Function Status

This report category is the function to monitor the status of FortiWAN’s major functions for a long period. Long term statistics of function status is helpful to administrators. This category can further be divided into Connection Limit, Firewall, Virtual Server and Multihoming.

Connection Limit

To prevent network congestion, FortiWAN’s Connection Limit function limits the number of connections from each source IP. A Connection Limit event means the number of connections from a given source IP has exceeded the limit (See “Connection Limit”). Reports produces a summary report for Connection Limit events.

Create a report for a specific day or over a range of dates (See “Create a Report”).

Export reports and send reports through email (See “Export and Email”). Statistics Table

• List the Source IP generating the most accesses while connections exceeding the limit, sorted by the volume of Drops in declining order.
• Source IP: The IP address generating connections exceeding the limit. l Drops: The counts of denied access (try to construct new connection) while the connections exceeding the limit.

Firewall

Firewall is the most popular tool to control network access and deny illegal access. FortiWAN’s Firewall function limits network access by service, source IP and/or destination IP. A Firewall event means that network access has been denied according to the Firewall rules (See “Firewall”). Reports produces a summary report for Firewall events.

Create a report for a specific day or over a range of dates (See “Create a Report”).

Export reports and send reports through email (See “Export and Email”).

Function Status

Statistics Table

• Lists the Service, Source IP and Destination IP of denied network access, sorted by the volume of Drops in declining order.
• Service: The Service of denied access. l Source IP: The Source IP address of denied access. l Destination IP: The Destination IP address of denied access. l Drops: The counts of denied access.

Virtual Server

FortiWAN’s Virtual Server function the linking of multiple servers in an internal (or private) network to external network (public) IP addresses. It is usually used to share multiple servers with single public IP addresses – a simple server load balancing application (See “Virtual Server & Server Load Balancing”). Reports produces a summary and detailed report for Virtual Server.

Create a report for a specific day or over a range of dates (See “Create a Report”).

Export reports and send reports through email (See “Export and Email”). Statistics Table

• Lists the Virtual Server IP (Service) and count of access, sorted by the Server IP (default). l WAN IP: the public IP address for external users to access the virtual server. l WAN Service: the service for external users to access the virtual server. l Server IP: the IP address of the Virtual Server. l Server Service: the service ran on the virtual server. l Requests: the count of accessing this Server Service ran on the Virtual Server IP from the WAN IP address.
• Note: Select “WAN IP”, “WAN Service”, “Server IP” and “Server Service” as primary sorting via clicking on the column title. A “▲” or “▼” is shown aside the column header while the column is selected as primary sorting, e.g. Server IP ▲. The sorting order will be switched by clicking on the same column header.

Multihoming

FortiWAN’s Multihoming function performs load balancing and fault tolerance between WAN links for inbound traffic. Users from the public network are told dynamically by FortiWAN the best available WAN link to access in order to reach specific resources on the internal network (See “Inbound Load Balancing and Failover (Multihoming)”). Reports produces a summary and detailed report for Multihoming.

Create a report for a specific day or over a range of dates (See “Create a Report”).

Export reports and send reports through email (See “Export and Email”). Statistics Table

• Lists the Domain Name and the count of the number of times this domain was accessed, sorted by the FQDN

(default).

• FQDN: the domain name configured on FortiWAN. Select “FQDN” as primary sorting via clicking on the column title “FQDN”.
• WAN: which WAN links this FQDN was accessed through. Select “WAN” as primary sorting via clicking on the column title “WAN”.
• WAN IP: the WAN IP address in this FQDN accessed through the WAN link. Select “WAN IP” as primary sorting via clicking on the column title “WAN IP”.
• Access: the counts of accessing this domain by external users via the WAN IP address.
• Note: Select “FQDN”, “WAN” and “WAN IP” as primary sorting via clicking on the column title. A “▲” or “▼” is shown aside the column header while the column is selected as primary sorting, e.g. FQDN ▲. The sorting order will be switched by clicking on the same column header.

Introduction

This document provides the following information for FortiOS 5.6.0 build 1449:

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 5.6.0 supports the following models.

What’s new in FortiOS 5.6.0                                                                                                                Introduction

What’s new in FortiOS 5.6.0

For a list of new features and enhancements that have been made in FortiOS 5.6.0, see the What’s New for FortiOS 5.6.0 document.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.0, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web

Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 5.6.0

FortiOS version 5.6.0 officially supports upgrading from version 5.4.3 and 5.4.4.

Security Fabric Upgrade

FortiOS 5.6.0 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 5.6.0 l FortiClient 5.6.0 l FortiClient EMS 1.2.0 l FortiAP 5.4.2 and later l FortiSwitch 3.5.2 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

FortiClient Profiles

After upgrading from FortiOS 5.4.0 to 5.4.1 and later, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading, review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1 and later:

• Advanced FortiClient profiles (XML configuration)
• Advanced configuration, such as configuring CA certificates, unregister option, FortiManager updates, dashboard

Banner, client-based logging when on-net, and Single Sign-on Mobility Agent l VPN provisioning l Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths l Client-side web filtering when on-net

• iOS and Android configuration by using the FortiOS GUI

With FortiOS 5.6.0, endpoints in the Security Fabric require FortiClient 5.6.0. You can use FortiClient 5.4.3 for VPN (IPsec, VPN, or SSL VPN) connections to FortiOS 5.6.0, but not for Security Fabric functions.

Upgrade Information                                                                                          FortiGate-VM 5.6 for VMware ESXi

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.0, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles.

If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:

1. Back up your configuration.
2. In the backup configuration, replace all long VDOM names with its corresponding short VDOM name. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_ name>.
3. Restore the configuration.
4. Perform the downgrade.

Amazon AWS Enhanced Networking Compatibility Issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.6.0 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 5.6.0 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

• C3 l C4 l R3 l I2
• M4 l D2

FortiGate VM firmware                                                                                                            Upgrade Information

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
• .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

• .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.6.0 support

The following table lists 5.6.0 product integration and support information:

11

FortiOS 5.6.0 support

Product Integration and Support                                                                                                  Language support

Language support

The following table lists language support information.

Language support

SSL VPN support

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Product Integration and Support                                                                                                  SSL VPN support

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Supported Microsoft Windows 7 32-bit antivirus and firewall software

SSL VPN support

Resolved Issues

The following issues have been fixed in version 5.6.0. For inquires about a particular bug, please contact CustomerService & Support.

Firewall

FortiRugged 60D

Endpoint Control

Resolved Issues

FortiView

GUI

Resolved Issues

HA

IPsec

Resolved Issues Kernel

Log & Report

SSL VPN

System

Resolved Issues

Visibility

WiFi

Common Vulnerabilities and Exposures

Known Issues

The following issues have been identified in version 5.6.0. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

Antivirus

FortiGate 800D

FortiGate 3815D

FortiSwitch-Controller/FortiLink

Known Issues

FortiView

GUI

HA

Log & Report

Known Issues

Security Fabric

Known Issues

SSL VPN

System

Known Issues

WiFi

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

• XenTools installation is not supported.
• FortiGate-VM can be imported or deployed in only the following three formats:
• XVA (recommended) l VHD l OVF
• The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

Advanced Functions of Reports

Reports provides advanced functions beyond the basic reports to give an accurate analysis. Drill In and Custom Filter are the functions about querying the reports with complex conditions. It delivers only the data that a user needs from large data sets. Export and Report Email are the functions about documentations and delivering of the on-line reports. The details of the advanced functions are described as follows.

