Description
This article describes the initial steps to follow when FortiGate logs cannot be seen in the FortiCloud account.
Scope
FortiGate.
Solution
Troubleshooting.
Enable logging to FortiCloud.
- Go to Security Fabric -> Fabric Connectors and select the Logging & Analytics card -> Edit.
- On the Cloud Logging tab, set Type to FortiGate Cloud.
- Select an upload option:
  - Real-Time: logs are sent to the cloud device in real-time.
  - Every Minute: logs are sent to the cloud device once every minute.
  - Every 5 Minutes: logs are sent to the cloud device once every five minutes (default).
- Select OK.
Confirm communication between FortiGate and FortiCloud:
execute ping logctrl1.fortinet.com
PING logctrl1.fortinet.com
If logging is enabled and there is a connection to FortiCloud, check the region. Having the FortiGate and FortiCloud in different regions can sometimes lead to this type of issue, so ensure both are in the same region.
Check whether anycast is enabled under 'config sys fortiguard'. If it is enabled, try disabling it as follows:
config sys fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53
end
di de app update -1
di de en
exec update-now
Verify the FortiGuard servers using the following command:
di de rating
Log out of the FortiCloud account, restart the processes below, and log in again:
fnsysctl killall ipsengine
fnsysctl killall forticldd
fnsysctl killall miglogd
Check again whether the logs are being forwarded to FortiCloud. Use the following command to check the Home log server IP.
V7.2.3 and below:
diagnose test application miglogd 20
V7.2.4 and above:
diagnose test application fgtlogd 20
Once the server IP is known, establish a telnet connection to it on port 514 and run the sniffer to see the response from the server.
Verify outgoing traffic on port 514 using:
diagnose sniffer packet any "port 514" 4 0 l
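One way to read the resulting capture, as an added example that is not part of the original article or of Fortinet's tooling: a Python script that pairs each outgoing SYN to port 514 with the server's reply, per egress interface. The sniffer line layout and all addresses in the sample are constructed assumptions.

```python
import re

# Constructed sample of `diagnose sniffer packet any "port 514" 4 0 l` output.
# The line layout (timestamp, interface, direction, src.port -> dst.port: flags)
# is assumed; addresses are documentation ranges, not real FortiCloud servers.
SAMPLE = """\
2024-05-01 10:00:01.100000 wan1 out 192.0.2.10.14522 -> 198.51.100.20.514: syn 1111111111
2024-05-01 10:00:01.150000 wan1 in 198.51.100.20.514 -> 192.0.2.10.14522: syn 2222222222 ack 1111111112
2024-05-01 10:00:01.151000 wan1 out 192.0.2.10.14522 -> 198.51.100.20.514: ack 2222222223
2024-05-01 10:00:05.000000 wan2 out 192.0.2.77.20311 -> 198.51.100.20.514: syn 3333333333
2024-05-01 10:00:08.000000 wan2 out 192.0.2.77.20311 -> 198.51.100.20.514: syn 3333333333
2024-05-01 10:00:09.000000 wan1 out 192.0.2.10.14600 -> 198.51.100.30.514: syn 4444444444
2024-05-01 10:00:09.040000 wan1 in 198.51.100.30.514 -> 192.0.2.10.14600: rst 0 ack 4444444445
"""

LINE = re.compile(
    r"^\S+ \S+ (?P<ifc>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>.*)$"
)

def classify(capture, port=514):
    """Map (egress interface, local ip:port, server ip) to a verdict."""
    flows = {}
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip banners, filters and blank lines
        flags = {t for t in m["flags"].split() if t.isalpha()}
        if m["dir"] == "out" and int(m["dport"]) == port and flags == {"syn"}:
            # First SYN opens the flow; retransmitted SYNs leave it unchanged.
            key = (m["src"], m["sport"], m["dst"])
            flows.setdefault(key, [m["ifc"], "no-response"])
        elif m["dir"] == "in" and int(m["sport"]) == port:
            flow = flows.get((m["dst"], m["dport"], m["src"]))
            if flow and flow[1] == "no-response":
                if "rst" in flags:
                    flow[1] = "reset"        # server or a middlebox refused
                elif {"syn", "ack"} <= flags:
                    flow[1] = "answered"     # handshake reply received
    return {(ifc, f"{ip}:{sp}", srv): verdict
            for (ip, sp, srv), (ifc, verdict) in flows.items()}

if __name__ == "__main__":
    for flow, verdict in classify(SAMPLE).items():
        print(flow, verdict)
```

A flow left at `no-response` on one interface while another interface gets `answered` points at the egress interface or source IP, which is what the next steps adjust.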
If there is no response, try changing the outgoing interface with the following commands.
config log fortiguard setting
set interface-select-method
auto === Set outgoing interface automatically.
sdwan === Set outgoing interface by SD-WAN or policy routing rules.
specify === Set outgoing interface manually.
Verify, and remove, the source IP in the FortiGuard configuration:
config log fortiguard setting
set source-ip x.x.x.x
set interface-select-method specify -----> This means that it is manually configured.
set interface "wan1"
Instead, do the following:
config log fortiguard setting
unset interface-select-method
This should restore the default settings.
Note:
If the Forward Traffic log is not seen on FortiCloud, make sure Log Allowed Traffic is set to 'All sessions' instead of 'Security Events' in the firewall policy configuration. An empty Forward Traffic log will also result in an empty FortiView dashboard when data is retrieved from FortiCloud.