FortiSIEM What’s new in Release 4.2.1

What’s new in Release 4.2.1

This release adds features and functionality in several areas.

Systems Features

Fundamental system upgrade

Run on Microsoft HyperV

Regex based search

Statistical anomaly detection

Ability to drop events

Enhanced PDF export

Remote connectivity to collector devices

CMDB device discovery filter

Delta discovery

Query/Rule usability enhancements

Support OpenLDAP for user discovery and external authentication

Support secure LDAP protocols: LDAPS and LDAP Start TLS CMDB Report extensions

Performance and Availability Monitoring

Customizable high performance summary dashboards

Generalized Selenium based Web Synthetic Transaction Monitoring (STM)

End-to-end Email Synthetic Transaction Monitoring (STM)

Custom SSH based command output monitoring

Log Management and Security Incident Event Monitoring (SIEM)

Watch list

Agent less file change and file integrity monitoring

Log integrity validation

Compliance reporting

Device Support

Miscellaneous Key Enhancements

Quick interface utilization drill down via Netflow

Manually define trunk ports

Add CMR Support for Cisco VoIP

Limit excessive generated incidents

Cisco ASA/IOS Remote Access VPN Monitoring

Most Expensive Query report

VM Snapshot monitoring Excluded Disks

General GUI related fixes and enhancements

Platform related fixes and enhancements

Performance Monitoring / STM related fixes and enhancements

Rule / Query / Report Engine related fixes and enhancements

Parsing related fixes and enhancements

Discovery related fixes and enhancements Open Issues

 

Systems Features

Fundamental system upgrade

This release upgrades the AccelOps platform to CentOS 6.4, Glassfish 3.2, Postgres 9.1 and JDK 1.7. This significantly enhances the stability and robustness of the base operating system and key sub-systems. In addition, the Apache web server is also upgraded to 2.2.25 to fix many vulnerabilities.

Run on Microsoft HyperV

In addition to VMware ESX, Redhat KVM and Amazon EC2, AccelOps supervisor, worker and collectors will now also run on Microsoft HyperV virtualization platform.

Installing AccelOps Supervisor, worker and collector on Microsoft HyperV is covered here.

Regex based search

Prior to Release 4.2.1, AccelOps allows the ability to search raw messages by AND/OR combination of keywords and via the CONTAINS and NOT CONTAINS operator. This release adds the ability to search via regular expressions (REGEXP operator). Regular expressions can return precise search results than keyword based searches. Regular expressions can be used in searches, queries and rules for any string valued attribute such as Event Type, Raw Message etc.

Regex based search for real time search is covered here.

Regex based search for historical search is covered here.

Regex based search for rules is covered here.

Statistical anomaly detection

This release enables users to baseline any performance metric or flow data collected by AccelOps and create an alert when the current value of the metrics deviates significantly from its statistical baseline. Baselines are created on an hourly basis for each distinct hour of the day and separately for work and non-work days – a total of 48 buckets. This fine-grained approach allows for accurate behavioral analysis. The baselines are learned automatically and updated continuously in an attempt to learn the new normal. The following baselines are available out of the box

Network Traffic Analysis

Network traffic – by sender, by receiver, by connection – total flows, sent bytes, received bytes, sent packets, received packets

Firewall TCP/UDP port traffic – by inbound,  by outbound – permitted traffic and denied traffic – total flows Firewall total denied flows

VPN usage – by user – time spent and total traffic volume

Host resource usage – CPU, Memory, Virtual Memory, Disk I/O

Application resource usage – CPU, Memory

Network interface usage – by interface – utilization, sent bytes, received bytes, sent errors, received errors SAN usage – LUN I/O

NAS usage – Volume usage, Protocol latency

DNS requests – by sender – requests, unique resolution requests

ICMP requests – by sender – requests, unique destinations

Web requests – count, errors, distinct clients

Reporting eps

Login – successful count, failed count

Server process count

Login – successful count, failed count

Reported Event types

Reported Errors

User seen – distinct count

Statistical anomaly detection is covered here.

