FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
tnesh
Staff
Article Id 302613
Description

 

This article provides details on how to troubleshoot the FortiAnalyzer HA failover issue in the Google Cloud Platform (GCP).

 

Scope

 

FortiAnalyzer-VM for GCP.

 

Solution

 

  1. Enable shell access for all FortiAnalyzer HA instances:

FAZ # config system admin settings

(setting)# set shell-access enable
Enter new password:
Confirm new password:

(setting)# end

 

Note:

Ensure the shell password is not lost, as it cannot be reset or recovered.

 

  2. Enter shell mode on the FortiAnalyzer HA instance and view the FortiAnalyzer HA debug log:

FAZ # exe shell

Enter password:
bash$ vi /drive0/private/clusterd/faz-ha.log

 

  3. To perform live debug:
    • Run the following command in shell mode on all FortiAnalyzer VMs:

bash$ tail -f /drive0/private/clusterd/faz-ha.log

 

    • Proceed to perform HA failover:

FAZ # diag ha failover

 

    • Check the faz-ha.log output for error messages.

 

  4. Sample error: … tls: failed to verify certificate: x509: …

 


 

    • This error is caused by the Google root CA certificate.
    • Verify that the Google root CA certificate has been imported on all FortiAnalyzer VMs under CA Certificates.

 

  5. Sample error: ... googleapi: Error 403: Request had insufficient authentication scopes.

 


 

    • This error is caused by the GCP Virtual Machine Compute Engine access setting.
    • Verify that Compute Engine has Read Write access under GCP Virtual Machine -> Cloud API.
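
The two error signatures above can be checked for in one pass over a copy of faz-ha.log. The script below is an added example, not Fortinet code. Its function names, output labels and sample log lines are assumptions made for illustration, and it matches only the error substrings quoted in this article.

```shell
#!/bin/sh
# Added example (not Fortinet code): triage a copy of faz-ha.log for the two
# failover errors this article describes. Only the quoted substrings are matched.

SIG_CERT='tls: failed to verify certificate: x509:'
SIG_SCOPE='googleapi: Error 403: Request had insufficient authentication scopes'

# Print how many lines of FILE ($1) contain the fixed string SIG ($2); 0 when none.
count_sig() {
    grep -c -F -- "$2" "$1" || true
}

# Print one finding per known signature; return 0 if any matched, 1 if none,
# 2 if the log cannot be read.
triage_faz_ha_log() {
    log=$1
    if [ ! -r "$log" ]; then
        echo "cannot read: $log" >&2
        return 2
    fi
    cert=$(count_sig "$log" "$SIG_CERT")
    scope=$(count_sig "$log" "$SIG_SCOPE")
    if [ "$cert" -gt 0 ]; then
        echo "CERT x$cert: verify the Google root CA certificate is imported on every FortiAnalyzer VM"
    fi
    if [ "$scope" -gt 0 ]; then
        echo "SCOPE x$scope: verify the VM's Cloud API access for Compute Engine is Read Write"
    fi
    if [ "$cert" -eq 0 ] && [ "$scope" -eq 0 ]; then
        echo "NONE: no known signature; review the log manually"
        return 1
    fi
    return 0
}

# Constructed sample lines; timestamps and prefixes are invented, not real output.
make_sample_log() {
    cat > "$1" <<'EOF'
2024-01-01T00:00:01Z sample: failover requested
2024-01-01T00:00:02Z sample: tls: failed to verify certificate: x509: (detail elided)
2024-01-01T00:00:03Z sample: googleapi: Error 403: Request had insufficient authentication scopes.
2024-01-01T00:00:04Z sample: googleapi: Error 403: Request had insufficient authentication scopes.
EOF
}

sample=$(mktemp)
make_sample_log "$sample"
triage_faz_ha_log "$sample"
rm -f "$sample"
```

Run triage_faz_ha_log against a copy of each HA member's log so that a certificate or scope problem present on only one instance is not missed.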

Troubleshooting commands:

 

diag ha status
diag ha stats
diag test app cluster 1
diag test app cluster 3 conn
diag test app cluster 3 log
diag test app cluster 97 status

 

execute shell

 

cat /etc/keepalived/keepalived.cfg
cat /drive0/private/clusterd/faz-ha.log
cat /drive0/private/clusterd/keepalived.log

 

diag sniff packet portX "vrrp" 3

 

Related articles:

Technical Tip: How to configure FortiAnalyzer HA instance in Google Cloud Platform (GCP)

Technical Tip: FortiAnalyzer HA Configuration and Troubleshooting