FortiAnalyzer 7.2.0 Examples
Change log 5
Introduction 6
System settings 7
Setting up a FortiAnalyzer HA cluster 7
Reports 9
Configuring a report with an LDAP server 9
Real-time dashboards 11
Configuring FortiAnalyzer to detect FortiSandbox devices 11
Creating a firewall policy on FortiSandbox 11
Creating a log server for FortiAnalyzer 12
Adding FortiSandbox to FortiAnalyzer 13
Fabric connectors 15
Configuring a ServiceNow connector 15
Locating your ServiceNow API URL 15
Creating a fabric connector for ServiceNow 16
Sending notifications to ServiceNow 17
Creating a Google Cloud connector 18
Configuring a Google Cloud storage bucket 18
Locating your Google Cloud information 20
Importing the CA certificate 23
Creating the cloud connector 24
Testing the Google Cloud connector 26
SOAR and SIEM 28
Event handler example scenarios 28
Custom event handler example 28
Predefined event handler example 29
Configuring an EMS connector for use in FortiSoC playbooks 31
Configure the EMS connector 32
Create a playbook using the EMS connector 35
Configuring an event handler to filter IPS attack direction 37
Event handler setup based on user network subnet 37
Event handler setup based on interface role 42
Logging 47
FortiAI logging on FortiAnalyzer 47
Troubleshooting 51
Troubleshooting report performance issues 51
Check the report diagnostic log 51
Check hardware and software status 54
Check data policy and log storage policy 55
Check report and chart settings 55
Check and adjust report auto-cache daemon 56
Check and adjust report hcache 57
Report performance troubleshooting commands 58
Introduction
This document serves as a reference guide to common FortiAnalyzer 7.2 configuration and deployment scenarios. The
scope of this document is to explain specific examples and include information required for those examples to work. The
examples rely on the other documents to provide full product information.
For further FortiAnalyzer information, refer to the FortiAnalyzer Administration Guide available
on the Fortinet Docs Library.
System settings
You can configure two or more FortiAnalyzer units in a High Availability (HA) cluster to provide real-time redundancy in
case a primary unit fails. High Availability clusters also alleviate the load on the primary unit by using secondary units for
processes such as running reports.
The following is an overview of how to configure FortiAnalyzer units in an HA cluster:
1. Go to System Settings > HA.
2. Set the Operation Mode of the primary unit to High Availability.
3. Configure the settings for the primary unit.
4. Configure the settings for the secondary units.
5. In the Peer IP and Peer SN box, type the Peer IP and Peer SN for each secondary unit. The maximum is three units.
6. Type the Group Name, Group ID, and Password. These settings must be the same for all the units in the cluster.
7. Click Apply.
Interface: Select the interface being used by the cluster as the Virtual IP.
IP Address: Type the IP address being used by the cluster to provide redundancy.
3. In the Peer IP and Peer SN box, type the Peer IP and Peer SN for the primary unit and each secondary unit.
4. Type the Group Name, Group ID, and Password. These settings must be the same for all the units in the cluster.
5. Click Apply.
Reports
You can use report filters to show only the members of a group in an LDAP server.
This example demonstrates how to filter the Admin and System Events Report to show data for the group members in
Distinguished Name: cn=group1,ou=groups,dc=fortinet,dc=com in the report output.
Requirements:
- The LDAP server is ready and accessible.
- Group members are configured.
d. Click LDAP Query and set LDAP Server to the LDAP server you created, then click Apply.
3. Select the View Report tab and click Run Report to run the report and verify the output.
The report displays the users in the group: cn=group1,ou=groups,dc=fortinet,dc=com in the Login
Summary chart and the group name in the Report Filters.
Real-time dashboards
You can use FortiAnalyzer to monitor FortiSandbox devices. Some configurations are required on FortiSandbox to add
the device to FortiAnalyzer. After you add the device, go to FortiView > Threats > FortiSandbox Detection to view the
scanned files.
You can use the CLI console in FortiSandbox to configure a firewall policy, then specify the IP address of the
FortiAnalyzer that you want to monitor the FortiSandbox.
1. In the FortiGate device, click the CLI Console icon on the right-side of the banner on any page.
2. Specify the FortiSandbox in the global configuration:
3. Create an antivirus profile to allow FortiGate to submit all files scanned by AntiVirus to FortiSandbox. The following
is a sample AntiVirus profile:
config antivirus profile
    edit "test"
        set ftgd-analytics everything
        config http
            set options scan avmonitor
        end
        config ftp
            set options scan avmonitor
        end
        config imap
            set options scan
        end
        config pop3
            set options scan
        end
        config smtp
            set options scan
        end
        config nntp
            set options scan
        end
    next
end
Use FortiSandbox to create a log server to specify the FortiAnalyzer that will monitor the scanned files.
Log Server Address: Enter the log server IP address for the FortiAnalyzer device.
Log Level: Set the logging levels to be forwarded to the log server. The following options are available:
- Enable Alert Logs. By default, only logs of non-Clean rated jobs are sent. Users can choose to send Clean Job Alert
Logs by selecting Include job with Clean Rating.
- Enable Critical Logs
- Enable Error Logs
- Enable Warning Logs
- Enable Information Logs
- Enable Debug Logs
You can use the IP address of the configured FortiSandbox to add it to FortiAnalyzer with Device Manager.
Serial Number: Type the serial number for the FortiSandbox device.
3. Click Next.
The device is added to the ADOM and, if successful, is ready to begin sending logs to the FortiAnalyzer unit.
4. Click Finish.
5. In Device Manager, select the FortiSandbox you added, and click Edit in the toolbar.
6. Enter the Admin User and Password to allow FortiAnalyzer to access the FortiSandbox, then click OK.
1. Go to FortiView > FortiView > Threats > FortiSandbox Detection to view the files scanned by FortiSandbox.
2. Click a file to view the Drilldown Panel.
3. Click the FortiSandbox Scan link to view the Sandbox Execution Details panel.
Fabric connectors
Admins can use ServiceNow to manage incidents and events with the FortiAnalyzer App. To notify ServiceNow when an
incident is raised in FortiAnalyzer, create a fabric connector, then enable notifications for the fabric connector you
created.
Before you begin, ensure you have completed the following tasks in ServiceNow:
- Install the ServiceNow FortiAnalyzer App.
- Go to FortiAnalyzer App > FortiAnalyzer System Properties, and create a connection for the ServiceNow API.
To integrate FortiAnalyzer with ServiceNow:
1. Record the ServiceNow API URL.
2. Create a fabric connector for ServiceNow.
3. Enable notifications to notify ServiceNow when an incident is raised.
You will need to know the ServiceNow API URL and login credentials to create a fabric connector in FortiAnalyzer.
2. In the Connection to ServiceNow API section, copy the URL in the ServiceNow API URL field.
You will need to create a fabric connector to notify ServiceNow when an incident is raised in FortiAnalyzer.
Name: Type a name for the fabric connector. The name cannot be changed once the fabric connector is created.
Description: (Optional) Type a description for the fabric connector. You can change the description after the fabric
connector is created.
Title: Type a title for the fabric connector. You can change the title after the fabric connector is created.
URL: Type the ServiceNow API URL located in FortiAnalyzer App > FortiAnalyzer System Properties.
User Name: Type the Username located in FortiAnalyzer App > FortiAnalyzer System Properties.
Password: Type the Password located in FortiAnalyzer App > FortiAnalyzer System Properties.
5. Click OK.
When logs reach a certain size, they roll over and begin deleting the earliest entries to make room for additional logs. To
prevent losing any log entries, FortiAnalyzer can periodically back up older logs to an external object storage location in
Google Cloud. This off-site log archive helps ensure compliance and data redundancy in case of a local storage failure
or outage in FortiAnalyzer.
1. Create a storage bucket on Google Cloud. See Configuring a Google Cloud storage bucket on page 18.
2. Locate your Google Cloud Platform information. See Locating your Google Cloud information on page 20.
3. Import the required CA certificates on FortiAnalyzer. See Importing the CA certificate on page 23.
4. Create a cloud connector on FortiAnalyzer. See Creating the cloud connector on page 24.
5. Test the connector. See Testing the Google Cloud connector on page 26.
Google storage buckets must be globally unique. For simplicity, this example uses the project name. However, you can
use any name you like.
For more information about creating Google storage buckets, see the product help.
1. Open the Cloud Storage browser in the Google Cloud Console and click Create Bucket.
2. Enter a name for the bucket.
3. Select a region for the bucket. You will need this location when you create a cloud connector in FortiAnalyzer.
7. Click Create.
Some information is required from Google Cloud in order to create a storage connector on FortiAnalyzer.
3. Locate the Project Info widget and copy the Project Number.
A private key is required to create a fabric connector for Google Cloud. After you create the key, save it to your computer
and paste the entire contents of the JSON file in the Service Account Credentials field when you create the cloud
connector. You can download an existing service account key from the bucket details page.
1. Open your project in Google Cloud Platform.
2. In the Navigation pane, go to IAM & admin > Service Accounts. The Service accounts page opens.
3. Click Create Service Account. The Create service account page opens.
4. Type the Service account name, Service account ID, and Service account description, then click Create.
5. Select the account permissions from the Role dropdown, then click Continue.
6. In the Grant users access to this service account section, click Create Key.
8. Paste the entire contents of the JSON file in the Service Account Credentials field when you create the cloud
connector.
Use the Google bucket name for the Remote Path in the Device Logs Settings. The bucket name is also the name of the
fabric connector.
1. In the navigation pane, go to Storage > Browser.
2. Copy the name of the bucket as it appears in the Name column and paste it into the Remote Path field when you
create the cloud connector.
Google requires that you provide CyberTrust and GlobalSign certificates when creating a cloud object.
To import a CA certificate:
Before you begin creating a Google Cloud connector, ensure you have:
- Imported the required CA certificates.
- Downloaded the private key from Google Cloud.
1. Go to Fabric View > Fabric > Connectors, and click Create New in the toolbar. The Create New Fabric Connector
dialog opens.
2. In the Storage section, click Google Cloud Storage Connector.
3. Configure the fabric connector settings, then click OK.
Property Description
Cloud Project Number: Type the project number from the Google Cloud Platform dashboard. See Locating your Google
Cloud information on page 20.
Service Account Credentials: Paste the entire Google account JSON key into the field. Click the eye icon to Show or
Hide the key. See Locating your Google Cloud information on page 20.
Cloud Location: Type the bucket region. See Creating a Google storage bucket. See Locating your Google Cloud
information on page 20.
Property Description
Cloud Storage Connector: Type the name you gave to the fabric connector.
Remote Path: Type the globally unique name you gave to your bucket. For simplicity use the project name. See
Locating your Google Cloud information on page 20.
You can use the CLI console to test the cloud connector before the logs have rolled over or a scheduled backup is
performed.
1. Open the CLI console and type: diag test application uploadd 62 <connector name> <bucket name>.
If the connector is working, the output will show success.
2. Go to the storage bucket on Google Cloud and look for the test files you uploaded.
1. With the default settings, access to shell will give the following message:
FAZ1000D # execute shell
Shell disabled.
2. Use the following commands to enable shell on the FortiAnalyzer:
FAZ1000D # config system admin setting
(setting)# set shell-access enable
Enter new password: *****
Confirm new password: *****
FAZ1000D # end
3. The shell is now enabled.
FAZ1000D # execute shell
Enter password:
sh-4.3#
sh-4.3#
Open the CLI console on any page and type: rclone --config=/drive0/private/rclone.cfg ls <connector-name>:<bucketname>
Event handlers can be created to trigger events based on a variety of conditions. By viewing logs in a raw format, you
can identify notable log fields and apply corresponding filters in event handlers so that similar logs will trigger an event.
For more information on viewing raw logs in FortiAnalyzer, see the FortiAnalyzer Administration Guide.
In this scenario, information from the following raw log is used to create a custom event handler.
date="2020-08-02" time="09:49:57" id=6856321710715568162 bid=8050516 dvid=1039 itime=1596361797 euid=1 epid=1 dsteuid=1 dstepid=1 log_id="0100026477" type="virus" subtype="infected" pri="information" from="[email protected]" to="[email protected]" src="172.20.140.108" session_id="s7Q4T9no026475-s7Q4T9pw026475" msg="The file virus_samples/sandbox/1385973112552098.172.16.92.92.3 is infected with W32/DomaIQ.AN!tr." device_id="FE-2KB3R09690010" vd="root" devname="FE-2KB3R09690010"
This log contains information about malware detected by FortiMail. Two notable fields are the log type, type=virus,
and the subtype, subtype=infected.
Using this information, you can create an event handler which identifies these fields and generates an alert whenever
FortiMail logs include these definitions, indicating the presence of an infection.
1. Go to FortiSoC > Handlers > Event Handler List, and click Create New.
2. Enter a name and description (optional) for the event handler.
3. For Devices, select your FortiMail device, and for Subnets select All Subnets.
4. Configure a filter with the following information:
a. Log Device Type: FortiMail
b. Log Type: Antivirus Log (virus)
c. Group By: Device ID
d. Logs match: All
e. Log Field: Subtype (subtype) Equal To Infected.
The remaining settings can be left in their default state. Click OK to save the event handler.
When enabled, logs from the selected FortiMail device which include the Log Type: virus and Sub Type: Infected will
generate an event.
In addition to custom event handlers, FortiAnalyzer includes predefined event handlers. Below are example logs that will
trigger predefined event handlers when enabled.
These examples use the Generic Text filter field to include specific log information, such as logid="0422016400", in the
event handler filters.
Example log:
The above example log triggers Filter 1 in the Default-Compromised Host-Detection-by IOC-By-Threat event handler:
Default-Botnet-Communication-Detection-By-Threat:
Example log:
date="2020-10-02" time="12:44:16" id=6879111064877793339 bid=151784 dvid=1043 itime=1601667857 euid=3 epid=1083 dsteuid=3 dstepid=101 logflag=16 logver=604021723 type="utm" subtype="ips" level="warning" action="dropped" sessionid=4398915 srcip="10.100.91.100" dstip="103.226.154.43" srcport=8725 dstport=80 attackid=7630075 severity="critical" proto=6 logid="0422016400" service="HTTP" eventtime=1601667857379929845 policyid=13 crscore=50 craction=4 crlevel="critical" srcintfrole="lan" dstintfrole="wan" direction="outgoing" profile="default" srcintf="port3" dstintf="port1" ref="http://www.fortinet.com/be?bid=7630075" attack="BlackMoon" eventtype="botnet" srccountry="Reserved" msg="Botnet C&C Communication." tz="-0700" tdthreatname=20432 devid="FGVM02TM20001234" vd="root" devname="Enterprise_Core"
The above example log triggers Filter 8 in the Default-Botnet-Communication-Detection-By-Threat event handler:
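Both filters described in this section, the custom FortiMail handler (type virus, subtype infected, grouped by Device ID) and the Generic Text match on logid="0422016400" used by the predefined botnet handler, can be reproduced offline against raw logs. The Python below is an added example, not FortiAnalyzer code or anything from Fortinet: it parses the key=value log format quoted on this page and applies both conditions. Assumptions of the example: the Generic Text field is modelled as a literal substring match on the raw line, the subtype comparison is case-insensitive, and the sample input is constructed from the two logs above with the mail addresses replaced by example.com placeholders and one clean-mail record added.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Fortinet raw logs are space-separated key=value pairs. A value is either a
# double-quoted string (which may contain spaces, '=' and escaped quotes) or a
# bare token such as a number, an IP address or a timestamp.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortinet_log(line: str) -> Dict[str, str]:
    """Parse one raw log line into a field -> value dict (quotes stripped)."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


# Custom handler from the page: Log Type "virus" AND Subtype equal to "infected".
# Case-insensitive comparison is an assumption (the GUI shows "Infected",
# the raw log carries "infected").
def matches_fortimail_infected(fields: Dict[str, str]) -> bool:
    return (fields.get("type") == "virus"
            and fields.get("subtype", "").lower() == "infected")


def group_infected_by_device(lines: Iterable[str]) -> Dict[str, int]:
    """Count matching logs per device, like 'Group By: Device ID'.
    FortiMail writes the device identifier in the device_id field."""
    counts: Counter = Counter()
    for line in lines:
        fields = parse_fortinet_log(line)
        if matches_fortimail_infected(fields):
            counts[fields.get("device_id", "unknown")] += 1
    return dict(counts)


# Predefined handler from the page: Filter 8 of
# Default-Botnet-Communication-Detection-By-Threat keys on logid="0422016400"
# through the Generic Text field, modelled here (assumption) as a substring test.
BOTNET_GENERIC_TEXT = 'logid="0422016400"'


def matches_generic_text(line: str, needle: str = BOTNET_GENERIC_TEXT) -> bool:
    return needle in line


def botnet_hits(lines: Iterable[str]) -> List[str]:
    """devname of every log that would trigger the predefined botnet filter."""
    return [parse_fortinet_log(line).get("devname", "")
            for line in lines if matches_generic_text(line)]


# Constructed sample input, adapted from the two raw logs shown on the page.
SAMPLE_LOGS: List[str] = [
    'date="2020-08-02" time="09:49:57" id=6856321710715568162 bid=8050516 dvid=1039 '
    'itime=1596361797 euid=1 epid=1 dsteuid=1 dstepid=1 log_id="0100026477" type="virus" '
    'subtype="infected" pri="information" from="sender@example.com" to="user@example.com" '
    'src="172.20.140.108" session_id="s7Q4T9no026475-s7Q4T9pw026475" msg="The file '
    'virus_samples/sandbox/1385973112552098.172.16.92.92.3 is infected with W32/DomaIQ.AN!tr." '
    'device_id="FE-2KB3R09690010" vd="root" devname="FE-2KB3R09690010"',
    # Constructed clean-mail record from the same device: must not trigger the handler.
    'date="2020-08-02" time="09:50:12" log_id="0100026478" type="virus" subtype="clean" '
    'pri="information" from="sender@example.com" to="user@example.com" src="172.20.140.109" '
    'msg="The file report.pdf is clean." device_id="FE-2KB3R09690010" vd="root"',
    'date="2020-10-02" time="12:44:16" id=6879111064877793339 bid=151784 dvid=1043 '
    'itime=1601667857 euid=3 epid=1083 dsteuid=3 dstepid=101 logflag=16 logver=604021723 '
    'type="utm" subtype="ips" level="warning" action="dropped" sessionid=4398915 '
    'srcip="10.100.91.100" dstip="103.226.154.43" srcport=8725 dstport=80 attackid=7630075 '
    'severity="critical" proto=6 logid="0422016400" service="HTTP" '
    'eventtime=1601667857379929845 policyid=13 crscore=50 craction=4 crlevel="critical" '
    'srcintfrole="lan" dstintfrole="wan" direction="outgoing" profile="default" '
    'srcintf="port3" dstintf="port1" ref="http://www.fortinet.com/be?bid=7630075" '
    'attack="BlackMoon" eventtype="botnet" srccountry="Reserved" msg="Botnet C&C '
    'Communication." tz="-0700" tdthreatname=20432 devid="FGVM02TM20001234" vd="root" '
    'devname="Enterprise_Core"',
]


if __name__ == "__main__":
    print(group_infected_by_device(SAMPLE_LOGS))   # {'FE-2KB3R09690010': 1}
    print(botnet_hits(SAMPLE_LOGS))                # ['Enterprise_Core']
```

The quoted-value alternative in the regex is tried first, so a msg value containing spaces, slashes or an '=' (as in the ref URL) is kept whole; only unterminated quotes would fall back to the bare-token branch.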
Configuring an EMS connector on FortiAnalyzer allows FortiSoC automation playbooks to reach out to endpoints and
collect information or take containment actions.
1. Configure a FortiClient EMS 6.4.0 server which supports the FortiAnalyzer EMS connector feature.
3. In FortiClient EMS System Settings, configure FortiClient EMS to send logs to FortiAnalyzer.
5. In the Fabric ADOM, go to Fabric View > Fabric > Connectors. Click Create New, and select FortiClient EMS.
6. Go to FortiSoC > Automation > Connectors. Here you can view the actions FortiAnalyzer can take on endpoints
using the EMS connector.
Below are two examples of how FortiSoC playbooks can be configured to use the FortiClient EMS connector to enable
actions in FortiAnalyzer.
A prompt appears to select the endpoint on which to perform the vulnerability scan. Select the endpoint and enter
the ID of the incident that will be updated with information from the scan.
4. Go to FortiSoC > Automation > Playbook Monitor to view the running status of the playbook job and confirm it has
completed successfully.
The example below demonstrates how you can create a FortiAnalyzer event handler for filtering the IPS attack direction
based on the user's network environment.
You can configure this event handler based on network subnet information or interface roles:
- Event handler setup based on user network subnet on page 37
- Event handler setup based on interface role on page 42
In this example, the following IP range includes the internal IPs for users. IPs outside of this range are considered
external IPs.
- 192.168.0.0 - 192.168.255.255
The victim and attacker are identified as follows:
- The victim is identified by the IP of the traffic's origin (srcip) if the direction is incoming or the destination IP (dstip) if
the direction is outgoing.
- The attacker is identified by Attack Source and Attack Name.
1. Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
2. Based on the previously described example IP range, create an event handler to filter the alert as an attack to the
internal network when the source IP is within the internal network and the direction is incoming.
In this example, the filter is configured as follows:
3. Add an additional filter for when the destination IP is within the internal network and the direction is outgoing.
In this example, the filter is configured as follows:
1. Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
2. Based on the previously described example IP range, create an event handler to filter the alert as an attack to the
external network when the source IP is external and the direction is incoming.
In this example, the filter is configured as follows:
3. Add an additional event handler filter for when the destination IP is external and the direction is outgoing.
In this example, the filter is configured as follows:
In this example, interface roles are set up in FortiGate, where the internal network is connected with the "lan" interface,
and the external network is connected with the "wan" interface.
Traffic between the internal and external networks falls into the following cases:
- Traffic from internal to internal: srcintfrole="lan", dstintfrole="lan".
- Traffic from internal to external: srcintfrole="lan", dstintfrole="wan".
- Traffic from external to external: srcintfrole="wan", dstintfrole="wan".
- Traffic from external to internal: srcintfrole="wan", dstintfrole="lan".
1. Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
2. Based on the previously described interface roles, create an event handler to filter the alert as an attack to the
internal interface when the source interface role is "lan" and the direction is incoming.
In this example, the filter is configured as follows:
3. Add an additional filter for when the destination interface role is "lan" and the direction is outgoing.
In this example, the filter is configured as follows:
1. Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
2. Based on the previously described interface roles, create an event handler to filter the alert as an attack to the
external interface when the source interface role is "wan" and the direction is incoming. In this example, the filter is
configured as follows:
3. Add an additional filter for when the destination interface role is "wan" and the direction is outgoing.
In this example, the filter is configured as follows:
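To see how the subnet-based and the interface-role-based handler pairs described above classify the same IPS log, here is an added Python example (not FortiAnalyzer's own filter logic) that applies this section's victim rule (srcip when direction is incoming, dstip when outgoing) to a few constructed records. The 192.168.0.0/16 range is the example range from above; the ipaddress-based membership check, the treatment of unknown directions and interface roles as unclassified, and the sample records (one carrying the values of the BlackMoon log shown earlier, the others using RFC 5737 documentation addresses) are assumptions of this example.

```python
import ipaddress
from typing import Dict, List, Optional

# Internal user range from the page's example; any other address is external.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def victim_ip(log: Dict[str, str]) -> Optional[str]:
    """Victim address per the page's rule: srcip when direction is incoming,
    dstip when it is outgoing. Any other direction value stays unclassified."""
    direction = log.get("direction")
    if direction == "incoming":
        return log.get("srcip")
    if direction == "outgoing":
        return log.get("dstip")
    return None


def attacked_side_by_subnet(log: Dict[str, str]) -> Optional[str]:
    """Subnet-based handler pair: which side ('internal'/'external') is attacked."""
    ip = victim_ip(log)
    if ip is None:
        return None
    return "internal" if is_internal(ip) else "external"


def attacked_side_by_intfrole(log: Dict[str, str]) -> Optional[str]:
    """Interface-role handler pair: the victim-side role 'lan' means internal,
    'wan' means external. Other roles (dmz, undefined) stay unclassified."""
    direction = log.get("direction")
    role = None
    if direction == "incoming":
        role = log.get("srcintfrole")
    elif direction == "outgoing":
        role = log.get("dstintfrole")
    return {"lan": "internal", "wan": "external"}.get(role)


def summarize(log: Dict[str, str]) -> Dict[str, Optional[str]]:
    """What the resulting event would carry: victim, attack name, and the side
    under attack according to each of the two handler designs."""
    return {
        "victim": victim_ip(log),
        "attack": log.get("attack"),
        "by_subnet": attacked_side_by_subnet(log),
        "by_intfrole": attacked_side_by_intfrole(log),
    }


# Constructed sample IPS records holding only the fields the handlers look at.
SAMPLE_IPS_LOGS: List[Dict[str, str]] = [
    # Values of the BlackMoon botnet log shown on the page.
    {"srcip": "10.100.91.100", "dstip": "103.226.154.43", "direction": "outgoing",
     "srcintfrole": "lan", "dstintfrole": "wan", "attack": "BlackMoon"},
    # Constructed: inbound attack on a host inside 192.168.0.0/16 behind "lan".
    {"srcip": "192.168.10.5", "dstip": "203.0.113.9", "direction": "incoming",
     "srcintfrole": "lan", "dstintfrole": "wan", "attack": "Example.Inbound.Sig"},
    # Constructed: a 10.0.0.0/8 host behind "lan" but outside the example range,
    # so the two handler designs disagree about which side is attacked.
    {"srcip": "10.0.0.5", "dstip": "203.0.113.9", "direction": "incoming",
     "srcintfrole": "lan", "dstintfrole": "wan", "attack": "Example.Inbound.Sig"},
]


if __name__ == "__main__":
    for rec in SAMPLE_IPS_LOGS:
        print(summarize(rec))
```

The third record is the case to keep in mind when choosing between the two setups: the subnet filters only know the range you typed into them, while the interface-role filters follow the FortiGate topology, so the two agree only where the declared internal range matches what actually sits behind the "lan" interfaces.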
Logging
Starting in FortiAnalyzer 7.0.1, you can configure FortiAnalyzer to accept logs from a FortiAI device for use in the
following ways:
- FortiAnalyzer can recognize FortiAI devices.
- FortiAI logs can be stored in Fabric ADOM.
- FortiAI can be viewed in LogView.
- FortiAI Device Type and Log Types are available in event handlers and report data sets.
1. Go to FortiSoC > Handlers > Event Handler List, and create a new event handler.
2. Enter a name for the event handler, for example FortiAI-Event-Handler.
3. Enable a filter, and select FortiAI as the Log Device Type.
4. In Log type, select a FortiAI log type.
5. Configure the remaining settings as required, and click OK to save the event handler.
6. Events triggered by the event handler appear in FortiSoC > Event Monitor > All Events. The name of the event
handler is displayed in the table.
1. Go to Reports > Report Definitions > Datasets, and create or edit a dataset.
2. Select a FortiAI log type in the Log Type dropdown.
3. Configure the remaining settings as required, and click OK to save the dataset.
The dataset can now be used when configuring charts used in FortiAnalyzer reports.
Troubleshooting
The following topics provide guidance when troubleshooting report performance issues:
- Check the report diagnostic log on page 51
- Check hardware and software status on page 54
- Check data policy and log storage policy on page 55
- Check report and chart settings on page 55
- Check and adjust report auto-cache daemon on page 56
- Check and adjust report hcache on page 57
- Report performance troubleshooting commands on page 58
For reports that take a long time to run, check the report diagnostic log to troubleshoot performance issues.
To retrieve a report diagnostic log, go to Reports > Generated Report, right-click the report and select Retrieve
Diagnostic to download the log to your computer. Use a text editor to open the log and check the log for possible causes
of performance issues.
Following are parts of a sample report diagnostic log and what to look for when troubleshooting report performance.
NAME SCHEDULED AUTO-CACHE REPORT GROUP REPORT TITLE
==================================================================================
1 V V - Security Analysis
Report Status
Max pending rpts: 100000
Current pendings: 0
Max running rpts: 10
Current runnings: 2
NAME / SCHEDULED / AUTO-CACHE / REPORT GROUP: Check the SCHEDULED, AUTO-CACHE, and REPORT GROUP columns.
- Schedule the reports that run regularly. To configure report schedules, see
------------------------------------------
System Performance
Fri Aug 25 12:00:02 2017
------------------------------------------
CPU
Used: 34.4%
Used(Excluded NICE): 34.4%
Memory
Total: 34939888 KB
Used 23899636 KB 68.4%
Hard Disk
Total: 28837161872 KB
Used: 11171927688 KB 38.7%
IoStat:
Log Rate
logs/sec: 20326.8, logs/30sec: 20395.6, logs/60sec: 20274.2
Message Rate
msgs/sec: 3057.4, msgs/30sec: 3068.1, msgs/60sec: 3039.1
Total Quota Summary and System Storage Summary:
- Ensure there is enough disk quota and disk space for logging and reporting. Insufficient disk quota might affect report
accuracy. Disk quota must be big enough so that quota enforcement does not affect logs used for reporting. If quota
enforcement trims the logs or tables used for the reporting period, there might be empty charts or incorrect data.
System Performance:
- Check that there are enough system resources, including CPU, memory, and disk space.
- Check that the log rate and message rate are not so high that they slow report generation.
- If the log rate is higher than the sustained rates for your FortiAnalyzer model, the hardware is overloaded and needs
an upgrade. The sustained rates for FortiAnalyzer models are listed in the Data Sheet on the FortiAnalyzer web page.
------------------------------------------
Run Report
Fri Aug 25 12:00:03 2017
------------------------------------------
[12:00:03] Request hcaches for 9 log tables
chart Traffic-Bandwidth-Summary-Day-Of-Month done, 1 subqrys
1/1 took 17.88s, 0 hcaches ready, 2 hcaches requested
overall time used 18.13s
chart Session-Summary-Day-Of-Month done, 1 subqrys
1/1 took 15.54s, 0 hcaches ready, 2 hcaches requested
overall time used 15.80s
chart Traffic-History-By-Active-User done, 1 subqrys
1/1 took 12.79s, 0 hcaches ready, 2 hcaches requested
overall time used 13.07s
chart Top-Attack-Victim done, 1 subqrys
1/1 took 1.71s, 0 hcaches ready, 1 hcaches requested
overall time used 1.71s
chart Top-Attack-Source done, 1 subqrys
1/1 took 1.51s, 0 hcaches ready, 1 hcaches requested
overall time used 1.51s
chart Top-Attacks-Detected done, 1 subqrys
1/1 took 1.91s, 0 hcaches ready, 1 hcaches requested
overall time used 1.94s
…
…
…
chart System-Summary-By-Severity done, 1 subqrys
1/1 took 1.22s, 0 hcaches ready, 1 hcaches requested
overall time used 1.22s
chart System-Critical-Severity-Events done, 1 subqrys
1/1 took 1.18s, 0 hcaches ready, 1 hcaches requested
overall time used 1.18s
chart System-High-Severity-Events done, 1 subqrys
1/1 took 0.46s, 0 hcaches ready, 1 hcaches requested
overall time used 0.46s
------------------------------------------
Report Summary
Fri Aug 25 12:00:56 2017
------------------------------------------
Number of charts: 58
Number of tables: 9
Number of hcaches requested: 109
Report Summary:
- Check the number of hcaches requested, hcache building time, and rendering time. The number of hcaches
requested = number of charts per report * number of primary tables * number of reports.
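A quick way to act on the Run Report section of the diagnostic log above is to rank the charts by their overall time and check how many of the requested hcaches were already built when the report ran. The Python below is an added example, not a Fortinet tool: it parses the three-line chart/took/overall groups quoted in the sample log, ignores the surrounding headers and '...' lines, and reports the slowest charts and the hcache hit rate. Summing the took lines for charts with several sub-queries is an assumption, since the page's sample only shows 1/1; the embedded input is the excerpt from the page's sample log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Each chart appears as: "chart <name> done, <n> subqrys", one
# "<i>/<n> took ..." line per sub-query, then "overall time used <t>s".
_CHART_RE = re.compile(r"^chart (\S+) done, (\d+) subqrys$")
_TOOK_RE = re.compile(r"^(\d+)/(\d+) took ([\d.]+)s, (\d+) hcaches ready, (\d+) hcaches requested$")
_OVERALL_RE = re.compile(r"^overall time used ([\d.]+)s$")


@dataclass
class ChartStat:
    name: str
    subqueries: int
    took_s: float            # summed over the chart's sub-queries (assumption)
    hcaches_ready: int
    hcaches_requested: int
    overall_s: float


def parse_run_report(text: str) -> List[ChartStat]:
    """Extract per-chart statistics from the Run Report section; lines that
    belong to no chart (headers, timestamps, '...') are skipped."""
    stats: List[ChartStat] = []
    cur: Dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _CHART_RE.match(line)
        if m:
            cur = {"name": m.group(1), "subqueries": int(m.group(2)),
                   "took_s": 0.0, "hcaches_ready": 0, "hcaches_requested": 0}
            continue
        m = _TOOK_RE.match(line)
        if m and cur:
            cur["took_s"] += float(m.group(3))
            cur["hcaches_ready"] += int(m.group(4))
            cur["hcaches_requested"] += int(m.group(5))
            continue
        m = _OVERALL_RE.match(line)
        if m and cur:
            stats.append(ChartStat(overall_s=float(m.group(1)), **cur))
            cur = {}
    return stats


def slowest_charts(stats: List[ChartStat], n: int = 3) -> List[str]:
    """Names of the n charts with the largest overall time, slowest first."""
    return [s.name for s in sorted(stats, key=lambda s: s.overall_s, reverse=True)[:n]]


def hcache_hit_rate(stats: List[ChartStat]) -> float:
    """Share of requested hcaches that were already built. 0.0 means every
    chart built its cache during the run, so auto-cache did not help."""
    requested = sum(s.hcaches_requested for s in stats)
    return sum(s.hcaches_ready for s in stats) / requested if requested else 0.0


# Run Report excerpt from the page's sample diagnostic log.
SAMPLE_RUN_REPORT = """\
Run Report
Fri Aug 25 12:00:03 2017
------------------------------------------
[12:00:03] Request hcaches for 9 log tables
chart Traffic-Bandwidth-Summary-Day-Of-Month done, 1 subqrys
1/1 took 17.88s, 0 hcaches ready, 2 hcaches requested
overall time used 18.13s
chart Session-Summary-Day-Of-Month done, 1 subqrys
1/1 took 15.54s, 0 hcaches ready, 2 hcaches requested
overall time used 15.80s
chart Traffic-History-By-Active-User done, 1 subqrys
1/1 took 12.79s, 0 hcaches ready, 2 hcaches requested
overall time used 13.07s
chart Top-Attack-Victim done, 1 subqrys
1/1 took 1.71s, 0 hcaches ready, 1 hcaches requested
overall time used 1.71s
chart Top-Attack-Source done, 1 subqrys
1/1 took 1.51s, 0 hcaches ready, 1 hcaches requested
overall time used 1.51s
chart Top-Attacks-Detected done, 1 subqrys
1/1 took 1.91s, 0 hcaches ready, 1 hcaches requested
overall time used 1.94s
...
chart System-Summary-By-Severity done, 1 subqrys
1/1 took 1.22s, 0 hcaches ready, 1 hcaches requested
overall time used 1.22s
chart System-Critical-Severity-Events done, 1 subqrys
1/1 took 1.18s, 0 hcaches ready, 1 hcaches requested
overall time used 1.18s
chart System-High-Severity-Events done, 1 subqrys
1/1 took 0.46s, 0 hcaches ready, 1 hcaches requested
overall time used 0.46s
"""

if __name__ == "__main__":
    stats = parse_run_report(SAMPLE_RUN_REPORT)
    print(len(stats), "charts;", round(sum(s.overall_s for s in stats), 2), "s in total")
    print("slowest:", slowest_charts(stats))
    print("hcache hit rate:", hcache_hit_rate(stats))
```

On the page's sample the three Day-Of-Month and Active-User charts account for most of the run time and no requested hcache was ready, which is the pattern that points at the auto-cache and hcache checks later in this section.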
This command shows the system status such as platform type (hardware or VM), firmware version, system time, disk
usage, and file system format.
Use this information to check if the hardware is overloaded. This information also helps you and customer support to
quickly identify any issues and narrow down the investigation.
Following is a sample result of running this command.
Platform Type : FAZ3500E
Platform Full Name : FortiAnalyzer-3500E
Version : v5.4.3-build1187 170517 (GA)
Serial Number : FL99999999999999
BIOS version : 00010001
System Part-Number : P15168-01
Hostname : SAMPLEFZ350
Max Number of Admin Domains : 4000
Admin Domain Configuration : Disabled
FIPS Mode : Disabled
Branch Point : 738
Release Version Information : GA
Current Time : Tue May 23 10:22:53 PST 2017
Daylight Time Saving : Yes
Time Zone : (GMT-8:00) Pacific Time (US & Canada).
x86-64 Applications : Yes
Disk Usage : Free 17020.10GB, Total 40314.71GB
File System : Ext4
Line Notes
Current Time: This is the SQL insert start time.
File System: Ensure the file system is Ext4. Other file systems will likely cause performance issues.
Check that the data policy and log storage policy are configured properly for each ADOM in each FortiAnalyzer unit. The
data policy specifies how long to keep logs. The log storage policy affects logs and the SQL database. For details, see
the FortiAnalyzer Administration Guide.
Resolving hostnames usually takes a long time. If the DNS server is slow or does not support reverse DNS, report
generation might hang. Check that Resolve Hostname is disabled:
- In Reports Settings tab > Advanced Settings, check that Resolve Hostname is not selected.
- In the Chart Library, check that Resolve Hostname is set to Disabled.
If you do not need to show all results, specify a lower maximum number of entries:
- In the Chart Library, check that the chart's Show Top (0 for all results) is not set too high.
Setting this field to 0 for all results causes FortiAnalyzer to list all logs for the chart.
This command shows system performance statistics such as CPU, memory, and I/O usage.
Following is a sample result of running this command.
CPU:
Used: 49.51%
Used(Excluded NICE): 49.51%
%used %user %nice %sys %idle %iowait %irq %softirq
CPU0 27.89 20.60 0.00 5.40 96.42 0.80 0.00 1.79
CPU1 21.62 12.61 0.00 8.20 98.38 0.40 0.00 0.40
Memory:
Total: 6,134,200 KB
Used: 3,770,260 KB 61.5%
Hard Disk:
Total: 82,434,736 KB
Used: 65,283,648 KB 79.2%
IOStat: tps r_tps w_tps r_kB/s w_kB/s queue wait_ms svc_ms %util sampling_sec
4.7 0.2 4.4 27.5 144.2 0.2 52.5 8.4 3.9 599578.78
Flash Disk:
Total: 499,656 KB
Used: 314,416 KB 62.9%
IOStat: tps r_tps w_tps r_kB/s w_kB/s queue wait_ms svc_ms %util sampling_sec
0.0 0.0 0.0 0.0 0.0 0.0 13.6 4.6 0.0 599578.78
Following is a sample result of high %iowait. To see the iowait usage and limit, first enable debug messages for SQL
commands (diagnose debug enable) and set the debug level (diagnose debug application sqlrptcached 8).
FAZVM64 # [530] iowait usage (27.5%) is over limit (23%).
[530] iowait usage (25.9%) is over limit (23%).
[530] iowait usage (28.3%) is over limit (23%).
list-schedule <ADOM>. To configure report schedules, see Scheduling reports in the FortiAnalyzer
Administration Guide.
- Enable aggressive-schedule so the report auto-cache daemon does not stop even under heavy system load:
config system report auto-cache
set aggressive-schedule enable
end
The following table provides notes about some output lines in the example.
Line Notes
Number of log table read: pending=0 means hcache creation is able to catch up. If pending is above 0, see What to
look for below.
Number of log table done: The number of primary tables used to calculate the Number of hcache requests sent.
Current hcache table entries: Total hcache on the system.
Number of hcache requests sent: The number of charts per report * the number of primary tables * the number of
reports.
Number of log table vacuums: The postgres built-in status. A pending number above 0 indicates insufficient postgres
resources.
FortiView hcache load: rounds is the number of FortiView caches proactively loaded into memory.
ncmdb: Report configuration database.
cache hit: config is the number of enabled auto cache.
- In Number of log table read, if the pending number is continuously above 0 or is increasing, that indicates
there are too many pending log tables to read and the system lacks resources to create cache. In this case,
consider disabling auto-cache on some reports. See Enabling auto-cache and Reports Settings tab in the
FortiAnalyzer Administration Guide.
- Run execute sql-report list-schedule <ADOM> and check if there are too many scheduled reports and if
auto-cache is enabled. See Scheduling reports and Enabling auto-cache in the FortiAnalyzer Administration Guide.
- Run execute top to check which applications are using the most system resources.
device list[0].FWF60C3G13006291[root].
device list[1].FG3K2C3Z11800039[root].
......
CLI Description
diagnose debug application sqlrptcached 8: Set the debug level of the SQL report cache daemon.
diagnose fortilogd msgrate: Show message receive rate. One message might contain multiple logs.
diagnose log device: Show disk quota for all logging devices.
diagnose report status: Show the maximum number of pending and running reports, and the current number of pending
and running reports.
diagnose test application sqlrptcached 2: Show if hcache creation is able to catch up.
diagnose sql status run-sql-rpt: List the number of log tables, hcaches, and the time to generate each chart in the
report.
diagnose sql status sqlreportd: Show SQL query connections and hcache status.
execute sql-report list-schedule <ADOM>: Show a summary table of all configured reports with their configuration
status.
execute top: List the processes running on the FortiAnalyzer system.
get system performance: Show system performance statistics such as CPU, memory, and I/O usage.
get system status: Show the system status such as platform type (hardware or VM), firmware version, system time,
disk usage, and file system format. Use this information to check if the hardware is overloaded. This information also
helps you and customer support to quickly identify any issues and narrow down the investigation.
- Ensure Version is the latest software version.
performance issues.
show system report auto-cache: Show non-default settings in the report auto-cache. Ensure auto-cache is enabled by
running these commands:
config system report auto-cache
    set status enable
end
This topic provides a list and an example of common issues in a custom dataset that cannot be identified by the dataset
test console.
Common issues:
The following SQL functions can be used to format or convert different data types:
The following macros can be used to fine tune date and time formatting in a dataset:
$day_of_week    Displays number and name of the day of the week (WDAY 2-Mon).    Mon
To troubleshoot an empty chart in a report, go to Log View to verify logs are incoming.
- If you see logs, check for SQL errors.
- If you don't see any logs, the daemon may have stopped working.
The following table provides a list of CLI commands to troubleshoot an empty chart in a report:
Command Description
Common issues
The following table provides a list of common issues that may produce an empty chart in a report:
Issue                             Description
Log field changed after upgrade   This can be identified by a dataset test console or SQL debug.
Hcache corrupt                    Clear hcache before running the report (dia sql remove hcache).
“logver” issue                    Some datasets use the field “logver” to identify the FOS log version. Go to Log View and search for logver=*. If there are no records, you may need to upgrade.
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.