msuhaimi
Staff
Article Id 205627
Description
This article describes how to troubleshoot the FortiAnalyzer Threat Map.

Scope

Solution

Section 1.

Check firmware compatibility between FortiGate and FortiAnalyzer.

Reference: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/0955b58b-a143-11eb-b70b-005056...

Section 2.

1) Check whether FortiAnalyzer can resolve and reach the hosts below, and check its GeoIP information:

# execute ping mapserver.fortinet.com
# execute ping maps.googleapis.com
# diagnose system geoip info
# diagnose system geoip-city info
# diagnose system geoip-city ip 8.8.8.8

 

2) Check whether the FortiGate is sending logs to FortiAnalyzer.

[Screenshot: FGT FAZ test connectivity.JPG]

3) Verify that the FortiGate's geographic coordinates have been configured in the FortiAnalyzer GUI.

Go to Device Manager, select the FortiGate, and select Edit.

[Screenshot: Edit FGT detail on FAZ.JPG]

After this, the screen below should appear. Verify that the coordinates have been configured.

[Screenshot: FGT Geographic Coordinate on FAZ GUI.jpg]

 

Section 3.

1) In FortiAnalyzer FortiView, it should be possible to see Top Threats.

[Screenshot: FortiView_Top Threats.JPG]

2) Next, to test the map, run the following on the FortiGate CLI:

# diagnose log test

[Screenshot: FGT_diagnose log test.JPG]

3) Then some output should appear on the Threat Map, as below. (As the map is real time, generate logs from the FortiGate CLI with the 'diag log test' command.)

[Screenshot: FAZ_Threat map.JPG]

The Threat Map will be visible if:

- A device geolocation is configured; this draws a device icon on the map and also provides a switch to enable/disable the Threat Map.

- There is a UTM log with crscore > 0, and either srcip or dstip is a public IP (this is what locates the event to a city on the map; srcip is preferred).

- The Threat Map only shows new live logs; it does not replay historical logs.
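As an added example, not from the Fortinet article, the Python below applies the log-side conditions above to constructed FortiGate key=value log lines so you can see which records would be plotted and which address would be geolocated. It assumes the FortiOS field names type, crscore, srcip and dstip; the sample records and the address 8.8.4.4 are constructed test values.

```python
import ipaddress
import re

# Constructed FortiGate-style key=value records (not real traffic). 8.8.8.8 is the address
# the article's geoip-city check uses; 8.8.4.4 is a constructed public address.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:00 type="utm" subtype="ips" crscore=30 srcip=8.8.8.8 dstip=10.0.0.5',
    'date=2024-01-01 time=10:00:01 type="utm" subtype="webfilter" crscore=0 srcip=8.8.8.8 dstip=10.0.0.5',
    'date=2024-01-01 time=10:00:02 type="traffic" subtype="forward" crscore=50 srcip=8.8.8.8 dstip=10.0.0.5',
    'date=2024-01-01 time=10:00:03 type="utm" subtype="ips" crscore=20 srcip=10.0.0.7 dstip=8.8.4.4',
    'date=2024-01-01 time=10:00:04 type="utm" subtype="ips" crscore=20 srcip=10.0.0.7 dstip=192.168.1.9',
]

# Values may be double-quoted (type="utm") or bare (crscore=30).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Split one FortiGate log line into a dict of field name -> string value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def is_public(ip):
    """True for a globally routable address; RFC 1918, loopback, link-local etc. are not."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False

def threat_map_ip(fields):
    """IP the Threat Map would geolocate for this record, or None if it is not plotted.
    Article rule: UTM log, crscore > 0, public srcip or dstip, srcip preferred. The
    device-geolocation precondition is a GUI setting and is not visible in the log."""
    if fields.get("type") != "utm":
        return None
    try:
        if int(fields.get("crscore", "0")) <= 0:
            return None
    except ValueError:
        return None
    for key in ("srcip", "dstip"):  # srcip is tried first
        ip = fields.get(key)
        if ip and is_public(ip):
            return ip
    return None

def plotted_ips(lines):
    """Collect, in order, the IPs the Threat Map would place for a live log feed."""
    return [ip for ip in (threat_map_ip(parse_log(l)) for l in lines) if ip is not None]
```

Feed it the records FortiAnalyzer actually received (for example an export from Log View) to tell a map that is empty because nothing qualifies apart from a map that is empty because of a GeoIP or connectivity problem from Section 2.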