Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Release Notes

    Home FortiSIEM 7.3.5 Release Notes
    7.3.5
    7.5.0
    7.4.2
    7.4.1
    7.4.0
    7.3.5
    7.3.4
    7.3.3
    7.3.2
    7.3.1
    7.3.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.9
    7.1.8
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.10
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.8
    5.2.7
    5.2.6
    5.2.5
    5.2.5
    5.2.1
    5.1.2
    5.1.1
    5.1.0
    5.0.1
    4.10.0
    4.9.0

    What's New in 7.3.5

    What's New in 7.3.5

    This release contains the following bug fixes and enhancements.

    caution icon

    If you are running 7.3.5, then you must upgrade to 7.4.2 or later. There was a security fix in 7.3.5, but it was not included in earlier 7.4.1, causing the upgrades to fail.

    System Updates

    This release includes Rocky Linux OS 8.10 patches until September 18, 2025. Details can be found at https://rockylinux.org/news/rocky-linux-8-10-ga-release. FortiSIEM Rocky Linux Repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) have also been updated to include Rocky Linux 8.10. FortiSIEM customers in versions 6.4.1 and above, can upgrade their Rocky Linux versions by following the FortiSIEM OS Update Procedure.

    Known Issues

    1. FortiSIEM 7.3.5 cannot be installed in IPV6 only environments.

    2. If you are running HA and DR and can't login to GUI after Failback operation, then restart App Server.

    Bug Fixes and Enhancements

    The following bugs are resolved in this release.

    Bug ID

    Severity

    Module

    Description

    1196070

    Major

    App Server

    Optimize the Apply on Windows Agent > Host Template Association > Apply.

    1193567

    Major

    App Server

    Improve performance of Public Incident REST API - /phoenix/rest/pub/incident API.

    1192432

    Major

    Event Pulling Agents

    Microsoft Defender Alerts stops after a while due to pagination mishandling.

    1203162

    Major

    GUI

    Clicking on "Reformat" when editing system or custom parser will incorrectly encode CDATA definition inside the parser and test will fail.

    1192774

    Major

    Upgrade

    HA Super Cluster upgrade script does not work on AWS.

    1201362

    Minor

    App Server

    The public Incident REST APIs fail to return results in HA environment.

    1194942

    Minor

    App Server

    Upgrade to 7.3.4 may fail while deleting Sigma rules, when the rule has test events.

    1203148

    Minor

    GUI, Parser

    Modifying the event format recognizer to any string on a working custom parser will incorrectly test successfully.

    1196219

    Minor

    Linux Agent

    Linux Agent Monitor Status of is empty after restarting Linux Agent service.

    1185262

    Minor

    Query

    Analytic query involving Malware IPs does not work if a Malware IP entry is an IP range.

    1206464

    Minor

    System

    "configFSM.sh" run failed on HW during re-installation.

    1200502

    Minor

    System

    "configFSM.sh" run fails on 3600G after upgrade & regular factory reset.

    1199999

    Minor

    System

    Improve the performance of Collector upgrade via Supervisor via caching. If many collectors are doing yum upgrade simultaneously, then upgrade may fail.

    1195950

    Minor

    System

    Ansible task to restart ClickHouse Keeper service is incorrect.

    Implementation Notes

    Linux Agent Related

    If you are running Linux Agent on Ubuntu 24, then Custom Log File monitoring may not work because of App Armor configuration. Take the following steps to configure App Armor to enable FortiSIEM Linux Agent to monitor custom files.

    1. Login as root user.

    2. Check if rsyslogd is protected by AppArmor by running the following command.

      aa-status | grep rsyslogd

      If the output displays rsyslogd, then you need to modify AppArmor configuration as follows.

    3. Verify that the following line exists in the file /etc/apparmor.d/usr.sbin.rsyslogd

      include if exists <rsyslog.d>

      If it does not, then add the above line to the file.

    4. Create or modify the file /etc/apparmor.d/rsyslog.d/custom-rules and add rules for the monitored log file as needed.

      Examples:

      If you want to monitor /testLinuxAgent/testLog.log file, then add the following line that allows rsyslogd to read the file:

      /testLinuxAgent/testLog.log r,

      Always add the following line that allows rsyslogd to read the FortiSIEM log file. This is needed:

      /opt/fortinet/fortisiem/linux-agent/log/phoenix.log r,

    5. Run the following command to reload the rsyslogd AppArmor profile and apply the changes above.

      apparmor_parser -r /etc/apparmor.d/usr.sbin.rsyslogd

    Identity and Location Related

    If you are upgrading to 7.3.5, then please update the following entry in the /opt/phoenix/config/identityDef.xml file in Supervisor and Workers to get Identity and location entries populated for Microsoft Office365 events. Then restart IdentityWorker and IdentityMaster processes on Supervisor and Workers.

