FortiSIEM Discussions
labsession101
New Contributor

FortiSIEM - behavior when log source (CMDB device ip change)

Hi Team,

Our team is undergoing a refresh, and a new IP addressing scheme is being implemented.
We tried changing the IP address of a firewall onboarded in FortiSIEM, but the SIEM is still detecting the old IP address.

We are thinking that a new entry for the new IP should be added in the CMDB.

Question: How should FortiSIEM respond to an IP address change of an onboarded device, for example a firewall that is sending syslogs to the SIEM (i.e. changing the IP from 172.x.x.x to 192.x.x.x)?

1 REPLY
PartBhat
Staff

FortiSIEM merges CMDB Devices by IP only. We have found that IP is a reliable indicator for identifying if two devices are identical. There are some exceptions - e.g. Windows and Linux Agents that are merged by Host Name since the laptops may get new IP because of DHCP or VPN Logon.

In your case, the solution is to manually change the CMDB Device IP, or (a) delete the device from the CMDB and (b) rediscover or send logs again.
