mayurhadpe
Staff
May 7, 2026

Troubleshooting Tip: FortiAnalyzer connectivity loss after FortiGate VM HA failover (different IP)


Description

This article describes how to maintain a stable connection between a FortiGate VM HA pair and FortiAnalyzer when the HA members use different IP addresses, so that log communication to FortiAnalyzer is not interrupted during HA failover events.

Scope

FortiGate VM, FortiAnalyzer.

Solution

In virtualized environments, it is common for each FortiGate VM HA node (Primary and Secondary) to have different IP addresses and default routes.


By default, FortiAnalyzer identifies and maintains a connection with the active FortiGate using its source IP.


During an HA failover, the secondary unit becomes Active. Since it uses a different IP, FortiAnalyzer does not recognize it as the same device and the connection is dropped.

 

             +-------------------+
             |   FortiAnalyzer   |
             +---------+---------+
                       |
          +------------+------------+
          |                         |
+---------+---------+     +---------+---------+
| FortiGate VM      |     | FortiGate VM      |
| Primary (Active)  |     | Secondary         |
| IP: 10.1.1.1      |     | IP: 10.1.1.2      |
+-------------------+     +-------------------+


Solution:


To ensure seamless FortiAnalyzer connectivity across failovers, configure the following:


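Step 1: Enable VDOM Exception (on both the Primary and Secondary VMs). This keeps the FortiAnalyzer log setting out of HA configuration synchronization, so each node can hold its own source-ip.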

 

config system vdom-exception
    edit 0
        set object log.fortianalyzer.setting
    next
end


Step 2: Change source-ip (on both the Primary and Secondary VMs).

config log fortianalyzer setting
    set source-ip <x.x.x.x>
end


Note: Replace <x.x.x.x> with a FortiGate IP address that can reach FortiAnalyzer, and make sure FortiAnalyzer is reachable via that IP.
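
The following Python check is an added example, not part of the original article: it reads each HA node's configuration text and reports whether Step 1 and Step 2 are both present on that node. The function names and the two sample configurations are constructed for illustration; the source-ip values reuse the addresses from the diagram.

```python
import re

def parse_blocks(config_text):
    """Map each top-level 'config <path>' block to the lines inside it."""
    blocks, current, depth = {}, None, 0
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                current = line[len("config "):]
                blocks[current] = []
                continue
        elif line == "end" and depth > 0:
            depth -= 1
            if depth == 0:
                current = None
        if current is not None and line:
            blocks[current].append(line)
    return blocks

def audit_node(config_text):
    """Return (source_ip, findings) for one HA node's configuration text."""
    blocks, findings, source_ip = parse_blocks(config_text), [], None
    if "set object log.fortianalyzer.setting" not in blocks.get("system vdom-exception", []):
        findings.append("Step 1 missing: no vdom-exception for log.fortianalyzer.setting")
    for line in blocks.get("log fortianalyzer setting", []):
        match = re.fullmatch(r'set source-ip "?(\d{1,3}(?:\.\d{1,3}){3})"?', line)
        if match:
            source_ip = match.group(1)
    if source_ip in (None, "0.0.0.0"):
        findings.append("Step 2 missing: source-ip not set under log fortianalyzer setting")
    return source_ip, findings

# Constructed sample configurations (not taken from a real device).
PRIMARY = """
config system vdom-exception
    edit 1
        set object log.fortianalyzer.setting
    next
end
config log fortianalyzer setting
    set source-ip 10.1.1.1
end
"""
# Constructed: the secondary only received Step 2, so Step 1 is flagged.
SECONDARY = "config log fortianalyzer setting\n    set source-ip 10.1.1.2\nend\n"

if __name__ == "__main__":
    print(audit_node(PRIMARY), audit_node(SECONDARY))
```

Run it against a configuration backup from each node; an empty findings list on both nodes means both steps were applied on both VMs.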