Article Id 223118



This article describes the configuration changes required on FortiManager and FortiAnalyzer to allow the FortiManager to act as a FortiGuard server for the FortiAnalyzer.




During the initial installation, a new FortiManager/FortiAnalyzer VM connects to the FortiCare server to download the contract information.




To set up a new FortiAnalyzer VM:

First, upload the license file.


Then the FortiAnalyzer will try to connect to the FortiCare servers.




At this point one has two options:


  1. Upload the Entitlement File to the FortiAnalyzer / FortiManager directly.
  2. Override the FDS settings of the device so that it points to a local FortiManager that is acting as a FortiGuard server.


This article will start with the first scenario.


Note: any change to the IP address of the FortiAnalyzer / FortiManager that the license is tied to will require a new Entitlement File.


Connect through the CLI to upload the Entitlement File (how to request one can be found in the links at the end of the article).


execute fmupdate ftp import license "Entitlement_filename" "FTP_IP_addr" "/" "ftp_user" "ftp_pwd"


Example of this command below:


execute fmupdate ftp import license "EntitlementExport-2022-08-30T190500.229" "" "/" "test1" "test1"

This operation will replace the current package!

Do you want to continue? (y/n)y


Start getting file from FTP Server...

Transferred 0.002M of 0.002M in 0:00:00s (0.014M/s)

FTP transfer is successful.

Package installation is in process... This could take some time.

Update successfully


Note: command parameters are case-sensitive, and every parameter is always enclosed in quotes, as in this example: 'my_Account'.


Update: from version 7.2.2, this step can also be done through the Install wizard.





To review whether the upload was successful, use the 'diagnose fmupdate dbcontract' command.


diagnose fmupdate dbcontract

  Contract:  6

  Contract Raw Data:


After this step, the web page of the FortiAnalyzer/FortiManager needs to be reloaded.




Troubleshooting steps:


If the upload fails, a packet capture can be taken for the transfer protocol that was selected.

Two CLI console connections will be needed.

The first connection is required to start a packet capture. The second connection will be used to initiate the download of the entitlement file again.

If the selected protocol is TFTP, refer to the example below.


diagnose sniffer packet any 'udp and port 69' 3 0 a
filters=[udp and port 69]


The second option: FortiManager acting as the FortiGuard server.


First, set up the FortiManager. The FortiManager version should be 6.2.x or newer.

config system interface
    edit "port2"
        set ip
        set serviceaccess fgtupdates fclupdates webfilter-antispam
        config ipv6
            set ip6-autoconf disable
        end
    next
end


config fmupdate service
    set query-antispam enable
    set webfilter-https-traversal enable
end


To verify that the port is listening, type the following command.


diagnose fmnetwork netstat list

Active Internet connections (servers and established)

tcp        0      0 :::8890                 :::*                    LISTEN


After taking all of these steps, add the Entitlement File from the GUI (go to FortiGuard -> Settings -> Service License -> Upload) or upload it through the CLI as shown in the previous section of this article.


diagnose fmupdate dbcontract

--- output omitted ---


Next, point the FortiAnalyzer at the FortiManager as its FDS server:


From the FortiAnalyzer, set the following commands:

config fmupdate server-override-status
    set mode strict
end


config fmupdate fds-setting
    config server-override
        set status enable
        config servlist
            edit 1
                set ip <---- FortiManager IP.
                set port 8890
            next
        end
    end
end






To review whether the settings are correct, use the command below.


diagnose fmupdate view-serverlist fds

Fortiguard Server Comm : Enabled
Server Override Mode   : Strict
FDS   server list      :
Index   Address                    Port            TimeZone        Distance        Source
*0                 8890            1               0               CLI


If a second CLI connection to the FortiAnalyzer is kept open, the FDS connectivity log can be observed with the command below:


diagnose fmupdate view-linkd-log fds

2022/09/01_12:14:53.857 info    fds_svrd[1003]: Send subshm update notification to fgdsvrd

2022/09/01_12:14:53.860 warn    fds_svrd[1003]: *** Set forticlient max number: 50000

2022/09/01_12:14:53.860 info    fds_svrd[1003]: update_downstream_fct_fect, 543: update file /var/fds/data/downstream_fct_fect.dat

2022/09/01_12:15:03.970 info    fds_svrd[1003]: Start fds client session to '', task = SELPOLL svc=0

2022/09/01_12:15:03.990 info    fds_svrd[1003]: [FMG-->FDS] Request: Protocol=4.0|Command=SelectivePoll|Firmware=FAZVM64-FW-7.02-1215|SerialNumber=FAZ-VMTM22011525|Persistent=false|DataItem=01000000CATL00000-00000.00000-0000000000*00000000FDNI00000-00000.00000-0000000000*04000000OBLT00000-00000.00000-0000000000*03001000SRUL00000-00000.00000-0000000000*03001000BREG00000-00000.00000-0000000000*01000000BLDV00000-00000.00000-0000000000*01000000OBJL00000-00000.00000-0000000000*01000000FMGI00000-00000.00000-0000000000*00000000IMLT00000-00000.00000-0000000000*01000000ALCI00000-00000.00000-0000000000|AcceptDelta=0|ContractItem=FAZ-VMTM22011525|__FMG2FMGVersion=1.0|__FMG2FMGService=FGT^M ^M

2022/09/01_12:15:04.041 info    fds_svrd[1003]: FCP_CONN:: receiving package: num_objects=1 total_size=240

2022/09/01_12:15:04.041 info    fds_svrd[1003]: FCP_CONN:: received object: id=04000000FCPR00000 ver=00000.00000-0000000000 size=112

2022/09/01_12:15:04.041 info    fds_svrd[1003]: [FDS-->FMG] Response: Protocol=4.0|Firmware=FMG-VM64-FW-6.04-2253|SerialNumber=FMG-VMTMxxxxxx|Response=400|Persistent=false^M ^M

2022/09/01_12:15:04.041 error   fds_svrd[1003]: Got error response from fds: code = 400

2022/09/01_12:15:04.042 info    fds_svrd[1003]: Check update with fds SUCCESS


During the first connection to the FortiManager it is normal to receive error code 400.

To clear it, restart the FDS service.


diagnose fmupdate service-restart fds

This operation will restart the selected service.

Do you want to continue? (y/n)y


diagnose fmupdate view-linkd-log fds

2022/09/01_12:19:45.415 info    fds_svrd[1003]: Start fds client session to '' by indicated request.

2022/09/01_12:19:45.433 info    fds_svrd[1003]: [FMG-->FDS] Request: Protocol=3.0|Command=VMSetup|Firmware=FAZVM64-FW-7.02-1215|SerialNumber=FAZ-VMTM22011525|Uid=bb133442-db28-7dbb-f960-273d7ec41fd6|Language=en-US|UpdateMethod=1|__FMG2FMGVersion=1.0|__FMG2FMGService=FGT^M ^M

2022/09/01_12:19:45.556 info    fds_svrd[1003]: FCP_CONN:: receiving package: num_objects=1 total_size=240

2022/09/01_12:19:45.556 info    fds_svrd[1003]: FCP_CONN:: received object: id=04000000FCPR00000 ver=00000.00000-0000000000 size=112

2022/09/01_12:19:45.557 info    fds_svrd[1003]: [FDS-->FMG] Response: Protocol=3.0|Firmware=FMG-VM64-FW-6.04-2253|SerialNumber=FMG-VMTMxxxxx|Response=200|Persistent=false^M ^M

2022/09/01_12:19:45.557 info    fds_svrd[1003]: Send setup to fds SUCCESS
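As an added example (not part of the article or of Fortinet's tooling), the following Python parser reads the 'diagnose fmupdate view-linkd-log fds' output shown above, pairs each FMG-->FDS request with the FDS-->FMG response that follows it, and reports whether the most recent session still ended with a non-200 code such as the 400 seen on first contact. The log lines embedded in it are constructed to mirror the article's output; the serial numbers are placeholders.

```python
import re

# Constructed sample modelled on the article's "diagnose fmupdate view-linkd-log fds"
# output; serial numbers are placeholders and the trailing "^M ^M" mirrors the real log.
SAMPLE_LOG = """\
2022/09/01_12:15:03.990 info    fds_svrd[1003]: [FMG-->FDS] Request: Protocol=4.0|Command=SelectivePoll|Firmware=FAZVM64-FW-7.02-1215|SerialNumber=FAZ-VMTMxxxxxxxx|Persistent=false^M ^M
2022/09/01_12:15:04.041 info    fds_svrd[1003]: [FDS-->FMG] Response: Protocol=4.0|Firmware=FMG-VM64-FW-6.04-2253|SerialNumber=FMG-VMTMxxxxxx|Response=400|Persistent=false^M ^M
2022/09/01_12:15:04.041 error   fds_svrd[1003]: Got error response from fds: code = 400
2022/09/01_12:19:45.433 info    fds_svrd[1003]: [FMG-->FDS] Request: Protocol=3.0|Command=VMSetup|Firmware=FAZVM64-FW-7.02-1215|SerialNumber=FAZ-VMTMxxxxxxxx|UpdateMethod=1^M ^M
2022/09/01_12:19:45.557 info    fds_svrd[1003]: [FDS-->FMG] Response: Protocol=3.0|Firmware=FMG-VM64-FW-6.04-2253|SerialNumber=FMG-VMTMxxxxxx|Response=200|Persistent=false^M ^M
"""

# One request or response line: timestamp, level, daemon, direction tag, kind, payload.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\w+\s+fds_svrd\[\d+\]: "
    r"\[(?P<direction>FMG-->FDS|FDS-->FMG)\] (?P<kind>Request|Response): (?P<payload>.*)$"
)


def parse_fields(payload: str) -> dict:
    """Split the pipe-separated key=value payload, dropping the literal ^M CR markers."""
    fields = {}
    for item in payload.replace("^M", "").strip().split("|"):
        key, _, value = item.partition("=")
        fields[key] = value
    return fields


def parse_sessions(log: str) -> list:
    """Pair each FMG-->FDS request with the FDS-->FMG response that follows it."""
    sessions, current = [], None
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # status lines such as "Got error response" carry no payload
        fields = parse_fields(match.group("payload"))
        if match.group("kind") == "Request":
            current = {"time": match.group("ts"), "command": fields.get("Command"), "request": fields}
            sessions.append(current)
        elif current is not None and "response" not in current:
            current["response"] = fields
            current["code"] = int(fields.get("Response", "0"))
    return sessions


def needs_fds_restart(sessions: list) -> bool:
    """True when the latest answered session did not end with code 200 (for example the
    400 seen on first contact), which the article resolves with 'service-restart fds'."""
    codes = [s["code"] for s in sessions if "code" in s]
    return bool(codes) and codes[-1] != 200
```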


Related articles: