Author: Kush_Patel (Staff)
Article Id 326801
Description

This article describes why, when FortiGate is configured to send alert emails for certain conditions, some of the alerts can be missing (dropped) from the email.

 

Related article:

Technical Tip: How to configure alert email settings

 

The email starts with something like this:

'Warning! This message was sent from outside your organization and we were unable to verify the sender.

 

Message meets Alert condition

The following critical firewall event was detected: SSL VPN login fail.

date=2024-06-15 time=11:18:54 devname=Ventura devid=FGTXXFTKXXXXXXXX eventtime=11829004388780 tz="-0700" logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=Y.Y.Y.Y user="test" group="N/A" dst_host="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in'

 

……

 

And at the end of the email, after many alert messages, a drop message can be observed:

 

'41 Alert alert message(s) dropped since 06/13/2024 10:06:45.

3 Warning alert message(s) dropped since 06/13/2024 10:06:45.'

 

In the actual email, there were a total of 100 alert messages.

Scope

FortiGate.
Solution

In each email, FortiGate includes at most 100 alert messages: the highest severity first and, among messages of the same severity, the latest ones. All other messages are dropped, and their counts per severity are listed in the drop summary at the end of the email.

 

The number of alert messages can be reduced through the CLI: first check which category is generating the largest number of alerts in the email, and if alerts for that category are not needed, disable it:

 

config alertemail setting

(setting) # set violation-traffic-logs disable

(setting) # end

violation-traffic-logs is used here because it is probably the category causing many alerts; disable whichever category appears most often in the email.
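To see which category is producing the most alerts, and to understand the 100-message cap described above, the following Python script (an added example, not part of this article or of FortiOS) parses FortiGate key=value log lines such as the one quoted in the Description, counts them per level and category, and models the selection rule stated in the Solution: keep the highest-severity messages, latest first within the same severity, and report the dropped counts per level in the same wording as the drop summary at the end of the email. The sample log lines, device id and IP addresses are constructed, and the severity ordering assumes the standard FortiOS log levels (emergency down to debug), which the article does not list.

```python
import re
from collections import Counter

# Standard FortiOS log levels, highest severity first (assumption: the article
# only says "highest severity" without listing the levels).
SEVERITY_RANK = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
                 "warning": 4, "notice": 5, "information": 6, "debug": 7}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines modelled on the log line quoted in the article
# (device id and IP addresses are documentation/test values, not real ones).
SAMPLE_LINES = [
    'date=2024-06-15 time=11:18:54 devid="FG-SAMPLE-ID" eventtime=1718475534000000000 tz="-0700" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.10 user="test" msg="SSL user failed to logged in"',
    'date=2024-06-15 time=11:18:40 devid="FG-SAMPLE-ID" eventtime=1718475520000000000 tz="-0700" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.11 user="test" msg="SSL user failed to logged in"',
    'date=2024-06-15 time=11:17:02 devid="FG-SAMPLE-ID" eventtime=1718475422000000000 tz="-0700" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.12 user="admin" msg="SSL user failed to logged in"',
    'date=2024-06-15 time=11:18:50 devid="FG-SAMPLE-ID" eventtime=1718475530000000000 tz="-0700" type="traffic" subtype="forward" level="warning" action="deny" srcip=192.0.2.5 dstip=203.0.113.7 msg="constructed violation-traffic sample"',
    'date=2024-06-15 time=11:18:10 devid="FG-SAMPLE-ID" eventtime=1718475490000000000 tz="-0700" type="traffic" subtype="forward" level="warning" action="deny" srcip=192.0.2.6 dstip=203.0.113.7 msg="constructed violation-traffic sample"',
    'date=2024-06-15 time=11:16:00 devid="FG-SAMPLE-ID" eventtime=1718475360000000000 tz="-0700" type="event" subtype="system" level="critical" logdesc="constructed critical event" msg="constructed"',
]


def parse_log_line(line):
    """Parse one FortiGate log line into a dict of field -> value."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def category(fields):
    """Category label: logdesc when present, otherwise type/subtype (traffic logs)."""
    return fields.get("logdesc") or f"{fields.get('type', '?')}/{fields.get('subtype', '?')}"


def count_by_category(lines):
    """Count alerts per (level, category) so the noisiest source stands out."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line)
        if "level" in f:
            counts[(f["level"], category(f))] += 1
    return counts


def noisiest_category(lines):
    """The (level, category) pair with the most alerts: the candidate to tune or disable."""
    return count_by_category(lines).most_common(1)[0][0]


def select_for_email(lines, limit=100):
    """Model the cap described in the article: keep `limit` messages, highest
    severity first and latest first within a severity. Returns (kept, dropped),
    where dropped counts the discarded messages per level."""
    parsed = [f for f in map(parse_log_line, lines) if "level" in f]
    parsed.sort(key=lambda f: (SEVERITY_RANK.get(f["level"], len(SEVERITY_RANK)),
                               -int(f.get("eventtime", "0"))))
    kept, rest = parsed[:limit], parsed[limit:]
    return kept, Counter(f["level"] for f in rest)


def drop_summary(dropped, since):
    """Render the per-level drop counts in the wording the alert email uses."""
    ordered = sorted(dropped.items(), key=lambda kv: SEVERITY_RANK.get(kv[0], 99))
    return [f"{n} {lvl.capitalize()} alert message(s) dropped since {since}."
            for lvl, n in ordered]


if __name__ == "__main__":
    # Per-category table: the top row is the category to consider disabling.
    for (lvl, cat), n in count_by_category(SAMPLE_LINES).most_common():
        print(f"{n:4d}  {lvl:<9} {cat}")
    # A cap of 3 (instead of 100) makes the dropping visible on six sample lines.
    kept, dropped = select_for_email(SAMPLE_LINES, limit=3)
    print(f"kept {len(kept)} of {len(SAMPLE_LINES)} messages")
    for line in drop_summary(dropped, "06/13/2024 10:06:45"):
        print(line)
```

Run against the body of a real alert email (one log line per alert), the per-category table tells you which alertemail category to turn off, and the modelled cap shows that the warning and critical entries are the first to go once the alert-level messages alone fill the email.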

 

The options available under config alertemail setting are described in the FortiOS CLI reference for alertemail setting.

 

Another option is to shorten the interval at which the email is sent, from the default 5 minutes to something shorter (such as 3 minutes), so that fewer alerts accumulate per email.

 

config alertemail setting

(setting) # set email-interval 3

(setting) # end

The default email-interval is 5 minutes.
