Special Notices
This section highlights some of the operational changes that administrators should be aware of in FortiAnalyzer version 7.4.10.
MEAs removed in FortiAnalyzer 7.4.7
There is no support for MEAs in FortiAnalyzer 7.4.7.
The following management extension applications (MEAs) are removed in FortiAnalyzer 7.4.7:
-
FortiSIEM
-
FortiSOAR
legacy-auth-mode command added
A new CLI command, legacy-auth-mode, has been introduced to enhance the flexibility of OFTP connections between devices and FortiAnalyzer when needed. By default, FortiAnalyzer enforces certificate-based authentication for OFTP connections and validates the device's certificate by checking the Common Name (CN) field — if the CN matches the device's serial number (SN), the connection is accepted.
However, for devices like FortiWeb, FortiMail, and FortiADC, the certificate CN often does not match the SN, causing the OFTP connection to fail. When legacy-auth-mode is enabled, FortiAnalyzer allows OFTP connections to fall back to username/password authentication if the certificate CN does not match the SN. This enables compatibility with devices whose certificates use alternative CN formats while still providing a level of authentication. In line with security best practices, the OFTP port should not be exposed when legacy-auth-mode is enabled unless proper access restrictions are applied.
config system log settings
(settings)# set legacy-auth-mode ?
disable - Disable support for legacy authentication mode.
enable - Enable support for legacy authentication mode.
Upgrading from 7.4.3 to 7.4.10 with FIPS mode enabled
When FIPS mode is enabled, upgrading from 7.4.3 to 7.4.10 might fail due to the following error message: "FIPS firmware signature verification failed". The following steps should be taken as workaround:
-
Backup FortiAnalyzer-v7.4.3-fips-cc mode DB.
-
Disable FortiAnalyzer-v7.4.3-fips mode to normal mode.
-
Upgrade FortiAnalyzer-v7.4.3 normal mode to v7.4.10.
-
FortiAnalyzer-v7.4.10 enable fips-cc mode.
-
Restore FortiAnalyzer-v7.4.3-fips DB on FortiAnalyzer-v7.4.10-fips.
Note that you do not need to follow this workaround if upgrading from 7.4.4 or later to 7.4.10.
Field name when log forwarding to CEF
As of FortiAnalyzer 7.4.3, the field names no longer include the "ad." prefix when log forwarding to a CEF server.
Shell access has been removed
As of FortiAnalyzer 7.4.4, shell access has been removed.
The following CLI variables have been removed, which were previously used to enable shell access:
config system admin setting
set shell-access {enable | disable}
set shell-password <passwd>
The following CLI command has been removed, which was previously used to access shell when enabled:
execute shell
Events and Incidents FortiView monitors removed
In FortiAnalyzer 7.4.3, the following FortiView monitors are removed from the GUI:
-
FortiView > Threats & Events > Events
-
FortiView > Threats & Events > Incidents
Alert notifications generated by FortiAnalyzer and sent by syslog
Beginning in 7.4.3, alert notifications generated by FortiAnalyzer and sent by syslog will use the RFC-5424 format.
Additional configuration required for SSO users
Beginning in 7.4.3, additional configuration is needed for FortiAnalyzer Users declared as wildcard SSO users.
When configuring Administrators as wildcard SSO users, the ext-auth-accprofile-override and/or ext-auth-adom-override features, under Advanced Options, should be enabled if the intent is to obtain the ADOMs list and/or permission profile from the SAML IdP.
FortiAnalyzer 7.2.3 and later firmware on FortiGuard
Starting in FortiAnalyzer 7.2.1, a setup wizard executes to prompt the user for various configuration steps and registration with FortiCare. During the execution, the FortiAnalyzer unit attempts to communicate with FortiGuard for a list of FortiAnalyzer firmware images currently available on FortiGuard – older and newer.
In the case of FortiAnalyzer 7.2.2, a bug in the GUI prevents the wizard from completing and prevents the user from accessing the FortiAnalyzer unit. The issue has been fixed in 7.2.3 and later and a CLI command has been added to bypass the setup wizard at login time.
config system admin setting
set firmware-upgrade-check disable
end
Fortinet has not uploaded FortiAnalyzer 7.2.3 and later firmware to FortiGuard in order to work around the GUI bug, however, the firmware is available for download from the Fortinet Support website.
