Debbie_FTNT
Staff
Article Id 197669
Description
This article explains troubleshooting commands that can be used to check connections to secondary/tertiary FortiAnalyzers configured on a FortiGate.

Solution
FortiGates can be configured to log to three FortiAnalyzers.
The primary one can be configured via the GUI, but the secondary and tertiary FortiAnalyzers can only be configured via the CLI:
# config log fortianalyzer2 setting
    set status enable
    set server <IP>
end

# config log fortianalyzer3 setting
    set status enable
    set server <IP>
end

# config log fortianalyzer2 filter
    set […]
end

# config log fortianalyzer3 filter
    set […]
end
As the secondary and tertiary FortiAnalyzers are not visible in the FortiGate GUI, the connection can only be troubleshot via the CLI and logs.
The connection to the secondary and tertiary FortiAnalyzer can be verified with these commands:
# exe log fortianalyzer test-connectivity 2  ## fortianalyzer2

FortiAnalyzer Host Name: FAZVM64-KVM
FortiAnalyzer Adom Name: root
FortiGate Device ID: <FortiGate S/N>
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 19290798B/53687091200B
Analytics Usage (Used/Allocated): 12987054B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 12/60 Days
Archive Usage (Used/Allocated): 6303744B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 12/365 Days
Log: Tx & Rx (log not received)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx

Certificate of Fortianalyzer valid and serial number is:FAZ-VM0000000001

# exe log fortianalyzer test-connectivity 3  ## fortianalyzer3

FortiAnalyzer Host Name: FMG-VM
FortiAnalyzer Adom Name: root
FortiGate Device ID: <FortiGate S/N>
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 372736B/53687091200B
Analytics Usage (Used/Allocated): 368640B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 60/60 Days
Archive Usage (Used/Allocated): 4096B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 0/365 Days
Log: Tx & Rx (2 logs received since 12:18:43 01/28/20)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx

Certificate of Fortianalyzer valid and serial number is:FMG-VM0000000001

# dia test app miglogd 4

[…]
faz2
traffic: logs=681 len=438357, Sun=0 Mon=0 Tue=681 Wed=0 Thu=0 Fri=0 Sat=0 compressed=121464
event: logs=155 len=55880, Sun=0 Mon=0 Tue=155 Wed=0 Thu=0 Fri=0 Sat=0 compressed=36760
 
faz3
traffic: logs=670 len=431277, Sun=0 Mon=0 Tue=670 Wed=0 Thu=0 Fri=0 Sat=0 compressed=114469
event: logs=147 len=53216, Sun=0 Mon=0 Tue=147 Wed=0 Thu=0 Fri=0 Sat=0 compressed=34598

# dia test app miglogd 6

mem=1013, disk=10316, alert=0, alarm=0, sys=0, faz=1663, webt=0, fds=0
interface-missed=206
Queues in all miglogds: cur:0  total-so-far:25665
global log dev statistics:
faz 0: sent=834, failed=0, cached=0, dropped=0 , relayed=0
Num of REST URLs: 0
faz 1: sent=815, failed=0, cached=0, dropped=0 , relayed=0
[…]
Note:
Displaying logs in the CLI (execute log filter/execute log display) does not currently support logs from fortianalyzer2/fortianalyzer3.
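
Because these checks exist only in the CLI, saved command output can be reviewed by script. The following Python is an added example, not part of the original article or any Fortinet tooling: it parses saved `test-connectivity` and `miglogd 6` output and lists deviations. The sample text is constructed from the outputs above (the `faz 1` counters are altered to produce a finding), and treating the article's `registered`/`allow` values as the baseline and non-zero `failed`/`cached`/`dropped` counters as worth investigating are assumptions.

```python
import re

# Constructed samples modelled on the outputs in this article. The
# faz 1 counters are altered so the check has something to report.
CONNECTIVITY_SAMPLE = """\
FortiAnalyzer Host Name: FAZVM64-KVM
Registration: registered
Connection: allow
Log: Tx & Rx (log not received)
Certificate of Fortianalyzer valid and serial number is:FAZ-VM0000000001
"""
MIGLOGD6_SAMPLE = """\
faz 0: sent=834, failed=0, cached=0, dropped=0 , relayed=0
Num of REST URLs: 0
faz 1: sent=815, failed=3, cached=12, dropped=0 , relayed=0
"""

# Baseline values taken from the article's outputs (assumed healthy).
EXPECTED = {"Registration": "registered", "Connection": "allow"}

def check_connectivity(text):
    """Findings for one 'test-connectivity' output, as a list of strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    findings = [f"{k}: got {fields.get(k)!r}, expected {v!r}"
                for k, v in EXPECTED.items() if fields.get(k) != v]
    if "log not received" in fields.get("Log", ""):
        findings.append("Log: no logs received yet")
    if "Certificate of Fortianalyzer valid" not in text:
        findings.append("Certificate: no 'valid' line in output")
    return findings

def check_miglogd6(text):
    """(faz index, counter, value) for each non-zero failure counter."""
    findings = []
    # Only the "faz N: sent=..." statistics lines are considered.
    for m in re.finditer(r"^\s*faz (\d+):(.*)$", text, re.MULTILINE):
        counters = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", m.group(2))}
        findings += [(int(m.group(1)), name, counters[name])
                     for name in ("failed", "cached", "dropped")
                     if counters.get(name, 0) > 0]
    return findings

if __name__ == "__main__":
    print(check_connectivity(CONNECTIVITY_SAMPLE))
    print(check_miglogd6(MIGLOGD6_SAMPLE))
```

The `faz N` indices are reported exactly as the command prints them; the script does not map them to fortianalyzer2/fortianalyzer3.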

