Description

This article describes how to configure FortiGate to send logs to multiple FortiAnalyzers and verify the connectivity between them.

Scope

FortiAnalyzer/FortiGate.

Solution

1. It is possible to have FortiGate send logs to 3 different FortiAnalyzers.
2. Only the first FortiAnalyzer can be added via the GUI under Security Fabric -> Fabric Connector -> FortiAnalyzer Logging.

3. The other 2 FortiAnalyzers’ IP addresses and Serial Number, can only be added using the CLI:

config log fortianalyzer2 setting

    set status enable

    set server x.x.x.x

    set serial FAZ-VMYYYYYYY

    set upload-option <realtime/1-minute/5-minute>

end

config log fortianalyzer3 setting

    set status enable

    set server x.x.x.x

    set serial FAZ-VMYYYYYYY

    set upload-option <realtime/1-minute/5-minute>

end

4. Log in to each FortiAnalyzer and authorize the FortiGate. 

5. Run the following commands to test the connectivity and verify if logs are sent to all 3 FortiAnalyzers. Verify also the FortiAnalyzer Host Name and Serial Number.

execute log fortianalyzer test-connectivity  <-----  Test 1st FortiAnalyzer.

execute log fortianalyzer test-connectivity 2 <-----  Test 2nd FortiAnalyzer.

execute log fortianalyzer test-connectivity 3 <----- Test 3rd FortiAnalyzer.

Related article:
Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity