This article provides a detailed explanation of the steps involved in enabling the FortiSOAR and FortiSIEM docker modules on FortiAnalyzer. It also highlights possible issues that may occur after performing this operation and offers guidance on troubleshooting them.
FortiAnalyzer.
Definition:
A Docker-based MEA (Managed Exchange Application) module refers to a software module or containerized application designed to provide monitoring and management capabilities. It leverages Docker technology to encapsulate the MEA functionality within a lightweight and isolated container.
Starting from version 7.2, the FortiAnalyzer appliance supports Managed Exchange Application (MEA) modules, namely FortiSOAR and FortiSIEM.
Solution:
Prerequisites:
A valid FortiSOAR license is a mandatory requirement.
FortiSOAR MEA must be licensed appropriately for use in production.
Note:
By default, FortiSOAR MEA includes a Trial (Extension) License. The trial mode is limited to 2 users that can use FortiSOAR MEA for a maximum of 300 actions a day: https://docs.fortinet.com/document/fortianalyzer/7.0.2/fortisoar-7-0-2-r1-release-notes/11736/fortis...
Before proceeding with the subsequent steps, ensure that FortiManager has uninterrupted connectivity with the FortiGuard servers so that the necessary communication and data exchange can take place. View the FortiGuard link log:
diag fmupdate view-linkd-log fds
Ping the FGD FQDNs:
execute ping fds1.fortinet.com
Example of diag fmupdate view-linkd-log fds command: (expected successful communication highlighted in green).
config system docker
set status enable
set fsmcollector enable
set fortisoar enable
end
In an ideal scenario, FortiAnalyzer establishes a connection with the FortiGuard server to obtain the latest module packages, ensuring the acquisition of the most up-to-date image module.
For instance (below captures):
The FortiSIEM image is retrieved from the registry.fortinet.com/fortisiem/ repository.
The FortiSOAR image is retrieved from the registry.fortinet.com/fortisoar/ repository.
2. Potential errors that might be encountered when enabling FortiSOAR and FortiSIEM modules:
Can't pull fsmcollector (Error: error contacting notary server: dial tcp 173.243.139.82:4443: i/o timeout
This error indicates that FortiAnalyzer is unable to fetch update packages for a container module from the FortiGuard servers because a port is blocked on the network firewall. In other words, FortiAnalyzer will not be able to enable the docker/MEA extensions.
The port to open on the firewall rule that points to registry.fortinet.com is 4443/443, as mentioned in the following documentation: https://docs.fortinet.com/document/fortianalyzer/7.4.0/cli-reference/194126/docker
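The reachability check behind this error, as an added example that is not part of the original article or of Fortinet's tooling: a Python script that parses the 'dial tcp' error text and probes registry.fortinet.com on ports 443 and 4443. The function names are hypothetical, and it assumes the script runs on a host whose traffic passes through the same firewall policy as the FortiAnalyzer.

```python
import re
import socket

# Host and ports come from the article; function names are hypothetical.
REGISTRY_HOST = "registry.fortinet.com"
REQUIRED_PORTS = (443, 4443)

# Matches the tail of a Docker pull error such as
# "... dial tcp 173.243.139.82:4443: i/o timeout"
DIAL_RE = re.compile(r"dial tcp (\d{1,3}(?:\.\d{1,3}){3}):(\d+): (.+?)\)?$")


def parse_dial_error(line):
    """Return (ip, port, reason) from a 'dial tcp' error line, or None."""
    m = DIAL_RE.search(line.strip())
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None


def probe(host, port, timeout=5.0):
    """Classify one TCP connect attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"   # packets dropped silently: typical of a firewall block
    except ConnectionRefusedError:
        return "refused"   # host reachable, but the port is closed or rejected
    except socket.gaierror:
        return "dns"       # name did not resolve: check DNS before the firewall
    except OSError:
        return "error"     # for example, no route to host


def check_endpoints(host=REGISTRY_HOST, ports=REQUIRED_PORTS, timeout=5.0):
    """Probe every required port and return {port: status}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Error text as quoted in the article.
    sample = ("Can't pull fsmcollector (Error: error contacting notary server: "
              "dial tcp 173.243.139.82:4443: i/o timeout")
    print("parsed error:", parse_dial_error(sample))
    for port, status in check_endpoints().items():
        verdict = "OK" if status == "open" else "check firewall rule / routing"
        print(f"{REGISTRY_HOST}:{port} -> {status} ({verdict})")
```

A "timeout" result on 4443 with "open" on 443 matches the error above: the registry is reachable, but the notary port is being dropped by the firewall.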
To verify the status of the module:
Upon completion of the operation, it is imperative that the status of the modules is verified to be in the 'running' state:
diag docker status
Even after port 4443 has been opened successfully, additional errors may still occur.
If such errors occur, the following commands remove all FortiSOAR and FortiSIEM volumes and then restart the respective modules:
diag docker reset fortisoar
diag docker reset fortisiem
Failure to reset both modules may result in the following errors:
In the case of the FortiSOAR module, the following error may occur: 'The creation of the container is impossible: no such file or directory'.
In the case of the FortiSIEM module, the following error may occur: 'Driver failed programming external connectivity on endpoint fsmcollector'.
Upon enabling both the Managed Event Analysis (MEA) and the FortiSOAR/FortiSIEM modules, a 'Management extensions' panel will be displayed in the left menu:
FortiSOAR and FortiSIEM extension:
3. Troubleshooting:
In the event of an error, the following commands can be used to enable Docker debug output:
diag debug app docker 255
diag debug enable
To upgrade modules (optional):
diagnose docker upgrade fortisoar
diagnose docker upgrade fortisiem
To disable the docker support and monitor:
diagnose docker cleanup
config system docker
set status disable
end