Ability to drop events

Certain devices and applications generate a significant of logs. Often logs are very verbose and certain log types are of little value and waste valuable storage. This release provides the ability for user to drop the events immediately after they are accepted by AccelOps. These logs do not count towards licensed eps and do not trigger rules.

Ability to drop events is covered here

Enhanced PDF export

The charting technology in PDF reports is significantly enhanced – the exported charts now look similar to what the users see in GUI.

Remote connectivity to collector devices

After detecting a problem, often there is a need to open a session to a monitored device either via Telnet/SSH, VNC, HTTP(S), Microsoft RDP directly from AccelOps GUI. This release release enables AccelOps users to launch terminal sessions to monitored devices for the following two cases

device is in the same data center as Supervisor/Worker

device is in a remote date center behind a firewall and monitored by a Collector. This case uses a reverse SSH tunnels between Collector and Super

The topic of opening remote connections to collector devices is covered here.

CMDB device discovery filter

This release enables users to control the CMDB device discovery process by including or excluding certain device types. For virtualization discovery, powered off VMs and VM templates can also be excluded. This facilitates a “clean” CMDB consisting of only the devices of importance to the user.

Setting up CMDB device discovery filters is discussed here.

The following reports in CMDB > Reports > System Audit can be used to report on devices added or deleted to CMDB via discovery

CMDB: Device Addition and Deletion History

CMDB: Device Modification History

Delta discovery

Because of the depth at which AccelOps discovers a device, a full discovery of a range of devices can take some time. Often there is a need to quickly detect only the new devices in the network. This is an important PCI compliance requirement – for security purposes, it is critical to know if there are any new devices plugged in to the network. This release enables users to quickly discover devices and applications that are not already in AccelOps CMDB.

Setting up delta discovery is discussed here.

The following reports in CMDB > Reports > System Audit can be used to report on devices added or deleted to CMDB via discovery

CMDB: Device Addition and Deletion History

CMDB: Device Modification History

Query/Rule usability enhancements

This release improves the Query/Rule usability by creating the following shortcut operations.

Ability to turn a query to a rule (see here) and vice versa (see here)

Ability to convert a historical search to a real time search and vice versa (see here) Ability to smart copy a query from one tab to another (see here)

Ability to create display and filter templates and use them later in a query or rule (see here)

Support OpenLDAP for user discovery and external authentication

This release extends user discovery and external authentication capabilities from Microsoft Active Directory to also include OpenLDAP servers.

Setting up OpenLDAP based discoveries and external user authentication is covered here.

Support secure LDAP protocols: LDAPS and LDAP Start TLS

This release extends secure LDAP protocols: LDAPS and LDAPStartTLS for user discovery and external authentication. This topic is covered here.

CMDB Report extensions

Currently users can create CMDB reports for exporting CMDB information. Currently this includes a report of devices in CMDB, their installed and running applications, hardware inventory etc. This release extends this capability to include users, rules and reports. Specifically users can now run reports on

Discovered users

AccelOps administrative users and their roles

Active Rules with exceptions if any

Scheduled Reports

Active Performance Monitors

For details see here

The following inbuilt reports in CMDB Report section can be used to quickly get relevant information.

Discovered Users

Externally Authenticated AccelOps Users

Locally Authenticated AccelOps Users

Manually Defined Users

Active Rules

Inactive Rules

Rules with Exceptions

Scheduled Reports

Active Performance Monitors

Performance and Availability Monitoring

Customizable high performance summary dashboards

Summary dashboards, a unique AccelOps feature, provide a real-time bird’s cross-domain metrics and health of a device or a group of devices or applications. There are 3 types of dashboards:

single level e.g. All Network dashboard, Hardware summary

two-level dashboards e.g. database performance dashboard, ESX-VM dashboard

three level dashboards e.g. Business Service dashboard (Business Service -> Devices -> Applications), VM Cluster dashboard (Cluster -> ESXs -> VMs)

In this release, all of these dashboards are enhanced for scalability and extensibility:

the dashboards are now configurable users can create their own dashboards

users can add their own performance metrics whether they are collected by default or created by customers as custom monitors paginated dashboard views eliminate the limitation of 300 devices/applications per dashboard – searching and sorting happens across the entire set of devices, not just on the page the user is on

most performance metric computations (like maximum or average interface utilization over all interfaces of a device) are now shifted from the GUI to the Super/Worker cloud – this dramatically reduces GUI network bandwidth and improves GUI rendering speed.

