Device Support Advanced Operations
FortiSIEM enables you to perform the following advanced operations:
- Checking Device Monitoring Status and Health
- Setting Devices Under Maintenance
- Creating Custom Monitors
- Setting Important Interfaces and Processes
- Modifying System Parsers
- Creating Custom Parsers
- Handling Multi-line Syslog
- Creating Synthetic Transaction Monitors
- Mapping Events to Organizations
- Adding Windows Agents
- Adding Linux Agents
- Forwarding Events to External Systems
Checking Device Monitoring Status and Health
For Performance Monitoring scenarios, you would like to know:
- Is FortiSIEM able to monitor the devices on time? Is FortiSIEM falling behind?
- Are there monitoring errors?
- What is the current health of monitored devices?
To check whether FortiSIEM is able to collect monitoring data on time:
- Go to CMDB.
- Search for the device by typing a string in the search window.
- Check the Monitor Status column.
- If Monitor Status is Warning or Critical, then select the device and check the Monitor sub-tab in the bottom pane to find out the reason.
FortiSIEM is an optimized multi-threaded solution. If one node is given too many devices to monitor, each device with many metrics, then it may not be able to keep up. If FortiSIEM is not able to keep up (e.g. polling interval is 1 minute and last poll was 3 minutes ago), then you can do one of the following:
- Check the Monitored Device resources (CPU, memory) and the network between FortiSIEM and the Monitored Device. Many monitoring protocols, such as SNMP and WMI, will not operate under WAN-type latencies (greater than 10 msec).
- Increase the polling intervals by visiting ADMIN > Setup > Monitor Performance > More > Edit Intervals.
Note: If you increase polling intervals, some performance monitoring rules that require a certain number of polls in a time window may not trigger. Adjust those rules either by reducing the number of polls or by increasing the time window. For example, if a rule needs 3 events (polls) in a 10 min time window with an original polling interval of 3 min, the rule will not trigger if the polling interval is changed to 4 min or higher. To make the rule trigger again, either reduce the number of events needed (for example, from 3 to 2) or increase the time window (for example, from 10 min to 15 min).
- Turn off some other jobs by visiting ADMIN > Setup > Monitor Performance > More > Edit Intervals.
- Deploy Collectors close to the Monitored Devices or deploy more Collectors and distribute performance monitoring jobs to Collectors by doing re-discovery.
To check for Monitoring errors:
- Go to ADMIN > Setup > Monitor Performance > More > Errors.
For details, see here.
To see current health of a monitored device:
- Go to CMDB.
- Search for the device by typing a string in the search window.
- Choose Actions > Device Health.
For details, see here.
Setting Devices Under Maintenance
If a device will undergo maintenance and you do not want to trigger performance and availability rules while the device is in maintenance, then:
- Go to ADMIN > Setup > Maintenance.
- Select the Maintenance Schedule.
- Select the Group of Devices or Synthetic Transaction Monitors (STM) for maintenance.
- Make sure the Generate Incidents for Devices under Maintenance option is checked.
For details, see here.
Creating Custom Monitors
Although FortiSIEM provides out-of-the-box monitoring for many devices and applications, users can add monitoring for custom device types or add further monitoring for supported device types.
- Go to ADMIN > Device Support > Monitoring.
- Click Enter Performance Object > New and enter the specification of the Performance Object.
- Select the Performance Object and click Test.
- Click Enter Device Type to Performance Object Association > New and choose a set of Device Types and associated Performance Objects.
- Go to ADMIN > Setup > Credentials and enter the Device Credentials for a set of device types specified in Step 4.
- Go to ADMIN > Setup > Discovery and discover these devices.
- FortiSIEM will pick up the custom monitors defined in Step 2 if the Tests in Step 3 succeeded.
- Go to ADMIN > Setup > Monitor Performance and see the monitors.
From the same tab, select one or more devices and click More > Report to check whether the monitoring events are generated correctly.
Steps 1-4 are described here.
Step 5 is described here.
Step 6 is described here.
Steps 8-9 are described here.
Setting Important Interfaces and Processes
A network device may have hundreds of interfaces, and you may have hundreds of network devices. Not all interfaces are interesting for up/down and utilization monitoring. For example, you may only want to monitor WAN links and trunk ports and leave out access ports. This saves a lot of CPU and storage. Similar logic applies to critical processes on servers.
Since FortiSIEM discovers interfaces and processes, it is easy to select Critical Interfaces and Processes for Monitoring.
- Go to ADMIN > Settings > Monitoring.
- Click Important Interfaces > Enable > New and select the Interfaces.
- Click Important Processes > Enable > New and select the Processes.
Note that once you select Important Interfaces and Processes, only these Interfaces and Processes will be monitored for availability and performance.
For details, see here.
Modifying System Parsers
If you want to modify a built-in log parser, then do the following steps:
- Go to ADMIN > Device Support > Parsers.
- Select the parser and click Disable; otherwise, after cloning, you would have two active parsers for the same device.
- Select the same Parser and click Clone.
- Make the required modifications to the parser.
- Click Validate to check the modified Parser syntax.
- Click Test to check the semantics of the modified Parser.
- If both Validate and Test pass, then click Enable and then Save.
- The modified Parser should show Enabled. Click Apply to deploy the modified Parser to all the nodes.
For details, see here.
Creating Custom Parsers
If you want to create a completely new log parser, then do the following steps:
- Go to ADMIN > Device Support > Parsers.
- Parsers are evaluated serially from top to bottom in the list. Select the parser just before the current custom parser and click New.
- Fill in the parser details – Name, Device Type, test Events and the parser itself.
- Click Validate to check the syntax.
- Click Test to check the semantics of the modified parser.
- If all passes, then click Enable and then click Save.
- The newly added parser should show Enabled. Click Apply to deploy the change to all the nodes.
For details, see here.
Handling Multi-line Syslog
When devices send the same log in multiple log messages, you can combine them into one log in FortiSIEM to facilitate analysis and correlation.
- Go to ADMIN > Settings > Event Handling > Multiline Syslog.
- Click New to begin a multi-line syslog handling rule.
- Enter a Protocol – TCP or UDP.
- Enter the Begin Pattern and End Pattern regular expressions. All the log messages from a match of the begin pattern through the next match of the end pattern are combined into a single log.
- Click Save.
For details, see here.
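To make the combining behaviour concrete, here is an added example (not FortiSIEM code) that applies a Begin Pattern and End Pattern to a constructed sequence of syslog messages the way the rule above describes. The sample messages, hostname and marker strings EVENT-START/EVENT-END are made up; the code assumes messages arrive in order, which TCP guarantees and UDP does not.

```python
import re

# Constructed sample input: one firewall event split over three syslog messages,
# followed by an ordinary single-line message. Hostname and fields are made up.
SAMPLE_LOGS = [
    "<134>Jan 10 12:00:00 fw1 EVENT-START id=42",
    "<134>Jan 10 12:00:00 fw1 src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=445",
    "<134>Jan 10 12:00:00 fw1 action=deny EVENT-END id=42",
    "<134>Jan 10 12:00:01 fw1 single-line message untouched by the rule",
]


def combine_multiline(lines, begin_pattern, end_pattern, sep=" "):
    """Join every message from a Begin Pattern match through the next End
    Pattern match into one log. Hypothetical re-implementation of the rule
    described on the page, not FortiSIEM's own code; assumes in-order delivery
    (TCP) since reordering (possible with UDP) would break the spans."""
    begin_re = re.compile(begin_pattern)
    end_re = re.compile(end_pattern)
    combined, buf = [], None        # buf holds the span currently being assembled
    for line in lines:
        starts, ends = bool(begin_re.search(line)), bool(end_re.search(line))
        if buf is not None and starts:
            # A new event began before the previous one ended: emit the partial
            # span rather than silently merging two events into one record.
            combined.append(sep.join(buf))
            buf = None
        if buf is None:
            if not starts:
                combined.append(line)   # ordinary single-line log: pass through
                continue
            buf = []                    # Begin Pattern matched: open a span
        buf.append(line)
        if ends:                        # End Pattern matched: close the span
            combined.append(sep.join(buf))
            buf = None
    if buf:
        # Stream ended without an End Pattern match; emit what was collected so
        # the partial event still reaches parsing instead of being dropped.
        combined.append(sep.join(buf))
    return combined


if __name__ == "__main__":
    for log in combine_multiline(SAMPLE_LOGS, r"EVENT-START", r"EVENT-END"):
        print(log)
```

Partial spans (a begin without an end) are emitted rather than discarded, so a device that truncates an event still produces a record you can see in the parser test rather than a silent gap.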
Creating Synthetic Transaction Monitors
You can define a Synthetic Transaction Monitor to monitor the health of an application or a web service. To do this:
- Go to ADMIN > Setup > STM.
- Step 1: Create a monitoring definition: click New and enter the required fields. When the protocol is HTTP, a Selenium script can be provided. Specify the timeout values for detecting STM failures.
- Step 2: Apply the monitoring definition to a host.
- Step 3: Make sure it is working correctly by clicking Monitor Status.
For details, see here.
Mapping Events to Organizations
In most cases, the events received by a Collector are tagged with the Organization to which the Collector belongs. In some cases, events for multiple Organizations are aggregated by an upstream device and then forwarded to FortiSIEM. In this case, FortiSIEM needs to map events to Organizations based on a parsed event attribute. An example is the FortiGate VDOM attribute.
This is accomplished as follows:
- Go to ADMIN > Settings > Event Handling > Event Org Mapping.
- Click New to create an Event Org mapping definition.
- Select a Device Type from the drop-down list.
- Specify the Event Attribute that contains the Organization information.
- Specify the Collector that will do this Event Org Mapping.
- Specify an IP or IP Range.
- Specify the mapping rules by clicking the edit icon next to Org mapping. In the Event Organization Mapping dialog box, map Event Attribute values to Organizations.
For details, see here.
Adding Windows Agents
FortiSIEM Windows Agents provide a scalable way to collect performance metrics, logs and other audit violations from a large number of Windows servers. Windows Agents (version 3.1 onwards) can be configured and managed from the FortiSIEM GUI; Windows Agent Manager is not required. As long as a license is available, you can install Windows Agents and register them to the FortiSIEM Supervisor node.
For details about Installing Windows Agents, see the latest Windows Agent Installation Guide.
For details about Configuring Windows Agent in FortiSIEM, see here.
Adding Linux Agents
Starting with release 5.2.1, Linux Agents require a license. As long as a license is available, you can install a Linux Agent and register it to the FortiSIEM Supervisor node. Linux Agents can be configured and managed from the FortiSIEM GUI.
For details about Installing Linux Agents, see Linux Agent Installation Guide.
For details about Configuring Linux Agent in FortiSIEM, see here.
Forwarding Events to External Systems
Events received by FortiSIEM can be forwarded to external systems. FortiSIEM provides a flexible way to define the forwarding criteria and the forwarding mechanism, such as syslog, Kafka and NetFlow.
For details, see here.