Drill In

There are 7 different query conditions for Bandwidth Usage, including In Class, Out Class, WAN, Service, Internal IP, External IP and Traffic Rate. In every Bandwidth Usage report, analysis can be further drilled-in to include more traffic data statistics; in other words, Reports allows traffic to be queried based on combination of multiple conditions. For example, select Service as the query subject from the menu in the category area, and the Service report will be displayed accordingly, as shown below:

Service=All

Go to Reports > Service, you can have an overall service report which gives the traffic statistics of all the service usages (query result is as shown below).

The HTTPS(TCP@443) service can be further drilled in to query which WAN link of FortiWAN are utilizing this service by clicking the Drill In magnifier icon in the row of HTTPS(TCP@443) listed in the table and select WAN (query result is as shown below):

Service=HTTPS(TCP@443) & WAN=All

As indicated in the blue box (shown in the figure above), this page presents the data of HTTPS(TCP@443) traffic in the WAN report, In the statistics table, the WAN link 1 can be further drilled in to query what internal IP addresses are included by clicking the Drill In magnifier icon in the row of WAN 1 listed in the table and select Internal IP (query result is as shown below):

Service=HTTPS(TCP@443) & WAN=1 & Internal IP=All

As indicated in the blue box (shown in the figure above), this page presents the data of Internal IP report that includes the traffic of WAN 1 (WAN) using HTTPS(TCP@443) (Service), The IP address: 10.12.106.17 can be further drilled in to query what External IP addresses it is connected to by clicking the Drill In magnifier icon in the row of 10.12.106.17 IP listed in the table and select External IP (query result is as shown below):

Service=HTTPS(TCP@443) & WAN=1 & Internal IP=10.12.106.17 & External IP=All

As indicated in the blue box (shown in the figure above), this page presents the data of External IP report that includes the traffic of WAN 1 (WAN) at internal IP=10.12.106.17 (Internal IP) using HTTPS(TCP@443) (Service).

From the example illustrated above, administrators can easily query the traffic flow based on combination of various conditions needed, while analysis can be drilled in to more details for better review. In the upper section of the report page, you’ll see a summary of the query conditions used in the existing report (highlighted in blue as shown in the image above), making it clear for administrators to keep track of the query details.

Service=HTTPS(TCP@443) & WAN=1 & Internal IP=10.12.106.17 & Traffic Rate=All

Continuing the example described above, the query submitted returns a result that the IP address: 10.12.106.17 via WAN 1 is connecting to External IP addresses, via the HTTPS(TCP@443) service. You can change the last Drill In condition (External IP) to a different one (such as traffic rate of bandwidth usage) using the same filter: WAN=1, Internal IP=10.12.106.17 and Service=HTTPS(TCP@443), by selecting Traffic Rate from the drop-down menu of External IP (as shown below):

The report presented by Traffic Rate using the same filter: Service=HTTP(TCP@443), WAN=1 and Internal IP=10.12.106.17 is illustrated as follows.

As illustrated in the example above, Reports offers two kinds of advanced query: you can either keep drilling in with different conditions to get a report with more specific details, or change query condition at any Drill In level; in other words, network flow data can be queried either vertically or horizontally.

Custom Filter

Reports offers 6 fixed reports of bandwidth usage by default; In Class, Out Class, WAN, Service, Internal IP, and External IP. Usually, administrators will need to check drilled-in information for particular target regularly. As discussed previously, Drill-in function can be used to obtain more report specifics, while Filter helps to directly obtain more traffic data of a specific target. In order to quickly perform a query based on a specific filter without going through those tedious steps over again, Custom Filter allows users to apply their own filters based on particular requirements for query on bandwidth usage reports.

Click Filter above every Bandwidth Usage report to see an extended block for further settings.

Add new condition:

• A Filter can be composed of multiple conditions. Click Add new condition and select an option from the drop-down menu to start setting your filter: In Class, Out Class, WAN, Service, Internal IP, External IP, Internal Group and External Group.

Conditions:

• There are two actions for options while setting the condition:
• Including: Extract only those records that fulfill the specified criterion.
• Excluding: Extract those records that not fulfill the specified criterion.
• Configurations for report categories:
• In Class: Enter the Inbound Class name you want to query (include or exclude) in the input field. l Out Class: Enter the Outbound Class name you want to query (include or exclude) in the input field. l WAN: Enter the WAN number you want to query (include or exclude) in the input field.
• Service: Enter the Service you want to query (include or exclude) in the input field. Click on the arrow next to the input field to see more Service options. Predefined L4 and L3 protocols are available. Entering a single or a range of port number is also allowed.
• Internal IP: Enter the Internal IP address you want to query (include or exclude) in the input field.
• External IP: Enter the External IP address you want to query (include or exclude) in the input field.
• Delete: Delete the extended block of condition settings in the filter.

Cancel:

Click Cancel to close the extended block of filter settings.

Apply:

Click Apply to start the query based on the filter conditions defined. The result is presented in the report area. Note both the result and filter conditions will not be saved in user profile. When the page moves to other report categories, the filter conditions will be invalid.

Example

Check out the Internal IP report first, and create and apply a customer filter, for example, with the conditions

WAN = 1 and Service = HTTPS(TCP@443). The query result of traffic statistics that are associated with the Service HTTPS(TCP@443) and passed through FortiWAN via WAN1 will then be displayed by Services accordingly. As illustrated below, the block marked in blue indicates the query subject of current report:

Continuing the example described above, apply the custom filter: Service=HTTPS(TCP@443), WAN=1 and Internal IP=10.12.106.17 in the Traffic Rate report, and the query result will show the corresponding traffic statistics by traffic rate as follows (the block marked in blue indicates the query subject of current report):

Note: Saved custom filters are kept in user account profile. Users can edit and delete custom filters from their account profile. Please refer to section of Customer Filters in Account Settings for more information.

Export

All reports generated by Reports can be exported as PDF or CSV format. By clicking Export button on the upper side of any report page, PDF and CSV are displayed for options.

Report Email

All reports generated by Reports can be sent to users via email. Reports saved in PDF or CSV format can be sent out as email attachments.

Note: Prior to creating emails, you must first configure an email server used to transfer report emails to Reports. You can set the email server through Reports > Settings > Email Server, or the email function on every report page.

Click the Email button on the right upper corner of any report page to configure email settings to current report page. For example, in the settings dialog below, you are currently in Traffic Rate report (see the header “Email : Traffic Rate” on the setting dialog), then you can:

• Send Traffic Rate through email immediately l Configure the email server used to transfer report emails l Set Traffic Rate email scheduled
• Add Traffic Rate to an existing scheduled report email

The Email function is also available for custom-filter reports and drill-in reports. No matter which report page you’re at, you can always click the Email button on that page to determine when you want to send the current report through email.

Send now

Click the Send now tab on the setting dialog. This feature requires a email server configured first.

Email Server

Click the Email Server tab on the setting dialog. You can also set the email server through Reports > Settings > Email Server. Both ways directs to one Reports to one email server.

Schedule

Click the Schedule tab on the setting dialog to set the report email scheduled. This feature requires a email server configured first.

Add to existing

Click the Add to existing tab on the setting dialog to list the schedule. By clicking the button “Add to this” on the right upper corner of every schedule item, you can add current report category to one of the scheduled report emails. You can edit the schedule through Reports > Settings > Scheduled Emails.

Reports Database Tool

FortiWAN’s Reports stores database in the built-in hard disk (HDD) for long-term analysis and reports. As the data increases, storage consumption increases. The Reports database tool (DB tool) is an application running on your local computer to manage remote FortiWAN Reports database. Note that the DB tool must be ran on a host that can access FortiWAN Web UI. Please contact Fortinet CSS to get the tool and install it following the instructions below.

A Web-based Reports database management tool providing limited functions similar to the Reports database tool is available, see Database Data Utility.

Installation Procedures

Step 1: Click the installation file (such as FWN-dbtool-4.0.0-B20150303.exe) to run the installer. Select the language of your choice.

