Technical Tip: Procedure for changing FortiAnalyzer configuration to send log from using in-band interface IP to out-band ha-direct interface
| Description | This article describes the procedure for changing the FortiAnalyzer logging configuration on a FortiGate HA cluster from using the in-band interface IP to the out-band ha-direct interface.
In a FortiGate HA cluster that already has a FortiAnalyzer logging configuration, if the interface used to send logs is changed from in-band to out-band (ha-direct) without first deleting the original FortiAnalyzer setting, the FortiGate is not able to connect to the FortiAnalyzer after the change.
This is because, after 'ha-mgmt-interface' and 'ha-direct' are enabled, the FortiGates in the HA cluster still use the former in-band interface IP address as the source address for sending logs to the FortiAnalyzer.
In fact, the CLI displays a warning like the one below when 'ha-direct' is enabled:
```
FGT (ha) # end
When ha-direct is enabled, source ip may not work. We recommend to unset all log-related, netflow and sflow source ip. By selecting to continue, all source ip will be unset.
Do you want to continue? (y/n)y
```
To avoid this problem, the configuration under 'config log fortianalyzer setting' should be removed first, before the 'ha-mgmt-interface' configuration is added. |
| Scope | FortiGate. |
| Solution | The proper procedure to change from the in-band interface to the out-band interface (ha-mgmt-interface) is to first remove the FortiAnalyzer configuration, then create the out-band 'ha-mgmt-interface', and finally add the FortiAnalyzer configuration back.
That is (the following IP addresses and serial numbers are examples only; change them to the ones used in the actual environment):
Original FortiAnalyzer setting:
```
config log fortianalyzer setting
    set status enable
    set server "10.32.32.10"
    set serial "FAZ-VM0000103333"
end
```
Step 1. Remove the FortiAnalyzer setting first:
```
config log fortianalyzer setting
    unset serial
    unset server
    set status disable
end
```
Step 2. Enable the HA management interface and 'ha-direct':
```
config sys ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port5"
            set dst 10.32.32.0 255.255.255.0
            set gateway 10.50.50.1
        next
    end
    set ha-direct enable
end
```
Step 3. Add the FortiAnalyzer setting back:
```
config log fortianalyzer setting
    set status enable
    set server "10.32.32.10"
    set serial "FAZ-VM0000103333"
end
```
After this, each FortiGate in the HA cluster will use its 'ha-mgmt-interface' IP address as the source IP. If the removal of the existing FortiAnalyzer configuration (step 1) is skipped, the FortiGate will continue to send logs to the FortiAnalyzer from the former in-band interface IP instead of the new 'ha-mgmt-interface' IP address. |
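As an added check that is not part of the original article: after step 3, a quick way to confirm which source address a FortiGate actually uses is to capture its traffic to the FortiAnalyzer with `diagnose sniffer packet any 'host 10.32.32.10 and port 514' 4 20 l` on the FortiGate and look at the source of the outbound packets. The Python helper below is hypothetical (not Fortinet code) and parses that text output; the sniffer lines, the in-band address 10.20.20.2 and the port5 ha-mgmt-interface address 10.50.50.5 are constructed for the example, since the article does not state the port5 IP.

```python
import re
from collections import Counter

# FortiAnalyzer address and OFTP port from the article's example.
FAZ_IP = "10.32.32.10"
FAZ_PORT = "514"
# Assumed ha-mgmt-interface (port5) address; hypothetical, not from the article.
EXPECTED_SRC = "10.50.50.5"

# Constructed samples in the shape of 'diagnose sniffer packet <iface> <filter> 4' output:
# <date> <time> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp flags>
# SAMPLE_STALE shows the failure the article describes: logs still leave from the
# old in-band address 10.20.20.2 on port1 while one new session uses port5.
SAMPLE_STALE = """\
2024-05-01 10:00:01.100001 port1 out 10.20.20.2.49152 -> 10.32.32.10.514: syn 1000
2024-05-01 10:00:01.100400 port1 in 10.32.32.10.514 -> 10.20.20.2.49152: syn 2000 ack 1001
2024-05-01 10:00:01.200001 port1 out 10.20.20.2.49152 -> 10.32.32.10.514: psh 1001 ack 2001
2024-05-01 10:00:02.100001 port5 out 10.50.50.5.49160 -> 10.32.32.10.514: syn 3000
"""

# SAMPLE_GOOD is the expected state after the procedure: every packet to the
# FortiAnalyzer originates from the ha-mgmt-interface address.
SAMPLE_GOOD = """\
2024-05-01 10:05:02.100001 port5 out 10.50.50.5.49170 -> 10.32.32.10.514: syn 5000
2024-05-01 10:05:02.100500 port5 in 10.32.32.10.514 -> 10.50.50.5.49170: syn 6000 ack 5001
2024-05-01 10:05:02.200001 port5 out 10.50.50.5.49170 -> 10.32.32.10.514: psh 5001 ack 6001
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def parse_sniffer(text):
    """Yield one dict per parsable sniffer header line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def outbound_sources(text, faz_ip=FAZ_IP, faz_port=FAZ_PORT):
    """Count (interface, source IP) pairs for packets the FortiGate sends to the FortiAnalyzer."""
    counts = Counter()
    for pkt in parse_sniffer(text):
        if pkt["dir"] == "out" and pkt["dst"] == faz_ip and pkt["dport"] == faz_port:
            counts[(pkt["iface"], pkt["src"])] += 1
    return counts


def check_log_source(text, expected_src=EXPECTED_SRC, faz_ip=FAZ_IP, faz_port=FAZ_PORT):
    """Report whether all outbound log traffic uses the ha-mgmt-interface address.

    'ok' is False when any packet leaves from another address (the stale
    in-band IP case) and also when the capture contains no packets to the
    FortiAnalyzer at all, which means nothing has been verified yet.
    """
    counts = outbound_sources(text, faz_ip, faz_port)
    packets = sum(counts.values())
    stale = sorted({src for (_, src) in counts if src != expected_src})
    return {"ok": packets > 0 and not stale, "stale": stale, "packets": packets}


if __name__ == "__main__":
    for name, sample in (("stale", SAMPLE_STALE), ("good", SAMPLE_GOOD)):
        result = check_log_source(sample)
        print(f"{name}: ok={result['ok']} stale={result['stale']} packets={result['packets']}")
```

Run the sniffer on each cluster member separately (the ha-direct change applies per unit), paste the output into the checker, and treat any source address other than the unit's own ha-mgmt-interface IP as a sign that step 1 was skipped and the old FortiAnalyzer session is still bound to the in-band address.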
