FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduce alert fatigue, context switching, and the mean time to respond to incidents.
Amit1
Article Id 220052

1. All use of cryptography in the Solution is compliant with CSE guidance described in ITSP.40.111.

Explanation:  

1. FortiSOAR does not use any custom cryptography algorithms.  

2. The list of allowed algorithms for both HTTPS and TCP communication is customizable. 

3. The underlying OpenSSL is FIPS compliant. 

4. Apart from the FortiSOAR appliance, installation is also supported on an organization's own hardened and compliant OS through the FortiSOAR script-based installation. 

 

2. All data transmission across a network between components provided for the solution is encrypted. 

Explanation:  

All 3 forms of network communication are encrypted: 

1. REST based API responses 

2. TCP communication from tenant/agent nodes to FortiSOAR Secure Message Exchange for a distributed deployment 

3. Data replication between nodes of a cluster for a clustered deployment 

 

3. All data transmission across a network between client software (including web browser) and the Solution is encrypted. 

Explanation:  

Yes. As mentioned in the previous FAQ item, this communication is encrypted. 

4. The Solution ensures the following criteria are met before establishing internal network connections between the components of the provided Solution: 

  • Encryption is activated 
  • Component will only connect over specific port(s) 
  • Certificates are in place and valid 

Explanation:  

Yes, these validations are in place in the product. All settings including encryption algorithms, port numbers, and certificates are customizable. 
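The three criteria above (encryption activated, connection only over specific ports, certificates in place and valid) can also be verified from the operator's side. The following is an added example, not FortiSOAR product code: a small Python client check built on the standard ssl module. The allowed port set, the expiry margin and the certificate date strings are assumptions made for the example; the live check_endpoint() function performs a real handshake against a host you name.

```python
"""Client-side verification of the connection criteria: TLS on, fixed port,
certificate valid. Added example; not part of FortiSOAR."""
import ssl
import socket
from datetime import datetime, timezone

# Assumption for the example: HTTPS plus the Secure Message Exchange port.
ALLOWED_PORTS = {443, 5671}
MIN_DAYS_LEFT = 14          # warn when a certificate is this close to expiry


def build_client_context(ca_file=None):
    """TLS 1.2 or newer only, chain and hostname verification mandatory."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_policy(ctx):
    """Summarise the policy a context enforces, for logging or assertions."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def cert_days_remaining(not_after, now=None):
    """Days left on a certificate, parsing the notAfter string in the
    format ssl.SSLSocket.getpeercert() returns, e.g. 'Jun  1 12:00:00 2025 GMT'."""
    expires = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z")
    expires = expires.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def evaluate(port, not_after, now=None):
    """Return a list of findings; an empty list means the connection meets policy."""
    findings = []
    if port not in ALLOWED_PORTS:
        findings.append(f"port {port} is not in the allowed set {sorted(ALLOWED_PORTS)}")
    days = cert_days_remaining(not_after, now)
    if days < 0:
        findings.append("certificate has expired")
    elif days < MIN_DAYS_LEFT:
        findings.append(f"certificate expires in {days} days")
    return findings


def check_endpoint(host, port, ca_file=None):
    """Live check: the handshake itself fails if encryption is off, the chain
    does not validate or the hostname does not match; the rest is policy."""
    ctx = build_client_context(ca_file)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "findings": evaluate(port, cert["notAfter"]),
            }


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. fortisoar.example.internal 443
    print(check_endpoint(host, port, ca_file=sys.argv[3] if len(sys.argv) > 3 else None))
```

Pass the organization's own CA bundle as the third argument when the appliance uses internal certificates; with the default context, a self-signed or internal certificate correctly fails the handshake instead of being silently accepted.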

5. Changes to user, rule and workflow configuration settings are applied immediately to the system, and without any service interruption for end-users of the Solution. 

Explanation:  

Yes, the configuration is UI driven. Refer to the User Add pages, the Role changes page, and the Workflow Designer sections in the FortiSOAR User Interface. 

 

6. All individual components of the Solution are manageable with centralized management and administration tools, including configuration, monitoring, applying software changes, and backup and recovery of system state configuration. 

Explanation:  

Yes, the configuration is done from the UI or the FortiSOAR CLI. Refer to the Configuration Manager (Export and Import Configuration), the Module Configuration page, and the Global Settings page in the User Interface. 

7. For software configuration settings (does not include software versioning), Solution components deployed by the GC, allow for configuration version control and the ability to revert to a specific configuration set. 

Explanation:  

Yes, configuration settings can be exported through the Configuration Manager wizard and the exported file can be imported back on the same instance or another instance. 

8. The incident management capability of the Solution can tag shared information using Traffic Light Protocol (TLP) to indicate the sensitivity of information. 

Explanation:  

Yes, FortiSOAR supports creation of picklists and assigning a color to each picklist item value. The appropriate TLP categories can then be applied to the data, and the corresponding color coding is shown automatically. 
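A TLP picklist only indicates sensitivity; a playbook step still has to respect the tag before it shares a record outward. The following is an added example, not FortiSOAR code: a Python snippet of the kind a notification playbook could call, which maps each picklist value to its color and decides whether a record may be released to a given audience. The picklist structure shown is an assumption; the labels, colors and sharing boundaries follow the FIRST TLP 2.0 definitions. A record with no or an unknown label is treated as TLP:RED, so a missing tag fails closed.

```python
"""TLP-aware sharing gate for playbook use. Added example; not FortiSOAR code."""

# Assumed shape of an exported picklist; colors are the TLP 2.0 reference values.
TLP_PICKLIST = [
    {"itemValue": "TLP:RED", "color": "#FF2B2B"},
    {"itemValue": "TLP:AMBER+STRICT", "color": "#FFC000"},
    {"itemValue": "TLP:AMBER", "color": "#FFC000"},
    {"itemValue": "TLP:GREEN", "color": "#33FF00"},
    {"itemValue": "TLP:CLEAR", "color": "#FFFFFF"},
]

# Audiences ordered from narrowest to widest.
AUDIENCE_RANK = {
    "participants": 0,   # only those the information was originally shared with
    "organization": 1,
    "clients": 2,
    "community": 3,
    "public": 4,
}

# Widest audience each TLP 2.0 label permits.
MAX_AUDIENCE = {
    "TLP:RED": "participants",
    "TLP:AMBER+STRICT": "organization",
    "TLP:AMBER": "clients",
    "TLP:GREEN": "community",
    "TLP:CLEAR": "public",
}


def color_for(tlp):
    """Color to render for a picklist value, or None if it is not in the picklist."""
    for item in TLP_PICKLIST:
        if item["itemValue"] == tlp:
            return item["color"]
    return None


def can_share(tlp, audience):
    """True if a record labelled `tlp` may be released to `audience`.
    Unknown or missing labels are treated as TLP:RED (fail closed)."""
    if audience not in AUDIENCE_RANK:
        raise ValueError(f"unknown audience: {audience}")
    widest = MAX_AUDIENCE.get(tlp, "participants")
    return AUDIENCE_RANK[audience] <= AUDIENCE_RANK[widest]


def filter_for_audience(records, audience):
    """Keep only the records that may be sent to `audience`; the rest are
    returned separately so the playbook can log what was withheld."""
    allowed, withheld = [], []
    for record in records:
        (allowed if can_share(record.get("tlp"), audience) else withheld).append(record)
    return allowed, withheld


if __name__ == "__main__":
    # Constructed sample records, as a playbook might receive them.
    sample = [
        {"id": 1, "tlp": "TLP:CLEAR", "title": "Phishing domain list"},
        {"id": 2, "tlp": "TLP:AMBER", "title": "Internal host compromise"},
        {"id": 3, "tlp": None, "title": "Untagged note"},
    ]
    ok, held = filter_for_audience(sample, "community")
    print("send:", [r["id"] for r in ok], "withhold:", [r["id"] for r in held])
```

Wiring the gate in front of the outbound connector step (email, ticketing, partner sharing) turns the color coding from a visual hint into an enforced control, and logging the withheld list gives the analyst an audit trail of what was not sent and why.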

 

9. Near real-time alerting.

Explanation:  

Yes, FortiSOAR has a self-monitoring component in place with customizable thresholds. It sends out notifications when the thresholds are reached. The monitoring data is also available via APIs and the CLI for integration with any centralized monitoring solution. For more details, refer to https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d5bfbd4c-394a-11eb-96b9-005056... page 16, chapter 'Configuring System and Cluster Health Monitoring'. 

 

10. The software components of the Solution support external health monitoring tools through an Open API. 

Explanation:  

The FortiSOAR CLI 'csadm ha show-health' and the equivalent API provide all system stats and can be integrated with external monitoring tools: 

 

APIs:  

GET /api/auth/cluster/health/ : Health of all nodes 

GET /api/auth/cluster/health?nodeId=<cluster-node-id>: Health of a specific node 

GET /api/auth/cluster/health?latest=True&section=cpu,disk,ram,swap,all,services: Filter by statistics 

CLI Syntax:  

csadm ha show-health [--json] [--all-nodes]  

Show the current node health.  

If '--all-nodes' is used, show the health of all cluster nodes.  

If '--json' is used, show the health in JSON format. Useful for automation. 
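To integrate the health data with an external monitoring tool, something has to turn the JSON into a status the tool understands. The following is an added example, not FortiSOAR code: a Python check that either reads the output of 'csadm ha show-health --json' from stdin or queries the health API listed above, then compares the figures with thresholds and exits with the conventional monitoring exit codes (0 OK, 1 WARNING, 2 CRITICAL). The response field names (nodeId, usedPercent, services), the threshold values and the bearer-token header are assumptions for the example and should be adapted to the actual output of your FortiSOAR version; the embedded sample is constructed.

```python
"""Health-check adapter for an external monitoring tool. Added example; not FortiSOAR code."""
import json
import sys
import urllib.request

# Constructed sample, modelled on the section names the API accepts
# (cpu, disk, ram, swap, services). The real schema is an assumption.
SAMPLE_HEALTH = json.loads("""
{
  "nodeId": "node-1",
  "cpu":  {"usedPercent": 41.0},
  "ram":  {"usedPercent": 83.5},
  "swap": {"usedPercent": 2.0},
  "disk": {"usedPercent": 91.2},
  "services": {"postgresql": "running", "rabbitmq": "running", "elasticsearch": "stopped"}
}
""")

# Percent-used thresholds; assumptions chosen for the example.
THRESHOLDS = {"cpu": 85.0, "ram": 80.0, "swap": 50.0, "disk": 90.0}

# Standard monitoring exit codes (Nagios-style).
LEVELS = {"OK": 0, "WARNING": 1, "CRITICAL": 2}


def fetch_health(base_url, token, node_id=None, section="cpu,disk,ram,swap,services"):
    """Query the health API listed above for the latest figures of one node or all nodes.
    The bearer-token header is an assumption about how the API is authenticated."""
    url = f"{base_url}/api/auth/cluster/health?latest=True&section={section}"
    if node_id:
        url += f"&nodeId={node_id}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def worse(current, candidate):
    """Keep the more severe of two status levels."""
    return candidate if LEVELS[candidate] > LEVELS[current] else current


def evaluate_health(health, thresholds=THRESHOLDS):
    """Compare one node's health document with the thresholds.
    Missing sections count as WARNING so a silently empty response is noticed;
    any service not running is CRITICAL."""
    status, problems = "OK", []
    for section, limit in thresholds.items():
        used = health.get(section, {}).get("usedPercent")
        if used is None:
            problems.append(f"{section}: no data")
            status = worse(status, "WARNING")
        elif used >= limit:
            problems.append(f"{section}: {used}% used (threshold {limit}%)")
            status = worse(status, "WARNING")
    for name, state in health.get("services", {}).items():
        if state != "running":
            problems.append(f"service {name} is {state}")
            status = worse(status, "CRITICAL")
    return {"node": health.get("nodeId"), "status": status, "problems": problems}


def exit_code(status):
    """Map a status level to the monitoring exit code."""
    return LEVELS[status]


if __name__ == "__main__":
    # Usage: csadm ha show-health --json | python3 health_check.py
    # Falls back to the constructed sample when nothing is piped in.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_HEALTH
    result = evaluate_health(data)
    print(f"{result['status']} node={result['node']} " + "; ".join(result["problems"]))
    sys.exit(exit_code(result["status"]))
```

Because the check reads from stdin, it can be scheduled on the node with the CLI ('--json' output piped in) or run from the monitoring server with fetch_health() against the API; the evaluation logic is the same either way, so thresholds live in one place.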

  

11. The Solution relies on the protocol specified by the external tool, e.g. for the use of GC encrypted email based on Entrust PKI and S/MIME. 

Explanation:  

The Exchange connector does not support this by default, but users can replace it with their own Python-based code snippets in notification playbooks and encrypt the emails before sending. 

 

12. The Solution is designed to leverage a single common data store, without the need to have multiple copies of the same data in different functional components, except where required for performance optimization using a subset (no more than 10%) of data. 

Explanation:  

FortiSOAR's design comprises the following backend services: 

1. CRUD Engine – validates and executes all CRUD requests for incident management data 

2. Workflow Engine – executes workflows and stores workflow execution logs 

3. Integrations Engine – stores connectors/add-ons and is responsible for connector action executions 

4. Audit Engine – audits all activity including record creations, settings changes, etc. 

5. Search Engine – indexes data for faster searches 

6. Notification Engine – sends app notifications to the user interface 

7. Routing Engine – handles communication with agent/tenant nodes 

Each service manages the data for its own area of responsibility, so data is stored efficiently. The primary data is indexed again for faster search, but users who want no duplication of data can turn this indexing off. 

 

13. The Solution's SOAR functional component(s) is scalable in a single instance to: 

  • Work with 10,000 network security devices 
  • Work with an Endpoint Detection and Response (EDR) solution on 600,000 devices 
  • Support 100 tenants 

Explanation:  

In most cases, the solution does not need to integrate directly with endpoint devices such as network security devices; the communication goes via a SIEM, EDR, CMDB, etc. However, the solution can reach outbound to these devices via APIs and multiple other communication methods. The FortiSOAR solution supports both clustered and distributed models for high-scale requirements. 

 

14. The Solution works across both low bandwidth (256 kbps) and high latency networks (800 ms). 

Explanation:  

Yes, the user interface calls REST APIs on the server, and the APIs are optimized to return normalized data. The UI refreshes through app notifications rather than constant polling from the UI, so the bandwidth and latency requirements are modest.  

 

Miscellaneous: 

  1. The Solution does not add any implicit telemetry.  
  2. The Solution can enable automated task assignment based on common incident lifecycles (e.g. The SANS Incident lifecycle: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned).  
  3. The Solution has a customizable knowledgebase with foundations built from information management best practices, to be used by security analysts to aid their job function. This is referred to as the Content Pack in FortiSOAR. 


15. Software components that need to be deployed by the GC should support the ability to be deployed inside a containerized environment. 

Explanation:  

Yes, the product has the required technical ability to be deployed inside a containerized environment. 

16. Ability to operate in dual-stack and IPv6-only networks without loss or impacts to functionality when compared to operating in IPv4-only networks.

Explanation:  

Yes, the product has the required technical ability to operate in IPv6 networks. 

17. Report Export Formats Available

Explanation:  

  • The Solution can export reports in the following formats: 
    • Comma Separated Values (CSV)
    • Hypertext Markup Language (HTML)
    • Portable Document Format (PDF)

