FortiAnalyzer
mkannan
Staff
Article Id 219808

Description

 

This article describes how to configure FortiAnalyzer HA and how to troubleshoot issues with it.

 

Scope

 

FortiAnalyzer.

 

Solution

 

Prerequisites:

  • A Layer 2 connection between the Primary and Secondary FortiAnalyzer is mandatory: the cluster virtual IP is advertised with VRRP, which relies on Layer 2 adjacency between the members.
  • If the Primary and Secondary FortiAnalyzer are in different locations, they must be connected by a link that extends Layer 2 between the sites (for example, an MPLS link).
  • FortiAnalyzer HA uses VRRP for the floating (virtual) IP shared by the cluster members.
  • Each FortiAnalyzer that will be part of the VRRP HA cluster must have a valid product license.

 

Sample diagram with port and IP configuration (image not reproduced).

 

Note:

The cluster virtual IP must be identical on the Primary and Secondary devices.

 

On the Primary FortiAnalyzer, go to System Settings -> HA and set Operation mode to 'High Availability'.

 


In v7.4.x and later, the Operation mode options are 'Active-Passive' and 'Active-Active':

  • Active-Passive: a Layer 2 connection is required between the HA members so that the cluster virtual IP can be set up.
  • Active-Active: a Layer 2 connection is not required between data centers at different locations, so this mode can be used to build a geo-redundant solution.

 


 

Configure the following details:

 

Preferred Role: Primary.

 

Cluster Virtual IP:

  • Interface: port1.
  • IP Address: 10.109.21.123 (make sure this address is not already in use anywhere on the network).

 

Cluster Settings:

  • Peer IP: 10.123.5.198 (Secondary FortiAnalyzer IP address).
  • Peer SN: FAZVMXXXXXX (Secondary FortiAnalyzer Serial Number).

 

Group Name: HA (any name can be used, but it must be identical on Primary and Secondary).

Group ID: 9 (any number from 1 to 255, identical on Primary and Secondary).

Password: Fortinet@123 (sample value; any password can be used, but it must be identical on Primary and Secondary, and a strong one should be chosen in production).

Heartbeat Interval: 1 (seconds).

Priority: 120 (the member with the higher value is preferred as Primary).

Log Data Sync: enable the toggle.

 


 

 

On the Secondary FortiAnalyzer, go to System Settings -> HA and set Operation mode to 'High Availability'.

 


 

 

Configure the following details:

 

Preferred Role: Secondary.

 

Cluster Virtual IP:

  • Interface: port1.
  • IP Address: 10.109.21.123 (the same virtual IP as on the Primary; make sure it is not already in use anywhere on the network).

 

Cluster Settings:

  • Peer IP: 10.123.5.189 (Primary FortiAnalyzer IP address).
  • Peer SN: FAZVMXXXXXX (Primary FortiAnalyzer Serial Number).

 

Group Name: HA (any name can be used, but it must be identical on Primary and Secondary).

Group ID: 9 (any number from 1 to 255, identical on Primary and Secondary).

Password: Fortinet@123 (sample value; must be identical to the password set on the Primary).

Heartbeat Interval: 1 (seconds).

Priority: 100 (lower than the Primary's value, so this member is preferred as Secondary).

Log Data Sync: enable the toggle.

 


 

After both members are configured, the cluster status is shown in the GUI under System Settings -> HA on each device.

  


 

 

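Most cluster-formation problems come down to a value that is not identical on both members, or a peer entry that points at the wrong device. The following Python script is an added example (not part of this article or of Fortinet's software) that checks this before any deeper troubleshooting: it parses 'config system ha' text for both members, in the layout printed by 'show system ha', and verifies that the settings which must match do match (group name, group ID, VIP, VIP interface, heartbeat interval, log sync), that the preferred roles are complementary, that the higher priority sits on the preferred Primary, and that each member's peer entry names the other member's IP and serial number. The attribute names, serial numbers and addresses in the samples are assumed and constructed; compare them with the real 'show system ha' output before relying on the script. The HA password is stored encrypted, so it cannot be compared this way; re-enter it on both members if the cluster still does not form.

```python
"""Cross-check the HA settings of a FortiAnalyzer pair before deeper troubleshooting.

Added example, not Fortinet code. It parses 'config system ha' text in the layout
printed by 'show system ha'; the attribute names used here are assumed and should
be checked against the member's own output.
"""
import shlex

# Constructed sample for the Primary member; serials and IPs are placeholders.
PRIMARY_HA = """\
config system ha
    set mode a-p
    set group-name "HA"
    set group-id 9
    set hb-interval 1
    set preferred-role primary
    set priority 120
    set vip 10.109.21.123
    set vip-interface port1
    set log-sync enable
    config peer
        edit 1
            set ip 10.123.5.198
            set serial-number "FAZVM0000000002"
        next
    end
end
"""
# The Secondary differs only in role, priority and the peer it points at.
SECONDARY_HA = (PRIMARY_HA.replace("preferred-role primary", "preferred-role secondary")
                .replace("priority 120", "priority 100")
                .replace("set ip 10.123.5.198", "set ip 10.123.5.189")
                .replace("FAZVM0000000002", "FAZVM0000000001"))

# Settings that must be identical on both members. The password is stored encrypted
# in the config, so it cannot be compared here; re-enter it on both members if in doubt.
MUST_MATCH = ("mode", "group-name", "group-id", "hb-interval", "vip", "vip-interface", "log-sync")


def parse_ha(text):
    """Return the 'set' values as a dict, with the 'config peer' entries under key 'peer'."""
    cfg, peers, cur, in_peer = {}, [], None, False
    for raw in text.splitlines():
        tok = shlex.split(raw)                      # shlex strips the quotes around values
        if not tok:
            continue
        if tok[:2] == ["config", "peer"]:
            in_peer = True
        elif tok[0] == "edit" and in_peer:
            cur = {}
            peers.append(cur)
        elif tok[0] == "set" and len(tok) >= 3:
            (cur if in_peer and cur is not None else cfg)[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "end" and in_peer:
            in_peer = False
    cfg["peer"] = peers
    return cfg


def member(name, ip, serial, ha_text):
    """One member: management IP, its own serial (from 'get system status') and its HA config."""
    return {"name": name, "ip": ip, "serial": serial, "cfg": parse_ha(ha_text)}


def check_pair(a, b):
    """Return a list of findings; an empty list means the two configs are consistent."""
    out, ca, cb = [], a["cfg"], b["cfg"]
    for key in MUST_MATCH:
        if ca.get(key) != cb.get(key):
            out.append(f"{key} differs: {a['name']}={ca.get(key)!r}, {b['name']}={cb.get(key)!r}")
    roles = {ca.get("preferred-role"), cb.get("preferred-role")}
    if roles != {"primary", "secondary"}:
        out.append(f"preferred-role must be one primary and one secondary, got {sorted(map(str, roles))}")
    # VRRP elects the highest priority, so it must sit on the member meant to be Primary.
    prim, sec = (a, b) if ca.get("preferred-role") == "primary" else (b, a)
    if int(prim["cfg"].get("priority", 0)) <= int(sec["cfg"].get("priority", 0)):
        out.append(f"priority on {prim['name']} is not higher than on {sec['name']}")
    # Each member's single peer entry must name the other member's IP and serial.
    for me, other in ((a, b), (b, a)):
        peers = me["cfg"]["peer"]
        if len(peers) != 1:
            out.append(f"{me['name']}: expected exactly one peer entry, found {len(peers)}")
            continue
        if peers[0].get("ip") != other["ip"]:
            out.append(f"{me['name']}: peer ip {peers[0].get('ip')} is not {other['name']} ({other['ip']})")
        if peers[0].get("serial-number") != other["serial"]:
            out.append(f"{me['name']}: peer serial {peers[0].get('serial-number')} is not {other['name']}'s serial")
    if ca.get("vip") in (a["ip"], b["ip"]):
        out.append("cluster VIP must be a free address, not a member's own interface IP")
    return out


if __name__ == "__main__":
    faz1 = member("FAZ-Primary", "10.123.5.189", "FAZVM0000000001", PRIMARY_HA)
    faz2 = member("FAZ-Secondary", "10.123.5.198", "FAZVM0000000002", SECONDARY_HA)
    for line in check_pair(faz1, faz2) or ["HA settings are consistent on both members"]:
        print(line)
```

Paste each member's 'show system ha' output into the two sample strings and fill in the member IPs and serial numbers from 'get system status'; every finding printed is something the GUI configuration above requires to be identical or complementary.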

 

Troubleshooting Commands:

 

On Primary-FortiAnalyzer:

 

diag ha status

 


 

get system ha

 


 

 On Secondary-FortiAnalyzer:

 

diag ha status

 


 

get system ha

 


 

These two commands show the current HA status and the configured values; compare their output on both members when troubleshooting FortiAnalyzer HA.

 

Restart the Cluster Process and collect its debug output:

 

After checking the configuration settings, restart the clustering process on both Primary & Secondary devices.

 

diagnose test application clusterd 1

diagnose test application clusterd 99

 

If the HA members are located at different sites, unicast HA can be enabled with the following commands:

 

config sys ha
    set unicast enable
end

 

If the initial log sync has completed but the configuration has not synced, force a resync of the configuration. Run the command on both the Secondary and the Primary:

diag ha force-resync

 

Also, collect the cluster debug output on both Primary and Secondary devices (disable the debug again once the output has been collected):

 

diagnose debug application clusterd 255

diagnose debug enable

 


The command below shows the live HA connection status, including the keep-alive messages exchanged between the members:

 

diag ha dump-datalog

 

Additional troubleshooting commands:

 

diag ha status
diag ha stats
diag test app cluster 1
diag test app cluster 3 conn
diag test app cluster 3 log
diag test app cluster 97 status

 

execute shell

 

cat /etc/keepalived/keepalived.cfg
cat /drive0/private/clusterd/faz-ha.log
cat /drive0/private/clusterd/keepalived.log

 

Replace portX with the interface that carries the cluster VIP (port1 in this example). VRRP advertisements are sent to multicast 224.0.0.18 as IP protocol 112 (with unicast HA enabled, they go to the peer address instead). In a healthy cluster only the member that currently holds the VIP sends them, so advertisements arriving from both members point to a broken heartbeat path between the devices.

diag sniff packet portX "vrrp" 3
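To interpret that sniffer output without decoding hex by hand, the following Python script is an added example (not from this article or from Fortinet): it rebuilds the frames from the verbosity-3 hex dump, strips the Ethernet and IPv4 headers, decodes each VRRPv2 advertisement (VRID, priority, advertised address, checksum) and groups the advertisements by VRID. The capture embedded in it is constructed: one advertisement from each member, both claiming VRID 9 and the cluster VIP, which is what a broken heartbeat path looks like, since in VRRP only the master advertises. The timestamps, MAC addresses and the sniffer line layout are assumptions, as is the use of VRRP version 2; a VRRPv3 packet is rejected with an error rather than mis-decoded.

```python
"""Decode VRRP advertisements from a 'diag sniff packet port1 "vrrp" 3' dump.

Added example, not Fortinet code. Assumes the sniffer's verbosity-3 layout (an
offset column such as 0x0010, 16-bit hex groups, then an ASCII column) and that
the cluster VIP is advertised with VRRPv2; VRRPv3 is not handled.
"""
import re
import socket
import struct

HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4})\s+(.*)$")

# Constructed capture: one advertisement from each member, both claiming VRID 9.
# In a healthy cluster only the VRRP master (the member holding the VIP) advertises.
PRIMARY_ADVERT = """\
2022-08-04 16:23:34.123456 port1 -- 10.123.5.189 -> 224.0.0.18:  ip-proto-112
0x0000   0100 5e00 0012 0009 0faa bbcc 0800 45c0        ..^.........E.
0x0010   0028 0000 0000 ff70 ca5b 0a7b 05bd e000        .(......Z.{.....
0x0020   0012 2109 7801 0001 470c 0a6d 157b 0000        ..!.x...G..m.{..
0x0030   0000 0000 0000                                  ......
"""
SECONDARY_ADVERT = """\
2022-08-04 16:23:34.654321 port1 -- 10.123.5.198 -> 224.0.0.18:  ip-proto-112
0x0000   0100 5e00 0012 0009 0fdd eeff 0800 45c0        ..^.........E.
0x0010   0028 0000 0000 ff70 ca52 0a7b 05c6 e000        .(......R.{.....
0x0020   0012 2109 6401 0001 5b0c 0a6d 157b 0000        ..!.d...[..m.{..
0x0030   0000 0000 0000                                  ......
"""
SAMPLE_CAPTURE = PRIMARY_ADVERT + SECONDARY_ADVERT


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def frames_from_sniffer(text: str):
    """Rebuild raw Ethernet frames from the hex dump; a new frame starts at offset 0x0000."""
    frames, cur = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue                                 # timestamp/header lines are skipped
        if m.group(1) == "0000" and cur:
            frames.append(bytes(cur))
            cur = bytearray()
        for tok in m.group(2).split()[:8]:           # at most 8 groups; the ASCII column follows
            if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,2}", tok):
                break
            cur += bytes.fromhex(tok)
    if cur:
        frames.append(bytes(cur))
    return frames


def vrrp_from_frame(frame: bytes):
    """Strip Ethernet and IPv4 headers; return (src_ip, vrrp_payload), or None if not protocol 112."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 112:
        return None
    if inet_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum: mistyped or truncated dump?")
    return socket.inet_ntoa(ip[12:16]), ip[ihl:total_len]   # total_len drops Ethernet padding


def decode_vrrp(payload: bytes) -> dict:
    """Parse a VRRPv2 advertisement (RFC 3768 header layout)."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, prio, count, auth, adver, _ = struct.unpack("!BBBBBBH", payload[:8])
    if vt != 0x21:                                   # version 2, type 1 (ADVERTISEMENT)
        raise ValueError(f"not a VRRPv2 advertisement (version/type byte {vt:#04x})")
    if len(payload) < 8 + 4 * count:
        raise ValueError("truncated address list")
    vips = [socket.inet_ntoa(payload[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver, "auth_type": auth,
            "vips": vips, "checksum_ok": inet_checksum(payload) == 0}


def analyze(text: str, expected_vip: str):
    """Group advertisements by VRID; flag a dual-master condition or a foreign VRRP instance."""
    senders, findings = {}, []
    for frame in frames_from_sniffer(text):
        hit = vrrp_from_frame(frame)
        if hit is None:
            continue
        src, payload = hit
        adv = decode_vrrp(payload)
        if not adv["checksum_ok"]:
            findings.append(f"{src}: VRRP checksum mismatch")
        if expected_vip not in adv["vips"]:
            findings.append(f"{src}: VRID {adv['vrid']} advertises {adv['vips']}, not the cluster VIP {expected_vip}")
        senders.setdefault(adv["vrid"], {})[src] = adv["priority"]
    for vrid, by_src in sorted(senders.items()):
        if len(by_src) > 1:
            findings.append(f"VRID {vrid}: advertisements from {sorted(by_src)}; only the master should send, "
                            "so both members believe they hold the VIP (heartbeat path broken?)")
    return senders, findings


if __name__ == "__main__":
    senders, findings = analyze(SAMPLE_CAPTURE, "10.109.21.123")
    print("senders by VRID:", senders)
    for f in findings:
        print("FINDING:", f)
```

Paste a few seconds of real sniffer output in place of the constructed capture and pass the configured cluster VIP; a second VRID on the segment, or a VRID 9 advertisement carrying a different address, means another VRRP instance is using the same segment, which is why the virtual IP must be unused anywhere else on the network.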

 

Related documents: 

Setting up a FortiAnalyzer HA cluster

Troubleshooting Tip: FortiAnalyzer HA could not be performed with specific error message 'Firmware v...

Technical Tip: How to configure FortiAnalyzer HA instance in Google Cloud Platform (GCP)

Technical Tip: File system check on FortiAnalyzer in a High Availability (HA) setup

Troubleshooting Tip: FortiAnalyzer HA configurations that will not synchronize