Which statement is true when you are upgrading the firmware on an HA cluster made up of three FortiAnalyzer devices?
Correct Answer: D
In an HA cluster, the firmware upgrade process involves upgrading the secondary devices first. This approach ensures that the primary device can continue to handle traffic and maintain the operational stability of the network while the secondary devices are being upgraded. Once the secondary devices have successfully upgraded their firmware and are operational, the primary device can then be upgraded. This method minimizes downtime and maintains network integrity during the upgrade process.
When upgrading firmware in a High Availability (HA) cluster of FortiAnalyzer units, the recommended practice is to first upgrade the secondary devices before upgrading the primary device. This approach ensures that the primary device, which coordinates the cluster's operations, remains functional for as long as possible, minimizing the impact on log collection and analysis. Once the secondary devices are successfully upgraded and operational, the primary device can be upgraded, ensuring a smooth transition and maintaining continuous operation of the cluster.
Reference: FortiAnalyzer 7.2 Administrator Guide - "System Administration" and "High Availability" sections.
Question 7
Which two statements are true regarding fabric connectors? (Choose two.)
Correct Answer: A,C
Using fabric connectors is more efficient than third-party polling information from the FortiAnalyzer API - Fabric connectors are designed to integrate directly with the security fabric components and other services, which allows them to operate more efficiently compared to using third-party applications to poll information via APIs. APIs often involve more overhead due to the need for frequent polling and data retrieval operations, which can be resource-intensive.
Cloud-out connectors allow you to send real-time logs to public cloud accounts like Amazon S3. - Cloud-out connectors are specifically designed to facilitate the direct and real-time transfer of logs and other data to cloud services like Amazon S3. These connectors streamline the process by providing a built-in mechanism that bypasses the need for additional scripting or manual configuration.
Question 8
After you have moved a registered logging device out of one ADOM and into a new ADOM, you run the following command:
execute sql-local rebuild-adom <new-ADOM-name>
What is the purpose of running this CLI command?
Correct Answer: C
When you move a registered logging device from one ADOM (Administrative Domain) to another in FortiAnalyzer, it's essential to ensure that the analytical logs for the moved device are available in the new ADOM to maintain continuity in reporting and log analysis. The command execute sql-local rebuild-adom <new-ADOM-name> is used specifically for this purpose. Running this command populates the new ADOM with the analytical logs of the moved device, enabling you to generate accurate and comprehensive reports based on the historical data of the device in its new ADOM context. This process ensures that the transition of devices between ADOMs does not lead to a loss of analytical insight or reporting capabilities for the device's traffic and events.
Question 9
Which feature can you configure to add redundancy to FortiAnalyzer?
Correct Answer: D
Link aggregation is a method used to combine multiple network connections in parallel to increase throughput and provide redundancy in case one of the links fails. This feature is used in network appliances, including FortiAnalyzer, to add redundancy to the network connections, ensuring that there is a backup path for traffic if the primary path becomes unavailable. Reference: The FortiAnalyzer 7.4.1 Administration Guide explains the concept of link aggregation and its relevance to
Question 10
Which FortiAnalyzer command erases all device settings, images, databases, and logs on disk, but preserves the network configuration?
Correct Answer: D
On FortiAnalyzer, the command to wipe all device settings, images, databases, and logs on disk, but preserve the network configuration, is:
execute reset all-except-ip
This command resets the FortiAnalyzer device to factory settings, but preserves network configurations such as IP addresses, gateways, and other network interface settings. This allows the device to remain accessible and be reconfigured over the network after a reset.