The ability to customize a summary dashboard is covered here.

Generalized Selenium based Web Synthetic Transaction Monitoring (STM)

The ability to monitor websites by running complex multi-level synthetic monitoring tests is an important criterion. This release allows AccelOps customers to record any web transaction from a web browser via Selenium plugin, and then play it back within AccelOps framework for continuous monitoring. Alerts can be triggered when the script fails to run or has an unacceptably large delay.

For setting up a Selenium based Web STM, see here.

End-to-end Email Synthetic Transaction Monitoring (STM)

For properly testing the health of email system, it is important to be able to test the entire path of an email: sender -> SMTP gateway -> receiving SMTP gateway -> receiving mailbox. This release provides AccelOps users a framework to run end-to-end e-mail synthetic tests, e.g. AccelOps will send an email and make sure that the same email is received within an acceptable time limit. Alerts can be triggered when an email fails to arrive or has an unacceptably large delay.

For setting up an end-to-end email STM, see here.

Custom SSH based command output monitoring

Often customers have scripts that monitor certain aspects of a system or an application and there is a need to get those script outputs into AccelOps for reporting and alerting. This release provides customers a framework for running these scripts remotely, bringing back the command output via SSH, parsing the output and creating events for further analysis in AccelOps.

For setting up command output monitoring, see here.

Log Management and Security Incident Event Monitoring (SIEM)

Watch list

This release enables users to create and manage watch lists. Watch lists are (often dynamic) containers that can hold objects of interest, e.g. Network Scanners, Frequent Locked out users, Externally excessive denied ports, High I/O Virtual machines etc. Watch lists can be dynamically populated when a rule triggers. An entry can leave the watch list if it does not trigger in a defined period of time or the entry could be permanent. A watch list can also be populated statically. A watch list can be further used in a rule condition in a nested manner to trigger rules of significant more significance. Watch lists provide a easy way to keep track of important policy violators in a monitoring system without always running reports.

For setting up command output monitoring, see here.

Agent less file change and file integrity monitoring

Unauthorized and untested configuration changes often lead to critical failure conditions. AccelOps already provides a way to keep track of network device configuration changes. This capability is further extended in this release to address the following situations – in an agent less fashion.

File integrity via checksum for specific files or directories on a server – trigger an alert when there is a change in any file in any directory.

The files need to be accessible via SSH or Telnet.

Monitor the content of a file on devices and make sure that it is identical to a target “blessed” file. Alert when the monitored file differs from the target file and show exactly what has changed.

Setting up agent-less file change/integrity monitoring is discussed here.

Log integrity validation

This release enables AccelOps customers to demonstrate to security auditors that the collected logs have not been tampered with, while at rest within AccelOps monitoring system. To achieve this, logs are cryptographically signed immediately upon arrival at the AccelOps point of entry. Using the AccelOps GUI, the cryptographic checksum can be validated to prove to the auditors that logs have not been tampered with. In case the logs have indeed been tampered with, AccelOps can identify the time period of the affected logs.

Log integrity validation is discussed here.

Compliance reporting

AccelOps already provides compliance reports for the following standards: PCI, HIPAA, COBIT, GLBA, FISMA, NERC, GPG13. This release extends this set by providing compliance reports for the following standards

SANS Critical Controls ISO

Device Support

Checkpoint Provider-1 – collect  firewall logs from CLM and audit logs from MDM – see here for details

MySQL database – discovery, performance monitoring and audit log collection and analysis – see here for details

IBM DB2 Audit Log  – audit log parsing and analysis –  see Configuring Security Gateways for details

Cisco AVC – log analysis via Netflow

McAfee Foundstone Vulnerability Scanner – full log parsing and analysis  – see Web Server Configuration for details HyperV log parsing via Honeycomb agent

Windows log parsing and file integrity monitoring via Honeycomb agent

Windows log parsing via Correlog agent

Dell Blade center

EMC Data Domain

Citrix NetScaler performance monitoring

Link interface errors (1.3.6.1.2.1.10.7.2)

EMC Isilon

Alcatel AAA Radius syslog

Miscellaneous Key Enhancements

Quick interface utilization drill down via Netflow

This release enables users to quickly analyze a network interface usage issue by combining SNMP and Netflow. SNMP provides interface utilization metrics and Netflow provides the traffic on that interface. AccelOps makes this connection seamless assuming that the router/switch is monitored by SNMP and also sending Netflow to AccelOps.

