FortiGate 500E V7.2.3 not sending Logs to FortiGate Cloud

SpankyDevil · ‎01-12-2023

Just updated to Version 7.2.3 from FGT_500E-v6-build1319.

When i go to look at any logs on the Fortigate, if I select from Memory (Now) they show up but if I select 5mins or longer (FortiGate Cloud) there are no logs.

Under Log Settings, I can see Connection Status is connected.

When I look at FortiGate Cloud I see no logs when I select the option Last 60 mins, If i select 24 Hours it shows the logs from before the firmware upgrade.

akristof · ‎01-12-2023

Hello,

Check these outputs:

diag test app forticldd 2

diag test app forticldd 3

diag test application miglogd 1

diag test application miglogd 3

diag test application miglogd 4

Adrian

SpankyDevil · ‎01-12-2023

Hi Adrian, Please see below results

FG5H0E3917900844 # diag test app forticldd 2
Server: log-controller, task=0/10, watchdog is off
Domain name: globallogctrl.fortinet.net
Address of log-controller: 1
173.243.132.25:443
Source IP: 0.0.0.0
Source IP6: [::]
Statistics: total=23, discarded=0, sent=23, last_updated=9328 secs ago
http connection: is not in progress
Current address: 173.243.132.25:443
Source IP: 0.0.0.0:0
Calls: connect=115, rxtx=69
Current tasks number: 0
Account: name=chris@mobileitpro.co.nz, status=200, type=basic
Current volume: 0B
Current tasks number: 0
Update timer fires in 85391 secs
Daily volume reset timer fires in 1708 secs

FG5H0E3917900844 # diag test app forticldd 3
Debug zone info:
FAZCLOUD:
Domain:GLOBAL
Home log server: 173.243.132.37:514
Alt log server: 173.243.132.33:514
Active Server IP: 173.243.132.37
Active Server status: down
Log quota: 500000000MB
Log used: 10824MB
Daily volume: 1000000MB
fams archive pause: 0
APTContract : 1
APT server: 184.94.112.51:514
APT Altserver: 184.94.112.53:514
Active APTServer IP: 184.94.112.51
Active APTServer status: up

FG5H0E3917900844 # diag test application miglogd 1
have_disk=0, vdom-admin=0
icsa_comp=0, confsync=0
mgmt=root

Global memory setting:
maxsize=168272240, full_first_warning=75, full_second_warning=90
full_final_warning=95

FG5H0E3917900844 # diag test application miglogd 3
fgtdev_buf_sz = 524288.

FG5H0E3917900844 # diag test application miglogd 4
info for vdom: root
memory
traffic: logs=847187 len=616954703, Sun=0 Mon=0 Tue=0 Wed=0 Thu=847187 Fri=0 Sat=0
event: logs=1929 len=1048195, Sun=0 Mon=0 Tue=0 Wed=0 Thu=1929 Fri=0 Sat=0
webfilter: logs=2 len=658, Sun=0 Mon=0 Tue=0 Wed=0 Thu=2 Fri=0 Sat=0
emailfilter: logs=11 len=10331, Sun=0 Mon=0 Tue=0 Wed=0 Thu=11 Fri=0 Sat=0
app-ctrl: logs=98786 len=69031511, Sun=0 Mon=0 Tue=0 Wed=0 Thu=98786 Fri=0 Sat=0
waf: logs=4384 len=3698807, Sun=0 Mon=0 Tue=0 Wed=0 Thu=4384 Fri=0 Sat=0
dns: logs=112 len=74293, Sun=0 Mon=0 Tue=0 Wed=0 Thu=112 Fri=0 Sat=0
ssl: logs=2427 len=1712153, Sun=0 Mon=0 Tue=0 Wed=0 Thu=2427 Fri=0 Sat=0

