FortiAnalyzer Setup Guide (2026)

A step-by-step FortiAnalyzer setup guide covering initial setup, device authorization, ADOM design, log retention, and report templates.
Published: May 04, 2026
Updated: May 04, 2026
Reading time: 14 min read
Author: LeonX Expert Team

Setting up FortiAnalyzer is not just about powering on a virtual appliance and pointing a few log sources at it. A sustainable model secures management access, chooses the right operation mode, places devices into the right ADOM structure, plans log retention from the beginning, and treats reporting as part of the initial design. The short answer is this: FortiAnalyzer setup becomes maintainable when initial setup, device authorization, ADOM design, log retention strategy, and reporting flow are handled together.

This guide is especially useful for:

  • network teams managing FortiGate and Fortinet infrastructure
  • security teams building centralized logging and reporting
  • MSP or multi-tenant administrators designing ADOM structure
  • IT operations teams deploying FortiAnalyzer for the first time

Quick Summary

  • Fortinet’s Initial setup document lays out the activation flow as GUI connection, RAID, network settings, optional ADOMs, administrator accounts, device onboarding, and operation mode.
  • The Setting up FortiAnalyzer guide explicitly lists security considerations such as restricting GUI access by trusted host, UEFI secure boot, trusted platform module, and real-time file system integrity checking.
  • According to the FortiAnalyzer 7.6.6 documentation, Security Fabric authorization for onboarding a FortiGate requires both FortiAnalyzer and FortiGate to be on at least 7.0.1.
  • The Authorizing devices page shows that unauthorized devices are handled from Unauthorized Devices under the root ADOM and should be assigned to the correct ADOM when ADOMs are enabled.
  • Fortinet’s ADOM best-practice note says that separating high-volume devices from low-volume devices helps prevent quota enforcement from affecting low-volume devices unnecessarily.
  • The log-management best-practice guide recommends retaining logs long enough for business requirements and archiving older logs for better performance.

Image: Wikimedia Commons, SPNN file server rack.

What Does FortiAnalyzer Setup Actually Cover?

FortiAnalyzer setup is broader than the first login screen. Fortinet’s own documents make it clear that deployment includes networking, disk layout, administrator accounts, device onboarding, log structure, and reporting.

In practice, a sound setup model should answer:

  • who is allowed to reach the management interface
  • how devices will be authorized
  • how ADOM structure will be split by tenant or log volume
  • how long logs should be retained
  • whether reports will start from predefined templates or custom definitions

That is why FortiAnalyzer fits most naturally under Hardware & Software Services, while the visibility and correlation side maps directly to SIEM and Security Event Management Integration.

What Should the Initial Setup Order Be?

What is the base activation flow according to Fortinet?

Fortinet’s Initial setup guide lays out the activation flow as:

  • GUI access
  • RAID configuration if supported
  • network-interface configuration
  • optional ADOM configuration
  • administrator accounts
  • device onboarding
  • operation-mode configuration

The important detail is that once the administrator accounts are configured, the administrator should log in again with the new account before the operational configuration continues.

What should be secured first?

The Setting up FortiAnalyzer documentation lists several security considerations, especially:

  • restricting GUI access by trusted host
  • trusted platform module
  • self-encrypting drives
  • UEFI secure boot
  • real-time file system integrity checking

That makes security a day-one setup concern rather than an afterthought.

How Should Device Authorization and ADOM Design Work?

When should Security Fabric authorization be used?

Fortinet’s Adding a FortiGate using Security Fabric authorization document says the workflow is available when both FortiAnalyzer and FortiGate are running 7.0.1 or higher. The high-level flow is:

  • configure Fabric Authorization address and port on FortiAnalyzer
  • on the FortiGate, open Security Fabric > Fabric Connectors > Logging & Analytics
  • enter FortiAnalyzer details
  • the connection first appears as Unauthorized
  • start the Authorize action from the FortiGate side
  • log in with FortiAnalyzer administrator credentials and approve
  • confirm that the device appears under Device Manager on FortiAnalyzer

This is a practical way to speed up onboarding when many FortiGates are involved.

How are unauthorized devices approved?

According to Fortinet’s Authorizing devices page, unauthorized devices are handled under root ADOM > Device Manager > Unauthorized Devices. Important details include:

  • Display Hidden Devices can be enabled when needed
  • devices should be assigned to the correct ADOM during authorization
  • if the firmware version conflicts with the ADOM version, a Version Mismatch Warning can appear

Fortinet explicitly warns that if authorization continues despite the version mismatch, the selected ADOM may not fully support that device's configuration syntax.

How should ADOM structure be designed?

Fortinet’s ADOM Design best-practice guide recommends placing high-log-rate devices and low-log-rate devices into separate ADOMs. This helps keep quota enforcement from affecting lower-volume devices negatively.

The same document also warns that:

  • too many ADOMs significantly increase configuration-file size
  • that in turn increases backup and restore time

A healthier ADOM model therefore uses:

  • tenant separation where it is actually needed
  • log-volume separation where it creates value
  • operational ownership boundaries
  • only as many ADOMs as the business really needs
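To make the quota argument above concrete, here is an added example (written for this article, not Fortinet code) that replays 30 days of constructed log volumes into one shared ADOM and then into two separate ADOMs carved from the same disk. The quota sizes, the burst on days 20-22 and the oldest-first eviction rule are assumptions for illustration.

```python
from collections import deque


def simulate_adom(volumes, quota_gb):
    """Run one ADOM day by day.

    volumes: {device_name: [gb_on_day0, gb_on_day1, ...]} (all same length)
    Returns {device_name: number of that device's log days still on disk}.
    Assumed enforcement rule: once the ADOM exceeds its quota, the oldest
    entries are evicted first, whichever device produced them.
    """
    names = list(volumes)
    ndays = len(next(iter(volumes.values())))
    store = deque()            # (day, device, gb), oldest at the left
    used = 0.0
    for day in range(ndays):
        for name in names:
            gb = volumes[name][day]
            store.append((day, name, gb))
            used += gb
        while used > quota_gb and store:
            _, _, gb = store.popleft()
            used -= gb
    kept = {name: 0 for name in names}
    for _, name, _ in store:
        kept[name] += 1
    return kept


def compare_layouts(high, low, total_quota_gb, low_quota_gb):
    """One shared ADOM versus two ADOMs carved from the same total disk."""
    shared = simulate_adom({"high": high, "low": low}, total_quota_gb)
    split_high = simulate_adom({"high": high}, total_quota_gb - low_quota_gb)
    split_low = simulate_adom({"low": low}, low_quota_gb)
    return {"shared": shared, "split": {**split_high, **split_low}}


# Constructed sample, 30 days: a branch FortiGate at 0.5 GB/day and a
# data-centre FortiGate at 5 GB/day that bursts to 40 GB/day on days 20-22
HIGH = [5.0] * 30
for burst_day in range(20, 23):
    HIGH[burst_day] = 40.0
LOW = [0.5] * 30

if __name__ == "__main__":
    # shared: the low-volume device keeps only 10 of 30 days; split: all 30
    print(compare_layouts(HIGH, LOW, total_quota_gb=120.0, low_quota_gb=15.0))
```

In the shared layout the branch device loses twenty days of logs to a burst it did not produce, which is exactly the effect the separation advice is meant to avoid.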

How Should Log Retention and Reporting Be Designed?

Why should retention be planned early?

Fortinet’s Log Management best-practice guide recommends retaining logs long enough for business requirements while archiving older logs for better performance. That leads to two practical conclusions:

  • retention should not be left to default habit
  • long-term archive and active analysis should not be treated as the same layer

When central correlation is also required, this should be tied to SIEM and Security Event Management Integration.

How can reporting be started quickly?

Fortinet’s List of report templates and Creating reports from report templates documents show that FortiAnalyzer includes ready-made report templates and that a report can be created from Reports > Report Definitions > All Reports using Create New and then From Template.

This gives two practical advantages:

  • fast startup without building every layout from scratch
  • the option to customize a standard template to fit the organization

Fortinet also states that report templates do not contain data by themselves and that data is added when the report is generated. That means:

  • template design is one layer
  • correct data ingestion and retention are another

What Are the Most Common Mistakes?

Creating too many ADOMs

Unnecessary ADOM growth makes configuration, backup, and restore operations heavier than they need to be.

Ignoring version mismatch warnings

Authorizing devices into an incompatible ADOM can lead to incomplete syntax support.

Skipping trusted-host restrictions

If management access is not narrowed, FortiAnalyzer exposes a wider attack surface than necessary.

Treating retention and archive as the same thing

Active analytics retention and long-term archive serve different purposes and should be planned separately.

Ignoring built-in report templates

FortiAnalyzer already includes usable report templates, so starting every reporting task from a blank page wastes time.

Checklist

  • trusted host and core management-security settings were defined
  • network, administrator-account, and operation-mode steps were completed in the right order
  • the onboarding method (Fabric authorization or manual authorization) was chosen
  • unauthorized devices were assigned to the correct ADOM
  • high-volume and low-volume log sources were evaluated for ADOM separation
  • retention and archive periods were documented against business needs
  • predefined templates or a custom reporting approach were selected
  • central correlation and proposal flow were clarified

Next Step with LeonX

Setting up FortiAnalyzer is more than adding devices and receiving logs. It requires the right ADOM strategy, the right authorization workflow, the right retention model, and the right reporting structure. LeonX supports this through Hardware & Software Services, especially SIEM and Security Event Management Integration, together with Fortinet-oriented network and logging design. To define the rollout plan or request a proposal, continue through the Contact page.

Frequently Asked Questions

What is the first step in FortiAnalyzer setup?

According to Fortinet, the flow starts with GUI access, network settings, administrator accounts, and then device onboarding.

Why is ADOM design so important?

Because log volume, tenant separation, and quota-enforcement behavior are all strongly affected by the ADOM structure.

What does Fabric authorization do?

It provides a faster, more controlled way to authorize FortiGate devices to FortiAnalyzer.

Are built-in report templates sufficient?

For many starting scenarios, yes. They can later be customized when needed.
