After enabling raw packets for one rule and then doing the rollout as usual, all the FortiGate firewall events fire under the rule "FortiGate_UTM Traffic Event". Now all the firewall traffic is shown as "FortiGate_UTM Traffic Event".
Please let us know if anyone has fixed this issue before, or suggest how we can fix it.
We did the steps below with the help of a McAfee support engineer, but with no luck.
1) Disabled the raw packet option and rolled out the policy.
2) Disabled the "FortiGate_UTM Traffic Event" rule; then all the events were listed as "unknown events".
3) Did a manual rule update.
4) Logged in to the receiver and deleted the rule file for the FortiGate.
5) Pushed the policy; the issue persisted.
6) Took the sample rule and uploaded it to the lab device on 9.5.0, where the rule is listed correctly.
7) Disabled the copy packet option at the global and device level, with no effect.
8) Disabled all the FortiGate data sources and rolled out the policies.
Select --> data source --> policy editor --> Operation --> order ASP rules
Found the "Fortigate_UTM User Authentication Event" in the order list. Once we removed it, parsing started working as we expected.