Special Notices

This section highlights some of the operational changes that administrators should be aware of in FortiAnalyzer version 7.6.7.

FortiCare Elite or FortiCare Premium required to download FortiGuard objects

Starting in 7.2.12, 7.4.9, and 7.6.5, FortiAnalyzer requires a valid FortiCare Elite or FortiCare Premium support contract registered in FortiCloud in order to get object updates from FortiGuard.

FortiAnalyzer instances deployed on the Azure platform

FortiAnalyzer instances deployed on the Azure platform (regardless of version) may lose all data—including configuration, logs, and reports—if the VM is deallocated and subsequently reallocated.

This issue can occur when the VM is deallocated through Azure-level operations (e.g., Azure portal, CLI, or automation). For example, this may happen when an Azure administrator changes the VM SKU (e.g., from Standard_D16_v3 to Standard_D32a_v4), or when the VM is manually stopped (deallocated) from the Azure portal.

To minimize the risk of data loss, it is strongly recommended to:

• Perform regular backups of configuration and data via the GUI or native CLI commands on FortiAnalyzer.

• Shut down the FortiAnalyzer instance, if required, only from within the FortiAnalyzer system itself rather than through Azure-level controls.

• Before performing any upgrade or modification:

Run execute lvm info to verify disk composition and ensure no Azure temporary disk is included in LVM, For example:

Disk 1: 10 TB, Disk 2: 6 TB, ...

If all listed disks were explicitly added by the faz-admin, this indicates that no temporary disk is part of LVM and the upgrade is considered safe.

If an unexpected disk is detected (e.g., smaller system disk such as ~128 GB), it is likely the Azure temporary disk. In this case, perform a full backup before proceeding with the upgrade.

If issues occur after the upgrade:

• Run execute format disk to rebuild LVM,

• Use execute restore to recover data from backup.

The possible root cause may be as follows:

Prior to version 7.4.2, the system assumed sdb was always the Azure temporary disk and excluded it from LVM. In certain corner cases, a different device (e.g., sda) may have been incorrectly added to LVM. After upgrading, the existing LVM metadata persists on disk. When the VM is later deallocated and reallocated, Azure replaces the temporary disk, causing LVM initialization to fail due to stale metadata. As a result, any data previously stored on the temporary disk is lost.

The FortiAnalyzer XML API is no longer supported

The XML API is removed as of FortiAnalyzer 7.6.5.

legacy-auth-mode command added

A new CLI command, legacy-auth-mode, has been introduced to enhance the flexibility of OFTP connections between devices and FortiAnalyzer when needed. By default, FortiAnalyzer enforces certificate-based authentication for OFTP connections and validates the device's certificate by checking the Common Name (CN) field — if the CN matches the device's serial number (SN), the connection is accepted.

However, for devices like FortiWeb, FortiMail, and FortiADC, the certificate CN often does not match the SN, causing the OFTP connection to fail. When legacy-auth-mode is enabled, FortiAnalyzer allows OFTP connections to fall back to username/password authentication if the certificate CN does not match the SN. This enables compatibility with devices whose certificates use alternative CN formats while still providing a level of authentication. In line with security best practices, the OFTP port should not be exposed when legacy-auth-mode is enabled unless proper access restrictions are applied.

config system log settings

(settings)# set legacy-auth-mode ?

disable - Disable support for legacy authentication mode.

enable - Enable support for legacy authentication mode.

The grep command is added to the CLI

The grep command is added in FortiAnalyzer 7.6.5 CLI. This command can be used to filter larger outputs so that they only show the required information.

For more information, see the FortiAnalyzer CLI Reference.

FortiManager Connector

In FortiAnalyzer 7.6.4, the FMG Connector is moved to Incidents & Events > Automation > Active Connectors.

Default password policy for local users

Beginning in FortiAnalyzer 7.6.4, a password policy for local users is enabled and configured by default. If you are setting up FortiAnalyzer 7.6.4 or later, the password created at setup must be at least 8 characters and must contain uppercase letter(s), lowercase letter(s), number(s), and special character(s).

Note that existing password policy settings are maintained after upgrading. For example, if the password policy is disabled prior to upgrading to FortiAnalyzer 7.6.4 or later, it will remain disabled after the upgrade.

