Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Integration API Guide

    Home FortiSIEM 6.5.2 Integration API Guide
    6.5.2
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.6
    5.2.5
    5.2.1
    5.1.0
    5.0.0
    4.10.0

    Current Thresholds for Health Status

    Current Thresholds for Health Status

    The following table provides information on what normal thresholds are for certain Health JSON attributes.

    Health JSON Attribute

    Applicability

    Threshold
    CPU Utilization

    All nodes

    • Normal - if cpuUsage.used_pct less than 75 AND loadAverage 15 minutes less than nodes.hardware.vCPU and the loadAverage of last 15 minutes are less than 1 * number_of_cores

    • Warning - if (cpuUsage.used_pct between (75 and 90) OR (loadAverage 15 minutes between (nodes.hardware.vCPU and 2* nodes.hardware.vCPU) and the loadAverage of the last 15 minutes are less than 2 * number_of_cores

    • if cpuUsage.used_pct greater than 90 OR loadAverage 15 minutes greater than 2*nodes.hardware.vCPU and the loadAverage of the last 15 minutes is greater than 2 * number_of_cores
    Memory Utilization

    All nodes

    • Normal - if memoryUsage.used_pct less than 75

    • Warning - if memoryUsage.used_pct between 75 and 90

    • Critical - if memoryUsage.used_pct greater than 90
    Swap Space Utilization

    All nodes

    • Normal - if swapUsage.in_bps less than 7Mbps

    • Warning - if swapUsage.in_bps between 7Mbps and 10Mbps

    • Critical - if swapUsage.in_bps greater than 10Mbps
    Disk Utilization

    All nodes; skips /data, data-clickhouse

    • Normal - if diskUsage.used_pct less than 65

    • Warning - if diskUsage.used_pct between 65 and 85

    • Critical - if diskUsage.used_pct greater than 85

    I/O Utilization

    All nodes

    • Normal - if cpuUsage.ioWait_pct less than 15 AND diskIO.readWait_ms less than 30 AND diskIO.writeWait_ms less than 30 AND nfsIO.readLatency_ms less than 50 AND nfsIO.writeLatency_ms less than 50

    • Warning - if cpuUsage.ioWait_pct between (15 and 30) OR diskIO.readWait_ms between (30 and 60) OR diskIO.writeWait_ms between (30 and 60) AND nfsIO.readLatency_ms between (50 and 75) AND nfsIO.writeLatency_ms between 50 and 75

    • Critical - if cpuUsage.ioWait_pct more than 30 OR diskIO.readWait_ms more than 60 OR diskIO.writeWait_ms more than 60 OR nfsIO.readLatency_ms more than 75 OR nfsIO.writeLatency_ms more than 75

    Process Health

    All nodes

    • Normal - if processStat.uptime more than 1 hour AND processStat.cpuUtil_pct less than 50 AND processStat.memoryUtil_pct less than 50

    • Warning - if processStat.uptime less than 1 hour OR processStat.cpuUtil_pct between (50 and 75) OR processStat.memoryUtil_pct between (50 and 75)

    • Critical - if process is DOWN OR processStat.cpuUtil_pct greater than 75 OR processStat.memoryUtil_pct greater than 75

    Event Pipeline

    Collector only

    This indicates whether queues are building up in Collectors.

    • Normal - if eventUploadQueue.total_mb less than 20

    • Warning - if eventUploadQueue.total_mb between 20 and 50

    • Critical - if eventUploadQueue.total_mb greater than 50

    Event Pipeline

    Worker only

    This indicates whether queues are building up in Workers and may be caused by Workers slow in ingesting events to storage.

    • Normal - if eventUploadQueue.disk_mb less than 25

    • Warning - if eventUploadQueue.disk_mb between 25 and 75

    • Critical - if eventUploadQueue.disk_mb greater than 75
    Shared Store

    Worker, Supervisor

    This indicates that some FortiSIEM processes are slow in processing events and may eventually block the writer phParser process from ingesting events. Events may eventually be lost.

    • Normal - if difference between reader and writer's sharedStore_pct is less than 15

    • Warning - if difference between reader and writer's sharedStore_pct is between 15 and 30

    • Critical - if difference between reader and writer's sharedStore_pct is more than 30

    Last Status Updated

    All nodes

    This is based on the health updates between Collector and Supervisor; Worker and Supervisor; and Instance Supervisor and FortiSIEM Manager.

    • Normal - if nodes.metrics.lastStatusUpdated less than 15 minute delay

    • Warning - if nodes.metrics.lastStatusUpdated between (15 minute and 20 minute) delay

    • Critical - if nodes.metrics.lastStatusUpdated more than 20 minute delay

    Last Event Time

    Collector

    This information is sent by each Worker to Supervisor based on what each Worker receives from Collectors. This detects whether Collectors are falling behind in sending events to Workers. This may be caused by Workers slow in ingesting events to storage or Collectors slow processing events and uploading to Workers.

    • Normal - if nodes.metrics.lastEventTime less than 15 minute delay

    • Warning - if nodes.metrics.lastEventTime between (15 minute and 20 minute) delay

    • Critical - if nodes.metrics.collectorUploadStatus.lastEventTime more than 20 minute delay

    Last File Received

    Collector

    This information is sent by each Worker to Supervisor based on what each Worker receives from Collectors. This may be caused by Workers slow in ingesting events to storage or Collectors slow processing events and uploading to Workers.

