What's New in 7.1.0
New Features
Fortinet Advisor
This release introduces OpenAI/ChatGPT-4 powered Advisor that provides the following functions:
-
Responses to SOC Queries by running an API. Currently, the following questions are supported.
-
Get FortiSIEM health – This retrieves the current health of FortiSIEM nodes including Supervisor, Worker and Collector.
-
Get the latest known vulnerabilities – This retrieves the list of vulnerabilities in your environment known to FortiSIEM. To get this data, you must enable FortiSIEM to collect data from FortiClient/EMS or vulnerability scanners.
-
-
Responses to Questions from 7.1.0 Product documentation and internal knowledge base articles.
-
Analysis and Recommendations for logs and Incidents: From Incidents > List View, Incidents > Risk, Incidents > Investigation and Analytics > Search pages, you can launch these requests using the Fortinet Advisor menu option. Incident analysis provided by OpenAI/ChatGPT-4 can be added to Incident Comments.
-
Automated Incident Analysis and Recommendation using the Notification policy framework. Incident Notification email can be configured to include Incident analysis provided by OpenAI/ChatGPT-4.
-
Help in building a FortiSIEM Report: You can ask the Fortinet Advisor to “Create a report”. After the report has been generated, the report can be uploaded to Analytics at the click of a button and subsequently run. You can also create a rule once you are satisfied with the Report.
Important Notes:
-
Fortinet Advisor uses GPT3.5-Turbo and GPT4. Your OpenAI API key must support access to these models.
-
When asking Advisor to build a report, you can describe the report using natural language, but certain keywords need to be present for accuracy. The syntax is as follows and the keywords are in bold: Create a report to show the <comma separated list of attributes> where <filtering conditions>, group them by <list of event attributes>, and only show results for <having conditions>, order by <attribute> in ascending or descending order. Grouping and ordering is optional. Several examples are provided in the Advisor GUI.
-
For SOC Queries, you always have to use the exact question: “Get FortiSIEM health” and “Get the latest known vulnerabilities”.
-
Anonymization: When you ask ChatGPT for log and Incident analysis using the Fortinet Advisor menu option, then customer specific information is anonymized before sending to ChatGPT. The returned results are converted back to the original values before displaying to the user. The full list of anonymized event attributes is here. Similar anonymization is performed when you invoke ChatGPT via Notification policy. If you manually enter log and ask ChatGPT to analyze the log, then the log fields are not anonymized.
OpenAI Integration and Disclaimer
The Fortinet Advisor lets you connect FortiSIEM to your own OpenAI account, using your own OpenAI license key. This integration will send data from your FortiSIEM to OpenAI and will show you responses from OpenAI. Fortinet does not verify or correct these responses and has no responsibility for them. OpenAI is operated by a third party, not Fortinet. You must exercise discretion and independently verify any information or recommendations you receive from OpenAI before relying on them.
Note: Fortinet Advisor uses GPT3.5-Turbo and GPT4. Your OpenAI API key must support access to these models.
For details on using the Fortinet Advisor, see here.
Scheduled Rules for ClickHouse based Deployments
This release allows users to create Incidents by running reports on periodic intervals. This is only supported for ClickHouse based deployments. In contrast to the current in-memory streaming rule engine, Scheduled rules require disk access and does not scale comparably. In-memory option is faster and a large number of rules can be evaluated concurrently. However, the new scheduled report-based approach has the following advantages:
-
Rules can be written using the complex analytic functions introduced in 7.0.
-
Rules can be evaluated over larger time intervals.
Once the scheduled rule conditions are met, Incidents are created the same way as Streaming rules.
For steps on how to define scheduled rules, see Creating a Rule.
A ClickHouse Query Management layer is introduced to enforce a priority-based scheduling between 3 types of queries: Interactive GUI queries (highest priority), Scheduled Rules (medium priority), and Scheduled Reports (lowest priority). The status of currently running ClickHouse queries can be seen on the Query Status page.