Step 2: Read the System Requirements.

Step 3: Click ‘Next’ to begin the setup.

Step 4: Read the License Agreement carefully. Click the ‘I Agree’ button to accept the agreement and begin the installation process. Otherwise, please click ‘Cancel’.

Step 5: Choose a destination folder for setup and click ‘Next’.

Step 6: Choose a Start Menu folder (or check ‘Do not create shortcuts’ to ignore it). Click ‘Install’ and then the installation process will begin.

Step 7: Click ‘Finish’ to complete Reports DB Tool setup.

Start DB Tool

To perform the database tool, please go to: Start > Programs > FWN-dbtool, and DB Tool utility is available for selection.

DB Tool: Tool to manage report data from the Reports database.

Fortinet: Link to Fortinet web site.

Uninstall: Uninstalls DB Tool.

Setting

The first time when you use the DB tool, please go to Setting to specify the database to be managed.

The DB tool can be used to backup, restore and delete data from FortiWAN’s Reports database.

Backup

Restore

Delete

Note that although operations that Backup and Restore data of the current date (today) are allowed, it might cause damages the report data since FortiWAN Reports is receiving and processing the data for today. Backup and Restore are strongly recommend to be used for data before today.

Reports Settings

The Settings here is used to simply manage the Reports on database, disk space and the SMTP server used to email reports. Click the listed settings and you can further configure them:

Reports    :   Enable/disable Reports (See “Reports”).

“Database Data Utility”)

Please note that this function is only available for the users log-in as administrator permission.

Reports

FortiWAN Reports works by parsing and analyzing the various system logs. Before using the FortiWAN Reports, you have to enable it by specifying the way and the events to push system logs to Reports. You will be redirected to Log > Reports to complete the necessary settings to enable the FortiWAN Reports (See “Log > Reports”).

IP Annotation

IP annotation helps users to recognize IP addresses shown in Reports by predefined notes. An annotation icon will appear next to the IP address listed in a report page. Users can read the content of the annotation through clicking the icon. Click Settings > IP Annotation to enter the IP Annotation settings page.

Search IP Annotations

The search function for IP annotations is on the right upper corner of the page.

List the IP Annotations

All IP annotations are displayed in the table on the center of the page.

IP address    :   List the IP address of an annotation.

Note    :    Lists the annotation content of the IP address.

Action         :         Click Edit to edit the content of an IP annotation. The edit interface is the same as what for adding a new annotation (See below). Click Delete to delete an IP annotation.

Add a New IP Annotation

Click the New Note button on the left upper corner to enter the page for adding a new IP annotation.

IP address    :   Enter the IP address for the IP annotation.

Note Content    :    Enter the annotation content.

Save    :   Click to save the configuration and complete adding an IP annotation.

Dashboard Page Refresh Time

Reports dashboard displays instant hardware states and information of FortiWAN (See “Dashboard”). The refresh interval keeps your dashboard in sync with the latest data, however frequent page refresh might cause high CPU usage especially when FortiWAN is processing large traffic flow. Please select the appropriate fresh interval for your system. The options are refreshing dashboard every 5 sec, 15 sec, 20 sec and 30 sec, or Do not refresh the dashboard.

Email Server

Individual reports (See “Report Email”) and system alerts (See “Disk Space Control”) can be sent to users via email. It is necessary to configure the email server first to deliver the report and alert emails to users. Note that configuration here is the same as the configuration made in the tab “Email” of every report page (See “Report Email”).You can maintain the unique configuration of mail server for Reports via Settings > Email Server or the “Email” function of every report page. The mail servers used for Reports, log push (See “Log Control”) and notifications (See “Notification”) could be different. Click Settings > Email Server to enter the Email Server settings page.

Scheduled Emails

You may have get some report emails scheduled (see Report Email). Go to Reports > Settings > Scheduled Emails, then you can edit or delete the schedules.

Edit a scheduled report email

Disk Space Control

Disk space of the FortiWAN Reports is being consumed by increasing report database. Once the disk space is used up, Reports will fail to continue log processing. Disk Space Control monitors the disk space status of Reports and triggers actions (purge and alert) according to user-defined conditions. Click Settings > Disk Space Control to enter the Disk Space Control settings page.

Purge old data from database

The Purge function is triggered by two conditions, day duration and percentage of free disk space. It will purge the old data from database when any of the two conditions is satisfied. This function purges data from database without data backup. Please refer section of Reports Database Utility in Advanced Functions for more information about database backup (See “Reports Database Tool”).

Days         :         Enter the number of days for the duration. When database data exceeds the day duration, Reports keeps the latest data of the day duration in database and purges the earlier data. Leave the field empty if you want disable the condition.

Send Alerts

The alert function is triggered by two conditions, day duration and percentage of free disk space. It will alert administrator via email when any of the two conditions is satisfied. Settings > Email Server must be configured to ensure the notification (See “Reports Email Server”).

Note that system schedules condition check for database purge and sending alerts at 04:00 A.M. everyday. You are suggested to set a looser condition for sending alerts than database purge so that you get the alert earlier before the data being purged, if you need to backup the data (via Reports database tool) in advance.

Mail To

e-mail address         :         Enter the email address for system delivers alerts and notifications to. Settings > Email Server must be configured to ensure the notification (See “Reports Email Server”).

Disk Space Status

Current usage of disk space is displayed here for reference. A pie chart of disk space usage is generated based on free space, database used and other used. Moving the mouse over the three parts of the chart displays the correspondent amount of space.

Database Data Utility

FortiWAN’s Reports keeps report data in the built-in hard disk (HDD) for long-term analysis and reports. As the data increases, disk storage consumption increases. The DB data utility provides functions to manage FortiWAN Reports database:

l Backup: Backup report data for migration. l Delete: Delete report data to release disk space. l Restore: Restore backup data to Reports’ database.

The DB data utility is a Web-based management tool providing limited features very similar to the Reports database tool.

Go to Reports > Settings > DB Data Utility, an operation panel with tabs Backup, Restore and Delete is shown.

Backup

This feature allows you a database backup for a single day. For having backups of a couple of days, you will need to either perform the backups individually (day by day) or install a Reports Database tool on your local computer to perform a single database backup for a couple of days.

To backup report data of a single date, click the Backup tab on the panel and simply follow the steps:

1. Click the Date field to open the calender and specify a date for backup.
2. Click the Backup button to start data backup procedure. The backup file will be named in form Default_ yyyymmdd.data by default, such as Default_20161007.data. This backup file will be required when you are restoring it back to FortiWAN.

Restore

To restore a data backup to Reports, click the Restore tab on the panel and simply follow the steps:

1. Click the filed Select the data file to restore to select a backup file (.data file) for restoring.
2. Click the Restore button to start data restore procedure.

Note that it is not allowed to backup or restore report data of the current date (today) since FortiWAN Reports is receiving and processing the data for today. The operations are available for data before today.

Note that both the Web-based database data utility and the Reports database tool use the common backup file format (.data), which implies that a backup file (.data), whether is generated by the Web-based database data utility or the Reports database tool, can be restored back to Reports database in both the ways.

Delete

To delete report data from the database, click the Delete tab on the panel and simply follow the steps:

1. Click the From date field to open the calender and specify the start date for deleting.
2. Click the To date field to open the calender and specify the end date for deleting.
3. Click the Delete button to delete the report data of the specified period.

A: Default Values

Appendix A: Default Values

In console, enter the command ‘resetconfig’, or on the Web UI select “Factory Default” to do a hard reset and restore all settings to factory default.

When restored to factory default, accounts and passwords for access of CLI, Web UI and SSH login will also be reset to:

The Web UI login port will be restored to the default port 443.

FortiWAN also supports SSH logins. The interface for SSH login is the same as the console with identical username and password.

