Help
FortiSIEM Discussions
Taher11
New Contributor III

Created on ‎08-03-2023 12:45 PM

Devices status

Hello everyone,

 I would like to know exactly what the difference is between those different device statuses shown on the CMDB:

  • Decommissioned
  • Pending
  • Approved
  • Unmanaged

The other question is why can I receive logs from  a Decommissioned device.

 

FortiSIEM 

EL MOUSTAPHA MOHAMED LEMINE TAHER
EL MOUSTAPHA MOHAMED LEMINE TAHER
2580
0 Kudos
6 REPLIES 6
premchanderr
Staff
Staff

Created on ‎08-03-2023 10:41 PM

Hi @Taher11 ,

 

The status device in CMDB can be : pending, approved and unmanaged. Here is how it works:
1) If a managed device is newly discovered but the device license is exceeded, the device will be entered in the CMDB but as an Unmanaged device.
The unmanaged device will not be monitored in FortiSIEM
2) The approved device --> allow the incident firing on the device. If this option is enabled in General Settings.
3) If the incident reporting device is not approved and in Pending, the incident does not trigger.

General Settings > Discovery > Generic you can Enable a option Allow Incident Firing on "Approved Devices only" or all devices(Pending and Approved).

Approved and Pending devices would be counted in your license and all the logging, parsing and storing would work normally.

You can change status of device in CMDB > Action > Change Status . Choose any of the option in dropdown.

If a device is sending logs continuously and you want to stop it then need to configure the device filter and only decommissioning wouldn't help : 

https://help.fortinet.com/fsiem/7-0-1/Online-Help/HTML5_Help/Discovery_Settings.htm#Setting2

 

Regards,
Prem Chander R
2559
Taher11
New Contributor III
In response to premchanderr

Created on ‎08-04-2023 02:51 AM

Thank you 

EL MOUSTAPHA MOHAMED LEMINE TAHER
EL MOUSTAPHA MOHAMED LEMINE TAHER
2551
0 Kudos
Secusaurus
Contributor II
In response to premchanderr

Created on ‎01-04-2024 06:58 AM Edited on ‎01-04-2024 07:03 AM

Hello everyone,

 

We just saw, that on our FortiSIEM v7.1.1, some Incidents were triggered from a device that was on Pending.

Is the above information still correct? Or should I file a bug to the TAC?

 

EDIT: Or does the option only apply for all devices that were discovered *after* setting the option under Discovery -> Generic

Or is it set individually for each organization and defaults to "all devices"?

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
FCP & FCSS Security Operations | Fortinet Advanced Partner
2246
kcanalichio
New Contributor III

Created on ‎01-04-2024 07:20 AM

for as long as I have been using fortisiem, pending devices have always triggered incidents, but I haven't updated to 7.1.1. yet, so maybe its a new feature.

2239
simonai
New Contributor III
In response to kcanalichio

Created on ‎01-04-2024 08:46 AM

Hi

 

I observed as well that the logs from Devices that are "pending" are being accepted (on 6.7 until at least 7.0). I assume that the rules do not care at all if the source device of the log is pending or accepted to trigger, so I'm almost certain that incidents are created anyways.

 

Regards

2232
Secusaurus
Contributor II
In response to simonai

Created on ‎01-04-2024 10:30 PM Edited on ‎01-04-2024 10:31 PM

Thanks for your feedback. I investigated that with our team and I just expected a different default behavior.

 

To wrap up the topic "pending":

  • Default state for all orgs is "Pending" also generates incidents
  • Default state for all orgs is that new devices (sending logs or discovered) are set to "Pending"
  • You must set this option per org (setting in in "super/global" will not change it in an org) --> General Settings > Discovery > Generic

(btw, "Pending" will also consume a device license)

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
FCP & FCSS Security Operations | Fortinet Advanced Partner
2218
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.