
Administration Guide

Troubleshooting tips for Network File Share

To troubleshoot Network File Share issues:
  1. Disable or delete other mounts so that only one network share mount remains. This keeps the logs collected later from becoming too complex.

  2. Turn off FortiGuard scheduled updates to rule out any update-related issues.
  3. Turn off the NDR daemon to isolate the environment using the CLI command:

    exec ndrd off

    This command is not persistent. If a reboot is required, run the command again.

  4. Turn off the Sniffer daemon to isolate the environment using the CLI command:

    exec snifferd off

    This command is not persistent. If a reboot is required, run the command again.

  5. Set the file size limit to a smaller size to rule out file size issues using the CLI command:

    exec file-size-threshold network-share 20 (MB)

  6. Click Test Connection.

    • If "Network Share is inaccessible" is returned, it means FortiNDR cannot mount the folder. Proceed to the next step to check the details of the mount error. Sometimes it takes time for the network share's settings to sync on the server. If you change the network share settings on the server, you may not be able to connect to it right away.
    • If "Mounting in progress" is returned, wait about 2-5 minutes and try again.

  7. When the scan is stuck, check the following logs using the CLI:
    1. exec deb kernel display

      Return code = -2 is the most common error. Most of the time it means there were too many connections to the folder or the folder is not accessible for mounting yet.

    2. exec deb crashlog <the date this issue occurred>
  8. Get system status and save the output log to determine if the issue is related to storage.

    get system status

  9. For network share scan errors, go to Log & Report > Events.
    1. Select Level: Warning, Error and User: sdigestd
    2. Take a screenshot. The Events page contains 1 day of history.
    3. To record more history, use the Log settings to send logs to another logging device.

      In the example below, the network share is experiencing mounting problems. Share status was down, meaning that at that time this FortiNDR could not access the remote mounting folder:

  10. Open the sdigestd log using the following command:

    diagnose debug crashlog xxxx-xx-xx

    sdigestd is the daemon responsible for network share mounting and copying. 7 means all log levels; if there are too many logs, use 2 <WARN> or 1 <ERROR>.

    For more information, see Troubleshoot Network Share.

    You can configure a scheduled scan, click Scan now in the GUI, or trigger the output right away with the CLI:

    diag deb app sdigestd 7

    diag deb enable

    Here is an example showing which mount failed during mounting:

  11. The image below shows how the completed scan jobs for Network File Scan should look:
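
To triage the return codes mentioned in step 7, the following added example (not part of the Fortinet guide or FortiNDR itself) tallies every "return code = N" entry in saved `exec deb kernel display` output and maps each value to its Linux errno name. The sample log lines are constructed, and their format, modelled on the Linux CIFS client's mount-failure message, is an assumption.

```python
import errno
import os
import re
from collections import Counter

# Constructed sample of saved `exec deb kernel display` output. The line format
# follows the Linux CIFS client's mount-failure message and is an assumption.
SAMPLE_KERNEL_LOG = """\
[ 1021.337] CIFS VFS: Error connecting to socket. Aborting operation.
[ 1021.338] CIFS VFS: cifs_mount failed w/return code = -112
[ 1088.902] CIFS VFS: cifs_mount failed w/return code = -2
[ 1149.415] CIFS VFS: cifs_mount failed w/return code = -2
[ 1210.027] CIFS VFS: cifs_mount failed w/return code = -13
[ 1300.500] EXT4-fs (sda2): mounted filesystem with ordered data mode
"""

# Matches "return code = -2" and "Return code = -2" with flexible spacing.
RETURN_CODE = re.compile(r"return code\s*=\s*(-?\d+)", re.IGNORECASE)


def describe(code):
    """Map a negative kernel return code to its errno name and message."""
    if code >= 0:
        return "unknown"
    name = errno.errorcode.get(-code)
    if name is None:
        return "unknown"
    return f"{name}: {os.strerror(-code)}"


def summarize_mount_errors(text):
    """Return (code, count, meaning) tuples, most frequent code first."""
    counts = Counter(int(m.group(1)) for m in RETURN_CODE.finditer(text))
    return [(code, n, describe(code)) for code, n in counts.most_common()]


if __name__ == "__main__":
    for code, n, meaning in summarize_mount_errors(SAMPLE_KERNEL_LOG):
        print(f"return code = {code:<5} x{n}  {meaning}")
```

A code that dominates the tally points at the mount problem to investigate first; lines without a return code, such as the unrelated EXT4 entry, are ignored.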
