Configuring multiple FortiAnalyzers on a multi-VDOM FortiGate

This topic shows a sample configuration of multiple FortiAnalyzers on a multi-VDOM FortiGate.

In this example:

  • The FortiGate has three VDOMs:
    • Root (management VDOM)
    • VDOM1
    • VDOM2
  • There are four FortiAnalyzers.

    These IP addresses are used as examples in the instructions below.

    • FAZ1: 172.16.200.55
    • FAZ2: 172.18.60.25
    • FAZ3: 192.168.1.253
    • FAZ4: 192.168.1.254
  • Set up FAZ1 and FAZ2 under global.
    • These two collect logs from the root VDOM and from VDOM2 (VDOM2 has no override, so it inherits the global FortiAnalyzer settings).
    • FAZ1 and FAZ2 must be reachable from the management (root) VDOM.
  • Set up FAZ3 and FAZ4 under VDOM1 as override FortiAnalyzers.
    • These two collect logs from VDOM1 only.
    • FAZ3 and FAZ4 must be reachable from VDOM1.
To set up FAZ1 as global FortiAnalyzer 1 from the GUI:

Prerequisite: FAZ1 must be reachable from the management root VDOM.

  1. Go to Global > Log & Report > Log Settings.
  2. Enable Send logs to FortiAnalyzer/FortiManager.
  3. Enter the FortiAnalyzer IP.

    In this example: 172.16.200.55.

  4. For Upload option, select Real Time.
  5. Click Apply.
To set up FAZ2 as global FortiAnalyzer 2 from the CLI:

Prerequisite: FAZ2 must be reachable from the management root VDOM.

config log fortianalyzer2 setting
    set status enable
    set server "172.18.60.25"
    set upload-option realtime
end

To set up FAZ3 and FAZ4 as VDOM1 FortiAnalyzer 1 and FortiAnalyzer 2 from the CLI:

Prerequisite: FAZ3 and FAZ4 must be reachable from VDOM1. Run the following commands in the VDOM1 context (config vdom, edit VDOM1), not in global; faz-override must be enabled first, otherwise the override-setting tables are ignored and VDOM1 keeps sending its logs to the global FortiAnalyzers.

config log setting
   set faz-override enable
end

config log fortianalyzer override-setting
   set status enable
   set server "192.168.1.253"
   set upload-option realtime
end

config log fortianalyzer2 override-setting
   set status enable
   set server "192.168.1.254"
   set upload-option realtime
end

Checking FortiAnalyzer connectivity

To use the diagnose command to check FortiAnalyzer connectivity:

In the output, state=connected together with ready=1 shows that the OFTP session to that FortiAnalyzer is established, ssl=1 that the session is encrypted, reliable whether reliable logging is in use, and qlen the number of logs still queued for delivery; a qlen that keeps growing means logs are not being delivered. conn_verified=N means the FortiAnalyzer's identity has not been verified against a certificate. A disabled slot (faz3 in the second output) is expected when fewer than three FortiAnalyzers are configured for that scope.
  1. Check the global FortiAnalyzer status:
    FGTA(global) # diagnose test application miglogd 1
    faz: global , enabled
            server=172.16.200.55, realtime=3, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.16.200.55, reliable=1
                    status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
                    SNs: last sn update:1369 seconds ago.
                            Sn list:
    
                    queue: qlen=0.
    filter: severity=6, sz_exclude_list=0
             voip dns ssh ssl
    subcategory:
            traffic: forward local multicast sniffer
            anomaly: anomaly
    
            server: global, id=0, fd=90, ready=1, ipv6=0, 172.16.200.55/514
            oftp-state=5
    faz2: global , enabled
            server=172.18.60.25, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.18.60.25, reliable=0
                    status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
                    SNs: last sn update:1369 seconds ago.
                            Sn list:
    
                    queue: qlen=0.
    filter: severity=6, sz_exclude_list=0
             voip dns ssh ssl
    subcategory:
            traffic: forward local multicast sniffer
            anomaly: anomaly
    
            server: global, id=1, fd=95, ready=1, ipv6=0, 172.18.60.25/514
            oftp-state=5
  2. Check the VDOM1 override FortiAnalyzer status:
    FGTA(global) # diagnose test application miglogd 3101
    faz: vdom, enabled, override
            server=192.168.1.253, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_192.168.1.253, reliable=1
                    status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
                    SNs: last sn update:1369 seconds ago.
                            Sn list:
                            (FAZ-VM0000000001,age=17s)
                    queue: qlen=0.
    filter: severity=6, sz_exclude_list=0
             voip dns ssh ssl
    subcategory:
            traffic: forward local multicast sniffer
            anomaly: anomaly
    
            server: vdom, id=0, fd=72, ready=1, ipv6=0, 192.168.1.253/514
            oftp-state=5
    faz2: vdom, enabled, override
            server=192.168.1.254, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_192.168.1.254, reliable=0
                    status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
                    SNs: last sn update:1369 seconds ago.
                            Sn list:
                            (FL-1KET318000008,age=17s)
                    queue: qlen=0.
    filter: severity=6, sz_exclude_list=0
             voip dns ssh ssl
    subcategory:
            traffic: forward local multicast sniffer
            anomaly: anomaly
    
            server: vdom, id=1, fd=97, ready=1, ipv6=0, 192.168.1.254/514
            oftp-state=5
    faz3: vdom, disabled, override
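The two diagnose outputs above are meant to be read by eye; on a FortiGate with several VDOMs and several FortiAnalyzers it is easier to paste the output into a small checker. The following Python script is an added example, not Fortinet code and not part of this Cookbook topic: it parses the key=value fields of a captured `diagnose test application miglogd` output into one record per FortiAnalyzer slot and reports the conditions a practitioner would want flagged (not connected, no TLS, reliable logging off, certificate not verified, queued logs). The embedded sample is a trimmed copy of the global output shown above; the meaning assigned to each field is the editor's reading of the field names, not a Fortinet definition.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the global "diagnose test application miglogd 1" output
# from this topic, trimmed to the lines the checker uses, plus the disabled
# third slot, so the example runs offline without a FortiGate.
SAMPLE_OUTPUT = """\
faz: global , enabled
        server=172.16.200.55, realtime=3, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.16.200.55, reliable=1
                status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
                queue: qlen=0.
        server: global, id=0, fd=90, ready=1, ipv6=0, 172.16.200.55/514
        oftp-state=5
faz2: global , enabled
        server=172.18.60.25, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.18.60.25, reliable=0
                status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
                queue: qlen=0.
        server: global, id=1, fd=95, ready=1, ipv6=0, 172.18.60.25/514
        oftp-state=5
faz3: vdom, disabled, override
"""

# Slot header, e.g. "faz: global , enabled" or "faz2: vdom, enabled, override".
HEADER_RE = re.compile(
    r"^(faz\d?):\s*(global|vdom)\s*,\s*(enabled|disabled)(?:\s*,\s*(override))?\s*$"
)
# key=value pairs; the key may contain '-' so that "oftp-state=5" is not
# read as "state=5" and does not clobber "state=connected".
KV_RE = re.compile(r"([\w-]+)=([^,\s]*)")


@dataclass
class FazSlot:
    slot: str            # faz, faz2 or faz3
    scope: str           # global or vdom
    enabled: bool
    override: bool       # True when the slot comes from a VDOM override-setting
    fields: dict = field(default_factory=dict)


def parse_miglogd(text):
    """Split miglogd output into one FazSlot per 'fazN:' header."""
    slots = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = FazSlot(m.group(1), m.group(2), m.group(3) == "enabled",
                          m.group(4) is not None)
            slots.append(cur)
            continue
        if cur is None:
            continue  # text before the first header (e.g. a prompt) is ignored
        for key, value in KV_RE.findall(line):
            # "qlen=0." carries a trailing period in the real output
            cur.fields[key] = value.rstrip(".")
    return slots


def check_slots(slots):
    """Return (slot, problem) pairs; an empty list means every enabled slot looks healthy."""
    findings = []
    for s in slots:
        if not s.enabled:
            continue  # an unused slot is expected, not a fault
        f = s.fields
        if f.get("state") != "connected" or f.get("ready") != "1":
            findings.append((s.slot, "no established session (state=%s, ready=%s)"
                             % (f.get("state"), f.get("ready"))))
        if f.get("ssl") != "1":
            findings.append((s.slot, "log transport is not TLS-encrypted (ssl=%s)" % f.get("ssl")))
        if f.get("reliable") != "1":
            findings.append((s.slot, "reliable logging is off (reliable=%s)" % f.get("reliable")))
        if f.get("conn_verified") != "Y":
            findings.append((s.slot, "FortiAnalyzer certificate not verified (conn_verified=%s)"
                             % f.get("conn_verified")))
        if int(f.get("qlen", "0")) > 0:
            findings.append((s.slot, "logs queued for delivery (qlen=%s)" % f["qlen"]))
    return findings


if __name__ == "__main__":
    for slot in parse_miglogd(SAMPLE_OUTPUT):
        print(slot.slot, slot.scope, "enabled" if slot.enabled else "disabled",
              slot.fields.get("server", "-"))
    for slot, problem in check_slots(parse_miglogd(SAMPLE_OUTPUT)):
        print("WARN %s: %s" % (slot, problem))
```

Run it against the output of `diagnose test application miglogd 1` for the global slots and against the VDOM output for each VDOM with faz-override enabled; on the sample above it flags faz for the unverified certificate and faz2 for both the unverified certificate and reliable=0, which matches what the raw output shows but is easy to miss when reading a dozen slots by hand.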
