FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
This article discusses the case where two HA cluster members are listed on the FortiManager (or FortiAnalyzer) as separate devices.

FortiGate, FortiManager running 5.2+

Expectations, Requirements

This can happen for a number of reasons, for example:
  • If the devices were added as separate devices before the decision was made to use them as a cluster.
  • If the secondary device, when first installed, requests to be managed before it has synced to the HA cluster, and an admin authorizes it believing that this is the correct way to add it.

When this occurs, the HA cluster may appear to be managed correctly, but if it fails over, the new master will be unable to connect to the FortiManager.

Debug output such as the following may be seen:
# diag debug application fgfm -1
# diag debug enable

{ "id": 32053, "result": [ { "status": { "code": 5, "message": "device serial number conflicted" }, "url": "start\/tunnel" } ] }

When this occurs, it is necessary to delete the cluster member from the FortiManager. This can be done using the following command:
# diag dvm delete <adom name> <device name>

To find the ADOM or device name of the device from its serial number, use the following command:
# diag dvm device list
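
To check a saved fgfm debug capture for the conflict response shown above, the following added example (not Fortinet's code) scans free-form text for embedded JSON objects and reports every result whose status message is "device serial number conflicted". The function names and the filler lines in the sample capture are assumptions made for illustration; only the conflict JSON line comes from this article.

```python
import json

# Message text taken from the debug output shown in this article.
CONFLICT_MESSAGE = "device serial number conflicted"

def iter_json_objects(text):
    """Yield every JSON object embedded in free-form debug text."""
    decoder = json.JSONDecoder()
    pos = text.find("{")
    while pos != -1:
        try:
            obj, end = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            # Not valid JSON at this brace (e.g. truncated); try the next one.
            pos = text.find("{", pos + 1)
            continue
        if isinstance(obj, dict):
            yield obj
        pos = text.find("{", end)

def find_serial_conflicts(text):
    """Return (id, code, url) for each result reporting a serial conflict."""
    hits = []
    for obj in iter_json_objects(text):
        results = obj.get("result")
        if not isinstance(results, list):
            continue
        for result in results:
            status = result.get("status") if isinstance(result, dict) else None
            if not isinstance(status, dict):
                continue
            if status.get("message") == CONFLICT_MESSAGE:
                hits.append((obj.get("id"), status.get("code"), result.get("url")))
    return hits

# Constructed capture: the first JSON line is the one from this article; the
# other lines are made-up filler standing in for unrelated debug output.
SAMPLE_CAPTURE = r"""
(constructed filler) tunnel negotiation started
{ "id": 32053, "result": [ { "status": { "code": 5, "message": "device serial number conflicted" }, "url": "start\/tunnel" } ] }
(constructed filler) { "id": 32054, "result": [ { "status": { "code": 0, "message": "OK" }, "url": "start\/tunnel" } ] }
(constructed filler) truncated { "id": 32055, "result": [
"""

if __name__ == "__main__":
    for req_id, code, url in find_serial_conflicts(SAMPLE_CAPTURE):
        print(f"serial conflict: id={req_id} code={code} url={url}")
```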