WAN Link Health Detection Default Values

l System default values contain 13 fixed servers IPs for health detection. l Values for all Port Speed and Duplex Settings will also be reset. l All ports are restored back to AUTO state.

Network default Values (FortiWAN 200B) Port 1: WAN

• WAN Link: 1
• IP: 192.168.1.1 l Netmask : 255.255.255.0 l IP in DMZ 192.168.1.2~192.168.1.253 l Default Gateway 192.168.1.254 l DMZ at Port 5 Port 2: WAN
• WAN Link: 2 l IP: 192.168.2.1 Appendix A: Default
• Netmask: 255.255.255.0 l IP in DMZ 192.168.2.2~192.168.2.253 l Default Gateway 192.168.2.254 l DMZ at Port 5 Port 3: WAN
• WAN Link: 3
• IP: 192.168.3.1 l Netmask: 255.255.255.0 l IP in DMZ 192.168.3.2~192.168.3.253 l Default Gateway: 192.168.3.254 l DMZ at Port 5 Port 4: LAN
• IP: 192.168.0.1 l Netmask: 255.255.255.0 l DHCP Server Disabled

Port 5: DMZ

Fields such as Domain Name Server, VLAN and Port Mapping, WAN/DMZ Subnet Settings are all cleared Service Category Default Values

l Firewall: default security rules apply l Persistent Routing: Enabled l Auto Routing: By Downstream Traffic as default l Virtual Server: Disabled l Bandwidth Managemet: Disabled l Cache Redirection: Disabled l Multihoming: Disabled l All fields in the Log/Control Category are cleared

Appendix B: Suggested Maximum Configuration Values

FortiWAN’s Web UI does not set maximum limitations to numbers of most services rules and policies, but as the configured rules and policies increase interminably, performance of both FortiWAN and its Web UI decrease, especially for FortiWAN’s critical services, such as Bandwidth Management, Multihoming and Tunnel Routing. Not only FortiWAN appliances use more and more hardware resources to run and handle traffic with a large number of configurations, but also your local computer spends more time to run the Web UI pages. The following table shows the suggested maximum configuration values to FortiWAN’s services. Remember that FortiWAN

Web UI allows you to create configurations more than the value, but the performance may not be guaranteed.

Appendix B: Suggested Maximum Configuration

Appendix B: Suggested Maximum Configuration

Features

HTML5 based GUI for dashboard

You can logon to HTML5 version of Dashboard page using the link https://<SupervisorIP>/phoenix/html.

For details see Dashboards – HTML5 version.

Policy based event retention

Currently, the on-line event database storage is managed in a FCFS basis. When the event database gets full, oldest events are purged or archived. This release enables you to set event retention policies based on Customer (Service Provider case), Reporting Devices and Event Types. For example, performance metrics and flow events should be kept for 30 days but server logs for 1 year.

This release also provides visibility into which reporting Device and Event Type is consuming most storage on a per-day basis. This enables administrators to write better data retention policies.

Note that this feature will consume significant compute and storage I/O resources. Since events are stored in a compressed manner, these events have to be first uncompressed, then filtered according to the data retention policies and finally the logs that remain have to be re-indexed. It is recommended that you create these policies after some thought and change infrequently. Run the reports to monitor the performance of retention policy execution.

For details, see Managing Online Event Data..

Vulnerability correlation and device risk scoring

In this release, FortiSIEM assigns a risk score (0-100) to a device by combining Asset Weight, Vulnerabilities found on that device, Security and Non-security incident counts and severities. Users can modify certain factors to tailor the risk computation for their environment. A view is created that shows the devices ranked by risk scores along with a timeline view of the incidents that resulted in that score. The risk score is computed hourly and the trend is presented in the view.

For details, see here for Flash version and here for HTML5 version. Risk computation is detailed here.

Scalable windows agent architecture enabling agent sending events to collectors (Windows Agent/Agent Manager 2.1)

FortiSIEM Windows agents provides efficient log collection and other important functionalities such as file integrity monitoring, registry and installed software change monitoring, removable media insertion and write activity etc. In previous releases, a set of Windows agents were associated with a single Windows Agent Manager (WAM), which was responsible for configuring the Windows Agents and then relaying logs from the Agents to a Collector. This architecture has several issues, e.g. (a) WAM is a single point of failure for configuration and log relay, (b)rigid association of Agents to a single WAM results in deployment and bookkeeping issues when large number of agents need to be deployed.

This release vastly improves the above architecture. WAM is primarily used for configuring Agents. As part of the configuration, Agents can be associated to one or more FortiSIEM collectors. Agents send log directly to the assigned set of collectors in a round robin fashion. A single WAM can configure a large number of Agents.  By removing the WAM from the event forwarding path and utilizing the Collector infrastructure, this architecture provides great scalability.

For details, see here

Dynamic CMDB groups

CMDB Device Groups and Business Service Groups are critical to FortiSIEM Analytics. It enables users to write rules as reports of the form

“Reporting IP IN A CMDB Group”. Currently, CMDB Device Groups are populated during discovery based on an internal template keying on Device vendor and model, e.g. Fortinet FortiGate belongs to both Firewall Group and VPN Group, Cisco IOS belongs to Router/Switch Group etc. Business Groups have to created manually and kept up to date.

This release automates this process by allowing the user to define rules for dynamically associating devices to CMDB groups and Business Services. A rule condition can be based on Device Vendor, Model, Host Name and IP Range. When there is a match, the matching devices would be placed in the specified CMDB Groups and Business Services. The Dynamic CMDB Group happens automatically during discovery. But the assignment rules can also be applied at any time to force immediate assignment. Note that this dynamic CMDB Group assignment is in addition t o the  internal template based assignment during discovery.

For details, see Creating Dynamic CMDB Group Policies..

Display CMDB reports in dashboard

Currently, a dashboard can only show reports containing event data. Starting with this release, CMDB reports can also be displayed on the same dashboard, side by side with event data.

For details, see here for Flash version and here for HTML5 version.

Multi-line syslog handling

Often applications generate a single syslog in multiple lines. For analysis purposes, the multiple lines need to put together into a single log. This feature enables you to do that.

User can write multiple multi-line syslog combining rules based on reporting IP and begin and ending patterns. All matching syslog within the begin and ending pattern are combined into a single log.

For details, see Multi-line Syslog Handling..

Custom configuration change monitoring

FortiSIEM can collect configurations from devices and detect changes. Currently, FortiSIEM supports a limited set of devices for this feature and users can not add devices of their choice.

This release provides a way for users to do configuration change monitoring for any device. The user simply needs to upload their own configuration collection script into the system and associate to a device type. When that device type is discovered, a configuration change detection job is created via the user defined custom configuration collection script.

For details, see Custom Configuration Change Monitoring.

STIX/TAXII support for external threat intelligence

This release allows you to download any threat intelligence data in STIX format using TAXII transport protocol without writing any code. Supported IOCs include Malware Domain, IP, URL and hash.

For details, see Custom Malware Domain Threat Feed, Custom Malware IP Threat Feed, Custom Malware Hash Threat Feed and Custom Malware URL Threat Feed.

Enhancements

Ability to monitor a subset of interfaces and processes

Currently, FortiSIEM monitors all interfaces and processes and there is no way to disable monitoring a subset of interfaces and processes. Many network devices (e.g. Voice Gateways) have logical interfaces that do not need to be monitored. Similarly servers have processes that may not need to be monitored. Often these redundant interfaces and processes create lots of events and consumes lots of storage over time, specially if there are many devices with such interfaces/processes.

This release allows you to specify a set of important interfaces and processes. Once this set is defined, FortiSIEM switches to monitoring only this set of important interfaces and processes.

For details, see Adding Important Interfaces and Adding Important Processes.