To achieve this drill down

Go to CMDB, select the router and click ‘Interface Stats’. The displayed data is from SNMP.

Note that for any interface, there is a drill down for Inbound or Outbound traffic. Select the desired direction and the interface usage for the chosen direction is displayed. This information is gathered from Netflow.

Manually define trunk ports

User identity and location is a key feature in AccelOps. To accomplish this, AccelOps automatically discovers switch trunk ports to ensure that only the access ports and not trunk ports show up in Identity and Location reports. An exception is of course VoIP ports which have PCs connected to them. This release enables to manually label certain discovered interfaces as trunk ports. Future discoveries will take this input into consideration and not create Identity and location entries for those user defined trunk ports.

To label a discovered interface as a trunk port, go to CMDB; choose a device; ‘Edit’ interfaces; check the Trunk Port checkbox and click Save. You need to do a discovery again to get new identity and location information.

Add CMR Support for Cisco VoIP

Cisco VoIP Call information is in two files

CDR records – this contains primarily the Call originator and Call destination information CMR records – this contains call quality information – MOS scores

Prior to this release, AccelOps only handled CDR records. This release is able to “join” CDR and CMR records to append the call quality information to the call originator/destination information in a single event.

Limit excessive generated incidents

 

Cisco ASA/IOS Remote Access VPN Monitoring

 

Most Expensive Query report

As part of database performance monitoring, AccelOps can now monitor the most expensive queries. Currently it works for Oracle and MS SQL Server.

 

Two rules are provided that trigger when a query takes more than 5 minutes to complete. The query has to complete for the rule to trigger.

VM Snapshot monitoring

VM Snapshots consume lots of space. This release allows you monitor the space taken up by snapshots

Excluded Disks

Often there are certain disk volumes that are either read only or always close to full and never grow. Because of these disks, these servers always as CRITICAL in dashboards. This release enables users to exclude these disks from monitoring – details are here.

Fixed Issues

General GUI related fixes and enhancements

Bug 7580: While trying to validate a custom parser (cloned), user gets “Backend error code: 139” and cannot continue working on parser Bug 7589: Remove 300 device limitation in custom dashboard

Bug 7648: Devices do not update after moving Organizations

Bug 7713: Chart is not displayed in report if generate the report with “Display as” columns.

Bug 7780:  CSV exported report does not need extra commas

Bug 7958: Dashboard displays error when Request XML is over 20MB

Bug 8119: Clear Reason for system cleared has incorrect “active for more than 7 days”

Bug 8166: When creating a Ticket the “Assigned To” drop down contains ALL LDAP users, not just AO users

Bug 8170: Add search box on floating dialog boxes showing Performance Monitor errors

Bug 8180: Customer ID of All Report Notification report shows Super always

Bug 8683: Dashboard for Oracle does not display instance status

Bug 8713: Need to allow to import downloaded malware domain csv file manually

Bug 8719: Display IPS Generator ID and IPS Signature ID in wrong format

Bug 8725: “Last Update” of malware domain/blocked IP is not updated

Bug 8736: Ability to set values for ports, applications, device types at global level in CMDB that apply to all orgs

Bug 8762: If you schedule a report and set a custom value in Maximum graphs or Maximum rows and save it then go back into scheduled reports, it goes back to default values. It appears graphs/rows are saved with the custom values because scheduled reports work correctly.

Bug 8768: After changing the Font – some words do not fit correctly

Bug 8826: Customer added a second email address in Admin -> General Settings -> Analytics. Scheduled Report emails are not being sent to the second address

Bug 8946: Org Users should not  be able to see Systems Errors from other Orgs Bug 8962: Allow for bulk delete of report results.

