dauneaus
New Member
May 11, 2022
Question

FortiSIEM

  • May 11, 2022
  • 4 replies
  • 2309 views

Much to my surprise, the company purchased FortiSIEM. I am excited to start building it. I've finished the free online NSE training that was provided.

What are some tips or "gotchas" I should worry about? Hosting it in Azure.

4 replies

Contributor
May 13, 2022

Hello @dauneaus ,


We thank you for posting to the Fortinet Community Forum. As per your query, we can suggest the following links for installing and building FortiSIEM.

https://docs.fortinet.com/document/fortisiem/5.2.5/azure-installation-guide/224521/installing-fortisiem-azure-super-worker
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/730247f7-04e0-11eb-96b9-00505692583a/FortiSIEM-6.1.1-Azure_Installation_and_Migration_Guide.pdf


Let us know if this helps.
Thanks

EEHC
Explorer III
May 24, 2022

- Discovery:
  * If you don't find the model or you don't find the protocol (SNMP or other), clone it and the protocols you need.
  * Discover a small group or individual devices at a time, to make it fast.
  * Schedule a discovery to add new devices.
  * Check Setup > Monitor Performance for errors.


CMDB: Check Monitor data for the device. In the event receive status you should see the protocols you configured for the device (Syslog, SNMP, NetFlow and so on).


Confirm the protocol configuration on the device and the logging filter to make sure it logs the required data.

Analyses: Generate a report for the data you expect to receive to confirm that.

premchanderr
Staff & Editor
May 27, 2022

Hi @dauneaus ,


Follow the steps exactly as given in the configuration guide and it should work.

Ensure the disk sizes for cmdb, svn and opt are kept as suggested in the guide.


Be vigilant in choosing the License type as Enterprise or Service Provider. This option will be available for first-time installations. Once the database is configured, this option will not be available, and in case of an incorrect choice you need to redeploy.


Related Link:

https://docs.fortinet.com/product/fortisiem/6.5

https://docs.fortinet.com/document/fortisiem/6.5.0/azure-installation-guide/496685/fresh-installation

EEHC
Explorer III
May 28, 2022

Here is some experience I got.

Syslog is the only supported method of FortiADC integration with FortiSIEM as per the external system configuration guide. So, pulling configuration information using SNMP for FortiADC devices may not be possible currently.


When I test credentials I get "SSH failed (Host key verification failed)", but discovery is successful. I have to log in to the FortiSIEM Supervisor over SSH and follow the steps mentioned in the KB article "Technical Note: [Accelops KB] How to reset SSH key" to clear the SSH key cache.

It helped so much and solved several problems.

I found the name for the FortiGate is "_gateway". When I changed the name to FortiGate, the configuration data on FortiSIEM disappeared. I realized that there is a relation between the name and the configuration. I did a rediscovery for other IP addresses and found the name is displayed joined to the domain name. I edited the name by adding the domain name, and the configuration for both IP addresses was updated.