ForgetItNet
Contributor

Option to encrypt logs to Fortianalyzer not available

Hi all,

I've taken over a site a while ago and thought I'd take a look at the logs being sent from the routers at our remote site to our Fortianalyzer at our office and noticed that there are 5 routers showing a green lock indicating that the logs are encrypted but 9 showing a red dot which are not encrypted.

I've read the guide and found you are supposed to go to Log Settings and then in the Remote section enable Encryption, but I don't have the Encryption option on here?

I've checked another router that DOES send the logs encrypted to the Fortianalyzer but this also doesn't have the encryption option.

These are a mixture of 60E, 60F and 40F routers but some of the encrypted ones are the same model as the non-encrypted.

The only difference I can see is that the routers that DO show as encrypted show their internal LAN IP address in the IP address column and the ones that aren't encrypted show their Site to Site BGP address, but again I can't find any option to change this?

Any help would be great.

Thanks

dbhavsar
Staff

Hello @ForgetItNet,

You can check the settings from the CLI using the commands below:
config log fortianalyzer setting

sh full | grep enc

Based on the above, you can change to the values below:
set enc-algorithm high-medium | high | low

DNB
ForgetItNet
Contributor

Thanks, these all show as set enc-algorithm high? So I'm guessing that means they're on? I've also just realised that one of the ones that are showing as NOT being encrypted shows the LAN IP and not the BGP IP, so I think that might not be relevant.

Debbie_FTNT

Hey ForgetItNet,

The red dot usually means that there was no recent log activity, so FortiAnalyzer would consider the connection down. I assume the green lock (for encrypted connection) is paired with a green dot as well?
If you hover your mouse over the red dot, it might give a bit more info in a tooltip.

In addition, you can do a packet capture on FortiAnalyzer (or the affected FortiGates) for TCP port 514, which is used for sending logs to FortiAnalyzer, and see if there are any cleartext log messages visible.

-> dia sniff packet any 'host <FAZ IP> and tcp port 514' 3 1000 a
-> this should dump the packet bytes as well, and if you can read text in them like log level, or see visible IPs or things like that, then logs are sent unencrypted. By default, the connection should be encrypted, however, and if you check 'show log fortianalyzer setting' in the FortiGates and there is nothing visible about encryption, default values are in place and the connection is in fact encrypted.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
ForgetItNet

So I can see traffic coming from the unencrypted routers to the FAZ (or at least coming through the router at our office TO the FAZ) and I can read it all... I can't see anything in the capture to make me think it's encrypted?

Debbie_FTNT

Hey ForgetItNet,

If you can read actual snippets (like the string 'log' or 'severity' or similar), that would indicate currently logs are NOT encrypted, in which case please do the following in the FortiGates:


#config log fortianalyzer setting

#show full

-> check what encryption settings there are and enable them as desired:
#set enc-algorithm high

#set ssl-min-proto-version <default | tlsv1-2>

-> default means system global settings are applied

#end

 

If you're logging in individual VDOMs, please make those settings there, and if you log to more than one FortiAnalyzer, please also ensure the settings are made for any second/third FortiAnalyzer you may have configured.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
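The capture check described in the replies above (readable log text on TCP port 514 means cleartext, otherwise expect TLS) can be automated once the TCP payload bytes have been extracted from the capture. This is an added example, not code from any poster or from Fortinet; the field names in the pattern, the thresholds and the sample payloads are assumptions constructed for illustration.

```python
import re
import string

# TLS record types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
PRINTABLE = set(string.printable.encode())
# Assumed signs of a readable log line: key=value fields and IPv4 addresses.
KEY_VALUE = re.compile(rb'\b(?:logid|level|severity|type|srcip|dstip|devname)="?[\w.\-]+')
IPV4 = re.compile(rb'\b(?:\d{1,3}\.){3}\d{1,3}\b')

def looks_like_tls_record(payload: bytes) -> bool:
    """True if the payload starts with a plausible 5-byte TLS record header."""
    if len(payload) < 5:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return (content_type in TLS_CONTENT_TYPES and major == 3
            and minor <= 4 and 0 < length <= 16384 + 2048)

def classify_payload(payload: bytes) -> str:
    """Label one TCP payload as 'tls', 'cleartext-log', 'unknown' or 'empty'."""
    if not payload:
        return "empty"  # bare ACKs carry no data and prove nothing
    if looks_like_tls_record(payload):
        return "tls"
    printable = sum(b in PRINTABLE for b in payload) / len(payload)
    hits = len(KEY_VALUE.findall(payload)) + len(IPV4.findall(payload))
    # Mostly printable bytes plus at least two log-like tokens: readable on the wire.
    if printable >= 0.85 and hits >= 2:
        return "cleartext-log"
    return "unknown"  # binary but not TLS-framed, e.g. a mid-record segment

def summarize(payloads) -> dict:
    """Count classifications across all payloads seen from one device."""
    counts = {"tls": 0, "cleartext-log": 0, "unknown": 0, "empty": 0}
    for p in payloads:
        counts[classify_payload(p)] += 1
    return counts

# Constructed sample payloads (not taken from a real capture).
SAMPLE_CLEAR = (b'date=2024-01-01 time=10:00:00 devname="FGT-BRANCH" '
                b'logid="0000000013" type="traffic" level="notice" '
                b'srcip=192.0.2.10 dstip=198.51.100.5')
SAMPLE_TLS = bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + bytes(range(0x80, 0xA0))
SAMPLE_BINARY = bytes([0x00, 0x01, 0xFE, 0xFF]) * 8

if __name__ == "__main__":
    print(summarize([SAMPLE_CLEAR, SAMPLE_TLS, SAMPLE_BINARY, b""]))
```

Any non-zero `cleartext-log` count for a device means its logs are readable in transit; a device showing only `tls` and `unknown` segments is consistent with an encrypted session.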