mrafat (Staff)
Article Id 200734
Description This article describes how to resolve logs that remain queued on a FortiAnalyzer VM because the FortiGate sees the wrong FortiAnalyzer license (serial number).
Scope FortiAnalyzer VM.
Solution
  1. Verify the FortiAnalyzer settings on the FortiGate (go to Fabric Connectors -> FortiAnalyzer Logging).
  2. Select Test connectivity to check the connection status; the logs will be shown as queued:

    [screenshot: FortiAnalyzer connectivity test showing logs queued]

  3. Upon selecting Apply on the same page, the following notification message may appear:

    [screenshot: notification shown after selecting Apply]

  4. Validate that the FortiAnalyzer serial number on the FortiGate is not the trial serial (FAZ-VM0000000001), as below:

    [screenshot: FortiGate CLI output showing the FortiAnalyzer serial number]

Note: In some scenarios, the output of the command above may show the serial of FortiAnalyzer as 'FAZ-VM000000001'.

  5. Test the connectivity from the FortiGate to the FortiAnalyzer and notice that the FortiAnalyzer serial number appears as FAZ-VM0000000001.

    [screenshot: connectivity test showing the FortiAnalyzer serial as FAZ-VM0000000001]

  6. This indicates that the FortiAnalyzer serial number in the local certificate of the FortiAnalyzer does not match the actual FortiAnalyzer serial number.
  7. To resolve the issue, there are two proposed solutions:

    First solution:
      • Disable Certificate Verification on the FortiGate, either through the CLI or the GUI. Note that this stops the FortiGate from validating the FortiAnalyzer server certificate at all, so it works around the serial mismatch rather than correcting it.

        In the CLI:

        [screenshot: FortiGate CLI disabling certificate verification for FortiAnalyzer logging]

        In the GUI:

        [screenshot: FortiGate GUI disabling certificate verification for FortiAnalyzer logging]

    Second solution:
      • Re-apply the FortiAnalyzer license that was downloaded from the Fortinet Support portal on the FortiAnalyzer. Re-applying the license applies the correct VM serial number back to the FortiAnalyzer.
      • This process reboots the FortiAnalyzer, but the FortiGate keeps caching the logs so that they can be sent to the FortiAnalyzer once it is back online.

Check the cached logs before and after applying the license, as below:

    [screenshot: cached log counters on the FortiGate before and after re-applying the license]

Advanced commands to check connectivity:

Analyzing OFTPD application debugging on the FortiAnalyzer:

In the FortiAnalyzer CLI (10.109.52.211 is the FortiGate IP address in this example):

diagnose debug application oftpd 8 10.109.52.211
oftpd debug filter:     ip==10.109.52.211

diagnose debug enable

Then select Test Connectivity under the Log Settings of the FortiGate GUI, or run the command 'diag log test' from the FortiGate CLI. The user should see packets received and sent on both devices.

A successful attempt will display the login request being handled, followed by 'login succeed':

[OFTP_try_accept_SSL_connection:1705 10.109.52.211] SSL_accept one client SUCCESS [ protocol : (772) TLS 1.3  ]
[OFTP_try_accept_SSL_connection:1734 10.109.52.211] SSL socket[24] pid[975] ssl[0x7f4e5c085010] SSL_accepted
[OFTP_recv_SSL_packet:1779 10.109.52.211] SSL socket[24] pid[975] ssl[0x7f4e5c085010] received [12] bytes:
[OFTP_recv_SSL_packet:1779 10.109.52.211] SSL socket[24] pid[975] ssl[0x7f4e5c085010] received [474] bytes:
[oftpd_handle_session:3613 10.109.52.211] handle LOGIN_REQUEST_LEGACY (2)
[_login_get_other_opt:2521 10.109.52.211] host = 'FGT-Wempy_30'
[_login_get_other_opt:2550 10.109.52.211] Version: FortiGate-VM64 v6.4.7,build1911,210825 (GA)
Virus-DB: 89.07394(2021-12-02 04:20)
IPS-DB: 6.00741(2015-12-01 02:30)
APP-DB: 18.00199(2021-11-18 01:19)
Industrial-DB: 18.00197(2021-11-16 01:27)
Serial-Number: FGVM01TM21001063
Virtual domain configuration: disable
Current HA mode: standalone
Current HA group:
[__fill_dev_ext_info:559 10.109.52.211] ha_group_name:, ha_mode:0.
[_login_get_other_opt:2526 10.109.52.211] vdom = 1
[OFTP_send_SSL_packet:1839 FGVM01TM21001063] SSL socket[24] pid[975] ssl[0x7f4e5c085010] sent [24] bytes:
[_login_send_ack:2631 FGVM01TM21001063] login succeed
[OFTP_recv_SSL_packet:1779 FGVM01TM21001063] SSL socket[24] pid[975] ssl[0x7f4e5c085010] received [12] bytes:

In the FortiGate CLI:

Run the following command to see the keepalives being sent to the FortiAnalyzer:

diagnose debug application miglogd 6
Debug messages will be on for 3 minutes.

diagnose debug enable

<239> _build_keep_alive_usage_pkt()-718: Pushed keepalive packet to queue for global-faz.
<171> _build_keep_alive_usage_pkt()-718: Pushed keepalive packet to queue for global-faz.
<239> _build_keep_alive_usage_pkt()-718: Pushed keepalive packet to queue for global-faz.
<171> _build_keep_alive_usage_pkt()-718: Pushed keepalive packet to queue for global-faz.

Disable the debugging with the following command:

diagnose debug disable
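The following Python script is an added example, not part of this article or of any Fortinet tool: it parses debug excerpts in the shape of the oftpd and miglogd lines shown above, reporting whether the TLS handshake and login succeeded and whether keepalives were pushed, and checks a FortiAnalyzer serial against the trial-serial forms the article describes. The sample lines are constructed to match the formats shown on this page.

```python
import re

# Constructed excerpt in the shape of the FortiAnalyzer oftpd debug output shown above.
OFTPD_SAMPLE = """\
[OFTP_try_accept_SSL_connection:1705 10.109.52.211] SSL_accept one client SUCCESS [ protocol : (772) TLS 1.3  ]
[oftpd_handle_session:3613 10.109.52.211] handle LOGIN_REQUEST_LEGACY (2)
[_login_get_other_opt:2521 10.109.52.211] host = 'FGT-Wempy_30'
Serial-Number: FGVM01TM21001063
[_login_send_ack:2631 FGVM01TM21001063] login succeed
"""
# Constructed excerpt in the shape of the FortiGate miglogd keepalive output shown above.
MIGLOGD_SAMPLE = """\
<239> _build_keep_alive_usage_pkt()-718: Pushed keepalive packet to queue for global-faz.
<171> _build_keep_alive_usage_pkt()-718: Pushed keepalive packet to queue for global-faz.
"""

def parse_oftpd_session(text):
    """Summarise one FortiGate login attempt from oftpd debug output."""
    s = {"peer": None, "tls": None, "host": None, "fgt_serial": None,
         "login_request": False, "login_ok": False}
    for line in text.splitlines():
        m = re.match(r"\[\w+:\d+ (\S+)\]", line)
        if m and s["peer"] is None:
            s["peer"] = m.group(1)  # address in the first bracketed prefix
        t = re.search(r"SSL_accept .*SUCCESS \[ protocol : \(\d+\) (TLS [\d.]+)", line)
        if t:
            s["tls"] = t.group(1)  # TLS version negotiated with the FortiGate
        if "LOGIN_REQUEST" in line:
            s["login_request"] = True
        h = re.search(r"host = '([^']*)'", line)
        if h:
            s["host"] = h.group(1)
        sn = re.match(r"Serial-Number: (\S+)", line)
        if sn:
            s["fgt_serial"] = sn.group(1)
        if "login succeed" in line:
            s["login_ok"] = True
    return s

def count_keepalives(text):
    """Count keepalive pushes in miglogd output; zero in the capture window means none were sent."""
    return sum(1 for line in text.splitlines() if "Pushed keepalive packet" in line)

def is_trial_faz_serial(serial):
    """True for the trial serial forms the article shows (FAZ-VM, a run of zeros, a trailing 1)."""
    return re.fullmatch(r"FAZ-VM0+1", serial.strip()) is not None
```

A session summary with login_ok False, or a keepalive count of zero over the three-minute debug window, points at the connectivity or certificate problem described above rather than at FortiAnalyzer-side log processing.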

 

For further analysis, collect the output of the following command on both the FortiAnalyzer and the FortiGate and share it with TAC:

execute tac report

 

Note: When FIPS-CC mode is enabled on the FortiGate, ensure that the FortiGate has imported the CA certificate that signed the custom server certificate on the FortiAnalyzer.

 

Related article:

Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity