Managing Devices

Question 1

Device Registration States

Answer 1

Registered: Authorized to store logs on FAZ
Unregistered: Requesting to store logs on FAZ

Question 2

How to register device

Answer 2

Initiate from FAZ or remote device
stage devices on FAZ by prepopulating information
Add individual devices or a Security Fabric

Question 3

Pre-Shared Key method

Answer 3

Only usable for FGTs

Question 4

Which Logs are Collected from FortiGate?

Answer 4

Logs - Traffic, Event, Security
DLP Archive
Quarantine
IPS Packet Log

Question 5

Command to see devices and IPs connecting to FAZ

Answer 5

diagnose test application oftpd 3

Question 6

ADOM and Device list commands

Answer 6

diagnose dvm adom list - what adoms are enabled and configured
diagnose dvm device list - what devices or VDOMs are currently registered or unregistered

Question 7

Troubleshooting commands

Answer 7

execute ping
diagnose debug application oftpd 8 - Is FAZ receiving logs?
show log fortianalyzer settings - Is FGT configured for remote logging to FAZ, is FAZ source IP set on FGT?
show log fortianalyzer filter - Are logging filters for logs sent to FAZ on FGT enabled?
diagnose log test - is FGT capable of generating logs?

Question 8

Troubleshooting traffic to FAZ

Answer 8

Run sniffers on both devices.
diagnose sniff packet <interface> <filter> <level> <count> <timestamp></timestamp></count></level></filter></interface>

Question 9

Steps to Troubleshooting Communications

Answer 9

Debug the oftpd process
Generate test logs on FGT
Verify logs are received

Question 10

Moving Registered Devices between ADOMs

Answer 10

Don’t if you don’t have to.
Can move them after registration. (Restricted to Super_User Admins)
Don’t need to create a new ADOM if you upgrade FGT firmware(not necessary to seperate ADOMs by FortiOS version)

Question 11

After moving a device

Answer 11

Ensure Disk quota has enough space

When you move a device, only the archive logs are migrated to new adom. Analytics logs stay in the old one until you rebuild the databases

Question 12

Adding a FGT HA cluster

Answer 12

FAZ automatically discovers if a FGT is in a cluster. If registered to FAZ before forming the clust, add them manually together

Question 13

How to get Analytics Logs in New ADOM after Moving a device?

Answer 13

execute sql-local rebuild-adom <new-adom-name></new-adom-name>

Question 14

How to get rid of Analytics Logs of new device in Old ADOM?

Answer 14

execute sql-local rebuild-adom <old-adom-name></old-adom-name>

Question 15

How does FAZ distinguish FGT cluster member logs?

Answer 15

FAZ distinguishes them by serial numbers from log message headers.

Each device generates its own logs, separated by serial numbers of devices. The primary is responsible for sending logs to FAZ.