Managing Your FortiSIEM Cloud Instance
Overview
To manage your FortiSIEM Cloud instance settings, such as whitelisting network CIDR blocks, managing notification settings, and adding an alternate domain, select your instance from the Instances table and click Manage to go to the Manage page.
The Manage page also shows the Events per Second rate for your FortiSIEM Cloud instance, for the last hour, day, week or month.
Viewing Online and Archive Storage Usage
FortiSIEM Cloud instances track your Online and Archive storage usage in two ways:
- Total usage, which includes both events and any system data, such as daily summary statistics.
- Stored events per day.
The total Online and Archive Storage charts show free and used space. EVENT STORAGE BY DAY is also provided, either as a chart or as a table.
Total Usage for ONLINE STORAGE and ARCHIVE STORAGE
An example of total usage for Online Storage and Archive Storage is shown here:
Used: the total amount of disk space in use. It includes events and any summary data.
Free: the amount of storage purchased, minus Used.
These statistics are updated hourly within the FortiSIEM Cloud platform.
Storage Usage by Day for Online or Archive Storage
An example of daily usage event storage (Online Event Storage by Day and Archive Event Storage by Day) is shown here:
Internally, all event data is stored in daily buckets, with day boundaries in UTC. The view shows these buckets and the storage each one currently occupies on disk. Only event data is summarized in this view, as it takes up the majority of the space available in Online or Archive storage.
In Chart mode, each bar represents the total amount of storage taken by that particular bucket.
Note: Data across the FortiSIEM Cloud platform can occasionally show storage being used by both Online and Archive for a short period on the same day; this typically occurs when data is moved from Online storage to Archive storage. Data must first move to Archive storage before being removed from Online storage. This data is refreshed hourly.
Viewing Events per Second Rate
FortiSIEM Cloud instances will monitor your Events per Second rate after provisioning. You can view this rate by either last Hour, Day, Week or Month. Simply navigate to the Manage page, and on the Events per Second widget, select the required time interval. Hovering over any points will show their underlying value for that time span.
If you wish to update your settings, click Edit. The following settings can be updated.
- Network - Updating Network CIDR
- Notifications - Updating Notification Settings with Additional Contacts
- Alternate Domain - Updating Alternate Domain Settings
Updating Network CIDR
Each FortiSIEM Cloud deployment is segmented from the others, and you provide the network Classless Inter-Domain Routing (CIDR) blocks that are whitelisted for access to the console and the ingestion routes. Both IPv4 and IPv6 CIDR blocks can be provided. Because the same list governs console and ingestion access, make sure it covers every address your administrators and collectors connect from before you apply it.
To edit Network CIDR, take the following steps.
- From the Manage page, click Edit.
- Click Network.
- Select the field below IPV4 LIST OF CIDR BLOCKS or IPV6 LIST OF CIDR BLOCKS, depending on whether you wish to modify IPv4 or IPv6 respectively, and enter a new CIDR block on a new line, or edit an existing one.
- When done, click Update to apply the new network settings.
An example of editing IPV4 LIST OF CIDR BLOCKS is provided below.
Note: This update can take some time to propagate fully.
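The following script is an added example and is not part of the FortiSIEM Cloud documentation or product. It checks a CIDR list, one entry per line as the portal expects, before you paste it into the IPV4 or IPV6 LIST OF CIDR BLOCKS field. The portal's own input validation is not described on this page; the thresholds in MIN_PREFIX, the NON_ROUTABLE ranges and the sample list are assumptions chosen for illustration.

```python
"""Check an IPv4/IPv6 CIDR whitelist before pasting it into the portal.

Added example, not from the FortiSIEM documentation. The portal's own input
validation is not described on this page; these are the checks a practitioner
wants before widening console or ingestion access: one entry per line, valid
CIDR with no host bits set, no catch-all prefix, no duplicates or overlapping
entries, and a warning for very broad or non-routable ranges.
"""
import ipaddress

# Assumed thresholds (not from the page): warn on anything broader than these.
MIN_PREFIX = {4: 16, 6: 48}
# Assumed: ranges that cannot be the source address of traffic arriving over the internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "::1/128", "fe80::/10")]


def check_cidr_list(text):
    """Validate one CIDR block per line.

    Returns {"ipv4": [...], "ipv6": [...], "errors": [...], "warnings": [...]}.
    ipv4/ipv6 hold the normalised entries that passed every hard check, in
    input order, ready to paste into the matching LIST OF CIDR BLOCKS field.
    """
    accepted = {4: [], 6: []}
    errors, warnings, seen = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)  # a bare address becomes /32 or /128
        except ValueError:
            try:
                fixed = ipaddress.ip_network(line, strict=False)
                errors.append(f"line {lineno}: {line} has host bits set; use {fixed}")
            except ValueError:
                errors.append(f"line {lineno}: {line!r} is not a valid IPv4/IPv6 CIDR")
            continue
        if net.prefixlen == 0:
            errors.append(f"line {lineno}: {net} is a catch-all and would disable the whitelist")
            continue
        # Reject entries that repeat or overlap an earlier accepted entry of the same family.
        clash = next(((s, n) for s, n in seen
                      if s.version == net.version and (net.subnet_of(s) or s.subnet_of(net))), None)
        if clash:
            s, n = clash
            rel = "duplicates" if s == net else ("is covered by" if net.subnet_of(s) else "covers")
            errors.append(f"line {lineno}: {net} {rel} {s} (line {n})")
            continue
        seen.append((net, lineno))
        accepted[net.version].append(str(net))
        if net.prefixlen < MIN_PREFIX[net.version]:
            warnings.append(f"line {lineno}: {net} is broader than /{MIN_PREFIX[net.version]}; confirm this is intended")
        if any(net.subnet_of(r) for r in NON_ROUTABLE if r.version == net.version):
            warnings.append(f"line {lineno}: {net} is non-routable and will not match traffic arriving from the internet")
    return {"ipv4": accepted[4], "ipv6": accepted[6], "errors": errors, "warnings": warnings}


# Constructed sample input (documentation ranges), not a real customer list.
SAMPLE_CIDR_LIST = """\
203.0.113.0/24
203.0.113.0/24
203.0.113.7/32
198.51.100.42
0.0.0.0/0
192.0.2.5/24
10.0.0.0/8
2001:db8:1::/48
2001:db8:1:2::/64
not-an-address
"""

if __name__ == "__main__":
    result = check_cidr_list(SAMPLE_CIDR_LIST)
    for key in ("errors", "warnings"):
        for msg in result[key]:
            print(f"{key[:-1].upper()}: {msg}")
    print("IPV4 LIST OF CIDR BLOCKS:\n" + "\n".join(result["ipv4"]))
    print("IPV6 LIST OF CIDR BLOCKS:\n" + "\n".join(result["ipv6"]))
```

Entries are rejected outright only for hard faults (unparseable, host bits set, /0, duplicate or overlapping); broad and non-routable ranges are accepted with a warning so that an intentional choice is not silently dropped. Copy the printed IPv4 and IPv6 lists into the corresponding fields one entry per line, exactly as the procedure above requires.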
Updating Notification Settings with Additional Contacts
Notification settings allow you to specify email addresses for others to receive notifications for your FortiSIEM Cloud instance. These will include early warnings for any FortiSIEM Cloud instances that are near expiration.
To edit Additional Contacts, take the following steps.
- From the Manage page, click Edit.
- Click Notifications.
- Select the field below Additional Contacts.
- Enter each email address on a new line.
- When done, click Update.
An example of editing ADDITIONAL CONTACTS is provided below.
Note: This update can take some time to propagate fully.
Updating Alternate Domain Settings
FortiSIEM Cloud instances, by default, come with a secure TLS certificate which provides HTTPS access to your console and event ingestion. These fall under the fortisiem.cloud domain. However, you can optionally provide a secondary domain to use with your FortiSIEM Cloud instance.
To update this setting, you must:
- Control the domain, so that you can create a CNAME record pointing to the FortiSIEM Cloud default route.
- Have a TLS certificate for that domain, and be able to extract its certificate, private key and any certificate authority chain to provide to the FortiSIEM Cloud portal, where they are attached to your deployment.
To update the alternate domain for your FortiSIEM Cloud instance, you must provide the private key, the certificate and, optionally, the certificate authority chain. The certificate must use one of the following cryptographic algorithms and key sizes:
- RSA 1024 bit
- RSA 2048 bit
- RSA 3072 bit
- RSA 4096 bit
- ECDSA 256 bit (API name: EC_prime256v1)
- ECDSA 384 bit (API name: EC_secp384r1)
- ECDSA 521 bit (API name: EC_secp521r1)
Although RSA 1024 bit is accepted, it is below current key-size guidance; use RSA 2048 bit or larger, or one of the ECDSA curves, so that browsers and collectors connecting to the alternate domain will trust the certificate.
Also note the following:
- The certificate must be an SSL/TLS X.509 version 3 certificate. It must contain a public key, the fully qualified domain name (FQDN) of your alternate domain, and information about the issuer.
- The certificate can be self-signed with a private key that you own, or signed by the private key of an issuing certificate authority (CA).
- If the certificate is self-signed, you must provide the private key. The private key must be no larger than 5 KB (5,120 bytes), and it must be unencrypted.
- If the certificate is signed by a CA, you must provide the private key and the certificate chain, and the cryptographic algorithm of the certificate must match the algorithm of the CA. For example, if the CA key type is RSA, then the certificate key type must also be RSA.
- The certificate must be valid at the time of upload. You cannot upload a certificate before its validity period begins or after it expires. The NotBefore field contains the validity start date, and the NotAfter field contains the end date.
Example commands to extract the certificate, private key and CA chain from a PKCS#12 (P12) file are provided in the following table. Note that -nodes writes the private key to disk unencrypted, which is the form the portal requires; protect the output files and delete them once the upload is complete. With OpenSSL 3.x, a P12 file created with the older RC2/3DES ciphers may need the -legacy option added to each command.

| Extraction | Command |
|---|---|
| Private Key | `openssl pkcs12 -in "<FILE_PATH>" -nocerts -nodes \| sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > 1_clientcert.key` |
| Certificate | `openssl pkcs12 -in "<FILE_PATH>" -clcerts -nokeys \| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > 2_clientcert.cer` |
| CA Chain | `openssl pkcs12 -in "<FILE_PATH>" -cacerts -nokeys \| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > 3_cacerts.cer` |

(The -chain option applies only when creating a P12 file with -export and is not needed when extracting from one.)
Once uploaded, the certificate is securely stored in the FortiSIEM Cloud platform.
To edit the Alternate Domain settings, take the following steps.
- From the Manage page, click Edit.
- Click Alternate Domain.
- From here, you can select File if you have a file in PKCS#12 format, or select Manual to provide the information manually.
Steps for Importing PKCS#12 Format File
To import PKCS#12 file information, you choose the certificate file from your local computer and the information is extracted from it.
Take the following steps.
- Select the File tab.
- Select Choose File and pick the PKCS#12 file.
- Enter the certificate password, or leave it blank if no password is necessary.
- Click Load.
Once the certificate is loaded, the information will be shown below.
Steps to Manually Provide Alternate Domain Information
To manually provide the information, take the following steps.
- Select the Manual tab.
- Click on the field below CERTIFICATE BODY and provide the base64 encoded certificate (PEM encoding).
- Click on the field below CERTIFICATE PRIVATE KEY and provide the base64 encoded private key (PEM encoding).
- (Optional) Click on the field below CERTIFICATE CHAIN - OPTIONAL and provide the base64 encoded CA chain (PEM encoding).
- When done, click Update.
An example of editing Alternate Domain is provided below.
Note: This update can take some time to propagate fully.
Once complete, add a new CNAME record to your domain that points to your FortiSIEM Cloud instance FQDN. This FQDN is provided on the Manage page under Super FQDN; click the Super FQDN link to copy the value to the clipboard.
Use that value as the target of the CNAME record for your alternate domain, so that the alternate domain resolves to your instance and is served correctly.
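The following script is an added example and is not part of the FortiSIEM Cloud documentation or product. It performs the extraction from a PKCS#12 file described above by driving the openssl CLI (1.1.1 or 3.x, assumed to be on PATH), then checks the resulting private key, certificate and chain against the requirements listed in this section before anything is pasted into the portal: unencrypted key of at most 5,120 bytes, key and certificate that belong together, an accepted RSA size or ECDSA curve, the alternate domain FQDN present in the certificate, and a certificate that is inside its validity period with a usable chain. The FQDN siem.example.com, the password and the file names are assumptions for illustration, and make_demo_bundle builds a constructed self-signed fixture rather than using a real customer certificate.

```python
"""Preflight for a FortiSIEM Cloud alternate-domain certificate.

Added example, not from the FortiSIEM documentation. It drives the openssl
CLI (1.1.1 or 3.x, assumed to be on PATH) to extract the private key,
certificate and CA chain from a PKCS#12 bundle, then checks them against the
requirements listed above before anything is pasted into the portal. The
FQDN, password and file names used here are assumptions for illustration.
"""
import os
import re
import subprocess
import tempfile

ACCEPTED_RSA_BITS = {1024, 2048, 3072, 4096}
ACCEPTED_EC_CURVES = {"prime256v1", "secp384r1", "secp521r1"}  # ECDSA 256/384/521 bit
MAX_KEY_BYTES = 5 * 1024


def _openssl(*args):
    """Run one openssl command without a terminal; return (exit status, stdout)."""
    r = subprocess.run(["openssl", *args], stdin=subprocess.DEVNULL,
                       capture_output=True, text=True)
    return r.returncode, r.stdout


def _pem_blocks(text, label):
    """Keep only the PEM blocks with this label (the same filtering the sed commands do)."""
    return "".join(re.findall(rf"-----BEGIN {label}-----.*?-----END {label}-----\n", text, re.S))


def extract_p12(p12_path, password, outdir):
    """Write 1_clientcert.key, 2_clientcert.cer and 3_cacerts.cer into outdir; return their paths."""
    base = ["pkcs12", "-in", p12_path, "-passin", "pass:" + password]
    parts = {"key": ("1_clientcert.key", ["-nocerts", "-nodes"], "PRIVATE KEY"),  # -nodes: unencrypted key
             "cert": ("2_clientcert.cer", ["-clcerts", "-nokeys"], "CERTIFICATE"),
             "chain": ("3_cacerts.cer", ["-cacerts", "-nokeys"], "CERTIFICATE")}
    paths = {}
    for name, (fname, flags, label) in parts.items():
        _, out = _openssl(*base, *flags)
        paths[name] = os.path.join(outdir, fname)
        with open(paths[name], "w") as f:
            f.write(_pem_blocks(out, label))
    return paths


def preflight(key_path, cert_path, chain_path, fqdn):
    """Return the list of unmet requirements; an empty list means ready to upload."""
    problems = []
    with open(key_path) as f:
        key_pem = f.read()
    if "ENCRYPTED" in key_pem:  # "BEGIN ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED"
        problems.append("private key is encrypted; the portal needs it unencrypted")
    if len(key_pem.encode()) > MAX_KEY_BYTES:
        problems.append("private key exceeds 5,120 bytes")
    # Key and certificate must match: compare the SubjectPublicKeyInfo from both sides.
    _, pub_from_cert = _openssl("x509", "-in", cert_path, "-noout", "-pubkey")
    _, pub_from_key = _openssl("pkey", "-in", key_path, "-pubout")
    if not pub_from_cert or pub_from_cert != pub_from_key:
        problems.append("private key does not match the certificate")
    # Accepted algorithm and key size.
    _, text = _openssl("x509", "-in", cert_path, "-noout", "-text")
    if "Public Key Algorithm: rsaEncryption" in text:
        m = re.search(r"Public-Key: \((\d+) bit", text)
        bits = int(m.group(1)) if m else 0
        if bits not in ACCEPTED_RSA_BITS:
            problems.append(f"RSA {bits} bit is not an accepted key size")
    elif "Public Key Algorithm: id-ecPublicKey" in text:
        m = re.search(r"ASN1 OID: (\S+)", text)
        curve = m.group(1) if m else "unknown"
        if curve not in ACCEPTED_EC_CURVES:
            problems.append(f"EC curve {curve} is not accepted (use P-256, P-384 or P-521)")
    else:
        problems.append("certificate key is neither RSA nor ECDSA")
    # The certificate must carry the alternate domain FQDN (SAN, or CN as a fallback).
    _, host = _openssl("x509", "-in", cert_path, "-noout", "-checkhost", fqdn)
    if " does match " not in host:
        problems.append(f"certificate does not cover {fqdn}")
    # NotBefore/NotAfter and chain: a self-signed cert verifies against itself,
    # a CA-signed cert against the chain that will be uploaded with it.
    anchor = chain_path if chain_path and os.path.getsize(chain_path) > 0 else cert_path
    rc, _ = _openssl("verify", "-partial_chain", "-CAfile", anchor, cert_path)
    if rc != 0:
        problems.append("certificate is outside its validity period, or its CA chain is missing or incomplete")
    return problems


def make_demo_bundle(fqdn="siem.example.com", password="demo-p12-password"):
    """Constructed fixture, not a real FortiSIEM artifact: a self-signed RSA-2048
    certificate for fqdn, packed with its key into a password-protected .p12.
    Returns (p12_path, password, workdir)."""
    work = tempfile.mkdtemp(prefix="fsiem-altdomain-")
    key, cert, p12 = (os.path.join(work, n) for n in ("demo.key", "demo.crt", "demo.p12"))
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key, "-out", cert,
             "-days", "2", "-subj", f"/CN={fqdn}", "-addext", f"subjectAltName=DNS:{fqdn}")
    _openssl("pkcs12", "-export", "-in", cert, "-inkey", key, "-out", p12,
             "-passout", "pass:" + password)
    return p12, password, work


if __name__ == "__main__":
    p12, pw, work = make_demo_bundle()
    parts = extract_p12(p12, pw, work)
    problems = preflight(parts["key"], parts["cert"], parts["chain"], "siem.example.com")
    print("ready to upload" if not problems else "\n".join("FAIL: " + p for p in problems))
```

For a real upload, replace make_demo_bundle with the path and password of your own P12 file and pass your alternate domain as the FQDN. The extracted 1_clientcert.key is unencrypted, so keep the working directory private and remove it after the portal accepts the upload.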
Scheduling Upgrades to Instances
FortiSIEM Cloud regularly releases upgrades to the underlying FortiSIEM version. These provide improved availability, performance and security to your deployment.
When an update is available, you will be notified on the Manage screen, and will be able to schedule a convenient time to upgrade.
To do this, click the Schedule/Reschedule button on the "New Version" information panel, then enter a convenient day for the upgrade to take place.
Note: Upgrades run at the time you specify. During the upgrade, access to your instance may be intermittent, and any collectors connected to your FortiSIEM Cloud instance will cache events locally and upload them once the upgrade is completed.
To upgrade, follow these steps:
- Click the Schedule/Reschedule button.
- Click the calendar icon and select the day on which you want to upgrade. The date must be at least 1 day after the current day.
- Select a time. You can choose an hour or a half-hour time frame.
- Select a UTC offset. By default, your current local offset is selected.
- Click Schedule.
The upgrade will run on your scheduled date.
External Storage
External storage lets you transfer data from your FortiSIEM Cloud instance to an external Amazon S3 bucket. Once you specify a new location and apply the provided policy to your bucket, data is automatically transferred before it is removed from Archive storage.
If you have not purchased Archive storage, data is transferred once your Online storage exceeds your purchased capacity.
Transferred data is written as gzip-compressed Parquet, which is compact once stored and can be loaded into other tools that support compressed Parquet.
Note: Transfer only occurs when data is removed because of space usage. Data removed by a retention policy is not transferred. For example, if you have enough space in Archive or Online storage and a 90-day retention policy applied, that data is removed during normal operation without being transferred.
Setting up External Storage
To set up external storage locations using Amazon S3 buckets, click New, and then provide the following information:

| Parameter | Description |
|---|---|
| ORGANIZATION ID | Provide the Organization ID, or select the TRANSFER DATA FROM ALL ORGANIZATIONS INTO A SINGLE BUCKET checkbox. Multiple bucket locations can be provided; Service Providers can copy selected data to multiple customer-owned buckets. |
| AWS S3 BUCKET NAME | Provide a bucket name with the prefix fsiemextstr-. Note: If the bucket does not start with |
| AWS S3 BUCKET DIRECTORY | Provide any additional prefixes to include for your bucket. Amazon S3 prefixes act similarly to directories; if, for example, you have multiple prefixes for different organizations, you can include them here. |
| AWS S3 DESTINATION | Provide the full path to which FortiSIEM Cloud will move data when Archive or Online storage reaches capacity. |
| AWS S3 POLICY | Copy the AWS S3 Policy to your Amazon S3 bucket. Adding this policy to your bucket allows FortiSIEM Cloud to upload data to it. |
After you have provided the necessary information, click the Add button to complete the setup.
Once Archive or Online storage reaches its capacity, data is automatically transferred to your external storage. Each location is evaluated and transferred in order. When a transfer completes, a notification shows the amount of data transferred and when the action last completed, or an error message if the transfer failed.