Configuration backup requires a password
As of FortiAnalyzer 7.4.2, configuration backup files are automatically encrypted and require you to set a password. The password is required for scheduled backups as well.
In previous versions, the encryption and password were optional.
For more information, see the FortiAnalyzer Administration Guide.
FortiAnalyzer-3500E support
FortiAnalyzer 7.4.2 and later does not support the FortiAnalyzer-3500E device.
FortiAnalyzer 7.4.2 introduces an upgrade of the OpenSSL library to address known vulnerabilities in the library. As a result, the SSL connection that is setup between the FortiAnalyzer-3500E device and the Google Map server hosted by Fortinet uses a SHA2 (2048) public key length. The certificate stored on the BIOS that is used during the setup of the SSL connection contains a SHA1 public key length, which causes the connection setup to fail. Running the following command shows the key length.
FAZ3500E # config system certificate local
(local)# ed Fortinet_Local
(Fortinet_Local)# get
name : Fortinet_Local
password : *
comment : Default local certificate
private-key :
certificate :
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiAnalyzer, CN = FL3K5E3M15000074, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com
Valid from: 2015-03-06 16:22:10 GMT
Valid to: 2038-01-19 03:14:07 GMT
Fingerprint: FC:D0:0C:8D:DC:57:B6:16:58:DF:90:22:77:6F:2C:1B
Public key: rsaEncryption (1024 bits)
Signature: sha1WithRSAEncryption
Root CA: No
Version: 3
Serial Num:
1e:07:7a
Extension 1: X509v3 Basic Constraints:
CA:FALSE
...
(Fortinet_Local)#
PostgreSQL database upgrade
FortiAnalyzer 7.2.6 and 7.4.1 include an upgrade of the PostgreSQL database. By default analytical features, such as Log View, FortiView, Reports, and Event Management are unavailable until the PostgreSQL database finishes upgrading. During this time, FortiAnalyzer will continue to receive new logs, but they will not be inserted into the PostgreSQL database. PostgreSQL database upgrade times depend on the number of ADOM configured and the analytical log volume. Some sample upgrade times are shown below.
| Model | Number of ADOMs | Analytical Data Size | DB Upgrade Time |
|---|---|---|---|
| FAZ-3700F | 1200 | 5TB | one hour |
| FAZ-3500G | 100 | 1TB | 15 minutes |
| FAZ-3000F | 1 | 12TB | 10 minutes |
|
Do not reboot or proceed to another upgrade while the PostgreSQL database upgrade is in progress. If you are upgrading from a version prior to 7.2.6 (such as 7.2.0, 7.2.1, 7.2.2, and so on) or 7.4.0, you must wait for the PostgreSQL database upgrade to complete before accessing the analytical features or continuing your upgrade path. For example, if your upgrade path is 7.2.5 > latest 7.2 > 7.4.10, you must wait for the PostgreSQL upgrade to complete in the latest 7.2 before upgrading to FortiAnalyzer 7.4.10. |
There is a GUI notification to track the progress of the upgrade. You can also use the following command to check the progress in the CLI:
diag sql status upgrade-db
For customers who prefer to not wait for accessing the analytical features, such as Log View, FortiView, Reports, and Event Management, for new logs, they can execute a SQL. This command can take a long time to complete depending on the amount of data.
FAZVM64 # exec sql-local rebuild-db
Rebuild the entire log SQL database has been requested.
This operation will remove the log SQL database and rebuild from log data.
This operation will reboot the device.
Do you want to continue? (y/n)
Serial console has changed for FortiAnalyzer deployments on Xen
In FortiAnalyzer 7.4.1, the serial console for Xen deployments has changed from hvc0 (Xen specific) to ttyS0 (standard).
