0% found this document useful (0 votes)
96 views64 pages

FortiAnalyzer 7.2.0 Examples

Uploaded by

prmeamzn
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
96 views64 pages

FortiAnalyzer 7.2.0 Examples

Uploaded by

prmeamzn
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 64

Examples

FortiAnalyzer 7.2.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE


https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT


https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM


https://www.fortinet.com/training-certification

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT


https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

April 11, 2022


FortiAnalyzer 7.2.0 Examples
05-720-0794571-20220411
TABLE OF CONTENTS

Change log 5
Introduction 6
System settings 7
Setting up a FortiAnalyzer HA cluster 7
Reports 9
Configuring a report with an LDAP server 9
Real-time dashboards 11
Configuring FortiAnalyzer to detect FortiSandbox devices 11
Creating a firewall policy on FortiSandbox 11
Creating a log server for FortiAnalyzer 12
Adding FortiSandbox to FortiAnalyzer 13
Fabric connectors 15
Configuring a ServiceNow connector 15
Locating your ServiceNow API URL 15
Creating a fabric connector for ServiceNow 16
Sending notifications to ServiceNow 17
Creating a Google Cloud connector 18
Configuring a Google Cloud storage bucket 18
Locating your Google Cloud information 20
Importing the CA certificate 23
Creating the cloud connector 24
Testing the Google Cloud connector 26
SOAR and SIEM 28
Event handler example scenarios 28
Custom event handler example 28
Predefined event handler example 29
Configuring an EMS connector for use in FortiSoC playbooks 31
Configure the EMS connector 32
Create a playbook using the EMS connector 35
Configuring an event handler to filter IPS attack direction 37
Event handler setup based on user network subnet 37
Event handler setup based on interface role 42
Logging 47
FortiAI logging on FortiAnalyzer 47
Troubleshooting 51
Troubleshooting report performance issues 51
Check the report diagnostic log 51
Check hardware and software status 54
Check data policy and log storage policy 55
Check report and chart settings 55
Check and adjust report auto-cache daemon 56
Check and adjust report hcache 57
Report performance troubleshooting commands 58

FortiAnalyzer 7.2.0 Examples 3


Fortinet Inc.
Troubleshooting a dataset query 59
Troubleshooting a custom dataset 60
SQL functions for formatting and converting data types 60
Macros for formatting date and time in a dataset 61
Troubleshooting an empty chart 61
CLI commands for troubleshooting 62
Common issues 63

FortiAnalyzer 7.2.0 Examples 4


Fortinet Inc.
Change log

Date Change Description

2022-04-11 Initial release.

FortiAnalyzer 7.2.0 Examples 5


Fortinet Inc.
Introduction

Introduction

This document serves as a reference guide to common FortiAnalyzer 7.2 configuration and deployment scenarios. The
scope of this document is to explain specific examples and include information required for those examples to work. The
examples rely on the other documents to provide full product information.

For further FortiAnalyzer information, refer to the FortiAnalyzer Administration Guide available
on the Fortinet Docs Library.

This section includes configuration examples for FortiAnalyzer 7.2:


l System settings on page 7
l Reports on page 9
l Real-time dashboards on page 11
l Fabric connectors on page 15
l SOAR and SIEM on page 28
l Logging on page 47
l Troubleshooting on page 51

FortiAnalyzer 7.2.0 Examples 6


Fortinet Inc.
System settings

System settings

This section contains the following topics:


l Setting up a FortiAnalyzer HA cluster on page 7

Setting up a FortiAnalyzer HA cluster

You can configure two or more FortiAnalyzer units in a High Availability (HA) cluster to provide real-time redundancy in
case a primary unit fails. High Availability clusters also alleviate the load on the primary unit by using secondary units for
processes such as running reports.
The following is an overview of how to configure FortiAnalyzer units in an HA cluster:
1. Go to System Settings > HA.
2. Set the Operation Mode of the primary unit to High Availability.
3. Configure the settings for the primary unit.
4. Configure the settings for the secondary units.

All the units must:


l Be of the same FortiAnalyzer series

l Be visible on the network

l Run in the same operation mode: Analyzer or Collector

To configure the primary unit in an HA cluster:

1. Go to System Settings > HA.


2. Set the Operation Mode to High Availability.
3. Set the Preferred Role to Primary.
4. Configure the Cluster Virtual IP settings:

Interface Select the interface to be used as the clustered Virtual IP.

IP Address Type the IP address to be used by the HA cluster to provide redundancy.

5. In the Peer IP and Peer SN box, type the Peer IP and Peer SN for each secondary unit. The maximum is three units.

6. Type the Group Name, Group ID, and Password. These settings must be the same for all the units in the cluster.
7. Click Apply.

FortiAnalyzer 7.2.0 Examples 7


Fortinet Inc.
System settings

To configure secondary units in an HA cluster:

1. Set the Preferred Role to Secondary.


2. Configure the Cluster Virtual IP settings with the HA cluster's Interface and IP Address.

Interface Select the interface being used by the cluster as the Virtual IP.

IP Address Type the IP address being used by the cluster to provide redundancy.

3. In the Peer IP and Peer SN box, type the Peer IP and Peer SN for the primary unit and each secondary unit.
4. Type the Group Name, Group ID, and Password. These settings must be the same for all the units in the cluster.
5. Click Apply.

FortiAnalyzer 7.2.0 Examples 8


Fortinet Inc.
Reports

Reports

This section contains the following topics:


l Configuring a report with an LDAP server on page 9

Configuring a report with an LDAP server

You can use report filters to only the show members of a group in an LDAP server.
This example demonstrates how to filter the Admin and System Events Report to show data for the group members in
Distinguished Name: cn=group1,ou=groups,dc=fortinet,dc=com in the report output.
Requirements:
l The LDAP server is ready and accessible.
l Group members are configured.

To configure the report:

1. Add the LDAP server to FortiAnalyzer.


a. Go to System Settings > Admin > Remote Authentication Server, and click Create New > LDAP Server.
b. Configure the LDAP server settings, then click OK.

2. Apply the LDAP server to the report filter.


a. Go to Reports and select the Admin and System Events Report.
b. Click the Settings tab, then expand the Filters section.

FortiAnalyzer 7.2.0 Examples 9


Fortinet Inc.
Reports

c. Use the following settings to configure the filter:

Log Field Select Group (group).

Match Criteria Select Equal to.

Value Enter group1.

d. Click LDAP Query and set LDAP Server to the LDAP server you created, then click Apply.

3. Select the View Report tab and click Run Report to run the report and verify the output.
The report displays the users in the group: cn=group1,ou=groups,dc=fortinet,dc=com in the Login
Summary chart and the group name in the Report Filters.

FortiAnalyzer 7.2.0 Examples 10


Fortinet Inc.
Real-time dashboards

Real-time dashboards

This section contains the following topics:


l Configuring FortiAnalyzer to detect FortiSandbox devices on page 11

Configuring FortiAnalyzer to detect FortiSandbox devices

You can use FortiAnalyzer to monitor FortiSandbox devices. Some configurations are required on FortiSandbox to add
the device to FortiAnalyzer. After you add the device, go to FortiView > Threats > FortiSandbox Detection to view the
scanned files.

To detect FortiSandbox on FortiAnalyzer:

1. Create a firewall policy on FortiSandbox.


2. Create a log server on FortiSandbox.
3. Add FortiSandbox to FortiAnalyzer.

Creating a firewall policy on FortiSandbox

You can use the CLI console in FortiSandbox to configure a firewall policy, then specify the IP address of the
FortiAnalyzer you want to monitor the FortiSandbox.

