Before you can add a Security Fabric group to FortiAnalyzer, you need to create the Security Fabric group in FortiGate. For more information, see the FortiOS Handbook.
Fortinet recommends using a dedicated Super_User administrator account on the FortiGate for FortiAnalyzer access. This ensures that associated log messages are identified as originating from FortiAnalyzer activity. This dedicated Super_User administrator account only needs Read Only access to System Configuration; all other access can be set to None.
To add a Security Fabric group:
- Go to Device Manager > Unregistered Devices.
- Select all the devices corresponding to the Security Fabric group created in FortiGate.
- Authenticate the Security Fabric group by clicking the Warning icon (yellow triangle) beside the corresponding FortiGate root.
- Enter the Authentication Credentials. The authentication credentials are the ones you specified in FortiGate. Once the FortiGate root has been authenticated, the Warning icon will disappear.
- After authentication, it takes a few minutes for FortiAnalyzer to automatically populate the devices under the FortiGate root, which creates the Security Fabric group.