Windows Certificate Monitoring via Agent
This release enables FortiSIEM to monitor certificates on Windows hosts via FortiSIEM Agent 7.1.0 and later. The following use-cases are handled:
-
Detect when a certificate is added or deleted.
-
Detect when a certificate has 7-30 days (configurable) left before expiration.
-
Report on certificates that have expired (Can notify "X" number of days after certificate has expired, "X" being configurable).
-
Detect self-signed certificates.
Steps on how to create a Certificate Monitoring Template and distribute to Windows agents is described in Define the Windows Agent Monitor Templates. Sample logs are available here.
Windows Osquery via Agent
Osquery (https://osquery.readthedocs.io/en/latest/) enables you to collect a variety of information from hosts. The osquery framework provides the following key advantages over logging, and can be used effectively in addition to log analysis.
-
Osquery can provide information that is not necessarily available in logs, for example the programs that run when a machine starts up, the TCP/UDP ports that are tied to services, etc...
-
Hosts can be queried for live information using osquery. This can be very useful in Incident investigations.
-
Osquery is Operating system independent – the same Osquery can work for Windows and Linux. Note that FortiSIEM currently supports Osquery for Windows only.
In this release, the osquery framework is integrated into FortiSIEM Windows Agent 7.1. When the 7.1 agent installs, or you upgrade to the 7.1 version, the osquery feature is available.
-
A built-in set of osqueries is provided (Resources > Osquery), and you can create and test your own osquery.
-
An osquery can be attached to a Windows monitoring template, along with other logging and performance monitoring definitions. When the template is assigned to hosts, each host will run the osquery at specific intervals and send the osquery results as FortiSIEM events (prefixed with
PH_OSQUERY_WIN). The events can be used in Rules and Reports. Lookup Tables can be populated using these events and Rules can be written using the Lookup Tables. -
Reports for built-in osqueries are in Resources > Reports > Osquery. Built-in Rules for osqueries can be found by searching for “osquery” in Resources > Rules in the main pane.
-
The user can also run live osqueries from Incident Investigation View. The osquery will collect the current matching data from the hosts. The results can be saved to PDF and attached to Cases.
For steps on how to create an osquery, see here. To attach an osquery to a Windows Monitoring template, see here. Running an osquery from an Incident Investigation graph is a selectable option under Run Reports.
User Alias in Risk Calculation
Often times, a user can have multiple accounts, e.g. Active Directory, AWS, Office 365, email. This release provides a way to define aliases for the main user account in CMDB > User> Edit > Alias. FortiSIEM calculates the Total Risk for that user by including the incidents in which aliases appear.
New Machine Learning Models
This release adds two new Anomaly Detection Machine Learning models:
-
Gaussian Model - This unsupervised machine learning model approximates the probability distribution of an event attribute as a Gaussian distribution. A data point is considered anomalous if its occurrence probability is lower than the provided threshold.
-
Gaussian Mixture Model - As a generalization of the Gaussian model, this unsupervised machine learning model approximates the probability distribution of an event attribute as N Gaussian distributions. This is useful for modeling event attributes which has multiple peaks and valleys. A data point is considered anomalous if its occurrence probability is lower than the provided threshold.
For Details, see Anomaly Detection.
Key Enhancements
OS Update
This release includes published Rocky Linux OS updates until October 24, 2023. The list of updates can be found at https://errata.rockylinux.org/.
FortiSIEM Rocky Linux Repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) have also been updated to include fixes until October 24, 2023. Therefore, FortiSIEM customers in versions 6.4.1 and above, can upgrade only their Rocky Linux versions by following the procedures described in https://docs.fortinet.com/document/fortisiem/7.0.0/fortisiem-os-update-procedure/574280/fortisiem-os-update-procedure.
FortiSIEM GUI Enhancements
This release contains several GUI enhancements:
-
New consistent color scheme throughout the GUI for both Light and Dark themes.
