ametkola
Staff
Article Id 357160
Description This article describes the behavior of FortiGate losing the FortiAnalyzer serial number from the settings.
Scope FortiGate.
Solution

In this example, FortiGate runs v7.2.8 and is managed by FortiManager v7.2.5, where the FortiAnalyzer IP address and Serial Number are configured using the FortiManager system template.
The behavior is triggered at random, and once FortiManager notices that the serial number has disappeared, it tries to push it again.

 

config log fortianalyzer setting
    set status enable
    set server "10.10.10.10"
    set upload-option realtime
    set reliable enable
end

 

Because the behavior is intermittent, the issue can be reproduced by using one of the methods below:

  1. By killing the OFTP daemon on the FortiGate.
  2. On the FortiGate, find and clear the FortiAnalyzer session in the CLI:

 

diag sys session filter dst x.x.x.x    <-- replace x.x.x.x with the FortiAnalyzer IP address
diag sys session clear

 

A new session is visible with:

 

diag sys session list

 

Check if the FortiAnalyzer serial number is missing with the following command:

 

show full log fortianalyzer setting
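
Because the behavior is intermittent, saved output of the command above can be checked automatically for an enabled FortiAnalyzer configuration that has no serial number. The following is an added example, not part of the original article or of Fortinet tooling; the sample outputs are constructed, and the `serial` key name and the serial value shown are assumptions.

```python
import shlex

HEADER = "config log fortianalyzer setting"

# Constructed sample output (illustrative values, not from a real device).
SAMPLE_OK = """config log fortianalyzer setting
    set status enable
    set server "10.10.10.10"
    set serial "FAZ-VM0000000001"
    set upload-option realtime
    set reliable enable
end
"""
# Same block with the serial line gone, as in the behavior described above.
SAMPLE_MISSING = SAMPLE_OK.replace('    set serial "FAZ-VM0000000001"\n', "")


def parse_block(text, header=HEADER):
    """Return {key: [values]} for the 'set' lines inside the named block."""
    settings, inside, found = {}, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == header:
            inside = found = True
        elif inside and line == "end":
            inside = False
        elif inside and line.startswith("set "):
            tokens = shlex.split(line)  # handles quoted values
            if len(tokens) >= 2:
                settings[tokens[1]] = tokens[2:]
    if not found:
        raise ValueError(f"block {header!r} not present in the output")
    return settings


def serial_missing(text):
    """True when FortiAnalyzer logging is enabled but no serial is configured."""
    settings = parse_block(text)
    enabled = settings.get("status") == ["enable"]
    # An empty quoted value ('' or "") counts as unset.
    serials = [v for v in settings.get("serial", []) if v]
    return enabled and not serials


if __name__ == "__main__":
    for name, out in (("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING)):
        print(name, "-> serial missing:", serial_missing(out))
```

Run it against output collected on a schedule (for example from configuration backups) to timestamp when the serial number disappeared.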

 

When the issue is encountered, another prompt will appear to verify the FortiAnalyzer serial number and certificate.

 


 

 

Workaround: Verify/accept the FortiAnalyzer certificate again or push the Serial Number using a CLI Script.

 

If requirements are met, run the following debug commands and raise a ticket with the TAC support team to further analyze the output.

 

diag debug reset

diag debug console timestamp enable
diag debug enable
diag debug app fgtlogd -1

 

As soon as the issue occurs, stop fgtlogd debugging with the commands below:

 

diag debug disable

diag debug app fgtlogd 0
diag debug reset

 

Check the debug outputs: 

 

write config file success, prepare to save '/tmp/system.conf.8075.MyEyZO' to '/data/./config/sys_global.conf.gz' on flash
flash: block_sz=4096, free_blocks=31059
[__create_file_new_version:293] the new version config file '/data/./config/sys_global.conf.gz.v000002957' is created
[symlink_config_file:360] a new version of '/data/./config/sys_global.conf.gz' is created: /data/./config/sys_global.conf.gz.v000002957
[symlink_config_file:404] the old version '/data/./config/sys_global.conf.gz.v000002956' is deleted
[symlink_config_file:406] '/data/./config/sys_global.conf.gz' has been symlink'ed to the new version '/data/./config/sys_global.conf.gz.v000002957'. The old version '/data/./config/sys_global.conf.gz.v000002956' has been deleted
zip config file /data/./config/sys_global.conf.gz success!