Ability to flag a WAN interface

Often it is important to monitor only WAN interfaces in a dashboard or report. Typically a deployment has many routers/firewalls with one or two WAN interfaces. Since WAN interfaces are not clearly marked in any configuration or SNMP MIB, the only way to create a report is manually list all the devices and interface pairs in the query. This makes the query quite cumbersome.

This release enables you to mark an interface as a WAN interface. The interface events will have the WAN flag set. To query all WAN interfaces, one simply has to specify “isWAN = true” in the query. This makes writing a query extremely simple.

For details, see Adding Important Interfaces.

Ability to define per-process CPU, Memory thresholds

FortiSIEM provides a way to specify global thresholds and per device local thresholds and refer to them in a rule. This way a single rule can capture global and local thresholds.

The thresholds can be a single value such as Critical CPU threshold, Warning CPU threshold or a map such as a map of interface utilization, disk utilization. While the single values are completely customizable meaning that users can add their own; map thresholds need a definition of the keys (such as interface name, disk name) to be defined in the system.

This release extends the map thresholds to also include process name. User can define global thresholds for process CPU utilization, process Memory utilization and per device, per process overrides (e.g. SQL Server).

For details, see Setting Global and Per-Device Threshold Properties.

Ability to include attachments in a ticket

FortiSIEM provides its own ticketing system for users that do not want to rely on an external ticketing system. Often there is a need to include attachments in a ticket, e.g. to demonstrate the problem while creating a ticket and  to demonstrate the problem resolution while closing a ticket. This release allows you to include (PDF and PNG formatted) attachments  into a ticket and export that ticket in PDF format to also include the attachments.

For details, see Ticket Related Operations..

Allow exceptions for merging based on hardware serial numbers

FortiSIEM has an algorithm based on hardware serial numbers, host name, IP and MAC addresses to merge devices in CMDB, which is needed since FortiSIEM repeatedly discovers devices. Currently, hardware serial number is a definitive factor – two devices are merged if their serial number is identical. However often some virtualized devices have generic serial numbers e.g. “Unknown”, “0000” etc which causes devices to merged incorrectly. This release provides a way to create a list of virtual serial numbers which are not considered for merge purposes.

For details, see Discovery Settings.

Device / Application Support

Windows Server 2016 – discovery, performance monitoring and log analysis like other Windows Servers – see Microsoft Windows Server Configuration.

FortiDDoS – log analysis – see FortiDDoS Configuration

Google Apps – audit log analysis – see Google Apps Audit Configuration.

Microsoft Office 365 – audit log analysis – see Microsoft Office365 Audit Configuration

Cisco ACI – performance monitoring – see Cisco Application Centric Infrastructure (ACI) Configuration

Brocade CER and MLX routers – performance monitoring – see Brocade NetIron CER Routers

Clavister IPS – log analysis – see here

Cisco SF 300 SG300/350 switches – discovery, performance monitoring – see Cisco 300 Series Routers

Fortinet 5001B firewalls – discovery, performance monitoring – per CPU utilization extensions – see Fortinet FortiGate Firewall

Configuration

Bug Fixes / Enhancements

Current Open Issues

What’s new in Release 4.7.2

Device Support

FortiSandbox – discovery, performance monitoring, log analysis and external threat intelligence (see here)

FortiWeb – discovery, performance monitoring and log analysis (see here)

FortiMail – log analysis (see here)

MalwareBytes – log analysis (see here)

Sophos UTM – log analysis (see here)

Bug Fixes

What’s new in Release 4.7.1

Features

HTML5 based GUI for Incident

You can logon to the HTML5 version of Incident page using the link https://<SupervisorIP>/phoenix/html.

For details see here.

Malware URL threat feed

Previous releases allowed users to import Malware domain, IP, file hashes and Anonymity Networks as external threat intelligence feed. This release extends this functionality to Malware URLs.

For details, see here.

Syslog over TLS

This release enables FortiSIEM to receive encrypted Syslog over TLS.

For details, see here.

Device Audit framework

FortiSIEM discovers devices in depth, collects various performance/availability metrics, parses logs, traps and triggers rules. This release provides users a framework to run an audit on devices based on the collected information. Audit criteria can be based on

OS version

Installed software version

A set of reports representing audit violations

A set of rules triggering incidents representing audit violations

User can define audit criteria and run a check against devices – either on-demand or periodically on a schedule. The results can be displayed on GUI, exported as PDF from GUI or emailed with PDF attachments.

For details, see here.

Device Support – New

Aruba Switches – discovery (Bug 15800) Alertlogic IPS – log parsing (Bug 16250)  AWS Elastic Load Balancer – log parsing (Bug 15752)

Device Support – Enhancements

F5 load balancer – detailed performance monitoring

Fortinet FortiOS – more detailed data collection and trap parsing

Aruba Clearpass Manager – more detailed log parsing (Bug 15542)

Checkpoint GAIA – monitor memory using UCD MIBs (Bug 16203)

HP/UX – more detailed syslog parsing (Bug 15565)

InfoBlox – more detailed syslog parsing (Bug 16121, Bug 16191)

Dell Equallogic – more detailed syslog parsing (Bug 15433)

TrendMicro Officescan – more detailed syslog parsing (Bug 16122)

Checkpoint FireWall-1 – parsing fix (Bug 16119)

Microsoft Windows – Added event id 4769 (Bug 16191)

Microsoft Windows – Added event id 6274, 6272 (Bug 12163)

Microsoft Windows – Added event id 5137 (Bug 7429)

Juniper SecureAccess – parser enhancement (Bug 16035)

Palo Alto Firewall – parser enhancements (Bug 16727, 16169)

Fortinet FortiOS  Firewall – parser enhancements (Bug 16554)

Symantec Endpoint Control – parser enhancements (Bug 16210)

F5 ASM – parser enhancements (Bug 16726)

McAfee Stonesoft IPS – parser enhancements (Bug 16729)

Cisco Call Manager – parser enhancements (Bug 16395)

Cisco ACS Parser – parser enhancement (Bug 15550)

Imperva SecureSphere – parser improvements (Bug 16036)

HP Procurve – syslog parsing enhancement (Bug 12072)

Bug Fixes / Enhancements

Current Open Issues

What’s new in Release 4.6.3

Starting 4.6.3, AccelOps has been re-branded as FortiSIEM.

Special upgrade procedure

Features

FortiSIEM re-branding

Enforce TLS 1.2 for tighter security

Windows Agent Enhancements (Windows Agent and Agent Manager 2.0)

Bug Fixes / Enhancements

Current Open Issues

Special upgrade procedure

Features

FortiSIEM re-branding

From this release onward, AccelOps will be branded FortiSIEM.

Enforce TLS 1.2 for tighter security

FortiSIEM web servers now only advertise TLS1.2. All FortiSIEM components now communicate using secure TLS 1.2 protocol. This includes the following communications

Collector to Super/Worker

Worker to Super

Browser to Super

Windows Agent to Agent Manager

Agent Manager to Collector and Super

Windows Agent Enhancements (Windows Agent and Agent Manager 2.0)

This release contains the following Windows Agent enhancements.

