This article describes the behavior of a FortiAnalyzer managed by FortiManager when a managed device is deleted from FortiManager or moved from one FortiManager ADOM to another and provides guidance on how to re-sync the FortiAnalyzer to the new Device-to-ADOM relationship in FortiManager.
Only the 'ADOMs enabled' scenario with the 'same FortiAnalyzer device added to more than one ADOM in FortiManager' is covered by this article.
More information about the managed FortiAnalyzer concept can be found in the Admin Guide.
Applies to FortiAnalyzer and FortiManager version 7.x.
When a FortiAnalyzer ADOM is managed under the FortiManager ADOM of the same name, the Device Manager on the FortiAnalyzer side is locked for manual editing, and the two Device Manager databases are synchronized top-down from the FortiManager side.
Adding a device to the FortiManager ADOM also adds the same device to the corresponding FortiAnalyzer ADOM, unless a device with the same Serial Number (SN) already exists in the FortiAnalyzer Device Manager database, where:
Deleting a device from FortiManager does not behave the same way as adding one. Deleting a managed device from FortiManager is not synchronized to FortiAnalyzer, so the device is not removed from FortiAnalyzer automatically. This is expected behavior and a failsafe: by default, deleting a device from FortiAnalyzer also deletes all of its logs from both the log archive and the log database of the respective FortiAnalyzer ADOM.
Moving a device from one FortiManager ADOM to another is likewise not synchronized to FortiAnalyzer. The reasons are similar to the delete case: moving the device to another FortiAnalyzer ADOM wipes its logs from the log database of the old ADOM, and the database in the new ADOM must be rebuilt. In addition, different FortiManager ADOMs can manage ADOMs on different FortiAnalyzer units, which further complicates any automation of this migration.
Within the current FortiManager and FortiAnalyzer design, when a FortiGate is deleted from FortiManager or moved to another FortiManager ADOM, the affected ADOMs on the FortiAnalyzer side should be unlocked and edited manually.
Alternatively:
Other related settings:
config system log settings
keep-dev-logs {enable | disable}
end
This option allows the user to enable or disable keeping the device logs after the device has been deleted (default = disable).
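The checks below are an added example for the manual procedure above and for the keep-dev-logs setting; they are not part of the original article. They are run on the FortiAnalyzer CLI before the ADOM is unlocked and the device is deleted or moved by hand. The command names are assumed from the FortiAnalyzer CLI reference (diagnose dvm device list, show system log settings, config system log settings); verify them against the release in use.

```text
# Added example (not from the Fortinet KB article). FortiAnalyzer CLI.
# Command names are assumed from the FortiAnalyzer CLI reference.

# 1. Confirm the device is still listed on FortiAnalyzer after it was
#    deleted from (or moved within) FortiManager. It is expected to be
#    present, because delete and move operations do not sync top-down.
diagnose dvm device list

# 2. Check the current value of keep-dev-logs (default = disable).
show system log settings

# 3. If the logs of the device must survive its deletion from the ADOM,
#    enable the option first; with the default, deleting the device
#    removes its logs from the archive and the log database of that ADOM.
config system log settings
    set keep-dev-logs enable
end

# 4. Only then unlock the affected ADOM on FortiAnalyzer and delete or
#    move the device manually in Device Manager, as described above.
```

Enabling keep-dev-logs only changes what happens to logs already stored; it does not make a deleted device reappear in Device Manager, nor does it move logs to the new ADOM when a device is relocated.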
Related documents:
Administration Guide: Add FortiAnalyzer
Administration Guide: Using FortiManager to manage FortiAnalyzer devices
Technical Tip: Delete device from FortiAnalyzer managed by FortiManager
Technical Tip: How to relock an ADOM on FortiAnalyzer that is managed by FortiManager
Copyright 2024 Fortinet, Inc. All Rights Reserved.