lingky88
Staff
Article Id 265326
Description: This article describes the steps to take when disabling the FortiAnalyzer feature on FortiManager.
Scope: FortiManager.
Solution:
  1. Back up the existing logs and reports to an external server.

 

FMG # execute backup logs <device name(s)| all> <ftp/sftp/scp> <ip> <user name> <password> <directory>

FMG # execute backup reports <report name or all> <ftp/sftp/scp> <ip> <user name> <password> <directory>

 

  2. Enable backend-shell access in FortiManager following the guide below:

Reference: Technical Tip: How to enable backend-shell access in FortiManager/FortiAnalyzer.

 

  3. After entering the shell, run the commands below to list the logs stored for the managed FortiGate devices.

FMG # exe shell

   Enter password:

   bash$ cd /Storage/Logs

   bash$ ls

 

[Image: FortiManager shell can see logs for FortiGates]

 

  4. Disable the FortiAnalyzer Features setting on FortiManager under System Settings -> Dashboard -> System Information -> FortiAnalyzer Features.

[Image: FortiManager disable FortiAnalyzer feature]

 

  5. Check from the shell again whether the logs are still stored. As the image below shows, the managed FortiGate logs are still stored even though the FortiAnalyzer feature is disabled.

[Image: FortiManager shell can see logs for FortiGates]

 

  6. Take a backup of the current FortiManager configuration, with the FortiAnalyzer feature disabled.

[Image: Take FortiManager config backup]

 

  7. Next, format the disk to remove the managed FortiGate logs that are still stored.

FMG # execute format disk

[Image: FortiManager format disk]

 

  8. After that, restore the FortiManager backup configuration.

[Image: FortiManager restore backup]

 

  9. After the configuration has been restored, disable Offline Mode under Advanced -> Advanced Settings -> Offline Mode and verify the status of the managed devices.

[Image: FortiManager disable offline mode]

[Image: Verify device status]

 

  10. Lastly, check from the shell again whether the managed devices' logs are still stored.

[Image: No more logs]