1. Enhanced user file monitoring: Windows Agent allows users to monitor changes in custom files. This release enhances this feature in the following ways.
   1. Allow user to specify a custom string for each monitored file. The specified user defined string would be included in the event type as a signature for that file. For example, if user is monitoring a special MyApp1 log file, then user can specify a custom string e.g. MyApp1 and the event type would be AO-WUA-UserFile-MyApp1. This approach allows the user to write a specific parser for each monitored log file by specifying the string AO-WUA-UserFile-MyApp1 in the event format recognizer.
   2. Allow wildcards in monitored file name; e.g. *radius.log. This enhancement allows for dynamically named log files including dates in file name. For example DHCP and RADIUS files are generated every day and the file names contain the date e.g. 012415radius.log.
2. Ability to monitor any file in Windows Event Manager tree: Prior to this release AccelOps only monitored specific log files in the Windows Event Manager tree, namely Security, Application, Performance events, DNS logs, DHCP logs etc. This release provides the capability to monitor any file in Windows Event Manager tree. User needs to choose the desired Windows Event Manager folder and FortiSIEM Agent will start monitoring events for that application. The corresponding event type will contain the folder name to distinguish it from events from other folders.
3. Windows CD/DVD/USB monitoring: FortiSIEM can now detect insertion/removal and certain file read/write activity on external media such as USB and CD/DVD. Specifically, the following cases are covered in this release
   1. Detect when external media such as USB, CD, DVD is inserted
   2. Detect when external media such as USB, CD, DVD is removed
   3. Detect when a file is written to USB
4. Enhanced File integrity and Registry change monitoring: This release contains the following enhancements:
   1. User can exclude directories while specifying files to be monitored, e.g. monitor “C:\System32” but exclude “C:\System32\Log” b.  Include the process name triggered file modification in FortiSIEM events
   2. Allow environment variables in the file path definition
5. Monitoring Template and License Assignment improvements: for details see here.
   1. User can define multiple monitoring templates per host, e.g. OS monitoring template, Application 1 monitoring template, Application 2 monitoring template etc.
   2. User can assign templates and licenses for large number of hosts with much fewer clicks than earlier releases
   3. A searchable tabular display of Host to license and template assignments.
6. Allow multiple power shell and WMI scripts per monitoring template. Prior releases only allowed one script per template.
7. Create Alerts when an Agent is stopped, uninstalled or unresponsive. This allows users to report and detect these potential policy violations.

Bug Fixes / Enhancements

Current Open Issues

What’s new in Release 4.6.2

This release contains the following bugs fixes.

Bug Fixes

What’s New in Release 4.6.1

This release adds features and functionality in several areas.

Platform Features

Two factor authentication

Salesforce ticketing and CMDB integration

Ability to decommission a device from CMDB

Ability to export/import widget dashboard

Dark theme dashboard

Disaster recovery scripts

Performance and Availability Monitoring

Microsoft Azure compute discovery

Link usage dashboard

Log Management and SIEM

CyberArk Password Vault Integration

Salesforce CRM Audit support

Microsoft Azure Audit support

Cisco CloudAMP API support

ISO 27001 Compliance support

Device Support

New Support

Significant Enhancements

Allow users to move devices from one system defined CMDB group to another

Handle syslog over TCP

Reduce system CPU usage for SNMP V3

Keep Identity and Location database table size within limits

Allow scheduled reports to be copied to a new location

Allow queries via API to return results in csv format (gzipped)

Add a flag to control the use of winexe in discovery

Allow user to format Comment field in ServiceNow and ConnectWise for Incident Outbound

Ability to choose host name resolution mechanism during discovery

Create CMDB Report for Custom Threshold

Allow user to choose ports during SNMP port during discovery

Bug Fixes / Enhancements

Current Open Bugs/Enhancements

Platform Features

Two factor authentication

Presently the following 1-factor authentication methods are available for authenticating AccelOps GUI users:

Local authentication

External authentication via LDAP (Microsoft Active Directory and OpenLDAP), via RADIUS and Cloud Authentication via SAML (Okta)

This release makes AccelOps more secure by enabling 2-factor authentication via Duo Security. Administrator needs to tighten user’s

authentication profile by specifying two factor authentication. AccelOps will prompt the user for second factor credential after regular login. Other 2 factor authentication services e.g. Google Authenticator will be added in future releases.

Details on how to set up two factor authentication is described here.

Salesforce ticketing and CMDB integration

This release extends third party CMDB and ticketing integration by providing a plugin module for Salesforce.

Devices discovered in AccelOps can be synced to Salesforce

A ticket can be created in Salesforce when an incident triggers in AccelOps Ticket status is updated in AccelOps when it is closed in Salesforce

Details on Salesforce ticketing and CMDB integration is discussed here.

Ability to decommission a device from CMDB

Often there is a need to decommission a device and assign its IP Address to a new device. Currently, user has to delete the old device otherwise the old and the new devices will be merged as they share IP addresses. However there may be a need to keep the device in CMDB for audit purposes.

This release solves this problem by providing a separate folder for decommissioned devices. Once a device is decommissioned, it is removed from all CMDB groups and maintenance calendars, performance monitoring are stopped. The device is moved to the Decommissioned device folder. A new device with the same IP address can now be discovered and the two devices will coexist in CMDB.

For details, see here.

Ability to export/import widget dashboard

This release provides the ability to export a widget dashboard definition into an XML file. Every dashboard customization e.g. chart types, widget positioning is saved. Another user can then import the XML file and see exactly the same dashboard. This feature saves lots of work in recreating dashboards.

For details, see here.

Dark theme dashboard

This release allows users to have a dark theme dashboard. Currently this is a global setting – so all users would have the same theme.

For details, see here.

Disaster recovery scripts

A common way to perform disaster recovery is as follows

Set up an separate AccelOps cluster (Super, Workers) in a distant location – this would be a passive instance

Replicate the CMDB, SVN and event database

CMDB can be replicated by copying the exported file or by enabling PostgreSQL replication

SVN and event database can be copied over via rsynch or NFS mechanisms

This release provides a script which can bring up the passive instance and make it active. When disaster strikes, the user would do the following steps

1. Run the script on the passive instance supervisor node.
2. Register the passive Supervisor

Performance and Availability Monitoring

Microsoft Azure compute discovery

This release enables users to discover virtual machines in the Microsoft Azure cloud using Azure API. The API provides basic information like host name and access IP address. Therefore, SNMP and/or WMI must be used to discover the virtual machines in depth.

For details, see here.

Link usage dashboard

For perimeter network devices such as firewalls and routers, it is important to know which interfaces are busy and which traffic is consuming the most resources. This special dashboard provides this view and enables users to determine which router interfaces are overly utilized, which applications are using them and what is the QoS statistics.

For details, see here.

Log Management and SIEM

CyberArk Password Vault Integration

AccelOps needs credentials to communicate to devices. Until this release, credentials needed to be stored locally (encrypted). This release allows device credentials to be fetched from CyberArk Password Vault. This makes AccelOps more secure.

Setting up CyberArk is discussed here.

Using CyberArk for discovery is discussed here.

Configuring AccelOps for receiving CyberArk syslog is discussed here.

Salesforce CRM Audit support

Audit logs from Salesforce CRM application can now be collected by AccelOps. For details see here.

Microsoft Azure Audit support

Audit trails from Microsoft Azure cloud can now be collected by AccelOps. For details, see here.

Cisco CloudAMP API support

Rather than have a FireSIGHT Manager on premise, customers can choose to send alerts to the cloud. Using Cisco provided CloudAMP API, AccelOps is now able to collect (mostly end point) alerts from the Cisco Cloud.

For details, see here.

ISO 27001 Compliance support

This release adds reports for ISO 27001/27002 compliance specifications.

Device Support

New Support

1. Cisco ONS – discovery, performance monitoring via SNMP and log analysis – see here
2. Cylance Protect – log analysis – see here
3. Pulse Secure VPN – log analysis – see here
4. Cyphort – log analysis – see here
5. McAfee Stonesoft IPS – log analysis – see here

Significant Enhancements

Allow users to move devices from one system defined CMDB group to another

User could already move devices from one user defined group. This release extends that functionality to system defined groups.Using this feature, user can fix device mis-classifications by discovery.

Handle syslog over TCP

AccelOps can now ingest syslog over TCP as defined in IETF RFC 6587.

