Fortinet white logo
Fortinet white logo

Multi-Tenancy Support Guide

Deployment Troubleshooting

Troubleshooting

For troubleshooting the distributed managed service provider model for multi-tenancy issues that you might face, you can use the postman.log located at:

/var/log/cyops/cyops-routing-agent/postman.log

You can change the logging levels for the postman.log by using the following command:

# vi /opt/cyops-routing-agent/postman/config.ini and set the required logging level. By default, the logging level is set to WARN.

You can set the following logging levels in the log files:

  • DEBUG: Low-level system information for debugging purposes.
  • INFO: General system information.
  • WARN: Information describing a minor problem that has occurred.
  • ERROR: Information describing a major problem that has occurred.
  • CRITICAL: Information describing a critical problem that has occurred.

Deployment Troubleshooting

While connecting to a secure message exchange, retries never stop if the DNS is not resolved

You can continue to retry to connect to the secure message exchange for 10 minutes. A long retry has been specified to ensure that you do not have to restart the service every time the network breaks since all consumers stop after a long network break.

Resolution

You can configure the time for which you will continue retrying to establish a connection with the secure message exchange using the config file, located at /opt/cyops-routing-agent/postman/config.ini:

heartbeat = 120
connection_attempts = 50
retry_delay = 10

After adding a tenant on the master, you see a Retry button on the tenant node

This issue can occur due to two reasons:

  • Incorrect secure message exchange configuration.
  • Incorrect selection of secure message exchange while configuring the tenant on the master node.

Resolution

Correct the secure message exchange configuration or selection and click the Retry button.

Configuration Troubleshooting

Failure while configuring master on a tenant node

This issue can occur if you have specified the wrong password or port while configuring the master on the tenant node.

Resolution

On the tenant node, click Master Configuration > Edit Configuration. On the Configure Master dialog and correct the password or TCP port number that you have specified.

If you yet see that the Enabled button is in the NO state, and you want to enable data replication, toggle the Enabled button to YES.

Records created at the tenant node do not replicate to the master node even when data replication is turned on

In this case, the FortiSOAR logs contain the following message: Error message on master "Error: Bad Request for url: <URL> when a field is non-mandatory on tenant and mandatory on master

This issue occurs if you have switched off replication of a required record field on a tenant node, or the field does not exist on the same module defined at the tenant node. This leads to a failure of record creation on the master node.

Resolution

You must ensure that replication is switched on for all required record fields, and you should also note that if you have done any schema changes in a module at the master node, then you must ensure that the required fields are marked as required across all tenants that are replicating that module.

A user is not able to view records and FortiSOAR displays a 500 error

Resolution

Any user who is created in a multi-tenant environment and who requires to view records must have a minimum of read-only access for the Tenants module in their respective role.

Therefore, ensure that you have assigned the user a role that has a minimum of read-only access for the Tenants module.

Tenant modules not getting displayed at the master node after initial configuration

You might not see any modules of a tenant node at the master node in Remote Tenant Manager > Manage Modules after the initial configuration (addition) of the tenant node if there are errors while configuring the tenant.

Resolution

This issue occurs due to the tenant being in the "Verification Failed" state at the time of configuration. To make the MMD of the tenant visible at the master node, restart the "cyops-postman" service at the tenant node.

In case of clustering of secure message exchanges, FortiSOAR is unable to connect to primary secure message exchange even after the primary node has come back online after a failure

If you have your secure message exchanges setup as a cluster for high availability, and you face a failure, and the primary secure message exchange node comes back online and yet the FortiSOAR node is still not able to connect to the secure message exchange. You will see the following error in the postman logs:

2018-11-20 10:36:21,022 140437372753664 59b195ab94e35ef70e28ed129c58c804 ERROR pika.callback callback process(): Calling <bound method BlockingChannel._on_channel_closed of <BlockingChannel impl=<Channel number=1 CLOSED conn=<SelectConnection OPEN socket=(‘<xxx.xxx.xx.xxx’, 53378)->(‘xxx.xxx.xx.xxx’, 52011) params=>>>> for “1:Channel.Close” failed
Traceback (most recent call last):
File “/opt/cyops-routing-agent/.env/lib/python3.4/site-packages/pika/callback.py”, line 236, in process
callback(*args, **keywords)
File “/opt/cyops-routing-agent/.env/lib/python3.4/site-packages/pika/adapters/blocking_connection.py”, line 1358, in _on_channel_closed
method.reply_text)
pika.exceptions.ChannelClosed: (404, “NOT_FOUND - home node ‘rabbit@’ of durable queue ‘queue.postman.data.remoterequest.805553bfece2f6a5895c8db8c54b9ae0’ in vhost ‘vhost_59b195ab94e35ef70e28ed129c58c804’ is down or inaccessible”)

Resolution

Stop and start the rabbitmq app on the secure message exchange node using the following commands:

# rabbitmqctl stop_app

# rabbitmqctl start_app

Shifting the Secure Message Exchange of tenants leads to MMDs not being pushed to the tenants that have been shifted to the new Secure Message Exchange

If you have shifted the Secure Message Exchange of any tenant in your multi-tenant configuration to a new Secure Message Exchange, then the remote mmd management does not work since the uwsgi service keeps the Secure Message Exchange details in memory and uses it to publish to the Secure Message Exchange. However, when the Secure Message Exchange is changed for any tenant the change gets notified using "rabbitmq publish" and the updated Secure Message Exchange setting is available only to the postman service; the uwsgi still has old Secure Message Exchange details.

Resolution

After you have shifted any tenant to a new Secure Message Exchange, then you must update the router settings in the uwsgi service by restarting the postman and uwsgi services on the master node using the following commands:
# systemctl restart uwsgi
# systemctl restart cyops-postman

You also need to restart the postman service on the tenant node.

