This is in every panel on the dashboard - "Error in 'SearchParser': The search specifies a macro 'fgt_logs' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information."
Thanks jerryzhao. This is it. But now I have in the dashboard overview "Device 0", "Session 0" etc. And in the dashboard traffic "No result found" on every panel.
When I search data in Splunk search I see every log from FortiGate.
It works. Removing/uninstalling the app and add-on, reinstalling, copying the props.conf file from the default folder to the local folder, and editing this file (fgt_log change) helped.
Thanks again for help in need.
Hey Jerry. We've now got this TA installed and are sending our FortiGate data - via syslog-ng - to Splunk. We're telling the forwarder the sourcetype is fgt_log - and all the events are treated as such, and thus not getting tagged as firewall, attack.
You can do that but it's not advised, unless only graphs by fgt_traffic are what you care about.
They should be tagged with fgt_traffic, fgt_utm, fgt_event... once the regex matches them to those categories. You said when you uploaded a sample log they were correctly tagged, but not with your FortiGate logs? Can you send me one piece of FortiGate log to show me the format?
I noticed that the release notes for the TA state that 'From version 1.2, the Splunk TA(Add-on) for fortigate no longer match wildcard source or sourcetype to extract fortigate log data', that fgt_log is used by default - and that it's up to the customer if they want to use props/transforms in the /local folder to split the sourcetypes.
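The posts above turn on how FortiGate events get split into fgt_traffic, fgt_utm and fgt_event, and what happens to events that carry only the default fgt_log sourcetype. The following is an added example, not code from the Splunk TA or from anyone in this thread: it parses FortiGate's key=value syslog format and assigns a sourcetype from the event's `type` field, falling back to fgt_log when no type is found. The log lines are constructed samples (the devid and addresses are placeholders), and the sourcetype names are the ones the thread mentions.

```python
import re

# Constructed sample lines in FortiGate key=value syslog format (placeholders, not real device output).
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:00:01 devname="fw01" devid="FGT-PLACEHOLDER" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" srcip=10.100.0.5 srcport=51234 '
    'dstip=10.0.0.20 dstport=443 proto=6 action="accept" policyid=3',
    'date=2024-01-15 time=10:00:02 devname="fw01" devid="FGT-PLACEHOLDER" logid="0211008192" '
    'type="utm" subtype="virus" level="warning" srcip=10.100.0.7 dstip=203.0.113.9 '
    'action="blocked" virus="EICAR_TEST_FILE"',
    'date=2024-01-15 time=10:00:03 devname="fw01" devid="FGT-PLACEHOLDER" logid="0101037124" '
    'type="event" subtype="vpn" level="error" action="negotiate" msg="IPsec phase 2 error"',
    'garbage line without key value pairs',
]

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Mapping from the FortiGate "type" field to the sourcetypes discussed in the thread.
TYPE_TO_SOURCETYPE = {"traffic": "fgt_traffic", "utm": "fgt_utm", "event": "fgt_event"}


def parse_fgt_line(line):
    """Return a dict of the key=value fields found in one FortiGate log line."""
    fields = {}
    for m in _KV_RE.finditer(line):
        quoted, bare = m.group(3), m.group(4)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def classify(line, default="fgt_log"):
    """Pick a sourcetype from the event's type field; unknown or missing type keeps the default."""
    return TYPE_TO_SOURCETYPE.get(parse_fgt_line(line).get("type"), default)


def split_by_sourcetype(lines):
    """Group lines by the sourcetype they would be assigned."""
    buckets = {}
    for line in lines:
        buckets.setdefault(classify(line), []).append(line)
    return buckets


if __name__ == "__main__":
    for sourcetype, lines in sorted(split_by_sourcetype(SAMPLE_LOGS).items()):
        print(f"{sourcetype}: {len(lines)} event(s)")
```

An event that lands in the fgt_log bucket is one the type-based split could not place, which is the situation described above where everything stays fgt_log and picks up none of the category tags.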
Another question Jerry, do you know why the ftnt_fgt_virus event type tags events with the 'operations' tag? It means they get picked up by the ES malware operations lookup gen and written to the malware operations tracker, for no good reason - as far as I can tell, and they therefore contribute to some of the Key Indicator searches relating to # malware clients, # clients updating signatures etc.
I think that was intended for the CIM model so our data can be shown in ES dashboards. As to whether it is relevant or not, could you show me what the specific problem is? Maybe a screenshot will help me identify the issue.
Thanks!
There's a saved search in ES that populates the malware_operations_tracker lookup based on those events matching the malware and operations tags - which includes some of the Fortigate events, based on your TA.
Reports of the VPN keep showing loads of errors with "Quick Mode Received Notification from Peer: invalid spi".
It's not every time, so with it being intermittent I have ensured both Sites have the same Encryption settings, and the Phase 1 and Phase 2 timers are definitely set to the same time/interval.
What else could be checked? Or what else do you guys who may have seen this before think it could be?
I don't have much more information at the moment, but I would like to arm myself with some potential solutions or scenarios to troubleshoot.
The suggestion most related to the error they're getting is to create a No-NAT rule. However in the VPN community in R80 you can opt to tick the option "Disable NAT within the VPN community" - Wouldn't this perform the same action?
Note: I've also suggested trying SHA256 instead of SHA1, and to not use PFS.
I have the same scenario, but in my case the VPN is established and when the user (behind the FortiGate) tries to access a server (behind the CP) the traffic is coming from the external interface and this traffic is dropped by anti-spoofing. I already configured a group to allow this network, but the traffic is still coming from the external interface.
For example, the CP is expecting traffic from 10.0.0.0/8 to be coming from eth5 (internal interface), and now all of a sudden 10.100.0.0/24 is coming in via a VPN on the external interface.
Either eth5 is configured too broadly for anti-spoofing or you need to configure exclusions on eth5.
Assuming you've already verified the SA Lifetimes, ensure that the Fortigate is not using a data lifesize or tunnel idle timer. It sounds like the Fortigate is expiring the tunnel early for some reason. Also make sure DPD is disabled on the Fortigate unless you have explicitly enabled it on the Check Point side.
Also be aware that during Quick Mode Phase 2 negotiations the Fortigate is just like Juniper in that it is very picky about subnets/Proxy-IDs it will accept. The proposal must exactly match the subnets/Proxy-IDs configured on the Fortigate; unlike Cisco and Check Point, it will refuse a proposal that is a subset of what is configured.
I have been trying to create a VPN between my SSG20 and FortiGate 60B; the problem is that I can only reach the untrust zone from both sides. Below is the configuration I did on my SSG20. Any help would be useful.
Thanks for the reply ;-). I corrected the outgoing interface. Now the Juniper is showing the error "Phase 1 - Retransmission limit have been reached". Here I have checked the DH group. Selected the same encryption type, mode initiator is aggressive mode and also there is the same subnet for the proxy ID. But still the tunnel is not up yet... Please help.
So they are not able to reach each other, so check the pre-shared key is matching at both ends, or all your Phase I options at both ends like encryption algorithm or Diffie-Hellman group for a mismatch. Check when you started getting the Phase I messages.
Here the pre-shared key is matching; I have checked it many times. I am not allowing the internet at both ends and I am assigning a static IP address. Here I can hit each other's outgoing interface but not the private network. I have done VPNs with Juniper at both ends and they are working fine, but with the FortiGate 60B it is not showing a sign of connectivity.
First I tried with main mode and again with aggressive mode (both ends). Now I have again changed the setting to main mode. It's not working. I can only ping the remote's untrust interface. No more than that.
Thanks to all. I have good news. Now the VPN with the FortiGate is working. I changed the whole configuration and implemented a policy-based VPN and also enabled a proxy ID. Major concerns are parameters, so after many attempts finally the tunnel is UP and is working very fine. Thanks to WL, Gavrilo and all who helped me in all possible ways.
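Both VPN threads above (the Check Point/FortiGate "invalid spi" case and the SSG20/FortiGate 60B case) come down to the same checklist: Phase 1 and Phase 2 parameters, the pre-shared key, DPD, and the Phase 2 selectors, with the note that a FortiGate or Juniper peer refuses a proposal that is only a subset of its configured Proxy-IDs. The following is an added example, not configuration or code from any of the posters or vendors: a small checker that compares two peer definitions and reports where they disagree. The peer dictionaries, their values and the `strict_proxy_id` flag are hypothetical constructions; the strict behaviour is modelled on the claim in the thread, not on vendor documentation.

```python
import ipaddress
from copy import deepcopy

PHASE1_KEYS = ("mode", "encryption", "hash", "dh_group", "lifetime_s")
PHASE2_KEYS = ("encryption", "hash", "pfs_group", "lifetime_s")

# Constructed peer definitions with hypothetical values (no real device configuration).
CHECKPOINT = {
    "name": "checkpoint",
    "strict_proxy_id": False,   # assumed: accepts a proposal covered by its configured selectors
    "psk": "example-psk-placeholder",
    "dpd": False,
    "phase1": {"mode": "main", "encryption": "aes256", "hash": "sha256", "dh_group": 14, "lifetime_s": 86400},
    "phase2": {"encryption": "aes256", "hash": "sha256", "pfs_group": None, "lifetime_s": 3600},
    "local_subnets": ["10.0.0.0/8"],
    "remote_subnets": ["10.100.0.0/24"],
}
FORTIGATE = {
    "name": "fortigate",
    "strict_proxy_id": True,    # per the thread: the proposal must exactly match the configured selectors
    "psk": "example-psk-placeholder",
    "dpd": False,
    "phase1": {"mode": "main", "encryption": "aes256", "hash": "sha256", "dh_group": 14, "lifetime_s": 86400},
    "phase2": {"encryption": "aes256", "hash": "sha256", "pfs_group": None, "lifetime_s": 3600},
    "local_subnets": ["10.100.0.0/24"],
    "remote_subnets": ["10.0.0.0/8"],
}


def _nets(cidrs):
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def proxy_ids_accepted(proposed, configured, strict):
    """Would a responder with `configured` selectors accept the `proposed` selectors?

    strict=True requires an exact match; strict=False accepts each proposed
    subnet if some configured subnet contains it.
    """
    proposed, configured = _nets(proposed), _nets(configured)
    if strict:
        return proposed == configured
    return all(any(p.version == c.version and p.subnet_of(c) for c in configured) for p in proposed)


def compare_peers(a, b):
    """Return a list of mismatch descriptions; an empty list means the parameters line up."""
    problems = []
    for phase, keys in (("phase1", PHASE1_KEYS), ("phase2", PHASE2_KEYS)):
        for key in keys:
            va, vb = a[phase].get(key), b[phase].get(key)
            if va != vb:
                problems.append(f"{phase} {key}: {a['name']}={va} {b['name']}={vb}")
    if a["psk"] != b["psk"]:
        problems.append("phase1 pre-shared key differs")
    if a["dpd"] != b["dpd"]:
        problems.append("DPD enabled on one side only")
    # Phase 2 selectors: what one side proposes as its local network must be
    # acceptable as the other side's configured remote network, in both directions.
    for proposer, responder in ((a, b), (b, a)):
        if not proxy_ids_accepted(proposer["local_subnets"], responder["remote_subnets"],
                                  responder["strict_proxy_id"]):
            problems.append(
                f"{responder['name']} rejects {proposer['name']} local {proposer['local_subnets']} "
                f"(configured remote {responder['remote_subnets']}, strict={responder['strict_proxy_id']})"
            )
    return problems


def broken_fortigate():
    """A copy of FORTIGATE carrying the kinds of mismatch discussed in the threads."""
    fgt = deepcopy(FORTIGATE)
    fgt["phase1"]["hash"] = "sha1"            # hash mismatch (SHA1 vs SHA256)
    fgt["phase1"]["dh_group"] = 5             # DH group mismatch
    fgt["remote_subnets"] = ["10.0.0.0/16"]   # narrower than the 10.0.0.0/8 the other side proposes
    return fgt


if __name__ == "__main__":
    print("matching pair:", compare_peers(CHECKPOINT, FORTIGATE))
    for problem in compare_peers(CHECKPOINT, broken_fortigate()):
        print("mismatch:", problem)
```

Running it shows the matching pair producing no findings, while the broken copy reports the hash and DH group differences and the selector rejection; the reverse direction (the FortiGate's /24 proposed to the non-strict side) is accepted, which is exactly the asymmetry the thread warns about.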