
Explanation of Alert messages being dropped

This article explains why, when FortiGate is configured to send alert emails for certain conditions, some of the alerts can be missing from the email (dropped).

The email starts with something like this:

'Warning! This message was sent from outside your organization and we were unable to verify the sender.
Message meets Alert condition
The following critical firewall event was detected: SSL VPN login fail.
date=2024-06-15 time=11:18:54 devname=Ventura devid=FGTXXFTKXXXXXXXX eventtime=11829004388780 tz="-0700" logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=Y.Y.Y.Y user="test" group="N/A" dst_host="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in'

At the end of the email, after many alert messages, a drop summary can be observed:

'41 Alert alert message(s) dropped since 06/13/2024 10:06:45.
3 Warning alert message(s) dropped since 06/13/2024 10:06:45.'

In the actual email, there were a total of 100 alert messages.

Scope

FortiGate.

Solution

Each email includes at most 100 alert messages: FortiGate keeps the highest-severity messages first and, among messages of the same severity, the most recent ones. Any remaining messages are dropped, and the drop summary at the end of the email reports how many were dropped per severity.
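The selection rule above can be modelled to check what a given batch of alerts would look like in the email. The following Python script is an added example written for this article; it is not FortiGate code, and the severity ordering (standard FortiOS log levels, from emergency down to debug), the constructed sample log lines, the devid placeholder and the small cap of 5 used for the demonstration are assumptions. It parses FortiGate key=value log lines in the shape quoted above, applies the "highest severity first, newest first within a severity" rule with a cap, and renders the per-severity drop summary:

```python
import re
from collections import Counter
from datetime import datetime

# Assumed ordering of FortiOS log levels, most severe first (not stated in the article).
SEVERITY_ORDER = ["emergency", "alert", "critical", "error", "warning",
                  "notification", "information", "debug"]
SEVERITY_RANK = {lvl: i for i, lvl in enumerate(SEVERITY_ORDER)}

# Matches key=value and key="quoted value" fields of a FortiGate log line.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_log_line(line):
    """Parse one FortiGate key=value log line into a dict (quotes stripped)."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = value
    return fields


def _event_seconds(fields):
    """Seconds since 1970-01-01 from the date/time fields (naive, used for ordering only)."""
    ts = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return (ts - datetime(1970, 1, 1)).total_seconds()


def select_for_email(log_lines, cap=100):
    """Model of the article's rule: keep at most `cap` alerts, highest severity first,
    newest first within the same severity. Returns (kept, dropped_counts)."""
    parsed = [parse_log_line(line) for line in log_lines]
    unknown = len(SEVERITY_ORDER)  # levels not in the table sort last

    def sort_key(f):
        return (SEVERITY_RANK.get(f.get("level", ""), unknown), -_event_seconds(f))

    ordered = sorted(parsed, key=sort_key)
    kept, dropped = ordered[:cap], ordered[cap:]
    dropped_counts = Counter(f.get("level", "unknown") for f in dropped)
    return kept, dropped_counts


def drop_summary(dropped_counts, since):
    """Render trailer lines in the style of the article's drop summary."""
    return [f"{n} {lvl.capitalize()} alert message(s) dropped since {since}."
            for lvl, n in dropped_counts.items()]


def make_line(date, time, level, logdesc):
    """Constructed sample line in the same key=value shape as the article's example;
    the devid is a placeholder, not a real serial number."""
    return (f'date={date} time={time} devname=Ventura devid=FGT-PLACEHOLDER '
            f'type="event" subtype="vpn" level="{level}" vd="root" '
            f'logdesc="{logdesc}" user="test" msg="constructed sample"')


# Constructed sample batch: 4 alert-level and 3 warning-level messages.
SAMPLE_LINES = [
    make_line("2024-06-15", "11:18:54", "alert", "SSL VPN login fail"),
    make_line("2024-06-15", "11:20:10", "warning", "Admin login failed"),
    make_line("2024-06-15", "11:21:03", "alert", "SSL VPN login fail"),
    make_line("2024-06-15", "11:25:30", "warning", "Admin login failed"),
    make_line("2024-06-15", "11:30:00", "warning", "Admin login failed"),
    make_line("2024-06-15", "11:31:45", "alert", "SSL VPN login fail"),
    make_line("2024-06-15", "11:40:12", "alert", "SSL VPN login fail"),
]

if __name__ == "__main__":
    # Cap of 5 instead of 100 so the drop behaviour is visible on a tiny batch.
    kept, dropped = select_for_email(SAMPLE_LINES, cap=5)
    for f in kept:
        print(f["time"], f["level"], f["logdesc"])
    for line in drop_summary(dropped, "06/15/2024 11:18:54"):
        print(line)
```

With a cap of 5, all four alert-level messages are kept (newest first) and only the newest warning survives; the other two warnings are counted in the summary. Running the same function with the real cap of 100 over an exported log batch shows which categories would be dropped and therefore which alert category is worth disabling or which interval is worth shortening.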

To reduce the number of alert messages, first check which alert category is generating the most messages. If that category is not needed, disable it in the CLI. For example, if violation traffic logs are the likely source of the many alerts:

config alertemail setting
(setting) # set violation-traffic-logs disable
(setting) # end

Another option is to shorten the email interval from the default of 5 minutes to a smaller value (such as 3 minutes), so that fewer alerts accumulate between emails and fewer exceed the 100-message limit:

config alertemail setting
(setting) # set email-interval 3
(setting) # end