Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FortiTowel
New Contributor

EMS-Server logview FCT WF Events on EMS-Server GUI

Hi @ all,

 

we have a Customer running FortiClients on their Endpoints and using an EMS-Server (v7.2.4 build 0983),

in the GUI section, Administration > Log Viewer, i can only see EMS-Server generated Events,

LDAP queries, admin logon Events, Settings updated etc., but no "on Endpoint x generated FCT Logs", like Security Events, FCT Web Filter block events as example.

 

Correct me please if i wanna see this events "FCT WebFilter" i have to go GUI: Endpoints > all Endpoints > search for Endpoint which got issues > execute >Action request FortiClient Logs, then search in the fclog.dat for the related log?

 

I was wondering because in the GUI Section Quarantine Managment > Files, in this Tab are Files and Endpoint listed, so the FortiClient forward this information via FortiTelemetry to the EMS-Server, triggered by scheduled AV-Scan or may on-prem Scan.

So is there the possibility to see this FCT-WF "Block" Events without the need of this Steps:

 

GUI: Endpoints > all Endpoints > search for Endpoint which got issues > execute >Action request FortiClient Logs

 

Thanks

me and my other selves <3 Fortinet

 

 

1 Solution
ozkanaltas
Valued Contributor III

Hello @FortiTowel ,

 

I think, if you use the Security Fabric Adom type on FortiAnalyzer, you don't need to create a new Adom. It depends on your configuration. But I can be wrong. First, you can try without creating adom if it not working that way you can create a new adom for FortiClient.

 

As far as I know, you can't achieve this with security fabric. You need to create a firewall policy so clients can able to send their logs to FortiAnalyzer.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

View solution in original post

If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
3 REPLIES 3
ozkanaltas
Valued Contributor III

Hello @FortiTowel ,

 

If you have a FortiAnalyzer, you can send client logs to FortiAnalyzer. Otherwise, there is no option on EMS, every time you need to follow the path as you said.

 

You can review this document about how to integrate FortiClient and FortiAnalyzer for web filter logs.

 

https://community.fortinet.com/t5/FortiClient/Technical-Tip-Instructions-for-transmitting-FortiClien...

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
FortiTowel
New Contributor

Hello Mr. Ozkanalatas,

 

wow that was super fast Answer.

Okay so i have to realize it with ADOMs, okay.

 

Yeah the Customer has a FAZ and multiple FGT, running Forti-Sec-Fabric,

 

Hmm do i realy need seperate ADOMs, like in the Link you shared with me,

is there no option do it via Fabric, because, so i need to create on FGT, FW-Policy, in all Policies, where are FCT-Endpoints Integrated,  FCT-integrated-Subnet > FAZ Subnet Port 514 Service FortiTelemetry allow?

 

Thank you, wish you a nice day!

 

ozkanaltas
Valued Contributor III

Hello @FortiTowel ,

 

I think, if you use the Security Fabric Adom type on FortiAnalyzer, you don't need to create a new Adom. It depends on your configuration. But I can be wrong. First, you can try without creating adom if it not working that way you can create a new adom for FortiClient.

 

As far as I know, you can't achieve this with security fabric. You need to create a firewall policy so clients can able to send their logs to FortiAnalyzer.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors