Switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable

FortiOS supports switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable. Once the connectivity is restored, it will automatically fall back to the primary FortiAnalyzer.

This feature can be used in multi VDOM mode when FortiAnalyzer override settings are configured.

To configure switching to an alternate FortiAnalyzer when the main FortiAnalyzer is unavailable:

1. Configure primary and alternate FortiAnalyzer servers:

   config log fortianalyzer setting
       set status enable
       set server "172.16.200.250"
       set alt-server "172.16.200.251"
       set fallback-to-primary enable
       set serial "FAZ-VMTM22000000" "FAZ-VMTM23000003"
   end

2. Verify the primary and alternate FortiAnalyzer server IPs:

   # diagnose test application fgtlogd 1
   vdom-admin=1
   mgmt=vdom1
   
   fortilog:
   faz: global , enabled 
           server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.250, realtime=3, ssl=1, state=connected
           server_log_status=Log is allowed.,
           src=, mgmt_name=FGh_Log_vdom1_172.16.200.250, reliable=0, sni_prefix_type=none,
           required_entitlement=none, region=ca-west-1,
           logsync_enabled:1, logsync_conn_id:65535, seq_no:0
           disconnect_jiffies:0
                   status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                   SNs: last sn update:11 seconds ago.
                           Sn list:
                           (FAZ-VMTM22000000,age=11s)      (FAZ-VMTM23000003,age=12s)
                   queue: qlen=0.
   filter: severity=6, sz_exclude_list=0
            traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter virtual-patch
   subcategory:
           traffic: forward local multicast sniffer ztna
           virus:all subcategories are enabled.
           webfilter:all subcategories are enabled.
           ips:all subcategories are enabled.
           emailfilter:all subcategories are enabled.
           anomaly:all subcategories are enabled.
           voip:all subcategories are enabled.
           dlp:all subcategories are enabled.
           app-ctrl:all subcategories are enabled.
           waf:all subcategories are enabled.
           dns:all subcategories are enabled.
           ssh:all subcategories are enabled.
           ssl:all subcategories are enabled.
           file-filter:all subcategories are enabled.
           icap:all subcategories are enabled.
           sctp-filter:all subcategories are enabled.
           virtual-patch:all subcategories are enabled.
   
           server: global, id=0, ready=1, name=172.16.200.250 addr=172.16.200.250:514
           oftp-state=connected
           primary oftp status:null
           probe oftp status:null, 442

   The 172.16.200.250 server is currently active and acting as the primary FortiAnalyzer.

3. Make the primary FortiAnalyzer server go down. The FortiGate will automatically connect to the alternate FortiAnalyzer server.

4. Verify the FortiAnalyzer server status information:

   # diagnose  test application fgtlogd 1
   vdom-admin=1
   mgmt=vdom1
   
   fortilog:
   faz: global , enabled 
           server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.251, realtime=3, ssl=1, state=connected
           server_log_status=Log is allowed.,
           src=, mgmt_name=FGh_Log_vdom1_172.16.200.250, reliable=0, sni_prefix_type=none,
           required_entitlement=none, region=ca-west-1,
           logsync_enabled:1, logsync_conn_id:65535, seq_no:0
           disconnect_jiffies:0
                   status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                   SNs: last sn update:30 seconds ago.
                           Sn list:
                           (FAZ-VMTM22000000,age=30s)      (FAZ-VMTM23000003,age=31s)
                   queue: qlen=0.
   filter: severity=6, sz_exclude_list=0
            traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter virtual-patch
   subcategory:
           traffic: forward local multicast sniffer ztna
           virus:all subcategories are enabled.
           webfilter:all subcategories are enabled.
           ips:all subcategories are enabled.
           emailfilter:all subcategories are enabled.
           anomaly:all subcategories are enabled.
           voip:all subcategories are enabled.
           dlp:all subcategories are enabled.
           app-ctrl:all subcategories are enabled.
           waf:all subcategories are enabled.
           dns:all subcategories are enabled.
           ssh:all subcategories are enabled.
           ssl:all subcategories are enabled.
           file-filter:all subcategories are enabled.
           icap:all subcategories are enabled.
           sctp-filter:all subcategories are enabled.
           virtual-patch:all subcategories are enabled.
   
           server: global, id=0, ready=1, name=172.16.200.250 addr=172.16.200.250:514
           oftp-state=connected
           probe oftp status:null, 38

   The 172.16.200.251 server is currently active and acting as the primary FortiAnalyzer.

5. Restore the connection to the 172.16.200.250 server. The FortiGate will automatically reconnect to this FortiAnalyzer server.

6. Verify the FortiAnalyzer server status information:

   # diagnose test application fgtlogd 1
   vdom-admin=1
   mgmt=vdom1
   
   fortilog:
   faz: global , enabled 
           server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.250, realtime=3, ssl=1, state=connected
           server_log_status=Log is allowed.,
           src=, mgmt_name=FGh_Log_vdom1_172.16.200.250, reliable=0, sni_prefix_type=none,
           required_entitlement=none, region=ca-west-1,
           logsync_enabled:1, logsync_conn_id:65535, seq_no:0
           disconnect_jiffies:0
                   status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
                   SNs: last sn update:11 seconds ago.
                           Sn list:
                           (FAZ-VMTM22000000,age=58s)      (FAZ-VMTM23000003,age=59s)
                   queue: qlen=0.
   filter: severity=6, sz_exclude_list=0
            traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh ssl file-filter icap sctp-filter virtual-patch
   subcategory:
           traffic: forward local multicast sniffer ztna
           virus:all subcategories are enabled.
           webfilter:all subcategories are enabled.
           ips:all subcategories are enabled.
           emailfilter:all subcategories are enabled.
           anomaly:all subcategories are enabled.
           voip:all subcategories are enabled.
           dlp:all subcategories are enabled.
           app-ctrl:all subcategories are enabled.
           waf:all subcategories are enabled.
           dns:all subcategories are enabled.
           ssh:all subcategories are enabled.
           ssl:all subcategories are enabled.
           file-filter:all subcategories are enabled.
           icap:all subcategories are enabled.
           sctp-filter:all subcategories are enabled.
           virtual-patch:all subcategories are enabled.
   
           server: global, id=0, ready=1, name=172.16.200.250 addr=172.16.200.250:514
           oftp-state=connected
           primary oftp status:null
           probe oftp status:null, 530

   The 172.16.200.250 server is currently active and acting as the primary FortiAnalyzer again.

To manually switch from the primary to alternate FortiAnalyzer (and vice-versa):

# execute log {fortianalyzer | fortianalyzer2 | fortianalyzer3} manual-failover

If the primary server is still up, the behavior resulting from running this command is based on the fallback-to-primary setting configured in the global FortiAnalyzer log settings.

• If fallback-to-primary is enabled (default), running execute log fortianalyzer manual-failover will switch to the alternate FortiAnalyzer, but it will switch back to the primary since it is not actually down.

• If fallback-to-primary is disabled, running execute log fortianalyzer manual-failover will switch to the alternate FortiAnalyzer, and it will not switch back to the primary.