Bug 8963: Perf Incidents are not displayed properly from Dashboard (Exec. Summary)

Bug 8989:  Disk utilization drill-down dialog stop working once browser loose focus

Bug 9072: When editing credentials of various protocols, they all display the ‘description’ field. SNMP v3 protocol does not display this field. This led users to incorrectly use the context field to to put description which caused failures.

 

Bug 9073: When looking at a widget – in this case “Top Incidents by Severity, Count”, and you drill down into an incident, you are brought to the incident page with a list of the incidents – BUT – after sorting the widget, and drill down on the same incident, you are show an incorrect incident

Bug 9096: Parse out additional fields in Symantec AV events

Bug 9116: Remove SMS notification configuration from user guide

Bug 9182: Clear incident notification email contains incorrect host name which belongs to another org with the same IP

Bug 9311: Too many tasks causes GUI to be slow

Bug 9332: The report output limitation is incorrect in the pop up report run dialog

Bug 9374: Maintenance Calendar does not save Devices folders

Bug 9391: Notification policy does not work when set only the days of the week and the start date, toggle the days of the week

Bug 9539: Need to forbid “Test Rule” button for rules from organizations

Bug 9628: Daylight saving time (DST) causes report editing to not properly re-save time

Bug 9675: For Juniper SRX devices that have virtual interfaces with a 192.0.0.0 subnet mask, user cannot edit and modify any CMDB fields for this device

Bug 9734: Read-Only Admin Role allows credential to IP association edits with double click

Bug 9839: Provide ability to export IP Range to Credential associations. Currently, the Export button on Admin->Setup->Credentials only exports the credentials but not the IP to Credential associations

Bug 9892: When export CMDB report run for 1 Org, you get data for ALL Orgs

Bug 9953: Deleting Clear Conditions in Rule do not work

Bug 10023: In Dashboard > widgets > combo view,  y -axis has no scale value

Bug 10046: Last updated method overwrites the health page. Discover first using WMI then VM_SDK and you get just the VM stats Bug 10161: When SVN has too many configuration/installed software revisions on single device, UI got timed out by 120 seconds.

Finally, UI shows error and cannot see device configuration

Bug 10186: Email notification contains another organizations Interface description

Bug 10202: AO-SP: Rule Sync Errors dialog show other organization’s error

Bug 10215: AO-SP: For Rule Synch errors, an Org user should be able see ONLY his own changes causing synch errors. Super/global should be able to see all Organization errors

Bug 10263: LDAP discovery does not add users when there is an exception caused by the address field is too large to fit into our 256 character column field on ph_contact

Bug 10288: For Report Bundles, report end times are off by 1 minute

Bug 10292: For Report Bundles, absolute schedule time not saved when custom email notification is chosen

Bug 10344: Prevent user from entering more characters then allowed in text fields in UI. When creating a device maintenance schedule, entering too many characters in the description field resulted in “transaction marked for rollback” message

Bug 10673: Custom group does not show up in role management UI Access tree. This issue is affecting to many places such as Dashboard, CMDB, query condition builder

Bug 10829: When selecting multiple devices in CMDB for setting up maintenance schedule the devices do not have name in dialog box. This is GUI issue only.

Platform related fixes and enhancements

Bug 7600: Provide a CMDB Report for Active Rules for an Organization

Bug 7680: External authentication does not work with OpenLDAP

Bug 7953: Events dropped based on Elastic EPS being too slow in changing values

Bug 8142: Event Packager port unnecessarily open on the super and workers

Bug 8213: Back end modules should check certificates during SSL communication

Bug 8278: Script for creating bluecoat ftp directory does not change owner.group to ftpuser.ftpuser

Bug 8279: Every time AO device is rebooted bluecoat ftp directory owner.group are reset to admin.admin preventing files from being ftp’ed to AO

Bug 8650: Need to consolidate NSCD package to nscd-2.5-24 with its updated configuration Bug 8676: Proxy configuration does not work

Bug 8718: Add CMDB Report for Users in AccelOps

Bug 8869: Provide capability in CMDB reports to extract intersection (AND) of 2 criteria – when the criteria partially overlap

