What’s new in Release 4.7.1
Features
HTML5-based GUI for Incidents
You can log on to the HTML5 version of the Incident page at https://<SupervisorIP>/phoenix/html.
For details, see here.
Malware URL threat feed
Previous releases allowed users to import malware domains, IPs, file hashes and Anonymity Networks as external threat intelligence feeds. This release extends this functionality to malware URLs.
For details, see here.
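What "matching a malware URL feed" has to get right is less obvious than for an IP or hash feed: the same URL appears with different case, an explicit default port, or a trailing slash, and a raw substring comparison misses all of those. The following is an added example, not FortiSIEM's code or its feed import format; the feed, the proxy log lines and the field layout are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample feed, one URL per line; '#' starts a comment.
# Not a real threat feed and not FortiSIEM's import format.
FEED = """\
# constructed malware URL feed
http://Bad-Example.test/dl/payload.exe
https://evil.example.test:443/login/
http://cdn.example.test/a/b?id=1
"""

# Constructed proxy access-log lines (Squid-like layout, not FortiSIEM output).
LOG_LINES = [
    "1700000000.123 10.0.0.5 TCP_MISS/200 GET http://bad-example.test/dl/payload.exe",
    "1700000000.456 10.0.0.7 TCP_MISS/200 GET https://evil.example.test/login",
    "1700000000.789 10.0.0.9 TCP_MISS/200 GET http://cdn.example.test/a/b?id=2",
    "1700000001.000 10.0.0.9 TCP_MISS/200 GET http://good.example.test/",
]

URL_RE = re.compile(r"\bhttps?://\S+")


def normalize(url):
    """Canonical form of a URL so cosmetic differences do not defeat the match:
    lower-case scheme and host, drop default ports and a trailing slash, keep the
    query (a feed entry with a query string is that specific URL, not the whole path)."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = f"{host}:{port}"
    path = p.path or "/"
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    return urlunsplit((scheme, host, path, p.query, ""))


def load_feed(text):
    """Parse the feed into a set of normalized URLs, skipping blanks and comments."""
    urls = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            urls.add(normalize(line))
    return urls


def naive_match(lines, feed_text):
    """Raw substring matching against the feed as written: misses case, port and slash variants."""
    raw = [l.strip() for l in feed_text.splitlines()]
    raw = [u for u in raw if u and not u.startswith("#")]
    return [l for l in lines if any(u in l for u in raw)]


def match_log(lines, feed):
    """Extract the URL from each log line, normalize it and look it up in the feed.
    Returns (client_ip, matched_url) pairs."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        url = normalize(m.group(0))
        if url in feed:
            hits.append((line.split()[1], url))
    return hits


if __name__ == "__main__":
    feed = load_feed(FEED)
    print("naive substring hits:", len(naive_match(LOG_LINES, FEED)))
    for ip, url in match_log(LOG_LINES, feed):
        print(f"{ip} requested feed URL {url}")
```

Run on the constructed data, the substring approach finds nothing while the normalized lookup reports two hits; the third feed entry is deliberately not matched because the request carries a different query string, which is the right outcome for a URL (rather than domain) indicator.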
Syslog over TLS
This release enables FortiSIEM to receive encrypted Syslog over TLS.
For details, see here.
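On the sending side, a syslog client must be told both to use TLS and to verify the collector's certificate, otherwise "encrypted" syslog can silently fall back to plaintext or accept any peer. The following rsyslog configuration is an added example and not from the FortiSIEM documentation; the collector hostname, the CA file path and the use of port 6514 (the RFC 5425 default for syslog over TLS) are assumptions, and the port must match what is configured on the FortiSIEM side.

```conf
# /etc/rsyslog.d/fortisiem-tls.conf  (rsyslog 8.x with the rsyslog-gnutls module)
# Example client configuration, not FortiSIEM's own; hostnames and paths are assumed.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/collector-ca.pem"
)

# StreamDriverMode 1 = TLS only, never plaintext.
# x509/name = verify the chain against the CA above AND check the peer name,
# so a forwarder cannot be redirected to an impostor collector.
action(
  type="omfwd"
  target="collector.example.test"
  port="6514"
  protocol="tcp"
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="collector.example.test"
  queue.type="LinkedList"
  queue.size="10000"
  action.resumeRetryCount="-1"
)
```

Before relying on it, confirm the collector's certificate actually chains to the CA you configured: `openssl s_client -connect collector.example.test:6514 -CAfile /etc/rsyslog.d/certs/collector-ca.pem </dev/null` should end with `Verify return code: 0 (ok)`. Then send a marker with `logger -t tlstest "tls forwarding check"` and search for it in FortiSIEM; if it arrives only after lowering `StreamDriverAuthMode` to `anon`, the certificate or its subject name is wrong, not the transport.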
Device Audit framework
FortiSIEM discovers devices in depth, collects various performance/availability metrics, parses logs and traps, and triggers rules. This release provides a framework for users to run an audit on devices based on the collected information. Audit criteria can be based on
OS version
Installed software version
A set of reports representing audit violations
A set of rules triggering incidents representing audit violations
Users can define audit criteria and run a check against devices, either on demand or periodically on a schedule. The results can be displayed in the GUI, exported as PDF from the GUI, or emailed with PDF attachments.
For details, see here.
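The trap in any "OS version" or "installed software version" audit criterion is the comparison itself: compared as strings, "5.4.9" sorts above "5.4.10", so a device one patch behind passes. The example below is added here and is not FortiSIEM's audit implementation; the inventory records, the CMDB-like field names and the version thresholds are constructed for illustration.

```python
import re

# Constructed inventory records; not the FortiSIEM CMDB export format.
DEVICES = [
    {"name": "fw-edge-1", "os": "FortiOS", "os_version": "5.4.10",
     "software": {"openssl": "1.0.2u"}},
    {"name": "fw-edge-2", "os": "FortiOS", "os_version": "5.4.9",
     "software": {"openssl": "1.0.2k"}},
    {"name": "web-01", "os": "Linux", "os_version": "3.10.0",
     "software": {"openssl": "1.1.1w", "bash": "4.2.46"}},
]

# Audit criteria: minimum acceptable versions per OS and per installed package.
# The thresholds are hypothetical, chosen only to exercise the comparison.
CRITERIA = {
    "os_min": {"FortiOS": "5.4.10"},
    "software_min": {"openssl": "1.0.2t", "bash": "4.3"},
}


def version_key(v):
    """Turn '1.0.2u' into ((0,1),(0,0),(0,2),(1,'u')): numeric runs compare as
    integers, letter runs as text. Plain string comparison is wrong for versions
    ('5.4.9' > '5.4.10' lexically), which is exactly the bug an audit must avoid."""
    parts = [(0, int(t)) if t.isdigit() else (1, t.lower())
             for t in re.findall(r"\d+|[A-Za-z]+", v)]
    while parts and parts[-1] == (0, 0):   # treat '4.3.0' the same as '4.3'
        parts.pop()
    return tuple(parts)


def version_lt(have, need):
    return version_key(have) < version_key(need)


def audit(devices, criteria):
    """Return one (device, item, have, need) record per failed criterion."""
    violations = []
    for d in devices:
        os_min = criteria["os_min"].get(d["os"])
        if os_min and version_lt(d["os_version"], os_min):
            violations.append((d["name"], "os", d["os_version"], os_min))
        for pkg, have in d["software"].items():
            need = criteria["software_min"].get(pkg)
            if need and version_lt(have, need):
                violations.append((d["name"], pkg, have, need))
    return violations


if __name__ == "__main__":
    for name, item, have, need in audit(DEVICES, CRITERIA):
        print(f"{name}: {item} {have} is below required {need}")
```

Each violation record carries the observed and required values, which is what an audit report or an incident-triggering rule needs to show; a criterion that only says "fails" is hard to act on.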
Device Support – New
Aruba Switches – discovery (Bug 15800)
Alertlogic IPS – log parsing (Bug 16250)
AWS Elastic Load Balancer – log parsing (Bug 15752)
Device Support – Enhancements
F5 load balancer – detailed performance monitoring
Fortinet FortiOS – more detailed data collection and trap parsing
Aruba Clearpass Manager – more detailed log parsing (Bug 15542)
Checkpoint GAIA – monitor memory using UCD MIBs (Bug 16203)
HP/UX – more detailed syslog parsing (Bug 15565)
InfoBlox – more detailed syslog parsing (Bug 16121, Bug 16191)
Dell Equallogic – more detailed syslog parsing (Bug 15433)
TrendMicro Officescan – more detailed syslog parsing (Bug 16122)
Checkpoint FireWall-1 – parsing fix (Bug 16119)
Microsoft Windows – Added event id 4769 (Bug 16191)
Microsoft Windows – Added event id 6274, 6272 (Bug 12163)
Microsoft Windows – Added event id 5137 (Bug 7429)
Juniper SecureAccess – parser enhancement (Bug 16035)
Palo Alto Firewall – parser enhancements (Bug 16727, 16169)
Fortinet FortiOS Firewall – parser enhancements (Bug 16554)
Symantec Endpoint Control – parser enhancements (Bug 16210)
F5 ASM – parser enhancements (Bug 16726)
McAfee Stonesoft IPS – parser enhancements (Bug 16729)
Cisco Call Manager – parser enhancements (Bug 16395)
Cisco ACS Parser – parser enhancement (Bug 15550)
Imperva SecureSphere – parser improvements (Bug 16036)
HP Procurve – syslog parsing enhancement (Bug 12072)
Bug Fixes / Enhancements
Bug ID | Severity | Component | Description |
16779 | Minor | App Server | A user cannot change their own password if the CMDB Tab view is restricted from them |
16767 | Minor | System | File rename error on a cross-partition operation may lead to event database archive failure |
16340 | Minor | Parser | Incorrectly formatted NetFlow packets can cause the parser module to crash |
16460 | Minor | App Server | Users who do not have permissions for Admin > Discovery cannot launch discovery from CMDB |
16009 | Minor | App Server | User-created custom types (device, event, attribute) are created as Origin = System after upgrade |
16655 | Minor | App Server | Empty “Time” in an Incident Notification Policy can cause the notification policy not to trigger |
16067 | Minor | GUI | Cannot add more than 100 devices to a CMDB Device folder |
16654 | Minor | GUI | Cannot handle CMDB Reports with filter conditions containing strings with spaces, e.g. Installed Software Name = ‘Attack Definition’ |
16764 | Minor | App Server | Incident Notification Policy may sometimes trigger twice for the same incident ID |
15296 | Enhancement | App Server | Ability to export test connectivity errors, discovery errors and discovery change delta results as PDF reports |
16898 | Minor | App Server | Run script notification may sometimes fail to run |
16055 | Minor | Parser | The ‘vulnSolution’ event attribute populated from vulnerability pulling agents such as Qualys and Nessus needs to allow for URLs |
16007 | Minor | App Server | An exception may happen during clear incident processing, resulting in the clear incident not getting stored |
16867 | Enhancement | Parser | SSH script for Foundry switches fails when the switch is configured to log in to enable mode directly without typing “enable; username; password” |
16870 | Minor | Performance Monitoring | For custom SNMP monitoring, the snmpbulkwalk command does not work for some OIDs while snmpwalk works |
15527 | Enhancement | GUI | Allow users to edit the same property for multiple devices in one shot by multi-selecting the devices and entering new values |
16382 | Enhancement | App Server | On CMDB Reports, add the ‘Processor Name’ attribute to the “Server Hardware: Processor” report |
16431 | Enhancement | Parser | System error message “Success ratio too low” is now reported only after a large number of retry attempts have occurred |
Current Open Issues
Id | Severity | Component | Description |
8867 | Normal | Rule Engine | LAST and FIRST operators in rules do not work (may crash the Rule Worker module) |
11036 | Normal | Rule Engine | Rule Worker module may abort when a PctChange expression is used |
14242 | Normal | Query Engine | RBAC data conditions are not enforced for SP organizations when logging in via the super org and moving to another org |
15022 | Normal | Parser Engine | Parser module may stall/pause if host name resolution is slow. The workaround for now is to disable host name resolution. |
11112 | Normal | Rule Engine | COUNT DISTINCT operations consume large resources for rules utilizing Anomaly Detection |
14478 | Normal | GUI | Sometimes the GUI pops up a warning (Large amount of data stored over the boundaries) when users restore archived data or delete the restored data |
15109 | Normal | Performance Monitoring | Failed Custom JDBC job shows in the performance page after Discovery |
15247 | Normal | Parser | AIX parser cannot parse events correctly |
15253 | Normal | Parser | Reporting device name is parsed wrongly in LinuxInotifyParser (affects Linux file integrity monitoring via the AccelOps agent) |
14929 | Normal | Performance Monitoring | Maintenance calendar issue: maintenance for a device does not start at the configured time if there is a long-running disabled job of another device |
15068 | Normal | Application Server | Dashboard search filtering does not work for Clariion LUNs under the Summary tab |
15231 | Normal | Application Server | Generating PDF reports over 100 pages drops the page footer |
15233 | Minor | Application Server | “Validation Status” column in Admin->Event DB->Event Integrity does not allow sorting |
15300 | Minor | GUI | For Report Server, if you sync -> unsync -> sync in rapid succession, the last sync may not take effect |
9261 | Enhancement | Application Server | Charts in exported reports (PDF format) only contain stacked charts, not line charts |