-
In the following Views, Incident detail is presented in a slide-in window from the right:
-
Incident List View
-
Incident Explorer View
-
MITRE ATT&CK Incident Explorer View
-
Incident Overview drill-down View
-
Incident Risk drill-down View
-
-
In Incident List View, the Actions list is streamlined.
-
Added a Check Reputation action for IP, Domain, URL and Hash.
-
In Widget dashboard, the re-arranging of widgets is optimized. When a widget is moved from one position, the GUI shows the tentative new placement based on current position and minimizes widget movements after placing the widget in the new position.
Dynamic Watchlist using User-to-IP Lookup
There are situations where a rule triggers with only username, but remediation requires the current IP address of the user. This release provides a way for FortiSIEM to update an IP based watchlist when a rule triggers, based on the Username to IP mapping information in the Identity and Location database.
When you define a rule, you can create an IP based Watchlist even if the Rule does not have IP as an event type attribute. In Resources > Rules, when adding or editing a rule, go to Step 3: Define Action, click the Watch List Edit icon, and select the LookupIpByUser function to populate a watch list. FortiSIEM will keep track of the User to IP mapping in the Identity and Location database. If it finds an IP mapping for that User, then it will add the matching IP to the watchlist. Some important sub-cases are handled, such as
-
If some other user takes that IP, then that IP is removed from the Watch List.
-
If the offending user takes some other IP, then the Watch List is updated with the new IP.
Kafka Event Collection Improvements
Two improvements were done:
-
Event Collection scalability by enabling multiple collectors to pull on the same Topic.
-
Encryption via SASL/SSL via GUI – This feature was added to 6.7.6 and 7.0.1, but the configuration was via
phoenix_config.txt. In this release, this configuration option is added to the GUI. If you are using this feature in 6.7.6 or 7.0.1 and upgrade to 7.1.0, you need to navigate to Admin > Settings > System > Kafka in FortiSIEM GUI, change Protocol fromPLAINTEXTtoSSLand re-do Test Connectivity.
ClickHouse Storage Reduction for Existing Deployments
If you are running ClickHouse as your event database and upgrade to FortiSIEM 7.1.x, then the new events will be compressed more efficiently using ZSTD, while the old events will remain compressed using LZ4. All the events can be queried. As the older events gets purged over time, all event data will be compressed using ZSTD and the full compression potential of ZSTD will be achieved.
Windows Agent GUI Enhancement
This release enables the user to choose the network interface over which the Windows Agent will communicate with the Supervisor and Collector nodes.
For details, see the 7.1.x Windows Agent Guide.
Ability to Choose a Network Interface during Installation
In earlier releases, FortiSIEM always chose eth0 as the primary network interface for both hardware appliances and virtual machines. This release allows you to choose any configured network interface, including bonded interfaces, during FortiSIEM install process.
For details, see your specific hardware or virtual machine installation guide in the FortiSIEM Document Library.
Public REST API Enhancements
The performance of the following CMDB APIs were improved:
-
/phoenix/rest/cmdbDeviceInfo/devices -
/phoenix/rest/cmdbDeviceInfo/devicesByPagination -
/phoenix/rest/config/Domain
A new API is introduced to query archived events:
-
/phoenix/rest/query/archive
A new API is introduced to get IP/Host/User Context
-
/phoenix/rest/context/ip -
/phoenix/rest/context/hostname -
/phoenix/rest/context/user
A new API is introduced to query CMDB data. In other words, the API enables you to run CMDB Reports via API.
-
Get the schema:
/phoenix/rest/query/cmdb/schema -
Run a CMDB Query:
/phoenix/rest/query/cmdb
Generic STIX/TAXII 2.1 Integration for collecting External Threat Intelligence
This release adds a python script for Collecting External Threat Intelligence feeds from any STIX/TAXII 2.1 Server. Currently supported Indicators include IP, Domain, and URL.
To use this integration, simply select Plugin Type as Python and Plugin Name as the script stix21_threadfeed.py from the Update Malware IP/Domain/URL dialog.
For details, see Custom Threat Feed Websites - Programmatic Import via Python for Malware Domain, Malware IPs, or Malware URLs.
