Fortinet Forum
yuno
New Contributor

Trial licence limitations for sending logs from Fortigate to FortiAnalyzer?

Hi all

TL;DR

Does anyone know if the Fortigate trial licence limitations on encryption/decryption (which for example prevent the use of HTTPS) also prevent the SSL connections from Fortigate to FortiAnalyzer for the purposes of sending logs (via oftpd)?

I was trying to test sending logs from a Fortigate VM (firmware 6.4) to FortiAnalyzer VM (firmware 6.4) but I just get "No connection" and if you hover the cursor over that you get "Error occurred:{0}".  The goal is to test forwarding logs from the FortiAnalyzer to a third device but I can't get this far as the Fortigate won't send the logs to the FortiAnalyzer.  A reddit post (www.reddit.com/r/...er_trial_ssl_error_3/) suggested this is probably a trial licence limitation but it would be good to confirm it here if possible.

If anyone has found something similar please let me know.

Thanks

Testing steps:

I've made sure to check the compatibility matrix and the FGT and FAZ are compatible.  The Fortigate device is added as a device in the FortiAnalyzer.  I can test connectivity between the two using ping successfully.

I found various posts online with suggestions to make it work by allowing weaker encryption but none worked in this case e.g. (forum.fortinet.com/tm.aspx?m=140479)

FGT:

conf log fortianalyzer setting
    set enc-algorithm low
    set reliable enable

FAZ:

conf global setting
    set enc-algorithm low

FGT:

exec log fortianalyzer test-connectivity

Failed to get FAZ's status.  Connection failed.  Connection refused(-1)
Failed to get FAZ's status.  SSL error. (-3).

FAZ - enabling debug logging for the oftpd app on the Fortianalyzer showed the following error (as in kb.fortinet.com/k...do?externalID=FD41272):

[oftpd_handle_session] oftp_recv_packet failed: SSL setup failure.
Client connection closed.  Reason 14(SSL setup failure)

Also I read the following, but it seems that these conditions were met during testing:

- >6.2 FAZ will only process encrypted logs from Fortinet devices.
- FAZ encryption level MUST be equal to or less than the FGT's encryption level.

Trial licences are in use on both the Fortigate and the FortiAnalyzer.

localhost
Contributor III

I don't know about FortiAnalyzer.

But Fortigates only have very limited encryption support for Web management, IPSEC Tunnels, SSLVPN, SSL inspection, etc.

So this will be probably the same for your FortiAnalyzer connections.

Can you give this a try?

On your Fortigate:

config log fortianalyzer setting
    set reliable disable

yuno
New Contributor

Hi, thanks for the reply.

I used that setting on the Fortigate but unfortunately there was no change to the connection status.

localhost
Contributor III

Hi

This works for me with FortiAnalyzer-VM64 v6.2.3 and FortiGate-VM64 v6.2.3 running unregistered trial versions:

FAZ config:

config system global
    set enc-algorithm low
    set log-forward-cache-size 4
    set oftp-ssl-protocol sslv3
    set usg enable
end

Fortigate config:

config log fortianalyzer setting
    set status enable
    set server "10.1.2.100"
    set certificate-verification disable
    set serial "FAZ-VM0000000001"
    set ssl-min-proto-version SSLv3
    set upload-option realtime
end

Successful FortiAnalyzer connectivity is not visible in the GUI. But it's transferring logs and the CLI command shows a successful connection:

FortiGate-VM64 # execute log fortianalyzer test-connectivity 

FortiAnalyzer Host Name: FAZVM64
FortiAnalyzer Adom Name: root
FortiGate Device ID: FGVMEVFV6YKXEGEB
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 704512B/53687091200B
Analytics Usage (Used/Allocated): 671744B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 0/60 Days
Archive Usage (Used/Allocated): 32768B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 365/365 Days
Log: Tx & Rx (5 logs received since 10:46:07 05/02/20)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
Certificate of Fortianalyzer valid and serial number is:FAZ-VM0000000001

After entering the CLI commands, just go to Security Fabric -> Settings and re-apply the settings.

Then you should be able to change the log location to FortiAnalyzer in the 'Log & Report' view as well.
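As an added example (not from this thread or from Fortinet), the following Python check parses output in the shape of the `execute log fortianalyzer test-connectivity` command shown above and distinguishes a healthy connection (registered, allowed, certificate serial matching the configured `set serial`) from the two failure codes reported in the question. The sample outputs, the meaning assigned to codes -1 and -3, and the function names are assumptions constructed from this thread.

```python
import re

# Constructed samples in the shape of `execute log fortianalyzer test-connectivity`
# on a FortiGate: values copied from the posts above, not captured from a live device.
SAMPLE_OK = """\
FortiGate Device ID: FGVMEVFV6YKXEGEB
Registration: registered
Connection: allow
Log: Tx & Rx (5 logs received since 10:46:07 05/02/20)
Certificate of Fortianalyzer valid and serial number is:FAZ-VM0000000001
"""
SAMPLE_FAIL = """\
Failed to get FAZ's status.  Connection failed.  Connection refused(-1)
Failed to get FAZ's status.  SSL error. (-3).
"""
SERIAL_KEY = "Certificate of Fortianalyzer valid and serial number is"
# Meaning of the two codes seen in this thread (assumed from the posts, not a vendor table).
FAILURE_CODES = {
    "-1": "TCP connection refused: FAZ unreachable or oftpd not listening",
    "-3": "SSL setup failure: protocol/cipher mismatch or trial licence limit",
}

def parse_test_connectivity(output):
    """Split the CLI output into 'key: value' fields and a list of (code, text) failures."""
    fields, failures = {}, []
    for line in output.splitlines():
        m = re.match(r"Failed to get FAZ's status\.\s+(.*?)\s*\((-?\d+)\)", line)
        if m:
            failures.append((m.group(2), m.group(1).rstrip(".")))
            continue
        key, sep, value = line.partition(":")  # first colon only; values may contain ':'
        if sep:
            fields[key.strip()] = value.strip()
    return fields, failures

def check_connectivity(output, expected_serial):
    """Return (ok, problems): ok only if registered, allowed and the cert serial matches."""
    fields, failures = parse_test_connectivity(output)
    problems = [f"{text} [{code}]: {FAILURE_CODES.get(code, 'unknown code')}"
                for code, text in failures]
    if not failures:
        if fields.get("Registration") != "registered":
            problems.append("FortiGate is not registered on the FortiAnalyzer")
        if fields.get("Connection") != "allow":
            problems.append("FortiAnalyzer is not allowing the connection")
        if fields.get(SERIAL_KEY) != expected_serial:
            problems.append(f"certificate serial {fields.get(SERIAL_KEY)!r} "
                            f"does not match configured serial {expected_serial!r}")
    return not problems, problems
```

Feeding the real command output and the serial from `config log fortianalyzer setting` into `check_connectivity` gives a yes/no answer plus the reason, which is easier to alert on than reading the GUI, which this post notes does not show the connection at all.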

yuno
New Contributor

Hi, thank you

I applied the settings on my 6.4 firmware FGT/FAZ devices as you detailed above but unfortunately they did not allow the two devices to communicate.  The GUI still showed 'No Connectivity' and on CLI the output from 'exec log fortianalyzer test-connectivity' was still:

Failed to get FAZ's status.  Connection failed.  Connection refused(-1)
Failed to get FAZ's status.  SSL error. (-3).

Following your post though I have downloaded a Fortigate and Fortianalyzer VM for firmware version 6.2.3, deployed these VMs, applied the Fortigate config log fortianalyzer settings and FortiAnalyzer system global settings as in your post, and I have been able to successfully send the logs from the Fortigate to the FortiAnalyzer.

Thanks again

georgemilev
New Contributor

Hello,

I am facing the same issue, but there is no assistance here...

Yurisk
Valued Contributor

Tried it on 6.4.4 - worked, tried 6.4.5 - didn't, go figure; in the end asked for an evaluation license and all worked.

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.

All opinions are mine only.
miraching

For VMs (FAZ & FG) do this

@ FAZ

config system global
    set log-forward-cache-size 4
    set oftp-ssl-protocol sslv3
end

@ FG

config log fortianalyzer setting
    set serial "FAZ-VM0000000001"
    set ssl-min-proto-version SSLv3
end

wait for a min or two then issue

execute log fortianalyzer test-connectivity

georgemilev

miraching wrote:

For VMs (FAZ & FG) do this

@ FAZ

config system global
    set log-forward-cache-size 4
    set oftp-ssl-protocol sslv3
end

@ FG

config log fortianalyzer setting
    set serial "FAZ-VM0000000001"
    set ssl-min-proto-version SSLv3
end

wait for a min or two then issue

execute log fortianalyzer test-connectivity

still not working on 6.4....

georgemilev

Yurisk wrote:

Tried it on 6.4.4 - worked, tried 6.4.5 - didn't, go figure; in the end asked for an evaluation license and all worked.

Would you please advise which are the exact commands you have executed and how did you accept the eval license? Thanks.