FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
idabouzi
Staff
Article Id 413042
Description This article describes how to fix the 'Device merged by IP' error.
Scope FortiSIEM.
Solution

This error occurs when adding new devices fails, usually with a 'skipped' error shown in the GUI.

The logs show the message below.

Example:


2025-07-04 14:41:30,089 [pool-14-thread-35750] INFO com.ph.phoenix.framework.logging.PhAudit - [PH_AUDIT_DEVICE_MERGED_BY_IP_WITH_DIFF_NAME]:[phCustId]=2008,[eventSeverity]=PHL_INFO,[phEventCategory]=2,[procName]=AppServer,[user]=SYSTEM(su),[customer]=xxxxx,[hostName]=server1,[targetHostName]=server2,[overlapIp]=10.1.1.1,[phLogDetail]=Device merged by IP with different device name

 

The log shows an IP (10.1.1.1) shared between two devices, server1 and server2: '[overlapIp]=10.1.1.1'.

To fix this issue, go to Admin -> Settings -> Discovery -> Generic and add the shared IP 10.1.1.1 to 'Virtual IPs'.

Marking the IP as a Virtual IP tells FortiSIEM not to merge devices that have the same IP on another interface, so these two devices are discovered successfully.
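When several devices are skipped, it helps to collect every overlapping IP from the audit messages before editing 'Virtual IPs'. The script below is an added example, not Fortinet code: it parses the '[key]=value' fields of the message shown above and groups device names by overlapping IP. The function names are hypothetical, and the log text is assumed to be piped in on standard input.

```python
import re
import sys
from collections import defaultdict

EVENT = "PH_AUDIT_DEVICE_MERGED_BY_IP_WITH_DIFF_NAME"
# A value runs to the next ",[key]=" or end of line, so values may contain commas.
FIELD = re.compile(r"\[(\w+)\]=(.*?)(?=,\[\w+\]=|$)")

# First line is the example from the article; the other two are constructed.
SAMPLE = [
    "2025-07-04 14:41:30,089 [pool-14-thread-35750] INFO com.ph.phoenix.framework.logging.PhAudit - "
    "[PH_AUDIT_DEVICE_MERGED_BY_IP_WITH_DIFF_NAME]:[phCustId]=2008,[eventSeverity]=PHL_INFO,"
    "[phEventCategory]=2,[procName]=AppServer,[user]=SYSTEM(su),[customer]=xxxxx,[hostName]=server1,"
    "[targetHostName]=server2,[overlapIp]=10.1.1.1,[phLogDetail]=Device merged by IP with different device name",
    "2025-07-04 14:52:07,412 [pool-14-thread-35761] INFO com.ph.phoenix.framework.logging.PhAudit - "
    "[PH_AUDIT_DEVICE_MERGED_BY_IP_WITH_DIFF_NAME]:[phCustId]=2008,[hostName]=server3,"
    "[targetHostName]=server1,[overlapIp]=10.1.1.1,[phLogDetail]=Device merged by IP with different device name",
    "2025-07-04 14:53:00,001 constructed unrelated line that must be ignored",
]

def parse_merge_event(line):
    """Return the [key]=value fields of a merge audit line, or None for other lines."""
    marker = f"[{EVENT}]:"
    pos = line.find(marker)
    if pos < 0:
        return None
    fields = dict(FIELD.findall(line[pos + len(marker):].rstrip()))
    # Skip truncated lines that lack the fields needed to act on the event.
    if not {"overlapIp", "hostName", "targetHostName"} <= fields.keys():
        return None
    return fields

def overlaps(lines):
    """Map (phCustId, overlapIp) -> sorted device names seen merging on that IP."""
    seen = defaultdict(set)
    for line in lines:
        f = parse_merge_event(line)
        if f:
            key = (f.get("phCustId", ""), f["overlapIp"])
            seen[key].update((f["hostName"], f["targetHostName"]))
    return {key: sorted(names) for key, names in seen.items()}

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for (cust, ip), names in sorted(overlaps(source).items()):
        print(f"phCustId={cust} overlapIp={ip} devices={','.join(names)}")
```

Each output line is one candidate for the 'Virtual IPs' list; confirm that the address really is shared between distinct devices before adding it.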

 

Related document:
Discovery Settings