Tuesday, January 24, 2012

Log uploads in realtime (FortiOS 4.0 MR3)

After upgrading several firewalls to 4.0 MR3 I noticed that by default the logs are no longer sent to my FortiAnalyzer unit in realtime. Instead they are scheduled to upload to the FAZ once per day.
If, like me, you are relying on these logs to provide realtime visibility into your network here is how to turn realtime logging back on.

On the CLI (really, Fortinet??):
config log fortianalyzer setting
    set upload-option realtime
end

This is only available on smaller units, such as the FG60C and FWF60C.
On units such as the FG200B and FG310B the "set upload-option realtime" switch does not exist, thus defaulting to realtime logging to FAZ or Syslog.

Friday, January 20, 2012

The cmdb add entry failed

I recently started noticing that when I try to add objects, policies, etc. to one of our firewalls I receive an error dialog of "The cmdb add entry failed." After doing some research on the knowledge base, the most likely explanation was related to memory utilization on the FortiGate.
There are a number of ways to resolve the problem, although they are all temporary until Fortinet comes up with a fix.

  • Reboot the firewall
  • In Firewall -> Policy -> Protocol Options modify your scan profile(s) and reduce the file Size Threshold down to 2MB from 10MB.
  • From the CLI you can run "diag sys top 1" and figure out which processes are using the most memory (the rightmost column in the process list). You can then restart a process using "diag test app <process> 99", so for example "diag test app ipsmonitor 99" if the IPS engine is running high.
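The third step above, as an added example that is not part of the original post: a small Python helper that parses "diag sys top" output, ranks processes by the rightmost (memory) column and prints the matching "diag test app <process> 99" command for the heaviest consumer. The sample output is constructed, and the per-line column layout (name, PID, state, CPU %, memory %) is an assumption based on the post's description.

```python
"""Rank FortiOS 'diag sys top' process lines by memory and suggest a restart."""

# Constructed sample of 'diag sys top 1' output (not captured from a real unit).
# Assumed layout per process line: name, PID, state, CPU %, memory %.
SAMPLE_TOP = """\
Run Time:  12 days, 3 hours and 21 minutes
0U, 0N, 1S, 99I; 1982T, 612F
        ipsmonitor      112      S       0.0     11.3
        httpsd           89      S       0.5      4.1
        scanunitd       134      S       0.0      6.8
        miglogd          77      S       0.0      2.2
"""


def parse_top(output):
    """Return (name, pid, mem_pct) tuples sorted by memory, highest first.

    Header lines ('Run Time', the U/N/S/I summary) have no numeric PID in
    the second field and are skipped.
    """
    procs = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[1].isdigit():
            continue
        name, pid = fields[0], int(fields[1])
        try:
            mem = float(fields[-1])  # memory % is the rightmost column
        except ValueError:
            continue
        procs.append((name, pid, mem))
    return sorted(procs, key=lambda p: p[2], reverse=True)


def restart_hint(output, threshold=10.0):
    """Return the restart command for the top memory consumer if it exceeds
    threshold percent, otherwise None (nothing worth restarting)."""
    procs = parse_top(output)
    if not procs:
        return None
    name, _, mem = procs[0]
    if mem < threshold:
        return None
    return "diag test app %s 99" % name


if __name__ == "__main__":
    for name, pid, mem in parse_top(SAMPLE_TOP):
        print("%-12s pid=%-4d mem=%.1f%%" % (name, pid, mem))
    print(restart_hint(SAMPLE_TOP))
```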