Content Update
Each built-in Report has a Data Source field that specifies the device integration required for this report to have content. Each built-in Rule has 3 new fields: Data Source, Detection Technology and Evaluation Mode. The Data Source field specifies the device integration required for this rule to trigger. Detection Technology can be one of the following values: Correlation, Profiling, Machine Learning and Correlation Using Lookup Table. Evaluation Mode is either Streaming or Scheduled.
The SIGMA rules are now updated to match the latest from the website (https://github.com/SigmaHQ/sigma/tree/master/rules).
See here for the new rules.
See here for the new reports.
New Device Support
This release adds the following device support:
-
G42 Cloud (https://www.g42cloud.com/#/) - log collection. See here for details.
-
FortiNDR Cloud - log and alert collection. See here for details.
-
Armis Intelligence Platform (https://www.armis.com/) - alert collection. See here for details.
-
Hillstone Firewall (https://www.hillstonenet.com/) - log collection. See here for details.
Device Support Enhancements
This release provides following enhancements to already supported devices:
-
Microsoft Office365
-
Email Activity Counts via Microsoft Graph API
-
Email statistics via Office 365 Reporting Web Service
-
New rules, reports and dashboard
See here for details.
-
-
AlienVault TAXII Server 2.1 API (https://docs.oasis-open.org/cti/taxii/v2.1/os/taxii-v2.1-os.html) to download threat intelligence information. See here for integration details.
Bug Fixes and Enhancements
|
Bug ID |
Severity |
Module |
Description |
|---|---|---|---|
|
954115 |
Major |
App Server |
When host status=UEBA and template configuration with only 'UEBA' is applied, then a Device license is counted. |
|
951833 |
Major |
ClickHouse Backend |
NFS Real Time Archive for ClickHouse does not work. |
|
953340 |
Major |
GUI |
GUI throws error when a requestor tries to activate or deactivate one rule in Enterprise mode. |
|
955478 |
Major |
Linux Agent |
Linux Agent is auditing its own processes and system calls - resulting in large number of useless events. |
|
951156 |
Major |
System |
In some situations, ReportWorker to ReportMaster communication issues can cause Data Manager to drop events. |
|
953313 |
Minor |
App Server |
Audit log is not generated when rule is activated or deactivated in Enterprise mode. |
|
953181 |
Minor |
App Server |
|
|
949130 |
Minor |
App Server |
Description column not included when importing watchlist. |
|
944462 |
Minor |
App Server |
PDF/CSV Export fails for "Rules with Exception" CMDB Report. |
|
937174 |
Minor |
App Server |
Upgrade and Content Updates may not complete as jobs show status as 'InWaiting'. |
|
936858 |
Minor |
App Server |
Error occurs when disabling/enabling a new created event dropping rule. |
|
936635 |
Minor |
App Server |
Can't update content version to 409 if content version is not configured to 400. |
|
936224 |
Minor |
App Server |
Backend LDAP Authentication Events Shown as Unknown Events in Analytics. |
|
930437 |
Minor |
App Server |
PostgreSQL log files are growing in number when DR has issue - create a log when this happens. |
|
928788 |
Minor |
App Server |
Scheduling a report to run in the future runs after saving the schedule. |
|
926547 |
Minor |
App Server |
Public Watchlist REST API ( |
|
923582 |
Minor |
App Server |
Public REST API |
|
923081 |
Minor |
App Server |
Public REST API to update CMDB Device System property returns NullPointer Exception. |
|
920602 |
Minor |
App Server |
Public REST API for device maintenance
( |
|
915524 |
Minor |
App Server |
