Tutorial (5.0) 10 Troubleshooting * fortiedr * Fortinet network security expert NSE 5
2022-07-02 19:10:00 【Feita plum】

In this lesson, you will learn troubleshooting.

By demonstrating the ability to perform advanced troubleshooting, you will be able to troubleshoot collector upgrades and retrieve collector logs to troubleshoot performance problems, including third-party application issues, system hangs and crashes.

The figure above outlines the troubleshooting process for a collector upgrade. You will learn more about these steps later in this lesson. First, verify the settings on the management console; you don't want to discover, after going through the whole troubleshooting process, that the collector group is set to the wrong version.
Next, restart the device. Usually, upgrading the FortiEDR collector does not require a restart, but occasionally compatibility issues (usually related to anti-virus software) require a reboot.
Third, locate the collector logs. You can do this on the local machine, or you can download them from the management console (if the collector is connected). If you are using local logs, you can inspect them to locate where the failure occurred, or send them to Fortinet Support. Logs obtained through the management console are encrypted and must be sent to Fortinet Support for decryption and analysis.
Next, try updating the collector locally using the installer file.
Finally, in rare cases where the collector logs do not provide enough information, Fortinet Support may ask you to run Process Monitor during the installation and return the log. Unless Support specifically requests this, you do not need to do it.

Again, the first step in troubleshooting an upgrade is to verify your settings on the console. First, you need to identify the collector group assigned to the device you are investigating. As you learned in the previous lesson, you can do this by clicking the INVENTORY tab and searching for the device name. The search results show the collector group assigned to the device and its version. Verify that the version number is what you expect, and note the collector group name. Remember that, by default, you only see degraded collectors, so make sure to click the blue Show all collectors link.
Once you have identified the collector group, you can check the assigned version on the LICENSING panel of the ADMINISTRATION tab. Click the "Update collectors" button. The "Update collector version" dialog box opens. Find the collector group you noted earlier and make sure it is assigned to the correct collector version.
Note that in a multi-tenant environment, Fortinet recommends performing device upgrades from the Hoster view.

Now, you will learn about the process of retrieving collector logs. The easiest way to get logs is through the management console, which you can do if the device is currently connected to your network. On the INVENTORY tab, find the collector and select its checkbox. Click the "Export" drop-down list and choose "Collector logs". Save the logs locally. They are downloaded in a password-protected zip file. The collector files themselves are encrypted to prevent tampering, so you have to send them to Fortinet Support for decryption and analysis.

When the collector is not connected to the FortiEDR Central Manager, you can download the collector logs locally. Use the CLI command to download the collector logs.

On the collector, if you need to verify that the FortiEDR installation succeeded and that there are no configuration or communication problems, use the CLI command.

A newly installed collector may not appear on the INVENTORY tab of the Central Manager console, and sometimes you will see the collector in the disconnected state. To solve the connection problem, verify that there is network connectivity between all FortiEDR components. Verify that ports 555 and 8081 are open and that no third-party application is blocking these ports. Command-line tools such as telnet and netstat can verify whether these ports are available.
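As an added example (not from the lesson or from Fortinet), the following Python check tests TCP reachability of the ports named above from a collector host and distinguishes a refused connection from a silent timeout, which usually points at a firewall or third-party product dropping the traffic. The aggregator host name "aggregator.example" is a placeholder.

```python
import socket

# Ports the lesson says must be open between FortiEDR components.
FORTIEDR_PORTS = (555, 8081)


def check_port(host, port, timeout=3.0):
    """Try a TCP connect and classify the outcome.

    Returns 'open' (handshake completed), 'refused' (host answered with RST:
    reachable but nothing listening, or a firewall rejecting), 'timeout'
    (no answer at all: typical of a firewall silently dropping the SYN) or
    'error' for anything else (DNS failure, unreachable network, ...).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"
    finally:
        sock.close()


def check_fortiedr_ports(host, ports=FORTIEDR_PORTS, timeout=3.0):
    """Check every required port and list those that are not open."""
    results = {port: check_port(host, port, timeout) for port in ports}
    blocked = [p for p, state in results.items() if state != "open"]
    return results, blocked


def start_local_listener():
    """Open a throwaway listener on 127.0.0.1 to self-test the check."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # "aggregator.example" is a placeholder for the real aggregator address.
    results, blocked = check_fortiedr_ports("aggregator.example")
    for port, state in results.items():
        print(f"port {port}: {state}")
    print("not open:", blocked or "none")
```

A "timeout" on both ports while the host answers ping is the pattern to look for when a host firewall or other agent is filtering the collector traffic.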

If you still have a problem upgrading the collector, run the installer file locally on the end user's machine. To do so, you need the organization's registration password, which you can find on the TOOLS tab under ADMINISTRATION in the management console.
If Fortinet Support requires additional information not contained in the collector logs, they may ask you to run ProcMon, a free tool from Microsoft Sysinternals. This rarely happens, but if needed, you can run ProcMon while performing the installation and save the ProcMon log to a PML file. Then obtain the installation log with "/l*vx log.txt", and send these logs to Fortinet Support.


The easiest way to get logs is through the management console, which you can do if the component is currently connected to your network. Under System Components on the INVENTORY tab, find the core or aggregator and select its checkbox. Click the "Export" drop-down list and choose "Core logs" or "Aggregator logs". Save the logs locally. They are downloaded in a password-protected zip file. Send these files to Fortinet Support for decryption and analysis.


If you are troubleshooting device performance problems, restart the device first. If that doesn't help, disable the collector on the management console. If the problem persists, upgrade the collector if a newer version is available.
If the performance problem still persists, the next step depends on the type of problem you are investigating. You will learn about each step on the next slide. If it is a performance problem with a third-party application, you must record the steps to reproduce the problem. For a system hang, create a manual crash dump, then collect a complete memory dump while the system is hung. For a system crash or blue screen, confirm that a blue screen occurred, then collect the full memory dump when the system hangs.
If you still need more information, try collecting the collector logs, using the process just covered, while the device is running. If you need help, contact Fortinet Support.


Now, you will learn more about these steps. If you have performance problems, first try disabling the collector, which you can do on the management console. If the problem persists with the collector disabled, the problem is unlikely to be related to FortiEDR.
Next, check the collector version. You learned earlier how to locate the current version of the collector. Use the "Update collectors" dialog box you saw earlier in this lesson to find the newer collector versions available. Alternatively, you can open a support ticket with Fortinet Support to ask for the latest collector version. If updates are available, apply them to the affected collectors and see whether performance has improved.
If you still have problems, reproduce the problem and record the steps to reproduce it. You will learn more in the following slides.


If your performance problems involve third-party applications, start by checking for blocking events. In the management console, click the EVENT VIEWER tab and search for the executable file name of the application being investigated. If you locate any blocking events, make sure they are safe. It is possible that an event involving a seemingly safe process is actually malicious; for example, a malicious macro can run inside a legitimate copy of Microsoft Word, or a malicious program may masquerade as a legitimate application. After you verify that the event is safe, you can create an exception to allow the safe process to run.
If there are no blocking events and the application you are investigating cannot connect to the network, check the communication control policies. First, click the COMMUNICATION CONTROL tab, then choose Policies. Find the policy that applies to the user's collector group. Then search for the application in the application list. Highlight the application and check the Policies panel to ensure that the user's policy is not set to deny communication from the application. Also check the versions: sometimes an old version is blocked because of known vulnerabilities, while an updated, more secure version is allowed.
If you still haven't found the root of the problem, use the procedure outlined earlier to retrieve the collector logs.


If the system hangs, first follow the instructions from Microsoft or a third-party utility (such as Bang) to create a manual crash dump.
Next, collect a complete memory dump while the system is hung. You will learn the details of this process later in this lesson. When done, compress the memory dump file and record its SHA256 hash to verify the integrity of the file.
Finally, retrieve the collector logs of the affected device. Again, refer to the steps you learned earlier in this lesson.


If you are investigating a system crash, first verify whether a blue screen occurred. You should find the memory dump and the stop code in the memory.dmp file in the system folder. You can also check the Windows Event Viewer application log: search for kernel power to locate the blue screen record.
Next, create a full memory dump when the system hangs. Compress the memory dump file and record its SHA256.
Finally, as in the previous process, retrieve the collector logs (locally or through the management console), as described earlier in this lesson.


Answer: B


Answer: B


By mastering the objectives covered in this lesson, you have learned some useful skills for troubleshooting FortiEDR.
