FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mtse
Article Id 422797
Description

This article describes the procedure for changing the FortiAnalyzer logging configuration of a FortiGate HA cluster so that logs are sent from the out-of-band ha-direct (HA management) interface instead of the in-band interface IP.

 

In a FortiGate HA cluster that already has a FortiAnalyzer logging configuration, if the interface used to send logs is changed from in-band to out-of-band (ha-direct) without first deleting the original FortiAnalyzer setting, the FortiGate is unable to connect to the FortiAnalyzer after the change.

 

This is because, after 'ha-mgmt-interface' and 'ha-direct' are enabled, the FortiGates in the HA cluster still use the former in-band interface IP address as the source address for logs sent to the FortiAnalyzer.

 

In fact, a warning like the one below is displayed after enabling 'ha-direct'.

 

FGT (ha) # end
When ha-direct is enabled, source ip may not work.
We recommend to unset all log-related, netflow and sflow source ip.
By selecting to continue, all source ip will be unset.
Do you want to continue? (y/n)y

 

To avoid this problem, the configuration under 'config log fortianalyzer setting' should be removed before the 'ha-mgmt-interface' configuration is added.

Scope

FortiGate.
Solution

The proper procedure to change from the in-band interface to the out-of-band interface (ha-mgmt-interface) is to first remove the FortiAnalyzer configuration, then create the out-of-band 'ha-mgmt-interface', and finally add the FortiAnalyzer configuration back.

 

That is (the following IP addresses and serial numbers are examples only; change them to the ones used in the actual environment):

 

  1. Unset the FortiAnalyzer log setting.

 

Original FortiAnalyzer setting:

 

config log fortianalyzer setting
    set status enable
    set server "10.32.32.10"
    set serial "FAZ-VM0000103333"
end

 

Remove the FortiAnalyzer setting first:

 

config log fortianalyzer setting
    unset serial
    unset server
    set status disable
end

 

  2. Then add the out-of-band 'ha-mgmt-interface'.

 

config sys ha
    set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "port5"
                set dst 10.32.32.0 255.255.255.0
                set gateway 10.50.50.1
            next
        end
    set ha-direct enable
end

 

  3. Then add the FortiAnalyzer setting again.

 

config log fortianalyzer setting
    set status enable
    set server "10.32.32.10"
    set serial "FAZ-VM0000103333"
end

 

After this, each FortiGate in the HA cluster uses its 'ha-mgmt-interface' IP address as the source IP. If step 1 (removing the existing FortiAnalyzer configuration) is skipped, the FortiGate continues to send logs to the FortiAnalyzer from the former in-band interface IP instead of the new 'ha-mgmt-interface' IP address after the change.
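As an added example (not from this article or from Fortinet), the following Python audit parses FortiOS-style CLI text and checks that the finished configuration is consistent with the procedure above: 'ha-direct' and 'ha-mgmt-status' are enabled, the FortiAnalyzer server address falls inside an 'ha-mgmt-interfaces' dst route, and no log source-ip remains set (the CLI warning above says a source ip may not work with ha-direct). The sample configuration and its addresses are constructed, and parse_fortios and audit_faz_over_ha_mgmt are hypothetical helper names.

```python
import ipaddress
import shlex

# Constructed sample (hypothetical values): the HA and FortiAnalyzer blocks after the procedure above.
SAMPLE_CONFIG = """
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set dst 10.32.32.0 255.255.255.0
        next
    end
    set ha-direct enable
end
config log fortianalyzer setting
    set status enable
    set server "10.32.32.10"
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts; 'set' keys map to lists of values."""
    cur, stack = {}, []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):  # open a nested block keyed by its name or index
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] in ("end", "next"):  # close the current block
            cur = stack.pop()
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
    return cur  # the root table, once every block has been closed

def audit_faz_over_ha_mgmt(cfg):
    """Return findings; an empty list means FAZ logging is consistent with the ha-direct design."""
    ha = cfg.get("system ha", {})
    faz = cfg.get("log fortianalyzer setting", {})
    if ha.get("ha-direct") != ["enable"] or ha.get("ha-mgmt-status") != ["enable"]:
        return ["ha-direct and ha-mgmt-status are not both enabled"]
    # The CLI warns that a log source ip may not work once ha-direct is on.
    findings = ["source-ip is set under log fortianalyzer setting"] if "source-ip" in faz else []
    if faz.get("status") != ["enable"] or not faz.get("server"):
        return findings + ["FortiAnalyzer logging is disabled or has no server"]
    server = ipaddress.ip_address(faz["server"][0])
    routes = [ipaddress.ip_network("/".join(e["dst"]), strict=False)
              for e in ha.get("ha-mgmt-interfaces", {}).values() if "dst" in e]
    if not any(server in net for net in routes):
        findings.append(f"{server} is not covered by any ha-mgmt-interfaces dst route")
    return findings
```

Feed it the output of 'show system ha' and 'show log fortianalyzer setting' from each cluster member; a non-empty list points at the block that still needs attention.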
