FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
yujames
Staff
Staff
Article Id 194596
Description
Requirements:
  • The FortiSIEM instance you wish to convert to PAYG licensing must be running in Service Provider mode.
  • You must have an active FSM MSSP PAYG subscription.
  • If you are an existing FortiSIEM customer and migrating from Perpetual or Subscription license, in order to associate FortiSIEM with a new license key, you should contact Customer Services through the support portal and request that the license  is unregistered from your existing FortiSIEM license.
System Impact:
  • FortiSIEM specific processes (phProcesses) will restart on the supervisor.
  • Existing rule correlations in memory will be lost.

Scope
Releases below 6.1.

Solution
Replacing the existing License

1)  Download your new license from https://support.fortinet.com

2)  Before installing the license, please verify that you have the right license installed. The system will not function if you have an incorrect license. Verify the license:
  • Upload the license via SSH to the supervisor and run the command phLicenseRead
  • Note: Using the phLicenseRead tool, you will not be able to identify the License type.
  • Note: If the license is incorrect, contact Fortinet support to get the right license. Do not install partial license.

3)  Log in to your FSM instance using admin credentials

4)  Go to Admin -> License and click the Upload button

5)  Click on Browse, select the license you downloaded from https://support.fortinet.com

6)  Add your admin credentials and click Upload 


Your phProcesses will restart, the system will not reboot.

Wait a few seconds and you can log in again.

You can verify if the processes are up by connecting via SSH to the Supervisor and executing the 'phstatus' command.


Installing the Billing Script (FortiSIEM 5.x)

Summary

The FortiSIEM Consumption Model (FSM-PAYG) allows you to build and grow your SIEM services on a per device basis. For the licensing to work properly, your distributor requires a monthly device count report. This reporting tool automates reporting and is required for the FortiSIEM Consumption Licensing.

Please contact your local Fortinet sales representative if you have questions.

Prerequisites

Before running this script, please ensure you have the following:
  • Root account information. This script runs in the root account of your FortiSIEM SupervisorInstance and requires the ability to read the local Database.
  • An SSH client and a method to upload files to the FortiSIEM instance. If you require a method for upload, we suggest using WinSCP or Filezilla with your SSH credentials.
  • SMTP server information and authentication settings. The setup will require you to enter an accessible SMTP server to send the inventory email. The system supports either the standard SMTP (25) or TLS (587) ports.

Installation

Your Fortinet Sales Representative will be able to provide the script

Upload the installation zip file to your FSM supervisor. Once the file is placed on the server, SSH to the system, run the ‘sudo su‘ command to ensure the scripts runs as root, unzip the file, run the setup, and follow the
sudo su
–unzip fsm_payg_reporting_install-v2_x.zip
cd fsm_payg_reporting_install
./install/setup

Settings Options

1)  If you have installed an earlier version of the script, the setup will ask if you wish to reinstall over the existing. Selecting yes will allow you to preserve your previous settings.

2)  Supply the Distributor email that you have been provided. This should be from your Distributor or Fortinet Sales representative.

3)  If you select N for distribution, the system will ask for an email to send the test and reports.

4)  Enter the company name, this name will appear on the reports.

5)  The partner ID is a unique identifier field. It may be used to identify the specific instance or the distributor may ask that a specific ID be entered to ensure the account is identified correctly. If you do not have an ID provided by your distributor, you can leave this blank.

6)  The system will ask if you have a current license on the system where the consumption solution is installing. If you do, you must input the number of licenses and the expiration of the license.

7)  The system requires an SMTP email system that FortiSIEM can access in order to relay messages. The SMTP setting should be entered along with any additional email names the partner wishes to get the report.

NOTE: When setting the SMTP server, be sure to include the port for TLS if not using standard SMTP. The format for TLS would be as follows: smtp.mymailserver.com:587

8)  What is your environment for this install? All environments should be installed as production [PROD] unless specified by the Fortinet Sales representative for testing or troubleshooting.

9)  At the end of the script, all the setting will be shown. If the settings are correct, select ‘yes’ and the script will run, and the test emails will be sent. If you select ‘no’ you may simply rerun the script and change the appropriate settings. 

Results of Installation

The installation will install to ~/fsm-payg/.This installation will send you and your distribution two emails. One is to confirm the script is installed and your email is working. Then the second email confirms the report itself can connect to the DB and run as expected.

Setup Complete Email

The Setup Complete Email will indicate the Supervisor hostname and user used during the setup. This email is indicated by the SETUP_COMPLETE status. It shows that communication is functioning properly and the report is expected to run on the first of the next month.

Test Report Email

The Test Report Email is a pre-run of the real monthly report. It indicates it is not the official monthly report by the TEST_REPORT status.

Monthly Report Email

The monthly report will have an “OK” status. This is what will occur each month if the report runs as expected.

Contributors