FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
flunaibarra
Staff
Article Id 293860
Description

This article describes the prerequisites and troubleshooting steps for registering a Windows Agent with a Supervisor.
Before going through this article, review the documents linked below to verify that the Windows Agent package matches the version of the FortiSIEM Supervisor it will register with.

Windows Agent Installation Guide:

FortiSIEM Windows Agent 7.2.x

 

FortiSIEM Compatibility Matrix:
FortiSIEM Version Compatibility for Rocky Linux Based Releases

Scope

Windows Agent v4.4.x, v5.x, v7.0.x - v7.3.x, Supervisor and Collector v6.x, v7.0.x - v7.3.x.

Solution

Prerequisites:

 

From FortiSIEM:

 

An agent user account should have been created for agent registration:

 

  • For Enterprise, Go to CMDB -> Users -> FortiSIEM Users -> New -> enter a User Name, checkmark the System Admin box, checkmark the Agent Admin box, add a Password, confirm the Password, and Save.

 

Agent_user_Enter.png

 

  • For the Service Provider, go to Global View -> Admin -> Setup -> Organization -> Select the Organization -> Edit -> In the Agent User section, enter a username, enter a Password, confirm the Password, and Save.

 

User_Agent_Org.png

 

Note:

To change the agent user password for an organization: switch to Organization View, select the organization, then go to CMDB -> Users -> FortiSIEM Users, select the agent user -> Edit -> FortiSIEM Attributes -> FortiSIEM Role: Edit -> Change Password.

  

ORGID_NAME.PNG

 

Note the organization name and ID for the agent registration.

 

Installation:

  • From a Windows Host: Test the connection on port 443 to Supervisor and Collector node with the following commands from Powershell:

Test-NetConnection <FortiSIEM_Supervisor_IP> -port 443
Test-NetConnection <FortiSIEM_Collector_IP> -port 443

 

For instance:


TestConnection.PNG


The result should show TcpTestSucceeded = True.


If the result is TcpTestSucceeded = False, check the port 443 path between the Windows host and the FortiSIEM Supervisor and Collector nodes (routing, NAT, and firewall rules). Note that this test only proves the TCP handshake completes; it says nothing about TLS, SSL inspection, or certificate problems, which show up later in the agent trace log.

 

  • .NET Framework version: Check that the .NET Framework installed on the Windows host is 4.6.2 or higher with the following command. The Version value under the Full key shows the installed 4.x version.


reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /s


NetFramework.PNG

 

  • TLS v1.2: Ensure that the TLS 1.2 client protocol is enabled on the host with the following command:

reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"


TLS.PNG
If TLS 1.2 is not enabled, run the following command from an elevated PowerShell or Command Prompt (the /f switch overwrites an existing value without prompting):

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f

 

Note: It is also possible to check whether TLS 1.2 is enabled with the Windows Registry Editor (Control Panel > Windows Tools > Registry Editor, or run regedit). In the Registry Editor, navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client. The right pane should show a DWORD value named DisabledByDefault with data 0x00000000 (0). If the key also contains an Enabled value set to 0, the protocol is disabled regardless of DisabledByDefault and Enabled must be set to 1. If the key does not exist at all, the operating system default applies, which is TLS 1.2 enabled on Windows 8.1 / Server 2012 R2 and later.
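The three checks above (TCP reachability on 443, .NET Framework version, TLS 1.2 client state) collected into one PowerShell preflight script. This is an added example, not part of the Fortinet article or of the FortiSIEM product; the Supervisor and Collector addresses and the -FixTls switch are placeholders and assumptions. Run it from an elevated PowerShell session on the Windows host before launching FSMLogAgent.exe.

```powershell
# Added example (not from the Fortinet article): one preflight script that runs the
# three checks above in sequence. The node addresses below are placeholders.
param(
    [string]$SupervisorIp = '192.0.2.10',   # assumption: replace with the real Supervisor IP/FQDN
    [string]$CollectorIp  = '192.0.2.20',   # assumption: replace with the real Collector IP/FQDN
    [switch]$FixTls                         # assumption: opt-in remediation, writes to HKLM
)

$results = @()

# 1. TCP reachability on 443. TcpTestSucceeded only proves the TCP handshake;
#    it says nothing about TLS, SSL inspection, or certificates.
foreach ($node in @($SupervisorIp, $CollectorIp)) {
    $tnc = Test-NetConnection -ComputerName $node -Port 443 -WarningAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "TCP 443 to $node"
        Pass   = [bool]$tnc.TcpTestSucceeded
        Detail = "RemoteAddress=$($tnc.RemoteAddress)"
    }
}

# 2. .NET Framework 4.x: the Release DWORD under NDP\v4\Full identifies the build.
#    394802 is the lowest Release value that corresponds to .NET Framework 4.6.2.
$ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$release = if ($ndp) { [int]$ndp.Release } else { 0 }
$ndpDetail = if ($ndp) { "Version=$($ndp.Version) Release=$release" } else { 'NDP\v4\Full key not found' }
$results += [pscustomobject]@{
    Check  = '.NET Framework >= 4.6.2'
    Pass   = ($release -ge 394802)
    Detail = $ndpDetail
}

# 3. Schannel TLS 1.2 client state. A missing key means the OS default applies
#    (TLS 1.2 is on by default from Windows 8.1 / Server 2012 R2; older releases need
#    the key). The protocol is off if Enabled=0, or if DisabledByDefault=1 for
#    applications that do not explicitly request TLS 1.2.
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
if (-not $tls) {
    $tlsPass   = $true
    $tlsDetail = 'key absent, OS default applies'
} else {
    $enabled   = if ($null -ne $tls.Enabled)           { [int]$tls.Enabled }           else { 1 }
    $disabled  = if ($null -ne $tls.DisabledByDefault) { [int]$tls.DisabledByDefault } else { 0 }
    $tlsPass   = ($enabled -ne 0) -and ($disabled -eq 0)
    $tlsDetail = "Enabled=$enabled DisabledByDefault=$disabled"
}
$results += [pscustomobject]@{ Check = 'TLS 1.2 client enabled'; Pass = $tlsPass; Detail = $tlsDetail }

$results | Format-Table -AutoSize

# Remediation for check 3, only when -FixTls is given: the same DisabledByDefault=0 the
# article sets, plus Enabled=1 so the result does not depend on the OS default.
if (-not $tlsPass -and $FixTls) {
    New-Item -Path $tlsKey -Force | Out-Null
    New-ItemProperty -Path $tlsKey -Name DisabledByDefault -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $tlsKey -Name Enabled           -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'TLS 1.2 client values written; re-run the script to confirm.'
}
```

The script reports rather than changes anything unless -FixTls is passed; a failed TCP check is a network or firewall problem to fix outside the host, and a failed .NET check means installing a newer framework before retrying the agent installer.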

 

  • Installation: Right-click the FSMLogAgent.exe file, choose the license type, and enter the registration information (Supervisor IP/FQDN, Organization Name and ID, agent username and password).


AgentRegistration.PNG

 

Troubleshooting:

There are 4 main reasons for the registration to fail:

  1. The package or software requirements are not installed on the host, or the OS version is not supported.
  2. Registration information is incorrect. This includes the Supervisor IP/FQDN, username, password, Org Name, and Org ID.
  3. Connection issues, including network configuration/communication on port 443, NAT, SSL inspection, external firewall rules blocking the traffic, and certificate configuration.
  4. TLS 1.2 is not properly enabled in the Windows Registry.
  • Review the Agent Trace log file on the Windows host to identify the HTTP status codes returned by the Supervisor.
    Location: C:\ProgramData\FortiSIEM\Logs\Trace.log.

Error_Codes.PNG


401 and 403 errors indicate an authentication or authorization issue: review the registration information (Org Name, Org ID, agent username, and password) and confirm the agent user has the Agent Admin role. If necessary, create a new Windows agent user account.

405 (Method Not Allowed) is another possible error code. It indicates that the FortiSIEM node understood the request but does not allow the HTTP method used for the requested resource. This is most likely a misconfiguration, for example when the agent is installed with the Collector IP address instead of the Supervisor IP address without the required proxy settings applied.

 

  • Manual URL Check: Using a web browser on the Windows host, open https://<ip of super>/phoenix/rest/register/winAgent.

 

Note:

A username and password prompt is expected. Do not enter any credentials here; the browser login will not succeed. This only verifies that the registration URL is reachable from the host.

 

URL_test.png
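The two troubleshooting steps above, reading status codes out of Trace.log and probing the registration URL, scripted in PowerShell. This is an added example, not part of the Fortinet article or of FortiSIEM; the Supervisor address is a placeholder, the sample log lines are constructed (the article does not show the exact Trace.log line format, so the regex accepts the two common shapes), and the cause text simply restates what the article says about 401, 403 and 405.

```powershell
# Added example (not from the Fortinet article). Part 1 scans Trace.log for HTTP status
# codes and maps the ones the article explains to their likely cause; part 2 probes the
# registration URL the way the browser check does, expecting a 401 without credentials.
param(
    [string]$TraceLog     = 'C:\ProgramData\FortiSIEM\Logs\Trace.log',
    [string]$SupervisorIp = '192.0.2.10'   # assumption: replace with the real Supervisor IP/FQDN
)

# The exact Trace.log format is not documented in the article, so accept both
# "HTTP/1.1 401" and "status code: 401" / "status=401" shapes (assumption).
$statusRegex = '(?:HTTP/\d\.\d\s+|status(?:\s*code)?\s*[:=]\s*)(\d{3})'

$causes = @{
    200 = 'Registration accepted'
    401 = 'Authentication failed: check agent username/password, Org Name and Org ID'
    403 = 'Forbidden: check the agent user has the Agent Admin role and Org Name/ID match'
    405 = 'Method Not Allowed: agent likely pointed at the Collector instead of the Supervisor (proxy settings missing)'
}

function Get-RegistrationStatus {
    param([string[]]$Lines)
    $Lines | ForEach-Object {
        if ($_ -match $statusRegex) {
            $code = [int]$Matches[1]
            $hint = if ($causes.ContainsKey($code)) { $causes[$code] } else { 'See ssl_access_log / phoenix.log on the Supervisor' }
            [pscustomobject]@{ Code = $code; Hint = $hint; Line = $_.Trim() }
        }
    }
}

# Constructed sample lines (not real FortiSIEM output) so the function can be exercised offline.
$sample = @(
    '2024-01-01 10:00:01 INFO  Registering with https://192.0.2.10/phoenix/rest/register/winAgent',
    '2024-01-01 10:00:02 ERROR Registration failed, HTTP/1.1 401 Unauthorized',
    '2024-01-01 10:05:17 ERROR Registration failed, status code: 405'
)
Write-Host '--- Constructed sample lines ---'
Get-RegistrationStatus -Lines $sample | Format-Table -AutoSize

if (Test-Path $TraceLog) {
    Write-Host "--- Last 500 lines of $TraceLog ---"
    Get-RegistrationStatus -Lines (Get-Content -Path $TraceLog -Tail 500) | Format-Table -AutoSize
}

# Part 2: the URL check from the article, scripted. Without credentials the Supervisor
# should answer 401 (the browser shows this as a username/password prompt). A TLS or
# certificate failure surfaces here as a non-HTTP error, which Test-NetConnection cannot see.
function Test-RegisterUrl {
    param([string]$Super)
    $url = "https://$Super/phoenix/rest/register/winAgent"
    try {
        Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15 | Out-Null
        return "$url answered 2xx without credentials: unexpected, check the Supervisor"
    } catch {
        $resp = $_.Exception.Response
        if ($resp) {
            $code = [int]$resp.StatusCode
            if ($code -eq 401) { return "$url reachable, 401 as expected" }
            return "$url answered HTTP $code : $($causes[$code])"
        }
        return "$url not reachable at HTTP level: $($_.Exception.Message)"
    }
}
Test-RegisterUrl -Super $SupervisorIp
```

If Test-RegisterUrl reports a non-HTTP failure while the port 443 test succeeds, the problem is in the TLS layer (SSL inspection, an untrusted certificate, or TLS 1.2 disabled on the host) rather than in routing.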

 

  • Check the Supervisor's SSL access log to confirm that the host's requests reached the Supervisor. SSH to the Supervisor and run:

 

cat /var/log/httpd/ssl_access_log

 

ssl_access_code2.PNG

 

Review the HTTP status code in the entries for /phoenix/rest/register/winAgent coming from the Windows host's IP address:

 

  • Leave the tail command running on the Supervisor and run the agent installation on the host:

 

tail -f /opt/glas*/dom*/dom*/logs/phoenix.log 

 

For example:


Tail_registration.PNG

 Tail_registration2.PNG

 

The registration log entries provide more detail about why the registration succeeded or failed.


Check whether Trusted Hosts are configured: ADMIN -> Settings -> Trusted Hosts.

 
trusted hosts - 1.png

If Trusted Hosts are configured, add the Windows host's IP address to that list.


For example: 10.0.100.10/32

 

trusted hosts - 2.png