Fortinet white logo
Fortinet white logo

Administration Guide

Switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable

Switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable

FortiOS supports switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable. Once the connectivity is restored, it will automatically fall back to the primary FortiAnalyzer.

Note

This feature can be used in multi VDOM mode when FortiAnalyzer override settings are configured.

To configure switching to an alternate FortiAnalyzer when the main FortiAnalyzer is unavailable:
  1. Configure primary and alternate FortiAnalyzer servers:

    config log fortianalyzer setting
        set status enable
        set server "172.16.200.250"
        set alt-server "172.16.200.251"
        set fallback-to-primary enable
        set serial "FAZ-VMTM22000000" "FAZ-VMTM23000003"
    end
  2. Verify the primary and alternate FortiAnalyzer server IPs:

    # diagnose test application fgtlogd 1
    vdom-admin=1
    mgmt=vdom1
    
    fortilog:
    faz: global , enabled 
            server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.250, realtime=3, ssl=1, state=connected
            server_log_status=Log is allowed.,
            src=, mgmt_name=FGh_Log_vdom1_172.16.200.250, reliable=0, sni_prefix_type=none,
            required_entitlement=none, region=ca-west-1,
            logsync_enabled:1, logsync_conn_id:65535, seq_no:0
            disconnect_jiffies:0
                    status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                    SNs: last sn update:11 seconds ago.
                            Sn list:
                            (FAZ-VMTM22000000,age=11s)      (FAZ-VMTM23000003,age=12s)
                    queue: qlen=0.
    filter: severity=6, sz_exclude_list=0
             traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter virtual-patch
    subcategory:
            traffic: forward local multicast sniffer ztna
            virus:all subcategories are enabled.
            webfilter:all subcategories are enabled.
            ips:all subcategories are enabled.
            emailfilter:all subcategories are enabled.
            anomaly:all subcategories are enabled.
            voip:all subcategories are enabled.
            dlp:all subcategories are enabled.
            app-ctrl:all subcategories are enabled.
            waf:all subcategories are enabled.
            dns:all subcategories are enabled.
            ssh:all subcategories are enabled.
            ssl:all subcategories are enabled.
            file-filter:all subcategories are enabled.
            icap:all subcategories are enabled.
            sctp-filter:all subcategories are enabled.
            virtual-patch:all subcategories are enabled.
    
            server: global, id=0, ready=1, name=172.16.200.250 addr=172.16.200.250:514
            oftp-state=connected
            primary oftp status:null
            probe oftp status:null, 442

    The 172.16.200.250 server is currently active and acting as the primary FortiAnalyzer.

  3. Make the primary FortiAnalyzer server go down. The FortiGate will automatically connect to the alternate FortiAnalyzer server.

  4. Verify the FortiAnalyzer server status information:

    # diagnose  test application fgtlogd 1
    vdom-admin=1
    mgmt=vdom1
    
    fortilog:
    faz: global , enabled 
            server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.251, realtime=3, ssl=1, state=connected
            server_log_status=Log is allowed.,
            src=, mgmt_name=FGh_Log_vdom1_172.16.200.250, reliable=0, sni_prefix_type=none,
            required_entitlement=none, region=ca-west-1,
            logsync_enabled:1, logsync_conn_id:65535, seq_no:0
            disconnect_jiffies:0
                    status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                    SNs: last sn update:30 seconds ago.
                            Sn list:
                            (FAZ-VMTM22000000,age=30s)      (FAZ-VMTM23000003,age=31s)
                    queue: qlen=0.
    filter: severity=6, sz_exclude_list=0
             traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter virtual-patch
    subcategory:
            traffic: forward local multicast sniffer ztna
            virus:all subcategories are enabled.
            webfilter:all subcategories are enabled.
            ips:all subcategories are enabled.
            emailfilter:all subcategories are enabled.
            anomaly:all subcategories are enabled.
            voip:all subcategories are enabled.
            dlp:all subcategories are enabled.
            app-ctrl:all subcategories are enabled.
            waf:all subcategories are enabled.
            dns:all subcategories are enabled.
            ssh:all subcategories are enabled.
            ssl:all subcategories are enabled.
            file-filter:all subcategories are enabled.
            icap:all subcategories are enabled.
            sctp-filter:all subcategories are enabled.
            virtual-patch:all subcategories are enabled.
    
            server: global, id=0, ready=1, name=172.16.200.250 addr=172.16.200.250:514
            oftp-state=connected
            probe oftp status:null, 38

    The 172.16.200.251 server is currently active and acting as the primary FortiAnalyzer.

  5. Restore the connection to the 172.16.200.250 server. The FortiGate will automatically reconnect to this FortiAnalyzer server.

