EMS Administration Guide

Communication with FortiAnalyzer for logging

This section applies only if you are sending logs from FortiClient EMS to FortiAnalyzer. If you are not sending logs, skip this section.

Sending logs to FortiAnalyzer requires that you enable ADOMs in FortiAnalyzer and add FortiClient EMS to FortiAnalyzer. FortiClient EMS is added as a device to the FortiClient ADOM in FortiAnalyzer. See the FortiAnalyzer Administration Guide.

FortiClient EMS supports logging to FortiAnalyzer. If you configure FortiClient EMS to send logs to a FortiAnalyzer, you must enable a FortiAnalyzer CLI command, and an SSL certificate is required to support communication between the FortiClient Web Filter extension and FortiAnalyzer.

If you use a public SSL certificate, you only need to add the public SSL certificate to FortiAnalyzer. See Adding an SSL certificate to FortiAnalyzer.

However, if you prefer to use a certificate that is not issued by a common CA, you must add the SSL certificate to FortiAnalyzer and push your certificate's root CA to the Google Chromebooks. Otherwise, the HTTPS connection between the FortiClient Chromebook Web Filter extension and FortiAnalyzer will not work. See Uploading root certificates to the Google Admin console.

The FortiAnalyzer IP address should be specified in the SSL certificate. If you are using a public SSL certificate, the FortiAnalyzer IP address can be assigned to Common Name or Alternative Name. If you are using a self-signed (nonpublic) SSL certificate, your certificate's Subject Alternative Name must include IP:<FortiAnalyzer IP>.
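The following added example (not part of the original guide) shows one way to issue a nonpublic certificate that meets the Subject Alternative Name requirement above with OpenSSL, and to check the result before importing it. The address 192.0.2.10, the CA name, and all file names are placeholders.

```bash
#!/bin/sh
# Added example. Placeholders: 192.0.2.10 stands in for the FortiAnalyzer IP;
# file names and the CA subject are arbitrary.

# make_faz_cert DIR IP
# Creates a private root CA (the certificate you would push to the
# Chromebooks) and a server certificate whose SAN carries IP:<FortiAnalyzer IP>.
make_faz_cert() {
    dir=$1; ip=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Lab Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$ip" \
        -keyout "$dir/faz.key" -out "$dir/faz.csr" 2>/dev/null || return 1
    # The SAN must be an IP entry; a DNS entry holding the address does not
    # satisfy IP-address matching in browsers.
    printf 'subjectAltName = IP:%s\n' "$ip" > "$dir/san.ext"
    openssl x509 -req -in "$dir/faz.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/san.ext" \
        -out "$dir/faz.crt" 2>/dev/null || return 1
}

# san_has_ip CERT IP
# Succeeds only if the certificate's SAN lists exactly this IP address
# (exact match, so 192.0.2.1 does not pass for 192.0.2.10).
san_has_ip() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "IP Address:$2"
}

# chains_to_ca CA CERT
# Succeeds if CERT verifies against the root CA that clients will trust.
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Demo run with the constructed values.
work=$(mktemp -d)
make_faz_cert "$work" 192.0.2.10 \
    && san_has_ip "$work/faz.crt" 192.0.2.10 \
    && chains_to_ca "$work/ca.crt" "$work/faz.crt" \
    && echo "certificate in $work has the expected SAN and chains to ca.crt"
```

Running san_has_ip against a certificate obtained elsewhere is a quick pre-import check; a failure here means the Chromebook extension's HTTPS connection would be rejected for a name mismatch.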

You must use the FortiAnalyzer CLI to add https-logging to the allowaccess list of the FortiAnalyzer interface. This command is one step in the process that allows FortiAnalyzer to receive logs from FortiClient EMS.

In the FortiAnalyzer CLI, enter the following commands. The set allowaccess line replaces the interface's existing list, so retype every access type that the interface should keep:

    config system interface
        edit "port1"
            set allowaccess https ssh https-logging
        next
    end

Adding an SSL certificate to FortiAnalyzer
To add an SSL certificate to FortiAnalyzer:
  1. In FortiAnalyzer, go to System Settings > Certificates > Local Certificates.
  2. Click Import. The Import Local Certificate dialog appears.
  3. In the Type list, select Certificate or PKCS #12 Certificate.
  4. Beside Certificate File, click Browse to select the certificate.
  5. Enter the password and certificate name.
  6. Click OK.

Selecting a certificate for HTTPS connections
To select a certificate for HTTPS connections:
  1. In FortiAnalyzer, go to System Settings > Admin > Admin Settings.
  2. From the HTTPS & Web Service Certificate dropdown list, select the certificate to use for HTTPS connections, and click Apply.
