Disregard my former answer - C is correct when you look at the screengrab. There are two completely different identified devices reporting the logs for each packet observed in the Wireshark sniffer. Check the info column, and you'll see. This one is a doozy though.
Even though answer B is ridiculously written, just look at it:
"The logs belong to devices..."
Instead of "The screen capture shows logs from the primary device in a HA cluster"
would make this discussion a lot more one-sided. At first I was adamant it was "C", as FortiAnalyzer collects and correlates the logs from all Security Fabric devices as if they are seen from one device; however, all downstream FortiGates in a Security Fabric do send their logs directly to the FAZ, and you can view the logs for each device individually in the Topology View. Thus B is the most correct answer.
For more info on Security Fabric logging, see page 48 in the study guide.
For more info on how FAZ handles logs from a Fortigate HA Cluster, see pages 176-177.
ANSWER is B.
Page 48 says:
"Note that each FortiGate in the Security Fabric logs traffic to FortiAnalyzer independent of the root or other leaf devices. If the root FortiGate is down, logging from leaf FortiGate devices to FortiAnalyzer continues to function."
Page 176 says:
"In an HA cluster, the only device that communicates with FortiAnalyzer is the primary device in the cluster. The other devices send their logs to the primary, which then forwards them to FortiAnalyzer." "FortiAnalyzer distinguishes different devices by their serial numbers, which are found in the headers of all the log messages it receives."
I'm going with B. Per page 136 of the Study Guide, in active-passive HA, only the primary device can forward logs and archive files to a remote server (syslog, in this case). Thoughts?
Correct answer is C.
https://docs.fortinet.com/document/fortianalyzer/7.4.2/administration-guide/767294/security-fabric-traffic-log-to-utm-log-correlation
The answer is B. The slave unit will send its logs to the syslog server via the master unit.
In the FAZ admin study guide, page 176 mentions that you can distinguish logs by the serial number in the header.
See the screenshot at https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-syslog-communication-for-HA-setup/ta-p/211546
Oh boy, please go by the most upvotes here. My take is this.
A. Incorrect: FAZ deletes logs coming from every FG except the root FG, except in the case of NAT and UTM logs.
B. Incorrect: cluster devices have their own IP.
C. Correct, because all logs from the root FortiGate of a Security Fabric contain the IP of the root FG.
D. Incorrect: this would not affect the traffic logs in this way.
I think both FGT are set up in an HA cluster here (B).
In an HA cluster, only the primary FortiGate talks to FAZ and forwards all logs to it (from other cluster members and from itself). This can be seen only in an HA environment. From the hostnames, we can see that they're both VMs, so they could be clustered.
I've never seen the feature to aggregate logs on the root FortiGate and let it forward all logs from the fabric to FAZ. And I've never even seen it documented somewhere, even after searching for it. Usually, when devices are members of the fabric, they inherit the logging setting (in this case FAZ) and if they are first to receive / forward a packet, that fabric member generates the log and forwards it to FAZ. Of course, a fabric root FortiGate could be the primary FortiGate of an HA cluster. But even then, it will only aggregate logs of all cluster members, NOT of all fabric members. FortiGates that are in the fabric but are not part of the HA cluster directly send logs to FAZ.
Don't confuse HA and security fabric.
In a Fortinet Security Fabric, logs from downstream devices can be sent to FortiAnalyzer through the root FortiGate. This is why all the logs have the same source IP address (the root FortiGate). The root FortiGate aggregates and forwards the logs from all downstream devices, so the source IP in the log capture will appear to be from the root FortiGate itself, even though the logs originate from multiple devices within the fabric.
C is correct.
No. I think both FGT are set up in an HA cluster here (B).
I'm confused on why this would be C. In the Study guide it says:
"Note that each FortiGate in the Security Fabric logs traffic to FortiAnalyzer independent of the root or other leaf devices. If the root FortiGate is down, logging from leaf FortiGate devices to FortiAnalyzer continues to function."
This implies that downstream devices send logs directly to FA, they don't send them through the Root of the Security Fabric.
Can someone point me to where it says that the root FortiGate acts as an aggregator for the downstream device logs?
I'm 90% sure this is actually B. In the 7.2 study guide, page 170, where it discusses adding an HA cluster, it shows these exact device serial numbers in the screenshot on the slide.
"With an HA cluster, the only device that communicates with FortiAnalyzer is the primary device in the cluster. The other devices send their logs to the primary, which then forwards them to FortiAnalyzer.
FortiAnalyzer distinguishes different devices by their serial numbers, which are found in the headers of all the different log messages it receives."
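Added example, not part of any comment in this thread: a small Python script that does what the study guide quote above describes, attributing FortiGate log lines to devices by the devid (serial number) field in the log header and grouping them by the IP address that sent them in the capture. It then applies the distinction the thread argues over: one sender IP carrying several serial numbers is the pattern an HA primary produces when it forwards its members' logs, while one serial number per sender IP is what independently logging fabric members produce. The log lines, hostnames, serial numbers and IP addresses are constructed for illustration, and the classification is a heuristic, not a Fortinet API.

```python
"""Attribute FortiGate syslog lines to devices by the devid (serial number)
field in the log header, grouped by the IP address that sent them.

One sender IP carrying several serial numbers matches the HA case (the
primary forwards its members' logs); one serial number per sender IP
matches fabric members logging to the collector on their own."""
import re
from collections import defaultdict

# FortiGate logs are key=value pairs; values are either double-quoted
# (devname="FGT-A") or bare (srcip=192.168.1.10).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(payload: str) -> dict:
    """Parse one FortiGate log payload into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in _KV.findall(payload):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def devids_by_sender(records) -> dict:
    """records: iterable of (sender_ip, payload) as seen on the wire.
    Returns {sender_ip: set of devid values found in that sender's logs}."""
    out = defaultdict(set)
    for sender_ip, payload in records:
        devid = parse_fortigate_log(payload).get("devid")
        if devid:  # a line without a devid header cannot be attributed to a device
            out[sender_ip].add(devid)
    return dict(out)


def interpret(records) -> str:
    """Classify the sender/serial relationship in a set of captured log lines (heuristic)."""
    by_sender = devids_by_sender(records)
    all_devids = set().union(*by_sender.values()) if by_sender else set()
    if len(all_devids) <= 1:
        return "single-device"
    if any(len(ids) > 1 for ids in by_sender.values()):
        return "one-sender-several-serials"   # HA primary forwarding members' logs
    return "each-serial-has-its-own-sender"   # devices logging independently


# Constructed samples: IPs, hostnames and serial numbers are made up for illustration.
HA_CAPTURE = [
    ("10.0.0.1", 'date=2024-05-01 time=10:00:01 devname="FGT-VM-1" devid="FGVM00000000001A" '
                 'logid="0000000013" type="traffic" subtype="forward" level="notice" '
                 'srcip=192.168.1.10 dstip=203.0.113.5 action="accept"'),
    ("10.0.0.1", 'date=2024-05-01 time=10:00:02 devname="FGT-VM-2" devid="FGVM00000000001B" '
                 'logid="0000000013" type="traffic" subtype="forward" level="notice" '
                 'srcip=192.168.1.11 dstip=203.0.113.6 action="accept"'),
]
FABRIC_CAPTURE = [
    ("10.0.0.1", 'date=2024-05-01 time=10:00:01 devname="FGT-ROOT" devid="FGVM00000000002A" '
                 'logid="0000000013" type="traffic" subtype="forward" level="notice" '
                 'srcip=192.168.1.10 dstip=203.0.113.5 action="accept"'),
    ("10.0.0.2", 'date=2024-05-01 time=10:00:02 devname="FGT-LEAF" devid="FGVM00000000002B" '
                 'logid="0000000013" type="traffic" subtype="forward" level="notice" '
                 'srcip=192.168.2.10 dstip=203.0.113.6 action="accept"'),
]

if __name__ == "__main__":
    for name, capture in (("HA cluster", HA_CAPTURE), ("Security Fabric", FABRIC_CAPTURE)):
        print(name, devids_by_sender(capture), "->", interpret(capture))
```

Caveat for anyone applying this to a real capture: any relay that re-sources the packets (a syslog relay, or a FortiAnalyzer collector forwarding to an analyzer) produces the same "one sender, several serials" pattern, so the result is a hint about the topology, not proof of an HA cluster.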