Fortinet black logo

Release Notes

Home FortiSIEM 7.1.0 Release Notes
7.1.0
7.1.5
7.1.4
7.1.3
7.1.2
7.1.1
7.1.0
7.0.3
7.0.2
7.0.1
7.0.0
6.7.9
6.7.8
6.7.7
6.7.6
6.7.5
6.7.4
6.7.3
6.7.2
6.7.1
6.7.0
6.6.5
6.6.4
6.6.3
6.6.2
6.6.1
6.6.0
6.5.3
6.5.2
6.5.1
6.5.0
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.3.3
6.3.2
6.3.1
6.3.0
6.2.1
6.2.0
6.1.2
6.1.1
6.1.0
5.4.0
5.3.3
5.3.2
5.3.1
5.3.0
5.2.8
5.2.7
5.2.6
5.2.5
5.2.5
5.2.1
5.1.2
5.1.1
5.1.0
5.0.1
4.10.0
4.9.0

What's New in 7.1.0

What's New in 7.1.0

New Features

Fortinet Advisor

This release introduces OpenAI/ChatGPT-4 powered Advisor that provides the following functions:

  • Responses to SOC Queries by running an API. Currently, the following questions are supported.

    • Get FortiSIEM health – This retrieves the current health of FortiSIEM nodes including Supervisor, Worker and Collector.

    • Get the latest known vulnerabilities – This retrieves the list of vulnerabilities in your environment known to FortiSIEM. To get this data, you must enable FortiSIEM to collect data from FortiClient/EMS or vulnerability scanners.

  • Responses to Questions from 7.1.0 Product documentation and internal knowledge base articles.

  • Analysis and Recommendations for logs and Incidents: From Incidents > List View, Incidents > Risk, Incidents > Investigation and Analytics > Search pages, you can launch these requests using the Fortinet Advisor menu option. Incident analysis provided by OpenAI/ChatGPT-4 can be added to Incident Comments.

  • Automated Incident Analysis and Recommendation using the Notification policy framework. Incident Notification email can be configured to include Incident analysis provided by OpenAI/ChatGPT-4.

  • Help in building a FortiSIEM Report: You can ask the Fortinet Advisor to “Create a report”. After the report has been generated, the report can be uploaded to Analytics at the click of a button and subsequently run. You can also create a rule once you are satisfied with the Report.

Important Notes:

  • Fortinet Advisor uses GPT3.5-Turbo and GPT4. Your OpenAI API key must support access to these models.

  • When asking Advisor to build a report, you can describe the report using natural language, but certain keywords need to be present for accuracy. The syntax is as follows and the keywords are in bold: Create a report to show the <comma separated list of attributes> where <filtering conditions>, group them by <list of event attributes>, and only show results for <having conditions>, order by <attribute> in ascending or descending order. Grouping and ordering is optional. Several examples are provided in the Advisor GUI.

  • For SOC Queries, you always have to use the exact question: “Get FortiSIEM health” and “Get the latest known vulnerabilities”.

  • Anonymization: When you ask ChatGPT for log and Incident analysis using the Fortinet Advisor menu option, then customer specific information is anonymized before sending to ChatGPT. The returned results are converted back to the original values before displaying to the user. The full list of anonymized event attributes is here. Similar anonymization is performed when you invoke ChatGPT via Notification policy. If you manually enter log and ask ChatGPT to analyze the log, then the log fields are not anonymized.

OpenAI Integration and Disclaimer

The Fortinet Advisor lets you connect FortiSIEM to your own OpenAI account, using your own OpenAI license key. This integration will send data from your FortiSIEM to OpenAI and will show you responses from OpenAI. Fortinet does not verify or correct these responses and has no responsibility for them. OpenAI is operated by a third party, not Fortinet. You must exercise discretion and independently verify any information or recommendations you receive from OpenAI before relying on them.

Note: Fortinet Advisor uses GPT3.5-Turbo and GPT4. Your OpenAI API key must support access to these models.

For details on using the Fortinet Advisor, see here.

Scheduled Rules for ClickHouse based Deployments

This release allows users to create Incidents by running reports on periodic intervals. This is only supported for ClickHouse based deployments. In contrast to the current in-memory streaming rule engine, Scheduled rules require disk access and does not scale comparably. In-memory option is faster and a large number of rules can be evaluated concurrently. However, the new scheduled report-based approach has the following advantages:

  1. Rules can be written using the complex analytic functions introduced in 7.0.

  2. Rules can be evaluated over larger time intervals.

Once the scheduled rule conditions are met, Incidents are created the same way as Streaming rules.

For steps on how to define scheduled rules, see Creating a Rule.

A ClickHouse Query Management layer is introduced to enforce a priority-based scheduling between 3 types of queries: Interactive GUI queries (highest priority), Scheduled Rules (medium priority), and Scheduled Reports (lowest priority). The status of currently running ClickHouse queries can be seen on the Query Status page.

Windows Certificate Monitoring via Agent

This release enables FortiSIEM to monitor certificates on Windows hosts via FortiSIEM Agent 7.1.0 and later. The following use-cases are handled:

  • Detect when a certificate is added or deleted.

  • Detect when a certificate has 7-30 days (configurable) left before expiration.

  • Report on certificates that have expired (Can notify "X" number of days after certificate has expired, "X" being configurable).

  • Detect self-signed certificates.

Steps on how to create a Certificate Monitoring Template and distribute to Windows agents is described in Define the Windows Agent Monitor Templates. Sample logs are available here.

Windows Osquery via Agent

Osquery (https://osquery.readthedocs.io/en/latest/) enables you to collect a variety of information from hosts. The osquery framework provides the following key advantages over logging, and can be used effectively in addition to log analysis.

  • Osquery can provide information that is not necessarily available in logs, for example the programs that run when a machine starts up, the TCP/UDP ports that are tied to services, etc...

  • Hosts can be queried for live information using osquery. This can be very useful in Incident investigations.

  • Osquery is Operating system independent – the same Osquery can work for Windows and Linux. Note that FortiSIEM currently supports Osquery for Windows only.

In this release, the osquery framework is integrated into FortiSIEM Windows Agent 7.1. When the 7.1 agent installs, or you upgrade to the 7.1 version, the osquery feature is available.

  • A built-in set of osqueries is provided (Resources > Osquery), and you can create and test your own osquery.

  • An osquery can be attached to a Windows monitoring template, along with other logging and performance monitoring definitions. When the template is assigned to hosts, each host will run the osquery at specific intervals and send the osquery results as FortiSIEM events (prefixed with PH_OSQUERY_WIN). The events can be used in Rules and Reports. Lookup Tables can be populated using these events and Rules can be written using the Lookup Tables.

  • Reports for built-in osqueries are in Resources > Reports > Osquery. Built-in Rules for osqueries can be found by searching for “osquery” in Resources > Rules in the main pane.

  • The user can also run live osqueries from Incident Investigation View. The osquery will collect the current matching data from the hosts. The results can be saved to PDF and attached to Cases.

For steps on how to create an osquery, see here. To attach an osquery to a Windows Monitoring template, see here. Running an osquery from an Incident Investigation graph is a selectable option under Run Reports.

User Alias in Risk Calculation

Often times, a user can have multiple accounts, e.g. Active Directory, AWS, Office 365, email. This release provides a way to define aliases for the main user account in CMDB > User> Edit > Alias. FortiSIEM calculates the Total Risk for that user by including the incidents in which aliases appear.

New Machine Learning Models

This release adds two new Anomaly Detection Machine Learning models:

  1. Gaussian Model - This unsupervised machine learning model approximates the probability distribution of an event attribute as a Gaussian distribution. A data point is considered anomalous if its occurrence probability is lower than the provided threshold.

  2. Gaussian Mixture Model - As a generalization of the Gaussian model, this unsupervised machine learning model approximates the probability distribution of an event attribute as N Gaussian distributions. This is useful for modeling event attributes which has multiple peaks and valleys. A data point is considered anomalous if its occurrence probability is lower than the provided threshold.

For Details, see Anomaly Detection.

Key Enhancements

OS Update

This release includes published Rocky Linux OS updates until October 24, 2023. The list of updates can be found at https://errata.rockylinux.org/.

FortiSIEM Rocky Linux Repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) have also been updated to include fixes until October 24, 2023. Therefore, FortiSIEM customers in versions 6.4.1 and above, can upgrade only their Rocky Linux versions by following the procedures described in https://docs.fortinet.com/document/fortisiem/7.0.0/fortisiem-os-update-procedure/574280/fortisiem-os-update-procedure.

FortiSIEM GUI Enhancements

This release contains several GUI enhancements:

  • New consistent color scheme throughout the GUI for both Light and Dark themes.

  • In the following Views, Incident detail is presented in a slide-in window from the right:

    • Incident List View

    • Incident Explorer View

    • MITRE ATT&CK Incident Explorer View

    • Incident Overview drill-down View

    • Incident Risk drill-down View

  • In Incident List View, the Actions list is streamlined.

  • Added a Check Reputation action for IP, Domain, URL and Hash.

  • In Widget dashboard, the re-arranging of widgets is optimized. When a widget is moved from one position, the GUI shows the tentative new placement based on current position and minimizes widget movements after placing the widget in the new position.

Dynamic Watchlist using User-to-IP Lookup

There are situations where a rule triggers with only username, but remediation requires the current IP address of the user. This release provides a way for FortiSIEM to update an IP based watchlist when a rule triggers, based on the Username to IP mapping information in the Identity and Location database.

When you define a rule, you can create an IP based Watchlist even if the Rule does not have IP as an event type attribute. In Resources > Rules, when adding or editing a rule, go to Step 3: Define Action, click the Watch List Edit icon, and select the LookupIpByUser function to populate a watch list. FortiSIEM will keep track of the User to IP mapping in the Identity and Location database. If it finds an IP mapping for that User, then it will add the matching IP to the watchlist. Some important sub-cases are handled, such as

  • If some other user takes that IP, then that IP is removed from the Watch List.

  • If the offending user takes some other IP, then the Watch List is updated with the new IP.

Kafka Event Collection Improvements

Two improvements were done:

  • Event Collection scalability by enabling multiple collectors to pull on the same Topic.

  • Encryption via SASL/SSL via GUI – This feature was added to 6.7.6 and 7.0.1, but the configuration was via phoenix_config.txt. In this release, this configuration option is added to the GUI. If you are using this feature in 6.7.6 or 7.0.1 and upgrade to 7.1.0, you need to navigate to Admin > Settings > System > Kafka in FortiSIEM GUI, change Protocol from PLAINTEXT to SSL and re-do Test Connectivity.

ClickHouse Storage Reduction for Existing Deployments

If you are running ClickHouse as your event database and upgrade to FortiSIEM 7.1.x, then the new events will be compressed more efficiently using ZSTD, while the old events will remain compressed using LZ4. All the events can be queried. As the older events gets purged over time, all event data will be compressed using ZSTD and the full compression potential of ZSTD will be achieved.

Windows Agent GUI Enhancement

This release enables the user to choose the network interface over which the Windows Agent will communicate with the Supervisor and Collector nodes.

For details, see the 7.1.x Windows Agent Guide.

Ability to Choose a Network Interface during Installation

In earlier releases, FortiSIEM always chose eth0 as the primary network interface for both hardware appliances and virtual machines. This release allows you to choose any configured network interface, including bonded interfaces, during FortiSIEM install process.

For details, see your specific hardware or virtual machine installation guide in the FortiSIEM Document Library.

Public REST API Enhancements

The performance of the following CMDB APIs were improved:

  • /phoenix/rest/cmdbDeviceInfo/devices

  • /phoenix/rest/cmdbDeviceInfo/devicesByPagination

  • /phoenix/rest/config/Domain

A new API is introduced to query archived events:

  • /phoenix/rest/query/archive

A new API is introduced to get IP/Host/User Context

  • /phoenix/rest/context/ip

  • /phoenix/rest/context/hostname

  • /phoenix/rest/context/user

A new API is introduced to query CMDB data. In other words, the API enables you to run CMDB Reports via API.

  • Get the schema: /phoenix/rest/query/cmdb/schema

  • Run a CMDB Query: /phoenix/rest/query/cmdb

Generic STIX/TAXII 2.1 Integration for collecting External Threat Intelligence

This release adds a python script for Collecting External Threat Intelligence feeds from any STIX/TAXII 2.1 Server. Currently supported Indicators include IP, Domain, and URL.

To use this integration, simply select Plugin Type as Python and Plugin Name as the script stix21_threadfeed.py from the Update Malware IP/Domain/URL dialog.

For details, see Custom Threat Feed Websites - Programmatic Import via Python for Malware Domain, Malware IPs, or Malware URLs.

Content Update

Each built-in Report has a Data Source field that specifies the device integration required for this report to have content. Each built-in Rule has 3 new fields: Data Source, Detection Technology and Evaluation Mode. The Data Source field specifies the device integration required for this rule to trigger. Detection Technology can be one of the following values: Correlation, Profiling, Machine Learning and Correlation Using Lookup Table. Evaluation Mode is either Streaming or Scheduled.

The SIGMA rules are now updated to match the latest from the website (https://github.com/SigmaHQ/sigma/tree/master/rules).

See here for the new rules.

See here for the new reports.

New Device Support

This release adds the following device support:

Device Support Enhancements

This release provides following enhancements to already supported devices:

Bug Fixes and Enhancements

Bug ID

Severity

Module

Description

954115

Major

App Server

When host status=UEBA and template configuration with only 'UEBA' is applied, then a Device license is counted.

951833

Major

ClickHouse Backend

NFS Real Time Archive for ClickHouse does not work.

953340

Major

GUI

GUI throws error when a requestor tries to activate or deactivate one rule in Enterprise mode.

955478

Major

Linux Agent

Linux Agent is auditing its own processes and system calls - resulting in large number of useless events.

951156

Major

System

In some situations, ReportWorker to ReportMaster communication issues can cause Data Manager to drop events.

953313

Minor

App Server

Audit log is not generated when rule is activated or deactivated in Enterprise mode.

953181

Minor

App Server

PH_UPDATE_RULE_SUCCEED audit event does not have correct ruleName event attribute, when rule is deleted (added is OK).

949130

Minor

App Server

Description column not included when importing watchlist.

944462

Minor

App Server

PDF/CSV Export fails for "Rules with Exception" CMDB Report.

937174

Minor

App Server

Upgrade and Content Updates may not complete as jobs show status as 'InWaiting'.

936858

Minor

App Server

Error occurs when disabling/enabling a new created event dropping rule.

936635

Minor

App Server

Can't update content version to 409 if content version is not configured to 400.

936224

Minor

App Server

Backend LDAP Authentication Events Shown as Unknown Events in Analytics.

930437

Minor

App Server

PostgreSQL log files are growing in number when DR has issue - create a log when this happens.

928788

Minor

App Server

Scheduling a report to run in the future runs after saving the schedule.

926547

Minor

App Server

Public Watchlist REST API (POST /phoenix/rest/watchlist/save) is not working.

923582

Minor

App Server

Public REST API /phoenix/rest/device/update returns error when updating a specific device.

923081

Minor

App Server

Public REST API to update CMDB Device System property returns NullPointer Exception.

920602

Minor

App Server

Public REST API for device maintenance (/phoenix/rest/deviceMaint/update) returns status code 500 even though it successfully created a maintenance schedule.

915524

Minor

App Server

Cases tab - Export Summary for all tickets is limited to 30 entries.

902079

Minor

App Server

Periodic updates are not working for AlienVault Malware Hash.

887393

Minor

App Server

FortiSIEM Incident Tags not being reflected in Incident JSON when pulled via Rest API.

881550

Minor

App Server

Malware Domain (AlienVault) doesn't pull all the domain values from AlienVault's response.

876052

Minor

App Server

Global Org view permission not honored from dashboard widget and drill down when phEventCategory is part of the query.

874420

Minor

App Server

Custom dashboard cannot be shared with AD group role user.

814006

Minor

App Server

Cloud Health shows wrong info after 6.5.0 for Supervisor with two NICs.

954731

Minor

App Server,GUI

Global constraint using simple function in rule is not working properly.

860610

Minor

App Server,GUI

Read-only user can still modify some values due to improper access controls.

940119

Minor

ClickHouse Backend

ClickHouse internal logs (trace_log, part_log, asynchronous_metric_log, query_log) grow to take up significant storage.

888575

Minor

ClickHouse Backend

ClickHouse encounters Signal 8 segmentation fault when all nodes in a shard are deleted.

958249

Minor

Data work

FortiGate Parser Event Type Spelling Error for NTP Status Events.

955723

Minor

Data work

Drilldown from the Server Dashboard -> Logins -> Account Lockouts widget leads to the wrong report.

932909

Minor

Data work

GitlabLogParser not functioning properly.

932801

Minor

Data work

Update Cisco Umbrella DNS parser.

904038

Minor

Data work

Update parsing for Win-Security-5136.

946373

Minor

Discovery

LDAP discovery imports contact when email field is configured.

937157

Minor

Discovery

AD Discovery completes, but cmdb GUI does not load (reason: bad group insertion in ph_group table).

958820

Minor

Event Pulling Agents

Agent Manager has high memory when reading large files for Generic AWS S3 integration.

958363

Minor

Event Pulling agents

Missing some Proofpoint events due to vendor's data format changes.

951615

Minor

Event Pulling Agents

For Tenable Security Agent, duplicate events may be seen if phAgentManager process is restarted.

949554

Minor

Event Pulling Agents

CrowdStrike event stream is getting reset every 5 minutes.

956515

Minor

GUI

Cases with overlapping incidents does not work. If a Case is opened for an Incident which is already part of a Case, then the existing case is updated.

954050

Minor

GUI

FortiGuard CTS external lookup results not added to result history in Investigation.

934291

Minor

GUI

Altering critical interfaces list in CMDB is only possible for the first selected device.

933843

Minor

GUI

Allow Parser Test to proceed even if there are more than 10 test events.

928561

Minor

GUI

Need to add OMI in Resources > Remediation, since Windows Remediation scripts require OMI credential.

946758

Minor

Identity & Location

Sometimes phIpIdentityWorker module crashed in libcurl module.

915091

Minor

Linux Agent

Linux agent audit.log folder filling up with denied write messages for user fsmadmin.

951409

Minor

Machine Learning

Viewing Scatter Plot from Machine Learning > Prepare causes GUI corruption.

951408

Minor

Machine Learning

Report for ML job built from ad-hoc report is saved in Ungrouped folder instead of Machine Learning.

934545

Minor

Notification

Case automatically created from incident without any notification policy configured.

899393

Minor

Notification

No subject line in SMS Incident Notification.

943849

Minor

Parser

Two PH_SYSTEM_EPS_ORG events generated for Super organization when there are Super local collectors.

936757

Minor

Parser

EPS calculation mismatch because (a) unknown events not counted towards license and (b) type casting error.

931868

Minor

Parser

Collector Name is not set correctly in events.

925100

Minor

Query

ClickHouse Queries referring custom network range object returns no data.

937564

Minor

Report

Report Designer only allows one Legend per Page, even if you add multiple Charts to the same page.

952241

Minor

Rule

Occasional NullPointerException error when testing a rule.

925899

Minor

Rule

phRuleMaster process crashes due to event size 65k buffer overflow.

