Solution
Prerequisites:
- From FortiSIEM:
An agent user account must exist before the agent can register. For Enterprise deployments, go to CMDB -> Users -> FortiSIEM Users -> New, enter a User Name, check the System Admin box, check the Agent Admin box, enter and confirm a Password, and Save.
![Agent_user_Enter.png Agent_user_Enter.png](/t5/image/serverpage/image-id/54512i5C679458D4DD5909/image-dimensions/653x87/is-moderation-mode/true?v=v2)
- For Service Provider deployments, go to Global View -> Admin -> Setup -> Organization, select the Organization, click Edit, and in the Agent User section enter a username, enter and confirm a Password, and Save.
![User_Agent_Org.png User_Agent_Org.png](/t5/image/serverpage/image-id/54511iD42ED15C9C1FF551/image-dimensions/649x145/is-moderation-mode/true?v=v2)
Note the Organization Name and Organization ID; both are required for agent registration.
![ORGID_NAME.PNG ORGID_NAME.PNG](/t5/image/serverpage/image-id/54510iB1B5A417F28821A9/image-size/large/is-moderation-mode/true?v=v2&px=999)
- From the Windows host: test the connection to the Supervisor on port 443 with the following PowerShell command:
Test-NetConnection <Super_IP> -port 443
![TestConnection.PNG TestConnection.PNG](/t5/image/serverpage/image-id/54513iA8284B049ADE05FA/image-size/large/is-moderation-mode/true?v=v2&px=999)
The result should show TcpTestSucceeded = True. If it shows TcpTestSucceeded = False, check the port 443 connection between the host and the Supervisor before going any further.
- .NET Framework version. Check that the .NET Framework on the Windows host is up to date with the following command; the version must be 4.6.2 or higher.
reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /s
![NetFramework.PNG NetFramework.PNG](/t5/image/serverpage/image-id/54514i6C2E7AFE7ADA649E/image-size/large/is-moderation-mode/true?v=v2&px=999)
- TLS 1.2. Check that TLS 1.2 is enabled for the client on the host with the following command:
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
![TLS.PNG TLS.PNG](/t5/image/serverpage/image-id/54515iED8B7A1F20C8B272/image-size/large/is-moderation-mode/true?v=v2&px=999)
If TLS 1.2 is not enabled, run the following command in PowerShell (the /f switch overwrites an existing value without prompting):
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
- Installation: right-click the FSMLogAgent.exe file and run it, choose the License Type, and enter the registration information.
![AgentRegistration.PNG AgentRegistration.PNG](/t5/image/serverpage/image-id/54517iF84F8C6850B88812/image-dimensions/434x325/is-moderation-mode/true?v=v2)
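The three host-side prerequisite checks above (port 443 reachability, .NET Framework 4.6.2 or higher, TLS 1.2 client enabled) can be run together as one PowerShell script before launching the installer. This is an added example, not part of the original article or of the FortiSIEM agent; it takes the Supervisor IP or FQDN as the $Super parameter, and the .NET Release value 394802 is Microsoft's documented minimum for 4.6.2.

```powershell
# Added example (not from the article): pre-flight checks for FortiSIEM Windows
# agent registration. $Super is the Supervisor IP or FQDN (assumption: supplied by caller).
param(
    [Parameter(Mandatory = $true)][string]$Super
)

$ok = $true

# 1. TCP reachability of the Supervisor on 443 (the registration endpoint is HTTPS).
$tnc = Test-NetConnection -ComputerName $Super -Port 443 -WarningAction SilentlyContinue
if ($tnc.TcpTestSucceeded) {
    Write-Host "[OK]   Port 443 to $Super is reachable"
} else {
    Write-Host "[FAIL] Port 443 to $Super is not reachable; check firewall, NAT and routing"
    $ok = $false
}

# 2. .NET Framework 4.6.2 or higher. The Release DWORD under NDP\v4\Full is what
#    Microsoft documents for version detection; 394802 is the minimum for 4.6.2.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if ($ndp -and $ndp.Release -ge 394802) {
    Write-Host "[OK]   .NET Framework $($ndp.Version) (Release $($ndp.Release))"
} else {
    Write-Host "[FAIL] .NET Framework 4.6.2 or higher is required"
    $ok = $false
}

# 3. TLS 1.2 client in SCHANNEL. If the key is absent the OS default applies;
#    an explicit DisabledByDefault=1 or Enabled=0 stops the agent negotiating TLS 1.2.
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
if ($tls -and (($tls.DisabledByDefault -eq 1) -or ($tls.Enabled -eq 0))) {
    Write-Host "[FAIL] TLS 1.2 client is explicitly disabled under $tlsKey"
    $ok = $false
} else {
    Write-Host "[OK]   TLS 1.2 client is not disabled"
}

if (-not $ok) { exit 1 }
Write-Host 'All prerequisites satisfied; run FSMLogAgent.exe'
```

Save it as a .ps1 and run it as `.\preflight.ps1 -Super <Super_IP>`; a non-zero exit code means at least one prerequisite failed and the message above it says which.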
Troubleshooting
There are three common reasons for registration to fail:
- Package requirements are not installed in the host, or the OS version is not supported.
- Registration information is incorrect. This includes the Supervisor IP/FQDN, username, password, Org Name, and Org ID.
- Connection issues: network configuration or communication on port 443, NAT, SSL inspection, external firewall rules blocking the traffic, certificate configuration, and similar.
- Review the agent Trace log file on the Windows host to identify the HTTP status codes returned during registration.
Location: C:\ProgramData\FortiSIEM\Logs\Trace.log
![Error_Codes.PNG Error_Codes.PNG](/t5/image/serverpage/image-id/54518i2BEE163044CDB65A/image-dimensions/649x64/is-moderation-mode/true?v=v2)
401 and 403 errors indicate an authentication issue. Review the registration information (Org Name, Org ID, agent username, and password); if necessary, create a new Windows agent user account.
- Manual URL check:
Using a web browser on the Windows host, open https://<ip of super>/phoenix/rest/register/winAgent.
Note:
A username and password prompt is expected. Do not enter any credentials here; they will not be accepted. This check only verifies that the URL is reachable.
![URL_test.png URL_test.png](/t5/image/serverpage/image-id/54519i397AE95782611E10/image-dimensions/613x254/is-moderation-mode/true?v=v2)
- Check the Supervisor's SSL access log to confirm that the host connected. SSH to the Supervisor and run:
cat /var/log/httpd/ssl_access_log
![ssl_access_code2.PNG ssl_access_code2.PNG](/t5/image/serverpage/image-id/54521iF47D621D3FD59D0D/image-dimensions/779x138/is-moderation-mode/true?v=v2)
Review the HTTP status code of the registration request.
- Leave the following tail command running on the Supervisor and run the agent installation on the host:
tail -f /opt/glas*/dom*/dom*/logs/phoenix.log
For example:
![Tail_registration.PNG Tail_registration.PNG](/t5/image/serverpage/image-id/54522i5517DF9A32F7DBB5/image-dimensions/745x112/is-moderation-mode/true?v=v2)
![Tail_registration2.PNG Tail_registration2.PNG](/t5/image/serverpage/image-id/54524iCEC1562DE1E31CE8/image-dimensions/751x138/is-moderation-mode/true?v=v2)
The registration entries in phoenix.log provide more detail about the registration attempt.
- Check whether Trusted Hosts are configured under ADMIN -> Settings -> Trusted Hosts.
If Trusted Hosts are configured, add the workstation IP address to that list.
For example: 10.0.100.10/32
![trusted hosts - 2.png trusted hosts - 2.png](/t5/image/serverpage/image-id/66429i4EBC2F0ADE9887CF/image-dimensions/896x327/is-moderation-mode/true?v=v2)
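The manual URL check in the troubleshooting steps above can also be done from PowerShell on the Windows host, again without sending any credentials. This is an added example, not part of the original article; $Super is assumed to be the Supervisor IP or FQDN, and the path is the one the article gives. A 401 challenge proves the host reached the Supervisor over TLS, while a thrown error with no HTTP response points at the certificate, SSL inspection or the port 443 path.

```powershell
# Added example (not from the article): call the agent registration URL without
# credentials and classify the outcome. $Super is the Supervisor IP or FQDN (assumption).
param(
    [Parameter(Mandatory = $true)][string]$Super
)

$url = "https://$Super/phoenix/rest/register/winAgent"

try {
    # No -Credential on purpose: the article says not to submit credentials here.
    Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15 | Out-Null
    # The endpoint should challenge for authentication, so a 2xx is suspicious.
    $verdict = "Unexpected success without credentials; verify that $Super is the Supervisor"
} catch {
    $resp = $_.Exception.Response
    if ($resp) {
        # Windows PowerShell 5.1 returns an HttpWebResponse, PowerShell 7 an
        # HttpResponseMessage; casting StatusCode to [int] works for both.
        $code = [int]$resp.StatusCode
        $verdict = switch ($code) {
            401 { 'Reachable: 401 challenge received. TLS and routing work; a failing registration is a credential, Org Name or Org ID problem' }
            403 { 'Reachable: 403 returned. Treat as an authentication issue and review the registration information' }
            404 { 'Reachable but the path is not found; check the URL and that this address is the Supervisor' }
            default { "Reachable: HTTP $code; compare with /var/log/httpd/ssl_access_log on the Supervisor" }
        }
    } else {
        # No HTTP reply at all: TLS handshake or certificate failure, SSL inspection,
        # or port 443 blocked. The exception message names the cause.
        $verdict = "No HTTP response from ${url}: $($_.Exception.Message)"
    }
}

Write-Host $verdict
```

Run it as `.\urlcheck.ps1 -Super <Super_IP>`; on Windows PowerShell 5.1 an untrusted Supervisor certificate surfaces here as a "could not establish trust relationship" message, which is the certificate-configuration case listed under connection issues.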