Device and OS requirements
How can I add new devices?
Customers who are already subscribed to the service and have devices onboarded can add new devices by submitting a Service Request (SR) from the SOCaaS portal and choosing Request to onboard a new device from the dropdown list. The SOC team will respond and enable new devices within three business days.
What types of devices can the service monitor?
As part of the first release of SOCaaS, FortiGate logs are monitored. Third-party device logs are not supported at this time.
If I purchased the 360 Bundle before May 3rd, 2021, what is the process to convert it to the new 360 Bundle in order to get access to the SOCaaS subscription?
The 360 Bundle has been end-of-life for a couple of quarters, and there is no process for conversion. Customers can instead purchase the à la carte 464 SKU for SOCaaS.
Is SOCaaS a FortiAnalyzer software feature that I can enable and manage independently on my on-premise FortiAnalyzer?
No. SOCaaS is not a stand-alone software feature. SOCaaS is a 24x7 managed service staffed with dedicated cybersecurity specialists and senior Fortinet engineers providing threat detection and security orchestration features, along with a customer-facing self-service portal that is fully integrated with FortiCloud. SOCaaS license SKUs are applied to the FortiGate devices that you want to monitor.
What FortiGate and FortiAnalyzer versions are supported?
FortiGate must be running FortiOS 6.4.5 or later, and the FortiGate can send logs to an on-premise FortiAnalyzer device or to FortiAnalyzer Cloud.
FortiAnalyzer 6.4.5 or later is required when sending logs to an on-premise FortiAnalyzer, and FortiAnalyzer Cloud 6.4.5 or later is required when sending logs to FortiAnalyzer Cloud.
Which FortiGate models are supported?
All active FortiGate models (except some EOS and EOL models) are supported.
How do I configure the BOTNET feature on my FortiGate?
Please follow the BOTNET Tuning Guide located here:
How do I add FortiClient logs to SOCaaS?
Please follow the instructions below to onboard your FortiClient logs to your existing SOCaaS subscription:
- You must already be subscribed to SOCaaS.
- The FortiGuard Forensics Analysis Service License is required for each FortiClient endpoint you wish to include in SOCaaS monitoring.
- Make sure your EMS is already authorized on your on-premise FortiAnalyzer or FortiAnalyzer Cloud instance and that FortiClient logs are already collected there.
- Submit a Service Request from the SOCaaS portal with the Device onboarding type, and provide your EMS serial number to initiate onboarding.
- If you are using an on-premise FortiAnalyzer, review your log forwarding configuration to SOCaaS and make sure the EMS device is selected.
- If you are using FortiAnalyzer Cloud, no action is required.
What if I don't meet the minimum requirements and don't have on-premise FortiAnalyzer or FortiAnalyzer Cloud?
A complimentary FortiAnalyzer Cloud instance is provided with the SOCaaS license and may be used if the customer does not have an on-premise FortiAnalyzer or a FortiAnalyzer Cloud instance.