This article addresses an issue where users encounter a '502 Proxy Error' when attempting to Remediate an Incident on a FortiGate device through the FortiSIEM GUI.
The issue is related to a mismatch between the device hostname stored in FortiSIEM's CMDB and the actual hostname of the FortiGate, which results in a timeout due to extended WhoIs query processing.
Scope
FortiSIEM v7.2.x and versions earlier than v7.3.3
Solution
The hostname configured in the FortiSIEM CMDB does not match the actual hostname of the FortiGate device. This discrepancy causes delays in hostname resolution, particularly during WhoIs lookups, which in turn leads to a connection timeout between the FortiSIEM UI and App Server, triggering a 502 Proxy Error.
Example Scenario:
CMDB entry: FortiGate-501E-master.domain.name.
Actual FortiGate hostname: FortiGate-501E-master.
This mismatch causes the WhoIs query to take longer than expected, resulting in the error during the "Remediate Incident" operation.
Resolution Steps:
Access FortiSIEM CMDB: Navigate to Admin -> CMDB > Devices in the FortiSIEM GUI.
Update Hostname:
Locate the FortiGate device entry.
Edit the device record and update the hostname to match the actual FortiGate hostname (e.g., FortiGate-501E-master).
Perform Rediscovery: Once the hostname is corrected, rediscover the device to refresh its metadata and associations.
Retry Remediation:
Navigate to the incident and reattempt the Remediate Incident action.
The operation should now complete successfully without a 502 error.
Recommendation: Ensure that hostnames recorded in the FortiSIEM CMDB are consistent with the actual device hostnames to avoid lookup delays and UI timeouts. Regular synchronization and rediscovery of devices is recommended to maintain accurate CMDB entries.
