Difference between revisions of "FortiManager & FortiAnalyzer"
Latest revision as of 11:48, 22 February 2021
Replace a device in FortiManager after failure of an active unit (delete the unregistered replacement device first, then bind the old device entry to the new serial number and reclaim the management tunnel):
execute device replace sn <device_name> <serial>
execute fgfm reclaim-dev-tunnel
Restore FortiManager configuration
execute migrate all-settings <ftp | scp | sftp> <server> <filepath> <user> <password> [cryptpasswd]
Enable scheduled scripts in FortiManager
config system admin setting
    set show_schedule_script enable
end
Clear hit counters
execute reset hitcount
Fix stuck tasks in FortiManager
diag dvm task repair
Troubleshoot/debug a policy push on FortiManager (useful when the task log shows only meaningless errors). Disable debugging again when finished:
diag debug app securityconsole 255
diag debug enable
Configure a periodic backup to a remote server (values below are placeholders; passwd is the account password on the backup server, crptpasswd encrypts the backup file and is the same password you must supply as [cryptpasswd] when restoring with execute migrate all-settings):
config system backup all-settings
    set status enable
    set server "10.1.10.2"
    set user "backup"
    set directory "/home/backup/"
    set week_days sunday
    set time "23:00:00"
    set passwd 1234
    set crptpasswd 1234
end
Troubleshoot FortiGuard updates (AV and IPS signatures)
diag autoupdate status
diag autoupdate versions
Rebuild the DB index from log data in FortiAnalyzer, then monitor progress
exec sql-local rebuild-db
diag sql status rebuild-db
Visualizing events per second and per log type
diag fortilogd lograte
diag fortilogd msgrate-type
Archiving logs from FortiAnalyzer to an external server. Afterwards, enable 'Delete log files older than' in System Settings > File Management so local storage is reclaimed only once a copy exists elsewhere.
execute backup logs all ftp|sftp|scp <server> <username> <password>
Enable syslog forwarding on FortiGate devices (reliable disable sends plain UDP syslog; set reliable enable for TCP delivery)
config log syslogd setting
    set status enable
    set server 192.168.1.50
    set reliable disable   # UDP
    set port 514
    set csv disable
    set facility alert
    set source-ip 192.168.1.254
end
Sending alerts based on log messages with a certain severity level, or on text contained in the logs ("warning" below is the name of the alert-event entry; the mail addresses, the comparison operator and the grep string are placeholders):
config system alert-event
    edit warning
        config alert-destination
            edit 1
                set type mail
                set from [email protected]
                set to [email protected]
                set smtp-name mail.example.com
            end
        end
        set enable-severity-filter enable
        set severity-level-log error
        set severity-level-comp =
        set severity-filter medium
        set event-time-period 1
        set num-events 5
        set enable-generic-text enable
        set generic-text <string>
    end
end
More information about the settings above:
enable-severity-filter enable
severity-level-log {no-check | information | notify | warning | error | critical | alert | emergency}
severity-level-comp {>= | = | <=}   # Set the severity level in relation to the log level at which messages are monitored. For example, alerts may be monitored if the messages are greater than or equal to (>=) the warning log level
severity-filter medium              # Set the alert severity indicator for the alert message sent to the recipient
event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168}   # The period of time in hours; if the threshold number of events is exceeded within it, the event is reported
num-events {1 | 5 | 10 | 50 | 100}  # Set the number of events that must occur in the given interval before it is reported
enable-generic-text enable          # Enable grep mode
generic-text <string>               # Enter the text the alert looks for in the log message
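The following Python script is an added example and is not part of the original wiki page or any Fortinet product. It parses FortiGate syslog messages in their key=value format (the lines forwarded by the syslogd setting above) and applies the alert-event matching rules just described: the severity comparison (severity-level-log and severity-level-comp), the generic-text grep, and the num-events-within-event-time-period threshold. The log lines, device names and addresses are constructed for the example; the assumption that the counting window restarts after each firing is the author's simplification and may differ from how FortiAnalyzer counts.

```python
"""Emulate FortiAnalyzer alert-event matching over FortiGate syslog lines.

Added example, not Fortinet code. Log lines below are constructed.
"""
import re
from datetime import datetime, timedelta

# Severity names as listed in the alert-event CLI help, ascending order.
# "no-check" disables the severity comparison.
SEVERITY_ORDER = ["information", "notify", "warning", "error",
                  "critical", "alert", "emergency"]

# key=value pairs: value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines in FortiGate key=value syslog format.
SAMPLE_LOGS = [
    'date=2021-02-22 time=10:00:05 devname="fgt-edge-1" devid="FGEXAMPLE0001" logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=203.0.113.7 msg="Administrator admin login failed from ssh(203.0.113.7) because of invalid password"',
    'date=2021-02-22 time=10:01:10 devname="fgt-edge-1" devid="FGEXAMPLE0001" logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=203.0.113.7 msg="Administrator admin login failed from ssh(203.0.113.7) because of invalid password"',
    'date=2021-02-22 time=10:02:30 devname="fgt-edge-1" devid="FGEXAMPLE0001" logid="0100020100" type="event" subtype="system" level="warning" logdesc="Interface status changed" msg="Link status changed for port2 to down"',
    'date=2021-02-22 time=10:03:00 devname="fgt-edge-1" devid="FGEXAMPLE0001" logid="0100044547" type="event" subtype="system" level="error" logdesc="Config restore failed" msg="Configuration restore failed"',
    'date=2021-02-22 time=10:04:00 devname="fgt-edge-1" devid="FGEXAMPLE0001" logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=203.0.113.7 msg="Administrator admin login failed from ssh(203.0.113.7) because of invalid password"',
    'date=2021-02-22 time=10:05:00 devname="fgt-edge-1" devid="FGEXAMPLE0001" logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="ops" srcip=192.168.1.20 msg="Administrator ops logged in successfully from https(192.168.1.20)"',
    'date=2021-02-22 time=10:06:00 devname="fgt-edge-1" devid="FGEXAMPLE0001" logid="0419016384" type="utm" subtype="ips" level="critical" logdesc="IPS signature detected" srcip=198.51.100.9 msg="IPS signature matched"',
    'date=2021-02-22 time=10:40:00 devname="fgt-edge-1" devid="FGEXAMPLE0001" logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=203.0.113.7 msg="Administrator admin login failed from ssh(203.0.113.7) because of invalid password"',
    'date=2021-02-22 time=12:30:00 devname="fgt-edge-1" devid="FGEXAMPLE0001" logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=203.0.113.7 msg="Administrator admin login failed from ssh(203.0.113.7) because of invalid password"',
]


def parse_fortigate_log(line):
    """Parse one FortiGate syslog message into a dict of its key=value fields."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def severity_matches(level, rule_level, comp):
    """Apply severity-level-log / severity-level-comp to a message's level."""
    if rule_level == "no-check":
        return True
    if level not in SEVERITY_ORDER:
        return False
    have, want = SEVERITY_ORDER.index(level), SEVERITY_ORDER.index(rule_level)
    return {">=": have >= want, "=": have == want, "<=": have <= want}[comp]


def evaluate_alert_rule(lines, rule):
    """Return the timestamps at which the alert rule would fire.

    rule keys mirror the CLI: severity_level_log, severity_level_comp,
    event_time_period (hours), num_events, generic_text (None = grep off).
    Fires when num_events matching messages fall inside one event_time_period
    window; the window is restarted after each firing (assumption).
    """
    matches = []
    for line in lines:
        f = parse_fortigate_log(line)
        if not severity_matches(f.get("level", ""), rule["severity_level_log"],
                                rule["severity_level_comp"]):
            continue
        if rule.get("generic_text") and rule["generic_text"] not in line:
            continue
        matches.append(datetime.strptime(f["date"] + " " + f["time"],
                                         "%Y-%m-%d %H:%M:%S"))
    matches.sort()
    window = timedelta(hours=rule["event_time_period"])
    fired, pending = [], []
    for ts in matches:
        pending = [t for t in pending if ts - t <= window] + [ts]
        if len(pending) >= rule["num_events"]:
            fired.append(ts)
            pending = []
    return fired


# Rule equivalent to: severity-level-log error, severity-level-comp >=,
# event-time-period 1, num-events 5, generic text disabled.
SEVERITY_RULE = {"severity_level_log": "error", "severity_level_comp": ">=",
                 "event_time_period": 1, "num_events": 5, "generic_text": None}

# Rule equivalent to: severity-level-log no-check, generic-text "login failed".
GREP_RULE = {"severity_level_log": "no-check", "severity_level_comp": ">=",
             "event_time_period": 1, "num_events": 5,
             "generic_text": "login failed"}

if __name__ == "__main__":
    print("severity rule fires at:", evaluate_alert_rule(SAMPLE_LOGS, SEVERITY_RULE))
    print("grep rule fires at:", evaluate_alert_rule(SAMPLE_LOGS, GREP_RULE))
```

With the sample lines, the severity rule fires once (at 10:06:00, the fifth message at error or above inside one hour), while the grep rule with num-events 5 never fires because only four "login failed" messages fall inside any one-hour window; lowering num-events to 1 makes it fire on every matching line, which is the setting to use when the grep string alone is the indicator.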