Description
This article describes how to send logs to FortiCloud.
Scope
FortiGate.
Solution
The FortiCloud server can be used as a redundant backup or the primary logging solution. The following assumes that this service has already been registered, and a subscription has been purchased for expanded space.
Activate FortiCloud under System -> FortiGuard, and under FortiGate Cloud select 'Activate'.
Registered Email will be pre-filled, fill empty fields and enable 'Send logs to Fortigate Cloud', select the Domain/Region (Global, US, Europe), then select 'OK'.
Go to Log and Report -> Log Settings, enable Cloud Logging, select FortiGate Cloud as 'Type', then select 'Apply'.
For v7.2.x and above, go to Security Fabric -> Fabric Connector -> Logging & Analytics -> Cloud logging -> FortiGate Cloud.
Also, in case of multiple ISPs or SD-WAN connection source IP and interface may be required to add.
config log fortiguard setting
set status enable
set access-config enable
set ssl-min-proto-version default
set source-ip 0.0.0.0 <-- It should be one of the WAN interface IP.
set interface-select-method auto [auto|sdwan|specify] <----- With 'specify', it is necessary to add 'set interface WAN_INTERFAC_PORT_Number'.
set upload-option realtime
set priority default
set max-log-rate 0
set enc-algorithm high
set conn-timeout 10
end
Note:
If there is an upstream firewall, the following ports need to be allowed for the FortiGate Cloud connection to work properly.
Refer to Outgoing Ports.
- TCP/443 for Registration, Quarantine, Log and report, Syslog, and Contract Validation.
- TCP/514 for OFTP.
- TCP/541 for Management.
If the Forward Traffic log is not seen on FortiCloud, make sure Log Allowed Traffic is set to 'All sessions' instead of 'Security Events' under the firewall policy config. An empty Forward Traffic log will also result in an empty FortiView dashboard when data is retrieved from FortiCloud.
If all the above settings are checked and still not receiving the logs on the Cloud, make sure that FortiGate is running the latest firmware if using Free Subscription with FortiGate Cloud.
Starting February 28, 2025, a FortiGate without an active FortiGate Cloud subscription is required to upgrade to the latest firmware patch within 7 days of a new GA patch release, or FortiGate Cloud services will be paused for that device.
This will affect the cloud retention service, where logs will not be forwarded to FortiCloud until the device is updated to the latest firmware patch if using a Free FortiGate Cloud account: Technical Tip: Security enforcement change for FortiGates provisioned to FortiGate Cloud without act...
A possible issue if the logging is not working due to a known issue ID 1045253. This issue causes the FortiGate logs not to be transferred to the FortiGate Cloud Log server. It is fixed on versions v7.2.11, v7.4.8, or v7.6.1, or above.
Related articles:
Troubleshooting Tip: FortiGate not sending logs to FortiCloud
Technical Note: Logs not displayed because of corrupted flash memory
Troubleshooting Tip: FortiGate log uploads blocked to FortiGate Cloud
Technical Tip: How to check whether a FortiGate has a paid FortiGate Cloud Service Subscription
