Help
FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
volkanavsar
Staff
Staff

Created on ‎10-30-2023 01:49 AM

Article Id 281657

Technical Tip: Instructions for transmitting FortiClient Web Traffic logs to FortiAnalyzer

Description

This article describes the process of transmitting web traffic logs from FortiClient to FortiAnalyzer with the aim of addressing potential issues.
Scope FortiClient, FortiClient EMS, FortiClient EMS Cloud, FortiAnalyzer.
Solution

Checkpoints:

 

  • Before commencing, compare the version information for FortiClient, FortiClient EMS, and FortiAnalyzer as provided in the following document:

 

FortiClient EMS Compatibility Chart

 

  • Attention: It is important to note that a 3rd party antivirus application may potentially obstruct the transmission of traffic logs from the machine where FortiClient is installed. In case of encountering any issues, remember to configure exclusions or allow connection between FortiClient and FortiAnalyzer within the 3rd party Antivirus software.

 

FortiGate Side:

 

FortiClient and FortiClient EMS utilize port 514 for the purpose of sending logs to FortiAnalyzer. It is essential to ensure that port 514 is permitted on the Firewall. For additional information, consult the document provided below:

 

Required services and ports

 

EMS Side:

 

To establish synchronization of FortiClient Web Traffic Logs with FortiAnalyzer, the configuration explained must be implemented within FortiClient EMS.

 

  1. EMS -> Endpoint Profiles -> Web Filter -> Advanced -> General -> Log All URLs (Enable).
    EMS -> Endpoint Profiles -> Web Filter -> Advanced -> General -> Log User Initiated Traffic (Enable).
 

1.png1.png

 

  1. EMS -> Endpoint Profiles -> System Settings -> Advanced -> Log -> Upload UTM Logs (Chromebook).

    2.png2.png
    For more details: System Settings.

     

  1. EMS -> Endpoint Profiles -> System Settings -> Advanced -> Log.

     

    Specify the log type intended to be sent to FortiAnalyzer. In this example, all options are currently selected.

    3.png3.png

     

    For more details: System settings.

     

     

  2. EMS -> Endpoint Profiles -> System Settings -> Advanced -> Log.

     

    Input the FortiAnalyzer IP address or FQDN. If using a specific port for communication, provide it in the format 'IP:port' or 'FQDN:port'.

     

    4.png4.png

     

     

  3. EMS -> System Settings -> Log Settings -> FortiAnalyzer.

     

    Enter the FortiAnalyzer’s IP address in the designated 'FortiAnalyzer Server Address' field and proceed to save the settings.

     

    5.png5.png

     

    For more details: Systems settings.

     

FortiAnalyzer Side:

 

  1. FortiAnalyzer -> System Settings -> ADOMs -> Add Device.

 

Create a new ADOM as follows:

 

6.png6.png

 

  1. Change the Adom with the newly created one.

     

    7.png7.png

     

     

  2. FortiAnalyzer -> Device Manager -> Add Device.

     

    Integrate FortiClient EMS with FortiAnalyzer as illustrated in the screenshot provided.

    8.png8.png

     

    9.png9.png

     

    10.png10.png

     

     

  3. FortiAnalyzer -> Fabric View -> Fabric Connection.

     

    Initiate a fabric connection between FortiClient EMS and FortiAnalyzer as demonstrated below:

     

    11.png11.png

     

    Provide the connection credentials in accordance with the usage of either FortiClient EMS or FortiClient EMS Cloud in the designated field below:

     

    FortiClient EMS on-premises:

     

    12.png12.png

     

    FortiClient EMS Cloud:

    13.png13.png

     

    14.png14.png

     

    15.png15.png

     

FortiClient Side:

  • Verify if the traffic logs commence their creation within the 'C:\Program Files\Fortinet\FortiClient\logs' folder and subsequently monitor the logs for any signs of disappearance, indicating their transmission to FortiAnalyzer.

16.png16.png

 

  1. It is also possible to verify, if necessary, using 'Wireshark' whether the logs sent by FortiClient to FortiAnalyzer are correctly filtered with the destination as indicated below:

     

    17.png17.png

     

    18.png18.png

     

    Finally, it is possible to review the initiated traffic logs by navigating to the 'FortiAnalyzer -> Log View -> Traffic' menu.

     

    19.png19.png

     

    Additionally, it is possible to perform a check under FortiAnalyzer CLI using the following script to ensure that traffic reception is occurring from the specified host address.

     

    'diag sniffer packet any ' host 10.xxx.xx.xx ' 3 0 a'

     

    20.png20.png

     

    Key points and important considerations regarding the FortiClient EMS Cloud.

     

    To enable communication between the FortiClient EMS Cloud and on-premises FortiAnalyzer, it is imperative to permit the port 514 connection on the firewall. Locate the IP address of FortiClient EMS Cloud in the 'About' tab on the portal as a source address.

     

    21.png21.png
1959
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.