akaratas (Staff)
Article Id 203789
Description

FortiAnalyzer may sometimes show FortiGates that belong to different clusters as members of the same cluster.

This article describes how this can be a result of auto-grouping, which relies on a unique HA group name being configured on each FortiGate cluster so that devices are grouped correctly in FortiAnalyzer.

Scope: Versions 6.0.x, 6.2.x, 6.4.x, 7.0.x.
Solution

When several FortiGates in a high-availability cluster send logs to FortiAnalyzer, FortiAnalyzer auto-groups them under the same unit based on configuration attributes received from the FortiGates, such as the HA configuration shown below:

config system ha
    set group-id 10
    set group-name "LAB"
    set mode a-p
    set password
    set hbdev "internal1" 0 "internal2" 0
    set session-pickup enable
    set link-failed-signal enable
    set ha-mgmt-status enable
    config ha-mgmt-interface
        edit 1
            set interface "internal4"
            set gateway 192.168.229.6
        next
    end
    set override disable
    set priority 142
end

Even if a FortiGate is removed from FortiAnalyzer, it is added to the same unit again as long as the FortiGate keeps sending logs.

 

By default, FortiAnalyzer uses the HA group name configured on the FortiGates to determine which cluster to place them in.

 

Each FortiGate cluster must have a unique group name for auto-grouping.


To mitigate this issue, HA auto-grouping (enabled by default) can be disabled under system global from the FortiAnalyzer CLI as follows:

config system global
   set ha-member-auto-grouping disable
end

 

Another mitigation is to give each FortiGate cluster a unique HA group name.
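The following added example (not part of the Fortinet article) audits the second mitigation before logs reach FortiAnalyzer: it parses the top-level settings of FortiOS-style `config system ha` output, skipping nested sub-tables such as `ha-mgmt-interface`, and reports any HA group-name shared by devices from more than one cluster. The device names, the sample configs and the inventory mapping of devices to intended clusters are constructed assumptions.

```python
from collections import defaultdict

def _ha_config(group_id, group_name, priority):
    # Constructed FortiOS-style snippet laid out like the article's example, including a nested sub-table.
    return "\n".join([
        "config system ha", f"    set group-id {group_id}", f'    set group-name "{group_name}"',
        "    set mode a-p", "    set password", "    config ha-mgmt-interface", "        edit 1",
        '            set interface "internal4"', "        next", "    end", f"    set priority {priority}", "end",
    ])

# Constructed sample: five FortiGates; the inventory (device -> intended cluster) is an assumption.
SAMPLE_CONFIGS = {
    "FGT-A1": _ha_config(10, "LAB", 142), "FGT-A2": _ha_config(10, "LAB", 128),
    "FGT-B1": _ha_config(20, "LAB", 142), "FGT-B2": _ha_config(20, "LAB", 128),  # reuses "LAB"
    "FGT-C1": _ha_config(30, "SITE-C", 142),
}
INVENTORY = {"FGT-A1": "dc-cluster", "FGT-A2": "dc-cluster", "FGT-B1": "branch-cluster",
             "FGT-B2": "branch-cluster", "FGT-C1": "site-c-cluster"}

def parse_ha_block(config_text):
    """Return the top-level 'set' entries of 'config system ha', ignoring nested sub-tables."""
    settings, depth, in_ha = {}, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_ha:
            in_ha, depth = (line == "config system ha"), 1
            continue
        if line.startswith(("config ", "edit ")):
            depth += 1
        elif line in ("end", "next"):
            depth -= 1
            if depth == 0:
                break  # closing 'end' of the HA block
        elif depth == 1 and line.startswith("set "):
            parts = line.split(None, 2)  # 'set password' carries no value in the export
            settings[parts[1]] = parts[2].strip('"') if len(parts) > 2 else ""
    return settings

def find_group_name_collisions(configs, inventory):
    """Map each HA group-name to the clusters using it; return names shared by more than one cluster."""
    by_name = defaultdict(set)
    for device, text in configs.items():
        name = parse_ha_block(text).get("group-name")
        if name:
            by_name[name].add(inventory[device])
    return {name: sorted(c) for name, c in by_name.items() if len(c) > 1}

if __name__ == "__main__":
    for name, clusters in find_group_name_collisions(SAMPLE_CONFIGS, INVENTORY).items():
        print(f'group-name "{name}" is shared by {clusters}: FortiAnalyzer will auto-group them together')
```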