Trial licence limitations for sending logs from Fortigate to FortiAnalyzer?

Author: yuno
2020/04/29 08:26:57 FortiAnalyzer

Hi all
 
TL;DR
Does anyone know if the Fortigate trial licence limitations on encryption/decryption (which for example prevent the use of HTTPS) also prevent the SSL connections from Fortigate to FortiAnalyzer for the purposes of sending logs (via oftpd)?
 
I was trying to test sending logs from a Fortigate VM (firmware 6.4) to FortiAnalyzer VM (firmware 6.4) but I just get "No connection" and if you hover the cursor over that you get "Error occurred:{0}".  The goal is to test forwarding logs from the FortiAnalyzer to a third device but I can't get this far as the Fortigate won't send the logs to the FortiAnalyzer.  A reddit post (www.reddit.com/r/...er_trial_ssl_error_3/) suggested this is probably a trial licence limitation but it would be good to confirm it here if possible.
 
If anyone has found something similar please let me know.
 
Thanks
 
 
Testing steps:
I've made sure to check the compatibility matrix and the FGT and FAZ are compatible.  The Fortigate device is added as a device in the FortiAnalyzer.  I can test connectivity between the two using ping successfully.
I found various posts online with suggestions to make it work by allowing weaker encryption but none worked in this case e.g. (forum.fortinet.com/tm.aspx?m=140479)
FGT:
conf log fortianalyzer setting
set enc-algorithm low
set reliable enable
 
FAZ:
conf global setting
set enc-algorithm low
 
FGT:
exec log fortianalyzer test-connectivity
Failed to get FAZ's status.  Connection failed.  Connection refused(-1)
Failed to get FAZ's status.  SSL error. (-3).
 
FAZ - enabling debug logging for the oftpd app on the Fortianalyzer showed the following error:
(as in kb.fortinet.com/k...do?externalID=FD41272)
 
[oftpd_handle_session] oftp_recv_packet failed: SSL setup failure.
Client connection closed.  Reason 14(SSL setup failure)
 
Also I read the following, but it seems that these conditions were met during testing:
    >6.2 FAZ will only process encrypted logs from Fortinet devices.
    FAZ encryption level MUST be equal to or less than the FGT’s encryption level.
Trial licences are in use on both the Fortigate and the FortiAnalyzer.
post edited by yuno - 2020/04/29 08:42:15
#1
localhost
Re: Trial licence limitations for sending logs from Fortigate to FortiAnalyzer? 2020/04/29 09:00:14
I don't know about FortiAnalyzer.
 
But Fortigates will only support very limited encryption for Web management, IPSEC tunnels, SSLVPN and SSL inspection, etc.
So this will be probably the same for your FortiAnalyzer connections.
 
Can you give this a try?
 
On your Fortigate:
 
config log fortianalyzer setting
set reliable disable

#2
yuno
Re: Trial licence limitations for sending logs from Fortigate to FortiAnalyzer? 2020/04/29 09:32:41
Hi, thanks for the reply.
 
I used that setting on the Fortigate but unfortunately there was no change to the connection status.
#3
localhost
Re: Trial licence limitations for sending logs from Fortigate to FortiAnalyzer? 2020/05/02 08:58:24
Hi
 
This works for me with FortiAnalyzer-VM64 v6.2.3 and FortiGate-VM64 v6.2.3 running unregistered trial versions:
 
FAZ config:
config system global
    set enc-algorithm low
    set log-forward-cache-size 4
    set oftp-ssl-protocol sslv3
    set usg enable
end

 
Fortigate config:
config log fortianalyzer setting
    set status enable
    set server "10.1.2.100"
    set certificate-verification disable
    set serial "FAZ-VM0000000001"
    set ssl-min-proto-version SSLv3
    set upload-option realtime
end

 
Successful FortiAnalyzer connectivity is not visible in the GUI. But it's transferring logs and the CLI command shows a successful connection:
 
FortiGate-VM64 # execute log fortianalyzer test-connectivity

FortiAnalyzer Host Name: FAZVM64
FortiAnalyzer Adom Name: root
FortiGate Device ID: FGVMEVFV6YKXEGEB
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 704512B/53687091200B
Analytics Usage (Used/Allocated): 671744B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 0/60 Days
Archive Usage (Used/Allocated): 32768B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 365/365 Days
Log: Tx & Rx (5 logs received since 10:46:07 05/02/20)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
Certificate of Fortianalyzer valid and serial number is:FAZ-VM0000000001

 
After entering the CLI commands, just go to Security Fabric -> Settings and re-apply the settings.
Then you should be able to change the log location to FortiAnalyzer in the 'Log & Report' view as well.
#4
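The post above gets the trial boxes talking by switching off certificate verification and dropping the protocol floor to SSLv3 on the FortiGate, and by allowing low-strength ciphers and SSLv3 on the FortiAnalyzer. Those are lab-only settings: with them, the oftpd log channel can be intercepted or fed forged logs by anyone on the path. As an added example (not code from this thread or from Fortinet), the Python helper below parses FortiOS-style "config ... set ... end" blocks and the "execute log fortianalyzer test-connectivity" output quoted in the thread, flags every transport-weakening setting, and tells working from broken output. The sample config and CLI output are copied from post #4; the "production" config and the keyword names it uses (enc-algorithm high, ssl-min-proto-version TLSv1-2, certificate-verification enable, reliable enable) are assumptions to check against your firmware's CLI reference.

```python
"""Audit the trial-licence FortiGate -> FortiAnalyzer (oftpd) workaround.

Added example; not code from the forum thread or from Fortinet. Keyword
names and values are assumed from the FortiOS/FortiAnalyzer 6.x CLI.
"""
import re

# setting -> (values that weaken the FGT->FAZ transport, why it matters)
WEAK_SETTINGS = {
    "enc-algorithm": ({"low"}, "weak cipher suites permitted"),
    "ssl-min-proto-version": ({"sslv3", "tlsv1", "tlsv1-1"}, "obsolete protocol floor"),
    "oftp-ssl-protocol": ({"sslv3", "tlsv1", "tlsv1-1"}, "obsolete protocol floor"),
    "certificate-verification": ({"disable"}, "FAZ certificate not verified; MITM possible"),
    "reliable": ({"disable"}, "logs sent over UDP; can be dropped or spoofed"),
}

# Sample inputs copied from post #4 of the thread (the trial workaround).
FGT_TRIAL_CONFIG = """\
config log fortianalyzer setting
    set status enable
    set server "10.1.2.100"
    set certificate-verification disable
    set serial "FAZ-VM0000000001"
    set ssl-min-proto-version SSLv3
end
"""
FAZ_TRIAL_CONFIG = """\
config system global
    set enc-algorithm low
    set oftp-ssl-protocol sslv3
end
"""
# Constructed counterpart for a licensed production box (assumed keywords).
FGT_PROD_CONFIG = """\
config log fortianalyzer setting
    set status enable
    set server "10.1.2.100"
    set certificate-verification enable
    set enc-algorithm high
    set ssl-min-proto-version TLSv1-2
    set reliable enable
end
"""
# test-connectivity output copied from the thread: one success, one failure.
TEST_OK = """\
FortiAnalyzer Host Name: FAZVM64
FortiGate Device ID: FGVMEVFV6YKXEGEB
Registration: registered
Connection: allow
Log: Tx & Rx (5 logs received since 10:46:07 05/02/20)
Certificate of Fortianalyzer valid and serial number is:FAZ-VM0000000001
"""
TEST_FAIL = """\
Failed to get FAZ's status.  Connection failed.  Connection refused(-1)
Failed to get FAZ's status.  SSL error. (-3).
"""


def parse_config(text):
    """Return {setting: value} from one `config ... set k v ... end` block."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings


def weak_settings(text):
    """List (setting, value, reason) for every transport-weakening setting."""
    return [
        (key, val, WEAK_SETTINGS[key][1])
        for key, val in parse_config(text).items()
        if key in WEAK_SETTINGS and val.lower() in WEAK_SETTINGS[key][0]
    ]


def parse_test_connectivity(text):
    """Parse `execute log fortianalyzer test-connectivity` output.

    Returns {'connected': bool, 'errors': [...], 'fields': {...}}; the
    "Failed to get FAZ's status" lines seen in the thread land in 'errors'.
    """
    fields, errors = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Failed to get"):
            errors.append(line)
        elif ":" in line:
            key, val = line.split(":", 1)
            fields[key.strip()] = val.strip()
    connected = (not errors and fields.get("Registration") == "registered"
                 and fields.get("Connection") == "allow")
    return {"connected": connected, "errors": errors, "fields": fields}


if __name__ == "__main__":
    for name, cfg in [("FGT trial", FGT_TRIAL_CONFIG), ("FAZ trial", FAZ_TRIAL_CONFIG),
                      ("FGT production", FGT_PROD_CONFIG)]:
        for key, val, reason in weak_settings(cfg) or [("(none)", "", "no weakened settings")]:
            print(f"{name}: {key} {val} -> {reason}")
    for label, out in [("working", TEST_OK), ("broken", TEST_FAIL)]:
        print(label, parse_test_connectivity(out)["connected"])
```

Run it against a `show log fortianalyzer setting` dump before a trial box is promoted to production: anything it lists should be reverted once a real licence is installed, and a "connected" result with weak settings still present is a lab result, not a secure one.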
yuno
Re: Trial licence limitations for sending logs from Fortigate to FortiAnalyzer? 2020/05/04 04:41:09
Hi, thank you
 
I applied the settings on my 6.4 firmware FGT/FAZ devices as you detailed above but unfortunately they did not allow the two devices to communicate.  The GUI still showed 'No Connectivity' and on CLI the output from 'exec log fortianalyzer test-connectivity' was still:
Failed to get FAZ's status.  Connection failed.  Connection refused(-1)
Failed to get FAZ's status.  SSL error. (-3).
 
Following your post though I have downloaded a Fortigate and Fortianalyzer VM for firmware version 6.2.3, deployed these VMs, applied the Fortigate config log fortianalyzer settings and FortiAnalyzer system global settings as in your post, and I have been able to successfully send the logs from the Fortigate to the FortiAnalyzer.
 
Thanks again
 
#5
georgemilev
Re: Trial licence limitations for sending logs from Fortigate to FortiAnalyzer? 2021/04/08 12:11:27
Hello,
I am facing the same issue, but there is no assistance here...
#6
Yurisk
Re: Trial licence limitations for sending logs from Fortigate to FortiAnalyzer? 2021/04/11 11:57:55
Tried it on 6.4.4 - worked; tried 6.4.5 - didn't, go figure. In the end I asked for an evaluation licence and all worked.
 
post edited by Yurisk - 2021/04/18 04:26:43
#7