Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiEDR/XDR 5.2.0 Administration Guide
    5.2.0
    6.2.0
    6.0.0
    5.2.1
    5.2.0
    5.1.0
    5.0.0
    4.2.0
    4.1.1
    4.1.0

    Collectors

    Collectors

    The COLLECTORS page displays a list of the previously defined Collector Groups, which can be expanded to show the FortiEDR Collectors that each contains. Additional Collector Groups can be defined by you, as described on Defining a new Collector Group. FortiEDR Collectors automatically register with the system after installation. By default, each FortiEDR Collector is added to the Collector Group called All. You can move any Collector to another Collector Group, as described on Assigning Collectors to a Collector Group.

    To access this page, click the down arrow next to INVENTORY and then select Collectors, as shown below.

    The default Collector Group (to which new Collectors are automatically added) is marked with a yellow group icon . You can change to a different default Collector Group by clicking the group icon of another Collector Group.

    Click the Expand icon () to expand the list and display the FortiEDR Collectors that the Collector Group contains.

    The following information is provided for each Collector:

    Information Field

    Description
    Checkbox Check this checkbox to select the Collector. You can then use one of the buttons at the top left of the window, such as the Delete button.
    Collector Group Name Specifies the name of the Collector Group to which the Collector is assigned.
    Device Name Specifies the device name taken from the communicating device on which the FortiEDR Collector is installed.

    Last Logged
  • Specifies the last user that logged into the device on which the Collector is installed. It shows the domain of the computer/username. If this device has not been logged into, then this column is blank. In addition, if the Collector is not V3.0.0.0 or above, then this column is empty and the events from this Collector will not contain the user from which the security event was triggered.
    		•

    OS
  • Specifies the operating system of the communicating device on which the FortiEDR Collector is installed.
    		•

    IP
  • Specifies the IP address of the communicating device on which the FortiEDR Collector is installed.
    		•

    MAC Address

    Specifies the physical address of the device. If a device has multiple MAC addresses, three dots (…) display. You can hover over the MAC Address to display the value (or values, in case of multiple MAC addresses) in a tooltip.

    Version

    Specifies the version of the FortiEDR Collectors installed on the communicating device.

    State

    Specifies the current state of the FortiEDR Collector. Hovering over the STATE value pops up the last time the STATE was changed. Possible value for STATE are as follows:

    State Description

    Running

    		 The FortiEDR Collector is up and all is well.

    Disconnected

    		 The device is offline, powered down or is not connected to the FortiEDR Aggregator.

    Disconnected (Expired)

    The device has not been connected for 30 or more consecutive days. Collectors in this state are not counted for licensing purposes. To see the list of Collectors in this state, click the down arrow in the Search box at the top right of the window to display the following window:

    Then, check the Show only devices that have not been seen for more than 30 days checkbox, and click the Search button. The Collectors area then displays only devices in the Disconnected (Expired) state.
    Pending Reboot After the FortiEDR Collector is installed, you may want some devices to be rebooted before the FortiEDR Collector can start running. This status means that the FortiEDR Collector is ready to run after this device is rebooted. The reboot is performed in the usual manner on the device itself.
    Disabled

    Specifies that this FortiEDR Collector was disabled in the FortiEDR Central Manager. This feature is not yet available in version 1.2.
    Degraded Specifies that the FortiEDR Collector is prevented from performing to its full capacity (for example, due to lack of resources on the device on which it is installed or compatibility issues).

    Last Seen

    Counts the number of days passed from the last time this Collector communicated with the Core.
    Previous
    Next

    Collectors

    Collectors

    The COLLECTORS page displays a list of the previously defined Collector Groups, which can be expanded to show the FortiEDR Collectors that each contains. Additional Collector Groups can be defined by you, as described on Defining a new Collector Group. FortiEDR Collectors automatically register with the system after installation. By default, each FortiEDR Collector is added to the Collector Group called All. You can move any Collector to another Collector Group, as described on Assigning Collectors to a Collector Group.

    To access this page, click the down arrow next to INVENTORY and then select Collectors, as shown below.

    The default Collector Group (to which new Collectors are automatically added) is marked with a yellow group icon . You can change to a different default Collector Group by clicking the group icon of another Collector Group.

    Click the Expand icon () to expand the list and display the FortiEDR Collectors that the Collector Group contains.

    The following information is provided for each Collector:

    Information Field

    Description
    Checkbox Check this checkbox to select the Collector. You can then use one of the buttons at the top left of the window, such as the Delete button.
    Collector Group Name Specifies the name of the Collector Group to which the Collector is assigned.
    Device Name Specifies the device name taken from the communicating device on which the FortiEDR Collector is installed.

    Last Logged
  • Specifies the last user that logged into the device on which the Collector is installed. It shows the domain of the computer/username. If this device has not been logged into, then this column is blank. In addition, if the Collector is not V3.0.0.0 or above, then this column is empty and the events from this Collector will not contain the user from which the security event was triggered.
    		•

    OS
  • Specifies the operating system of the communicating device on which the FortiEDR Collector is installed.
    		•

    IP
  • Specifies the IP address of the communicating device on which the FortiEDR Collector is installed.
    		•

    MAC Address

    Specifies the physical address of the device. If a device has multiple MAC addresses, three dots (…) display. You can hover over the MAC Address to display the value (or values, in case of multiple MAC addresses) in a tooltip.

    Version

    Specifies the version of the FortiEDR Collectors installed on the communicating device.

    State

    Specifies the current state of the FortiEDR Collector. Hovering over the STATE value pops up the last time the STATE was changed. Possible value for STATE are as follows:

    State Description

    Running

    		 The FortiEDR Collector is up and all is well.

    Disconnected

    		 The device is offline, powered down or is not connected to the FortiEDR Aggregator.

    Disconnected (Expired)

    The device has not been connected for 30 or more consecutive days. Collectors in this state are not counted for licensing purposes. To see the list of Collectors in this state, click the down arrow in the Search box at the top right of the window to display the following window:

    Then, check the Show only devices that have not been seen for more than 30 days checkbox, and click the Search button. The Collectors area then displays only devices in the Disconnected (Expired) state.
    Pending Reboot After the FortiEDR Collector is installed, you may want some devices to be rebooted before the FortiEDR Collector can start running. This status means that the FortiEDR Collector is ready to run after this device is rebooted. The reboot is performed in the usual manner on the device itself.
    Disabled

    Specifies that this FortiEDR Collector was disabled in the FortiEDR Central Manager. This feature is not yet available in version 1.2.
    Degraded Specifies that the FortiEDR Collector is prevented from performing to its full capacity (for example, due to lack of resources on the device on which it is installed or compatibility issues).

    Last Seen

    Counts the number of days passed from the last time this Collector communicated with the Core.
    Previous
    Next