
Administration Guide

Adding FortiAnalyzer devices

Adding a FortiAnalyzer device to FortiManager gives FortiManager visibility into the logs on the FortiAnalyzer, providing a Single Pane of Glass on the FortiManager. It also enables FortiAnalyzer features, such as SOC > FortiView and Log View.

For information about FortiAnalyzer features, see FortiAnalyzer Features. See also Viewing policy rules and View logs related to a policy rule.

To add a FortiAnalyzer to FortiManager, both must be running the same OS version, and that version must be 5.6 or later.

If FortiAnalyzer features are enabled, you cannot add a FortiAnalyzer unit to the FortiManager. See FortiAnalyzer Features.

In addition, you cannot add a FortiAnalyzer unit to the FortiManager when ADOMs are enabled and ADOM mode is set to Advanced.

ADOMs disabled

When you add a FortiAnalyzer device to FortiManager with ADOMs disabled, all devices with logging enabled can send logs to the FortiAnalyzer device. You can add only one FortiAnalyzer device to FortiManager, and the FortiAnalyzer device limit must be equal to or greater than the number of devices managed by FortiManager.

When you add additional devices with logging enabled to FortiManager, the managed devices can send logs to the FortiAnalyzer device. The new devices display in the Device Manager pane on the FortiAnalyzer unit when FortiManager synchronizes with the FortiAnalyzer unit.

ADOMs enabled

When you add a FortiAnalyzer device to FortiManager with ADOMs enabled, all devices with logging enabled in the ADOM can send logs to the FortiAnalyzer device. Following are the guidelines for adding a FortiAnalyzer device to FortiManager when ADOMs are enabled:

  • You can add one FortiAnalyzer device to each ADOM, and the FortiAnalyzer device limit must be equal to or greater than the number of devices in the ADOM.
  • The same ADOM name and settings must exist on the FortiAnalyzer device and FortiManager. The wizard synchronizes these settings for you if there is a mismatch.
  • The logging devices in the FortiAnalyzer ADOM and FortiManager ADOM must be the same. The wizard synchronizes these settings for you.
  • You cannot add the same FortiAnalyzer device to multiple ADOMs.

When you add additional devices with logging enabled to an ADOM in FortiManager, the managed devices can send logs to the FortiAnalyzer device in the ADOM. The new devices display in the Device Manager pane on the FortiAnalyzer unit when FortiManager synchronizes with the FortiAnalyzer unit.
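The prerequisites and ADOM guidelines above can be checked against an inventory before running the wizard. The following is an added example, not Fortinet code: the `Faz` and `Fmg` records, the `preflight` function, and the reading of "same OS version" as an exact version match are assumptions, and the data would come from your own inventory rather than from any FortiManager API.

```python
from collections import Counter
from dataclasses import dataclass

MIN_VERSION = (5, 6)  # minimum OS version stated in the guide

@dataclass
class Faz:  # hypothetical inventory record for one FortiAnalyzer
    name: str
    version: str       # e.g. "6.4.5"
    device_limit: int

@dataclass
class Fmg:  # hypothetical snapshot of the FortiManager state
    version: str
    faz_features_enabled: bool
    adoms_enabled: bool
    adom_mode: str      # "Normal" or "Advanced"
    adom_devices: dict  # ADOM name -> device count ("root" only when ADOMs are disabled)

def _ver(text):
    return tuple(int(part) for part in text.split("."))

def preflight(fmg, plan):
    """plan is a list of (adom_name, Faz); returns a list of rule violations."""
    errors = []
    if fmg.faz_features_enabled:
        errors.append("FortiAnalyzer features are enabled on FortiManager")
    if fmg.adoms_enabled and fmg.adom_mode == "Advanced":
        errors.append("ADOMs are enabled and ADOM mode is Advanced")
    # With ADOMs disabled every addition lands in the single root ADOM.
    plan = [(adom if fmg.adoms_enabled else "root", faz) for adom, faz in plan]
    for adom, count in Counter(adom for adom, _ in plan).items():
        if count > 1:
            errors.append(f"{adom}: more than one FortiAnalyzer planned")
    for name, count in Counter(faz.name for _, faz in plan).items():
        if count > 1:
            errors.append(f"{name}: assigned to multiple ADOMs")
    for adom, faz in plan:
        if _ver(faz.version) != _ver(fmg.version):
            errors.append(f"{faz.name}: version {faz.version} differs from FortiManager {fmg.version}")
        if min(_ver(faz.version), _ver(fmg.version))[:2] < MIN_VERSION:
            errors.append(f"{faz.name}: version below 5.6")
        needed = fmg.adom_devices.get(adom, 0)
        if faz.device_limit < needed:
            errors.append(f"{faz.name}: device limit {faz.device_limit} < {needed} devices in {adom}")
    return errors
```

An empty list means the plan satisfies every rule listed on this page; it does not replace the wizard's own synchronization of ADOM names, settings, and logging devices.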

Provisioning templates for log settings

After you add a FortiAnalyzer device to FortiManager, you can use FortiManager to enable logging for all FortiGates in the root ADOM (when ADOMs are disabled) or the ADOM (when ADOMs are enabled) by using the log settings in a system template. See System templates.

Legacy FortiAnalyzer ADOM

The FortiAnalyzer ADOM supports FortiAnalyzer units added to FortiManager before upgrading to FortiManager 5.6 and later. If you want to use the new functionality, you must delete the FortiAnalyzer unit from FortiManager and add it by using the Add FortiAnalyzer wizard.

Log storage and configuration

Logs are stored on the FortiAnalyzer device, not the FortiManager device. You configure log storage settings on the FortiAnalyzer device; you cannot change log storage settings using FortiManager.

Configuration and data for FortiAnalyzer features

When FortiManager manages a FortiAnalyzer unit, all configuration and data is kept on the FortiAnalyzer unit to support the following FortiAnalyzer features: SOC > FortiView, Log View, Incidents & Events, and Reports. FortiManager remotely accesses the FortiAnalyzer unit to retrieve requested information for FortiAnalyzer features. For example, if you use the Reports pane in FortiManager to create a report, the report is created on the FortiAnalyzer unit and remotely accessed by FortiManager.
