This article describes why report tables built on session datasets come back empty and how to resolve the issue.
FortiAnalyzer.
FortiAnalyzer provides multiple default datasets to generate reports for user sessions or bandwidth usage.
For example:
Occasionally, specific tables in the report return no data. If this happens, navigate to the datasets and look at the SQL query.
In the dataset, the WHERE clause is the main reason most reports are returned empty. All reports with sessions or bandwidth tables include the filter below:
WHERE
$filter
AND (logflag & 1 > 0)
This filter includes only forward traffic logs in the report output. Hence, users need to check the Log ID in FortiAnalyzer Log View to verify which logs are received from the FortiGates.
The example above shows the Log IDs below:
0000000013 --> Forward Traffic Log
0001000014 --> Local Traffic Log
A Log ID beginning with 0000xxxxxx indicates a forward traffic log, while a Log ID beginning with 0001xxxxxx indicates a local traffic log.
For more information, refer to the document below:
For FortiAnalyzer to receive the forward traffic logs that the report needs, change the firewall policy to log all sessions:
After changing the firewall policy, wait a few minutes for the FortiGate to forward the latest logs to FortiAnalyzer, then verify the Log ID in Log View again.
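The Log ID check described above can also be run over log lines exported from Log View, to list the devices that send no forward traffic logs. This is an added example, not code from the original article or from Fortinet; the key=value line layout, the `devname` field and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Prefix rule from the article: 0000xxxxxx = forward traffic, 0001xxxxxx = local traffic.
PREFIXES = {"0000": "forward", "0001": "local"}

# Matches key="quoted value" or key=bare_value (assumed export layout).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict."""
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in FIELD_RE.findall(line)}


def classify(logid):
    """Map a 10-digit Log ID to a traffic kind using its first four digits."""
    if not re.fullmatch(r"\d{10}", logid or ""):
        return "invalid"
    return PREFIXES.get(logid[:4], "other")


def summarize(lines):
    """Count traffic kinds per device; lines without a logid are skipped."""
    per_device = defaultdict(Counter)
    for line in lines:
        fields = parse_line(line)
        if "logid" in fields:
            device = fields.get("devname", "unknown")
            per_device[device][classify(fields["logid"])] += 1
    return per_device


def devices_without_forward(lines):
    """Devices whose sessions/bandwidth tables would come back empty."""
    return sorted(dev for dev, counts in summarize(lines).items()
                  if counts["forward"] == 0)


# Constructed sample lines, not taken from a real device.
SAMPLE = [
    'date=2024-05-01 time=10:00:01 devname="FGT-A" logid="0000000013" type="traffic"',
    'date=2024-05-01 time=10:00:02 devname="FGT-A" logid="0001000014" type="traffic"',
    'date=2024-05-01 time=10:00:03 devname="FGT-B" logid="0001000014" type="traffic"',
    'date=2024-05-01 time=10:00:04 devname="FGT-B" logid="0001000014" type="traffic"',
]

if __name__ == "__main__":
    for dev, counts in sorted(summarize(SAMPLE).items()):
        print(dev, dict(counts))
    print("no forward traffic logs:", devices_without_forward(SAMPLE))
```

A device listed by `devices_without_forward` is the one whose firewall policy logging should be reviewed.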