Problem
Sometimes you may want to trigger an alert only if one event persists longer than X minutes and isn’t followed by a log entry XY.
Solution
Check out the FortiAnalyzer correlation handler to do that.
Further Details
Starting with version 7.2.2, FortiAnalyzer has a new feature called the correlation handler.
This is very helpful if you would like to verify that an event such as VPN Tunnel down isn’t followed by a VPN Tunnel up within X minutes.
In the example below I show how you can use the correlation handler to trigger an alert if a VPN tunnel is down for more than 10 minutes:
- Create a new correlation handler
- In the correlation handler, add a new rule for the tunnel-down event
- In the correlation handler, add a second rule for the tunnel-up event
- Finish the configuration of the correlation handler
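To make the correlation logic behind those two rules concrete, here is an added Python example (not part of the original post and not FortiAnalyzer code) that applies the same "tunnel-down not followed by tunnel-up within 10 minutes" check to a handful of constructed, FortiGate-style key=value log lines. The log format, field names (action, tunnelid, remote_ip) and the evaluation timestamp are assumptions chosen for illustration; the point is to show which outages do and do not produce an alert.

```python
from datetime import datetime, timedelta

# Constructed sample log lines in a FortiGate-like key=value style
# (illustrative only; not captured from a real FortiAnalyzer).
SAMPLE_LOGS = """\
date=2024-01-15 time=07:50:00 vd=root action=tunnel-down tunnelid=4 remote_ip=192.0.2.9
date=2024-01-15 time=08:00:05 vd=root action=tunnel-down tunnelid=1 remote_ip=203.0.113.10
date=2024-01-15 time=08:04:30 vd=root action=tunnel-up tunnelid=1 remote_ip=203.0.113.10
date=2024-01-15 time=08:05:00 vd=root action=tunnel-up tunnelid=4 remote_ip=192.0.2.9
date=2024-01-15 time=08:10:00 vd=root action=tunnel-down tunnelid=2 remote_ip=198.51.100.7
date=2024-01-15 time=08:25:00 vd=root action=tunnel-down tunnelid=3 remote_ip=192.0.2.44
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_line(line):
    """Turn one 'key=value key=value ...' line into a dict with a 'ts' datetime."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', TS_FORMAT)
    return fields


def correlate(lines, window_minutes=10, now=None):
    """Return one alert per tunnel whose tunnel-down was not answered by a
    tunnel-up within window_minutes.

    Mirrors the two-rule correlation handler: rule 1 opens a pending
    tunnel-down per tunnelid, rule 2 (tunnel-up) closes it. A tunnel-up that
    arrives after the window still yields an alert, because the outage had
    already exceeded the threshold. Tunnels still down at evaluation time
    ('now', datetime or 'YYYY-MM-DD HH:MM:SS' string) are alerted only once
    the window has elapsed.
    """
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    if now is None:
        now = events[-1]["ts"] if events else datetime.min
    elif isinstance(now, str):
        now = datetime.strptime(now, TS_FORMAT)

    pending = {}  # tunnelid -> timestamp of the earliest unresolved tunnel-down
    alerts = []
    for ev in events:
        tid = ev["tunnelid"]
        if ev["action"] == "tunnel-down":
            pending.setdefault(tid, ev["ts"])  # a repeated down does not reset the clock
        elif ev["action"] == "tunnel-up" and tid in pending:
            down_ts = pending.pop(tid)
            outage = ev["ts"] - down_ts
            if outage > window:
                alerts.append({"tunnelid": tid, "down_at": down_ts,
                               "outage_minutes": outage.total_seconds() / 60})

    # Anything still down at evaluation time and older than the window.
    for tid, down_ts in pending.items():
        outage = now - down_ts
        if outage > window:
            alerts.append({"tunnelid": tid, "down_at": down_ts,
                           "outage_minutes": outage.total_seconds() / 60})

    return sorted(alerts, key=lambda a: a["down_at"])


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines(), 10, "2024-01-15 08:40:00"):
        print(f'ALERT tunnel {alert["tunnelid"]} down since {alert["down_at"]} '
              f'({alert["outage_minutes"]:.0f} min)')
```

With the constructed data, tunnel 1 recovers after about four minutes and stays quiet, tunnel 4 recovers only after 15 minutes and is alerted, and tunnels 2 and 3 are still down at 08:40 and are alerted once their 10-minute window has passed (tunnel 3 would not yet be alerted if evaluated at 08:30). Keying the pending state per tunnelid is what keeps a flapping tunnel from masking a genuinely long outage on another one.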
If you’re using a notification profile with e-mail alerting configured, you’ll get an e-mail similar to the screenshot below when the correlation handler is triggered:
The correlation handler is a very powerful feature of the FortiAnalyzer which you may use in many ways.
You can find further information in the 7.2 new features guide from Fortinet:
or in the FortiAnalyzer admin guide:
Creating a custom correlation handler | FortiAnalyzer 7.4.1 | Fortinet Document Library
If you should need further assistance with Fortinet products don’t hesitate to contact us –> office@c3it.net