FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
mkannan
Staff
Staff

Description

 

This article explains how to configure and troubleshoot issues with FortiAnalyzer HA.

 

Scope

 

FortiAnalyzer

 

Solution

 

Pre-request:

 

- A Layer-2 connection between Primary-FortiAnalyzer and Secondary-FortiAnalyzer is mandatory to communicate through Cluster Virtual IP via VRRP.

 

- If Primary-FortiAnalyzer and Secondary-FortiAnalyzer are in different locations then connected via MPLS link.

 

- FortiAnalyzer HA is using VRRP for the floating IP of the cluster members.

 

Sample Diagram with Port & IP Configuration:

 

mkannan_0-1659623014644.png

 

Note: Virtual IP should be the same in both Primary and Secondary devices.

 

On FortiAnalyzer-Primary device:

 

System Settings -> HA -> Operation mode select 'High Availability'.

 

mkannan_1-1659623014648.png

 

 

Configure the following details:

 

Preferred Role: Primary

Cluster Virtual IP:

          Interface: port1

          IP Address: 10.109.21.123 (make sure this IP is not used in the network)

Cluster Settings:

          Peer IP: 10.123.5.198 (Secondary FortiAnalyzer IP address)

          Peer SN: FAZVMXXXXXX (Secondary FortiAnalyzer Serial Number)

Group Name: HA (Any name can be given, but should be the same on Pri & Sec).

Group ID: 9 (Any number (1-255) can be given, should be the same on Pri & Sec).

Password: Fortinet@123 (Can give any password, but should be the same on Pri & Sec).

Heart Beat Interval: 1

Priority: 120 (Higher Value states as Primary device)

Log Data Sync: Enable the toggle option.

 

mkannan_2-1659623014654.png

 

 

On FortiAnalyzer-Secondary device:

 

System Settings -> HA -> Operation mode select 'High Availability'.

 

mkannan_3-1659623014657.png

 

 

Configure the following details:

 

Preferred Role: Secondary

Cluster Virtual IP:

          Interface: port1

          IP Address: 10.109.21.123 (make sure this IP is not used in the network)

Cluster Settings:

          Peer IP: 10.123.5.189 (Secondary FortiAnalyzer IP address)

          Peer SN: FAZVMXXXXXX (Secondary FortiAnalyzer Serial Number)

Group Name: HA (Any name can be given, but should be the same on Pri & Sec).

Group ID: 9 (Any number (1-255) can be given, should be the same on Pri & Sec).

Password: Fortinet@123 (Can give any password, but should be the same on Pri & Sec).

Heart Beat Interval: 1

Priority: 100 (Lower Value states as Secondary device)

Log Data Sync: Enable the toggle option.

 

mkannan_4-1659623014662.png

 

 

After configuring Primary & Secondary this output on GUI can be seen.

  

mkannan_5-1659623014666.png

 

 

mkannan_6-1659623014669.png

 

Troubleshooting Commands:

 

On Primary-FortiAnalyzer:

 

# diag ha status

 

mkannan_7-1659623014677.png

 

# get system ha

 

mkannan_8-1659623014687.png

 

 On Secondary-FortiAnalyzer:

 

# diag ha status

 

mkannan_9-1659623014695.png

 

# get system ha

 

mkannan_10-1659623014700.png

 

With these 2 commands, troubleshoot the status and the configured values for FortiAnalyzer-HA.

 

Restart Cluster Process and collect its debug output:

 

After checking the configuration settings, restart the clustering process on both Primary & Secondary devices.

 

# diagnose test application clusterd 1

# diagnose test application clusterd 99

 

Also, collect the cluster debug output on both Primary & Secondary devices.

 

# diagnose debug application clusterd 255

# diagnose debug enable

 

mkannan_11-1659623014704.png

 

Related Document: 

https://docs.fortinet.com/document/fortianalyzer/6.2.0/cookbook/266391/setting-up-a-fortianalyzer-ha...

Contributors