FortiAnalyzer
rmankotia
Staff
Article Id 196974
Description
This article describes how to restore the Global Threat Research view in FortiAnalyzer when the GUI reports 'Unable to connect to FortiGuard' and shows no data.

Solution
In the GUI, no global threat research data is displayed and FortiAnalyzer shows 'Unable to connect to FortiGuard'. A browser capture of the backend call that loads this view (the browser talks to FortiAnalyzer at 10.56.245.9; FortiAnalyzer in turn fetches the data from FortiGuard) shows the request failing with a 404 and an HTML body instead of JSON:

Not Successful:
GET /p/fgd/get_top/?category=threat&threattype=app&finish=2019-10-29&start=2019-10-29&num=10 HTTP/1.1
Host: 10.56.245.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-CSRFToken: 283cb12c8b0f89ef736e428b92f0ba12
XSRF-TOKEN: bd3mgFapghTCil7b8vwfgS8TPjh//KJ
If-Modified-Since: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
X-XSRF-TOKEN: "bd3mgFapghTCil7b8vwfgS8TPjh//KJ"
Connection: keep-alive
Referer: https://10.56.245.9/p/app/
Cookie: csrftoken=283cb12c8b0f89ef736e428b92f0ba12; CURRENT_SESSION=+BOoxfke//X5ezXccGcAa/kzfYTXIN3XSa3cnDs4iyQ0dfvqsa/hZMrr1K8zInreIMpJbJSad1x+jL8qQCSahOBh+LbKFOpY; auth_state=; remoteauth=; HTTP_CSRF_TOKEN=bd3mgFapghTCil7b8vwfgS8TPjh//KJ; XSRF-TOKEN="bd3mgFapghTCil7b8vwfgS8TPjh//KJ"

HTTP/1.1 404 NOT FOUND
Date: Tue, 29 Oct 2019 05:07:52 GMT
Vary: Cookie,Accept-Encoding
Content-Language: en
X-Frame-Options: SAMEORIGIN
Content-Encoding: gzip
Strict-Transport-Security: max-age=63072000
X-UA-Compatible: IE=Edge
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Keep-Alive: timeout=30, max=200
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

Change the DNS settings on FortiAnalyzer to a DNS server that can resolve external names (the FortiGuard DNS servers in this case). With working name resolution, the same backend call returns 200 with a JSON body:

Successful:
GET /p/fgd/get_top/?category=threat&threattype=virus&finish=2019-10-29&start=2019-10-29&num=10 HTTP/1.1
Host: 10.56.245.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-CSRFToken: 283cb12c8b0f89ef736e428b92f0ba12
XSRF-TOKEN: bd3mgFapghTCil7b8vwfgS8TPjh//KJ
If-Modified-Since: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
X-XSRF-TOKEN: "bd3mgFapghTCil7b8vwfgS8TPjh//KJ"
Connection: keep-alive
Referer: https://10.56.245.9/p/app/
Cookie: csrftoken=283cb12c8b0f89ef736e428b92f0ba12; CURRENT_SESSION=+BOoxfke//X5ezXccGcAa/kzfYTXIN3XSa3cnDs4iyQ0dfvqsa/hZMrr1K8zInreIMpJbJSad1x+jL8qQCSahOBh+LbKFOpY; auth_state=; remoteauth=; HTTP_CSRF_TOKEN=bd3mgFapghTCil7b8vwfgS8TPjh//KJ; XSRF-TOKEN="bd3mgFapghTCil7b8vwfgS8TPjh//KJ"

HTTP/1.1 200 OK
Date: Tue, 29 Oct 2019 05:14:33 GMT
Content-Language: en
Expires: -1
Vary: Cookie,Accept-Encoding
Pragma: no-cache
Cache-Control: no-store,no-cache,must-revalidate
X-Frame-Options: SAMEORIGIN
Content-Encoding: gzip
Strict-Transport-Security: max-age=63072000
X-UA-Compatible: IE=Edge
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Keep-Alive: timeout=30, max=200
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8

After the correct DNS servers are configured, global threat research data is shown without issues.

Root cause: the DNS server configured on FortiAnalyzer could not resolve the FortiGuard hostnames that FortiAnalyzer queries for global threat research data, so its backend fetch failed and the GUI reported 'Unable to connect to FortiGuard'. Once those names resolve, the data is retrieved and displayed. A quick way to tell the two states apart in a capture is the response to /p/fgd/get_top/: 404 with Content-Type text/html while DNS is broken, 200 with Content-Type application/json once it works. Note that the captures above carry a live CURRENT_SESSION cookie and CSRF tokens; redact these before attaching captures to a support case.
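The check described above, as an added example that is not part of this KB article or of any Fortinet tooling: it reproduces the browser's GET to the FortiAnalyzer GUI backend (the path, query parameters and header names are taken from the captures above), classifies the answer the way the two captures differ, and verifies that the resolver in use can resolve a list of hostnames. The FortiAnalyzer address, session cookie and CSRF token are placeholders you supply; the FortiGuard hostnames in EXAMPLE_NAMES are an assumption, since the article does not name the hosts FortiAnalyzer contacts. The two raw responses embedded at the bottom are constructed, abbreviated copies of the captures above and exist only so the classifier can be exercised offline.

```python
"""Diagnose 'Unable to connect to FortiGuard' in the FortiAnalyzer GUI.

Added example, not Fortinet code. Assumptions: a GET with the session
cookie and csrftoken from a logged-in browser session is accepted by the
GUI backend, and the hostnames in EXAMPLE_NAMES are only placeholders.
"""
import socket
import ssl
import urllib.error
import urllib.request
from datetime import date

# Assumed names to test name resolution with; replace with the hosts your
# FortiAnalyzer actually contacts (the article does not list them).
EXAMPLE_NAMES = ["update.fortiguard.net", "service.fortiguard.net"]


def parse_http_response(raw: str):
    """Split a raw HTTP/1.1 response head into (status, {header: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].strip()
    lines = head.split("\n")
    _version, status, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers


def fortiguard_data_available(status: int, headers: dict) -> bool:
    """The two captures in the article differ in exactly this: 200 with a
    JSON body means the backend fetched FortiGuard data; 404 with an HTML
    body means it could not."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return status == 200 and ctype == "application/json"


def resolve_all(hostnames):
    """Map each hostname to its addresses, or to an error string when the
    system resolver fails. Run it from a host that uses the same DNS
    servers as the FortiAnalyzer to reproduce its view of the names."""
    results = {}
    for name in hostnames:
        try:
            infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
            results[name] = sorted({info[4][0] for info in infos})
        except socket.gaierror as exc:
            results[name] = f"resolution failed: {exc}"
    return results


def build_request(host, session_cookie, csrf_token, threattype="virus", num=10, day=None):
    """Same backend call the GUI makes, with the auth material the captures show."""
    day = (day or date.today()).isoformat()
    url = (f"https://{host}/p/fgd/get_top/?category=threat&threattype={threattype}"
           f"&finish={day}&start={day}&num={num}")
    return urllib.request.Request(url, headers={
        "Accept": "application/json, text/plain, */*",
        "X-CSRFToken": csrf_token,
        "Referer": f"https://{host}/p/app/",
        "Cookie": f"csrftoken={csrf_token}; CURRENT_SESSION={session_cookie}",
    })


def probe(host, session_cookie, csrf_token, verify_tls=True) -> bool:
    """Issue the request and report whether FortiGuard data came back."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # GUI often has a self-signed cert; only on a trusted path
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = build_request(host, session_cookie, csrf_token)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            status, headers = resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        status, headers = err.code, {k.lower(): v for k, v in err.headers.items()}
    return fortiguard_data_available(status, headers)


# Constructed, abbreviated copies of the article's two captured responses.
FAILING_RESPONSE = (
    "HTTP/1.1 404 NOT FOUND\r\nDate: Tue, 29 Oct 2019 05:07:52 GMT\r\n"
    "X-Content-Type-Options: nosniff\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
)
WORKING_RESPONSE = (
    "HTTP/1.1 200 OK\r\nDate: Tue, 29 Oct 2019 05:14:33 GMT\r\n"
    "Cache-Control: no-store,no-cache,must-revalidate\r\n"
    "Content-Type: application/json; charset=UTF-8\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("before DNS fix", FAILING_RESPONSE), ("after DNS fix", WORKING_RESPONSE)):
        print(label, "->", fortiguard_data_available(*parse_http_response(raw)))
    for name, result in resolve_all(EXAMPLE_NAMES).items():
        print(name, "->", result)
```

To use it against a live unit, log in to the GUI, copy the csrftoken and CURRENT_SESSION cookie values from the browser's developer tools, and call probe("10.56.245.9", session_cookie, csrf_token). A False result together with resolution failures from resolve_all points at the DNS settings on the FortiAnalyzer; a False result with names resolving fine points elsewhere (routing, egress filtering, or the FortiGuard service itself).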
