mkannan
Staff
Article Id 219808

Description

 

This article describes how each FortiManager node is assigned its own unique IP address (Primary and Secondary) while both share a common virtual IP address. The shared VIP provides seamless failover and continuous network availability through VRRP. The VRRP advertisements exchanged between the nodes have the following properties:

 

Source address: The primary IP address of the interface from which the packet is sent.

Destination IP address: 224.0.0.18 (Multicast IP address).

 

This is a link-local scope multicast address. Routers should not forward a datagram with this destination address, regardless of its TTL.

TTL: 255.

Protocol: The IP protocol number assigned by the IANA for VRRP is 112 (decimal).

Virtual MAC address: 00-00-5E-00-01-{VRID}, where VRID is the virtual router ID (the Group ID configured below).
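As an added example that is not part of the original article, the following Python code decodes a captured VRRPv2 advertisement and checks the invariants listed above (protocol 112, destination 224.0.0.18, TTL 255, a valid VRRP checksum) and derives the virtual MAC from the VRID. The builder constructs a sample advertisement using the article's values (VRID 9, priority 120, VIP 10.109.21.123, sourced from the Primary's port1 address); authentication type 0 and the function names are assumptions.

```python
import ipaddress
import struct

VRRP_PROTO = 112           # IANA protocol number for VRRP (from the article)
VRRP_MCAST = "224.0.0.18"  # link-local multicast destination (from the article)
VRRP_TTL = 255             # required TTL on advertisements (from the article)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the VRRPv2 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_advert(src: str, vrid: int, priority: int, vips, adver_int: int = 1) -> bytes:
    """Constructed IPv4 + VRRPv2 advertisement, the message the Primary sends every interval."""
    ips = b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    vrrp = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), 0, adver_int, 0)
    vrrp += ips + b"\x00" * 8  # auth type 0: eight zero bytes of authentication data (assumed)
    vrrp = vrrp[:6] + struct.pack("!H", inet_checksum(vrrp)) + vrrp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(vrrp), 0, 0, VRRP_TTL, VRRP_PROTO,
                     0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(VRRP_MCAST).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + vrrp

def parse_advert(pkt: bytes) -> dict:
    """Decode one IPv4/VRRP packet and list which of the article's invariants it violates."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    v = pkt[ihl:]
    ver_type, vrid, prio, count, _auth, adver, _csum = struct.unpack("!BBBBBBH", v[:8])
    vips = [str(ipaddress.IPv4Address(v[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    problems = []
    if proto != VRRP_PROTO:
        problems.append("ip proto %d != 112" % proto)
    if dst != VRRP_MCAST:
        problems.append("dst %s != 224.0.0.18" % dst)
    if ttl != VRRP_TTL:
        problems.append("ttl %d != 255" % ttl)
    if ver_type != 0x21:  # version 2, type 1 (advertisement)
        problems.append("not a VRRPv2 advertisement")
    if inet_checksum(v) != 0:  # a valid message sums to zero when its own checksum is included
        problems.append("bad VRRP checksum")
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])), "vrid": vrid, "priority": prio,
            "adver_int": adver, "vips": vips, "vmac": "00-00-5E-00-01-%02X" % vrid,
            "problems": problems}
```

The same checks can be applied to the packets captured with the 'diagnose sniff packet portX "vrrp" 3' command later in this article.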

 

Cluster Settings:

  • Peer IP: 10.123.5.198 (Secondary FortiAnalyzer IP address).
  • Peer SN: FAZVMXXXXXX (Secondary FortiAnalyzer Serial Number).

 

Interface Settings

  • port1 and port2 must be configured with their interface IPs manually, as the cluster settings do not set them.
  • Primary - port2 = 10.123.5.189.
  • Primary - port1 = 10.109.21.189.
  • Secondary - port2 = 10.123.5.198.
  • Secondary - port1 = 10.109.21.198.

 

Group Name: HA (Any name can be given, but should be the same on Pri & Sec).

Group ID: 9 (Any number (1-255) can be given, should be the same on Pri & Sec).

Password: Fortinet@123 (Can give any password, but should be the same on Pri & Sec).

Heartbeat Interval: 1.

Priority: 120 (the higher value designates the Primary device).

Log Data Sync: Enable the toggle option.

 


 

On FortiAnalyzer-Secondary device: under System Settings -> HA -> Operation mode select 'High Availability'.

 


 

Configure the following details:

 

Preferred Role: Secondary.

 

Cluster Virtual IP:

  • Interface: port1.
  • IP Address: 10.109.21.123 (make sure this IP is not used in the network).

 

Cluster Settings:

  • Peer IP: 10.123.5.189 (Primary FortiAnalyzer IP address).
  • Peer SN: FAZVMXXXXXX (Primary FortiAnalyzer Serial Number).

 

Group Name: HA (Any name can be given, but should be the same on Pri & Sec).

Group ID: 9 (Any number (1-255) can be given, should be the same on Pri & Sec).

Password: Fortinet@123 (Can give any password, but should be the same on Pri & Sec).

Heartbeat Interval: 1.

Priority: 100 (the lower value designates the Secondary device).

Log Data Sync: Enable the toggle option.

 


 

After configuring the Primary and Secondary, the GUI shows the following HA status.

  


 


 

 

Important note:

When performing the initial synchronization of the HA cluster, only the Primary node (the member with preferred-role = primary, or the highest priority) must have the 'Initial-sync' setting enabled.
If both nodes initiate the sync simultaneously, each node may attempt to push its own database to the peer, causing the HA pairing to fail or to remain in the 'Secondary-Sync' state.
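As an added example that is not part of the original article, the following Python check validates a Primary/Secondary pair against the rules above: identical group name, group ID, password, heartbeat and VIP; cross-referenced peer IP and peer SN; a higher priority on the Primary; a VIP that is not already an interface address; and initial sync enabled on the Primary only. The two member dictionaries are constructed from the article's values; the member names, serial-number placeholders (the article redacts serials as FAZVMXXXXXX) and the function name are assumptions.

```python
# Constructed member settings using the values from this article. Serial numbers are
# placeholders: the article redacts them as FAZVMXXXXXX.
PRIMARY = {"name": "FAZ-Primary", "role": "primary", "sn": "FAZVM-PRI-PLACEHOLDER",
           "port1": "10.109.21.189", "port2": "10.123.5.189",
           "peer_ip": "10.123.5.198", "peer_sn": "FAZVM-SEC-PLACEHOLDER",
           "vip_if": "port1", "vip": "10.109.21.123", "group_name": "HA", "group_id": 9,
           "password": "Fortinet@123", "heartbeat": 1, "priority": 120,
           "log_data_sync": True, "initial_sync": True}
SECONDARY = {"name": "FAZ-Secondary", "role": "secondary", "sn": "FAZVM-SEC-PLACEHOLDER",
             "port1": "10.109.21.198", "port2": "10.123.5.198",
             "peer_ip": "10.123.5.189", "peer_sn": "FAZVM-PRI-PLACEHOLDER",
             "vip_if": "port1", "vip": "10.109.21.123", "group_name": "HA", "group_id": 9,
             "password": "Fortinet@123", "heartbeat": 1, "priority": 100,
             "log_data_sync": True, "initial_sync": False}

def check_cluster(nodes):
    """Return a list of findings; an empty list means the two members are consistent."""
    findings = []
    by_role = {n["role"]: n for n in nodes}
    pri, sec = by_role.get("primary"), by_role.get("secondary")
    if len(nodes) != 2 or not (pri and sec):
        return ["cluster needs exactly one primary and one secondary member"]
    # Group name, group ID, password, heartbeat and VIP must be identical on both members
    for key in ("group_name", "group_id", "password", "heartbeat", "vip_if", "vip"):
        if pri[key] != sec[key]:
            findings.append(f"{key} differs: {pri[key]!r} vs {sec[key]!r}")
    if not 1 <= pri["group_id"] <= 255:
        findings.append(f"group_id {pri['group_id']} outside 1-255")
    # The higher priority wins the primary role, so the primary must carry the larger value
    if pri["priority"] <= sec["priority"]:
        findings.append(f"primary priority {pri['priority']} not above secondary {sec['priority']}")
    # Each member's peer IP / peer SN must point at the other member's port2 address and serial
    for me, other in ((pri, sec), (sec, pri)):
        if me["peer_ip"] != other["port2"]:
            findings.append(f"{me['name']}: peer_ip {me['peer_ip']} != peer port2 {other['port2']}")
        if me["peer_sn"] != other["sn"]:
            findings.append(f"{me['name']}: peer_sn does not match the peer's serial number")
        if not me["log_data_sync"]:
            findings.append(f"{me['name']}: log data sync is disabled")
    # The cluster VIP must not already be assigned to any member interface
    in_use = {n[p] for n in nodes for p in ("port1", "port2")}
    if pri["vip"] in in_use:
        findings.append(f"VIP {pri['vip']} is already used as an interface address")
    # Only the primary may run the initial sync; both syncing leaves the pair stuck
    syncing = [n["name"] for n in nodes if n["initial_sync"]]
    if syncing != [pri["name"]]:
        findings.append(f"initial sync must be enabled on the primary only, found {syncing}")
    return findings
```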

 

Troubleshooting Commands:

 

On Primary-FortiAnalyzer:

 

diagnose ha status

 


 

get system ha

 


 

On Secondary-FortiAnalyzer:

 

diagnose ha status

 


 

get system ha

 


 

These two commands show the current HA status and the configured values of the FortiAnalyzer HA cluster, and are the first step in troubleshooting.

 

Restart the Cluster Process and collect its debug output:

 

After checking the configuration settings, restart the clustering process on both Primary & Secondary devices.

 

diagnose test application clusterd 1

diagnose test application clusterd 99

 

If the HA members are located at different sites, where multicast VRRP traffic may not be forwarded, enable unicast HA with the following commands:

 

config sys ha
    set unicast enable
end

 

If the initial log sync has completed but the configuration has not synchronized, run the following command to force a configuration resync:

 

diagnose ha force-cfg-resync <----- Force HA to re-synchronize the configuration.

 

Also, collect the cluster debug output on both Primary & Secondary devices.

 

diagnose debug application clusterd 255

diagnose debug enable

 

The following command shows the live HA connection status, for example the keep-alive messages:

 

diagnose ha dump-datalog

 

Troubleshooting commands:

 

diagnose de app ha 255 <----- Run this before forming the HA cluster to see all errors within the process.

diagnose de en

 

diagnose ha status
diagnose ha stats
diagnose test app cluster 1
diagnose test app cluster 3 conn
diagnose test app cluster 3 log
diagnose test app cluster 97 status

 

execute shell <----- This has been disabled in v7.2.10/7.4.5/7.6.2.

 

cat /etc/keepalived/keepalived.cfg
cat /drive0/private/clusterd/faz-ha.log
cat /drive0/private/clusterd/keepalived.log

 

diagnose sniff packet portX "vrrp" 3

 

Both nodes attempted initial sync:

If initial sync is enabled on both nodes at the same time, the cluster may never form. The fix is to stop the sync on one node (or reboot it), then run the sync from the Primary only.

 

Related documents: 

Setting up a FortiAnalyzer HA cluster

Troubleshooting Tip: FortiAnalyzer HA could not be performed with specific error message 'Firmware v...

Technical Tip: How to configure FortiAnalyzer HA instance in Google Cloud Platform (GCP)

Technical Tip: File system check on FortiAnalyzer in a High Availability (HA) setup

Troubleshooting Tip: FortiAnalyzer HA configurations that will not synchronize

Technical Tip: FortiManager HA cluster setup and troubleshooting