FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
farhanahmed
Staff
Staff
Article Id 296998
Description

 

This article describes how to authorize FortiGates on managed FortiAnalyzer for ADOMs not managed by FortiManager.

 

Scope

 

FortiAnalyzer, FortiManager.

 

Solution

 

  • If the 'root' ADOM of FortiAnalyzer is not being managed by FortiManager, new unauthorized devices showing up in the 'root' ADOM can be authorized to any ADOM (that is not managed by FortiManager).
  • If the 'root' ADOM of FortiAnalyzer is being managed by FortiManager, it will not allow to authorize any devices in FortiAnalyzer unless:
    1. The ADOM is unlocked.
    OR
    2. The FGT is added to FortiManager first.

 

  1. Unlock a locked ADOM in FortiAnalyzer:

When FortiAnalyzer is added to a FortiManager ADOM, the same name ADOM on FortiAnalyzer is created (if not already exist). The ADOM is then locked, showing a Red padlock beside the name of the ADOM in FortiAnalyzer -> System Settings -> ADOMs.

 

1.png

 

  • This lock then prevents devices from being authorized to that ADOM and in the case of the 'root' ADOM of FortiAnalyzer, it prevents to authorize any device in FortiAnalyzer.
  • The lock can be removed by using the below command in FortiAnalyzer CLI:

 

dia dvm adom unlock <ADOM NAME>

 

2.png

 

  • The lock is now removed from the ADOM:

 

3.png

 

  • Unauthorized devices showing up in FortiAnalyzer 'root' ADOM can be authorized to any unlocked FortiAnalyzer ADOM.

 

4.png

 

  • The ADOM '72' is still NOT showing up in this list, because it is still locked.
  • Even though now FortiAnalyzer will allow to authorize the devices to 'root' ADOM. It is NOT recommended to authorize a device to a managed FortiAnalyzer ADOM and not to add it to FortiManager as well. This will cause sync issues.
  • The ADOM will be logged again by Refreshing the FortiAnalyzer in FortiManager. Refer to this article KB article: Technical Tip: How to relock an ADOM on FortiAnalyzer that is managed by FortiManager.

 

5.png

 

 

  1. Adding FortiGate to FortiManager first:
  • Add the FortiGate to FortiManager using the 'Add Device' option (in the ADOM where FortiAnalyzwer is already added).

Adding online devices using Discover mode

 

OR

 

  • Enable the central-management config on the FortiGate. Authorize it in FortiManager.

Technical Tip: How to register a FortiGate to a FortiManager from CLI

 

6.png

 

  • The FortiGate will automatically also show up in FortiAnalyzer ADOM as well.

 

7.png

 

  • The status of FortiGate might still be shown as down in FortiAnalyzer.
  • Enable the logging connector on the FortiGate either via GUI under Security Fabric -> Fabric Connectors -> Logging or CLI (can also make the change via FortiManager and push the config to the FortiGate ).
  • The below image shows how to make the change via CLI, it has automatically fetched the serial number of the FortiAnalyzer, press 'y' after confirming the serial of FortiAnalyzer.

 

8.png

 

  • Then the FortiGate status will show as UP in FortiAnalyzer too.

 

9.png

 

Related articles:

Technical Tip: Using FortiManager to manage FortiAnalyzer devices and Adoms

Technical Tip: How to relock an ADOM on FortiAnalyzer that is managed by FortiManager

Technical Tip: Delete device from FortiAnalyzer managed by FortiManager