FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 205112

This article describes the situation when FortiGate and FortiAnalyzer connectivity test fails.

Scope FortiGate.

1) If the connection between the FortiGate and FortiAnalyzer is down, check the connectivity by ping.


2) Do the connectivity test from the FortiGate by using the below command:


# exec log fortianalyzer test-connectivity


If the output is the below error then take the sniffers:


Failed to get FAZ's status. SSL error. (-3)


Take the sniffers for the FortiAnalyzer IP and check the connection,


Capture shows that FortiAnalyzer sending RST back to FortiGate:


Capture shows that FortiAnalyzer sending RST back to FortiGate:


66.345323 port10 out -> syn 1195392681

66.345952 port10 in -> syn 1231566839 ack 1195392682

66.346003 port10 out -> ack 1231566840

66.346728 port10 out -> psh 1195392682 ack 1231566840

66.346857 port10 in -> psh 1231566840 ack 1195392682

66.346885 port10 out -> ack 1231567207

66.346990 port10 in -> ack 1195392843

66.347044 port10 out -> psh 1195392843 ack 1231567207

66.347382 port10 in -> ack 1195392850

67.349171 port10 in -> rst 1231567207 ack 1195392850  <----- FortiAnalyzer sending RST.


Check the FortiAnalyzer settings on the FortiGate by using the below command:


# get log fortianalyzer setting

status: enable

ips-archive: enable


enc-algorithm: high   

conn-timeout: 10

monitor-keepalive-period: 5

monitor-failure-retry-period: 5

certificate                  :

source-ip                    :

upload-option           : 5-minute <----- Upload logs. every 5 minutes.

reliable: disable  <----- Logs are sent over UDP.



Remote FortiAnalyzer logging over UDP if reliable is disabled and TCP if reliable.


3) Enable reliable for the FortiAnalyzer settings by below command:


# config log fortianalyzer setting

    set reliable enable


4) Make sure to verify is any certificate has been assigned and Check certificate on both side, FortiAnalyzer and FortiGate if they have same and valid.

On FortiGate:


# config log fortianalyzer setting
    set certificate "Fortinet_Factory"


System -> Certificates.




On FortiAnalyzer:

System setting -> Certificates.




5) If one of the certificates between FortiAnalyzer and FortiGate did not have between those units, download the certificate from the unit that has the certificate and import the unit that did not have the certificate.