Created on 08-17-2024 12:21 AM
Edited on 09-14-2025 12:31 AM
By kpanchal
This article describes the initial steps to follow when FortiGate logs cannot be seen in the FortiCloud account.
FortiGate.
Troubleshooting.
Be sure to verify the proper logging configuration.
Enable logging to FortiCloud.
Confirm communication between FortiGate and FortiCloud:
execute ping logctrl1.fortinet.com
PING logctrl1.fortinet.com
If the logs are enabled and there is a connection to the FortiCloud, check the region. Sometimes having the FortiGate and FortiCloud in different regions can lead to this type of issue, so ensure both are in the same region.
Check whether Anycast is enabled under 'config sys fortiguard'. If enabled, try disabling it as follows:
config sys fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53
end
diagnose debug reset
diagnose debug disable
diagnose debug application update -1
diagnose debug enable
execute update-now
To stop the debug when finished, press 'Ctrl+C' and enter 'diagnose debug disable'.
Verify the FortiGuard servers using the following command:
diagnose debug rating
Log out of the FortiCloud account, refresh the processes below, and log in again.
fnsysctl killall ipsengine
fnsysctl killall forticldd
fnsysctl killall miglogd
fnsysctl killall fgtlogd <-- Applicable for v7.2.4 and above.
Check again whether the logs are being forwarded to FortiCloud. Use the following command to check the Home log server IP.
V7.2.3 and below:
diagnose test application miglogd 20
V7.2.4 and above:
diagnose test application fgtlogd 20
Note:
If the output of the above command shows 'UP' but the FortiGate is still unable to send logs, try restarting the fgtlogd process by executing the command 'fnsysctl killall fgtlogd'. Confirm that the process has been restarted by running 'diagnose sys process pidof fgtlogd' before and after restarting the process. It should show a different process ID each time.
To generate a test log to confirm the logging is working, use the command below:
diagnose log test
Once the server IP is known, establish a Telnet connection to it on port 514 and run a packet sniffer to see the response from the server.
Verify outgoing traffic on port 514 using:
diagnose sniffer packet any "port 514" 4 0 l
To stop the sniffer in the end, press Ctrl + C; otherwise, the sniffer runs forever.
If there is no response, try changing the outgoing interface with the following commands.
config log fortiguard setting
set interface-select-method
auto === Set outgoing interface automatically.
sdwan === Set outgoing interface by SD-WAN or policy routing rules.
specify === Set outgoing interface manually.
Check the source IP in the FortiGuard log configuration and remove it if it is set manually, for example:
config log fortiguard setting
set source-ip x.x.x.x
set interface-select-method specify -----> This means that it is manually configured.
set interface "wan1"
Instead do:
config log fortiguard setting
unset interface-select-method
end
It should bring back the default settings.
Check interface-select-method for FortiGuard as well; it may cause issues if servers are not reachable from the specified method.
config system fortiguard
unset interface-select-method
end
If all the above settings have been checked and the logs are still not received on FortiGate Cloud, make sure that the FortiGate is running the latest firmware if it uses a Free Subscription with FortiGate Cloud.
Starting February 28, 2025, a FortiGate without an active FortiGate Cloud subscription is required to upgrade to the latest firmware patch within 7 days of a new GA patch release, or FortiGate Cloud services will be paused for that device. This affects the cloud retention service: with a Free FortiGate Cloud account, logs will not be forwarded to FortiCloud until the device is updated to the latest firmware patch. The existing scheduled 360-degree activities report is affected as well.
More information about this change can be found here:
Technical Tip: Security enforcement change for FortiGates provisioned to FortiGate Cloud without act...
Note:
The debug output below indicates that the FortiGate Cloud log retention service is paused:
diagnose test application fgtlogd 20
Home log server:
Address: 173.243.132.239:514
Alternative log server:
Address: 173.243.132.54:514
FazCloud log server:
Address:
oftp status: connected
Source IP: 103.131.217.51
Debug zone info:
Server IP: 173.243.132.239
Server port: 514
Server status: up
Server log status: disabled <<<
An alternate option is to apply a FortiGate Cloud subscription to the device: Technical Tip: How to check whether a FortiGate has a paid FortiGate Cloud Service Subscription.
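The Python script below is an added example, not part of the original article and not Fortinet code. It picks the status command for a firmware version and classifies pasted output of that command into the cases covered above. The sample output is constructed with documentation addresses, and the verdict names are assumptions of this example.

```python
import re

# Constructed sample in the layout of the article's status output;
# addresses are RFC 5737 documentation placeholders, not real servers.
SAMPLE = """\
Home log server:
Address: 198.51.100.10:514
Alternative log server:
Address: 198.51.100.11:514
FazCloud log server:
Address:
oftp status: connected
Debug zone info:
Server status: up
Server log status: disabled <<<
"""

def status_command(version: str) -> str:
    """v7.2.3 and below use miglogd; v7.2.4 and above use fgtlogd."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    daemon = "fgtlogd" if parts >= (7, 2, 4) else "miglogd"
    return f"diagnose test application {daemon} 20"

def parse_status(text: str) -> dict:
    """Flatten the output; 'Address' is qualified by its section header."""
    fields, section = {}, ""
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        key = key.strip()
        value = re.sub(r"\s*<<.*$", "", value).strip()  # drop pasted '<<<' markers
        if not sep or not key:
            continue
        if key == "Address":        # may be empty, never a section header
            fields[f"{section}/Address"] = value
        elif not value:
            section = key           # e.g. "Home log server:"
        else:
            fields[key] = value
    return fields

def diagnose(text: str) -> str:
    f = parse_status(text)
    if not f.get("Home log server/Address"):
        return "no-home-server"     # check logging config, region, logctrl1 reachability
    if f.get("Server status", "").lower() != "up":
        return "server-down"        # sniff port 514, review interface-select-method
    if f.get("Server log status", "").lower() == "disabled":
        return "service-paused"     # upgrade firmware or apply a subscription
    return "up"                     # restart the log daemon, then 'diagnose log test'
```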
Note:
If the Forward Traffic log is not seen on FortiCloud, make sure Log Allowed Traffic is set to 'All sessions' instead of 'Security Events' under the firewall policy config. An empty Forward Traffic log will also result in an empty FortiView dashboard when data is retrieved from FortiCloud.
Another possibility is that the user is facing the known issue 1045253, in which the FortiGate logs are not transferred into the FortiGate Cloud Log server. To fix the issue, it is necessary to upgrade to v7.2.11, v7.4.7, or v7.6.1.
If the daily upload limit of 1TB is exceeded, FortiGate will be blocked from uploading logs to FortiGate Cloud. This block is not removed automatically, and it is necessary to reach out to Fortinet Technical Support. To avoid this, it is recommended to disable logging on the implicit deny policy as suggested in the following article: Troubleshooting Tip: FortiGate log uploads blocked to FortiGate Cloud.