Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiGate-7000E Handbook

    Home FortiGate-7000 6.4.14 FortiGate-7000E Handbook
    6.4.14
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.10
    7.0.5
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.10
    6.4.8
    6.4.6
    6.4.2
    6.2.16
    6.2.16
    6.2.15
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.7
    6.2.6
    6.2.4
    6.0.18
    6.0.17
    6.0.16
    6.0.15
    6.0.14
    6.0.13
    6.0.12

    Configuring VDOMs on individual FPMs to send logs to different FortiAnalyzers

    Configuring VDOMs on individual FPMs to send logs to different FortiAnalyzers

    The following steps describe how to override the global FortiAnalyzer configuration for individual VDOMs on individual FPMs. The example shows how to configure the root VDOMs on the each of the FPMs in a FortiGate-7040E to send log messages to different FortiAnalyzers. Each root VDOM connects to FortiAnalyzer through a root VDOM data interface. This procedure assumes you have the following two FortiAnalyzers:

    FortiAnalyzer IP address

    Intended use

    172.25.176.120

    The root VDOM on the FPM in slot 3 sends log messages to this FortiAnalyzer.

    172.25.176.130

    The root VDOM on the FPM in slot 4 sends log messages to this FortiAnalyzer.
    Note

    This configuration is only supported for fortianalyzer and not for fortianalyzer2, fortianalyzer3, and fortianalyzer-cloud.

    1. Log into the primary FIM CLI using the FortiGate-7040E management IP address.

    2. Use the following command to prevent the FortiGate-7040E from synchronizing FortiAnalyzer override settings between FPMs:

      config global

      config system vdom-exception

      edit 1

      set object log.fortianalyzer.override-setting

      end

      end

    3. Log into the CLI of the FPM in slot 3:

      For example you can start a new SSH connection using the special management port for slot 3:

      ssh <management-ip>:2203

      Or you can use the following command from the global primary FIM CLI:

      execute load-balance slot manage 3

      Note

      The system will log you out of the CLI of the FPM in slot 3 in less than 60 seconds. You should have enough time to complete the following steps. If you run out of time on your first attempt, you can keep trying until you succeed.

    4. Access the root VDOM of the FPM in slot 3 and enable overriding the FortiAnalyzer configuration for the root VDOM.

      config vdom

      edit root

      config log setting

      set faz-override enable

      end

      A message similar to the following appears; which you can ignore:

      Please change configuration on FIMs. Changing configuration on FPMs may cause confsync out of sync for a while.

    5. Configure FortiAnalyzer override to send log messages to a FortiAnalyzer with IP address 172.25.176.120:

      config log fortianalyzer override-setting

      set status enable

      set server 172.25.176.120

      end

      You should see messages similar to the following on the CLI:

      Please change configuration on FIMs. Changing configuration on FPMs may cause confsync out of sync for a while.

      The Serial Number for FortiAnalyzer is not entered.

      In order to verify identity of FortiAnalyzer serial number is needed.

      If serial number is not set, connection will be set as unverified and

      access to local config and files will be accessible only with user name/password.

      FortiGate can establish a connection to obtain the serial number now.Do you want to try to connect now? (y/n)y

    6. Enter Y to confirm the serial number. Messages similar to the following should appear:

      Obtained serial number from X509 certificate of Fortianalyzer is: <serial>

      Serial number from certificate MUST be the same as serial number observed in Fortianalyzer.

      If these two serial numbers don't match, connection will be dropped.

      Please make sure the serial numbers are matching.

      In case that Fortianalyzer is using a third-party certificate, certificate verification must be disabled.

      Do you confirm that this is the correct serial number? (y/n)y

    7. Enter Y to confirm the serial number.

    8. Use the exit command to log out of the FPM CLI. Otherwise you are logged out of the FPM CLI in less than a minute
    9. Log into the CLI of the FPM in slot 4.

    10. Access the root VDOM of the FPM in slot 4 and enable overriding the FortiAnalyzer configuration for the root VDOM.

      config vdom

      edit root

      config log setting

      set faz-override enable

      end

      A message similar to the following appears; which you can ignore:

      Please change configuration on FIMs. Changing configuration on FPMs may cause confsync out of sync for a while.

    11. Configure FortiAnalyzer override to send log messages to a FortiAnalyzer with IP address 172.25.176.130:

      config log fortianalyzer override-setting

      set status enable

      set server 172.25.176.130

      end

      Messages appear like they did when you were logged into the FPM in slot 3 and you can confirm the FortiAnalyzer serial number.

