Hello everyone,
I would like to know exactly what the difference is between the different device statuses shown in the CMDB:
The other question is why I can receive logs from a Decommissioned device.
Hi @Taher11 ,
The device status in the CMDB can be: pending, approved, or unmanaged. Here is how it works:
1) If a managed device is newly discovered but the device license is exceeded, the device will be entered in the CMDB, but as an Unmanaged device.
The unmanaged device will not be monitored in FortiSIEM.
2) Approved devices allow incident firing on the device, if this option is enabled in General Settings.
3) If the incident reporting device is not approved and is in Pending, the incident does not trigger.
Under General Settings > Discovery > Generic you can enable the option Allow Incident Firing on "Approved Devices only" or on all devices (Pending and Approved).
Approved and Pending devices are counted in your license, and all logging, parsing and storing works normally.
You can change the status of a device in CMDB > Action > Change Status. Choose any of the options in the dropdown.
If a device is sending logs continuously and you want to stop it, then you need to configure the device filter; decommissioning alone wouldn't help:
https://help.fortinet.com/fsiem/7-0-1/Online-Help/HTML5_Help/Discovery_Settings.htm#Setting2
Thank you
Created on 01-04-2024 06:58 AM Edited on 01-04-2024 07:03 AM
Hello everyone,
We just saw that on our FortiSIEM v7.1.1, some Incidents were triggered from a device that was in Pending.
Is the above information still correct? Or should I file a bug with the TAC?
EDIT: Or does the option only apply for all devices that were discovered *after* setting the option under Discovery -> Generic
Or is it set individually for each organization and defaults to "all devices"?
Best,
Christian
For as long as I have been using FortiSIEM, pending devices have always triggered incidents, but I haven't updated to 7.1.1 yet, so maybe it's a new feature.
Hi
I observed as well that logs from devices that are "pending" are being accepted (on 6.7 until at least 7.0). I assume that the rules do not care at all whether the source device of the log is pending or accepted in order to trigger, so I'm almost certain that incidents are created anyway.
Regards
Created on 01-04-2024 10:30 PM Edited on 01-04-2024 10:31 PM
Thanks for your feedback. I investigated that with our team and I just expected a different default behavior.
To wrap up the topic "pending":
(btw, "Pending" will also consume a device license)
Best,
Christian