Technical Tip: Create two conditions with the Correlation Event Handler on FortiAnalyzer

Scenario:

The FortiGate has two ISPs and is configured to trigger an alert when each link remains down for 2 minutes. The FortiGate has the Link Monitor feature set up for both interfaces, WAN1 and WAN2.

Solution:

1. Create the correlation event handler:
   1. Go to Incidents & Events
   2. Create new and type the name
   3. On event handler select the Correlation options
   4. Create the Correlation Sequence like the image below:

• Rule: isp-down-wan1
  
  

• Rule: isp-up-wan1

• Replicate the rule above for WAN2 by changing the interface under the Generic Text Filter.
• Set the Correlation Criteria like the image below:

• Select OK to create the Correlation Event Handler.

2. Check the events under Incidents & Events -> Event Monitor -> All Events:

• Event - WAN2:

• Logs - WAN2:

• Event - WAN1:

• Logs - WAN1:

Note:

• If the Correlation Event Handler is created using 'OR' in the middle, the FortiAnalyzer will follow the logic shown in the image below. This logic will be applied:

(isp-down-wan1 NOT_FOLLOWED_BY[2m] (isp-up-wan1 OR isp-down-wan2)) NOT_FOLLOWED_BY[2m] isp-up-wan2

• Instead of:

(isp-down-wan1 NOT_FOLLOWED_BY[2m] isp-up-wan1) OR (isp-down-wan2 NOT_FOLLOWED_BY[2m] isp-up-wan2)

• The Correlation Event Handler for this example is attached 2m-LinkMonitor-wan1-wan2.zip.
  
  

Related articles:

Creating a custom correlation handler - FortiAnalyzer administration guide

Troubleshooting Tip: How to troubleshoot for an event handler related issue