Reduce system CPU usage for SNMP V3

In earlier release, the use of SNMP V3 caused significant system CPU usage during performance monitoring. This issue is resolved by reducing the number of process forks.

Keep Identity and Location database table size within limits

Identity and location entries can quickly fill up PostgreSQL database. This release allow you to control the growth of Identity and location entries by specifying two entries in the phoenix_config.txt.

PURGE_IDENTITY_LOCATION_OVER_MONTHS specifies the maximum age of Identity location database table entries. PURGE_IDENTITY_LOCATION_OVER_ROWS specifies the maximum number of rows in the Identity location database table.

When any one of the above limits are hit, the Identity location database table is purged.

Allow scheduled reports to be copied to a new location

Earlier releases allow scheduled reports to be emailed. Now the reports can be copied to be remote location via SSH.

For details, see here

Allow queries via API to return results in csv format (gzipped)

It is possible to retrieve query results via API. The results are in XML format, which is not very efficient if the result set is large. This release allows query results to be retrieved in gzipped csv files.

Add a flag to control the use of winexe in discovery

AccelOps discovery uses winexe to detect HyperV VM, Windows domain controller diagnostic (dcdiag) and replication monitoring (repadmin /replsummary). The winexe command is used to run a command on a remote windows server. However, by the nature of this command implementation by Microsoft, winexe starts a service called winexesvc on the remote server which customers do not find acceptable.

This release provides users an option to turn off winexe based discovery. This option is available in the discovery dialog.

Allow user to format Comment field in ServiceNow and ConnectWise for Incident Outbound

External ticketing systems do not have so many detailed incident attributes as AccelOps. This release enables to create a custom formatted string in the comment field in the external ticketing system.

For details, see here.

Ability to choose host name resolution mechanism during discovery

AccelOps discovers by IP addresses and used first DNS and then SNMP/WMI to get host names from IP addresses. This release allows users to control the behavior.

An discovery option now allows users to choose between DNS first (i.e. the current behavior) or SNMP/WMI first (that means SNMP/WMI then DNS).

Note – host names, once discovered are not overwritten by discovery.

Create CMDB Report for Custom Threshold

It is possible to now have a CMDB Report containing only those devices for which user has modified default thresholds.

Allow user to choose ports during SNMP port during discovery

AccelOps can now connect to SNMP via non-standard port. User can define the port during discovery. This option is available in the discovery dialog.

Bug Fixes / Enhancements

Current Open Bugs/Enhancements

What’s new in Release 4.5.2

Bug Fixes

New Device Support

Bug Fixes

New Device Support

Symantec DLP – log analysis – see here

IBM OS400 (iSeries) Log Parsing via Townsend Agent – see here

Tufin SecureTrack – log analysis – see here

IBM Guardium – log analysis – see here

What’s New in Release 4.5.1

NEW RELEASE 4.5 UPGRADE REQUIREMENT

Starting 4.5, Supervisor requires 24GB RAM. The increase from 16GB RAM in prior releases is needed for the data collection robustness and visibility feature.  Supervisor node is now caching device monitoring status for faster performance by avoiding database I/O. Without the additional RAM, Supervisor node will not operate properly.

This release adds features and functionality in several areas.

Platform Features

Data collection robustness and visibility

Export events to other Big Data systems via Kafka

CMDB Outbound Integration for ConnectWise Dashboard slideshow

Performance and Availability Monitoring

Maintenance calendar for Synthetic Transaction Monitor jobs

Real time performance probing

SLA calculation for SNMP and WMI Ping

Trace route monitoring

Log Management and Security Monitoring

Multi-tenant reporting device handling

Windows Agent Enhancements

Device Support

New Support

Enhanced Support

Significant Enhancements

DataManager and ReportWorker module robustness

Additional metrics on trend charts

Simplify Cloud and Collector health GUI

Ability to manually add hosts to Application Groups

Set important process and critical interface definitions directly from CMDB

Dashboard charting enhancements

Accounting for internal and performance monitoring events

Ability to change event database purge/archive thresholds

Ability to set remote directory renaming action during archive Registration APIs

Bug Fixes / Enhancements

Current Open Bugs/Enhancements

Platform Features

Data collection robustness and visibility

This release enhances the reliability and visibility of AccelOps data collection in the following ways.

Detailed visibility on when data was last collected: (a) data from performance monitoring jobs on a per device, per job basis and (b) data pushed from external devices on a per device per protocol basis. Last collection times are visible by simply visiting CMDB > Device > Monitor tab. The times are updated frequently (every 2 minutes).

A versioning scheme is introduced to make sure that the Application Server and the data collection agents (Java agents and Performance Monitor modules in Collectors, Workers) are always in sync. This ensures that when user changes (either manual or from discovery) are always reflected in data collection. If there is a version discrepancy, means that data collection agents are not working on the most up to date version, an alert is created based on a system rule.

System rules are provided for the following error scenarios: User can decide to restart a module or the entire application via a notification policy/remediation scripts.

1. all jobs on a data collection agent are delayed
2. a particular job on a data collection agent are delayed
3. a version discrepancy is detected – a data collection agent (Collector, Worker) has not picked up the correct monitoring version within a certain amount of time

Details on how data collection times and status is reported in CMDB are here.

Export events to other Big Data systems via Kafka

AccelOps collects a wide variety of logs and performance metrics and uses the data for its own analysis. This release enables users to export the logs in a parsed format to any external system via Kafka, a highly scalable distributed message bus (see Apache Kafka). AccelOps has developed a connector that publishes to the Kafka message bus. This feature can be used to populate a Big Data system with rich AccelOps data.

Details on configuring AccelOps for Kafka export is discussed here

CMDB Outbound Integration for ConnectWise

ConnectWise is an important help desk / ticketing system specially for service providers. AccelOps already has two-way integration with

ConnectWise ticketing – a ticket can be created in ConnectWise and state updates in ConnectWise is reflected in AccelOps. This release extends the integration to cover CMDB. When AccelOps discovers a device, ConnectWise CMDB can be populated, either automatically or on demand. When AccelOps discovers changes, the change can be synced to ConnectWise. A framework is provided to convert device attributes like Organizations, host names, device types to ConnectWise specific fields and fields.

Details on configuring AccelOps for ConnectWise outbound CMDB integration is discussed here. AccelOps provides a special content mapping feature where any AccelOps CMDB attribute and values can be converted into a corresponding ConnectWise CMDB attribute and values (see Step 11).

Dashboard slideshow

Users are now able to select a set of dashboards and display them in a slideshow mode on big monitors to cover the entire display. This is useful for Network and Security Operation Centers.

Details on creating dashboard slideshow is discussed here.

Performance and Availability Monitoring

Maintenance calendar for Synthetic Transaction Monitor jobs

This release allows the ability to add Synthetic Transaction Monitor (STM) jobs to a maintenance calendar. While a STM job is under maintenance, the job is not executed and system rule does not trigger if the job fails.

Details on how to create maintenance calendars for STM jobs is detailed here.

Real time performance probing

Often for checking the health of a device or an application, it is necessary to probe the device and check its current performance metrics. Until now, the option in AccelOps would be to query the system for performance monitoring events – this does not quite serve the purpose since the polling intervals are too large (3 minutes of so for most jobs) – so you would not get results for next 3 minutes. This release allows users to probe the device at a much faster pace (e.g. few seconds apart) and see the metrics in a real time scrolling fashion on the GUI. These metrics are polled in addition to the regular scheduled performance polls – they are neither stored nor do they trigger any rules or are part of any report. Currently, only a subset of important system performance metrics are supported for real time performance probes, e.g. system CPU, memory, disk, interface and process utilization.

Details on how to probe devices for real time performance metrics is discussed here.

