FortiAnalyzer
msuhaimi
Staff
Article Id 203978
Description

This article describes how to troubleshoot the FortiGate notification 'FortiAnalyzer certificate is not verified' and how the OFTP protocol is used for communication between FortiGate and FortiAnalyzer. The OFTP protocol is used for connectivity, health check, file transfer and log display from FortiGate.

Scope

FortiGate and FortiAnalyzer.

Solution
  1. Check firmware compatibility between FortiGate and FortiAnalyzer.
  2. Collect information on FortiGate and FortiAnalyzer.

 

On FortiGate CLI:


get system status
get log fortianalyzer setting
get log fortianalyzer filter
execute ping <FAZ-IP>
execute traceroute <FAZ-IP>
execute ssh <FAZ-IP> 514
execute log fortianalyzer test-connectivity
diagnose debug app miglogd -1
diagnose debug enable
--wait 1 minute--
diagnose debug disable <----- Disable debug.

On FortiAnalyzer CLI:


get system status
get sys global
diagnose debug app oftpd 255
diagnose debug enable
--wait 1 minute--
diagnose debug disable <----- Disable debug.

 

The debug log shows the following:

 

2021-11-23 13:23:18 <314> _check_oftp_certificate()-206: checking sn:FAZ-VM00000XXXXX vs cert sn:FAZ-VM0000000001
2021-11-23 13:23:18 <314> _check_oftp_certificate()-216: The certificate CN (FAZ-VM0000000001) doesn't match the Serial numbers sent by 192.168.2.77
2021-11-23 13:23:18 <314> miglog_faz_stop_oftp_ex()-739: faz:192.168.2.77 connection close. reason:Serial number of server is unauthorized.
2021-11-23 13:23:18 <314> _build_disk_usage_pkt()-701: Pushed disk usage info to queue for faz.

 

 

  3. Check the FortiAnalyzer local certificates under System Settings > Certificates > Local Certificates. If the FortiAnalyzer serial number in the certificates is FAZ-VM0000000001, it is incorrect.
  4. Download a new copy of the license file from the support portal and apply the new license file to the FortiAnalyzer VM via the License Information widget.

Upload license:

Registering a device or VM license

Note:

The FortiAnalyzer will restart after uploading the license.

  5. After the FortiAnalyzer restarts, check the local certificates. The serial number in the certificates is now FAZ-VM00000XXXXX, which is correct.
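
The serial-number comparison that appears in the debug log above can be picked out of a saved debug capture automatically. The following Python is an added example, not part of the original article or any Fortinet tooling; the regular expressions are assumptions inferred only from the four log lines quoted here, and the function and field names are hypothetical.

```python
import re

# Sample input: the debug lines quoted in this article.
SAMPLE = """\
2021-11-23 13:23:18 <314> _check_oftp_certificate()-206: checking sn:FAZ-VM00000XXXXX vs cert sn:FAZ-VM0000000001
2021-11-23 13:23:18 <314> _check_oftp_certificate()-216: The certificate CN (FAZ-VM0000000001) doesn't match the Serial numbers sent by 192.168.2.77
2021-11-23 13:23:18 <314> miglog_faz_stop_oftp_ex()-739: faz:192.168.2.77 connection close. reason:Serial number of server is unauthorized.
2021-11-23 13:23:18 <314> _build_disk_usage_pkt()-701: Pushed disk usage info to queue for faz.
"""

# Patterns are assumptions inferred from the quoted lines, not a documented format.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
CHECK_RE = re.compile(r"_check_oftp_certificate\(\)-\d+: checking sn:(\S+) vs cert sn:(\S+)")
CLOSE_RE = re.compile(r"miglog_faz_stop_oftp_ex\(\)-\d+: faz:(\S+) connection close\. reason:(.+)$")

# Certificate serial the article identifies as incorrect (fixed by re-applying the license).
INCORRECT_CERT_SN = "FAZ-VM0000000001"


def find_cert_mismatches(text):
    """Return one dict per OFTP certificate check whose two serial numbers differ."""
    findings, pending = [], None
    for line in text.splitlines():
        ts = TS_RE.match(line)
        check = CHECK_RE.search(line)
        if check:
            sent_sn, cert_sn = check.groups()
            pending = None
            if sent_sn != cert_sn:
                pending = {
                    "time": ts.group(1) if ts else None,
                    "sent_sn": sent_sn,
                    "cert_sn": cert_sn,
                    "needs_license_reapply": cert_sn == INCORRECT_CERT_SN,
                    "faz_ip": None,
                    "close_reason": None,
                }
                findings.append(pending)
            continue
        close = CLOSE_RE.search(line)
        if close and pending is not None:
            # Attach the connection-close line that follows a failed check.
            pending["faz_ip"] = close.group(1)
            pending["close_reason"] = close.group(2).strip()
            pending = None
    return findings


if __name__ == "__main__":
    for finding in find_cert_mismatches(SAMPLE):
        print(finding)
```

A finding with `needs_license_reapply` set corresponds to the case this article resolves by uploading a fresh license file; a capture in which both serial numbers match yields no findings.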