What's New in 7.1.1
This release contains the following key enhancements and bug fixes.
Key Enhancements
Rocky Linux 8.9
This release updates Rocky Linux OS to 8.9 and includes published Rocky Linux OS updates until November 28, 2023. The list of updates can be found at https://errata.rockylinux.org/.
FortiSIEM Rocky Linux Repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) have also been updated to include fixes until July 14, 2023. Therefore, FortiSIEM customers on versions 6.4.1 and above can upgrade only their Rocky Linux versions by following the procedures described in FortiSIEM OS Update Procedure.
Redis Memory Usage Optimization
FortiSIEM uses Redis to distribute CMDB Group Objects (including Malware IP/Domain/URL/Hash objects) from the Supervisor PostgreSQL database to the Worker nodes. A Malware IP or Domain group containing a large number of entries can cause Redis to hit its memory limit and cause Search queries to fail. In this release, by using compression techniques, Redis peak memory usage is reduced significantly. This enables FortiSIEM to handle more threat feed entries and more CMDB Groups.
As an example, in Fortinet experiments with 1 million FortiGuard Malware IP, 3 million Malware Domains, 500 thousand Malware URL and with App Server Java memory set to 10GB, Redis peak memory usage is reduced from 1GB in 7.0.2 to 156MB in 7.1.1. For this case, compression resulted in more than 80% reduction of Redis peak memory.
Support for Trend Vision One
This release adds support for Trend Vision One XDR platform. See Trend Vision One in the External Systems Configuration Guide for integration details.
More SOC Queries via Fortinet Advisor
Fortinet Advisor recognizes and responds to the following Security Operations Center (SOC) questions.
- Get my FortiSIEM environment
- Get latest 10 high severity Incidents
- Get most frequent 10 Incidents
- Get Top 10 risky users
- Get Top 10 risky devices
SIGMA Rule Fixes
This release updates several FortiSIEM rules adapted from SIGMA rules. Updates involve regular expression conversions from SIGMA format to FortiSIEM format.
Public REST API Throttling
To safeguard Supervisor performance, FortiSIEM now throttles the volume of public REST API requests. Concurrent API requests are limited per source IP and globally. Once limits are reached, error code 429 is sent in response.
The limits are defined in /opt/phoenix/config/phoenix_config.txt:

global_max_concurrent_public_api_requests=50
per_ip_max_concurrent_public_api_requests=10
Notes:
- When a single source IP makes more than 10 concurrent API calls, the 11th request will receive a 429 HTTP(S) error code. If the client retries and one or more of its earlier calls finishes so that the number of active calls drops below 10, the new call will succeed.
- If the total of all active API calls from all sources is over 50, the 51st request will receive a 429 HTTP(S) error code.
- When a 429 error code is encountered, API clients should implement backoff, waiting longer between each subsequent retry.
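The following is an added example, not FortiSIEM code: it models the two concurrency ceilings described above (the `global_max_concurrent_public_api_requests=50` and `per_ip_max_concurrent_public_api_requests=10` values from phoenix_config.txt) as an in-memory limiter that answers 200 or 429, and pairs it with the client-side exponential backoff the notes ask API clients to implement. The `ConcurrencyLimiter` class, the `send` callable and the sample IP addresses are assumptions for illustration; the limiter is not how the Supervisor implements throttling, only a model of the behaviour the notes describe.

```python
"""Added example (not FortiSIEM code): model of the per-IP and global
concurrency limits on public REST API calls, plus a 429-aware client retry."""
import threading
import time
from collections import Counter

GLOBAL_MAX = 50   # global_max_concurrent_public_api_requests (from phoenix_config.txt)
PER_IP_MAX = 10   # per_ip_max_concurrent_public_api_requests (from phoenix_config.txt)


class ConcurrencyLimiter:
    """Tracks in-flight public API calls per source IP and globally.

    acquire() returns 200 when the call may proceed and 429 when either the
    per-IP or the global ceiling is already reached. Every admitted call must
    be release()d when it finishes, which is what lets a retry succeed later.
    (Hypothetical model; not the Supervisor's own implementation.)
    """

    def __init__(self, global_max=GLOBAL_MAX, per_ip_max=PER_IP_MAX):
        self.global_max = global_max
        self.per_ip_max = per_ip_max
        self.active = Counter()   # in-flight calls per source IP
        self.total = 0            # in-flight calls across all sources
        self._lock = threading.Lock()

    def acquire(self, ip):
        with self._lock:
            if self.total >= self.global_max or self.active[ip] >= self.per_ip_max:
                return 429
            self.active[ip] += 1
            self.total += 1
            return 200

    def release(self, ip):
        with self._lock:
            if self.active[ip] == 0:
                raise ValueError(f"no active call to release for {ip}")
            self.active[ip] -= 1
            self.total -= 1


def backoff_delays(max_retries, base=1.0, cap=30.0):
    """Exponential backoff schedule in seconds: base, 2*base, 4*base, ... capped."""
    return [min(cap, base * 2 ** i) for i in range(max_retries)]


def call_with_backoff(send, delays, sleep=time.sleep):
    """Invoke send() and retry on HTTP 429, sleeping per the backoff schedule.

    send: zero-argument callable returning an HTTP status code (assumed).
    Returns (status, attempts); gives up after the schedule is exhausted.
    """
    for attempt, delay in enumerate(delays, start=1):
        status = send()
        if status != 429:
            return status, attempt
        sleep(delay)
    return send(), len(delays) + 1


def simulate_scenarios():
    """Reproduce the two cases in the release notes; returns the observed codes."""
    # Case 1: one source IP (constructed address) opens 10 calls; the 11th gets 429.
    # After one earlier call finishes, the retry is admitted.
    lim = ConcurrencyLimiter()
    codes = [lim.acquire("10.0.0.5") for _ in range(11)]
    lim.release("10.0.0.5")
    retry = lim.acquire("10.0.0.5")
    # Case 2: 50 active calls spread over distinct constructed IPs; the 51st
    # call, from yet another IP, gets 429 even though that IP is under 10.
    lim2 = ConcurrencyLimiter()
    for i in range(50):
        lim2.acquire(f"192.0.2.{i}")
    fifty_first = lim2.acquire("198.51.100.1")
    return codes, retry, fifty_first


if __name__ == "__main__":
    codes, retry, fifty_first = simulate_scenarios()
    print("per-IP:", codes, "retry after release:", retry)
    print("51st global call:", fifty_first)
    seq = iter([429, 429, 200])
    print("client:", call_with_backoff(lambda: next(seq), backoff_delays(5), sleep=lambda s: None))
```

A real client would replace `send` with the HTTP call and keep the default `time.sleep`; the schedule caps at 30 seconds so a long-lived limit does not turn into minutes-long waits between attempts.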
Bug Fixes and Enhancements
This release contains the following fixes and enhancements.
| Bug ID | Severity | Module | Description |
|---|---|---|---|
| 971855 | Major | App Server | Null pointer exception may occur during App Server incident handling. |
| 971840 | Major | App Server | App Server may hit a deadlock issue in Postgres during FortiSIEM node health update. |
| 977554 | Major | ClickHouse | After upgrading to 7.1.0, adding a new ClickHouse node to the same shard fails with DDL error. |
| 914974 | Major | Rule Engine | User created security incidents auto-clear after 24 hours even if |
| 975345 | Minor | App Server | For Windows and Linux Agents, agent monitoring attributes overwrite agentless monitoring attributes when agentless methods (such as OMI or SSH) are used along with agents on the same server. |
| 973567 | Minor | App Server | After cloning an existing rule and changing the evaluation mode to scheduled, Incidents are still evaluated in streaming mode. |
| 972257 | Minor | App Server | Summary Dashboards do not show performance metrics collected by Windows Agent. |
| 971860 | Minor | App Server | For Event Receive Hour/Day/Week queries, Query Result Export and Scheduled Report do not work correctly. |
| 971276 | Minor | App Server | System defined and user defined Network objects with the same IP range become incorrectly linked together. |
| 971126 | Minor | App Server | Invalid Query XML for IN queries with more than 1 Individual Country. |
| 969372 | Minor | App Server | Public REST API for Event Query and Archive Query returns no events if report syntax is invalid. It should return an error instead. |
| 968983 | Minor | App Server | Content update fails if there are dashboard widgets in the content update. |
| 968751 | Minor | App Server | Box.com integration may cause App Server to lock up when the auth token expires. |
| 968266 | Minor | App Server | For Incident public REST API, queries for second and subsequent pages may fail with 503 error code if called too fast. |
| 962913 | Minor | App Server | Need to throttle public REST API queries by returning HTTP status code 429 when the client sends in too many requests. |
| 939273 | Minor | App Server | Cannot modify device properties for multi-tenant collector. |
| 936243 | Minor | App Server | Timezone selection for Europe/Berlin is not listed in UTC+2, but it is in UTC+1. |
| 927843 | Minor | App Server | Discovering a device via FSM Agent and EMS/FGT integration results in duplicate CMDB entries. |
| 926647 | Minor | App Server | CMDB Device Report: No result for 'Property Event Receive Time Gap [Low/High] Threshold minutes'. |
| 970594 | Minor | ClickHouse Backend | Update |
| 974846 | Minor | Discovery | Test Connectivity for Cisco FireAmp fails. |
| 970075 | Minor | Discovery | GitLab discovery failure: Need to use host name, as IP does not work during SSL handshake. |
| 931808 | Minor | Discovery | For standalone FortiSwitch, Network Interfaces are not discovered via SNMP v3 because of lack of support for SHA-224, SHA-256, SHA-384 and SHA-512 for authentication and AES-192 and AES-256 for encryption. |
| 976427 | Minor | GUI | Analytics > Investigation page, Run Reports > Event Receive Time column shows epoch value instead of date formatted values. |
| 976046 | Minor | GUI | User with Dashboard only role gets empty landing page after login. |
| 974384 | Minor | GUI | In CMDB Report, Latest Monitor Time and Latest Event Pulling Time fields show epoch value instead of date formatted values. |
| 972715 | Minor | GUI | Check Reputation in Real Time/Historical Search does not work. |
| 971557 | Minor | GUI | NullPointerException in the POST SAML response after modifying the idle timeout for Azure SSO user. |
| 966730 | Minor | GUI | Name field from External Authentication shouldn't allow 'space' when the protocol is SAML. |
| 966728 | Minor | GUI | SAML Organization field for SAML Role configuration doesn't accept space + umlaut characters. |
| 964794 | Minor | GUI | For user defined rules/reports, the user cannot move rules or reports to a new custom folder without creating a copy. |
| 963867 | Minor | GUI | Malformed IP address can be successfully imported from .CSV file without error checking. |
| 957400 | Minor | GUI | CMDB Report - Rule query - Scope attribute only takes integer, but needs string. |
| 927769 | Minor | GUI | GUI allows invalid / character to be added in port field for FortiOS credentials. |
| 887630 | Minor | GUI | Widget Setting as Single Line Chart and Display Type as Text - COUNT(Matched Events) displays no count. |
| 628705 | Minor | GUI | It is better to disable the 'Test' button for OKTA authentication policy instead of showing 'IP/Host is required'. |
| 970976 | Minor | Parser | In 'PH_SYSTEM_IP_EVENTS_PER_SEC' event, Reporting Device is set incorrectly. |
| 966727 | Minor | Parser | For Amazon AWS CloudWatch, CMDB is populated for each discovered device. |
| 974448 | Minor | phMonitor | Disaster recovery setup may fail with 1 hour timeout if CMDB replication takes a long time (resulting from CMDB being large and network bandwidth being slow). |
| 968131 | Minor | Query | Query using |
| 965081 | Minor | Report | In PDF Report, legend may not always show. |
| 971810 | Minor | System | |
| 966773 | Minor | System | Collector fresh-install needs internet to uninstall |
| 972752 | Minor | Windows Agent | Windows Agent reports "Disk Full" for Optical Drives. |
| 954108 | Minor | Windows Agent | Agent can't talk to Collector (verification fails) when Collector has a TLS certificate. |
| 964501 | Enhancement | ClickHouse Backend | Generate an incident and system error when free disk of ClickHouse is lower than 20%. |
| 961884 | Enhancement | ClickHouse Backend | Enhancement - Procedures for incrementally adding ClickHouse storage. |
| 972486 | Enhancement | Data work | Add rule/report for Apache ActiveMQ Ransomware Attack. |
| 971135 | Enhancement | Data work | Netflow dashboards do not include all relevant traffic. |
| 967829 | Enhancement | Data work | Windows - Need to parse Logon GUID to |
| 966160 | Enhancement | Data work | Need to enhance FortiEDR Rule and event parsing. |
| 964446 | Enhancement | Data work | FortiGate Events generated with logID 0100044545 need to be parsed as |
| 963543 | Enhancement | Data work | Missing column 'appServerState' when loading Application Server dashboard. |
| 962882 | Enhancement | Data work | Update Carbon Black CEF parser. |
| 939482 | Enhancement | Data work | HPiLoParser Unknown Event due to different syslog header format. |
| 936650 | Enhancement | Data work | PANOS parser enhancement needed to parse original VM name from Panorama logs. |
| 916555 | Enhancement | Data work | 'Group Policy Object Created/Modified' rules have the same event type filter. |
| 912298 | Enhancement | Data work | Parse device hostname for FortiAuthenticator parser. |
| 869437 | Enhancement | Data work | Update Zscaler log integration in JSON format. |
| 850455 | Enhancement | Data work | Update KasperskyParser, update RegEx. |
| 964471 | Enhancement | Generative AI | In ChatGPT audit log, provide visibility of user and org ID. |
| 969605 | Enhancement | Performance Monitoring | |
| 963416 | Enhancement | Rule Engine | Sometimes |
Known Issue
After upgrading to 7.1.1, in ClickHouse based deployments, searching on IP fields (namely, Reporting IP, Source IP, Destination IP, and Host IP) does not show correct results for events stored prior to upgrade. Events are still stored in ClickHouse, but searches on events before the upgrade do not return results, while searches on events stored after the upgrade work correctly. All other searches work correctly.
This issue is related to a recent change in ClickHouse version 23.3 in how IPV6 fields are represented. See the following URLs for more information.
Workaround
The workaround requires recreating old indices involving Reporting IP, Source IP, Destination IP, and Host IP that were created before the 7.1.1 upgrade. In our experiments, Fortinet has not seen any event loss or FortiSIEM service interruption during this process.

1. Go to root shell by running the following command:
   sudo -s
2. Change directory to /tmp by running the following command:
   cd /tmp
3. Run the following command:
   clickhouse-client
4. Ensure that /data-clickhouse-hot-1 has at least 10% free disk space. This space is required during index re-creation (Step 5 below). If free disk space is less than 10%, then run the following SQL command (4a.) to get the list of oldest ClickHouse partitions residing on the /data-clickhouse-hot-1 disk and either move them to another disk or tier, or delete them, until /data-clickhouse-hot-1 has at least 10% free disk space. These commands need to be run on ALL data nodes in every shard. The first command (4a.) identifies the largest partitions on the /data-clickhouse-hot-1 disk. The remaining commands enable you to move the data to another tier (4b.), or another disk (4c.), or delete the data (4d.).
   a. Identify the largest ClickHouse partitions in Hot node:
      SELECT disk_name, partition, extract(partition, '\(\d+,(\d+)\)') as date, formatReadableSize(sum(bytes_on_disk)), formatReadableSize(sum(data_uncompressed_bytes)) FROM system.parts WHERE (table = 'events_replicated') AND path LIKE '%hot-1%' AND active GROUP BY disk_name, partition ORDER BY disk_name ASC, date ASC limit 10
   b. Move the data to another tier:
      ALTER TABLE fsiem.events_replicated MOVE PARTITION <partition expression from (a) > TO VOLUME <next tier>
   c. Move the data to another disk:
      ALTER TABLE fsiem.events_replicated MOVE PARTITION <partition expression from (a) > TO disk <another disk>
   d. Delete the data:
      ALTER TABLE fsiem.events_replicated DROP PARTITION <partition expression from (a) >
   Example:
   Output from command in 4a.:
   To move the first partition (size 3.98 GiB) to Warm tier, issue the following command as shown in 4b.
      ALTER TABLE fsiem.events_replicated MOVE PARTITION (18250, 20240115) TO VOLUME 'warm'
   To move the first partition (size 3.98 GiB) to another disk in Hot tier, issue the following command as shown in 4c.
      ALTER TABLE fsiem.events_replicated MOVE PARTITION (18250, 20240116) TO disk 'data_clickhouse_hot_2'
   To delete the first partition (size 3.98 GiB), issue the following command as shown in 4d.
      ALTER TABLE fsiem.events_replicated DROP PARTITION (18250, 20240116)
5. Run the following commands sequentially. This will drop/add/recreate all affected indices (Reporting IP, Source IP, Destination IP, and Host IP) within ClickHouse. These commands need to be run on only one data node per shard. Note that the first command (drop) for every index may take some time to complete. You must wait until the command completes before issuing the next command.
   alter table fsiem.events_replicated drop index index_reptDevIpAddr_bloom_filter
   alter table fsiem.events_replicated add INDEX index_reptDevIpAddr_bloom_filter reptDevIpAddr TYPE bloom_filter GRANULARITY 5 AFTER index_customer_set
   alter table fsiem.events_replicated materialize index index_reptDevIpAddr_bloom_filter
   alter table fsiem.events_replicated drop index index_srcIpAddr_bloom_filter
   alter table fsiem.events_replicated add INDEX index_srcIpAddr_bloom_filter metrics_ip.value[indexOf(metrics_ip.name, 'srcIpAddr')] TYPE bloom_filter GRANULARITY 5 AFTER collectorId_set
   alter table fsiem.events_replicated materialize index index_srcIpAddr_bloom_filter
   alter table fsiem.events_replicated drop index index_destIpAddr_bloom_filter
   alter table fsiem.events_replicated add INDEX index_destIpAddr_bloom_filter metrics_ip.value[indexOf(metrics_ip.name, 'destIpAddr')] TYPE bloom_filter GRANULARITY 5 AFTER index_srcIpAddr_bloom_filter
   alter table fsiem.events_replicated materialize index index_destIpAddr_bloom_filter
   alter table fsiem.events_replicated drop index index_hostIpAddr_bloom_filter
   alter table fsiem.events_replicated add INDEX index_hostIpAddr_bloom_filter metrics_ip.value[indexOf(metrics_ip.name, 'hostIpAddr')] TYPE bloom_filter GRANULARITY 5 AFTER index_user_bloom_filter
   alter table fsiem.events_replicated materialize index index_hostIpAddr_bloom_filter
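The disk-space step above (step 4) leaves the operator to work out, from the `system.parts` listing, how many of the oldest partitions must leave the hot disk before the 10% threshold is met. The following added example, which is not Fortinet's code, does that arithmetic: it parses the `formatReadableSize` values and partition tuples in the shape the step 4a query returns, picks the oldest partitions in date order until the projected free space reaches 10%, and emits the `MOVE PARTITION ... TO VOLUME` statements in the form step 4b uses. The input rows, the disk total and the free-space figure are constructed for the demonstration; on a real node they would come from the 4a query and from the disk itself.

```python
"""Added example (not Fortinet's code): choose the oldest ClickHouse partitions
on the hot disk that must be moved to regain the workaround's 10% free space,
and produce the matching ALTER TABLE statements from step 4b."""
import re

MIN_FREE_PCT = 10  # free-space threshold required by the workaround

_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}


def parse_readable_size(text):
    """Inverse of ClickHouse formatReadableSize(): '3.98 GiB' -> integer bytes."""
    m = re.fullmatch(r"\s*([\d.]+)\s*([KMGT]iB|B)\s*", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def partition_date(partition):
    """Second element of the partition tuple, the yyyymmdd day, as an int.

    Same idea as extract(partition, '\\(\\d+,(\\d+)\\)') in the step 4a query;
    a space after the comma is tolerated because clickhouse-client prints one.
    """
    m = re.fullmatch(r"\((\d+),\s*(\d+)\)", partition.strip())
    if not m:
        raise ValueError(f"unrecognised partition: {partition!r}")
    return int(m.group(2))


def partitions_to_free(rows, disk_total_bytes, disk_free_bytes, min_free_pct=MIN_FREE_PCT):
    """Pick the oldest partitions, in date order, until free space >= min_free_pct.

    rows: (disk_name, partition, bytes_on_disk_text) tuples, as listed by 4a.
    Returns the partition expressions to move or drop; empty when the disk is
    already above the threshold. Raises if the listed rows cannot free enough.
    """
    needed = disk_total_bytes * min_free_pct / 100 - disk_free_bytes
    chosen = []
    for _disk, partition, size_text in sorted(rows, key=lambda r: partition_date(r[1])):
        if needed <= 0:
            break
        chosen.append(partition)
        needed -= parse_readable_size(size_text)
    if needed > 0:
        raise RuntimeError("listed partitions cannot free enough space")
    return chosen


def move_statements(partitions, volume="warm"):
    """ALTER statements in the form of step 4b, one per partition expression."""
    return [f"ALTER TABLE fsiem.events_replicated MOVE PARTITION {p} TO VOLUME '{volume}'"
            for p in partitions]


# Constructed sample mimicking the 4a columns disk_name, partition, bytes_on_disk.
SAMPLE_ROWS = [
    ("data_clickhouse_hot_1", "(18250, 20240118)", "10.00 GiB"),
    ("data_clickhouse_hot_1", "(18250, 20240115)", "3.98 GiB"),
    ("data_clickhouse_hot_1", "(18250, 20240116)", "30.00 GiB"),
    ("data_clickhouse_hot_1", "(18250, 20240117)", "20.00 GiB"),
]
GiB = 1024 ** 3
SAMPLE_TOTAL = 1000 * GiB  # assumed size of /data-clickhouse-hot-1
SAMPLE_FREE = 50 * GiB     # assumed: 5% free, below the 10% threshold


def demo():
    """Run the selection on the constructed sample; returns (partitions, statements)."""
    chosen = partitions_to_free(SAMPLE_ROWS, SAMPLE_TOTAL, SAMPLE_FREE)
    return chosen, move_statements(chosen)


if __name__ == "__main__":
    for stmt in demo()[1]:
        print(stmt)
```

The selection walks partitions oldest-first, matching the "ORDER BY ... date ASC" of the 4a query, so the partitions that leave the hot tier are the ones that would age out next anyway; pass `volume` as the name of your next tier, or swap `move_statements` for the 4c/4d forms if you move to another disk or drop instead.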
drop
) in every index may take some time to complete. User must wait until the command completes before issuing the next command.alter table fsiem.events_replicated drop index index_reptDevIpAddr_bloom_filter alter table fsiem.events_replicated add INDEX index_reptDevIpAddr_bloom_filter reptDevIpAddr TYPE bloom_filter GRANULARITY 5 AFTER index_customer_set alter table fsiem.events_replicated materialize index index_reptDevIpAddr_bloom_filter alter table fsiem.events_replicated drop index index_srcIpAddr_bloom_filter alter table fsiem.events_replicated add INDEX index_srcIpAddr_bloom_filter metrics_ip.value[indexOf(metrics_ip.name, 'srcIpAddr')] TYPE bloom_filter GRANULARITY 5 AFTER collectorId_set alter table fsiem.events_replicated materialize index index_srcIpAddr_bloom_filter alter table fsiem.events_replicated drop index index_destIpAddr_bloom_filter alter table fsiem.events_replicated add INDEX index_destIpAddr_bloom_filter metrics_ip.value[indexOf(metrics_ip.name, 'destIpAddr')] TYPE bloom_filter GRANULARITY 5 AFTER index_srcIpAddr_bloom_filter alter table fsiem.events_replicated materialize index index_destIpAddr_bloom_filter alter table fsiem.events_replicated drop index index_hostIpAddr_bloom_filter alter table fsiem.events_replicated add INDEX index_hostIpAddr_bloom_filter metrics_ip.value[indexOf(metrics_ip.name, 'hostIpAddr')] TYPE bloom_filter GRANULARITY 5 AFTER index_user_bloom_filter alter table fsiem.events_replicated materialize index index_hostIpAddr_bloom_filter