
FortiSIEM CMDB Users


Users

The CMDB Users page contains information about users of your system. For more information about adding users, see Adding a Single User.


FortiSIEM CMDB Watch Lists

Watch Lists

A Watch List is a smart container of similar items, such as host names, IP addresses, or user names, that are of significant interest to an administrator and need to be watched. Examples of watch lists that are already set up in FortiSIEM are:

Frequent Account Lockouts – users who are frequently locked out

Host Scanners – IP addresses that scan other devices

Disk space issues – hosts with disks that are running out of capacity

Denied countries – countries with an excessive number of access denials at the firewall

Blacklisted WLAN endpoints – Endpoints that have been blacklisted by Wireless IPS systems

Typically, items are added to a watch list dynamically when a rule is triggered, but you can also add items to a watch list manually. When you define a rule, you can also choose a watch list that will be populated with a specific incident attribute, as described in Adding a Watch List to a Rule, and you can use watch lists as conditions when creating reports, as described in Using Watch Lists as Conditions in Rules and Reports. You can also define when an entry leaves a watch list. Typically this is time based: for example, if the rule does not trigger for that attribute within the defined time period, the entry is removed from the watch list. Watch lists are also multi-tenant aware, with organization IDs tracked in relation to watch list items.

Creating a Watch List

System-Defined Watch Lists

Related Links

Using Watch Lists as Conditions in Rules and Reports

Adding a Watch List to a Rule

Overview of the CMDB User Interface


Creating a Watch List
  1. Log in to your Supervisor node.
  2. Go to CMDB > Watch Lists.
  3. Click +.
  4. Choose an Organization to associate with the watch list.
  5. Enter a Group name and Description for the watch list.
  6. Select an object Type for the incident attribute that will be saved to the watch list.
  7. Select Case Sensitive if the object type is String and you want to use case sensitivity to compare strings.
  8. For Values Expire in, set the time period after which items expire from the watch list if there is no activity for them during that time.
  9. Click OK.

You can now add your new watch list to a rule, so that when the rule is triggered, items will be added to the watch list. You can also use your watch list as a condition in historical search. See Adding a Watch List to a Rule and Using Watch Lists as Conditions in Rules and Reports for more information.
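The expiry, case-sensitivity and multi-tenant behaviour described above, modelled as an added Python example (not FortiSIEM code): items enter the list when a rule triggers and leave it when that rule has not fired for the value within the Values Expire in window, and the organization ID is part of every item. The organization IDs, user names and times below are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class WatchEntry:
    """One item on a watch list; the organization ID is tracked with every item."""
    org_id: int
    value: str


class WatchList:
    """Model of the watch-list behaviour described above (added illustration, not FortiSIEM code)."""

    def __init__(self, name, object_type="STRING", case_sensitive=False,
                 expire_after=timedelta(days=7)):
        self.name = name
        self.object_type = object_type        # Type chosen in step 6
        self.case_sensitive = case_sensitive  # Case Sensitive, step 7 (String types only)
        self.expire_after = expire_after      # Values Expire in, step 8
        self._last_seen = {}                  # WatchEntry -> time the rule last triggered

    def _key(self, org_id, value):
        # A case-insensitive list folds the value before it is stored or looked up.
        if self.object_type == "STRING" and not self.case_sensitive:
            value = value.lower()
        return WatchEntry(org_id, str(value))

    def on_rule_trigger(self, org_id, value, when):
        """A rule fired for this attribute value: add it, or refresh its last-trigger time."""
        self._last_seen[self._key(org_id, value)] = when

    add_manually = on_rule_trigger  # a manual add is recorded the same way

    def expire(self, now):
        """Drop items whose rule has not triggered within the expiry window; return them."""
        stale = [k for k, seen in self._last_seen.items() if now - seen > self.expire_after]
        for k in stale:
            del self._last_seen[k]
        return stale

    def contains(self, org_id, value):
        """Watch list used as a rule/report condition: is this item listed for this org?"""
        return self._key(org_id, value) in self._last_seen

    def entries(self, org_id):
        return sorted(e.value for e in self._last_seen if e.org_id == org_id)


def demo():
    """Constructed trigger history for two organizations on a 1-day-expiry lockout list."""
    t0 = datetime(2016, 3, 1, 8, 0)
    wl = WatchList("Frequent Account Lockouts", object_type="STRING",
                   case_sensitive=False, expire_after=timedelta(days=1))
    wl.on_rule_trigger(1, "CORP\\jsmith", t0)
    wl.on_rule_trigger(1, "corp\\JSMITH", t0 + timedelta(hours=20))  # same user, case folded
    wl.on_rule_trigger(2, "CORP\\jsmith", t0)                         # same name, other tenant
    wl.on_rule_trigger(1, "CORP\\svc_backup", t0 + timedelta(hours=1))
    now = t0 + timedelta(hours=30)
    removed = wl.expire(now)  # org 2's jsmith and org 1's svc_backup are older than 1 day
    return {
        "org1": wl.entries(1),
        "org2": wl.entries(2),
        "removed": sorted((e.org_id, e.value) for e in removed),
        "org1_has_jsmith": wl.contains(1, "Corp\\JSmith"),
    }


if __name__ == "__main__":
    print(demo())
```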

Related Links

Adding a Watch List to a Rule

Using Watch Lists as Conditions in Rules and Reports


System-Defined Watch Lists

FortiSIEM includes several pre-defined watch lists that are populated by system-defined rules.

Each entry below gives the watch list, its description, the attribute type saved to it, and the system-defined rules that populate it.

Watch list: Accounts Locked
Description: Domain accounts that are locked out frequently
Attribute Type: User (STRING)
Triggering Rules:
  Account Locked: Domain

Watch list: Application Issues
Description: Applications exhibiting issues
Attribute Type: Host Name (STRING)
Triggering Rules:
  IIS Virtual Memory Critical
  SQL Server Low Buffer Cache Hit Ratio
  SQL Server Low Log Cache Hit Ratio
  SQL Server Excessive Deadlock
  SQL Server Excessive Page Read/Write
  SQL Server Low Free Pages In Buffer Pool
  SQL Server Excessive Blocking
  Database Server Disk Latency Critical
  SQL Server Excessive Full Scan
  SQL Server scheduled job failed
  High Oracle Table Scan Usage
  High Oracle Non-System Table Space Usage
  Oracle database not backed up for 1 day
  Exchange Server SMTP Queue High
  Exchange Server Mailbox Queue High
  Exchange Server RPC Request High
  Exchange Server RPC Latency High
  Oracle DB Low Buffer Cache Hit Ratio
  Oracle DB Low Library Cache Hit Ratio
  Oracle DB Low Row Cache Hit Ratio
  Oracle DB Low Memory Sorts Ratio
  Oracle DB Alert Log Error
  Excessively Slow Oracle DB Query
  Excessively Slow SQL Server DB Query
  Excessively Slow MySQL DB Query

Watch list: Availability Issues
Description: Servers, network or storage devices, or applications that are exhibiting availability issues
Attribute Type: Host Name (STRING)
Triggering Rules:
  Network Device Degraded – Lossy Ping Response
  Network Device Down – No Ping Response
  Server Degraded – Lossy Ping Response
  Server Down – No Ping Response
  Server Network Interface Staying Down
  Network Device Interface Flapping
  Server Network Interface Flapping
  Important Process Staying Down
  Important Process Down
  Auto Service Stopped
  Critical network Interface Staying Down
  EC2 Instance Down
  Storage Port Down
  Oracle Database Instance Down
  Oracle Listener Port Down
  MySQL Database Instance Down
  SQL Server Instance Down
  Service Staying Down – Slow Response To STM
  Service Down – No Response to STM
  Service Staying Down – No Response to STM

Watch list: DNS Violators
Description: Sources that send excessive DNS traffic or send traffic to unauthorized DNS gateways
Attribute Type: Source IP
Triggering Rules:
  Excessive End User DNS Queries to Unauthorized DNS servers
  Excessive End User DNS Queries
  Excessive Denied End User DNS Queries
  Excessive Malware Domain Name Queries
  Excessive uncommon DNS Queries
  Excessive Repeated DNS Queries To The Same Domain

Watch list: Denied Countries
Description: Countries that are seeing a high volume of denials on the firewall
Attribute Type: Destination Country (STRING)
Triggering Rules:
  Excessive Denied Connections From An External Country

Watch list: Denied Ports
Description: Ports that are seeing a high volume of denies on the firewall
Attribute Type: Destination Port (INT)
Triggering Rules:
  Excessive Denied Connection To A Port

Watch list: Environmental Issues
Description: Environmental devices that are exhibiting issues
Attribute Type: Host Name (STRING)
Triggering Rules:
  UPS Battery Metrics Critical
  UPS Battery Status Critical
  HVAC Temp High
  HVAC Temp Low
  HVAC Humidity High
  HVAC Humidity Low
  FPC Voltage THD High
  FPC Voltage THD Low
  FPC Current THD High
  FPC ground current high
  NetBotz Module Door Open
  NetBotz Camera Motion Detected
  Warning APC Trap
  Critical APC Trap

Watch list: Hardware Issues
Description: Servers, network or storage devices that are exhibiting hardware issues
Attribute Type: Host Name (STRING)
Triggering Rules:
  Network Device Hardware Warning
  Network Device Hardware Critical
  Server Hardware Warning
  Server Hardware Critical
  Storage Hardware Warning
  Storage Hardware Critical
  Warning NetApp Trap
  Critical Network Trap

Watch list: Host Scanners
Description: Hosts that scan other hosts
Attribute Type: Source IP
Triggering Rules:
  Heavy Half-open TCP Host Scan
  Heavy Half-open TCP Host Scan On Fixed Port
  Heavy TCP Host Scan
  Heavy TCP Host Scan On Fixed Port
  Heavy UDP Host Scan
  Heavy UDP Host Scan On Fixed Port
  Heavy ICMP Ping Sweep
  Multiple IPS Scans From The Same Src

Watch list: Mail Violators
Description: End nodes that send too much mail or send mail to unauthorized gateways
Attribute Type: not specified in the source table
Triggering Rules:
  Excessive End User Mail to Unauthorized Gateways
  Excessive End User Mail

Watch list: Malware Found
Description: Hosts where malware was found by host IPS/AV based systems and the malware is not remediated
Attribute Type: Host Name (STRING)
Triggering Rules:
  Virus found but not remediated
  Malware found but not remediated
  Phishing attack found but not remediated
  Rootkit found
  Adware process found

Watch list: Malware Likely
Description: Hosts that are likely to have malware – detected by network devices, so the determination is not as certain as host based detection
Attribute Type: Source IP or Destination IP
Triggering Rules:
  Excessive Denied Connections From Same Src
  Suspicious BotNet Like End host DNS Behavior
  Permitted Blacklisted Source
  Denied Blacklisted Source
  Permitted Blacklisted Destination
  Denied Blacklisted Destination
  Spam/malicious Mail Attachment found but not remediated
  Spyware found but not remediated
  DNS Traffic to Malware Domains
  Traffic to Emerging Threat Shadow server list
  Traffic to Emerging Threat RBN list
  Traffic to Emerging Threat Spamhaus list
  Traffic to Emerging Threat Dshield list
  Traffic to Zeus Blocked IP list
  Permitted traffic from Emerging Threat Shadow server list
  Permitted traffic from Emerging Threat RBN list
  Permitted traffic from Emerging Threat Spamhaus list
  Permitted traffic from Emerging Threat Dshield list
  Permitted traffic from Zeus Blocked IP list

Watch list: Port Scanners
Description: Hosts that scan ports on a machine
Attribute Type: Source IP
Triggering Rules:
  Heavy Half-open TCP Port Scan: Single Destination
  Heavy Half-open TCP Port Scan: Multiple Destinations
  Heavy TCP Port Scan: Single Destination
  Heavy TCP Port Scan: Multiple Destinations
  Heavy UDP Port Scan: Single Destination
  Heavy UDP Port Scan: Multiple Destinations

Watch list: Policy Violators
Description: End nodes exhibiting behavior that is not acceptable in typical corporate networks
Attribute Type: Source IP
Triggering Rules:
  P2P Traffic detected
  IRC Traffic detected
  P2P Traffic consuming high network bandwidth
  Tunneled Traffic detected
  Inappropriate website access
  Inappropriate website access – multiple categories
  Inappropriate website access – high volume
  Inbound clear text password usage
  Outbound clear text password usage
  Remote desktop from Internet
  VNC From Internet
  Long lasting VPN session
  High throughput VPN session
  Outbound Traffic to Public DNS Servers

Watch list: Resource Issues
Description: Servers, network or storage devices that are exhibiting resource issues (CPU, memory, disk space, disk I/O, network I/O, virtualization resources), either at the system level or the application level
Attribute Type: Host Name (STRING)
Triggering Rules:
  High Process CPU: Server
  High Process CPU: Network
  High Process Memory: Server
  High Process Memory: Network
  Server CPU Warning
  Server CPU Critical
  Network CPU Warning
  Network CPU Critical
  Server Memory Warning
  Server Memory Critical
  Network Memory Warning
  Network Memory Critical
  Server Swap Memory Critical
  Server Disk space Warning
  Server Disk space Critical
  Server Disk Latency Warning
  Server Disk Latency Critical
  Server Intf Util Warning
  Server Intf Util Critical
  Network Intf Util Warning
  Network Intf Util Critical
  Network IPS Intf Util Warning
  Network IPS Intf Util Critical
  Network Intf Error Warning
  Network Intf Error Critical
  Server Intf Error Warning
  Server Intf Error Critical
  Virtual Machine CPU Warning
  Virtual Machine CPU Critical
  Virtual Machine Memory Swapping Warning
  Virtual Machine Memory Swapping Critical
  ESX CPU Warning
  ESX CPU Critical
  ESX Memory Warning
  ESX Memory Critical
  ESX Disk I/O Warning
  ESX Disk I/O Critical
  ESX Network I/O Warning
  ESX Network I/O Critical
  Storage CPU Warning
  Storage CPU Critical
  NFS Disk space Warning
  NFS Disk space Critical
  NetApp NFS Read/Write Latency Warning
  NetApp NFS Read/Write Latency Critical
  NetApp CIFS Read/Write Latency Warning
  NetApp CIFS Read/Write Latency Critical
  NetApp ISCSI Read/Write Latency Warning
  NetApp ISCSI Read/Write Latency Critical
  NetApp FCP Read/Write Latency Warning
  NetApp FCP Read/Write Latency Critical
  NetApp Volume Read/Write Latency Warning
  NetApp Volume Read/Write Latency Critical
  EqualLogic Connection Read/Write Latency Warning
  EqualLogic Connection Read/Write Latency Critical
  Isilon Protocol Latency Warning

Watch list: Routing Issues
Description: Network devices exhibiting routing related issues
Attribute Type: Host Name (STRING)
Triggering Rules:
  OSPF Neighbor Down
  EIGRP Neighbor down

Watch list: Scanned Hosts
Description: Hosts that are scanned
Attribute Type: Destination IP
Triggering Rules:
  Half-open TCP DDOS Attack
  TCP DDOS Attack
  Excessive Denied Connections to Same Destination

Watch list: Vulnerable Systems
Description: Systems that have high severity vulnerabilities from scanners
Attribute Type: Host Name (STRING)
Triggering Rules:
  Scanner found severe vulnerability

Watch list: Wireless LAN Issues
Description: Wireless nodes triggering violations
Attribute Type: MAC Address (STRING)
Triggering Rules:
  Rogue or Unsecure AP detected
  Wireless Host Blacklisted
  Excessive WLAN Exploits
  Excessive WLAN Exploits: Same Source

FortiSIEM Reporting on CMDB Objects

Reporting on CMDB Objects

All of the information in the CMDB can be reported on. FortiSIEM includes a number of pre-defined reports that you can run and export to PDF, and you can also create your own reports.

CMDB Report Types

Running, Saving, and Exporting a CMDB Report

Creating and Modifying CMDB Reports

Importing and Exporting CMDB Report Definitions

CMDB Report Types

You can find all system-defined reports in CMDB > CMDB Reports. The reports are organized into folders as shown in this table. Click on a report to view Summary information about it, including the report conditions and the columns included in the report.

Report and Organization Associations for Multi-Tenant Deployments

If you have a FortiSIEM multi-tenant deployment, the Organization column in the CMDB report table shows whether the report is defined for a specific organization. If it is, then that report is available both to that organization and to Super/Global users.

The system-defined reports, grouped by CMDB report folder and the object each report covers:

Folder: Overall
  Device Approval Status
    Approved Devices
    Not Approved Devices
  Users
    Discovered Users
    Externally Authenticated FortiSIEM Users
    Locally Authenticated FortiSIEM Users
    Manually Defined Users
  Rules
    Active Rules
    Rules with Exceptions
  Reports
    Scheduled Reports
  Performance Monitors
    Active Performance Monitors
  Task
    All Existing Tasks
  Business Service
    Business Service Membership

Folder: Network
  Inventory
    Network Device Components with Serial Number
    Network Interface Report
    Router/Switch Inventory
    Router/Switch Image Distribution
  Ports
    Network Open Ports
  Relationship
    WLAN-AP Relationship

Folder: Server
  Inventory
    Server Inventory
    Server OS Distribution
    Server Hardware: Processor
    Server Hardware: Memory and Storage
  Ports
    Server Open Ports
  Running Services
    Windows Auto Running Services
    Windows Auto Stopped Services
    Windows Exchange Running Services
    Windows IIS Running Services
    Windows Manual Running Services
    Windows Manual Stopped Services
    Windows SNMP Running Services
    Windows VNC Running Services
    Windows WMI Running Services
  Installed Software / Patches
    Windows Installed Software
    Windows Installed Patches
    Windows Installed Software Distribution

Folder: Virtualization
  Relationship
    VM-ESX Relationship


Running, Saving, and Exporting a CMDB Report
  1. Log in to your Supervisor node.
  2. Go to CMDB > CMDB Reports, and select the report you want to run.
  3. Click Run.
  4. If you have a multi-tenant deployment, you will be prompted to select the organizations for which you want to run the report.
  5. Click Save if you want to save the report.

Reports are only saved for the duration of your login session, and you can view saved reports by clicking Report Results. Each saved report is listed as a separate tab, and you can delete one by clicking the X that appears when you hover your mouse over the report name in the tab. You can save up to 5 reports per login session.

FortiSIEM Creating and Modifying CMDB Reports

Creating and Modifying CMDB Reports

There are two ways you can create new CMDB reports: you can create a new report from scratch, or you can clone and modify an existing system or user-defined report.

Creating a New Report

  1. Log in to your Supervisor node.
  2. Go to CMDB > CMDB Reports.
  3. Create a group to add the new report to if you are not adding it to an existing group.
  4. Click New.
  5. Enter a Name and Description for the report.
  6. Select the Conditions for the report. You can use parentheses to give higher precedence to evaluation conditions.
  7. Select the Display Columns. The Display Column attributes contain an implicit “group by” command. You can change the order of the columns with the Move Row: Up and Down buttons.
  8. Click Save.

Cloning and Modifying a Report

You can modify user-defined reports by selecting the report and clicking Edit. However, you cannot directly edit a system-defined report. Instead, you have to clone it, save the clone as a new report, and then modify the copy.

  1. Log in to your Supervisor node.
  2. Go to CMDB > CMDB Reports.
  3. Select the system-defined report you want to modify, and then click Clone.
  4. Enter a name for the new report, and then click Save. The cloned report is added to the folder of the original report.
  5. Select the new report, and then click Edit.
  6. Edit the report, and then click Save.


FortiSIEM Importing and Exporting CMDB Report Definitions

Importing and Exporting CMDB Report Definitions

Instead of using the user interface to define a report, you can import report definitions, or you can export a definition, modify it, and import it back into your FortiSIEM virtual appliance. Report definitions follow an XML schema.

Importing a Report Definition

  1. Log in to your Supervisor node.
  2. Go to CMDB > CMDB Reports.
  3. Select the folder where you want to import the report definition, or create a new one.
  4. Click Import.
  5. Copy your report definition into the text field, and then click Import.

Exporting a Report Definition

  1. Log in to your Supervisor node.
  2. Go to CMDB > CMDB Reports.
  3. Select the report you want to export, and then click Export.
  4. Click Copy to Clipboard.
  5. Paste the report definition into a text editor, modify it, and then follow the instructions for importing it back into your virtual appliance.

XML Schema for Report Definitions


Importing a CMDB Report Definition

  1. Go to the report listing page and select the CMDB Report folder into which the report is to be imported.
  2. Click Import. The report appears in the selected folder.

Exporting a CMDB Report Definition


FortiSIEM Creating Event Database Archives

Creating Event Database Archives

Online v. Offline Storage

Setting Purge and Archive Policies

Archive and Purge Alerts

Online v. Offline Storage

The FortiSIEM event database, eventDB, is for near-to-intermediate term storage and querying of events. As an online database, eventDB has fast query performance, but this performance comes with limited storage capacity and is expensive in terms of resource consumption. For these reasons, data needs to be periodically purged from eventDB and moved into offline storage, while still remaining available for querying during forensic analysis. FortiSIEM checks the capacity of the online eventDB storage every 30 minutes, and when it approaches capacity, begins to move event information, in daily increments, into the offline storage location.

The FortiSIEM virtual appliance includes a data archiving function that enables you to define an offline storage location, and a policy for the number of days that events will be kept in online or offline storage. This archiving function also enables compliance auditors to validate logs and ensure that they have not been tampered with in the offline storage. The data is cryptographically signed (SHA256) at the point of entry, and the checksums are stored in the database. The checksums can be re-verified on demand at any point in time; if the data has been tampered with, the checksums will not match. The data integrity reports can be exported in PDF format. If the events in offline storage need to be queried at some point in the future, they can be restored to the FortiSIEM virtual appliance.

Setting Purge and Archive Policies

Online data is only moved to the archive location when online storage reaches capacity. When you set the archive policy as described in Managing Event Data Archive, you are setting the amount of time that archived data will be retained before it is purged. For example, if you set the Data Management Policy for your deployment or an organization to 90 days, then maintenance will run every day to purge data that is over 90 days old. If there is not enough offline storage for 90 days, then archived events will be purged from offline storage to create more capacity. If there is enough storage for the 90 days, then events will only be purged after 90 days. For this reason it is very important that you set an archive location that has sufficient capacity to store the amount of data for the number of days that you specify.

For multi-tenant deployments, you can set archive policies for each organization. If one organization requires 30 days of storage, and another customer requires 90 days of storage, then FortiSIEM will attempt to enforce these policies in relation to the amount of storage available. For the first organization, events will be deleted from the archive storage location on the 31st day to free up capacity for the organization that has longer storage requirements.

As with the online EventDB data, every 30 minutes FortiSIEM will check the capacity of the offline archive storage, and when the remaining storage capacity reaches a 20GB threshold, it will begin to purge data from the archive location, beginning with the oldest data, and purging it in daily increments, until the remaining storage capacity is above 20GB.
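The purge behaviour described in this section, as an added Python simulation (not FortiSIEM code): daily maintenance purges each organization's archived days once they are older than that organization's retention period, and the 30-minute capacity check purges the oldest days, oldest first, until 20GB is free again, even for an organization whose retention period has not yet expired. The capacity, retention periods and daily volumes are constructed values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

FREE_SPACE_THRESHOLD_GB = 20  # FortiSIEM keeps 20GB of headroom in the archive location


@dataclass(frozen=True)
class ArchiveDay:
    """One daily increment of archived events for one organization."""
    org_id: int
    day: date
    size_gb: float


class OfflineArchive:
    """Simulation of the archive purge rules described above (added illustration, not FortiSIEM code)."""

    def __init__(self, capacity_gb, retention_days_by_org, default_retention_days=90):
        self.capacity_gb = capacity_gb
        self.retention = retention_days_by_org      # per-organization offline retention policy
        self.default_retention = default_retention_days
        self.days = []                              # ArchiveDay entries currently in the archive
        self.purged = []                            # (ArchiveDay, reason) for the two purge alerts

    def used_gb(self):
        return sum(d.size_gb for d in self.days)

    def free_gb(self):
        return self.capacity_gb - self.used_gb()

    def archive(self, entry):
        self.days.append(entry)

    def _purge(self, entry, reason):
        self.days.remove(entry)
        self.purged.append((entry, reason))

    def daily_maintenance(self, today):
        """Retention policy: data for an org with N-day retention is purged on day N+1."""
        for d in list(self.days):
            keep_days = self.retention.get(d.org_id, self.default_retention)
            if today - d.day > timedelta(days=keep_days):
                self._purge(d, "archive purging policy")

    def capacity_check(self):
        """30-minute check: below 20GB free, purge the oldest day (all orgs) until 20GB is free."""
        while self.free_gb() < FREE_SPACE_THRESHOLD_GB and self.days:
            oldest_day = min(d.day for d in self.days)
            for d in [x for x in self.days if x.day == oldest_day]:
                self._purge(d, "archive is full")


def demo():
    """Constructed scenario: 110GB archive shared by org 1 (30-day) and org 2 (90-day retention)."""
    today = date(2016, 6, 30)
    arch = OfflineArchive(capacity_gb=110, retention_days_by_org={1: 30, 2: 90})
    for back in range(1, 36):                       # 35 days of archived data per org
        day = today - timedelta(days=back)
        arch.archive(ArchiveDay(1, day, 2.0))      # org 1 writes 2GB/day
        arch.archive(ArchiveDay(2, day, 1.0))      # org 2 writes 1GB/day
    free_before = arch.free_gb()                    # 110 - 105 = 5GB, under the threshold
    arch.daily_maintenance(today)                   # org 1 days 31..35 go by policy (10GB)
    arch.capacity_check()                           # still 15GB free: org 2's oldest 5 days go
    by_policy = [(d.org_id, d.day) for d, r in arch.purged if r == "archive purging policy"]
    by_full = [(d.org_id, d.day) for d, r in arch.purged if r == "archive is full"]
    return {
        "free_before": free_before,
        "free_after": arch.free_gb(),
        "by_policy": by_policy,
        "by_full": by_full,
        "oldest_remaining": min(d.day for d in arch.days),
    }


if __name__ == "__main__":
    print(demo())
```

The run shows why the prerequisite below matters: org 2 loses five days of archive it was entitled to keep, purely because the shared destination ran short of capacity.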

Archive and Purge Alerts

There are several system alerts that are related to eventDB capacity and the archiving function:

Online event database close to full (below 20GB): the remaining storage capacity of the database has fallen below 20GB; its contents will be purged or archived, depending on whether an archive storage location has been defined.
Event Archive started: the archive process has been initiated.
Event Archive failed: the archive process has failed, likely due to a lack of capacity in the offline storage location.
Event Archive purged because of archive purging policy: the contents of the event archive have been purged from offline storage according to the archive purging policy.
Event Archive purged because it is full: the contents of the event archive have been purged from offline storage due to capacity issues.

Managing Event Data Archive

Managing Online Event Data

Restoring Archived Data

Validating Log Integrity

FortiSIEM Managing Event Data Archive

Managing Event Data Archive

Prerequisites

Creating Archive Destination

Creating Offline (Archive) Retention Policy

Prerequisites

Make sure you read the section on Setting Archive and Purge Policies in the topic Creating Event Database Archives before you set up your policy. It is very important that you understand how FortiSIEM moves data into the archive, and purges archived data when the archive destination storage reaches capacity, before you create your policy.

Make sure that your Archive Destination has sufficient storage for your event data + 20GB. When the archive storage reaches 20GB of capacity, FortiSIEM will begin to purge archived data, in daily increments, starting with the oldest data, to maintain a 20GB overhead.

Creating Archive Destination

  1. Log in to your Supervisor node.
  2. Go to Admin > Event DB Management.
  3. Click Retention Policy.
  4. For Archive Destination, enter the full path of the file system directory where you want your event data to be archived, and then click Apply.

Offline Storage Capacity for Multi-Tenant Deployments

Note that all organizations will share the same Archive Destination. For this reason, you should make sure that the archive destination has enough capacity to hold the event data for both the number of organizations and the archive retention period that you set for each. If the archive destination does not have enough storage capacity, the archive operation may fail.

Creating Offline (Archive) Retention Policy

This enables you to control which customers' data stays in the event data archive, and for how long.

  1. Log in to your Supervisor node.
  2. Go to Admin > Event DB Management.
  3. Click Retention Policy.
  4. Under Offline Retention Policies, click New.
  5. For multi-tenant installations, select the Organization for which this policy will apply.
  6. For Time Period, enter the number of days that event data should be held in the offline storage before it is purged.
  7. Click Save.

Managing Online Event Data

Creating Online Event Retention Policy

This enables you to control the content of online event data.

  1. Log in to your Supervisor node.
  2. Go to Admin > Event DB Management.
  3. Click Retention Policy.
  4. Under Online Retention Policies, click Add.
  5. Enter the following information:
    1. Enabled – check this box if the policy is to be enforced right away.
    2. Organizations – choose the organizations to which the policy applies (for Service Provider installs).
    3. Reporting Devices – choose the reporting devices relevant to this policy.
    4. Event Type – choose the event types or event type groups.
    5. Time period – enter the number of days that event data matching the conditions (Organizations, Reporting Devices and Event Type) should be held in online storage before it is moved to the archive or purged.
    6. Description – enter a description for the policy.
  6. Click Save.

Viewing Online Event Data Usage

This enables you to see a summarized view of online event data. These views enable you to manage storage more effectively by writing appropriate event dropping policies or online event retention policies.

Restoring Archived Data

Once your event data has been moved to an offline archive, you can no longer query that data from within FortiSIEM. However, you can restore it to your virtual appliance, and then proceed with any queries or analysis.

  1. Log in to your Supervisor node.
  2. Go to Admin > Event DB Management > Data Manager.
  3. Under Reserved Restore Space (GB), enter the amount of storage space that will be reserved for the restored data. This should be equal to or larger than the size of the archive to be restored.
  4. Under Archived Data, select the archive that you want to restore.
  5. Click Restore.

The archive data will be moved to the restore space and can be queried in the usual ways.


Validating Log Integrity
Security auditors can validate that archived event data has not been tampered with by using the Event Integrity function of Event DB Management.

  1. Log in to your Supervisor node.
  2. Go to Admin > Event DB Management > Event Integrity.
  3. Select the Begin Time and End Time for the period during which log integrity needs to be validated.
  4. Click Show.

You will see a table of all the logs that are available for the specified time period.

  5. Use Validation Status to filter the types of logs you want to validate.
  6. Select the log you want to validate, and click Validate.

A table showing the validation status of logs is displayed, with the following columns:

Start Time: The earliest time of the messages in this file. The file does not contain messages that were received by FortiSIEM before this time.
End Time: The latest time of the messages in this file. The file does not contain messages that were received by FortiSIEM after this time.
Category:
  Internal: these messages were generated by FortiSIEM for its own use. This includes FortiSIEM system logs and monitoring events such as the ones that begin with PH_DEV_MON.
  External: these messages were received by FortiSIEM from an external system.
  Incident: these correspond to incidents generated by FortiSIEM.
File Name: The name of the log file.
Event Count: The number of events in the file.
Checksum Algorithm: The checksum algorithm used for computing message integrity.
Message Checksum: The value of the checksum.
Validation Status:
  Not Validated: the event integrity has not been validated yet.
  Successful: the event integrity has been validated and the result was success. This means that the logs in this file were not altered.
  Failed: the event integrity has been validated and the result was failure. This means that the logs in this file were altered.
  Archived: the events in this file were archived to offline storage.
File Location:
  Local: local to the Supervisor node.
  External: external to the Supervisor node, for example on NFS storage.

  7. Click Export to create a PDF version of the validation results.
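An added Python illustration (not FortiSIEM code) of the checksum workflow behind the table above: a SHA256 checksum is recorded for each log file at the point of entry together with its time span and event count, and validation later recomputes it over the stored copy to produce the Successful or Failed status. The file names and log lines are constructed, and the line format (an ISO-8601 receive time first) is an assumption made for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime


@dataclass
class IntegrityRecord:
    """One row of the Event Integrity table described above."""
    file_name: str
    category: str             # Internal, External or Incident
    start_time: datetime
    end_time: datetime
    event_count: int
    checksum_algorithm: str
    message_checksum: str
    validation_status: str = "Not Validated"
    file_location: str = "Local"


def sha256_hex(raw):
    return hashlib.sha256(raw).hexdigest()


def register_log_file(name, category, raw, location="Local"):
    """Point of entry: record time span, event count and SHA256 checksum of a log file.
    Assumption for this example: every line starts with an ISO-8601 receive time."""
    lines = [l for l in raw.decode("utf-8").splitlines() if l.strip()]
    times = [datetime.fromisoformat(l.split(" ", 1)[0]) for l in lines]
    return IntegrityRecord(name, category, min(times), max(times), len(lines),
                           "SHA256", sha256_hex(raw), "Not Validated", location)


def show(records, begin, end):
    """Step 4 (Show): files whose time span overlaps the selected Begin Time / End Time."""
    return [r for r in records if r.start_time <= end and r.end_time >= begin]


def validate(record, raw_now):
    """Step 6 (Validate): recompute over the file as stored now and compare with the checksum
    recorded at entry. A mismatch means the file no longer holds the bytes that were ingested."""
    ok = sha256_hex(raw_now) == record.message_checksum
    record.validation_status = "Successful" if ok else "Failed"
    return record.validation_status


def demo():
    # Constructed log files (not real FortiSIEM output).
    external = (b"2016-06-01T10:00:00 fw01 deny tcp 10.1.1.5:51515 -> 203.0.113.9:445\n"
                b"2016-06-01T10:05:00 fw01 deny tcp 10.1.1.5:51516 -> 203.0.113.9:445\n"
                b"2016-06-01T10:09:00 fw01 permit tcp 10.1.1.7:443 -> 10.1.1.20:443\n")
    internal = (b"2016-06-01T09:30:00 PH_DEV_MON_SYS_CPU_UTIL host=sup01 cpuUtil=12\n"
                b"2016-06-01T10:30:00 PH_DEV_MON_SYS_CPU_UTIL host=sup01 cpuUtil=15\n")
    store = {  # the checksum "database", keyed by file name
        "fw01-20160601.log": register_log_file("fw01-20160601.log", "External", external),
        "sys-20160601.log": register_log_file("sys-20160601.log", "Internal", internal),
    }
    # What is on disk at validation time: the firewall file has lost its second line.
    on_disk = {
        "fw01-20160601.log": external.replace(
            b"2016-06-01T10:05:00 fw01 deny tcp 10.1.1.5:51516 -> 203.0.113.9:445\n", b""),
        "sys-20160601.log": internal,
    }
    selected = show(store.values(), datetime(2016, 6, 1, 10, 0), datetime(2016, 6, 1, 11, 0))
    results = {r.file_name: validate(r, on_disk[r.file_name]) for r in selected}
    return results, store


if __name__ == "__main__":
    print(demo()[0])
```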


FortiSIEM Integrating with External CMDB and Helpdesk Systems

Integrating with External CMDB and Helpdesk Systems

Topics in this section include:

FortiSIEM Integration Framework Overview

External Helpdesk System Integration

Creating Inbound Policies for Updating Ticket Status from External Ticketing Systems

Creating Outbound Policies for Creating Tickets in External Helpdesk Systems

Searching for Tickets from or to External Systems

External CMDB Integration

Creating Inbound Policies for Importing Devices from an External System

Creating the CSV File for Importing Devices from External Systems

Creating Outbound Policies for Exporting CMDB Devices to External Helpdesk Systems

Setting Schedules for Receiving Information from External Systems

Using the AccelOps API to Integrate with External Systems

Exporting Events to External Systems via Kafka

FortiSIEM Integration Framework Overview

The FortiSIEM integration framework provides a way for you to create two-way linkages with workflow-based help centers such as ServiceNow and ConnectWise, as well as with external CMDBs.

The integration framework is based on creating policies for inbound and outbound communications with other systems, including sharing of incident and ticket information, and CMDB updates. Support is provided for creating policies to work with selected vendor systems, while the integration API lets you build modules to integrate with proprietary and other systems. Once you’ve created your integration policies, you can set them to execute once on a defined date and time, or on a regular schedule.

External Helpdesk System Integration

Creating Inbound Policies for Updating Ticket Status from External Ticketing Systems

Once a ticket has been opened in an external ticketing system, the status of the ticket is maintained in the external system. This section shows how to synchronize the external ticket status back into FortiSIEM.

Creating an integration policy

Create an integration policy for updating FortiSIEM external ticket state and incident status.

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Add.
  4. For Type, select Incident.
  5. For Direction, select Inbound.
  6. For Vendor, select the vendor of the system you want to connect to. ServiceNow and ConnectWise are supported out of the box. When you select the Vendor:
    1. An Instance is created – this is the unique name for this policy. If you had 2 ServiceNow or ConnectWise installations, each would have different Instance names. You can change this instance name.
    2. A default Plugin Name is populated – this is the Java code that implements the integration including connecting to the external help desk systems and creating/updating the ticket. The plugin name is automatically populated for ServiceNow and ConnectWise. For other vendors, you have to create your own plugin and type in the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system.
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system.
  9. Enter the Time Window – external ticket state for tickets closed in the external help desk/workflow system during the time window specified here will be synched back.
  10. Click Save.

Updating FortiSIEM external ticket state and incident status automatically on a schedule

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Schedule, and then click +.
    1. Select the integration policy.
    2. Select a schedule.

The following fields in a FortiSIEM incident are updated:

External Ticket State

Ticket State

External Cleared Time

External Resolve Time

Populating custom CMDB or extending current integration

Create a new plugin by following the instructions in the FortiSIEM ServiceAPI document, which is available on the FortiSIEM support portal under the FortiSIEM ServiceAPI section.


Creating Outbound Policies for Creating Tickets in External Helpdesk Systems

This section explains how to configure FortiSIEM to create tickets in external help desk systems.

Prerequisites

Make sure you have the URL and the credentials for connecting to external help desk systems. The credentials must have sufficient permission to make changes to the Incident view.

Procedure

Creating an integration policy

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Add.
  4. For Type, select Incident.
  5. For Direction, select Outbound.
  6. For Vendor, select the vendor of the system you want to connect to. ServiceNow and ConnectWise are supported out of the box. When you select the Vendor:
    1. An Instance is created – this is the unique name for this policy. If you had 2 ServiceNow or ConnectWise installations, each would have different Instance names. You can change this instance name.
    2. A default Plugin Name is populated – this is the Java code that implements the integration including connecting to the external help desk systems and creating/updating the ticket. The plugin name is automatically populated for ServiceNow and ConnectWise. For other vendors, you have to create your own plugin and type in the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system.
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system.
  9. Enter the Maximum number of incidents to be synched with the external system at a time.
  10. For Incident Comment Template, click Edit to format a string using Incident Attributes. This formatted string will be written in the ticket comment field in the external ticketing system. It works similarly to a custom email notification.
  11. For Org Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system.
  12. ConnectWise-specific field: for ServiceBoard, enter the name of the ServiceBoard where the incidents will be posted.
  13. Click Save.

Creating tickets automatically when incident triggers

  1. Create an integration policy.
  2. Go to Analytics > Incident Notification Policy and create a Notification Policy.
  3. For Actions, check Invoke a Notification Policy. Then click Edit Policy and select the integration policy created in Step 1.
  4. Click Save.

The following fields in a FortiSIEM incident are updated after a ticket has been created in the external ticketing system:

External Ticket ID

External Ticket State

External User (optional)

Creating tickets automatically on a schedule

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Schedule and then click +.
    1. Select the integration policies.
    2. Select a schedule.

The following fields in a FortiSIEM incident are updated after a ticket has been created in the external ticketing system:

External Ticket ID

External Ticket State

External User (optional)

Creating tickets on-demand (one-time)

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Select a specific integration policy and click Run.

The following fields in a FortiSIEM incident are updated after a ticket has been created in the external ticketing system:

External Ticket ID

External Ticket State

External User (optional)

Populating custom CMDB or extending current integration

Create a new plugin by following instructions in the FortiSIEM ServiceAPI. The document is available at FortiSIEM support portal under FortiSIEM ServiceAPI section.

FortiSIEM Searching for Tickets from or to External Systems


External CMDB Integration

FortiSIEM Creating Inbound Policies for Importing Devices from an External System


You can import the contents of other help desk and external system device databases into the FortiSIEM CMDB.

Prerequisites

Procedure

Prerequisites

You will need to have created a CSV file for mapping the contents of the external database to a location on your FortiSIEM Supervisor, which will be periodically updated based on the schedule you set. See Creating the CSV File for Importing Devices from External Systems for more information.

Procedure

  1. Log into your Supervisor node with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Add.
  4. For Type, select Device.
  5. For Direction, select Inbound.
  6. Select the Vendor of the external system you want to connect to.
  7. Enter the File Path to the CSV file.
  8. For Column Mapping, click + and enter the mapping between columns in the Source CSV file and the Destination

For example, if the source CSV has a column IP, and you want to map that to the column Device IP in the CMDB, you would enter IP for Source Column, and select Device IP for Destination Column.

  9. When you are finished creating column mappings, click OK.
  10. For Data Mapping, click + and enter the mapping between data values in the external system and the destination CMDB.

For example, if you wanted to change all instances of California in the entries for the State attribute in the external system to CA in the destination CMDB, you would select the State attribute, enter California for From, and CA for To.

  11. When you are done creating your data mappings, click OK.
  12. Click Save.
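The Column Mapping and Data Mapping steps above can be exercised outside the UI. The following Python is an added example, not FortiSIEM's own import code: it assumes both mappings are plain dictionaries, reads a constructed CSV export embedded inline, drops unmapped columns, and adds one check the procedure does not mention, rejecting rows whose mapped Device IP is not a valid address so a malformed export line cannot create a bogus CMDB entry.

```python
import csv
import io
import ipaddress

# Constructed sample export from an external device database (not a real file).
SAMPLE_CSV = """IP,Hostname,State,Owner
10.1.1.5,web01,California,ops
10.1.2.9,db01,Texas,dba
not-an-ip,badhost,Oregon,ops
"""

# Column Mapping: Source Column in the CSV -> Destination Column in the CMDB.
# Columns that are not mapped (Owner here) are dropped, as in the UI.
COLUMN_MAPPING = {"IP": "Device IP", "Hostname": "Host Name", "State": "State"}

# Data Mapping: per destination attribute, From value -> To value.
DATA_MAPPING = {"State": {"California": "CA", "Texas": "TX"}}


def import_devices(csv_text, column_mapping, data_mapping):
    """Apply the column mapping, then the data mapping, to every CSV row.

    Returns (records, rejected): records are CMDB-style dicts keyed by
    destination attribute; rejected rows carry a 'reason' so a bad export
    line does not silently become a CMDB entry.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = set(column_mapping) - set(reader.fieldnames or [])
    if missing:
        # A mapping that names a column the file lacks is a configuration error.
        raise ValueError(f"source columns not found in CSV: {sorted(missing)}")

    records, rejected = [], []
    for row in reader:
        record = {}
        for src_col, dst_attr in column_mapping.items():
            value = row[src_col].strip()
            # Data Mapping rewrites known values; unknown values pass through unchanged.
            record[dst_attr] = data_mapping.get(dst_attr, {}).get(value, value)
        # Hypothetical extra check (not in the procedure): only accept rows
        # whose Device IP parses as an address.
        try:
            ipaddress.ip_address(record.get("Device IP", ""))
        except ValueError:
            rejected.append({**record, "reason": "invalid Device IP"})
            continue
        records.append(record)
    return records, rejected


if __name__ == "__main__":
    ok, bad = import_devices(SAMPLE_CSV, COLUMN_MAPPING, DATA_MAPPING)
    for rec in ok:
        print("import:", rec)
    for rec in bad:
        print("reject:", rec)
```

Values that have no entry in the Data Mapping (Oregon in the sample) are passed through unchanged, which is the behaviour to expect from the UI as well; the rejection list is the place to review such rows before they reach the CMDB.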

 

Creating the CSV File for Importing Devices from External Systems

FortiSIEM Creating Outbound Policies for Exporting CMDB Devices to External Helpdesk Systems


You can populate an external CMDB from FortiSIEM CMDB. Currently, ServiceNow CMDB population is natively supported. For other CMDB, you need to write a Java class and add some mapping files.

Prerequisites

Make sure you have the URL and the credentials for connecting to external help desk systems. The credentials must have sufficient permission to make changes to the CMDB.

Procedure

Creating an integration policy

  1. Log into your Supervisor node with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Add.
  4. For Type, select Device.
  5. For Direction, select Outbound.
  6. For Vendor, select the vendor of the system you want to connect to. ServiceNow is supported out of the box.

When you select the Vendor:

    1. An Instance is created – this is the unique name for this policy. For example, if you had 2 ServiceNow installations, each would have different Instance names.
    2. A default Plugin Name is populated – this is the Java code that implements the integration, including connecting to the external help desk systems and synching the CMDB elements. The plugin is automatically populated for ServiceNow and ConnectWise. For other vendors, you have to create your own plugin and type in the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system.
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system.
  9. Enter the Maximum number of devices to send to the external system.
  10. For Org Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system.
  11. For ConnectWise, it is possible to define a Content Mapping:
    1. Enter Column Mapping:
      1. To add a new mapping, click the + button.
      2. Choose a FortiSIEM CMDB attribute as the Source Column.
      3. Enter the external (ConnectWise) attribute as the Destination Column.
      4. Specify Default Mapped Value as the value assigned to the Destination Column if the Source Column is not found in the Data Mapping definitions.
      5. Select Put to a Question if the Destination Column is a custom column in ConnectWise.
    2. Enter Data Mapping:
      1. Choose the (Destination) Column Name.
      2. Enter From as the value in FortiSIEM.
      3. Enter To as the value in ConnectWise.
  12. For Groups, click Edit if you want the policy to only apply to a specific group of CMDB devices.
  13. Select Run after Discovery if you want this export to take place after you have run discovery in your system. This is the only way to push automatic changes from FortiSIEM to the external system.
  14. Click Save.

Updating external CMDB automatically after FortiSIEM discovery

  1. Create an integration policy
  2. Make sure Run after Discovery is checked.
  3. Click Save

Updating external CMDB automatically on a schedule

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Schedule and then click +.
    1. Select the integration policies.
    2. Select a schedule.

Updating external CMDB on-demand (one-time)

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Select a specific integration policy and click Run.

Populating custom CMDB or extending current integration

Create a new plugin by following instructions in the FortiSIEM ServiceAPI. The document is available at FortiSIEM support portal under FortiSIEM ServiceAPI section.

Setting Schedules for Receiving Information from External Systems

Prerequisites

Procedure

You can set schedules for when your inbound external integration policies will run and update your incidents or CMDB.

Prerequisites

You should already have created an inbound policy for importing devices from an external system or an inbound policy for receiving incidents.

Procedure

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > Integration.
  3. Click Schedule.
  4. Click +.
  5. Select the notification policy you want to create a schedule for, and use the arrow buttons to add it to the Selected
  6. Set the parameters for one-time, Hourly, Daily, Weekly, or Monthly scheduled updates.
  7. Click OK.

Using the AccelOps API to Integrate with External Systems

Exporting Events to External Systems via Kafka

This section describes procedures for exporting FortiSIEM events to an external system via the Kafka message bus.

Prerequisites

Make sure you have set up a Kafka Cloud with a specific Topic for FortiSIEM events.

Make sure you have identified a set of Kafka brokers that FortiSIEM is going to send events to.

Make sure you have configured Kafka receivers which can parse FortiSIEM events and store them in a database. An example would be a Logstash receiver that can store them in an Elasticsearch database.

Supported Kafka version: 0.8

Procedure

FortiSIEM Backing Up and Restoring FortiSIEM Directories and Databases


Backing Up and Restoring SVN

Backing Up and Restoring the CMDB

Backing Up and Restoring the Event Database

Backing Up and Restoring SVN

Backup and restore SVN

FortiSIEM uses an inbuilt SVN to store network device configuration and installed software versions.

Backup

The SVN files are stored in /data/svn. Copy the entire directory to another location.

Restore

Copy the entire /data/svn from the backup location and rename the directory to /data/svn.

Backing Up and Restoring the CMDB

The FortiSIEM Configuration Management Database (CMDB) contains discovered information about devices, servers, networks and applications. You should create regular backups of the CMDB that you can use to restore it in the event of database corruption.

Backup

The database files are stored in /data/cmdb/data. FortiSIEM automatically backs up this data twice daily and the backup files are stored in /data/archive/cmdb. To

Restore

If your database becomes corrupted, restore it from a backup by performing these steps on your Supervisor node.

  1. Stop all processes with this phTools command:

These processes will continue to run, which is expected behavior:

  2. Copy the latest phoenixdb_<timestamp> file to a directory such as /tmp on the Supervisor host.
  3. Go to /opt/phoenix/deployment.
  4. Run db_restore /tmp/phoenixdb_<timestamp>.
  5. When this process completes, reboot the system.

Backing Up and Restoring the Event Database

Backup

Restore

Backup

The event data is stored in /data/eventdb. Since this data can become very large over time, you should use a program such as rsync to incrementally move the data to another location. From version 4.2.1 the rsync program is installed on FortiSIEM by default.

Use this command to back up the eventdb.

Restore

To restore eventdb there are two options:

Mount the directory where the event database was backed up.

Copy the backup to the /data/eventdb directory.

These instructions are for copying the backup to the /data/eventdb directory.

  1. Stop all running processes.
  2. Copy the event DB to the event DB location /data/eventdb.

If you use the cp command, it may appear that the command has hung if there is a lot of data to copy.

Alternatively, you can use rsync and display the process status.

  3. Once complete, restart all processes.

Check that all processes have started.

Monitoring Operations with FortiSIEM


Dashboards – Flash version

FortiSIEM includes several different types of dashboards and views to monitor your IT infrastructure. Topics in this section provide an overview of the General and VM View dashboards available in the Dashboard tab, along with their user interface controls and customization options.

Dashboard Overview

Summary Dashboard User Interface Overview

VM Dashboard User Interface Overview

Widget Dashboard User Interface Overview

Network Topology View of Devices

How Values in Dashboard Columns are Derived

Using the Analysis Menu

Customizing Dashboards

Adding Custom Columns to Dashboards

Adding Widgets to Dashboards

Creating a Customized Dashboard

Setting a Dashboard to Home

Creating Dashboard Slideshow

Exporting and Importing Dashboards

Link Usage Dashboard

FortiSIEM Dashboard Overview


FortiSIEM includes two types of component dashboards: General, which are used to monitor IT infrastructure components, and VM View, which focus specifically on information about virtual machines in your infrastructure. These two types of component dashboards also include two types of dashboards for collecting different types of information:

Summary dashboards that provide single-line entries for IT infrastructure components based on their system status (Critical, Critical + Warning, All) in operational time

Widget-based dashboards that provide metrics and analytics for functional areas using historical data

In addition to the summary and widget-based dashboards, FortiSIEM also includes a specialized Incident dashboard, with features that are detailed in the Incidents – Flash version section.

Topics in this section provide an overview of the Summary and Widget dashboards, as well as how to use the Analysis menu to gain more information about your IT infrastructure components.

Summary Dashboard User Interface Overview

VM Dashboard User Interface Overview

Widget Dashboard User Interface Overview

Network Topology View of Devices

How Values in Dashboard Columns are Derived

Using the Analysis Menu

Summary Dashboard User Interface Overview

Dashboard Overview

Summary Dashboard UI Controls

Dashboard Overview

Summary dashboards are best used for gathering information about individual infrastructure components in operational time. Summary dashboards include the Exec Summary dashboard, and all the dashboards in the Summary Dashboards and Availability/Performance folders of the Dashboards > General pane. In the Dashboards > VM View pane, summary dashboards include the ESX Host Type dashboards (All ESX Hosts and Standalone ESX Hosts, for example). Metrics for these dashboards are displayed either on a real-time basis, or as an average of ten minute intervals.

This screenshot shows an example of a Biz Service Summary dashboard for a multi-tenant deployment. It contains all the standard user interface controls found in summary dashboards, though some additional UI controls are found in other summary dashboards, as described in the table Columnar Dashboard UI Controls. Selecting a business service in the top pane loads all the components associated with that service into the panes below.

Summary Dashboard UI Controls

Status Filter – Filters the view of the components based on component status: Critical, Critical + Warning, All.

Organizations Filter – For multi-tenant deployments, filters components based on the organization they belong to.

Service Info – For the Business Services summary dashboard, shows the Quick Info for the business service. For other components, an Info link is provided in the same location in the UI.

Analysis Menu – The Analysis menu contains a number of options for component analytics, depending on the component selected. See Using the Analysis Menu for more information. You can also access the Analysis menu for a component by hovering your mouse over the component’s Device IP menu until the blue Quick Info icon appears, and then clicking the icon.

Customize Columns – The Custom Columns control lets you change the columns that are displayed in the dashboard. See Adding Custom Columns to Dashboards for more information.

Performance Summaries – Most columns contain a summary or trend view of their display information. Hover your mouse over the metric until a trend line icon appears, and then click to view the summary or trend information. Note that many of these summary pop-ups have their own navigational controls, for example to set the time interval for the summary.

Incident Summary – The incident summary shows the number and type of incidents associated with the component. Hover over the number to view a quick summary of the incidents; click on the incident number to view incident details.

Quick Info – The Quick Info view of a device, which you can also access through the Analysis menu or by hovering your mouse cursor over the Device IP column, displays General and Health information for the device, and when appropriate, Identity and Location information. It also contains links to additional information about the device:

Incidents – An exportable summary of incidents associated with the device.

Health – Availability, Performance, and Security health information for the device. You can also access this information by clicking the Device Health user interface control, or by selecting Device Health in the Analysis menu.

BizService – Any business services impacted by the device. You can also access this information by selecting Impacted Business Services in the Analysis menu.

Applications – Displays a report on the top 10 applications associated with the device by Average CPU Utilization over the past hour.

Vulnerability and IPS Status (not used in the Dashboard view) – Displays the vulnerability status reports that are also available by selecting Vulnerability and IPS Status in the Analysis menu.

Hardware Health (used only for the CMDB/Storage view) – Displays health information for the hardware being used for storage.

Interfaces – Displays a report on the top 10 interfaces associated with the device by average throughput.

Topology – Shows the device’s location in the network topology. You can also access this information by selecting Topology in the Analysis menu.

The Quick Info view also contains two links: Goto Config Item, which links to the device entry in the CMDB, and Goto Identity, which links to Analytics > Identity and Location Report, where you can edit this information for the device.

Component Health – Availability, Performance, and Security health reports for the device. You can also access this information by selecting a device in the Summary dashboard and then clicking Health, or by going to Quick Info > Health after selecting the device. If any Incidents are displayed, click the number to view the Incident Summary. Depending on the reported metric, you can zoom in for a closer look at graphs and reports by clicking the Magnifying Glass icon that appears when you hover your mouse cursor over them.

Location Selection – Filters components by their geographic locations. See Setting Device Location Information for more information.

Time View and Refresh Interval – The Time View has two options for whether you want to view Real Time or Average-10 mins metrics for your component, and for the interval at which you want them to refresh.
VM Dashboard User Interface Overview

The Dashboard > VM View provides a complete overview of your virtual infrastructure, including Data Centers, Standalone ESX Hosts, Resource Pools, Clusters, ESXs, and VMs. Over 400 VMs can be discovered, and their metrics pulled via vCenter, in under three minutes during initial discovery. As you navigate the Virtual Infrastructure hierarchy, you will see Summary dashboards similar to those in the General > Dashboard view for VM Clusters, All ESX Hosts, and Standalone ESX Hosts, while widget dashboards that provide performance metrics for CPU Utilization, Memory, Network Interface, Disk I/O and Data Store Utilization are available at the level of VM, ESX, Resource Pool and Cluster.

VM Summary Dashboards Overview

UI Controls for Virtual Infrastructure Summary Dashboards

The ESX Hosts View

The ESX and VM View

VM Summary Dashboards Overview

This screenshot shows the All ESX Hosts summary dashboard, which includes a summary pane for All ESXs at the top, and a summary pane for individual VM instances for selected ESXs at the bottom. The user interface controls for the Virtual Infrastructure summary dashboards are very similar to those in the General summary dashboards.

UI Controls for Virtual Infrastructure Summary Dashboards

Organizations Filter – For multi-tenant deployments, filters components based on the organization they belong to.

Quick Info – The Quick Info view of a device, which you can also access through the Analysis menu or by hovering your mouse cursor over the Device IP column, displays General and Health information for the device, and when appropriate, Identity and Location information. It also contains links to additional information about the device:

Incidents – An exportable summary of incidents associated with the device.

Health – Availability, Performance, and Security health information for the device. You can also access this information by clicking the Device Health user interface control, or by selecting Device Health in the Analysis menu.

BizService – Any business services impacted by the device. You can also access this information by selecting Impacted Business Services in the Analysis menu.

Applications – Displays a report on the top 10 applications associated with the device by Average CPU Utilization over the past hour.

Vulnerability and IPS Status (not used in the Dashboard view) – Displays the vulnerability status reports that are also available by selecting Vulnerability and IPS Status in the Analysis menu.

Hardware Health (used only for the CMDB/Storage view) – Displays health information for the hardware being used for storage.

Interfaces – Displays a report on the top 10 interfaces associated with the device by average throughput.

Topology – Shows the device’s location in the network topology. You can also access this information by selecting Topology in the Analysis menu.

The Quick Info view also contains two links: Goto Config Item, which links to the device entry in the CMDB, and Goto Identity, which links to Analytics > Identity and Location Report, where you can edit this information for the device.

Device Health – Availability, Performance, and Security health reports for the device. You can also access this information by selecting a device in the Summary dashboard and then clicking Health, or by going to Quick Info > Health after selecting the device. If any Incidents are displayed, click the number to view the Incident Summary. Depending on the reported metric, you can zoom in for a closer look at graphs and reports by clicking the Magnifying Glass icon that appears when you hover your mouse cursor over them.

Analysis Menu – The Analysis menu contains a number of options for component analytics, depending on the component selected. See Using the Analysis Menu for more information. You can also access the Analysis menu for a component by hovering your mouse over the component’s Device IP menu until the blue Quick Info icon appears, and then clicking the icon.

Locations – Filters components by their geographic locations. See Setting Device Location Information for more information.

Customize Columns – The Custom Columns control lets you change the columns that are displayed in the dashboard. See Adding Custom Columns to Dashboards for more information.

The ESX Hosts View

When you select an individual ESX Host in the Virtual Infrastructure hierarchy, the ESX Health tab will be selected and you will see a widget dashboard with reports for ESX Statistics, Active Incidents, Performance Metrics, Memory Utilization, and Disk Rate. Additional tabs are VM Summary and Top VMs.

ESX Health – A widget dashboard with reports for ESX Statistics, Active Incidents, Performance Metrics, Memory Utilization, and Disk Rate.

VM Summary – A summary dashboard for VMs on the ESX host.

Top VMs – A widget dashboard with reports for Top VMs by CPU Utilization, Top VMs by Memory Utilization, Top VMs by Disk Write Request Rates, Top VMs by CPU Ready Percentage, and Top VMs by Disk Read Request Rate, all updated hourly.

The ESX and VM View

When you select an ESX or VM in the Virtual Infrastructure hierarchy, you will see a widget dashboard that contains reports for VM Statistics, Active Incidents, and Performance Metrics.

FortiSIEM Widget Dashboard User Interface Overview


Widget dashboards are best for viewing aggregated metrics based on historical search, which are generally presented in the form of a graph or chart. From the widget view of information, you can drill down to view and modify the underlying historical search. Examples of widget dashboards include Availability/Performance > Avail/Perf Widgets, the Security Dashboard, BizService Dashboard > Avail/Perf Widgets and Security Widgets, and all the dashboards listed under Dashboards by Function.

This screenshot shows an edited view of the Availability/Performance > Avail/Perf Widgets dashboard. It contains all the standard user interface controls found in widget dashboards.

This screenshot shows the Event Info menu that you open by hovering your mouse cursor over an event within a widget until the menu icon appears.

Widget Dashboard UI Controls

Resize – You can resize the widget by clicking on this control, and then indicating how many tile spaces you want that widget to use in the dashboard.

Drill Down – Hover your mouse cursor over the right upper corner of the widget to access this control. Select a line displayed in the widget to drill down to the historical search associated with that metric. You can then run or modify the search. See Refining the Results from Historical Search for more information. This is the same functionality as the Drill Down option in the Event Info menu.

Edit Settings – Hover your mouse cursor over the right upper corner of the widget to access this control. Edit the settings associated with the widget. These include:

Title – the title of the report

Description – a summary description of the report

Condition – filters within the report. Look up the report in CMDB > CMDB Reports to view the filter conditions it uses.

Display – select the type of chart you would like the widget to display

Time – the time interval to use in gathering data

Refresh Interval – how often the data should be refreshed

Result Limit – how many results should be included in the report

Run report for – for multi-tenant deployments, select the organization that the widget should report on

Remove – Hover your mouse cursor over the right upper corner of the widget to access this control. Click this control to remove the widget from the dashboard.

Event Info – Hover your mouse cursor over a line in a report to view the Quick Info for the associated Event Type, or select Drill Down to view, edit, and run the associated historical search. See Refining the Results from Historical Search for more information.

Add Report – At the bottom of each widget dashboard is a button to add more widgets to the dashboard.

Related Links

Refining the Results from Historical Search


FortiSIEM Network Topology View of Devices


FortiSIEM provides two ways to view the topology of your IT infrastructure, one at the CMDB level that shows all devices, and another at the level of device groups and individual devices.

How is Network Topology Discovered and Visualized?

CMDB All Devices View

CMDB All Devices User Interface Controls

Device Group and Device View

Device Group and Device View User Interface Controls

Viewing Device Information in the Topological Map

How is Network Topology Discovered and Visualized?

FortiSIEM discovers network topology at two levels,  layer 3 and layer 2. Layer 3 connectivity involves IP addresses, while Layer 2 connectivity

The layer 3 topology is discovered by obtaining the network interface IP addresses and masks for all devices via SNMP (RFC 1213). The local networks, e.g. loopback (127.0.0.0/8) and link-local addresses (169.254.0.0/16), are filtered out and the distinct network segments are identified.

A layer 3 topology is visualized on the FortiSIEM Topology map by:

Drawing network segments and devices as nodes, and

Drawing line segments from each network segment node to every device node that has an interface with an IP address in that network segment.

The devices are represented by vendor-specific icons and the network nodes are represented by a line and labeled as “Net-<net>/<maskbits>”. For visual clarity:

Only the network devices are drawn by default. A network device is one that belongs to the Network Device tab in the CMDB. Only those networks are drawn that have devices discovered by FortiSIEM (and are in the CMDB). There is a “+” button next to those networks. Clicking on the “+” button displays those hosts in the topology graph. Clicking on the “-” button hides those hosts.
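The segment identification just described, as an added Python example that is not FortiSIEM's code. It assumes the SNMP poll has already been reduced to (device, address, mask) tuples, which are constructed inline here, and it goes slightly beyond the text by accepting IPv6 interfaces as well, filtering fe80::/10 the same way as 169.254.0.0/16. Which devices belong to the Network Device group is also assumed for the sample.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of what polling the RFC 1213 ipAddrTable returns for each
# discovered device: (device name, interface address, netmask or prefix length).
# Not real poll output.
SAMPLE_INTERFACES = [
    ("core-sw1", "10.0.1.1", "255.255.255.0"),
    ("core-sw1", "10.0.2.1", "255.255.255.0"),
    ("core-sw1", "127.0.0.1", "255.0.0.0"),       # loopback, filtered out
    ("fw1", "10.0.1.2", "255.255.255.0"),
    ("fw1", "192.0.2.1", "255.255.255.252"),
    ("web01", "10.0.2.10", "255.255.255.0"),
    ("web01", "169.254.7.7", "255.255.0.0"),      # IPv4 link-local, filtered out
    ("db01", "10.0.2.11", "255.255.255.0"),
    ("db01", "fe80::1", "64"),                    # IPv6 link-local, filtered out
]

# Devices assumed to sit in the CMDB Network Device group for this sample.
NETWORK_DEVICES = {"core-sw1", "fw1"}


def build_layer3_segments(interfaces):
    """Group devices by the network segment each interface belongs to.

    Returns {"Net-<net>/<maskbits>": [device, ...]} with loopback and
    link-local networks removed, using the label format of the topology map.
    """
    segments = defaultdict(set)
    for device, addr, mask in interfaces:
        # ip_interface accepts "addr/netmask" for IPv4 and "addr/prefixlen" for both.
        net = ipaddress.ip_interface(f"{addr}/{mask}").network
        if net.is_loopback or net.is_link_local:
            continue
        segments[f"Net-{net.network_address}/{net.prefixlen}"].add(device)
    return {label: sorted(devs) for label, devs in sorted(segments.items())}


def visible_edges(segments, network_devices, expanded=frozenset()):
    """Segment-to-device lines actually drawn.

    Network devices are always drawn; hosts only for segments the user has
    expanded with the "+" button.
    """
    return [
        (label, dev)
        for label, devs in segments.items()
        for dev in devs
        if dev in network_devices or label in expanded
    ]


def expandable_segments(segments, network_devices):
    """Segments that get a "+" button: they have hosts hidden by default."""
    return sorted(
        label for label, devs in segments.items()
        if any(dev not in network_devices for dev in devs)
    )


if __name__ == "__main__":
    segs = build_layer3_segments(SAMPLE_INTERFACES)
    for label, devs in segs.items():
        print(label, "->", ", ".join(devs))
    print("default view:", visible_edges(segs, NETWORK_DEVICES))
    print("expandable:", expandable_segments(segs, NETWORK_DEVICES))
```

A device with interfaces in several segments (core-sw1 above) appears under each of them, which is what produces the hub-and-spoke picture of a router or layer 3 switch linking segments on the map.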

When an enterprise network has Layer 2 switches and hubs, a layer 3 topology misses the connectivity between servers to layer 2 switches and the trunk port connectivity between layer 2/3 switches. Layer 2 discovery is difficult and, more importantly, vendor dependent as vendors have different implementations of the Spanning Tree Protocol (STP).

For Cisco switches, the layer 2 topology is obtained via SNMP (IEEE spanning tree MIB as found in RFC 1493 and CISCO-VTP-MIB) as follows:

For every switch:

  1. Identify all active VLANs on that switch.
  2. For every active VLAN:
     a. Get the MAC forwarding table.
     b. Get the STP table to identify trunk ports and the directly connected trunk ports on adjacent switches.

The MAC forwarding table obtained in Step 2a provides the server-to-switch-port connectivity (after eliminating the trunk port entries obtained in Step 2b). The trunk port connectivity between switch ports is obtained directly from Step 2b.
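The following Python script, added here and not part of FortiSIEM, runs the per-switch, per-VLAN procedure above over constructed tables: for each VLAN it takes the MAC forwarding table and the trunk ports reported by STP, derives host-to-switch-port links by discarding forwarding entries that point at a trunk, and collects the trunk links together with the VLANs each carries. Switch names, port names and MAC addresses are constructed; real discovery would fill the same structures from the BRIDGE-MIB and CISCO-VTP-MIB.

```python
"""Layer 2 connectivity from MAC forwarding and STP tables.

Added example; not FortiSIEM code. SAMPLE_SWITCHES is constructed to stand in
for per-VLAN SNMP results: a MAC forwarding table (MAC -> switch port) and the
trunk ports STP reports, each with its directly connected neighbour.
"""

# Constructed sample, not real discovery output.
# switch -> vlan -> {"fdb": {mac: port}, "trunks": {port: (peer_switch, peer_port)}}
SAMPLE_SWITCHES = {
    "sw1": {
        10: {"fdb": {"00:11:22:33:44:01": "Gi1/0/1",
                     "00:11:22:33:44:02": "Gi1/0/2",
                     "00:11:22:33:44:99": "Gi1/0/24"},   # learned across the trunk
             "trunks": {"Gi1/0/24": ("sw2", "Gi1/0/24")}},
        20: {"fdb": {"00:11:22:33:44:03": "Gi1/0/3",
                     "00:11:22:33:44:99": "Gi1/0/24"},
             "trunks": {"Gi1/0/24": ("sw2", "Gi1/0/24")}},
    },
    "sw2": {
        10: {"fdb": {"00:11:22:33:44:99": "Gi1/0/5",
                     "00:11:22:33:44:01": "Gi1/0/24"},
             "trunks": {"Gi1/0/24": ("sw1", "Gi1/0/24")}},
    },
}


def host_ports(switches):
    """Host-to-switch-port links: forwarding entries minus trunk ports.

    Returns {mac: (switch, port, vlan)}. A MAC seen on a trunk port belongs to
    a host behind a neighbouring switch, so it is skipped here and located by
    the switch that sees it on an access port (Step 2a filtered by Step 2b).
    """
    links = {}
    for switch, vlans in switches.items():
        for vlan, tables in vlans.items():
            for mac, port in tables["fdb"].items():
                if port in tables["trunks"]:
                    continue
                links[mac] = (switch, port, vlan)
    return links


def trunk_links(switches):
    """Switch-to-switch trunk links with the VLANs carried on each (Step 2b).

    Returns {((switch, port), (peer, peer_port)): [vlans]} with the endpoint
    pair sorted so both directions of a link fold into one entry.
    """
    vlans_on_link = {}
    for switch, vlans in switches.items():
        for vlan, tables in vlans.items():
            for port, (peer, peer_port) in tables["trunks"].items():
                key = tuple(sorted([(switch, port), (peer, peer_port)]))
                vlans_on_link.setdefault(key, set()).add(vlan)
    return {key: sorted(v) for key, v in vlans_on_link.items()}


def port_mapping_table(switches, switch):
    """Rows of one switch's Port Mapping Table: (port, vlan, mac) for access ports."""
    rows = [(port, vlan, mac)
            for mac, (sw, port, vlan) in host_ports(switches).items() if sw == switch]
    return sorted(rows)


if __name__ == "__main__":
    for (a, b), vlans in trunk_links(SAMPLE_SWITCHES).items():
        print(f"trunk {a[0]} {a[1]} <-> {b[0]} {b[1]}  VLANs {vlans}")
    for sw in SAMPLE_SWITCHES:
        for port, vlan, mac in port_mapping_table(SAMPLE_SWITCHES, sw):
            print(f"{sw} {port} VLAN {vlan}: {mac}")
```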

The Layer 2 topology is visualized on the FortiSIEM topology diagram by choosing the layer 2 mode. Then by clicking the “+” next to a device, the VLANs on that switch are displayed. Also, the trunk port connectivity is shown in an orange color and a tool tip provides the VLANs over this trunk link.

Then by clicking on the “+” of a VLAN, the hosts belonging to that VLAN and also the switch ports they connect to are displayed.

The host to switch port connectivity can also be seen in a tabular form by first clicking the switch and then clicking the “Port Mapping Table”.

CMDB All Devices View

This screenshot shows the CMDB tab selected, and in the Device View, Topology is selected. This topology map shows all the devices for the selected organization, and provides controls for editing the topology views that will be available to users from that organization.

CMDB All Devices User Interface Controls

UI Control: Description

Zoom: Use the slider to increase or decrease the zoom level of the map.

Organizations Filter: For multi-tenant deployments, filter devices based on the organization they belong to.

View: Select the layers, connection types, and number of hops from the host to display in the map.

Search: Search for specific devices based on name, IP, or Business Service.

View Options: Set the display options, including severity levels, for the map.

Layout Options: Set the type of topological map to display, as well as the length of links between devices.

Save and Update:

Refresh: When you make a change to the map settings, click Refresh to see them reflected in the map.

Save: Save your Layout and View Options to use them in other topographical maps associated with this organization.

Sync: If you make changes to your infrastructure or add devices to the CMDB, click Sync to see them reflected in the map.

Device Group and Device View

You can access the device group view of the topological map by selecting a group of devices in the Device View, and then clicking the Topo button in the Summary pane. Select an individual device, and then click the Topo button in the Details pane to view that device within the topological map.

Device Group and Device View User Interface Controls

UI Control: Description

Zoom: Use the slider to increase or decrease the zoom level of the map.

View Controls: Click on the arrow icon in the upper-right corner of the map to open these controls. Options to enable/disable node dragging, incident display, connection layer display, and the number of hops from the host to display.

Map Explorer: Click on the arrow icon in the lower-right corner of the map to open the Map Explorer. As you zoom into the map, the Map Explorer shows you the area that you are currently viewing. You can move to another area by clicking and dragging the highlighted section of the Map Explorer to that area.

Viewing Device Information in the Topological Map

Devices within the topological map have additional icons to represent information about the device.

Icon Name: Description

Show Connected Hosts: If a device has a green + icon in the topographic map, you can click on that icon to see hosts that are connected to that device.

Show Incident Details: Incidents for a device are displayed as a number in a circle to the right of the device icon, with the color of the circle (red, yellow, green) indicating the severity of the incidents. Click the number to view the Incident Summary for the device, and then click on an individual incident to view the Incident Details in the List View of Incidents. In the Incident Summary you can also view and apply a subset of options from the Analysis Menu by hovering your mouse cursor over the Incident Source or Incident Target entries for the incident.

Show Device Details: Click on the name of the device to view details about it. The kind of information displayed depends on the type of device you select.

 

 

FortiSIEM How Values in Dashboard Columns are Derived
How Values in Dashboard Columns are Derived

The values in Summary dashboard columns are either derived from system information (for example, the IP address for a device), or are metrics associated with events and their attributes. This topic uses the example of the CPU Util column in many summary dashboards to explain the relationship between event attributes and display columns, and how values in those columns are calculated.

  1. Log in to your Supervisor node.
  2. Go to Dashboard > Device View > All Devices.
  3. Click Select Columns.

You will see a list of all the columns used in this dashboard under Selected Columns. Under Selected Columns you’ll see CPU Util and, next to it in parentheses, three event types whose attributes are used to create this calculation: PH_DEV_MON_SYS_CPU_UTIL, PH_DEV_MON_EC2_METRIC, and PH_DEV_MON_CLARION_SP_UTIL. The metrics associated with these attributes are displayed in the CPU Util column, but how are metrics collected over time represented as a single value? To answer this question, you need to examine the column settings and Aggregation Method in the Device Support > Dashboard Columns page.

  1. Go to Admin > Device Support > Dashboard Columns.
  2. Find System CPU Utilization in the list of dashboard columns. CPU Util is part of the System CPU Utilization set of metrics.
  3. Each dashboard column has the same set of attributes:

Column Attribute: Description. Value for System CPU Utilization

Name: The metric collected. Value: System CPU Utilization

Event Type: The type of event that provides the attributes for the metric. Values: PH_DEV_MON_SYS_CPU_UTIL, PH_DEV_MON_EC2_METRIC, PH_DEV_MON_CLARION_SP_UTIL

Column Name: The display name in the Summary dashboard for the metric. Values: CPU Name, Storage Processor, CPU Utilization, Host IP Address. Most events include a Host IP address; however, there is no Column Name for this metric, as FortiSIEM generates the column name Device IP in relation to the metric.

Column Attribute: The specific attribute used for each Column Name. Values: Device IP (system generated name) – hostIpAddr; CPU Name – cpuName; Storage Processor – spName; CPU Util – cpuUtil

Column Type: The type of information that will be displayed in the column for each attribute. Values: Device IP (system generated name) – hostIpAddr – Host; CPU Name – cpuName – Object; Storage Processor – spName – Object; CPU Util – cpuUtil – Reading

Aggregator: For readings, the mathematical aggregator used to calculate the metric. Options are AVG, SUM, MAX, MIN, and LAST. A pipe | between two operators indicates that the first operation is aggregated over time and the second over the object. Value: CPU Util – cpuUtil – Reading – AVG|AVG

With this information, you can see that the CPU Util metric is derived from the cpuUtil attribute of the PH_DEV_MON_SYS_CPU_UTIL event, and that the display column is a reading that uses the calculation Average over time and then Average over the object being reported on. Now apply this to the event reports for a host with two CPUs, and you can see how the calculation works.

This output shows two samples of cpuUtil taken over three minutes for each CPU running on the host 192.168.0.40. According to the Aggregator for this column, FortiSIEM should first average the samples over time for each CPU, and then average those together to derive the metric for the host. The average for CPU 1 is 3.000000, and the average for CPU 2 is 30.000000. These values are combined and averaged again to get the overall metric for the host, which is 16.500000.
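As an added example (not FortiSIEM code), the following Python implements the two-stage aggregator described above so the AVG|AVG calculation can be checked: the operator before the pipe is applied over time for each object (here each CPU), and the operator after it across the objects of the host. The event records are constructed to reproduce the figures in the text, and the field names follow the attribute names on this page; any other operator pair from the list (MAX|AVG, LAST|MAX, and so on) runs through the same code.

```python
"""Two-stage dashboard column aggregation, such as AVG|AVG for CPU Util.

Added example; not FortiSIEM code. The events are constructed to match the
worked case in the text: host 192.168.0.40 with two CPUs, two samples each
over three minutes, averaging to 3.0 for CPU 1 and 30.0 for CPU 2.
"""
from collections import defaultdict

# Operator before the pipe runs over time (per object); after the pipe, across objects.
AGGREGATORS = {
    "AVG": lambda xs: sum(xs) / len(xs),
    "SUM": sum,
    "MAX": max,
    "MIN": min,
    "LAST": lambda xs: xs[-1],  # xs is in time order, so this is the newest sample
}

# Constructed PH_DEV_MON_SYS_CPU_UTIL events; "ts" is seconds from the first sample.
SAMPLE_EVENTS = [
    {"eventType": "PH_DEV_MON_SYS_CPU_UTIL", "hostIpAddr": "192.168.0.40",
     "cpuName": "1", "cpuUtil": 2.0, "ts": 0},
    {"eventType": "PH_DEV_MON_SYS_CPU_UTIL", "hostIpAddr": "192.168.0.40",
     "cpuName": "2", "cpuUtil": 20.0, "ts": 0},
    {"eventType": "PH_DEV_MON_SYS_CPU_UTIL", "hostIpAddr": "192.168.0.40",
     "cpuName": "1", "cpuUtil": 4.0, "ts": 180},
    {"eventType": "PH_DEV_MON_SYS_CPU_UTIL", "hostIpAddr": "192.168.0.40",
     "cpuName": "2", "cpuUtil": 40.0, "ts": 180},
]


def aggregate_column(events, host, object_attr, reading_attr, aggregator):
    """Return (host value, {object: value over time}) for one dashboard column.

    `aggregator` is written as on the Dashboard Columns page, e.g. "AVG|AVG".
    With no samples for the host the column value is None rather than a
    misleading zero.
    """
    try:
        over_time, over_object = (AGGREGATORS[name] for name in aggregator.upper().split("|"))
    except (KeyError, ValueError) as exc:
        raise ValueError(f"aggregator must be OP|OP with OP in {sorted(AGGREGATORS)}: {aggregator!r}") from exc

    per_object = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # time order matters for LAST
        if ev["hostIpAddr"] == host:
            per_object[ev[object_attr]].append(ev[reading_attr])
    if not per_object:
        return None, {}

    over_time_values = {obj: over_time(vals) for obj, vals in per_object.items()}
    return over_object(list(over_time_values.values())), over_time_values


if __name__ == "__main__":
    host_value, per_cpu = aggregate_column(
        SAMPLE_EVENTS, "192.168.0.40", "cpuName", "cpuUtil", "AVG|AVG")
    for cpu, value in per_cpu.items():
        print(f"CPU {cpu}: {value:.6f}")
    print(f"host CPU Util (AVG|AVG): {host_value:.6f}")
```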

FortiSIEM Using the Analysis Menu
Using the Analysis Menu

The Analysis menu located in the Summary dashboards presents a number of options for gathering more information about items selected in the dashboard. You can also access the Analysis menu items by selecting a line in a summary dashboard, and hovering your mouse over the IP address of the device until the blue Analysis menu option appears.

Analysis Menu Options

Menu Option: Description

Quick Info: The Quick Info view of a device, which you can also access through the Analysis menu or by hovering your mouse cursor over the Device IP column, displays General and Health information for the device and, when appropriate, Identity and Location information. It also contains links to additional information about the device:

Incidents: An exportable summary of incidents associated with the device.

Health: Availability, Performance, and Security health information for the device. You can also access this information by clicking the Device Health user interface control, or by selecting Device Health in the Analysis menu.

BizService: Any business services impacted by the device. You can also access this information by selecting Impacted Business Services in the Analysis menu.

Applications: Displays a report on the top 10 applications associated with the device by Average CPU Utilization over the past hour.

Vulnerability and IP Status (Not used in the Dashboard view): Displays the vulnerability status reports that are also available by selecting Vulnerability and IPS Status in the Analysis menu.

Hardware Health (Used only for the CMDB/Storage view): Displays health information for the hardware being used for storage.

Interfaces: Displays a report on the top 10 interfaces associated with the device by average throughput.

Topology: Shows the device’s location in the network topology. You can also access this information by selecting Topology in the Analysis menu.

The Quick Info view also contains two links, Goto Config Item, which links to the device entry in the CMDB, and Goto Identity, which links to Analytics > Identity and Location Report, where you can edit this information for the device.

Topology: Shows the device location within the network topology.

Device Health: Availability, Performance, and Security health reports for the device. You can also access this information by selecting a device in the Summary dashboard and then clicking Health, or by going to Quick Info > Health after selecting the device. If any Incidents are displayed, click the number to view the Incident Summary. Depending on the reported metric, you can zoom in for a closer look at graphs and reports by clicking the Magnifying Glass icon that appears when you hover your mouse cursor over them.

Incidents Summary: A summary of incidents associated with the device. Select an incident and then hover your mouse cursor over the Incident Name to open the View Incident Details option, which loads the selected incident into the Incident Dashboard. See the topics under Incidents – Flash version for more information about working with the Incident Dashboard. If you hover your mouse cursor over the Incident Target for an incident in the Incident Summary screen, you will see some additional options, including:

Add to Watch List – add the incident target to a watch list. See Watch Lists for more information.

Show Related Real Time Search – opens a real time search using the Host IP and Name for the incident target.

Show Related Historical Search – opens a historical search using the Host IP and Name for the incident target.

Device Availability: Displays reports for Availability Trend Status, Ping Response Time, and Ping Packet Loss for the device over the past hour, and Device Uptime for the device over the past thirty minutes.

Device Performance: Displays reports for Performance Health Trend, Avg Memory Utilization, Avg CPU Utilization, and Avg Disk Utilization over the past hour for the device.

Interface Status: Displays reports for Interface Utilization Percentage, Interface Error Percentage, Interface Traffic, and Interface Error Count over the past hour for the device.

Application Performance: Displays reports for Average Application CPU Utilization, Application CPU Utilization, Average Application Memory Utilization, and Application Memory Utilization over the past hour for the device.

Event Status: Displays reports for Events per Second, Top Network Connections, Top Events by Severity, and Top TCP/UDP Ports over the past hour for the device.

All Events by Group for the Last 10 Minutes: Opens a Historical Search for the selected device using these criteria.

Traffic Status: Displays reports for All Permitted Traffic Sourced From or Destined to the selected device, and All Denied Traffic Sourced From or Destined to the selected device over the previous hour.

Vulnerability and IPS Status: Displays reports for All Vulnerabilities for Last 1 Day and All Warning + Critical IPS Events for the device over the past 24 hours.

Impacted Biz Services: Business services that contain the selected device.

Real-time Events: Opens a Real-Time Search for the selected device.

Historical Events for Last 5 Mins: Opens a historical search for all events associated with the device over the past five minutes.

 

 

FortiOS 5.4.5 Release Notes

Change Log

Date: Change Description

2017-06-08: Initial release of FortiOS 5.4.5.

2017-06-09: Added 403937 to Resolved Issues. Updated Upgrade Information > Upgrading to FortiOS 5.6.0. Updated 435124 in Known Issues.

2017-06-13: Removed 416678 from Known Issues. Added 398052 to Resolved Issues. Added FGT-140 and FGT-140-POE to Introduction > Supported models > Special branch supported models.

 

Introduction

This document provides the following information for FortiOS 5.4.5 build 1138:

  • Special Notices
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues
  • Known Issues
  • Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.4.5 supports the following models.

FortiGate: FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3700DX, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi: FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE

FortiGate Rugged: FGR-60D, FGR-90D

FortiGate VM: FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN

FortiOS 5.4.5 supports the additional CPU cores through a license update on the following VM models:

  • VMware 16, 32, unlimited
  • KVM 16
  • Hyper-V 16, 32, unlimited

Pay-as-you-go images: FOS-VM64, FOS-VM64-KVM

FortiOS Carrier: FortiOS Carrier 5.4.5 images are delivered upon request and are not available on the customer support firmware download page.

Special branch supported models

The following models are released on a special branch of FortiOS 5.4.5. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 1138.

FGR-30D is released on build 7662.
FGR-35D is released on build 7662.
FGR-30D-A is released on build 7662.
FGT-30E-MI is released on build 6229.
FGT-30E-MN is released on build 6229.
FWF-30E-MI is released on build 6229.
FWF-30E-MN is released on build 6229.
FWF-50E-2R is released on build 7657.
FGT-52E is released on build 6226.
FGT-60E is released on build 6225.
FWF-60E is released on build 6225.
FGT-61E is released on build 6225.
FWF-61E is released on build 6225.
FGT-80E is released on build 6225.
FGT-80E-POE is released on build 6225.
FGT-81E is released on build 6225.
FGT-81E-POE is released on build 6225.
FGT-90E is released on build 6230.
FGT-90E-POE is released on build 6230.
FGT-91E is released on build 6230.
FWF-92D is released on build 7660.
FGT-100E is released on build 6225.

 


FGT-100EF is released on build 6225.
FGT-101E is released on build 6225.
FGT-140E is released on build 6257.
FGT-140E-POE is released on build 6257.
FGT-200E is released on build 6228.
FGT-201E is released on build 6228.
FGT-2000E is released on build 6227.
FGT-2500E is released on build 6227.

What’s new in FortiOS 5.4.5

For a detailed list of new features and enhancements that have been made in FortiOS 5.4.5, see the What’s New for FortiOS 5.4.5 document available in the Fortinet Document Library.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built-in Fortinet_Factory certificate that uses a 2048-bit key with DH group 14.

Default log setting change

For FG-5000 blades, the log disk is disabled by default. It can only be enabled via the CLI. For all 2U and 3U models (FG-3600/FG-3700/FG-3800), the log disk is also disabled by default. For all 1U models and desktop models that support a SATA disk, the log disk is enabled by default.

FortiAnalyzer Support

In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.

Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of ports 1 through 14, include:

  • PPPoE failing, HA failing to form
  • IPv6 packets being dropped
  • FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config system global
    set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed
  • BPDUs are dropped and therefore no STP loop results
  • PPPoE packets are dropped
  • IPv6 packets are dropped
  • FortiSwitch devices are not discovered
  • HA may fail to form depending on the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

FortiGate units managed by FortiManager 5.0 or 5.2

Any FortiGate unit managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiClient Support

Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.

Note that the FortiClient license should be considered before upgrading. Full-featured FortiClient 5.2 and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on the environment's needs, a FortiClient EMS license may need to be purchased for endpoint provisioning. Please consult Fortinet Sales or your reseller for guidance on the appropriate licensing for your organization.

The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. A new license will need to be procured for either FortiClient EMS or FortiGate. To verify if a license purchase is compatible with 5.4.1 and later, the SKU should begin with FC-10-C010.

 


FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.5, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With the introduction of the Cooperative Security Fabric in FortiOS, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

In the FortiClient profile on FortiGate, when you set the Non-Compliance Action setting to Auto-Update, the FortiClient profile supports limited provisioning for FortiClient features related to compliance, such as AntiVirus, Web Filter, Vulnerability Scan, and Application Firewall. When you set the Non-Compliance Action setting to Block or Warn, you can also use FortiClient EMS to provision endpoints, if they require additional other features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

When you upgrade to FortiOS 5.4.1 and later, the FortiClient provisioning capability will no longer be available in FortiClient profiles on FortiGate. FortiGate will be used for endpoint compliance and Cooperative Security Fabric integration, and FortiClient Enterprise Management Server (EMS) should be used for creating custom FortiClient installers as well as deploying and provisioning FortiClient on endpoints. For more information on licensing of EMS, contact your sales representative.

FortiPresence

FortiPresence users must change the FortiGate web administration TLS version in order to allow the connections on all versions of TLS. Use the following CLI command.

config system global
    set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
end

Log Disk Usage

Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.

To view a list of supported FortiGate models, refer to the FortiOS 5.4.0 Feature Platform Matrix.


SSL VPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGate VMs, which remain at the self-signed option. For details on importing a CA-signed certificate, please see the How to purchase and import a signed SSL certificate document.

FG-30E-3G4G and FWF-30E-3G4G MODEM Firmware Upgrade

The 3G4G MODEM firmware on the FG-30E-3G4G and FWF-30E-3G4G models may require updating. Upgrade instructions and the MODEM firmware have been uploaded to the Fortinet Customer Service & Support site.

Log in and go to Download > Firmware. In the Select Product list, select FortiGate, and click the Download tab. The upgrade instructions are in the following directory:

…/FortiGate/v5.00/5.4/Sierra-Wireless-3G4G-MODEM-Upgrade/

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 5.4.5

FortiOS version 5.4.5 officially supports upgrading from version 5.4.3 and later and 5.2.9 and later.

When upgrading from a firmware version other than those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.

There is a separate version of the guide describing the safest upgrade path to the latest patch of each of the supported versions of the firmware. To upgrade to this build, go to FortiOS 5.4 Supported Upgrade Paths.

Upgrading to FortiOS 5.6.0

Cooperative Security Fabric Upgrade

FortiOS 5.4.1 and later greatly increases the interoperability with other Fortinet products. This includes:

  • FortiClient 5.4.1 and later
  • FortiClient EMS 1.0.1 and later
  • FortiAP 5.4.1 and later
  • FortiSwitch 3.4.2 and later

The upgrade of the firmware for each product must be completed in a precise order so that network connectivity is maintained without the need for manual steps. Customers must read the following two documents prior to upgrading any product in their network:

  • Cooperative Security Fabric – Upgrade Guide
  • FortiOS 5.4.x Upgrade Guide for Managed FortiSwitch Devices

This document is available in the Customer Support Firmware Images download directory for FortiSwitch 3.4.2.


FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.5, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • VDOM parameters/settings
  • admin user account
  • session helpers
  • system access profiles

When downgrading from 5.4 to 5.2, users will need to reformat the log disk.

Amazon AWS Enhanced Networking Compatibility Issue

Due to this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.4.1 or later image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Downgrading to older versions from 5.4.1 or later running the enhanced NIC driver is not allowed. The following AWS instances are affected:

  • C3
  • C4
  • R3
  • I2
  • M4
  • D2

 


FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.
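As an added example, not Fortinet code, the following Python script verifies a downloaded image against the MD5 value obtained from the Firmware Image Checksums page. The expected value is passed on the command line and the image path is whatever was downloaded; md5_of_bytes exists so the same routine can be checked on a constructed input.

```python
"""Verify a downloaded firmware image against the MD5 published on the support portal.

Added example, not Fortinet code. The expected value is assumed to have been
copied from Download > Firmware Image Checksums; nothing here fetches it.
"""
import hashlib
import hmac
import io
import sys

CHUNK_SIZE = 1024 * 1024  # read in 1 MiB pieces so large images need not fit in memory
HEX_DIGITS = set("0123456789abcdef")


def image_md5(stream):
    """Hex MD5 of a binary stream, read in chunks."""
    digest = hashlib.md5()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def md5_of_bytes(data):
    """Same routine over an in-memory byte string (used for the self-check)."""
    return image_md5(io.BytesIO(data))


def checksum_matches(actual_hex, expected_hex):
    """Case-insensitive, constant-time comparison of two MD5 hex strings.

    Anything that is not a 32-hex-digit value is rejected outright, so a
    mis-pasted or empty expected value can never "match".
    """
    actual = actual_hex.strip().lower()
    expected = expected_hex.strip().lower()
    if len(expected) != 32 or not set(expected) <= HEX_DIGITS:
        return False
    return hmac.compare_digest(actual, expected)


def verify_image_file(path, expected_hex):
    """True if the file at `path` hashes to `expected_hex`."""
    with open(path, "rb") as f:
        return checksum_matches(image_md5(f), expected_hex)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <image file> <expected md5>")
    ok = verify_image_file(sys.argv[1], sys.argv[2])
    print("checksum OK" if ok else "CHECKSUM MISMATCH: do not upload this image")
    sys.exit(0 if ok else 1)
```

Compare against the value copied from the authenticated portal session rather than a checksum shipped alongside the image: a matching MD5 confirms the download was not corrupted or truncated, and since MD5 is no longer collision resistant, the trustworthiness of the checksum's own source is what gives the check its value.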

Product Integration and Support

FortiOS 5.4.5 support

The following table lists 5.4.5 product integration and support information:

Web Browsers: Microsoft Edge 38; Microsoft Internet Explorer 11; Mozilla Firefox version 53; Google Chrome version 58; Apple Safari version 9.1 (for Mac OS X). Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser: Microsoft Edge 40; Microsoft Internet Explorer 11; Mozilla Firefox version 53; Apple Safari version 10 (for Mac OS X); Google Chrome version 58. Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager: For the latest information, see the FortiManager and FortiOS Compatibility. You should upgrade your FortiManager prior to upgrading the FortiGate.

FortiAnalyzer: For the latest information, see the FortiAnalyzer and FortiOS Compatibility. You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.

FortiClient Microsoft Windows and FortiClient Mac OS X: 5.4.1. If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading the FortiGate.

FortiClient iOS: 5.4.1

FortiClient Android and FortiClient VPN Android: 5.4.0

FortiAP: 5.4.1 and later; 5.2.5 and later. Before upgrading FortiAP units, verify that you are running the current recommended FortiAP version. To do this in the GUI, go to WiFi Controller > Managed Access Points > Managed FortiAP. If your FortiAP is not running the recommended version, the OS Version column displays the message: A recommended update is available.

FortiAP-S: 5.4.1 and later

FortiSwitch OS (FortiLink support): 3.5.0 and later

FortiController: 5.2.0 and later (supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C); 5.0.3 and later (supported model: FCTL-5103B)

FortiSandbox: 2.1.0 and later; 1.4.0 and later

Fortinet Single Sign-On (FSSO): 5.0 build 0256 and later (needed for FSSO agent support of OU in group filters), on Windows Server 2016 Standard, Windows Server 2008 (32-bit and 64-bit), Windows Server 2008 R2 64-bit, Windows Server 2012 Standard, Windows Server 2012 R2 Standard, and Novell eDirectory 8.8; 4.3 build 0164 (contact Support for download), on Windows Server 2003 R2 (32-bit and 64-bit), Windows Server 2008 (32-bit and 64-bit), Windows Server 2008 R2 64-bit, Windows Server 2012 Standard Edition, Windows Server 2012 R2, and Novell eDirectory 8.8. FSSO does not currently support IPv6.

FortiExplorer: 2.6.0 and later. Some FortiGate models may be supported on specific FortiExplorer versions.

FortiExplorer iOS: 1.0.6 and later. Some FortiGate models may be supported on specific FortiExplorer iOS versions.

FortiExtender: 3.0.0; 2.0.2 and later

AV Engine: 5.247

IPS Engine: 3.311

Virtualization Environments

Citrix: XenServer version 5.6 Service Pack 2; XenServer version 6.0 and later

Linux KVM: RHEL 7.1/Ubuntu 12.04 and later; CentOS 6.4 (qemu 0.12.1) and later

Microsoft: Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016

Open Source: XenServer version 3.4.3; XenServer version 4.1 and later

VMware: ESX versions 4.0 and 4.1; ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV: The following NIC chipset cards are supported: Intel 82599; Intel X540; Intel X710/XL710

Language

Language support

The following table lists language support information.

Languages supported in the GUI:

  • English
  • Chinese (Simplified)
  • Chinese (Traditional)
  • French
  • Japanese
  • Korean
  • Portuguese (Brazil)
  • Spanish (Spain)

SSL VPN support

SSL VPN standalone client

The following table lists the SSL VPN tunnel client standalone installer for the supported operating systems.

Operating system and installers

Operating System: Linux CentOS 6.5 / 7 (32-bit & 64-bit); Linux Ubuntu 16.04
Installer: 2333. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.


SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported antivirus and firewall software: Symantec Endpoint Protection 11

Supported operating systems and web browsers

Microsoft Windows 7 SP1 (32-bit & 64-bit): Microsoft Internet Explorer version 11, Mozilla Firefox version 53, Google Chrome version 58
Microsoft Windows 8 / 8.1 (32-bit & 64-bit): Microsoft Internet Explorer version 11, Mozilla Firefox version 53, Google Chrome version 58
Microsoft Windows 10 (64-bit): Microsoft Edge, Microsoft Internet Explorer version 11, Mozilla Firefox version 53, Google Chrome version 58
Linux CentOS 6.5 / 7 (32-bit & 64-bit): Mozilla Firefox version 53
Mac OS 10.11.1: Apple Safari version 9, Mozilla Firefox version 53, Google Chrome version 58
iOS: Apple Safari, Mozilla Firefox, Google Chrome
Android: Mozilla Firefox, Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall
Kaspersky Antivirus 2009
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0


Resolved Issues

The following issues have been fixed in version 5.4.5. For inquiries about a particular bug, please contact Customer Service & Support.

AntiVirus

Bug ID Description
392200 Encrypted archive log is generated even though the function archive-log in antivirus profile is unset.

DLP

Bug ID Description
379911 DLP filter order is not applied to encrypted files.

Firewall

Bug ID Description
304276 Policy real time view shows incorrect statistic in session offload to np6.
378482 TCP/UDP traffic fails when NAT/UTM is enabled on FGT-VM in KVM.
395241 After IPS is enabled on LB-VIP policy, this message displays: ipsapp session open failed: all providers busy.
402158 Some policy settings are not installed in complex sessions.
416111 FQDN address is unresolved in a VDOM although the URL is resolved with IP.

GUI

Bug ID Description
283682 Cannot delete FSSO-polling AD group from LDAP list tree window in FSSO-user GUI.
356998 urlfilter list re-order on GUI does not work.
371149 30D GUI should support FortiSwitch controller feature when CLI supports it.
372898 User group name should escape XSS script at UserGroups page.
374166 Using Edge cannot select the firewall address when configuring a static route.
374350 Field pre-shared key may be unavailable when editing the IPsec dialup tunnel created through the VPN wizard.
378428 FortiGate logs a connection of category deny (red sign) even though traffic is allowed through policy.
379331 DHCP Monitor page does not fully display the page selector pane.
384532 Cannot set IPsec vpn xauth user group inherit from policy in GUI when setting xauthtype auto server.
385482 Webui loads indefinitely when accessing a none access webpage from custom admin profile.
386285 GUI Wizard fails to create FortiClient Dialup IPsec VPN if HA is enabled.
386849 When editing IPsec tunnel, Accessible Networks field cannot load if there is nested address group.
387640 Duplicate entry found when auto generate guest user.
388454 GUI failures when FSSO group contains an apostrophe.
394067 Improve displaying the warning: File System Check Recommended.
395711 pyfcgid takes 100% of CPU when managed switch page displayed.
396430 CSRF token is disclosed in several URLs.
401247 Cannot nest service group within another service group through GUI.
409104 Fix virtual-wire wildcard VLANs not handling u-turn traffic properly.
421918 HTTPSD debug improvement.

HA

Bug ID Description
373200 Quick failover occurs when enabling portmonitor.
382798 Master unit delay in sending heartbeat packet.
386434 HA configuration and VLAN interface disappear from config after reboot.
396938 Reboot of FGT HA cluster member with redundant HA management interface deletes HA configuration.
397171 FIB of VDOMs in vcluster2 is not synced to the slave.
404736 SCTP synchronized sessions in HA cluster, when one reboots the master, the traffic is interrupted.
404874 Some commands for HA in diag debug report and exec tac report need to be updated.
408167 Heartbeat packets broadcast out of ports not configured as HB ports, even though the HB ports are directly connected.
Bug ID Description
377255 Can’t read UTM details on log panel when set location to FortiAnalyzer.
377733 Results/Deny All filter does not return all required/expected data.

IPsec VPN

Bug ID Description
356330 Cross NP6-Chip IPsec traffic does not work in SLBC environment.
374326 Accept type: Any peerID may be unavailable when creating a IPsec dialup tunnel with a pre-shared key and ikev1 in main mode.
386802 Unable to establish phase 2 when using address group/group object as quick mode selectors.
392097 3DES encryption susceptible to Sweet32 attack.
395044 OSPF over IPsec IKEv2 with dialup tunnel does not work as for IKEv1.
397386 Slave worker blades attempt to establish site to site IPsec VPN tunnel.
409050 unregister_netdevice messages appears on console when CAPWAP message is transmitted over IPsec tunnel.
411682 ADVPN failover does not update rtcache entry.
412987 IPsec VPN certificate not validated against PKI user’s CN and Subject.

Logging & Report

Bug ID Description
386742 Missing deny traffic log when user traffic is blocked by NAC quarantine.
397702 Add kernel related log messages for protocol attacks.
397714 Need a fill log disk utility to assist with CC testing.
398802 Forward traffic log shows dstintf=unknown-0 after enabling antivirus.
401511 FortiGate Local Report showing incorrect Malware Victims and Malware Sources.
402712 Username truncated in Webfilter & DLP logs.
406071 DNS filtering shows error: all Fortiguard SDNS servers failed to respond.
417128 Syslog message are missed in Fortigate.
421062 FortiGate 60E stopped sending logs to FortiAnalyzer when reliable enabled.

Router

Bug ID Description
373892 ECMP(BGP) routing failover time.
374306 Number of concurrent sessions affect the convergence time after HA failover.
383013 Message ha_fib_rtnl_hdl: msg truncated, increase buf size showing up on console.
385264 AS-override has not been applied in multihop AS path condition.
392250 BGP session not establishing with Cisco Nexus.
393623 Policy routing change not is not reflected.
397087 VRIP cannot be reached on 51E when it is acting as VRRP master.
399415 Local destined IPv6 traffic matched by PBR.
405408 FortiGate creates corrupted OSPF LS Update packet when certain number of networks is propagated.
421151 ICMP redirect received in root affects another VDOM’s route gateway selection.

SSL VPN

Bug ID Description
370986 SSL VPN LDAP user password renew doesn’t work when two factor authentication is enabled.
375827 SSL VPN web mode get Access denied to FOS 5.4.1 GA B1064 under VDOM.
375894 SSL VPN web mode access FMG B1066/FAZ B1066 error.
387276 SSL VPN should support Windows 10 OS check.
389566 “AltGr” key does not work when connecting to RDP-TLS server through SSL VPN web portal from IE 11.
394272 SSL VPN proxy mode can’t proxy some web server URL normally
395497 https-redirect for SSL VPN does not support realms.
396932 Some web sites not working over web SSL VPN.
399784 URL modified incorrectly for a dropdown in application server.
402743 User peer causes SSL VPN access failure even though user group has no user peer.
405799 AV breaks login to OWA via SSLVPN web mode.
406028 Citrix with Xenapp 7.x not working via SSLVPN web portal.
408624 SSL VPN certificate UPN+LDAP authentication works only on first policy.

System

Bug ID Description
182287 Implementation for check_daemon_enable() is not efficient.
283952 VLAN interface Rx bytes statistics higher than underlying aggregate interface.
302722 Using CLI #get system hardware status makes CLI hang.
306041 SSH error Broken pipe on client when using remote forwarding and SSH deep packet option log port fwd is enabled.
354490 False positive sensor alarms in Event log.
355256 After reassigning a hardware switch to a TP-mode VDOM, bridge table does not learn MAC addresses until after a reboot.


375798 Multihoming SCTP sessions are not correctly offloaded.
376423 Sniffer is not able to capture ICMPv6 packets with Hop-by-Hop option when using filter icmp6.
377192 DHCP request after lease expires is sent with former unicast IP instead of 0.0.0.0 as source.
378364 L2TP over IPsec tunnel cannot be established in FortiGate VM.
379883 Link-monitor doesn’t remove the route when it is in “die” state.
381363 Empty username with Radius 802.1x WSSO authentication.
382657 ICMP Packets bigger than 1418 bytes are dropped when offloading for IPsec tunnel is enabled.

Affected models: FG-30D, FG-60D, FG-70D, FG-90D, FG-90D-POE, FG-94D, FG-98D, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FWF-30D, FWF-60D, FWF-90D, FWF-90D-POE.

383126 50E/51E TP mode – STP BPDU forwarding destined to 01:80:c2:00:00:00 has stopped after warm/cold reboot.
385455 Inconsistent trusted host behavior.
385903 Changing allowedaccess on FG-200D hardware switch interfaces causes hard-switch to stop functioning.
386271 On FWF-90D after enabling IPS sensor with custom sig, in 60% chance need to wait for 30+ seconds to let ping packet pass.
386395 Missing admin name in system event log related to admin NAC quarantine.
388971 Insufficient guard queue size when sending files to FSA.
389407 High memory usage for radvd process.
389711 Suggest asic_pkts/asic_bytes counter in diagnose firewall iprope show should remain after FortiGate reboot.
391168 Delayed Gratuitous ARP during SLBC Chassis Fail-back.
391460 FortiGuard Filtering Services Availability check is forever loading.
392655 Conserve mode – 4096 SLAB leak suspected.
393275 VDOM admin forced to change password while there is another login session gets "The name is a reserved keyword by the system".


393343 Remove botnet filter option if interface role is set to LAN.
394775 GUI not behaving properly after successful upload of FTK200CD file.
395039 Loopback interface: Debug Flow and logs do not show the usage of firewall policy ID.
396018 Backup slave member of a redundant interface accept and process incoming traffic.
397984 SLBC – FIB sync may fail if there is a large routing table update.
398852 UDP jumbo frames arrives fragmented on a 3600C are blocked when acceleration is enabled.
399364 VDOM config restore fails for GRE interface bound to IPsec VPN interface.
399648 LAN ports status is up after reboot even if administrative status is down on FG-30D.
400907 Ethernet Ports Activity LED doesn’t light for shared copper ports.
401360 LDAP group query failed when the fixed length buffer overflows.
402742 VDOM list page does not load.
403532 FG-100D respond fragmented ICMP request with non-fragmented reply right after factory reset.
403724 Real number of FortiToken supported doesn’t match tablesize on some platforms.
403937 High memory on VSD.
404258 L2TP second user cannot connect to FG-600D via a router (NAPT).
404480 Link-monitor is not detecting the server once it becomes available.
405234 Unable to load application control replacement message logo and image in explicit proxy (HTTPS).
405757 Interface link not coming up when FortiGate interface is set to 1000full.
406071 DNS Filtering showing error all Fortiguard SDNS servers failed to respond.
406519 Administrative users assigned to prof_admin profile do not have access to diagnose CLI command.
406689 Autoupdate schedule time is reset after rebooting.
406972 Device become unresponsive for 30 min. during IPS update when cfg-save option is set to manual.
409828 Cisco switches don’t discover FortiGate using LLDP on internalX ports.
410463 SNMP is not responding when queried on a loopback IP address with an asymmetric SNMP packet path.
410901 PKI peer CA search stops on first match based on CA subject name.
411432 scanunitd gets high CPU when making configuration changes.
411433 voipd shows high CPU when making configuration changes.
411685 If IPPool is enabled in the firewall policy, offloaded traffic to NP6 is encrypted with a wrong SPI.
414243 DNS Filter local FortiGuard SDNS servers failed to respond due to malformed packet.
416678 FG101E/100E has reports of firewall lockups in production.
418205 High CPU utilization after upgrade from FortiOS 5.2.10 to 5.4.4.
420170 Skip the rating for dynamic DNS update type queries.

Web Filter

Bug ID Description
188128 For the Flowbase web filter, the CLI command set https-replacemsg disable does not work.

WebProxy

Bug ID Description
376808 Explicit proxy PAC File distribution in FortiOS 5.4.x not working properly.
383817 WAD crashes with a signal 11 (segmentation fault) in wad_port_fwd_peer_shutdown and wad_http_session_task_end.
398052 WAD session leak.
398405 WAD crashes without backtrace.
400454 Improve WAD debug trace and crash log information.
402155 WAD crashes with signal 6 in wad_authenticated_user_authenticate after upgrade to 5.4.3.
402778 WAD does not authorize user if it belongs to more than 256 usergroups with Kerberos authentication.
405264 WAD crash when flush FTP over HTTP traffic.
408503 Cannot access websites when SSL Inspection is set to Inspect All Ports with Proxy Option enabled only for HTTP(ANY).
412462 Fortinet-Bar does not show up on iPhone with iOS 10.2.1 Safari and Google Chrome 57.0.2987.100.
415918 Explicit proxy users are disconnected once a VDOM is created / removed.
421092 WAD consuming memory when explicit webproxy is used.

WiFi

Bug ID Description
387146 Wireless client RSSO authentication fails after reconnection to AP.

Common Vulnerabilities and Exposures

Bug ID Description
374501 FortiOS 5.4.5 is no longer vulnerable to the following CVE Reference: CVE-2016-0723

Visit https://fortiguard.com/psirt for more information.


Known Issues

The following issues have been identified in version 5.4.5. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

AntiVirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json).
Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.

Endpoint Control

Bug ID Description
374855 Third party compliance may not be reported if FortiClient has no AV feature.
375149 FortiGate does not auto update AV signature version while Endpoint Control is enabled.
391537 Buffer size is too small when sending large vulnerability list to FortiGate.

Firewall

Bug ID Description
364589 LB VIP slow access when cookie persistence is enabled.

FortiGate-3815D

Bug ID Description
385860 FortiGate-3815D does not support 1GE SFP transceivers.

FortiRugged-60D

Bug ID Description
375246 invalid hbdev dmz may be received if the default hbdev is used.

FortiSwitch-Controller/FortiLink

Bug ID Description
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully but fails to pass traffic until you reboot FortiSwitch.
374346 Adding or reducing stacking connections may block traffic for 20 seconds.

FortiView

Bug ID Description
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
372350 Threat view: Threat Type and Event information is missing in the last level of the threat view.
372897 Invalid -4 and invalid 254 is shown as the submitted file status.
373142 Threat: Filter result may not be correct when adding a filter on a threat and threat type on the first level.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
375187 Using realtime auto update may increase chrome browser memory usage.

GUI

Bug ID Description
289297 Threat map may not be fully displayed when screen resolution is not big enough.
297832 Administrator with read-write permission for Firewall Configuration is not able to read or write firewall policies.
355388 The Select window for remote server in remote user group may not work as expected.
365223 CSF: downstream FGT may be shown twice when it uses hardware switch to connect upstream.
365317 Unable to add new AD group in second FSSO local polling agent.
365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
368069 Cannot select wan-load-balance or members for incoming interface of IPsec tunnel.
369155 There is no Archived Data tab for email attachment in the DLP log detail page.


372908 The interface tooltip keeps loading the VLAN interface when its physical interface is in another VDOM.
372943 Explicit proxy policy may show a blank for default authentication method.
374081 wan-load-balance interface may be shown in the address associated interface list.
374162 GUI may show the modem status as Active in the Monitor page after setting the modem to disable.
374224 The Ominiselect widget and Tooltip keep loading when clicking a newly created object in the Firewall Policy page.
374320 Editing a user from the Policy list page may redirect to an empty user edit page.
374322 Interfaces page may display the wrong MAC Address for the hardware switch.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
374397 Should only list any as destination interface when creating an explicit proxy in the TP VDOM.
374521 Unable to Revert revisions in GUI.
374525 When activating the FortiCloud/Register-FortiGate, clicking OK may not work the first time.
375346 You may not be able to download the application control packet capture from the forward traffic log.
373363 Multicast policy interface may list the wan-load-balance interface.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
375036 The Archived Data in the SnifferTraffic log may not display detailed content and download.
375227 You may be able to open the dropdown box and add new profiles even though errors occur when editing a Firewall Policy page.
375259 Addrgrp editing page receives a js error if addrgrp contains another group object.
375369 May not be able to change IPsec manualkey config in GUI.
375383 Policy list page may receive a js error when clicking the search box if the policy includes wan-load-balance interface.
379050 User Definition intermittently not showing assigned token.
421423 Cannot download certificate in Security Profiles > SSL/SSH Inspection. Workaround: Go to System > Certificates to download.

HA

Bug ID Description
399115 ID for the new policy (when using edit 0) is different on master and on slave unit.

IPsec

Bug ID Description
393958 Shellshock attack succeeds when FGT is configured with server-cert-mode replace and an attacker uses rsa_3des_sha.
435124 Cannot establish IPsec phase1 tunnel after upgrading from version 5.4.5 to 5.6.0.

Workaround: After upgrading to 5.6.0, reconfigure all IPsec phase1 psksecret settings.

Router

Bug ID Description
299490 During and after failover, some multicast groups take up to 480 seconds to recover.

SSL VPN

Bug ID Description
303661 The Start Tunnel feature may have been removed.
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
374644 SSL VPN tunnel mode Fortinet bar may not be displayed.
375137 SSL VPN bookmarks may be accessible after accessing more than ten bookmarks in web mode.
382223 SMB/CIFS bookmark in SSL VPN portal doesn’t work with DFS Microsoft file server error “Invalid HTTP request”.


System

Bug ID Description
284512 When using the Dashboard Interface History widget, the httpds process uses excessive memory and then crashes.
287612 Span function of software switch may not work on FortiGate-51E/FortiGate-30E.
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to log in to FortiGate via SSH.
371320 show system interface may not show the Port list in sequential order.
372717 Option admin-https-banned-cipher in sys global may not work as expected.
392960 FOS support for V4 BIOS.

Upgrade

Bug ID Description
269799 Sniffer config may be lost after upgrade.
289491 When upgrading from 5.2.x to 5.4.0, port-pair configuration may be lost if the port-pair name exceeds 12 characters.

Visibility

Bug ID Description
374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an address change.

VM

Bug ID Description
364280 ssh-dss may not work on FGT-VM-LENC.

WiFi

Bug ID Description
434991 WTP tablesize limitation cause WTP entry to be lost after upgrade from v5.4.4 to 5.4.5.

Affected models: FG-30D, FG-30D-POE, FG-30E, FWF-30D, FWF-30D-POE, FWF-30E.


Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats: XVA (recommended), VHD, OVF.
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiSIEM Customizing Dashboards

Customizing Dashboards

FortiSIEM includes several dashboards for device types and IT functional areas, but you can also customize and create new dashboards and widgets.

Adding Custom Columns to Dashboards

Adding Widgets to Dashboards

Creating a Customized Dashboard

Setting a Dashboard to Home

Adding Custom Columns to Dashboards

You may want to add custom columns based on event attributes to a Summary dashboard. This topic explains how to create a custom set of columns using the example of a hardware temperature readout, and then add them to a dashboard.

Prerequisites

Procedure

Prerequisites

Read the topic How Values in Dashboard Columns are Derived.

Procedure

  1. Find the event that contains the attribute you want to use.

In this case, you want to create a hardware temperature reading. The event PH_DEV_MON_HW_TEMP contains the attribute envTempDegC.

  2. Go to Admin > Device Support > Dashboard Columns.
  3. Click New.
  4. For Name, enter the display name for the new metric you want to collect. For this example, enter the name Temperature Reading.
  5. For Event Type, click the Edit icon and select the event you want to use.

For this example, select PH_DEV_MON_HW_TEMP.

  6. Click the + icon to add a column. As you complete each column, click OK, then click + to add more columns.

For each event type, you will typically create three columns: a Host column that contains IP information for associated hosts, an Object column that includes information about the object being reported on, and a Reading column that contains the metric you want to report on.

Note that you could create additional Reading columns for other attributes contained in your event.

Column Type: Host
  Attributes: hostIpAddr
  Aggregator: N/A
  Display Name: N/A
  Format: N/A
  Trend Chart: N/A
  Type: Host

Column Type: Object
  Attributes: hwComponentName
  Aggregator: N/A
  Display Name: N/A
  Format: N/A
  Trend Chart: N/A
  Type: Object

Column Type: Reading
  Attributes: envTempDegC
  Aggregator: AVG|MAX
  Display Name: Temp
  Format: DegreeC
  Trend Chart: Health
  Type: Reading

  7. When you're finished adding columns, click OK.

The new column you created will appear in Admin > Device Support > Dashboard Columns.

  8. Select your new column in the list, and then click Apply.
  9. To add your column to a dashboard, navigate to the dashboard.
  10. In the dashboard, click Select Columns.
  11. Under Event Types, select the event type you used to create the new column.

The columns associated with that event type will be listed under Columns, and the Attribute Name will list the attribute you used to create the column.

  12. Under Columns, select your column and use the >> button to move it into the Selected Columns.
  13. Use the up and down position buttons to place the column in the order where you want it to appear in the dashboard.
  14. Click OK.

Your new column will appear in the dashboard.
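To make concrete how the Host, Object and Reading columns defined above turn a stream of PH_DEV_MON_HW_TEMP events into dashboard rows, here is an added illustration in Python; it is not FortiSIEM code, the event records are constructed, and the second event type and the grouping logic are assumptions about how the AVG|MAX aggregator is applied per host and component.

```python
"""Derive Summary-dashboard rows (Host, Object, Reading) from raw events.

Added illustration, not FortiSIEM's implementation. The column definitions
mirror the Temperature Reading example (hostIpAddr / hwComponentName /
envTempDegC with the AVG|MAX aggregator); the events below are constructed.
"""
from collections import defaultdict
from statistics import mean

# Column definitions as entered under Admin > Device Support > Dashboard Columns.
COLUMNS = [
    {"type": "Host", "attribute": "hostIpAddr"},
    {"type": "Object", "attribute": "hwComponentName"},
    {"type": "Reading", "attribute": "envTempDegC",
     "aggregator": ("AVG", "MAX"), "display_name": "Temp", "format": "DegreeC"},
]

# Constructed sample events (not real FortiSIEM output).
EVENTS = [
    {"eventType": "PH_DEV_MON_HW_TEMP", "hostIpAddr": "10.0.0.1",
     "hwComponentName": "CPU", "envTempDegC": 61.0},
    {"eventType": "PH_DEV_MON_HW_TEMP", "hostIpAddr": "10.0.0.1",
     "hwComponentName": "CPU", "envTempDegC": 67.0},
    {"eventType": "PH_DEV_MON_HW_TEMP", "hostIpAddr": "10.0.0.1",
     "hwComponentName": "Chassis", "envTempDegC": 40.0},
    {"eventType": "PH_DEV_MON_HW_TEMP", "hostIpAddr": "10.0.0.2",
     "hwComponentName": "CPU", "envTempDegC": 55.0},
    # A different event type (name assumed) must not feed this column set.
    {"eventType": "PH_DEV_MON_SYS_CPU_UTIL", "hostIpAddr": "10.0.0.2",
     "cpuUtil": 12.0},
    # An event lacking the reading attribute is skipped, not counted as zero.
    {"eventType": "PH_DEV_MON_HW_TEMP", "hostIpAddr": "10.0.0.3",
     "hwComponentName": "PSU"},
]

AGGREGATORS = {"AVG": mean, "MAX": max}


def derive_columns(events, columns, event_type="PH_DEV_MON_HW_TEMP"):
    """Group events of `event_type` by the Host and Object attributes, then
    apply each Reading column's aggregators to the collected values.
    Returns {(host, object): {"Temp AVG": x, "Temp MAX": y}}."""
    keys = [c["attribute"] for c in columns if c["type"] in ("Host", "Object")]
    readings = [c for c in columns if c["type"] == "Reading"]
    buckets = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if ev.get("eventType") != event_type or not all(k in ev for k in keys):
            continue
        key = tuple(ev[k] for k in keys)
        for col in readings:
            if col["attribute"] in ev:
                buckets[key][col["attribute"]].append(float(ev[col["attribute"]]))
    rows = {}
    for key, per_attr in buckets.items():
        row = {}
        for col in readings:
            values = per_attr.get(col["attribute"])
            if not values:
                continue
            for agg in col["aggregator"]:
                row[f"{col['display_name']} {agg}"] = AGGREGATORS[agg](values)
        rows[key] = row
    return rows


def format_reading(value, fmt):
    """Render a reading in the column's Format; only DegreeC is used here."""
    return f"{value:.1f} °C" if fmt == "DegreeC" else str(value)


if __name__ == "__main__":
    for (host, obj), row in sorted(derive_columns(EVENTS, COLUMNS).items()):
        cells = ", ".join(f"{k}={format_reading(v, 'DegreeC')}" for k, v in row.items())
        print(f"{host:<10} {obj:<8} {cells}")
```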
