Revolutionize Security with FortiAnalyzer


In the world of cybersecurity defense, it is imperative to have absolute visibility into your network, especially if your network is ever evolving and ever changing. No matter how secure a network is, every gap we close seems to open another one that can be exploited by lingering threats who seek to defame, extort, exploit or harm your organization for a myriad of reasons, ranging from political or financial motives to revenge or just plain curiosity. Being able to recognize threats, hunt them down and remediate them with frightening precision through automation and logging, backed by AI/ML, is what can give you the edge in staying above those that mean your business harm.
Enter Fortinet’s FortiAnalyzer: a comprehensive, flexible, and strategically crafted solution that provides meticulous data on what’s happening in your network, beyond what you’d expect of a normal logging solution. Let’s unpack what makes FortiAnalyzer tick and why it’s a fantastic next-generation solution for automation, logging, threat hunting and complete SOC visibility in your network.
What is FortiAnalyzer?
Think of FortiAnalyzer as the central nervous system for your security data. Instead of logs and events being scattered across multiple firewalls, switches, access points, or endpoints, and so on, FortiAnalyzer aggregates this data into one unified location, a centralized log repository if you will.
FortiAnalyzer provides centralized Logging, which securely collects and stores massive amounts of log data in raw format from Fortinet devices (FortiGate, FortiSwitch, FortiAP, FortiClient, FortiSandbox, FortiEDR, etc.) and prepares them in human readable format for review and analysis. FortiAnalyzer can also integrate logs from third-party devices via Syslog. Log aggregation provides a single channel for accessing your complete network data, so you don’t need to access multiple devices, multiple times per day.
Operation Modes
FortiAnalyzer can run in two operation modes: Analyzer and Collector. The operation mode you choose should depend on your network topology and requirements.
Analyzer mode (Centralized Processing)
Analyzer mode is the default mode that supports all FortiAnalyzer features. Use this mode to aggregate logs from one or more Collectors (FortiAnalyzer units running in Collector mode), as well as from endpoints and other Fortinet or third-party devices that log directly to it.
The following diagram shows an example of deploying FortiAnalyzer in Analyzer mode.
Reference: https://docs.fortinet.com/document/fortianalyzer/7.6.3/administration-guide/15523/analyzer-mode
Analyzer mode is the default mode that FortiAnalyzer uses fresh out of the box.
How it Works:
Devices (FortiGates, FortiSwitches, FortiAPs, etc.) send raw logs directly to the FortiAnalyzer unit operating in Analyzer mode.
The FortiAnalyzer itself performs all log reception, parsing, filtering, indexing, and initial analysis/storage.
All analytics (views, reports, threat detection, correlation) run directly on the central FortiAnalyzer using its processed data.
Collector mode (Distributed Processing)
When FortiAnalyzer is in Collector mode, its primary task is forwarding logs of the connected devices to an Analyzer and archiving the logs. Instead of writing logs to the database, the Collector retains logs in their original binary format for uploading. In this mode, most features are disabled. When operating in Collector mode, the device collects logs from multiple devices and then forwards those logs, in their original binary format, to another device, such as a FortiAnalyzer operating in Analyzer mode. It can also send them to a syslog server or a Common Event Format (CEF) server, depending on the forwarding mode.
A collector does not have the same feature-rich options as an analyzer, because its only purpose is to collect and forward logs. It does not allow event management or reporting.
Reference: https://training.fortinet.com/local/staticpage/view.php?page=library_fortianalyzer-analyst
How it Works:
Collectors: Dedicated FortiAnalyzer units (physical or VM) are deployed locally (e.g., in a multi wan setup, remote offices, etc.).
Local Processing: These Collectors receive raw logs in binary directly from devices in their local LANs or domains.
Forwarding: Processed/compressed log data is then efficiently forwarded to a central Analyzer Unit.
Central Analysis: The central Analyzer Unit (operating in Analyzer mode) receives this pre-processed data from multiple Collectors. It performs indexing, long-term storage, correlation, analytics, reporting, and management.
As you can probably see already, you can deploy Analyzer mode and Collector mode on different FortiAnalyzer units and make the units work together to improve the overall performance of log receiving, analysis, and reporting. The Analyzer offloads the log receiving task to the Collector so that the Analyzer can focus on data analysis and report generation. This maximizes the Collector’s log receiving performance.
Collectors and Analyzers
Here is another diagram showing a scenario where we have a FortiAnalyzer in Analyzer mode and a FortiAnalyzer in collector mode.
Company A has a remote branch network with a FortiGate unit and a FortiAnalyzer 400E in Collector mode. In its head office, Company A has another FortiGate unit and a FortiAnalyzer 3000D in Analyzer mode. The Collector forwards the logs of the FortiGate unit in the remote branch to the Analyzer in the head office for data analysis and reports generation. The Collector is also used for log archival.
Log Fetching
Log fetching is used to retrieve archived logs from one FortiAnalyzer device to another. This allows administrators to run queries and reports against historic data, which can be useful for forensic analysis.
The fetching FortiAnalyzer (the FortiAnalyzer in Analyzer mode) can query the server FortiAnalyzer (the FortiAnalyzer in Collector mode) and retrieve the log data for a specified device and time period, based on specified filters. The retrieved data are then indexed, and can be used for data analysis and reports.
Log fetching can only be done on two FortiAnalyzer devices running the same firmware. A FortiAnalyzer device can be either the fetch server or the fetching client, and it can perform both roles at the same time with different FortiAnalyzer devices. Only one log fetching session can be established at a time between two FortiAnalyzer devices.
Why logging?
Log messages help paint a picture of what is transpiring in your network environment. Logs are useful for troubleshooting the network, determining load on network devices, establishing baselines for how regular traffic should flow and operate, and supporting threat hunting, incident response and forensic analysis. There are many network environments still in operation where log isolation is a serious problem. More often than not, multiple log messages are required to determine the exact chain of activity that leads to a breach. A log message from a single endpoint often won’t help you to best configure your network environment to prevent such breaches in the future. This is why centralized logging is so crucial.
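To make the point about log isolation concrete, here is an added example (not code from the post or from Fortinet) that reconstructs the chain of activity for one host from logs that several devices sent to a central repository. The log records, device names, hosts and timestamps are constructed for the illustration; the dict layout is an assumption, not FortiAnalyzer’s log format.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real FortiAnalyzer output: each record is a
# log already normalized into a dict the way a central repository would hold it.
CENTRAL_LOGS = [
    {"ts": "2024-05-01T02:14:03", "device": "FortiClient-EP7", "host": "10.1.5.23",
     "event": "antivirus", "detail": "quarantined dropper.exe"},
    {"ts": "2024-05-01T02:12:40", "device": "FortiGate-HQ", "host": "10.1.5.23",
     "event": "webfilter", "detail": "allowed download from uncategorized site"},
    {"ts": "2024-05-01T02:13:10", "device": "FortiGate-HQ", "host": "10.1.5.23",
     "event": "ips", "detail": "signature match on outbound flow"},
    {"ts": "2024-05-01T02:16:55", "device": "FortiGate-HQ", "host": "10.1.5.23",
     "event": "traffic", "detail": "denied outbound 445 to 10.1.6.0/24"},
    {"ts": "2024-05-01T01:02:00", "device": "FortiSwitch-F1", "host": "10.1.5.23",
     "event": "link", "detail": "port up"},
    {"ts": "2024-05-01T02:15:00", "device": "FortiClient-EP9", "host": "10.1.5.77",
     "event": "antivirus", "detail": "signature update"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def reconstruct_chain(logs, host, anchor_event="antivirus", window_minutes=5):
    """Return the time-ordered events for `host` from every device, within
    `window_minutes` either side of the first `anchor_event` for that host.
    Ordering across devices is only possible because the logs sit in one place."""
    host_logs = sorted((l for l in logs if l["host"] == host),
                       key=lambda l: parse_ts(l["ts"]))
    anchors = [l for l in host_logs if l["event"] == anchor_event]
    if not anchors:
        return []
    t0 = parse_ts(anchors[0]["ts"])
    lo = t0 - timedelta(minutes=window_minutes)
    hi = t0 + timedelta(minutes=window_minutes)
    return [l for l in host_logs if lo <= parse_ts(l["ts"]) <= hi]


def devices_involved(chain):
    """Which devices contributed to the chain; more than one is the point."""
    return sorted({l["device"] for l in chain})


def endpoint_only_view(logs, host):
    """What a single endpoint's own logs show in isolation: the quarantine
    event, with none of the firewall context that explains how it got there."""
    return [l for l in logs
            if l["host"] == host and l["device"].startswith("FortiClient")]


if __name__ == "__main__":
    for rec in reconstruct_chain(CENTRAL_LOGS, "10.1.5.23"):
        print(rec["ts"], rec["device"], rec["event"], rec["detail"])
```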
Security Fabric
FortiAnalyzer can be integrated into Fortinet’s Security Fabric. Logging with FortiAnalyzer is an automated, centralized process where all devices within a Fortinet Security Fabric (FortiGate, FortiSwitch, FortiAP, FortiClient, etc.) seamlessly stream their security logs and events to a dedicated FortiAnalyzer system. FortiAnalyzer acts as the nerve center, correlating this integrated data across the entire fabric to provide unified visibility, intelligent threat detection, automated reporting, and simplified compliance auditing, turning isolated events into actionable security intelligence.
For more information on the Security Fabric, please see Fortinet’s documentation library: https://docs.fortinet.com/document/fortianalyzer/7.6.3/administration-guide/798229/fortinet-security-fabric
FortiView
FortiAnalyzer is equipped with FortiView. FortiView is an interactive, visual analytics tool built into FortiGate firewalls and FortiAnalyzer that provides real-time insights into network traffic, threats, users, and applications. It transforms raw security data into intuitive, drillable dashboards for instant visibility and rapid troubleshooting. FortiView’s comprehensive monitoring system displays historical data in real-time and also displays data from analytics logs (logs that are indexed).
Features & Capabilities
Real-Time Monitoring: Live views of traffic patterns, top talkers, threats, and application usage. No waiting for reports – data updates dynamically.
Interactive Drill-Down: Click any element (IP, user, application) to uncover granular details. Example: Click a suspicious IP → see its destinations, protocols, associated threats. Trace attack paths or bandwidth hogs in seconds.
Dashboard Visibility:
Traffic: Top sources/destinations, interfaces, geolocations, policy hits and more.
Threats: Top attackers, victims, malware types, C&C connections, global map showing traffic destinations and more.
Websites: Most-visited domains/categories (e.g., social media, streaming).
Applications: Top applications, bandwidth usage by app (Zoom, Netflix, SaaS tools).
Users: Activity per AD/LDAP user or device.
Wireless: Client SSIDs, signal strength, AP load.
ADOM Support (in FortiAnalyzer): Filter views by Administrative Domain (ADOM) for multi-tenant/multi-site visibility.
FortiView allows you to use multiple filters in the consoles, enabling you to narrow your view to a specific time, by user ID or local IP address, by application, and others. You can use it to investigate traffic activity, such as user uploads and downloads, or videos watched on YouTube on a network-wide user group or on an individual-user level. You can also export FortiView information as a PDF file, or create a chart to use in your own reports.
Reference: https://training.fortinet.com/local/staticpage/view.php?page=library_fortianalyzer-analyst
In essence: FortiView is your network’s "live CCTV camera" – delivering immediate, actionable intelligence at a glance. Ideal for SOC teams, network admins, and anyone needing to see and act fast.
Administrative Domains (ADOMs)
ADOMs (Administrative Domains) are isolated, logical partitions within a FortiAnalyzer system that act as separate "virtual analyzers." They allow you to segment log data, configurations, and administrative access, manage multiple organizations/tenants, departments, or geographic regions, enforce strict data privacy (e.g., HIPAA, GDPR) and delegate administration without cross-tenant visibility.
Think of ADOMs like an apartment building with multiple rooms, each having its own party and activities under one structure (FortiAnalyzer), but never actually interacting, as a door separates each room (ADOM) from the others. This is similar to how Virtual Domains (VDOMs) operate on a typical FortiGate device.
For review: ADOMs turn one FortiAnalyzer into multiple secure, isolated analytics environments – critical for scalability, compliance, and delegated administration.
Structured Query Language (SQL)
FortiAnalyzer supports Structured Query Language (SQL) for logging and reporting. The log data is inserted into the SQL database to support data analysis in FortiView, Log View (where you view logs), and Reports (where you view or generate reports). Remote SQL databases are not supported. FortiAnalyzer's SQL functionality is a restricted query language that enables targeted log retrieval from its underlying SQL database. It searches, filters, and extracts security log data while maintaining system integrity.
The log storage settings define how much FortiAnalyzer disk space to use for the SQL database. When FortiAnalyzer is in Collector mode, the SQL database is disabled by default, which makes sense as Collectors don’t usually query the database for an output; they just forward logs to the FortiAnalyzer operating upstream in Analyzer mode. If you want to use logs that require SQL when FortiAnalyzer is in Collector mode, you must enable the SQL database on the CLI.
FortiAnalyzer's SQL-like querying is a purpose-built tool that lets SOC teams surgically extract insights from massive log datasets, allowing for quick outputs that can lead to timely strategies for combating abnormalities or indicators of compromise in your network environment.
FortiAI
FortiAI is a generative AI security assistant that uses FortiGuard lab's high-fidelity security data and is continuously monitored and improved by FortiGuard Security experts. Administrators can use the FortiAI Assistant to answer questions and get help with configurations using FortiAI's advanced natural language processing capabilities.
FortiAI can be used in FortiAnalyzer for incident investigation, response, and threat hunting. The assistant can interpret security events, generate detailed summaries, identify potential impacts, and make remediation recommendations. FortiAI can also simplify platform usage with natural language prompts. For example, the assistant can create complex database queries, generate reports, write event handler and correlation rules, and execute many other FortiAnalyzer functions during typical workflow.
To review: It’s essentially a deep learning AI engine embedded in FortiAnalyzer. It analyzes raw security logs in real-time to detect unknown threats, automate incident triage, and predict attack patterns—transforming reactive log storage into proactive threat intelligence.
For more information, see Using FortiAI.
High Availability (HA)
FortiAnalyzer supports High Availability (HA). This provides automatic failover between two identical nodes (primary/backup) to ensure zero logging downtime, continuous analytics, and data integrity during hardware/software failures. It transforms FortiAnalyzer from a single point of failure into a resilient logging backbone.
A FortiAnalyzer high availability (HA) cluster provides the following features:
Provide real-time redundancy in case a FortiAnalyzer primary unit fails. If the primary unit fails, another unit in the cluster is selected as the primary unit.
Synchronize logs and data securely among multiple FortiAnalyzer units. Some system and configuration settings are also synchronized.
Alleviate the load on the primary unit by using secondary (backup) units for processes such as running reports.
A FortiAnalyzer HA cluster can have a maximum of four units: one primary unit with up to three secondary units. All units in the cluster must be of the same FortiAnalyzer series. All units are visible on the network.
All units must run in the same operation mode: Analyzer or Collector.
If the primary unit fails
If the primary unit becomes unavailable, another unit in the cluster is selected as the primary unit using the following rules:
All cluster units are assigned a priority from 1 – 120. The default priority is 100. If the primary unit becomes unavailable, an available unit with the highest priority is selected as the new primary unit. For example, a unit with a priority of 110 is selected over a unit with a priority of 100.
If multiple units have the same priority, the unit whose primary IP address has the greatest value is selected as the new primary unit. For example, 123.45.67.124 is selected over 123.45.67.123.
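The two election rules above as an added example (not the post’s or Fortinet’s code) that picks the new primary from a constructed four-unit cluster. It also shows the pitfall a naive implementation runs into: the tie-break must compare IP addresses numerically, since a string comparison ranks 123.45.67.9 above 123.45.67.124. Unit names, addresses and availability flags are made up; the priority range and default are the ones quoted in the text.

```python
import ipaddress

# Constants taken from the rules above; the cluster inventory is constructed.
PRIORITY_MIN, PRIORITY_MAX, PRIORITY_DEFAULT = 1, 120, 100
MAX_UNITS = 4  # one primary plus up to three secondaries


def validate_priority(p):
    if not PRIORITY_MIN <= p <= PRIORITY_MAX:
        raise ValueError(f"priority {p} outside {PRIORITY_MIN}-{PRIORITY_MAX}")
    return p


def validate_cluster(units):
    """Cluster-wide sanity checks: size limit and a single operation mode."""
    if len(units) > MAX_UNITS:
        raise ValueError(f"cluster has {len(units)} units, maximum is {MAX_UNITS}")
    modes = {u.get("mode", "Analyzer") for u in units}
    if len(modes) != 1:
        raise ValueError(f"all units must share one mode, found {sorted(modes)}")
    for u in units:
        validate_priority(u.get("priority", PRIORITY_DEFAULT))
    return True


def _candidates(units, failed):
    return [u for u in units if u["available"] and u["name"] != failed]


def elect_primary(units, failed):
    """New primary after `failed` drops out.
    Rule 1: highest priority among available units wins.
    Rule 2: on a tie, the greatest primary IP wins, compared numerically."""
    cands = _candidates(units, failed)
    if not cands:
        return None
    best = max(cands, key=lambda u: (validate_priority(u.get("priority", PRIORITY_DEFAULT)),
                                     int(ipaddress.ip_address(u["ip"]))))
    return best["name"]


def naive_elect(units, failed):
    """Same rules but comparing the IP as text; kept only to show the bug."""
    cands = _candidates(units, failed)
    if not cands:
        return None
    return max(cands, key=lambda u: (u.get("priority", PRIORITY_DEFAULT), u["ip"]))["name"]


# Constructed cluster: faz-4 is down, faz-2 and faz-3 tie on priority.
CLUSTER = [
    {"name": "faz-1", "ip": "123.45.67.123", "priority": 110, "available": True},
    {"name": "faz-2", "ip": "123.45.67.124", "priority": 100, "available": True},
    {"name": "faz-3", "ip": "123.45.67.9",   "priority": 100, "available": True},
    {"name": "faz-4", "ip": "123.45.67.50",  "priority": 100, "available": False},
]

if __name__ == "__main__":
    validate_cluster(CLUSTER)
    print("faz-1 fails ->", elect_primary(CLUSTER, "faz-1"))  # faz-2
    print("naive tie-break ->", naive_elect(CLUSTER, "faz-1"))  # faz-3 (wrong)
```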
High Availability is designed in such a way that having redundant FortiAnalyzers in your network environment can eliminate the single point of failure and provide robust redundancy in ensuring your network is constantly being monitored and documented by your FortiAnalyzer.
In essence: FortiAnalyzer HA is your insurance policy for logging continuity. It ensures your security telemetry, compliance evidence, and forensic data remain intact – even when hardware fails. For enterprises where logging = security, HA isn’t optional; it’s essential.
Automation
Automation is critical for security teams who are facing the ever-changing threat landscape. Generally speaking, automation improves productivity, reduces cost, increases efficiency, and minimizes human errors. In a SOC environment, these benefits provide, among other results, faster response time, faster data analysis, better use of analysts’ time, better compliance management, and a more consistent security posture. FortiAnalyzer allows SOC analysts to automate common and repetitive tasks with the use of playbooks.
FortiAnalyzer works with standalone devices, but it is also integrated with the Security Fabric. This integration allows FortiAnalyzer to communicate with other devices in the Security Fabric to detect security events, and trigger corrective or preventive actions automatically, by running automated playbooks. For example, you can create playbooks that automatically generate a report, or instruct a FortiGate device to quarantine a compromised host, just to mention two use cases. The available actions depend on the device type. Using devices that are compatible with the Security Fabric allows you to exploit their capabilities to their full extent.
What comprises FortiAnalyzer’s automation capabilities?
Triggers act as the nervous system of this automation engine. These are predefined conditions that launch automated workflows the moment something significant occurs. Imagine a trigger as a sentry standing watch—it might spring into action when spotting a critical ransomware signature in firewall logs, an unusual spike in data exports from a sensitive server, or even a scheduled event like 2 AM vulnerability scans. Unlike traditional alert systems that merely notify, triggers initiate complex countermeasures automatically.
Playbooks serve as the brain and hands of the operation. These are customizable workflows that execute a sequence of actions when triggered. Picture a playbook as a seasoned incident responder encoded into software: upon detecting a phishing attack, it might instantly quarantine infected devices, force password resets for compromised accounts, scan network shares for malware traces, then document every action in an audit-ready report—all within seconds. The real power lies in their adaptability; playbooks can branch like decision trees (e.g., "If the threat severity is high, isolate the device; if medium, just alert the team").
Connectors function as the framework's diplomatic envoys. They allow FortiAnalyzer to seamlessly interact with third-party systems through APIs. When a playbook determines an infected device needs isolation, connectors translate that intent into actions across your ecosystem: Microsoft 365 might delete malicious emails, ServiceNow could generate a trouble ticket, CrowdStrike may initiate a forensic scan, and Slack simultaneously alerts your SOC channel. This interoperability turns fragmented tools into a unified defense orchestra.
Reference: https://training.fortinet.com/local/staticpage/view.php?page=library_fortianalyzer-analyst
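An added example (not the post’s or Fortinet’s code) that models the trigger, playbook and connector triad described above: a trigger matches events, the playbook branches on severity exactly as the "if high, isolate; if medium, alert" sentence describes, and connectors record an audit trail. The event fields, connector names and the actions they take are assumptions for the illustration, not FortiAnalyzer’s playbook API.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Trigger:
    """Predefined condition that fires a playbook (assumed shape)."""
    name: str
    condition: Callable[[dict], bool]


class Connectors:
    """Registry of outbound integrations; every call lands in the audit trail."""
    def __init__(self):
        self.audit: List[str] = []
        self._handlers: Dict[str, Callable[..., str]] = {}

    def register(self, name, handler):
        self._handlers[name] = handler

    def call(self, name, **kw):
        if name not in self._handlers:
            raise KeyError(f"no connector named {name}")
        line = self._handlers[name](**kw)
        self.audit.append(line)
        return line


@dataclass
class Playbook:
    name: str
    trigger: Trigger
    steps: Callable[[dict, Connectors], List[str]]


def ransomware_steps(event, c):
    """Branching workflow: severity decides containment vs. notification."""
    host = event["host"]
    if event["severity"] == "high":
        return [c.call("fortigate_quarantine", host=host),
                c.call("ticket", summary=f"{host} isolated")]
    if event["severity"] == "medium":
        return [c.call("chat", text=f"review {host}")]
    return []


def build_engine():
    # Connector handlers are stand-ins; real ones would call each product's API.
    c = Connectors()
    c.register("fortigate_quarantine", lambda host: f"fortigate: quarantined {host}")
    c.register("ticket", lambda summary: f"ticketing: opened '{summary}'")
    c.register("chat", lambda text: f"chat: {text}")
    trig = Trigger("ransomware-signature",
                   lambda e: e["type"] == "ips" and "ransom" in e["signature"].lower())
    return c, [Playbook("contain-ransomware", trig, ransomware_steps)]


def run(events, connectors, playbooks):
    """Evaluate every trigger against every event; return (playbook, actions)."""
    return [(pb.name, pb.steps(e, connectors))
            for e in events for pb in playbooks if pb.trigger.condition(e)]


# Constructed events, not real IPS log output.
EVENTS = [
    {"type": "ips", "signature": "Ransom.Sample.Beacon", "host": "10.1.5.23", "severity": "high"},
    {"type": "ips", "signature": "Ransom.Generic", "host": "10.1.5.77", "severity": "medium"},
    {"type": "traffic", "signature": "", "host": "10.1.5.80", "severity": "low"},
]
```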
Why This Automation Matters in Real-World Security
This triad of triggers, playbooks and connectors creates self-healing security infrastructure. Consider a ransomware outbreak at 3 AM: triggers detect the encryption patterns, playbooks automatically isolate infected subnets and disable affected user accounts, while connectors synchronize these actions across firewalls, endpoint tools, and ticketing systems. By sunrise, the threat is contained with full audit trails, all without human intervention.
For compliance teams, automation converts months of manual evidence collection into scheduled playbooks that generate PCI or HIPAA reports, attach them to emails, and archive them in regulated storage. Threat hunters leverage triggers to scour logs for subtle IOCs, automatically enriching findings with threat intelligence before feeding results into SIEMs. This can result in up to a 90% reduction in mean-time-to-respond, turning analysts from firefighters into strategic advisors.
The Human Impact: Beyond Technical Gains
While the technology prevents breaches, its profound value lies in rescuing SOC teams from alert fatigue. By automating repetitive tasks, false positive filtering, ticket creation, and basic containment, it frees humans to focus on sophisticated threats that require intuition and creativity. Organizations transition from reactive panic to proactive confidence, knowing their digital perimeter autonomously adapts to evolving risks 24/7. In essence, FortiAnalyzer’s automation doesn’t replace people; it amplifies their impact, turning security from a cost center into a strategic enabler.
Conclusion
In today’s threat landscape, FortiAnalyzer delivers the absolute network visibility demanded by evolving infrastructures, transforming fragmented logs into a unified security narrative. Its dual-mode architecture, whether centralized Analyzer or distributed Collector, ensures scalable, bandwidth-optimized telemetry aggregation across all environments. By correlating Security Fabric data with third-party sources, it exposes hidden attack chains no single device could detect. Real-time FortiView dashboards and AI-driven analysis turn raw data into actionable intelligence, accelerating threat hunting from hours to seconds. This foundational visibility isn’t just operational, it’s the bedrock of proactive cyber defense.
The Strategic Advantage
Beyond logging, FortiAnalyzer emerges as a force multiplier through ADOM segmentation for compliance, HA resilience for zero-downtime monitoring, and automation playbooks that execute surgical responses. Its SQL-powered forensics and FortiAI’s predictive analytics transform reactive SOC teams into strategic hunters, containing threats before escalation. The platform’s true genius lies in harmonizing enterprise-scale data control with autonomous threat remediation, turning administrative burden into competitive advantage. When every second of dwell time risks million-dollar breaches, this convergence of visibility, automation, and AI doesn’t just secure networks; it future-proofs organizations. In the arms race against cyber adversaries, FortiAnalyzer isn’t a tool, it’s your decisive edge.
For more information on Fortinet’s FortiAnalyzer, please visit the link below to Fortinet’s official documentation page that goes in great detail about everything that is FortiAnalyzer and other resources:
References
FortiAnalyzer Documentation Page: https://docs.fortinet.com/product/fortianalyzer/7.6
If the Primary Unit Fails: https://docs.fortinet.com/document/fortianalyzer/7.6.3/administration-guide/648336/if-the-primary-unit-fails
Using FortiAI: https://docs.fortinet.com/document/fortianalyzer/7.6.3/administration-guide/541468/using-fortiai
Administrative Domains (ADOMs): https://docs.fortinet.com/document/fortimanager/7.2.0/new-features/244000/one-fortianalyzer-can-be-shared-across-multiple-fortimanager-adoms
Security Fabric: https://docs.fortinet.com/document/fortianalyzer/7.6.3/administration-guide/798229/fortinet-security-fabric
Collector and Analyzers: https://docs.fortinet.com/document/fortianalyzer/7.6.3/administration-guide/129528/collectors-and-analyzers
Fortinet NSE Training Library: https://training.fortinet.com/local/staticpage/view.php?page=library_fortianalyzer-analyst
Analyzer and Collector Modes: https://docs.fortinet.com/document/fortianalyzer/7.6.3/administration-guide/15523/analyzer-mode
Cover Image: https://www.beyaz.net/en/products/fortinet