|
Use the below command to check the serial number:
diagnose test app fgtlogd 1
**output-ommitted**
fortilog:
faz: global , enabled
server=A.B.C.D, alt-server=, active-server=A.B.C.D, realtime=1, ssl=3, state=connected
server_log_status=Log is allowed.,
src=, mgmt_name=FGh_Log_root_A.B.C.D, reliable=1, sni_prefix_type=none,
required_entitlement=none, region=ca-west-1,
logsync_enabled:1, logsync_conn_id:65535, seq_no:21746
disconnect_jiffies:0
status: ver=7, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
SNs: last sn update:46 seconds ago.
Sn list:
(FAZAAABBBCCCDDDD,age=46s)
queue: qlen=0.
**output-ommitted**
The issue occurs when the FortiAnalyzer’s serial number entry expires in the cached list because of the known issue, which in turn deletes the serial number from the FortiGate’s configuration and disconnects the FortiAnalyzer.
The following configuration shows the configuration when the FortiAnalyzer is connected:
config log fortianalyzer setting
set status enable
set server "A.B.C.D"
set serial "FAZAAABBBCCCDDDD"
set upload-option realtime
set reliable enable
end
Serial number missing in the below configuration, as the FortiAnalyzer disconnects:
config log fortianalyzer setting
set status enable
set server "A.B.C.D"
set upload-option realtime
set reliable enable
end
This behavior occurs because of the known issues #1083537 and #1088385, these issues have been resolved in v7.6.1.
Check: FortiOS 7.6.1 Resolved Issues.
Logs required by FortiGate TAC for investigation:
- CLI outputs of the below commands:
diagnose debug app fgtlogd 255
diagnose debug app miglogd 255
diagnose debug cli 8
diagnose debug console timestamp enable
diagnose debug enable
- FortiCare debug report or TAC report:
execute tac report
- Configuration file of the FortiGate.
Workaround:
- Accept the FortiAnalyzer certificate again from the GUI under Security Fabric -> Fabric Connector -> Logging & Analytics.
- Configure an automation stitch to add the FortiAnalyzer Serial Number to the configuration.
|