Quotations applied to fields containing string-type data

Starting from version 7.6.3, quotations are consistently applied to the fields containing string-type data. For example: srcip, dstip, transip, date, and time.

MEAs removed in FortiAnalyzer 7.6.3

There is no support for MEAs in FortiAnalyzer 7.6.3 and later.

The following management extension applications (MEAs) are removed in FortiAnalyzer 7.6.3:

• FortiSIEM

• FortiSOAR

Migrating the log database from Postgres to ClickHouse

Beginning in FortiAnalyzer 7.6.0, FortiAnalyzer stores logs in a ClickHouse SQL database rather than a Postgres SQL database.

For more information, see the FortiAnalyzer 7.6.0 Upgrade Guide.

Shell access has been removed

As of FortiAnalyzer 7.6.0, shell access has been removed.

The following CLI variables have been removed, which were previously used to enable shell access:

config system admin setting

set shell-access {enable | disable}

set shell-password <passwd>

The following CLI command has been removed, which was previously used to access shell when enabled:

execute shell

Alert notifications generated by FortiAnalyzer and sent by syslog

Beginning in 7.4.3, alert notifications generated by FortiAnalyzer and sent by syslog will use the RFC-5424 format.

Additional configuration required for SSO users

Beginning in 7.4.3, additional configuration is needed for FortiAnalyzer Users declared as wildcard SSO users.

When configuring Administrators as wildcard SSO users, the ext-auth-accprofile-override and/or ext-auth-adom-override features, under Advanced Options, should be enabled if the intent is to obtain the ADOMs list and/or permission profile from the SAML IdP.

FortiAnalyzer 7.2.3 and later firmware on FortiGuard

Starting in FortiAnalyzer 7.2.1, a setup wizard executes to prompt the user for various configuration steps and registration with FortiCare. During the execution, the FortiAnalyzer unit attempts to communicate with FortiGuard for a list of FortiAnalyzer firmware images currently available on FortiGuard – older and newer.

In the case of FortiAnalyzer 7.2.2, a bug in the GUI prevents the wizard from completing and prevents the user from accessing the FortiAnalyzer unit. The issue has been fixed in 7.2.3 and later and a CLI command has been added to bypass the setup wizard at login time.

config system admin setting

set firmware-upgrade-check disable

end

Fortinet has not uploaded FortiAnalyzer 7.2.3 and later firmware to FortiGuard in order to work around the GUI bug, however, the firmware is available for download from the Fortinet Support website.

Configuration backup requires a password

As of FortiAnalyzer 7.4.2, configuration backup files are automatically encrypted and require you to set a password. The password is required for scheduled backups as well.

In previous versions, the encryption and password were optional.

For more information, see the FortiAnalyzer Administration Guide.

FortiAnalyzer-3500E support

FortiAnalyzer 7.4.2 and later does not support the FortiAnalyzer-3500E device.

FortiAnalyzer 7.4.2 introduces an upgrade of the OpenSSL library to address known vulnerabilities in the library. As a result, the SSL connection that is setup between the FortiAnalyzer-3500E device and the Google Map server hosted by Fortinet uses a SHA2 (2048) public key length. The certificate stored on the BIOS that is used during the setup of the SSL connection contains a SHA1 public key length, which causes the connection setup to fail. Running the following command shows the key length.

FAZ3500E # config system certificate local

(local)# ed Fortinet_Local

(Fortinet_Local)# get

name : Fortinet_Local

password : *

comment : Default local certificate

private-key :

certificate :

Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiAnalyzer, CN = FL3K5E3M15000074, emailAddress = support@fortinet.com

Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com

Valid from: 2015-03-06 16:22:10 GMT

Valid to: 2038-01-19 03:14:07 GMT

Fingerprint: FC:D0:0C:8D:DC:57:B6:16:58:DF:90:22:77:6F:2C:1B

Public key: rsaEncryption (1024 bits)

Signature: sha1WithRSAEncryption

Root CA: No

Version: 3

Serial Num:

1e:07:7a

Extension 1: X509v3 Basic Constraints:

CA:FALSE

...

(Fortinet_Local)#

Serial console has changed for FortiAnalyzer deployments on Xen

In FortiAnalyzer 7.4.1, the serial console for Xen deployments has changed from hvc0 (Xen specific) to ttyS0 (standard).