FG5H0E3917900844 #

SpankyDevil · ‎01-12-2023

Just ran the commands again and this time it shows connected

FG5H0E3917900844 # diag test app forticldd 2
Server: log-controller, task=0/10, watchdog fires in 40 secs
Domain name: globallogctrl.fortinet.net
Address of log-controller: 1
173.243.132.25:443
Source IP: 0.0.0.0
Source IP6: [::]
Statistics: total=27, discarded=0, sent=27, last_updated=10600 secs ago
http connection: is not in progress
Current address: 173.243.132.25:443
Source IP: 0.0.0.0:0
Calls: connect=135, rxtx=81
Current tasks number: 0
Account: name=chris@mobileitpro.co.nz, status=200, type=basic
Current volume: 0B
Current tasks number: 0
Update timer fires in 86383 secs
Daily volume reset timer fires in 436 secs

FG5H0E3917900844 # diag test app forticldd 3
Debug zone info:
FAZCLOUD:
Domain:GLOBAL
Home log server: 173.243.132.37:514
Alt log server: 173.243.132.33:514
Active Server IP: 173.243.132.33
Active Server status: up
Log quota: 500000000MB
Log used: 10824MB
Daily volume: 1000000MB
fams archive pause: 0
APTContract : 1
APT server: 184.94.112.51:514
APT Altserver: 184.94.112.53:514
Active APTServer IP: 184.94.112.51
Active APTServer status: up

FG5H0E3917900844 # diag test application miglogd 1
have_disk=0, vdom-admin=0
icsa_comp=0, confsync=0
mgmt=root

Global memory setting:
maxsize=168272240, full_first_warning=75, full_second_warning=90
full_final_warning=95

FG5H0E3917900844 # diag test application miglogd 3
fgtdev_buf_sz = 524288.

FG5H0E3917900844 # diag test application miglogd 4
info for vdom: root
memory
traffic: logs=916482 len=666863022, Sun=0 Mon=0 Tue=0 Wed=0 Thu=916482 Fri=0 Sat=0
event: logs=2111 len=1147902, Sun=0 Mon=0 Tue=0 Wed=0 Thu=2111 Fri=0 Sat=0
webfilter: logs=2 len=658, Sun=0 Mon=0 Tue=0 Wed=0 Thu=2 Fri=0 Sat=0
emailfilter: logs=12 len=11312, Sun=0 Mon=0 Tue=0 Wed=0 Thu=12 Fri=0 Sat=0
app-ctrl: logs=100782 len=70423154, Sun=0 Mon=0 Tue=0 Wed=0 Thu=100782 Fri=0 Sat=0
waf: logs=4385 len=3699757, Sun=0 Mon=0 Tue=0 Wed=0 Thu=4385 Fri=0 Sat=0
dns: logs=112 len=74293, Sun=0 Mon=0 Tue=0 Wed=0 Thu=112 Fri=0 Sat=0
ssl: logs=2702 len=1901663, Sun=0 Mon=0 Tue=0 Wed=0 Thu=2702 Fri=0 Sat=0

FG5H0E3917900844 #

akristof · ‎01-12-2023

Hello,

Can you share with me output from "show system fortiguard"?

Adrian

SpankyDevil · ‎01-12-2023

FG5H0E3917900844 # show system fortiguard
config system fortiguard
set auto-join-forticloud disable
set sandbox-region "Global"
end

FG5H0E3917900844 #

akristof · ‎01-12-2023

Thanks. That looks good. I would just kill forticldd process and see if it will work after:

#fnsysctl ps - look for pid of forticldd process

#diag sys kill 11 <pid>

And then check if the logs will be sent (wait at least 5-10 minutes if they will be shown in forticloud)

Adrian

SpankyDevil · ‎01-12-2023

No change, still no logs.

I had also tried a reboot eariler before creating this post.

SpankyDevil · ‎01-12-2023

Under log settings it sometimes shows connected and sometimes unreachable when it says unreachable if i click test it instantly flashes and still says unreachable.

akristof · ‎01-13-2023

Hi, do you use sdwan? Can you show me how your default looks like?

get router info routing-table all (default route should be enough)

Adrian