    Pre-7.3.5 Entry 

    <identityEvent>
     <eventType>MS_OFFICE365_UserLoggedIn_Succeeded</eventType>
     <eventAttributes>
        <eventAttribute name="userId" identityAttrib="office365User" reqd="yes"/>
        <eventAttribute name="srcDomain" identityAttrib="domain" reqd="no"/>
        <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
        <eventAttribute name="srcGeoCountry" identityAttrib="geoCountry" reqd="no"/>
        <eventAttribute name="srcGeoCountryCodeStr" identityAttrib="geoCountryCode" reqd="no"/>
        <eventAttribute name="srcGeoState" identityAttrib="geoState" reqd="no"/>
        <eventAttribute name="srcGeoCity" identityAttrib="geoCity" reqd="no"/>
        <eventAttribute name="srcGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
        <eventAttribute name="srcGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
     </eventAttributes>
  </identityEvent>

    7.3.5 Entry 

    <identityEvent>
     <eventType>MS_OFFICE365_UserLoggedIn_Succeeded,MS_OFFICE365_EntraID_UserLoggedIn,MS_OFFICE365_EntraID_StsLogon_UserLoggedIn</eventType>
     <eventAttributes>
        <eventAttribute name="user" identityAttrib="office365User" reqd="yes"/>
        <eventAttribute name="srcDomain" identityAttrib="domain" reqd="no"/>
        <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
        <eventAttribute name="srcGeoCountry" identityAttrib="geoCountry" reqd="no"/>
        <eventAttribute name="srcGeoCountryCodeStr" identityAttrib="geoCountryCode" reqd="no"/>
        <eventAttribute name="srcGeoState" identityAttrib="geoState" reqd="no"/>
        <eventAttribute name="srcGeoCity" identityAttrib="geoCity" reqd="no"/>
        <eventAttribute name="srcGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
        <eventAttribute name="srcGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
     </eventAttributes>
  </identityEvent>

    Post-Upgrade ClickHouse IP Index Rebuilding

    If you are upgrading ClickHouse based deployment from pre-7.1.1 to 7.3.5, then after upgrading to 7.3.5, you need to run a script to rebuild ClickHouse indices. If you are running 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.x, 7.3.0, 7.3.1, 7.3.2, 7.3.3 or 7.3.4 and have already executed the rebuilding steps, then nothing more needs to be done.

    For details about this issue, see Release Notes 7.1.3 Known Issue.

    The rebuilding steps are available in Release Notes 7.1.4 - Script for Rebuilding/Recreating pre-7.1.1 ClickHouse Database Indices Involving IP Fields.

    Previous
    Next

    What's New in 7.3.5

    What's New in 7.3.5

    This release contains the following bug fixes and enhancements.

    caution icon

    If you are running 7.3.5, then you must upgrade to 7.4.2 or later. There was a security fix in 7.3.5, but it was not included in earlier 7.4.1, causing the upgrades to fail.

    System Updates

    This release includes Rocky Linux OS 8.10 patches until September 18, 2025. Details can be found at https://rockylinux.org/news/rocky-linux-8-10-ga-release. FortiSIEM Rocky Linux Repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) have also been updated to include Rocky Linux 8.10. FortiSIEM customers in versions 6.4.1 and above, can upgrade their Rocky Linux versions by following the FortiSIEM OS Update Procedure.

    Known Issues

    1. FortiSIEM 7.3.5 cannot be installed in IPV6 only environments.

    2. If you are running HA and DR and can't login to GUI after Failback operation, then restart App Server.

    Bug Fixes and Enhancements

    The following bugs are resolved in this release.

    Bug ID

    Severity

    Module

    Description

    1196070

    Major

    App Server

    Optimize the Apply on Windows Agent > Host Template Association > Apply.

    1193567

    Major

    App Server

    Improve performance of Public Incident REST API - /phoenix/rest/pub/incident API.

    1192432

    Major

    Event Pulling Agents

    Microsoft Defender Alerts stops after a while due to pagination mishandling.

    1203162

    Major

    GUI

    Clicking on "Reformat" when editing system or custom parser will incorrectly encode CDATA definition inside the parser and test will fail.

    1192774

    Major

    Upgrade

    HA Super Cluster upgrade script does not work on AWS.

    1201362

    Minor

    App Server

    The public Incident REST APIs fail to return results in HA environment.

    1194942

    Minor

    App Server

    Upgrade to 7.3.4 may fail while deleting Sigma rules, when the rule has test events.

    1203148

    Minor

    GUI, Parser

    Modifying the event format recognizer to any string on a working custom parser will incorrectly test successfully.

    1196219

    Minor

    Linux Agent

    Linux Agent Monitor Status of is empty after restarting Linux Agent service.

