FortiAnalyzer
spoojary
Staff
Article Id 276269
Description This article describes a scenario in which, after adding an IOC subscription to a newly installed FortiAnalyzer and configuring the relevant automation stitches on the FortiGate, the FortiOS connector remains in a red/disconnected status even though logs are successfully received from the FortiGate.
Scope FortiAnalyzer.
Solution

Test Config:

config log fortianalyzer setting
    set status enable
    set server "lab.test.local"
    set serial "FAZ-VMTM00000"
    set upload-option 1-minute
end

Resolution:


  1. Ensure a reliable connection to FortiAnalyzer:

    • Configure the FortiGate to use a reliable connection. Reliable logging uses TCP port 514, which allows FortiAnalyzer to make API calls to the FortiGate:

    config log fortianalyzer setting
        set reliable enable
    end
  2. Sync configuration across nodes:

    • The configuration should only be applied on the primary FortiGate. Once set on the primary, it will automatically synchronize with the secondary FortiGate.

  3. Ensure only the primary is configured for API calls:

    • FortiAnalyzer will only make API calls to the primary FortiGate. From its perspective, it treats both primary and secondary FortiGates as a single device.
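As an added check (example code written for this article, not Fortinet's), the script below parses a FortiGate CLI dump with a simplified FortiOS parser and reports whether the "config log fortianalyzer setting" block still lacks "set reliable enable"; the two sample configs are constructed from the test config above and from the resolution.

```python
import shlex


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: 'config'/'edit' open a level,
    'set' stores a key, 'next'/'end' close the level (shlex handles quotes)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        words = shlex.split(raw.strip())
        if not words or words[0].startswith("#"):
            continue
        verb, args = words[0], words[1:]
        if verb in ("config", "edit"):
            node = {}
            stack[-1][" ".join(args)] = node
            stack.append(node)
        elif verb in ("end", "next"):
            if len(stack) > 1:  # ignore a stray 'end' at the top level
                stack.pop()
        elif verb == "set" and args:
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif verb == "unset" and args:
            stack[-1].pop(args[0], None)
    return root


def audit_faz_setting(text):
    """Findings for 'config log fortianalyzer setting'; [] means compliant."""
    faz = parse_fortios(text).get("log fortianalyzer setting", {})
    findings = []
    if faz.get("status") != "enable":
        findings.append("logging to FortiAnalyzer is disabled")
    if not faz.get("server"):
        findings.append("no FortiAnalyzer server configured")
    if faz.get("reliable") != "enable":
        findings.append("reliable (TCP/514) logging is off: set reliable enable")
    return findings


# Constructed sample: the article's test config, which lacks 'set reliable'.
BEFORE = """
config log fortianalyzer setting
    set status enable
    set server "lab.test.local"
    set serial "FAZ-VMTM00000"
    set upload-option 1-minute
end
"""
# Constructed sample: the same config after applying the resolution.
AFTER = BEFORE.replace("\nend", "\n    set reliable enable\nend")
```

Run audit_faz_setting on a full "show" dump from the primary FortiGate; the HA secondary needs no separate check because the setting synchronizes from the primary.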

Reference case: A scenario was identified where a user experienced a disconnected status on the FortiOS connector, even after ensuring correct log forwarding settings. Modifying the connection to be reliable and ensuring configuration synchronization resolved the issue.


Related articles:

Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity