Switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable
FortiOS supports switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable. Once the connectivity is restored, it will automatically fall back to the primary FortiAnalyzer.
This feature can be used in multi VDOM mode when FortiAnalyzer override settings are configured. |
To configure switching to an alternate FortiAnalyzer when the main FortiAnalyzer is unavailable:
-
Configure primary and alternate FortiAnalyzer servers:
config log fortianalyzer setting set status enable set server "172.16.200.250" set alt-server "172.16.200.251" set fallback-to-primary enable set serial "FAZ-VMTM22000000" "FAZ-VMTM23000003" end
-
Verify the primary and alternate FortiAnalyzer server IPs:
# diagnose test application fgtlogd 1 vdom-admin=1 mgmt=vdom1 fortilog: faz: global , enabled server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.250, realtime=3, ssl=1, state=connected server_log_status=Log is allowed., src=, mgmt_name=FGh_Log_vdom1_172.16.200.250, reliable=0, sni_prefix_type=none, required_entitlement=none, region=ca-west-1, logsync_enabled:1, logsync_conn_id:65535, seq_no:0 disconnect_jiffies:0 status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y SNs: last sn update:11 seconds ago. Sn list: (FAZ-VMTM22000000,age=11s) (FAZ-VMTM23000003,age=12s) queue: qlen=0. filter: severity=6, sz_exclude_list=0 traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter virtual-patch subcategory: traffic: forward local multicast sniffer ztna virus:all subcategories are enabled. webfilter:all subcategories are enabled. ips:all subcategories are enabled. emailfilter:all subcategories are enabled. anomaly:all subcategories are enabled. voip:all subcategories are enabled. dlp:all subcategories are enabled. app-ctrl:all subcategories are enabled. waf:all subcategories are enabled. dns:all subcategories are enabled. ssh:all subcategories are enabled. ssl:all subcategories are enabled. file-filter:all subcategories are enabled. icap:all subcategories are enabled. sctp-filter:all subcategories are enabled. virtual-patch:all subcategories are enabled. server: global, id=0, ready=1, name=172.16.200.250 addr=172.16.200.250:514 oftp-state=connected primary oftp status:null probe oftp status:null, 442
The 172.16.200.250 server is currently active and acting as the primary FortiAnalyzer.
-
Make the primary FortiAnalyzer server go down. The FortiGate will automatically connect to the alternate FortiAnalyzer server.
-
Verify the FortiAnalyzer server status information:
# diagnose test application fgtlogd 1 vdom-admin=1 mgmt=vdom1 fortilog: faz: global , enabled server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.251, realtime=3, ssl=1, state=connected server_log_status=Log is allowed., src=, mgmt_name=FGh_Log_vdom1_172.16.200.250, reliable=0, sni_prefix_type=none, required_entitlement=none, region=ca-west-1, logsync_enabled:1, logsync_conn_id:65535, seq_no:0 disconnect_jiffies:0 status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y SNs: last sn update:30 seconds ago. Sn list: (FAZ-VMTM22000000,age=30s) (FAZ-VMTM23000003,age=31s) queue: qlen=0. filter: severity=6, sz_exclude_list=0 traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter virtual-patch subcategory: traffic: forward local multicast sniffer ztna virus:all subcategories are enabled. webfilter:all subcategories are enabled. ips:all subcategories are enabled. emailfilter:all subcategories are enabled. anomaly:all subcategories are enabled. voip:all subcategories are enabled. dlp:all subcategories are enabled. app-ctrl:all subcategories are enabled. waf:all subcategories are enabled. dns:all subcategories are enabled. ssh:all subcategories are enabled. ssl:all subcategories are enabled. file-filter:all subcategories are enabled. icap:all subcategories are enabled. sctp-filter:all subcategories are enabled. virtual-patch:all subcategories are enabled. server: global, id=0, ready=1, name=172.16.200.250 addr=172.16.200.250:514 oftp-state=connected probe oftp status:null, 38
The 172.16.200.251 server is currently active and acting as the primary FortiAnalyzer.
-
Restore the connection to the 172.16.200.250 server. The FortiGate will automatically reconnect to this FortiAnalyzer server.
-
Verify the FortiAnalyzer server status information:
# diagnose test application fgtlogd 1 vdom-admin=1 mgmt=vdom1 fortilog: faz: global , enabled server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.250, realtime=3, ssl=1, state=connected server_log_status=Log is allowed., src=, mgmt_name=FGh_Log_vdom1_172.16.200.250, reliable=0, sni_prefix_type=none, required_entitlement=none, region=ca-west-1, logsync_enabled:1, logsync_conn_id:65535, seq_no:0 disconnect_jiffies:0 status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y SNs: last sn update:11 seconds ago. Sn list: (FAZ-VMTM22000000,age=58s) (FAZ-VMTM23000003,age=59s) queue: qlen=0. filter: severity=6, sz_exclude_list=0 traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter virtual-patch subcategory: traffic: forward local multicast sniffer ztna virus:all subcategories are enabled. webfilter:all subcategories are enabled. ips:all subcategories are enabled. emailfilter:all subcategories are enabled. anomaly:all subcategories are enabled. voip:all subcategories are enabled. dlp:all subcategories are enabled. app-ctrl:all subcategories are enabled. waf:all subcategories are enabled. dns:all subcategories are enabled. ssh:all subcategories are enabled. ssl:all subcategories are enabled. file-filter:all subcategories are enabled. icap:all subcategories are enabled. sctp-filter:all subcategories are enabled. virtual-patch:all subcategories are enabled. server: global, id=0, ready=1, name=172.16.200.250 addr=172.16.200.250:514 oftp-state=connected primary oftp status:null probe oftp status:null, 530
The 172.16.200.250 server is currently active and acting as the primary FortiAnalyzer again.
To manually switch from the primary to alternate FortiAnalyzer (and vice-versa):
# execute log {fortianalyzer | fortianalyzer2 | fortianalyzer3} manual-failover
If the primary server is still up, the behavior resulting from running this command is based on the fallback-to-primary
setting configured in the global FortiAnalyzer log settings.
-
If
fallback-to-primary
is enabled (default), runningexecute log fortianalyzer manual-failover
will switch to the alternate FortiAnalyzer, but it will switch back to the primary since it is not actually down. -
If
fallback-to-primary
is disabled, runningexecute log fortianalyzer manual-failover
will switch to the alternate FortiAnalyzer, and it will not switch back to the primary.