OpenXen in PV mode is not supported in FortiAnalyzer 7.4.1
As of FortiAnalyzer 7.4.1, kernel and rootfs are encrypted. OpenXen in PV mode tries to unzip the kernel and rootfs, but it will fail. Therefore, OpenXen in PV mode cannot be used when deploying or upgrading to FortiAnalyzer 7.4.1. Only HVM (hardware virtual machine) mode is supported for OpenXen in FortiAnalyzer 7.4.1.
Default GUI theme changed
As of FortiAnalyzer 7.4.1, the default GUI theme is Jade. The default theme can be changed from System Settings > Settings.
FortiManager Features removed
FortiAnalyzer 7.2.1 and later no longer supports FortiManager Features. If you have FortiManager Features enabled before upgrading to FortiAnalyzer 7.2.1, FortiManager Features will be permanently disabled after upgrading to FortiAnalyzer 7.2.1.
Setup wizard requires FortiCare registration
Starting in FortiAnalyzer 7.2.1, the FortiAnalyzer Setup wizard requires you to complete the Register with FortiCare step before you can access the FortiAnalyzer appliance or VM. Previously the step was optional.
For FortiAnalyzer units operating in a closed environment, contact customer service to receive an entitlement file, and then load the entitlement file to FortiAnalyzer by using the CLI.
When FortiManager is managing FortiAnalyzer in a closed environment, FortiManager contains the FortiAnalyzer contract information, and you can point FortiAnalyzer to FortiManager.
Hyperscale firewall mode
FortiAnalyzer does not support logs from the following models when they have hyperscale firewall mode and netflow enabled:
- FortiGate-1800F
- FortiGate-1801F
- FortiGate-2600F
- FortiGate-2601F
- FortiGate-4200F
- FortiGate-4201F
- FortiGate-4400F
- FortiGate-4401F
FortiAnalyzer only supports logs when the normal firewall mode with standard FortiGate logging are enabled.
Modifying the interface status with the CLI
Starting in verion 7.0.1, the CLI to modify the interface status has been changed from up/down to enable/disable.
For example:
config system interface
edit port2
set status <enable/disable>
next
end
Citrix XenServer default limits and upgrade
Citrix XenServer limits ramdisk to 128M by default. However the FAZ-VM64-XEN image is larger than 128M. Before updating to FortiAnalyzer 6.4, increase the size of the ramdisk setting on Citrix XenServer.
To increase the size of the ramdisk setting:
- On Citrix XenServer, run the following command:
xenstore-write /mh/limits/pv-ramdisk-max-size 536,870,912
- Confirm the setting is in effect by running
xenstore-ls.-----------------------
limits = ""
pv-kernel-max-size = "33554432"
pv-ramdisk-max-size = "536,870,912"
boot-time = ""
---------------------------
- Remove the pending files left in
/run/xen/pygrub.
|
The ramdisk setting returns to the default value after rebooting. |
FortiAnalyzer VM upgrade requires more memory
When upgrading FortiAnalyzer VM units from a previous version to FortiAnalyzer 7.2.2 or higher, the upgrade may fail because of memory allocation. As of FortiAnalyzer 7.2.2, FortiAnalyzer VM requires 16 GB of RAM and 4 CPU.
Workaround: Before upgrading FortiAnalyzer VM to FortiAnalyzer 7.2.2, change the memory allocation to 16 GB of RAM.
Maximum ADOM limits for FortiAnalyzer
FortiAnalyzer hardware devices and VMs display a warning when the maximum number of ADOMs is reached. For more details, see Appendix A - Default and maximum number of ADOMs supported.
Port 8443 reserved
Port 8443 is reserved for https-logging from FortiClient EMS for Chromebooks. See also FortiAnalyzer 7.0 Ports Reference on the Docs Library.
Hyper-V FortiAnalyzer-VM running on an AMD CPU
A Hyper-V FAZ-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running VMs on an Intel-based PC.
SSLv3 on FortiAnalyzer-VM64-AWS
Due to known vulnerabilities in the SSLv3 protocol, FortiAnalyzer-VM64-AWS only enables TLSv1 by default. All other models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:
config system global
set ssl-protocol t1sv1
end