938995

Minor

System

In Redis cache and clickhouse, ingestionnodesonline key missing for datamanager and querymaster, causing queries to fail - happens on migrating other databases to ClickHouse.

938739

Minor

System

PostgreSQL symbolic link was missing for psql 13 (6.4.x -> 6.7.2).

938735

Minor

System

Upgrade failed due to httpd process that did not start (6.7.1 -> 6.7.3).

938675

Minor

System

Upgrade to 6.7.4 could not uninstall python package pyyaml (6.6.3 -> 6.7.4).

921597

Minor

System

Reboot extremely slow and /tmp files removal errors after upgrade to v7.0.0.

902108

Minor

System

Installing on VMware ESX8 reports a certificate error.

952305

Minor

Windows Agent

UEBA File printed events comes through as '?' when printing files with Arabic characters.

947196

Minor

Windows Agent

Windows agent events are not parsed, when agent moves from offline > online.

902941

Minor

Windows Agent

Windows Agent always uses Windows proxy settings automatically and ignores /noproxy settings.

954539

Enhancement

App Server

Add Audit log when user runs a query and exports data from GUI.

951444

Enhancement

App Server

Extend the public Incident API to pull Incidents by specific event types.

937666

Enhancement

App Server

Remove unnecessary elements from Rule and Report Definition XML file during export from GUI.

919278

Enhancement

App Server

Provide IP + User based lockout for shared system accounts.

908586

Enhancement

App Server

FortiSIEM nodes discovered as a separate CMDB Group.

877664

Enhancement

App Server

Handle AlienVault new native API.

808565

Enhancement

App Server

Provide feedback on GUI when importing malware ip/hash, etc. from CSV files.

955721

Enhancement

Data work

Proofpoint parser update for URLs.

958363

Enhancement

Data work

Proofpoint parser needs update.

955949

Enhancement

Data work

Update FortiMail Cloud event parser.

953321

Enhancement

Data work

Enhance Pulse Secure VPN events to parse User, Source IP and Source Country fields.

953213

Enhancement

Data work

Sophos XG Firewall Parser update.

951972

Enhancement

Data work

Win-Sysmon-22-DNS-Query Event needs enhancement.

949904

Enhancement

Data work

Wrong Incident Title - Concurrent VPN Authentications To Same Account From Different Cities.

949563

Enhancement

Data work

Ingestion JSON Formatted Event from BitdefenderGravityZoneParser does not populate Reporting Ip.

947118

Enhancement

Data work

Add case to Generic DHCP Parser to resolve 'unknown' events.

943724

Enhancement

Data work

Fortimanager v7.2.3 parsing fails.

943106

Enhancement

Data work

Update FortiClient parser.

940666

Enhancement

Data work

Update FortiEDR parser.

936898

Enhancement

Data work

Several parsers incorrectly use applicationId of type UINT32 as a string field.

935755

Enhancement

Data work

Need to update UbiquityParser for new event types.

933472

Enhancement

Data work

Parse VMware vSAN Trace Logs.

926545

Enhancement

Data work

Update McAfeeXmlParser Parser.

925683

Enhancement

Data work

Create two rules for Dragos Worldview IP Traffic.

924510

Enhancement

Data work

FortiGate Parser doesn't parse when FortiGate serial number begins with 'FD'.

911349

Enhancement

Data work

WinOSWmiParser not parsing Application Name as attribute for event ids : 5154, 5158.

901988

Enhancement

Data work

NSX-T events are not being parsed correctly.

885730

Enhancement

Data work

FortiWeb Cloud Parser via syslog.

885316

Enhancement

Data work

Sourcefire2Parser is not parsing the HTTP Response Code field to httpStatusCode in the Raw Event Log.

884548

Enhancement

Data work

FortiAI/NDR parser update.

881333

Enhancement

Data work

Add Support to parse events received from FortiAuthenticator.

879396

Enhancement

Data work

Windows Security Event IDs 1200,1201,1206,1207,1210 are missing fields in 'RequestAuditComponent' via windows agent.

876847

Enhancement

Data work

McAfee Web Gateway parser update.

873640

Enhancement

Data work

Additional SNMP SysObjIds needed for Dell switches.

926726

Enhancement

Discovery

Add support for JBOSS 7.1.

829081

Enhancement

Discovery

For Agent/WMI/OMI - provide user option to set FQDN or shortname in discovery, perf monitoring and logs.

930821

Enhancement

Event Pulling Agents

Enhance HTTPS Advanced Generic Poller to support raw JSON post to support APIs similar to Cortex XDR.

937127

Enhancement

GUI

Add capability to Search on Discover > Include/Exclude Types.

927632

Enhancement

GUI

Allow users to choose number of rows/page in tables.

916266

Enhancement

GUI

Prevent users from changing incident severity category by mistake.

942641

Enhancement

Linux Agent

Add FortiSIEM Linux Agent support for Debian 11 and Debian 12.

941337

Enhancement

Performance Monitoring

Add CPU and Memory Monitoring via SNMP for Huawei VRP.

922131

Enhancement

Rule

Create a System Error in GUI when FortiSIEM starts to throttle Incidents (Rate limiting threshold is hit).

938679

Enhancement

System

Need to verify FSM RPM before upgrade (6.7.x -> 6.7.7).

938672

Enhancement

System

Clean up old upgrade images from /opt/upgrade to save space and make new upgrade succeed.

926490

Enhancement

System

Enhance phziplogs to include phoenix_config.txt and dmesg output.

880535

Enhancement

System

Enable Content update Docker Collector.

933390

Enhancement

Upgrade

Before beginning upgrade, ensure that /opt has enough free disk for CMDB backup.

Known Issues

  1. Kafka encryption via SASL/SSL is set from the GUI. This feature was added to 6.7.6 and 7.0.1, but the configuration was via phoenix_config.txt. If you are using this feature in 6.7.6 or 7.0.1 and upgrade to 7.1.0, you need to navigate to Admin > Settings > System > Kafka in FortiSIEM GUI, change Protocol from PLAINTEXT to SSL and re-do Test Connectivity.

  2. Special steps for upgrading 6.2.0 Collector with 7.1.0 Supervisor are required. A bug was introduced in 6.2.0 but fixed in 6.2.1, which will cause the Collector upgrade from 6.2.0 to 7.1.0 to fail, unless the following steps are taken:

    1. Download the upgrade package, FSM_Upgrade_All_7.1.0_build####.zip.

    2. Unzip the package:

      unzip FSM_Upgrade_All_7.1.0_build####.zip

    3. Go to the upgrade package folder:

      cd FSM_Upgrade_All_7.1.0_build###

    4. Decompress the python 3.9 package:

      tar xf Py39-compiled-install.tar.xz

    5. Move the python 3.9 folder to /usr/local:

      mv py39/ /usr/local/

    6. Create symlink for python 3.9:

      ln -s /usr/local/py39/bin/python3.9 /usr/bin/python3.9

    7. Continue with upgrade from Supervisor.

Previous
Next

What's New in 7.1.0

New Features

Fortinet Advisor

This release introduces OpenAI/ChatGPT-4 powered Advisor that provides the following functions:

  • Responses to SOC Queries by running an API. Currently, the following questions are supported.

    • Get FortiSIEM health – This retrieves the current health of FortiSIEM nodes including Supervisor, Worker and Collector.

    • Get the latest known vulnerabilities – This retrieves the list of vulnerabilities in your environment known to FortiSIEM. To get this data, you must enable FortiSIEM to collect data from FortiClient/EMS or vulnerability scanners.

  • Responses to Questions from 7.1.0 Product documentation and internal knowledge base articles.

  • Analysis and Recommendations for logs and Incidents: From Incidents > List View, Incidents > Risk, Incidents > Investigation and Analytics > Search pages, you can launch these requests using the Fortinet Advisor menu option. Incident analysis provided by OpenAI/ChatGPT-4 can be added to Incident Comments.

  • Automated Incident Analysis and Recommendation using the Notification policy framework. Incident Notification email can be configured to include Incident analysis provided by OpenAI/ChatGPT-4.

  • Help in building a FortiSIEM Report: You can ask the Fortinet Advisor to “Create a report”. After the report has been generated, the report can be uploaded to Analytics at the click of a button and subsequently run. You can also create a rule once you are satisfied with the Report.

Important Notes:

  • Fortinet Advisor uses GPT3.5-Turbo and GPT4. Your OpenAI API key must support access to these models.

  • When asking Advisor to build a report, you can describe the report using natural language, but certain keywords need to be present for accuracy. The syntax is as follows and the keywords are in bold: Create a report to show the <comma separated list of attributes> where <filtering conditions>, group them by <list of event attributes>, and only show results for <having conditions>, order by <attribute> in ascending or descending order. Grouping and ordering is optional. Several examples are provided in the Advisor GUI.

  • For SOC Queries, you always have to use the exact question: “Get FortiSIEM health” and “Get the latest known vulnerabilities”.

  • Anonymization: When you ask ChatGPT for log and Incident analysis using the Fortinet Advisor menu option, then customer specific information is anonymized before sending to ChatGPT. The returned results are converted back to the original values before displaying to the user. The full list of anonymized event attributes is here. Similar anonymization is performed when you invoke ChatGPT via Notification policy. If you manually enter log and ask ChatGPT to analyze the log, then the log fields are not anonymized.

OpenAI Integration and Disclaimer

The Fortinet Advisor lets you connect FortiSIEM to your own OpenAI account, using your own OpenAI license key. This integration will send data from your FortiSIEM to OpenAI and will show you responses from OpenAI. Fortinet does not verify or correct these responses and has no responsibility for them. OpenAI is operated by a third party, not Fortinet. You must exercise discretion and independently verify any information or recommendations you receive from OpenAI before relying on them.

Note: Fortinet Advisor uses GPT3.5-Turbo and GPT4. Your OpenAI API key must support access to these models.

For details on using the Fortinet Advisor, see here.

Scheduled Rules for ClickHouse based Deployments

This release allows users to create Incidents by running reports on periodic intervals. This is only supported for ClickHouse based deployments. In contrast to the current in-memory streaming rule engine, Scheduled rules require disk access and does not scale comparably. In-memory option is faster and a large number of rules can be evaluated concurrently. However, the new scheduled report-based approach has the following advantages:

  1. Rules can be written using the complex analytic functions introduced in 7.0.

  2. Rules can be evaluated over larger time intervals.

Once the scheduled rule conditions are met, Incidents are created the same way as Streaming rules.

For steps on how to define scheduled rules, see Creating a Rule.

A ClickHouse Query Management layer is introduced to enforce a priority-based scheduling between 3 types of queries: Interactive GUI queries (highest priority), Scheduled Rules (medium priority), and Scheduled Reports (lowest priority). The status of currently running ClickHouse queries can be seen on the Query Status page.

Windows Certificate Monitoring via Agent

This release enables FortiSIEM to monitor certificates on Windows hosts via FortiSIEM Agent 7.1.0 and later. The following use-cases are handled:

  • Detect when a certificate is added or deleted.

  • Detect when a certificate has 7-30 days (configurable) left before expiration.

  • Report on certificates that have expired (Can notify "X" number of days after certificate has expired, "X" being configurable).

  • Detect self-signed certificates.

Steps on how to create a Certificate Monitoring Template and distribute to Windows agents is described in Define the Windows Agent Monitor Templates. Sample logs are available here.

Windows Osquery via Agent

Osquery (https://osquery.readthedocs.io/en/latest/) enables you to collect a variety of information from hosts. The osquery framework provides the following key advantages over logging, and can be used effectively in addition to log analysis.

  • Osquery can provide information that is not necessarily available in logs, for example the programs that run when a machine starts up, the TCP/UDP ports that are tied to services, etc...

  • Hosts can be queried for live information using osquery. This can be very useful in Incident investigations.

  • Osquery is Operating system independent – the same Osquery can work for Windows and Linux. Note that FortiSIEM currently supports Osquery for Windows only.

In this release, the osquery framework is integrated into FortiSIEM Windows Agent 7.1. When the 7.1 agent installs, or you upgrade to the 7.1 version, the osquery feature is available.

  • A built-in set of osqueries is provided (Resources > Osquery), and you can create and test your own osquery.

  • An osquery can be attached to a Windows monitoring template, along with other logging and performance monitoring definitions. When the template is assigned to hosts, each host will run the osquery at specific intervals and send the osquery results as FortiSIEM events (prefixed with PH_OSQUERY_WIN). The events can be used in Rules and Reports. Lookup Tables can be populated using these events and Rules can be written using the Lookup Tables.

  • Reports for built-in osqueries are in Resources > Reports > Osquery. Built-in Rules for osqueries can be found by searching for “osquery” in Resources > Rules in the main pane.

  • The user can also run live osqueries from Incident Investigation View. The osquery will collect the current matching data from the hosts. The results can be saved to PDF and attached to Cases.

For steps on how to create an osquery, see here. To attach an osquery to a Windows Monitoring template, see here. Running an osquery from an Incident Investigation graph is a selectable option under Run Reports.

User Alias in Risk Calculation

Often times, a user can have multiple accounts, e.g. Active Directory, AWS, Office 365, email. This release provides a way to define aliases for the main user account in CMDB > User> Edit > Alias. FortiSIEM calculates the Total Risk for that user by including the incidents in which aliases appear.

New Machine Learning Models

This release adds two new Anomaly Detection Machine Learning models:

  1. Gaussian Model - This unsupervised machine learning model approximates the probability distribution of an event attribute as a Gaussian distribution. A data point is considered anomalous if its occurrence probability is lower than the provided threshold.

  2. Gaussian Mixture Model - As a generalization of the Gaussian model, this unsupervised machine learning model approximates the probability distribution of an event attribute as N Gaussian distributions. This is useful for modeling event attributes which has multiple peaks and valleys. A data point is considered anomalous if its occurrence probability is lower than the provided threshold.

For Details, see Anomaly Detection.

Key Enhancements

OS Update

This release includes published Rocky Linux OS updates until October 24, 2023. The list of updates can be found at https://errata.rockylinux.org/.

FortiSIEM Rocky Linux Repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) have also been updated to include fixes until October 24, 2023. Therefore, FortiSIEM customers in versions 6.4.1 and above, can upgrade only their Rocky Linux versions by following the procedures described in https://docs.fortinet.com/document/fortisiem/7.0.0/fortisiem-os-update-procedure/574280/fortisiem-os-update-procedure.

FortiSIEM GUI Enhancements

This release contains several GUI enhancements:

  • New consistent color scheme throughout the GUI for both Light and Dark themes.

  • In the following Views, Incident detail is presented in a slide-in window from the right:

    • Incident List View

    • Incident Explorer View

    • MITRE ATT&CK Incident Explorer View

    • Incident Overview drill-down View

    • Incident Risk drill-down View

  • In Incident List View, the Actions list is streamlined.

  • Added a Check Reputation action for IP, Domain, URL and Hash.

  • In Widget dashboard, the re-arranging of widgets is optimized. When a widget is moved from one position, the GUI shows the tentative new placement based on current position and minimizes widget movements after placing the widget in the new position.

Dynamic Watchlist using User-to-IP Lookup

There are situations where a rule triggers with only username, but remediation requires the current IP address of the user. This release provides a way for FortiSIEM to update an IP based watchlist when a rule triggers, based on the Username to IP mapping information in the Identity and Location database.

When you define a rule, you can create an IP based Watchlist even if the Rule does not have IP as an event type attribute. In Resources > Rules, when adding or editing a rule, go to Step 3: Define Action, click the Watch List Edit icon, and select the LookupIpByUser function to populate a watch list. FortiSIEM will keep track of the User to IP mapping in the Identity and Location database. If it finds an IP mapping for that User, then it will add the matching IP to the watchlist. Some important sub-cases are handled, such as

  • If some other user takes that IP, then that IP is removed from the Watch List.

  • If the offending user takes some other IP, then the Watch List is updated with the new IP.

Kafka Event Collection Improvements

Two improvements were done:

  • Event Collection scalability by enabling multiple collectors to pull on the same Topic.

  • Encryption via SASL/SSL via GUI – This feature was added to 6.7.6 and 7.0.1, but the configuration was via phoenix_config.txt. In this release, this configuration option is added to the GUI. If you are using this feature in 6.7.6 or 7.0.1 and upgrade to 7.1.0, you need to navigate to Admin > Settings > System > Kafka in FortiSIEM GUI, change Protocol from PLAINTEXT to SSL and re-do Test Connectivity.

ClickHouse Storage Reduction for Existing Deployments

If you are running ClickHouse as your event database and upgrade to FortiSIEM 7.1.x, then the new events will be compressed more efficiently using ZSTD, while the old events will remain compressed using LZ4. All the events can be queried. As the older events gets purged over time, all event data will be compressed using ZSTD and the full compression potential of ZSTD will be achieved.

Windows Agent GUI Enhancement

This release enables the user to choose the network interface over which the Windows Agent will communicate with the Supervisor and Collector nodes.

For details, see the 7.1.x Windows Agent Guide.

Ability to Choose a Network Interface during Installation

In earlier releases, FortiSIEM always chose eth0 as the primary network interface for both hardware appliances and virtual machines. This release allows you to choose any configured network interface, including bonded interfaces, during FortiSIEM install process.

For details, see your specific hardware or virtual machine installation guide in the FortiSIEM Document Library.

Public REST API Enhancements

The performance of the following CMDB APIs were improved:

  • /phoenix/rest/cmdbDeviceInfo/devices

  • /phoenix/rest/cmdbDeviceInfo/devicesByPagination

  • /phoenix/rest/config/Domain

A new API is introduced to query archived events:

  • /phoenix/rest/query/archive

A new API is introduced to get IP/Host/User Context

  • /phoenix/rest/context/ip

  • /phoenix/rest/context/hostname

  • /phoenix/rest/context/user

A new API is introduced to query CMDB data. In other words, the API enables you to run CMDB Reports via API.

  • Get the schema: /phoenix/rest/query/cmdb/schema

  • Run a CMDB Query: /phoenix/rest/query/cmdb

Generic STIX/TAXII 2.1 Integration for collecting External Threat Intelligence

This release adds a python script for Collecting External Threat Intelligence feeds from any STIX/TAXII 2.1 Server. Currently supported Indicators include IP, Domain, and URL.

To use this integration, simply select Plugin Type as Python and Plugin Name as the script stix21_threadfeed.py from the Update Malware IP/Domain/URL dialog.

For details, see Custom Threat Feed Websites - Programmatic Import via Python for Malware Domain, Malware IPs, or Malware URLs.

Content Update

Each built-in Report has a Data Source field that specifies the device integration required for this report to have content. Each built-in Rule has 3 new fields: Data Source, Detection Technology and Evaluation Mode. The Data Source field specifies the device integration required for this rule to trigger. Detection Technology can be one of the following values: Correlation, Profiling, Machine Learning and Correlation Using Lookup Table. Evaluation Mode is either Streaming or Scheduled.

The SIGMA rules are now updated to match the latest from the website (https://github.com/SigmaHQ/sigma/tree/master/rules).

See here for the new rules.

See here for the new reports.

