Special Notices
This section highlights some of the operational changes that administrators should be aware of in FortiAnalyzer version 5.6.11.
Mixed HA groups
FortiAnalyzer uses the High Availability (HA) group name to create and register FortiGate devices in Device Manager. When multiple FortiGate clusters use the same group name, they appear as one mixed cluster in the Device Manager pane of the FortiAnalyzer GUI. The solution is to disable automatic grouping of HA members in FortiAnalyzer and then clean up the mixed cluster.
Automatic grouping of HA members is enabled by default in FortiAnalyzer.
The following example describes how to clean up a mixed cluster in FortiAnalyzer that contains two FortiGate clusters.
To disable automatic grouping of HA members:
- Log on to FortiAnalyzer and run the following command:
conf sys global
set ha-member-auto-grouping disable
end
To clean up the mixed cluster:
- From FortiOS GUI, identify the High Availability (HA) primary and secondary members for the two clusters, according to the FortiGate HA infrastructure.
- In FortiAnalyzer GUI, clean up the mixed HA cluster by deleting the HA members for the second HA cluster.
- Go to Device Manager.
- Right-click the HA cluster and select Edit.
- Click the Delete icon to delete the members that do not belong to this cluster.
The result is one HA cluster with the required devices. The deleted devices for the second cluster are displayed in the Unregistered device list.
- From FortiAnalyzer CLI, delete all the VDOM names from the mixed HA cluster by using the following command:
exe log device vdom delete <Device Name> <VDOM>
- From FortiAnalyzer GUI, verify and promote unregistered devices to the second cluster.
- Go to Device Manager, and verify that the deleted devices for the second HA cluster are displayed in the Unregistered device list as separate HA devices.
- Promote the unregistered HA devices as HA devices.
- In Device Manager, clean up the second cluster.
- Right-click the secondary device in the second cluster, and select Edit.
- Clear the HA Cluster check box to convert the secondary device to a standalone device.
- Right-click the primary device in the second cluster, and select Edit.
- Add the secondary device back to the cluster.
- In FortiAnalyzer, verify that there is a proper VDOM on the second cluster. If not, follow step 3 to delete the mixed VDOM by using the CLI.
- From FortiAnalyzer GUI, go to Device Manager, and press F5 to load all the VDOMs into the GUI.
Hyper-V FortiAnalyzer-VM running on an AMD CPU
A Hyper-V FAZ-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running VMs on an Intel-based PC.
IPsec connection to FortiOS for logging
FortiAnalyzer 5.4.2 and later does not support an IPsec connection with FortiOS 5.0/5.2. However, UDP, or TCP with reliable logging, is supported.
Instead of IPsec, you can use the FortiOS reliable logging feature to encrypt logs and send them to FortiAnalyzer. You can enable the reliable logging feature on FortiOS by using the configure log fortianalyzer setting command. You can also control the encryption method on FortiOS by using the set enc-algorithm default/high/low/disable command.
Datasets Related to Browse Time
FortiAnalyzer 5.4.2 contains enhancements to calculating the estimated browse time. Due to these changes, if you upgrade from an image prior to FAZ 5.4.2, cloned datasets that query for browse time may not be able to return any results after the upgrade.
System Configuration or VM License is Lost after Upgrade
When upgrading FortiAnalyzer from 5.4.0 or 5.4.1 to 5.4.x or 5.6.0, it is imperative to reboot the unit before installing the 5.4.x or 5.6.0 firmware image. Please see the FortiAnalyzer Upgrade Guide for details about upgrading. Otherwise, FortiAnalyzer may lose system configuration or VM license after upgrade. There are two options to recover the FortiAnalyzer unit:
- Reconfigure the system configuration or add the VM license via CLI with the following command:
execute add-vm-license <vm license>
- Restore the 5.4.0 backup and upgrade to 5.4.2.
SSLv3 on FortiAnalyzer-VM64-AWS
Due to known vulnerabilities in the SSLv3 protocol, FortiAnalyzer-VM64-AWS only enables TLSv1 by default. All other models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:
config system global
set ssl-protocol tlsv1
end
Pre-processing logic of ebtime
Logs that meet all of the following conditions are considered usable for the calculation of estimated browsing time:
- Traffic logs with a logid of 13 or 2. When logid == 13, hostname must not be empty.
- The service field should be HTTP, 80/TCP or 443/TCP.
If all of the above conditions are met, then devid, vdom, and user (srcip if user is empty) are combined as a key to identify a user. For time estimation, the current value of duration is compared against the start and end times of that user's history sessions; only the non-overlapping part is used as the ebtime of the current log.
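The filter and overlap rules above as an added reference implementation (not Fortinet's code), run over constructed sample logs; it assumes each usable log covers the interval [start, start + duration) and that history sessions are tracked per user key:

```python
# Added example (not Fortinet's code) of the ebtime rules above. Assumed: a log
# covers [start, start + duration) and only the part of that interval not already
# covered by the same user's earlier sessions counts as ebtime.
USABLE_SERVICES = {"HTTP", "80/TCP", "443/TCP"}

def is_usable(log):
    """Traffic log with logid 2 or 13 (13 needs a hostname) on a web service."""
    if log.get("type") != "traffic" or log.get("logid") not in (2, 13):
        return False
    if log["logid"] == 13 and not log.get("hostname"):
        return False
    return log.get("service") in USABLE_SERVICES

def user_key(log):  # devid, vdom and user (srcip when user is empty) identify a user
    return (log["devid"], log["vdom"], log.get("user") or log["srcip"])

def merge(intervals):  # -> sorted, disjoint [start, end) intervals
    merged = []
    for s, e in sorted(intervals):
        if merged and s <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], e)
        else:
            merged.append([s, e])
    return merged

def compute_ebtime(logs):
    """Return [(log index, ebtime)] for every usable log, in log order."""
    history, result = {}, []  # history: user key -> disjoint past sessions
    for i, log in enumerate(logs):
        if not is_usable(log):
            continue
        key, start = user_key(log), log["start"]
        end = start + log["duration"]
        # history sessions are disjoint, so summing the overlaps is exact
        covered = sum(max(0, min(end, e) - max(start, s))
                      for s, e in history.get(key, []))
        result.append((i, (end - start) - covered))
        history[key] = merge(history.get(key, []) + [[start, end]])
    return result

def mklog(logid, user, service, start, duration, hostname="example.com",
          srcip="10.0.0.5"):  # constructed sample log; field names as on the page
    return {"type": "traffic", "logid": logid, "devid": "FGT-A", "vdom": "root",
            "user": user, "srcip": srcip, "hostname": hostname,
            "service": service, "start": start, "duration": duration}

SAMPLE_LOGS = [  # constructed data, not real FortiGate logs
    mklog(13, "alice", "HTTP", 0, 60),                 # first session: ebtime 60
    mklog(2, "alice", "443/TCP", 30, 60),              # 30-60 already seen: 30
    mklog(13, "alice", "HTTP", 100, 10, hostname=""),  # logid 13, no hostname: skip
    mklog(2, "alice", "53/UDP", 120, 10),              # not a web service: skip
    mklog(2, "", "80/TCP", 0, 20, srcip="10.0.0.9"),   # keyed by srcip: 20
    mklog(2, "alice", "80/TCP", 10, 20),               # fully covered: 0
]
```

Calling compute_ebtime(SAMPLE_LOGS) yields [(0, 60), (1, 30), (4, 20), (5, 0)]; the two skipped records never reach the session history.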
Port 8443 reserved
Port 8443 is reserved for https-logging from FortiClient EMS for Chromebooks.