Configuring FortiAnalyzer policies

Before you can store log messages remotely on a FortiAnalyzer appliance, you must first create FortiAnalyzer connection settings.

Once you create FortiAnalyzer connection settings, it can be referenced by a trigger, which in turn can be selected as a trigger action in a protection profile, and used to record policy violations.


	Logs stored remotely cannot be viewed from the web UI of the FortiWeb appliance. If you require the ability to view logs from the web UI, also enable local storage. For details, see “Enabling log types, packet payload retention, & resource shortage alerts”.

1. Before you can log to FortiAnalyzer, you must enable logging for the log type that you want to use as a trigger. For details, see “Enabling log types, packet payload retention, & resource shortage alerts”.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see “Permissions”.


Setting name	Description
Policy Name	Enter a unique name that other parts of the configuration can reference. Do not use spaces or special characters. The maximum length is 35 characters.
IP Address	Enter the IP address of the remote FortiAnalyzer appliance.
Encrypt Log Transmission	Select to transmit logs to the FortiAnalyzer appliance using SSL.

5. Confirm with the FortiAnalyzer administrator that the FortiWeb appliance was added to the FortiAnalyzer appliance’s device list, allocated sufficient disk space quota, and assigned permission to transmit logs to the FortiAnalyzer appliance. For details, see the FortiAnalyzer Administration Guide.

6. To verify logging connectivity, from the FortiWeb appliance, trigger a log message that matches the types and severity levels that you have chosen to store on the remote host. Then, on the remote host, confirm that it has received that log message.

If the remote host does not receive the log messages, verify the FortiWeb appliance’s network interfaces (see “Configuring the network interfaces”) and static routes (see “Adding a gateway”), and the policies on any intermediary firewalls or routers. If ICMP ECHO_RESPONSE (pong) is enabled on the remote host, try using the execute traceroute command to determine the point where connectivity fails. For details, see the FortiWeb CLI Reference.