FortiAnalyzer Threat Map Always Blank

tanr, 2017/09/29 07:33:06

Hi All,
 
We're running a FAZ 5.4.3 getting logs from a couple of FortiGates (5.4.5).  This seems to work well, but one thing I've never got to work is the Threat Map.  It's always blank (except for showing the couple of FortiGates).  Before hooking the FGTs up to the FAZ, the FortiView Threat Map on each FGT worked just fine.
 
Anybody got the FAZ 5.4.3 Threat Map working?  Any suggestions on what to check?
#1
chall_FTNT, 2017/09/29 08:39:59
The most common problem is that the coordinates (longitude & latitude) are not set for the FortiGates.  At the moment, this needs to be configured manually on either the FortiGate (CLI) or the FortiAnalyzer (in Device Manager).   We are working on a way for that information to be learned and populated automatically in a future release.
#2
tanr, 2017/09/29 09:33:24
Thanks, but I had already set the coordinates on the FAZ. 
Just in case, I set the FGTs' longitude and latitude to match with:
 
config sys global
  set gui-latitude <latitude>
  set gui-longitude <longitude>
end
 
I still get a Threat Map without any activity on it, even though the threats log shows multiple entries.
 
Any other thoughts?  I would hope the FAZ doesn't need the FGTs' admin username and password for this.
 
#3
chall_FTNT, 2017/09/29 13:53:00
You need UTM logs with a crscore entry.  And srcip & dstip cannot both be private IP addresses.
If those conditions are being met, then it is possible that the public IPs in question don't have a match in the geo-ip database loaded on the FAZ.
#4
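The two conditions above can be checked mechanically before staring at the map. The following is an added example, not code from the thread or from Fortinet: it parses FortiGate key=value log lines (constructed samples in FortiOS 5.4 style; the logid values are placeholders, and 8.8.8.8 simply stands in for some public host) and keeps only those that satisfy both rules. Which ranges count as "private" is an assumption here (RFC 1918 plus loopback and link-local); the thread only states that src and dst must not both be private.

```python
import ipaddress
import re

# Ranges treated as "private" for the threat-map rule. Listed explicitly
# (RFC 1918, loopback, link-local) instead of relying on ipaddress.is_private,
# whose coverage differs between Python versions. This choice is an assumption.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# FortiGate logs are key=value pairs; a value is either a double-quoted string
# (which may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse one FortiGate log line into a dict; surrounding quotes are stripped."""
    fields = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_private(ip):
    """True if the textual address falls inside one of PRIVATE_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def is_threat_map_candidate(fields):
    """The two conditions from the thread: a UTM log that carries crscore, and
    srcip/dstip not both private. Malformed or missing addresses never qualify."""
    if fields.get("type") != "utm" or "crscore" not in fields:
        return False
    src, dst = fields.get("srcip"), fields.get("dstip")
    if not src or not dst:
        return False
    try:
        return not (is_private(src) and is_private(dst))
    except ValueError:  # unparsable address text
        return False


def threat_map_candidates(lines):
    """Return (srcip, dstip, crscore, subtype) for every line that should plot."""
    out = []
    for line in lines:
        f = parse_fortigate_log(line)
        if is_threat_map_candidate(f):
            out.append((f["srcip"], f["dstip"], int(f["crscore"]), f.get("subtype")))
    return out


# Constructed sample lines (not real captures); logid values are placeholders.
# 200.232.251.47 is the address tested in the thread.
SAMPLE_LOGS = [
    # traffic log: public peer but no crscore -> not plotted
    'date=2017-10-02 time=13:30:01 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=192.168.1.20 dstip=200.232.251.47 action="accept"',
    # IPS log, inbound from a public source -> plotted
    'date=2017-10-02 time=13:31:07 logid="0419016384" type="utm" subtype="ips" '
    'srcip=200.232.251.47 dstip=10.0.0.5 action="dropped" crscore=30 crlevel="high"',
    # AV log between two RFC 1918 hosts -> not plotted even though crscore is set
    'date=2017-10-02 time=13:32:40 logid="0211008192" type="utm" subtype="virus" '
    'srcip=192.168.1.20 dstip=10.0.0.5 msg="Virus/EICAR_TEST_FILE detected" crscore=30',
    # AV log for an EICAR download from a public host -> plotted
    'date=2017-10-02 time=13:34:50 logid="0211008192" type="utm" subtype="virus" '
    'srcip=192.168.1.20 dstip=8.8.8.8 msg="Virus/EICAR_TEST_FILE detected" crscore=30',
]

if __name__ == "__main__":
    for src, dst, score, subtype in threat_map_candidates(SAMPLE_LOGS):
        print(f"{subtype:6} crscore={score} {src} -> {dst}")
```

Running it against the four constructed lines keeps the IPS hit from 200.232.251.47 and the EICAR download to 8.8.8.8 and drops the other two. Feeding exported raw logs through the same filter shows whether anything plottable was logged at all, before suspecting the geo-ip database or the browser.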
tanr, 2017/09/29 14:26:04
Checking the raw logs, I see plenty of them with crscore=30 and public srcip and dstip.  Is there a way to test the IPs against the geo-ip database?  Or test the FAZ's geo-ip database itself?
 
Note that both FGTs, before they were set to log to the FAZ, showed active Threat Maps with (unfortunately) plenty of attacks.
 
BTW, the FAZ has no public IPs itself, in case that could be part of the issue?  I've allowed it a few required services outbound, but perhaps I've somehow blocked its checks or updates for geo-ip?
#5
chall_FTNT, 2017/10/02 12:00:07
> Is there a way to test the ip's against the geo-ip database?  Or test the FAZ's geo-ip database itself?
 
If you provide some IPs that you want us to check, we can do it for you, just to rule out that being the issue.
#6
tanr, 2017/10/02 13:34:50
I dug up ways to check the geoip in the FAZ 5.4 CLI, though it's not documented correctly (you need to add the word "ip" to the end of the command before the actual IP).
 
FAZ-200D-XXXXX # diag sys geoip ip 200.232.251.47
200.232.251.47 : BR - Brazil
 
I tested a few of the IPs that were coming through and geoip worked correctly for all of them.
 
So I'm assuming this is something else, either in the FAZ config, what I'm letting through from it, or my web browser settings (though I've tried multiple web browsers, allowing flash, etc.).
 
#7
chall_FTNT, 2017/10/02 13:38:24
Ah yes, I had overlooked that diagnostic command.  Glad you figured that out.
#8
chall_FTNT, 2017/10/02 14:43:32
diag sys geoip ip -- this is for the country-level database & is used when viewing logs -- i.e. showing country flags.
 
Threat map uses a city-level database which does not have a corresponding diagnostic command.
#9
chall_FTNT, 2017/10/03 14:19:28
But 200.232.251.47 is indeed in the city level database as well:
Result: GeoIP City Edition, Rev 1: BR, 27, Sao Paulo, Santa Barbara D'oeste, N/A, -22.755699, -47.414700, 0, 0
 
So the database is not the issue.
 
Something else to consider (assuming that you do have matching UTM logs & not just traffic logs) is that unlike the threat map in a FortiGate GUI which goes back 1 hour, the FAZ shows threats in relative realtime (not the last hour).
 
#10
tanr, 2017/10/03 14:28:07
Ah, good point.  I'll leave the FAZ threat map and logs up to verify if log entries that match appropriate threats show on the threat map before I dig deeper.
#11
chall_FTNT, 2017/10/03 14:31:16
I guess you could set up an Event Handler to match the types of logs you'd expect to show up in the threat map.
 
Not sure whether the alerts would arrive in time or not -- syslog or an SNMP trap would be better than e-mail, OR just display the event listing page on the FAZ.
#12
tanr, 2017/10/03 14:57:56
I just downloaded some of the EICAR test files, and, voila, they showed up on the threat map!  So I've just been missing them due to the threat map being realtime. 
 
BTW, part of why I didn't figure this out earlier is that the list of threats shown at the bottom of the map doesn't show *any* threats that have happened previous to opening the map page.  I would think it would contain the list of previously logged threats.  You can test this by having the map up, downloading an EICAR test file, then switching to the FAZ to Top Threats and back to the Threat Map.  The list will be empty.
 
Thanks for your help with this.
#13