Technical Tip: Sending logs to FortiCloud

nkojha · ‎12-17-2019

Description

This article describes how to send logs to FortiCloud.

Scope

FortiGate.

Solution

Activate FortiCloud:

Go to System -> FortiGuard and under FortiGate Cloud select 'Activate'.

Registered Email will be pre-filled, fill empty fields and enable 'Send logs to Fortigate Cloud', select the Domain/Region (Global, US, Europe), then select 'OK'.

Go to Log and Report -> Log Settings, enable Cloud Logging select FortiGate Cloud as 'Type' then select 'Apply'.

For v7.2.x and above, go to Security Fabric -> Fabric Connector -> Logging & Analytics -> Cloud logging -> FortiGate Cloud.

forticloud 2.PNG

Also in case of multiple ISP or SD-WAN connection source IP and interface may be required to add.

config log fortiguard setting

set status enable

set access-config enable

set ssl-min-proto-version default

set source-ip 0.0.0.0 [it should be one of the WAN interface IP]

set interface-select-method auto [auto|sdwan|specify] <- With 'specify', it is necessary to add 'set interface WAN_INTERFAC_PORT_Number'

set upload-option realtime

set priority default

set max-log-rate 0

set enc-algorithm high

set conn-timeout 10

end

Note:

If there is an upstream firewall, the following ports need to be allowed for the FortiGate Cloud connection to work properly.

Refer to Outgoing Ports

TCP/443 for Registration, Quarantine, Log and report, Syslog, and Contract Validation.
TCP/514 for OFTP.
TCP/541 for Management.

If the Forward Traffic log is not seen on FortiCloud, make sure Log Allowed Traffic is set to 'All sessions' instead of 'Security Events' under the firewall policy config. An empty Forward Traffic log will also result in an empty FortiView dashboard when data is retrieved from FortiCloud.

Related article:

Troubleshooting Tip: FortiGate not sending logs to FortiCloud

Technical Tip: Sending logs to FortiCloud

You are leaving our website