    12. Use the exit command to log out of the FPM CLI. Otherwise you are logged out of the FPM CLI in less than a minute.

    Previous
    Next

    Configuring VDOMs on individual FPMs to send logs to different FortiAnalyzers

    Configuring VDOMs on individual FPMs to send logs to different FortiAnalyzers

    The following steps describe how to override the global FortiAnalyzer configuration for individual VDOMs on individual FPMs. The example shows how to configure the root VDOMs on the each of the FPMs in a FortiGate-7040E to send log messages to different FortiAnalyzers. Each root VDOM connects to FortiAnalyzer through a root VDOM data interface. This procedure assumes you have the following two FortiAnalyzers:

    FortiAnalyzer IP address

    Intended use

    172.25.176.120

    The root VDOM on the FPM in slot 3 sends log messages to this FortiAnalyzer.

    172.25.176.130

    The root VDOM on the FPM in slot 4 sends log messages to this FortiAnalyzer.
    Note

    This configuration is only supported for fortianalyzer and not for fortianalyzer2, fortianalyzer3, and fortianalyzer-cloud.

    1. Log into the primary FIM CLI using the FortiGate-7040E management IP address.

    2. Use the following command to prevent the FortiGate-7040E from synchronizing FortiAnalyzer override settings between FPMs:

      config global

      config system vdom-exception

      edit 1

      set object log.fortianalyzer.override-setting

      end

      end

    3. Log into the CLI of the FPM in slot 3:

      For example you can start a new SSH connection using the special management port for slot 3:

      ssh <management-ip>:2203

      Or you can use the following command from the global primary FIM CLI:

      execute load-balance slot manage 3

      Note

      The system will log you out of the CLI of the FPM in slot 3 in less than 60 seconds. You should have enough time to complete the following steps. If you run out of time on your first attempt, you can keep trying until you succeed.

    4. Access the root VDOM of the FPM in slot 3 and enable overriding the FortiAnalyzer configuration for the root VDOM.

      config vdom

      edit root

      config log setting

      set faz-override enable

      end

      A message similar to the following appears; which you can ignore:

      Please change configuration on FIMs. Changing configuration on FPMs may cause confsync out of sync for a while.

    5. Configure FortiAnalyzer override to send log messages to a FortiAnalyzer with IP address 172.25.176.120:

      config log fortianalyzer override-setting

      set status enable

      set server 172.25.176.120

      end

      You should see messages similar to the following on the CLI:

      Please change configuration on FIMs. Changing configuration on FPMs may cause confsync out of sync for a while.

      The Serial Number for FortiAnalyzer is not entered.

      In order to verify identity of FortiAnalyzer serial number is needed.

      If serial number is not set, connection will be set as unverified and

      access to local config and files will be accessible only with user name/password.

      FortiGate can establish a connection to obtain the serial number now.Do you want to try to connect now? (y/n)y

    6. Enter Y to confirm the serial number. Messages similar to the following should appear:

      Obtained serial number from X509 certificate of Fortianalyzer is: <serial>

      Serial number from certificate MUST be the same as serial number observed in Fortianalyzer.

      If these two serial numbers don't match, connection will be dropped.

      Please make sure the serial numbers are matching.

      In case that Fortianalyzer is using a third-party certificate, certificate verification must be disabled.

      Do you confirm that this is the correct serial number? (y/n)y

    7. Enter Y to confirm the serial number.

    8. Use the exit command to log out of the FPM CLI. Otherwise you are logged out of the FPM CLI in less than a minute
    9. Log into the CLI of the FPM in slot 4.

    10. Access the root VDOM of the FPM in slot 4 and enable overriding the FortiAnalyzer configuration for the root VDOM.

      config vdom

      edit root

      config log setting

      set faz-override enable

      end

      A message similar to the following appears; which you can ignore:

      Please change configuration on FIMs. Changing configuration on FPMs may cause confsync out of sync for a while.

    11. Configure FortiAnalyzer override to send log messages to a FortiAnalyzer with IP address 172.25.176.130:

      config log fortianalyzer override-setting

      set status enable

      set server 172.25.176.130

      end

      Messages appear like they did when you were logged into the FPM in slot 3 and you can confirm the FortiAnalyzer serial number.

    12. Use the exit command to log out of the FPM CLI. Otherwise you are logged out of the FPM CLI in less than a minute.

    Previous
    Next