u/samsn1983

FortiAnalyzer 7.4.11 issue: logs visible on FAZ, but not in FortiGate GUI

Hi all,

We are seeing a strange issue with our FortiAnalyzer after upgrading from 7.4.9 to 7.4.11.

FortiAnalyzer:

  • Platform Type: FAZVM64
  • Firmware Version: v7.4.11 build2804 (Mature)

We have multiple FortiGates streaming logs to this FortiAnalyzer. We also use ADOMs for segmentation. Most of the FortiGates are also running 7.4.11.

In general, the logs are still arriving on the FortiAnalyzer and we can view/search them normally there. However, on some FortiGates it is no longer possible to view the logs directly in the FortiGate GUI.

As a workaround, changing the forward-log setting to memory allows the logs to be viewed locally again.

What we noticed so far:

  • The issue seems to affect only FortiGates using VDOMs
  • From our spot checks, all VDOMs on the affected firewalls seem to be impacted
  • The FortiGates are still sending logs correctly to the FortiAnalyzer
  • In Security Fabric / Fabric Connect, the FortiAnalyzer also appears to be connected and embedded correctly
  • A sql rebuild-db on the FortiAnalyzer did not improve the situation
  • I did not find anything obvious in the 7.4.11 release notes related to VDOM log viewing or FortiAnalyzer log integration

It is not urgent for us, since the logs are still available on the FortiAnalyzer, but I wanted to ask here before opening a TAC case:

Has anyone else seen this behaviour after upgrading to FAZ/FortiGate 7.4.11, especially in environments with VDOMs and ADOMs? Or has anyone experienced something similar with other 7.4.x releases?

u/samsn1983 — 3 days ago