Hi All,
We're running a FAZ 5.4.3 getting logs from a couple FortiGates (5.4.5). This seems to work well, but one thing I've never got to work is the Threat Map. It's always blank (except for showing the couple FortiGates). Before hooking the FGT's up to the FAZ the FortiView Threat Map on each FGT worked just fine.
Anybody got the FAZ 5.4.3 Threat Map working? Any suggestions on what to check?
The most common problem is that the coordinates (longitude & latitude) are not set for the FortiGates. At the moment, this needs to manually be configured on either FortiGate (CLI) or FortiAnalyzer (in Device Manager). We are working on a way for that information to be learned and populated automatically in a future release.
Thanks, but I had already set the coordinates on the FAZ.
Just in case, I set the FGT's longitude and latitude to match with:
config sys global
set gui-latitude
set gui-longitude
I still get a Threat Map without any activity on it, even though the threats log shows multiple entries.
Any other thoughts? I would hope the FAZ doesn't need the FGT's admin username and password for this.
You need UTM logs with a crscore entry. And srcip & dstip cannot both be private IP addresses.
If those conditions are being met, then it is possible that the public IPs in question don't have a match in the geo-ip database loaded on the FAZ.
Checking the raw logs, I see plenty of them with a crscore=30 and public srcip and dstip. Is there a way to test the IPs against the geo-ip database? Or test the FAZ's geo-ip database itself?
Note that both FGT's, before they were set to log to the FAZ, showed active Threat Maps with (unfortunately) plenty of attacks.
BTW, the FAZ has no public IPs itself, in case that could be part of the issue? I've allowed it a few required services outbound, but perhaps I've somehow blocked its checks or updates for geo-ip?
> Is there a way to test the IPs against the geo-ip database? Or test the FAZ's geo-ip database itself?
If you provide some IPs that you want us to check, we can do it for you, just to rule out that being the issue.
I dug up ways to check the geoip in the FAZ 5.4 CLI, though it's not documented correctly (you need to add the word ip to the end of the command before the actual ip).
FAZ-200D-XXXXX # diag sys geoip ip 200.232.251.47
200.232.251.47 : BR - Brazil
I tested a few of the IPs that were coming through and geoip worked correctly for all of them.
So I'm assuming this is something else, either in the FAZ config, what I'm letting through from it, or my web browser settings (though I've tried multiple web browsers, allowing flash, etc.).
Ah yes, I had overlooked that diagnostic command. Glad you figured that out.
diag sys geoip ip -- this is for the country-level database & is used when viewing logs -- i.e. showing country flags.
Threat map uses a city-level database which does not have a corresponding diagnostic command.
But 200.232.251.47 is indeed in the city level database as well:
Result: GeoIP City Edition, Rev 1: BR, 27, Sao Paulo, Santa Barbara D'oeste, N/A, -22.755699, -47.414700, 0, 0
So the database is not the issue.
Something else to consider (assuming that you do have matching UTM logs & not just traffic logs) is that unlike the threat map in a FortiGate GUI, which goes back 1 hour, the FAZ shows threats in relative real time (not the last hour).
Copyright 2024 Fortinet, Inc. All Rights Reserved.