bcastano
Staff
Article Id 333891
Description

 

This article describes the starting steps to follow when FortiGate Logs cannot be seen in the FortiCloud account.

 

Scope

 

FortiGate.

 

Solution

 

Troubleshooting.

 

First, enable logging to FortiCloud.

 

  1. Go to Security Fabric -> Fabric Connectors and select the Logging & Analytics card -> Edit.

  2. On the Cloud Logging tab, set Type to FortiGate Cloud.

  3. Select an upload option:
    • Real Time: logs are sent to the cloud device in real time.
    • Every Minute: logs are sent to the cloud device once every minute.
    • Every 5 Minutes: logs are sent to the cloud device once every five minutes (default).
  4. Select OK.

Confirm communication between FortiGate and FortiCloud:

 

execute ping logctrl1.fortinet.com
PING logctrl1.fortinet.com 

 

If logging is enabled and there is a connection to FortiCloud, check the region. Having the FortiGate and FortiCloud in different regions can sometimes lead to this type of issue, so ensure both are in the same region.

 

Check whether anycast is enabled under config system fortiguard. If it is enabled, try disabling it as follows:

 

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
end

 

diagnose debug application update -1
diagnose debug enable
execute update-now

 

Verify the FortiGuard servers using the following command:

 

diagnose debug rating

 

Log out of the FortiCloud account, restart the processes below, and log in again:

 

fnsysctl killall ipsengine

fnsysctl killall forticldd

fnsysctl killall miglogd

 

Check again whether the logs are still not being forwarded to FortiCloud.

Use the following command to check the Home log server IP.

 

FortiOS 7.2.3 and below:

 

diagnose test application miglogd 20

 

FortiOS 7.2.4 and above:

 

diagnose test application fgtlogd 20

 

Once the server IP is known, establish a telnet connection to it on port 514 and run the packet sniffer to see the response from the server.
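
An added example, not part of the original article: a small Python helper that reads saved sniffer output for the port 514 test and reports whether the log server answered and which interface the attempt left on. The line format assumed is FortiOS sniffer verbosity 4, and the IP addresses, interface names and capture lines are constructed placeholders.

```python
import re

# Assumed line shape (FortiOS sniffer, verbosity 4):
#   <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp flags>
LINE = re.compile(
    r"^\s*\d+\.\d+\s+(?P<iface>\S+)\s+(?:in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>\S.*)$"
)

def classify(capture, server_ip, port=514):
    """Return (verdict, egress interfaces) for the TCP test to server_ip:port."""
    egress, syn_sent, answer = set(), False, None
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # sniffer header lines and anything unparsable
        flags = m["flags"].split()
        if m["dst"] == server_ip and int(m["dport"]) == port:
            if flags[0] == "syn" and "ack" not in flags:
                syn_sent = True
                egress.add(m["iface"])  # interface the SYN left on
        elif m["src"] == server_ip and int(m["sport"]) == port:
            if flags[0] == "syn" and "ack" in flags:
                answer = "connected"    # SYN/ACK: server is reachable
            elif flags[0] == "rst" and answer is None:
                answer = "reset"        # reachable, but connection refused
    if answer is None:
        answer = "no-response" if syn_sent else "no-attempt"
    return answer, sorted(egress)

# Constructed captures; 203.0.113.10 stands in for the Home log server IP.
NO_REPLY = """\
interfaces=[any]
filters=[host 203.0.113.10 and port 514]
1.102345 wan2 out 192.0.2.2.10514 -> 203.0.113.10.514: syn 1804289383
4.102411 wan2 out 192.0.2.2.10514 -> 203.0.113.10.514: syn 1804289383
"""
REPLY = """\
1.102345 wan1 out 192.0.2.2.10514 -> 203.0.113.10.514: syn 1804289383
1.141002 wan1 in 203.0.113.10.514 -> 192.0.2.2.10514: syn 846930886 ack 1804289384
1.141050 wan1 out 192.0.2.2.10514 -> 203.0.113.10.514: ack 846930887
"""

if __name__ == "__main__":
    print(classify(NO_REPLY, "203.0.113.10"))  # SYNs on wan2, nothing back
    print(classify(REPLY, "203.0.113.10"))     # handshake completes on wan1
```

A "no-response" verdict together with the interface list shows which egress the unanswered attempt used.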

 

If there is no response, try changing the outgoing interface with the following commands:

 

config log fortiguard setting
    set interface-select-method {auto | sdwan | specify}
end

auto === Set outgoing interface automatically.
sdwan === Set outgoing interface by SD-WAN or policy routing rules.
specify === Set outgoing interface manually.


Check the source IP in the FortiGuard log configuration and remove the manual settings. A manually configured example:


config log fortiguard setting
    set source-ip x.x.x.x 
    set interface-select-method specify -----> This means that it is manually configured.
    set interface "wan1" 

 

Instead, do the following:

 

config log fortiguard setting
    unset interface-select-method
end

 

This should bring back the default settings.

 

Related document:

Sending logs to FortiCloud - Fortinet Community