IBM Security QRadar

  • 1.  Fortigate Unknown events

    Posted Wed March 24, 2021 02:09 AM
    Hi Everyone,

    Urgent help,

    Suddenly, for the last few days, all Fortigate firewall events have been unparsed. Kindly suggest how to rectify this.

    Thanks,
    Panendar Rao.C

    ------------------------------
    PHANENDRA RAO CHAVANA
    ------------------------------


  • 2.  RE: Fortigate Unknown events

    IBM Champion
    Posted Wed March 24, 2021 05:58 AM
    Phanendra,

    When you ask for urgent help, you should supply sufficient information so that community members can assist you.
    Fortinet Fortigate works like all the other devices in my experience. Troubleshooting steps to take:
    • automatic update enabled in QRadar? (yes)
    • automatic update enabled in Fortigate? (yes)
    • do release and subrelease correspond between Fortigate and DSM? (yes)
    • if all events are unnormalized (aka unparsed), are there any events at all hitting your existing logsource? (yes)
    • are events bypassing your existing logsource type definition because of an IP address or host name change? (no)
    • are you using DHCP for your managed Fortigate IP? (no)
    • has a new logsource automatically been created? (no)
    • are unknown events coming in being stored by the generic DSM? (no)
    • what is the HLC of your unknown events? (unknown)
    If all (!) answers match those listed above in parentheses, you should open a service ticket with IBM.
    If one or more answers are different, we are happy to assist you.

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
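The checklist in the reply above, turned into an offline triage script. This is an added example, not code from the original thread or from IBM QRadar: for each (sender, raw line) pair it reports whether the event would hit a configured log source, whether it parses as Fortigate key=value syslog, and if not, which expected fields are missing. The log source table, the three sample events (including one switched to CEF output) and the REQUIRED_KEYS set are constructed assumptions for illustration, not the DSM's real matching rules.

```python
"""
Added example, not code from the original thread or from IBM QRadar: an offline
triage script that walks the reply's checklist for a batch of Fortigate syslog
events. The log source table, the sample events and the REQUIRED_KEYS set are
constructed assumptions, not the DSM's real matching rules.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# key=value pairs; values may be bare tokens or double-quoted strings with spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed minimum set of fields for an event to count as "parsed" (illustrative)
REQUIRED_KEYS = {"date", "time", "devname", "logid", "type"}

# Constructed stand-in for the QRadar log source table: identifier -> (name, type)
LOG_SOURCES: Dict[str, Tuple[str, str]] = {
    "10.1.1.1": ("FGT-Edge", "Fortinet FortiGate Security Gateway"),
}

# Constructed sample traffic: (sender IP as seen by the syslog collector, raw line)
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    # 1. normal FortiOS key=value traffic log from the known sender
    ("10.1.1.1",
     '<189>date=2021-03-24 time=02:09:00 devname="FGT-Edge" devid="FG60EXXXXXXXXXX" '
     'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
     'srcip=10.0.0.5 dstip=93.184.216.34 action="accept" msg="allowed by policy"'),
    # 2. same sender, but the device was switched to CEF output after an update
    ("10.1.1.1",
     '<189>CEF:0|Fortinet|Fortigate|7.0.0|0000000013|traffic:forward accept|3|'
     'src=10.0.0.5 dst=93.184.216.34 act=accept'),
    # 3. valid FortiOS line, but from an address with no configured log source
    ("10.1.1.2",
     '<189>date=2021-03-24 time=02:10:00 devname="FGT-Edge" devid="FG60EXXXXXXXXXX" '
     'logid="0100032001" type="event" subtype="system" level="information" '
     'logdesc="Admin login successful" user="admin" action="login" status="success"'),
]


@dataclass
class Verdict:
    sender: str
    log_source: Optional[str]
    status: str                      # "parsed", "unknown" or "unmatched"
    reason: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_fortigate(line: str) -> Dict[str, str]:
    """Strip the syslog <PRI> and return the key=value pairs, quotes removed."""
    body = line.split(">", 1)[1] if line.startswith("<") else line
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def triage(sender: str, line: str) -> Verdict:
    """Apply the checklist: matched log source? parsed? if not, what is missing?"""
    if sender not in LOG_SOURCES:
        # Checklist items: IP/hostname change, DHCP address, auto-created log source
        return Verdict(sender, None, "unmatched",
                       "no log source for this sender: IP/hostname change, DHCP lease "
                       "or autodiscovery creating a new log source?")
    name, _ = LOG_SOURCES[sender]
    fields = parse_fortigate(line)
    missing = sorted(REQUIRED_KEYS - fields.keys())
    if not missing:
        return Verdict(sender, name, "parsed", "all expected fields present", fields)
    # Checklist items: release/DSM mismatch, log format changed on the device
    return Verdict(sender, name, "unknown",
                   "missing fields " + ", ".join(missing)
                   + ": log format or release changed on the Fortigate?", fields)


def summarize(events: List[Tuple[str, str]]) -> Counter:
    """Count verdicts per status for the whole batch."""
    return Counter(triage(s, l).status for s, l in events)


if __name__ == "__main__":
    for sender, line in SAMPLE_EVENTS:
        v = triage(sender, line)
        print(f"{sender:<10} {v.log_source or '-':<10} {v.status:<10} {v.reason}")
    print(dict(summarize(SAMPLE_EVENTS)))
```

Feed the script the raw payloads and sender addresses you copy out of the unknown events (the HLC of those events tells you whether they landed as Unknown or Stored) and the verdict separates the two failure modes the reply distinguishes: events that reach the right log source but no longer match the expected format, and events that never reach it because the sender identity changed.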