Bug 8983: Need to auto-compact JMS request queue

Bug 9065: Empty username and password in the base URL definition causes upgrade failed

Bug 9184: Support CS MARS type drop rules

Bug 9283: Documentation for Amazon AWS need to say Access key and Secret access key instead of User ID and Password

Bug 9341: Global EPS license is ignored when Elastic EPS allocates EPS based on previous configuration

Bug 9630: Create a report for all users with system roles in AccelOps

Bug 9669: Limit the amount of times that AppServer retries a transaction

Bug 9928: Create a report for Monitor Change Performance errors

Bug 9937: Do not overwrite phoenix_config.txt upon upgrade

Bug 10009: Create a report to show all processes and open ports

Bug 10143: Customer certificate overwritten in ssl.conf with 3.7.6 upgrade

Bug 10223: Cache files created by incident notification are never removed

Bug 10525: Provide an option to not show the Domain drop-down list from logon page for external authentication Bug 10567: Fix customer found Apache security vulnerabilities

Performance Monitoring / STM related fixes and enhancements

Bug 7787: Add Virtual Memory Utilization Attributes support

Bug 8254: False high Exch Metrics

Bug 8700: Monitor VM snapshots

Bug 8837: AO is losing checkpoint firewall events every time phCheckpoint crashes

Bug 8919: The average processing time for Glassfish servlets and processors are wrong

Bug 8981: Windows log pulling time interval not implemented correctly

Bug 9137: Add load balancing metrics for Cisco ACE load balancer

Bug 9458: Need instance availability monitoring via Amazon AWS SDK

Bug 9508: Add performance monitoring for Citrix NetScaler

Bug 9627: “PH_DB_DATA_ERROR: cannot decrypt password for principal” exception thrown when running perfMonitor rest API on

Super in SP mode when there are devices monitored by a collector

Bug 10028: Performance monitor job status does not update (shows yellow star)

Bug 10222: Enhance custom performance monitor to include string index (currently only integer index)

Bug 10249: Cisco ASA CPU, memory utilization not populated correctly

Bug 10471: NX-OS devices PH_DEV_MON_INTF_UTIL not calculated correctly sometimes

Bug 10512: Apache metrics are not being pulled

Bug 10527: Fail to collect UDP echo IP SLA stats

Bug 10608: Monitoring Windows network interface statistics via WMI sometimes crashes when server has more than 1 network interface

Bug 10618: Hardware Monitoring for Cisco IOS and NX-OS devices stops after 3.7.6 upgrade

Bug 10650: Important process with long parameters (like java) are not being detected as down when they are indeed down

Bug 10827: Enhance Linux disk utilization by accounting for reserved space

Bug 10921: Generate per-host LUN usage metrics for EMC VNX/Clarion

Rule / Query / Report Engine related fixes and enhancements

Bug 7509: Prohibit user from choosing past dates in scheduled reports

Bug 8376: Reports saved as csv have blank “Event Name” column

Bug 8811: Query returns nothing for user defined port/protocol group

Bug 9405: Analytics can only query top level CMDB Application Groups

Bug 10183: When running a long report, App server needs to retry if Query Master does not respond

Bug 10345: Report Scheduler not sending reports at the correct time

Bug 10348: Daylight Savings Time (DST) causes report editing to not properly re-save time

Bug 10349: Quartz worker thread pool are too small to handle large set of scheduled reports

Bug 10487: Enhance CONTAIN operator to match anywhere in string – not just in the beginning Bug 10767: Eliminate Rule synch errors caused by Rule exception

Parsing related fixes and enhancements

Bug 7625: Suppress certain events from being parsed

Bug 7639: Windows Parser does not completely parse when key pair fields are in Spanish

Bug 8216: Parse out additional fields in ASA-722051 event

Bug 8355: Allow event forwarding based on event severity

Bug 8702: Event Type Win-Security- 4656 does not parse object type and object name

Bug 8758: Symantec AnitVirus logs – virus file name not being parsed

Bug 8874: Fix Microsoft UAG parser

Bug 8889: Fix Forescout CounterACT parser

Bug 8895: Allow parsing of “:” in certain Cisoc IOS messages

Bug 8999: Windows WMI OS Parser does not properly parse all fields on SQL Server Events

