Administration Guide

Add FortiAnalyzer or FortiAnalyzer BigData

Adding a FortiAnalyzer or FortiAnalyzer BigData device to FortiManager gives FortiManager visibility into the logs on the FortiAnalyzer, providing a Single Pane of Glass on FortiManager. It also enables FortiAnalyzer Features, including:

  • FortiView
  • Log View
  • Incidents & Events
  • Reports

For information about FortiAnalyzer Features, see FortiAnalyzer Features. See also Viewing policy rules and View logs related to a policy rule.

To add a FortiAnalyzer or FortiAnalyzer BigData to FortiManager, both must be running the same OS version, and that version must be 5.6 or later.

FortiAnalyzer BigData-VM and FortiAnalyzer BigData 4500F devices are supported.

If FortiAnalyzer Features are enabled, you cannot add a FortiAnalyzer or FortiAnalyzer BigData to FortiManager. See FortiAnalyzer Features.

In addition, you cannot add a FortiAnalyzer or FortiAnalyzer BigData to FortiManager when ADOMs are enabled with ADOM mode set to Advanced.

As of 7.4.1, there are two methods to add a FortiAnalyzer to FortiManager.

ADOMs disabled

When you add a FortiAnalyzer device to FortiManager with ADOMs disabled, all devices with logging enabled can send logs to the FortiAnalyzer device. You can add only one FortiAnalyzer device to FortiManager, and the FortiAnalyzer device limit must be equal to or greater than the number of devices managed by FortiManager.

When you add additional devices with logging enabled to FortiManager, the managed devices can send logs to the FortiAnalyzer device. The new devices display in the Device Manager pane on the FortiAnalyzer unit when FortiManager synchronizes with the FortiAnalyzer unit.

ADOMs enabled

When you add a FortiAnalyzer device to FortiManager with ADOMs enabled, all devices with logging enabled in the ADOM can send logs to the FortiAnalyzer device. Following are the guidelines for adding a FortiAnalyzer device to FortiManager when ADOMs are enabled:

  • FortiAnalyzer devices can be added to each ADOM, and the FortiAnalyzer device limit must be equal to or greater than the number of devices in the ADOM.
  • The same FortiAnalyzer device can be added to more than one ADOM.
  • The same ADOM name and settings must exist on the FortiAnalyzer device and FortiManager. The wizard synchronizes these settings for you if there is a mismatch.
  • The logging devices in the FortiAnalyzer ADOM and FortiManager ADOM must be the same. The wizard synchronizes these settings for you.
  • When one FortiAnalyzer is added to more than one ADOM, FortiAnalyzer features and visibility in the ADOM are limited to the logging devices included in the ADOM.

When you add additional devices with logging enabled to an ADOM in FortiManager, the managed devices can send logs to the FortiAnalyzer device in the ADOM. The new devices display in the Device Manager pane on the FortiAnalyzer unit when FortiManager synchronizes with the FortiAnalyzer unit.
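
The prerequisites in the note and the ADOM guidelines above can be checked before running the wizard. The following is an added example, not Fortinet code: the dictionary layout, field names such as adom_mode and device_limit, and the device names are hypothetical and constructed for illustration, and "same OS version" is assumed to mean identical version strings.

```python
# Added example: pre-flight check for the prerequisites and ADOM guidelines.
# The data layout is hypothetical, not a FortiManager/FortiAnalyzer export format.

def parse_version(text):
    """Turn '7.4.1' into (7, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def preflight(fmg, faz):
    """Return a list of findings; an empty list means no blocker was found."""
    findings = []
    fmg_ver, faz_ver = parse_version(fmg["version"]), parse_version(faz["version"])
    # Assumption: "same OS version" is checked as identical version strings.
    if fmg_ver != faz_ver:
        findings.append(f"version mismatch: FortiManager {fmg['version']} "
                        f"vs FortiAnalyzer {faz['version']}")
    if min(fmg_ver, faz_ver)[:2] < (5, 6):
        findings.append("version below 5.6")
    if fmg["faz_features_enabled"]:
        findings.append("FortiAnalyzer Features are enabled on FortiManager")
    if fmg["adoms_enabled"] and fmg["adom_mode"] == "advanced":
        findings.append("ADOM mode is Advanced")
    # With ADOMs disabled, model all managed devices as one 'root' entry.
    for adom, devices in sorted(fmg["adoms"].items()):
        if faz["device_limit"] < len(devices):
            findings.append(f"{adom}: device limit {faz['device_limit']} "
                            f"< {len(devices)} devices")
        fmg_logging = {name for name, logging in devices.items() if logging}
        faz_logging = set(faz["adoms"].get(adom, ()))
        # The wizard synchronizes these sets; report the drift it would reconcile.
        for name in sorted(fmg_logging ^ faz_logging):
            side = "FortiManager" if name in fmg_logging else "FortiAnalyzer"
            findings.append(f"{adom}: logging device {name} exists only on {side}")
    return findings


# Constructed sample inventory; values map device name -> logging enabled.
SAMPLE_FMG = {
    "version": "7.4.1", "faz_features_enabled": False,
    "adoms_enabled": True, "adom_mode": "normal",
    "adoms": {"branch": {"fgt-b1": True, "fgt-b2": True, "fgt-b3": False},
              "dc": {"fgt-dc1": True}},
}
SAMPLE_FAZ = {"version": "7.4.0", "device_limit": 2,
              "adoms": {"branch": ["fgt-b1"], "dc": ["fgt-dc1", "fgt-old"]}}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_FMG, SAMPLE_FAZ):
        print(finding)
```

Devices reported as existing only on the FortiManager side are managed devices whose logs are not yet visible on the FortiAnalyzer, which is the coverage gap worth confirming is closed after synchronization.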

Provisioning templates for log settings

After you add a FortiAnalyzer device to FortiManager, you can use FortiManager to enable logging for all FortiGates in the root ADOM (when ADOMs are disabled) or the ADOM (when ADOMs are enabled) by using the log settings in a system template. See System templates.

Log storage and configuration

Logs are stored on the FortiAnalyzer device, not the FortiManager device. You configure log storage settings on the FortiAnalyzer device; you cannot change log storage settings using FortiManager.

Configuration and data for FortiAnalyzer features

When FortiManager manages a FortiAnalyzer unit, all configuration and data is kept on the FortiAnalyzer unit to support the following FortiAnalyzer features: FortiView, Log View, Incidents & Events, and Reports. FortiManager remotely accesses the FortiAnalyzer unit to retrieve requested information for FortiAnalyzer features. For example, if you use the Reports pane in FortiManager to create a report, the report is created on the FortiAnalyzer unit and remotely accessed by FortiManager.
