Ahmed_Galal
Staff
Article Id 411358
Description This article describes how to resolve an issue where FortiWeb is not sending attack logs to FortiAppSec even though the Threat Analytics status shows up and connected.
Scope FortiWeb.
Solution

Step 1: Verify that FortiWeb is successfully generating the attack logs:

Under Log & Report -> Log Config -> Global Log Settings: verify that Attack log is enabled with a log level of 'Information'.

Under Log & Report -> Log Access -> Attack log: verify that the attack logs are being generated.


Step 2: In the Dashboard, select Threat Analytics in the system information widget, then log in to the AppSec account.


Step 3: Verify the Threat Analytics connectivity:


diagnose system threat-analytics info
MSK domain: "b-2-public.prodeucentral1mskcl.nxsovf.c5.kafka.eu-central-1.amazonaws.com:9194","b-1-public.prodeucentral1mskcl.nxsovf.c5.kafka.eu-central-1.amazonaws.com:9194","b-3-public.prodeucentral1mskcl.nxsovf.c5.kafka.eu-central-1.amazonaws.com:9194"
Topic: "palog_prod_cf108171-69a5-11ed-ac78-bf49f0987c5b"
User ID: 777409

WS Connection: Connected     =========> Here the status is "connected"
Log_forward: Allow
License status: 1


Step 4: Capture the traffic between FortiWeb and FortiAppSec on TCP port 9194:


diagnose network sniffer any "port 9194" 4
filters=[port 9194]
interface=[port1]
154.988983 10.109.19.9.44912 -> 3.73.212.28.9194: syn 2931162269
interface=[port1]
154.998241 18.192.89.224.9194 -> 3.73.212.28.9194: syn 2931162269
interface=[port1]
154.998289 10.109.19.9.44912 -> 3.73.212.28.9194: syn 2931162269


In the above example, FortiWeb is sending SYN packets to the FortiAppSec broker but no SYN-ACK is received in return, so the TCP handshake never completes even though the WebSocket status shows "Connected". This is resolved by allowing outbound TCP port 9194 from FortiWeb to the FortiAppSec endpoints on the upstream firewall.
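The following is an added helper, not part of this article or of FortiWeb, that automates the check described above: it parses the packet lines of the `diagnose network sniffer` output (modelled on the format shown in Step 4), tracks each client flow towards the service port, and reports flows whose outgoing SYNs never received a SYN-ACK. The two sample captures embedded in the block are constructed for illustration; the "blocked" one mirrors the page's output, the "healthy" one shows what a completed handshake looks like.

```python
import re
from dataclasses import dataclass

# One packet line at sniffer verbosity 4, as shown in the article:
#   "<timestamp> <src_ip>.<src_port> -> <dst_ip>.<dst_port>: <flags and seq/ack numbers>"
# "interface=[...]" and "filters=[...]" lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>.*)$"
)

# Constructed sample: SYNs leave FortiWeb towards port 9194, nothing comes back (firewall drop).
SAMPLE_NO_REPLY = """\
filters=[port 9194]
interface=[port1]
154.988983 10.109.19.9.44912 -> 3.73.212.28.9194: syn 2931162269
interface=[port1]
155.998289 10.109.19.9.44912 -> 3.73.212.28.9194: syn 2931162269
"""

# Constructed sample: the same flow with a SYN-ACK from the broker and the client's final ACK.
SAMPLE_OK = """\
interface=[port1]
12.000100 10.109.19.9.44912 -> 3.73.212.28.9194: syn 1000
interface=[port1]
12.010200 3.73.212.28.9194 -> 10.109.19.9.44912: syn 5000 ack 1001
interface=[port1]
12.010300 10.109.19.9.44912 -> 3.73.212.28.9194: ack 5001
"""


@dataclass
class Flow:
    syn_sent: int = 0        # client SYNs seen for this 4-tuple
    synack_seen: bool = False  # whether the server ever answered with SYN-ACK


def parse_sniffer(text):
    """Yield (ts, sip, sport, dip, dport, flag_tokens) for each packet line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (float(m["ts"]), m["sip"], int(m["sport"]),
                   m["dip"], int(m["dport"]), m["flags"].lower().split())


def analyze_handshakes(text, service_port=9194):
    """Group packets into client flows keyed by (client_ip, client_port, server_ip, server_port)."""
    flows = {}
    for _ts, sip, sport, dip, dport, flags in parse_sniffer(text):
        is_syn, is_ack = "syn" in flags, "ack" in flags
        if dport == service_port and is_syn and not is_ack:
            # Outgoing SYN from the client side
            flows.setdefault((sip, sport, dip, dport), Flow()).syn_sent += 1
        elif sport == service_port and is_syn and is_ack:
            # SYN-ACK from the server: map back onto the client's flow key
            flows.setdefault((dip, dport, sip, sport), Flow()).synack_seen = True
    return flows


def unanswered_flows(flows):
    """Return the flows that sent at least one SYN but never saw a SYN-ACK."""
    return sorted(k for k, f in flows.items() if f.syn_sent and not f.synack_seen)


def verdict(text, service_port=9194):
    """Human-readable summary of the capture."""
    missing = unanswered_flows(analyze_handshakes(text, service_port))
    if not missing:
        return "OK: every SYN towards port %d received a SYN-ACK" % service_port
    peers = ", ".join("%s:%d" % (dip, dport) for _sip, _sport, dip, dport in missing)
    return ("BLOCKED: %d flow(s) to %s sent SYNs without any SYN-ACK; "
            "check the upstream firewall rule for TCP/%d" % (len(missing), peers, service_port))


if __name__ == "__main__":
    print(verdict(SAMPLE_NO_REPLY))
    print(verdict(SAMPLE_OK))
```

Paste the real sniffer output into the place of the constructed sample (or read it from a file) to get the same verdict for a live capture; a flow that appears under BLOCKED while Step 3 still reports "Connected" is exactly the situation this article describes.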

Related document:

Analyzing attack logs in FortiWeb Cloud Threat Analytics - FortiWeb administration guide