vraev
Staff
Article Id 342139
Description

 

This article describes the behavior of a FortiAnalyzer managed by FortiManager when a managed device is deleted from FortiManager or moved from one FortiManager ADOM to another and provides guidance on how to re-sync the FortiAnalyzer to the new Device-to-ADOM relationship in FortiManager.

Only the 'ADOMs enabled' scenario with the 'same FortiAnalyzer device added to more than one ADOM in FortiManager' is covered by this article.

More information about the managed FortiAnalyzer concept can be found in the Admin Guide.

 

Scope

 

FortiAnalyzer and FortiManager, version 7.x.

 

Solution

When a FortiAnalyzer ADOM is managed under the respective FortiManager ADOM (with the same name), the Device Manager on the FortiAnalyzer side is locked for manual editing, and the two Device Manager Databases are synchronized, in a top-down manner, from the FortiManager side.

 

Adding a device in a FortiManager ADOM also adds the same device in the corresponding FortiAnalyzer ADOM, unless a device with the same Serial Number (SN) already exists in the FortiAnalyzer Device Manager Database, in which case:

  • If the device exists in the same ADOM on both sides, the synchronization is skipped.
  • If the device exists in different ADOMs in FortiManager and FortiAnalyzer or is Unauthorized, then the synchronization fails.

 

Deleting a device from FortiManager does not behave the same way as adding one: the deletion is not synced to FortiAnalyzer, and the device is not removed from FortiAnalyzer automatically. This is expected behavior and a failsafe mechanism, since deleting a device from FortiAnalyzer by default also deletes all of its logs from both the log archive and the log database of the respective FortiAnalyzer ADOM.

 

Moving a device from one FortiManager ADOM to another is likewise not synced to FortiAnalyzer automatically, for reasons similar to the delete case: moving the device to another FortiAnalyzer ADOM wipes its logs from the log database of the old ADOM, and the log database of the new ADOM needs to be rebuilt. In addition, different FortiManager ADOMs can manage ADOMs on different FortiAnalyzer units, which further complicates any automation of this migration.

 

Within the current FortiManager and FortiAnalyzer design, when a FortiGate is deleted from FortiManager or moved to another FortiManager ADOM, the affected ADOMs on the FortiAnalyzer side should be unlocked and edited manually.

 

  1. In the FortiAnalyzer CLI, unlock the affected ADOM:

    diagnose dvm adom unlock "<adom>"

    e.g.
    FAZ-VM64 # diagnose dvm adom unlock root

  2. In the FortiAnalyzer GUI, edit the unlocked ADOM(s) as required.

  3. When the device is moved to a new ADOM, rebuild the log database of this ADOM to insert the device logs and make them available for analysis:

    execute sql-local rebuild-adom "<new_adom>"

    e.g.
    FAZ-VM64 # execute sql-local rebuild-adom TestAdom

 

Alternatively:

  1. Delete the managed FortiAnalyzer from the modified FortiManager ADOM(s). This unlocks the managed FortiAnalyzer ADOM(s).
  2. Modify the respective FortiAnalyzer side ADOM(s) (i.e., move the device in the same way it was moved in FortiManager).
  3. Re-add and resync the FortiAnalyzer in the FortiManager ADOM(s).
    In case of sync errors, first make sure that the device-to-ADOM relationship matches in both FortiManager and FortiAnalyzer.
  4. Rebuild the log database of the new ADOM to insert the device logs and make them available for analysis.
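The following Python script is an added example, not part of this article or of any Fortinet product code. It models the add/skip/fail rules described above against a constructed FortiManager and FortiAnalyzer Device Manager inventory (hypothetical serials and ADOM names), flags the device-to-ADOM mismatches that make a resync fail, and prints the FortiAnalyzer CLI steps from this article needed to fix them by hand.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    serial: str      # device Serial Number (SN), the key used for sync
    adom: str        # ADOM the device belongs to on that side
    authorized: bool = True


def plan_sync(fmg_devices, faz_devices):
    """Apply the top-down rules to a FortiManager (fmg) and FortiAnalyzer (faz)
    inventory. Returns (actions, failures, orphans):
    actions  - serial -> "skip" or "add to <adom>" (sync succeeds)
    failures - serial -> (fmg_adom, faz_adom, reason) (sync fails, fix manually)
    orphans  - serials present only on FortiAnalyzer: deletions and moves are
               not pushed down (failsafe, since deleting would drop their logs)
    """
    faz_by_sn = {d.serial: d for d in faz_devices}
    actions, failures = {}, {}
    for dev in fmg_devices:
        cur = faz_by_sn.get(dev.serial)
        if cur is None:
            actions[dev.serial] = f"add to {dev.adom}"
        elif not cur.authorized:
            failures[dev.serial] = (dev.adom, cur.adom, "unauthorized on FortiAnalyzer")
        elif cur.adom == dev.adom:
            actions[dev.serial] = "skip"
        else:
            failures[dev.serial] = (dev.adom, cur.adom, "ADOM mismatch")
    orphans = sorted(set(faz_by_sn) - {d.serial for d in fmg_devices})
    return actions, failures, orphans


def remediation_commands(failures):
    """FortiAnalyzer CLI from this article: unlock every affected ADOM first,
    then rebuild the log database of each ADOM a device was moved into."""
    unlocks, rebuilds = [], []
    for fmg_adom, faz_adom, _reason in failures.values():
        unlocks += [faz_adom, fmg_adom]
        if fmg_adom != faz_adom:
            rebuilds.append(fmg_adom)
    cmds = [f'diagnose dvm adom unlock "{a}"' for a in dict.fromkeys(unlocks)]
    cmds += [f'execute sql-local rebuild-adom "{a}"' for a in dict.fromkeys(rebuilds)]
    return cmds


# Constructed sample inventory (hypothetical): FGT2 was moved to TestAdom on
# FortiManager only, FGT4 was deleted from FortiManager, FGT5 is unauthorized.
FMG = [Device("FGT1", "root"), Device("FGT2", "TestAdom"), Device("FGT3", "root"), Device("FGT5", "root")]
FAZ = [Device("FGT1", "root"), Device("FGT2", "root"), Device("FGT4", "root"), Device("FGT5", "root", False)]

if __name__ == "__main__":
    actions, failures, orphans = plan_sync(FMG, FAZ)
    print(actions, failures, orphans, sep="\n")
    print("\n".join(remediation_commands(failures)))
```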


Other related settings:

 

config system log settings
    set keep-dev-logs {enable | disable}
end

 

This option controls whether the device logs are kept after the device has been deleted (default = disable, i.e., the logs are removed together with the device).

 

Related documents: