
Getting Started

Beginning with FortiSIEM Cloud

The following introductory topics are available:

Logging into FortiSIEM Cloud for the First Time

From the FortiCloud portal, you can access the FortiSIEM web UI once an instance is at STATUS "Complete". To do this, select the serial number, which will open a new tab. When initially logging in, use admin for the USER ID. For the password, enter the administration password you provisioned your FortiSIEM Cloud instance with.

For information on FortiSIEM features and how to use and configure them, see the FortiSIEM Documentation Library.

Differences between FortiSIEM Cloud and FortiSIEM

Please note the following differences between FortiSIEM Cloud and FortiSIEM.

  • FortiSIEM Cloud does not offer a Licensing page from the FortiSIEM GUI. Licensing is handled automatically by the FortiCloud platform.

  • FortiSIEM Cloud does not offer a Cloud Health page from the FortiSIEM GUI. The FortiSIEM Cloud Portal provides you with high level utilization information such as how much storage is currently being used, and how much is available.

  • FortiSIEM Cloud storage is set up during provisioning and is not configurable from the FortiSIEM GUI.

The following list provides additional details on differences between FortiSIEM Cloud and customer Virtual and Hardware Appliance deployments (feature, followed by its FortiSIEM Cloud support):

  • FortiSIEM Manager: FortiSIEM Cloud does not support FortiSIEM Manager integration.

  • Console and SSH access to FortiSIEM: Not available. For any configuration that requires SSH access, customers should contact customer support.

  • Event Forwarding from FortiSIEM Super or Workers: Event Forwarding from FortiSIEM Cloud itself, via Syslog forwarding or as a Kafka Producer, is not supported. Event Forwarding via Syslog or as a Kafka Producer is supported from FortiSIEM Collectors used in conjunction with FortiSIEM Cloud.

  • FortiSIEM Cloud Health: Not available.

  • FortiSIEM License Screen: Not available.

  • Configure Storage: Not available.

  • Configure Query and Event Workers: Not available.

  • Configure "Event Worker" on Collectors: Not available.

  • Remediate Incidents: Remediation actions are supported only where the Remediation is performed via Collectors.

  • "Connect To" remote device via Collector: Not available. See the FortiSIEM Documentation Library for more information on this feature.

  • API Access: APIs associated with FortiSIEM management are not supported. For example: "Performance and Health API", "Event/Query Worker Configuration API", "Rest API to Return Worker Queue State".

  • Connectivity to FortiSIEM Cloud: HTTPS/TCP/443 is the only permitted protocol to FortiSIEM Cloud. Customers should deploy Collectors to collect events from devices; the Collectors in turn upload to FortiSIEM Cloud over HTTPS.

  • External Authentication using RADIUS, LDAP(S): External authentication requires FortiSIEM to reach the authentication provider directly. RADIUS or LDAP(S) external authentication with FortiSIEM Cloud therefore requires the RADIUS or LDAP(S) server to be reachable from FortiSIEM Cloud over the Internet. Plan firewall rules for that exposure before enabling it.

  • Custom Java or Python based Malware Feed Integration: Adding a custom Java module or custom Python script for Malware Feed Integration is not supported on FortiSIEM Cloud. See the FortiSIEM Documentation Library for more details on this feature.

Admin > Settings > Database

FortiSIEM Cloud differences:

  • Online Data and Archive Data are not available on FortiSIEM Cloud. Total Online and Archive storage usage can be monitored in the FortiSIEM Cloud portal. See Managing Your FortiSIEM Cloud Instance - Overview.

  • Online Retention Policy has been renamed to Retention Policy. On FortiSIEM Cloud, the retention policy spans the data independent of the Online Storage or Archive Storage location.

  • ClickHouse Config is not available. This is managed by FortiSIEM Cloud and is not applicable.

Analytics behavior for searches involving event source

Selecting the event source (Online or Archive) is not applicable in FortiSIEM Cloud. In FortiSIEM Cloud, queries are performed across Online and Archive storage automatically. There is no need to define if the query should be performed on Archived data separately. See Analytics Queries for more details.

Analytics Queries

FortiSIEM Cloud analytics unifies the search across the Online event data and the Archive event data. There is no need to restore data from Archive to Online to perform an analytic search; however, queries of data that is stored in the Archive will be significantly slower than Online data.

Analytic Query Concurrency

An Analytics query against the Event Database runs under any of the following conditions:

  • A user runs a Search from Analytics > Search or from Analytics > Machine Learning > Train.

  • A search runs on behalf of a user who opens a Widget Dashboard.

  • A scheduled report runs.

  • A scheduled rule runs.

  • A machine learning inference job executes.

  • A user looks up the Triggered Events for an Incident in Incidents > List View.

More FortiSIEM Compute Units (FCU) enables more Analytics queries to run in parallel. If the concurrent query limit is hit, then submitted queries wait for one or more currently running queries to finish.

The following table shows the number of concurrent queries for several FCU sizes.

FortiSIEM Compute Units (FCU)    Concurrent Queries
10                               2
20 - 30                          4
40 - 100                         8
110 - 200                        16
210 - 290                        32
300 - 600                        64
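The following simulation is an added example and is not Fortinet code or part of the FortiSIEM Cloud product. It encodes the FCU table above, then plays a constructed batch of queries (scheduled rules, an analyst search and a scheduled report) through the queue to show how long interactive searches wait for a slot at 10 FCU versus 20 FCU. The FCU sizes are assumed to be one of the values the table covers, and the query durations are invented for illustration.

```python
import heapq
from dataclasses import dataclass

# Concurrency limits as listed in the FCU table: (lowest FCU, highest FCU, concurrent queries).
# Assumption: an instance is sized at one of the FCU values the table covers; sizes that fall
# between rows are not defined on the page, so they are rejected rather than guessed.
FCU_CONCURRENCY = [
    (10, 10, 2),
    (20, 30, 4),
    (40, 100, 8),
    (110, 200, 16),
    (210, 290, 32),
    (300, 600, 64),
]


def concurrent_query_limit(fcu: int) -> int:
    """Return how many Analytics queries may run in parallel for a given FCU size."""
    for low, high, limit in FCU_CONCURRENCY:
        if low <= fcu <= high:
            return limit
    raise ValueError(f"FCU size {fcu} is not covered by the concurrency table")


@dataclass(frozen=True)
class Query:
    name: str         # a scheduled rule, a scheduled report, an analyst's search, ...
    submitted: float  # seconds after the window starts
    duration: float   # seconds the query occupies a slot once it starts


def schedule(queries, limit):
    """Simulate the queue: up to `limit` queries run at once; the rest wait for the earliest finish.

    Returns {name: (start, finish, wait)} with all times in seconds.
    """
    running = []   # min-heap of finish times for queries currently holding a slot
    timeline = {}
    for q in sorted(queries, key=lambda item: item.submitted):
        # Release slots whose query finished before this one was submitted.
        while running and running[0] <= q.submitted:
            heapq.heappop(running)
        if len(running) < limit:
            start = q.submitted
        else:
            # All slots are busy: this query starts when the earliest running query finishes.
            start = heapq.heappop(running)
        finish = start + q.duration
        heapq.heappush(running, finish)
        timeline[q.name] = (start, finish, start - q.submitted)
    return timeline


def max_wait(queries, fcu):
    """Longest time any query in the batch spends waiting for a slot at the given FCU size."""
    return max(wait for _, _, wait in schedule(queries, concurrent_query_limit(fcu)).values())


# Constructed sample workload (not measured data): two scheduled rules fire at t=0 and hold
# their slots for 30 s, an analyst search arrives at t=5 and a scheduled report at t=10.
SAMPLE_WORKLOAD = [
    Query("rule: brute-force logins", submitted=0, duration=30),
    Query("rule: new admin account", submitted=0, duration=30),
    Query("analyst search", submitted=5, duration=10),
    Query("scheduled report", submitted=10, duration=20),
]

if __name__ == "__main__":
    for fcu in (10, 20):
        limit = concurrent_query_limit(fcu)
        print(f"{fcu} FCU -> {limit} concurrent queries")
        for name, (start, finish, wait) in schedule(SAMPLE_WORKLOAD, limit).items():
            print(f"  {name:26s} start={start:5.1f}s finish={finish:5.1f}s waited={wait:4.1f}s")
```

At 10 FCU the two rule runs occupy both slots, so the analyst search submitted at t=5 does not start until t=30 (a 25 s wait) and the report waits 20 s; at 20 FCU the limit of four lets every query in this batch start the moment it is submitted. When sizing an instance, count scheduled rules and reports that fire at the same minute boundary alongside the interactive searches you expect, since all of them draw from the same pool.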
