Devices status
Hello everyone,
I would like to know exactly what the difference is between those different device statuses shown on the CMDB:
- Decommissioned
- Pending
- Approved
- Unmanaged
The other question is why I can still receive logs from a Decommissioned device.
Hi @Taher11 ,
The device status in CMDB can be: Pending, Approved or Unmanaged. Here is how it works:
1) If a managed device is newly discovered but the device license is exceeded, the device will be entered in the CMDB, but as an Unmanaged device.
The unmanaged device will not be monitored in FortiSIEM.
2) Approved device --> allows incident firing on the device, if this option is enabled in General Settings.
3) If the incident reporting device is not approved and is in Pending, the incident does not trigger.
In General Settings > Discovery > Generic you can enable the option Allow Incident Firing on "Approved Devices only" or on all devices (Pending and Approved).
Approved and Pending devices are counted in your license, and all the logging, parsing and storing works normally.
You can change the status of a device in CMDB > Action > Change Status. Choose any of the options in the dropdown.
If a device is sending logs continuously and you want to stop it, you need to configure the device filter; decommissioning alone won't help:
https://help.fortinet.com/fsiem/7-0-1/Online-Help/HTML5_Help/Discovery_Settings.htm#Setting2
Prem Chander R
Thank you
Created on ‎01-04-2024 06:58 AM Edited on ‎01-04-2024 07:03 AM
Hello everyone,
We just saw, that on our FortiSIEM v7.1.1, some Incidents were triggered from a device that was on Pending.
Is the above information still correct? Or should I file a bug to the TAC?
EDIT: Or does the option only apply for all devices that were discovered *after* setting the option under Discovery -> Generic
Or is it set individually for each organization and defaults to "all devices"?
Best,
Christian
For as long as I have been using FortiSIEM, pending devices have always triggered incidents, but I haven't updated to 7.1.1 yet, so maybe it's a new feature.
Hi
I observed as well that the logs from devices that are "Pending" are being accepted (on 6.7 until at least 7.0). I assume that the rules do not care at all whether the source device of the log is Pending or Approved in order to trigger, so I'm almost certain that incidents are created anyway.
Regards
Created on ‎01-04-2024 10:30 PM Edited on ‎01-04-2024 10:31 PM
Thanks for your feedback. I investigated that with our team and I just expected a different default behavior.
To wrap up the topic "pending":
- Default for all orgs is that "Pending" also generates incidents
- Default for all orgs is that new devices (sending logs or discovered) are set to "Pending"
- You must set this option per org (setting it in "super/global" will not change it in an org) --> General Settings > Discovery > Generic
(btw, "Pending" will also consume a device license)
Best,
Christian
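To make the two behaviours described in this thread concrete (Prem's description of the Approved/Pending/Unmanaged statuses and the incident-firing option, and Christian's point that the option is per org and defaults to all devices), here is an added Python example. It is not part of the thread and not FortiSIEM code: it models the per-org setting lookup and audits a batch of incidents for ones fired by Pending, Unmanaged or Decommissioned reporting devices, which is the check you would run after changing the option. The device records, incidents, setting values, function names and the treatment of Decommissioned devices are constructed assumptions for illustration; FortiSIEM's real API and data fields are not used.

```python
"""Audit FortiSIEM-style incidents against CMDB device status.

Added example, not FortiSIEM's code. Everything below (records, field names,
setting values) is constructed to illustrate the thread; it does not call any
FortiSIEM API.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Device statuses as shown in the CMDB (from the thread).
APPROVED = "Approved"
PENDING = "Pending"
UNMANAGED = "Unmanaged"          # entered when the device license is exceeded; not monitored
DECOMMISSIONED = "Decommissioned"

# Values of General Settings > Discovery > Generic > Allow Incident Firing on.
FIRE_ALL = "all"                 # Pending and Approved (the default per the thread)
FIRE_APPROVED_ONLY = "approved_only"
DEFAULT_FIRING_MODE = FIRE_ALL


@dataclass(frozen=True)
class CmdbDevice:
    ip: str
    org: str
    status: str


@dataclass(frozen=True)
class Incident:
    incident_id: int
    org: str
    reporting_ip: str
    rule: str


def incident_firing_mode(org: str, org_settings: Dict[str, str]) -> str:
    """The option is per org: a value stored only under 'super' does not apply
    to other orgs, and an org with no value of its own keeps the default."""
    return org_settings.get(org, DEFAULT_FIRING_MODE)


def counts_toward_license(status: str) -> bool:
    """Approved and Pending devices consume a device license; Unmanaged does not."""
    return status in (APPROVED, PENDING)


def licensed_device_count(devices: List[CmdbDevice]) -> Dict[str, int]:
    """Licensed devices per org."""
    counts: Dict[str, int] = {}
    for d in devices:
        counts.setdefault(d.org, 0)
        if counts_toward_license(d.status):
            counts[d.org] += 1
    return counts


def expected_to_fire(status: str, mode: str) -> bool:
    """Should a rule fire for a reporting device in this status under this mode?
    Unmanaged devices are not monitored. Treating Decommissioned (and devices
    missing from the CMDB) as not expected is an assumption for the audit."""
    if status == APPROVED:
        return True
    if status == PENDING:
        return mode == FIRE_ALL
    return False


def audit_incidents(incidents: List[Incident], devices: List[CmdbDevice],
                    org_settings: Dict[str, str]) -> List[Tuple[int, str, str, bool]]:
    """Return (incident_id, reporting device status, org mode, unexpected) per incident."""
    by_key: Dict[Tuple[str, str], CmdbDevice] = {(d.org, d.ip): d for d in devices}
    report = []
    for inc in incidents:
        mode = incident_firing_mode(inc.org, org_settings)
        dev: Optional[CmdbDevice] = by_key.get((inc.org, inc.reporting_ip))
        status = dev.status if dev else "NotInCMDB"
        report.append((inc.incident_id, status, mode, not expected_to_fire(status, mode)))
    return report


# Constructed sample data. 'super' is set to approved-only, but org Acme has no
# setting of its own, so Acme keeps the default (all devices), as in the thread.
SAMPLE_SETTINGS = {"super": FIRE_APPROVED_ONLY, "Globex": FIRE_APPROVED_ONLY}
SAMPLE_DEVICES = [
    CmdbDevice("10.0.0.1", "Acme", APPROVED),
    CmdbDevice("10.0.0.2", "Acme", PENDING),
    CmdbDevice("10.0.0.3", "Acme", UNMANAGED),
    CmdbDevice("10.1.0.1", "Globex", APPROVED),
    CmdbDevice("10.1.0.2", "Globex", PENDING),
    CmdbDevice("10.1.0.3", "Globex", DECOMMISSIONED),
]
SAMPLE_INCIDENTS = [
    Incident(1, "Acme", "10.0.0.2", "Excessive Failed Logons"),   # Pending, mode all: expected
    Incident(2, "Acme", "10.0.0.3", "Port Scan Detected"),        # Unmanaged: unexpected
    Incident(3, "Globex", "10.1.0.2", "Excessive Failed Logons"), # Pending, approved-only: unexpected
    Incident(4, "Globex", "10.1.0.1", "Port Scan Detected"),      # Approved: expected
    Incident(5, "Globex", "10.1.0.3", "Port Scan Detected"),      # Decommissioned: unexpected
]

if __name__ == "__main__":
    for row in audit_incidents(SAMPLE_INCIDENTS, SAMPLE_DEVICES, SAMPLE_SETTINGS):
        print(row)
    print(licensed_device_count(SAMPLE_DEVICES))
```

Incident 1 is the case Christian ran into: the super/global value does not reach the org, so a Pending device under an org that was never configured still fires. The license count shows the other point from the thread, that Pending devices consume a license while Unmanaged ones do not.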
