FortiSIEM What’s New In 4.7.1

What’s new in Release 4.7.1

Features

HTML5 based GUI for Incident

You can log on to the HTML5 version of the Incident page using the link https://<SupervisorIP>/phoenix/html.

For details, see here.

Malware URL threat feed

Previous releases allowed users to import Malware domain, IP, file hashes and Anonymity Networks as external threat intelligence feed. This release extends this functionality to Malware URLs.

For details, see here.

Syslog over TLS

This release enables FortiSIEM to receive encrypted Syslog over TLS.

For details, see here.

Device Audit framework

FortiSIEM discovers devices in depth, collects various performance/availability metrics, parses logs, traps and triggers rules. This release provides users a framework to run an audit on devices based on the collected information. Audit criteria can be based on

OS version

Installed software version

A set of reports representing audit violations

A set of rules triggering incidents representing audit violations

Users can define audit criteria and run a check against devices, either on demand or periodically on a schedule. The results can be displayed in the GUI, exported as PDF from the GUI, or emailed with PDF attachments.

For details, see here.
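As an added illustration of the kind of check the audit framework describes (this is example code, not FortiSIEM's own implementation), a Python audit run over a constructed CMDB-style inventory; the record fields, the criteria and every version number are assumptions. It also shows why version strings must be compared numerically, since a plain string compare would rank "5.10.1" below "5.2.3".

```python
"""Illustrative device-audit check in the spirit of the FortiSIEM 4.7.1
Device Audit framework. Added example, not FortiSIEM code: the record
layout and criteria are assumptions and the inventory is constructed."""
import re


def version_key(v):
    """Split a dotted version into an integer tuple so '5.10' > '5.2'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


# Constructed criteria (hypothetical values): minimum OS version per
# platform and minimum version of a package that must be installed.
CRITERIA = {
    "min_os": {"Cisco IOS": "15.2", "FortiOS": "5.2.3"},
    "required_software": {"OpenSSH": "7.2"},
}

# Constructed CMDB-style inventory records.
INVENTORY = [
    {"name": "core-rtr-1", "vendor_os": "Cisco IOS", "os_version": "15.4",
     "software": {"OpenSSH": "7.4"}},
    {"name": "edge-fw-1", "vendor_os": "FortiOS", "os_version": "5.10.1",
     "software": {"OpenSSH": "7.1"}},
    {"name": "branch-rtr-2", "vendor_os": "Cisco IOS", "os_version": "12.4",
     "software": {}},
]


def audit_device(device, criteria=CRITERIA):
    """Return the list of audit violations for one device (empty if compliant)."""
    violations = []
    min_os = criteria["min_os"].get(device["vendor_os"])
    if min_os and version_key(device["os_version"]) < version_key(min_os):
        violations.append(f"OS {device['os_version']} below minimum {min_os}")
    for pkg, min_ver in criteria["required_software"].items():
        have = device["software"].get(pkg)
        if have is None:
            violations.append(f"{pkg} not installed")
        elif version_key(have) < version_key(min_ver):
            violations.append(f"{pkg} {have} below minimum {min_ver}")
    return violations


def run_audit(inventory=INVENTORY, criteria=CRITERIA):
    """Return {device name: [violations]} for every device that fails the audit."""
    return {d["name"]: v for d in inventory if (v := audit_device(d, criteria))}


if __name__ == "__main__":
    for name, problems in run_audit().items():
        print(name, "->", "; ".join(problems))
```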

Device Support – New

Aruba Switches – discovery (Bug 15800)

Alertlogic IPS – log parsing (Bug 16250)

AWS Elastic Load Balancer – log parsing (Bug 15752)

Device Support – Enhancements

F5 load balancer – detailed performance monitoring

Fortinet FortiOS – more detailed data collection and trap parsing

Aruba Clearpass Manager – more detailed log parsing (Bug 15542)

Checkpoint GAIA – monitor memory using UCD MIBs (Bug 16203)

HP/UX – more detailed syslog parsing (Bug 15565)

InfoBlox – more detailed syslog parsing (Bug 16121, Bug 16191)

Dell Equallogic – more detailed syslog parsing (Bug 15433)

TrendMicro Officescan – more detailed syslog parsing (Bug 16122)

Checkpoint FireWall-1 – parsing fix (Bug 16119)

Microsoft Windows – Added event id 4769 (Bug 16191)

Microsoft Windows – Added event id 6274, 6272 (Bug 12163)

Microsoft Windows – Added event id 5137 (Bug 7429)

Juniper SecureAccess – parser enhancement (Bug 16035)

Palo Alto Firewall – parser enhancements (Bug 16727, 16169)

Fortinet FortiOS  Firewall – parser enhancements (Bug 16554)

Symantec Endpoint Control – parser enhancements (Bug 16210)

F5 ASM – parser enhancements (Bug 16726)

McAfee Stonesoft IPS – parser enhancements (Bug 16729)

Cisco Call Manager – parser enhancements (Bug 16395)

Cisco ACS Parser – parser enhancement (Bug 15550)

Imperva SecureSphere – parser improvements (Bug 16036)

HP Procurve – syslog parsing enhancement (Bug 12072)

Bug Fixes / Enhancements

| Bug ID | Severity | Component | Description |
|---|---|---|---|
| 16779 | Minor | App Server | A user cannot change their own password if the CMDB Tab view is restricted from them |
| 16767 | Minor | System | File rename error on cross-partition operation may lead to event database archive failure |
| 16340 | Minor | Parser | Incorrectly formatted Netflow packets can cause the parser module to crash |
| 16460 | Minor | App Server | Users who do not have permissions for Admin > Discovery cannot launch discovery from CMDB |
| 16009 | Minor | App Server | User-created custom types (device, event, attribute) are created as Origin = System after upgrade |
| 16655 | Minor | App Server | Empty “Time” in Incident Notification Policy can cause the notification policy to not trigger |
| 16067 | Minor | GUI | Cannot add more than 100 devices to a CMDB Device folder |
| 16654 | Minor | GUI | Cannot handle CMDB Reports with filter conditions containing strings with spaces, e.g. Installed Software Name = ‘Attack Definition’ |
| 16764 | Minor | App Server | Incident Notification Policy may sometimes trigger twice for the same incident id |
| 15296 | Enhancement | App Server | Ability to export test connectivity error, discovery error and discovery change delta results as PDF reports |
| 16898 | Minor | App Server | Run script notification may sometimes fail to run |
| 16055 | Minor | Parser | The ‘vulnSolution’ event attribute populated from vulnerability pulling agents such as Qualys and Nessus needs to allow for URLs |
| 16007 | Minor | App Server | An exception may happen during clear incident processing, resulting in the clear incident not getting stored |
| 16867 | Enhancement | Parser | SSH script for Foundry switches fails when the switch is configured to log in to enable mode directly without typing in “enable; username; password” |
| 16870 | Minor | Performance Monitoring | For custom SNMP monitoring, the snmpbulkwalk command does not work for some OIDs while snmpwalk works |
| 15527 | Enhancement | GUI | Allow users to edit the same property for multiple devices in one shot by multi-selecting the devices and entering new values |
| 16382 | Enhancement | App Server | On CMDB Reports, add ‘Processor Name’ attribute to the “Server Hardware: Processor” report |
| 16431 | Enhancement | Parser | System error message “Success ratio too low” is enhanced to report only when a large number of retry attempts have occurred |

Current Open Issues

| Id | Severity | Component | Description |
|---|---|---|---|
| 8867 | Normal | Rule Engine | LAST and FIRST operators in rules do not work (may crash the Rule Worker module) |
| 11036 | Normal | Rule Engine | Rule Worker module may abort when a PctChange expression is used |
| 14242 | Normal | Query Engine | RBAC data conditions are not enforced for SP organizations when logging in via the super org and moving to another org |
| 15022 | Normal | Parser Engine | Parser module may stall/pause if host name resolution is slow. The workaround for now is to disable host name resolution |
| 11112 | Normal | Rule Engine | COUNT DISTINCT operations consume large resources for rules utilizing Anomaly Detection |
| 14478 | Normal | GUI | Sometimes the GUI pops up a warning (Large amount of data stored over the boundaries) when users restore archived data or delete the restored data |
| 15109 | Normal | Performance Monitoring | Failed custom JDBC job shows in the performance page after Discovery |
| 15247 | Normal | Parser | AIX Parser cannot parse events correctly |
| 15253 | Normal | Parser | Reporting device name is parsed wrong in LinuxInotifyParser (affects Linux file integrity monitoring via AccelOps agent) |
| 14929 | Normal | Performance Monitoring | Maintenance calendar issue – Maintenance for a device does not start at the configured time if there is a long running disabled job of another device |
| 15068 | Normal | Application Server | Dashboard Search Filtering does not work for Clariion LUNs under Summary Tab |
| 15231 | Normal | Application Server | Generating PDF Reports over 100 pages will drop the page footer |
| 15233 | Minor | Application Server | “Validation Status” column in Admin->Event DB->Event Integrity does not allow for sorting |
| 15300 | Minor | GUI | For Report Server, if you sync -> unsync -> sync in rapid succession, then the last sync may not take effect |
| 9261 | Enhancement | Application Server | Charts in exported reports (PDF format) only contain stacked charts – not line charts |

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
