Known Issues for 5.3.1
FortiSIEM customers running 5.3.1 build 1668 or lower, and having license for the FortiSIEM Indicators Of Compromise (IOC) service may experience a failure to update the IOC. The following error may be received:
Update failed: No SSL Connect
This is due to a licensing issue that requires an update to be applied to FortiSIEM and a new license key installed. To get the update, please contact Fortinet Support https://support.fortinet.com/.
- The location where you pick up FortiSIEM Images has changed—the website https://imagescdn.fortisiem.fortinet.com/ is no longer available. You must obtain FortiSIEM Images from the Fortinet support site: https://support.fortinet.com/.
Follow the instructions in Downloading FortiSIEM Products to
get the FortiSIEM images.
If you are running Elasticsearch, then the upgrade from 5.2.1 or earlier to 5.3.1 requires special steps – See here. Please read these steps before beginning the upgrade process.
- The Report Server upgrade to 5.3.1 requires additional steps. See Upgrade Report Server.
- Customers using releases prior to 4.10.0 must first upgrade to 4.10.0 before upgrading to 5.3.1. Customers using release 4.10.0 can directly upgrade to 5.3.1.
- Make sure that Super, Worker, Collector, and Report Server can connect to FortiSIEM hosted CentOS repo on https port 443 under the URLs below. Otherwise, some packages may not install and 5.3.1 binaries will not run.
- Collector image upgrades can now be performed from the Supervisor.
For more information, see Upgrade the Collector Image From the Supervisor.
- The GUI settings for Archive are lost during the upgrade to 5.3.0. In earlier releases, the
user mounted the archive and defined the local mount point in FortiSIEM. In this release, however, the user
provides the archive host and exported directory and FortiSIEM performs the mount operation. This action unifies
both the online and archive database mounting operations. If you were archiving in version 5.2.8 or earlier, then
complete the following steps to recover the archive settings.
- Upgrade the Super and all Workers to FortiSIEM version 5.3.0.
- Unmount the archive.
- Delete the
/etc/fstab entry of archive setting.
- Define the archive in ADMIN > Setup > > Storage > Archive. Make sure that the Archive
host and exported directories are identical to the settings before the archive.
- Click Test and Save. FortiSIEM will now archive new events to the same location as before the upgrade.
- Delete all of the Workers in
ADMIN > License > Nodes.
- Re-add all of the Workers in ADMIN > License > Nodes.
- To remediate a vulnerability in an external module, Flex login via LDAP is disabled.