To create a firewall policy on FortiSandbox:

1. In the FortiGate device, click the CLI Console icon on the right-side of the banner on any page.
2. Specify the FortiSandbox in the global configuration:
config antivirus profile
edit "test"
set ftgd-analytics everything config http
set options scan avmonitor
end config ftp
set options scan avmonitor
end config imap
set options scan
end config pop3
set options scan
end config smtp
set options scan
end config nntp
set options scan
end
next
end
3. Create an antivirus profile to allow FortiGate to submit all files scanned by AntiVirus to FortiSandbox. The following
is a sample AntiVirus profile:

FortiAnalyzer 7.2.0 Examples 11


Fortinet Inc.
Real-time dashboards

config firewall policy


edit 13
set name "to-server1"
set uuid 5107b480-3d19-51e8-f1c1-571602a6375b
set srcintf "lan"
set dstintf "wan1"
set srcaddr "net-local"
set dstaddr "server1"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set fsso disable
set av-profile "test"
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
end
4. Use the antivirus profile in the firewall policy. The following is a sample firewall policy:
config firewall policy
edit 13
set name "to-server1"
set uuid 5107b480-3d19-51e8-f1c1-571602a6375b
set srcintf "lan"
set dstintf "wan1"
set srcaddr "net-local"
set dstaddr "server1"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set fsso disable
set av-profile "test"
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
end
5. Specify the IP address of the FortiAnalyzer unit for FortiGate to send logs.
configure log fortianalyzer setting
set status enable
set server <ip address of FortiAnalyzer> set upload-option realtime
end

Creating a log server for FortiAnalyzer

Use FortiSandbox to create a log server to specify the FortiAnalyzer that will monitor the scanned files.

FortiAnalyzer 7.2.0 Examples 12


Fortinet Inc.
Real-time dashboards

To create a log server on FortiSandbox:

1. On FortiSandbox, go to Log & Report > Log Servers.


2. Click Create New in the toolbar and configure the following settings:

Name Enter a name for the new server entry.

Type Select FortiAnalyzer from the dropdown list.

Log Server Address Enter the log server IP address for the FortiAnalyzer device.

Port Enter the port number. The default port is 514.

Status Select Enable to send logs to the server.

Log Level l Set the logging levels to be forwarded to the log server. The following
options are available:
Enable Alert Logs. By default, only logs of non-Clean rated jobs are sent.
Users can choose to send Clean Job Alert Logs by selecting Include job
with Clean Rating.
l Enable Critical Logs
l Enable Error Logs
l Enable Warning Logs
l Enable Information Logs
l Enable Debug Logs

Adding FortiSandbox to FortiAnalyzer

You can use the IP address of the configured FortiSandbox to add it to FortiAnalyzer with Device Manager.

To add the FortiSandbox:

1. In FortiAnalyzer, go to Device Manager.


2. Click Add Device, and enter the FortiSandbox information into the dialog box.

Device Name Type a name for the FortiSandbox device.

Link Device By Serial Number.

Serial Number Type the serial number for the FortiSandbox device.

Device Model Select the model of the FortiSandbox device.

Description Type a description of the FortiSandbox device (optional).

3. Click Next.
The device is added to the ADOM and, if successful, is ready to begin sending logs to the FortiAnalyzer unit.
4. Click Finish.
5. In Device Manager, select the FortiSandbox you added, and click Edit in the toolbar.
6. Enter the Admin User and Password to allow FortiAnalyzer to access the FortiSandbox, then click OK.

FortiAnalyzer 7.2.0 Examples 13


Fortinet Inc.
Real-time dashboards

To view FortiSandbox scanned files:

1. Go to FortiView > FortiView > Threats > FortiSandbox Detection to view the files scanned by FortiSandbox.
2. Click a file to view the Drilldown Panel.

3. Click the FortiSandbox Scan link to view the Sandbox Execution Details panel.

FortiAnalyzer 7.2.0 Examples 14


Fortinet Inc.
Fabric connectors

Fabric connectors

This section contains the following topics:


l Configuring a ServiceNow connector on page 15
l Creating a Google Cloud connector on page 18

Configuring a ServiceNow connector

Admins can use ServiceNow to manage incidents and events with the FortiAnalyzer App. To notify ServiceNow when an
incident is raised in FortiAnalyzer, create a fabric connector, then enable notifications for the fabric connector you
created.
Before you begin, ensure you have completed the following tasks in ServiceNow:
l Install the ServiceNow FortiAnalyzer App.
l Go to FortiAnalyzer App > FortiAnalyzer System Properties, and create a connection for the ServiceNow API.
To integrate FortiAnalyzer with ServiceNow:
1. Record the ServiceNow API URL.
2. Create a fabric connector for ServiceNow.
3. Enable notifications to notify ServiceNow when an incident is raised.

Locating your ServiceNow API URL

You will need to know the ServiceNow API URL and login credentials to create a fabric connector in FortiAnalyzer.

To locate your ServiceNow API URL:

1. Open ServiceNow and go to FortiAnalyzer App > FortiAnalyzer System Properties.

FortiAnalyzer 7.2.0 Examples 15


Fortinet Inc.
Fabric connectors

2. In the Connection to ServiceNow API section, copy the URL in the ServiceNow API URL field.

Creating a fabric connector for ServiceNow

You will need to create a fabric connector to notify ServiceNow when an incident is raised in FortiAnalyzer.

To create a fabric connector for ServiceNow:

1. Open FortiAnalyzer and go to Fabric View > Fabric > Connectors.


2. Click Create New.
The Create New Fabric Connector dialog opens.
3. Select the ServiceNow connector type.
4. Configure the fabric connector:

FortiAnalyzer 7.2.0 Examples 16


Fortinet Inc.
Fabric connectors

Name Type a name for the fabric connector. The name cannot be changed once the
fabric connector is created.

Description (Optional) Type a description for the fabric connector. You can change the
description after the fabric connector is created.

Protocol Select HTTPS.

Method Select POST.

Title Type a title for the fabric connector. You can change the title after the fabric
connector is created.

URL Type the ServiceNow API URL located in FortiAnalyzer App > FortiAnalyzer
System Properties.

User Name Type the Username located in FortiAnalyzer App > FortiAnalyzer System
Properties.

Password Type the Password located in FortiAnalyzer App > FortiAnalyzer System
Properties.

Status Toggle ON to enable the fabric connector.

5. Click OK.

Sending notifications to ServiceNow

You will need to enable notifications in FortiAnalyzer to trigger an incident in ServiceNow:

To enable notifications in FortiAnalyzer:

1. Go to FortiSoC > Incidents.


2. Click Settings in the toolbar.
3. From the Fabric Connector 1 dropdown, select the fabric connector you created for ServiceNow.
4. Select the notification icon settings, and click OK.

FortiAnalyzer 7.2.0 Examples 17


Fortinet Inc.
Fabric connectors

Creating a Google Cloud connector

When logs hit a certain size, they rollover and begin deleting the earliest entries to make room for additional logs. To
prevent losing any log entries, FortiAnalyzer can periodically back up older logs to an external object storage location in
Google Cloud. This off-site log archive will help ensure compliance and data redundancy in case there is a local storage
or outage in FortiAnalyzer.

To create a Google Cloud connector:

1. Create a storage bucket on Google Cloud. See Configuring a Google Cloud storage bucket on page 18
2. Locate your Google Cloud Platform information. See Locating your Google Cloud information on page 20
3. Import the required CA certificates on FortiAnalyzer. See Importing the CA certificate on page 23
4. Create a cloud connector on FortiAnalyzer. See Creating the cloud connector on page 24
5. Test the connector. See Testing the Google Cloud connector on page 26.

Configuring a Google Cloud storage bucket

Google storage buckets must be globally unique. For simplicity, this example uses the project name. However, you can
use any name you like.
For more information about creating Google storage buckets, see the product help.

