Fortinet white logo
Fortinet white logo

FortiGate-7000E Administration Guide

Configuring individual FPMs to send logs to different FortiAnalyzers

Configuring individual FPMs to send logs to different FortiAnalyzers

The following steps show how to configure the two FPMs in a FortiGate-7040E to send log messages to different FortiAnalyzers. The FPMs connect to their FortiAnalyzers through the FortiGate 7000E management interface. This procedure assumes you have the following three FortiAnalyzers:

FortiAnalyzer IP address

Intended use

172.25.176.10

The FIMs send log messages to this FortiAnalyzer.

172.25.176.100

The FPM in slot 3 sends log messages to this FortiAnalyzer.

172.25.176.110

The FPM in slot 4 sends log messages to this FortiAnalyzer.

This procedure involves creating a FortiAnalyzer configuration template on the primary FIM that is synchronized to the FPMs. You then log into each FPM and change the FortiAnalyzer server IP address to the address of the FortiAnalyzer that the FPM should send log messages to.

Note

This configuration is only supported for fortianalyzer and not for fortianalyzer2, fortianalyzer3, and fortianalyzer-cloud.

  1. Log into the primary FIM CLI using the FortiGate-7040E management IP address.

  2. Create a FortiAnalyzer configuration template on the primary FIM.

    config global

    config log fortianalyzer setting

    set status enable

    set server 172.25.176.10

    set upload-option realtime

    end

    This configuration will be synchronized to all of the FIMs and FPMs.

    Note

    The FortiAnalyzer VDOM exception configuration requires upload-option to be set to realtime.

  3. Enter the following command to prevent the FortiGate-7040E from synchronizing FortiAnalyzer settings between FIMs and FPMs:

    config system vdom-exception

    edit 1

    set object log.fortianalyzer.setting

    end

  4. Log into the CLI of the FPM in slot 3:

    For example, you can start a new SSH connection using the special management port for slot 3:

    ssh <management-ip>:2203

    Or you can use the following command from the global primary FIM CLI:

    execute load-balance slot manage 3

    Note

    FortiOS will log you out of the CLI of the FPM in slot 3 in less than 60 seconds. You should have enough time to change the FortiAnalyzer server IP address as described in the next step, but not much else. If you run out of time on your first attempt, you can keep trying until you succeed.

  5. Change the FortiAnalyzer server IP address:

    config global

    config log fortianalyzer setting

    set server 172.25.176.100

    end

    You should see messages similar to the following on the CLI:

    Please change configuration on FIMs. Changing configuration on FPMs may cause confsync out of sync for a while.

    The Serial Number for FortiAnalyzer is not entered.

    In order to verify identity of FortiAnalyzer serial number is needed.

    If serial number is not set, connection will be set as unverified and

    access to local config and files will be accessible only with user name/password.

    FortiGate can establish a connection to obtain the serial number now.Do you want to try to connect now? (y/n)y

    Note

    If upload-option is not set to realtime, messages similar to the following appear and your configuration change will not be saved:

    Please change configuration on FIMs. Changing configuration on FPMs may cause confsync out of sync for a while.

    Can only set upload option to real-time mode when Security Fabric is enabled.

    object set operator error, -39 discard the setting

    Command fail. Return code -39

  6. Enter Y to confirm the serial number. Messages similar to the following should appear:

    Obtained serial number from X509 certificate of Fortianalyzer is: <serial>

    Serial number from certificate MUST be the same as serial number observed in Fortianalyzer.

    If these two serial numbers don't match, connection will be dropped.

    Please make sure the serial numbers are matching.

    In case that Fortianalyzer is using a third-party certificate, certificate verification must be disabled.

    Do you confirm that this is the correct serial number? (y/n)y

  7. Enter Y to confirm the serial number.

  8. Use the exit command to log out of the FPM CLI. Otherwise you are logged out of the FPM CLI in less than a minute.
  9. Log into the CLI of the FPM in slot 4.

  10. Change the FortiAnalyzer server IP address:

    config global

    config log fortianalyzer setting

    set server 172.25.176.110

    end

    When you change the FortiAnalyzer server IP address, messages appear like they did when you were logged into the FPM in slot 3 and you can confirm the FortiAnalyzer serial number.