    • Normal - if nodes.metrics.lastFileReceived less than 15 minute delay

    • Warning - if nodes.metrics.lastFileReceived between (15 minute and 20 minute) delay

    • Critical - if nodes.metrics.lastFileReceived more than 20 minute delay

    Previous
    Next

    Current Thresholds for Health Status

    Current Thresholds for Health Status

    The following table provides information on what normal thresholds are for certain Health JSON attributes.

    Health JSON Attribute

    Applicability

    Threshold
    CPU Utilization

    All nodes

    • Normal - if cpuUsage.used_pct less than 75 AND loadAverage 15 minutes less than nodes.hardware.vCPU and the loadAverage of last 15 minutes are less than 1 * number_of_cores

    • Warning - if (cpuUsage.used_pct between (75 and 90) OR (loadAverage 15 minutes between (nodes.hardware.vCPU and 2* nodes.hardware.vCPU) and the loadAverage of the last 15 minutes are less than 2 * number_of_cores

    • if cpuUsage.used_pct greater than 90 OR loadAverage 15 minutes greater than 2*nodes.hardware.vCPU and the loadAverage of the last 15 minutes is greater than 2 * number_of_cores
    Memory Utilization

    All nodes

    • Normal - if memoryUsage.used_pct less than 75

    • Warning - if memoryUsage.used_pct between 75 and 90

    • Critical - if memoryUsage.used_pct greater than 90
    Swap Space Utilization

    All nodes

    • Normal - if swapUsage.in_bps less than 7Mbps

    • Warning - if swapUsage.in_bps between 7Mbps and 10Mbps

    • Critical - if swapUsage.in_bps greater than 10Mbps
    Disk Utilization

    All nodes; skips /data, data-clickhouse

    • Normal - if diskUsage.used_pct less than 65

    • Warning - if diskUsage.used_pct between 65 and 85

    • Critical - if diskUsage.used_pct greater than 85

    I/O Utilization

    All nodes

    • Normal - if cpuUsage.ioWait_pct less than 15 AND diskIO.readWait_ms less than 30 AND diskIO.writeWait_ms less than 30 AND nfsIO.readLatency_ms less than 50 AND nfsIO.writeLatency_ms less than 50

    • Warning - if cpuUsage.ioWait_pct between (15 and 30) OR diskIO.readWait_ms between (30 and 60) OR diskIO.writeWait_ms between (30 and 60) AND nfsIO.readLatency_ms between (50 and 75) AND nfsIO.writeLatency_ms between 50 and 75

    • Critical - if cpuUsage.ioWait_pct more than 30 OR diskIO.readWait_ms more than 60 OR diskIO.writeWait_ms more than 60 OR nfsIO.readLatency_ms more than 75 OR nfsIO.writeLatency_ms more than 75

    Process Health

    All nodes

    • Normal - if processStat.uptime more than 1 hour AND processStat.cpuUtil_pct less than 50 AND processStat.memoryUtil_pct less than 50

    • Warning - if processStat.uptime less than 1 hour OR processStat.cpuUtil_pct between (50 and 75) OR processStat.memoryUtil_pct between (50 and 75)

    • Critical - if process is DOWN OR processStat.cpuUtil_pct greater than 75 OR processStat.memoryUtil_pct greater than 75

    Event Pipeline

    Collector only

    This indicates whether queues are building up in Collectors.

    • Normal - if eventUploadQueue.total_mb less than 20

    • Warning - if eventUploadQueue.total_mb between 20 and 50

    • Critical - if eventUploadQueue.total_mb greater than 50

    Event Pipeline

    Worker only

    This indicates whether queues are building up in Workers and may be caused by Workers slow in ingesting events to storage.

    • Normal - if eventUploadQueue.disk_mb less than 25

    • Warning - if eventUploadQueue.disk_mb between 25 and 75

    • Critical - if eventUploadQueue.disk_mb greater than 75
    Shared Store

    Worker, Supervisor

    This indicates that some FortiSIEM processes are slow in processing events and may eventually block the writer phParser process from ingesting events. Events may eventually be lost.

    • Normal - if difference between reader and writer's sharedStore_pct is less than 15

    • Warning - if difference between reader and writer's sharedStore_pct is between 15 and 30

    • Critical - if difference between reader and writer's sharedStore_pct is more than 30

    Last Status Updated

    All nodes

    This is based on the health updates between Collector and Supervisor; Worker and Supervisor; and Instance Supervisor and FortiSIEM Manager.

    • Normal - if nodes.metrics.lastStatusUpdated less than 15 minute delay

    • Warning - if nodes.metrics.lastStatusUpdated between (15 minute and 20 minute) delay

    • Critical - if nodes.metrics.lastStatusUpdated more than 20 minute delay

    Last Event Time

    Collector

    This information is sent by each Worker to Supervisor based on what each Worker receives from Collectors. This detects whether Collectors are falling behind in sending events to Workers. This may be caused by Workers slow in ingesting events to storage or Collectors slow processing events and uploading to Workers.

    • Normal - if nodes.metrics.lastEventTime less than 15 minute delay

    • Warning - if nodes.metrics.lastEventTime between (15 minute and 20 minute) delay

    • Critical - if nodes.metrics.collectorUploadStatus.lastEventTime more than 20 minute delay

    Last File Received

    Collector

    This information is sent by each Worker to Supervisor based on what each Worker receives from Collectors. This may be caused by Workers slow in ingesting events to storage or Collectors slow processing events and uploading to Workers.

    • Normal - if nodes.metrics.lastFileReceived less than 15 minute delay

    • Warning - if nodes.metrics.lastFileReceived between (15 minute and 20 minute) delay

    • Critical - if nodes.metrics.lastFileReceived more than 20 minute delay

    Previous
    Next