
Special Notices

This section highlights some of the operational changes that administrators should be aware of in FortiAnalyzer version 7.4.1.

Apache-mode changed from prefork to event

Before version 7.4.0, the default "apache-mode" utilized the "prefork" mode. However, starting from version 7.4.1, the default configuration switches to the "event" mode.

This change is aimed at supporting the HTTP/2.0 protocol. With HTTP/2.0, there is no limit on the maximum concurrency of HTTP requests, potentially leading to slower GUI performance if the client's environment imposes restrictions, whether network or implementation-related. HTTP/2 may face issues such as head-of-line blocking and resource prioritization, leading to slower performance compared to HTTP/1. Additionally, server push and intermediaries struggling with encrypted headers can further complicate matters. Implementing HTTP/2 requires more computational resources, which may affect response times. These complexities highlight scenarios where HTTP/1 might outperform HTTP/2.

If customers experience GUI slowness, they have the option to revert to the "prefork" mode using the following commands:

config system global

(global)# set apache-mode prefork

(global)# end

FortiAnalyzer 7.2.3 and later firmware on FortiGuard

Starting in FortiAnalyzer 7.2.1, a setup wizard executes to prompt the user for various configuration steps and registration with FortiCare. During the execution, the FortiAnalyzer unit attempts to communicate with FortiGuard for a list of FortiAnalyzer firmware images currently available on FortiGuard – older and newer.

In the case of FortiAnalyzer 7.2.2, a bug in the GUI prevents the wizard from completing and prevents the user from accessing the FortiAnalyzer unit. The issue has been fixed in 7.2.3 and later and a CLI command has been added to bypass the setup wizard at login time.

config system admin setting

set firmware-upgrade-check disable

end

To work around the GUI bug, Fortinet has not uploaded FortiAnalyzer 7.2.3 and later firmware to FortiGuard; however, the firmware is available for download from the Fortinet Support website.

PostgreSQL database upgrade

FortiAnalyzer 7.4.1 includes an upgrade of the PostgreSQL database. Upon upgrading to FortiAnalyzer 7.4.1, by default, analytical features such as Log View, FortiView, Reports, and Event Management are unavailable until the PostgreSQL database finishes upgrading. During this time, FortiAnalyzer will continue to receive new logs, but they will not be inserted into the PostgreSQL database. PostgreSQL database upgrade times depend on the number of ADOMs configured and the analytical log volume. Some sample upgrade times are shown below.

| Model | Number of ADOMs | Analytical Data Size | DB Upgrade Time |
|---|---|---|---|
| FAZ-3700F | 1200 | 5TB | one hour |
| FAZ-3500G | 100 | 1TB | 15 minutes |
| FAZ-3000F | 1 | 12TB | 10 minutes |

Customers who prefer not to wait for the upgrade before using the analytical features, such as Log View, FortiView, Reports, and Event Management, for new logs can rebuild the SQL database with the following command. This command can take a long time to complete depending on the amount of data.

FAZVM64 # exec sql-local rebuild-db

Rebuild the entire log SQL database has been requested.

This operation will remove the log SQL database and rebuild from log data.

This operation will reboot the device.

Do you want to continue? (y/n)

Serial console has changed for FortiAnalyzer deployments on Xen

In FortiAnalyzer 7.4.1, the serial console for Xen deployments has changed from hvc0 (Xen specific) to ttyS0 (standard).

OpenXen in PV mode is not supported in FortiAnalyzer 7.4.1

As of FortiAnalyzer 7.4.1, kernel and rootfs are encrypted. OpenXen in PV mode tries to unzip the kernel and rootfs, but it will fail. Therefore, OpenXen in PV mode cannot be used when deploying or upgrading to FortiAnalyzer 7.4.1. Only HVM (hardware virtual machine) mode is supported for OpenXen in FortiAnalyzer 7.4.1.

Default GUI theme changed

As of FortiAnalyzer 7.4.1, the default GUI theme is Jade. The default theme can be changed from System Settings > Settings.

Management Extensions visibility in the GUI

As of FortiAnalyzer 7.4.0, the Management Extensions pane is only visible in the GUI when docker status is enabled and at least one management extension application (MEA) is enabled and downloaded. For more information about enabling and using the MEAs, see the Management Extensions documentation in the FortiAnalyzer Documents Library.

FortiManager Features removed

FortiAnalyzer 7.2.1 and later no longer supports FortiManager Features. If you have FortiManager Features enabled before upgrading to FortiAnalyzer 7.2.1, FortiManager Features will be permanently disabled after upgrading to FortiAnalyzer 7.2.1.

Setup wizard requires FortiCare registration

Starting in FortiAnalyzer 7.2.1, the FortiAnalyzer Setup wizard requires you to complete the Register with FortiCare step before you can access the FortiAnalyzer appliance or VM. Previously the step was optional.

For FortiAnalyzer units operating in a closed environment, contact customer service to receive an entitlement file, and then load the entitlement file to FortiAnalyzer by using the CLI.

When FortiManager is managing FortiAnalyzer in a closed environment, FortiManager contains the FortiAnalyzer contract information, and you can point FortiAnalyzer to FortiManager.

Hyperscale firewall mode

FortiAnalyzer does not support logs from the following models when they have hyperscale firewall mode and netflow enabled:

  • FortiGate-1800F
  • FortiGate-1801F
  • FortiGate-2600F
  • FortiGate-2601F
  • FortiGate-4200F
  • FortiGate-4201F
  • FortiGate-4400F
  • FortiGate-4401F

FortiAnalyzer only supports logs when the normal firewall mode with standard FortiGate logging is enabled.

Modifying the interface status with the CLI

Starting in version 7.0.1, the CLI to modify the interface status has been changed from up/down to enable/disable.

For example:

config system interface

edit port2

set status <enable/disable>

next

end

Citrix XenServer default limits and upgrade

Citrix XenServer limits ramdisk to 128M by default. However, the FAZ-VM64-XEN image is larger than 128M. Before updating to FortiAnalyzer 6.4, increase the size of the ramdisk setting on Citrix XenServer.

To increase the size of the ramdisk setting:
  1. On Citrix XenServer, run the following command:

    xenstore-write /mh/limits/pv-ramdisk-max-size 536870912

  2. Confirm the setting is in effect by running xenstore-ls.

    -----------------------

    limits = ""

    pv-kernel-max-size = "33554432"

    pv-ramdisk-max-size = "536870912"

    boot-time = ""

    ---------------------------

  3. Remove the pending files left in /run/xen/pygrub.

Note: The ramdisk setting returns to the default value after rebooting.

FortiAnalyzer VM upgrade requires more memory

When upgrading FortiAnalyzer VM units from a previous version to FortiAnalyzer 7.2.2 or higher, the upgrade may fail because of memory allocation. As of FortiAnalyzer 7.2.2, FortiAnalyzer VM requires 16 GB of RAM and 4 CPUs.

Workaround: Before upgrading FortiAnalyzer VM to FortiAnalyzer 7.2.2, change the memory allocation to 16 GB of RAM.

Maximum ADOM limits for FortiAnalyzer

FortiAnalyzer hardware devices and VMs display a warning when the maximum number of ADOMs is reached or exceeded. The platform does not enforce the limit; however, adding more ADOMs may affect the performance of the unit. For more details, see Appendix A - Default and maximum number of ADOMs supported.

Port 8443 reserved

Port 8443 is reserved for https-logging from FortiClient EMS for Chromebooks. See also FortiAnalyzer 7.0 Ports Reference on the Docs Library.

Hyper-V FortiAnalyzer-VM running on an AMD CPU

A Hyper-V FAZ-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running VMs on an Intel-based PC.

SSLv3 on FortiAnalyzer-VM64-AWS

Due to known vulnerabilities in the SSLv3 protocol, FortiAnalyzer-VM64-AWS only enables TLSv1 by default. All other models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:

config system global

set ssl-protocol tlsv1

end
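
The following is an added example, not Fortinet code: a small Python audit that parses a saved CLI configuration and flags the settings these notices call out (SSLv3 still enabled, apache-mode reverted to prefork, the firmware-upgrade-check bypass, and pre-7.0.1 up/down interface status). The sample configuration is constructed, and the backup layout and the `tlsv1`/`sslv3` value tokens are assumptions.

```python
SAMPLE_CONFIG = """\
# constructed sample backup, not taken from a real unit
config system global
    set apache-mode prefork
    set ssl-protocol tlsv1 sslv3
end
config system admin setting
    set firmware-upgrade-check disable
end
config system interface
    edit port2
        set status up
    next
end
"""

def parse_settings(text):  # -> {(config path, edit entry or None, key): [values]}
    settings, stack = {}, []  # stack frames: [config path, current edit entry]
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            stack.append([" ".join(args), None])
        elif verb == "end" and stack:
            stack.pop()
        elif verb in ("edit", "next") and stack:
            stack[-1][1] = args[0].strip('"') if verb == "edit" and args else None
        elif verb == "set" and stack and args:
            path, entry = stack[-1]
            settings[(path, entry, args[0])] = [a.strip('"') for a in args[1:]]
    return settings

RULES = {  # (config path, key) -> (test on the value list, finding text)
    ("system global", "ssl-protocol"): (lambda v: "sslv3" in v, "SSLv3 enabled"),
    ("system global", "apache-mode"): (lambda v: v == ["prefork"], "7.4.1 default is event"),
    ("system admin setting", "firmware-upgrade-check"):
        (lambda v: v == ["disable"], "setup wizard firmware check bypassed"),
    ("system interface", "status"): (lambda v: v[:1] in (["up"], ["down"]), "pre-7.0.1 up/down syntax"),
}

def audit(settings):  # one finding string per setting that matches a rule
    return [f"{path}{' / ' + entry if entry else ''}: {key} {' '.join(values)} -> {RULES[path, key][1]}"
            for (path, entry, key), values in settings.items()
            if (path, key) in RULES and RULES[path, key][0](values)]

if __name__ == "__main__":
    print("\n".join(audit(parse_settings(SAMPLE_CONFIG))))
```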
