matthewleealtecnic
New Contributor

Web Activity Logs

Hi all, my situation is the following: I need to collect web activity logs from all of my users regardless of whether they are in the office, at home connected to the VPN, or at home not connected to the VPN.

  • All of my users are Active Directory users
  • All devices have the FortiClient Installed & are registered to my EMS server
  • My EMS Server has a public facing IP Address

If I go to my FortiAnalyzer, I only seem to have web activity logs for users when they are in the office, or when they are at home connected to the VPN.

Is there a way to get the web activity logs when they're at home but not connected to the VPN? I thought that because they have the FortiClient, the FCT would collect the web activity logs, pass them to the EMS server via the public IP address, then the EMS would pass them to the FortiAnalyzer, but this doesn't seem to be the case?

Thanks in advance!

8 REPLIES
moseiz
New Contributor II

Have the exact same problem. Have tried to change the web filter profile setting but nothing works. FortiClient 7.0.5 and EMS 7.0.4. Did you get any solution?

matthewleealtecnic

Been in talks with both FAZ & EMS support. EMS support believe that the FAZ needs to have a public IP address.

I was under the impression that the FCT would forward all logs to the EMS (which does have a public IP) then the EMS could forward the logs to the FAZ internally on the LAN. Apparently, this isn't how it works. The FCT will send directly to the FAZ.

I've created a policy using port 514 for the FAZ to be public facing & modified the EMS profile to use the external rather than internal IP of the FAZ.

No idea if this will work, will leave it 24hrs to test.

moseiz
New Contributor II

Did the setup work? Are web filter logs now available?

matthewleealtecnic

Nope, still not working. Fortinet are bouncing me between the FAZ & EMS/FCT Team, neither seems to fully understand how to get this working, which is bemusing as it seems such a simple request.

seshuganesh
Staff

Hi Team,

Please confirm if you have enabled web filtering under the concerned SSL VPN policy of the FortiGate.

Also, if you scroll down to the bottom, you can see two options for logging, "all sessions and UTM session"; please select all sessions.

Please keep us posted

Debbie_FTNT

I'm not sure setting anything in FortiGate policies would help in the case of FortiClient (not FortiGate) logging web activity and reporting this directly to FortiGate, no matter if the FortiClient is on-net or not.

Regarding Matthew's setup:
- I don't know your support tickets, so I may just be repeating what other colleagues have already suggested, but I would proceed something like this:
-> verify FortiClient profile (is logging enabled, is upload to FortiAnalyzer enabled)

-> verify that FortiClient is actually generating logs (try to download the local logs, check them to see if they are generated)

-> verify that FortiAnalyzer is reachable on port 514 from the FortiClient

-> verify that FortiClient is trying to reach FortiAnalyzer (packet captures for example)

-> verify that FortiAnalyzer has an EMS ADOM (or a Fabric ADOM) that the clients should log to

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
matthewleealtecnic

I'm now being told that this is a known bug - Bug ID #0799062. Fix is due in 7.0.6, not sure when this is due for release though.

Debbie_FTNT

Hey Matthew,

FortiClient 7.0.6 is currently looking to be released around end of June/beginning of July, but there is no fixed date as yet, so this could be subject to change.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++