To create a Google storage bucket:

1. Open the Cloud Storage browser in the Google Cloud Console and click Create Bucket.
2. Enter a name for the bucket.

FortiAnalyzer 7.2.0 Examples 18


Fortinet Inc.
Fabric connectors

3. Select a region for the bucket. You will need this location when you create a cloud connector in FortiAnalyzer.

4. Set the object storage type to standard.

5. Set the access control to Fine grained.

FortiAnalyzer 7.2.0 Examples 19


Fortinet Inc.
Fabric connectors

6. Set the encryption to Google-managed key.

7. Click Create.

To view the bucket details:

Go to Storage > Browser.


l Use the Objects tab to test the cloud connector. See Testing the Google Cloud connector on page 26.
l Use the Permissions tab to see who can access this bucket. The Google account JSON key will be tied to these
permissions. See Locating your Google Cloud information on page 20.

Locating your Google Cloud information

Some information is required from Google Cloud in order to create a storage connector on FortiAnalyzer.

To locate a Google project number:

1. Open the project in Google Cloud Platform.


2. Open the Home page.

FortiAnalyzer 7.2.0 Examples 20


Fortinet Inc.
Fabric connectors

3. Locate the Project Info widget and copy the Project Number.

To create a Google service account key:

A private key is required to create a fabric connector for Google Cloud. After you create the key, save it to your computer
and paste the entire contents of the JSON file in the Service Account Credentials field when you create the cloud
connector. You can download an existing service account key from the bucket details page.
1. Open your project in Google Cloud Platform.
2. In the Navigation pane, go to IAM & admin > Service Accounts. The Service accounts page opens.

3. Click Create Service Account. The Create service account page opens.

4. Type the Service account name, Service account ID, and Service account description, then click Create.
5. Select the account permissions from the Role dropdown, then click Continue.

FortiAnalyzer 7.2.0 Examples 21


Fortinet Inc.
Fabric connectors

6. In the Grant users access to this service account section, click Create Key.

7. Click Create and save your key to your computer.

8. Paste the entire contents of the JSON file in the Service Account Credentials field when you create the cloud
connector.

To locate the remote path in Google Cloud:

Use the Google bucket name for the Remote Path in the Device Logs Settings. The bucket name is also the name of the
fabric connector.
1. In the navigation pane, go to Storage > Browser.

FortiAnalyzer 7.2.0 Examples 22


Fortinet Inc.
Fabric connectors

2. Copy the name of the bucket as it appears in the Name column and paste it into the Remote Path field when you
create the cloud connector.

Importing the CA certificate

Google requires you provide CyberTrust and GlobalSign certificates when creating a cloud object.

To import a CA certificate:

1. Go to System Settings > Certificates > CA Certificates.


2. Click Import in the toolbar, or right-click and select Import. The Import dialog box opens.
3. Click Browse... and locate the certificate file on the management computer, or drag and drop the file onto the dialog
box.
4. Click OK to import the certificate.

To view a CA certificate's details:

1. Go to System Settings > Certificates > CA Certificates.


2. Select the certificates you need to see details about.
3. Click View Certificate Detail in the toolbar, or right-click and select View Certificate Detail. The View CA Certificate
page opens.

FortiAnalyzer 7.2.0 Examples 23


Fortinet Inc.
Fabric connectors

4. Click OK to return to the CA certificates list.

Creating the cloud connector

Before you begin creating a Google Cloud connector, ensure you have:
l Imported the required CA certificates.
l Downloaded the private key from Google Cloud.

To create a Google Cloud connector:

1. Go to Fabric View > Fabric > Connectors, and click Create New in the toolbar. The Create New Fabric Connector
dialog opens.
2. In the Storage section, click Google Cloud Storage Connector.
3. Configure the fabric connector settings, then click OK.

FortiAnalyzer 7.2.0 Examples 24


Fortinet Inc.
Fabric connectors

Property Description

Name Type a name for the fabric connector.

Comments (Optional) Add comments about the connector.

Title Type a title for the fabric connector.

Cloud Project Number Type the project number from the Google Cloud Platform dashboard.
See Locating your Google Cloud information on page 20.

Service Account Credentials Paste the entire Google account JSON key into the field. Click the eye icon to
Show or Hide the key.
See Locating your Google Cloud information on page 20.

Cloud Location Type the bucket region. See Creating a Google storage bucket
See Locating your Google Cloud information on page 20.

The fabric connector appears in the Fabric Connectors pane.

To roll the logs to Google Cloud:

1. Go to System Settings > Advanced > Device Log Settings.


2. In the Registered Device Logs section, click Upload logs to cloud storage > Create New.

FortiAnalyzer 7.2.0 Examples 25


Fortinet Inc.
Fabric connectors

3. Configure the following cloud storage settings and click OK.

Property Description

Cloud Storage Connector Type the name you gave to the fabric connector.

Remote Path Type the globally unique name you gave to your bucket. For simplicity use the
project name.
See Locating your Google Cloud information on page 20.

Upload option Choose between Rolling or Schedule.

Testing the Google Cloud connector

You can use the CLI console to test the cloud connector before the logs have rolled over or a scheduled backup is
performed.

To test a cloud connector:

1. Open the CLI console and type: diag test application uploadd 62 <connector name> <bucket
name>.
If the connector is working, the output will show success.

2. Go to the storage bucket on Google Cloud and look for the test files you uploaded.

FortiAnalyzer 7.2.0 Examples 26


Fortinet Inc.
Fabric connectors

To test a cloud connector with a shell prompt:

1. With the default settings, access to shell will give the following message:
FAZ1000D # execute shell
Shell disabled.
2. Use the following commands to enable shell on the FortiAnalyzer:
FAZ1000D # config system admin setting
(setting)# set shell-access enable
Enter new password: *****
Confirm new password: *****
FAZ1000D # end
3. The shell is now enabled.
FAZ1000D # execute shell
Enter password:
sh-4.3#
sh-4.3#
Open the CLI console on any page and type: rclone --config=/drive0/private/rclone.cfg ls
<connector-name>:<bucketname>

If the connector is working, you will not see any errors.

FortiAnalyzer 7.2.0 Examples 27


Fortinet Inc.
SOAR and SIEM

SOAR and SIEM

This section contains the following topics:


l Event handler example scenarios on page 28
l Configuring an EMS connector for use in FortiSoC playbooks on page 31
l Configuring an event handler to filter IPS attack direction on page 37

Event handler example scenarios

Custom event handler example

Event handlers can be created to trigger events based on a variety of conditions. By viewing logs in a raw format, you
can identify notable log fields and apply corresponding filters in event handlers so that similar logs will trigger an event.
For more information on viewing raw logs in FortiAnalyzer, see the FortiAnalyzer Administration Guide.
In this scenario, information from the following raw log is used to create a custom event handler.
date="2020-08-02" time="09:49:57" id=6856321710715568162 bid=8050516 dvid=1039
itime=1596361797 euid=1 epid=1 dsteuid=1 dstepid=1 log_id="0100026477" type="virus"
subtype="infected" pri="information" from="[email protected]" to="[email protected]"
src="172.20.140.108" session_id="s7Q4T9no026475-s7Q4T9pw026475" msg="The file virus_
samples/sandbox/1385973112552098.172.16.92.92.3 is infected with W32/DomaIQ.AN!tr."
device_id="FE-2KB3R09690010" vd="root" devname="FE-2KB3R09690010"

This log contains information about malware detected by FortiMail. Two notable fields are the log type, type=virus,
and the subtype, subtype=infected.
Using this information, you can create an event handler which identifies these fields and generates an alert whenever
FortiMail logs include these definitions, indicating the presence of an infection.

