FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
lpetit_FTNT
Staff

Description

When a ticket is created, a specific set of data aimed at facilitating ticket resolution is requested.
To troubleshoot complex incidents, the support teams need to fully understand the network topology and the role of the Fortinet unit(s) in it.
Providing the unit configuration and all available logs gives a complete picture of the incident.

This article describes how to create a ticket.


Solution
[problem description and history] must answer the following questions:
----------------------------------------------------------------------------------------

Clear and detailed description

start of problem
             when exactly did the problem start (exact date/time)?
             if there were many occurrences (dates and times)
             is it a new installation?
             if not, was it working before?
             did the problem occur after an upgrade? from which version to which version?
             did the problem occur after a configuration change? which parameter has been changed?
             did the problem occur after a network change (anything else)?
             have you ever had this problem before?
            
Impact
           how many devices are facing the same issues (all of them, some of them, one of them)?
           what is the number of impacted users (all of them, some of them, one of them)?
           what is the type of impacted users (specific OS, specific HW)?

reproduction
          is the problem reproducible in the production device?
          is the problem reproducible in a lab environment? 
          step by step reproduction scenario

error message (copy the error message if any)
does it generate messages in the log? (copy of log message)

[troubleshooting steps]
----------------------------

how was the problem isolated?
troubleshooting command used and useful output
step by step troubleshooting actions taken so far


[documentation / KB ]
----------------------------
as per KB http:// the FortiGate should or should not behave in this way...
as per user guide http://docs.fortinet.com/... the FortiGate should or should not behave in this way...


[workaround or solution]
-------------------------------
e.g.
- upgrade / downgrade
- disable a parameter


Additional information required for FortiGate

[attached files]
-------------------
mandatory: 
            configuration file
            debug.log of every cluster member

optional:
e.g. (file name => explanation of what this file is showing - how it has been taken - when it has been taken)
            121114.log => UTM log file showing the problem when it occurs
            sniff.cap => sniffer trace showing the trace between source ip xxx.xxx.xxx.xxx and dst ip when the problem is present
            urlfilter.log => putty session showing urlfilter -1 when the problem is present
            diagram.vsd => network diagram or reproduction scenario
            error.jpg => screenshot showing the error message
            event.log => log file showing the error


Additional information required for FortiWeb

[Attached files]
-------------------
Mandatory: 
            Configuration file of every cluster member.
           
e.g. (file name => explanation of what this file is showing - how it has been taken - when it has been taken)
            sniff.cap => sniffer trace showing the trace between source ip xxx.xxx.xxx.xxx and dst ip when the problem is present
            diagram.vsd => network diagram or reproduction scenario
            error.jpg => screenshot showing the error message


Additional information required for FortiManager and FortiAnalyzer.

[attached files]
------------------

mandatory:
          
            Screenshots or a video capture describing the problem
            The following CLI commands are also required in order to analyze your running environment information (this is not included in the backup/configuration file):

                execute tac report
                diag sql status rebuild-db
                diag sql status rebuild-adom

            The FortiManager or FortiAnalyzer backup/configuration file will also allow us to view your configuration and test/verify your problem in the lab

Optional depending on type of problem:  


            Event log file of FortiManager (with debug level set) along with the event log file of FortiGate (might have to extract this from a Syslog server or FortiAnalyzer)
            Installation History log file (included in the backup/configuration file)
            Script execution log file (included in the backup/configuration file)
            A debug output that you might have collected during your problem investigation (e.g. diag debug application securityconsole or fgfm, etc.)