Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Release Notes

    Home FortiSIEM 6.6.3 Release Notes
    6.6.3
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.8
    5.2.7
    5.2.6
    5.2.5
    5.2.5
    5.2.1
    5.1.2
    5.1.1
    5.1.0
    5.0.1
    4.10.0
    4.9.0

    What's New in 6.6.3

    What's New in 6.6.3

    Bug Fixes

    Bug ID

    Severity

    Module

    Description

    861196

    Major

    AI module

    phFortiInsightAI module may consume high CPU on Workers from excessive Windows logon events containing machine accounts ending with $.

    859950, 858445

    Major

    App Server

    Rule evaluation is slow when filter condition uses individual Malware and Country Group Items.

    854349

    Major

    App Server

    Malware hash update from large 100K line CSV file causes App Server CPU to go 90%.

    857967, 857550

    Major

    Rule

    RuleWorker pauses when there is a rule change and App Server is busy.

    862538

    Minor

    App Server

    Test rule does not work for approved devices that are in orgs.

    861554

    Minor

    App Server

    Custom rules for Org trigger incidents even if they are disabled for that Org.

    860517

    Minor

    App Server

    SQL Injection vulnerability in CMDB Report Display fields.

    858787

    Minor

    App Server

    Device usage counts incorrectly in enterprise environment after the upgrade from 6.4.0 to 6.6.2.

    858459

    Minor

    App Server

    App Server may generate excessive 6.4.0 false positive Collector Down events.

    857944

    Minor

    App Server

    OKTA Authentication redirects to Flash UI.

    851078

    Minor

    App Server

    Incident email notification may be slow when email is mis-configured.

    851077

    Minor

    App Server

    Incident Queries by Incident ID may time out if there are lots of Incidents stored in PostGreSQL over a long period of time.

    838600

    Minor

    App Server

    Device name change does not take effect on collectors that do not discover/monitor the device.

    853819

    Minor

    Data Purger

    When the retention policy triggers, the archive data for CUSTOMER_1 contains other orgs data.

    857192

    Minor

    Discovery

    LDAP user Discovery may hang under certain conditions.

    866669

    Minor

    ElasticSearch

    Need to handle new roles for Elasticsearch 7.17 for Test and Save Elasticsearch storage.

    854955

    Minor

    Event Pulling

    Tenable Security Center API does not work.

    841669

    Minor

    Event Pulling

    WMI/OMI event pulling may lag behind in some cases.

    862020

    Minor

    Event Pulling Agent

    Generic HTTPS Advanced Event Puller incorrectly sets lastPollTime window to local time instead of UTC.

    859767

    Minor

    GUI

    Incorrect ES Org Bucket mapping from file occurs when 10 groups are used, and there are gaps in 50,001-50,010. GUI maps Group 50,011 to 50,000.

    860571

    Minor

    Query

    PctChange function in Query fails on Clickhouse and phQueryMaster restarted.

    866034

    Minor

    Query (ClickHouse)

    Destination IP IN Networks > Group: Public DNS Servers will cause ClickHouse errors.

    864290

    Minor

    Query (Elasticsearch)

    Queries for CMDB Groups under Resources > Networks do not work.

    867816

    Minor

    System

    SSH to instance on GCP does not work.

    844287

    Minor

    System

    FortiSIEM upgrade does not backup network_param.json.

    843361

    Minor

    System

    Collector stores certain REST API responses in files.

    847099

    Enhancement

    App Server

    Enhance audit log to include device name/ip for all failed Device Outbound Integrations.

    853031

    Enhancement

    System

    Collector should not connect to Internet during fresh install.

    Known Issues

    1. Currently, Policy based retention for EventDB does not cover two event categories: (a) System events with phCustId = 0, e.g. a FortiSIEM External Integration Error, FortiSIEM process crash etc., and (b) Super/Global customer audit events with phCustId = 3, e.g. audit log generated from a Super/Global user running an adhoc query. These events are purged when disk usage reaches high watermark.

    2. FortiSIEM uses dynamic mapping for Keyword fields to save Cluster state. Elasticsearch needs to encounter some events containing these fields before it can determine their type. For this reason, queries containing group by on any of these fields will fail if Elasticsearch has not seen any event containing these fields. Workaround is to first run a non-group by query with these fields to make sure that these fields have non-null haves.

