FortiSIEM Discussions
mscirri
New Contributor III

Content Update 407 - Known Issues?

Are there any known issues with this content update on 6.7.0.1716?   I have a few rules that seem to no longer want to parse after the update.  I restarted all of the ph processes and that did not seem to help. 

5 REPLIES 5
FSM_FTNT
Staff
Staff

Hi,

 

Are these custom rules or system rules?

 

Not sure as you mention parse and rules, can you clarify with an example.

 

Thanks

 

Dan

 

mscirri
New Contributor III

They are custom rules, cloned from system rules, which were working for months until the content update. 

 

I get Sync Errors reported for 2 rules. Both with Timeout errors. 

Sync Errors.png

 

When I run the SubPattern in the 1st rule as a query, I get an Invalid XML error. When I run the SubPattern in the 2nd rule as a query, it runs fine.

mscirri
New Contributor III

In the Jobs And Errors screen the actual error message is "Data request xml format: Failed to parse Query: Search from customer 0"

FSM_FTNT

The issue you describe may be unrelated to the content pack update as it should have no affect here.

 

I think possibly there may be a rule issue and may be good to open a TAC case.

 

Or if you can post or send me the rule directly I can check.

mscirri
New Contributor III

It is just odd that they were working fine until the content update happened.   I sent you a direct message with the rule XML.

Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"