Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tanr
Valued Contributor II

FortiAnalyzer Threat Map Always Blank

Hi All,

We're running a FAZ 5.4.3 getting logs from a couple of FortiGates (5.4.5).  This seems to work well, but one thing I've never got to work is the Threat Map.  It's always blank (except for showing the couple of FortiGates).  Before hooking the FGTs up to the FAZ, the FortiView Threat Map on each FGT worked just fine.

Anybody got the FAZ 5.4.3 Threat Map working?  Any suggestions on what to check?

chall_FTNT
Staff

The most common problem is that the coordinates (longitude & latitude) are not set for the FortiGates.  At the moment, this needs to be manually configured on either the FortiGate (CLI) or the FortiAnalyzer (in Device Manager).   We are working on a way for that information to be learned and populated automatically in a future release.

Chris Hall
Fortinet Technical Support
tanr
Valued Contributor II

Thanks, but I had already set the coordinates on the FAZ. 

Just in case, I set the FGTs' longitude and latitude to match with:

config sys global
  set gui-latitude <latitude>
  set gui-longitude <longitude>
end

I still get a Threat Map without any activity on it, even though the threats log shows multiple entries.

Any other thoughts?  I would hope the FAZ doesn't need the FGTs' admin username and password for this.

chall_FTNT

You need UTM logs with a crscore entry.  And srcip & dstip cannot both be private IP addresses.

If those conditions are being met, then it is possible that the public IPs in question don't have a match in the geo-ip database loaded on the FAZ.

Chris Hall
Fortinet Technical Support
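The two conditions Chris states above (a UTM log carrying a crscore field, and srcip/dstip not both private) are easy to check against raw log exports before suspecting the geo-ip database. The script below is an added example for this thread, not Fortinet code or a FortiAnalyzer feature: it parses FortiGate key=value log lines and reports, per record, whether it meets those conditions and why not otherwise. The sample lines are constructed (TEST-NET addresses stand in for public IPs; 200.232.251.47 is the address checked later in the thread), and "private" is implemented as RFC 1918 space, which is an assumption about what the thread means by the term.

```python
"""Triage FortiGate log records against the two threat-map conditions given in
this thread: the record must be a UTM log with a crscore field, and srcip and
dstip must not both be private (assumed here to mean RFC 1918) addresses.

Added example, not Fortinet code. Sample records are constructed in FortiGate
key=value log syntax; only the field names the thread mentions matter here."""
import ipaddress
import re

# Constructed sample records (not taken from the thread). TEST-NET ranges stand
# in for public addresses; 200.232.251.47 is the IP checked later in the thread.
SAMPLE_LOGS = [
    'date=2018-01-10 time=12:00:01 type="utm" subtype="ips" '
    'srcip=200.232.251.47 dstip=198.51.100.5 crscore=30 crlevel="high"',
    'date=2018-01-10 time=12:00:02 type="utm" subtype="ips" '
    'srcip=10.0.0.5 dstip=192.168.1.20 crscore=30 crlevel="high"',
    'date=2018-01-10 time=12:00:03 type="traffic" subtype="forward" '
    'srcip=10.0.0.5 dstip=198.51.100.7 action="accept"',
    'date=2018-01-10 time=12:00:04 type="utm" subtype="webfilter" '
    'srcip=10.0.0.9 dstip=203.0.113.99 msg="Constructed sample event"',
    'date=2018-01-10 time=12:00:05 type="utm" subtype="ips" '
    'srcip=172.16.4.2 dstip=203.0.113.99 crscore=10 crlevel="medium"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# RFC 1918 space. ipaddress.is_private is deliberately not used: it also flags
# documentation ranges such as 203.0.113.0/24, which we want treated as public.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_record(line):
    """Parse one FortiGate key=value log line into a dict of strings."""
    fields = {}
    for match in FIELD_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_private(ip_text):
    """True if the address falls in RFC 1918 space; unparsable input counts as not private."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def threat_map_eligibility(record):
    """Return (eligible, reason) for one parsed record, per the thread's conditions."""
    if record.get("type") != "utm":
        return False, "not a UTM log"
    if "crscore" not in record:
        return False, "no crscore field"
    if is_private(record.get("srcip", "")) and is_private(record.get("dstip", "")):
        return False, "srcip and dstip both private"
    return True, "eligible"


def triage(lines):
    """Return one (srcip, dstip, eligible, reason) tuple per log line."""
    results = []
    for line in lines:
        record = parse_record(line)
        ok, reason = threat_map_eligibility(record)
        results.append((record.get("srcip"), record.get("dstip"), ok, reason))
    return results


def summarize(lines):
    """Count eligible records and tally the reasons the rest were excluded."""
    eligible, reasons = 0, {}
    for _, _, ok, reason in triage(lines):
        if ok:
            eligible += 1
        else:
            reasons[reason] = reasons.get(reason, 0) + 1
    return eligible, reasons


if __name__ == "__main__":
    for src, dst, ok, reason in triage(SAMPLE_LOGS):
        print(f"{src:>16} -> {dst:<16} {'OK  ' if ok else 'SKIP'} {reason}")
    print(summarize(SAMPLE_LOGS))
```

Run against a raw log export, a summary with zero eligible records points at logging configuration (traffic logs only, or no crscore) rather than at geo-ip; a non-zero count with an empty map is the situation this thread goes on to investigate.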
tanr
Valued Contributor II

Checking the raw logs, I see plenty of them with a crscore=30 and public srcip and dstip.  Is there a way to test the IPs against the geo-ip database?  Or test the FAZ's geo-ip database itself?

Note that both FGTs, before they were set to log to the FAZ, showed active Threat Maps with (unfortunately) plenty of attacks.

BTW, the FAZ has no public IPs itself, in case that could be part of the issue?  I've allowed it a few required services outbound, but perhaps I've somehow blocked its checks or updates for geo-ip?

chall_FTNT

> Is there a way to test the IPs against the geo-ip database?  Or test the FAZ's geo-ip database itself?

If you provide some IPs that you want us to check, we can do it for you, just to rule out that being the issue.

Chris Hall
Fortinet Technical Support
tanr
Valued Contributor II

I dug up ways to check the geoip in the FAZ 5.4 CLI, though it's not documented correctly (you need to add the word ip to the end of the command before the actual ip).

FAZ-200D-XXXXX # diag sys geoip ip 200.232.251.47
200.232.251.47 : BR - Brazil

I tested a few of the IPs that were coming through and geoip worked correctly for all of them.

So I'm assuming this is something else, either in the FAZ config, what I'm letting through from it, or my web browser settings (though I've tried multiple web browsers, allowing flash, etc.).

chall_FTNT

Ah yes, I had overlooked that diagnostic command.  Glad you figured that out.

Chris Hall
Fortinet Technical Support
chall_FTNT

diag sys geoip ip -- this is for the country-level database & is used when viewing logs -- i.e. showing country flags.
Threat map uses a city-level database which does not have a corresponding diagnostic command.

Chris Hall
Fortinet Technical Support
chall_FTNT

But 200.232.251.47 is indeed in the city level database as well:

Result: GeoIP City Edition, Rev 1: BR, 27, Sao Paulo, Santa Barbara D'oeste, N/A, -22.755699, -47.414700, 0, 0

So the database is not the issue.

Something else to consider (assuming that you do have matching UTM logs & not just traffic logs) is that, unlike the threat map in a FortiGate GUI, which goes back 1 hour, the FAZ shows threats in relative real time (not the last hour).

Chris Hall
Fortinet Technical Support