Deployment Troubleshooting

Troubleshooting

For troubleshooting the distributed managed service provider model for multi-tenancy issues that you might face, you can use the postman.log located at:

/var/log/cyops/cyops-routing-agent/postman.log

You can change the logging levels for the postman.log by using the following command:

# vi /opt/cyops-routing-agent/postman/config.ini and set the required logging level. By default, the logging level is set to WARN.

You can set the following logging levels in the log files:

  • DEBUG: Low-level system information for debugging purposes.
  • INFO: General system information.
  • WARN: Information describing a minor problem that has occurred.
  • ERROR: Information describing a major problem that has occurred.
  • CRITICAL: Information describing a critical problem that has occurred.

Deployment Troubleshooting

While connecting to a secure message exchange, retries never stop if the DNS is not resolved

You can continue to retry to connect to the secure message exchange for 10 minutes. A long retry has been specified to ensure that you do not have to restart the service every time the network breaks since all consumers stop after a long network break.

Resolution

You can configure the time for which you will continue retrying to establish a connection with the secure message exchange using the config file, located at /opt/cyops-routing-agent/postman/config.ini:

heartbeat = 120
connection_attempts = 50
retry_delay = 10

After adding a tenant on the master, you see a Retry button on the tenant node

This issue can occur due to two reasons:

  • Incorrect secure message exchange configuration.
  • Incorrect selection of secure message exchange while configuring the tenant on the master node.

Resolution

Correct the secure message exchange configuration or selection and click the Retry button.

Configuration Troubleshooting

Failure while configuring master on a tenant node

This issue can occur if you have specified the wrong password or port while configuring the master on the tenant node.

Resolution

On the tenant node, click Master Configuration > Edit Configuration. On the Configure Master dialog and correct the password or TCP port number that you have specified.

If you yet see that the Enabled button is in the NO state, and you want to enable data replication, toggle the Enabled button to YES.

Records created at the tenant node do not replicate to the master node even when data replication is turned on

In this case, the FortiSOAR logs contain the following message: Error message on master "Error: Bad Request for url: <URL> when a field is non-mandatory on tenant and mandatory on master

This issue occurs if you have switched off replication of a required record field on a tenant node, or the field does not exist on the same module defined at the tenant node. This leads to a failure of record creation on the master node.

Resolution

You must ensure that replication is switched on for all required record fields, and you should also note that if you have done any schema changes in a module at the master node, then you must ensure that the required fields are marked as required across all tenants that are replicating that module.

A user is not able to view records and FortiSOAR displays a 500 error

Resolution

Any user who is created in a multi-tenant environment and who requires to view records must have a minimum of read-only access for the Tenants module in their respective role.

Therefore, ensure that you have assigned the user a role that has a minimum of read-only access for the Tenants module.

Tenant modules not getting displayed at the master node after initial configuration

You might not see any modules of a tenant node at the master node in Remote Tenant Manager > Manage Modules after the initial configuration (addition) of the tenant node if there are errors while configuring the tenant.

Resolution

This issue occurs due to the tenant being in the "Verification Failed" state at the time of configuration. To make the MMD of the tenant visible at the master node, restart the "cyops-postman" service at the tenant node.

In case of clustering of secure message exchanges, FortiSOAR is unable to connect to primary secure message exchange even after the primary node has come back online after a failure

If you have your secure message exchanges setup as a cluster for high availability, and you face a failure, and the primary secure message exchange node comes back online and yet the FortiSOAR node is still not able to connect to the secure message exchange. You will see the following error in the postman logs:

2018-11-20 10:36:21,022 140437372753664 59b195ab94e35ef70e28ed129c58c804 ERROR pika.callback callback process(): Calling <bound method BlockingChannel._on_channel_closed of <BlockingChannel impl=<Channel number=1 CLOSED conn=<SelectConnection OPEN socket=(‘<xxx.xxx.xx.xxx’, 53378)->(‘xxx.xxx.xx.xxx’, 52011) params=>>>> for “1:Channel.Close” failed
Traceback (most recent call last):
File “/opt/cyops-routing-agent/.env/lib/python3.4/site-packages/pika/callback.py”, line 236, in process
callback(*args, **keywords)
File “/opt/cyops-routing-agent/.env/lib/python3.4/site-packages/pika/adapters/blocking_connection.py”, line 1358, in _on_channel_closed
method.reply_text)
pika.exceptions.ChannelClosed: (404, “NOT_FOUND - home node ‘rabbit@’ of durable queue ‘queue.postman.data.remoterequest.805553bfece2f6a5895c8db8c54b9ae0’ in vhost ‘vhost_59b195ab94e35ef70e28ed129c58c804’ is down or inaccessible”)

Resolution

Stop and start the rabbitmq app on the secure message exchange node using the following commands:

# rabbitmqctl stop_app

# rabbitmqctl start_app

Shifting the Secure Message Exchange of tenants leads to MMDs not being pushed to the tenants that have been shifted to the new Secure Message Exchange

If you have shifted the Secure Message Exchange of any tenant in your multi-tenant configuration to a new Secure Message Exchange, then the remote mmd management does not work since the uwsgi service keeps the Secure Message Exchange details in memory and uses it to publish to the Secure Message Exchange. However, when the Secure Message Exchange is changed for any tenant the change gets notified using "rabbitmq publish" and the updated Secure Message Exchange setting is available only to the postman service; the uwsgi still has old Secure Message Exchange details.

Resolution

After you have shifted any tenant to a new Secure Message Exchange, then you must update the router settings in the uwsgi service by restarting the postman and uwsgi services on the master node using the following commands:
# systemctl restart uwsgi
# systemctl restart cyops-postman

You also need to restart the postman service on the tenant node.