Created on 01-27-2022 12:21 AM Edited on 12-04-2024 05:53 AM By mdeparisse_FTNT
Description
This article describes how FortiAnalyzer can incorrectly show FortiGates as members of the same cluster, and how this can result from auto-grouping, which relies on each cluster having a unique HA group name configured on the FortiGate.
Scope
FortiAnalyzer v6.0.x, until v7.4.x.
Solution
When several FortiGates in a high-availability cluster are submitting logs to the FortiAnalyzer, the config attributes from the FortiGate should be auto-grouped under the same unit name.
config system ha
    set group-id 10
    set group-name "LAB"
    set mode a-p
    set password
    set hbdev "internal1" 0 "internal2" 0
    set session-pickup enable
    set link-failed-signal enable
    set ha-mgmt-status enable
    config ha-mgmt-interface
        edit 1
            set interface "internal4"
            set gateway 192.168.229.6
        next
    end
    set override disable
    set priority 142
end
Even if a FortiGate is removed from the FortiAnalyzer, it will be added back to the same unit again and again for as long as the FortiGate is still transmitting logs.
By default, FortiAnalyzer uses the HA group name configured on the FortiGates to determine which cluster to place them in.
Each FortiGate cluster must have a unique group name for auto-grouping.
To mitigate this issue, HA auto-grouping can be disabled under system global from the FortiAnalyzer CLI as follows (it is enabled by default):
config system global
Afterwards, group the HA cluster manually:
Once the master device has been edited, enable the HA cluster:
Once edited and the device is already listed in the device list, select 'from existing device':
Afterwards, see the grouped device as a cluster:
Another mitigation step is to give a unique HA group name to each FortiGate cluster.
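An audit for the unique-group-name requirement, as an added example that is not from the original article or from Fortinet: it parses the 'config system ha' block of each member's configuration backup and reports any HA group name used by more than one intended cluster. The inventory layout, the cluster labels (site-a, site-b, site-c) and the sample configurations are constructed assumptions.

```python
from collections import defaultdict

def parse_ha(config_text):
    """Return the top-level 'set' values of the 'config system ha' block."""
    settings, depth = {}, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config system ha":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1                      # nested table, e.g. ha-mgmt-interface
        elif line == "end":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:             # skip value-less lines (redacted password)
                settings[parts[1]] = parts[2].strip('"')
    return settings

def group_name_collisions(inventory):
    """inventory: {intended cluster label: [member config text, ...]}.
    Returns {group-name: [cluster labels]} for names shared by several clusters."""
    users = defaultdict(set)
    for cluster, configs in inventory.items():
        for text in configs:
            name = parse_ha(text).get("group-name")
            if name:
                users[name].add(cluster)
    return {n: sorted(c) for n, c in users.items() if len(c) > 1}

def sample_ha(group_id, group_name):
    """Constructed sample 'config system ha' block (not from a real device)."""
    return (f'config system ha\n    set group-id {group_id}\n'
            f'    set group-name "{group_name}"\n    set password\n'
            '    config ha-mgmt-interface\n        edit 1\n'
            '            set interface "internal4"\n        next\n    end\n'
            '    set priority 142\nend\n')

# Constructed inventory: two separate clusters both use the group name "LAB".
SAMPLE_INVENTORY = {
    "site-a": [sample_ha(10, "LAB"), sample_ha(10, "LAB")],
    "site-b": [sample_ha(20, "LAB")],
    "site-c": [sample_ha(30, "DC-EDGE")],
}

if __name__ == "__main__":
    for name, clusters in group_name_collisions(SAMPLE_INVENTORY).items():
        print(f'group-name "{name}" is shared by clusters: {", ".join(clusters)}')
```

Any name it reports should be changed on one of the listed clusters before those devices send logs to the same FortiAnalyzer.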
Related articles:
Technical Tip: Re-add HA cluster device in FortiAnalyzer due to HA member auto-grouping disable
Technical Tip: How to rename FortiGate HA cluster member at FortiAnalyzer