FortiSIEM Setting Access Credentials for Device Discovery

Leave a reply
Setting Access Credentials for Device Discovery

Before you can discover devices, you need to provide the access protocol and credentials associated with the IP address or range where your devices are located. FortiSIEM will then use this information to access your devices, pull information from them, and begin monitoring them.

Access Protocols Required for Discovery

SNMP, VM SDK (for VMware vCenter), or WMI (for Windows devices) must be one of the access protocols for which you provide credentials in order for the devices associated with an IP address or range to be discovered. If your device does not use one of these protocols, then you must configure it to communicate with FortiSIEM as described in the topics under Configuring External Systems for Discovery, Monitoring and Log Collection. As described in those topics, you may also need to set up additional configurations within your devices to send logs and other information to FortiSIEM.

Associate Credentials Only with the IP Address Where They Will be Used

Credentials should only be associated with IP addresses where they can be used. Assigning multiple credentials to IP addresses where they are not used will trigger discovery operations for each credential, and the system will wait for a timeout to occur for each credential before it moves to the next one. This will cause the discovery process to require much more processing time and processing power from the FortiSIEM system. You can, however, associate the same credential (for example, a generic SNMP access credential) to multiple IP addresses where it will be used to communicate with a device over that protocol.

 

Before starting the discovery process, credentials need to be defined and then associated to specific IP addresses.

 

Define Credentials
  1. Log into your Supervisor node.
  2. Go to Admin > Setup Wizard > Discovery.
  3. Under Enter Credentials, click Add.
  4. Enter a Name for the credential.
  5. Select a Device Type to associate with the credential.
  6. Select the Access Protocol for which you want to enter credentials.

Note that the Device Type selection determines which Access Protocols are available. Change the default destination ports only if needed

  1. Choose Password Configuration method
    1. Manual – means that you have to define credentials in FortiSIEM
    2. CyberArk – means Accelps will fetch credentials from CyberArk
  2. If you choose Password Configuration as Manual, then enter the credentials required for the Access Protocol.
  3. If you choose Password Configuration as CyberArk, then choose CyberArk parameters
    1. AppID must be set to FortiSIEM
    2. Specify Safe, Folder, Object: This is the CyberArk Vault Safe, Folder, Object where the credential is defined.
    3. Specify User Name: This is the User Name of the credential
    4. Specify Platform (Policy ID): This is the platform related property for the credential. Specify this only if this property is also set in CyberArk. The match will be case sensitive.
    5. Specify Database: This is a property for the database credential. Specify this only if this property is also set in CyberArk. The match will be case sensitive.
    6. Check Include Address for Query: If checked, FortiSIEM will query the CyberArk credential by IP or host name. Specify this if CyberArk credential objects are specified by IP.
  4. Click Save. The credentials you created will be added to the list.
Specify Device to Credential Mapping
  1. Under Enter IP Range to Credential Associations, click Add.
  2. Select the credential you just created from the list.

Note that you can add multiple credentials to the same IP/host information in this step by clicking +.

  1. Enter an IP address, IP range, or Host Name to associate with the credential.
Test Connectivity

You need to perform a Test Connectivity to make sure that the credentials are correct.

  1. Select the IP/credential association you just created, and click Test Connectivity. A ping will be performed first to make sure that the host is alive. If ping is disabled in your network, then choose Test Connectivity without ping.

A dialog will show you the results of your connectivity tests. Note that the connectivity tests can take several minutes, so you may want to use the Run in Background option.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.