Troubleshooting Tip: FortiWeb is not sending the attack logs to Threat Analytics on FortiAppSec
| Description | This article describes how to resolve an issue where FortiWeb is not sending the attack logs to FortiAppSec even though the Threat Analytics status is up and connected. |
| Scope | FortiWeb. |
| Solution | Step 1: Verify that FortiWeb is successfully generating the attack logs:
Under Log & Report -> Log Config -> Global Log Settings: verify that Attack log is marked with log level of 'Information'.
Under Log & Report -> Log Access -> Attack log: verify that the attack logs are being generated.
Step 2: In the Dashboard, select Threat Analytics in the system information widget, then log in to the AppSec account.
Step 3: Verify the Threat Analytics connectivity:
diagnose system threat-analytics info
WS Connection: Connected =========> Here the status is "connected"
Step 4: Packet capture the connection between FortiWeb and FortiAppSec on port 9194:
In the above example, the SYN packets are being sent out of FortiWeb, but the SYN-ACKs are not being received back. This can be resolved by allowing port 9194 on the firewall.
diagnose system threat-analytics info
diagnose debug application logd 7
diagnose debug enable
Disable Threat Analytics in the Dashboard -> System information widget, then re-enable it. Wait for 2-3 minutes, then attach the outputs to a FortiWeb support ticket at the Fortinet Support portal.
Additional information: Make sure FortiWeb is allowed to access the Internet via TCP port 443 and DNS without SSL inspection (remember to disable SSL inspection for the FortiWeb appliance).
|
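The Step 4 check, as an added example that is not part of the original article: a short script that reads a packet capture in tcpdump text format and reports flows to port 9194 where SYNs went out but no SYN-ACK came back. The capture format, the sample addresses (documentation ranges) and the function name `unanswered_syns` are assumptions made for this example.

```python
import re
from collections import defaultdict

PORT = 9194  # Threat Analytics port named in Step 4

# Constructed sample in tcpdump text format; addresses are documentation ranges.
SAMPLE = """\
10:00:01.000000 IP 192.0.2.10.40001 > 203.0.113.5.9194: Flags [S], seq 100, win 64240, length 0
10:00:02.000000 IP 192.0.2.10.40001 > 203.0.113.5.9194: Flags [S], seq 100, win 64240, length 0
10:00:04.000000 IP 192.0.2.10.40001 > 203.0.113.5.9194: Flags [S], seq 100, win 64240, length 0
10:00:05.000000 IP 192.0.2.10.40002 > 203.0.113.5.9194: Flags [S], seq 200, win 64240, length 0
10:00:05.050000 IP 203.0.113.5.9194 > 192.0.2.10.40002: Flags [S.], seq 900, ack 201, win 65535, length 0
10:00:05.051000 IP 192.0.2.10.40002 > 203.0.113.5.9194: Flags [.], ack 901, win 64240, length 0
"""

# Matches "IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]"
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def unanswered_syns(capture_text, port=PORT):
    """Return {(client, client_port, server): syn_count} for flows to `port`
    that sent SYNs but never received a SYN-ACK."""
    syns = defaultdict(int)
    answered = set()
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip non-TCP or unparsable lines
        src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        if flags == "S" and dport == port:
            syns[(src, sport, dst)] += 1          # outbound SYN (incl. retransmits)
        elif flags == "S." and sport == port:
            answered.add((dst, dport, src))       # SYN-ACK seen for this flow
    return {flow: n for flow, n in syns.items() if flow not in answered}


if __name__ == "__main__":
    for (client, cport, server), n in unanswered_syns(SAMPLE).items():
        print(f"{client}:{cport} -> {server}:{PORT}: {n} SYN(s), no SYN-ACK; "
              f"check that the firewall allows port {PORT}")
```

Repeated SYNs with the same source port are retransmissions, which is the pattern the article attributes to port 9194 being blocked on the firewall.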


