Fortinet Forum
EEHC
Contributor

FortiSIEM Missed Data

The devices are discovered (SNMP & SSH), but I found a problem in the CMDB of each device. Here is a list and I hope you have a guideline.

- No Device Configuration data

- Old version only of Device Configuration data

- No installed software data

- No Hardware data

- No SNMP traps from FortiADC

EEHC
Anonymous
Not applicable

Hello @EEHC,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Fortinet Community Team

premchanderr
Staff

Hi @EEHC,

The issue is specific to your system and would need deeper analysis of the FortiSIEM logs.

You can open a ticket with Fortinet support for any assistance.

However, to get all these metrics, verify that the device integration is done as suggested in the External Systems Configuration Guide; there the metrics and the supported protocol are given for each kind of information to be gathered.


Related Link:
https://docs.fortinet.com/document/fortisiem/6.5.0/external-systems-configuration-guide/780675/forti...

Regards,
Prem Chander R
EEHC

I already did this, but I expected that maybe someone has an idea. I use the Fortinet Forum for two reasons: to share the knowledge I get with others, and to get knowledge from the posts of others.

EEHC
EEHC

"Related Link:
https://docs.fortinet.com/document/fortisiem/6.5.0/external-systems-configuration-guide/780675/forti..."

This guide is the key to understanding the integration between FortiSIEM and other systems, and then knowing which data we expect to get. This solves several problems.

EEHC
EEHC
Contributor

I had a nice time. Here is what I got.

Syslog is the only supported method of FortiADC integration with FortiSIEM as per the External Systems Configuration Guide. So, pulling configuration information using SNMP from FortiADC devices may not be possible currently.

 

When I test credentials I get "SSH failed (Host key verification failed)", but discovery is successful. I had to log in to the FortiSIEM Supervisor over SSH and follow the steps mentioned in the KB article "Technical Note: [Accelops KB] How to reset SSH key" to clear the SSH key cache.

It helped so much and solved several problems.

I found that the name for the FortiGate is "_gateway". When I changed the name to FortiGate, the configuration data in FortiSIEM disappeared. I realized that there is a relation between the name and the configuration. I rediscovered other IP addresses and found that the name is displayed joined to the domain name. I edited the name by adding the domain name, and the configuration for both IP addresses was updated.

EEHC
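The "Host key verification failed" error above is the SSH client refusing a host whose key no longer matches its cached entry. The following is an added example, not part of the original thread and not the steps from the Fortinet KB article: it assumes the Supervisor's SSH client keeps an OpenSSH-format known_hosts file (path, hostnames and keys below are constructed for illustration) and shows how to drop only the stale entry for one host rather than wiping the whole cache. Hashed entries (lines starting with `|1|`) cannot be matched by name and are left alone.

```shell
#!/bin/sh
# Added example (not from the thread or any Fortinet KB): remove a stale
# OpenSSH known_hosts entry for one host whose key changed, then verify
# the result. Assumes an OpenSSH-format known_hosts file; all paths,
# hostnames and key material below are constructed for illustration.

# Print every known_hosts line that does NOT belong to host $2.
# Field 1 of an unhashed line is a comma-separated list of names/IPs;
# entries for a non-default port look like "[host]:port".
drop_host_key() {
    file=$1; host=$2
    awk -v h="$host" '
        /^\|1\|/ { print; next }                 # hashed entry: keep as-is
        /^[[:space:]]*(#|$)/ { print; next }     # comments/blank lines: keep
        {
            n = split($1, names, ",")
            keep = 1
            for (i = 1; i <= n; i++)
                if (names[i] == h || names[i] == "[" h "]:22") keep = 0
            if (keep) print
        }' "$file"
}

# Print how many unhashed entries in $1 still match host $2 (0 = cleared).
count_host_key() {
    awk -v h="$2" '
        BEGIN { c = 0 }
        !/^\|1\|/ && !/^[[:space:]]*(#|$)/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h || names[i] == "[" h "]:22") c++
        }
        END { print c }' "$1"
}

# Demo on a constructed known_hosts file in a temp directory.
demo() {
    d=$(mktemp -d)
    cat > "$d/known_hosts" <<'EOF'
# constructed sample known_hosts
10.0.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOldKeyForTheFortiGateConstructed
fortiadc.example.com,10.0.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKey
|1|c29tZXNhbHQ=|aGFzaGVkaG9zdA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHashedConstructed
EOF
    drop_host_key "$d/known_hosts" 10.0.0.1 > "$d/known_hosts.new" \
        && mv "$d/known_hosts.new" "$d/known_hosts"
    echo "entries left for 10.0.0.1: $(count_host_key "$d/known_hosts" 10.0.0.1)"
    echo "entries left for 10.0.0.2: $(count_host_key "$d/known_hosts" 10.0.0.2)"
    rm -rf "$d"
}

demo
```

The caveat a practitioner should keep in mind: a changed host key is exactly what a man-in-the-middle looks like, so before clearing an entry confirm there is a benign reason for the change (device replacement, firmware reinstall, or an HA pair where each member has its own host key behind a shared management IP), and compare the fingerprint presented on the next connection with one obtained from the device console out-of-band rather than simply accepting it.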
premchanderr

Hi @EEHC,

Glad to know the issue has been resolved and the Knowledge Base has been useful.

Thanks for sharing your knowledge with other members as well :)

The hostname for a device can be picked up from discovery or DNS, and can also be defined in /etc/hosts. Editing this file or fixing the record in DNS can resolve the issue as well.

Regards,
Prem Chander R
EEHC

"/etc/hosts", you opened a door for me to a new area.

"host.conf" is also new for me.

Thanks

EEHC
EEHC

You gave me an idea to solve a problem I have. I have a FortiWeb cluster managed through the MGMT interface. When they change the active one, I get two FortiWeb devices in the FortiSIEM CMDB with the same IP. I plan to add a host in the file so they are one.

Another thing I am trying to go through: I am trying to make FortiADC managed by SNMP from FortiSIEM. I did an SNMP walk from FortiSIEM to the FortiADC. In Admin > Device Support > SNMP SysObjectId, I added my FortiADC.

I have a security audit and as-built document preparation. These will delay me now.

EEHC