To create the custom event handler:

1. Go to FortiSoC > Handlers > Event Handler List, and click Create New.
2. Enter a name and description (optional) for the event handler.
3. For Devices, select your FortiMail device, and for Subnets select All Subnets.
4. Configure a filter with the following information:
a. Log Device Type: FortiMail
b. Log Type: Antivirus Log (virus)
c. Group By: Device ID
d. Logs match: All
e. Log Field: Subtype (subtype) Equal To Infected.
The remaining settings can be left in their default state. Click OK to save the event handler.

FortiAnalyzer 7.2.0 Examples 28


Fortinet Inc.
SOAR and SIEM

When enabled, logs from the selected FortiMail device which include the Log Type: virus and Sub Type: Infected will
generate an event.

Predefined event handler example

In addition to custom event handlers, FortiAnalyzer includes predefined event handlers. Below are example logs that will
trigger predefined event handlers when enabled.
These examples use the Generic Text filter field to include specific log information, such as logid="0422016400, in the
event handler filters.

Default-Compromised Host-Detection-by IOC-By-Threat:

Example log:

FortiAnalyzer 7.2.0 Examples 29


Fortinet Inc.
SOAR and SIEM

date="2020-10-02" time="12:54:41" id=6879113766412222465 bid=152167 dvid=1046


itime=1601668486 euid=3 epid=1072 dsteuid=3 dstepid=101 logflag=1 logver=604021723
type="traffic" subtype="forward" level="notice" action="close" policyid=5
sessionid=2126025 srcip="10.200.1.8" dstip="148.81.111.122" srcport=34094 dstport=80
trandisp="noop" duration=1 proto=6 sentbyte=346 rcvdbyte=397 sentpkt=5 rcvdpkt=5
logid="0000000013" srcname="LAN-FSW-GUEST" service="HTTP" app="HTTP" appcat="unscanned"
srcintfrole="lan" dstintfrole="wan" srcserver=0 policytype="policy"
eventtime=1601668481582497121 srcuuid="2de7756a-0343-51eb-c0b5-0d5602c3ecc6"
dstuuid="2de7756a-0343-51eb-c0b5-0d5602c3ecc6" poluuid="528f5f54-0343-51eb-bae9-
3c63f22ce0df" srcmac="00:03:93:6d:8f:fd" mastersrcmac="00:03:93:6d:8f:fd"
srchwvendor="Apple" osname="Linux" srccountry="Reserved" dstcountry="Poland"
srcintf="vsw.port5" dstintf="port1" tdinfoid=7317936224723035242 tdtype="infected-ip"
tdscantime=1601668440 tdthreattype=0 tdthreatname=2 tdwfcate=0 tz="-0700"
devid="FGVM02TM20001234" vd="root" devname="Enterprise_Second_Floor"

The above example log triggers Filter 1 in the Default-Compromised Host-Detection-by IOC-By-Threat event handler:

Default-Botnet-Communication-Detection-By-Threat:

Example log:
date="2020-10-02" time="12:44:16" id=6879111064877793339 bid=151784 dvid=1043
itime=1601667857 euid=3 epid=1083 dsteuid=3 dstepid=101 logflag=16 logver=604021723
type="utm" subtype="ips" level="warning" action="dropped" sessionid=4398915
srcip="10.100.91.100" dstip="103.226.154.43" srcport=8725 dstport=80 attackid=7630075
severity="critical" proto=6 logid="0422016400" service="HTTP"
eventtime=1601667857379929845 policyid=13 crscore=50 craction=4 crlevel="critical"
srcintfrole="lan" dstintfrole="wan" direction="outgoing" profile="default"
srcintf="port3" dstintf="port1" ref="http://www.fortinet.com/be?bid=7630075"
attack="BlackMoon" eventtype="botnet" srccountry="Reserved" msg="Botnet C&C
Communication." tz="-0700" tdthreatname=20432 devid="FGVM02TM20001234" vd="root"
devname="Enterprise_Core"

FortiAnalyzer 7.2.0 Examples 30


Fortinet Inc.
SOAR and SIEM

The above example log triggers Filter 8 in the Default-Botnet-Communication-Detection-By-Threat event handler:

Configuring an EMS connector for use in FortiSoC playbooks

Configuring an EMS connector on FortiAnalyzer allows FortiSoC automation playbooks to reach out to endpoints and
collect information or take containment actions.

To use EMS connectors in FortiSoC Playbooks:

1. Configure the EMS connector on page 32


2. Create a playbook using the EMS connector on page 35

FortiAnalyzer 7.2.0 Examples 31


Fortinet Inc.
SOAR and SIEM

Configure the EMS connector

To configure an EMS connector for use in FortiSoC playbooks:

1. Configure a FortiClient EMS 6.4.0 server which supports the FortiAnalyzer EMS connector feature.

2. Register FortiClient to the EMS server.


In the example below, two FortiClients have been registered.

FortiAnalyzer 7.2.0 Examples 32


Fortinet Inc.
SOAR and SIEM

3. In FortiClient EMS System Settings, configure FortiClient EMS to send logs to FortiAnalyzer.

4. In FortiAnalyzer, register the EMS device to a Fabric ADOM.

5. In the Fabric ADOM, go to Fabric View > Fabric > Connectors. Click Create New, and select FortiClient EMS.

FortiAnalyzer 7.2.0 Examples 33


Fortinet Inc.
SOAR and SIEM

Configure the EMS connector, and click OK.

6. Go to FortiSoC > Automation > Connectors. Here you can view the actions FortiAnalyzer can take on endpoints
using the EMS connector.

FortiAnalyzer 7.2.0 Examples 34


Fortinet Inc.
SOAR and SIEM

Create a playbook using the EMS connector

Below are two examples of how FortiSoC playbooks can be configured to use the FortiClient EMS connector to enable
actions in FortiAnalyzer.

To create a playbook from a template:

1. Go to FortiSoC > Automation > Playbook, and click Create New.

2. From the list of templates, select Playbook EMS Run_Vulnerability_Scan.


This template will run a vulnerability scan on an endpoint. Save the playbook.

FortiAnalyzer 7.2.0 Examples 35


Fortinet Inc.
SOAR and SIEM

3. From the Playbook menu, run the playbook.

A prompt appears to select the endpoint on which to perform the vulnerability scan. Select the endpoint and enter
the ID of the incident that will be updated with information from the scan.
4. Go to FortiSoC > Automation > Playbook Monitor to view the running status of the playbook job and confirm it has
completed successfully.

To create a playbook from scratch

1. Go to FortiSoC > Automation > Playbook, and click Create New.


From the list of templates, select New Playbook created from scratch.

FortiAnalyzer 7.2.0 Examples 36


Fortinet Inc.
SOAR and SIEM

2. Configure the playbook:


a. Select a playbook trigger. For example, the On Demand trigger.
b. Add a task with the EMS connector Get Endpoints action.
c. Add a task with the Local connector Update Asset and Identity action.

3. Click Save Playbook.


4. Run the playbook, and go to Fabric View > Assets to view the collected endpoint information.

Configuring an event handler to filter IPS attack direction

The example below demonstrates how you can create a FortiAnalyzer event handler for filtering the IPS attack direction
based on the user's network environment.
You can configure this event handler based on network subnet information or interface roles:
l Event handler setup based on user network subnet on page 37
l Event handler setup based on interface role on page 42

Event handler setup based on user network subnet

In this example, the following IP range includes the internal IPs for users. IPs outside of this range are considered
external IPs.
l 192.168.0.0 - 192.168.255.255
The victim and attacker are identified as follows:
l The victim is identified by the IP of the traffic's origin (srcip) if the direction is incoming or the destination IP (dstip) if
the direction is outgoing.
l The attacker is identified by Attack Source and Attack Name.

