Special Notices

This section highlights some of the operational changes that administrators should be aware of in FortiAnalyzer version 6.4.9.

FortiDeceptor logs

Logs sent from FortiDeceptor to FortiAnalyzer 6.4 may not display in the FortiAnalyzer GUI because of an incorrect ADOM type for FortiDeceptor. You can reset the FortiDeceptor ADOM type in FortiAnalyzer to work around this issue.

Note

This issue is fixed in FortiAnalyzer 6.4.4 and later. However, if the FortiDeceptor ADOM type is incorrect before upgrading to FortiAnalyzer 6.4.4 or later, you must still reset the FortiDeceptor ADOM type to correct the issue.

To reset the FortiDeceptor ADOM type:
  1. In FortiAnalyzer, reset the FortiDeceptor ADOM by running the following command:

    execute reset adom-settings FortiDeceptor 3 1 18

  2. Ensure that the FortiDeceptor ADOM type is FDC by running the following command:

    diag dvm adom list

  3. From FortiDeceptor, send logs again to FortiAnalyzer.

    FortiDeceptor displays as an unregistered device in FortiAnalyzer.

  4. In FortiAnalyzer, authorize the FortiDeceptor device.

Hyperscale firewall mode

FortiAnalyzer does not support logs from the following models when they have hyperscale firewall mode and netflow enabled:

  • FortiGate-1800F
  • FortiGate-1801F
  • FortiGate-4200F
  • FortiGate-4201F
  • FortiGate-4400F
  • FortiGate-4401F

FortiAnalyzer only supports logs when normal firewall mode with standard FortiGate logging is enabled.

FortiAnalyzer 3700F performance issues

FortiAnalyzer 3700F models running version 6.0.3 and later may experience high Disk I/O Utilization, large differences between Insert Rate Vs Receive Rate, and large Log Insert Lag Time.

To prevent these performance issues, FortiAnalyzer allows the disk cache to warm up for 30 minutes before inserting logs into the SQL database.

Citrix XenServer default limits and upgrade

Citrix XenServer limits ramdisk to 128M by default. However, the FAZ-VM64-XEN image is larger than 128M. Before updating to FortiAnalyzer 6.4, increase the size of the ramdisk setting on Citrix XenServer.

To increase the size of the ramdisk setting:
  1. On Citrix XenServer, run the following command:

    xenstore-write /mh/limits/pv-ramdisk-max-size 536870912

  2. Confirm the setting is in effect by running xenstore-ls.

    -----------------------
    limits = ""
    pv-kernel-max-size = "33554432"
    pv-ramdisk-max-size = "536870912"
    boot-time = ""
    ---------------------------

  3. Remove the pending files left in /run/xen/pygrub.

Note

The ramdisk setting returns to the default value after rebooting.
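
The following is an added example, not code from Fortinet or Citrix, covering steps 1 and 2 of the procedure above: it normalises the requested size to a plain byte count (xenstore values are stored as strings, so thousands separators would be written literally), writes the key, and reads it back to confirm. The script layout and the function names `to_bytes` and `set_ramdisk_limit` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: raise the XenServer PV ramdisk limit and verify the write.
# Run in dom0 on the XenServer host, e.g.:  sh set-ramdisk.sh 512M
KEY=/mh/limits/pv-ramdisk-max-size   # xenstore path from the procedure above

# to_bytes VALUE
# Normalise "536,870,912", "512M" or "1G" to a plain integer byte count.
# Prints the integer; returns 1 if VALUE is not a number.
to_bytes() {
    v=$(printf '%s' "$1" | tr -d ', ')       # drop separators and spaces
    case $v in
        *[Mm]) n=${v%?}; mult=1048576 ;;     # MiB suffix
        *[Gg]) n=${v%?}; mult=1073741824 ;;  # GiB suffix
        *)     n=$v;     mult=1 ;;
    esac
    case $n in
        ''|*[!0-9]*) return 1 ;;             # empty or non-digit: reject
    esac
    echo $((n * mult))
}

# set_ramdisk_limit VALUE
# Write the normalised value, then read it back and compare.
set_ramdisk_limit() {
    want=$(to_bytes "$1") || { echo "not a byte count: $1" >&2; return 1; }
    xenstore-write "$KEY" "$want" || return 1
    got=$(xenstore-read "$KEY") || return 1
    if [ "$got" != "$want" ]; then
        echo "read back '$got', expected '$want'" >&2
        return 1
    fi
    # The limit is not persistent: it must be set again after a host reboot.
    echo "$KEY = $got (returns to the default after rebooting)"
}

# Only touch xenstore when a size is given on the command line.
if [ "$#" -gt 0 ]; then
    set_ramdisk_limit "$1"
fi
```
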

FortiAnalyzer Cloud VM does not support FortiGate 6.4.0

FortiManager and FortiAnalyzer Cloud VMs do not currently support FortiGate 6.4.0. Cloud VM users should continue using FortiGate firmware 6.2 builds. Cloud platforms will be supported in a future 6.4 patch release.

FortiAnalyzer VM upgrade requires more memory

When upgrading FortiAnalyzer VM units from FortiAnalyzer 6.2.x to FortiAnalyzer 6.4.0 and later, the upgrade may fail because of memory allocation.

Workaround: Before upgrading FortiAnalyzer VM to FortiAnalyzer 6.4.0 and later, change the memory allocation to 8 GB of RAM.

Maximum ADOM limits for FortiAnalyzer

FortiAnalyzer hardware devices and VMs display a warning when the maximum number of ADOMs is reached or exceeded. The platform does not enforce the limit; however, adding more ADOMs may affect the performance of the unit. For more details, see Appendix A - Default and maximum number of ADOMs supported.

Port 8443 reserved

Port 8443 is reserved for https-logging from FortiClient EMS for Chromebooks.

All OFTP connections must be encrypted for FortiAnalyzer 6.2.0 (or higher)

Prior to upgrading to FortiAnalyzer 6.2, make sure that all FortiGate devices are configured to use encryption when communicating with FortiAnalyzer. Starting with FortiAnalyzer 6.2.0, all OFTP communications must be encrypted.

Hyper-V FortiAnalyzer-VM running on an AMD CPU

A Hyper-V FAZ-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running VMs on an Intel-based PC.

SSLv3 on FortiAnalyzer-VM64-AWS

Due to known vulnerabilities in the SSLv3 protocol, FortiAnalyzer-VM64-AWS only enables TLSv1 by default. All other models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:

    config system global
        set ssl-protocol tlsv1
    end
