FortiClient
kjiye
Staff
Article Id 249887
Description This article explains why emails may be received for detection logs that are older than the alert interval even though the endpoint alerts interval is correctly configured.
Scope FortiClient EMS.
Solution

The configured interval is based on when the EMS receives the alert from a FortiClient, not on when the detection occurred on the endpoint.

This means an alert from more than 24 hours ago (assuming the interval was set to 24 hours) may still appear in the email, because the EMS has only just received it.

This is to prevent alerts from being missed due to a FortiClient being temporarily unable to communicate with an EMS for any reason.
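The difference between the two windowing choices can be seen in a small model. This is an added example, not EMS code: the `Alert` record, the function names and the sample alerts are constructed for illustration, and the 24-hour interval is the one assumed above.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", "endpoint detected_at received_at")
INTERVAL = timedelta(hours=24)  # assumed alert interval

# Constructed sample data: laptop-07 was unable to reach the server for two days.
ALERTS = [
    Alert("pc-01", datetime(2023, 3, 1, 9, 0), datetime(2023, 3, 1, 9, 1)),
    Alert("pc-02", datetime(2023, 3, 2, 14, 0), datetime(2023, 3, 2, 14, 0)),
    Alert("laptop-07", datetime(2023, 2, 28, 16, 30), datetime(2023, 3, 2, 20, 15)),
]
# Three consecutive daily email runs (constructed).
RUNS = [datetime(2023, 3, d, 8, 0) for d in (1, 2, 3)]

def by_received(alerts, now, interval=INTERVAL):
    """Window on server receive time (the behaviour the article describes)."""
    return [a for a in alerts if now - interval < a.received_at <= now]

def by_detected(alerts, now, interval=INTERVAL):
    """Hypothetical alternative: window on detection time, using only
    alerts the server already holds at the time of the run."""
    return [a for a in alerts
            if a.received_at <= now and now - interval < a.detected_at <= now]

def reported(select, alerts=ALERTS, runs=RUNS):
    """Endpoints that appear in at least one email across all runs."""
    return {a.endpoint for now in runs for a in select(alerts, now)}

def older_than_interval(selected, now, interval=INTERVAL):
    """Entries in one email whose detection time predates the interval."""
    return [a.endpoint for a in selected if now - a.detected_at > interval]

if __name__ == "__main__":
    print("receive-time window reports:  ", sorted(reported(by_received)))
    print("detection-time window reports:", sorted(reported(by_detected)))
    last = RUNS[-1]
    print("old entries in the last email:",
          older_than_interval(by_received(ALERTS, last), last))
```

With detection-time windowing the `laptop-07` alert never appears in any email; with receive-time windowing it appears in the last one, carrying a detection time older than the interval.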

 

Notably, the email text is generated and stored in the DB until it is sent out.

This means that if any problems occur sending the email, it will be delayed but still sent eventually.

 

Additionally, email servers tend to record the time an email was received rather than the time it was sent. This may also contribute to the delay mentioned above.