FortiAnalyzer 7.2.0 Examples 37


Fortinet Inc.
SOAR and SIEM

To create an "IPS attack to internal network" event handler:

1. Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
2. Based on the previously described example IP range, create an event handler to filter the alert as an attack to the
internal network when the source IP is within the internal network and the direction is incoming.
In this example, the filter is configured as follows:

Log Device Type FortiGate

Log Type IPS (ips)

Group By Destination Endpoint (dstendpoint)


Attack Name (attack)

Generic Text Filter direction="incoming" and srcip ~ "^192\.168\."

Event Severity High

Tags ips, attack, internal

Additional Info Attack to Internal Network: ${direction} attack was


detected on ${devname} from ${dstip} to ${srcip} and
${msg}

FortiAnalyzer 7.2.0 Examples 38


Fortinet Inc.
SOAR and SIEM

3. Add an additional filter for when the destination IP is within the internal network and the direction is outgoing.
In this example, the filter is configured as follows:

Log Device Type FortiGate

Log Type IPS (ips)

Group By Source Endpoint (endpoint)


Attack Name (attack)

Generic Text Filter direction="outgoing" and dstip ~ "^192\.168\."

Event Severity High

Tags ips, attack, internal

Additional Info Attack to Internal Network: ${direction} attack was


detected on ${devname} from ${srcip} to ${dstip} and
${msg}

FortiAnalyzer 7.2.0 Examples 39


Fortinet Inc.
SOAR and SIEM

4. Click OK to save the event handler.


5. Triggered alerts for this event handler are grouped by the attack source and attack name. This example includes
additional custom information and tags to help recognize them.

To create an "IPS attack to external network" event handler:

1. Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
2. Based on the previously described example IP range, create an event handler to filter the alert as an attack to the
external network when the source IP is external and the direction is incoming.
In this example, the filter is configured as follows:

Log Device Type FortiGate

Log Type IPS (ips)

Group By Destination Endpoint (dstendpoint)


Attack Name (attack)

Generic Text Filter direction=="incoming" and srcip !~ "^192\.168\."

Event Severity High

FortiAnalyzer 7.2.0 Examples 40


Fortinet Inc.
SOAR and SIEM

Tags ips, attack, external

Additional Info Attack to External Network: ${direction} attack was


detected on ${devname} from ${dstip} to ${srcip} and
${msg}

3. Add an additional event handler filter for when the destination IP is external and the direction is outgoing.
In this example, the filter is configured as follows:

Log Device Type FortiGate

Log Type IPS (ips)

Group By Source Endpoint (endpoint)


Attack Name (attack)

Generic Text Filter direction=="outgoing" and dstip !~ "^192\.168\."

Event Severity High

Tags ips, attack, external

Additional Info Attack to External Network: ${direction} attack was


detected on ${devname} from ${srcip} to ${dstip} and
${msg}

FortiAnalyzer 7.2.0 Examples 41


Fortinet Inc.
SOAR and SIEM

4. Click OK to save the event handler.


5. Triggered alerts for this event handler are grouped by the attack source and attack name. This example includes
additional custom information and tags to help recognize them.

Event handler setup based on interface role

In this example, interface roles are set up in FortiGate, where the internal network is connected with the "lan" interface,
and the external network is connected with the "wan" interface.
Traffic follows the below situations between the internal and external networks.
l Traffic from internal to internal: srcintfrole="lan", dstintfrole="lan".
l Traffic from internal to external: srcintfrole="lan", dstintfrole="wan".
l Traffic from external to external: srcintfrole="wan", dstintfrole="wan".
l Traffic from external to internal: srcintfrole="wan", dstintfrole="lan".

FortiAnalyzer 7.2.0 Examples 42


Fortinet Inc.
SOAR and SIEM

To create an "IPS attack to internal interface" event handler:

1. Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
2. Based on the previously described interface roles, create an event handler to filter the alert as an attack to the
internal interface when the source interface role is "lan" and the direction is incoming.
In this example, the filter is configured as follows:

Log Device Type FortiGate

Log Type IPS (ips)

Group By Destination Endpoint (dstendpoint)


Attack Name (attack)

Generic Text Filter direction=="incoming" and srcintfrole=="lan"

Event Severity High

Tags ips, attack, internal

Additional Info Attack to Internal Network: ${direction} attack was


detected on: ${devname} from ${dstip} to ${srcip} and
${msg}

3. Add an additional filter for when the destination interface role is "lan" and the direction is outgoing.
In this example, the filter is configured as follows:

Log Device Type FortiGate

Log Type IPS (ips)

Group By Source Endpoint (endpoint)


Attack Name (attack)

FortiAnalyzer 7.2.0 Examples 43


Fortinet Inc.
SOAR and SIEM

Generic Text Filter direction=="outgoing" and dstintfrole=="lan"

Event Severity Medium

Tags ips, attack, internal

Additional Info Attack to Internal Network: ${direction} attack was


detected on: ${devname} from ${srcip} to ${dstip} and
${msg}

4. Click OK to save the event handler.


5. Triggered alerts for this event handler are grouped by the attack source and attack name. This example includes
additional custom information and tags to help recognize them.

To create an "IPS attack to external interface" event handler:

1. Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
2. Based on the previously described interface roles, create an event handler to filter the alert as an attack to the
external interface when the source interface role is "wan" and the direction is incoming. In this example, the filter is
configured as follows:

FortiAnalyzer 7.2.0 Examples 44


Fortinet Inc.
SOAR and SIEM

Log Device Type FortiGate

Log Type IPS (ips)

Group By Destination Endpoint (dstendpoint)


Attack Name (attack)

Generic Text Filter direction=="incoming" and srcintfrole=="wan"

Event Severity High

Tags ips, attack, external

Additional Info Attack to External Network: ${direction} attack was


detected on: ${devname} from ${dstip} to ${srcip} and
${msg}

3. Add an additional filter for when the destination interface role is "wan" and the direction is outgoing.
In this example, the filter is configured as follows:

Log Device Type FortiGate

Log Type IPS (ips)

Group By Source Endpoint (endpoint)


Attack Name (attack)

Generic Text Filter direction=="outgoing" and dstintfrole=="wan"

Event Severity High

Tags ips, attack, external

FortiAnalyzer 7.2.0 Examples 45


Fortinet Inc.
SOAR and SIEM

Additional Info Attack to External Network: ${direction} attack was


detected on: ${devname} from ${srcip} to ${dstip} and
${msg}

4. Click OK to save the event handler.


5. Triggered alerts for this event handler are grouped by the attack source and attack name. This example includes
additional custom information and tags to help recognize them.

FortiAnalyzer 7.2.0 Examples 46


Fortinet Inc.
Logging

Logging

This section contains the following topics:


l FortiAI logging on FortiAnalyzer on page 47

FortiAI logging on FortiAnalyzer

Starting in FortiAnalyzer 7.0.1, you can configure FortiAnalyzer to accept logs from a FortiAI device for use in the
following ways:
l FortiAnalyzer can recognize FortiAi devices.
l FortiAI logs can be stored in Fabric ADOM.
l FortiAI can be viewed in LogView.
l FortiAI Device Type and Log Types are available in event handlers and report data sets.

To add a FortiAI device to FortiAnalyzer:

1. On FortiAnalyzer, ensure you in are in the correct ADOM.


2. Go to Device Manager and add the FortiAI device.
Prior to FortiAnalyzer 7.0.1, FortiAnalyzer could not recognize FortiAI devices. In 7.0.1 and later, FortiAnalyzer is
able to recognize the FortiAI device and will display it in the Unauthorized Device list once added.