SLA calculation for SNMP and WMI Ping

Until now, we calculated Min/Max/Average Round Trip Time, downtime and SLA for ICMP Ping only. This notion is extended for two other critical performance monitoring protocols – SNMP and WMI.The events PH_DEV_MON_SNMP_PING_STAT and PH_DEV_MON_WMI_PING_STAT now contain the following additional attributes

Average Round Trip Time (RTT)

Max Round Trip Time

Min Round Trip Time

Pct Packet Loss

System Down time

System Degraded Time

SNMP Ping is calculated by issuing a very basic SNMP OID (1.3.6.1.2.1.1.1 – sysDescr in MIB-2) that is present in all SNMP implementations. WMI Ping is calculated by fetching a basic WMI Class (Win32_OperatingSystem) that is present in all WMI implementations.

Statistical computations (e.g. max, min, average) are done by sending 5 requests for the same object a few seconds apart. System is considered down for the polling interval if packet loss is 100%. System is considered degraded for the polling interval if packet loss is less 100% but greater than 50%.

Two reports are provided

Top Devices by SNMP RTT

Top Devices by WMI RTT

Trace route monitoring

Trace route is important for monitoring hop by hop latency between two wide area end points. It is important to know when latency for a particular hop increases significantly – this is often a precursor for internet outage. This release allows users to run trace route from any AccelOps node to any destination using the Synthetic Transaction Monitoring (STM) framework.

Details on how to set up trace route monitoring is described here. One report is provided: Top Trace Route Hops by RTT.

Log Management and Security Monitoring

Multi-tenant reporting device handling

This release allows AccelOps to handle reporting devices that are themselves multi-tenant. As an example, a Fortinet firewall can report logs for multiple organizations from the same source IP – the organizations is reported via the Virtual Domain variable. As another example, Qualys Vulnerability Scanner can report vulnerabilities for the devices belonging to multiple organizations in the same report via the qualysAssetGroup attribute.

A framework is provided to handle multi-tenant reporting devices. User can set up mapping rules specifying

attribute that specifies the external organization in the log. mapping between external organization to AccelOps organization.

Using these definitions, reporting devices are created and logs are mapped to the respective organizations. Subsequently, rules also trigger in the respective organizations. Details are in Event Organization Mapping.

Windows Agent Enhancements

This release provides several enhancements

1. AccelOps Windows Agent and Agent Manager now communicate over HTTP(S) instead of HTTP
2. File integrity monitoring events will now contain users that made file changes
3. Ability to export and import license and monitoring template assignments
4. Support for non-English locale for Windows Servers
5. Differentiate between files and directories in AccelOps-WUA-FileMon events by using the osObjType attribute. This information is provided for the following cases: (a) create, (b) change, (c) rename but only for the new name. This information can not be provided for the following cases: (a) delete, (b) rename – for the old name.

Windows agent upgrade and configuration is covered here.

Device Support

New Support

1. Nutanix – discovery and performance monitoring via SNMP – see here
2. Cisco FireSIGHT integration via eStreamer API – log monitoring – see here
3. AWS RDS and EBS – performance monitoring – see here
4. Airlines in-flight entertainment systems monitoring
5. Qualys Web Application Firewall log monitoring – see here
6. CiscoWorks Network Control Manager (NCM) – log monitoring – see here
7. Lantronix SLC Console Manager log monitoring – log monitoring – see here
8. Vasco DigiPass – log monitoring – see here
9. Juniper DDoS Secure – log monitoring – see here
10. Cisco Wide Area Application Services (WAAS) – performance monitoring – see here
11. Motorola AirDefense Wireless IDS – log monitoring – see here
12. Motorola WiNG WLAN Access Point – log monitoring – see here
13. Cisco Telepresence Video Communication Server – log monitoring – see here
14. Application server log monitoring – Redhat JBoss, IBM Websphere and Oracle Weblogic – see here 15. Brocade ADX load balancer – performance monitoring – see here
15. Ruckus Wireless LAN – performance monitoring – see here
16. Fortinet FortiManager – performance monitoring – see here
17. NetBotz NBRK 2000 – environmental monitoring – see here
18. Cisco NBAR monitoring – see here

Enhanced Support

VMware SDK 5.5 API integration – AccelOps automatically uses the API for the right VMware version.

Nessus 6.0 integration – AccelOps automatically determines the right Nessus server version and uses the right API for server versions 4, 5 and 6.

Significant Enhancements

DataManager and ReportWorker module robustness

In this release, DataManager and ReportWorker do not restart under the following conditions

NFS is temporarily not available

Unable to create directories during writing or purging

The modules fall behind in reading shared buffer storage

Additional metrics on trend charts

Users can now see maximum, minimum, percentiles and simple moving averages directly in trend charts in Analytics and Dashboard sections.

Simplify Cloud and Collector health GUI

Users can select what columns to display in Cloud and Collector health pages under Admin tab. By default, fewer columns are displayed now.

Ability to manually add hosts to Application Groups

Device and Application groups are important CMDB objects that allow users to write targeted rules and reports. Until now, Application groups were only populated by discovery. This release allows users to manually add to Application groups in cases where discovery is not practical.

Important user case:

Suppose a rule triggers, namely  Excessive DNS requests from a host. The host is actually a DNS server which was not discovered. There is need to create an exception for this rule for this DNS server. Three choices –

1. Create a rule exception for this host – sometimes this is not very manageable long term since the fact this is a DNS server can not be used in other analytics
2. Discover the host and make sure that the host is in the DNS server group – sometimes this may not be practical.
3. Manually add the server to the DNS server group using this feature. The DNS server group can be used for other rules and reports.

The rule would stop triggering – as desired

Set important process and critical interface definitions directly from CMDB

A important process and a critical Interface are always monitored for up/down status. Before this release, these needed to be configured from Admin > General Settings. Setting important process was difficult since one had to type in the process name, This release allows user to set these directly from CMDB > Device.

Dashboard charting enhancements

The following improvements are added

For Bar charts, the legends appear next to the charts and not at the bottom. This improves legibility.

Maximum number of displayed entries are increased form 50 to 200.

Accounting for internal and performance monitoring events

AccelOps has 3 kinds of logs/events

External logs – these count towards the licensed eps

Performance Monitoring events generated by AccelOps when it monitors a device – these also count towards the licensed eps

Internal system logs – generally reporting errors and important informational events – these do not count towards the licensed eps

Since each of these log types have to indexed, stored and since they trigger rules and reports, system performance can be affected. This release provides accurate accounting of these event types via the phstatus commands and also system provided reports. See here for details.

Ability to change event database purge/archive thresholds

By default AccelOps starts to purge (or archive if archive is set) when the free space in event database falls below 10GB. This continues until free event database space reaches 20GB. In very high event rate situations, this 10GB buffer may not suffice and database may become full. This release allows the values to be customized by the user. In phoenix_config.txt, under the phDataManager section, modify the low_space_action_threshold and low_space_warning_threshold values and restart the phDataManager module. This needs to be done at Supervisor and Worker nodes.

Ability to set remote directory renaming action during archive

When AccelOps is archiving and the destination directory already exists, then you can configure AccelOps to either rename the existing directory and archive new data to that location or skip archiving

Registration APIs

Three new APIs are provided for the following functions. For details, see here.

Register Workers to Supervisor

Register Collector to Supervisor

Register Supervisor to AccelOps License Manager

Bug Fixes / Enhancements

Current Open Bugs/Enhancements

What’s new in Release 4.4.5

This release contains the following bug fixes and enhancements. It fixes several issues that were newly introduced in 4.4.3.

What’s new in Release 4.4.3

This release contains the following bug fixes and enhancements.

What’s new in Release 4.4.2

This release contains the following bug fixes and enhancements.