Article Id 205627
Description: This article describes how to troubleshoot the FortiAnalyzer Threat Map.

Section 1.


Check firmware compatibility between FortiGate and FortiAnalyzer: the FortiGate firmware version must be one that the FortiAnalyzer release supports, otherwise logs may not be accepted or parsed correctly.



Section 2.


1) Check whether FortiAnalyzer DNS is able to resolve (and reach) the hosts below, and that the GeoIP and GeoIP-city databases are loaded:


# execute ping
# execute ping
# diagnose system geoip info
# diagnose system geoip-city info
# diagnose system geoip-city ip


2) Check whether the FortiGate is sending logs to FortiAnalyzer.


[Screenshot: FGT FAZ test connectivity.JPG]


3) Verify that the FortiGate's geographic coordinates have been configured in the FortiAnalyzer GUI.

Go to Device Manager, select the FortiGate, and select Edit.


[Screenshot: Edit FGT detail on FAZ.JPG]


After this, the screen below should appear.

Verify that the coordinates have been configured (without them no device icon is drawn on the map).


[Screenshot: FGT Geographic Coordinate on FAZ GUI.jpg]


Section 3.


1) In FortiAnalyzer FortiView, it should be possible to see Top Threats.


[Screenshot: FortiView_Top Threats.JPG]


2) Next, to test the map, run # diagnose log test on the FortiGate CLI. This generates sample log entries, including UTM logs, which are forwarded to FortiAnalyzer.


[Screenshot: FGT_diagnose log test.JPG]


3) Some activity should then be visible on the Threat Map, as below. (The map is real time, so if nothing appears, generate fresh logs from the FortiGate CLI with the diagnose log test command while watching the map.)



[Screenshot: FAZ_Threat map.JPG]


The Threat Map will show data only if all of the following hold:


- A device geo location is configured. This draws the device icon on the map and also provides the switch to enable/disable the threat map.


- The log is a UTM log with crscore > 0, and either srcip or dstip is a public IP (only a public IP can be located to a city on the map); srcip is preferred when both are public.


- The Threat Map shows only new live logs; it does not replay historical logs, so existing logs in the database will not populate it.
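To make the display criteria above concrete, the following is an added example (not code from the article or from Fortinet) that applies them to FortiGate key=value log lines: it parses each record, requires type="utm" and crscore > 0, and then picks srcip if it is public, otherwise dstip if that is public. The log lines are constructed samples, and the public addresses in them (8.8.8.8, 1.1.1.1 and similar) stand in for any globally routable IP. Python's ipaddress.is_global is used as the definition of "public"; note that it treats documentation ranges such as 203.0.113.0/24 as non-global, so do not use those when testing.

```python
"""Added example: which FortiGate log records satisfy the FortiAnalyzer Threat Map
display criteria described in this article (UTM log, crscore > 0, public srcip
preferred, else public dstip). Runs offline on constructed log lines."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# FortiGate syslog records are space-separated key=value pairs; string values are quoted.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortilog(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def is_public(ip: str) -> bool:
    """True for a globally routable address. Private (RFC 1918), loopback, link-local,
    documentation and other special-purpose ranges cannot be geolocated to a city."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:  # not an IP literal at all
        return False


def threat_map_decision(record: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Return (ip_to_plot, reason). ip_to_plot is None when the record would not
    appear on the Threat Map."""
    if record.get("type") != "utm":
        return None, "not a UTM log (type=%s)" % record.get("type", "?")
    try:
        crscore = int(record.get("crscore", "0"))
    except ValueError:
        return None, "crscore is not numeric"
    if crscore <= 0:
        return None, "crscore is 0 (no threat weight)"
    for key in ("srcip", "dstip"):  # srcip is preferred when both are public
        ip = record.get(key)
        if ip and is_public(ip):
            return ip, "plotted at %s=%s (crscore=%d)" % (key, ip, crscore)
    return None, "neither srcip nor dstip is a public IP"


def plotted_ips(lines: List[str]) -> List[str]:
    """IPs the Threat Map would geolocate, in log order (one per qualifying record)."""
    out = []
    for line in lines:
        ip, _ = threat_map_decision(parse_fortilog(line))
        if ip:
            out.append(ip)
    return out


# Constructed sample records (not real captures); the public IPs are placeholders.
SAMPLE_LOGS = [
    # UTM log, crscore>0, public srcip: plotted at srcip
    'date=2024-05-01 time=12:00:01 devname="FGT-lab" type="utm" subtype="ips" level="alert" '
    'srcip=8.8.8.8 srcport=44321 dstip=192.168.1.20 dstport=443 action="dropped" crscore=30 crlevel="high"',
    # UTM log, private srcip but public dstip: plotted at dstip
    'date=2024-05-01 time=12:00:02 devname="FGT-lab" type="utm" subtype="webfilter" '
    'srcip=10.1.1.5 dstip=1.1.1.1 action="blocked" crscore=5 crlevel="low"',
    # UTM log with crscore=0: not shown
    'date=2024-05-01 time=12:00:03 devname="FGT-lab" type="utm" subtype="ips" '
    'srcip=9.9.9.9 dstip=10.0.0.2 action="detected" crscore=0',
    # traffic log, not UTM: not shown even with a high crscore
    'date=2024-05-01 time=12:00:04 devname="FGT-lab" type="traffic" subtype="forward" '
    'srcip=9.9.9.9 dstip=10.0.0.3 action="accept" crscore=50',
    # UTM log with both IPs private: nothing to geolocate
    'date=2024-05-01 time=12:00:05 devname="FGT-lab" type="utm" subtype="ips" '
    'srcip=10.0.0.1 dstip=172.16.0.1 action="dropped" crscore=20',
    # UTM log with both IPs public: srcip wins
    'date=2024-05-01 time=12:00:06 devname="FGT-lab" type="utm" subtype="ips" '
    'srcip=8.8.4.4 dstip=1.0.0.1 action="dropped" crscore=10',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ip, reason = threat_map_decision(parse_fortilog(line))
        print("%-5s %s" % ("SHOW" if ip else "skip", reason))
```

Running the script prints one SHOW/skip line per record with the reason; only the first, second and last samples qualify. Because the map does not replay history, the same check is only useful against logs that arrive after the map view is opened, which is why generating fresh entries with diagnose log test is the practical test.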