bvagadia
Staff
Article Id 205112
Description

This article describes what to check when the FortiGate to FortiAnalyzer connectivity test fails.

Scope

FortiGate.
Solution

If the connection between the FortiGate and the FortiAnalyzer is down, first check basic reachability with ping, sourced from the interface that routes to the FortiAnalyzer:

execute ping-options source <source-intf_ip>
execute ping <FortiAnalyzer_IP>

 

To find the IP of the source interface to use as <source-intf_ip>, look up the route to the FortiAnalyzer:

get router info routing-table details <FortiAnalyzer_IP>

 

Do the connectivity test from the FortiGate by using the command below:

 

exec log fortianalyzer test-connectivity

 

If the output shows the following error, capture the traffic with the sniffer:

 

Failed to get FAZ's status. SSL error. (-3)

 

Sniff the traffic to and from the FortiAnalyzer IP and check the TCP session. In the capture below, the three-way handshake on port 541 completes and data is exchanged in both directions, but the FortiAnalyzer then sends a RST back to the FortiGate:

 

66.345323 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: syn 1195392681

66.345952 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: syn 1231566839 ack 1195392682

66.346003 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231566840

66.346728 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392682 ack 1231566840

66.346857 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: psh 1231566840 ack 1195392682

66.346885 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231567207

66.346990 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392843

66.347044 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392843 ack 1231567207

66.347382 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392850

67.349171 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: rst 1231567207 ack 1195392850  <----- FortiAnalyzer sending RST.
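As an added diagnostic aid that is not part of the article, the Python script below parses sniffer lines in the format shown above and classifies the FortiGate to FortiAnalyzer session: it separates an unanswered SYN (path or policy problem) from a completed handshake that the FortiAnalyzer resets after application data, which is the pattern behind the 'SSL error (-3)' result. The function name triage_oftp, the verdict strings and the SAMPLE_CAPTURE variable are this example's own; the sample lines are copied from the capture above.

```python
import re
# Constructed sample input, copied from the article's sniffer output: FortiGate
# 172.16.102.248 talking to FortiAnalyzer 172.16.102.247 on OFTP port 541.
SAMPLE_CAPTURE = """\
66.345323 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: syn 1195392681
66.345952 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: syn 1231566839 ack 1195392682
66.346003 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231566840
66.346728 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392682 ack 1231566840
66.346857 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: psh 1231566840 ack 1195392682
67.349171 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: rst 1231567207 ack 1195392850
"""
# One sniffer line: "<ts> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <flags seq [ack n]>"
PKT_RE = re.compile(r"^(\d+\.\d+)\s+\S+\s+(?:in|out)\s+(\d+(?:\.\d+){3})\.(\d+)"
                    r"\s+->\s+(\d+(?:\.\d+){3})\.(\d+):\s+(.*)$")
FLAG_RE = re.compile(r"\b(syn|ack|psh|rst|fin)\b")


def triage_oftp(capture, faz_ip, port=541):
    """Classify the FortiGate -> FortiAnalyzer TCP exchange found in a sniffer capture."""
    syn_ts, synack_ts, rst_ts, data_segments = None, None, None, 0
    for line in capture.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue                                   # skip banner/noise lines
        ts, src, sport, dst, dport, rest = m.groups()
        flags = set(FLAG_RE.findall(rest))
        to_faz = dst == faz_ip and int(dport) == port
        from_faz = src == faz_ip and int(sport) == port
        if to_faz and "syn" in flags and syn_ts is None:
            syn_ts = float(ts)
        if from_faz and {"syn", "ack"} <= flags:
            synack_ts = float(ts)
        if (to_faz or from_faz) and "psh" in flags:
            data_segments += 1                         # application (OFTP/TLS) payload
        if from_faz and "rst" in flags and rst_ts is None:
            rst_ts = float(ts)
    if syn_ts is None:
        verdict = "no SYN towards FortiAnalyzer: check source interface and routing"
    elif synack_ts is None:
        verdict = "SYN unanswered: port 541 filtered or FortiAnalyzer unreachable"
    elif rst_ts is not None and data_segments:
        verdict = ("handshake OK, FortiAnalyzer reset after application data: "
                   "matches 'SSL error (-3)', check reliable and certificate settings")
    elif rst_ts is not None:
        verdict = "FortiAnalyzer reset the session right after the handshake"
    else:
        verdict = "session established, no reset observed"
    return {"handshake": synack_ts is not None, "data_segments": data_segments,
            "rst_from_faz": rst_ts is not None,
            "rst_after_s": None if rst_ts is None or syn_ts is None else round(rst_ts - syn_ts, 3),
            "verdict": verdict}
```

Paste the output of the FortiGate sniffer into `capture` and pass the FortiAnalyzer IP as `faz_ip`; the returned verdict tells you which of the checks in this article to go to next.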

 

Check the FortiAnalyzer settings on the FortiGate by using the command below:

 

get log fortianalyzer setting

status                       : enable
ips-archive                  : enable
server                       : 10.34.199.143
enc-algorithm                : high
conn-timeout                 : 10
monitor-keepalive-period     : 5
monitor-failure-retry-period : 5
certificate                  :
source-ip                    :
upload-option                : 5-minute <----- Upload logs every 5 minutes.
reliable                     : disable  <----- Logs are sent over UDP.

 

Note: remote FortiAnalyzer logging uses UDP when reliable is disabled and TCP when reliable is enabled.

 

Enable reliability for the FortiAnalyzer settings with the following command:

 

config log fortianalyzer setting
    set reliable enable
end

 

Verify whether a certificate has been assigned, and check on both sides (FortiAnalyzer and FortiGate) that the same certificate is present and valid.


On FortiGate:

 

config log fortianalyzer setting
    set certificate "Fortinet_Factory"
end

 

Go under System -> Certificates.

 


 

On FortiAnalyzer, go under System settings -> Certificates.

 


 

If the certificate is present on only one of the two units, download it from the unit that has it and import it into the unit that does not.

 

Related articles:

Technical Tip: How to solve the FortiGate to FortiAnalyzer connectivity issue: 'Failed to allocate m...

Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity