
Deployment Guide

Configuring FortiSOAR

This chapter describes the initial configuration steps required for setting up your FortiSOAR system.

Logging on to FortiSOAR for the first time

  1. In a browser, enter the IP address that you identified using the steps in the Determining your DHCP IP address section, and press Enter.
    For example, https://{Your_FortiSOAR_IP}
    This displays the Fortinet End-User License Agreement (EULA). You must accept the EULA before you can log on to FortiSOAR.
    Once you accept the EULA, the login screen is displayed.
  2. Log in using the following credentials:
    Username: csadmin
    Password: changeme
    For AWS, the UI password of the 'csadmin' user is set to the "instance_id" of your instance. To find the instance ID of your FortiSOAR AWS instance, SSH to the instance and run the cloud-init query instance_id command.
    If you are a 'csadmin' user logging into FortiSOAR for the first time, you are required to change the default password. This enhances the security of your csadmin account and prevents unauthorized parties from accessing the administration account for FortiSOAR.
    Note down your csadmin password: if you forget your initial csadmin password, you have to request FortiSOAR to reset it.
    When you change your csadmin password, you must also update the email ID specified for csadmin, which by default is set to soc@fortinet.com (which is not a valid email ID). To change the email ID, click the User Profile icon to open the User Profile page and change the email address in the Email field. Once you set a valid email ID in the user profile, you can reset your password whenever required by clicking the Forgot Password link on the login page.
    Important: It is also recommended that all new users change their password when they first log on to FortiSOAR, irrespective of the complexity of the password assigned to them.
    After you have changed the default password, FortiSOAR logs you into the application and by default displays the Dashboard page.

Now you can begin configuring FortiSOAR for your network environment.

Configuring SMTP for FortiSOAR

You must configure the SMTP connector to receive any system or email notifications, including requests for resetting passwords. The SMTP connector is one of the pre-installed connectors, or built-ins, that are included with FortiSOAR. By default, the SMTP connector is configured to use the FortiSOAR appliance as an SMTP relay server. You must point it to a production SMTP server in your organization. For more information on configuring the SMTP connector, see the "FortiSOAR Built-in connectors" article.

Caution

When you configure the SMTP connector, ensure that you select the Mark As Default Configuration option for the configuration that will be used for sending system notifications.

It is highly recommended that you review the Additional configuration settings for FortiSOAR chapter to understand the configurations that you should make in your FortiSOAR system before you begin to use FortiSOAR.

Creating your first user and record

Note

The following steps provide a high-level view of how to get started with FortiSOAR. These steps are explained in detail in "Beginners Tutorial to FortiSOAR for Administrators."

  1. Log in to FortiSOAR.
  2. Click the Settings icon in the upper right-hand corner, near the User Profile icon.
    This displays the System page.
    Use the Security Management section to configure the following: Team Hierarchy, Teams, Roles, Users, Authentication, and Password Vault.
  3. Add a new team in FortiSOAR.
    You can also use the default teams that are present in FortiSOAR.
  4. Add a new role in FortiSOAR.
    You can also use default roles that are present in FortiSOAR.
    You provide user permissions on a module based on roles that you have assigned to that user.
    For example, if you want to provide a user with complete access to the Incident module, you must create a role that has Create, Read, Update, and Delete permissions on the Incident module and name it Incident Administrator. You must then assign that role to a user.
  5. Add a new user and assign an appropriate role to the user.
    For example, create a user John A and assign John A the Incident Administrator role.
  6. Create your first record.
    Log on to FortiSOAR as user John A, who has access to the Incident module. Click the Add button in the top bar of the Incidents module to open the Create New Alert form. Fill in the required details in the Create New Incident form and click Save to create an incident.