New Device Support

This release adds the following device support:

Device Support Enhancements

This release provides following enhancements to already supported devices:

Bug Fixes and Enhancements

Bug ID

Severity

Module

Description

954115

Major

App Server

When host status=UEBA and template configuration with only 'UEBA' is applied, then a Device license is counted.

951833

Major

ClickHouse Backend

NFS Real Time Archive for ClickHouse does not work.

953340

Major

GUI

GUI throws error when a requestor tries to activate or deactivate one rule in Enterprise mode.

955478

Major

Linux Agent

Linux Agent is auditing its own processes and system calls - resulting in large number of useless events.

951156

Major

System

In some situations, ReportWorker to ReportMaster communication issues can cause Data Manager to drop events.

953313

Minor

App Server

Audit log is not generated when rule is activated or deactivated in Enterprise mode.

953181

Minor

App Server

PH_UPDATE_RULE_SUCCEED audit event does not have correct ruleName event attribute, when rule is deleted (added is OK).

949130

Minor

App Server

Description column not included when importing watchlist.

944462

Minor

App Server

PDF/CSV Export fails for "Rules with Exception" CMDB Report.

937174

Minor

App Server

Upgrade and Content Updates may not complete as jobs show status as 'InWaiting'.

936858

Minor

App Server

Error occurs when disabling/enabling a new created event dropping rule.

936635

Minor

App Server

Can't update content version to 409 if content version is not configured to 400.

936224

Minor

App Server

Backend LDAP Authentication Events Shown as Unknown Events in Analytics.

930437

Minor

App Server

PostgreSQL log files are growing in number when DR has issue - create a log when this happens.

928788

Minor

App Server

Scheduling a report to run in the future runs after saving the schedule.

926547

Minor

App Server

Public Watchlist REST API (POST /phoenix/rest/watchlist/save) is not working.

923582

Minor

App Server

Public REST API /phoenix/rest/device/update returns error when updating a specific device.

923081

Minor

App Server

Public REST API to update CMDB Device System property returns NullPointer Exception.

920602

Minor

App Server

Public REST API for device maintenance (/phoenix/rest/deviceMaint/update) returns status code 500 even though it successfully created a maintenance schedule.

915524

Minor

App Server

Cases tab - Export Summary for all tickets is limited to 30 entries.

902079

Minor

App Server

Periodic updates are not working for AlienVault Malware Hash.

887393

Minor

App Server

FortiSIEM Incident Tags not being reflected in Incident JSON when pulled via Rest API.

881550

Minor

App Server

Malware Domain (AlienVault) doesn't pull all the domain values from AlienVault's response.

876052

Minor

App Server

Global Org view permission not honored from dashboard widget and drill down when phEventCategory is part of the query.

874420

Minor

App Server

Custom dashboard cannot be shared with AD group role user.

814006

Minor

App Server

Cloud Health shows wrong info after 6.5.0 for Supervisor with two NICs.

954731

Minor

App Server,GUI

Global constraint using simple function in rule is not working properly.

860610

Minor

App Server,GUI

Read-only user can still modify some values due to improper access controls.

940119

Minor

ClickHouse Backend

ClickHouse internal logs (trace_log, part_log, asynchronous_metric_log, query_log) grow to take up significant storage.

888575

Minor

ClickHouse Backend

ClickHouse encounters Signal 8 segmentation fault when all nodes in a shard are deleted.

958249

Minor

Data work

FortiGate Parser Event Type Spelling Error for NTP Status Events.

955723

Minor

Data work

Drilldown from the Server Dashboard -> Logins -> Account Lockouts widget leads to the wrong report.

932909

Minor

Data work

GitlabLogParser not functioning properly.

932801

Minor

Data work

Update Cisco Umbrella DNS parser.

904038

Minor

Data work

Update parsing for Win-Security-5136.

946373

Minor

Discovery

LDAP discovery imports contact when email field is configured.

937157

Minor

Discovery

AD Discovery completes, but cmdb GUI does not load (reason: bad group insertion in ph_group table).

958820

Minor

Event Pulling Agents

Agent Manager has high memory when reading large files for Generic AWS S3 integration.

958363

Minor

Event Pulling agents

Missing some Proofpoint events due to vendor's data format changes.

951615

Minor

Event Pulling Agents

For Tenable Security Agent, duplicate events may be seen if phAgentManager process is restarted.

949554

Minor

Event Pulling Agents

CrowdStrike event stream is getting reset every 5 minutes.

956515

Minor

GUI

Cases with overlapping incidents does not work. If a Case is opened for an Incident which is already part of a Case, then the existing case is updated.

954050

Minor

GUI

FortiGuard CTS external lookup results not added to result history in Investigation.

934291

Minor

GUI

Altering critical interfaces list in CMDB is only possible for the first selected device.

933843

Minor

GUI

Allow Parser Test to proceed even if there are more than 10 test events.

928561

Minor

GUI

Need to add OMI in Resources > Remediation, since Windows Remediation scripts require OMI credential.

946758

Minor

Identity & Location

Sometimes phIpIdentityWorker module crashed in libcurl module.

915091

Minor

Linux Agent

Linux agent audit.log folder filling up with denied write messages for user fsmadmin.

951409

Minor

Machine Learning

Viewing Scatter Plot from Machine Learning > Prepare causes GUI corruption.

951408

Minor

Machine Learning

Report for ML job built from ad-hoc report is saved in Ungrouped folder instead of Machine Learning.

934545

Minor

Notification

Case automatically created from incident without any notification policy configured.

899393

Minor

Notification

No subject line in SMS Incident Notification.

943849

Minor

Parser

Two PH_SYSTEM_EPS_ORG events generated for Super organization when there are Super local collectors.

936757

Minor

Parser

EPS calculation mismatch because (a) unknown events not counted towards license and (b) type casting error.

931868

Minor

Parser

Collector Name is not set correctly in events.

925100

Minor

Query

ClickHouse Queries referring custom network range object returns no data.

937564

Minor

Report

Report Designer only allows one Legend per Page, even if you add multiple Charts to the same page.

952241

Minor

Rule

Occasional NullPointerException error when testing a rule.

925899

Minor

Rule

phRuleMaster process crashes due to event size 65k buffer overflow.

938995

Minor

System

In Redis cache and clickhouse, ingestionnodesonline key missing for datamanager and querymaster, causing queries to fail - happens on migrating other databases to ClickHouse.

938739

Minor

System

PostgreSQL symbolic link was missing for psql 13 (6.4.x -> 6.7.2).

938735

Minor

System

Upgrade failed due to httpd process that did not start (6.7.1 -> 6.7.3).

