New Member
May 11, 2026
Question

FG-FAZ no connectivity issue

  • May 11, 2026
  • 3 replies
  • 102 views

Hello,

I need help with our FG<->FAZ connectivity issue.

We are currently troubleshooting connectivity between a FortiGate 200G and a FortiAnalyzer VM.

Environment overview:

  • FortiGate 200G running in multi-VDOM mode
  • Dedicated management interface configured
  • FortiAnalyzer VM reachable through data-plane routing from the root VDOM
  • Management and data interfaces are located in different VDOM/routing contexts

Observed behavior:

  • FortiGate is attempting to establish a connection toward the FortiAnalyzer using:
    • TCP/514 (reliable logging / OFTP)
    • UDP/514
  • diagnose test application fgtlogd 1 shows:
    • state=disconnected
    • oftp-state=connecting
  • Packet sniffer on FortiGate shows:
    • mgmt out -- 10.0.0.2 -> 192.168.0.4:514
  • Packet sniffer on FortiAnalyzer VM does not see any packets from the FortiGate.
  • Traceroute sourced from 10.0.0.2 toward 192.168.0.4 does not pass the first hop.

FortiGate configuration notes:

  • The management interface is configured as:
    • set dedicated-to management
  • Because of this, FAZ/FMG/DNS/NTP traffic is using the management-plane routing context rather than the root VDOM routing table.
  • Root VDOM routing toward the FortiAnalyzer subnet appears correct, but it is not used for FortiAnalyzer communication.

Current understanding / suspected root cause:

  • The issue appears to be related to management-plane routing/reachability rather than FortiAnalyzer configuration itself.
  • FortiGate is transmitting traffic through the dedicated management interface, but the packets are not reaching the FortiAnalyzer network.

Additional observations:

  • Security Fabric access is enabled on the management interface.
  • FortiAnalyzer configuration itself appears correct.
  • Reliable logging is enabled.
  • No SYN-ACK responses are received from the FAZ side.
  • Intermediate firewall devices do not see traffic sourced from 10.0.0.2.

We would like help and confirmation regarding:

1. Expected FortiAnalyzer routing behavior when using set dedicated-to management?
2. Whether FAZ traffic can be forced to use a data-plane/root VDOM interface on this FortiOS build/platform?
3. Whether this behavior is expected in multi-VDOM deployments with dedicated management enabled?
4. Recommended best practice for FAZ connectivity in this architecture?

3 replies

Anthony_E
Staff
May 11, 2026

Hello,

Did you already have a look at this KB article?


Anthony

Best Regards
345Author
New Member
May 11, 2026

Yes, but not helpful. I have a problem with EDIT not working when I try to change the out interface to one that is routed from the second (root) VDOM.

BTW, I don't have the set source IP option in the CLI.

sw2090
SuperUser
May 13, 2026

Hm, I have two HA clusters here and I never actively configured anything in HA concerning FAZ.

I just connected the cluster to the FAZ and set the source-ip as listed above, and ever since it has been sending logs to my FAZ happily :)

However, we are not using multi-VDOM, and HA is active-passive only.

Yurisk
SuperUser
May 14, 2026

I'd start by checking whether there is any communication between the devices:

FAZ: diagnose sniffer packet any "host IP of FortiGate or leave blank"

FGT: diagnose sniffer packet any "host IP of FAZ" -OR- diagnose sniffer packet any "port 514"
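The two captures above (one on the FortiGate, one on the FortiAnalyzer) answer the question the original post is circling: are the TCP/514 SYNs leaving, on which interface, and does a SYN-ACK ever come back? The script below is an added example, not code from the thread or from Fortinet. It parses constructed sample lines laid out like verbose-level-4 output of diagnose sniffer packet (timestamp, interface, direction, src.port -> dst.port: TCP flags; that layout is an assumption), then correlates both sides into a verdict: handshake OK, SYNs reaching the FAZ but unanswered, or SYNs lost in transit. It also reports the egress interface, which in the poster's case is the dedicated mgmt interface rather than a root-VDOM data interface.

```python
"""Correlate FortiGate and FortiAnalyzer sniffer output for TCP/514 (OFTP).

Added example, not from the forum thread or from Fortinet. The capture lines
are constructed to resemble `diagnose sniffer packet any 'port 514' 4`; the
exact column layout is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample, FortiGate side: SYN retransmits leaving via the dedicated
# mgmt interface, nothing coming back (the situation described in the thread).
FGT_CAPTURE = """\
interfaces=[any]
filters=[port 514]
3.012345 mgmt out 10.0.0.2.51234 -> 192.168.0.4.514: syn 1834200371
6.021118 mgmt out 10.0.0.2.51234 -> 192.168.0.4.514: syn 1834200371
12.032201 mgmt out 10.0.0.2.51234 -> 192.168.0.4.514: syn 1834200371
"""

# Constructed sample, FortiAnalyzer side: only the header lines, no packets.
FAZ_CAPTURE = """\
interfaces=[any]
filters=[host 10.0.0.2]
"""

# Constructed sample of a healthy handshake over a data interface, for contrast.
FGT_CAPTURE_OK = """\
interfaces=[any]
filters=[port 514]
1.000100 port1 out 10.1.1.2.40001 -> 192.168.0.4.514: syn 100
1.000900 port1 in 192.168.0.4.514 -> 10.1.1.2.40001: syn 101 ack 101
1.001000 port1 out 10.1.1.2.40001 -> 192.168.0.4.514: ack 102
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>.*)$"
)


@dataclass
class Packet:
    ts: float
    intf: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

    @property
    def is_syn(self) -> bool:
        # Bare SYN: flags start with "syn" and carry no "ack".
        return self.flags.startswith("syn") and "ack" not in self.flags

    @property
    def is_syn_ack(self) -> bool:
        return self.flags.startswith("syn") and "ack" in self.flags


def parse_capture(text: str) -> list:
    """Turn sniffer output into Packet objects; header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # interfaces=[...] / filters=[...] or an unparsed line
        d = m.groupdict()
        packets.append(Packet(float(d["ts"]), d["intf"], d["dir"], d["src"],
                              int(d["sport"]), d["dst"], int(d["dport"]),
                              d["flags"]))
    return packets


def diagnose(fgt_packets: list, faz_packets: list, faz_ip: str, port: int = 514) -> dict:
    """Classify the TCP/514 session from both captures.

    Verdicts: handshake-ok (SYN-ACK seen on the FortiGate), faz-not-answering
    (SYNs arrive at the FAZ but no SYN-ACK), lost-in-transit (SYNs leave the
    FortiGate but never reach the FAZ), no-syn-sent (nothing left at all).
    """
    syns = [p for p in fgt_packets
            if p.direction == "out" and p.dst == faz_ip and p.dport == port and p.is_syn]
    syn_acks = [p for p in fgt_packets
                if p.direction == "in" and p.src == faz_ip and p.sport == port and p.is_syn_ack]
    seen_on_faz = [p for p in faz_packets if port in (p.sport, p.dport)]
    if not syns:
        verdict = "no-syn-sent"
    elif syn_acks:
        verdict = "handshake-ok"
    elif seen_on_faz:
        verdict = "faz-not-answering"
    else:
        verdict = "lost-in-transit"
    return {
        "egress_interfaces": sorted({p.intf for p in syns}),
        "syn_count": len(syns),
        "syn_ack_count": len(syn_acks),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(diagnose(parse_capture(FGT_CAPTURE), parse_capture(FAZ_CAPTURE), "192.168.0.4"))
    print(diagnose(parse_capture(FGT_CAPTURE_OK), [], "192.168.0.4"))
```

With the constructed captures the first call reports three SYNs on interface mgmt, no SYN-ACK, and the verdict lost-in-transit, which matches the thread's symptoms: the egress interface is the one bound to the management routing context, so a correct root-VDOM route to the FAZ subnet is never consulted. The second call reports handshake-ok. To use it on real output, paste each device's sniffer text into the two capture strings; an unexpected column layout simply yields no parsed packets, so check syn_count is non-zero before trusting the verdict.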

345Author
New Member
May 14, 2026

Hello, I did that at first, and that's how I made sure it is the mgmt interface with TCP 514 that is used for the traffic. I guess mgmt traffic is based on the mgmt routing table, not the global one, where the data interface is clearly routed to the FAZ VM, and I have ICMP traffic but not 514.