3. Select Unauthorized Devices and authorize the FortiAI device.


When the FortiAI device is authorized on FortiAnalyzer, it is listed in the FortiAnalyzer Device Manager with
information including its device name, IP, serial number, and logging status.

FortiAnalyzer 7.2.0 Examples 47


Fortinet Inc.
Logging

To view FortiAI logs in FortiAnalyzer:

1. On FortiAnalyzer, ensure you are in the correct ADOM.


2. Go to Log View > FortiAI.
There is a new FortiAI log type created for the FortiAI device. When FortiAI logs are received, they are displayed in
Log View.

3. Go to Log View > Fabric.


FortiAnalyzer adds a SIEM parser to FortiAI logs so that they can be viewed in the Fabric SIEM database correctly.

FortiAnalyzer 7.2.0 Examples 48


Fortinet Inc.
Logging

4. Go to Log View > Log Browse.


In Log Browse, you can see the FortiAI device logs listed. You can download or import FortiAI logs.

To create a custom event handler using FortiAI logs:

1. Go to FortiSoC > Handlers > Event Handler List, and create a new event handler.
2. Enter a name for the event handler, for example FortiAI-Event-Handler.
3. Enable a filter, and select FortiAI as the Log Device Type.
4. In Log type, select a FortiAI log type.
5. Configure the remaining settings as required, and click OK to save the event handler.

6. Events triggered by the event handler appear in FortiSoC > Event Monitor > All Events. The name of the event
handler is displayed in the table.

FortiAnalyzer 7.2.0 Examples 49


Fortinet Inc.
Logging

To create a custom report using FortiAI logs:

1. Go to Reports > Report Definitions > Datasets, and create or edit a dataset.
2. Select a FortiAI log type in the Log Type dropdown.
3. Configure the remaining settings as required, and click OK to save the dataset.
The dataset can now be used when configuring charts used in FortiAnalyzer reports.

FortiAnalyzer 7.2.0 Examples 50


Fortinet Inc.
Troubleshooting

Troubleshooting

This section contains the following topics:


l Troubleshooting report performance issues on page 51
l Troubleshooting a dataset query on page 59
l Troubleshooting an empty chart on page 61

Troubleshooting report performance issues

The following topics provide guidance when troubleshooting report performance issue:
l Check the report diagnostic log on page 51
l Check hardware and software status on page 54
l Check data policy and log storage policy on page 55
l Check report and chart settings on page 55
l Check and adjust report auto-cache daemon on page 56
l Check and adjust report hcache on page 57
l Report performance troubleshooting commands on page 58

Check the report diagnostic log

For reports that take a long time to run, check the report diagnostic log to troubleshoot performance issues.
To retrieve a report diagnostic log, go to Reports > Generated Report, right-click the report and select Retrieve
Diagnostic to download the log to your computer. Use a text editor to open the log and check the log for possible causes
of performance issues.
Following are parts of a sample report diagnostic log and what to look for when troubleshooting report performance.
NAME SCHEDULED AUTO-CACHE REPORT GROUP REPORT TITLE
==================================================================================
1 V V - Security Analysis

per-device option: disable


hostname-resolve: disable

Report Status
Max pending rpts: 100000
Current pendings: 0
Max running rpts: 10
Current runnings: 2

FortiAnalyzer 7.2.0 Examples 51


Fortinet Inc.
Troubleshooting

Section What to look for

NAME / SCHEDULED / Check the SCHEDULED, AUTO-CACHE, and REPORT GROUP columns.
AUTO-CACHE / REPORT l Schedule the reports that run regularly. To configure report schedules, see

GROUP / REPORT TITLE Scheduling reports in the FortiAnalyzer Administration Guide.


l Enable auto-cache for reports that run regularly, especially schedule reports. See

How auto-cache works and Enabling auto-cache in the FortiAnalyzer


Administration Guide.
l Group reports that run regularly. To group reports, see Grouping reports in the

FortiAnalyzer Administration Guide.


hostname-resolve Ensure hostname-resolve is set to disable. Resolving hostnames usually takes a
long time. If the DNS server is slow or does not support reverse DNS, report generation
might hang.

Total Quota Summary:


Total Quota Allocated Available Allocate%
27201.3GB 1024.0GB 26177.3GB 3.8 %

System Storage Summary:


Total Used Available Use%
27501.3GB 1117.6GB 26383.6GB 4.1 %

------------------------------------------
System Performance
Fri Aug 25 12:00:02 2017
------------------------------------------
CPU
Used: 34.4%
Used(Excluded NICE): 34.4%
Memory
Total: 34939888 KB
Used 23899636 KB 68.4%
Hard Disk
Total: 28837161872 KB
Used: 11171927688 KB 38.7%
IoStat:
Log Rate
logs/sec: 20326.8, logs/30sec: 20395.6, logs/60sec: 20274.2
Message Rate
msgs/sec: 3057.4, msgs/30sec: 3068.1, msgs/60sec: 3039.1

Section What to look for

Total Quota Summary l Ensure there is enough disk quota and disk space for logging and reporting.
and System Storage Insufficient disk quota might affect report accuracy.
Summary Disk quota must be big enough so that quota enforcement does not affect logs
used for reporting. If quota enforcement trims the logs or tables used for the
reporting period, there might be empty charts or incorrect data.

System Performance l Check that there is enough system resources including CPU, memory, and disk
space.
l Check that the log rate and message rate is not so high that it slow report

FortiAnalyzer 7.2.0 Examples 52


Fortinet Inc.
Troubleshooting

Section What to look for

generation.
l If the log rate is higher than the sustained rates for your FortiAnalyzermodel, the
hardware is overloaded and needs an upgrade. The sustained rates for
FortiAnalyzermodels are listed in the Data Sheet on the FortiAnalyzer web page.

------------------------------------------
Run Report
Fri Aug 25 12:00:03 2017
------------------------------------------
[12:00:03] Request hcaches for 9 log tables
chart Traffic-Bandwidth-Summary-Day-Of-Month done, 1 subqrys
1/1 took 17.88s, 0 hcaches ready, 2 hcaches requested
overall time used 18.13s
chart Session-Summary-Day-Of-Month done, 1 subqrys
1/1 took 15.54s, 0 hcaches ready, 2 hcaches requested
overall time used 15.80s
chart Traffic-History-By-Active-User done, 1 subqrys
1/1 took 12.79s, 0 hcaches ready, 2 hcaches requested
overall time used 13.07s
chart Top-Attack-Victim done, 1 subqrys
1/1 took 1.71s, 0 hcaches ready, 1 hcaches requested
overall time used 1.71s
chart Top-Attack-Source done, 1 subqrys
1/1 took 1.51s, 0 hcaches ready, 1 hcaches requested
overall time used 1.51s
chart Top-Attacks-Detected done, 1 subqrys
1/1 took 1.91s, 0 hcaches ready, 1 hcaches requested
overall time used 1.94s



chart System-Summary-By-Severity done, 1 subqrys
1/1 took 1.22s, 0 hcaches ready, 1 hcaches requested
overall time used 1.22s
chart System-Critical-Severity-Events done, 1 subqrys
1/1 took 1.18s, 0 hcaches ready, 1 hcaches requested
overall time used 1.18s
chart System-High-Severity-Events done, 1 subqrys
1/1 took 0.46s, 0 hcaches ready, 1 hcaches requested
overall time used 0.46s

Section What to look for

Run Report l Check the number of log tables.


l Check the number of hcaches requested vs ready.
If many hcaches are not ready, then those charts will take a long time.
If the number of log tables is high but the number of hcaches ready is low, retrieve
the diagnostic log after five minutes. A change in the number of hcaches ready
means the report is still running.
Since the diagnostic log is updated every five minutes, you can check this log to
view reporting progress.