Cases tab - Export Summary for all tickets is limited to 30 entries. |
|
902079 |
Minor |
App Server |
Periodic updates are not working for AlienVault Malware Hash. |
|
887393 |
Minor |
App Server |
FortiSIEM Incident Tags not being reflected in Incident JSON when pulled via Rest API. |
|
881550 |
Minor |
App Server |
Malware Domain (AlienVault) doesn't pull all the domain values from AlienVault's response. |
|
876052 |
Minor |
App Server |
Global Org view permission not honored from dashboard widget and
drill down when |
|
874420 |
Minor |
App Server |
Custom dashboard cannot be shared with AD group role user. |
|
814006 |
Minor |
App Server |
Cloud Health shows wrong info after 6.5.0 for Supervisor with two NICs. |
|
954731 |
Minor |
App Server,GUI |
Global constraint using simple function in rule is not working properly. |
|
860610 |
Minor |
App Server,GUI |
Read-only user can still modify some values due to improper access controls. |
|
940119 |
Minor |
ClickHouse Backend |
ClickHouse internal logs (trace_log, part_log, asynchronous_metric_log, query_log) grow to take up significant storage. |
|
888575 |
Minor |
ClickHouse Backend |
ClickHouse encounters Signal 8 segmentation fault when all nodes in a shard are deleted. |
|
958249 |
Minor |
Data work |
FortiGate Parser Event Type Spelling Error for NTP Status Events. |
|
955723 |
Minor |
Data work |
Drilldown from the Server Dashboard -> Logins -> Account Lockouts widget leads to the wrong report. |
|
932909 |
Minor |
Data work |
GitlabLogParser not functioning properly. |
|
932801 |
Minor |
Data work |
Update Cisco Umbrella DNS parser. |
|
904038 |
Minor |
Data work |
Update parsing for Win-Security-5136. |
|
946373 |
Minor |
Discovery |
LDAP discovery imports contact when email field is configured. |
|
937157 |
Minor |
Discovery |
AD Discovery completes, but cmdb GUI does not load (reason: bad group insertion in ph_group table). |
|
958820 |
Minor |
Event Pulling Agents |
Agent Manager has high memory when reading large files for Generic AWS S3 integration. |
|
958363 |
Minor |
Event Pulling agents |
Missing some Proofpoint events due to vendor's data format changes. |
|
951615 |
Minor |
Event Pulling Agents |
For Tenable Security Agent, duplicate events may be seen if
|
|
949554 |
Minor |
Event Pulling Agents |
CrowdStrike event stream is getting reset every 5 minutes. |
|
956515 |
Minor |
GUI |
Cases with overlapping incidents does not work. If a Case is opened for an Incident which is already part of a Case, then the existing case is updated. |
|
954050 |
Minor |
GUI |
FortiGuard CTS external lookup results not added to result history in Investigation. |
|
934291 |
Minor |
GUI |
Altering critical interfaces list in CMDB is only possible for the first selected device. |
|
933843 |
Minor |
GUI |
Allow Parser Test to proceed even if there are more than 10 test events. |
|
928561 |
Minor |
GUI |
Need to add OMI in Resources > Remediation, since Windows Remediation scripts require OMI credential. |
|
946758 |
Minor |
Identity & Location |
Sometimes |
|
915091 |
Minor |
Linux Agent |
Linux agent |
|
951409 |
Minor |
Machine Learning |
Viewing Scatter Plot from Machine Learning > Prepare causes GUI corruption. |
|
951408 |
Minor |
Machine Learning |
Report for ML job built from ad-hoc report is saved in Ungrouped folder instead of Machine Learning. |
|
934545 |
Minor |
Notification |
Case automatically created from incident without any notification policy configured. |
|
899393 |
Minor |
Notification |
No subject line in SMS Incident Notification. |
|
943849 |
Minor |
Parser |
Two |
|
936757 |
Minor |
Parser |
