What's New in 7.0.2

Key Enhancement

Storage Space Reduction for ClickHouse Based Deployments

This release reduces the storage space for storing events in ClickHouse based deployments. This is achieved in two ways:

  • By removing a derived event attribute that held the list of all parsed attributes. This attribute was added so that raw message queries could show all parsed attributes quickly, but it required additional storage. The GUI now runs optimized ad hoc queries against the ClickHouse database to get this information instead.

  • By changing the compression algorithm to Zstandard (ZSTD) level 6. Note that only new installations from 7.0.2 onwards can use the ZSTD level 6 compression. Existing customers will use the current LZ4 algorithm. See the ClickHouse Sizing Guide for new storage requirements.

Bug Fixes and Minor Enhancements

This release includes the following bug fixes:

  • Several code improvements in Linux Agent area

  • Fix for Bug 946202: FortiSIEM Supervisor and Worker make excessive DNS lookups due to missing entries in the /etc/hosts file. This bug was introduced in 7.0.0.

  • Fix for Bug 934773: The runtime directory of the phAnomaly process under /tmp would be deleted after a certain time, causing the phAnomaly process to stop running after 10 days. This bug was introduced in 7.0.0.

  • Fix for Bug 921597: Reboot may be slow after upgrading to 7.0.0. This bug was introduced in 7.0.0.

  • Fix for Bug 948701: Machine Learning Clustering job failed to handle inference output without hostName id attribute. This bug was introduced in 7.0.0.

This release includes Rocky Linux OS 8.8 updates until September 3, 2023. The list of updates can be found at https://errata.rockylinux.org/.

FortiSIEM Rocky Linux Repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) have also been updated to include fixes until September 3, 2023. Therefore, FortiSIEM customers on versions 6.4.1 and above can upgrade only their Rocky Linux OS by following the procedures described in the FortiSIEM OS Update Procedure Guide.

Important Notes

  1. For native Elasticsearch and Elastic Cloud deployments, FortiSIEM 7.0.0 or higher supports Elasticsearch versions 7.17 and 8.5. If you are running a lower Elasticsearch version and upgrade to FortiSIEM 7.0.0 or higher, then Elasticsearch Queries will not work. Follow these steps to properly upgrade your infrastructure.

    1. Upgrade FortiSIEM to 7.0.0 or higher.

    2. Upgrade Elasticsearch version to 7.17 or 8.5.

    3. In Admin > Setup > Storage > Online, redo Test and Deploy.

  2. AWS Elasticsearch is not supported in FortiSIEM 7.0.0 or higher, since AWS only supports Elasticsearch 7.10, which is lower than the required 7.17.

  3. AWS Opensearch is not supported in FortiSIEM 7.0.0 or higher.

  4. To support new analytical functions in Elasticsearch, the Painless scripting language is used. See https://www.elastic.co/guide/en/elasticsearch/reference/7.17/modules-scripting-painless.html for reference. If you are running Elasticsearch, then add the following line to the Elasticsearch.yml file in every Elasticsearch node and restart the cluster for the changes to take effect. Otherwise, queries will fail.

    script.painless.regex.enabled: true

  5. 5.x Collectors will not work with FortiSIEM 6.7.2 or later. This change was made for improved security. Follow these steps to make the 5.x Collectors operational after upgrade.

    1. Upgrade the Supervisor to the latest version: 7.0.0 or higher.

    2. Copy phProvisionCollector.collector from the Supervisor to all 5.x Collectors.

      1. Log in to the Supervisor.

      2. Run the following command.

        scp /opt/phoenix/phscripts/bin/phProvisionCollector.collector root@<Collector_IP>:/opt/phoenix/bin/phProvisionCollector

    3. Update 5.x Collector password.

      1. SSH to the Collector.

      2. Run the following command.

        phProvisionCollector --update <Organization-user-name> <Organization-user-password> <Supervisor-IP> <Organization-name> <Collector-name>

      3. Make sure the Collector ID and password are present in the file /etc/httpd/accounts/passwds on Supervisors and Workers.

    4. Reboot the Collector.

  6. FortiSIEM 7.0.0, 7.0.1 and 7.0.2 cannot be installed with FIPS option.

  7. For Windows and Linux Agents monitoring host performance, CMDB > Monitor Status tab is not populated in GUI.

  8. FortiSIEM 7.0.0 and later API documentation is transitioning to https://fndn.fortinet.net/index.php?/fortiapi/2627-fortisiem/. Fortinet recommends checking this link first for the latest API updates.
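Two of the notes above are easy to get wrong during an upgrade: note 4 requires `script.painless.regex.enabled: true` on every Elasticsearch node, and note 5 (step 3.3) requires the Collector ID and password to be present in /etc/httpd/accounts/passwds on every Supervisor and Worker. The following POSIX shell helpers are an added example and are not part of FortiSIEM's own scripts or documentation; they assume elasticsearch.yml is a flat "key: value" YAML file and that the passwds file uses the htpasswd-style "name:hash" layout (both are assumptions, not stated on this page). The first helper adds the Painless setting idempotently (so re-running it on an already-configured node changes nothing), and the second verifies that a given Collector ID has a non-empty credential entry.

```shell
#!/bin/sh
# Added example, not FortiSIEM's own code. Assumptions (not on the page):
#  - elasticsearch.yml is a flat "key: value" YAML file
#  - /etc/httpd/accounts/passwds is in htpasswd "name:hash" form
#
# Usage after sourcing this file:
#   ensure_painless_regex /etc/elasticsearch/elasticsearch.yml   # then restart the cluster
#   collector_registered /etc/httpd/accounts/passwds <Collector-ID>

# ensure_painless_regex FILE
# Make sure FILE has exactly one active "script.painless.regex.enabled: true"
# line. Returns 0 if it was already set, 10 if the file was changed, 1 on error.
ensure_painless_regex() {
    file="$1"
    key='script.painless.regex.enabled'
    [ -f "$file" ] || { printf 'no such file: %s\n' "$file" >&2; return 1; }

    # Already enabled and uncommented: nothing to do.
    if grep -Eq "^[[:space:]]*${key}:[[:space:]]*true[[:space:]]*$" "$file"; then
        return 0
    fi

    # Remove any stale copies of the key (e.g. "false" or a commented-out line),
    # then append the required setting. grep -v exits 1 when nothing is left,
    # which is a valid outcome here, so do not treat it as an error.
    tmp="${file}.tmp.$$"
    grep -Ev "^[[:space:]]*#?[[:space:]]*${key}:" "$file" > "$tmp" || :
    printf '%s: true\n' "$key" >> "$tmp"
    mv "$tmp" "$file"
    return 10
}

# collector_registered PASSWDS_FILE COLLECTOR_ID
# Returns 0 when COLLECTOR_ID appears as a user with a non-empty credential
# field, 1 otherwise. awk with an exact field comparison is used instead of a
# regex so IDs containing regex metacharacters cannot widen the match.
collector_registered() {
    awk -F: -v id="$2" '$1 == id && $2 != "" { found = 1 } END { exit !found }' "$1"
}

# check_all_nodes COLLECTOR_ID FILE...
# Convenience wrapper for step 3.3: check the same Collector ID against the
# passwds file copied from each Supervisor and Worker. Returns the number of
# files in which the Collector is missing (0 means present everywhere).
check_all_nodes() {
    id="$1"; shift
    missing=0
    for f in "$@"; do
        if ! collector_registered "$f" "$id"; then
            printf 'Collector %s missing from %s\n' "$id" "$f" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
```

Run `ensure_painless_regex` on each node, then restart the cluster as note 4 requires; a return code of 0 on every node means the setting was already in place and no restart was needed for this change.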