FortiAnalyzer 7.2.0 Examples 53


Fortinet Inc.
Troubleshooting

Section What to look for


l Check which charts take a long time to generate and reconfigure those charts to
improve performance.

------------------------------------------
Report Summary
Fri Aug 25 12:00:56 2017
------------------------------------------
Number of charts: 58
Number of tables: 9
Number of hcaches requested: 109

HCACHE building time: 53.32s


Rendering time: 13.33s
Total time: 1m7.67s

Section What to look for

Report Summary l Check the number of hcaches requested, hcache building time, and rendering
time.
The number of hcaches requested = number of charts per report * number
of primary tables * number of reports.

Check hardware and software status

get system status

This command shows the system status such as platform type (hardware or VM), firmware version, system time, disk
usage, and file system format.
Use this information to check if the hardware is overloaded. This information also helps you and customer support to
quickly identify any issues and narrow down the investigation.
Following is a sample result of running this command.
Platform Type : FAZ3500E
Platform Full Name : FortiAnalyzer-3500E
Version : v5.4.3-build1187 170517 (GA)
Serial Number : FL99999999999999
BIOS version : 00010001
System Part-Number : P15168-01
Hostname : SAMPLEFZ350
Max Number of Admin Domains : 4000
Admin Domain Configuration : Disabled
FIPS Mode : Disabled
Branch Point : 738
Release Version Information : GA
Current Time : Tue May 23 10:22:53 PST 2017
Daylight Time Saving : Yes
Time Zone : (GMT-8:00) Pacific Time (US & Canada).
x86-64 Applications : Yes
Disk Usage : Free 17020.10GB, Total 40314.71GB
File System : Ext4

FortiAnalyzer 7.2.0 Examples 54


Fortinet Inc.
Troubleshooting

Line Notes
Current Time This is the SQL insert start time.
File System Ensure the file system is Ext4. Other file systems will likely cause performance
issues.

What to look for:


l Check the hardware Platform Type. Consider upgrading older hardware, especially older hardware running
newer software such as 5.2 or later.
l Version shows the software version. Ensure you are running the latest software version with the newest report
engine.
l Ensure File System is Ext4. Other file systems will likely cause performance issues.

diagnose fortilogd lograte

This command shows the log receive rate.


Following is a sample result of running this command.
logs/sec: 121091.0, logs/30sec: 119613.9, logs/60sec: 116695

What to look for


l If the log rate is higher than the sustained rates for your FortiAnalyzer model, the hardware is overloaded and needs
an upgrade. The sustained rates for FortiAnalyzer models are listed in the Data Sheet on the FortiAnalyzer web
page.

Check data policy and log storage policy

Check that the data policy and log storage policy are configured properly for each ADOM in each FortiAnalyzer unit. The
data policy specifies how long to keep logs. The log storage policy affects logs and the SQL database. For details, see
the FortiAnalyzer Administration Guide.

Check report and chart settings

Resolving hostnames usually takes a long time. If the DNS server is slow or does not support reverse DNS, report
generation might hang. Check that Resolve Hostname is disabled:
l In Reports Settings tab > Advanced Settings, check that Resolve Hostname is not selected.
l In the Chart Library, check that Resolve Hostname is set to Disabled.
If you do not need to show all results, specify a lower maximum number of entries:
l In the Chart Library, check that the chart's Show Top (0 for all results) is not set too high.
Setting this field to 0 for all results causes FortiAnalyzer to list all logs for the chart.

FortiAnalyzer 7.2.0 Examples 55


Fortinet Inc.
Troubleshooting

Check and adjust report auto-cache daemon

get system performance

This command shows system performance statistics such as CPU, memory, and I/O usage.
Following is a sample result of running this command.
CPU:
Used: 49.51%
Used(Excluded NICE): 49.51%
%used %user %nice %sys %idle %iowait %irq %softirq
CPU0 27.89 20.60 0.00 5.40 96.42 0.80 0.00 1.79
CPU1 21.62 12.61 0.00 8.20 98.38 0.40 0.00 0.40
Memory:
Total: 6,134,200 KB
Used: 3,770,260 KB 61.5%
Hard Disk:
Total: 82,434,736 KB
Used: 65,283,648 KB 79.2%
IOStat: tps r_tps w_tps r_kB/s w_kB/s queue wait_ms svc_ms %util sampling_sec
4.7 0.2 4.4 27.5 144.2 0.2 52.5 8.4 3.9 599578.78
Flash Disk:
Total: 499,656 KB
Used: 314,416 KB 62.9%
IOStat: tps r_tps w_tps r_kB/s w_kB/s queue wait_ms svc_ms %util sampling_sec
0.0 0.0 0.0 0.0 0.0 0.0 13.6 4.6 0.0 599578.78

Following is a sample result of high %iowait. To see the iowait usage and limit, first enable debug messages for SQL
commands (diagnose debug enable) and set the debug level (diagnose debug application
sqlrptcached 8).
FAZVM64 # [530] iowait usage (27.5%) is over limit (23%).
[530] iowait usage (25.9%) is over limit (23%).
[530] iowait usage (28.3%) is over limit (23%).

What to look for


l Check the Used and IOStat lines to see if I/O is busy.
l If both CPU %used and %iowait are high, check if the report cache daemon is running:
diagnose debug enable
diagnose debug application sqlrptcached 8
l If iowait is over the limit, cache building (by sqlrptcached) will be paused until iowait drops below the limit. In
this case, do one or both of the following:
l Change the report schedule to run at a less busy time. To see scheduled reports, run execute sql-report

list-schedule <ADOM>. To configure report schedules, see Scheduling reports in the FortiAnalyzer
Administration Guide.
l Enable aggressive-schedule so the report auto-cache daemon does not stop even under heavy system

load:
config system report auto-cache
set aggressive-schedule enable
end

FortiAnalyzer 7.2.0 Examples 56


Fortinet Inc.
Troubleshooting

Check and adjust report hcache

diagnose test application sqlrptcached 2

This command shows if hcache creation is able to catch up.


Following is a sample result of running this command.
Number of log table read: all=6453(fortiview=0, rpt=6453) pending=1
Number of log table done: all=6453(fortiview=0, rpt=6453) rpt=6453
Current hcache table entries: 155750
Number of hcache requests sent: 70999
Number of log table vacuums: 39401, pending=2
FortiView hcache load: rounds=817, tbl=653600
ncmdb:
cache hit: sch=0, config=27, chart=140, macro=0, dataset=140 config=27
calls : sch=130, config=11, chart=23, macro=0, dataset=23

The following table provides notes about some output lines in the example.

Line Notes
Number of log table read pending=0 means hcache creation is able to catch up. If pending is above 0,
see What to look for below.
Number of log table done The number of primary tables used to calculate the Number of hcache
requests sent.
Current hcache table Total hcache on the system.
entries

Number of hcache The number of charts per report * the number of primary tables * the number of
requests sent reports.
Number of log table The postgres built-in status. A pending number above 0 indicates insufficient
vacuums postgres resources.
FortiView hcache load rounds is the number of FortiView caches proactively loaded into memory.
ncmdb Report configuration database.
cache hit config is the number of enabled auto cache.

What to look for

l In Number of log table read, if the pending number is continuously above 0 or is increasing, that indicates
there are too many pending log tables to read and the system lacks resources to create cache. In this case,
consider disabling auto-cache on some reports. See Enabling auto-cache and Reports Settings tab in the
FortiAnalyzer Administration Guide.
l Run execute sql-report list-schedule <ADOM> and check if there are too many scheduled reports and if
auto-cache is enabled. See Scheduling reports and Enabling auto-cache in the FortiAnalyzer Administration Guide.
l Run execute top to check which applications are using the most system resources.

