Adding FortiAnalyzer to a security fabric

In this recipe, you will add a FortiAnalyzer to a network that is already configured as a Cooperative Security Fabric (CSF). This will simplify network logging by storing and displaying all log information in one place.

This recipe is part of the Cooperative Security Fabric collection. It can also be used as a standalone recipe.

In this example, a FortiGate called External is the upstream FortiGate. There are also two internal segmentation firewalls (ISFWs), called Accounting and Marketing. OSPF routing is used between the FortiGates in the CSF.

1. Connecting the External FortiGate and the FortiAnalyzer

In this example, the External FortiGate’s port 16 will connect to port 2 on the FortiAnalyzer.

On the External FortiGate, go to Network > Interfaces and edit port 16. Set an IP/Network Mask for the interface (in the example, 192.168.55.2).

Configure Administrative Access to allow FortiTelemetry, required for communication between devices in the CSF. Configure other services as required.

 
On the FortiAnalyzer, go to System Settings > Network, select All Interfaces, and edit port2. Set IP/Netmask to an internal IP (in the example, 192.168.55.10/255.255.255.0).

Connect the External FortiGate and the FortiAnalyzer.

On the FortiAnalyzer, go to System Settings > Network. Port 2 is now shown as the management interface. Add a Default Gateway, using the IP address of the External FortiGate’s port 16.

2. Configuring OSPF routing to the FortiAnalyzer

On the External FortiGate, go to Network > OSPF and create a new Network. Set IP/Netmask to 192.168.55.0/255.255.255.0 (the subnet that includes FortiAnalyzer’s port 2) and Area to 0.0.0.0.
 

3. Allowing internal FortiGates to access the FortiAnalyzer

On the External FortiGate, go to System > Feature Select. Under Additional Features, select Multiple Interface Policies.  

Go to Policy & Objects > IPv4 Policy and create a policy allowing the internal FortiGates (Accounting and Marketing) to access the FortiAnalyzer.

Do not enable NAT.

 

4. Sending log information to the FortiAnalyzer

On the FortiAnalyzer, go to Device Manager and add a device.

Enter all information about the External FortiGate, then select Next.

The FortiAnalyzer will now add the device.

The External FortiGate is now listed on the FortiAnalyzer.

On the External FortiGate, go to Log & Report > Log Settings. Under Remote Logging and Archiving, enable Send Logs to FortiAnalyzer/FortiManager. Enter the IP Address of the FortiAnalyzer.

In this example, logs will be uploaded in Realtime because there are no bandwidth limitations. Also, since log traffic is occurring within the CSF, encryption is not enabled.

Select Test Connectivity to view information about the connection.

Under GUI Preferences, select Display Logs From FortiAnalyzer.

Repeat this process on both the Accounting and Marketing FortiGates. 

5. Results 

All three FortiGates are listed in the FortiAnalyzer’s Device Manager.
 
Go to FortiView > System > System Events. Events from all FortiGates in the CSF are shown, allowing you to have a complete view of the network.
 
You can select a type of System Event, such as System performance statistics, to view information about the individual events. Events are shown from all three FortiGates (the Device ID shown for each FortiGate is that unit’s serial number).  
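
The Results check above can also be scripted against exported log text. This added example (not part of the original recipe and not Fortinet code) assumes key=value log lines carrying `date`, `time` and `devid` fields, a hypothetical `FABRIC` inventory and placeholder serial numbers; it reports which of the three FortiGates are delivering logs, which have gone quiet, and which Device IDs are not in the inventory.

```python
import shlex
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate key=value style. Serial numbers are
# placeholders; the field layout is an assumption about the exported log text.
SAMPLE_LOGS = """\
date=2016-06-01 time=10:00:05 devname=External devid=SERIAL-EXTERNAL type=event subtype=system logdesc="System performance statistics" cpu=3
date=2016-06-01 time=10:00:07 devname=Accounting devid=SERIAL-ACCOUNTING type=event subtype=system logdesc="System performance statistics" cpu=1
date=2016-06-01 time=09:20:00 devname=Marketing devid=SERIAL-MARKETING type=event subtype=system logdesc="System performance statistics" cpu=2
date=2016-06-01 time=10:05:06 devname=External devid=SERIAL-EXTERNAL type=event subtype=system logdesc="System performance statistics" cpu=4
date=2016-06-01 time=10:05:30 devname=Lab devid=SERIAL-UNLISTED type=event subtype=system logdesc="Admin login successful"
truncated line with no usable fields devid
"""

# Hypothetical inventory: Device ID (serial number) -> FortiGate name in the recipe.
FABRIC = {"SERIAL-EXTERNAL": "External", "SERIAL-ACCOUNTING": "Accounting",
          "SERIAL-MARKETING": "Marketing"}

def parse_line(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quote in a damaged line
        return {}
    return dict(tok.split("=", 1) for tok in tokens if "=" in tok)

def last_seen(log_text):
    """Return {devid: newest timestamp}, skipping lines that cannot be parsed."""
    seen = {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        try:
            stamp = datetime.strptime(fields["date"] + " " + fields["time"],
                                      "%Y-%m-%d %H:%M:%S")
            devid = fields["devid"]
        except (KeyError, ValueError):
            continue
        seen[devid] = max(stamp, seen.get(devid, stamp))
    return seen

def coverage(log_text, fabric, now, max_age=timedelta(minutes=15)):
    """Mark each fabric member ok, stale or missing; list unlisted Device IDs."""
    seen = last_seen(log_text)
    status = {}
    for devid, name in fabric.items():
        age = now - seen[devid] if devid in seen else None
        status[name] = "missing" if age is None else "ok" if age <= max_age else "stale"
    return status, sorted(set(seen) - set(fabric))
```

Call `coverage(SAMPLE_LOGS, FABRIC, now)` with the current time; a "stale" or "missing" FortiGate means its Log Settings or the policy and route toward the FortiAnalyzer should be rechecked.
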
Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet

  • Chris Harper

    The topology diagram shows FGT ‘External’ port16 and FAZ port2 both having the same IP of 192.168.55.10.

    • Victoria Martin

      Hi Chris,

      Thanks for letting me know. I’ve corrected the diagram so that the FGT port 16 has the correct IP.