FortiSIEM What’s New In 4.6.1

What’s New in Release 4.6.1

This release adds features and functionality in several areas.

Platform Features

Two factor authentication

Salesforce ticketing and CMDB integration

Ability to decommission a device from CMDB

Ability to export/import widget dashboard

Dark theme dashboard

Disaster recovery scripts

Performance and Availability Monitoring

Microsoft Azure compute discovery

Link usage dashboard

Log Management and SIEM

CyberArk Password Vault Integration

Salesforce CRM Audit support

Microsoft Azure Audit support

Cisco CloudAMP API support

ISO 27001 Compliance support

Device Support

New Support

Significant Enhancements

Allow users to move devices from one system defined CMDB group to another

Handle syslog over TCP

Reduce system CPU usage for SNMP V3

Keep Identity and Location database table size within limits

Allow scheduled reports to be copied to a new location

Allow queries via API to return results in csv format (gzipped)

Add a flag to control the use of winexe in discovery

Allow user to format Comment field in ServiceNow and ConnectWise for Incident Outbound

Ability to choose host name resolution mechanism during discovery

Create CMDB Report for Custom Threshold

Allow user to choose SNMP port during discovery

Bug Fixes / Enhancements

Current Open Bugs/Enhancements

Platform Features

Two factor authentication

Presently the following 1-factor authentication methods are available for authenticating AccelOps GUI users:

Local authentication

External authentication via LDAP (Microsoft Active Directory and OpenLDAP), via RADIUS and Cloud Authentication via SAML (Okta)

This release makes AccelOps more secure by enabling 2-factor authentication via Duo Security. The administrator tightens a user’s authentication profile by specifying two factor authentication; AccelOps then prompts the user for the second factor credential after the regular login. Other 2-factor authentication services, e.g. Google Authenticator, will be added in future releases.

Details on how to set up two factor authentication are described here.

Salesforce ticketing and CMDB integration

This release extends third party CMDB and ticketing integration by providing a plugin module for Salesforce.

Devices discovered in AccelOps can be synced to Salesforce

A ticket can be created in Salesforce when an incident triggers in AccelOps

Ticket status is updated in AccelOps when it is closed in Salesforce

Details on Salesforce ticketing and CMDB integration are discussed here.

Ability to decommission a device from CMDB

Often there is a need to decommission a device and assign its IP address to a new device. Currently, the user has to delete the old device, otherwise the old and the new devices will be merged because they share an IP address. However, there may be a need to keep the old device in CMDB for audit purposes.

This release solves this problem by providing a separate folder for decommissioned devices. Once a device is decommissioned, it is removed from all CMDB groups and maintenance calendars, performance monitoring for it is stopped, and the device is moved to the Decommissioned device folder. A new device with the same IP address can now be discovered and the two devices will coexist in CMDB.

For details, see here.

Ability to export/import widget dashboard

This release provides the ability to export a widget dashboard definition into an XML file. Every dashboard customization, e.g. chart types and widget positioning, is saved. Another user can then import the XML file and see exactly the same dashboard. This feature saves a lot of work in recreating dashboards.

For details, see here.

Dark theme dashboard

This release allows users to have a dark theme dashboard. Currently this is a global setting – so all users would have the same theme.

For details, see here.

Disaster recovery scripts

A common way to perform disaster recovery is as follows:

Set up a separate AccelOps cluster (Super, Workers) in a distant location – this would be a passive instance

Replicate the CMDB, SVN and event database

CMDB can be replicated by copying the exported file or by enabling PostgreSQL replication

SVN and event database can be copied over via rsync or NFS mechanisms

This release provides a script which can bring up the passive instance and make it active. When disaster strikes, the user would do the following steps:

  1. Run the script on the passive instance supervisor node.
  2. Register the passive Supervisor.

Performance and Availability Monitoring

Microsoft Azure compute discovery

This release enables users to discover virtual machines in the Microsoft Azure cloud using the Azure API. The API provides only basic information such as host name and access IP address. Therefore, SNMP and/or WMI must be used to discover the virtual machines in depth.

For details, see here.

Link usage dashboard

For perimeter network devices such as firewalls and routers, it is important to know which interfaces are busy and which traffic is consuming the most resources. This special dashboard provides this view and enables users to determine which router interfaces are over-utilized, which applications are using them, and what the QoS statistics are.

For details, see here.

Log Management and SIEM

CyberArk Password Vault Integration

AccelOps needs credentials to communicate with devices. Until this release, credentials had to be stored locally (encrypted). This release allows device credentials to be fetched from CyberArk Password Vault instead, so they no longer need to reside on the AccelOps nodes. This makes AccelOps more secure.

Setting up CyberArk is discussed here.

Using CyberArk for discovery is discussed here.

Configuring AccelOps for receiving CyberArk syslog is discussed here.

Salesforce CRM Audit support

Audit logs from the Salesforce CRM application can now be collected by AccelOps. For details, see here.

Microsoft Azure Audit support

Audit trails from the Microsoft Azure cloud can now be collected by AccelOps. For details, see here.

Cisco CloudAMP API support

Rather than having a FireSIGHT Manager on premises, customers can choose to send alerts to the cloud. Using the Cisco-provided CloudAMP API, AccelOps is now able to collect (mostly endpoint) alerts from the Cisco cloud.

For details, see here.

ISO 27001 Compliance support

This release adds reports for ISO 27001/27002 compliance specifications.

Device Support

New Support
  1. Cisco ONS – discovery, performance monitoring via SNMP and log analysis – see here
  2. Cylance Protect – log analysis – see here
  3. Pulse Secure VPN – log analysis – see here
  4. Cyphort – log analysis – see here
  5. McAfee Stonesoft IPS – log analysis – see here

Significant Enhancements

Allow users to move devices from one system defined CMDB group to another

Users could already move devices from one user defined group to another. This release extends that functionality to system defined groups. Using this feature, users can fix device mis-classifications made by discovery.

Handle syslog over TCP

AccelOps can now ingest syslog over TCP as defined in IETF RFC 6587.
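RFC 6587 defines two ways to delimit syslog messages on a TCP stream: octet-counting (each message is prefixed by its decimal length and a space) and non-transparent framing (messages separated by a trailer, in practice LF). The decoder below is an added example, not FortiSIEM/AccelOps code, showing how a receiver tells the two apart and why it must cap the announced length and carry an incomplete frame over to the next read; the sample stream, the MAX_MSG_LEN cap and the helper names are this example's own assumptions.

```python
"""Decoder for the two TCP framing modes defined in RFC 6587 (added example).

Octet-counting (section 3.4.1): "<MSG-LEN> <SYSLOG-MSG>", e.g.
b"27 <34>Oct 11 22:14:15 host ab".
Non-transparent framing (section 3.4.2): messages separated by a trailer,
in practice LF (optionally CRLF).

A syslog message itself starts with "<PRI>", so a frame that begins with
digits followed by a space can only be an octet-count prefix; that is how
the two modes are distinguished here.
"""
import re

_OCTET_COUNT_RE = re.compile(rb"(\d{1,6}) ")

# Assumption for this example: cap the announced length so a peer that
# declares a huge frame cannot make the receiver buffer without bound.
MAX_MSG_LEN = 65535


def decode_frames(buf: bytes):
    """Split a TCP byte buffer into complete syslog messages.

    Returns (messages, remainder). The remainder is an incomplete trailing
    frame that the caller keeps and prepends to the next chunk read from the
    socket, so no bytes are emitted twice or dropped.
    """
    messages = []
    pos = 0
    while pos < len(buf):
        m = _OCTET_COUNT_RE.match(buf, pos)
        if m:
            length = int(m.group(1))
            if length > MAX_MSG_LEN:
                raise ValueError(f"announced frame length {length} exceeds {MAX_MSG_LEN}")
            start, end = m.end(), m.end() + length
            if end > len(buf):
                break  # frame not complete yet; wait for more bytes
            messages.append(buf[start:end])
            pos = end
        else:
            nl = buf.find(b"\n", pos)
            if nl == -1:
                break  # trailer not received yet; wait for more bytes
            messages.append(buf[pos:nl].rstrip(b"\r"))
            pos = nl + 1
    return messages, buf[pos:]


def feed(state: bytes, chunk: bytes):
    """Stream helper: state is the remainder returned by the previous call."""
    return decode_frames(state + chunk)


# Constructed sample stream mixing both framing modes, ending in a partial frame.
SAMPLE_STREAM = (
    b"27 <34>Oct 11 22:14:15 host ab"        # octet-counted
    b"<13>Oct 11 22:14:16 host hello\r\n"    # non-transparent, CRLF trailer
    b"13 <13>Oct 11 ok"                       # octet-counted
    b"25 <34>partial"                         # truncated: becomes the remainder
)

if __name__ == "__main__":
    msgs, rest = decode_frames(SAMPLE_STREAM)
    for msg in msgs:
        print(msg)
    print("remainder:", rest)
```

The remainder handling is the part receivers most often get wrong: a sender that announces a length and then stalls should tie up only that connection's buffer, which is why the example both carries the partial frame forward and rejects lengths above its cap rather than waiting for them.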

Reduce system CPU usage for SNMP V3

In earlier releases, the use of SNMP V3 caused significant system CPU usage during performance monitoring. This issue is resolved by reducing the number of process forks.

Keep Identity and Location database table size within limits

Identity and location entries can quickly fill up the PostgreSQL database. This release allows you to control the growth of Identity and location entries by specifying two entries in phoenix_config.txt.

PURGE_IDENTITY_LOCATION_OVER_MONTHS specifies the maximum age of Identity location database table entries. PURGE_IDENTITY_LOCATION_OVER_ROWS specifies the maximum number of rows in the Identity location database table.

When either of the above limits is hit, the Identity location database table is purged.

Allow scheduled reports to be copied to a new location

Earlier releases allowed scheduled reports to be emailed. Now the reports can also be copied to a remote location via SSH.

For details, see here.

Allow queries via API to return results in csv format (gzipped)

It is possible to retrieve query results via the API. The results are in XML format, which is not very efficient when the result set is large. This release allows query results to be retrieved as gzipped CSV files instead.

Add a flag to control the use of winexe in discovery

AccelOps discovery uses winexe to detect Hyper-V VMs, run Windows domain controller diagnostics (dcdiag) and monitor replication (repadmin /replsummary). The winexe command runs a command on a remote Windows server. However, by the nature of this command’s implementation by Microsoft, winexe starts a service called winexesvc on the remote server, which customers do not find acceptable.

This release provides users with an option to turn off winexe-based discovery. This option is available in the discovery dialog.
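Because the objection above is that winexe leaves a winexesvc service behind on the target, the matching defender-side check is to watch for that service being installed. The snippet below is an added example, not FortiSIEM/AccelOps code: it scans Windows service-installation events (System log event 7045, "a service was installed") for a service named winexesvc or a binary path containing that name. The key=value line format, the host names and the field names are constructed for this example and do not reflect any real log format.

```python
"""Detection: flag installation of the winexesvc service on Windows hosts (added example).

Windows System log event 7045 (Service Control Manager) records that a new
service was installed. The key=value line format used below is constructed
for this example and is not FortiSIEM/AccelOps output.
"""
import re
from dataclasses import dataclass

SERVICE_INSTALL_EVENT_ID = 7045
SUSPECT_SERVICE = "winexesvc"

# key=value pairs; a value may be quoted to contain spaces
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    host: str
    service_name: str
    image_path: str


def parse_kv(line: str) -> dict:
    """Parse one constructed key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def detect_winexesvc(lines):
    """Return one Finding per service-install event whose name or binary is winexesvc.

    Matching is case-insensitive on both the service name and the image path,
    so a renamed service that still points at winexesvc.exe is also caught.
    Lines with a missing or malformed eventId are skipped.
    """
    findings = []
    for line in lines:
        ev = parse_kv(line)
        try:
            if int(ev.get("eventId", -1)) != SERVICE_INSTALL_EVENT_ID:
                continue
        except ValueError:
            continue  # malformed eventId field, ignore the line
        name = ev.get("serviceName", "")
        image = ev.get("imagePath", "")
        if name.lower() == SUSPECT_SERVICE or SUSPECT_SERVICE in image.lower():
            findings.append(Finding(ev.get("host", "unknown"), name, image))
    return findings


# Constructed sample events: two installs of winexesvc, one benign service
# install, one unrelated logon event, and two malformed lines.
SAMPLE_LINES = [
    'host=srv01 eventId=7045 serviceName=winexesvc imagePath="C:\\Windows\\winexesvc.exe" account=LocalSystem',
    'host=srv01 eventId=7045 serviceName=Spooler imagePath="C:\\Windows\\System32\\spoolsv.exe" account=LocalSystem',
    'host=srv02 eventId=4624 user=alice logonType=3',
    'host=srv03 eventId=7045 serviceName=WINEXESVC imagePath=winexesvc.exe account=LocalSystem',
    'host=srv04 eventId=abc serviceName=winexesvc',
    'this line is not key=value at all',
]

if __name__ == "__main__":
    for f in detect_winexesvc(SAMPLE_LINES):
        print(f"{f.host}: service {f.service_name!r} installed from {f.image_path!r}")
```

How to read a hit depends on the flag described above: with winexe-based discovery left on, these events are expected on discovered Windows hosts during discovery and monitoring windows and should be correlated with the discovery schedule; with the option turned off, any winexesvc installation is unexpected and worth investigating.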

Allow user to format Comment field in ServiceNow and ConnectWise for Incident Outbound

External ticketing systems do not have as many detailed incident attributes as AccelOps. This release enables users to create a custom formatted string for the comment field in the external ticketing system.

For details, see here.

Ability to choose host name resolution mechanism during discovery

AccelOps discovers devices by IP address and previously used DNS first and then SNMP/WMI to obtain host names for those IP addresses. This release allows users to control this behavior.

A discovery option now allows users to choose between DNS first (the current behavior) and SNMP/WMI first (SNMP/WMI, then DNS).

Note – host names, once discovered, are not overwritten by subsequent discovery.

Create CMDB Report for Custom Threshold

It is now possible to have a CMDB Report containing only those devices for which the user has modified the default thresholds.

Allow user to choose SNMP port during discovery

AccelOps can now connect to SNMP on a non-standard port. The user can define the port during discovery. This option is available in the discovery dialog.

Bug Fixes / Enhancements

Id | Severity | Component | Description
15147 | Major | System | Upgrade loses user defined parsers for user defined device types
15473 | Normal | App Server | Sync Update Config warning not clearing in System Error window
8393 | Normal | | Credentials can be seen in plain text when running ps on the CLI during discovery and performance monitoring
15221 | Normal | System | Backend C++ modules need to handle XML with empty attributes and not crash
15482 | Enhancement | App Server | Add Device Annotation in CMDB Report and Device Integration Inbound
15500 | Normal | Performance Monitor | Interface performance monitoring job may consume large memory when there are a large number of interfaces
15975 | Normal | Performance Monitor | WMI based log collection executable crashes when handling large messages containing “:”
15816 | Normal | Performance Monitor | HyperV Performance monitor job may consume a large amount of memory over time
15771 | Enhancement | System | Swap sizes on all nodes must be set to memory size to avoid performance issues
15316 | Normal | App Server | Excessive number of expired scheduled device maintenance entries causes performance issues. They are now deleted automatically.
15751 | Normal | App Server | Cloning/creating rules does not place them under the correct Function group (e.g. Security) unless the system (or numerous processes) is restarted
14478 | Normal | System | In some cases, the system is not able to restore the archived data or delete the restored data
15449 | Normal | System | Prevent large PostgreSQL log files in /cmdb/data/pg_log/ from filling the /cmdb disk
15969 | Normal | Database | Baseline profile schema upgrade error causes excessive logging and failed baselines in some cases
15403 | Enhancement | GUI | RBAC: Report Server Sync button – disallow in “Run” mode, allow in Edit mode
15468 | Normal | Performance Monitor | Java vulnerability pulling agents can randomly fail because of an incorrect way of checking for potentially non-existent parameters in the vulnerability scan reports
15309 | Enhancement | Database, App Server | Add Reporting Device Name to an incident. Show this field in the Incident dashboard. Make sure the Incident XML has this field.
15875 | Normal | App Server | Incident ID grew over time and resulted in an overflow, causing incident report export to fail
15499 | Normal | GUI | Add “Device Type” in Incident XML for Incident Outbound Integration
16002 | Normal | Parser | Event rate in PH_SYSTEM_DEVAPP_EVENTS_PER_SEC is extremely high
15489 | Normal | Parser | PH_DEV_MON_HW_TEMP of HP Comware switch misses hardware components
15197 | Normal | System | EMC VNX connectivity test stops working after upgrade
16080 | Normal | System | Need to add Kafka configuration for VA after upgrading to 4.5
15466 | Normal | Parser | WinOSWmiParser not parsing event IDs 4800 and 4801 correctly
15988 | Normal | Data | SNMP Service Unavailable incident cannot be triggered

Current Open Bugs/Enhancements

Id | Severity | Component | Description
8867 | Normal | Rule Engine | LAST and FIRST operators in rules do not work (may crash Rule Worker module)
11036 | Normal | Rule Engine | Rule Worker module may abort when a PctChange Expression is used
14242 | Normal | Query Engine | RBAC data conditions not enforced for SP organizations when logging in via the super org and moving to another org
15022 | Normal | Parser Engine | Parser module may stall/pause if host name resolution is slow
11112 | Normal | Rule Engine | COUNT DISTINCT operations consume large resources for rules utilizing Anomaly Detection
14478 | Normal | GUI | Sometimes the GUI pops up a warning (Large amount of data stored over the boundaries) when users restore the archived data or delete the restored data
15109 | Normal | Performance Monitoring | Failed Custom JDBC job shows in performance page after Discovery
15247 | Normal | Parser | AIX Parser cannot parse events correctly
15253 | Normal | Parser | Reporting device name is parsed wrong in LinuxInotifyParser (affects Linux file integrity monitoring via AccelOps agent)
14929 | Normal | Performance Monitoring | Maintenance calendar issue – Maintenance for a device does not start at the configured time if there is a long running disabled job of another device
15068 | Normal | Application Server | Dashboard Search Filtering does not work for Clariion LUNs under Summary Tab
15231 | Normal | Application Server | Generating PDF Reports over 100 Pages will drop Page Footer
15233 | Minor | Application Server | “Validation Status” column in Admin->Event DB->Event Integrity does not allow sorting
15300 | Minor | GUI | For Report Server, if you sync -> unsync -> sync in rapid succession, then the last sync may not take effect
9261 | Enhancement | Application Server | Charts in exported reports (PDF format) only contain stacked charts – not line charts

This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
