rmehta, Staff
Article Id 378557
Description This article describes synchronization and communication between FortiGate (FGT) devices and FortiAnalyzer (FAZ), the reliability of logs, and which logs FortiAnalyzer can rely on to determine device status.
Scope FortiGate.
Solution

To maintain consistent log transmission and device status monitoring, it is important to configure FortiGate and FortiAnalyzer with appropriate log and keepalive settings. Ensuring that logs such as system events, heartbeat signals, and performance data (for example: CPU and memory utilization) are regularly sent will help avoid issues like false offline alarms and ensure reliable device monitoring.

1. False Device Offline Alarm During Off-Business Hours.

During off-business hours, FortiGate devices may not generate logs frequently due to reduced traffic or lower activity. If a 5-minute timer is set for log transmission, FortiAnalyzer (FAZ) may not receive logs within this period and could incorrectly trigger a false offline alarm, despite the FortiGate device being functional.
Action: To address this, it is recommended to extend the log transmission timeout period or adjust the alarm settings on FortiAnalyzer to prevent false alarms during low activity periods. Additionally, ensure that device and log transmission schedules are aligned with off-peak times to avoid such issues.

2. Specific Log Sent by FortiGate to FortiAnalyzer Continuously (less than 5 minutes).

FortiGate devices can send specific logs to FortiAnalyzer (FAZ) at frequent intervals, such as system logs or heartbeat signals, which can be used to monitor device status.
These logs, such as traffic logs, event logs, and system logs, are typically generated based on configuration settings like VPN tunnels, high-availability (HA) status, or other system events. To ensure FortiAnalyzer can reliably determine the device's status, it is important to configure FortiGate to send these logs (particularly system logs or heartbeat) at regular intervals, ideally less than 5 minutes.
Action: Review and adjust the FortiGate log settings to send logs like system or heartbeat logs at a more frequent interval to FortiAnalyzer for reliable device status monitoring.

3. Reliability of CPU and Memory Data Logs.

FortiGate devices generate CPU and memory utilization logs, which can be sent to FortiAnalyzer for real-time monitoring of device performance. These logs are useful for assessing the health of the device. The reliability of this data depends on proper configuration and log settings.
Action: To ensure accurate monitoring, enable CPU and memory monitoring on the FortiGate device and configure it to send performance data to FortiAnalyzer at regular intervals. It is also important to review the logging configurations on both devices to ensure these logs are properly captured and transmitted.

4. Other Log or Keepalive Exchanged Between FortiGate and FortiAnalyzer.

FortiGate and FortiAnalyzer exchange various logs, including traffic, event, and system logs. In addition to these logs, keepalive messages are frequently exchanged to maintain an active connection and confirm the device's availability. Specifically, heartbeat logs are sent by FortiGate to FortiAnalyzer, which is particularly useful in high-availability (HA) setups to provide the operational status of the device.
Action: To ensure reliable device status monitoring, it is recommended to enable keepalive or heartbeat signals between the devices. This will allow FortiAnalyzer to consistently verify if the FortiGate device is online and functioning, even during times of low log activity.
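As an added example (not part of the original article or of FortiAnalyzer itself), the Python below applies the status logic described in sections 1 and 2 to constructed FortiGate key=value log records: it tracks the newest record per device, optionally counting only event/system records, and reports which devices a given offline timer would flag. Device names, device IDs, and the log lines are made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of FortiGate key=value records as FortiAnalyzer would receive
# them overnight (device names/IDs are made up): FGT-HQ only emits traffic logs,
# FGT-BRANCH sends system logs every 5 minutes, FGT-DC every 2 minutes.
SAMPLE_LOGS = """\
date=2024-03-02 time=01:03:00 devname="FGT-HQ" devid="FG-EXAMPLE-HQ" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.10 action="accept"
date=2024-03-02 time=01:00:10 devname="FGT-BRANCH" devid="FG-EXAMPLE-BR" type="event" subtype="system" logdesc="System performance statistics" cpu=4 mem=31
date=2024-03-02 time=01:05:10 devname="FGT-BRANCH" devid="FG-EXAMPLE-BR" type="event" subtype="system" logdesc="System performance statistics" cpu=3 mem=31
date=2024-03-02 time=01:07:00 devname="FGT-DC" devid="FG-EXAMPLE-DC" type="event" subtype="system" logdesc="System performance statistics" cpu=12 mem=44
date=2024-03-02 time=01:09:00 devname="FGT-DC" devid="FG-EXAMPLE-DC" type="event" subtype="system" logdesc="System performance statistics" cpu=11 mem=44
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one key=value log line into a dict (quotes stripped, timestamp parsed)."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def last_seen(lines, trusted_only=False):
    """Newest timestamp per device (None if nothing counted). With trusted_only,
    only event/system records count, i.e. the heartbeat-style logs the article
    says device status should rely on; traffic logs are ignored."""
    seen = {}
    for line in lines.splitlines():
        rec = parse_record(line)
        seen.setdefault(rec["devname"], None)
        if trusted_only and (rec["type"], rec["subtype"]) != ("event", "system"):
            continue
        prev = seen[rec["devname"]]
        seen[rec["devname"]] = rec["ts"] if prev is None else max(prev, rec["ts"])
    return seen

def offline_devices(lines, now, timeout, trusted_only=False):
    """Devices an offline timer of `timeout` would flag at `now`."""
    return sorted(name for name, ts in last_seen(lines, trusted_only).items()
                  if ts is None or now - ts > timeout)

def status_at(now_str, timer_minutes, trusted_only=False):
    """Convenience wrapper: evaluate the sample at a wall-clock time string."""
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S")
    return offline_devices(SAMPLE_LOGS, now, timedelta(minutes=timer_minutes), trusted_only)

if __name__ == "__main__":
    # 5-minute timer: idle HQ box and the 5-minute sender both trip -> false alarms
    print(status_at("2024-03-02 01:10:30", 5))            # ['FGT-BRANCH', 'FGT-HQ']
    # Extended 15-minute timer (section 1 action): nothing flagged
    print(status_at("2024-03-02 01:10:30", 15))           # []
    # Rely only on system logs: HQ can never be confirmed because it sends none
    print(status_at("2024-03-02 01:10:30", 15, trusted_only=True))  # ['FGT-HQ']
```

Note that FGT-BRANCH trips the 5-minute timer even though it sends a system log every 5 minutes: the send interval has to be shorter than the timer, which is why the article asks for "less than 5 minutes".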