7.4.0

Quick Start

This section includes the following information to help you get started with using FortiSOAR MEA:

Enabling the FortiSOAR MEA

FortiAnalyzer provides access to a FortiSOAR MEA application that is released and signed by Fortinet.

Note

Only root users or users with sudo permissions can enable management extensions.

Enabling the FortiSOAR MEA using the FortiAnalyzer GUI

  1. Ensure you are using ADOM version 6.4 or later.
  2. Log on to FortiAnalyzer and navigate to Administration > System Settings > Management Extensions.
  3. Click the grayed-out tile for FortiSOAR MEA to enable the application.
  4. Click OK on the confirmation dialog to install and open the FortiSOAR MEA.
    Note: It may take some time to install the application. Also, note that on the first boot of FortiSOAR MEA, the Configuration Wizard runs automatically and performs the initial configuration steps for FortiSOAR MEA, such as enabling the embedded (default) Secure Message Exchange (SME), installing the trial license, etc. All of these steps take some time to complete.

Enabling the FortiSOAR MEA using the CLI

  1. Log in to FortiAnalyzer using SSH.
  2. Enable the FortiSOAR MEA using the following commands:
    FAZ-VM64 # config system docker
    (docker) # set status enable
    (docker) # set fortisoar enable
    (docker) # end

You can check the status of the FortiSOAR MEA using the following command:
FAZ-VM64 # diagnose docker status

Licensing FortiSOAR MEA

Once the FortiSOAR MEA extension is enabled, a trial FortiSOAR experience gets activated. The FortiSOAR MEA is shipped with a Trial (Extension) license by default and you do not need to install any additional license to use FortiSOAR MEA on FortiAnalyzer. The trial mode is limited to 2 users, who can use FortiSOAR MEA for a maximum of 300 actions a day.

Note

Important steps such as "Create Records", "Update Records", "Find Records", "Connection Actions", etc., are counted towards the maximum action count limit of 300. However, steps used for data manipulation such as "Wait", "Approval", "Loops", "Reference a Playbook", etc. are not counted towards the action count restriction.

For more extensive usage without the action count limit and to enable more users, you can update the trial license at any time to a FortiSOAR license. However, since the trial license is an "Enterprise" type license, you can only deploy a FortiSOAR license of type "Enterprise" using the FortiSOAR UI.

To update the Trial (Extension) license to a FortiSOAR license:

  1. Log onto FortiSOAR.
  2. Click Settings > License Manager to open the License Manager page as shown in the following image:

  3. To update your license, click Update License and either drag-and-drop your updated license or click and browse to the location where your license file is located, then select the file and click Open.

For detailed information on deploying the FortiSOAR "Enterprise" license, see the Licensing FortiSOAR chapter in the "Deployment Guide."

Note

Administration credentials are needed for deploying subsequent FortiSOAR licenses. However, for FortiSOAR running as a FortiAnalyzer extension, the FortiAnalyzer session is used to validate users; therefore, users do not need to enter credentials while uploading the FortiSOAR license.

Accessing FortiSOAR MEA using SSH

If you SSH to FortiSOAR MEA on FortiAnalyzer for the first time, then you must accept the FortiSOAR MEA EULA. To accept the EULA on the FortiAnalyzer CLI, do the following:

  1. Log in to FortiAnalyzer using SSH.
  2. Ensure that the FortiSOAR MEA extension is enabled. For more information, see the Enabling the FortiSOAR MEA using the CLI section.
  3. Get the FortiAnalyzer root prompt by running the execute shell command.
  4. Run the following command:
    docker exec -ti -u csadmin fortisoar_fortisoar_1 bash -l
    This command will ask you to accept the EULA. You must accept the EULA before you can proceed to the FortiSOAR MEA Configuration Wizard.
    After you accept the EULA and the Configuration Wizard has run, you can perform various operations on the FortiAnalyzer CLI, such as checking the status of FortiSOAR MEA services using the FortiSOAR Admin CLI (csadm). For example, to check the status of services, run the csadm services --status command. For more information on 'csadm', see the FortiSOAR™ Administration Guide that is included in the FortiSOAR Product Documentation.
Tip

It is highly recommended that you set up a backup user for the FortiSOAR appliance so that, in the event you forget the 'csadmin' CLI password for CLI access and your csadmin user gets locked, you can still access the CLI using the backup user's account. For the steps to create a backup user, see the Creating a backup user for the FortiSOAR appliance to allow access to the CLI topic in the Deploying FortiSOAR chapter of the "Deployment Guide" that is included in the FortiSOAR Product Documentation.

Provisioning Failures

If there are any provisioning failures, such as failures while FortiSOAR MEA is performing the initial configuration phase using the automated non-interactive FortiSOAR configuration wizard, including failures while configuring the embedded Secure Message Exchange, then a failure screen detailing the status of each configuration step is displayed, making it simpler to identify the issue. Before using FortiSOAR MEA, you must use the CLI to fix any issues with the failed steps, as the functioning of FortiSOAR MEA might otherwise be hampered. However, if you decide to access FortiSOAR MEA without rectifying the failed steps, a Proceed Anyway button is provided that enables you to continue using the product while acknowledging the configuration failure:
Provisioning Failure Message

If your instance does not come up even after clicking Proceed Anyway, you can try the following steps to fix the issues:

  • Use the csadm services --status command to check the statuses of the services. Based on the output of this command, you can choose to restart the specific service that is not running; for example, if the 'postgresql-14' service is not running, you can restart it using the systemctl restart postgresql-14 command. Alternatively, you can use the csadm services --restart command to restart all the services. Use the csadm services --status command once you have restarted any non-running services to verify their status.
    Once all the services are operational, re-run the configuration using the /opt/cyops/scripts/config-vm.sh command.
  • Manually install ansible in the case of an ansible installation error using the following command:
    sudo -u nginx /opt/cyops-workflow/.env/bin/pip install ansible==7.4.0 --extra-index-url https://repo.fortisoar.fortinet.com/prod/connectors/deps/simple/
  • If the failure screen keeps getting displayed on the FortiSOAR MEA UI, even after you have attempted to resolve all the backend issues, then you can edit fsr-boot.json to change its state from 'failed' to 'config_vm_failure_acknowledged'.

Contact support if failures persist even after troubleshooting.

Additionally, if there is any issue with the activation of the 'Trial License', then the FortiSOAR UI displays the 'License Upload' page, along with information about the activation failure, as shown in the following image:
License activation failure while provisioning

FortiSOAR MEA usage

Note

All users get created as 'admin' users when they log onto FortiSOAR MEA for the first time, as only admin users have access to FortiSOAR MEA on FortiAnalyzer.

The SOAR Framework Solution Pack (SP) is installed by default with fresh installations of FortiSOAR MEA. The SOAR Framework SP is the Foundational Solution Pack that creates the framework, including modules, dashboards, roles, widgets, etc., required for effective day-to-day operations of any SOC. Also, note that the Incident Response modules, i.e., Alerts, Incidents, Indicators, and War Rooms, are not part of the FortiSOAR MEA platform, making it essential for users to install the SOAR Framework SP to optimally use and experience FortiSOAR MEA’s incident response. For detailed information about the SOAR Framework SP, see the SOAR Framework SP documentation.

Changing the HTTPS port for GUI access

If an administrator of FortiAnalyzer changes the HTTPS port for GUI access, then the previously enabled FortiSOAR MEA becomes inaccessible. To resolve this issue, the administrator needs to run the following commands on the FortiSOAR MEA CLI:

/opt/cyops/python_packages/fortisoar/fsr/extn/scripts/settings.py --create-secret

/opt/cyops/scripts/api_caller.py \
          --endpoint "https://localhost/api/3/system_settings/845c05cc-05b3-450e-9afb-df6b6e436321" \
          --method PUT --payload "{\"globalValues\": { \"hostname\": \"myfaz.mydomain:gui_port/fortisoar\"}}"

NOTE: Replace myfaz.mydomain with the hostname of your FortiAnalyzer and gui_port with the value of your new https_port.
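As an added example (not Fortinet's code), the following POSIX shell wrapper runs the two commands above in order, after validating the FortiAnalyzer hostname and the new GUI port so that an unexpected character cannot corrupt the JSON payload. It assumes it is run inside the FortiSOAR MEA shell, where the settings.py and api_caller.py paths shown above exist.

```shell
#!/bin/sh
# Added example, not Fortinet's code: wrapper around the two documented
# commands for repointing FortiSOAR MEA after the FortiAnalyzer HTTPS port
# changes. Assumes it runs inside the FortiSOAR MEA shell.

# System settings record id exactly as given in the documented command.
FSR_SETTINGS_ID="845c05cc-05b3-450e-9afb-df6b6e436321"

# Accept only hostname characters so the value can be embedded in JSON
# without escaping (a quote or backslash here would break the payload).
valid_hostname() {
    case "$1" in
        "" | *[!A-Za-z0-9.-]* | -* | .* | *. ) return 1 ;;
    esac
    return 0
}

# The GUI port must be an integer in the range 1..65535.
valid_port() {
    case "$1" in
        "" | *[!0-9]* ) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the JSON payload the documented PUT expects: host:port/fortisoar.
build_payload() {
    printf '{"globalValues": {"hostname": "%s:%s/fortisoar"}}' "$1" "$2"
}

# Validate both inputs, then run the two documented commands in order.
update_fsr_hostname() {
    host="$1"; port="$2"
    if ! valid_hostname "$host"; then
        echo "invalid hostname: $host" >&2; return 2
    fi
    if ! valid_port "$port"; then
        echo "invalid port: $port" >&2; return 2
    fi
    /opt/cyops/python_packages/fortisoar/fsr/extn/scripts/settings.py --create-secret || return 1
    /opt/cyops/scripts/api_caller.py \
        --endpoint "https://localhost/api/3/system_settings/$FSR_SETTINGS_ID" \
        --method PUT --payload "$(build_payload "$host" "$port")"
}

# Only act when invoked as: sh fsr_set_port.sh <faz_hostname> <gui_port>
# Sourcing the file without arguments just defines the functions.
if [ "$#" -eq 2 ]; then
    update_fsr_hostname "$1" "$2"
fi
```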

Backing up and restoring FortiSOAR MEA configurations

When FortiSOAR MEA is enabled and you perform a backup of FortiAnalyzer using its UI, the FortiSOAR MEA configurations also get backed up. You can then use these backed-up configurations to restore the FortiSOAR MEA configuration.

Note

Only FortiSOAR MEA configurations are backed up; FortiSOAR MEA data is not backed up. To back up and restore both the configurations and data of FortiSOAR MEA, use the csadm db command. For more information, see the Backing up and Restoring FortiSOAR chapter in the "Administration Guide."

Troubleshooting issues faced in FortiSOAR MEA

The default Trial (Extension) license does not get installed

There might be cases when your default Trial (Extension) license does not get installed or you face an issue with license synchronization during deployment.

Resolution

Upload your license using the FortiSOAR UI and once the license is uploaded, you can install the license. If you are still facing a synchronization issue, click the Retry Sync button on the UI.

First and last name of LDAP users are repeated for successive logins by different LDAP users after the first login

Once the administrators have configured LDAP on FortiAnalyzer and added users from LDAP on FortiAnalyzer, the FortiAnalyzer has both native and LDAP users. Now, when users log in to FortiSOAR MEA using FortiAnalyzer, they might see that the first name and last name of the first LDAP user who logs in get set correctly; however, the first and last name of all LDAP users who log in after the first login get set to the first name and last name of the first LDAP user.

Resolution

Once the administrators have created LDAP users on FortiAnalyzer, they need to edit each user profile on FortiAnalyzer and clear the Match all users on remote server checkbox.