Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
HRCA
New Contributor II

Created on ‎02-27-2025 02:48 PM Edited on ‎02-27-2025 02:48 PM

FAZ 7.6.2 - VPN Report Broken After Upgrade (No Matching Log Data)

Hey everyone

 

Thanks in advance for any help you can provide.

 

I recently upgraded my company's FortiAnalyzer (FAZ) to 7.6.2, and a custom VPN connection/disconnection report used by my manager has broken. While the report is custom, it was originally based on a Fortinet employee’s article. 

After logging a support case, I was informed that because this is a custom report, I need to resolve the issue myself.

 

What I’ve Found So Far

  • I found a Reddit post where another user experienced similar issues after the FAZ backend switched from PostgreSQL to ClickHouse.
  • I followed the Fortinet ClickHouse migration documentation and updated my SQL query accordingly.
  • The data appears correctly when previewing the dataset, and it also shows up in chart previews.
  • However, when I generate the report, it comes out blank with the message:
    :police_car_light:"No matching log data for this report"

My Current SQL Query

 
SELECT
`user` AS "User",
(
CASE
WHEN `action` = 'tunnel-up' THEN 'Connected'
ELSE 'Disconnected'
END
) AS "VPN Status",
$calendar_time(itime) AS `Time Stamp`
FROM
$log
WHERE
$filter
AND (
(`action` = 'tunnel-up')
OR (`action` = 'tunnel-down`)
)
GROUP BY
`Time Stamp`,
`action`,
`user`
ORDER BY
`user`,
`Time Stamp`

Questions for the Community

  1. Has anyone else faced this issue after upgrading to FAZ 7.6.x?
  2. Are there any known issues with ClickHouse affecting FAZ report generation?
  3. Is there a workaround to get this report working again?

Any help or insight would be greatly appreciated!

 

Thanks
Heath

Labels:
1256
0 Kudos
1 Solution
HRCA
New Contributor II

Created on ‎03-12-2025 03:36 PM

Hey All

 

This has been solved with the below SQL query. All credit to farhanahmed 

 

Thanks 

Heath

SELECT
a.`user`,
a.login,
b.logout,
b.duration,
b.transferred_bytes
FROM
###(
SELECT
`user`,
min(from_dtime(dtime)) AS login,
tunnelid
FROM
$log-event
WHERE
action = 'tunnel-up'
and $filter
GROUP BY
`user`,
tunnelid
)### a,
###(
SELECT
max(from_dtime(dtime)) AS logout,
duration,
sum(sentbyte + rcvdbyte) AS transferred_bytes,
tunnelid
FROM
$log-event
WHERE
action = 'tunnel-down'
and $filter
GROUP BY
duration,
tunnelid
HAVING
sum(sentbyte + rcvdbyte) > 0
)### b
WHERE
a.tunnelid = b.tunnelid
ORDER BY
login,
`user`

View solution in original post

1047
7 REPLIES 7
Stephen_G
Moderator
Moderator

Created on ‎03-02-2025 05:39 AM

Hello,

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Stephen - Fortinet Community Team
1219
0 Kudos
Stephen_G
Moderator
Moderator

Created on ‎03-04-2025 11:13 AM

Hi,

 

Sorry, we're still trying to get you an answer or reply. In the meantime, if anyone viewing this topic has a possible answer, your input is welcomed.

Stephen - Fortinet Community Team
1195
0 Kudos
Stephen_G
Moderator
Moderator

Created on ‎03-06-2025 04:35 PM

Hi again,

 

Is this article any help?

Stephen - Fortinet Community Team
1147
HRCA
New Contributor II
In response to Stephen_G

Created on ‎03-07-2025 01:56 AM

Thanks Stephen. As the report was working until the upgrade and reading through the article, I don't believe that is the issue. Maybe this will go unresolved until more people hit the issue on FAZ 7.6 🤷

1116
0 Kudos
HRCA
New Contributor II

Created on ‎03-12-2025 03:36 PM

Hey All

 

This has been solved with the below SQL query. All credit to farhanahmed 

 

Thanks 

Heath

SELECT
a.`user`,
a.login,
b.logout,
b.duration,
b.transferred_bytes
FROM
###(
SELECT
`user`,
min(from_dtime(dtime)) AS login,
tunnelid
FROM
$log-event
WHERE
action = 'tunnel-up'
and $filter
GROUP BY
`user`,
tunnelid
)### a,
###(
SELECT
max(from_dtime(dtime)) AS logout,
duration,
sum(sentbyte + rcvdbyte) AS transferred_bytes,
tunnelid
FROM
$log-event
WHERE
action = 'tunnel-down'
and $filter
GROUP BY
duration,
tunnelid
HAVING
sum(sentbyte + rcvdbyte) > 0
)### b
WHERE
a.tunnelid = b.tunnelid
ORDER BY
login,
`user`

1048
czamudio
Staff
Staff

Created on ‎03-27-2025 10:30 AM

Hello

 

there is a bug with vpn logs report in 7.6.2, you will need to create a ticket so we can investigate the specifics and see if it match

Cuauhtemoc Zamudio Technical Support Engineer – LATAM ETAC M-F 09:00-18:00 Hrs. Central Time T: +1 408-542-7780
966
0 Kudos
farhanahmed
Staff
Staff

Created on ‎04-02-2025 10:54 AM

Thanks @HRCA for the mention. I am glad the solution I provided helped you resolve the issue.


SELECT
a.`user`,
a.login,
b.logout,
b.duration,
b.transferred_bytes
FROM
###(
SELECT
`user`,
min(from_dtime(dtime)) AS login,
tunnelid
FROM
$log-event
WHERE
action = 'tunnel-up'
and $filter
GROUP BY
`user`,
tunnelid
)### a,
###(
SELECT
max(from_dtime(dtime)) AS logout,
duration,
sum(sentbyte + rcvdbyte) AS transferred_bytes,
tunnelid
FROM
$log-event
WHERE
action = 'tunnel-down'
and $filter
GROUP BY
duration,
tunnelid
HAVING
sum(sentbyte + rcvdbyte) > 0
)### b
WHERE
a.tunnelid = b.tunnelid
ORDER BY
login,
`user`



its a bit more useful because it shows login, logout and duration of a user as well. You can then adjust the chart to change the format of the duration and bytes.

FA
909
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.