Fortinet black logo

Administration Guide

Collectors

Copy Link
Copy Doc ID 30b84173-e130-11ec-bb32-fa163e15d75b:235598
Download PDF

Collectors

The COLLECTORS page displays a list of the previously defined Collector Groups, which can be expanded to show the FortiEDR Collectors that each contains. Additional Collector Groups can be defined by you, as described on Defining a new Collector Group. FortiEDR Collectors automatically register with the system after installation. By default, each FortiEDR Collector is added to the Collector Group called All. You can move any Collector to another Collector Group, as described on Assigning Collectors to a Collector Group.

To access this page, click the down arrow next to INVENTORY and then select Collectors, as shown below.

The default Collector Group (to which new Collectors are automatically added) is marked with a yellow group icon . You can change to a different default Collector Group by clicking the group icon of another Collector Group.

Click the Expand icon () to expand the list and display the FortiEDR Collectors that the Collector Group contains.

The following information is provided for each Collector:

Information Field

Description

Checkbox Check this checkbox to select the Collector. You can then use one of the buttons at the top left of the window, such as the Delete button.
Collector Group Name Specifies the name of the Collector Group to which the Collector is assigned.
Device Name Specifies the device name taken from the communicating device on which the FortiEDR Collector is installed.

Last Logged

  • Specifies the last user that logged into the device on which the Collector is installed. It shows the domain of the computer/username. If this device has not been logged into, then this column is blank. In addition, if the Collector is not V3.0.0.0 or above, then this column is empty and the events from this Collector will not contain the user from which the security event was triggered.
  • OS

  • Specifies the operating system of the communicating device on which the FortiEDR Collector is installed.
  • IP

  • Specifies the IP address of the communicating device on which the FortiEDR Collector is installed.
  • MAC Address

    Specifies the physical address of the device. If a device has multiple MAC addresses, three dots (…) display. You can hover over the MAC Address to display the value (or values, in case of multiple MAC addresses) in a tooltip.

    Version

    Specifies the version of the FortiEDR Collectors installed on the communicating device.

    State

    Specifies the current state of the FortiEDR Collector. Hovering over the STATE value pops up the last time the STATE was changed. Possible value for STATE are as follows:

    State Description

    Running

    The FortiEDR Collector is up and all is well.

    Disconnected

    The device is offline, powered down or is not connected to the FortiEDR Aggregator.

    Disconnected (Expired)

    The device has not been connected for 30 or more consecutive days. Collectors in this state are not counted for licensing purposes. To see the list of Collectors in this state, click the down arrow in the Search box at the top right of the window to display the following window:

    Then, check the Show only devices that have not been seen for more than 30 days checkbox, and click the Search button. The Collectors area then displays only devices in the Disconnected (Expired) state.

    Pending Reboot After the FortiEDR Collector is installed, you may want some devices to be rebooted before the FortiEDR Collector can start running. This status means that the FortiEDR Collector is ready to run after this device is rebooted. The reboot is performed in the usual manner on the device itself.
    Disabled

    Specifies that this FortiEDR Collector was disabled in the FortiEDR Central Manager. This feature is not yet available in version 1.2.

    Degraded Specifies that the FortiEDR Collector is prevented from performing to its full capacity (for example, due to lack of resources on the device on which it is installed or compatibility issues).

    Last Seen

    Counts the number of days passed from the last time this Collector communicated with the Core.

    Collectors

    The COLLECTORS page displays a list of the previously defined Collector Groups, which can be expanded to show the FortiEDR Collectors that each contains. Additional Collector Groups can be defined by you, as described on Defining a new Collector Group. FortiEDR Collectors automatically register with the system after installation. By default, each FortiEDR Collector is added to the Collector Group called All. You can move any Collector to another Collector Group, as described on Assigning Collectors to a Collector Group.

    To access this page, click the down arrow next to INVENTORY and then select Collectors, as shown below.

    The default Collector Group (to which new Collectors are automatically added) is marked with a yellow group icon . You can change to a different default Collector Group by clicking the group icon of another Collector Group.

    Click the Expand icon () to expand the list and display the FortiEDR Collectors that the Collector Group contains.

    The following information is provided for each Collector:

    Information Field

    Description

    Checkbox Check this checkbox to select the Collector. You can then use one of the buttons at the top left of the window, such as the Delete button.
    Collector Group Name Specifies the name of the Collector Group to which the Collector is assigned.
    Device Name Specifies the device name taken from the communicating device on which the FortiEDR Collector is installed.

    Last Logged

  • Specifies the last user that logged into the device on which the Collector is installed. It shows the domain of the computer/username. If this device has not been logged into, then this column is blank. In addition, if the Collector is not V3.0.0.0 or above, then this column is empty and the events from this Collector will not contain the user from which the security event was triggered.
  • OS

  • Specifies the operating system of the communicating device on which the FortiEDR Collector is installed.
  • IP

  • Specifies the IP address of the communicating device on which the FortiEDR Collector is installed.
  • MAC Address

    Specifies the physical address of the device. If a device has multiple MAC addresses, three dots (…) display. You can hover over the MAC Address to display the value (or values, in case of multiple MAC addresses) in a tooltip.

    Version

    Specifies the version of the FortiEDR Collectors installed on the communicating device.

    State

    Specifies the current state of the FortiEDR Collector. Hovering over the STATE value pops up the last time the STATE was changed. Possible value for STATE are as follows:

    State Description

    Running

    The FortiEDR Collector is up and all is well.

    Disconnected

    The device is offline, powered down or is not connected to the FortiEDR Aggregator.

    Disconnected (Expired)

    The device has not been connected for 30 or more consecutive days. Collectors in this state are not counted for licensing purposes. To see the list of Collectors in this state, click the down arrow in the Search box at the top right of the window to display the following window:

    Then, check the Show only devices that have not been seen for more than 30 days checkbox, and click the Search button. The Collectors area then displays only devices in the Disconnected (Expired) state.

    Pending Reboot After the FortiEDR Collector is installed, you may want some devices to be rebooted before the FortiEDR Collector can start running. This status means that the FortiEDR Collector is ready to run after this device is rebooted. The reboot is performed in the usual manner on the device itself.
    Disabled

    Specifies that this FortiEDR Collector was disabled in the FortiEDR Central Manager. This feature is not yet available in version 1.2.

    Degraded Specifies that the FortiEDR Collector is prevented from performing to its full capacity (for example, due to lack of resources on the device on which it is installed or compatibility issues).

    Last Seen

    Counts the number of days passed from the last time this Collector communicated with the Core.