What's New in 7.0.1
Important Notes
- For native Elasticsearch and Elastic Cloud deployments, FortiSIEM 7.0.0 supports Elasticsearch versions 7.17 and 8.5. If you are running a lower Elasticsearch version and upgrade to FortiSIEM 7.0.0, then Elasticsearch Queries will not work. Follow these steps to properly upgrade your infrastructure.
  - Upgrade FortiSIEM to 7.0.0.
  - Upgrade Elasticsearch to version 7.17 or 8.5.
  - In Admin > Setup > Storage > Online, redo Test and Deploy.
- AWS Elasticsearch is not supported, since AWS only supports Elasticsearch 7.10, which is lower than the required 7.17.
- AWS OpenSearch is not supported.
- To support new analytical functions in Elasticsearch, the Painless scripting language is used. See https://www.elastic.co/guide/en/elasticsearch/reference/7.17/modules-scripting-painless.html for reference. If you are running Elasticsearch, then add the following line to the elasticsearch.yml file on every Elasticsearch node and restart the cluster for the change to take effect. Otherwise, queries will fail.
  script.painless.regex.enabled: true
- 5.x Collectors will not work with FortiSIEM 6.7.2 or later. This step is taken for improved security. Follow these steps to make the 5.x Collectors operational after upgrade.
  - Upgrade the Supervisor to the latest version: 7.0.0 or higher.
  - Copy phProvisionCollector.collector from the Supervisor to all 5.x Collectors.
    - Log in to the Supervisor.
    - Run the following command.
      scp /opt/phoenix/phscripts/bin/phProvisionCollector.collector root@<Collector_IP>:/opt/phoenix/bin/phProvisionCollector
  - Update the 5.x Collector password.
    - SSH to the Collector.
    - Run the following command.
      phProvisionCollector --update <Organization-user-name> <Organization-user-password> <Supervisor-IP> <Organization-name> <Collector-name>
    - Make sure the Collector ID and password are present in the file /etc/httpd/accounts/passwds on Supervisors and Workers.
  - Reboot the Collector.
- This release cannot be installed with the FIPS option.
- For Windows and Linux Agents monitoring host performance, the CMDB > Monitor Status tab is not populated in the GUI.
- FortiSIEM 7.0.0 and later API documentation is transitioning to https://fndn.fortinet.net/index.php?/fortiapi/2627-fortisiem/. Fortinet recommends checking this link first for the latest API updates.
Key Enhancements
Rocky Linux 8.8
This release updates the Rocky Linux OS to 8.8 and includes published Rocky Linux OS updates until July 14, 2023. The list of updates can be found at https://errata.rockylinux.org/.
The FortiSIEM Rocky Linux Repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) have also been updated to include fixes until July 14, 2023. Therefore, FortiSIEM customers on versions 6.4.1 and above can upgrade only their Rocky Linux version by following the procedure described in https://docs.fortinet.com/document/fortisiem/7.0.0/fortisiem-os-update-procedure/574280/fortisiem-os-update-procedure.
Optimized Incident Trigger Event Lookup
Incident Trigger Event lookup in the GUI is optimized for long-running Incidents. In previous releases, the trigger events were searched over the First Seen Time to Last Seen Time window, which can be very large if the incident is constantly triggering and is not resolved. In such cases, the GUI may fail to display trigger events. In the new design, for an Incident, the latest 100 trigger events are shown over a maximum 30-day period. For ClickHouse, in addition, the eventType field is stored for every trigger event and used in the queries. Since eventType is a ClickHouse Primary Index, queries are faster (https://help.fortinet.com/fsiem/7-0-0/Online-Help/HTML5_Help/appendix-clickhouse-index-design.htm), but this additional speedup applies only to newer Incidents. Consider these examples:
- If 100 trigger events occur in the last 1 day, then only these trigger events are shown.
- If 50 trigger events occur on each of the last 2 days, then only these trigger events over the last 2 days are shown.
- If 1 trigger event occurs on each of the last 100 days, then only 30 trigger events are shown (the 30-day maximum).
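The selection rule above, as an added Python example that is not FortiSIEM code: the trailing 30-day window is applied first and then the newest 100 events are kept. The triggers_per_day helper and the reference time are constructed sample input covering the three scenarios in the list.

```python
from datetime import datetime, timedelta
from typing import List

MAX_TRIGGER_EVENTS = 100  # at most the latest 100 trigger events are shown
MAX_WINDOW_DAYS = 30      # and only those inside a trailing 30-day window
REFERENCE_NOW = datetime(2023, 7, 14, 12, 0, 0)  # constructed reference time


def select_trigger_events(event_times: List[datetime], now: datetime,
                          max_events: int = MAX_TRIGGER_EVENTS,
                          max_days: int = MAX_WINDOW_DAYS) -> List[datetime]:
    """Return the trigger events the GUI would list for one Incident, newest first.

    The window bound is applied before the count bound, so a long-running
    Incident never requires a scan over its whole First Seen .. Last Seen range.
    """
    window_start = now - timedelta(days=max_days)
    candidates = [t for t in event_times if window_start < t <= now]
    candidates.sort(reverse=True)
    return candidates[:max_events]


def triggers_per_day(now: datetime, days: int, per_day: int) -> List[datetime]:
    """Constructed sample input: `per_day` triggers on each of the last `days` days."""
    return [now - timedelta(days=d, minutes=m)
            for d in range(days) for m in range(per_day)]


if __name__ == "__main__":
    for days, per_day in ((1, 100), (2, 50), (100, 1), (60, 5)):
        shown = select_trigger_events(triggers_per_day(REFERENCE_NOW, days, per_day),
                                      REFERENCE_NOW)
        print(f"{per_day} per day over {days} days -> {len(shown)} shown")
```

The fourth scenario (5 per day over 60 days) shows both caps interacting: the window leaves 150 candidates and the count cap then keeps 100.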
Bug Fixes
This release contains the following fixes and enhancements.
Bug Id | Severity | Module | Description |
---|---|---|---|
929885 | Major | App Server | Test Connectivity & Discovery may get stuck at Database update 0% when a few discoveries are running. |
922978 | Major | Report | |
914571 | Minor | Agent Manager | |
923024 | Minor | App Server | In the GUI, switching user from Super Global to a specific Organization does not work unless the user belongs to all Organizations. |
921351 | Minor | App Server | Multiple Incident REST API issues are fixed: For details, see FortiSIEM REST API. |
918854 | Minor | App Server | |
917625 | Minor | App Server | During CMDB Merge for Windows Agents, the Windows GUID is considered for merging. This causes two different Windows Servers with different names but the same IP or GUID to be merged into the same entry in CMDB. |
921662 | Minor | Data Purger | Excessive logging by |
921628 | Minor | Elasticsearch | In Elasticsearch, the nesting of SUM and IF functions does not work when the IF operator is >, <, >= or <=. An example is SUM(IF((Event Severity >= 4),1,0)). |
921451 | Minor | Event Pulling Agents | Azure for US Govt does not work (fails with correct credentials). |
928179 | Minor | GUI | Machine Learning Report: Windows Process Interaction Ratio does not display correct data. |
927794 | Minor | GUI | If a nested function has aggregation but the outer function is non-aggregate (e.g. LOG(SUM(X))), then the whole function is treated as non-aggregate and included in the GroupBy attribute list. This results in an invalid Query. |
924367 | Minor | GUI | The new Entity Risk View in 7.0 shows only 10 Incidents in the time window. Now it shows all Incidents. |
919768 | Minor | GUI | Two issues are resolved for Custom Design Templates assigned to a Report Folder under Resources > Reports: (a) if you are migrating from a pre-7.0.0 release and have Custom Design Templates assigned to a Report Folder under Resources > Reports, then the Report Design Template migration process will not complete; (b) a custom Report Design Template cannot be assigned to a Report Folder. |
918931 | Minor | GUI | Cannot execute a FortiSOAR Playbook or run a FortiSOAR Connector from the Analytics page. |
923667 | Minor | Machine Learning | The Machine Learning algorithm fails to predict Incident Resolution for some new Incidents. |
921060 | Minor | Machine Learning | The Machine Learning algorithm to predict Incident Resolution does not work in Service Provider installations. |
929009 | Minor | Parser | The EPS in event |
928414 | Minor | Parser | |
918150 | Minor | System | Upgrade can fail when Rocky Linux OS repo DNS name resolution fails. |
918654 | Enhancement | Parser | Make |
743793 | Enhancement | Parser | Enable SASL_SSL (authentication plus encryption) for Kafka producer and consumer. In this release, there is no GUI support for this. The customer needs to choose SASL_PLAINTEXT in the GUI and configure this in sasl_ssl_ca_cert=/etc/pki/kafka/ca-cert sasl_ssl_cert_file=/etc/pki/kafka/client_client.pem sasl_ssl_key_file=/etc/pki/kafka/client_client.key sasl_ssl_password= sasl_ssl_verify=true. See Appendix > Configuration Notes > Editing phoenix_config.txt File for guidance on changing the file. Specifically, on the Collector, you need to make the same change in 2 places: |
914960 | Enhancement | Systems | Reduce the number of CMDB backups to 1 per day to conserve space and facilitate upgrade. |
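Bug 927794 in the table above, as an added Python example that is not FortiSIEM code: a small expression parser with the pre-fix check that inspects only the outermost function beside the corrected check that looks for an aggregate anywhere in the expression tree, and the GroupBy list each one produces. The aggregate function set and the attribute names are assumptions.

```python
import re
from typing import Callable, List, Tuple

# Assumed set of aggregate functions; the page itself names only SUM.
AGGREGATE_FUNCS = {"SUM", "COUNT", "AVG", "MIN", "MAX"}
_TOKEN = re.compile(r"\s*([A-Za-z_]\w*|\d+(?:\.\d+)?|[(),])")


def tokenize(expr: str) -> List[str]:
    """Split LOG(SUM(totBytes)) into names, numbers and punctuation tokens."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse(tokens: List[str], pos: int = 0) -> Tuple[tuple, int]:
    """Parse NAME, NUMBER or NAME(arg, ...) into ("call", NAME, args) / ("leaf", text)."""
    tok = tokens[pos]
    if pos + 1 < len(tokens) and tokens[pos + 1] == "(":
        args, pos = [], pos + 2
        while tokens[pos] != ")":
            arg, pos = parse(tokens, pos)
            args.append(arg)
            if tokens[pos] == ",":
                pos += 1
        return ("call", tok.upper(), args), pos + 1
    return ("leaf", tok), pos + 1


def outer_is_aggregate(node: tuple) -> bool:
    """Pre-fix behaviour: only the outermost function decides, so LOG(SUM(X)) looks non-aggregate."""
    return node[0] == "call" and node[1] in AGGREGATE_FUNCS


def contains_aggregate(node: tuple) -> bool:
    """Fixed behaviour: an aggregate anywhere in the tree makes the whole column an aggregate."""
    if node[0] != "call":
        return False
    return node[1] in AGGREGATE_FUNCS or any(contains_aggregate(a) for a in node[2])


def group_by_attributes(columns: List[str], is_aggregate: Callable[[tuple], bool]) -> List[str]:
    """Display columns that are not aggregates must be listed in GroupBy."""
    return [c for c in columns if not is_aggregate(parse(tokenize(c))[0])]
```

With outer_is_aggregate, LOG(SUM(totBytes)) lands in the GroupBy list next to the real attribute, which is the invalid query the table describes; contains_aggregate leaves only reptDevIpAddr there.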