FortiSIEM What’s new in Release 4.2.3

What’s new in Release 4.2.3

This release addresses several issues and enhancements on top of 4.2.2 release.

Note: To upgrade to this release, migrate to 4.2.1 first and then upgrade to 4.2.3. It is not possible to directly upgrade from 3.7.x or earlier releases to 4.2.2 because of the Linux Operating System changes.

The following are the key issues that are addressed in this release:

Bug 9211: Windows log and metric pulling via WMI has been optimized to be roughly 4x faster and more robust

Bug 11459: Checkpoint LEA log collection agent occasionally restarts

Bug 11631: VMware log pulling sometimes stops after encountering an exception in the API

Bug 11699: QueryMaster module memory grows to be large when there are over large number of devices (over 2500) in summary dashboard.

Other addressed issues include the following:

General GUI related fixes and enhancements

Bug 11353: App server stops picking discovery result xml files when malware site/IP auto update failed

Bug 11517: Windows server version in device selector UI can not be seen completely

Bug 11526: Delete custom event attribute or custom event type – the custom dashboard column not removed

Bug 11586: Footer shows wrong language when browser’s OS language is not in English

Bug 11654: Custom Property Attribute not populating in query conditions

Bug 11655: CMDB/Performance page shows CPU green at 100% utilization

Bug 11735: App Server Exception for incidents with custom event attribute causes performance issues

Platform related fixes and enhancements

Bug 11435: Handle error: “File does not exist: /var/www/html/favicon.ico”

Bug 11574: Include misc debugging tools: nfsiostat, iostat, screen, ntop

Bug 11812: Custom group is not editable after migration

Performance Monitoring / STM related fixes and enhancements

Bug 11336: Add sent bits/sec and received bits/sec to Netflow metrics

Bug 11410: Nessus vulnerability scanner reports are not parsed correctly

Bug 11422: Add “Diff” system transform for custom SNMP and WMI performance monitoring

Bug 11426: Possible memory leak issue in VMware performance pulling agent

Bug 11428: Add use cases for Linux syslog monitoring – detect “yum update”, system going down, network interface up/down, process killed by kernel because of out of memory

Bug 11449: The NMAP check during Flow based service detection can cause unnecessary probing traffic from AccelOps. Remove the nmap test or make it optional.

Bug 11450: VMware monitoring enhancements:

Add Cluster names and VCenter IP to all VMware host events

Add Folder to show VM performance metrics on the right hand side in VMware view

Add folder information to VMware guest and ESX events

Capture VMware tools version including it is out of date or not Add cluster balance information

Bug 11470: Exclude Mounted Volumes from disk space monitoring at client machine. The mounted volume disk space has to be monitored at the server side.

Bug 11620: Some interfaces (like Serial) have send/recv bytes only from regular IF-MIB and not from high speed MIB; so need to pick interface speed from regular IF-MIB and not from high speed MIB. Currently speed for T1 interfaces is picked from high speed MIB and so it is 2Mbps instead of 1536Mbps.

Rule / Query / Report Engine related fixes and enhancements

Bug 10934: The rule “Concurrent VPN Authentications To Same Account From Different Cities” need to be enhanced to cover the case where user attribute is not present in the log.

Bug 11360: Some pre-defined rules does not map Reporting IP to Destination IP in incident events – this may cause notification policy to trigger

Bug 11456: Include Reporting IP for consideration in Notification policy > Affected Objects. Currently Affected Object check includes only Destination IP and Host IP.

Bug 11483: Rule synch – new worker causes performance  issues

Bug 11594: Should restart phRuleMaster when failed to retrieve rule exception

Bug 11775: Incident fails to trigger when host name contains special characters which are not acceptable in XML e.g. &, <, > etc

Parsing related fixes and enhancements

Bug 10418: User name in Windows MSSQL Server Event 18453 is not parsed

Bug 11230: Certificate Information in Win-Security-4768 and Win-Security-4771 not parsed

Bug 11239: Event time order not always maintained at the Supervisor/Worker nodes

Bug 11280: FortiGate event “FortiGate-traffic-icmp-allowed” is improperly classified as a denied event and triggers rules

Bug 11466: Several events are not parsed for Barracuda Mail gateway

Bug 11473: If parser sets event severity, then let it win over event severity from syslog header

Bug 11615: Juniper SSL VPN parsing extensions

Bug 11634: User not parsed in Windows Security 4625 events

Bug 11696: For Cisco ASA, Network Interface > Security Level info not consistently propagated to parser – this causes problems in identifying source and destination interfaces for parsing network traffic

Discovery related fixes and enhancements

Bug 11260: CBQoS / BGP / OSPF metrics get falsely discovered for Cisco devices even when they are not configured on the device

Bug 11397: Allow HTTPS selection choice for NetApp ONTAPI discovery

Bug 11519: Update access IP after re-discovery if original access IP interface is down

Bug 11524: Handle “>” as prompt in Unix SSH scripts

Bug 11582: EMC VNX CPU Discovery fails with password special characters

Bug 11681: EMC VNX discovery fails when it has only Meta LUNs but no normal LUNs

Bug 11755: VMware VCenter 5.5 discovery cannot return the correct tree structure when a Data Center is created under a Folder

Device Support

Bug 11419: VMware VCNS log parsing

Bug 11474: Collect Back-to-back consistency point metric for NetApp from SNMP

Bug 11539: Support for Emerging Threats Snort rules

Bug 11553: Match Cisco MARS SIM rules

Bug 11559: NeXpose Rapid7 XML Export 2.0 Report format not supported

Bug 11570: Support FireEye HX appliance

Bug 11616: IronPort-Web Parser Logic Error

Bug 11680: Parse additional foundry syslog

Bug 11697: Add user name and source IP addr from ASA-113019 into identity and location report

Bug 11722: User information in Spanish win-security-4625 cannot be parsed correctly

Bug 11727: Update Cisco IPS Signatures to latest

Bug 11732: Windows events 673, 4769, 4773, 674, 677, 4770 are assigned to wrong log failure group causing brute force logon rules to fire

Bug 11733: Windows Clustering Failover rule definition needs to be tightened by adding  the constraint eventSource = “Microsoft-Windows-FailoverClustering”

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.