Add FortiAnalyzer
Adding a FortiAnalyzer device to FortiManager gives FortiManager visibility into the logs on the FortiAnalyzer, providing a Single Pane of Glass on FortiManager. It also enables FortiAnalyzer Features, including FortiView, Log View, Incidents & Events, and Reports.
For information about FortiAnalyzer Features, see FortiAnalyzer Features. See also Viewing policy rules and View logs related to a policy rule.
To add a FortiAnalyzer to FortiManager, both must be running the same OS version, and that version must be 5.6 or later.
If FortiAnalyzer Features are enabled, you cannot add a FortiAnalyzer unit to FortiManager. See FortiAnalyzer Features. In addition, you cannot add a FortiAnalyzer unit to FortiManager when ADOMs are enabled and ADOM mode is set to Advanced.
ADOMs disabled
When you add a FortiAnalyzer device to FortiManager with ADOMs disabled, all devices with logging enabled can send logs to the FortiAnalyzer device. You can add only one FortiAnalyzer device to FortiManager, and the FortiAnalyzer device limit must be equal to or greater than the number of devices managed by FortiManager.
When you add additional devices with logging enabled to FortiManager, the managed devices can send logs to the FortiAnalyzer device. The new devices display in the Device Manager pane on the FortiAnalyzer unit when FortiManager synchronizes with the FortiAnalyzer unit.
ADOMs enabled
When you add a FortiAnalyzer device to FortiManager with ADOMs enabled, all devices with logging enabled in the ADOM can send logs to the FortiAnalyzer device. Following are the guidelines for adding a FortiAnalyzer device to FortiManager when ADOMs are enabled:
- FortiAnalyzer devices can be added to each ADOM, and the FortiAnalyzer device limit must be equal to or greater than the number of devices in the ADOM.
- The same FortiAnalyzer device can be added to more than one ADOM.
- The same ADOM name and settings must exist on the FortiAnalyzer device and FortiManager. The wizard synchronizes these settings for you if there is a mismatch.
- The logging devices in the FortiAnalyzer ADOM and FortiManager ADOM must be the same. The wizard synchronizes these settings for you.
- When one FortiAnalyzer is added to more than one ADOM, FortiAnalyzer features and visibility in the ADOM are limited to the logging devices included in the ADOM.
When you add additional devices with logging enabled to an ADOM in FortiManager, the managed devices can send logs to the FortiAnalyzer device in the ADOM. The new devices display in the Device Manager pane on the FortiAnalyzer unit when FortiManager synchronizes with the FortiAnalyzer unit.
Provisioning templates for log settings
After you add a FortiAnalyzer device to FortiManager, you can use FortiManager to enable logging for all FortiGates in the root ADOM (when ADOMs are disabled) or the ADOM (when ADOMs are enabled) by using the log settings in a system template. See System templates.
Legacy FortiAnalyzer ADOM
The FortiAnalyzer ADOM supports FortiAnalyzer units added to FortiManager before upgrading to FortiManager 5.6 and later. If you want to use the new functionality, you must delete the FortiAnalyzer unit from FortiManager and add it by using the Add FortiAnalyzer wizard.
Log storage and configuration
Logs are stored on the FortiAnalyzer device, not the FortiManager device. You configure log storage settings on the FortiAnalyzer device; you cannot change log storage settings using FortiManager.
Configuration and data for FortiAnalyzer features
When FortiManager manages a FortiAnalyzer unit, all configuration and data is kept on the FortiAnalyzer unit to support the following FortiAnalyzer features: FortiView > FortiView, Log View, Incidents & Events, and Reports. FortiManager remotely accesses the FortiAnalyzer unit to retrieve requested information for FortiAnalyzer features. For example, if you use the Reports pane in FortiManager to create a report, the report is created on the FortiAnalyzer unit and remotely accessed by FortiManager.