Troubleshooting Tip: How to check the status of a rule from the backend in FortiSIEM

The rule status can be found mainly in cache, Redis and Database. It is important that the rule status is the same while checking in cache/redis/database level.

The following steps can be followed to check the status of rule from backend.

• Find the rule from the URL below which will confirm the status of the rule in the cache and database:

https://<IP>/phoenix/rest/dataRequest/rule

Replace <IP> with the actual IP/FQDN of Supervisor.

• Check for a line similar to the following:

<CustomerScope groupBy EachCustomer=\”true\”>

<Include all=\”true\”/>

<Exclude/>

• If Include all=true, it means the rule status is enabled for all the respective Organizations. If <Exclude/> contains any Organization ID, it means the rule has been disabled for respective Organization.
• For example, the image below shows the status of the 'Permitted Traffic from OpenCTI Malware IP List' rule in the cache.
• Note down the dbId which would be used to check rule status in Redis in the next step.

• Check the Supervisor CLI with the following command to confirm the status of the rule from Redis.

redis-cli -p 6666 -a `phLicenseTool --showRedisPassword` hget /v1/rules rule-<ID>

Replace <ID> with the dbId of the rule noticed from the cache.

• In the Redis output, look for the following line:

<CustomerScope groupBy EachCustomer=\”true\”>

<Include all=\”true\”/>

<Exclude/>

• The output above explains how the rule status is enabled for all of the respective Organizations. If <Exclude/> contains any Organization ID, it means the rule has been disabled for the respective Organization. 
• Repeat this procedure to check the status of any other rules.