  6. Verify the FortiAnalyzer server status information:

    # diagnose test application fgtlogd 1
    vdom-admin=1
    mgmt=vdom1
    
    fortilog:
    faz: global , enabled 
            server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.250, realtime=3, ssl=1, state=connected
            server_log_status=Log is allowed.,
            src=, mgmt_name=FGh_Log_vdom1_172.16.200.250, reliable=0, sni_prefix_type=none,
            required_entitlement=none, region=ca-west-1,
            logsync_enabled:1, logsync_conn_id:65535, seq_no:0
            disconnect_jiffies:0
                    status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                    SNs: last sn update:11 seconds ago.
                            Sn list:
                            (FAZ-VMTM22000000,age=58s)      (FAZ-VMTM23000003,age=59s)
                    queue: qlen=0.
    filter: severity=6, sz_exclude_list=0
             traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter virtual-patch
    subcategory:
            traffic: forward local multicast sniffer ztna
            virus:all subcategories are enabled.
            webfilter:all subcategories are enabled.
            ips:all subcategories are enabled.
            emailfilter:all subcategories are enabled.
            anomaly:all subcategories are enabled.
            voip:all subcategories are enabled.
            dlp:all subcategories are enabled.
            app-ctrl:all subcategories are enabled.
            waf:all subcategories are enabled.
            dns:all subcategories are enabled.
            ssh:all subcategories are enabled.
            ssl:all subcategories are enabled.
            file-filter:all subcategories are enabled.
            icap:all subcategories are enabled.
            sctp-filter:all subcategories are enabled.
            virtual-patch:all subcategories are enabled.
    
            server: global, id=0, ready=1, name=172.16.200.250 addr=172.16.200.250:514
            oftp-state=connected
            primary oftp status:null
            probe oftp status:null, 530

    The 172.16.200.250 server is currently active and acting as the primary FortiAnalyzer again.

To manually switch from the primary to alternate FortiAnalyzer (and vice-versa):
# execute log {fortianalyzer | fortianalyzer2 | fortianalyzer3} manual-failover

If the primary server is still up, the behavior resulting from running this command is based on the fallback-to-primary setting configured in the global FortiAnalyzer log settings.

  • If fallback-to-primary is enabled (default), running execute log fortianalyzer manual-failover will switch to the alternate FortiAnalyzer, but it will switch back to the primary since it is not actually down.

  • If fallback-to-primary is disabled, running execute log fortianalyzer manual-failover will switch to the alternate FortiAnalyzer, and it will not switch back to the primary.

Switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable

Switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable

FortiOS supports switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable. Once the connectivity is restored, it will automatically fall back to the primary FortiAnalyzer.

Note

This feature can be used in multi VDOM mode when FortiAnalyzer override settings are configured.

To configure switching to an alternate FortiAnalyzer when the main FortiAnalyzer is unavailable:
  1. Configure primary and alternate FortiAnalyzer servers:

    config log fortianalyzer setting
        set status enable
        set server "172.16.200.250"
        set alt-server "172.16.200.251"
        set fallback-to-primary enable
        set serial "FAZ-VMTM22000000" "FAZ-VMTM23000003"
    end
  2. Verify the primary and alternate FortiAnalyzer server IPs:

    # diagnose test application fgtlogd 1
    vdom-admin=1
    mgmt=vdom1
    
    fortilog:
    faz: global , enabled 
            server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.250, realtime=3, ssl=1, state=connected
            server_log_status=Log is allowed.,
            src=, mgmt_name=FGh_Log_vdom1_172.16.200.250, reliable=0, sni_prefix_type=none,
            required_entitlement=none, region=ca-west-1,
            logsync_enabled:1, logsync_conn_id:65535, seq_no:0
            disconnect_jiffies:0
                    status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                    SNs: last sn update:11 seconds ago.
                            Sn list:
                            (FAZ-VMTM22000000,age=11s)      (FAZ-VMTM23000003,age=12s)
                    queue: qlen=0.
    filter: severity=6, sz_exclude_list=0
             traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter virtual-patch
    subcategory:
            traffic: forward local multicast sniffer ztna
            virus:all subcategories are enabled.
            webfilter:all subcategories are enabled.
            ips:all subcategories are enabled.
            emailfilter:all subcategories are enabled.
            anomaly:all subcategories are enabled.
            voip:all subcategories are enabled.
            dlp:all subcategories are enabled.
            app-ctrl:all subcategories are enabled.
            waf:all subcategories are enabled.
            dns:all subcategories are enabled.
            ssh:all subcategories are enabled.
            ssl:all subcategories are enabled.
            file-filter:all subcategories are enabled.
            icap:all subcategories are enabled.
            sctp-filter:all subcategories are enabled.
            virtual-patch:all subcategories are enabled.
    
            server: global, id=0, ready=1, name=172.16.200.250 addr=172.16.200.250:514
            oftp-state=connected
            primary oftp status:null
            probe oftp status:null, 442

    The 172.16.200.250 server is currently active and acting as the primary FortiAnalyzer.

