
What's New in 7.0.1

Important Notes

  1. For native Elasticsearch and Elastic Cloud deployments, FortiSIEM 7.0.0 supports Elasticsearch versions 7.17 and 8.5. If you are running a lower Elasticsearch version and upgrade to FortiSIEM 7.0.0, then Elasticsearch queries will not work. Follow these steps to upgrade your infrastructure properly.

    1. Upgrade FortiSIEM to 7.0.0.

    2. Upgrade Elasticsearch version to 7.17 or 8.5.

    3. In Admin > Setup > Storage > Online, redo Test and Deploy.

  2. AWS Elasticsearch is not supported, since AWS only offers Elasticsearch 7.10, which is lower than the required 7.17.

  3. AWS Opensearch is not supported.

  4. To support new analytical functions in Elasticsearch, the Painless scripting language is used. See https://www.elastic.co/guide/en/elasticsearch/reference/7.17/modules-scripting-painless.html for reference. If you are running Elasticsearch, add the following line to the elasticsearch.yml file on every Elasticsearch node and restart the cluster for the change to take effect. Otherwise, queries will fail.

    script.painless.regex.enabled: true

  5. 5.x Collectors will not work with FortiSIEM 6.7.2 or later. This change was made for improved security. Follow these steps to make the 5.x Collectors operational after upgrade.

    1. Upgrade the Supervisor to the latest version: 7.0.0 or higher.

    2. Copy phProvisionCollector.collector from the Supervisor to all 5.x Collectors.

      1. Log in to the Supervisor.

      2. Run the following command.

        scp /opt/phoenix/phscripts/bin/phProvisionCollector.collector root@<Collector_IP>:/opt/phoenix/bin/phProvisionCollector

    3. Update the 5.x Collector password.

      1. SSH to the Collector.

      2. Run the following command.

        phProvisionCollector --update <Organization-user-name> <Organization-user-password> <Supervisor-IP> <Organization-name> <Collector-name>

      3. Make sure the Collector ID and password are present in the file /etc/httpd/accounts/passwds on Supervisors and Workers.

    4. Reboot the Collector.

  6. This release cannot be installed with the FIPS option.

  7. For Windows and Linux Agents monitoring host performance, CMDB > Monitor Status tab is not populated in GUI.

  8. FortiSIEM 7.0.0 and later API documentation is transitioning to https://fndn.fortinet.net/index.php?/fortiapi/2627-fortisiem/. Fortinet recommends checking this link first for the latest API updates.

Key Enhancements

Rocky Linux 8.8

This release updates the Rocky Linux OS to 8.8 and includes published Rocky Linux OS updates up to July 14, 2023. The list of updates can be found at https://errata.rockylinux.org/.

The FortiSIEM Rocky Linux repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) have also been updated to include fixes up to July 14, 2023. Therefore, FortiSIEM customers running versions 6.4.1 and above can update just their Rocky Linux OS by following the procedures described in https://docs.fortinet.com/document/fortisiem/7.0.0/fortisiem-os-update-procedure/574280/fortisiem-os-update-procedure.

Optimized Incident Trigger Event Lookup

Incident Trigger Event lookup in the GUI is optimized for long-running Incidents. In previous releases, trigger events were searched over the window between First Seen Time and Last Seen Time, which can be very large if the incident keeps triggering and is not resolved. In such cases, the GUI may fail to display trigger events. In the new design, the latest 100 trigger events of an Incident are shown, over a maximum 30-day period. For ClickHouse, in addition, the eventType field is stored for every trigger event and used in the queries. Since eventType is part of the ClickHouse primary index, queries are faster (https://help.fortinet.com/fsiem/7-0-0/Online-Help/HTML5_Help/appendix-clickhouse-index-design.htm), but this additional speedup applies only to newer incidents. Consider these examples:

  • If 100 trigger events occur in the last day, then only these trigger events are shown.

  • If 50 trigger events occur on each of the last 2 days, then only these trigger events over the last 2 days are shown.

  • If 1 trigger event occurs on each of the last 100 days, then 30 trigger events are shown.
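The selection rule described above (newest 100 trigger events, looking back at most 30 days) can be written down as a small function. The following is an added example, not FortiSIEM code; the limits are the two numbers from the release note and the timestamps are constructed so that the three bullet scenarios can be reproduced.

```python
from datetime import datetime, timedelta

# Limits stated in the release note: newest 100 trigger events, at most 30 days back.
MAX_TRIGGER_EVENTS = 100
MAX_LOOKBACK_DAYS = 30


def select_trigger_events(event_times, now, max_events=MAX_TRIGGER_EVENTS,
                          max_days=MAX_LOOKBACK_DAYS):
    """Return the trigger-event timestamps that would be shown for one incident,
    newest first.  Both limits apply: only events newer than `now - max_days`
    are candidates, and at most `max_events` of those are returned."""
    cutoff = now - timedelta(days=max_days)
    recent = [t for t in event_times if cutoff < t <= now]
    recent.sort(reverse=True)
    return recent[:max_events]


def simulate(events_per_day, days, now=None):
    """Constructed scenario: an incident that fired `events_per_day` times on
    each of the last `days` days.  Returns how many trigger events the rule
    would display, so the three cases from the release note can be checked."""
    now = now or datetime(2023, 7, 14, 12, 0, 0)   # arbitrary reference time
    times = [now - timedelta(days=d, minutes=i)
             for d in range(days) for i in range(events_per_day)]
    return len(select_trigger_events(times, now))


if __name__ == "__main__":
    for per_day, days in ((100, 1), (50, 2), (1, 100)):
        print(f"{per_day} event(s)/day over {days} day(s): "
              f"{simulate(per_day, days)} trigger events shown")
```

The 30-day cutoff is applied before the 100-event cap, which is why the third scenario yields 30 rather than 100: the rule never reaches further back than 30 days, however few events that window contains.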

Bug Fixes

This release contains the following fixes and enhancements.

Bug Id | Severity | Module
  Description

929885 | Major | App Server
  Test Connectivity & Discovery may get stuck at "Database update 0%" when a few discoveries are running.

922978 | Major | Report
  ReportWorker on EventDB environments may be slow in processing events and sending summaries to ReportMaster.

914571 | Minor | Agent Manager
  phAgentManager process memory grows while receiving Kafka events, caused by a memory leak in the third-party librdkafka module. In this release, the librdkafka module has been upgraded to the latest version. Our tests show that a FortiSIEM Collector with 8 vCPU and 24GB memory can collect up to 4K EPS from Kafka.

923024 | Minor | App Server
  In the GUI, switching a user from Super Global to a specific Organization does not work unless the user belongs to all Organizations.

921351 | Minor | App Server
  Multiple Incident REST API issues are fixed:
  • JSON APIs return error responses in JSON format instead of XML format.
  • POST API filtering allows these event attributes: eventSeverity, eventSeverityCat, phIncidentCategory, incidentStatus, customer, phCustId, incidentReso, incidentId.
  • Two parameters, timeFrom and timeTo, are required for trigger event queries so that responses are returned in reasonable time. These two parameters should not be more than 1 day apart.
  For details, see FortiSIEM REST API.

918854 | Minor | App Server
  AppServer incorrectly invalidates older log integrity XML data, resulting in these files not being written to the database.

917625 | Minor | App Server
  During CMDB Merge for Windows Agents, the Windows GUID is considered for merging. This causes two different Windows Servers with different names but the same IP or GUID to be merged into the same entry in CMDB.

921662 | Minor | Data Purger
  Excessive logging by phDataPurger when it hits a Value Group lookup error fills up the /opt disk.

921628 | Minor | Elasticsearch
  In Elasticsearch, nesting of the SUM and IF functions does not work when the IF operator is >, <, >=, or <=. An example is SUM(IF(( Event Severity >= 4 ),1,0)).

921451 | Minor | Event Pulling Agents
  Azure for US Govt does not work (fails with correct credentials).

928179 | Minor | GUI
  Machine Learning Report: Windows Process Interaction Ratio does not display correct data.

927794 | Minor | GUI
  If a nested function has aggregation but the outer function is non-aggregate (e.g. LOG(SUM(X))), then the whole function is treated as non-aggregate and included in the Group By attribute list. This results in an invalid query.

924367 | Minor | GUI
  The new Entity Risk View in 7.0 shows only 10 Incidents in the time window. Now it shows all Incidents.

919768 | Minor | GUI
  Two issues are resolved for Custom Design Templates assigned to a Report Folder under Resources > Reports: (a) if you are migrating from a pre-7.0.0 release and have Custom Design Templates assigned to a Report Folder, the Report Design Template migration process will not complete; (b) a custom Report Design Template cannot be assigned to a Report Folder.

918931 | Minor | GUI
  Cannot execute a FortiSOAR Playbook or run a FortiSOAR Connector from the Analytics page.

923667 | Minor | Machine Learning
  The Machine Learning algorithm fails to predict Incident Resolution for some new Incidents.

921060 | Minor | Machine Learning
  The Machine Learning algorithm to predict Incident Resolution does not work in Service Provider installations.

929009 | Minor | Parser
  The EPS in event PH_SYSTEM_EPS_GLOBAL is calculated incorrectly.

928414 | Minor | Parser
  phParser CPU may be high if the event size is very large. This was noticed when receiving events larger than 800KB.

918150 | Minor | System
  Upgrade can fail when DNS name resolution for the Rocky Linux OS repo fails.

918654 | Enhancement | Parser
  Make phParser end-of-line (EOL) character recognition configurable for TLS syslog. The following phoenix_config.txt entry is added:

    tcp_syslog_delimiter=0x0a # or 0x00,0x0a

743793 | Enhancement | Parser
  Enable SASL_SSL (authentication plus encryption) for the Kafka producer and consumer. In this release, there is no GUI support for this. Select SASL_PLAINTEXT in the GUI and configure SASL_SSL in phoenix_config.txt with these entries:

    sasl_ssl_ca_cert=/etc/pki/kafka/ca-cert
    sasl_ssl_cert_file=/etc/pki/kafka/client_client.pem
    sasl_ssl_key_file=/etc/pki/kafka/client_client.key
    sasl_ssl_password=
    sasl_ssl_verify=true

  See Appendix > Configuration Notes > Editing phoenix_config.txt File for guidance on changing the file. On the Collector, you need to make the same change in two places:
  • Change the /opt/config/phoenix_config.txt file on the Collector and restart the Collector.
  • Make the same change in /opt/phoenix/config/collector_config_template.txt. This ensures that newly registering Collectors get the new parameters and the changes are preserved across upgrades.

914960 | Enhancement | System
  Reduce the number of CMDB backups to 1 per day to conserve space and facilitate upgrade.
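The tcp_syslog_delimiter entry from bug 918654 matters because a TLS syslog sender that terminates each record with NUL+LF would otherwise leave a trailing NUL byte inside every parsed message. The following added example (not phParser code) shows the framing logic such a setting controls: a parser for the setting value and a stream framer that splits received chunks at the configured bytes and buffers partial records across reads. It assumes, since the release note does not say so, that a comma-separated value means any listed byte ends a message; the syslog lines are constructed sample data.

```python
import re

_TOKEN = re.compile(r"0x[0-9a-fA-F]{2}")


def parse_delimiter_setting(value):
    """Turn a tcp_syslog_delimiter value ("0x0a" or "0x00,0x0a") into a set of
    delimiter byte values.  Trailing '# ...' comments are ignored.
    Assumption (not stated in the release note): a comma-separated list means
    that any one of the listed bytes terminates a message."""
    value = value.split("#", 1)[0].strip()
    delims = set()
    for token in value.split(","):
        token = token.strip()
        if not _TOKEN.fullmatch(token):
            raise ValueError(f"bad delimiter token: {token!r}")
        delims.add(int(token, 16))
    return delims


class SyslogFramer:
    """Splits a TCP/TLS byte stream into syslog messages at the configured
    delimiter bytes.  Bytes after the last delimiter are buffered until the
    next feed(), so a message split across TLS records is reassembled."""

    def __init__(self, delimiters, max_message=1 << 20):
        self._delims = frozenset(delimiters)
        self._buf = bytearray()
        self._max = max_message

    def feed(self, chunk):
        scan_from = len(self._buf)          # buffered bytes hold no delimiter
        self._buf.extend(chunk)
        messages, start = [], 0
        for i in range(scan_from, len(self._buf)):
            if self._buf[i] in self._delims:
                if i > start:               # "\x00\x0a" back to back: one message, no empty frame
                    messages.append(bytes(self._buf[start:i]))
                start = i + 1
        del self._buf[:start]
        if len(self._buf) > self._max:
            # A peer that never sends a delimiter must not grow the buffer without bound.
            raise ValueError("frame exceeds maximum size without a delimiter")
        return messages


def frame_stream(setting, chunks):
    """Run a sequence of received chunks through a framer configured from the
    given tcp_syslog_delimiter value and return the extracted messages."""
    framer = SyslogFramer(parse_delimiter_setting(setting))
    messages = []
    for chunk in chunks:
        messages.extend(framer.feed(chunk))
    return messages


if __name__ == "__main__":
    # Constructed sample: a sender that terminates each message with NUL + LF,
    # with the second message split across two TLS records.
    stream = [b"<34>Jul 14 12:00:00 host app: one\x00\n<34>Jul 14 12:00:01 host app: t",
              b"wo\x00\n"]
    print("0x0a only  :", frame_stream("0x0a", stream))
    print("0x00,0x0a  :", frame_stream("0x00,0x0a", stream))
```

With the default 0x0a the two sample messages come out with a trailing NUL byte each; with 0x00,0x0a they are clean. The size cap in feed() is the defensive part: a sender that never emits a delimiter would otherwise make the receiver buffer indefinitely.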
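Because the SASL_SSL entries from bug 743793 are edited by hand in phoenix_config.txt, it is easy to leave sasl_ssl_verify at false or to leave the client key world-readable. The following added example (not FortiSIEM code) parses the key=value entries and reports those weaknesses, then runs itself against a hardened and a weak configuration built from placeholder files in a temporary directory; the placeholder files and both configurations are constructed for the demo.

```python
import os
import stat
import tempfile

# Keys from the release note whose values must point at readable files.
FILE_KEYS = ("sasl_ssl_ca_cert", "sasl_ssl_cert_file", "sasl_ssl_key_file")


def parse_phoenix_config(text):
    """Parse key=value lines; blank lines and '# ...' comments are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def check_sasl_ssl_config(text):
    """Return a list of findings for the SASL_SSL entries; empty means sound."""
    cfg = parse_phoenix_config(text)
    findings = []
    if cfg.get("sasl_ssl_verify", "").lower() != "true":
        findings.append("sasl_ssl_verify is not 'true': the broker certificate "
                        "would not be validated, so any certificate presented "
                        "on the wire would be accepted")
    for key in FILE_KEYS:
        path = cfg.get(key, "")
        if not path:
            findings.append(f"{key} is not set")
        elif not os.path.isfile(path):
            findings.append(f"{key} points to a missing file: {path}")
    key_path = cfg.get("sasl_ssl_key_file", "")
    if key_path and os.path.isfile(key_path):
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & 0o077:
            findings.append(f"sasl_ssl_key_file is readable by group/others "
                            f"(mode {mode:04o}); expected 0600")
    return findings


def run_demo():
    """Constructed demo: placeholder CA/cert/key files in a temp dir, checked
    against a hardened config and a weak one (verify off, world-readable key,
    CA path that does not exist).  Returns both finding lists."""
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name in ("ca-cert", "client_client.pem", "client_client.key"):
            paths[name] = os.path.join(d, name)
            with open(paths[name], "w") as fh:
                fh.write("placeholder only, not real PEM material\n")
        os.chmod(paths["client_client.key"], 0o600)
        hardened = (f"sasl_ssl_ca_cert={paths['ca-cert']}\n"
                    f"sasl_ssl_cert_file={paths['client_client.pem']}\n"
                    f"sasl_ssl_key_file={paths['client_client.key']}\n"
                    "sasl_ssl_password=\n"
                    "sasl_ssl_verify=true\n")
        hardened_findings = check_sasl_ssl_config(hardened)
        os.chmod(paths["client_client.key"], 0o644)   # weaken for the second run
        weak = (f"sasl_ssl_ca_cert={os.path.join(d, 'missing-ca-cert')}\n"
                f"sasl_ssl_cert_file={paths['client_client.pem']}\n"
                f"sasl_ssl_key_file={paths['client_client.key']}\n"
                "sasl_ssl_password=\n"
                "sasl_ssl_verify=false   # weak: disables broker certificate validation\n")
        return {"hardened": hardened_findings, "weak": check_sasl_ssl_config(weak)}


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(f"{label}: {findings or 'no findings'}")
```

The same checker can be pointed at both files the note asks you to edit on a Collector, /opt/config/phoenix_config.txt and /opt/phoenix/config/collector_config_template.txt, so that the template used for newly registering Collectors is verified as well as the live file.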
