What's New in 6.6.3

Bug Fixes

| Bug ID | Severity | Module | Description |
|---|---|---|---|
| 861196 | Major | AI module | phFortiInsightAI module may consume high CPU on Workers from excessive Windows logon events containing machine accounts ending with $. |
| 859950, 858445 | Major | App Server | Rule evaluation is slow when filter condition uses individual Malware and Country Group Items. |
| 854349 | Major | App Server | Malware hash update from large 100K line CSV file causes App Server CPU to go to 90%. |
| 857967, 857550 | Major | Rule | RuleWorker pauses when there is a rule change and App Server is busy. |
| 862538 | Minor | App Server | Test rule does not work for approved devices that are in orgs. |
| 861554 | Minor | App Server | Custom rules for Org trigger incidents even if they are disabled for that Org. |
| 860517 | Minor | App Server | SQL Injection vulnerability in CMDB Report Display fields. |
| 858787 | Minor | App Server | Device usage counts incorrectly in enterprise environment after the upgrade from 6.4.0 to 6.6.2. |
| 858459 | Minor | App Server | App Server may generate excessive 6.4.0 false positive Collector Down events. |
| 857944 | Minor | App Server | OKTA Authentication redirects to Flash UI. |
| 851078 | Minor | App Server | Incident email notification may be slow when email is mis-configured. |
| 851077 | Minor | App Server | Incident Queries by Incident ID may time out if there are lots of Incidents stored in PostgreSQL over a long period of time. |
| 838600 | Minor | App Server | Device name change does not take effect on collectors that do not discover/monitor the device. |
| 853819 | Minor | Data Purger | When the retention policy triggers, the archive data for CUSTOMER_1 contains other orgs' data. |
| 857192 | Minor | Discovery | LDAP user Discovery may hang under certain conditions. |
| 866669 | Minor | ElasticSearch | Need to handle new roles for Elasticsearch 7.17 for Test and Save Elasticsearch storage. |
| 854955 | Minor | Event Pulling | Tenable Security Center API does not work. |
| 841669 | Minor | Event Pulling | WMI/OMI event pulling may lag behind in some cases. |
| 862020 | Minor | Event Pulling Agent | Generic HTTPS Advanced Event Puller incorrectly sets lastPollTime window to local time instead of UTC. |
| 859767 | Minor | GUI | Incorrect ES Org Bucket mapping from file occurs when 10 groups are used, and there are gaps in 50,001-50,010. GUI maps Group 50,011 to 50,000. |
| 860571 | Minor | Query | PctChange function in Query fails on ClickHouse and phQueryMaster restarted. |
| 866034 | Minor | Query (ClickHouse) | Destination IP IN Networks > Group: Public DNS Servers will cause ClickHouse errors. |
| 864290 | Minor | Query (Elasticsearch) | Queries for CMDB Groups under Resources > Networks do not work. |
| 867816 | Minor | System | SSH to instance on GCP does not work. |
| 844287 | Minor | System | FortiSIEM upgrade does not back up network_param.json. |
| 843361 | Minor | System | Collector stores certain REST API responses in files. |
| 847099 | Enhancement | App Server | Enhance audit log to include device name/ip for all failed Device Outbound Integrations. |
| 853031 | Enhancement | System | Collector should not connect to Internet during fresh install. |

Known Issues

  1. Currently, policy-based retention for EventDB does not cover two event categories: (a) System events with phCustId = 0, e.g. a FortiSIEM External Integration Error, FortiSIEM process crash etc., and (b) Super/Global customer audit events with phCustId = 3, e.g. audit log generated from a Super/Global user running an adhoc query. These events are purged when disk usage reaches the high watermark.

  2. FortiSIEM uses dynamic mapping for Keyword fields to save Cluster state. Elasticsearch needs to encounter some events containing these fields before it can determine their type. For this reason, queries containing group by on any of these fields will fail if Elasticsearch has not seen any event containing these fields. The workaround is to first run a non-group by query with these fields to make sure that these fields have non-null values.
