Cybersecurity Forum


m_abureesh
New Contributor

Remediation Action Issue

Hello,
I have a FortiSIEM FS-1000F with a perpetual license, but the support has expired now. I had a notification rule that includes running the script FortiGate-blockip-after5.2 to block the source IP when the incident "Permitted traffic from suspicious external source" is generated. The problem is that when I view the running task, the script is frozen at 0%. Is this issue caused by my support being expired?

FSM_FTNT
Staff

There isn't an FSM 1000F appliance; there is a 500F Collector, a 2000F Super and a 3500F Super. Expired support should not impact remediations, but I would advise getting it back under support for the latest updates and fixes.

I typically use the "Block IP FortiOS API" remediation; you just need to make sure you have an HTTPS credential associated with the device.

In the FSM GUI go to Admin / Setup / Credentials and create the following credentials under "Step 1: Enter Credentials"

As well as having SNMP and ideally SSH credentials defined, also create an HTTPS credential, for example:

HTTPS

  • Name: HTTPS - Fortigate
  • Device Type: Fortinet FortiOS
  • Access Protocol: HTTPS
  • Port: 443
  • Password config: Manual
  • User Name: admin
  • Password: FortiSIEM
  • Save.

Then associate that credential with the FGT IP.

After that, rediscover the device and try remediating with the API remediation option.
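What an HTTPS "Block IP" remediation has to do on the FortiGate side, as an added example (not FortiSIEM's own remediation script and not code from this thread): create a /32 address object for the attacker IP and add it to an address group that a deny policy references, over the FortiOS REST API. The endpoint paths and JSON shapes follow the FortiOS 6.x/7.x `api/v2/cmdb` API; the group name `FSM_Blocked_Sources`, the `FSM_BLOCK_` object prefix, the API token and the sample IPs are assumptions. The `send` callable is injectable so the logic can be exercised without a live firewall.

```python
"""Block a source IP on a FortiGate over the FortiOS REST API (added example).

Assumed FortiOS endpoints (6.x/7.x cmdb API, not taken from the forum post):
  GET  /api/v2/cmdb/firewall/addrgrp/<group>     read group membership
  GET  /api/v2/cmdb/firewall/address             list address objects
  POST /api/v2/cmdb/firewall/address             create an ipmask object
  PUT  /api/v2/cmdb/firewall/addrgrp/<group>     replace group membership
"""
import ipaddress
import json
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional

BLOCK_GROUP = "FSM_Blocked_Sources"   # assumed address group referenced by a deny policy
OBJECT_PREFIX = "FSM_BLOCK_"          # assumed naming convention for created objects


def validate_block_target(ip: str) -> str:
    """Accept only public, unicast IPv4 addresses.

    An automated rule that blocks an RFC1918, loopback or multicast address is a
    self-inflicted outage, so fail closed. Note that ipaddress classes the
    documentation ranges (192.0.2.0/24 etc.) as private, so they are refused too.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError(f"only IPv4 targets are supported: {ip}")
    if not addr.is_global or addr.is_multicast:
        raise ValueError(f"refusing to block a non-public address: {ip}")
    return str(addr)


def address_object(ip: str) -> Dict[str, str]:
    """JSON body for POST /api/v2/cmdb/firewall/address: a /32 ipmask object."""
    target = validate_block_target(ip)
    return {
        "name": f"{OBJECT_PREFIX}{target}",
        "type": "ipmask",
        "subnet": f"{target} 255.255.255.255",
        "comment": "auto-blocked by SIEM remediation",
    }


class FortiOSClient:
    """Token-authenticated client; send(method, path, body) -> parsed JSON.

    Pass a custom send() to replay recorded responses offline.
    """

    def __init__(self, base_url: str, token: str, vdom: str = "root",
                 send: Optional[Callable[[str, str, Optional[dict]], dict]] = None,
                 verify_tls: bool = True):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.vdom = vdom
        self._send = send or self._http_send
        self._ctx = ssl.create_default_context()
        if not verify_tls:  # only for lab boxes with a self-signed certificate
            self._ctx.check_hostname = False
            self._ctx.verify_mode = ssl.CERT_NONE

    def _http_send(self, method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{self.base_url}{path}?vdom={self.vdom}", data=data, method=method,
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=self._ctx) as resp:
            return json.load(resp)

    def request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        return self._send(method, path, body)


def block_ip(client: FortiOSClient, ip: str, group: str = BLOCK_GROUP) -> List[str]:
    """Idempotently add ip to the block group; returns the member names now in it.

    Re-running the remediation for an IP that is already blocked must not
    re-POST the object (FortiOS rejects duplicate names), so check first.
    """
    obj = address_object(ip)
    grp = client.request("GET", f"/api/v2/cmdb/firewall/addrgrp/{group}")
    members = [m["name"] for m in grp["results"][0].get("member", [])]
    if obj["name"] in members:
        return members
    known = {a["name"] for a in client.request("GET", "/api/v2/cmdb/firewall/address")["results"]}
    if obj["name"] not in known:
        client.request("POST", "/api/v2/cmdb/firewall/address", obj)
    members.append(obj["name"])
    client.request("PUT", f"/api/v2/cmdb/firewall/addrgrp/{group}",
                   {"member": [{"name": n} for n in members]})
    return members
```

Against a real FortiGate this is `block_ip(FortiOSClient("https://fgt.example.net", token), "1.2.3.4")` with an API-user token that has write access to `firewall address` and `firewall addrgrp` in the target VDOM; the deny policy that references the group must already exist, and, as the reply above notes, the FortiGate must be licensed for API access.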
m_abureesh

Sorry, it is a 2000F. I saw that this remediation action needs SSH access only, from the Resources tab. Is it necessary to enable HTTPS?

FSM_FTNT

You can use SSH remediation or the API remediation. API connects in over HTTPS. But you must have the appropriate credential associated and discovered with the device.
FSM_FTNT

Just one point on API (HTTPS) remediation with the FGT: the FGT needs to be licensed.
m_abureesh

Yes, I had the credential and the remediation scripts worked before. I want to add that the notification rule doesn't send the emails or run the script now. So do you think it is a support issue?
FSM_FTNT

If the Incident triggered and fired a notification then depending on the Notification Window defined in the Rule it won't trigger a notification again until either the Incident is cleared or the Notification Window expires.

Suggest try clearing the Incident and triggering it again.
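A small model of the Notification Window behaviour described in the reply above, as an added example (not FortiSIEM code and not from this thread): a rule fires its actions, e-mail and remediation script, when an incident first triggers, suppresses repeats for the same incident while the window is open, and fires again only after the incident is cleared or the window elapses. The one-hour window, the incident key, the action labels and the timestamps are assumptions chosen to make each branch visible.

```python
"""Model of a rule Notification Window (added example, not FortiSIEM's implementation)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Incident:
    key: str                              # e.g. rule name plus source IP
    last_notified: Optional[int] = None   # epoch seconds of the last fired notification
    cleared: bool = False


@dataclass
class NotificationRule:
    name: str
    window_seconds: int                   # assumed Notification Window length
    actions: List[str]                    # what fires: e-mail, script, ...
    incidents: Dict[str, Incident] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def trigger(self, key: str, now: int) -> bool:
        """Return True if the actions fired, False if the window suppressed them."""
        inc = self.incidents.get(key)
        if inc is None or inc.cleared:
            inc = Incident(key)           # new, or re-opened after a clear: no window applies
            self.incidents[key] = inc
        if inc.last_notified is not None and now - inc.last_notified < self.window_seconds:
            self.log.append(f"{now}: {key} suppressed "
                            f"(window open until {inc.last_notified + self.window_seconds})")
            return False
        inc.last_notified = now
        for action in self.actions:
            self.log.append(f"{now}: {key} -> {action}")
        return True

    def clear(self, key: str) -> None:
        """Clearing the incident resets the window for its next trigger."""
        if key in self.incidents:
            self.incidents[key].cleared = True


def simulate() -> Tuple[List[bool], List[str]]:
    """Constructed scenario: fire, repeat inside window, clear, fire, fire after expiry."""
    rule = NotificationRule("Permitted traffic from suspicious external source", 3600,
                            ["email soc@example.net", "run FortiGate-blockip-after5.2"])
    key = "src=1.2.3.4"
    fired = [rule.trigger(key, 0)]        # first trigger: both actions run
    fired.append(rule.trigger(key, 600))  # same incident, window still open: nothing runs
    rule.clear(key)                       # the suggested fix: clear, then re-trigger
    fired.append(rule.trigger(key, 700))  # fires again immediately after the clear
    fired.append(rule.trigger(key, 5000)) # 4300 s later, window expired: fires again
    return fired, rule.log
```

The second trigger is the situation in the thread: the incident is still open from the first run, so the script is not launched again even though the condition matched, which looks like the rule "stopped working". Clearing the incident (or waiting out the window) is what makes the next match fire.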