Hi all, my situation is the following: I need to collect web activity logs from all of my users regardless of whether they are in the office, or at home connected to the VPN, or at home not connected to the VPN.
All of my users are Active Directory users
All devices have the FortiClient installed & are registered to my EMS server
My EMS Server has a public facing IP Address
If I go to my FortiAnalyzer, I only seem to have web activity logs for users when they are in the office, or when they are at home connected to the VPN.
Is there a way to get the web activity logs when they're at home but not connected to the VPN? I thought that because they have the FortiClient, the FCT would collect the web activity logs, pass them to the EMS server via the public IP address, then the EMS would pass them to the FortiAnalyzer, but this doesn't seem to be the case?
Been in talks with both FAZ & EMS support. EMS support believe that the FAZ needs to have a public IP address.
I was under the impression that the FCT would forward all logs to the EMS (which does have a public IP) then the EMS could forward the logs to the FAZ internally on the LAN. Apparently, this isn't how it works. The FCT will send directly to the FAZ.
I've created a policy using port 514 for the FAZ to be public facing & modified the EMS profile to use the external rather than internal IP of the FAZ.
No idea if this will work, will leave it 24hrs to test.
I'm not sure setting anything in FortiGate policies would help in the case of FortiClient (not FortiGate) logging web activity and reporting this directly to FortiGate, no matter if the FortiClient is on-net or not.
Regarding Matthew's setup:
- I don't know your support tickets, so I may just be repeating what other colleagues have already suggested, but I would proceed something like this:
-> verify FortiClient profile (is logging enabled, is upload to FortiAnalyzer enabled)
-> verify that FortiClient is actually generating logs (try to download the local logs, check them to see if they are generated)
-> verify that FortiAnalyzer is reachable on port 514 from the FortiClient
-> verify that FortiClient is trying to reach FortiAnalyzer (packet captures for example)
-> verify that FortiAnalyzer has an EMS ADOM (or a Fabric ADOM) that the clients should log to
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
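The reachability step in the checklist above can be run from an off-net endpoint with a short probe. This is an added example, not part of any post in the thread or Fortinet tooling; it assumes the log upload uses TCP on the port 514 mentioned in the thread, and the script name and status labels are made up for illustration.

```python
import socket
import sys

FAZ_PORT = 514  # port named in the thread; TCP transport is an assumption

# What each outcome suggests about the path from the endpoint to the FortiAnalyzer.
HINTS = {
    "open": "TCP handshake completed; the port is reachable from this network.",
    "refused": "Host answered with a reset; address is reachable but nothing accepts on this port.",
    "filtered": "No answer before the timeout; a firewall or missing forwarding rule is likely dropping it.",
    "unreachable": "The local stack or a router reported no route to the address.",
    "dns_failure": "The name configured in the profile does not resolve from this network.",
}


def probe(host, port=FAZ_PORT, timeout=5.0):
    """Attempt one TCP connection and return (status, detail)."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError) as exc:
        return "dns_failure", str(exc)
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
        except socket.timeout:
            return "filtered", f"no reply from {addr[0]} within {timeout}s"
        except ConnectionRefusedError:
            return "refused", f"{addr[0]} reset the connection"
        except OSError as exc:
            return "unreachable", str(exc)
    return "open", f"connected to {addr[0]}:{port}"


if __name__ == "__main__":
    # Usage: python faz_probe.py <FAZ address from the EMS profile>
    if len(sys.argv) != 2:
        sys.exit("usage: faz_probe.py <faz-host-or-ip>")
    status, detail = probe(sys.argv[1])
    print(f"{status}: {detail}")
    print(HINTS[status])
    sys.exit(0 if status == "open" else 1)
```

An "open" result only shows that the TCP path works; whether FortiClient actually uploads logs still needs the profile, local log and packet capture checks from the list.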