EPS calculation mismatch because (a) unknown events not counted towards license and (b) type casting error. |
|
931868 |
Minor |
Parser |
Collector Name is not set correctly in events. |
|
925100 |
Minor |
Query |
ClickHouse Queries referring custom network range object returns no data. |
|
937564 |
Minor |
Report |
Report Designer only allows one Legend per Page, even if you add multiple Charts to the same page. |
|
952241 |
Minor |
Rule |
Occasional NullPointerException error when testing a rule. |
|
925899 |
Minor |
Rule |
|
|
938995 |
Minor |
System |
In Redis cache and clickhouse, ingestionnodesonline key missing for datamanager and querymaster, causing queries to fail - happens on migrating other databases to ClickHouse. |
|
938739 |
Minor |
System |
PostgreSQL symbolic link was missing for psql 13 (6.4.x -> 6.7.2). |
|
938735 |
Minor |
System |
Upgrade failed due to httpd process that did not start (6.7.1 -> 6.7.3). |
|
938675 |
Minor |
System |
Upgrade to 6.7.4 could not uninstall python package pyyaml (6.6.3 -> 6.7.4). |
|
921597 |
Minor |
System |
Reboot extremely slow and /tmp files removal errors after upgrade to v7.0.0. |
|
902108 |
Minor |
System |
Installing on VMware ESX8 reports a certificate error. |
|
952305 |
Minor |
Windows Agent |
UEBA File printed events comes through as '?' when printing files with Arabic characters. |
|
947196 |
Minor |
Windows Agent |
Windows agent events are not parsed, when agent moves from offline > online. |
|
902941 |
Minor |
Windows Agent |
Windows Agent always uses Windows proxy settings automatically and ignores /noproxy settings. |
|
954539 |
Enhancement |
App Server |
Add Audit log when user runs a query and exports data from GUI. |
|
951444 |
Enhancement |
App Server |
Extend the public Incident API to pull Incidents by specific event types. |
|
937666 |
Enhancement |
App Server |
Remove unnecessary elements from Rule and Report Definition XML file during export from GUI. |
|
919278 |
Enhancement |
App Server |
Provide IP + User based lockout for shared system accounts. |
|
908586 |
Enhancement |
App Server |
FortiSIEM nodes discovered as a separate CMDB Group. |
|
877664 |
Enhancement |
App Server |
Handle AlienVault new native API. |
|
808565 |
Enhancement |
App Server |
Provide feedback on GUI when importing malware ip/hash, etc. from CSV files. |
|
955721 |
Enhancement |
Data work |
Proofpoint parser update for URLs. |
|
958363 |
Enhancement |
Data work |
Proofpoint parser needs update. |
|
955949 |
Enhancement |
Data work |
Update FortiMail Cloud event parser. |
|
953321 |
Enhancement |
Data work |
Enhance Pulse Secure VPN events to parse User, Source IP and Source Country fields. |
|
953213 |
Enhancement |
Data work |
Sophos XG Firewall Parser update. |
|
951972 |
Enhancement |
Data work |
Win-Sysmon-22-DNS-Query Event needs enhancement. |
|
949904 |
Enhancement |
Data work |
Wrong Incident Title - Concurrent VPN Authentications To Same Account From Different Cities. |
|
949563 |
Enhancement |
Data work |
Ingestion JSON Formatted Event from BitdefenderGravityZoneParser does not populate Reporting Ip. |
|
947118 |
Enhancement |
Data work |
Add case to Generic DHCP Parser to resolve 'unknown' events. |
|
943724 |
Enhancement |
Data work |
Fortimanager v7.2.3 parsing fails. |
|
943106 |
Enhancement |
Data work |
Update FortiClient parser. |
|
940666 |
Enhancement |
Data work |
Update FortiEDR parser. |
|
936898 |
Enhancement |
Data work |
Several parsers incorrectly use applicationId of type UINT32 as a string field. |
|
935755 |
Enhancement |
Data work |
Need to update UbiquityParser for new event types. |
|
933472 |
Enhancement |
Data work |
