
FortiAnalyzer

Device Registration and Communication

FortiAnalyzer 6.4
© Copyright Fortinet Inc. All rights reserved.
Last Modified:
Wednesday, February 16, 2022
Lesson Overview

Registering Devices

Communication Troubleshooting

Disk Quota

Managing Registered Devices


Registering Devices
Objectives
• Identify the different ways you can register a device
• Describe how device registration works with ADOMs
• View device status
Methods of Device Registration
• Two types of devices:
• Registered: devices authorized to store logs on FortiAnalyzer
• Unregistered: devices requesting to store logs on FortiAnalyzer

Method 1: Request from a supported device
1. The administrator of the supported device requests registration
2. The FortiAnalyzer administrator accepts (or denies) the request

Method 2: Device registration wizard
1. The FortiAnalyzer administrator uses the device registration wizard to register the device
2. If the device is supported and the details are correct, the device is registered

Device Registration and ADOMs
• Each device can be registered with an administrative domain (ADOM)
• Devices can be registered only with an ADOM of their device-specific type
• For example: FortiMail device → FortiMail ADOM type
• An administrator can register a device with the default ADOM for that device type
• An administrator can register a device with a custom ADOM they create (the custom ADOM must still be of the ADOM type for the specific device)
• Cannot add different device types to the same ADOM!
• Typical use case: multiple FortiGate devices assigned to a custom ADOM
• By default, ADOMs aren't enabled
• FortiGate devices are automatically assigned to the root (FortiOS) ADOM
• Cannot add a non-FortiGate device without first enabling ADOMs

Method 1: Request from a Supported Device - I
1. The FortiGate administrator enables remote logging to FortiAnalyzer (Log & Report > Log Settings)
2. The FortiAnalyzer administrator accepts (or denies) the registration request (Device Manager, root ADOM)
• With ADOMs enabled, the FortiGate can be added to the root ADOM or to a custom FortiGate ADOM

Method 1: Request from a Supported Device - II
1. The FortiGate administrator enables Security Fabric and FortiAnalyzer logging (Security Fabric > Fabric Connectors > Security Fabric Setup)
2. The FortiAnalyzer administrator accepts (or denies) the registration request (Device Manager, root ADOM)
• With ADOMs enabled, the FortiGates can be added to the root ADOM or to a custom FortiGate ADOM

Method 2: Device Registration Wizard
1. Add a device using Device Manager
2. Type the required device information in the wizard
• If ADOMs are not enabled, only FortiGate devices can be registered
• If ADOMs are enabled, the device is automatically registered to its device-specific, prebuilt ADOM
• If you've already created a custom ADOM based on the device type you are registering, switch to that ADOM before adding the device using the wizard

Viewing Device Status
• Device Manager lists all registered devices for that ADOM
• Also shows log status (up or down) and storage used
• Unregistered devices appear in the root ADOM until registered
• Registered devices are assigned to an ADOM

What Logs Are Collected?

Logs: supported device log types: Traffic, Event, Security
DLP Archive: logs information about sensitive data trying to get in or out of your network: Email, IM, Web traffic, FTP, NNTP
Quarantine: logs files quarantined by the device
IPS Packet Log: logs the network packets containing the traffic matching IPS signatures

FortiAnalyzer has permission to automatically collect these logs (but they must be enabled on FortiGate)

Knowledge Check

1. Under what situation must ADOMs be enabled on FortiAnalyzer?


A. When a FortiGate device wants to register with FortiAnalyzer
B. When a FortiMail device wants to register with FortiAnalyzer

Communication Troubleshooting
Objectives
• Troubleshoot device communication issues
Basic CLI Commands
• Use the following FortiAnalyzer CLI commands to check system status, performance, and hardware statistics

What is the current status of FortiAnalyzer?
    # get system status
What are the performance statistics on FortiAnalyzer?
    # get system performance
What are the hardware statistics for CPU, memory, disk, and RAID?
    # diagnose hardware info

# get system status: Helpful Troubleshooting Data

FortiAnalyzer # get sys status
Platform Type : FAZVM64
Platform Full Name : FortiAnalyzer-VM64
Version : v6.4.1-build2072 200615 (GA)
Serial Number : FAZ-VMTM19008187
BIOS version : 04000002
Hostname : FAZVM64
Max Number of Admin Domains : 10000
Admin Domain Configuration : Enabled
Branch Point : 2072
Release Version Information : GA
Current Time : Thu Mar 19 17:57:47 GMT 2020
Daylight Time Saving : Yes
Time Zone : (GMT) London, Edinburgh.
x86-64 Applications : Yes
Disk Usage : Free 74.22GB, Total 79.79GB
File System : Ext4
License Status : Valid

# get system performance: Helpful Troubleshooting Data
FortiAnalyzer # get sys performance
CPU:
Used: 2.03%
Used(Excluded NICE): 2.03%
%used %user %nice %sys %idle %iowait %irq %softirq
CPU0 2.03 0.18 0.00 0.74 97.97 0.18 0.00 0.92
CPU1 1.86 0.74 0.00 0.93 98.14 0.00 0.00 0.19
Memory:
Total: 6,141,848 KB
Used: 3,592,320 KB 58.5%
Total (Excluding Swap): 4,044,700 KB
Used (Excluding Swap): 2,181,380 KB 53.9%
Hard Disk:
Total: 83,663,256 KB
Used: 5,816,720 KB 7.0%
Inode-Total: 327,680 KB
Inode-Used: 13,543 KB 4.1%
IOStat: tps r_tps w_tps r_kB/s w_kB/s queue wait_ms svc_ms %util sampling_sec
8.5 1.2 7.2 68.7 218.6 0.0 2.1 0.6 0.5 30163.83
Flash Disk:
Total: 503,752 KB
Used: 228,236 KB 45.3%
Inode-Total: 32,768 KB
Inode-Used: 38 KB 0.1%
IOStat: tps r_tps w_tps r_kB/s w_kB/s queue wait_ms svc_ms %util sampling_sec
0.1 0.1 0.0 6.5 0.1 0.0 2.8 0.9 0.0 30163.83

# diagnose hardware info: Helpful Troubleshooting Data

FortiAnalyzer # diagnose hardware info
### CPU info
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 142
model name : Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
stepping : 10
microcode : 0x96
cpu MHz : 2111.999
cache size : 8192 KB
physical id : 0
siblings : 1
core id : 0
cpu cores : 1
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 22
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 a
bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit
bogomips : 4223.99
clflush size : 64
cache_alignment : 64
address sizes : 42 bits physical, 48 bits virtual
power management:

### Memory info
MemTotal: 4044700 kB
MemFree: 397024 kB
MemAvailable: 1591812 kB
Buffers: 120344 kB
Cached: 1552360 kB
SwapCached: 105044 kB
Active: 2293844 kB
Inactive: 1048456 kB
Active(anon): 1525488 kB
Inactive(anon): 619120 kB
Active(file): 768356 kB
Inactive(file): 429336 kB
Unevictable: 122052 kB
Mlocked: 122052 kB
SwapTotal: 2097148 kB
SwapFree: 581168 kB
Dirty: 92 kB
AnonPages: 1687572 kB
Mapped: 362856 kB
Shmem: 474968 kB
Slab: 93180 kB
SReclaimable: 41412 kB
SUnreclaim: 51768 kB
KernelStack: 6288 kB
PageTables: 59824 kB
NFS_Unstable: 0 kB
CommitLimit: 4119496 kB
Committed_AS: 22775420 kB
VmallocTotal: 34359738367 kB
VmallocUsed: 0 kB
VmallocChunk: 0 kB
DirectMap4k: 18368 kB
DirectMap2M: 4175872 kB
DirectMap1G: 2097152 kB

### Disk info
major minor #blocks name
1 0 4096 ram0
1 1 4096 ram1
1 2 4096 ram2
1 3 4096 ram3
7 0 10240 loop0
8 0 2097152 sda
8 1 524288 sda1
8 16 83886080 sdb
253 0 83881984 dm-0

### RAID info
N/A

### System time
local time: Thu Mar 19 18:00:41 2020
UTC time: Thu Mar 19 18:00:41 2020

Device and ADOM Status Check
• Use the following FortiAnalyzer CLI commands to check device and ADOM status

What devices and IPs are connecting to FortiAnalyzer?
    # diagnose test application oftpd 3
What ADOMs are enabled and configured?
    # diagnose dvm adom list
What devices or VDOMs are currently registered and unregistered?
    # diagnose dvm device list

Troubleshooting Communication Issues
• Use the following CLI commands to troubleshoot communication issues

Are the devices able to contact each other?
    # execute ping <address>
Are packets leaving FortiGate but not reaching FortiAnalyzer? Is traffic blocked, or is there a routing issue?
    # diagnose sniffer packet <interface> <filter> <level> <timestamp> (run on FortiGate and on FortiAnalyzer and compare)
Is FortiGate configured for remote logging to FortiAnalyzer? Is the FortiAnalyzer source IP address set on FortiGate?
    FortiGate: # show log fortianalyzer setting
Are the logging filters for logs sent to FortiAnalyzer enabled on FortiGate?
    FortiGate: # show log fortianalyzer filter
Is FortiGate capable of generating logs?
    FortiGate: # diagnose log test
Is FortiAnalyzer receiving logs?
    FortiAnalyzer: # diagnose debug application oftpd 8 <FortiGate_IP> (enable output with # diagnose debug enable; see the next slide)

# diagnose debug application oftpd 8 <FortiGate_IP>

FortiAnalyzer side, filtered to the FortiGate's IP:

FortiAnalyzer # diagnose debug application oftpd 8 10.0.1.254
oftpd debug filter: ip==10.0.1.254
FortiAnalyzer # oftpd_handle_session:3586: sock[24] ip[10.0.1.254] - Handle 'FGT RELIABLE LOG REQUEST' request type=23.
oftpd_handle_session:3586: sock[24] ip[10.0.1.254] - Handle 'FGT RELIABLE LOG REQUEST' request type=23.
oftpd_handle_session:3586: sock[24] ip[10.0.1.254] - Handle 'FGT RELIABLE LOG REQUEST' request type=23.
(the same line repeats for each batch of logs the FortiGate sends)

FortiGate side, generating test logs at the same time:

Local-FortiGate # diagnose log test
generating a system event message with level - warning
generating an infected virus message with level - warning
generating a blocked virus message with level - warning
generating a URL block message with level - warning
generating a DLP message with level - warning
generating an IPS log message
generating an botnet log message
generating an anomaly log message
generating an application control IM message with level - information
generating an IPv6 application control IM message with level - information
generating deep application control logs with level - information
generating an antispam message with level - notification
generating an allowed traffic message with level - notice
generating a multicast traffic message with level - notice
generating a ipv6 traffic message with level - notice
generating a wanopt traffic log message with level - notification
generating a HA event message with level - warning
generating a VOIP event message with level - information
generating authentication event messages
generating a Forticlient message with level - information
generating a URL block message with level - warning
generating a DNS message with level - warning
generating an ssh-command pass log with level - notification
generating an ssh-channel block with level - warning
generating an ssl-cert_blacklisted log with level - warning

FortiAnalyzer Temporarily Unavailable to FortiGate?
• The FortiGate miglogd process caches logs on FortiGate when FortiAnalyzer is not reachable
• When the maximum cache size is reached, miglogd drops cached logs (oldest first)
• When the FortiAnalyzer connection is back, miglogd sends the cached logs
• The FortiGate buffer keeps logs long enough to sustain a reboot of FortiAnalyzer, but it is not intended for lengthy outages
• FortiGate devices with an SSD have a configurable log buffer

FortiGate CLI commands:

Local-FortiGate # diagnose test application miglogd 6
mem=0, disk=0, alert=0, alarm=0, sys=0, faz=171, faz-cloud=0, webt=0, fds=0
interface-missed=3726
Queues in all miglogds: cur:0 total-so-far:1023
global log dev statistics:
faz 0: sent=170, failed=0, cached=0, dropped=0 , relayed=0

• Queues in all miglogds: current cache size (cur) and total cache size so far
• faz 0: if there are bursts or the link is overloaded, failed increases; cached counts logs held while FortiAnalyzer is unreachable and dropped counts cached logs that were discarded

Local-FortiGate # diagnose log kernel-stats
fgtlog: 1
fgtlog 0: total-log=2529, failed-log=0 log-in-queue=0

• If the queue is full, the failed-log value increases

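The counters above can be turned into a quick health check. The following is an added example in Python (not part of the Fortinet course material, and not a FortiGate or FortiAnalyzer feature): it parses the output of diagnose test application miglogd 6 and diagnose log kernel-stats as pasted from the CLI, and reports the conditions the bullets describe: failed sends, logs cached while FortiAnalyzer is unreachable, cached logs dropped, and a full kernel log queue. The HEALTHY samples are the slide output; the DEGRADED samples are constructed to show what the counters look like during an outage.

```python
"""Flag FortiGate-to-FortiAnalyzer log forwarding problems from FortiGate CLI output.

Added example, not part of the Fortinet course material. HEALTHY_* is the
output shown on the slide; DEGRADED_* is constructed to look like a FortiGate
whose link to FortiAnalyzer has been down for a while.
"""
import re

HEALTHY_MIGLOGD = """\
mem=0, disk=0, alert=0, alarm=0, sys=0, faz=171, faz-cloud=0, webt=0, fds=0
interface-missed=3726
Queues in all miglogds: cur:0 total-so-far:1023
global log dev statistics:
faz 0: sent=170, failed=0, cached=0, dropped=0 , relayed=0
"""
HEALTHY_KERNEL = """\
fgtlog: 1
fgtlog 0: total-log=2529, failed-log=0 log-in-queue=0
"""

# Constructed: sends failing, buffer filling and already overflowing.
DEGRADED_MIGLOGD = """\
mem=0, disk=0, alert=0, alarm=0, sys=0, faz=171, faz-cloud=0, webt=0, fds=0
interface-missed=3726
Queues in all miglogds: cur:512 total-so-far:4096
global log dev statistics:
faz 0: sent=170, failed=37, cached=512, dropped=9 , relayed=0
"""
DEGRADED_KERNEL = """\
fgtlog: 1
fgtlog 0: total-log=2529, failed-log=14 log-in-queue=20
"""

_COUNTER = re.compile(r"([a-z-]+)=(\d+)")


def parse_faz_counters(miglogd_output: str) -> dict:
    """Counters of the first 'faz N:' line of 'diagnose test application miglogd 6'."""
    for line in miglogd_output.splitlines():
        if line.strip().startswith("faz "):
            return {k: int(v) for k, v in _COUNTER.findall(line)}
    raise ValueError("no 'faz N:' line in miglogd output")


def parse_queue(miglogd_output: str) -> dict:
    """Current and cumulative queue sizes across all miglogd workers."""
    m = re.search(r"Queues in all miglogds: cur:(\d+) total-so-far:(\d+)", miglogd_output)
    if not m:
        raise ValueError("no queue line in miglogd output")
    return {"cur": int(m.group(1)), "total_so_far": int(m.group(2))}


def parse_kernel_stats(kernel_output: str) -> dict:
    """Counters of the first fgtlog slot in 'diagnose log kernel-stats'."""
    m = re.search(r"total-log=(\d+), failed-log=(\d+) log-in-queue=(\d+)", kernel_output)
    if not m:
        raise ValueError("no fgtlog statistics in kernel-stats output")
    return {"total_log": int(m.group(1)), "failed_log": int(m.group(2)), "in_queue": int(m.group(3))}


def assess(miglogd_output: str, kernel_output: str) -> list:
    """Return human-readable findings; an empty list means forwarding looks healthy."""
    faz = parse_faz_counters(miglogd_output)
    queue = parse_queue(miglogd_output)
    kern = parse_kernel_stats(kernel_output)
    findings = []
    if faz["failed"]:
        findings.append(f"failed={faz['failed']}: sends to FortiAnalyzer failing "
                        "(burst, overloaded link, or FortiAnalyzer unreachable)")
    if faz["cached"] or queue["cur"]:
        findings.append(f"cached={faz['cached']} queued={queue['cur']}: logs held on "
                        "FortiGate, FortiAnalyzer not reachable right now")
    if faz["dropped"]:
        findings.append(f"dropped={faz['dropped']}: miglogd cache overflowed, "
                        "oldest cached logs have been discarded")
    if kern["failed_log"]:
        findings.append(f"failed-log={kern['failed_log']}: kernel log queue was full")
    return findings


if __name__ == "__main__":
    for label, m, k in (("healthy", HEALTHY_MIGLOGD, HEALTHY_KERNEL),
                        ("degraded", DEGRADED_MIGLOGD, DEGRADED_KERNEL)):
        print(label, assess(m, k) or ["ok"])
```

Run it against a scheduled CLI capture and alert on any non-empty result. A non-zero dropped counter deserves a higher severity than cached or failed: cached logs will still arrive once the connection is back, while dropped logs are evidence that is already gone.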
Knowledge Check
1. Which CLI command can you use to find FortiAnalyzer's ADOM status?
A. # get system status
B. # show system performance

2. What can the CLI command # diagnose test application oftpd 3 help
you to determine?
A. What ADOMs are enabled and configured
B. What devices and IP addresses are connecting to FortiAnalyzer

Disk Quota
Objectives
• Understand what comprises the disk quota
• Understand the disk quota
• Modify the disk quota
Finite Disk Space
• When the allotted log disk space is full:
• An alert message is automatically generated on the Alert Message Console (System Settings > Dashboard) as an event log with the level warning
• The oldest logs are overwritten (default)
• You can adjust this behavior to stop logging when the disk is full:

# config system locallog disk setting
    set diskfull nolog
end

• What you need to know:
• FortiAnalyzer disk quota and what is included in the quota
• How the disk quota is enforced
• What space is reserved and not available for storing logs

Disk Quota
• Disk quota includes:
• Raw logs
• Archive files
• SQL database tables

(Diagram: ADOM1 holding Local-FortiGate and Remote-FortiGate, each with its own Raw and Archive logs, sharing the ADOM's SQL database)

Understanding Disk Quota (example)

# diagnose log device
Total Quota Summary:
Total Quota Allocated Available Allocate%
64.8GB 64.6GB 142.0MB 99.8%
System Storage Summary:
Total Used Available Use%
79.8GB 5.6GB 74.2GB 7.0 %
Reserved space: 15.0GB (18.8% of total space)
Archive Analytics
Adom name AdomOID Type Logs Database
[Retention Quota UsedSpace(logs / quarantine / content / IPS) Used%] [Retention Quota Used Used%]
ADOM1 147 FSF 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
ADOM2 162 FGT 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
FortiAnalyzer 121 FAZ 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
FortiAuthenticator 137 FAC 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
FortiCache 125 FCH 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
FortiCarrier 117 FGT 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
FortiClient 127 FCT 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
FortiDDoS 135 FDD 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
FortiMail 119 FML 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
FortiManager 131 FMG 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
FortiNAC 141 FNA 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
FortiProxy 139 FPX 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
FortiSandbox 133 FSA 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
FortiWeb 123 FWB 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
Syslog 129 SYS 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
root 3 FSF 365days 15.0GB 24.0KB( 24.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 35.0GB 5.4MB 0.0%
Total usage: 16 ADOMs, logs=24.0KB database=930.3MB(ADOMs usage:5.4MB + Internal Usage:924.9MB)

How to read it:
• 79.8GB (Total System Storage) - 15.0GB (Reserved Space) = 64.8GB (Total Quota)
• 64.6GB (Allocated) = Archive + Analytics quota for all ADOMs
• 5.6GB (Used) = logs + all system files on the mounted drive (# diagnose system print df)
Disk Quota on License Information Widget
• License Information widget shows values lower than disk quota
• Only reports on the number of logs pushed to FortiAnalyzer on that day
• Logs also limited to statistics gathered by fortilogd daemon (FortiGate/FortiAnalyzer real-time
forwarded logs)
• Doesn’t include log archive, FortiGate store and upload logs, FortiAnalyzer aggregated logs, or FortiClient
logs
• Doesn’t include SQL tables

Reserved Disk Quota
• The system reserves 5-20% of disk space for system usage and unexpected quota overflow
• Only the remaining 80-95% of disk space is available for allocation as ADOM quota

Disk Size                       Reserved System Disk Quota
Small (< 500 GB)                20% or 50 GB, whichever is smaller
Medium (500 GB – 1000 GB)       15% or 100 GB, whichever is smaller
Large (1000 GB – 3000 GB)       10% or 200 GB, whichever is smaller
Very large (3000 GB – 5000 GB)  5% or 500 GB, whichever is smaller

• Use # diagnose log device to see the amount of reserved space on your FortiAnalyzer
• RAID level impacts the determination of disk size and reserved disk quota level!
• For example, a FAZ 1000C with 4 x 1 TB hard drives configured for RAID 10 is considered a large disk (see table above)

Disk Quota Enforcement
• Processes used for disk quota enforcement:

logfiled: monitors raw log file size, SQL database size, and archive file size, and sends commands to the other daemons to process; enforces the raw log file size
sqlplugind: enforces the SQL database size
oftpd: enforces the archive file size

• logfiled checks every two minutes (unless system resources are high) and estimates the space used by the SQL database
• If the estimated disk quota usage (raw + SQL) is above 95%, FortiAnalyzer removes the raw logs and the corresponding logs in archives (with the SQL tables) until usage is down to 85%

(Diagram: raw logs and SQL tables are trimmed together, and the same logs in the archives are deleted)

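To tie the diagnose log device output, the reserved-space tiers and the logfiled thresholds together, here is an added example in Python (not Fortinet code, and not a FortiAnalyzer feature). It parses a capture of diagnose log device, computes each ADOM's combined archive plus analytics usage against its quota, flags any ADOM at or above the 95% point where logfiled starts trimming (and how much it would trim to reach 85%), sums the allocated quota against the total, and computes the reserved space the tier table predicts for a given disk size. SAMPLE is trimmed from the output shown earlier (five of the sixteen ADOM rows kept), DEGRADED is a constructed copy with ADOM2 nearly full, and the size parser assumes base-1024 units, which matches 83,663,256 KB being reported as 79.8GB. Note that the tier formula gives about 16 GB for this 79.8 GB VM while the appliance reports 15.0 GB, so treat diagnose log device as authoritative and the formula as a sizing estimate.

```python
"""Quota headroom checks from 'diagnose log device' output (added example, not Fortinet code)."""
import re

# Trimmed from the slide output: five of the sixteen ADOM rows kept.
SAMPLE = """\
Total Quota Summary:
Total Quota Allocated Available Allocate%
64.8GB 64.6GB 142.0MB 99.8%
System Storage Summary:
Total Used Available Use%
79.8GB 5.6GB 74.2GB 7.0 %
Reserved space: 15.0GB (18.8% of total space)
Archive Analytics
Adom name AdomOID Type Logs Database
[Retention Quota UsedSpace(logs / quarantine / content / IPS) Used%] [Retention Quota Used Used%]
ADOM1 147 FSF 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
ADOM2 162 FGT 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
FortiMail 119 FML 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
Syslog 129 SYS 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%
root 3 FSF 365days 15.0GB 24.0KB( 24.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 35.0GB 5.4MB 0.0%
"""

# Constructed variant: ADOM2 filled past the point where logfiled starts trimming.
DEGRADED = SAMPLE.replace(
    "ADOM2 162 FGT 365days 300.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 60days 700.0MB 0.0KB 0.0%",
    "ADOM2 162 FGT 365days 300.0MB 290.0MB( 290.0MB/ 0.0KB/ 0.0KB/ 0.0KB) 96.7% 60days 700.0MB 680.0MB 97.1%")

# Base-1024 units (assumption; matches 83,663,256 KB being shown as 79.8GB on the slide).
UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}
TRIM_AT, TRIM_TO = 95.0, 85.0  # logfiled trims above 95% of quota down to 85%

ADOM_ROW = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)days\s+(\S+)\s+(\S+)\(\s*\S+/\s*\S+/\s*\S+/\s*\S+\)\s+[\d.]+%"
    r"\s+(\d+)days\s+(\S+)\s+(\S+)\s+[\d.]+%$")


def to_bytes(size: str) -> int:
    """'15.0GB' -> bytes."""
    m = re.fullmatch(r"([\d.]+)([KMGT]B)", size)
    if not m:
        raise ValueError(f"unrecognised size {size!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_adoms(output: str) -> list:
    """One dict per ADOM row: quotas and usage in bytes, retention in days."""
    rows = []
    for line in output.splitlines():
        m = ADOM_ROW.match(line.strip())
        if m:
            rows.append({"name": m.group(1), "oid": int(m.group(2)), "type": m.group(3),
                         "archive_days": int(m.group(4)),
                         "archive_quota": to_bytes(m.group(5)), "archive_used": to_bytes(m.group(6)),
                         "analytics_days": int(m.group(7)),
                         "analytics_quota": to_bytes(m.group(8)), "analytics_used": to_bytes(m.group(9))})
    return rows


def parse_totals(output: str) -> dict:
    """Total quota, allocated, system storage and reserved figures from the summary block."""
    q = re.search(r"Total Quota Summary:\s*\n[^\n]*\n\s*(\S+)\s+(\S+)\s+(\S+)\s+([\d.]+)%", output)
    s = re.search(r"System Storage Summary:\s*\n[^\n]*\n\s*(\S+)\s+(\S+)\s+(\S+)\s+([\d.]+)\s*%", output)
    r = re.search(r"Reserved space:\s*(\S+)\s*\(([\d.]+)% of total space\)", output)
    if not (q and s and r):
        raise ValueError("summary block not found")
    return {"total_quota": to_bytes(q.group(1)), "allocated": to_bytes(q.group(2)),
            "system_total": to_bytes(s.group(1)), "system_used": to_bytes(s.group(2)),
            "reserved": to_bytes(r.group(1)), "reserved_pct": float(r.group(2))}


def adom_headroom(output: str) -> list:
    """(name, used%, MB logfiled would trim) for ADOMs at or above the 95% trim point."""
    flagged = []
    for a in parse_adoms(output):
        quota = a["archive_quota"] + a["analytics_quota"]
        used = a["archive_used"] + a["analytics_used"]
        pct = 100.0 * used / quota
        if pct >= TRIM_AT:
            to_free_mb = (used - quota * TRIM_TO / 100) / UNITS["MB"]
            flagged.append((a["name"], round(pct, 1), round(to_free_mb, 1)))
    return flagged


def allocated_pct(output: str) -> float:
    """Sum of all ADOM quotas as a percentage of the total quota (over 100 means overcommitted)."""
    rows = parse_adoms(output)
    allocated = sum(a["archive_quota"] + a["analytics_quota"] for a in rows)
    return 100.0 * allocated / parse_totals(output)["total_quota"]


def reserved_space_gb(disk_gb: float) -> float:
    """Reserved space from the tier table: the smaller of a percentage and a fixed cap.
    The table ends at 5000 GB; larger disks get the last tier here (assumption)."""
    if disk_gb < 500:
        pct, cap = 0.20, 50.0
    elif disk_gb < 1000:
        pct, cap = 0.15, 100.0
    elif disk_gb < 3000:
        pct, cap = 0.10, 200.0
    else:
        pct, cap = 0.05, 500.0
    return min(disk_gb * pct, cap)
```

An ADOM that keeps appearing in adom_headroom is not a fault, it is logfiled doing its job, but every trim pass deletes the oldest raw and archive logs for that ADOM regardless of the retention you configured, so the quota, not the retention period, is what actually bounds how far back an investigation can look.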
Modifying ADOM Disk Quota
• Monitor the log rate for each device in the ADOM to determine disk quota requirements
• Adjust the quota based on the requirements

System Settings > All ADOMs Log View > System Storage

Increasing Disk Space
• With FortiAnalyzer VMs, you can dynamically add more disk space:
# execute lvm info: provides a list of available disks
1. Stop the FortiAnalyzer VM and add a new disk to the VM
2. Reboot FortiAnalyzer and run # execute lvm info to see the added disk
3. Run # execute lvm extend <disk number>
4. Reboot FortiAnalyzer (run # get system status to see the new disk space)
• With hardware FortiAnalyzer, you have to add another disk
• If you are using RAID, this requires you to rebuild your RAID array
• Be sure to account for future growth and size correctly from the outset!

Knowledge Check
1. By default, what happens when the allotted log disk space is full?
A. The oldest logs are overwritten
B. Logging stops

2. What is the disk quota composed of?


A. Raw logs, archive files, SQL database tables
B. Raw logs and archive files

Managing Registered Devices
Objectives
• Move registered devices between ADOMs
• Add two or more devices to an HA cluster
Moving Registered Devices Between ADOMs
• Do not move devices between ADOMs unless you have to
• Can move devices between ADOMs after registration
• By default, restricted to administrators with Super_User access
• You do not need to create a new ADOM if you upgrade your FortiGate firmware
• Not necessary to separate ADOMs by FortiOS version

System Settings > All ADOMs

Considerations Before Moving Devices
• What is the disk quota of the new ADOM? Ensure it has enough space for logs.
• Are the device's analytics logs required for reports in the new ADOM? If so, rebuild the new ADOM database:
# execute sql-local rebuild-adom <new-ADOM-name>
• Do you want to see the device's analytics logs in the old ADOM? If not, rebuild the old ADOM database (or they will be removed according to the data policy):
# execute sql-local rebuild-adom <old-ADOM-name>
• When you move a device, only the archive (compressed) logs are migrated to the new ADOM. The analytics (indexed) logs stay in the old ADOM until you rebuild the database.

High Availability Cluster
• FortiAnalyzer automatically discovers if a FortiGate device is in a high availability (HA) cluster
• If you register your device with FortiAnalyzer before adding it to a cluster, you can manually add the cluster within FortiAnalyzer (Device Manager > Edit)
• With an HA cluster, each device generates its own logs (separate serial number in logs)
• The primary device is responsible for sending all logs from the other devices in the cluster to FortiAnalyzer
• FortiAnalyzer distinguishes different devices by their serial number (SN) in the log headers

Knowledge Check

1. When you move a FortiGate device from one ADOM to a new ADOM, what is the
purpose of rebuilding the new ADOM database?
A. To migrate the archived logs to the new ADOM
B. To run reports on the device's analytics logs in the new ADOM

Review
• Identify the different ways you can register a device
• Describe how device registration works with ADOMs
• View device status
• Troubleshoot device communication issues
• Understand what comprises the disk quota
• Understand the disk quota
• Modify the disk quota
• Move registered devices between ADOMs
• Add two or more devices to an HA cluster