FortiAnalyzer Remote Logs Not Displaying on FortiGate GUI After FortiAnalyzer Upgrade (FAZ 7.4.11)
Scenario
Environment with multiple FortiGate firewalls connected to a FortiAnalyzer VM for centralized log collection and analysis.
Environment Versions
FortiAnalyzer VM: 7.4.11
FortiGate: 7.2.13
Fabric ADOM enabled
Some FortiGate devices operating in HA cluster mode
After upgrading the FortiAnalyzer from version 7.4.6 to 7.4.11, the FortiGate devices stopped displaying FortiAnalyzer logs directly from the FortiGate GUI.
Symptoms
When accessing logs from the FortiGate GUI:
Log & Report → Forward Traffic / Event Logs
the page remained completely blank.
However:
FortiAnalyzer continued receiving logs normally
Devices remained online in Fabric View / Device Manager
Logs were visible directly in the FortiAnalyzer GUI
No explicit communication or authorization errors were displayed
Additionally, the following behaviors were observed:
Analytics (actual/config days) above 100%
Archive Usage above 90%
diagnose dvm device list showing:
conn: unknown
conf: unknown
dev-db: unknown
This initially suggested a possible database, DVM, or analytics issue.
Root Cause
The issue was related to the source IP used by the FortiGate for communication with the FortiAnalyzer.
After the FortiAnalyzer upgrade, the Remote Log Retrieval/API session validation became stricter about source consistency.
On FortiGate HA clusters, when no source-ip is configured, the FortiGate may use different interfaces/IPs for:
log upload
API requests
remote log retrieval sessions
This causes the FortiAnalyzer remote query session to fail silently, resulting in a blank log page on the FortiGate GUI.
Solution
Configure a fixed source-ip for FortiAnalyzer communication.
For HA environments, it is highly recommended to use a Loopback interface IP.
Example:
config log fortianalyzer setting
  set status enable
  set server "IP FAZ(X.X.X.X)"
  set serial "FAZVMXXXXXXXXXXX"
  set upload-option realtime
  set source-ip "xxx.xxx.xxx.xxx"
end
After applying the configuration:
Remote logs immediately became visible again on the FortiGate GUI
No further issues were observed
Recommendations / Best Practices
For environments using:
FortiAnalyzer VM
HA clusters
SD-WAN
multiple WAN links
Fabric ADOM
it is strongly recommended to:
Configure set source-ip
Prefer Loopback interface IPs
Use stable management-plane routing toward FortiAnalyzer
This helps maintain consistent:
API sessions
Fabric communication
Remote Log Retrieval
Log upload stability
especially after upgrades or failover events.
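One way to check saved FortiGate configuration backups for this condition before a FortiAnalyzer upgrade. This is an added example, not part of the original article or any Fortinet tool. It assumes a non-VDOM backup in standard "config ... end" syntax; the sample configuration, the function names and the treatment of an empty or 0.0.0.0 source-ip as "unset" are assumptions.

```python
import re

# Constructed sample backup of an HA member (illustrative, not from the article).
SAMPLE_CONFIG = '''\
config system ha
    set mode a-p
end
config log fortianalyzer setting
    set status enable
    set server "192.0.2.10"
    set upload-option realtime
end
config log fortianalyzer2 setting
    set status enable
    set server "192.0.2.11"
    set source-ip "10.255.0.1"
end
'''

UNSET = {"", "0.0.0.0"}  # assumption: values treated as "no source-ip configured"

def parse_blocks(text):
    """Map each top-level 'config <name>' block to its flat 'set' key/value pairs."""
    blocks, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                name = line[len("config "):]
                blocks[name] = {}
        elif line == "end":
            depth = max(depth - 1, 0)
        elif depth == 1 and line.startswith("set "):
            _, key, *rest = line.split(None, 2)
            blocks[name][key] = rest[0].strip("\"'") if rest else ""
    return blocks

def audit_faz_source_ip(text):
    """List enabled FortiAnalyzer log settings that have no fixed source-ip."""
    blocks = parse_blocks(text)
    # 'set mode' is absent from the backup when the unit is standalone.
    ha = blocks.get("system ha", {}).get("mode", "standalone") != "standalone"
    findings = []
    for name, cfg in blocks.items():
        if not re.fullmatch(r"log fortianalyzer\d* setting", name):
            continue
        if cfg.get("status") == "enable" and cfg.get("source-ip", "") in UNSET:
            findings.append({"block": name, "server": cfg.get("server"), "ha": ha})
    return findings
```

A finding with "ha" set to True marks a cluster member that matches the failure condition described above and should receive a fixed source-ip first.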
Additional Notes
Although storage/analytics warnings were present:
Archive Usage > 90%
Analytics > 100%
they were not the root cause of the issue.
The FortiAnalyzer continued processing and storing logs normally.
The actual issue was the inconsistent source IP used during FortiAnalyzer remote query sessions.
