salemneaz
Staff
Article Id 222812
Description

This article shows how to forward logs to FortiAnalyzer on a multi-VDOM FortiGate.

Some troubleshooting commands are also given to check the connectivity status.

Scope

FortiGate versions above 6.4.

 

Solution

A FortiGate usually sends its logs to the FortiAnalyzer from the root VDOM. Other VDOMs, however, may need to send their logs to the FortiAnalyzer from their own VDOM.

In this example three VDOMs are considered:

Root (management VDOM)
VDOM-1

The FortiAnalyzer has the IP address 172.16.1.100.

Consider sending logs from VDOM-1.

Prerequisite: FortiAnalyzer-1 must be reachable from the management (root) VDOM.

 

1) Go to Global -> Logs & Report -> Log Settings.
2) Enable Send logs to FortiAnalyzer/FortiManager.
3) Enter the FortiAnalyzer IP. In this example it is 172.16.1.100.
4) Select the upload option.

 

CLI command reference (these settings are entered in the context of the VDOM that sends its own logs, VDOM-1 in this example, and enable the per-VDOM FortiAnalyzer override):

# config log setting
    set faz-override enable
end

# config log fortianalyzer override-setting
    set status enable
    set server 172.16.1.100
    set upload-option realtime
end

 

Note: this configuration example uses the real-time upload option.

Checking FortiAnalyzer connectivity.

To check FortiAnalyzer connectivity, use the diagnose command:

 

- Check the global FortiAnalyzer status:

# diagnose test application miglogd 1

faz: global, enabled
        server=172.16.1.100, realtime=3, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.16.200.55, reliable=1
                status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
                SNs: last sn update:1369 seconds ago.
                        Sn list:
                queue: qlen=0.
filter: severity=6, sz_exclude_list=0
         voip dns ssh ssl
subcategory:
        traffic: forward local multicast sniffer
        anomaly: anomaly

 

- Check the VDOM-1 override FortiAnalyzer status:

# diagnose test application miglogd 3101

faz: vdom, enabled, override
        server=172.16.1.100, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.16.1.100, reliable=1
                status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
                SNs: last sn update:1369 seconds ago.
                        Sn list:
                        (FAZ-VM0000000001,age=17s)
                queue: qlen=0.
filter: severity=6, sz_exclude_list=0
         voip dns ssh ssl
subcategory:
        traffic: forward local multicast sniffer
        anomaly: anomaly

        server: vdom, id=0, fd=72, ready=1, ipv6=0, 172.16.1.100/514
oftp-state=5
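The two diagnose outputs above are what an operator reads by eye when checking whether a VDOM's logs actually reach the FortiAnalyzer. As an added example (not part of this article and not a Fortinet tool), the following Python script parses those outputs and flags the conditions that matter for log delivery: logging disabled, state other than connected, or logs sitting in the queue. The sample text is the output shown above; the field names it reads (state, qlen, the Sn list, oftp-state) come from that output, and the health rules are this example's own.

```python
"""Added example: parse `diagnose test application miglogd 1` / `... 3101` output from a
FortiGate and flag an unhealthy FortiAnalyzer link. The sample text is the output shown in
this article; the parser and health rules are this example's own, not a Fortinet tool."""
import re

# Output of `diagnose test application miglogd 1` (global status) as shown in the article.
SAMPLE_GLOBAL = """\
faz: global, enabled
        server=172.16.1.100, realtime=3, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.16.200.55, reliable=1
                status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
                SNs: last sn update:1369 seconds ago.
                        Sn list:
                queue: qlen=0.
filter: severity=6, sz_exclude_list=0
"""

# Output of `diagnose test application miglogd 3101` (VDOM-1 override status) as shown in the article.
SAMPLE_VDOM = """\
faz: vdom, enabled, override
        server=172.16.1.100, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.16.1.100, reliable=1
                status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
                SNs: last sn update:1369 seconds ago.
                        Sn list:
                        (FAZ-VM0000000001,age=17s)
                queue: qlen=0.
filter: severity=6, sz_exclude_list=0
        server: vdom, id=0, fd=72, ready=1, ipv6=0, 172.16.1.100/514
oftp-state=5
"""

KV_RE = re.compile(r"(\w+)=([^,\s]*)")           # key=value pairs separated by comma/space
SN_RE = re.compile(r"\(([^,()]+),age=(\d+)s\)")   # (FAZ-serial,age=17s)
SN_UPDATE_RE = re.compile(r"last sn update:(\d+) seconds ago")


def parse_miglogd(text):
    """Turn the diagnose output into a flat dict of the fields we care about."""
    info = {"scope": None, "enabled": False, "override": False, "sn_list": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("faz:"):
            # e.g. "faz: vdom, enabled, override" -> scope plus flags
            flags = [f.strip() for f in line[len("faz:"):].split(",")]
            info["scope"] = flags[0]
            info["enabled"] = "enabled" in flags
            info["override"] = "override" in flags
        elif line.startswith(("server", "status:", "queue:")):
            for key, value in KV_RE.findall(line):
                info[key] = value.rstrip(".")  # "qlen=0." carries a trailing period
        elif line.startswith("("):
            for serial, age in SN_RE.findall(line):
                info["sn_list"].append((serial, int(age)))
        elif line.startswith("oftp-state="):
            info["oftp_state"] = int(line.split("=", 1)[1])
        match = SN_UPDATE_RE.search(line)
        if match:
            info["last_sn_update_s"] = int(match.group(1))
    return info


def assess(info):
    """Return (problems, warnings). Empty problems means logs should be flowing."""
    problems, warnings = [], []
    if not info["enabled"]:
        problems.append("logging to FortiAnalyzer is disabled")
    if info.get("state") != "connected":
        problems.append("state is %r, not 'connected'" % info.get("state"))
    qlen = int(info.get("qlen", "0"))
    if qlen > 0:
        problems.append("%d log(s) queued and not yet delivered" % qlen)
    if not info["sn_list"]:
        # The global output above shows an empty Sn list while connected, so this is only a warning.
        warnings.append("no FortiAnalyzer serial number learned yet (Sn list empty)")
    return problems, warnings


if __name__ == "__main__":
    for label, sample in (("global", SAMPLE_GLOBAL), ("VDOM-1 override", SAMPLE_VDOM)):
        parsed = parse_miglogd(sample)
        problems, warnings = assess(parsed)
        print(label, "->", "OK" if not problems else "; ".join(problems))
        for w in warnings:
            print("  warning:", w)
```

To use it against a live device, paste the output of the two diagnose commands into the sample strings (or feed it from a script that collects the output over SSH) and run the script; a non-empty problems list is the signal to check reachability from the root VDOM and the override settings shown earlier.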

 

Related link:

https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/229573/configuring-multiple-...
