer.forticloud.com</log_upload_server>
<log_uploadserver_sni>(account id).support.fortinet.com</log_uploadserver_sni>

Note: the <log_uploadserver_sni> line is the one that is usually missing from the XML config on FortiClient EMS Cloud.


If the <log_uploadserver_sni> line is missing, add it to the FortiClient EMS XML config and then verify whether the logs now reach FortiAnalyzer Cloud.

Replace (account id) with the actual account ID under which the devices are registered.
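The check described above can be done on an exported EMS XML config before the SNI line is added by hand. The following Python script is an added example, not Fortinet's own tooling: it locates <log_upload_server>, derives the account ID from the hostname prefix (assumed to be the first label, as in the hostnames shown above), reports whether <log_uploadserver_sni> is missing or does not match, and inserts the expected value as a sibling element when it is absent. The element names are the ones from this article; the enclosing <forticlient_configuration><system> wrapper and the account ID 1234567 in the constructed sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Hostname suffixes as shown in the article. The region label (eu-central-1
# in the sample) is whatever the upload server hostname carries.
FAZ_CLOUD_SUFFIX = ".fortianalyzer.forticloud.com"
SNI_SUFFIX = ".support.fortinet.com"


def account_id_from_upload_server(host):
    """Return the account id prefix of a FortiAnalyzer Cloud upload hostname.

    Assumption: the hostname is <account id>.<region>.fortianalyzer.forticloud.com
    """
    if not host.endswith(FAZ_CLOUD_SUFFIX):
        raise ValueError(f"not a FortiAnalyzer Cloud hostname: {host!r}")
    return host[: -len(FAZ_CLOUD_SUFFIX)].split(".")[0]


def check_sni(xml_text):
    """Inspect an EMS XML config export and report the log-upload SNI state.

    Returns (status, account_id, sni) where status is one of
    'no_upload_server', 'missing_sni', 'mismatched_sni', 'ok'.
    """
    root = ET.fromstring(xml_text)
    upload = root.find(".//log_upload_server")
    if upload is None or not (upload.text or "").strip():
        return ("no_upload_server", None, None)
    account_id = account_id_from_upload_server(upload.text.strip())
    expected = f"{account_id}{SNI_SUFFIX}"
    sni = root.find(".//log_uploadserver_sni")
    if sni is None or not (sni.text or "").strip():
        return ("missing_sni", account_id, expected)
    if sni.text.strip() != expected:
        return ("mismatched_sni", account_id, sni.text.strip())
    return ("ok", account_id, expected)


def add_missing_sni(xml_text):
    """Return the config with <log_uploadserver_sni> inserted directly after
    <log_upload_server> when it is missing; return the input unchanged otherwise."""
    root = ET.fromstring(xml_text)
    upload = root.find(".//log_upload_server")
    if upload is None or root.find(".//log_uploadserver_sni") is not None:
        return xml_text
    # ElementTree elements do not know their parent, so build a parent map.
    parents = {child: parent for parent in root.iter() for child in parent}
    account_id = account_id_from_upload_server(upload.text.strip())
    sni = ET.Element("log_uploadserver_sni")
    sni.text = f"{account_id}{SNI_SUFFIX}"
    sni.tail = upload.tail  # keep the surrounding indentation consistent
    parent = parents[upload]
    parent.insert(list(parent).index(upload) + 1, sni)
    return ET.tostring(root, encoding="unicode")


# Constructed sample config: the wrapper elements and the account id are
# placeholders, only the two log upload element names come from the article.
SAMPLE_WITHOUT_SNI = """<forticlient_configuration>
  <system>
    <log_upload_server>1234567.eu-central-1.fortianalyzer.forticloud.com</log_upload_server>
  </system>
</forticlient_configuration>"""

if __name__ == "__main__":
    print(check_sni(SAMPLE_WITHOUT_SNI))
    fixed = add_missing_sni(SAMPLE_WITHOUT_SNI)
    print(fixed)
    print(check_sni(fixed))
```

Run it against a real export by reading the file into `check_sni` first; only write back the output of `add_missing_sni` after confirming the derived account ID matches the account the devices are registered under, since a wrong SNI value fails the TLS handshake just as silently as a missing one.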


If the issue persists, collect sniffer traces (packet captures) on FortiAnalyzer Cloud, EMS, and FortiClient for port 514 and raise a ticket with TAC support for further investigation.