What's New in 6.4.0
This document describes the additions in the FortiSIEM 6.4.0 release.
New Features
Migration from CentOS 8 to Rocky Linux
FortiSIEM 6.4.0 and later releases will run on Rocky Linux since CentOS 8 reached End Of Life on December 31, 2021. Fresh 6.4.0 installations will run on Rocky Linux. There are no special upgrade procedures for existing customers running older FortiSIEM 6.x versions. A regular 6.4.0 upgrade will replace CentOS 8 binaries with appropriate Rocky Linux binaries.
Lookup Table JOIN for Advanced Analytics
This release enables users to define Lookup tables and then write rules and reports by joining the event database and Lookup tables. Lookup tables can be created manually, via API, or by running a CMDB or Event report on FortiSIEM. Lookup tables can contain metadata not present in events. The ability to join events with Lookup tables enables many threat hunting use cases, for example:
- look up new processes, ports, and external domains not seen in the last 2 days
- look up user logins not seen in the last 2 days
- look up VPN logins from IP addresses or countries not seen in the last 2 days
Lookup tables can be used in Analytical searches and Rules. However, if you are running Elasticsearch as the Online event database, Lookup tables cannot be used in searches; Rules can still use them.
For details on creating Lookup tables, see Adding Lookup Tables in Lookup Tables.
For details on creating Lookup tables via API, see Lookup Table Integration in the Integration API Guide.
For details on using Lookup tables in rules and reports, see LookupTableHas and LookupTableGet in Examples of Expressions.
Several pre-built Lookup tables and rules using these Lookup tables are defined. See Added Rules under Rule and Report Modifications since 6.3.3.
Content Upgrade Framework via FortiGuard Service
Currently, new FortiSIEM content such as device support via parsers, rules, and reports has to wait for a new FortiSIEM release. This release provides a content update framework that is separate from the software releases. Periodically, new FortiSIEM content will be published to FortiGuard. FortiSIEM customers with a valid Support license can download the new content, which will then be automatically deployed to the Supervisor and Workers. In this release, the user has to manually deploy it to all Collectors from the ADMIN > Health > Collector Health page.
New content covers additions or modifications to device types, event attributes and groups, parsers, rules, reports, dashboard and Fortinet Geo database.
A content update versioning scheme is deployed to keep track of updates. FortiSIEM 6.4.0 release starts with Content update version 100, which will monotonically increase with future releases.
For details on how to download and apply new content, see Content Update.
Note: For this feature to work:
- You need to allow port 443 connections from the Supervisor to update.fortiguard.net.
- A valid FortiSIEM Support License is required.
- FortiSIEM Supervisor, Workers, and Collectors must be on 6.4.0 or higher.
Agent and Collector Upgrade from Supervisor
This release enables FortiSIEM Windows Agents, Linux Agents and Collectors to be upgraded from the Supervisor node. Furthermore, up to 10 entities can be upgraded in parallel.
For details on Windows Agent upgrades, see here.
For details on Linux Agent upgrades, see here.
For details on Collector upgrades, see here.
Notes:
- For Collector upgrade, the Supervisor Name field defined in the FortiSIEM GUI at ADMIN > License > Nodes must be an IP address or an FQDN that is resolvable by the Collector.
- For this feature to work, you need to allow port 443 connections from the Supervisor to update.fortiguard.net. The Supervisor communicates with FortiGuard to download valid image hashes. FortiSIEM compares the hash and allows the upgrade to proceed if the hashes match.
This feature works with the following versions:
- FortiSIEM Supervisor (and Workers) must be 6.4.0 or higher
- FortiSIEM Windows Agent must be 4.2.0 or higher
- FortiSIEM Linux Agents must be 6.4.0 or higher
- FortiSIEM Collectors can be on 6.1.0 or higher
Native FortiSOAR Integration
Users can now run FortiSOAR Playbooks and Connectors directly from the FortiSIEM GUI. FortiSIEM will execute Playbooks and run Connectors on FortiSOAR and display the results in the FortiSIEM GUI in easy to understand terms.
For details on running Playbooks, see Playbooks.
For details on running Connectors, see Connectors.
For details on how to create Playbooks optimized for FortiSIEM, see Writing FortiSIEM Compatible FortiSOAR Playbooks in the Appendix.
The following sample playbooks are available; see FortiSOAR-FortiSIEM-Playbooks.json.
- Playbook for getting IP address reputation via VirusTotal
- Playbook for getting Domain reputation via VirusTotal, Anomali, FortiGuard, MX Toolbox, URLVoid, Alienvault OTX
- Playbook for getting URL reputation via VirusTotal, Anomali, FortiGuard, MX Toolbox, URLVoid
- Playbook for getting file hash reputation via VirusTotal
Link Graph Based Visualization
You can now visualize the search results using link graphs. A link graph shows relationships between a Source node, an Event Node and a Destination Node. You can see the relationship by mapping search result columns to link graph nodes.
For details, see Link Graph in FortiSIEM Charts and Views.
Trusted Hosts for GUI Login
You can restrict GUI login by defining a set of IP addresses in ADMIN > Settings > System > Trusted Hosts. If the field is empty, then GUI login from any IP address is allowed. However, once defined, new logins are disallowed from IP addresses outside of the defined range. Existing logins are not affected; you can force a logout from the icon in the GUI.
For details, see here.
Key Enhancements
Elasticsearch Integration Enhancements
This release provides the following enhancements targeted towards improving Elasticsearch performance when the cluster size is large.
- Create indices early to give Elasticsearch more time to load balance shards.
- Limit shards per node to aid Elasticsearch load balancing.
- Remove keyword definition to reduce Elasticsearch cluster state. This requires dynamic mapping to be enabled.
- Configurable timeout for Elasticsearch APIs. For details on configuration, see Configuring Elasticsearch Timeout in the Appendix.
- Reduce alias count to reduce Elasticsearch cluster state.
- Separate Coordinator nodes for ingest and query. For details, see Setting Up the Database under Configuring Online Event Database on Elasticsearch.
- This release extends support for Elasticsearch as external event database to 7.17.3.
Windows Agent 4.2.0
This version contains 2 enhancements:
- A GUI is provided for installing the agent. See Installing FortiSIEM Windows Agent 4.2.x in the Windows Agent 4.x.x Installation Guide.
- Ability to upgrade multiple agents in parallel from the Supervisor. See here.
Collector Cache Usage Visibility
Events are queued in a Collector when it cannot upload to Workers. When the Collector buffer becomes full, events are lost. This release provides visibility into the Collector event upload buffer.
Collector buffer sizes are displayed in ADMIN > Health > Collector Health. For details, see Viewing Collector Health.
Two thresholds are defined in ADMIN > Device Support > Custom Properties:
- collectorEventBufferLowThreshold - default value 10MB
- collectorEventBufferHighThreshold - default value 50MB
When the Collector total buffer crosses the high threshold (collectorEventBufferHighThreshold), the event PH_AUDIT_COLLECTOR_EVENT_BUFFER_HIGH is generated.
If the Collector buffer falls below the low threshold (collectorEventBufferLowThreshold) after crossing the high threshold, then the event PH_AUDIT_COLLECTOR_EVENT_BUFFER_LOW is generated.
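The two-threshold behaviour above, modelled as an added example (Python written for this note, not FortiSIEM's own code): it replays a constructed series of buffer-size samples and shows when each audit event would fire, and how long the buffer stayed high. The sampling loop, the strict comparisons and the tuple output format are assumptions.

```python
"""Collector event-buffer threshold events, modelled with hysteresis.

HIGH fires when the total buffer crosses the high threshold; LOW fires only
after a HIGH, once the buffer has fallen below the low threshold. A buffer
that hovers between the two thresholds raises nothing, so one fill/drain
cycle yields exactly one HIGH and one LOW.
"""

MB = 1024 * 1024
# Defaults of the two custom properties in ADMIN > Device Support > Custom Properties.
COLLECTOR_EVENT_BUFFER_LOW_THRESHOLD = 10 * MB
COLLECTOR_EVENT_BUFFER_HIGH_THRESHOLD = 50 * MB

HIGH_EVENT = "PH_AUDIT_COLLECTOR_EVENT_BUFFER_HIGH"
LOW_EVENT = "PH_AUDIT_COLLECTOR_EVENT_BUFFER_LOW"


def buffer_threshold_events(samples, low=COLLECTOR_EVENT_BUFFER_LOW_THRESHOLD,
                            high=COLLECTOR_EVENT_BUFFER_HIGH_THRESHOLD):
    """Return (sample_index, event_type) pairs for a series of total buffer sizes in bytes.

    Assumption: "crosses" means strictly greater than the high threshold and
    "falls below" means strictly less than the low threshold.
    """
    if low >= high:
        raise ValueError("low threshold must be below high threshold")
    events = []
    above_high = False  # True between a HIGH event and the LOW event that ends it
    for i, size in enumerate(samples):
        if not above_high and size > high:
            events.append((i, HIGH_EVENT))
            above_high = True
        elif above_high and size < low:
            events.append((i, LOW_EVENT))
            above_high = False
    return events


def high_episodes(events):
    """Pair each HIGH with the LOW that ends it as (start, end); end is None if still high.

    Useful for alerting on how long a Collector has been unable to drain its buffer.
    """
    episodes, start = [], None
    for i, kind in events:
        if kind == HIGH_EVENT:
            start = i
        elif kind == LOW_EVENT and start is not None:
            episodes.append((start, i))
            start = None
    if start is not None:
        episodes.append((start, None))
    return episodes


# Constructed samples (bytes): fill past 50 MB, hover between the thresholds,
# drain below 10 MB, then a small bump that never reaches the high threshold again.
SAMPLE_BUFFER_SIZES = [0, 5 * MB, 30 * MB, 55 * MB, 60 * MB, 40 * MB,
                       20 * MB, 12 * MB, 8 * MB, 15 * MB, 9 * MB]

if __name__ == "__main__":
    evs = buffer_threshold_events(SAMPLE_BUFFER_SIZES)
    for idx, kind in evs:
        print(f"sample {idx}: {SAMPLE_BUFFER_SIZES[idx] // MB} MB -> {kind}")
    print("high episodes (start, end):", high_episodes(evs))
```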
OAuth based SMTP Authentication
This release enables FortiSIEM to authenticate via OAuth for sending notification emails.
For details, see Authentication under Email Settings.
NFS Version Auto-Negotiation Enabled by Default for FortiSIEM EventDB
For new installations, FortiSIEM will attempt to use the highest NFS version supported between FortiSIEM and NFS server, instead of defaulting to version 3.
Install and Upgrade Logging Enhancements
In the ansible log, only errors are shown in red to help the user focus on important issues.
System Upgrade
Linux is upgraded to the latest Rocky Linux 8.5 release of Nov 15, 2021. Redis is upgraded to 6.2.26. PostgreSQL is upgraded to 13.5. Vulnerable log4j-core-2.x versions are upgraded to the latest 2.17.1.
HDFS Integration Enhancements
In this release, performance of the HDFS real time archive and non-real time archive from Elasticsearch is improved. Note the HDFS resource allocation suggestions in the Sizing Guide.
New Device Support
Bug Fixes and Minor Enhancements
Bug ID | Severity | Module | Description
---|---|---|---
749146 | Major | Discovery and PerfMonitor | WMI integration threw a system error after Windows Update KB5005573 due to auth level.
753455 | Major | System | Non-real time NFS archive failed as /archive is owned by root instead of admin.
762085 | Minor | Agent Manager | Proofpoint SIEM API poller tried to poll an interval greater than 1 hour, which caused an API error on initial polling.
757413 | Minor | Agent Manager | Cisco Firepower IPS event pulls could cause phAgentManager to crash.
747005 | Minor | Agent Manager | Box.com event pulling execution could fail after running for a period of time.
744215 | Minor | Agent Manager | Office365 events were not received in the order they were created, causing follow_by rules to not trigger.
693219 | Minor | Agent Manager | Cisco FireSIGHT with Estreamer Integration failed if a password had special characters.
771937 | Minor | App Server | PH_AUDIT_CASE_CREATED event sometimes referenced the wrong Organization.
765944 | Minor | App Server | No event types showed when the user logged in as a cloned full admin user with data conditions.
759638 | Minor | App Server | Collector health showed normal even when the httpd process was down on the Collector.
757207 | Minor | App Server | Elasticsearch: When a customer ran one query in a specific organization in super global, the result contained events from other organizations.
754267 | Minor | App Server | FortiGuard External Integration error message incorrectly stated "0 incidents comments are updated".
753940 | Minor | App Server | Collectors could not always receive parser updates from the GUI.
753905 | Minor | App Server | After upgrade, Custom Report Bundles could not be scheduled. System Report Bundles worked fine.
753750 | Minor | App Server | Baseline reports scheduled execution failed if notification was set.
753193 | Minor | App Server | Export query result would fail if the result id was saved first.
751756 | Minor | App Server | Custom JDBC perf jobs, after upgrade, would sometimes not work correctly.
751365 | Minor | App Server | Sometimes custom and cloned reports could not be exported because of a very large report id.
749229 | Minor | App Server | If a rule was deleted, then the old Incident name became empty.
746594 | Minor | App Server | PDF export did not work if the report logo PNG was saved as SVG.
741933 | Minor | App Server | Incident queries could sometimes fail as Time Range was not ignored when searching an Incident by ID at the INCIDENTS tab.
741036 | Minor | App Server | After an upgrade, Linux agent Event Status was empty on the Agent Health page.
734975 | Minor | App Server | Report bundle containing reports over 90 days did not work.
733272 | Minor | App Server | With a Disaster Recovery environment, Online Data on Secondary didn't show information correctly.
732308 | Minor | App Server | On the Jobs and Errors page under an Org, a user could see data from another Org.
714176 | Minor | App Server | The Last Successful attribute from the CMDB Monitor Status tab was not reset properly.
653427 | Minor | App Server | Watchlist Export failed in CSV format (Note: PDF format export succeeds).
635725 | Minor | App Server | UEBA / Attack dashboard: After drilling down on a trend chart, the number in the bar chart did not match the real incident number.
633790 | Minor | App Server | Events did not pick up organization change from the GUI. For example, events still belonged to Super/local after moving one device from super/local to org2.
602350 | Minor | App Server | The HTTP header X-Forwarded-For allowed spoofing of the client address.
516944 | Minor | App Server | Same-site cookie attribute support should be added to protect against CSRF and XSSI.
762483 | Minor | Data | Event attribute type mismatch between Elasticsearch and FortiSIEM caused events to be dropped by Elasticsearch.
759506 | Minor | Data | Zeek Parser parsing issues occurred due to JSON Function Change.
756601 | Minor | Data | CarbonBlack CEF did not handle severity properly.
752064 | Minor | Data | FortiSandbox related logs from FortiOS were not parsed into the expected event types.
749921 | Minor | Data | ForeScout CounterACT Parser needed to be extended to handle syslog PRI and the date information that follows.
741281 | Minor | Data | Event parse status of event Win-Security-4688 was 0 (Failed) instead of 1 (Success).
762148 | Minor | DataManager | Elasticsearch event insert error occurred when an event attribute mapped to Elasticsearch keyword type was larger than 32KB.
760658 | Minor | DataManager | There should be an enforced limit for Elasticsearch bulk upload size (MB).
760247 | Minor | DataManager | custId 0 indices were not created in Elasticsearch.
758570 | Minor | DataManager | If the current Elasticsearch index became read-only, it shouldn't drop events.
758031 | Minor | DataManager | There should be more detailed logging for Elasticsearch event insert failures.
754713 | Minor | DataManager | Sometimes DataManager did not parse an Elasticsearch response containing errors and the events were dropped.
758573 | Minor | DataPurger | Elasticsearch force merge should be disabled.
751920 | Minor | DataPurger | Elasticsearch user defined ILM configuration could get accidentally overwritten by the default configuration.
762377 | Minor | Discovery | Sometimes FortiGate Test Connectivity showed blank results even though discovery succeeded.
762343 | Minor | Discovery | FortiGate REST API Test Connectivity did not get the right host name.
747264 | Minor | Discovery | For FortiGate, Interface Alias was set to the Interface Description instead of the Interface Name.
746174 | Minor | Discovery | Active Directory discovery displayed UID instead of CN as part of the name.
743803 | Minor | Discovery | Custom Configuration File Monitoring File I/O Error occurred.
644096 | Minor | Discovery | AES256 and SHA256 should be enabled for SNMPv3.
764947 | Minor | GUI | Incident explorer trend chart would not update when the org was changed.
762141 | Minor | GUI | Query filter was incorrect when the user clicked the Report button to query Proofpoint events.
760742 | Minor | GUI | Archive clear button did not clear the Real time archive setting.
755140 | Minor | GUI | Some INCIDENTS tab page views would jump back and forth between pages without user input.
746515 | Minor | GUI | Some Windows/Linux Agent setup properties would disappear when the user clicked the Back button and returned.
741088 | Minor | GUI | Worker hostname showed empty on the GUI after upgrading to 6.3.1.
737889 | Minor | GUI | Adding a worker node was not working consistently.
734269 | Minor | GUI | Too many Test events during Custom Parser testing could cause the Parser test to respond with a 502 error code and browser timeout.
685148 | Minor | GUI | STM monitor for HTTP type only treated 200-204 as success.
616819 | Minor | HDFS Mgr | HDFS: Spark exception caused archive failure.
752719 | Minor | Java Query Server | Java Query Server did not log detailed exception/error messages when UpdateLookupAction failed in Elasticsearch.
752577 | Minor | Java Query Server | Pre-computed results were not calculated for scheduled report bundles in Elasticsearch.
733201 | Minor | Java Query Server | Elasticsearch did not return search results for queries involving a Business Service whose name contains a space.
689695 | Minor | Java Query Server | User was unable to export or preview a long running Report in Elasticsearch.
740131 | Minor | Linux Agent | Linux Agent: SELinux configuration was overwritten by agent restart.
772056 | Minor | Parser | Unchecked object type inside JSON could cause the parser to crash. Observed with some Office365 events where the JSON value was a string and not an object.
764939 | Minor | Parser | Optimize error log generation when the Kafka forward target was unavailable.
753476 | Minor | Parser | Windows Agent DHCP Parser did not work if translation patterns were not defined.
751097 | Minor | Parser | JSON in fields from Palo Alto Parser caused issues with parsing.
749423 | Minor | Parser | In error handling, WMI passwords appeared in logs in cleartext.
738620 | Minor | Parser | Rules with Group By Reporting IP did not work as expected.
734905 | Minor | Parser | The license enforcement time window was not synced to EPS reporting. This could result in erroneous EPS values.
733503 | Minor | Parser | Destination IP and Name were parsed incorrectly in DNS ANALYTICAL log with FortiSIEM Agent DNSParser.
743988 | Minor | PerfMonitor | Cleartext password appeared in a mysql phoenix.log entry.
768063 | Minor | PerfMonitor | Custom Configuration File Monitoring would fail if the script had no output.
756182 | Minor | PerfMonitor | Slow memory leak occurred when monitoring Cisco Meraki devices via SNMP.
755665 | Minor | PerfMonitor | FortiGate Config Pulling did not occur when using REST API + SSH credentials.
764757 | Minor | PhMonitor | phQueryMaster always got an HTTP 502 error from the REST cache during startup.
766723 | Minor | Query Engine | Data from the Incident index could not be queried after Elasticsearch upgrade from 6.8 to 7.15.
740924 | Minor | Query Engine | Very large events (greater than 3KB) were not displayed in realtime search.
766624 | Minor | System | phProvision.sh script ran unnecessarily.
761496 | Minor | System | FortiSIEM admin user's default shadow password appeared in plaintext even though the account was locked.
760693 | Minor | System | phEventExport utility could not export events from NFS /archive.
759541 | Minor | System | FSM-2000G: Serial console output did not work.
755085 | Minor | System | 6.3.2 Upgrade was slow because of unoptimized SQL queries for Incident table cleanup.
753468 | Minor | System | After upgrade, the user defined Report logo was not displayed in ADMIN > Settings > System > UI.
748362 | Minor | System | Failed to install FortiSIEM 6.3.1.0338 on Nutanix platform.
741808 | Minor | System | FSM in an AWS environment with IPv6 VPC did not automatically assign the DHCPv6 IPv6 address assigned by AWS.
741254 | Minor | System | FortiSIEM timezone was not the same as configured via the configFSM.py script.
737516 | Minor | System | NFS /data mount was removed by the EventDB Online Storage test in the GUI.
738265 | Minor | System | In a Disaster Recovery environment, pre-computed results were not synced to Secondary.
762137 | Minor | Windows Agent | Windows Agent stopped sending DNS logs when the DNS log file rotated.
720675 | Minor | Windows Agent | Windows Agent UEBA FINS feature didn't parse multibyte characters.
743163 | Enhancement | Agent Manager | SQL Server monitoring did not work for SQL Server Clusters.
760439 | Enhancement | App Server | The incident processing for ServiceNow/Connectwise integration should be optimized.
739201 | Enhancement | App Server | Elasticsearch query interface between the GUI and Elasticsearch for long running queries should be optimized.
739061 | Enhancement | App Server | Malware Feed downloads saved files in /data/cache and could impact EventDB performance. They should be moved to /opt/phoenix/cache.
733809 | Enhancement | App Server | External REST API Query did not return the phSubIncidentCategory attribute.
682049 | Enhancement | App Server | Updated report was not reflected in the corresponding dashboard.
611737 | Enhancement | App Server | Add user org level CMDB Group under ADMIN > Settings > Discovery > CMDB Group.
763976 | Enhancement | Data | Add OT Ports in Resources.
756862 | Enhancement | Data | Parse additional Office365 Audit Log Events.
751433 | Enhancement | Data | CarbonBlack CEF parser needs minor adjustment in parsed attributes.
747379 | Enhancement | Data | Proofpoint event structure has changed, requiring a parser update.
744604 | Enhancement | Data | Need to update TrendMicro DeepSecurity Parser for the Chinese version.
743660 | Enhancement | Data | Fine tuning for LogBinder SharePoint Events in WinOSWMI Parser needed.
741394 | Enhancement | Data | McAfee EPO Parsing: another unhandled XML tag type needs to be addressed.
740501 | Enhancement | Data | WinOSWMIParser needs to trim the trailing dot from Destination Host Name when parsing DNS logs.
740353 | Enhancement | Data | Add all MS SQL Server Event IDs.
662940 | Enhancement | Data | Windows Agent Parser needs to parse more attributes for Security Event IDs 6272 and 6273 for Windows Server 2016.
739051 | Enhancement | GUI | Remove QueryWorker and EventWorker dependency. These two lists should work independently.
718180 | Enhancement | GUI | Summary Dashboard > Geo Map View should show the pin location.
735952 | Enhancement | Java Query Server | For Elasticsearch, expressions using COUNT DISTINCT in Display Fields should be evaluated.
759086 | Enhancement | Parser | Create new FortiSoarCefParser to handle the 7.0.1 format change.
759076 | Enhancement | Parser | Some Palo Alto logs were not parsed correctly.
752461 | Enhancement | Parser | IPFIX and NetFlow V9: Source MAC and Destination MAC were not parsed.
744013 | Enhancement | PerfMonitor | FortiGate REST API Credential needs to support a custom HTTPS port other than 443.
760628 | Enhancement | PerfMonitor | HP/3Com switch router config pull script needs a larger buffer for it to work.
653949 | Enhancement | System | Support Geo IP import in IPv6 format.
722473 | Enhancement | Windows Agent | UEBA Agent needs to capture File Deletion action on USB drive.
Rule and Report Modifications since 6.3.3
The following rules were added:
- Emotet Malware Activity Detected by FortiClient
- Emotet Malware Activity Detected on Host
- Emotet Malware Activity Detected on Network
- Emotet Suspicious File Hash Found by Forticlient
- Emotet Suspicious File Hash Found on Host
- Emotet Suspicious File Hash Found on Network
- FortiSIEM: Too Many Unknown Events
- Log4J Exploit Request Detected By Regex
- Log4J Exploit Request Detected on Host by Fortinet Products
- Log4J Exploit Request Detected on Network by Fortinet Products
- Oracle OCI: Customer Secret Key Created
- Oracle OCI: Group Created
- Oracle OCI: Policy Created
- Oracle OCI: Policy Deleted
- Oracle OCI: User Activated MFA
- Oracle OCI: User Added to a Group
- Oracle OCI: User API Key Created and Uploaded
- Oracle OCI: User Auth Token Created
- Oracle OCI: User Created
- Oracle OCI: User Deleted
- Oracle OCI: User Disabled MFA
- Oracle OCI: User OAuth Client Credential Created
- Oracle OCI: User SMTP Credentials Created
- Uncommon AWS Console Login
- Uncommon Azure Portal Login
- Uncommon GSuite Login
- Uncommon Linux process Created
- Uncommon Office365 Mail Login
- Uncommon Server Login
- Uncommon VPN Login
- Uncommon Windows process Created
- Windows DNS Server: Suspicious DNS Traffic Resolved
The following reports were added:
- Emotet Malware Activity Detected by FortiClient
- Emotet Malware Activity Detected on Host
- Emotet Malware Activity Detected on Network
- Emotet Suspicious File Hash Found by Forticlient
- Emotet Suspicious File Hash Found on Host
- Emotet Suspicious File Hash Found on Network
- Log4J Exploit Request Detected By Regex
- Log4J Exploit Request Detected on Host by Fortinet Products
- Log4J Exploit Request Detected on Network by Fortinet Products
- Oracle OCI: Failed Login Details
- Oracle OCI: Groups Created
- Oracle OCI: Groups Deleted
- Oracle OCI: MFA Activation History
- Oracle OCI: Password Change History
- Oracle OCI: Policies Created
- Oracle OCI: Policies Deleted
- Oracle OCI: Successful Login Details
- Oracle OCI: Top Create Events by Principal
- Oracle OCI: Top Delete Events by Principal
- Oracle OCI: Top Event Types by Count
- Oracle OCI: Top Events by Country
- Oracle OCI: Top Identity Events by Principal
- Oracle OCI: Top Identity Events by Source IP
- Oracle OCI: User Key and Token Creation History
- Oracle OCI: Users Created
- Oracle OCI: Users Deleted
- Top AWS Console login
- Top Azure Portal login
- Top GSuite login
- Top Linux Process Executions
- Top O365 Mail login
- Top Server Login
- Top VPN login
- Top Windows Process Created
Known Issues
- Currently, Policy based retention for EventDB does not cover two event categories: (a) System events with phCustId = 0, e.g. a FortiSIEM External Integration Error, FortiSIEM process crash etc., and (b) Super/Global customer audit events with phCustId = 3, e.g. audit log generated from a Super/Global user running an adhoc query. These events are purged when disk usage reaches the high watermark.
- On hardware appliances running FortiSIEM 6.6.0 or earlier, the FortiSIEM execute shutdown CLI command does not work correctly. Please use the Linux shutdown command instead.
- App Server may fail to restart after a FortiSIEM reboot or App Server restart. Perform the following workaround to bring up App Server.
  - Clean up the App Server cache by running the following commands.
    # su admin
    $ cd /opt/glassfish/domains/domain1/
    $ rm -rf generated/
    $ rm -rf osgi-cache/
  - Restart App Server by running the following commands.
    $ cat /opt/glassfish/domains/domain1/config/pid
    $ kill -9 $(cat /opt/glassfish/domains/domain1/config/pid)
- If you execute a FortiSOAR playbook on an event or incident, and you click the "details" button to display the playbook raw JSON response, under some conditions with empty values it may not display. Please contact Fortinet support for a patch that will resolve this issue.
- If you execute a FortiSOAR connector from the ANALYTICS tab, you may, under some conditions, receive an "Unknown" pop-up error immediately after clicking execute. Please contact Fortinet support for a patch that will resolve this issue.
- After upgrading a collector, the ADMIN > Health > Collector Health page shows an incorrect Upgrade Version and Install Status. After a successful upgrade from 6.3.3 to 6.4.0, Upgrade Version should be 6.4.0 and Install Status should be Success. However, it currently shows Upgrade Version as 6.3.3 and Install Status as N/A. To check whether the upgrade completed successfully, check the Version flag, which should be 6.4.0. (Bug 773473)
- If you re-upload your license, then the Java Query Server process on the Supervisor does not automatically restart. The workaround is to manually restart the Java Query Server processes. (Bug 773578)
- There is a known issue with the Elasticsearch rollup search API when sorting AVG (https://github.com/elastic/elasticsearch/issues/58967). Therefore, do not use pre-compute Elasticsearch queries that have ASC or DESC on AVG().
- In the GUI, the ADMIN > Health > Cloud Health page may time out if there are many Workers. (Bug 785547)
- The Query Master process can consume significant memory if there is a large number of devices with performance metrics to be shown in the Summary dashboard. This may cause the Supervisor to be unresponsive. (Bug 769414)
- Cisco FireAMP log pulling can cause the Agent Manager process to crash under some circumstances. (Bug 757413)
- After an upgrade, the Java Query Server may load older libraries, causing connection timeouts with Elasticsearch. This may cause queries to fail. (Bug 783844)
- The Collector may not efficiently get WMI events if there is a large number of Windows Servers to poll and some of the Windows Servers are down. Log pulling may fall behind; this is caused by a large timeout in one of the WMI calls. (Bug 788034)
- In the GUI, attempting to set a new Password for a user created with the "Password Reset" field set may fail, showing an "Undefined" Error. (Bug 776295)
- FortiSIEM failed to get running-config from Cisco IOS devices. (Bug 789843)
- DeviceToCMDBAttr(Reporting IP : Importance) display condition does not return the default importance value. (Bug 779188)
- Content Update Install may randomly return "Operation failed." However, subsequent retries succeed without issues. (Bug 788973)
- In Elasticsearch based deployments, queries containing "IN Group X" are handled using an Elasticsearch Terms Query. By default, the maximum number of terms that can be used in a Terms Query is set to 65,536. If a Group contains more than 65,536 entries, the query will fail.
  The workaround is to change the "max_terms_count" setting for each event index. Fortinet has tested up to 1 million entries. The query response time will be proportional to the size of the group.
  Case 1. For already existing indices, issue the following REST API call to update the setting:
    PUT fortisiem-event-*/_settings
    {
      "index" : {
        "max_terms_count" : "1000000"
      }
    }
  Case 2. For new indices that are going to be created in the future, update fortisiem-event-template so those new indices will have a higher max_terms_count setting:
  - cd /opt/phoenix/config/elastic/7.7
  - Add "index.max_terms_count": 1000000 (including quotation marks) to the "settings" section of the fortisiem-event-template. Example:
    ...
    "settings": {
      "index.max_terms_count": 1000000,
    ...
  - Navigate to ADMIN > Storage > Online and perform Test and Deploy.
  - Test that new indices have the updated terms limit by executing the following simple REST API call.
    GET fortisiem-event-*/_settings
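An added helper for the max_terms_count workaround above (Python written for this note, not Fortinet code): it reads a GET fortisiem-event-*/_settings response, reports the indices whose terms limit is below a given group size, and builds the Case 1 PUT body and the Case 2 template change. The index names are constructed samples; the 65,536 fallback is Elasticsearch's default for index.max_terms_count.

```python
"""Check and patch index.max_terms_count for FortiSIEM event indices.

Works on the JSON bodies of the REST calls used in the workaround, so it runs
offline on constructed samples:
- GET fortisiem-event-*/_settings  -> find_indices_below_limit()
- PUT fortisiem-event-*/_settings  -> settings_update_body()
- fortisiem-event-template         -> patch_template_settings()
"""
import copy
import json

ES_DEFAULT_MAX_TERMS = 65536  # Elasticsearch default when the index does not override it


def index_max_terms(index_settings):
    """Return the effective max_terms_count for one index entry of a _settings response.

    Elasticsearch reports the value as a string, nested under "index" by default
    or flattened as "index.max_terms_count" when flat_settings is requested.
    """
    settings = index_settings.get("settings", {})
    raw = settings.get("index", {}).get("max_terms_count")
    if raw is None:
        raw = settings.get("index.max_terms_count")
    return ES_DEFAULT_MAX_TERMS if raw is None else int(raw)


def find_indices_below_limit(settings_response, group_size):
    """Sorted names of indices whose terms limit cannot hold a Group with group_size entries."""
    return sorted(name for name, entry in settings_response.items()
                  if index_max_terms(entry) < group_size)


def settings_update_body(limit):
    """Body for PUT fortisiem-event-*/_settings (Case 1: existing indices)."""
    return {"index": {"max_terms_count": str(limit)}}


def patch_template_settings(template, limit):
    """Copy of the index template with index.max_terms_count set in its "settings" section (Case 2).

    Deep-copies so the caller's template dict is left untouched.
    """
    patched = copy.deepcopy(template)
    patched.setdefault("settings", {})["index.max_terms_count"] = limit
    return patched


# Constructed sample of a GET fortisiem-event-*/_settings response for two indices:
# one already raised to 1,000,000, one still on the Elasticsearch default.
SAMPLE_SETTINGS_RESPONSE = {
    "fortisiem-event-2022.05.01-000001": {
        "settings": {"index": {"number_of_shards": "5", "max_terms_count": "1000000"}}
    },
    "fortisiem-event-2022.05.02-000002": {
        "settings": {"index": {"number_of_shards": "5"}}
    },
}

if __name__ == "__main__":
    needs_update = find_indices_below_limit(SAMPLE_SETTINGS_RESPONSE, 100_000)
    print("indices below the required terms limit:", needs_update)
    print("PUT body:", json.dumps(settings_update_body(1_000_000)))
    print("patched template:", json.dumps(
        patch_template_settings({"settings": {"number_of_shards": 5}}, 1_000_000)))
```

Running it against the live cluster means fetching the _settings response from the Supervisor's Elasticsearch endpoint and feeding the decoded JSON to find_indices_below_limit.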