FortiAnalyzer
mrafat
Staff
Article Id 200734
Description This article describes how to resolve logs queued on a FortiAnalyzer-VM when the FortiGate holds the wrong FortiAnalyzer serial number (the FAZ-VM trial serial) because of a license problem on the FortiAnalyzer.
Scope FortiAnalyzer-VM
Solution
  1. Verify the FortiAnalyzer settings on the FortiGate (go to Fabric Connectors -> FortiAnalyzer Logging).
  2. Click Test Connectivity to check the connection status. The logs show as queued, as below:
    mrafat_0-1639126940284.png
  3. When Apply is clicked on the same page, the following notification message may appear:
    mrafat_0-1639132658772.png
  4. Validate that the FortiAnalyzer serial number on the FortiGate is not the trial serial (FAZ-VM0000000001), as below:
    mrafat_2-1639132769740.png
    Note:

    In some scenarios, the output of the above command shows the FortiAnalyzer serial as FAZ-VM000000001.

  5. Test the connectivity from the FortiGate to the FortiAnalyzer and notice that the FortiAnalyzer serial number appears as FAZ-VM0000000001:
    mrafat_0-1639132899386.png
  6. This indicates that the serial number in the FortiAnalyzer's local certificate does not match the actual FortiAnalyzer serial number: the certificate still carries the trial serial, which is why the FortiGate's certificate verification rejects the connection and the logs stay queued.
  7. To resolve the issue, there are two options:
    a. First solution (workaround):
    • Disable certificate verification on the FortiGate, through either the CLI or the GUI. With verification disabled the FortiGate no longer checks that the host it sends logs to is the expected FortiAnalyzer, so treat this as a temporary workaround, prefer the second solution, and re-enable verification once the license has been corrected.

    On CLI:

    mrafat_1-1639133001562.png
    On GUI:
    mrafat_2-1639133033153.png

    b. Second solution:

    • Re-apply the FortiAnalyzer license downloaded from the Fortinet Support portal on the FortiAnalyzer. Re-applying the license restores the correct VM serial number.
    • This process reboots the FortiAnalyzer; the FortiGate keeps caching the logs so that it can send them once the FortiAnalyzer is back online.

    Check the cached logs before and after applying the license, as below:

    mrafat_0-1639133323063.png
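
    As an added example (not from this article or from Fortinet), the Python script below audits a FortiGate 'config log fortianalyzer setting' block for the two states discussed above: the FortiAnalyzer serial still being the FAZ-VM trial serial, and certificate verification left disabled after the first workaround. The two config texts are constructed samples; the FortiAnalyzer address 10.109.52.39 and the licensed serial FAZ-VMTM21000123 are placeholders, not the article's devices. The trial-serial check also accepts the shorter spelling quoted in the note above.

```python
"""Audit a FortiGate 'config log fortianalyzer setting' block.

Added example for this article, not Fortinet code. It flags the two states
the article describes: the FortiAnalyzer serial still being the FAZ-VM trial
serial, and certificate verification disabled as a workaround.
"""
import re

# Constructed sample: the broken state, with the first-solution workaround
# applied. Address and serial are placeholders, not the article's devices.
WEAK_CONFIG = """\
config log fortianalyzer setting
    set status enable
    set server "10.109.52.39"
    set certificate-verification disable
    set serial "FAZ-VM0000000001"
    set upload-option realtime
    set reliable enable
end
"""

# Constructed sample: after the licence has been re-applied on the
# FortiAnalyzer and verification turned back on. FAZ-VMTM21000123 is a
# placeholder serial.
HARDENED_CONFIG = """\
config log fortianalyzer setting
    set status enable
    set server "10.109.52.39"
    set certificate-verification enable
    set serial "FAZ-VMTM21000123"
    set upload-option realtime
    set reliable enable
end
"""

# Matches the documented trial serial FAZ-VM0000000001 and the shorter
# spelling seen in this article's note (any run of zeros followed by 1).
TRIAL_SERIAL_RE = re.compile(r"FAZ-VM0+1$")


def parse_faz_setting(config_text):
    """Return {key: value} for the 'set' lines of the FortiAnalyzer block."""
    settings = {}
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config log fortianalyzer setting":
            in_block = True
            continue
        if in_block and line == "end":
            break
        if in_block:
            m = re.match(r"set\s+(\S+)\s+(.*)$", line)
            if m:
                settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


def audit_faz_setting(config_text):
    """Return a list of findings; an empty list means nothing to fix."""
    s = parse_faz_setting(config_text)
    findings = []
    if s.get("status") != "enable":
        findings.append("FortiAnalyzer logging is disabled")
    serial = s.get("serial", "")
    if TRIAL_SERIAL_RE.match(serial):
        findings.append(
            f"serial {serial} is the FAZ-VM trial serial: "
            "re-apply the licence on the FortiAnalyzer")
    if s.get("certificate-verification") == "disable":
        findings.append(
            "certificate-verification is disabled: the FortiGate will trust "
            "any certificate presented at " + s.get("server", "<unset>")
            + "; re-enable it once the serial is fixed")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_faz_setting(cfg) or "OK")
```

    Run it against the output of 'show log fortianalyzer setting' saved from the FortiGate; a clean result on the hardened block is what to expect after the second solution has been applied and verification is back on.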

    Advanced commands to check connectivity

    Analyzing OFTPD application debugging on the FortiAnalyzer
    On the FortiAnalyzer CLI:

    # diagnose debug application oftpd 8 10.109.52.211   -> 10.109.52.211 is the FortiGate IP address
    oftpd debug filter:     ip==10.109.52.211

    # diagnose debug enable

    Then click Test Connectivity under Log Settings in the FortiGate GUI, or run 'diagnose log test' from the FortiGate CLI. Packets should be seen sent and received on both devices.

    A successful attempt displays the "Login Request" messages:

    [OFTP_try_accept_SSL_connection:1705 10.109.52.211] SSL_accept one client SUCCESS [ protocol : (772) TLS 1.3  ]
    [OFTP_try_accept_SSL_connection:1734 10.109.52.211] SSL socket[24] pid[975] ssl[0x7f4e5c085010] SSL_accepted
    [OFTP_recv_SSL_packet:1779 10.109.52.211] SSL socket[24] pid[975] ssl[0x7f4e5c085010] received [12] bytes:
    [OFTP_recv_SSL_packet:1779 10.109.52.211] SSL socket[24] pid[975] ssl[0x7f4e5c085010] received [474] bytes:
    [oftpd_handle_session:3613 10.109.52.211] handle LOGIN_REQUEST_LEGACY (2)
    [_login_get_other_opt:2521 10.109.52.211] host = 'FGT-Wempy_30'
    [_login_get_other_opt:2550 10.109.52.211] Version: FortiGate-VM64 v6.4.7,build1911,210825 (GA)
    Virus-DB: 89.07394(2021-12-02 04:20)
    IPS-DB: 6.00741(2015-12-01 02:30)
    APP-DB: 18.00199(2021-11-18 01:19)
    Industrial-DB: 18.00197(2021-11-16 01:27)
    Serial-Number: FGVM01TM21001063
    Virtual domain configuration: disable
    Current HA mode: standalone
    Current HA group:
    [__fill_dev_ext_info:559 10.109.52.211] ha_group_name:, ha_mode:0.
    [_login_get_other_opt:2526 10.109.52.211] vdom = 1
    [OFTP_send_SSL_packet:1839 FGVM01TM21001063] SSL socket[24] pid[975] ssl[0x7f4e5c085010] sent [24] bytes:
    [_login_send_ack:2631 FGVM01TM21001063] login succeed
    [OFTP_recv_SSL_packet:1779 FGVM01TM21001063] SSL socket[24] pid[975] ssl[0x7f4e5c085010] received [12] bytes:
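
    As an added example (not FortiAnalyzer code and not part of the original article), the Python script below parses a capture of the oftpd debug above and reports whether the FortiGate's login completed: the peer IP and TLS version from the SSL_accept line, the LOGIN_REQUEST, the host name, version and serial the FortiGate announced, and the 'login succeed' acknowledgement. The embedded session is a trimmed copy of the output shown above (the packet-payload lines are dropped); the wording of the findings that 'diagnose' returns is this example's interpretation, not oftpd's.

```python
"""Parse a FortiAnalyzer 'diagnose debug application oftpd 8 <ip>' capture.

Added example for this article, not FortiAnalyzer code. The session below is
a trimmed copy of the debug output quoted in the article (constructed sample
for this script; packet-payload lines omitted).
"""
import re

OFTPD_SESSION = """\
[OFTP_try_accept_SSL_connection:1705 10.109.52.211] SSL_accept one client SUCCESS [ protocol : (772) TLS 1.3  ]
[OFTP_try_accept_SSL_connection:1734 10.109.52.211] SSL socket[24] pid[975] ssl[0x7f4e5c085010] SSL_accepted
[OFTP_recv_SSL_packet:1779 10.109.52.211] SSL socket[24] pid[975] ssl[0x7f4e5c085010] received [474] bytes:
[oftpd_handle_session:3613 10.109.52.211] handle LOGIN_REQUEST_LEGACY (2)
[_login_get_other_opt:2521 10.109.52.211] host = 'FGT-Wempy_30'
[_login_get_other_opt:2550 10.109.52.211] Version: FortiGate-VM64 v6.4.7,build1911,210825 (GA)
Serial-Number: FGVM01TM21001063
Current HA mode: standalone
[__fill_dev_ext_info:559 10.109.52.211] ha_group_name:, ha_mode:0.
[OFTP_send_SSL_packet:1839 FGVM01TM21001063] SSL socket[24] pid[975] ssl[0x7f4e5c085010] sent [24] bytes:
[_login_send_ack:2631 FGVM01TM21001063] login succeed
"""

# oftpd lines look like "[function:lineno tag] message"; the tag is the peer
# IP before login and the FortiGate serial after it.
LINE_RE = re.compile(r"^\[(\w+):\d+ (\S+)\] (.*)$")


def parse_oftpd_session(text):
    """Extract the facts a TAC engineer looks for in the capture."""
    s = {"peer_ip": None, "tls": None, "login_request": False, "host": None,
         "version": None, "serial": None, "login_ok": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Serial-Number:"):
            s["serial"] = line.split(":", 1)[1].strip()
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        func, tag, msg = m.groups()
        if func == "OFTP_try_accept_SSL_connection" and "SUCCESS" in msg:
            s["peer_ip"] = tag
            # "(772)" is 0x0304, the TLS 1.3 version number; keep the text form
            t = re.search(r"protocol : \(\d+\) (TLS [\d.]+)", msg)
            s["tls"] = t.group(1) if t else None
        elif func == "oftpd_handle_session" and "LOGIN_REQUEST" in msg:
            s["login_request"] = True
        elif func == "_login_get_other_opt":
            h = re.match(r"host = '([^']*)'", msg)
            v = re.match(r"Version: (.*)$", msg)
            if h:
                s["host"] = h.group(1)
            if v:
                s["version"] = v.group(1)
        elif func == "_login_send_ack" and "login succeed" in msg:
            s["login_ok"] = True
            if s["serial"] is None:
                s["serial"] = tag  # tag is the FortiGate serial after login
    return s


def diagnose(text):
    """Return a list of problems; an empty list means the login looked healthy."""
    s = parse_oftpd_session(text)
    problems = []
    if s["peer_ip"] is None:
        problems.append("no SSL_accept SUCCESS: the TLS handshake never "
                        "completed (check certificate verification and the "
                        "FortiAnalyzer serial on the FortiGate)")
    elif s["tls"] and s["tls"] not in ("TLS 1.2", "TLS 1.3"):
        problems.append(f"weak protocol negotiated: {s['tls']}")
    if not s["login_request"]:
        problems.append("no LOGIN_REQUEST received after the handshake")
    if not s["login_ok"]:
        problems.append("no 'login succeed' ack: the FortiGate is not "
                        "registered or authorized on this FortiAnalyzer")
    return problems


if __name__ == "__main__":
    print(parse_oftpd_session(OFTPD_SESSION))
    print(diagnose(OFTPD_SESSION) or "login healthy")
```

    Feed it the raw text of a debug capture; a capture that stops after the LOGIN_REQUEST without the 'login succeed' ack is reported as an authorization problem, which is a different fix from the certificate mismatch this article covers.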

     

    On the FortiGate CLI:

    Enable the debug below to see the keepalives being sent to the FortiAnalyzer:

    # diagnose debug application miglogd 6
    Debug messages will be on for 3 minutes.

    # diagnose debug enable

    <239> _build_keep_alive_usage_pkt()-718: Pushed keepalive packet to queue for global-faz.
    <171> _build_keep_alive_usage_pkt()-718: Pushed keepalive packet to queue for global-faz.
    <239> _build_keep_alive_usage_pkt()-718: Pushed keepalive packet to queue for global-faz.
    <171> _build_keep_alive_usage_pkt()-718: Pushed keepalive packet to queue for global-faz.

    Disable the debug with the command below:

    # diagnose debug disable

    For further analysis, collect the output of the command below from both the FortiAnalyzer and the FortiGate and share it with TAC:

    • execute tac report


    Related Articles:

    https://community.fortinet.com/t5/FortiAnalyzer/Troubleshooting-Tip-FortiGate-to-FortiAnalyzer-conne...