    1185262

    Minor

    Query

    Analytic query involving Malware IPs does not work if a Malware IP entry is an IP range.

    1206464

    Minor

    System

    "configFSM.sh" run failed on HW during re-installation.

    1200502

    Minor

    System

    "configFSM.sh" run fails on 3600G after upgrade & regular factory reset.

    1199999

    Minor

    System

    Improve the performance of Collector upgrade via Supervisor via caching. If many collectors are doing yum upgrade simultaneously, then upgrade may fail.

    1195950

    Minor

    System

    Ansible task to restart ClickHouse Keeper service is incorrect.

    Implementation Notes

    Linux Agent Related

    If you are running Linux Agent on Ubuntu 24, then Custom Log File monitoring may not work because of App Armor configuration. Take the following steps to configure App Armor to enable FortiSIEM Linux Agent to monitor custom files.

    1. Login as root user.

    2. Check if rsyslogd is protected by AppArmor by running the following command.

      aa-status | grep rsyslogd

      If the output displays rsyslogd, then you need to modify AppArmor configuration as follows.

    3. Verify that the following line exists in the file /etc/apparmor.d/usr.sbin.rsyslogd

      include if exists <rsyslog.d>

      If it does not, then add the above line to the file.

    4. Create or modify the file /etc/apparmor.d/rsyslog.d/custom-rules and add rules for the monitored log file as needed.

      Examples:

      If you want to monitor /testLinuxAgent/testLog.log file, then add the following line that allows rsyslogd to read the file:

      /testLinuxAgent/testLog.log r,

      Always add the following line that allows rsyslogd to read the FortiSIEM log file. This is needed:

      /opt/fortinet/fortisiem/linux-agent/log/phoenix.log r,

    5. Run the following command to reload the rsyslogd AppArmor profile and apply the changes above.

      apparmor_parser -r /etc/apparmor.d/usr.sbin.rsyslogd

    Identity and Location Related

    If you are upgrading to 7.3.5, then please update the following entry in the /opt/phoenix/config/identityDef.xml file in Supervisor and Workers to get Identity and location entries populated for Microsoft Office365 events. Then restart IdentityWorker and IdentityMaster processes on Supervisor and Workers.

    Pre-7.3.5 Entry 

    <identityEvent>
     <eventType>MS_OFFICE365_UserLoggedIn_Succeeded</eventType>
     <eventAttributes>
        <eventAttribute name="userId" identityAttrib="office365User" reqd="yes"/>
        <eventAttribute name="srcDomain" identityAttrib="domain" reqd="no"/>
        <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
        <eventAttribute name="srcGeoCountry" identityAttrib="geoCountry" reqd="no"/>
        <eventAttribute name="srcGeoCountryCodeStr" identityAttrib="geoCountryCode" reqd="no"/>
        <eventAttribute name="srcGeoState" identityAttrib="geoState" reqd="no"/>
        <eventAttribute name="srcGeoCity" identityAttrib="geoCity" reqd="no"/>
        <eventAttribute name="srcGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
        <eventAttribute name="srcGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
     </eventAttributes>
  </identityEvent>

    7.3.5 Entry 

    <identityEvent>
     <eventType>MS_OFFICE365_UserLoggedIn_Succeeded,MS_OFFICE365_EntraID_UserLoggedIn,MS_OFFICE365_EntraID_StsLogon_UserLoggedIn</eventType>
     <eventAttributes>
        <eventAttribute name="user" identityAttrib="office365User" reqd="yes"/>
        <eventAttribute name="srcDomain" identityAttrib="domain" reqd="no"/>
        <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
        <eventAttribute name="srcGeoCountry" identityAttrib="geoCountry" reqd="no"/>
        <eventAttribute name="srcGeoCountryCodeStr" identityAttrib="geoCountryCode" reqd="no"/>
        <eventAttribute name="srcGeoState" identityAttrib="geoState" reqd="no"/>
        <eventAttribute name="srcGeoCity" identityAttrib="geoCity" reqd="no"/>
        <eventAttribute name="srcGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
        <eventAttribute name="srcGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
     </eventAttributes>
  </identityEvent>

    Post-Upgrade ClickHouse IP Index Rebuilding

    If you are upgrading ClickHouse based deployment from pre-7.1.1 to 7.3.5, then after upgrading to 7.3.5, you need to run a script to rebuild ClickHouse indices. If you are running 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.x, 7.3.0, 7.3.1, 7.3.2, 7.3.3 or 7.3.4 and have already executed the rebuilding steps, then nothing more needs to be done.

    For details about this issue, see Release Notes 7.1.3 Known Issue.

    The rebuilding steps are available in Release Notes 7.1.4 - Script for Rebuilding/Recreating pre-7.1.1 ClickHouse Database Indices Involving IP Fields.

    Previous
    Next