Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Release Notes

    Home FortiSIEM 6.4.1 Release Notes
    6.4.1
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.8
    5.2.7
    5.2.6
    5.2.5
    5.2.5
    5.2.1
    5.1.2
    5.1.1
    5.1.0
    5.0.1
    4.10.0
    4.9.0

    What's New in 6.4.1

    What's New in 6.4.1

    This document describes the additions for FortiSIEM 6.4.1 release.

    Bug Fixes and Minor Enhancements

    Bug ID

    Severity

    Module

    Description

    774397

    Major

    Data Manager

    Event files upload to Elasticsearch is slow for Organizations with large org Id.

    789843

    Major

    Performance Monitor

    Fail to get running-config from Cisco IOS devices.

    788814

    Minor

    Agent Manager

    phAgentManager process may crash if Cisco FireAMP event pulling job does not return expected value.

    788034

    Minor

    Agent Manager

    Collector may not efficiently get WMI event log if some of the Windows servers are down.

    757413

    Minor

    Agent Manager

    phAgentManager process may crash to handle some Cisco Firepower IPS events.

    795273

    Minor

    Agent Monitor

    Enabling an AWS Cloudwatch pull event may cause phAgentManager to crash on collector.

    801278

    Minor

    App Server

    The LOW and HIGH watermark log delay events (PH_DEV_MON_LOG_DEVICE_DELAY_LOW and PH_DEV_MON_LOG_DEVICE_DELAY_HIGH) are not generated reliably.

    794338

    Minor

    App Server

    New Dashboards created in Global Dashboard no longer appear after a couple of hours.

    791114

    Minor

    App Server

    ServiceNow Device Outbound Integration may fail if Installed Software Date was NULL.

    782304

    Minor

    App Server

    User with a cloned "Full Admin" role with Data Conditions defined cannot search for rules in RESOURCES > Rules.

    776214

    Minor

    App Server

    Searching currently Active Incidents generated many months ago fails in INCIDENTS > Search.

    785547

    Minor

    Data

    The ADMIN > Health > Cloud Health page sometimes times out after upgrade to 6.4.0, if there are many workers.

    779548

    Minor

    Data Purger

    phDataPurger incorrectly counts master nodes as hot nodes in AWS-managed Elasticsearch.

    791321

    Minor

    Data Purger

    Data Purger needs to handle error 404 when trying to purge non-existent ES indices.

    780688

    Minor

    GUI

    Sometimes, the user cannot reset their own password because of internal errors.

    776295

    Minor

    GUI

    GUI shows "Undefined" error when the user attempts to set a new password for a user created with the "Password Reset" field set.

    784026

    Minor

    Parser

    phParser may sometimes crash to handle some events.

    776350

    Minor

    Parser

    External protocol error (PH_PARSER_INVALID_EXT_LOG_PROTO) from collectors occurrs when OMI was configured.

    769414

    Minor

    QueryMaster

    phQueryMaster memory usage increases when FortiSIEM collects performance metrics for a large number of devices when they are all included in the Summary dashboard. This summary data is held in memory and needs to be more aggressively purged.

    793805

    Enhancement

    App Server

    Handling of Task Rest API results in excessive PostGreSQL accesses causing App Server performance issues.

    790052

    Enhancement

    Parser

    Increase the number of concurrent TLS connections handled by Parser module for syslog over TLS.

    System Upgrades

    Known Issues

    Policy Based Retention for EventDB

    Currently, Policy based retention for EventDB does not cover two event categories: (a) System events with phCustId = 0, e.g. a FortiSIEM External Integration Error, FortiSIEM process crash etc., and (b) Super/Global customer audit events with phCustId = 3, e.g. audit log generated from a Super/Global user running an adhoc query. These events are purged when disk usage reaches high watermark.

    Shutting Down Hardware

    On hardware appliances running FortiSIEM 6.6.0 or earlier, FortiSIEM execute shutdown CLI does not work correctly. Please use the Linux shutdown command instead.

    Elasticsearch Based Deployments Terms Query Limit

    In Elasticsearch based deployments, queries containing "IN Group X" are handled using Elastic Terms Query. By default, the maximum number of terms that can be used in a Terms Query is set to 65,536. If a Group contains more than 65,536 entries, the query will fail.

    The workaround is to change the “max_terms_count” setting for each event index. Fortinet has tested up to 1 million entries. The query response time will be proportional to the size of the group.

    Case 1. For already existing indices, issue the REST API call to update the setting 

    PUT fortisiem-event-*/_settings
{
  "index" : {
    "max_terms_count" : "1000000"
  }
}

    Case 2. For new indices that are going to be created in the future, update fortisiem-event-template so those new indices will have a higher max_terms_count setting

    1. cd /opt/phoenix/config/elastic/7.7

    2. Add "index.max_terms_count": 1000000 (including quotations) to the “settings” section of the fortisiem-event-template.

      Example:

      ...

        "settings": {
    "index.max_terms_count": 1000000,

      ...

