FortiSIEM What’s New 4.7.2

What’s new in Release 4.7.2

Device Support

FortiSandbox – discovery, performance monitoring, log analysis and external threat intelligence (see here)

FortiWeb – discovery, performance monitoring and log analysis (see here)

FortiMail – log analysis (see here)

MalwareBytes – log analysis (see here)

Sophos UTM – log analysis (see here)

Bug Fixes

| Bug ID | Severity | Component | Description |
|---|---|---|---|
| 17552 | Major | System | Patch Linux Kernel Local Privilege Escalation Vulnerability (“Dirty COW”) – CVE-2016-5195 |
| 15161 | Major | App Server | FortiSIEM users cannot change their own passwords if they are read-only users or were restricted by RBAC from viewing or making changes to the CMDB users page |
| 17025 | Major | Parser | Cisco ASA parser code introduced in 4.5.1 leaks memory |
| | Major | System | FortiSIEM hangs during upgrade and reboot if there is no internet connectivity. This is because in 4.7.1, OS update was done during upgrade and reboot. This release provides two solutions: (1) OS upgrade via yum update now only happens during upgrade and not during reboot and (2) FortiSIEM goes to repositories set up in AWS Cloudfront AWS edge locations listed here ( depending on where the FortiSIEM node is connecting from. The Cloudfront CDN distribution is created and controlled by FortiSIEM engineering. If the connection to this edge location fails, it connects to origin server ima which is hosted by FortiSIEM engineering in AWS |
| 17466 | Major | Rule Engine | Rule Engine sometimes crashes while evaluating FIRST and LAST aggregation operators |
| 16991 | Normal | Performance | Sometimes Java Agent has too many open files |
| 17290 | Normal | Parser | AIX log Parser incorrectly parses reporting device name |
| 15868 | Normal | Performance | Palo Alto Firewall configuration pulling SSH script not logging out |
| 16969 | Normal | System | FortiSIEM Worker ssl.conf is overwritten during upgrade – e.g. if FortiSIEM Worker is configured to use valid CA certificates, these are overwritten during an upgrade to use self-signed. FortiSIEM Supervisor works correctly. |
| 16984 | Normal | System | Re-registered license not getting updated in Worker and Report Server. |
| 16992 | Normal | Performance | Java agents (e.g. SQL based monitoring) can result in too many open files |
| 16995 | Normal | Rule Engine | While testing rules, Rule Master module may time out if the rule test evaluates to FALSE. RuleMaster never reports the status to the GUI. |
| 17008 | Normal | GUI | White labeling does not work correctly in HTML5 GUI |
| 17058 | Normal | GUI | User can no longer approve multiple CMDB devices at a time. |
| 17068 | Normal | GUI | Ticketing system GUI cannot load tickets if any ticket does not have a due date |
| 17097 | Normal | Performance | FortiGate SSH based commands for Audit do not work when VDOMs are configured |
| 17114 | Normal | App Server | CMDB replication setting in postgresql.conf on both Super and Report Server lost after upgrade |
| 17115 | Normal | System | Prevent event loss during EPS surge by adding another warning period to elastic EPS enforcement |
| 17352 | Normal | GUI | Sometimes the list of users in Assigned To in a ticket created from an incident may not be shown properly |
| 17354 | Normal | Query Engine | Sometimes Incident Query with Incident Reporting IP IN A Device Group does not return a result. |
| 17380 | Normal | Parser | Device type in TrendMicro Deep Security Manager parser is incorrect. |
| 17382 | Normal | Discovery | Cannot connect to a device via Telnet/SSH when user name is empty but password and enable password are set |
| 17387 | Normal | Discovery | Custom device discovery does not work when discovered device type is Generic Unix or Generic Linux. |
| 17409 | Normal | GUI | CMDB > Device > Link usage does not show data for non-FortiGate devices |
| 17483 | Normal | Discovery | SDEE based Test Connectivity to Cisco IPS does not work for Cisco IPS 7.0 and earlier that does not support TLS 1.2 |
| 17076 | Enhancement | Data | Some Cylance Protect syslog cannot be parsed |
| 17092 | Enhancement | Performance | Allow a higher priority queue for Airline log monitoring |
| 17098 | Enhancement | GUI | Remove “Forticare” from default exported Audit report name |
| 17115 | Enhancement | Device Support | Extend IBM Townsend parser |
| 17248 | Enhancement | Device Support | Update FortiGate IPS Event types (Signatures) |
| 17255 | Enhancement | Device Support | Update Forcepoint (previously McAfee Stonesoft) parser |
| 17405 | Enhancement | Device Support | Update F5 ASM parser |
| 17057 | Enhancement | Device Support | Update Nginx parser |