  11. Use the exit command to log out of the FPM CLI. Otherwise you are logged out of the FPM CLI in less than a minute.

Configuring individual FPMs to send logs to different FortiAnalyzers

Configuring individual FPMs to send logs to different FortiAnalyzers

The following steps show how to configure the two FPMs in a FortiGate-7040E to send log messages to different FortiAnalyzers. The FPMs connect to their FortiAnalyzers through the FortiGate 7000E management interface. This procedure assumes you have the following three FortiAnalyzers:

FortiAnalyzer IP address

Intended use

172.25.176.10

The FIMs send log messages to this FortiAnalyzer.

172.25.176.100

The FPM in slot 3 sends log messages to this FortiAnalyzer.

172.25.176.110

The FPM in slot 4 sends log messages to this FortiAnalyzer.

This procedure involves creating a FortiAnalyzer configuration template on the primary FIM that is synchronized to the FPMs. You then log into each FPM and change the FortiAnalyzer server IP address to the address of the FortiAnalyzer that the FPM should send log messages to.

Note

This configuration is only supported for fortianalyzer and not for fortianalyzer2, fortianalyzer3, and fortianalyzer-cloud.

  1. Log into the primary FIM CLI using the FortiGate-7040E management IP address.

  2. Create a FortiAnalyzer configuration template on the primary FIM.

    config global

    config log fortianalyzer setting

    set status enable

    set server 172.25.176.10

    set upload-option realtime

    end

    This configuration will be synchronized to all of the FIMs and FPMs.

    Note

    The FortiAnalyzer VDOM exception configuration requires upload-option to be set to realtime.

  3. Enter the following command to prevent the FortiGate-7040E from synchronizing FortiAnalyzer settings between FIMs and FPMs:

    config system vdom-exception

    edit 1

    set object log.fortianalyzer.setting

    end

  4. Log into the CLI of the FPM in slot 3:

    For example, you can start a new SSH connection using the special management port for slot 3:

    ssh <management-ip>:2203

    Or you can use the following command from the global primary FIM CLI:

    execute load-balance slot manage 3

    Note

    FortiOS will log you out of the CLI of the FPM in slot 3 in less than 60 seconds. You should have enough time to change the FortiAnalyzer server IP address as described in the next step, but not much else. If you run out of time on your first attempt, you can keep trying until you succeed.

  5. Change the FortiAnalyzer server IP address:

    config global

    config log fortianalyzer setting

    set server 172.25.176.100

    end

    You should see messages similar to the following on the CLI:

    Please change configuration on FIMs. Changing configuration on FPMs may cause confsync out of sync for a while.

    The Serial Number for FortiAnalyzer is not entered.

    In order to verify identity of FortiAnalyzer serial number is needed.

    If serial number is not set, connection will be set as unverified and

    access to local config and files will be accessible only with user name/password.

    FortiGate can establish a connection to obtain the serial number now.Do you want to try to connect now? (y/n)y

    Note

    If upload-option is not set to realtime, messages similar to the following appear and your configuration change will not be saved:

    Please change configuration on FIMs. Changing configuration on FPMs may cause confsync out of sync for a while.

    Can only set upload option to real-time mode when Security Fabric is enabled.

    object set operator error, -39 discard the setting

    Command fail. Return code -39

  6. Enter Y to confirm the serial number. Messages similar to the following should appear:

    Obtained serial number from X509 certificate of Fortianalyzer is: <serial>

    Serial number from certificate MUST be the same as serial number observed in Fortianalyzer.

    If these two serial numbers don't match, connection will be dropped.

    Please make sure the serial numbers are matching.

    In case that Fortianalyzer is using a third-party certificate, certificate verification must be disabled.

    Do you confirm that this is the correct serial number? (y/n)y

  7. Enter Y to confirm the serial number.

  8. Use the exit command to log out of the FPM CLI. Otherwise you are logged out of the FPM CLI in less than a minute.
  9. Log into the CLI of the FPM in slot 4.

  10. Change the FortiAnalyzer server IP address:

    config global

    config log fortianalyzer setting

    set server 172.25.176.110

    end

    When you change the FortiAnalyzer server IP address, messages appear like they did when you were logged into the FPM in slot 3 and you can confirm the FortiAnalyzer serial number.

  11. Use the exit command to log out of the FPM CLI. Otherwise you are logged out of the FPM CLI in less than a minute.