Article Id 193264



This article explains what to do when access to the admin password for a FortiManager or FortiAnalyzer unit is lost.




FortiManager, FortiAnalyzer.



FortiManager or FortiAnalyzer products do not have a password recovery mechanism (maintainer account) as there is in FortiOS.

There are two approaches for dealing with this scenario. 

Note: Special precautions must be taken if workflow mode is in use (see below).


1. BIOS Configuration Menu (Does NOT require a configuration backup file)

For FortiManager and FortiAnalyzer appliances, formatting flash and reloading the image (from the BIOS configuration menu) will erase the system settings, including the administrative accounts.

Note: System settings include IP and routes. Access to the serial console to reconfigure IP and routing is required to restore remote connectivity.

The factory-default administrative account can then be used. Information about managed devices (e.g. policy packages on FortiManager and logs and reports on FortiAnalyzer) is unaffected by these changes and is still preserved on the disk.

Note: For FortiManager and FortiAnalyzer VMs, the above step is not an option.

Workflow sessions are lost when using this approach.
The above steps are only for appliances. For VMware, it is possible to replace the storage disk and so accomplish the same purpose (see "Related Articles").

2. Migrate Command (Requires a configuration backup file)

Version 5.4.1 introduced the exec migrate command, which allows a backup of the configuration file to be loaded.

See related KB Article "Using 'exec migrate' to migrate to a new FortiAnalyzer/FortiManager model".

This approach is the main one for virtual machines (VMs) because approach #1 above only applies to appliances and not VMs.

1. Create a new VM.

Note: Prior to running exec migrate:

If workflow mode was in use on the original unit, workflow mode should be enabled on the new unit PRIOR to running exec migrate.
If this order is followed, workflow sessions are preserved.

Also, if multiple ADOMs were previously in use, enable ADOMs first.

2. Run the exec migrate command.
3. The default admin account and password can still be used (system settings are not restored).
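
The order of operations above, written out as a CLI session on the new VM. This is an added example, not part of the original article: the server address, file path, credentials and the closing password change are assumptions, and the argument order of the migrate command should be confirmed with the CLI's built-in help on the running version.

```console
# Constructed example for a new FortiManager/FortiAnalyzer VM on 5.4.1 or later.
# Values in angle brackets are placeholders.

# Only if multiple ADOMs were in use on the original unit: enable ADOMs first.
config system global
    set adom-status enable
end

# Only if workflow mode was in use on the original unit (FortiManager):
# enable it BEFORE migrating so that workflow sessions are preserved.
config system global
    set workspace-mode workflow
end

# Load the configuration backup from a file server.
# Check the expected arguments first with: execute migrate all-settings ?
execute migrate all-settings sftp <server-ip> <path/to/backup-file> <username> <password>

# System settings are not restored, so the default admin account is still
# active with its default password. Set a new one before exposing the unit
# to the management network (added hardening step, not from the article).
config system admin user
    edit admin
        set password <new-strong-password>
    next
end
```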

For FortiManager and FortiAnalyzer VMs prior to 5.4.1, contact Fortinet Technical Support for assistance.


Related articles: