Special Notices

This section highlights some of the operational changes that administrators should be aware of in FortiAnalyzer version 5.6.11.

Mixed HA groups

FortiAnalyzer uses the High Availability (HA) group name to create and register FortiGate devices in Device Manager. When multiple FortiGate clusters use the same group name, they appear as one, mixed cluster in the Device Manager pane in FortiAnalyzer GUI. The solution is to disable automatic grouping of HA members in FortiAnalyzer and clean up the mixed cluster.

Automatic grouping of HA members is enabled by default in FortiAnalyzer.

The following example describes how to clean up a mixed cluster in FortiAnalyzer that contains two FortiGate clusters.

To disable automatic grouping of HA members:
  1. Log on to FortiAnalyzer and run the following command:

    conf sys global
    set ha-member-auto-grouping disable
    end

To clean up the mixed cluster:
  1. From FortiOS GUI, identify the High Availability (HA) primary and secondary members for the two clusters, according to the FortiGate HA infrastructure.
  2. In FortiAnalyzer GUI, clean up the mixed HA cluster by deleting the HA members for the second HA cluster.
    1. Go to Device Manager.
    2. Right-click the HA cluster and select Edit.
    3. Click the Delete icon to delete the members that do not belong to this cluster.

    The result is one HA cluster with the required devices. The deleted devices for the second cluster are displayed in the Unregistered device list.

  3. From FortiAnalyzer CLI, delete all the VDOM names from the mixed HA cluster by using the exe log device vdom delete <Device Name> <VDOM> command.
  4. From FortiAnalyzer GUI, verify and promote unregistered devices to the second cluster.
    1. Go to Device Manager, and verify that the deleted devices for the second HA cluster are displayed in the Unregistered device list as separate HA devices.
    2. Promote the unregistered HA devices as HA devices.
  5. In Device Manager, clean up the second cluster.
    1. Right-click the secondary device in the second cluster, and select Edit.
    2. Clear the HA Cluster check box to convert the secondary device to a standalone device.
    3. Right-click the primary device in the second cluster, and select Edit.
    4. Add the secondary device back to the cluster.
  6. In FortiAnalyzer, verify that there is a proper VDOM on the second cluster. If not, follow step 3 to delete the mixed VDOM by using the CLI.
  7. From FortiAnalyzer GUI, go to Device Manager, and press F5 to load all the VDOMs into the GUI.

Hyper-V FortiAnalyzer-VM running on an AMD CPU

A Hyper-V FAZ-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running VMs on an Intel-based PC.

IPsec connection to FortiOS for logging

FortiAnalyzer 5.4.2 and later does not support an IPsec connection with FortiOS 5.0/5.2. However, UDP, or TCP with reliable logging, is supported.

Instead of IPsec, you can use the FortiOS reliable logging feature to encrypt logs and send them to FortiAnalyzer. You can enable reliable logging on FortiOS under the config log fortianalyzer setting command. You can also control the encryption method on FortiOS with the set enc-algorithm default/high/low/disable command.

Datasets Related to Browse Time

FortiAnalyzer 5.4.2 contains enhancements to the calculation of estimated browse time. Because of these changes, if you upgrade from an image prior to FAZ 5.4.2, cloned datasets that query for browse time may not return any results after the upgrade.

System Configuration or VM License is Lost after Upgrade

When upgrading FortiAnalyzer from 5.4.0 or 5.4.1 to 5.4.x or 5.6.0, it is imperative to reboot the unit before installing the 5.4.x or 5.6.0 firmware image. Otherwise, FortiAnalyzer may lose its system configuration or VM license after the upgrade. Please see the FortiAnalyzer Upgrade Guide for details about upgrading. There are two options to recover the FortiAnalyzer unit:

  1. Reconfigure the system configuration, or add the VM license via the CLI with execute add-vm-license <vm license>.
  2. Restore the 5.4.0 backup and upgrade to 5.4.2.

SSLv3 on FortiAnalyzer-VM64-AWS

Due to known vulnerabilities in the SSLv3 protocol, FortiAnalyzer-VM64-AWS only enables TLSv1 by default. All other models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:

    config system global
    set ssl-protocol tlsv1
    end

Pre-processing logic of ebtime

Logs that meet all of the following conditions are considered usable for the calculation of estimated browsing time (ebtime):

Traffic logs with a logid of 13 or 2; when the logid is 13, the hostname field must not be empty. The service field must be HTTP, 80/TCP or 443/TCP.

If all of the above conditions are met, devid, vdom and user (srcip if user is empty) are combined into a key that identifies a user. For the time estimate, the duration of the current log is compared against the start and end times of that user's historical sessions, and only the un-overlapped part is counted as the ebtime of the current log.
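The following is an added worked illustration of the pre-processing rules described above, not FortiAnalyzer code; it assumes each log carries a session-end timestamp ts (epoch seconds) so that a session covers [ts - duration, ts], which the page does not state.

```python
# Added illustration (not FortiAnalyzer code); assumed: "ts" = session end, session = [ts-duration, ts].
USABLE_SERVICES = {"HTTP", "80/TCP", "443/TCP"}

def is_usable(log):
    """logid must be 13 or 2; logid 13 also needs a hostname; service must be web."""
    if log.get("logid") not in (13, 2):
        return False
    if log.get("logid") == 13 and not log.get("hostname"):
        return False
    return log.get("service") in USABLE_SERVICES

def user_key(log):
    """devid, vdom and user (srcip when user is empty) identify one browsing user."""
    return (log["devid"], log["vdom"], log.get("user") or log["srcip"])

def unoverlapped(start, end, history):
    """Length of [start, end] not already covered by the (start, end) pairs in history."""
    segments = [(start, end)]
    for h_start, h_end in history:
        nxt = []
        for s, e in segments:
            if h_end <= s or h_start >= e:   # disjoint: keep the whole segment
                nxt.append((s, e))
                continue
            if s < h_start:                  # part before the history session survives
                nxt.append((s, h_start))
            if e > h_end:                    # part after the history session survives
                nxt.append((h_end, e))
        segments = nxt
    return sum(e - s for s, e in segments)

def compute_ebtime(logs):
    """Per-user ebtime totals: each usable log adds only its un-overlapped duration."""
    history, totals = {}, {}
    for log in filter(is_usable, logs):
        key = user_key(log)
        start, end = log["ts"] - log["duration"], log["ts"]
        totals[key] = totals.get(key, 0) + unoverlapped(start, end, history.get(key, []))
        history.setdefault(key, []).append((start, end))
    return totals

# Constructed sample: two overlapping web sessions for alice; the 10.0.0.9 log is rejected.
SAMPLE_LOGS = [
    {"logid": 13, "devid": "FG1", "vdom": "root", "user": "alice", "srcip": "10.0.0.5",
     "hostname": "example.com", "service": "HTTP", "ts": 1100, "duration": 100},
    {"logid": 13, "devid": "FG1", "vdom": "root", "user": "alice", "srcip": "10.0.0.5",
     "hostname": "example.com", "service": "443/TCP", "ts": 1150, "duration": 100},
    {"logid": 13, "devid": "FG1", "vdom": "root", "user": "", "srcip": "10.0.0.9",
     "hostname": "", "service": "HTTP", "ts": 1200, "duration": 50},   # no hostname
]
```

With the sample, alice's second session [1050, 1150] overlaps the first [1000, 1100], so only 50 seconds of it count and her total is 150.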

Port 8443 reserved

Port 8443 is reserved for https-logging from FortiClient EMS for Chromebooks.
