FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
Article Id 260999


This article provides a detailed explanation of the steps involved in enabling the FortiSOAR and FortiSIEM docker modules on FortiAnalyzer. It also highlights possible issues that may occur after performing this operation and offers guidance on troubleshooting them.










A Docker-based MEA (Managed Exchange Application) module refers to a software module or containerized application designed to provide monitoring and management capabilities. It leverages Docker technology to encapsulate the MEA functionality within a lightweight and isolated container.


Starting from version 7.2, the FortiAnalyzer appliance offers compatibility with Managed Exchange Application (MEA) modules, namely FortiSOAR and FortiSIEM.






A valid FortiSOAR license is a mandatory requirement.

FortiSOAR MEA must be licensed appropriately for use in production.



By default, FortiSOAR MEA includes a Trial (Extension) License. The trial mode is limited to 2 users that can use FortiSOAR MEA for a maximum of 300 actions a day:


Before proceeding with the subsequent steps, make sure that FortiManager has uninterrupted connectivity with the FortiGuard servers, so that the necessary communication and data exchange can take place.


diag fmupdate view-linkd-log fds


Ping the FGD FQDNs:


execute ping


Example of diag fmupdate view-linkd-log fds command: (expected successful communication highlighted in green).




  1. To enable the Managed Event Analysis (MEA) feature and the FortiSOAR/FortiSIEM modules, follow the steps outlined below:

    config system docker
        set status enable
        set fsmcollector enable
        set fortisoar enable
    end






In an ideal scenario, FortiAnalyzer connects to the FortiGuard server to obtain the latest module packages, so that the most up-to-date module image is acquired.


For instance (below captures):


The FortiSIEM image is retrieved from the repository.

The FortiSOAR image is retrieved from the repository.






  2. Potential errors that might be encountered when enabling FortiSOAR and FortiSIEM modules:


Can't pull fsmcollector (Error: error contacting notary server: dial tcp i/o timeout





This error indicates that FortiAnalyzer is unable to fetch update packages for a container module from the FortiGuard servers because a port is blocked on the network firewall. In other words, FortiAnalyzer will not be able to enable the docker/MEA extensions.
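One way to confirm the firewall diagnosis from a host that sits behind the same egress policy as FortiAnalyzer, as an added example (not Fortinet code): it probes ports 443 and 4443 and separates a silent drop, which is what "dial tcp i/o timeout" points to, from a refused connection. The hostname is a placeholder because the page does not name the server, and the function names are hypothetical.

```python
import errno
import socket

# Assumption: placeholder only. The page does not name the FortiGuard host,
# so substitute the FQDN used in your own firewall rule.
REGISTRY_HOST = "registry.example.invalid"
MEA_PORTS = (443, 4443)  # ports the article says must be open


def probe(host, port, timeout=5.0):
    """Classify one outbound TCP attempt."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns"  # name did not resolve; not a port problem
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
        except (socket.timeout, TimeoutError):
            return "timeout"  # packets silently dropped: the "i/o timeout" case
        except ConnectionRefusedError:
            return "refused"  # an RST came back: reject rule or no listener
        except OSError as exc:
            if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
                return "unreachable"  # routing problem before any firewall rule
            return "error"
    return "open"


def check_egress(host=REGISTRY_HOST, ports=MEA_PORTS, timeout=5.0):
    """Probe every port and return {port: result}."""
    return {port: probe(host, port, timeout) for port in ports}


def ports_to_review(results):
    """Ports that did not complete a TCP handshake."""
    return sorted(p for p, r in results.items() if r != "open")


if __name__ == "__main__":
    for port, result in check_egress().items():
        print(f"{REGISTRY_HOST}:{port} -> {result}")
```

A "timeout" result on 4443 with "open" on 443 is the pattern to take to the firewall team; the result only reflects FortiAnalyzer's own path if the probing host is subject to the same rules.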


The port to open is 4443/443 as mentioned in the following documentation on the firewall rule that points to


To verify the status of the module:


Once the operation completes, verify that the modules are in the 'running' state:


diag docker status




Even after port 4443 has been opened successfully, additional errors may still occur. These errors may appear in the following scenarios:


If such errors occur, the following commands remove all FortiSOAR and FortiSIEM volumes and then restart the modules.


diag docker reset fortisoar

diag docker reset fortisiem


Failure to reset both modules may result in the following errors:


In the case of the FortiSOAR module, the following error may occur: 'The creation of the container is impossible: no such file or directory'.




In the case of the FortiSIEM module, the following error may occur: 'Driver failed programming external connectivity on endpoint fsmcollector'.




Upon enabling both the Managed Event Analysis (MEA) and the FortiSOAR/FortiSIEM modules, a 'Management extensions' panel will be displayed in the left menu:


FortiSOAR and FortiSIEM extension:




  3. Troubleshooting:


In the event of an error, the following debug commands can be used to troubleshoot it:


diag debug app docker 255

diag debug enable


To upgrade modules (optional):


diagnose docker upgrade fortisoar

diagnose docker upgrade fortisiem




To disable the docker support and monitor:


diagnose docker cleanup

config system docker
(docker)# set status disable
(docker)# end

