Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

m_abureesh
New Contributor

Created on ‎09-25-2019 11:12 PM

Remediations Acton Issue

hello,
I have FortiSEM FS-1000F with a perpetual license but the support is expired now, I had notification rule includes run script FortiGate-blockip-after5.2 to block the source IP when the incident "Permitted traffic from suspicions external source " is generated. the problem is when I view the running task the script is a freeze on 0%.is this issue caus my support is expired?
Labels:
704
0 Kudos
1 Solution
FSM_FTNT
Staff
Staff
In response to m_abureesh

Created on ‎09-26-2019 05:42 AM

If the Incident triggered and fired a notification then depending on the Notification Window defined in the Rule it won't trigger a notification again until either the Incident is cleared or the Notification Window expires.

Suggest try clearing the Incident and triggering it again.

View solution in original post

683
0 Kudos
6 REPLIES 6
FSM_FTNT
Staff
Staff

Created on ‎09-26-2019 03:20 AM

There isn't a FSM 1000F appliance, there is 500F Collector, 2000F Super and 3500F Super. Expired support should not impact remediations, but would advise to get it back under support for the latest updates and fixes.

I typically use the "Block IP FortiOS API" remediation, you just need to make sure you an https credential associated with the device.

In the FSM GUI go to Admin / Setup / Credentials and create the following credentials under "Step 1: Enter Credentials"

As well as having SNMP and ideally SSH credentials defined, also create an HTTPS credential for example:

HTTPS

  • Name: HTTPS - Fortigate
  • Device Type: Fortinet FortiOS
  • Access Protocol: HTTPS
  • Port: 443
  • Password config: Manual
  • User Name: admin
  • Password: FortiSIEM
  • Save.

Then associate that credential with the FGT IP.

UploadedImages_slgSkp3DSvycYVbuP71c_temp-M.jpg
After that, rediscover the device and try remediating with the API remediation option.
683
0 Kudos
m_abureesh
New Contributor
In response to FSM_FTNT

Created on ‎09-26-2019 03:33 AM

Sorry, is 2000F .i seen this remediation action needs SSH access only from resources tabs. is necessary to enable https ?

683
0 Kudos
FSM_FTNT
Staff
Staff
In response to m_abureesh

Created on ‎09-26-2019 04:24 AM

You can use SSH remediation or the API remediation. API connects in over HTTPS. But you must have the appropriate credential associated and discovered with the device.
683
0 Kudos
FSM_FTNT
Staff
Staff
In response to FSM_FTNT

Created on ‎09-26-2019 04:26 AM

Just one point on API (HTTPS) remediation with the FGT, the FGT needs to be licensed.
683
0 Kudos
m_abureesh
New Contributor
In response to FSM_FTNT

Created on ‎09-26-2019 05:10 AM

yes I had the credential and the remediation scripts worked before, and I want to be added the notification rule didn't send the emails or run the script now. so do you think is support issue?
683
0 Kudos
FSM_FTNT
Staff
Staff
In response to m_abureesh

Created on ‎09-26-2019 05:42 AM

If the Incident triggered and fired a notification then depending on the Notification Window defined in the Rule it won't trigger a notification again until either the Incident is cleared or the Notification Window expires.

Suggest try clearing the Incident and triggering it again.
684
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.