938675

Minor

System

Upgrade to 6.7.4 could not uninstall python package pyyaml (6.6.3 -> 6.7.4).

921597

Minor

System

Reboot extremely slow and /tmp files removal errors after upgrade to v7.0.0.

902108

Minor

System

Installing on VMware ESX8 reports a certificate error.

952305

Minor

Windows Agent

UEBA File printed events comes through as '?' when printing files with Arabic characters.

947196

Minor

Windows Agent

Windows agent events are not parsed, when agent moves from offline > online.

902941

Minor

Windows Agent

Windows Agent always uses Windows proxy settings automatically and ignores /noproxy settings.

954539

Enhancement

App Server

Add Audit log when user runs a query and exports data from GUI.

951444

Enhancement

App Server

Extend the public Incident API to pull Incidents by specific event types.

937666

Enhancement

App Server

Remove unnecessary elements from Rule and Report Definition XML file during export from GUI.

919278

Enhancement

App Server

Provide IP + User based lockout for shared system accounts.

908586

Enhancement

App Server

FortiSIEM nodes discovered as a separate CMDB Group.

877664

Enhancement

App Server

Handle AlienVault new native API.

808565

Enhancement

App Server

Provide feedback on GUI when importing malware ip/hash, etc. from CSV files.

955721

Enhancement

Data work

Proofpoint parser update for URLs.

958363

Enhancement

Data work

Proofpoint parser needs update.

955949

Enhancement

Data work

Update FortiMail Cloud event parser.

953321

Enhancement

Data work

Enhance Pulse Secure VPN events to parse User, Source IP and Source Country fields.

953213

Enhancement

Data work

Sophos XG Firewall Parser update.

951972

Enhancement

Data work

Win-Sysmon-22-DNS-Query Event needs enhancement.

949904

Enhancement

Data work

Wrong Incident Title - Concurrent VPN Authentications To Same Account From Different Cities.

949563

Enhancement

Data work

Ingestion JSON Formatted Event from BitdefenderGravityZoneParser does not populate Reporting Ip.

947118

Enhancement

Data work

Add case to Generic DHCP Parser to resolve 'unknown' events.

943724

Enhancement

Data work

Fortimanager v7.2.3 parsing fails.

943106

Enhancement

Data work

Update FortiClient parser.

940666

Enhancement

Data work

Update FortiEDR parser.

936898

Enhancement

Data work

Several parsers incorrectly use applicationId of type UINT32 as a string field.

935755

Enhancement

Data work

Need to update UbiquityParser for new event types.

933472

Enhancement

Data work

Parse VMware vSAN Trace Logs.

926545

Enhancement

Data work

Update McAfeeXmlParser Parser.

925683

Enhancement

Data work

Create two rules for Dragos Worldview IP Traffic.

924510

Enhancement

Data work

FortiGate Parser doesn't parse when FortiGate serial number begins with 'FD'.

911349

Enhancement

Data work

WinOSWmiParser not parsing Application Name as attribute for event ids : 5154, 5158.

901988

Enhancement

Data work

NSX-T events are not being parsed correctly.

885730

Enhancement

Data work

FortiWeb Cloud Parser via syslog.

885316

Enhancement

Data work

Sourcefire2Parser is not parsing the HTTP Response Code field to httpStatusCode in the Raw Event Log.

884548

Enhancement

Data work

FortiAI/NDR parser update.

881333

Enhancement

Data work

Add Support to parse events received from FortiAuthenticator.

879396

Enhancement

Data work

Windows Security Event IDs 1200,1201,1206,1207,1210 are missing fields in 'RequestAuditComponent' via windows agent.

876847

Enhancement

Data work

McAfee Web Gateway parser update.

873640

Enhancement

Data work

Additional SNMP SysObjIds needed for Dell switches.

926726

Enhancement

Discovery

Add support for JBOSS 7.1.

829081

Enhancement

Discovery

For Agent/WMI/OMI - provide user option to set FQDN or shortname in discovery, perf monitoring and logs.

930821

Enhancement

Event Pulling Agents

Enhance HTTPS Advanced Generic Poller to support raw JSON post to support APIs similar to Cortex XDR.

937127

Enhancement

GUI

Add capability to Search on Discover > Include/Exclude Types.

927632

Enhancement

GUI

Allow users to choose number of rows/page in tables.

916266

Enhancement

GUI

Prevent users from changing incident severity category by mistake.

942641

Enhancement

Linux Agent

Add FortiSIEM Linux Agent support for Debian 11 and Debian 12.

941337

Enhancement

Performance Monitoring

Add CPU and Memory Monitoring via SNMP for Huawei VRP.

922131

Enhancement

Rule

Create a System Error in GUI when FortiSIEM starts to throttle Incidents (Rate limiting threshold is hit).

938679

Enhancement

System

Need to verify FSM RPM before upgrade (6.7.x -> 6.7.7).

938672

Enhancement

System

Clean up old upgrade images from /opt/upgrade to save space and make new upgrade succeed.

926490

Enhancement

System

Enhance phziplogs to include phoenix_config.txt and dmesg output.

880535

Enhancement

System

Enable Content update Docker Collector.

933390

Enhancement

Upgrade

Before beginning upgrade, ensure that /opt has enough free disk for CMDB backup.

Known Issues

  1. Kafka encryption via SASL/SSL is set from the GUI. This feature was added to 6.7.6 and 7.0.1, but the configuration was via phoenix_config.txt. If you are using this feature in 6.7.6 or 7.0.1 and upgrade to 7.1.0, you need to navigate to Admin > Settings > System > Kafka in FortiSIEM GUI, change Protocol from PLAINTEXT to SSL and re-do Test Connectivity.

  2. Special steps for upgrading 6.2.0 Collector with 7.1.0 Supervisor are required. A bug was introduced in 6.2.0 but fixed in 6.2.1, which will cause the Collector upgrade from 6.2.0 to 7.1.0 to fail, unless the following steps are taken:

    1. Download the upgrade package, FSM_Upgrade_All_7.1.0_build####.zip.

    2. Unzip the package:

      unzip FSM_Upgrade_All_7.1.0_build####.zip

    3. Go to the upgrade package folder:

      cd FSM_Upgrade_All_7.1.0_build###

    4. Decompress the python 3.9 package:

      tar xf Py39-compiled-install.tar.xz

    5. Move the python 3.9 folder to /usr/local:

      mv py39/ /usr/local/

    6. Create symlink for python 3.9:

      ln -s /usr/local/py39/bin/python3.9 /usr/bin/python3.9

    7. Continue with upgrade from Supervisor.

Previous
Next