  3. Make the primary FortiAnalyzer server go down. The FortiGate will automatically connect to the alternate FortiAnalyzer server.

  4. Verify the FortiAnalyzer server status information:

    # diagnose  test application fgtlogd 1
    vdom-admin=1
    mgmt=vdom1
    
    fortilog:
    faz: global , enabled 
            server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.251, realtime=3, ssl=1, state=connected
            server_log_status=Log is allowed.,
            src=, mgmt_name=FGh_Log_vdom1_172.16.200.250, reliable=0, sni_prefix_type=none,
            required_entitlement=none, region=ca-west-1,
            logsync_enabled:1, logsync_conn_id:65535, seq_no:0
            disconnect_jiffies:0
                    status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                    SNs: last sn update:30 seconds ago.
                            Sn list:
                            (FAZ-VMTM22000000,age=30s)      (FAZ-VMTM23000003,age=31s)
                    queue: qlen=0.
    filter: severity=6, sz_exclude_list=0
             traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter virtual-patch
    subcategory:
            traffic: forward local multicast sniffer ztna
            virus:all subcategories are enabled.
            webfilter:all subcategories are enabled.
            ips:all subcategories are enabled.
            emailfilter:all subcategories are enabled.
            anomaly:all subcategories are enabled.
            voip:all subcategories are enabled.
            dlp:all subcategories are enabled.
            app-ctrl:all subcategories are enabled.
            waf:all subcategories are enabled.
            dns:all subcategories are enabled.
            ssh:all subcategories are enabled.
            ssl:all subcategories are enabled.
            file-filter:all subcategories are enabled.
            icap:all subcategories are enabled.
            sctp-filter:all subcategories are enabled.
            virtual-patch:all subcategories are enabled.
    
            server: global, id=0, ready=1, name=172.16.200.250 addr=172.16.200.250:514
            oftp-state=connected
            probe oftp status:null, 38

    The 172.16.200.251 server is currently active and acting as the primary FortiAnalyzer.

  5. Restore the connection to the 172.16.200.250 server. The FortiGate will automatically reconnect to this FortiAnalyzer server.

  6. Verify the FortiAnalyzer server status information:

    # diagnose test application fgtlogd 1
    vdom-admin=1
    mgmt=vdom1
    
    fortilog:
    faz: global , enabled 
            server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.250, realtime=3, ssl=1, state=connected
            server_log_status=Log is allowed.,
            src=, mgmt_name=FGh_Log_vdom1_172.16.200.250, reliable=0, sni_prefix_type=none,
            required_entitlement=none, region=ca-west-1,
            logsync_enabled:1, logsync_conn_id:65535, seq_no:0
            disconnect_jiffies:0
                    status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                    SNs: last sn update:11 seconds ago.
                            Sn list:
                            (FAZ-VMTM22000000,age=58s)      (FAZ-VMTM23000003,age=59s)
                    queue: qlen=0.
    filter: severity=6, sz_exclude_list=0
             traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter virtual-patch
    subcategory:
            traffic: forward local multicast sniffer ztna
            virus:all subcategories are enabled.
            webfilter:all subcategories are enabled.
            ips:all subcategories are enabled.
            emailfilter:all subcategories are enabled.
            anomaly:all subcategories are enabled.
            voip:all subcategories are enabled.
            dlp:all subcategories are enabled.
            app-ctrl:all subcategories are enabled.
            waf:all subcategories are enabled.
            dns:all subcategories are enabled.
            ssh:all subcategories are enabled.
            ssl:all subcategories are enabled.
            file-filter:all subcategories are enabled.
            icap:all subcategories are enabled.
            sctp-filter:all subcategories are enabled.
            virtual-patch:all subcategories are enabled.
    
            server: global, id=0, ready=1, name=172.16.200.250 addr=172.16.200.250:514
            oftp-state=connected
            primary oftp status:null
            probe oftp status:null, 530

    The 172.16.200.250 server is currently active and acting as the primary FortiAnalyzer again.

To manually switch from the primary to alternate FortiAnalyzer (and vice-versa):
# execute log {fortianalyzer | fortianalyzer2 | fortianalyzer3} manual-failover

If the primary server is still up, the behavior resulting from running this command is based on the fallback-to-primary setting configured in the global FortiAnalyzer log settings.

  • If fallback-to-primary is enabled (default), running execute log fortianalyzer manual-failover will switch to the alternate FortiAnalyzer, but it will switch back to the primary since it is not actually down.

  • If fallback-to-primary is disabled, running execute log fortianalyzer manual-failover will switch to the alternate FortiAnalyzer, and it will not switch back to the primary.