FortiSIEM Missed Data
The devices are discovered (SNMP & SSH), but I found a problem in the CMDB of each device. Here is a list and I hope you have a guideline.
- No Device Configuration data
- Old version only of Device Configuration data
- No installed software data
- No Hardware data
- No SNMP traps from FortiADC
Labels: FortiSIEM
Created on 05-27-2022 01:18 AM
Hello @EEHC ,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Fortinet Community Team
Hi @EEHC ,
The issue is specific to your system and would need deeper analysis of the Fortisiem logs.
You can open a ticket with Fortinet support for any assistance.
However, to get all these metrics, verify that the device integration is done as suggested in the External Systems Configuration Guide; there, the metrics and supported protocols are given for the information to be gathered.
Related Link:
https://docs.fortinet.com/document/fortisiem/6.5.0/external-systems-configuration-guide/780675/forti...
Prem Chander R
I already did this, but I expected that maybe someone has an idea. I use the Fortinet Forum for two reasons: to share the knowledge I get with others, and to get knowledge from the posts of others.
Created on 05-28-2022 06:19 AM Edited on 05-28-2022 06:20 AM
"Related Link:
https://docs.fortinet.com/document/fortisiem/6.5.0/external-systems-configuration-guide/780675/forti..."
This guide is the key to understanding the integration between FortiSIEM and other systems, then knowing which data we expect to get. This solves several problems.
I had a nice time. Here is what I got.
Syslog is the only supported method of FortiADC integration with FortiSIEM as per the external system configuration guide. So, pulling configuration information using SNMP for FortiADC devices may not be possible currently.
When I test credentials, I get SSH failed (Host key verification failed), but discovery is successful. I had to log in to the FortiSIEM Supervisor over SSH and follow the steps in the KB article "Technical Note: [Accelops KB] How to reset SSH key" to clear the SSH key cache.
It helped so much and solved several problems.
I found the name for the FortiGate was "_gateway". When I changed the name to FortiGate, the configuration data in FortiSIEM disappeared. I realized that there is a relation between the name and the configuration. I rediscovered other IP addresses and found the name is displayed joined with the domain name. I edited the name by adding the domain name, and the configuration for both IP addresses was updated.
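The "Host key verification failed" situation above, as an added example that is not from the thread or from the Fortinet KB article it cites: a small Python check of an OpenSSH known_hosts cache. What a practitioner wants to know before resetting the SSH key cache is whether the cached key merely went stale (device reinstalled, HA failover to a peer that presents its own key) or whether it differs from the key the device currently presents, because clearing the cache blindly also discards the only protection against a man-in-the-middle on the management path. The IPs, host names, salt and key blob below are constructed samples; the "expected" fingerprint would in practice be read from the device console or its own key display, not derived in the script as it is here for the sake of a self-contained run.

```python
"""Check a cached SSH host key before clearing it (added example, not Fortinet code).

Parses OpenSSH known_hosts text (plain and HashKnownHosts-style hashed entries),
reports the SHA256 fingerprint cached for a host, and classifies it against a
fingerprint obtained out of band. All hosts and keys are constructed samples.
"""
import base64
import hashlib
import hmac

# Constructed sample key: a syntactically valid ssh-ed25519 public key blob
# (length-prefixed type string + 32 key bytes). Not a real device key.
_SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KEY_B64 = base64.b64encode(_SAMPLE_BLOB).decode("ascii")


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def hashed_host_field(hostname: str, salt: bytes) -> str:
    """Host field as written by HashKnownHosts: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode("ascii"),
                         base64.b64encode(mac).decode("ascii"))


def host_field_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated or hashed) names hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|", 3)
        recomputed = hashed_host_field(hostname, base64.b64decode(salt_b64))
        return hmac.compare_digest(recomputed, field)
    return hostname in field.split(",")


def parse_known_hosts(text: str):
    """Yield (host_field, key_type, key_b64) for each non-comment entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):      # @cert-authority / @revoked markers
            parts = parts[1:]
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2]


def cached_fingerprints(text: str, hostname: str):
    """All (key_type, fingerprint) pairs cached for hostname."""
    return [(ktype, fingerprint(kb64))
            for field, ktype, kb64 in parse_known_hosts(text)
            if host_field_matches(field, hostname)]


def check_cached_key(text: str, hostname: str, expected_fp: str) -> str:
    """Classify the cache state for hostname against an out-of-band fingerprint.

    "absent"   - nothing cached: first contact, confirm the fingerprint on connect
    "match"    - cached key is the device's current key: the SSH failure is elsewhere
    "mismatch" - cached key differs: a reinstalled/replaced device or an interception;
                 do not clear the cache until the change is explained
    """
    cached = cached_fingerprints(text, hostname)
    if not cached:
        return "absent"
    if any(fp == expected_fp for _, fp in cached):
        return "match"
    return "mismatch"


# Constructed sample cache: a plain entry for a management IP and a hashed
# entry for a hostname (20-byte salt, as OpenSSH uses for SHA-1).
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# known_hosts on the discovery host, constructed for this example",
    "192.0.2.10 ssh-ed25519 " + SAMPLE_KEY_B64,
    hashed_host_field("fortiadc.example.net", b"0123456789abcdefghij")
    + " ssh-ed25519 " + SAMPLE_KEY_B64,
])


if __name__ == "__main__":
    device_fp = fingerprint(SAMPLE_KEY_B64)   # in practice: read off the device console
    for host in ("192.0.2.10", "fortiadc.example.net", "192.0.2.99"):
        print(host, check_cached_key(SAMPLE_KNOWN_HOSTS, host, device_fp))
```

Run it against the real cache by reading the known_hosts file of the account under which FortiSIEM performs SSH discovery and passing the fingerprint the device shows on its console; only a "mismatch" that is explained by a known rebuild or HA key change justifies removing the entry, and a "match" means the credential-test failure has a different cause than a stale key.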
Hi @EEHC ,
Glad to know the issue has been resolved and the knowledge base has been useful.
Thanks for sharing your knowledge with other members as well :)
The hostname for a device can be picked up from discovery or DNS, and it can also be defined in /etc/hosts. Editing this file or fixing the name in DNS can resolve the issue as well.
Prem Chander R
"/etc/hosts": you opened a door for me to a new area.
"host.conf" is also new for me.
Thanks
You gave me an idea to solve a problem I have. I have a FortiWeb cluster managed through the MGMT interface. When they change the active one, I get two FortiWeb devices in the FortiSIEM CMDB with the same IP. I plan to add a host entry in the file so they are treated as one.
Another thing I am trying to work through: I am trying to get FortiADC managed by SNMP from FortiSIEM. I did an SNMP walk from FortiSIEM against the FortiADC. In Admin > Device Support > SNMP SysObjectId, I added my FortiADC.
I have a security audit and as-built document preparation. These will delay me now.