Troubleshooting FortiGate

Installation Issues

Issue: Integration fails to install

  • Solution: Verify Logpoint version compatibility (v6.7.0 or later for Devices, v7.4.0 or later for log source template)

  • Solution: Check available disk space and system resources

  • Solution: Ensure proper administrative privileges

Issue: Integration not visible after installation

  • Solution: Refresh the browser and check under Settings >> System Settings >> Plugins

  • Solution: Restart Logpoint if necessary

Configuration Issues

Issue: Cannot configure syslog forwarding on FortiGate device

  • Solution: Verify you have administrative access to FortiGate device

  • Solution: Ensure Logpoint IP address is reachable from FortiGate device

  • Solution: Check firewall rules allow syslog traffic (typically UDP port 514)

  • Solution: Consult FortiGate documentation for proper syslog configuration commands

Issue: CNDP (CompiledNormalizer Date Preference) not configured

  • Solution: CNDP configuration is mandatory for FortiGate normalizers

  • Solution: Access CNDP configuration in Logpoint settings

  • Solution: Configure appropriate date format matching FortiGate log format

  • Solution: Refer to Logpoint CNDP documentation for detailed configuration steps

Issue: Wrong normalizer selected

  • Solution: Use FortiOSCompiledNormalizer for standard FortiGate logs

  • Solution: Use FortiCEFCompiledNormalizer for CEF-formatted logs

  • Solution: Verify log format from FortiGate matches selected normalizer

Issue: Processing policy configuration errors

  • Solution: Ensure normalization policy is created before processing policy

  • Solution: Verify the correct normalizer is selected in the normalization policy

  • Solution: Check that routing and enrichment policies are properly configured

Data Ingestion Issues

Issue: No logs being ingested

  • Solution: Verify FortiGate device is configured to forward syslog to Logpoint

  • Solution: Check if syslog service is running on FortiGate device

  • Solution: Confirm syslog collector is active in Logpoint

  • Solution: Test network connectivity from FortiGate to Logpoint

  • Solution: Verify FortiGate syslog configuration includes correct destination IP and port

Issue: Incomplete log ingestion

  • Solution: Check routing criteria configuration - ensure it matches FortiGate log structure

  • Solution: Verify the correct normalizer and normalization packages are selected

  • Solution: Monitor collector logs for errors or warnings

  • Solution: Check if specific log types are disabled on FortiGate

Issue: Logs not normalized correctly

  • Solution: Verify appropriate Compiled Normalizer is selected (FortiOSCompiledNormalizer or FortiCEFCompiledNormalizer)

  • Solution: Ensure CNDP is properly configured for date parsing

  • Solution: Check log format matches expected format (key-value pairs)

  • Solution: Ensure SyslogParser is selected as the parser

  • Solution: Verify FortiGate firmware version is supported

Issue: Date/timestamp parsing errors

  • Solution: Verify CNDP configuration matches FortiGate date format

  • Solution: Check FortiGate timezone configuration matches Logpoint device timezone

  • Solution: Ensure date and time fields are present in FortiGate logs

  • Solution: Review CNDP documentation for proper date format configuration

Issue: Message ID not recognized

  • Solution: Verify FortiGate firmware version is compatible with normalization packages

  • Solution: Check if newer message IDs need updated normalization packages

  • Solution: Update FortiGate integration to latest version

  • Solution: Consult FortiGate message ID documentation for unknown IDs
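The three issues above (key-value format, CNDP date parsing, message ID recognition) can be checked on a raw FortiGate syslog line before it reaches the normalizer; the following Python diagnostic is an added example, not part of the Logpoint integration. It assumes FortiOS key=value log bodies, that a ten-digit logid carries the message ID in its last six digits, that the raw sentbyte/rcvdbyte fields are what become sent_datasize/received_datasize, and it uses constructed sample lines.

```python
import re
from datetime import datetime

# Message-ID ranges quoted in this guide, keyed by event family (inclusive bounds).
MESSAGE_ID_RANGES = {
    "config-change": [(32102, 32102), (32104, 32104), (44544, 44552)],
    "ipsec-vpn": [(23101, 23103)], "ssl-vpn": [(39424, 39426)],
    "anomaly": [(18432, 18434)], "app-control": [(28672, 28721)],
    "dns": [(54000, 54803)], "wireless": [(43520, 43621)], "dlp": [(24576, 24579)],
}
# FortiOS KV body: key=value, value either bare or double-quoted (quotes may hold spaces).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_line(line):
    # Non-KV text (e.g. a plain kernel message) yields an empty dict.
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}

def classify_message_id(logid):
    # Returns the guide's event family for a logid, or None when outside all listed ranges.
    if not logid.isdigit():
        return None
    # Assumption: a 10-digit logid is type(2) + subtype(2) + message ID(6); shorter = bare ID.
    msg_id = int(logid[-6:]) if len(logid) == 10 else int(logid)
    for family, ranges in MESSAGE_ID_RANGES.items():
        if any(lo <= msg_id <= hi for lo, hi in ranges):
            return family
    return None

def check_line(line):
    # Explains why a line may fail normalization, CNDP date parsing, or bandwidth widgets.
    fields = parse_fortigate_line(line)
    if not fields:
        return {"fields": {}, "family": None, "problems": ["no key=value pairs: not FortiOS KV format, check normalizer choice"]}
    problems = [f"missing field '{n}'" for n in ("date", "time", "logid", "type") if n not in fields]
    if "date" in fields and "time" in fields:
        try:  # FortiOS emits YYYY-MM-DD and HH:MM:SS; anything else needs a matching CNDP entry
            datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            problems.append(f"date/time '{fields['date']} {fields['time']}' does not match CNDP format")
    if fields.get("type") == "traffic":  # assumption: sentbyte/rcvdbyte become sent_/received_datasize
        problems += [f"traffic log lacks '{f}', bandwidth widget will be empty"
                     for f in ("sentbyte", "rcvdbyte") if f not in fields]
    return {"fields": fields, "family": classify_message_id(fields.get("logid", "")), "problems": problems}

# Constructed sample lines (not captured from a real device).
SAMPLE_LINES = [
    'date=2024-05-01 time=10:15:02 logid="0000000013" type="traffic" subtype="forward" srcip=10.1.1.5 dstip=203.0.113.9 sentbyte=1200 rcvdbyte=5400',
    'date=05/01/2024 time=10:16:40 logid="0100044547" type="event" subtype="system" user="admin" cfgpath="firewall policy" msg="Edit policy 12"',
    'May  1 10:17:00 fgt-edge kernel: no key value pairs here',
]
```

Run check_line over a few lines captured from the collector; a non-empty "problems" list points at the normalizer, CNDP, or FortiGate logging setting to fix first.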

Dashboard and Analytics Issues

Issue: Dashboard widgets not displaying data

  • Solution: Verify repository selection matches where FortiGate logs are stored

  • Solution: Check time range settings on dashboard

  • Solution: Confirm normalization is working correctly using search query: norm_id = "Forti*"

  • Solution: Ensure device timezone matches log source timezone

Issue: Traffic dashboard showing no bandwidth data

  • Solution: Verify traffic logs are being generated by FortiGate

  • Solution: Check that sent_datasize and received_datasize fields are populated

  • Solution: Ensure traffic logging is enabled on FortiGate policies

  • Solution: Verify bandwidth calculation fields are being normalized correctly

Issue: Attack dashboard showing no detections

  • Solution: Verify IPS is enabled and actively detecting threats on FortiGate

  • Solution: Check that attack logs are being forwarded to Logpoint

  • Solution: Ensure attack field is being parsed correctly

  • Solution: Verify IPS signatures are up to date on FortiGate

Issue: Web filtering dashboard showing no data

  • Solution: Verify web filtering is enabled on FortiGate

  • Solution: Check that webfilter logs are being generated

  • Solution: Ensure URL filtering policies are active

  • Solution: Verify sub_category field contains "webfilter" value

Issue: Configuration changes not appearing

  • Solution: Verify configuration change logging is enabled on FortiGate

  • Solution: Check for specific message IDs: 32102, 32104, 44544-44552

  • Solution: Ensure admin users have proper audit logging enabled

  • Solution: Verify configuration path and attribute fields are populated

Issue: FortiMail dashboard showing no data

  • Solution: Verify FortiMail logs are being sent to same Logpoint repository

  • Solution: Check that FortiMail-specific fields are being normalized

  • Solution: Ensure FortiMail session IDs are being captured

  • Solution: Verify email-related event categories are present

Alert Issues

Issue: Alerts not triggering

  • Solution: Review alert queries and ensure they match FortiGate log format

  • Solution: Check alert policy configuration and notification settings

  • Solution: Verify logs contain expected message IDs and labels

  • Solution: Test alert query manually in search to confirm matching events exist

Issue: False positive alerts

  • Solution: Tune alert thresholds to reduce noise

  • Solution: Add exclusion criteria for known benign events

  • Solution: Review alert query logic for overly broad matching

  • Solution: Implement correlation rules for more accurate detection

Issue: Dynamic list updates not working (FORTIMAIL_SESSION)

  • Solution: Verify dynamic list FORTIMAIL_SESSION is created in Knowledge Base

  • Solution: Check that session_id field is populated in FortiMail logs

  • Solution: Ensure alert query correctly processes toList() function

  • Solution: Verify list update permissions are configured

Performance Issues

Issue: Slow query performance

  • Solution: Optimize queries by adding time range constraints

  • Solution: Use indexed fields in search queries where possible

  • Solution: Consider data retention policies to manage repository size

  • Solution: Filter by specific event categories or message IDs to reduce scope

Issue: High resource usage

  • Solution: Monitor syslog collector resource consumption

  • Solution: Implement log filtering using routing criteria to reduce unnecessary data ingestion

  • Solution: Monitor and tune normalization policies

  • Solution: Consider adjusting FortiGate logging levels to reduce volume

Issue: High log volume from FortiGate

  • Solution: Adjust logging levels on FortiGate to reduce verbosity

  • Solution: Disable logging for low-priority traffic policies

  • Solution: Configure FortiGate to log only security-relevant events

  • Solution: Use log filtering on FortiGate before forwarding to Logpoint

  • Solution: Implement selective routing criteria in Logpoint

Event-Specific Issues

Issue: VPN events not appearing

  • Solution: Verify VPN logging is enabled on FortiGate

  • Solution: Check for message IDs: 023101-023103 (IPSec), 039424-039426 (SSL VPN)

  • Solution: Ensure VPN tunnels are active and generating logs

  • Solution: Verify event_category="event" and sub_category="vpn"

Issue: Anomaly detection not working

  • Solution: Verify anomaly detection features are enabled on FortiGate

  • Solution: Check for message IDs: 018432-018434

  • Solution: Ensure log_level="alert" for anomaly events

  • Solution: Verify anomaly policies are configured on FortiGate

Issue: Application control logs missing

  • Solution: Verify application control is enabled on FortiGate

  • Solution: Check for message IDs: 028672-028721

  • Solution: Ensure application control policies are applied to traffic

  • Solution: Verify application signatures are up to date

Issue: DNS events not being captured

  • Solution: Verify DNS logging is enabled on FortiGate

  • Solution: Check for message IDs: 054000-054803

  • Solution: Ensure DNS filtering or monitoring is configured

  • Solution: Verify DNS queries are passing through FortiGate

Issue: Wireless events missing

  • Solution: Verify FortiGate is managing wireless access points

  • Solution: Check for message IDs: 043520-043621

  • Solution: Ensure wireless controller is enabled

  • Solution: Verify access points are properly connected

Issue: DLP events not detected

  • Solution: Verify DLP is licensed and enabled on FortiGate

  • Solution: Check for message IDs: 024576-024579

  • Solution: Ensure DLP policies are configured and active

  • Solution: Verify file fingerprinting is working correctly

GeoIP and Enrichment Issues

Issue: Geographic data not appearing in dashboards

  • Solution: Verify GeoIP enrichment policy is configured in Logpoint

  • Solution: Check that source_address and destination_address fields are populated

  • Solution: Ensure GeoIP database is up to date in Logpoint

  • Solution: Verify alert queries include GeoIP processing commands

Issue: Source/destination country fields empty

  • Solution: Ensure enrichment policy includes GeoIP lookups

  • Solution: Check that IP addresses are public (not RFC 1918 private IPs)

  • Solution: Verify geoip() processing commands in queries

  • Solution: Update GeoIP database if outdated

Report Issues

Issue: Reports not generating

  • Solution: Verify report templates are properly configured

  • Solution: Check that selected repositories contain FortiGate data

  • Solution: Ensure time range includes events in the repository

  • Solution: Verify report generation service is running

Issue: Reports missing data

  • Solution: Check that all required FortiGate dashboards are enabled

  • Solution: Verify repository selection matches FortiGate log storage

  • Solution: Ensure normalization is producing expected fields

  • Solution: Check report template queries for syntax errors

Integration-Specific Issues

Issue: FortiAnalyzer integration not working

  • Solution: Verify LP_FortiAnalyzer normalization package is selected

  • Solution: Check FortiAnalyzer log format compatibility

  • Solution: Ensure FortiAnalyzer is forwarding logs correctly

  • Solution: Verify network connectivity from FortiAnalyzer to Logpoint

Issue: FortiAuthenticator logs not normalizing

  • Solution: Verify LP_Forti Authenticator v4 normalization package is selected

  • Solution: Check FortiAuthenticator version compatibility

  • Solution: Ensure authentication events are being logged

  • Solution: Verify syslog configuration on FortiAuthenticator

Issue: Multiple FortiGate devices logging inconsistently

  • Solution: Ensure all FortiGate devices use consistent syslog configuration

  • Solution: Verify firmware versions are compatible across devices

  • Solution: Check that CNDP configuration works for all device formats

  • Solution: Use device-specific normalization if needed
