Configuring multiple FortiAnalyzers on a FortiGate in multi-VDOM mode
This topic shows a sample configuration of multiple FortiAnalyzers on a FortiGate in multi-VDOM mode.
In this example:
- The FortiGate has three VDOMs:
- Root (management VDOM)
- VDOM1
- VDOM2
- There are four FortiAnalyzers.
These IP addresses are used as examples in the instructions below.
- FAZ1:
172.16.200.55 - FAZ2:
172.18.60.25 - FAZ3:
192.168.1.253 - FAZ4:
192.168.1.254
- FAZ1:
- Set up FAZ1 and FAZ2 under global.
- These two collect logs from the root VDOM and VDOM2.
- FAZ1 and FAZ2 must be accessible from management VDOM root.
- Set up FAZ3 and FAZ4 under VDOM1.
- These two collect logs from VDOM1.
- FAZ3 and FAZ4 must be accessible from VDOM1.
To set up FAZ1 as global FortiAnalyzer 1 from the GUI:
Prerequisite: FAZ1 must be reachable from the management root VDOM.
- Go to Global > Log & Report > Log Settings.
- Enable Send logs to FortiAnalyzer/FortiManager.
- Enter the FortiAnalyzer IP.
In this example:
172.16.200.55. - For Upload option, select Real Time.
- Click Apply.
To set up FAZ2 as global FortiAnalyzer 2 from the CLI:
Prerequisite: FAZ2 must be reachable from the management root VDOM.
config log fortianalyzer2 setting
set status enable
set server "172.18.60.25"
set upload-option realtime
end
To set up FAZ3 and FAZ4 as VDOM1 FortiAnalyzer 1 and FortiAnalyzer 2:
Prerequisite: FAZ3 and FAZ4 must be reachable from VDOM1.
config log setting set faz-override enable end config log fortianalyzer override-setting set status enable set server "192.168.1.253" set upload-option realtime end config log fortianalyzer2 override-setting set status enable set server "192.168.1.254" set upload-option realtime end
Checking FortiAnalyzer connectivity
To use the diagnose command to check FortiAnalyzer connectivity:
- Check the global FortiAnalyzer status:
FGTA(global) # diagnose test application miglogd 1 faz: global , enabled server=172.16.200.55, realtime=3, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.16.200.55, reliable=1 status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N SNs: last sn update:1369 seconds ago. Sn list: queue: qlen=0. filter: severity=6, sz_exclude_list=0 voip dns ssh ssl subcategory: traffic: forward local multicast sniffer anomaly: anomaly server: global, id=0, fd=90, ready=1, ipv6=0, 172.16.200.55/514 oftp-state=5 faz2: global , enabled server=172.18.60.25, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.18.60.25, reliable=0 status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N SNs: last sn update:1369 seconds ago. Sn list: queue: qlen=0. filter: severity=6, sz_exclude_list=0 voip dns ssh ssl subcategory: traffic: forward local multicast sniffer anomaly: anomaly server: global, id=1, fd=95, ready=1, ipv6=0, 172.18.60.25/514 oftp-state=5 - Check the VDOM1 override FortiAnalyzer status:
FGTA(global) # diagnose test application miglogd 3101 faz: vdom, enabled, override server=192.168.1.253, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_192.168.1.253, reliable=1 status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N SNs: last sn update:1369 seconds ago. Sn list: (FAZ-VM0000000001,age=17s) queue: qlen=0. filter: severity=6, sz_exclude_list=0 voip dns ssh ssl subcategory: traffic: forward local multicast sniffer anomaly: anomaly server: vdom, id=0, fd=72, ready=1, ipv6=0, 192.168.1.253/514 oftp-state=5 faz2: vdom, enabled, override server=192.168.1.254, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_192.168.1.254, reliable=0 status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N SNs: last sn update:1369 seconds ago. Sn list: (FL-1KET318000008,age=17s) queue: qlen=0. filter: severity=6, sz_exclude_list=0 voip dns ssh ssl subcategory: traffic: forward local multicast sniffer anomaly: anomaly server: vdom, id=1, fd=97, ready=1, ipv6=0, 192.168.1.254/514 oftp-state=5 faz3: vdom, disabled, override