ddsouza_FTNT
Staff
February 7, 2022

Technical Tip: How to collect the logs needed for investigating the Anomaly Detection related issues

Description: This article describes how to collect the logs needed for investigating Anomaly Detection issues.

Scope: FortiWeb v6.3 and above.

Solution:

Debug output:

Open an SSH session to the FortiWeb and execute the following commands.

diagnose debug reset
diagnose debug timestamp enable
diagnose debug flow filter http-detail 4
diagnose debug flow filter flow-detail 4
diagnose debug application bot-detection 7
diagnose debug flow filter client-ip <client IP>
diagnose debug flow filter server-ip <virtual IP>
diagnose debug info
diagnose debug enable

Front-end capture:

Log in to the GUI and go to System -> Network -> Packet Capture. Select the interface as <VIP interface>, Host IP/Netmask as the client IP, port as <port used in the virtual server>, and maximum packet count 10000, then select Save and select the Triangle button to run the capture.

Note:

If the client's IP address is source NATed along the path, use the Source NAT IP as the client IP in both the debug filter and the packet capture.

Reproduce the problem:

Take a screenshot of the error seen on the client machine.

Stop the debug and capture:

After reproducing the problem, stop the debug and capture.

To stop the debug, run the following commands.

diagnose debug disable
diagnose debug reset
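The start and stop sequences above can be wrapped in a small script so the debug is always reset when collection ends, even if the session is interrupted. This is an added example, not part of the original article or a Fortinet tool; it assumes SSH access to the FortiWeb management interface with an account that can run diagnose commands, and the host and output file names are constructed placeholders.

```bash
#!/bin/sh
# Added example (not from the original article): collects the Anomaly Detection
# debug output over SSH and guarantees the debug is disabled and reset afterwards.
# Assumption: the FortiWeb accepts CLI commands piped over a non-interactive SSH session.
set -eu

# Emit the article's start sequence with the two filters filled in.
build_start_commands() {
    client_ip="$1"   # real client IP, or the Source NAT IP if the client is NATed
    vip="$2"         # virtual IP of the server policy under investigation
    cat <<EOF
diagnose debug reset
diagnose debug timestamp enable
diagnose debug flow filter http-detail 4
diagnose debug flow filter flow-detail 4
diagnose debug application bot-detection 7
diagnose debug flow filter client-ip ${client_ip}
diagnose debug flow filter server-ip ${vip}
diagnose debug info
diagnose debug enable
EOF
}

# The article's stop sequence.
build_stop_commands() {
    printf '%s\n' 'diagnose debug disable' 'diagnose debug reset'
}

# Accept only a dotted-quad IPv4 address, so a typo cannot silently drop the filter
# and leave an unfiltered, high-level debug running on a production device.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Usage: collect_debug <fortiweb-host> <client-ip> <vip> <output-file>
# Reproduce the problem while this runs; press Ctrl-D (or Ctrl-C) to finish.
collect_debug() {
    host="$1"; client_ip="$2"; vip="$3"; out="$4"
    valid_ipv4 "$client_ip" && valid_ipv4 "$vip" || { echo "invalid IP address" >&2; return 1; }
    # Whatever ends the session, send the stop sequence so debug is never left enabled.
    trap 'build_stop_commands | ssh "$host" >/dev/null 2>&1' EXIT INT TERM
    # Start commands first, then forward the operator's keyboard until EOF.
    { build_start_commands "$client_ip" "$vip"; cat; } | ssh "$host" | tee "$out"
}
```

Run it as `collect_debug fortiweb.example.net 203.0.113.7 198.51.100.20 anomaly-debug.txt` (constructed values); the tee'd file is what gets attached to the ticket.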

Download the following files from the unit:

* Traffic logs.
* Event logs.
* Attack logs.
* Config file: go to System -> Backup & Restore, enable 'Include Machine Learning Data' and select 'Backup'.


* ML Anomaly Detection .dat file: go to Policy -> Server Policy, edit the Server Policy in question -> Machine Learning -> Anomaly Detection -> Export.

Attach all of the files when raising the ticket so TAC can review them.