Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

Fortianalyzer add device works but the ip address is empty and no logs

For a client, in his local FortiAnalyzerVM (v7.4.1), I added the local Fortigate200F (v7.2.4), and it work great.


So I tryed to add, with the same "Device Manager-Add Device" a FortigateVM (v7.2.4) in AWS with the serial number, but even if the wizard say "complete", at the end, nothing works.


The network is like this:

Local - Fortigate200F - internet - IPSec Tunnel - internet - AWS - (WAN EC2 FortigateVM (LAN - remote AWS EC2 servers


All pings works in all direction, except if I go on the FortigateVM in the CLI, and ping the FortiAnalyzer.


But that ping works if I add a ping-options source like this:

FortigateVM# exec ping-options source (internal LAN ip-address of the FortigateVM)


Obliviously, if I test the FortigateVM settings of Fortianalyzer, it's not there:

FortigateVM# get log fortianalyzer setting
status : disable

So this comes with two questions:


Q1 - By default, does the exec ping uses the WAN1 ip address all the time?

Q2 - In a 2012 post here, they suggest to use the "config log fortianalyzer override-setting" to force a source-ip address...


Forcing it...
System - Feature Visibility : Local Out Routing (Enable)
Security Fabric - Fabric Connectors - Logging & Analytics - Edit settings , and enable/configure FortiAnalyzer, it wont connect, can't get the serial number.
Network - Local Out Routing - Edit Log FortiAnalyzer Setting to specify an interface you could ping the FortiAnalyzer from and forcing a source-ip...

Validating with "get log fortianalyzer setting" shows it's using the correct port and the source-ip is correct...


STILL not working!



Take a sniffer by executing the following command: 'di sniffer packet any 'host x.x.x.x and port 541', where x.x.x.x is the IP of the FortiAnalyzer. We want to verify they are talking back and forth properly with your current settings. 

"Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth."
New Contributor III

Thanks for the answer and guidance. I'll So, at first I tryed the basic with the sniffer...


FortiAnalyzerVM : sniff anything from FortigateVM, ping, and confirm it work.
FortigateVM : exec ping-options source, sniff anything from FortiAnalyzerVM, ping, and it works. (With the ping-options source parameter, more on that later).


Keep sniffing everything (not just port 541) from one another, and from the FortiAnalyzerVM, "add device" by adding the FortigateVM with the serial number : Answer "Device is added successfully."


There are no traffic at all between the two.


Just for fun, locally, I nmap (scan) the FortiAnalyzerVM ports, and 541 and 514 where closed. But the local Fortigate200F is working even without that.

Officially, it's only port 514


So, I have changed the port configuration on the FortiAnalyzerVM to allow "Web Service" and "FortiManager".


Now, local network nmap FortiAnalyzerVM , ports 541 and 514 are now open.
Same for remote network nmap from the network 10.0.1.x, ports 541 and 514 are now open.


No changes.


Maybe it's a bug , I have a feeling that the FortigateVM does not follow it's own config to force the connection from the source-ip parameter. Because it's it's using only the current routing tables, it wont work, just like the ping without the "ping-options source" option.


get log fortianalyzer setting
FortigateVM # get log fortianalyzer setting
status : enable
ips-archive : enable
server :
source-ip :
interface-select-method: specify
interface : port2


Any more ideas?


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors