Difference between revisions of "FortiManager & FortiAnalyzer"

From Tech-Wiki
Jump to: navigation, search
 
(5 intermediate revisions by the same user not shown)
Line 4: Line 4:
 
  execute device replace sn <device_name> <serial>
 
  execute device replace sn <device_name> <serial>
 
  execute fgfm reclaim-dev-tunnel
 
  execute fgfm reclaim-dev-tunnel
 +
 +
Restore FortiManager configuration
 +
execute migrate all-settings <ftp | scp | sftp> <server> <filepath> <user> <password> [cryptpasswd]
  
 
Enable scheduled scripts in FortiManager
 
Enable scheduled scripts in FortiManager
Line 11: Line 14:
 
Clear hit counters
 
Clear hit counters
 
  execute reset hitcount
 
  execute reset hitcount
 +
 +
Fix stuck tasks in FortiManager
 +
diag dvm task repair
 +
 +
Troubleshoot/Debug policy push on FortiManager (as meaningless errors)
 +
diag debug app securityconsole 255
 +
diag debug enable
 +
 +
Configure periodic backup to remote server:
 +
config system backup all-settings
 +
    set status enable
 +
    set server "10.1.10.2"
 +
    set user "backup"
 +
    set directory "/home/backup/"
 +
    set week_days sunday
 +
    set time "23:00:00"
 +
    set passwd 1234
 +
    set crptpasswd 1234
 +
end
 +
 +
Troubleshoot FortiGuard (AV and IPS signatures)
 +
diag autoupdate status
 +
diag autoupdate versions
  
 
Rebuild DB index from log data in FortiAnalyzer
 
Rebuild DB index from log data in FortiAnalyzer
 
  exec sql-local rebuild-db
 
  exec sql-local rebuild-db
 
  diag sql status rebuilbd-db
 
  diag sql status rebuilbd-db
 +
 +
Visualizing events per second and type
 +
diag fortilogd lograte
 +
diag fortilogd msgrate-type
  
 
Archiving logs from FortiAnalyser to external server. Then, enable ‘Delete log file older than’ in System Settings | File Management
 
Archiving logs from FortiAnalyser to external server. Then, enable ‘Delete log file older than’ in System Settings | File Management

Latest revision as of 11:48, 22 February 2021


Replace a device in FortiManager in case of failure of an active unit. (Remember to delete the unregistered device first)

execute device replace sn <device_name> <serial>
execute fgfm reclaim-dev-tunnel

Restore FortiManager configuration

execute migrate all-settings <ftp | scp | sftp> <server> <filepath> <user> <password> [cryptpasswd]

Enable scheduled scripts in FortiManager

config system admin setting
  set show_schedule_script enable

Clear hit counters

execute reset hitcount

Fix stuck tasks in FortiManager

diag dvm task repair

Troubleshoot/Debug policy push on FortiManager (as meaningless errors)

diag debug app securityconsole 255
diag debug enable

Configure periodic backup to remote server:

config system backup all-settings
   set status enable
   set server "10.1.10.2"
   set user "backup"
   set directory "/home/backup/"
   set week_days sunday
   set time "23:00:00"
   set passwd 1234
   set crptpasswd 1234
end

Troubleshoot FortiGuard (AV and IPS signatures)

diag autoupdate status
diag autoupdate versions

Rebuild DB index from log data in FortiAnalyzer

exec sql-local rebuild-db
diag sql status rebuilbd-db

Visualizing events per second and type

diag fortilogd lograte
diag fortilogd msgrate-type

Archiving logs from FortiAnalyser to external server. Then, enable ‘Delete log file older than’ in System Settings | File Management

execute backup logs all ftp|sftp|scp <server> <username> <password>

Enable syslog forwarding on Fortigate devices

 config log syslogd setting
   set status enable
   set server 192.168.1.50
   set reliable disable    (UDP)
   set port 514
   set csv disable
   set facility alert
   set source-ip 192.168.1.254
 end

Sending alerts out based on log messages with certain severity levels, or information within the logs.

 config system alert-event
   edit warning
     config alert-destination
   edit 1
     set type mail
     set from [email protected]
     set to [email protected]
     set smtp-name mail.example.com
   end
   set enable-severity-filter enable
   set severity-level-log error
   set severity-level-comp =
   set severity-filter medium
   set event-time-period 1
   set num-events 5
   set enable-generic-text enable
   set generic-text <string>
 end

More information about above:

enable-severity-filter enable
severity-level-log {no-check | information | notify | warning |error | critical | alert | emergency}
severity-level-comp {>= | = | <=}  # Set the severity level in relation to the log level which they are monitored. 
                                   For example, alerts may be monitored if the messages are greater than, and equal to (>=) Warning log level
severity-filter medium # Set the alert severity indicator for the alert message sent to the recipient
event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168} # The period of time in hours during which if the threshold number is exceeded, the event will be reported
num-events {1 | 5 | 10 | 50 | 100}  # Set the number of events that must occur in the given interval before it is reported.
enable-generic-text enable  # Enable Grep mode
generic-text <string>  # Enter the text the alert looks for in the log message