Getting Started
Following are the basic steps for getting started with FortiSIEM:
- Step 0 - Pre-Install Considerations
- Step 1 - Install the Virtual or Hardware Appliance
- Step 2 - Install License
- Step 3 - Specify Event Database Storage
- Step 4 - Check System Health and License
- Step 5 - (Optional) Create Organizations for Service Provider Deployments
- Step 6 - (Optional) Check Full Admin Organization Users for Service Provider Deployments
- Step 7 - Add Email Gateway
- Step 8 - (Optional) Add Collector
- Step 9 - (Optional) Set Event Upload Destination for the Collector(s)
- Step 10 - (Optional) Check Collector Health
- Step 11 - Receive Syslog and Netflow
- Step 12 - Check CMDB Devices and Run Searches for received events
- Step 13 - Discover Devices
- Step 14 - Check CMDB and Performance Monitors for discovered devices
- Step 15 - Check Monitored Device health
- Step 16 - Check Incidents
- Step 17 - Notify an Incident via Email
- Step 18 - Create a Ticket in FortiSIEM
- Step 19 - View System Dashboards
- Step 20 - (Optional) Add Worker
- Step 21 - (Optional) Check Worker Health
- Step 22 - Check License Usage
- Step 23 - Set Home Page and Complete Your User Profile
- Step 24 - Log On to the Console and Check Status
- Step 25 - Set up Automated CMDB Disk Space Management
- Step 26 - Create Retention Policy
- Step 27 - Online Documentation and FortiAI
Step 0 - Pre-Install Considerations
FortiSIEM can run in the following modes:
- Single node all in one Virtual Appliance (Supervisor node) running on a wide variety of Hypervisors with local event database storage
- Virtual Appliance Cluster – Supervisor and Worker nodes - external event database storage
- Dedicated hardware appliances – single node with local event database storage or cluster with external event database storage
Before starting the installation process, make the following decisions:
- Installation type: Hardware appliance or Virtual appliance
- If Virtual Appliance, then decide:
  - Hypervisor type – ESX, KVM, Hyper-V, AWS, Azure, Nutanix, Google Cloud Platform, Oracle Cloud Infrastructure
  - Enterprise version or Service Provider version
  - Single node (All-in-one Supervisor) or a Cluster (single Supervisor and multiple Workers)
  - Local event database or External storage (cluster requires external storage)
  - External storage type - FortiSIEM event database or Elasticsearch
  - Whether Collectors are needed
- If hardware appliance, then decide:
  - Enterprise version or Service Provider version
  - Single node (All-in-one Supervisor Appliance) or a Cluster (single Supervisor Appliance e.g. 3500F and multiple Workers e.g. 2000F)
  - Local event database or External storage (cluster requires external storage)
  - External storage type - FortiSIEM event database or Elasticsearch
  - Whether Collectors are needed
Step 1 - Install the Virtual or Hardware Appliance
You can choose an all-in-one FortiSIEM Hardware Appliance or a Virtual Appliance based solution.
To install FortiSIEM Hardware Appliance (FSM-2000F, FSM-2000G, FSM-2200G, FSM-3500F, FSM-3500G, FSM-3600G, FSM-500F, FSM-500G), see here.
To install a FortiSIEM Virtual Appliance based solution:
- Select the hypervisor (VMWare ESX, AWS, Azure, Hyper-V, KVM, Nutanix, Google Cloud Platform, Oracle Cloud Infrastructure) on which FortiSIEM is going to run.
- Select event database storage – local, NFS, Elasticsearch or ClickHouse. Note: ClickHouse is recommended for most deployments. Please see ClickHouse Reference Architecture for more information.
- Set up external storage if needed: NFS and Elasticsearch. See NFS Storage Guide and Elasticsearch Storage Guide.
- Install FortiSIEM Virtual Appliance (see the installation guides here).
Step 2 - Install License
Apply the license provided by Fortinet. Note that for a Virtual Appliance install, the UUID of the Supervisor node must match the license, while for a hardware appliance the hardware serial numbers must match the license.
After applying the license, the system will reboot and provide a login page.
Log in with the following default values:
- USER ID - admin
- PASSWORD - admin*1
- CUST/ORG ID - super
- DOMAIN - LOCAL
For more information about FortiSIEM Licensing, see the Licensing Guide here.
Step 3 - Specify Event Database Storage
If you chose Virtual Appliances, then specify storage option (see here – ADMIN > Setup > Storage).
Hardware appliances only support local disk event database storage.
Step 4 - Check System Health and License
Ensure that:
- All the system components are up and in good health (ADMIN > Health > Cloud Health – see here)
- The license matches your purchase by visiting the ADMIN > License > License page – see here
Step 5 - (Optional) Create Organizations for Service Provider Deployments
A Service Provider deployment consists of multiple Organizations.
These Organizations can be defined in two ways:
- Case 1 - By associating one or more collectors to an Organization – any log received by those Collectors or any devices discovered by those collectors will belong to that Organization. This typically makes sense for remote management scenarios.
- Case 2 - By associating an IP range to an Organization – this typically makes sense for hosted scenarios
In both cases, create organizations by visiting ADMIN > Setup > Organizations (see here).
The system will create default system users with Full Admin functionality for each created organization.
Step 6 - (Optional) Check Full Admin Organization Users for Service Provider Deployments
FortiSIEM will automatically create a Super-global Full Admin user and one Full Admin user for each Organization. Ensure that you are able to log in to:
- each Organization using the system created Full Admin users
- Super-Global mode using Super-global Full Admin user and then switch to any Organization
Step 7 - Add Email Gateway
FortiSIEM will send notifications for incidents via email. Set up the email gateway by visiting ADMIN > Settings > System > Email (see here for details).
Step 8 - (Optional) Add Collector
If your monitored devices are behind a firewall or in a distant location across the Internet, then you will need a Collector at that location to collect logs and performance metrics.
FortiSIEM Collectors can be Hardware Appliances or Virtual Appliances. Hardware Appliances are easiest to install.
- For the FSM-500F Hardware Appliance, see the 500F Collector Configuration Guide for the installation.
Install the FortiSIEM Collector Virtual appliance based on the Hypervisor of your choice:
- VMWare ESX
- AWS
- Azure
- KVM
- Microsoft Hyper-V
- Nutanix
- Google Cloud Platform
- Oracle Cloud Infrastructure
See the specific Installation Guides here for the installations above.
Register the Collector to the FortiSIEM Supervisor node.
See the section Registering Collectors for the registration process.
Step 9 - (Optional) Set Event Upload Destination for the Collector(s)
You must specify the FortiSIEM nodes to which the Collector will upload events, in ADMIN > Settings > System > Worker Upload (see here). There are three options:
- In a simple setup with one Supervisor node, specify the Supervisor node. This is not recommended in larger setups as this will make the Supervisor node busy.
- You may want to specify one or more Worker nodes, listed by Worker IP addresses. The Collectors will load balance across the specified Worker nodes. In this manner, streaming analytics like inline reports and rules are distributed over Worker nodes.
- You may specify a load balancer name that sits in front of the Worker nodes. Note that in this case, you have to carefully tune the load balancing configuration to get optimum performance.
The second option works the best in most cases.
Step 10 - (Optional) Check Collector Health
You want to make sure that Collectors are up and running properly. Go to ADMIN > Health > Collector Health to check (see here for details).
At this point, the system is ready to receive events or perform discovery.
Step 11 - Receive Syslog and Netflow
First check the list of supported devices whose logs are parsed by FortiSIEM out of the box. The list is at ADMIN > Device Support > Parsers. See also the external device support document for further details (see here). If your device is in that list, then FortiSIEM will likely parse your logs out of the box.
Note that with every new version, vendors add new log types or sometimes even change the log format in a non-backward-compatible manner. In that case, the built-in parser may need to be adjusted (this topic will be covered in Advanced Operations). If your device is not on the list of built-in parsed devices, then a custom parser needs to be written. This topic will be covered in Advanced Operations.
Configure your device to send logs to FortiSIEM. If your device is behind a Collector, then the logs will be sent to the Collector. Otherwise, logs can be sent to a Supervisor or Worker node. For devices with high event rates, it is recommended to add a Worker node (Step 20) and send logs directly to the Worker node. Most vendors have straightforward methods to send syslog to external systems – see here, but be aware that the information may be a little out of date. Consult your vendor's manual in that case.
FortiSIEM automatically receives Netflow variants on their well-defined ports.
Step 12 – Check CMDB Devices and Run Searches for Received Events
If the logs in Step 11 are received correctly in FortiSIEM, then you should see the sending devices in the correct CMDB device and application group.
You can also search for the logs and see how they are parsed. Go to ANALYTICS > Shortcuts from the folder drop-down and run 'Raw Messages', 'Top Reporting Devices' or 'Top Event Types' queries (see here for details).
Step 13 - Discover Devices
Some systems (for example, Linux based servers) have generic log patterns, so logs cannot precisely identify the operating system. If you want to get accurate information from such systems, then you must discover them via protocols such as SNMP or SSH. For Windows servers, if you want to collect logs via WMI, then you must discover them via WMI only or via SNMP and WMI.
To perform discovery, first go to ADMIN > Setup > Credentials and set up credentials, and then go to ADMIN > Setup > Discovery and run discoveries. For Service Provider deployments with Collectors, do the discoveries from each Organization because IP addresses and names can overlap.
You can run the discovery in the foreground or in the background. If you run it in the foreground, then you will know when it finishes. If you run it in the background, then you must go to the Tasks section to see the discovery completion percentages and status. Note that ill-defined discoveries can take a long time to complete – see here for guidelines.
To see the benefits of discovery, see the External Systems Configuration Guide here and search your device type.
Step 14 - Check CMDB and Performance Monitors for Discovered Devices
After discovery is complete, you will see the CMDB populated with the discovered devices in the correct device, application and network segment folders.
Note the following:
- If the number of devices is within your license limits, then the discovered devices will be in the Managed and Pending state. Otherwise, a set of (randomly chosen) devices exceeding the license limit will be in the Unmanaged state. FortiSIEM will not receive logs from Unmanaged devices, nor can they be monitored. You can flip a device from Unmanaged to Managed and vice-versa. You can also buy additional licenses to rectify this situation.
- If devices have overlapping IP addresses, then they will be merged. Check for the incident "PH_RULE_DEVICE_MERGED_OVERLAP_IP" to find merged devices. To correct this situation, you have two choices:
  - Change the overlapping IP address on the device, delete the device from CMDB and rediscover.
  - If the overlapping IP is a Virtual IP (VIP), then add this IP to the VIP list in ADMIN > Settings > Discovery. Delete the device from CMDB and rediscover.
After you have corrected the situation, make sure that devices are not merged and appear correctly in CMDB.
Note that in Enterprise mode, discoveries are done by the Supervisor node. In the Service Provider version, there are two possibilities, depending on how Organizations are defined (see Step 5):
- For Organizations defined by IP addresses, discoveries are done by the Supervisor node. After discovery, the devices should belong to the correct Organization.
  - If all interfaces of a device belong to the specified Organization IP range, then the device belongs to that Organization.
  - On the other hand, if at least one IP does not belong to the specified Organization IP range, then the device belongs to the Super/local Organization (representing the hosting Service Provider Organization).
- For Organizations with Collectors, discoveries are done by the associated Collector node. Check CMDB to see that the devices are marked with the correct Organization and Collector.
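The two CMDB rules above, the merge of devices that share an IP address (unless that IP is on the VIP list) and the all-interfaces-in-range test for Organization membership, worked as an added example (not FortiSIEM code). The CIDR form of the Organization ranges, the device names and all addresses are constructed for illustration.

```python
"""Illustration of two CMDB rules from Step 14 (added example, not FortiSIEM
code): Organization assignment by IP range for Service Provider deployments,
and detection of devices that would be merged because they share an IP
address, ignoring addresses on the Virtual IP (VIP) list."""
import ipaddress
from collections import defaultdict

SUPER_ORG = "super"  # Super/local Organization of the hosting Service Provider

def assign_org(interface_ips, org_ranges):
    """Return the Organization a discovered device belongs to.

    interface_ips: all IP addresses of the device's interfaces.
    org_ranges: {org_name: [CIDR, ...]} (assumed representation of the ranges
    defined in ADMIN > Setup > Organizations).  A device belongs to an
    Organization only if every interface IP falls inside that Organization's
    ranges; otherwise it belongs to the Super/local Organization.
    """
    ips = [ipaddress.ip_address(ip) for ip in interface_ips]
    for org, cidrs in org_ranges.items():
        nets = [ipaddress.ip_network(c) for c in cidrs]
        if all(any(ip in net for net in nets) for ip in ips):
            return org
    return SUPER_ORG

def find_overlapping_devices(devices, vip_list=()):
    """Return {ip: [device names]} for IPs claimed by more than one device.

    devices: {device_name: [interface IPs]}.  Addresses in vip_list (the VIP
    list in ADMIN > Settings > Discovery) are skipped, since a shared VIP is
    not evidence that two CMDB entries describe the same device.
    """
    vips = {ipaddress.ip_address(v) for v in vip_list}
    owners = defaultdict(list)
    for name, ips in devices.items():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if addr not in vips:
                owners[str(addr)].append(name)
    return {ip: names for ip, names in owners.items() if len(names) > 1}

# Constructed sample data (hypothetical ranges and devices, not from the page).
ORG_RANGES = {
    "org-a": ["10.1.0.0/16"],
    "org-b": ["10.2.0.0/16", "192.168.50.0/24"],
}
DEVICES = {
    "web-1": ["10.1.1.10", "10.1.2.10"],     # fully inside org-a
    "db-1": ["10.2.5.20", "192.168.50.20"],  # fully inside org-b
    "edge-1": ["10.1.9.1", "203.0.113.7"],   # one IP outside -> Super/local
    "web-2": ["10.1.1.11", "10.1.1.100"],    # shares a VIP with web-3
    "web-3": ["10.1.1.12", "10.1.1.100"],
    "dup-a": ["10.2.7.7"],
    "dup-b": ["10.2.7.7"],                   # genuine overlap with dup-a
}
VIP_LIST = ["10.1.1.100"]

if __name__ == "__main__":
    for name, ips in DEVICES.items():
        print(f"{name}: {assign_org(ips, ORG_RANGES)}")
    print("would be merged:", find_overlapping_devices(DEVICES, VIP_LIST))
```

Run without the VIP list to see web-2 and web-3 reported as well, which is exactly the false merge the VIP list exists to prevent.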
As part of discovery, FortiSIEM also discovers which performance metrics it can collect and which logs it can pull. See ADMIN > Setup > Pull Events and ADMIN > Setup > Monitor Performance tabs (see here for details). You can turn off log/performance metric collection or tune the polling intervals.
Performance monitoring and log collection are continuous processes. If you tested the credentials before running discoveries (ADMIN > Setup > Credentials > Test Connectivity) and fixed the errors showing up in the Discovery error tab, then the metric/log collection should not have errors. After running for some time, errors can appear; some reasons are (a) network connectivity issues from FortiSIEM to the devices, (b) someone changed the credentials or access policies on the device, (c) the device itself has performance issues. Please check for errors in the ADMIN > Setup > Pull Events and ADMIN > Setup > Monitor Performance tabs (see here for details) and fix them. If credentials have changed, then you must change the credentials in ADMIN > Setup > Credentials and rediscover the corresponding devices.
Step 15 - Check Monitored Device Health
You can watch the current health of a device in CMDB by selecting the device and choosing the Device health option from the menu. To see the performance metrics in real time, select the device in CMDB and choose the Real time performance option from the menu.
Step 16 - Check Incidents
FortiSIEM provides a large number of built-in machine and user behavior anomalies in the form of rules. These rules are active by default and will trigger incidents. See here on how to navigate incidents. Advanced Operations describes how to tune these rules for your environment.
Step 17 – Notify an Incident via Email
You may want to notify users via email when an incident triggers. This is achieved in one of two ways.
- Create an Incident Automation Policy and specify the incident matching criteria and the receiver email address. See here for details.
- Select an incident from INCIDENTS > List view, go to Actions and select Notify via Email. See here for details.
Note that many other advanced actions are possible such as:
- Customizing the email template
- Remediating the incident by running a script
- Opening a ticket in an external ticketing system and so on.
See Advanced Operations for details.
Step 18 – Create a Ticket in FortiSIEM
You can use FortiSIEM built-in ticketing system to handle tickets. Currently, this is handled outside of the notification policy concept (Step 17).
To create a FortiSIEM ticket, select one or more incidents from INCIDENTS > List view, go to Actions and select Create Ticket.
Step 19 - View System Dashboards
FortiSIEM provides several built-in dashboards:
- Incident Dashboard – Overview and Risk View
- Incident Location View (see here for details)
- Incident and Location Dashboard – select DASHBOARD > Incident and Location Dashboard (this requires you to collect DHCP and Active Directory logon events – see here for details)
Go to DASHBOARD and select the dashboard of your choice.
Step 20 - (Optional) Add Worker
For larger software based deployments that involve multiple collectors or large number of monitored devices or devices with high event rates, it is highly recommended to deploy one or more Workers to distribute the Supervisor node’s workload. Note that Workers cannot be added to Hardware-based appliances.
Workers can be added by visiting ADMIN > License > Nodes - see here for details.
After adding the Worker(s), remember to add the Workers to the Collector event upload destination list (ADMIN > Settings > System > Worker Upload - see here for details).
Step 21 - (Optional) Check Worker Health
Check the health of the Workers by visiting ADMIN > Health > Cloud Health.
- The health of all nodes should be Normal, load average should be within bounds (typically less than the number of cores), CPU should not be pegged at 99%, and little swap should be used.
- Click on any node and check the health of individual processes running on that node in the bottom pane. Status should be Up with large Up times and reasonable CPU and memory usage.
Step 22 - Check License Usage
Check whether the system is operating within licensed parameters (Monitored device count and EPS) by visiting ADMIN > License > Usage (see here for details).
Step 23 - Set Home Page and Complete Your User Profile
Click the User Profile icon in the upper right corner of the UI. The dialog box contains three tabs:
- Basic - Use the Basic tab to change your password for the system.
- Contact - Use the Contact tab to enter your contact information.
- UI Settings - Use the UI Settings tab to set the following:
| Settings | Guidelines |
|---|---|
| Home | Select the tab which opens when you log in to the FortiSIEM UI. |
| Incident Home | Select the Overview, List, Risk, Explorer, or MITRE ATT&CK display for the INCIDENTS tab. |
| Case Home | Select the Overview or List display for the Cases tab. |
| Dashboard Home | Select the Dashboard to open by default under the DASHBOARD tab from this drop-down list. |
| Dashboard Settings | Select the type of dashboards to be visible/hidden using the left/right arrows. The up/down arrows can be used to sort the Dashboards. |
| Language | Specify which language will be used for the UI display. Many UI items have been translated into the languages in the drop-down list, including buttons, labels, top-level headings, and breadcrumbs. Items that are data-driven are not translated. |
| Theme | Select Dark or Light theme for FortiSIEM UI. Save and refresh the browser to view the change. |
Step 24 – Log On to the Console and Check Status
In rare situations when the GUI is not responding, you may need to SSH in to the system console of Supervisor, Worker and Collector nodes and issue some commands. The list of node IP addresses is available in ADMIN > License > Nodes, ADMIN > Health > Cloud Health and ADMIN > Health > Collector Health.
You can log in as root for the first time using the password: ProspectHills. After the first login, you are forced to change this password.
The following commands are available:
- phstatus: shows the status of all FortiSIEM processes
- phstatus -a: shows the detailed status of all FortiSIEM processes along with events per second and local I/O rates
The following Linux commands can be useful:
- top: shows the CPU and memory usage of all Linux processes
- iostat -x 2: shows the I/O statistics for local disk
- nfsiostat -x 2: shows the NFS I/O statistics for Supervisor and Worker in NFS based deployments
- tail -300f /opt/phoenix/log/phoenix.log: shows the C++ module log
Step 25 - Set up Automated CMDB Disk Space Management
If the CMDB disk partition becomes full, then the system may not work correctly. To prevent this from happening, FortiSIEM 6.3.2 introduced a CMDB disk space management framework.
Three parameters are introduced in phoenix_config.txt:
- month_retain_limit: Number of months for which incidents on the Supervisor node should be retained (default value 6 months).
- cmdb_disk_space_low_threshold (in MB): When free CMDB disk space falls below this defined threshold, disk management kicks in (default value 50MB).
- cmdb_disk_space_high_threshold (in MB): When disk management kicks in, incidents are purged until free CMDB disk space reaches this defined threshold (default value 100MB).
Two audit events are introduced:
- PH_AUDIT_CMDB_DISK_PRUNE_SUCCESS: This event indicates that free CMDB disk space fell below the low threshold (cmdb_disk_space_low_threshold) and old incidents and identity / location data were pruned to bring the free CMDB disk space above the high threshold (cmdb_disk_space_high_threshold).
- PH_AUDIT_CMDB_DISK_PRUNE_FAILED: This event indicates that free CMDB disk space fell below the low threshold (cmdb_disk_space_low_threshold) and, in spite of pruning older incidents and identity / location data, free CMDB disk space stays below the high threshold (cmdb_disk_space_high_threshold). To remedy this situation, the user must reduce the number of months of incidents and identity / location data in CMDB (month_retain_limit).
Two system defined rules are included:
- FortiSIEM: CMDB Disk space low - Prune successful.
- FortiSIEM: CMDB Disk space low - Prune failed to keep free disk space above high threshold.
Adjust the CMDB disk management values if necessary.
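A simulation of the pruning policy just described, added here as an example and not FortiSIEM's own code: it reads the three parameters, prunes incidents older than month_retain_limit (oldest first) until free space reaches the high threshold, and reports which of the two audit events the run would raise. The key=value layout assumed for phoenix_config.txt, the per-incident sizes, and the sample dates are constructed; the real framework also prunes identity / location data.

```python
"""Simulation of CMDB disk space management from Step 25 (added example,
not FortiSIEM code).  Models the three phoenix_config.txt parameters and the
SUCCESS / FAILED audit event decision; incident sizes are a constructed
simplification."""
from datetime import date

# Page defaults for the three parameters (thresholds in MB).
DEFAULTS = {
    "month_retain_limit": 6,
    "cmdb_disk_space_low_threshold": 50,
    "cmdb_disk_space_high_threshold": 100,
}

def read_params(config_text, defaults=DEFAULTS):
    """Pick the three parameters out of 'key=value' lines.  The key=value
    layout of phoenix_config.txt is an assumption; absent keys keep the
    page defaults."""
    cfg = dict(defaults)
    for line in config_text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key.strip() in cfg:
            cfg[key.strip()] = int(val.strip())
    return cfg

def months_old(day, today):
    """Whole calendar months between an incident date and today."""
    return (today.year - day.year) * 12 + (today.month - day.month)

def prune_cmdb(incidents, free_mb, today, cfg=DEFAULTS):
    """Run the disk-management check once.

    incidents: list of (incident_date, size_mb), size being the space the
    incident frees when deleted (constructed).  Returns
    (audit_event, remaining_incidents, free_mb); audit_event is None when
    free space was not below the low threshold, otherwise one of the two
    audit events named on the page.
    """
    low = cfg["cmdb_disk_space_low_threshold"]
    high = cfg["cmdb_disk_space_high_threshold"]
    if free_mb >= low:
        return None, list(incidents), free_mb
    # Prune oldest first, only incidents older than month_retain_limit,
    # and stop as soon as free space reaches the high threshold.
    remaining = sorted(incidents)
    while (remaining and free_mb < high
           and months_old(remaining[0][0], today) > cfg["month_retain_limit"]):
        _, size_mb = remaining.pop(0)
        free_mb += size_mb
    event = ("PH_AUDIT_CMDB_DISK_PRUNE_SUCCESS" if free_mb >= high
             else "PH_AUDIT_CMDB_DISK_PRUNE_FAILED")
    return event, remaining, free_mb

# Constructed sample data: a reference date and four incidents with sizes.
TODAY = date(2024, 7, 15)
INCIDENTS = [
    (date(2023, 10, 1), 30),  # 9 months old
    (date(2023, 12, 1), 40),  # 7 months old
    (date(2024, 3, 1), 25),   # 4 months old: kept under the 6-month default
    (date(2024, 7, 1), 10),   # current month
]
SAMPLE_CONFIG = """\
# constructed fragment, not a real phoenix_config.txt
month_retain_limit=3
cmdb_disk_space_low_threshold=50
cmdb_disk_space_high_threshold=100
"""

if __name__ == "__main__":
    print(prune_cmdb(INCIDENTS, 40, TODAY))   # SUCCESS, free space 110 MB
    print(prune_cmdb(INCIDENTS, 20, TODAY))   # FAILED, stuck at 90 MB
    print(prune_cmdb(INCIDENTS, 20, TODAY, read_params(SAMPLE_CONFIG)))
```

The third call shows the remedy the page gives for PH_AUDIT_CMDB_DISK_PRUNE_FAILED: lowering month_retain_limit makes the 4-month-old incident prunable and the run succeeds.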
Step 26 - Create Retention Policy
After the event database has been set up, if you haven't done so already, you may want to create retention policies to optimize how your storage is managed. To do so, follow the steps in Creating a Retention Policy.
Step 27 - Online Documentation and FortiAI
The upper right corner of the UI has two icons that you may find helpful.
- Click the Online Documentation icon in the upper right corner of the UI to access the FortiSIEM User Guide.
- Click the FortiAI icon in the upper right corner of the UI to access FortiAI. FortiAI can be configured by following the instructions here. FortiAI allows you to enter English language questions, and returns a response. In the case of a report query, validated XML code is provided. You can push this code to the Analytics page by clicking on the Action drop-down option and selecting "Run on Analytics" (which will take you to the Analytics page). On the Analytics page, click Run to run the provided report.
For more details, see FortiAI.