FortiWeb
Ahmed_Galal
Staff
Article Id 411358
Description This article describes how to resolve an issue where FortiWeb is not sending attack logs to FortiAppSec even though the Threat Analytics status shows as up and connected.
Scope FortiWeb.
Solution

Step 1: Verify that FortiWeb is successfully generating the attack logs:

Under Log & Report -> Log Config -> Global Log Settings: verify that the Attack log is enabled with the log level set to 'Information'.

Under Log & Report -> Log Access -> Attack log: verify that the attack logs are being generated.


Step 2: In the Dashboard, select Threat Analytics in the system information widget, then log in to the AppSec account.


Step 3: Verify the Threat Analytics connectivity:


diagnose system threat-analytics info
MSK domain: "b-2-public.prodeucentral1mskcl.nxsovf.c5.kafka.eu-central-1.amazonaws.com:9194","b-1-public.prodeucentral1mskcl.nxsovf.c5.kafka.eu-central-1.amazonaws.com:9194","b-3-public.prodeucentral1mskcl.nxsovf.c5.kafka.eu-central-1.amazonaws.com:9194"
Topic: "palog_prod_cf108171-69a5-11ed-ac78-bf49f0987c5b"
User ID: 777409

WS Connection: Connected     =========> Here the status is "Connected"
Log_forward: Allow
License status: 1


Step 4: Capture packets on the connection between FortiWeb and FortiAppSec on port 9194:

diagnose network sniffer any "port 9194" 4
filters=[port 9194]
interface=[port1]
154.988983 10.109.19.9.44912 -> 3.73.212.28.9194: syn 2931162269
interface=[port1]
154.998241 18.192.89.224.9194 -> 3.73.212.28.9194: syn 2931162269
interface=[port1]
154.998289 10.109.19.9.44912 -> 3.73.212.28.9194: syn 2931162269


In the above example, FortiWeb sends the SYN packets, but no SYN-ACKs are received back, so the TCP handshake never completes. This is resolved by allowing outbound TCP port 9194 on the upstream firewall.
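A small parser for the sniffer output above that flags flows where a SYN left FortiWeb but no SYN-ACK came back, so the half-open brokers can be listed instead of read by eye. This is an added example, not part of the original article or a Fortinet tool; it assumes the one-line packet format shown in Step 4 (verbosity level 4) and uses a constructed capture in which one broker answers and one does not.

```python
import re
from collections import defaultdict

# One-line packet summary from "diagnose network sniffer <iface> '<filter>' 4".
# Assumption: the format is exactly as quoted on this page:
#   "<ts> <src>.<sport> -> <dst>.<dport>: <tcp flags and seq/ack numbers>"
PKT_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<info>.*)$"
)

def parse_flows(lines, port=9194):
    """Group sniffer lines into client->broker flows keyed by
    (client_ip, client_port, broker_ip). Each flow maps to a set of
    events: 'syn' (client SYN seen) and 'synack' (broker SYN-ACK seen)."""
    flows = defaultdict(set)
    for line in lines:
        m = PKT_RE.match(line)
        if not m:
            continue  # skips "filters=[...]" and "interface=[...]" lines
        info = m["info"]
        sport, dport = int(m["sport"]), int(m["dport"])
        is_syn = info.startswith("syn")
        has_ack = re.search(r"\back\b", info) is not None
        if dport == port and is_syn and not has_ack:      # outbound SYN
            flows[(m["src"], sport, m["dst"])].add("syn")
        elif sport == port and is_syn and has_ack:        # broker SYN-ACK
            flows[(m["dst"], dport, m["src"])].add("synack")
    return flows

def half_open_flows(lines, port=9194):
    """Flows whose SYN was sent but that never received a SYN-ACK."""
    return sorted(f for f, ev in parse_flows(lines, port).items()
                  if "syn" in ev and "synack" not in ev)

# Constructed sample capture: 3.73.212.28 never answers, 18.192.89.224 does.
SAMPLE = """\
filters=[port 9194]
interface=[port1]
154.988983 10.109.19.9.44912 -> 3.73.212.28.9194: syn 2931162269
interface=[port1]
155.990112 10.109.19.9.44912 -> 3.73.212.28.9194: syn 2931162269
interface=[port1]
156.120455 10.109.19.9.44920 -> 18.192.89.224.9194: syn 1188223344
interface=[port1]
156.131902 18.192.89.224.9194 -> 10.109.19.9.44920: syn 2040118877 ack 1188223345
interface=[port1]
156.132011 10.109.19.9.44920 -> 18.192.89.224.9194: ack 2040118878
""".splitlines()

if __name__ == "__main__":
    for client_ip, client_port, broker in half_open_flows(SAMPLE):
        print(f"no SYN-ACK from {broker}:9194 for {client_ip}:{client_port}")
```

A broker that appears in the output is unreachable on 9194 from FortiWeb, which points at an intermediate firewall rather than at the Threat Analytics configuration.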

Step 5: Debug the Threat Analytics process:


diagnose system threat-analytics info
diagnose debug application wassd 7
diagnose debug application sslutil 7
diagnose debug application logd 7
diagnose debug enable


Disable Threat Analytics in the Dashboard -> System Information widget, then re-enable it. Wait for 2-3 minutes, then attach the debug outputs to a FortiWeb support ticket on the Fortinet Support portal.


Related documents:

Analyzing attack logs in FortiWeb Cloud Threat Analytics
Troubleshooting Tip: Fixing empty data on FortiWeb Cloud Threat Analytics Dashboard