    3. Navigate to ADMIN > Storage > Online and perform Test and Deploy.

    4. Test new indices have the updated terms limit by executing the following simple REST API call.

      GET fortisiem-event-*/_settings

    Previous
    Next

    What's New in 6.4.1

    What's New in 6.4.1

    This document describes the additions for FortiSIEM 6.4.1 release.

    Bug Fixes and Minor Enhancements

    Bug ID

    Severity

    Module

    Description

    774397

    Major

    Data Manager

    Event files upload to Elasticsearch is slow for Organizations with large org Id.

    789843

    Major

    Performance Monitor

    Fail to get running-config from Cisco IOS devices.

    788814

    Minor

    Agent Manager

    phAgentManager process may crash if Cisco FireAMP event pulling job does not return expected value.

    788034

    Minor

    Agent Manager

    Collector may not efficiently get WMI event log if some of the Windows servers are down.

    757413

    Minor

    Agent Manager

    phAgentManager process may crash to handle some Cisco Firepower IPS events.

    795273

    Minor

    Agent Monitor

    Enabling an AWS Cloudwatch pull event may cause phAgentManager to crash on collector.

    801278

    Minor

    App Server

    The LOW and HIGH watermark log delay events (PH_DEV_MON_LOG_DEVICE_DELAY_LOW and PH_DEV_MON_LOG_DEVICE_DELAY_HIGH) are not generated reliably.

    794338

    Minor

    App Server

    New Dashboards created in Global Dashboard no longer appear after a couple of hours.

    791114

    Minor

    App Server

    ServiceNow Device Outbound Integration may fail if Installed Software Date was NULL.

    782304

    Minor

    App Server

    User with a cloned "Full Admin" role with Data Conditions defined cannot search for rules in RESOURCES > Rules.

    776214

    Minor

    App Server

    Searching currently Active Incidents generated many months ago fails in INCIDENTS > Search.

    785547

    Minor

    Data

    The ADMIN > Health > Cloud Health page sometimes times out after upgrade to 6.4.0, if there are many workers.

    779548

    Minor

    Data Purger

    phDataPurger incorrectly counts master nodes as hot nodes in AWS-managed Elasticsearch.

    791321

    Minor

    Data Purger

    Data Purger needs to handle error 404 when trying to purge non-existent ES indices.

    780688

    Minor

    GUI

    Sometimes, the user cannot reset their own password because of internal errors.

    776295

    Minor

    GUI

    GUI shows "Undefined" error when the user attempts to set a new password for a user created with the "Password Reset" field set.

    784026

    Minor

    Parser

    phParser may sometimes crash to handle some events.

    776350

    Minor

    Parser

    External protocol error (PH_PARSER_INVALID_EXT_LOG_PROTO) from collectors occurrs when OMI was configured.

    769414

    Minor

    QueryMaster

    phQueryMaster memory usage increases when FortiSIEM collects performance metrics for a large number of devices when they are all included in the Summary dashboard. This summary data is held in memory and needs to be more aggressively purged.

    793805

    Enhancement

    App Server

    Handling of Task Rest API results in excessive PostGreSQL accesses causing App Server performance issues.

    790052

    Enhancement

    Parser

    Increase the number of concurrent TLS connections handled by Parser module for syslog over TLS.

    System Upgrades

    Known Issues

    Policy Based Retention for EventDB

    Currently, Policy based retention for EventDB does not cover two event categories: (a) System events with phCustId = 0, e.g. a FortiSIEM External Integration Error, FortiSIEM process crash etc., and (b) Super/Global customer audit events with phCustId = 3, e.g. audit log generated from a Super/Global user running an adhoc query. These events are purged when disk usage reaches high watermark.

    Shutting Down Hardware

    On hardware appliances running FortiSIEM 6.6.0 or earlier, FortiSIEM execute shutdown CLI does not work correctly. Please use the Linux shutdown command instead.

    Elasticsearch Based Deployments Terms Query Limit

    In Elasticsearch based deployments, queries containing "IN Group X" are handled using Elastic Terms Query. By default, the maximum number of terms that can be used in a Terms Query is set to 65,536. If a Group contains more than 65,536 entries, the query will fail.

    The workaround is to change the “max_terms_count” setting for each event index. Fortinet has tested up to 1 million entries. The query response time will be proportional to the size of the group.

    Case 1. For already existing indices, issue the REST API call to update the setting 

    PUT fortisiem-event-*/_settings
{
  "index" : {
    "max_terms_count" : "1000000"
  }
}

    Case 2. For new indices that are going to be created in the future, update fortisiem-event-template so those new indices will have a higher max_terms_count setting

    1. cd /opt/phoenix/config/elastic/7.7

    2. Add "index.max_terms_count": 1000000 (including quotations) to the “settings” section of the fortisiem-event-template.

      Example:

      ...

        "settings": {
    "index.max_terms_count": 1000000,

      ...

    3. Navigate to ADMIN > Storage > Online and perform Test and Deploy.

    4. Test new indices have the updated terms limit by executing the following simple REST API call.

      GET fortisiem-event-*/_settings

    Previous
    Next