Troubleshooting FortiSOAR Issues
This section covers issues that you might face while deploying FortiSOAR, upgrading FortiSOAR, or while using FortiSOAR.
For the procedure on how to upgrade to FortiSOAR 7.0.1, see the Upgrading a FortiSOAR enterprise instance to 7.0.1 section in the “Upgrade Guide.”
Issues occurring in FortiSOAR due to insufficient space
You can face deployment or upgrade failures due to insufficient space. If you have limited partition size for /dev/mapper/vgapp-csapps, then FortiSOAR upgrade might fail. Therefore, before you upgrade your FortiSOAR system, you must ensure that you increase the partition size to a minimum of 4 GB for /dev/mapper/vgapp-csapps to prevent potential loss of backups.
You might also experience any of the following symptoms when the disk space of the database on which FortiSOAR is running gets full:
- Users are unable to log into FortiSOAR.
- All FortiSOAR services might stop working, as they cannot write to their respective log files.
For example, the PostgreSQL service fails to start when the PostgreSQL database disk is full.
Insufficient space in FortiSOAR can have a number of causes, some of which are as follows:
- Increase in the number of log files in /var/log/ and /var/log/cyops
- /home drive is full
- Increase in the data in the database
- PostgreSQL database disk is full
You can fix this issue using the following methods:
- Extend the disk space by adding a new disk and then extending the logical volume in the new disk.
- Extend the logical volume by using the free space that is already available in the volume group.
- Extend the logical volume on the existing disk without adding a new disk, if sufficient unallocated space is available on the existing disk.
- Procedure to be followed when the Postgres service has failed, which could be because the PostgreSQL database disk is full.
Note: Perform the following procedures as a root user using the sudo su command.
Resolution 1
Perform the following steps to extend your disk space by adding a new disk and then extending the logical volume (LVM) in the new disk.
When you add a new disk, ensure that the disk size is less than 2TB. If you have a disk whose size is greater than 2TB, you need to create multiple PVs of 2TB size and expand the Volume Groups accordingly. This is because FortiSOAR has the MBR disk type, whose maximum hard drive size is 2TB.
- Stop all FortiSOAR services using the following command:
# csadm services --stop
- Add the new disk drive with the required size on the instance.
- Run the following command to check the size of the newly added and unpartitioned disk.
# lsblk
This command displays the size of the newly added and unpartitioned disk. In this example, sde is the newly added disk:
NAME              MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                 8:0    0    8G  0 disk
'-sda1              8:1    0    8G  0 part /
sdb                 8:16   0  100G  0 disk
'-sdb1              8:17   0  100G  0 part
sdc                 8:32   0  300G  0 disk
'-sdc1              8:33   0  300G  0 part
'-vg_repo-lvol0   253:0    0  500G  0 lvm  /repos
sdd                 8:48   0  200G  0 disk
'-vg_repo-lvol0   253:0    0  500G  0 lvm  /repos
sde                 8:64   0  200G  0 disk            #This is the new attached partition
sr0                11:0    1 1024M  0 rom
Note: In case the disk is not reflected in the VM, you can run the following command:
# echo "- - -" > /sys/class/scsi_host/<host#>/scan
(Replace host# with the correct host number)
Then run the # lsblk command again to verify the newly added disk.
If the newly added disk is still NOT visible under lsblk even after running the above command, then reboot the appliance using the reboot command.
- Run the following command to create the physical volume by specifying the name for the newly added disk:
# pvcreate /dev/<disk_name>
- Run the following command to check the name of the volume group:
# vgs
The column VG corresponds to the volume group as seen in the following sample output:
VG                  #PV #LV #SN Attr   VSize    VFree
<volume_group_name>   1  13   0 wz--n- <243.65g 8.00g
- Run the following command with the volume group name (from VG column in step 5) and disk_name as specified in step 4, to extend the volume group size:
# vgextend <lvm_group_name> /dev/<disk_name>
- Run the following command to check the size of the extended volume group:
# vgs
The column VFree corresponds to the volume group size (20.00g) as seen in the following sample output:
VG                  #PV #LV #SN Attr   VSize    VFree
<volume_group_name>   1  13   0 wz--n- <243.65g 20.00g
- Run the following command to extend the logical volume by the size you specify:
# lvextend -L +<disk_size>G <LVM_name>
The following example shows that the logical volume is being extended by 18GB:
# lvextend -L +18G /dev/mapper/<LVM_name>
Note: You must extend the disk size to less than or equal to the total size of the volume group.
- Run the following command to resize the file system for the disk that has been extended in step 8:
# xfs_growfs /dev/mapper/<LVM_name>
- Run the following command to check if the volume size is extended:
# df -h /dev/mapper/<LVM_name>
- Start all FortiSOAR services using the following command:
# csadm services --start
Resolution 2
Perform the following steps to extend the logical volume by using the free space that is already available in the volume group:
- Stop all FortiSOAR services using the following command:
# csadm services --stop
- Run the following command to check the free size available in volume group:
# vgs
The column VFree corresponds to the volume group size (20.00g) as seen in the following sample output:
VG                  #PV #LV #SN Attr   VSize    VFree
<volume_group_name>   1  13   0 wz--n- <243.65g 20.00g
- Run the following command to extend the logical volume by the size you specify:
# lvextend -L +<disk_size>G <LVM_name>
The following example shows that the logical volume is being extended by 18GB:
# lvextend -L +18G /dev/mapper/<LVM_name>
Note: You must extend the disk size to less than or equal to the total size of the volume group.
- Run the following command to resize the file system for the disk that has been extended in step 3:
# xfs_growfs /dev/mapper/<LVM_name>
- Run the following command to check if the volume size is extended:
# df -h /dev/mapper/<LVM_name>
- Start all FortiSOAR services using the following command:
# csadm services --start
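The size check in the notes of Resolution 1 and Resolution 2 can be scripted before lvextend is run. The following is an added example, not part of the FortiSOAR documentation or product: it reads default vgs output such as the sample above and compares a planned extension with VFree. The volume group name vgapp and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not FortiSOAR code). Reads default `vgs` output on stdin, as
# in the sample output above, and checks a planned `lvextend -L +<n>G`
# against the VFree column.

# Constructed sample input; "vgapp" is an assumed volume group name.
SAMPLE_VGS='  VG    #PV #LV #SN Attr   VSize    VFree
  vgapp   1  13   0 wz--n- <243.65g 20.00g'

# vfree_gib VG: print the VFree of VG in GiB; exit 2 if VG is not listed.
vfree_gib() {
    awk -v vg="$1" '
        $1 == vg {
            v = $NF                          # VFree is the last column
            sub(/^</, "", v)                 # "<" marks a value that was rounded up
            unit = substr(v, length(v), 1)   # default vgs units: k, m, g, t
            n = v + 0                        # numeric prefix: "20.00g" -> 20
            if (unit == "t") n *= 1024
            else if (unit == "m") n /= 1024
            else if (unit == "k") n /= 1048576
            printf "%.2f\n", n
            found = 1
        }
        END { if (!found) exit 2 }'
}

# can_extend VG GIB: returns 0 if GIB fits in VFree, 1 if not, 2 if VG is unknown.
can_extend() {
    free=$(vfree_gib "$1") || return 2
    awk -v free="$free" -v want="$2" 'BEGIN { exit (want + 0 <= free + 0) ? 0 : 1 }'
}

# Demo on the constructed sample: the +18G extension from the page fits in 20.00g.
if printf '%s\n' "$SAMPLE_VGS" | can_extend vgapp 18; then
    echo "+18G fits in VFree; lvextend can proceed"
fi
```

On a live system, pipe the real output instead of the sample, for example: vgs | can_extend <volume_group_name> 18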
Resolution 3
Perform the following steps to extend the logical volume on the existing disk without adding a new disk, if sufficient unallocated space is available on the existing disk. Before proceeding further, it is recommended that you find out whether sufficient unallocated space is available on the existing disk using the following command:
# parted /dev/<disk_name> print free
For example, running the # parted /dev/sdb print free command will display the following:
Model: VMware Virtual disk (scsi)
Disk /dev/sdb: 215GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:
Number  Start   End     Size    Type     File system  Flags
        32.3kB  1049kB  1016kB           Free Space
 1      1049kB  161GB   161GB   primary               lvm
        161GB   215GB   53.7GB           Free Space
The “Free Space” in the above output refers to unallocated space. If the mentioned size is sufficient, then perform the following steps:
- Stop all FortiSOAR services using the following command:
# csadm services --stop
- Create a partition on the existing disk using the following command:
# fdisk /dev/<disk_name>
  - Enter n to create a new partition.
  - Enter p to choose the newly created partition as the primary partition.
  - Select the Partition number. The operating system calculates this on its own; you only need to press Enter.
  - Select defaults for the First Cylinder/Sector and Last Cylinder/Sector values.
  - Enter w to write the changes to the partition table.
- Run the following command to rewrite the filesystem:
# partprobe /dev/<disk_name>
- After the VM restarts, stop all FortiSOAR services using the following command:
# csadm services --stop
- Run the following command to see the new partition:
# fdisk -l /dev/<disk_name>
This command displays the properties of the newly attached partition. For this example, /dev/sda3 is the newly added partition.
- Create a physical volume in the new partition using the following command:
# pvcreate
For example,
# pvcreate /dev/sda3
- Extend the volume group using the following command:
# vgextend
For example,
# vgextend <volume_group_name> /dev/sda3
- Extend the logical volume by the size you specify using the following command:
# lvextend -L+<size>G <LVM_name>
For example, to extend the logical volume by 20 G use the following command:
# lvextend -L+20G /dev/mapper/cyops-relations
- Increase the file system size using the following command:
# xfs_growfs
For example,
# xfs_growfs /dev/mapper/cyops-relations
- Start all FortiSOAR services using the following command:
# csadm services --start
Resolution 4
Perform the following steps when you notice that your Postgres service has failed, which could be because the PostgreSQL database disk is full.
- Run the following command and check the disk space in /var/lib/pgsql/:
# df -h /var/lib/pgsql/
If there is no space or less than 1 GB space left in /var/lib/pgsql/, then the psql service will not start due to the space issue.
- # cd /var/lib/pgsql/
# ls -lrth
You will observe that there is a file named resv_space that is taking up 1GB of space.
- Move the resv_space file from /var/lib/pgsql/ to /home/csadmin using the following command:
# mv /var/lib/pgsql/resv_space /home/csadmin
- Check the disk space in /var/lib/pgsql/ again:
# df -h /var/lib/pgsql/
You will observe that 1GB of space has been freed.
- Now you can extend or add space to /var/lib/pgsql/ using resolution 1, 2, or 3 mentioned above. You could also truncate workflow logs by running direct database commands with the help of FortiSOAR Support.
If you have no disk space, then add a new disk and perform the steps mentioned in Resolution 1.
If you have disk space in the volume group, then you can extend the logical group by performing the steps mentioned in Resolution 2.
If you have sufficient unallocated space available on an existing disk, then you can extend the logical group by performing the steps mentioned in Resolution 3.
- Move the resv_space file from /home/csadmin back to /var/lib/pgsql/:
# mv /home/csadmin/resv_space /var/lib/pgsql/
Troubleshooting Deployment Issues
The FortiSOAR Virtual Appliance deployment on ESX is failing
Resolution:
- Verify that the FortiSOAR Virtual Appliance file that you have downloaded is not corrupted by running a # md5sum command for the FortiSOAR Virtual Appliance.
- Check that the ESX server has fulfilled all prerequisites specified for the VM. Refer to the Planning section for details.
- If both points 1 and 2 are ok, contact VMware support.
Cannot access the FortiSOAR portal
Resolution:
- Check the ESX network to which FortiSOAR VM is connected.
- Check if the IP address is assigned to your FortiSOAR VM, in the case of DHCP or static IP addresses.
Refer to the Editing the VM configuration section for more information on Setting a static IP and Determining your DHCP IP address.
Cannot log in to the FortiSOAR platform
Resolution:
- Check if you are using the correct credentials that have been provided to you by FortiSOAR Customer Support.
- ssh to the VM where you have deployed FortiSOAR to check the status of the cyops-auth service. The cyops-auth service must be running.
- If both points 1 and 2 are ok, and the cyops-auth service is running, contact FortiSOAR support.
Getting a 502 error when you click on the Reports tab
Resolution:
- ssh to the VM where you have installed FortiSOAR.
- Log in using the ssh credentials.
- Run the $ sudo su command.
Enter your FortiSOAR password.
- Run the $ sudo systemctl restart tomcat command.
- Run the $ sudo systemctl restart nginx command.
If the issue is still not resolved, contact FortiSOAR support.
Troubleshooting Upgrade Issues
For the procedure on how to upgrade to FortiSOAR 7.0.1, see the Upgrading a FortiSOAR enterprise instance to 7.0.1 section in the “Upgrade Guide.”
Post license renewal you cannot log into FortiSOAR
If you have requested a license from FortiSOAR for fewer users than currently exist in your system, you cannot log on to FortiSOAR post-upgrade.
For example, if you requested a license for 10 users but have 15 users existing in your system, you will not be able to log on to FortiSOAR post-upgrade. It is therefore very important to provide the correct number of users when requesting a license from FortiSOAR.
Resolution:
Contact FortiSOAR Support to generate a new license for you with the correct number of users.
Failure to upgrade FortiSOAR
If you face a failure while trying to upgrade FortiSOAR, perform the following steps:
Resolution:
- To gather logs and send them to FortiSOAR Support, do the following:
  - ssh to machine as a root user and type the following command:
  # csadm log --collect
  - Specify the path where you want to collect the logs. By default, the logs are collected in the /tmp/ folder.
  A file named fortisoar-logs.tar.gz.gpg gets generated in the path you have specified. Send this file to FortiSOAR Support.
- Revert the snapshot of your system to the latest working state. You must take a snapshot of your system before you attempt to upgrade FortiSOAR on your system.
Follow the steps mentioned in the documentation of your platform for taking a snapshot and reverting to the current snapshot.
Post-upgrade your playbooks fail to execute, and the playbooks are also not listed in the executed playbooks log
If you have not cleaned the workflow history prior to upgrading your FortiSOAR version, and if you have a large number of records in the workflow history (> 50000), then the overall upgrade time would increase, and this issue might occur. For the method to clean the workflow execution run history, see the "Setting up auto-cleanup of workflow execution history" topic in the Debugging and Optimizing Playbooks chapter in the "Playbooks Guide."
Resolution
Perform the following steps:
- Check the install logs to see if errors such as the following are present:
psycopg2.InternalError: missing chunk number 0 for toast value 1502832 in pg_toast_17046
- Connect to the postgres db and run the following command:
# REINDEX table pg_toast.pg_toast_XXXXX;
(where XXXXX is the number from the error message present in step 1).
- Run the following commands:
# cd /opt/cyops-workflow/sealab
$ sudo -u nginx /opt/cyops-workflow/.env/bin/python3 manage.py migrate
Note: If manage.py fails again for pg_toast value (error mentioned in step 1), then you must execute steps 2 and 3 again with the new pg_toast value mentioned in the error, till manage.py executes successfully.
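Because steps 2 and 3 may have to be repeated for each new pg_toast value, it helps to pull every affected table out of the install log in one pass. The following is an added example, not part of the FortiSOAR documentation or product: it turns the errors from step 1 into the REINDEX statements for step 2. The function name and the sample log lines, apart from the error line quoted in step 1, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FortiSOAR code): build the REINDEX statements for step 2
# from the "missing chunk number" errors in an install log read on stdin.

# Constructed sample log; the first line is the error quoted in step 1, the
# others are made-up lines to show de-duplication and filtering.
SAMPLE_LOG='psycopg2.InternalError: missing chunk number 0 for toast value 1502832 in pg_toast_17046
psycopg2.InternalError: missing chunk number 0 for toast value 1502840 in pg_toast_17046
Applying migrations ... OK'

# toast_reindex_sql: print one REINDEX statement per distinct pg_toast table.
# Returns 1 when the log contains no pg_toast error at all.
toast_reindex_sql() {
    # Keep only the table name from each matching error line; the pattern
    # accepts purely numeric table suffixes, so nothing else from the log
    # can end up inside the generated SQL.
    sed -n 's/.*missing chunk number [0-9][0-9]* for toast value [0-9][0-9]* in \(pg_toast_[0-9][0-9]*\).*/\1/p' |
        sort -u |
        awk '{ printf "REINDEX table pg_toast.%s;\n", $0; n++ }
             END { if (!n) exit 1 }'
}

# Demo on the constructed sample: two errors, one table, one statement.
printf '%s\n' "$SAMPLE_LOG" | toast_reindex_sql
```

Run the printed statements in the postgres db session from step 2, then rerun the migrate command from step 3.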
Login and logout events are not audited after you have upgraded your FortiSOAR version
If, after you have upgraded FortiSOAR on your system, you observe the following error in the auditlog log file located at /var/log/cyops/cyops-gateway/auditlog.log:
ERROR c.c.a.service.RecordLogService.processRecordLogs - 500 Internal Server Error
and you also do not see any Login and Logout events in Audit Logs on the FortiSOAR UI, then perform the steps mentioned in the resolution.
Resolution
To resolve this issue and include login and logout events in audit logs, run the following commands on your FortiSOAR VM as a root user. Note that mode 644 leaves both key files, including APPLIANCE_PRIVATE_KEY, readable by every local account on the VM:
yes | cp /opt/cyops-workflow/sealab/.envdir/APPLIANCE_PUBLIC_KEY /etc/cyops/APPLIANCE_PUBLIC_KEY
yes | cp /opt/cyops-workflow/sealab/.envdir/APPLIANCE_PRIVATE_KEY /etc/cyops/APPLIANCE_PRIVATE_KEY
chmod -R 644 /etc/cyops/APPLIANCE_*_KEY
chown tomcat:tomcat /etc/cyops/APPLIANCE_*_KEY
systemctl restart tomcat
Issues occurring when you have restored data on a FortiSOAR 6.0+ system with data backed up from a system prior to 6.0.0
If you have backed up a FortiSOAR system whose version is prior to 6.0.0 and restored this system on a fresh installation of FortiSOAR 6.0.0 or later, then you might face issues in creating records etc. since the system will not be able to find your record ID sequence.
Resolution
To keep your record ID sequence and avoid issues on the FortiSOAR 6.0+ instance, you must perform the following steps as a root user:
- In the /opt/cyops-api/app/config/parameters_prod.yml file, set the id_per_module parameter to false.
- cd /opt/cyops-api
sudo -u nginx php app/console cache:clear --env=prod