Help
FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
flunaibarra
Staff
Staff

Created on ‎11-05-2024 05:55 AM Edited on ‎08-22-2025 08:16 AM By Moderator

Article Id 340617

Troubleshooting Tip: Domain admin user OMI FortiSIEM integration

Description

This article describes the troubleshooting steps for OMI Windows Server domain admin user integration with FortiSIEM.

Before going through this article, review the document link below to verify Supported OS versions, What is Discovered and Monitored, Recommendations, Data Collection Comparison, and full configuration steps:

Microsoft Windows Server via OMI/SNMP/WMI
Scope FortiSIEM v6.3.3 and higher., Windows Server 2012, 2012 R, 2016, 2019, 2022.
Solution

For OMI integration, FortiSIEM requests access to the Windows host using the user credentials.

If this fails, the issue can be relayed in the network configuration, user permissions, or credentials information.

 

  1. The following ports must be open for the OMI communication/connection from the Windows host to FortiSIEM: TCP/135, UDP/137, TCP/5985-5986.

  2. The credentials test may fail with the following errors:

failed (Win32_OperatingSystem results not found via OMI)
failed (no response to ping)

 

  • Confirm the connection from FortiSIEM to the host is successful using network tools such as ping, tcpdump, etc.
  • Make sure the user can log in to the host that will be monitored.
  • Make sure the /Domain Admins are part of the local Administrators' Group in (Domain Controller).
  • Or add the user to the local Administrators' Group (Client Host).

 

  1. Test with an omic command from the Supervisor or Collector (depending on where OMI discovery will be):

    /opt/phoenix/bin/omic -s /opt/phoenix/config/smb.conf -U DOMAIN/USER%PASSWORD //<HOST_IP> 'SELECT * FROM Win32_OperatingSystem'

    Omic successful reply:

    omic.png

  2. Review the OMI permission configured in the host along with the External Configuration Guide, and make sure:

  • Distributed COM and Performance Monitor Users Groups are added to the COM security configuration.
  • The user account privileges are enabled in the WMI control.
  • WMI and WinRM are enabled through the firewall.
  • WinRM is running - Restart the WMI service.

  1. Review the credentials definition and make sure to enter the correct information:

Example:

 

credentials.PNG

 

  • Review and verify that the NetBIOS/Domain is correct.
  • Review and verify that the username is correct.
  • Review and verify that the password is correctly entered or change it (for testing purposes).

 

Run the following command in the Supervisor or Collector (depending on where OMI discovery will be) to get more information when testing the Credentials or running the Discover process:

 

tail -f /opt/phoenix/log/phoenix.log | grep -i Discover

 

Notes: In an OMI integration, FortiSIEM is the client, and the Windows host is the server: therefore, if the server rejects the authorization, it is an issue with the server and not with the client.

 

If FortiSIEM is set up in FIPS mode, the OMI-based communication between FortiSIEM and Windows servers will not work. This is because the current OMI code uses NTLM authentication via RC4 encryption, which is not FIPS compliant. 
1196
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.