License Enforcement
This section describes how FortiSIEM enforces CMDB Device license, Agent license and EPS License.
CMDB Device License Enforcement
A customer purchases an overall CMDB Device license, which specifies how many managed devices can be stored in the CMDB. Managed devices can send logs and can be monitored. In an MSSP environment, the customer can set a device limit for a specific organization in Admin > Setup > Organizations > Edit or New > Max Devices. The following device types are excluded from the license count:
- Devices > Mobile
- Devices > VoIP
- Devices > Decommission
- Devices with Status = Unmanaged.
When you try to add a device to the system, either via discovery or manually, both the global device limit and the per-org device limit are enforced. If the limit is reached, the device is either not added to the CMDB or added and set as Unmanaged. If you decommission a managed device, its license is returned to the pool. If you recommission a device, a license is consumed.
CMDB Device License is shown in Admin > License > General and the usage is shown in Admin > License > Usage > Device Usage.
Agent License Enforcement
A customer purchases an Agent License, which specifies how many Agents can register and send events. The Agent License is shown in Admin > License > General and the usage is shown in Admin > License > Usage > Agent Usage.
If the Agent License limit is reached, a new Agent cannot register. If the Agent License is reduced to fewer than the number of registered Agents, a few Agents are randomly unregistered to bring the count below the licensed limit.
EPS License Enforcement
Mechanism
FortiSIEM is a distributed system consisting of Supervisor, Worker and Collector nodes. Events can be received at any node and the phParser module at that node handles the events and enforces EPS license. An Elastic EPS allocation method distributes unused EPS to the node where it is needed the most.
- Every 3 minutes, the phParser module on every node calculates Incoming EPS and sends it to the Supervisor node.
- Every 3 minutes, the phParser module on the Supervisor node collects Incoming EPS from all nodes and calculates the Allocated EPS and Unused Events that every node may use for the next 3 minutes. Unused Events is the difference between licensed EPS and incoming EPS, accumulated since the system was installed. These parameters are sent to the phParser modules on every node. The following information is used to calculate Allocated EPS:
  - Global Licensed EPS
  - Collector Guaranteed EPS (the total Guaranteed EPS for all Collectors must be less than Global Licensed EPS)
  - Incoming EPS
- For the next 3 minutes, the phParser module enforces the license based on the Allocated EPS and Unused Events received from the Supervisor node. At the end of the 3 minutes, it sends its Incoming EPS to the Supervisor node and the cycle continues.
The Collector (or whichever node receives the events) enforces Licensed EPS as follows:
- If incoming EPS is less than licensed EPS, events are ingested with no event drop.
- If incoming EPS is more than licensed EPS, the following steps are taken:
  - Unused events are allocated to cover the excess.
  - After the unused events are consumed, if incoming EPS still exceeds (1.1 * Licensed EPS), incoming events are dropped. For example, if licensed EPS is 5k, FortiSIEM allows (5000 * 1.1 * 180 = 990000) events in each 3-minute window once the unused events are used up. phParser parses the first 990,000 events of the window and drops the rest.
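The following is an added model of the per-window check described above; it is not FortiSIEM code. It reproduces the arithmetic in the text (licensed EPS * 180 events per 3-minute window, a pool of unused events accumulated since installation, and a 1.1x ceiling once the pool is empty) so that the 990,000 figure and the effect of a banked pool can be worked through. The order in which the pool and the 10% headroom are applied, and crediting the pool only for windows that come in under the licensed budget, are assumptions of this model.

```python
"""Model of the per-window EPS license check described above.

Added example, not FortiSIEM code. Assumptions (not documented behaviour):
the unused-events pool is spent before the 10% headroom, and the pool is
credited only for windows that receive fewer events than the licensed budget.
"""
from dataclasses import dataclass

WINDOW_SECONDS = 180      # one enforcement window is 3 minutes
HEADROOM_FACTOR = 1.1     # events above 1.1 * licensed EPS are dropped


@dataclass
class WindowResult:
    incoming: int          # events received in the window
    parsed: int            # events phParser accepted
    dropped: int           # dropLicenseEvents for this window
    unused_after: int      # unusedEvents pool after this window

    @property
    def drop_ratio(self) -> float:
        """dropLicenseEventRatio: dropped / incoming for the window."""
        return self.dropped / self.incoming if self.incoming else 0.0


class EpsEnforcer:
    def __init__(self, licensed_eps: int, unused_events: int = 0):
        self.licensed_eps = licensed_eps
        self.unused_events = unused_events
        self.peak_incoming_eps = 0.0

    @property
    def window_budget(self) -> int:
        return self.licensed_eps * WINDOW_SECONDS

    @property
    def window_ceiling(self) -> int:
        # 5000 EPS -> 5000 * 1.1 * 180 = 990000, the figure used in the text
        return int(self.licensed_eps * HEADROOM_FACTOR * WINDOW_SECONDS)

    def window(self, incoming: int) -> WindowResult:
        self.peak_incoming_eps = max(self.peak_incoming_eps, incoming / WINDOW_SECONDS)
        budget = self.window_budget
        if incoming <= budget:
            # Under licence: bank the shortfall in the unused-events pool.
            self.unused_events += budget - incoming
            return WindowResult(incoming, incoming, 0, self.unused_events)
        # Over licence: first spend unused events on the excess...
        excess = incoming - budget
        from_pool = min(excess, self.unused_events)
        self.unused_events -= from_pool
        excess -= from_pool
        # ...then allow up to 10% headroom, and drop everything beyond it.
        headroom = self.window_ceiling - budget
        dropped = max(0, excess - headroom)
        return WindowResult(incoming, incoming - dropped, dropped, self.unused_events)


def simulate(licensed_eps: int, incoming_per_window: list[int],
             unused_events: int = 0) -> list[WindowResult]:
    """Run consecutive 3-minute windows through one enforcer."""
    enforcer = EpsEnforcer(licensed_eps, unused_events)
    return [enforcer.window(n) for n in incoming_per_window]


if __name__ == "__main__":
    # The text's own case: 5k licensed, empty pool, 1,000,000 events in the window.
    for r in simulate(5000, [1_000_000]):
        print(r)  # parsed=990000 dropped=10000
    # A quiet window banks 100,000 unused events, which then absorb a burst.
    for r in simulate(5000, [800_000, 1_000_000]):
        print(r)
```

The second run shows why the pool matters operationally: a node that has been under its licensed rate can absorb a burst well above 1.1x without dropping anything, so a `dropLicenseEvents` of zero in one window does not mean the rate was within licence, only that the pool covered it.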
Events
phParser on every node generates the following PH_SYSTEM_EPS_NODE event every 3 minutes. To query these system events, the Analytics search filter must also include “System Event Category” = 3.
[PH_SYSTEM_EPS_NODE]:[eventSeverity]=PHL_INFO,[fileName]=parserProcess.cpp,[lineNumber]=6169,[role]=Super,[hostName]=FSM-Host,[incomingEventsPerSec]=10.0,[peakIncomingEventsPerSec]=35.0,[dropPolicyEvents]=0,[dropPolicyEventsPerSec]=0.0,[peakDropPolicyEventsPerSec]=0.0,[dropLicenseEvents]=0,[dropLicenseEventsPerSec]=0.0,[peakDropLicenseEventsPerSec]=0.0,[dropLicenseEventRatio]=0
Attributes:
- incomingEventsPerSec: Total received events in 3 minutes divided by 180.
- peakIncomingEventsPerSec: The maximum value of incomingEventsPerSec over all 3-minute periods since phParser started.
- dropPolicyEvents: The number of events dropped by Event Dropping rules in the last 3 minutes.
- dropPolicyEventsPerSec: dropPolicyEvents divided by 180.
- peakDropPolicyEventsPerSec: The maximum value of dropPolicyEventsPerSec over all 3-minute periods since phParser started.
- dropLicenseEvents: The number of events dropped because of exceeding the license in the last 3 minutes.
- dropLicenseEventsPerSec: dropLicenseEvents divided by 180.
- peakDropLicenseEventsPerSec: The maximum value of dropLicenseEventsPerSec over all 3-minute periods since phParser started.
- dropLicenseEventRatio: Ratio of events dropped because of the license to total incoming events in the last 3 minutes.
phParser on Supervisor node generates the following PH_SYSTEM_EPS_ORG event every 3 minutes. This event provides Organization level EPS information by combining information from every node.
[PH_SYSTEM_EPS_ORG]:[eventSeverity]=PHL_INFO,[fileName]=parserProcess.cpp,[lineNumber]=6205,[phCustId]=1,[customer]=Super,[incomingEventsPerSec]=0.000000,[peakIncomingEventsPerSec]=0.000000,[dropLicenseEventsPerSec]=0.000000,[peakDropLicenseEventsPerSec]=0.000000,[phLogDetail]=
Attributes:
- customer: Name of the organization.
- incomingEventsPerSec: Total received events in 3 minutes divided by 180 for this Organization.
- peakIncomingEventsPerSec: The maximum value of incomingEventsPerSec over all 3-minute periods for this Organization since phParser started.
- dropLicenseEvents: The number of events dropped because of exceeding the license in the last 3 minutes.
- dropLicenseEventsPerSec: dropLicenseEvents divided by 180.
- peakDropLicenseEventsPerSec: The maximum value of dropLicenseEventsPerSec over all 3-minute periods since phParser started.
phParser on Supervisor node generates the following PH_SYSTEM_EPS_GLOBAL event every 3 minutes. This event provides Global EPS information by combining information from every node.
[PH_SYSTEM_EPS_GLOBAL]:[eventSeverity]=PHL_INFO,[fileName]=parserProcess.cpp,[lineNumber]=6252,[licenseEventsPerSec]=13000,[incomingEventsPerSec]=0.000000,[peakIncomingEventsPerSec]=0.000000,[dropLicenseEventsPerSec]=0.000000,[peakDropLicenseEventsPerSec]=0.000000,[unusedEvents]=1897731307,[phLogDetail]=
Attributes:
- licenseEventsPerSec: Global licensed events per second.
- incomingEventsPerSec: Total received events in 3 minutes divided by 180.
- peakIncomingEventsPerSec: The maximum value of incomingEventsPerSec over all 3-minute periods since phParser started.
- dropLicenseEvents: The number of events dropped because of exceeding the license in the last 3 minutes.
- dropLicenseEventsPerSec: dropLicenseEvents divided by 180.
- peakDropLicenseEventsPerSec: The maximum value of dropLicenseEventsPerSec over all 3-minute periods since phParser started.
- unusedEvents: Difference between licenseEventsPerSec and incomingEventsPerSec, accumulated since the system was installed.
phParser on an event handling node (e.g. a Collector) generates the following PH_SYSTEM_EVENT_RATE_EXCEED_LICENSE event when it starts to drop events.
<174>Mar 12 11:33:20 PARSER-HOST phParser[1234]: [PH_SYSTEM_EVENT_RATE_EXCEED_LICENSE]: [eventSeverity]=PHL_INFO,[procName]=phParser,[fileName]=parserProcess.cpp,[eventsPerSec]=120.49,[phLogDetail]=120.49 events/sec exceeds licensed event rate of 100 events/sec
Attributes:
eventsPerSec: Total received events per second
phParser on Supervisor node generates the following PH_PARSER_GLOBAL_LICENSE_EXCEED event every 3 minutes, when it sees dropped events.
[PH_PARSER_GLOBAL_LICENSE_EXCEED]:[eventSeverity]=PHL_ERROR,[fileName]=LicenseEnforce.cpp,[lineNumber]=1098,[phLogDetail]=Elastic EPS: global license has already exceeded, cannot realloc
In this case, the incidents “FortiSIEM EPS License Exceeded” and “External Event Dropped By License” trigger.
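The five system events above share one layout: an optional syslog header, a bracketed event type, and a comma-separated run of `[key]=value` attributes, where `phLogDetail` may itself contain commas. The following is an added example, not FortiSIEM code, of parsing that layout and turning the result into license-pressure findings: nodes reporting `dropLicenseEvents` in the last window, global utilization near `licenseEventsPerSec`, and the two exceed events. The sample lines are constructed for the example, modelled on the events shown above (the `COLL-01` node and its numbers are invented); the 90% utilization threshold is an arbitrary choice.

```python
"""Parse FortiSIEM PH_SYSTEM_EPS_* / license-exceed events and flag pressure.

Added example, not FortiSIEM code. Sample lines are constructed from the event
formats shown on this page; the COLL-01 values and the 90% threshold are invented.
"""
import re

# Constructed sample events (the COLL-01 line and its figures are invented).
SAMPLE_EVENTS = [
    "[PH_SYSTEM_EPS_NODE]:[eventSeverity]=PHL_INFO,[fileName]=parserProcess.cpp,[lineNumber]=6169,"
    "[role]=Super,[hostName]=FSM-Host,[incomingEventsPerSec]=10.0,[peakIncomingEventsPerSec]=35.0,"
    "[dropPolicyEvents]=0,[dropPolicyEventsPerSec]=0.0,[peakDropPolicyEventsPerSec]=0.0,"
    "[dropLicenseEvents]=0,[dropLicenseEventsPerSec]=0.0,[peakDropLicenseEventsPerSec]=0.0,"
    "[dropLicenseEventRatio]=0",
    "[PH_SYSTEM_EPS_NODE]:[eventSeverity]=PHL_INFO,[fileName]=parserProcess.cpp,[lineNumber]=6169,"
    "[role]=Collector,[hostName]=COLL-01,[incomingEventsPerSec]=120.5,[peakIncomingEventsPerSec]=150.0,"
    "[dropPolicyEvents]=12,[dropPolicyEventsPerSec]=0.07,[peakDropPolicyEventsPerSec]=0.1,"
    "[dropLicenseEvents]=3600,[dropLicenseEventsPerSec]=20.0,[peakDropLicenseEventsPerSec]=20.0,"
    "[dropLicenseEventRatio]=0.166",
    "[PH_SYSTEM_EPS_GLOBAL]:[eventSeverity]=PHL_INFO,[fileName]=parserProcess.cpp,[lineNumber]=6252,"
    "[licenseEventsPerSec]=13000,[incomingEventsPerSec]=12900.5,[peakIncomingEventsPerSec]=13400.0,"
    "[dropLicenseEventsPerSec]=0.000000,[peakDropLicenseEventsPerSec]=0.000000,"
    "[unusedEvents]=1897731307,[phLogDetail]=",
    "<174>Mar 12 11:33:20 PARSER-HOST phParser[1234]: [PH_SYSTEM_EVENT_RATE_EXCEED_LICENSE]: "
    "[eventSeverity]=PHL_INFO,[procName]=phParser,[fileName]=parserProcess.cpp,[eventsPerSec]=120.49,"
    "[phLogDetail]=120.49 events/sec exceeds licensed event rate of 100 events/sec",
    "[PH_PARSER_GLOBAL_LICENSE_EXCEED]:[eventSeverity]=PHL_ERROR,[fileName]=LicenseEnforce.cpp,"
    "[lineNumber]=1098,[phLogDetail]=Elastic EPS: global license has already exceeded, cannot realloc",
]

SYSLOG_RE = re.compile(r"^<\d+>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(\S+)\s+")
EVENT_TYPE_RE = re.compile(r"\[(PH_[A-Z_]+)\]:\s*")
# Split only where the next [key]= begins, so commas inside phLogDetail survive.
ATTR_SPLIT_RE = re.compile(r",(?=\[\w+\]=)")


def _coerce(value: str):
    for conv in (int, float):
        try:
            return conv(value)
        except ValueError:
            pass
    return value


def parse_event(line: str):
    """Return {'type', 'host', 'attrs'} or None if the line is not a PH_ event."""
    m = EVENT_TYPE_RE.search(line)
    if not m:
        return None
    attrs = {}
    for part in ATTR_SPLIT_RE.split(line[m.end():]):
        key, sep, value = part.partition("]=")
        if sep:
            attrs[key.lstrip("[")] = _coerce(value)
    syslog = SYSLOG_RE.match(line)
    host = syslog.group(1) if syslog else attrs.get("hostName")
    return {"type": m.group(1), "host": host, "attrs": attrs}


def license_findings(lines, warn_utilization: float = 0.9):
    """Flag license drops, near-saturation and explicit exceed events."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        t, a = ev["type"], ev["attrs"]
        if t == "PH_SYSTEM_EPS_NODE" and a.get("dropLicenseEvents", 0) > 0:
            findings.append({"type": t, "host": ev["host"],
                             "detail": f"{a['role']} dropped {a['dropLicenseEvents']} events for license "
                                       f"in last 3 minutes (ratio {a.get('dropLicenseEventRatio')})"})
        elif t == "PH_SYSTEM_EPS_GLOBAL" and a.get("licenseEventsPerSec"):
            util = a.get("incomingEventsPerSec", 0) / a["licenseEventsPerSec"]
            if util >= warn_utilization:
                findings.append({"type": t, "host": ev["host"],
                                 "detail": f"global utilization {util:.1%} of {a['licenseEventsPerSec']} EPS, "
                                           f"unusedEvents pool {a.get('unusedEvents')}"})
        elif t in ("PH_SYSTEM_EVENT_RATE_EXCEED_LICENSE", "PH_PARSER_GLOBAL_LICENSE_EXCEED"):
            findings.append({"type": t, "host": ev["host"], "detail": a.get("phLogDetail", "")})
    return findings


if __name__ == "__main__":
    for f in license_findings(SAMPLE_EVENTS):
        print(f["type"], f["host"], "-", f["detail"])
```

Because these are system events, the same filter the text calls out applies when pulling them from Analytics: include “System Event Category” = 3, or the query returns nothing to parse.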