rulirahm
New Member
May 12, 2011
Question

What do these errors mean?

  • May 12, 2011
  • 16 replies
  • 23320 views
Hi, currently we are using a FortiAnalyzer-1000B to analyze and report on log data from a FortiGate 800. We received these errors in the Alert Message Console widget:

1. "The log disk has not been checked for errors for 57 mounts. You should run 'diag sys file-system fsfix'. If unsuccessful, you can also try running 'diag sys file-system fsrebuild'."
What if I try to run 'diag sys file-system fsfix' or 'diag sys file-system fsrebuild'? Is my FA going to be just fine? What are the risks if these commands (the commands must be run from the CLI console, right?) fail to run? And how long will these commands take to execute? (Our FA hard disk's size is 916.89GB (Usage: 5.22GB of 916.89GB).)

2. "The configured primary DNS server is not reachable. A valid DNS server is required for resolving IP addresses to hostnames in reports." "The configured secondary DNS server is not reachable. A valid DNS server is required for resolving IP addresses to hostnames in reports."
I've tried to use local and supplied DNS (DNS supplied by our ISP). But we still receive the same errors. How do we fix it?

3. "Failed to transfer file 1503:1628870483:104 to FortiAnalyzer: No such file or directory." "The system has deactivated session fail mode" "The system has entered conserve mode" "The system has activated session fail mode" "The system has entered system conserve mode" "The system exited conserve mode"
We receive tons of these errors. What do they mean and how do we fix them?


    ede_pfau
    SuperUser
    May 12, 2011
    Hi, and welcome to the forums! You seem to have serious trouble with your FAZ. First of all, I would recommend you get professional help to guide you. Depending on your service contract you may open a support case with Fortinet, especially if it includes phone support or web chat.

    1. File system errors: You should take precautions for an extended downtime of the FAZ and execute the first diag command from the CLI. This is like an 'fsck' on a UNIX machine, meaning it might take some time. I will not give in to estimating what that would be in your case; more likely hours than minutes. This should fix the apparent file system errors. It looks to me like you've had a lot of power outages which made the FAZ reboot. Could that be the case here?

    2. It's just what it says. Either the DNS addresses are wrong or the FAZ cannot connect to them. The route to the DNS might be missing, or a firewall in between might block this traffic... there are many options but all of them are straightforward and you should be able to resolve this.

    3. Your FAZ ran out of memory. If memory usage increases beyond 80% the FAZ (like a FortiGate) begins to shut down less important services. During this emergency situation a file needed to be quarantined or a log file had to be rolled over and the device just couldn't do it. You should check what makes the FAZ go screaming like this. It is definitely not a situation to live with and ignore.
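The reply above explains the three message families (the unchecked-mount-count warning, the DNS warnings, and the conserve-mode / session-fail / transfer-failure sequence). Below is an added triage script, not code from the thread or from Fortinet, that reads a dump of such alert-console messages and summarises them: it pulls the mount count out of the file-system warning, lists which DNS servers are reported unreachable, pairs "entered conserve mode" with "exited conserve mode" into episodes with durations, counts transfer failures that happened while the box was in conserve mode, and flags repeated episodes as flapping. The "date time severity message" line layout, the threshold for the mount count and the sample lines themselves are constructed for the example; only the message texts (and the file id) are the ones quoted in the question.

```python
import re
from datetime import datetime

# Constructed sample input for this example. The message texts are the ones quoted in the
# thread; the "date time severity" prefix is an assumed line format, not the real FAZ
# alert-console format. The file id 1503:1628870483:104 is the one from the original post.
SAMPLE_ALERTS = """\
2011-05-12 08:01:15 warning  The log disk has not been checked for errors for 57 mounts. You should run 'diag sys file-system fsfix'. If unsuccessful, you can also try running 'diag sys file-system fsrebuild'.
2011-05-12 08:01:16 warning  The configured primary DNS server is not reachable. A valid DNS server is required for resolving IP addresses to hostnames in reports.
2011-05-12 08:01:16 warning  The configured secondary DNS server is not reachable. A valid DNS server is required for resolving IP addresses to hostnames in reports.
2011-05-12 09:10:02 critical The system has entered conserve mode
2011-05-12 09:10:03 critical The system has activated session fail mode
2011-05-12 09:10:40 error    Failed to transfer file 1503:1628870483:104 to FortiAnalyzer: No such file or directory.
2011-05-12 09:25:11 notice   The system exited conserve mode
2011-05-12 09:25:12 notice   The system has deactivated session fail mode
2011-05-12 09:31:50 critical The system has entered system conserve mode
2011-05-12 09:40:05 notice   The system exited conserve mode
2011-05-12 10:02:33 critical The system has entered conserve mode
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\w+)\s+(.*)$")

# One (kind, pattern) per message family seen in the thread; first match wins.
PATTERNS = [
    ("fs_unchecked", re.compile(r"has not been checked for errors for (\d+) mounts")),
    ("dns_unreachable", re.compile(r"configured (primary|secondary) DNS server is not reachable")),
    ("conserve_enter", re.compile(r"has entered (?:system )?conserve mode")),
    ("conserve_exit", re.compile(r"exited (?:system )?conserve mode")),
    ("session_fail_on", re.compile(r"has activated session fail mode")),
    ("session_fail_off", re.compile(r"has deactivated session fail mode")),
    ("transfer_failed", re.compile(r"Failed to transfer file (\S+) to FortiAnalyzer")),
]


def parse_alert(line):
    """Split one assumed-format line into (timestamp, severity, message)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert line: %r" % line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def classify(message):
    """Return (kind, match) for a known message family, or ("other", None)."""
    for kind, pattern in PATTERNS:
        m = pattern.search(message)
        if m:
            return kind, m
    return "other", None


def triage(text, max_mounts=50, flap_threshold=2):
    """Summarise an alert-console dump.

    max_mounts is an assumed threshold for flagging the unchecked-mount-count message
    (the real limit is a property of the file system and is not known from the thread);
    flap_threshold is the number of conserve-mode episodes from which we call it flapping.
    """
    summary = {
        "mount_count": None, "fs_check_due": False,
        "dns_unreachable": [],
        "conserve_episodes": [],       # (entered, exited, seconds)
        "conserve_open": False,        # entered conserve mode with no exit seen
        "unmatched_exits": 0,          # exit seen without a preceding enter
        "transfers_failed_total": 0,
        "transfers_failed_in_conserve": 0,
        "flapping": False,
    }
    entered_at = None
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _severity, message = parse_alert(line)
        kind, m = classify(message)
        if kind == "fs_unchecked":
            summary["mount_count"] = int(m.group(1))
            summary["fs_check_due"] = summary["mount_count"] >= max_mounts
        elif kind == "dns_unreachable":
            if m.group(1) not in summary["dns_unreachable"]:
                summary["dns_unreachable"].append(m.group(1))
        elif kind == "conserve_enter":
            # "entered conserve mode" and "entered system conserve mode" both open an
            # episode; a repeated enter without an exit keeps the first timestamp.
            if entered_at is None:
                entered_at = ts
        elif kind == "conserve_exit":
            if entered_at is None:
                summary["unmatched_exits"] += 1
            else:
                summary["conserve_episodes"].append((entered_at, ts, (ts - entered_at).total_seconds()))
                entered_at = None
        elif kind == "transfer_failed":
            summary["transfers_failed_total"] += 1
            # Correlates the transfer failure with the memory emergency the reply describes.
            if entered_at is not None:
                summary["transfers_failed_in_conserve"] += 1
    summary["conserve_open"] = entered_at is not None
    episodes = len(summary["conserve_episodes"]) + (1 if entered_at is not None else 0)
    summary["flapping"] = episodes >= flap_threshold
    return summary


if __name__ == "__main__":
    s = triage(SAMPLE_ALERTS)
    for key in ("mount_count", "fs_check_due", "dns_unreachable", "conserve_open",
                "flapping", "transfers_failed_in_conserve"):
        print("%-30s %s" % (key, s[key]))
    for entered, exited, secs in s["conserve_episodes"]:
        print("conserve mode %s -> %s (%.0f s)" % (entered, exited, secs))
```

On the constructed sample this reports a mount count of 57, both DNS servers unreachable, two closed conserve-mode episodes (909 s and 495 s) plus a third still open, one transfer failure that fell inside an episode, and flapping. Against a real export you would replace the line regex with whatever format your FAZ actually writes, and raise the thresholds to match your disk's configured maximum mount count and how many episodes per day you consider tolerable.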
    rulirahm (Author)
    New Member
    May 13, 2011
    > Hi, and welcome to the forums!
    Thank you for the warm welcome.
    > You seem to have serious trouble with your FAZ.
    That's what I'm worried about.
    > First of all, I would recommend you get professional help to guide you. Depending on your service contract you may open a support case with Fortinet, especially if it includes phone support or web chat.
    To be honest, I'm new with FAZ. FYI, the firmware version of our FAZ is: FortiAnalyzer-1000B v4.0,build0208 (MR2 Patch 1) and its VM Plugins and VM Engine are: VM Plugins 0.000 (Updated 2005-11-01), VM Engine 0.000 (Updated 2005-11-01). It's quite an old version, right? Looks like my boss didn't want to continue purchasing a license or contract from Fortinet Technical Support. But I'll ask him to continue receiving updates as soon as I know how to operate the FAZ. BTW, is the firmware of our FAZ the latest version right now (FortiAnalyzer-1000B v4.0,build0208 (MR2 Patch 1))? Where to find or how to know the latest firmware releases for Fortinet's products? And will upgrading the firmware (especially for our FAZ) be charged to us?
    > It looks to me like you've had a lot of power outages which made the FAZ reboot. Could that be the case here?
    You're almost right. Because I'm new to FAZ, I have very often rebooted the machine (FAZ) (from the web-based manager), such as when trying to change the database storage from Local database to the default proprietary indexed file storage system. Our FAZ's default setting for storing the log data is Local database (PostgreSQL). I'm very often doing this (changing the database location and rebooting the machine) because, as the manual says (FortiAnalyzer™ Administration Guide Version 4.0 MR2, 21 March 2011, Revision 13),
    > You can only add a Top Traffic/Top Web Traffic/Top Email Traffic/Top FTP Traffic/Top IM/P2P Traffic/Virus Activity/Intrusion Activity widget when you selected the proprietary indexed file storage system
    Every time I try to change the database storage location, I reboot the machine. And it looks like nothing changed in our FAZ's traffic widgets (Top Traffic/Top Web Traffic/Top Email Traffic/Top FTP Traffic/Top IM/P2P Traffic/Virus Activity/Intrusion Activity). Just the same. Or should I follow the guide revision 5 (FortiAnalyzer™ Administration Guide Version 4.0 MR2, 10 June 2010, Revision 5)? I also have another question. Sometimes I can view the expanded details for one of the widget's items by clicking the + button (viewed by Device, Destination, Log Details etc.). Very often I can't view them. The widgets whose expanded details I can always view are only two: Virus Activity and Intrusion Activity. Is it supposed to go like that? Because I can't view the other widgets' details, I also very often reboot the machine (I can only view them for a while (maybe 5 or 10 minutes)).
    > You should take precautions for an extended downtime of the FAZ and execute the first diag command from the CLI. This is like an 'fsck' on a UNIX machine, meaning it might take some time. I will not give in to estimating what that would be in your case; more likely hours than minutes. This should fix the apparent file system errors.
    Is the machine/hard disk going to be OK? I mean, it will not be in error (our FAZ can't operate anymore)?
    > It's just what it says. Either the DNS addresses are wrong or the FAZ cannot connect to them. The route to the DNS might be missing, or a firewall in between might block this traffic... there are many options but all of them are straightforward and you should be able to resolve this.
    I've asked our network team and they said a firewall blocked the traffic.
    > Your FAZ ran out of memory. If memory usage increases beyond 80% the FAZ (like a FortiGate) begins to shut down less important services. During this emergency situation a file needed to be quarantined or a log file had to be rolled over and the device just couldn't do it. You should check what makes the FAZ go screaming like this. It is definitely not a situation to live with and ignore.
    How do I check it? I'm new with FAZ. I just read the manual. Maybe I'll ask my boss to train me on the FAZ technical side.
    ede_pfau
    SuperUser
    May 13, 2011
    Hi, I don't think your FAZ is outdated. It's a recent model, one of the bigger ones, and running recent firmware. The entries for "VM" indicate the status for Vulnerability Management. This service has to be purchased/licensed separately. It's not necessary for logging and analysis. Try to find out what your service level is. Maybe you are entitled to support but just don't know it.

    I can only recommend what I would do about the file system message: run the diag command and wait until the disk is fixed. A flaky file system will not grow better over time. I don't think that you might not get your disk back. Save your configuration beforehand! From what you reported I guess that there is just an internal reboot counter which triggers after (say) 50 reboots. Then the diag file system check would be a precaution only but nevertheless worth doing. In general, be gentle with the machine and reboot only if absolutely necessary. Databases don't like that much. In normal circumstances it would take years to reboot a FAZ 57 times...

    Please read the Admin Guide again about the file system choices. In my understanding the 'internal indexed file system' is identical to the 'Local database'. Only recently Fortinet introduced the option to store the data in a SQL database (both internally and externally). This allows a lot more detail in analyzing but it doesn't run with the 'old' reports; you'll have to build your reports from scratch. (So I reverted back to the Local DB after trying it out.)

    Regarding the widget, some allow for drill down and others don't. I haven't noticed yet that if I view details I cannot do so after a couple of minutes.

    Re: DNS, try to fix that or have it fixed. There is no apparent reason why the FAZ wouldn't have access to DNS. IMHO your team shouldn't stop at telling you but fix it ASAP.

    Re: memory. Watch the dashboard. Usually a 1000B can handle a large amount of traffic, like a couple of hundred logs per second. Depending on the number of FGTs that log to the FAZ their log settings might be a little bit too 'chatty'. (One more thought: maybe the FAZ is busy checking all the databases after one of the frequent reboots, and before it is done the next reboot occurs. Let it settle for a couple of hours just to be sure.) HTH.
    rwpatterson
    New Member
    May 13, 2011
    For what it's worth, my FAZ 800 can easily keep pace with my 1000A A-A setup with lots of traffic being shoved at it. Like Ede said, it depends on how many devices are pointing at it as well as how much logging is being done overall. Not sure how long you've had that device, but find out which file system is being written to. ReiserFS is the old one, and should be upgraded. From the CLI,

        FAZ-800 # diagnose sys fsystem
        Log disk partition table type is MSDOS.
        Log disk is ext3 file system.
        Log disk directories are indexed.

    Hope that helps.
    ede_pfau
    SuperUser
    May 13, 2011
    Nice info about the diag sys fsystem, thanks. You're right about the file system; I forgot that there had been a change some time ago. Of course one should quit using ReiserFS by now. Must have been 2 years ago or something like that. Just not to confuse file system with database format: OP was talking about the DB format. AFAIK there is a 'built-in' format and recently SQL. If he is not using advanced report customization I'd recommend he sticks with the Fortinet format. Even more so if he's a novice user.
    ede_pfau
    SuperUser
    May 13, 2011
    @rulirahm: you posted so many questions I overlooked some. You get firmware updates on ftp://support.fortinet.com. You need a valid user account to log in. You can create one if you have a valid support contract. Updates (even to major versions) are free, then. For FAZ, 4.2.4 is the most recent version (build 226), April 20, 2011. For many 4.2.3 is current enough, so don't worry.
    rwpatterson
    New Member
    May 13, 2011
    When I reformatted my FAZ to ext3, it went from snail to bullet on access. Could be part of the issue.
    rulirahm (Author)
    New Member
    May 16, 2011
    I was wrong. I thought the message "The log disk has not been checked for errors for 57 mounts." said "The log disk has not been checked for errors for 57 months". My mistake. Oh yes, thank you very much for the information about
    > 'internal indexed file system' is identical to the 'Local database'. Regarding the widget, some allow for drill down and others don't.
    About the DNS, I think it was our company policy that won't allow it. And I think there is something wrong with the Alert Message Console widget. Normally this widget will show the message "There is no serious outstanding ....." or something like that if there are no messages (Warning, Error, Critical, Emergency etc.). I've uploaded the picture. I think I will try to run the command 'diag sys file-system fsfix'. I'll back up my FAZ configuration first. I hope that all of you guys will keep continuing to assist or help or guide me regarding my FAZ. Oh yes, how do I run a command in the CLI, like when I want to change the severity level of the alert message console to emergency? I always receive this error:

        command parse error before 'alert_console'
        Command fail. Return code 1

    I've uploaded the picture also. I'm very often receiving error messages like this, except for simple commands like execute ping etc. And because the Alert Message Console widget is not showing the "There is no serious outstanding ....." message anymore, I tried to run the command diagnose sys dashboard rebuild-reports, which I believed would fix my problem. But just the same :( Please help me...
    ede_pfau
    SuperUser
    May 16, 2011
    To measure file system 'wear' in number of mounts does make sense, right? Alert console: you typed the command with an underscore '_' whereas the correct syntax is with a hyphen '-'. To avoid this kind of misspelling get used to command completion. If you type the beginning letters of a command or an option and hit TAB then the command is completed with the next matching phrase. If you hit '?' then you get a list of possible continuations. This way you avoid mistyping, save a lot of keystrokes and you don't need the manual side-by-side just to look up the correct syntax. And don't worry, this forum will stay here for some years to come... I'm sure you'll contribute one day as well.
    rulirahm (Author)
    New Member
    May 16, 2011
    I've tried the command 'diag sys file-system fsfix'. But there is still no message in the Alert Message Console widget. It's just the same :( When viewing the report of 'diag sys file-system fsfix' using the command 'dia sys file-system fsreport', it shows:

        FortiAnalyzer-1000B # dia sys file-system fsreport
        /dev/md0: 9985/122109952 files (7.3% non-contiguous), 5230539/244189966 blocks

    Is our FAZ in error? About the DNS, I already fixed it. It wasn't because of the firewall. It was because another port (System -> Network -> Interface) was still 'Bring Up' and there was still an IP address assigned there. Our FAZ just uses one port to connect to the FG. After I 'Bring Down' the other port, I was able to ping our local DNS again. And I was able to view 'Resolve Host Name' (Log & Archive). Yes, I can use the command right now:

        FortiAnalyzer-1000B # config system alert-console
        (alert-console)# set severity-level emergency
        (alert-console)# end
        FortiAnalyzer-1000B #

    Thank you for the help. Now, my new question. I can configure the LDAP configuration. I can query the LDAP Distinguished Name based on Anonymous or Regular server type. Our company uses an LDAP server (domain server). Each user must log in to the domain server if they want to use their PC. Our domain server runs Windows Server 2008. My main goal is, by configuring LDAP, to view the 'User' column in Log & Archive based on the LDAP server. But it's not. What is the 'User' column for, BTW?
    rulirahm (Author)
    New Member
    May 18, 2011
    Hi ede_pfau, I'm not sure about:
    > Please read the Admin Guide again about the file system choices. In my understanding the 'internal indexed file system' is identical to the 'Local database'. Only recently Fortinet introduced the option to store the data in a SQL database (both internally and externally). This allows a lot more detail in analyzing but it doesn't run with the 'old' reports; you'll have to build your reports from scratch. (So I reverted back to the Local DB after trying it out.)
    Because, as the Admin Guide says (Rev. 5 & 13):
    > Configuring SQL database storage: The FortiAnalyzer unit saves logs received to the default proprietary indexed file storage system, which is always ready to accept log data; it can also insert the log data into the Structured Query Language (SQL) database for generating reports. Both local and remote SQL database options are supported.
    I've uploaded the pic of the SQL configuration of my FAZ 1000B. I'm asking this question again because of my previous question (LDAP):
    > Now, my new question. I can configure the LDAP configuration. I can query the LDAP Distinguished Name based on Anonymous or Regular server type. Our company uses an LDAP server (domain server). Each user must log in to the domain server if they want to use their PC. Our domain server runs Windows Server 2008. My main goal is, by configuring LDAP, to view the 'User' column in Log & Archive based on the LDAP server. But it's not. What is the 'User' column for, BTW?
    After I read the Admin Guide again:
    > LDAP queries are used in FortiAnalyzer reports as an additional filter for the user field, providing a convenient way for filtering log data without having to list the user names manually. For example, you need to create a scope in a report that is restricted to include only log messages whose user= field matches user names retrieved from the network's main LDAP server. For more information about LDAP queries in FortiAnalyzer reports, see "Configuring reports from logs in the proprietary indexed file system" on page 145.
    > Configuring reports from logs in the proprietary indexed file system: If you have disabled SQL database for log storage in System > Config > SQL Database, you must instead configure reports based on logs from the proprietary indexed file system.
    I'm sorry for asking you about this question again.
    ede_pfau
    SuperUser
    May 18, 2011
    I cannot really answer your last post as I cannot see any question there... but I'll try guessing. I'd use the Fortinet proprietary database as long as you don't speak SQL fluently. If you do then go with the SQL database. In the screenshot you posted select "Disabled" to use the prop. DB, and "Local" to use an SQL DB on the local disk. You get the user identification using the FSAE software on your AD controller. It sends back the login credentials to the FGT. It can be downloaded from the Fortinet ftp site. (As this is not my turf that's more or less all I can contribute to this.)