Configuring multiple FortiAnalyzers on a FortiGate in multi-VDOM mode
This topic shows a sample configuration of multiple FortiAnalyzers on a FortiGate in multi-VDOM mode.
In this example:
-
The FortiGate has three VDOMs:
-
Root (management VDOM)
-
VDOM1
-
VDOM2
-
-
There are four FortiAnalyzers.
These IP addresses are used as examples in the instructions below.
-
FAZ1:
172.16.200.55
-
FAZ2:
172.18.60.25
-
FAZ3:
192.168.1.253
-
FAZ4:
192.168.1.254
-
-
Set up FAZ1 and FAZ2 under global.
-
These two collect logs from the root VDOM and VDOM2.
-
FAZ1 and FAZ2 must be accessible from management VDOM root.
-
-
Set up FAZ3 and FAZ4 under VDOM1.
-
These two collect logs from VDOM1.
-
FAZ3 and FAZ4 must be accessible from VDOM1.
-
To set up FAZ1 as global FortiAnalyzer 1 from the GUI:
Prerequisite: FAZ1 must be reachable from the management root VDOM.
-
Go to Global > Log & Report > Log Settings.
-
Enable Send logs to FortiAnalyzer/FortiManager.
-
Enter the FortiAnalyzer IP.
In this example:
172.16.200.55
. -
For Upload option, select Real Time.
-
Click Apply.
To set up FAZ2 as global FortiAnalyzer 2 from the CLI:
Prerequisite: FAZ2 must be reachable from the management root VDOM.
config log fortianalyzer2 setting set status enable set server "172.18.60.25" set upload-option realtime end
To set up FAZ3 and FAZ4 as VDOM1 FortiAnalyzer 1 and FortiAnalyzer 2:
Prerequisite: FAZ3 and FAZ4 must be reachable from VDOM1.
config log setting set faz-override enable end config log fortianalyzer override-setting set status enable set server "192.168.1.253" set upload-option realtime end config log fortianalyzer2 override-setting set status enable set server "192.168.1.254" set upload-option realtime end
Checking FortiAnalyzer connectivity
To use the diagnose command to check FortiAnalyzer connectivity:
-
Check the global FortiAnalyzer status:
FGTA(global) # diagnose test application fgtlogd 1 vdom-admin=1 mgmt=root faz: global , enabled server=172.16.200.55, realtime=1, ssl=1, state=connected server_log_status=Log is allowed., src=, mgmt_name=FGh_Log_root_172.16.200.55, reliable=0, sni_prefix_type=none, required_entitlement=none, region=ca-west-1, logsync_enabled:1, logsync_conn_id:65535, seq_no:0 status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y SNs: last sn update:383 seconds ago. Sn list: (FAZ-VMTM2200****,age=383s) queue: qlen=0. filter: severity=6, sz_exclude_list=0 traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter subcategory: traffic: forward local multicast sniffer ztna anomaly:all subcategories are enabled. server: global, id=0, ready=1, name=172.16.200.55 addr=172.16.200.55:514 oftp-state=connected faz2: global , enabled server=172.18.60.25, realtime=3, ssl=1, state=connected server_log_status=Log is allowed., src=, mgmt_name=FGh_Log_root_172.18.60.25, reliable=0, sni_prefix_type=none, required_entitlement=none, region=ca-west-1, logsync_enabled:1, logsync_conn_id:131071, seq_no:0 status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y SNs: last sn update:383 seconds ago. Sn list: (FAZ-VMTM2201****,age=383s) queue: qlen=0. filter: severity=6, sz_exclude_list=0 traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter subcategory: traffic: forward local multicast sniffer ztna anomaly:all subcategories are enabled. server: global, id=1, ready=1, name=172.18.60.25 addr=172.18.60.25:514 oftp-state=connected
-
Check the VDOM1 override FortiAnalyzer status:
FGTA(global) # diagnose test application fgtlogd 3101 vdom VDOM1: id=3 event filter: event system vpn user router wireless wanopt endpoint ha security-rating fortiextender connector sdwan cifs-auth-fail switch-controller rest-api webproxy faz: vdom, enabled, override server=192.168.1.253, realtime=3, ssl=1, state=connected server_log_status=Log is allowed., src=, mgmt_name=FGh_Log_VDOM1_192.168.1.253, reliable=0, sni_prefix_type=none, required_entitlement=none, region=ca-west-1, logsync_enabled:1, logsync_conn_id:3, seq_no:0 status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y SNs: last sn update:16 seconds ago. Sn list: (FAZ-VMTM2200****,age=16s) queue: qlen=0. filter: severity=6, sz_exclude_list=0 traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter subcategory: traffic: forward local multicast sniffer ztna anomaly:all subcategories are enabled. server: vdom, id=0, ready=1, name=192.168.1.253 addr=192.168.1.253:514 oftp-state=connected faz2: vdom, enabled, override server=192.168.1.254, realtime=3, ssl=1, state=connected server_log_status=Log is allowed., src=, mgmt_name=FGh_Log_VDOM1_192.168.1.254, reliable=0, sni_prefix_type=none, required_entitlement=none, region=ca-west-1, logsync_enabled:1, logsync_conn_id:65539, seq_no:0 status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y SNs: last sn update:16 seconds ago. Sn list: (FAZ-VMTM2201****,age=16s) queue: qlen=0. filter: severity=6, sz_exclude_list=0 traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter subcategory: traffic: forward local multicast sniffer ztna anomaly:all subcategories are enabled. server: vdom, id=1, ready=1, name=192.168.1.254 addr=192.168.1.254:514 oftp-state=connected faz3: vdom, disabled, override