    Previous
    Next

    What's New in 6.6.3

    What's New in 6.6.3

    Bug Fixes

    Bug ID

    Severity

    Module

    Description

    861196

    Major

    AI module

    phFortiInsightAI module may consume high CPU on Workers from excessive Windows logon events containing machine accounts ending with $.

    859950, 858445

    Major

    App Server

    Rule evaluation is slow when filter condition uses individual Malware and Country Group Items.

    854349

    Major

    App Server

    Malware hash update from large 100K line CSV file causes App Server CPU to go 90%.

    857967, 857550

    Major

    Rule

    RuleWorker pauses when there is a rule change and App Server is busy.

    862538

    Minor

    App Server

    Test rule does not work for approved devices that are in orgs.

    861554

    Minor

    App Server

    Custom rules for Org trigger incidents even if they are disabled for that Org.

    860517

    Minor

    App Server

    SQL Injection vulnerability in CMDB Report Display fields.

    858787

    Minor

    App Server

    Device usage counts incorrectly in enterprise environment after the upgrade from 6.4.0 to 6.6.2.

    858459

    Minor

    App Server

    App Server may generate excessive 6.4.0 false positive Collector Down events.

    857944

    Minor

    App Server

    OKTA Authentication redirects to Flash UI.

    851078

    Minor

    App Server

    Incident email notification may be slow when email is mis-configured.

    851077

    Minor

    App Server

    Incident Queries by Incident ID may time out if there are lots of Incidents stored in PostGreSQL over a long period of time.

    838600

    Minor

    App Server

    Device name change does not take effect on collectors that do not discover/monitor the device.

    853819

    Minor

    Data Purger

    When the retention policy triggers, the archive data for CUSTOMER_1 contains other orgs data.

    857192

    Minor

    Discovery

    LDAP user Discovery may hang under certain conditions.

    866669

    Minor

    ElasticSearch

    Need to handle new roles for Elasticsearch 7.17 for Test and Save Elasticsearch storage.

    854955

    Minor

    Event Pulling

    Tenable Security Center API does not work.

    841669

    Minor

    Event Pulling

    WMI/OMI event pulling may lag behind in some cases.

    862020

    Minor

    Event Pulling Agent

    Generic HTTPS Advanced Event Puller incorrectly sets lastPollTime window to local time instead of UTC.

    859767

    Minor

    GUI

    Incorrect ES Org Bucket mapping from file occurs when 10 groups are used, and there are gaps in 50,001-50,010. GUI maps Group 50,011 to 50,000.

    860571

    Minor

    Query

    PctChange function in Query fails on Clickhouse and phQueryMaster restarted.

    866034

    Minor

    Query (ClickHouse)

    Destination IP IN Networks > Group: Public DNS Servers will cause ClickHouse errors.

    864290

    Minor

    Query (Elasticsearch)

    Queries for CMDB Groups under Resources > Networks do not work.

    867816

    Minor

    System

    SSH to instance on GCP does not work.

    844287

    Minor

    System

    FortiSIEM upgrade does not backup network_param.json.

    843361

    Minor

    System

    Collector stores certain REST API responses in files.

    847099

    Enhancement

    App Server

    Enhance audit log to include device name/ip for all failed Device Outbound Integrations.

    853031

    Enhancement

    System

    Collector should not connect to Internet during fresh install.

    Known Issues

    1. Currently, Policy based retention for EventDB does not cover two event categories: (a) System events with phCustId = 0, e.g. a FortiSIEM External Integration Error, FortiSIEM process crash etc., and (b) Super/Global customer audit events with phCustId = 3, e.g. audit log generated from a Super/Global user running an adhoc query. These events are purged when disk usage reaches high watermark.

    2. FortiSIEM uses dynamic mapping for Keyword fields to save Cluster state. Elasticsearch needs to encounter some events containing these fields before it can determine their type. For this reason, queries containing group by on any of these fields will fail if Elasticsearch has not seen any event containing these fields. Workaround is to first run a non-group by query with these fields to make sure that these fields have non-null haves.

    Previous
    Next