FortiAnalyzer
lingky88
Staff
Article Id 320184
Description This article describes how to troubleshoot issues related to CIS Controls Security Rating Report Generation Failure on FortiAnalyzer.
Scope FortiAnalyzer v7.4 onwards.
Solution
  1. Ensure that the FortiAnalyzer and FortiGate are on v7.4 and above. Check if the Security Rating licenses are present on both devices.

On FortiAnalyzer:

[Screenshot 1: FAZ license.png]

On FortiGate:

[Screenshot 2: FGT license.png]

  2. Ensure the FortiGate is registered to FortiAnalyzer and the logging status is UP.

[Screenshot 3: FortiGate status up.png]

  3. Run the Security Rating Report on the FortiGate and check the Security Rating summary log on the FortiAnalyzer. Run the following debug commands while performing this step to verify the REST API response.

On FortiAnalyzer:

diag debug reset
diag debug disable
diag test application oftpd 95 enable "RESTAPI REQUEST" "RESTAPI RESPONSE"
diag debug timestamp enable
diag debug enable

On FortiGate:

diag debug reset
diag debug disable
diag debug application httpsd -1
diag debug console timestamp enable
diag debug enable

[Screenshot 4: Security Rating log in FortiAnalyzer.png]

  4. Enable backend shell access on the FortiAnalyzer. See also the KB article "Technical Tip: How to enable backend-shell access in FortiManager/FortiAnalyzer".

FAZ # config system admin setting
(setting)# set shell-access enable
Enter new password:
Confirm new password:
(setting)# end

  5. Enter the shell and check whether the PostureReport files for the FortiGate are present under the drive0/private/restapi/audit_rpt/ directory.

[Screenshot 5: Shell.png]

  6. Proceed to generate the report under Reports -> Report Definitions -> CIS Controls Security Rating Report -> Run Report.

[Screenshot 6: Run CIS Controls Security Rating Report.png]

  7. Check whether any crash logs are present when running the report:

FAZ # diag debug crashlog read
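
The file check from step 5, as an added example that is not part of the original article and is not Fortinet code: a POSIX shell function that lists the PostureReport files in the audit_rpt directory and flags empty ones. It assumes the report file names contain "PostureReport" and that the optional device argument (for example the FortiGate serial number) also appears in the file name; the function name is hypothetical.

```sh
#!/bin/sh
# Added example, not Fortinet code. Assumptions: report files carry
# "PostureReport" in their names, and the optional DEVICE argument
# (e.g. a FortiGate serial number) also appears in the file name.
#
# Usage from the backend shell, with the directory named in step 5:
#   check_posture_reports drive0/private/restapi/audit_rpt [DEVICE]
#
# Return codes:
#   0  at least one non-empty PostureReport file was found
#   1  directory exists but holds no non-empty PostureReport file
#   2  directory is missing or unreadable
check_posture_reports() {
    dir=$1
    device=${2:-}
    found=0
    empty=0

    if [ ! -d "$dir" ] || [ ! -r "$dir" ]; then
        echo "missing or unreadable: $dir" >&2
        return 2
    fi

    for f in "$dir"/*PostureReport*; do
        [ -f "$f" ] || continue        # unmatched glob or not a regular file
        case "${f##*/}" in
            *"$device"*) ;;            # an empty DEVICE matches every file
            *) continue ;;
        esac
        if [ -s "$f" ]; then
            found=$((found + 1))
            echo "ok     ${f##*/}"
        else
            # A zero-byte file means the upload was started but never written.
            empty=$((empty + 1))
            echo "empty  ${f##*/}"
        fi
    done

    echo "summary: $found non-empty, $empty empty in $dir"
    [ "$found" -gt 0 ]
}
```

A return code of 1 or 2 points back to steps 2 and 3 (logging status and the REST API debug output) rather than to the report engine.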