mantaransingh_FTNT
Article Id 193398

Description

This article describes how a FortiAnalyzer can be added to an ADOM on a FortiManager to provide a single pane of glass for log analysis and configuration management for that ADOM.

Although logs are still stored on the FortiAnalyzer device, they can be viewed on the FortiManager. Once the FortiAnalyzer is added to the FortiManager, that ADOM on the FortiAnalyzer is locked and can only be changed by the FortiManager.


Scope

- Only one ADOM of a FortiAnalyzer can be managed/synchronized by a given ADOM of a FortiManager.

- Only one FortiAnalyzer can be added to each FortiGate ADOM on a FortiManager.


Expectations, Requirements

- FortiManager needs to be in Normal ADOM mode.

- FortiAnalyzer features need to be disabled globally on the FortiManager.

- FortiAnalyzer and FortiManager should have the same ADOM type. The preferred type is “Fabric”.

- FortiManager access needs to be enabled on the FortiAnalyzer interface (see screenshot below).
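The same prerequisites expressed on the CLI, as an added example that is not part of the original article. The option names are assumptions taken from the FortiManager and FortiAnalyzer CLI references (`adom-mode` and `faz-status` under `config system global` on the FortiManager; `allowaccess` with the `fgfm` service on the FortiAnalyzer interface); confirm them against the CLI reference for the release in use, and replace `port1` with the interface the FortiManager actually reaches.

```text
# FortiManager: Normal ADOM mode with ADOMs enabled, and the built-in
# FortiAnalyzer features switched off (assumed option names, see lead-in).
config system global
    set adom-status enable
    set adom-mode normal
    set faz-status disable
end

# FortiAnalyzer: permit FortiManager (FGFM) connections on the interface
# that the FortiManager reaches. 'set allowaccess' replaces the whole
# list, so keep the services already in use (https, ssh, ...) next to fgfm.
config system interface
    edit "port1"
        set allowaccess https ssh fgfm
    next
end
```

Keep the allowaccess list as narrow as the deployment needs: fgfm only has to be open on the interface facing the FortiManager, not on every interface of the FortiAnalyzer.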

 


Configuration

Below are the steps to add a FortiAnalyzer to a FortiManager.

1) Add Device -> Add FortiAnalyzer:

Under Add Device -> Add FortiAnalyzer, specify the IP of the FortiAnalyzer to add.

 
2) When adding the FortiAnalyzer to an ADOM on the FortiManager, if that ADOM does not exist yet on the FortiAnalyzer, the option to add the ADOM to the FortiAnalyzer is presented (see screenshot below):

[Screenshot: prompt to add the ADOM to the FortiAnalyzer]

If the ADOMs match, FortiManager syncs the ADOM and device settings.

 

3) Now we can see the FortiAnalyzer tabs in FortiManager:

 

4) FortiAnalyzer ADOM is locked by FortiManager:

 

Scenarios of adding FortiAnalyzer to FortiManager:

 

1) If FortiAnalyzer ADOM X contains FortiGate-A (5.4) and this FortiAnalyzer is added to FortiManager ADOM X (5.6), then FortiGate-A will not be added. Starting with version 6.2 this is no longer the behavior. For example, if FortiAnalyzer ADOM X contains FortiGate-A on version 6.2.7 and this FortiAnalyzer is added to FortiManager ADOM X with version 7.0, the FortiGate is added without any issue.

 

2) If FortiGate-A is logging to ADOM X, FortiAnalyzer is added in ADOM Y in FortiManager, and FortiGate-A is added for management in FortiManager ADOM Y, then in this scenario FortiGate-A will still stay in ADOM X in FortiAnalyzer.

 

3) If the FortiAnalyzer is deleted from the ADOM in FortiManager, the FortiGate devices that were imported into FortiManager will stay there.

 

4) If a new ADOM was created on the FortiAnalyzer by the FortiManager while adding the FortiAnalyzer, that ADOM stays on the FortiAnalyzer even if the FortiAnalyzer is removed from the FortiManager ADOM.

 

5) If the FortiAnalyzer ADOM type (Fabric) mismatches the FortiManager ADOM type (FortiGate), the FortiManager detects the ADOM type mismatch and prompts to change the FortiManager ADOM type to match the FortiAnalyzer, as shown in the screenshot below.

[Screenshot: FortiManager prompt to change the ADOM type to match the FortiAnalyzer]

However, a FortiAnalyzer with ADOM type (FortiGate) and a FortiManager with ADOM type (Fabric) shows the error below.

[Screenshot: ADOM type mismatch error]

Solution: This cannot be synchronized automatically by the FortiManager. Create a new ADOM with the same ADOM type and move the device to the newly created ADOM.

 

6) If the FortiManager already has the FortiGate in its dvm db and an attempt is made to import it into a different ADOM, it throws the error “A device with serial number 'FGXXXXXXX' already exists.”.

Solution: Move the FortiGate to the correct ADOM before adding the FortiAnalyzer.

Troubleshooting

 

If FortiAnalyzer ADOM needs to be unlocked, use:

 

# diagnose dvm adom unlock <adom>

Debugging:

 

- FGFM is used to discover the FortiAnalyzer and to display the FortiGate log files from the FortiAnalyzer upon operator action on the FortiManager.

 

# diag deb application fgfm 255 <FAZ_name>

 

- The following debug commands can also be used on both the FortiManager and the FortiAnalyzer during device discovery and log viewing.

 

# diagnose debug service dvmdb 255
# diagnose debug service main 255
# diagnose debug service task 255 

 

On FortiAnalyzer:

- Logs shown on the FortiManager are retrieved using the JSON API, which is tunneled within FGFM.

This traffic is visible by sniffing the loopback address on the any interface:

 

# diagnose sniffer packet any 'host 127.0.0.1 and port 80' 3

 

- Configuration changes made by the FortiManager to the FortiAnalyzer can be viewed with CLI debugging.

 

# diagnose debug cli 5

 

On FortiGate:

- FortiAnalyzer logs can be viewed directly from the FortiGate as if they were stored locally.

These are retrieved from the FortiAnalyzer using OFTP.

# diagnose debug application miglogd 255

Sniffing on TCP port 514:
# diagnose sniffer packet any 'port 514' 3
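A complete FortiGate debugging session for the OFTP log retrieval described above, as an added example rather than commands from the original article. It assumes the FortiAnalyzer address is substituted for the `<FAZ_IP>` placeholder. Two points the bare commands above do not show: application debug levels print nothing until `diagnose debug enable` is issued, and the level should be reset once the capture is done.

```text
# Capture only the traffic between this FortiGate and the FortiAnalyzer.
# <FAZ_IP> is a placeholder for the FortiAnalyzer address; verbosity 3
# prints headers and payload. Ctrl-C stops the capture.
diagnose sniffer packet any 'host <FAZ_IP> and tcp port 514' 3

# Application debugging produces no output until debug output is enabled.
diagnose debug application miglogd 255
diagnose debug enable
#   ... open the FortiAnalyzer log view in the FortiGate GUI and reproduce ...

# Switch debugging back off: level 255 is verbose and costs CPU.
diagnose debug application miglogd 0
diagnose debug disable
diagnose debug reset
```

The same `diagnose debug enable` / `diagnose debug reset` pair applies to the fgfm, dvmdb, main and task debug commands listed above for the FortiManager and FortiAnalyzer.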

 

Related topic:

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Delete-unit-from-Fortianalyzer-managed...