Generate reports during the database rebuild
After FortiAnalyzer is upgraded, the system may need to rebuild databases due to schema changes. Please note that the ability to generate accurate reports will be affected until the rebuild is complete.
Report grouping
If you are running a large number of reports that are very similar, you can significantly improve report generation time by grouping them. Report grouping reduces the number of hcache tables that must be built, which shortens both auto-hcache completion time and report completion time.
To group reports whose titles contain the string Security_Report and are grouped by device ID and VDOM, enter the following CLI commands:
config system report group
    edit 0
        set adom root
        config group-by
            edit devid
            next
            edit vd
            next
        end
        set report-like Security_Report
    next
end
Notes:
Entering edit 0 creates a new group entry with the next free ID. To check the resulting grouping, list the report schedules for the ADOM with the following CLI command:
execute sql-report list-schedule <ADOM>
To initiate a rebuild of hcache tables, enter the following CLI command:
diagnose sql rebuild-report-hcache <start-time> <end-time>
Where <start-time> and <end-time> are in the format: <yyyy-mm-dd hh:mm:ss>.
Perform an hcache-check for a given report to ensure that the hcache tables exactly match the start and end time frame for the report time period. Enter the following CLI command:
execute sql-report hcache-check <adom> <report_id> <start-time> <end-time>
If you do not run this command, the first report in the report group will take a little longer to run. All subsequent reports in that group will run optimally.
Firmware image checksums
The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. To verify the integrity of a download, select the Checksum link next to the HTTPS download link. A dialog box displays the image file name and its checksum. Compute the MD5 of the downloaded file locally (for example with md5sum on Linux) and compare it with the value shown in the dialog; do not install an image whose checksum does not match. Because the reference checksum is retrieved from the authenticated portal over HTTPS, a match gives reasonable assurance that the file you hold is the one Fortinet published, not only that it survived the transfer intact.
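The following POSIX shell script is an added example of that local comparison; it is not Fortinet tooling and the image path and checksum are whatever you copied from the portal dialog. It normalises the pasted checksum (case, stray whitespace) before comparing, falls back to openssl where md5sum is absent, and returns a non-zero exit status on mismatch so it can gate an automated upgrade.

```shell
#!/bin/sh
# Added example: verify a downloaded FortiAnalyzer image against the MD5
# shown on the Fortinet support portal. Not part of the original page.
# Usage: sh verify_image.sh <image-file> <checksum-from-portal>

md5_of() {
    # Print the lowercase hex MD5 of file $1 using whichever tool exists.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        # -r gives coreutils-style "<hash> *<file>" output
        openssl dgst -md5 -r "$1" | awk '{print $1}'
    else
        echo "no MD5 tool (md5sum/openssl) found" >&2
        return 2
    fi
}

verify_image() {
    # $1 = image path, $2 = checksum copied from the portal dialog.
    # Normalise case and strip whitespace so a copy/paste compares cleanly.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    actual=$(md5_of "$1") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches portal checksum $expected"
        return 0
    fi
    echo "MISMATCH: $1 has $actual, portal says $expected" >&2
    return 1
}

# Only run when invoked with arguments; sourcing the file defines the functions.
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2"
fi
```

Chain it into an upgrade procedure as `sh verify_image.sh FAZ_VM64_AWS-v5-build0000.out <checksum> && <upload step>` so that a corrupted or substituted image stops the process before anything is flashed.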
Downgrading to previous versions of firmware
FortiAnalyzer does not provide a full downgrade path. You can downgrade to a previous firmware release via the GUI or CLI, but doing so results in configuration loss, so back up the configuration before you start; it will not be preserved. A system reset is required after the firmware downgrade has completed. To reset the system, use the following CLI commands over a console port connection:
execute reset all-settings
execute format {disk | disk-ext4}
So, as you may have noticed, your logs can often be filled with local broadcasts and traffic of that sort. You can remove these from your logging to help clean things up. This never crossed my mind until I was reading some other blogs that belong to Fortinet TAMs, consultants, etc. This little tidbit is thanks to FireWall GURU. Below you will see the commands for each log destination on a FortiGate. Be aware that the local-traffic setting covers all traffic terminating on or originating from the FortiGate itself (administrative logins, VPN negotiation, DNS and NTP queries from the unit), not only broadcasts, so disabling it removes those events from that destination as well; leave it enabled on at least one destination if you rely on those logs for detection or forensics.
FortiAnalyzer:
config log fortianalyzer filter
    set local-traffic disable
end
Log disk:
config log disk filter
    set local-traffic disable
end
Memory:
config log memory filter
    set local-traffic disable
end
Syslog:
config log syslogd filter
    set local-traffic disable
end
Extended UTM log for Application Control
For FortiOS 5.0 devices, application control logs are not visible on FortiAnalyzer until the extended UTM log is enabled in the FortiOS CLI for the application sensor in use. To enable it, use the following CLI commands, where <name> is the application sensor (application list) referenced by your firewall policy:
config application list
    edit <name>
        set extended-utm-log enable
    next
end
SQL database rebuild
FortiAnalyzer can receive new logs during an SQL database rebuild. FortiView, Log View, Event Management, and Reports also remain available. However, all scheduled reports are skipped while the rebuild runs. It is recommended to generate reports only after the database rebuild has finished.
SSLv3 on FortiAnalyzer-VM64-AWS
Due to known vulnerabilities in the SSLv3 protocol (notably the POODLE padding-oracle attack, CVE-2014-3566), FortiAnalyzer-VM64-AWS enables only TLSv1 by default. All other models enable both TLSv1 and SSLv3. To disable SSLv3 support on those models, run:
config system global
    set ssl-protocol tlsv1
end
You can confirm from a client that the administrative interface no longer negotiates SSLv3 by attempting an SSLv3-only handshake with openssl s_client -ssl3 -connect <host>:443 (from an OpenSSL build that still includes SSLv3 support); the handshake should fail.