FortiADC
shafiq23
Staff & Editor
Article Id 422400
Description This article describes how to fix the FortiADC-FortiAnalyzer integration when logging stops and the FortiAnalyzer status is displayed as 'Disconnected'.
Scope FortiADC, FortiAnalyzer.
Solution

FortiADC uses the OFTP (Optimised Fabric Transfer Protocol) mechanism to send logs to FortiAnalyzer. OFTP runs over a dedicated TCP session and handles everything from connecting to the analyzer and validating certificates to forwarding the logs.

Issue:

[Screenshot 1.png: FortiAnalyzer logging status displayed as 'Disconnected']

Verification:

Validate connectivity between FortiADC and FortiAnalyzer from the FortiADC CLI:

execute ping <faz-ip>
execute telnet <faz-ip> 514

FortiAnalyzer must be reachable via port 514 for OFTP synchronisation.

Note:

The telnet test might not establish a session, but the TCP three-way handshake can still be observed in a packet capture:

diagnose sniffer packet any 'port 514' 4

689.734448 port1 out 10.47.20.76.24616 -> 10.47.19.67.514: syn 121677687
689.735710 port1 in 10.47.19.67.514 -> 10.47.20.76.24616: syn 3682525471 ack 121677688
689.735752 port1 out 10.47.20.76.24616 -> 10.47.19.67.514: ack 3682525472

Run the OFTP debug on FortiADC:

diagnose debug module miglogd oftp set
diagnose debug enable

Example output:

vdom: vdom-aps, init oftp...
vdom vdom-aps:trying connect 10.XX.XX.XX...
vdom: vdom-aps ,try connect[10.XX.XX.XX]: fd=160, oftp.status=0x11
oftp_tcp_connect: vdom: vdom-aps,tcp connected fd=160...
vdom: vdom-aps,continue status 0x12, fd=160, want_events=5
vdom: vdom-aps ,try connect[10.XX.XX.XX]: fd=160, oftp.status=0x12
vdom: vdom-aps,continue status 0x12, fd=160, want_events=5
vdom: vdom-aps ,try connect[10.XX.XX.XX]: fd=160, oftp.status=0x12
vdom: vdom-aps,continue status 0x12, fd=160, want_events=5
vdom: vdom-aps ,try connect[10.XX.XX.XX]: fd=160, oftp.status=0x12
vdom: vdom-aps,continue status 0x12, fd=160, want_events=5
vdom: vdom-aps ,try connect[10.XX.XX.XX]: fd=160, oftp.status=0x12
vdom: vdom-aps,continue status 0x12, fd=160, want_events=5
vdom: vdom-aps ,try connect[10.XX.XX.XX]: fd=160, oftp.status=0x12
vdom: vdom-aps,continue status 0x12, fd=160, want_events=5
vdom: vdom-aps ,try connect[10.XX.XX.XX]: fd=160, oftp.status=0x12
vdom: vdom-aps,continue status 0x12, fd=160, want_events=5
vdom: vdom-aps ,try connect[10.XX.XX.XX]: fd=160, oftp.status=0x12
oftp_ssl_connect: vdom vdom-aps,ssl done fd=160...
ID is FADV01XXXXXXXXXX, size 20
Gen system info:
Version: FortiADC-KVM v7.6.3,build0602,250713 (GA)
Serial-Number: FADV01XXXXXXXXXX

vdom: vdom-aps, Failed to build oftp pkt ---> No reachability on port 514

vdom: root ,try connect[10.XX.XX.XX]: fd=159, oftp.status=0x14
oftp_auth_recv: vdom=root fd=159, buf_pos=12,buf_len=50
oftp_auth_recv: vdom:root, buf_pos=50, buf_len=50, num=38
oftp_auth_recv: vdom: root read end
vdom root,login failed: -15 ---> No authorization


To disable debugging:

diagnose debug disable

Run OFTP debug in FortiAnalyzer:

diagnose debug app oftpd 8
diagnose debug enable

[T3719:oftps.c:1921 :10.XX.XX.XX] SSL clienthello incoming on sockfd[38]
[T3719:oftps.c:1252 :10.XX.XX.XX] dft-idx=0 inited=1.
[T3719:oftps.c:1756 :10.XX.XX.XX] SSL socket[38] pid[1608] ssl[0x7f6d180b24b0] SSL_new() success.
[T3719:oftps.c:1631 :10.XX.XX.XX] ssl verify peer cert
[T3719:oftps.c:1653 :10.XX.XX.XX] Peer is using a fortinet certificate. ON=Fortinet
[T3719:oftps.c:1666 :10.XX.XX.XX] Peer cert info, CommonName(CN=FortiADCVM).
[T3719:oftps.c:1933 :10.XX.XX.XX] SSL_accept one client SUCCESS [ protocol : (772) TLS 1.3 ]
[T3719:oftps.c:1965 :10.XX.XX.XX] SSL socket[38] pid[1608] ssl[0x7f6d180b24b0] SSL_accepted
[T3718:oftps.c:2023 :10.XX.XX.XX] SSL socket[38] pid[1608] ssl[0x7f6d180b24b0] received [238] bytes:
[T3718:main.c:4824 :10.XX.XX.XX] handle LOGIN_REQUEST_LEGACY
[T3717:login.c:3360 :10.XX.XX.XX] host = 'FortiADC'
[T3717:login.c:3406 :10.XX.XX.XX] Version: FortiADC-KVM v7.6.3,build0602,250713 (GA)
Serial-Number: FADV01XXXXXXXXXX
[T3717:login.c:345 :10.XX.XX.XX] os_type(17) os_ver(7) mr(6) patch(3) build(602) beta(-1)
[T3717:login.c:3365 :10.XX.XX.XX] vdom = 1
[T3717:login.c:3871 :10.XX.XX.XX] Error No legal SN found in cert and legacy auth mode disabled

To disable debugging:

diagnose debug disable

The FortiAnalyzer debug shows that the certificate FortiADC presents during OFTP authentication is rejected ('No legal SN found in cert and legacy auth mode disabled'). This is caused by the legacy-auth-mode setting introduced in FortiAnalyzer v7.4.8.

Special Notices: legacy-auth-mode command added:
FortiAnalyzer 7.4.8 Release Notes

With legacy auth mode disabled, FortiAnalyzer requires the FortiADC certificate to carry the device serial number in its CN. In the debug above the certificate CN is 'FortiADCVM' rather than the serial number, so the login is refused.
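As an added example (not part of the original article or of any Fortinet tool), the following Python script parses FortiAnalyzer oftpd debug output like the lines above, pulls out the peer certificate CN and the serial number FortiADC reports, and applies the check the article describes. The rule 'CN must equal the serial number when legacy-auth-mode is disabled' is an assumed approximation of FortiAnalyzer's behaviour; the sample debug text is constructed from the article's own lines.

```python
import re

# Constructed sample of "diagnose debug app oftpd 8" output, modelled on the
# lines shown in this article (IP and serial number are placeholders).
SAMPLE_DEBUG = """\
[T3719:oftps.c:1653 :10.XX.XX.XX] Peer is using a fortinet certificate. ON=Fortinet
[T3719:oftps.c:1666 :10.XX.XX.XX] Peer cert info, CommonName(CN=FortiADCVM).
[T3719:oftps.c:1933 :10.XX.XX.XX] SSL_accept one client SUCCESS [ protocol : (772) TLS 1.3 ]
[T3718:main.c:4824 :10.XX.XX.XX] handle LOGIN_REQUEST_LEGACY
[T3717:login.c:3406 :10.XX.XX.XX] Version: FortiADC-KVM v7.6.3,build0602,250713 (GA)
Serial-Number: FADV01XXXXXXXXXX
[T3717:login.c:3871 :10.XX.XX.XX] Error No legal SN found in cert and legacy auth mode disabled
"""

CN_RE = re.compile(r"CommonName\(CN=([^)]+)\)")
SN_RE = re.compile(r"Serial-Number:\s*(\S+)")


def parse_oftp_debug(text):
    """Return (peer_cert_cn, reported_serial, legacy_login_seen) from oftpd debug text."""
    cn = sn = None
    legacy_login = False
    for line in text.splitlines():
        m = CN_RE.search(line)
        if m:
            cn = m.group(1)
        m = SN_RE.search(line)
        if m:
            sn = m.group(1)
        if "LOGIN_REQUEST_LEGACY" in line:
            legacy_login = True
    return cn, sn, legacy_login


def assess(cn, sn, legacy_auth_mode_enabled):
    """Assumed approximation of the FortiAnalyzer check: with legacy auth mode
    disabled, the certificate CN must equal the device serial number."""
    if cn is None or sn is None:
        return "incomplete: certificate CN or serial number not found in debug output"
    if cn == sn:
        return "ok: certificate CN carries the serial number"
    if legacy_auth_mode_enabled:
        return "ok (legacy): CN %r != SN %r, accepted only while legacy-auth-mode is enabled" % (cn, sn)
    return "login will fail: CN %r != SN %r and legacy-auth-mode is disabled" % (cn, sn)


if __name__ == "__main__":
    cn, sn, legacy = parse_oftp_debug(SAMPLE_DEBUG)
    print("CN=%s SN=%s legacy_login=%s" % (cn, sn, legacy))
    print(assess(cn, sn, legacy_auth_mode_enabled=False))
```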


Workaround:

Temporarily enable legacy auth mode on FortiAnalyzer to allow FortiADC to authenticate via OFTP, and disable it again once FortiADC has been upgraded:

config system log settings
    set legacy-auth-mode enable
end

Solution:

Upgrade FortiADC to v7.4.9 / v7.6.4 or later.

Related document:

Configuring OFTP Settings For FortiAnalyzer Logs 
