- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Alerts Trigger - Severity Logs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alerts Trigger - Severity Logs
Hi.!
I have an " Alert Trigger" set to reach me only Critical severity alerts. However, I get the mail alerts Medium severity.
Device: FortiAnalyzer 100C, v5.0.2
Time: Wed Jan 26 13:40:41 ART 2014
Type: alert
Severity: high
From: FortiAnalyzer-100C(FL100C3910003883)
Trigger: HighAlert
Threshold: more than 1 event(s) occurred within last 6 minutes
Return-Path: log@etherincoll.com
Message-ID:
<WLSP-O0169aZbLAX3cf00000005@wlsp-o01.GLOBAL.etherincoll.com>
X-OriginalArrivalTime: 29 Jan 2014 13:40:01.0233 (UTC)
FILETIME=[F382BA90:01CD7D0B]
Date: 26 Jan 2014 13:40:41 -0300
Log message:
date=2014-01-26 time=13:40:41 itime=1391024859 devid=FG300B3910600945
logid=16385 type=ips subtype=signature pri=alert vd=Portmirror
severity=medium srcip=10.10.15.38 dstip=10.10.52.8 srcintf=" port4"
policyid=1 identidx=0 sessionid=0 status=detected proto=1 service=icmp
count=1 attackname=" Multiple.Vendor.ICMP.Remote.DoS" icmpid=0x0000
icmptype=0x04 icmpcode=0x00 attackid=13244 sensor=" ruleipspmirror"
ref=" http://www.fortinet.com/ids/VID13244" incidentserialno=1719070378
msg=" DoS: Multiple.Vendor.ICMP.Remote.DoS,"
Then,
Severity: high
Log message: severity=medium
Any ideas to help me resolve this situation?
Regards.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I recommend you first upgrade to FAZ 5.0.6 as there have been countless improvement to alert handling. You might get an easier time configuring this with the Event Management tool in 5.0.6...
Post back if you still struggle afterwards!
-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if i want to set alert for device reboot by power distruption then which option should i select
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Event handler on the FortiAnalyzer is triggered by logs received from the FortiGates. If all power is lost to the FortiGate, it would not be able to generate a log. It also does not generate a log message upon reboot explaining why it rebooted.
Sounds like you would need to find a way to correlate FortiGate reboots coincided with power fluctuations in your environment. Perhaps if you a UPS solution that is monitoring power availability & it could send syslog to FAZ, it might be possible to use Event Handler somehow. Otherwise, you would need some other monitoring solution. Perhaps involving SNMP.
Chris Hall
Fortinet Technical Support
Fortinet Technical Support
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
first of all thanks a lot for quick reply.
i can configure SNMP as well. but in that how can i configure reboot option as there is no such option i can see in fortigate. but if i download MIB file and upload it to SNMP server then will that option be there? if yes what would be name of that option.
i want to configure this now. but i don't have control of SNMP server. so i will send MIB file to SNMP guy. but i need to guide him ro reboot or power disruption which option need to check.
Moreover i don't have fortianalyzer
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have fortimanager . so is it possible to enable Event handler in forti manager. as we have analyzer option also there.
if yes then only for reboot or power distruption which option is there
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I assumed your question was about FortiAnalyzer because this is a FortiAnalyzer forum.
In general, FortiGates do not record a reason for their last shutdown. Also, although some mid & high range FortiGates have PSU monitors, you still would only be able to poll realtime information on the state of their power supplies.
But you could poll FortiGates for their uptime values
fgSysUpTime OID .1.3.6.1.4.1.12356.101.4.1.20 (from FortiGate MIB)
& correlate that information with polling of some other 3rd party devices like UPS which monitor power conditions.
Chris Hall
Fortinet Technical Support
Fortinet Technical Support
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is it possible to do something on SMTP with MIB file. so that if fortigate goes down i can come to knw in SMTP server ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That questions is a good one for whatever network monitoring tool you are using. Whether the trigger condition is the output of an SNMP query to the FortiGate or lack of response to a ping probe for a predefined period of X seconds, the alert could presumably trigger an e-mail notification.
The one thing you can do on the FortiAnalyzer (or FortiManager with FortiAnalyzer features enabled) is to define an event handler to be triggered by lack of logging from a FortiGate.
Chris Hall
Fortinet Technical Support
Fortinet Technical Support
Related Posts
- Automation Email not working 1208 Views
- Why using Webex triggers Snort.TCP.SACK.Option.DoS IPS... 364 Views
- How to get email alerts of... 2752 Views
- Trigger alert via API 363 Views
- FortiAnalyzer Customer Email Handler 771 Views
Labels
-
FortiGate
6,680 -
FortiClient
1,330 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
272 -
FortiMail
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
79 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
SD-WAN
30 -
Firewall policy
29 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Authentication
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.