OpenXen in PV mode is not supported in FortiAnalyzer 7.4.1

As of FortiAnalyzer 7.4.1, kernel and rootfs are encrypted. OpenXen in PV mode tries to unzip the kernel and rootfs, but it will fail. Therefore, OpenXen in PV mode cannot be used when deploying or upgrading to FortiAnalyzer 7.4.1. Only HVM (hardware virtual machine) mode is supported for OpenXen in FortiAnalyzer 7.4.1.

Default GUI theme changed

As of FortiAnalyzer 7.4.1, the default GUI theme is Jade. The default theme can be changed from System Settings > Settings.

FortiManager Features removed

FortiAnalyzer 7.2.1 and later no longer supports FortiManager Features. If you have FortiManager Features enabled before upgrading to FortiAnalyzer 7.2.1, FortiManager Features will be permanently disabled after upgrading to FortiAnalyzer 7.2.1.

Setup wizard requires FortiCare registration

Starting in FortiAnalyzer 7.2.1, the FortiAnalyzer Setup wizard requires you to complete the Register with FortiCare step before you can access the FortiAnalyzer appliance or VM. Previously the step was optional.

For FortiAnalyzer units operating in a closed environment, contact customer service to receive an entitlement file, and then load the entitlement file to FortiAnalyzer by using the CLI.

When FortiManager is managing FortiAnalyzer in a closed environment, FortiManager contains the FortiAnalyzer contract information, and you can point FortiAnalyzer to FortiManager.

Hyperscale firewall mode

FortiAnalyzer does not support logs from the following models when they have hyperscale firewall mode and netflow enabled:

• FortiGate-1800F
• FortiGate-1801F
• FortiGate-2600F
• FortiGate-2601F
• FortiGate-4200F
• FortiGate-4201F
• FortiGate-4400F
• FortiGate-4401F

FortiAnalyzer only supports logs when the normal firewall mode with standard FortiGate logging are enabled.

Modifying the interface status with the CLI

Starting in verion 7.0.1, the CLI to modify the interface status has been changed from up/down to enable/disable.

For example:

config system interface

edit port2

set status <enable/disable>

next

end

Citrix XenServer default limits and upgrade

Citrix XenServer limits ramdisk to 128M by default. However the FAZ-VM64-XEN image is larger than 128M. Before updating to FortiAnalyzer 6.4, increase the size of the ramdisk setting on Citrix XenServer.

To increase the size of the ramdisk setting:

1. On Citrix XenServer, run the following command:

   xenstore-write /mh/limits/pv-ramdisk-max-size 536,870,912

2. Confirm the setting is in effect by running xenstore-ls.

   -----------------------

   limits = ""

   pv-kernel-max-size = "33554432"

   pv-ramdisk-max-size = "536,870,912"

   boot-time = ""

   ---------------------------

3. Remove the pending files left in /run/xen/pygrub.

The ramdisk setting returns to the default value after rebooting.

FortiAnalyzer VM upgrade requires more memory

When upgrading FortiAnalyzer VM units from a previous version to FortiAnalyzer 7.2.2 or higher, the upgrade may fail because of memory allocation. As of FortiAnalyzer 7.2.2, FortiAnalyzer VM requires 16 GB of RAM and 4 CPU.

Workaround: Before upgrading FortiAnalyzer VM to FortiAnalyzer 7.2.2, change the memory allocation to 16 GB of RAM.

Maximum ADOM limits for FortiAnalyzer

FortiAnalyzer hardware devices and VMs display a warning when the maximum number of ADOMs is reached. For more details, see Appendix A - Default and maximum number of ADOMs supported.

Port 8443 reserved

Port 8443 is reserved for https-logging from FortiClient EMS for Chromebooks. See also FortiAnalyzer 7.0 Ports Reference on the Docs Library.

Hyper-V FortiAnalyzer-VM running on an AMD CPU

A Hyper-V FAZ-VM running on a PC with an AMD CPU may experience a kernel panic. Fortinet recommends running VMs on an Intel-based PC.

SSLv3 on FortiAnalyzer-VM64-AWS

Due to known vulnerabilities in the SSLv3 protocol, FortiAnalyzer-VM64-AWS only enables TLSv1 by default. All other models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:

config system global

set ssl-protocol t1sv1

end