FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
Article Id 205627
Description This article describes how to troubleshoot the FortiAnalyzer Threat Map.
Scope FortiAnalyzer.

Section 1.


Check firmware compatibility between FortiGate and FortiAnalyzer.


Section 2.



  1. Check whether FortiAnalyzer DNS able to resolve below:



execute ping
execute ping
diagnose system geoip info
diagnose system geoip-city info
diagnose system geoip-city ip



  1. Check whether FortiGate sending log to FortiAnalyzer.



FGT FAZ test connectivity.JPG


  1. Verify FortiGate Geographic Coordinate has been configured in the FortiAnalyzer GUI. Go to Device Manager, select FortiGate, then select Edit.


Edit FGT detail on FAZ.JPG


After above, below screen should appear.

Verify that coordinates had been configured.


FGT Geographic Coordinate on FAZ GUI.jpg


Section 3.


  1. In FortiAnalyzer FortiView, it will be possible to see Top Threats.


FortiView_Top Threats.JPG


  1. Next, to test the map, execute diagnose log test on the FortiGate CLI.


FGT_diagnose log test.JPG


  1. After, it will be possible to see some output on the Threat Map, as below. (As it is real time, logs may be generated from the FortiGate CLI using the <diag log test> command.)


FAZ_Threat map.JPG


The threat Map will be visible if:


  • There is a device geo-location configured. This will draw a device icon in the map, as well as a switch for enabling/disabling the threat map.
  • Utm log with a crscore of more than 0, and either srcip or dstip is a public IP (this can locate a city in a map). Srcip is preferred.

The threat map only shows the new live log. It does not replay the history log.