6.2.3

Troubleshooting

Error messages in the FortiAnalyzer Integration App GUI and in the ServiceNow Application Logs describe the problem and usually contain recommendations to correct it.

Connection problems

To troubleshoot connection problems between FortiAnalyzer and the FortiAnalyzer Integration App:
  1. In FortiAnalyzer, go to System Settings > Admin > Administrators.
    1. Click the account used for integration with the FortiAnalyzer Integration App and check that the settings are correct.

      See Setting Up FortiAnalyzer.

  2. Check that you have set up JSON-RPC permission correctly.
    Note

    Ensure the Username can be found in FortiAnalyzer and has JSON-RPC permission.

    See Setting Up FortiAnalyzer.

  3. Go to the FortiAnalyzer Integration App System Properties.
    1. Check that the connection settings are correct, especially the domain name, port number, ADOMs, and API credentials.
      Note
      • Ensure the Domain HTTPS link is correct.
      • Ensure a trusted, signed SSL certificate is installed.
      • Ensure the port number is correct.
      • Ensure the password is correct.

      See Setting up the FortiAnalyzer Integration App.

      If connection settings are incorrect, the app displays an error message when you click Save.

    2. Check that you are using a supported firmware version.
  4. Check whether FortiAnalyzer is missing a certificate or the certificate is incomplete. ServiceNow requires a trusted certificate on FortiAnalyzer to establish a secure connection.
    1. In ServiceNow, go to Application Log > Errors. The following error may indicate the certificate is incomplete:

      fileName: ;line:0;errorMessage:org.apache.commons.httpclient.HttpException:SSLPeerUnverifiedException

    2. Use a third-party service such as DigiCert or SSL Shopper to identify the errors on the FortiAnalyzer side.
    3. In FortiAnalyzer, go to System Settings > Certificates to fix the certificate issues, for example by adding an intermediate CA certificate.
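
The incomplete-chain condition from step 4 can also be checked locally with the openssl CLI. This is an added example, not part of the Fortinet documentation; the function names, file names and the throwaway demo PKI are constructed for illustration.

```shell
#!/bin/sh
# check_chain ROOT_PEM LEAF_PEM [INTERMEDIATES_PEM]
# Prints "complete" if the leaf verifies up to the trusted root using only the
# intermediates the server actually sends, otherwise "incomplete".
check_chain() {
    if [ -s "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi && echo complete || echo incomplete
}

# fetch_served HOST PORT DIR: save what a live server presents as DIR/leaf.pem
# (first certificate) and DIR/inter.pem (any further certificates it sends).
fetch_served() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
    awk -v d="$3" '/BEGIN CERTIFICATE/{n++}
        /BEGIN CERTIFICATE/,/END CERTIFICATE/{print > (d (n==1 ? "/leaf.pem" : "/inter.pem"))}'
}

# make_demo_pki DIR: constructed root -> intermediate -> leaf, for offline testing only.
make_demo_pki() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/demo.cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for n in inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
            -subj "/CN=demo-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 1 -days 2 -extfile "$d/demo.cnf" -extensions v3_ca \
        -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 2 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_pki "$demo"
echo "server sends leaf only:          $(check_chain "$demo/root.pem" "$demo/leaf.pem")"
echo "server sends leaf + intermediate: $(check_chain "$demo/root.pem" "$demo/leaf.pem" "$demo/inter.pem")"
rm -rf "$demo"
```

Against a real FortiAnalyzer, run fetch_served with its host name and port, then pass a public CA bundle as ROOT_PEM. A result of "incomplete" corresponds to the missing intermediate CA certificate described in step 4.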

To troubleshoot event logs that are not updating:

Event logs are not automatically updated after a FortiAnalyzer service outage when "Fetch events from FortiAnalyzer ADOMs automatically" is enabled. To resume updates after service is restored, run the Run_FetchFAZEvents script.

Note

You must have an admin role to perform this task.

  1. Go to System Definition > Scheduled Jobs, or type scheduled jobs in the system explorer.
  2. Type *faz in the Search field.
  3. Click Run_FetchFAZEvents.
  4. Deselect Active and select it again to resume the updates.

Others

To view log message errors, go to ServiceNow, click All applications and search for System Log. Then select Application Logs.

In the App Log pane, check for errors. You can filter by keywords to search for messages.

Error: User cannot log in
Possible solutions:
  • Check that the user account has the correct roles.
  • Check the spelling of the username and password.

Error: Error message: FortiAnalyzer: fileName: ; line: 0; message: Unknown host
Possible solutions: Check the name and spelling of the Domain.

Error: Error message: ServiceNow API user snapi needs to have x_forti_fazintgv2.snAPI role assigned
Possible solutions: Assign the x_forti_fazintgv2.snAPI role to the ServiceNow account. See Setting up the FortiAnalyzer Integration App.

Error: Error message: ServiceNow API user snapi needs to have import_transformer role assigned
Possible solutions: Assign the import_transformer role to the ServiceNow account. See Setting up the FortiAnalyzer Integration App.

Error: FortiAnalyzer Incidents are not up-to-date
Possible solutions: Synchronizing incidents takes time. Wait a few minutes and try again.
