Administration Guide

Configuring multiple FortiAnalyzers on a FortiGate in multi-VDOM mode

This topic shows a sample configuration of multiple FortiAnalyzers on a FortiGate in multi-VDOM mode.

In this example:

  • The FortiGate has three VDOMs:

    • Root (management VDOM)

    • VDOM1

    • VDOM2

  • There are four FortiAnalyzers.

    These IP addresses are used as examples in the instructions below.

    • FAZ1: 172.16.200.55

    • FAZ2: 172.18.60.25

    • FAZ3: 192.168.1.253

    • FAZ4: 192.168.1.254

  • Set up FAZ1 and FAZ2 under global.

    • These two collect logs from the root VDOM and VDOM2.

    • FAZ1 and FAZ2 must be accessible from the management VDOM (root).

  • Set up FAZ3 and FAZ4 under VDOM1.

    • These two collect logs from VDOM1.

    • FAZ3 and FAZ4 must be accessible from VDOM1.

To set up FAZ1 as global FortiAnalyzer 1 from the GUI:

Prerequisite: FAZ1 must be reachable from the management root VDOM.

  1. Go to Global > Log & Report > Log Settings.

  2. Enable Send logs to FortiAnalyzer/FortiManager.

  3. Enter the FortiAnalyzer IP.

    In this example: 172.16.200.55.

  4. For Upload option, select Real Time.

  5. Click Apply.

To set up FAZ2 as global FortiAnalyzer 2 from the CLI:

Prerequisite: FAZ2 must be reachable from the management root VDOM.

config log fortianalyzer2 setting
    set status enable
    set server "172.18.60.25"
    set upload-option realtime
end

To set up FAZ3 and FAZ4 as VDOM1 FortiAnalyzer 1 and FortiAnalyzer 2 from the CLI:

Prerequisite: FAZ3 and FAZ4 must be reachable from VDOM1.

config log setting
   set faz-override enable
end

config log fortianalyzer override-setting
   set status enable
   set server "192.168.1.253"
   set upload-option realtime
end

config log fortianalyzer2 override-setting
   set status enable
   set server "192.168.1.254"
   set upload-option realtime
end

Checking FortiAnalyzer connectivity

To use the diagnose command to check FortiAnalyzer connectivity:

  1. Check the global FortiAnalyzer status:

    FGTA(global) # diagnose test application fgtlogd 1
    vdom-admin=1
    mgmt=root
    faz: global , enabled
            server=172.16.200.55, realtime=1, ssl=1, state=connected
            server_log_status=Log is allowed.,
            src=, mgmt_name=FGh_Log_root_172.16.200.55, reliable=0, sni_prefix_type=none,
            required_entitlement=none, region=ca-west-1,
            logsync_enabled:1, logsync_conn_id:65535, seq_no:0
                    status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                    SNs: last sn update:383 seconds ago.
                            Sn list:
                            (FAZ-VMTM2200****,age=383s)
                    queue: qlen=0.
    filter: severity=6, sz_exclude_list=0
             traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter
    subcategory:
            traffic: forward local multicast sniffer ztna
            anomaly:all subcategories are enabled.
            server: global, id=0, ready=1, name=172.16.200.55 addr=172.16.200.55:514
            oftp-state=connected
    faz2: global , enabled
            server=172.18.60.25, realtime=3, ssl=1, state=connected
            server_log_status=Log is allowed.,
            src=, mgmt_name=FGh_Log_root_172.18.60.25, reliable=0, sni_prefix_type=none,
            required_entitlement=none, region=ca-west-1,
            logsync_enabled:1, logsync_conn_id:131071, seq_no:0
                    status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                    SNs: last sn update:383 seconds ago.
                            Sn list:
                            (FAZ-VMTM2201****,age=383s)
                    queue: qlen=0.
    filter: severity=6, sz_exclude_list=0
             traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter
    subcategory:
            traffic: forward local multicast sniffer ztna
            anomaly:all subcategories are enabled.
            server: global, id=1, ready=1, name=172.18.60.25 addr=172.18.60.25:514
            oftp-state=connected
  2. Check the VDOM1 override FortiAnalyzer status:

    FGTA(global) # diagnose test application fgtlogd 3101
    vdom VDOM1: id=3
    event filter:
             event
    system vpn user router wireless wanopt endpoint ha security-rating fortiextender connector sdwan cifs-auth-fail switch-controller rest-api webproxy
    faz: vdom, enabled, override 
            server=192.168.1.253, realtime=3, ssl=1, state=connected
            server_log_status=Log is allowed.,
            src=, mgmt_name=FGh_Log_VDOM1_192.168.1.253, reliable=0, sni_prefix_type=none,
            required_entitlement=none, region=ca-west-1,
            logsync_enabled:1, logsync_conn_id:3, seq_no:0
                    status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                    SNs: last sn update:16 seconds ago.
                            Sn list:
                            (FAZ-VMTM2200****,age=16s)
                    queue: qlen=0.
    filter: severity=6, sz_exclude_list=0
             traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter
    subcategory:
            traffic: forward local multicast sniffer ztna
            anomaly:all subcategories are enabled.
            server: vdom, id=0, ready=1, name=192.168.1.253 addr=192.168.1.253:514
            oftp-state=connected 
    faz2: vdom, enabled, override 
            server=192.168.1.254, realtime=3, ssl=1, state=connected
            server_log_status=Log is allowed.,
            src=, mgmt_name=FGh_Log_VDOM1_192.168.1.254, reliable=0, sni_prefix_type=none,
            required_entitlement=none, region=ca-west-1,
            logsync_enabled:1, logsync_conn_id:65539, seq_no:0
                    status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                    SNs: last sn update:16 seconds ago.
                            Sn list:
                            (FAZ-VMTM2201****,age=16s)
                    queue: qlen=0.
    filter: severity=6, sz_exclude_list=0
             traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter
    subcategory:
            traffic: forward local multicast sniffer ztna
            anomaly:all subcategories are enabled.
    
            server: vdom, id=1, ready=1, name=192.168.1.254 addr=192.168.1.254:514
            oftp-state=connected
    faz3: vdom, disabled, override
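The two diagnose outputs above are what an operator reads to confirm that every configured FortiAnalyzer is actually receiving logs. As an added example (not Fortinet's code), the Python script below parses that output into one record per faz/faz2/faz3 slot and flags any enabled slot that is not connected, not verified, not reported with ssl=1, or has logs queued, plus any server from the configuration above that does not appear in the output at all. The sample output is constructed from the values on this page and trimmed to the lines the checker reads; the faz2/vdom fault values (state=disconnected, conn_verified=N, qlen=42) are invented to exercise the checks.

```python
"""Flag unhealthy FortiAnalyzer links in `diagnose test application fgtlogd` output.
Added example, not Fortinet's code; SAMPLE is constructed from this page's values,
trimmed to the lines read here, with the faz2/vdom fault values invented."""
import re
SAMPLE = """\
faz: global , enabled
        server=172.16.200.55, realtime=1, ssl=1, state=connected
                status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                queue: qlen=0.
faz: vdom, enabled, override
        server=192.168.1.253, realtime=3, ssl=1, state=connected
                status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                queue: qlen=0.
faz2: vdom, enabled, override
        server=192.168.1.254, realtime=3, ssl=0, state=disconnected
                status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
                queue: qlen=42.
faz3: vdom, disabled, override
"""
# Servers the configuration on this page should produce, per scope.  FAZ2
# (172.18.60.25) is deliberately left out of SAMPLE so it is reported as missing.
EXPECTED = {"global": {"172.16.200.55", "172.18.60.25"}, "vdom": {"192.168.1.253", "192.168.1.254"}}
HEADER = re.compile(r"^(faz\d?):\s*(global|vdom)\s*,\s*(enabled|disabled)(,\s*override)?$")
KV = re.compile(r"(\w+)=([^,\s]+)")  # key=value pairs; values may contain dots

def parse_fgtlogd(text):
    """Return one dict per faz/faz2/faz3 section with its key=value fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            entries.append({"slot": m[1], "scope": m[2], "enabled": m[3] == "enabled",
                            "override": bool(m[4])})
        elif entries and line.startswith(("server=", "status:", "queue:")):
            entries[-1].update((k, v.rstrip(".")) for k, v in KV.findall(line))  # "qlen=0."
    return entries

def problems(entries, expected=EXPECTED):
    """(slot, scope, reason) per unhealthy enabled slot, then configured servers absent
    from the output.  A disabled slot (faz3 above) is not a fault."""
    out = []
    for e in [e for e in entries if e["enabled"]]:
        checks = [(e.get("state") != "connected", f"state={e.get('state')}"),
                  (e.get("conn_verified") != "Y", "connection not verified"),
                  (e.get("ssl") != "1", f"ssl={e.get('ssl')} (expected 1)"),
                  (int(e.get("qlen", "0")) > 0, f"{e.get('qlen')} logs queued, undelivered")]
        out += [(e["slot"], e["scope"], why) for bad, why in checks if bad]
    seen = {(e["scope"], e.get("server")) for e in entries if e["enabled"]}
    out += [("-", scope, f"configured server {ip} not in fgtlogd output")
            for scope, ips in expected.items() for ip in sorted(ips) if (scope, ip) not in seen]
    return out
```

Feed it the real output of `diagnose test application fgtlogd 1` and `... 3101` concatenated, and an empty result means every configured FortiAnalyzer is connected and verified.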