Parse VMware vSAN Trace Logs. |
|
926545 |
Enhancement |
Data work |
Update McAfeeXmlParser Parser. |
|
925683 |
Enhancement |
Data work |
Create two rules for Dragos Worldview IP Traffic. |
|
924510 |
Enhancement |
Data work |
FortiGate Parser doesn't parse when FortiGate serial number begins with 'FD'. |
|
911349 |
Enhancement |
Data work |
WinOSWmiParser not parsing Application Name as attribute for event ids : 5154, 5158. |
|
901988 |
Enhancement |
Data work |
NSX-T events are not being parsed correctly. |
|
885730 |
Enhancement |
Data work |
FortiWeb Cloud Parser via syslog. |
|
885316 |
Enhancement |
Data work |
Sourcefire2Parser is not parsing the HTTP Response Code field to httpStatusCode in the Raw Event Log. |
|
884548 |
Enhancement |
Data work |
FortiAI/NDR parser update. |
|
881333 |
Enhancement |
Data work |
Add Support to parse events received from FortiAuthenticator. |
|
879396 |
Enhancement |
Data work |
Windows Security Event IDs 1200,1201,1206,1207,1210 are missing fields in 'RequestAuditComponent' via windows agent. |
|
876847 |
Enhancement |
Data work |
McAfee Web Gateway parser update. |
|
873640 |
Enhancement |
Data work |
Additional SNMP SysObjIds needed for Dell switches. |
|
926726 |
Enhancement |
Discovery |
Add support for JBOSS 7.1. |
|
829081 |
Enhancement |
Discovery |
For Agent/WMI/OMI - provide user option to set FQDN or shortname in discovery, perf monitoring and logs. |
|
930821 |
Enhancement |
Event Pulling Agents |
Enhance HTTPS Advanced Generic Poller to support raw JSON post to support APIs similar to Cortex XDR. |
|
937127 |
Enhancement |
GUI |
Add capability to Search on Discover > Include/Exclude Types. |
|
927632 |
Enhancement |
GUI |
Allow users to choose number of rows/page in tables. |
|
916266 |
Enhancement |
GUI |
Prevent users from changing incident severity category by mistake. |
|
942641 |
Enhancement |
Linux Agent |
Add FortiSIEM Linux Agent support for Debian 11 and Debian 12. |
|
941337 |
Enhancement |
Performance Monitoring |
Add CPU and Memory Monitoring via SNMP for Huawei VRP. |
|
922131 |
Enhancement |
Rule |
Create a System Error in GUI when FortiSIEM starts to throttle Incidents (Rate limiting threshold is hit). |
|
938679 |
Enhancement |
System |
Need to verify FSM RPM before upgrade (6.7.x -> 6.7.7). |
|
938672 |
Enhancement |
System |
Clean up old upgrade images from |
|
926490 |
Enhancement |
System |
Enhance phziplogs to include |
|
880535 |
Enhancement |
System |
Enable Content update Docker Collector. |
|
933390 |
Enhancement |
Upgrade |
Before beginning upgrade, ensure that |
Known Issues
-
Kafka encryption via SASL/SSL is set from the GUI. This feature was added to 6.7.6 and 7.0.1, but the configuration was via
phoenix_config.txt. If you are using this feature in 6.7.6 or 7.0.1 and upgrade to 7.1.0, you need to navigate to Admin > Settings > System > Kafka in FortiSIEM GUI, change Protocol from PLAINTEXT to SSL and re-do Test Connectivity. -
Special steps for upgrading 6.2.0 Collector with 7.1.0 Supervisor are required. A bug was introduced in 6.2.0 but fixed in 6.2.1, which will cause the Collector upgrade from 6.2.0 to 7.1.0 to fail, unless the following steps are taken:
-
Download the upgrade package,
FSM_Upgrade_All_7.1.0_build####.zip. -
Unzip the package:
unzip FSM_Upgrade_All_7.1.0_build####.zip -
Go to the upgrade package folder:
cd FSM_Upgrade_All_7.1.0_build### -
Decompress the python 3.9 package:
tar xf Py39-compiled-install.tar.xz -
Move the python 3.9 folder to
/usr/local:mv py39/ /usr/local/ -
Create symlink for python 3.9:
ln -s /usr/local/py39/bin/python3.9 /usr/bin/python3.9 -
Continue with upgrade from Supervisor.
-