Bug 9024: Windows Parser needs to strip the @Domain.xxx at the end of “account name” in the key-value-pair

Bug 9026: from Admin->Device Support->Event Type, if you click on the amplifier icon on the search box and uncheck ‘Device Type’, it ignores the search columns settings which always includes Device Type as part of search. Actually it ignores whatever is unchecked, it always displays the default

Bug 9451: WatchGuard Firewall Parser Missing Events

Bug 9587: Email subject is sometimes not parsed by Cisco IronPort Mail parser

Bug 9641: Save event name from Cisco IPS Alerts

Bug 9709: Add support for Alcatel AAA Radius syslog

Bug 9843: NetApp snnp traps not parsed

Bug 9861: Change Parser to not create User= “-” for event type IIS-Web-Client_Access_Denied

Bug 9862: F5 BIG-IP LTM new version has syslog not parsed by our current parser

Bug 9955: Cisco switch events for dynamic ARP inspection (SW_DAI-4-DHCP_SNOOPING_DENY) are not being fully parsed

Bug 10090: Cisco ASA Parser enhancement –  add the type of Remote Access connection that is used when a DAP is applied

Bug 10091: Parse WLAN AP Host Name attribute for Cisco WLAN disassociation SNMP traps

Bug 10092: Enhance Cisco Call Manager CDR parser to get the CM Login User ID of the caller

Bug 10119: Logon Fail events misclassified as Login Success events

Bug 10286: AccelOps is not parsing Severity and Source / Destination addresses, Event Type, Event Name, etc. from Snort Sensor IDS logs, because of the <br0> between the [Priority 1]: and {TCP}

Bug 10324: Parse addition fields for Symantec Endpoint Protection (SEP) logs

Bug 10381: Fix JunOS log parsing errors

Bug 10408: Parse logs generated by Correlog windows agent

Bug 10418: Parse user name from Windows MSSQL Event 18453 Bug 10458: Convert TOS values to DSCP values in Netflow

Bug 10511:  Parse out Account Name and Object Name for Win 4670 events

Discovery related fixes and enhancements

Bug 6574: Provide an option for removing VM monitoring

Bug 6955: Support secure LDAP protocol

Bug 7888: Checkpoint running SPLAT OS being incorrectly discovered as Generic Linux

Bug 8681: Redhat 10GB Interface discovered as 10MB

Bug 8769: Support MySQL – discovery, performance monitoring and log collection

Bug 8984: Compress Discovery result before sending to App server

Bug 9042: MS SQL Server JDBC discovery fails but AO still pulls some perf metrics but not all This is unique to MS SQL Server 2012.

Bug 9058: LDAP discovery using “daysToPasswordExpiry” is completely wrong

Bug 9070: Add SNMP support for Dell Blade Center / Chassis Mgmt Controller

Bug 9134: Support EMC Data Domain

Bug 9290: Add region to AWS EC2 discovery

Bug 9420: Checkpoint discovery does not have Installed Software/Running Process on GAIA/Security Platform

Bug 9474: VM discovery does not work with symbol character for password

Bug 9584: Make the ‘show ip route’ command optional in discovery of Border routers with millions of routes

Bug 9790: VMSDK discovery failure does not show complete failure reason

Bug 9827: Option to include or exclude VM Guest hosts during ESXi / VMSDK discovery

Bug 10025: Add device support for standalone Cisco WLAN AP (not controllers) running IOS

Bug 10171: Cisco IPS module in ASA has wrongly discovered IPS SW version

Bug 10437: Cannot discover Cisco device by SSH with high privilege user

Bug 10524: Discovering powered off VMs may cause incorrect merge if the VMs have a shared IP address

Bug 10530: Linux interface speed incorrect

Bug 10677: Interface alias not discovered when an interface has more than one addresses

 

Open Issues

Bug 7537: Can not create new incident category in VA mode. AO-SP works correctly. Workaround is to manually add the incident category to a rule in the database.

Bug 7191:  Device Maintenance window cannot be larger than 1 day

 

 

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Name *
Email *
Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.