FortiAnalyzer 7.2.0 Examples 57


Fortinet Inc.
Troubleshooting

execute sql-report hcache-check <ADOM> <schedule-id>

This command shows a specific report’s hcache status.


If necessary, check the hcache status of a specific report that you think might be a problem.
For example, if the ADOM is root and schedule-id is 10004, then run execute sql-report hcache-check
root 10004.
To get the schedule-id, run execute sql-report list-schedule root and see the NAME column.
Following is a sample result of running the execute sql-report hcache-check <ADOM> <schedule-id>
command.
layout_num:1
start [0] get layout-id:10004.
start report_process, layout-id:10004, layout title:Admin and System Events Report.
device list:All_FortiGates.
reports num:1.

device list[0].FWF60C3G13006291[root].
device list[1].FG3K2C3Z11800039[root].
......

> checking (10004_t10004-Admin and System Events Report) ...


checking chart Admin-Login-Summary...
8/8 (100%) done 0.131 secs used.
checking chart Admin-Login-Summary-By-Date...
8/8 (100%) done 0.128 secs used.
...

What to look for


l If a few reports are causing a bottleneck, check those reports’ Check the report diagnostic log on page 51 and
consider reconfiguring those reports. See also Check and adjust report auto-cache daemon on page 56.

Report performance troubleshooting commands

CLI Description
diagnose debug application Set the debug level of the SQL report cache daemon.
sqlrptcached 8

diagnose debug crashlog read Print information of all crashed daemons.


If daemons crash frequently, contact customer support for assistance.
diagnose debug disable Disable debug message.
diagnose debug enable Enable debug messages to run SQL diagnostic commands.
diagnose fortilogd lograte Show the log receive rate.

FortiAnalyzer 7.2.0 Examples 58


Fortinet Inc.
Troubleshooting

CLI Description
diagnose fortilogd msgrate Show message receive rate. One message might contain multiple logs.
diagnose log device Show disk quota for all logging devices.
diagnose report status Show the maximum number of pending and running reports, and the current
number of pending and running reports.
diagnose test application Show if hcache creation is able to catch up.
sqlrptcached 2

diagnose sql show Show the hcache size.


hcache-size

diagnose sql status run-sql- List the number of log tables, hcaches, and the time to generate each chart
rpt in the report.
diagnose sql status Show SQL query connections and hcache status.
sqlreportd

execute sql-report hcache- Show a specific report’s hcache status.


check <ADOM> <schedule-id>

execute sql-report Show a summary table of all configured reports with their configuration
list-schedule <ADOM> status.
execute top List the processes running on the FortiAnalyzer system.
get system performance Show system performance statistics such as CPU, memory, and I/O usage.
get system status Show the system status such as platform type (hardware or VM), firmware
version, system time, disk usage, and file system format.
Use this information to check if the hardware is overloaded. This information
also helps you and customer support to quickly identify any issues and
narrow down the investigation.
l Ensure Version is the latest software version.

l Check the hardware Platform Type. Consider upgrading older

hardware, especially older hardware running newer software such as


5.2 or later.
l Ensure File System is Ext4. Other file systems will likely cause

performance issues.
show system report Show non-default settings in the report auto-cache.
auto-cache Ensure auto-cache is enabled by running these commands:
config system report auto-cache
set status enable
end

Troubleshooting a dataset query

The following topics provide guidance when troubleshooting a dataset query:

FortiAnalyzer 7.2.0 Examples 59


Fortinet Inc.
Troubleshooting

l Troubleshooting a custom dataset on page 60


l SQL functions for formatting and converting data types on page 60
l Macros for formatting date and time in a dataset on page 61

Troubleshooting a custom dataset

This topic provides a list and an example of common issues in a custom dataset that cannot be identified by the dataset
test console.

Common issues:

l $filter is not applied.


l No ### for inner query.
l distinct is used in inner query.
l No column alias for column with function.
l no hcache merge for count distinct.
l No group by or order by.
l Log tables are not joined. For example, join traffic log with IPS log.
l Dataset test console is out of memory.
The image below indicates where common issues may appear in the dataset:

SQL functions for formatting and converting data types

The following SQL functions can be used to format or convert different data types:

FortiAnalyzer 7.2.0 Examples 60


Fortinet Inc.
Troubleshooting

SQL function Description


from_itime / from_dtime Converts timestamp to formatted date/time.
ipstr Converts srcip/dstip field from inet to string.
app_group_name Groups similar application names.

root_domain Groups similar hostnames.


vpn_trim Groups similar VPN tunnels.
nullifna Converts N/A to null.
logid_to_int Trims logid.

Macros for formatting date and time in a dataset

The following macros can be used to fine tune date and time formatting in a dataset:

Macros Description Example

$flex_timescale Time scale changes according to the report time period:


l Time period > 28 days l Display day: 2018-02-25
l Time period > 12 hours and <= 28 days l Display hour: 2018-02-25
l Time period > 4 hours and <= 12 hours 14:00
l Time period > 1 hour l Display 30 min granularity:
l <= hour 2018-02-25 14:30
l Display 5 min granularity:
2018-02-25 14:40
l display 1 min granularity:
2018-02-25 14:42

$hour_of_day Displays hour in 24 hr format. 18:00

$HOUR_OF_DAY Displays date (YYYY-MM-DD) and hour in 24 hr format. 2018-01-13 18:00

$DAY_OF_MONTH Displays month in format YYYY-MM-DD (2017-01-10). 2018-01-01

$day_of_month Displays day of the month in two digits format 01-12. 01

$day_of_week Displays number and name of the day of the week Mon
(WDAY 2-Mon).

Troubleshooting an empty chart

To troubleshoot an empty chart in a report, go to Log View to verify logs are incoming.
l If you see logs check for SQL errors.
l If you don't see any logs the daemon may have stopped working.

FortiAnalyzer 7.2.0 Examples 61


Fortinet Inc.
Troubleshooting

CLI commands for troubleshooting

The following table provides a list of CLI commands to troubleshoot an empty chart in a report:

Command Description

Check report running/pending diagnose report status {running | pending}


status

Debug sql query diagnose debug enable


diagnose debug application sqlplugind 4 -----errors only
diagnose debug application sqlplugind 8

List current SQL process diagnose sql process list

Configure global report config system report auto-cache


automatic cache setting

List report schedule/auto- execute sql-report list-schedule <ADOM-name>


cache status by ADOM

Diagnose report hcache diagnose test application sqlrptcached 2


working status

Check individual report execute sql-report hcache-check <ADOM-name> <schedule-id>


hcache status

Check report status during diagnose debug enable


report running diagnose sql status sqlreportd

FortiAnalyzer 7.2.0 Examples 62


Fortinet Inc.
Troubleshooting

Common issues

The following table provides a list of common issues that may produce an empty chart in a report:

Issue Description

Wrong report filter applied Go to Log View and search for:


l Field “status” changed to “action” (since 5.0.6)

l Data type of srcip and dstip changed from string to inet.

Log field changed after This can be identified by a dataset test console or SQL debug.
upgrade

Hcache corrupt Clear hcache before running the report (dia sql remove hcache).

Log traffic l High log rate (diagnose fortilogd lograte)


l Device or ADOM quota reached (diagnose log device)

“logver” issue Some datasets are using field “logver” to identify FOS log version.
Go to Log View and search for logver=*
If there are no records, you may need to upgrade.

"out of memory” File system error. This occurs mostly in 5.2.

FortiAnalyzer 7.2.0 Examples 63


Fortinet Inc.
www.fortinet.com

Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

You might also like