Setting up CyberArk
This section specifies how FortiSIEM can be configured to fetch credentials from CyberArk.
Installing CyberArk Provider in FortiSIEM
- Log in to FortiSIEM as root
- Run the rpm command to begin the installation:
The installation runs automatically and does not require any interactive response from the user. When the installation is complete, the following message appears: “Installation process completed successfully.”
Configuring CyberArk Provider in FortiSIEM
- Log in as root
- Open the Vault.ini file and specify the parameters of the Vault that will be accessed by the Provider
- Run CreateCredFile to create a credential file for the administrative user that will create the Vault environment during installation.
- Check the log file /var/tmp/aim-install-logs/CreateEnv.log to make sure that the Provider environment was created successfully
- Start the CyberArk Application Password Provider service manually as a privileged user
- Run ldconfig
Configuring CyberArk for communication with FortiSIEM
- Log in to the CyberArk Password Vault Web Access (PVWA) Interface as a user allowed to manage applications (it requires Manage Users authorization).
- Add FortiSIEM as an Application
- Go to Applications and click Add Application.
- Set Name to FortiSIEM
- In the Description, specify a short description of the application that will help you identify it (e.g. FortiSIEM SIEM)
- In the Business owner section, specify contact information about the application’s Business owner.
- In the lowest section, specify the Location of the application in the Vault hierarchy. If a Location is not selected, the application will be added in the same Location as the user who is creating this application.
- Click Add; the application is added and is displayed in the Application Details page
- Check Allow extended authentication restrictions – this enables you to specify an unlimited number of machines and Windows domain OS users for a single application
- Specify the application’s (FortiSIEM) Authentication. This information enables the Credential Provider to check certain application characteristics before retrieving the application password.
- In the Authentication tab, click Add; a drop-down list of authentication characteristics is displayed.
- Specify the OS user as “admin” and Click
- Specify the application path as “/opt/phoenix/bin”. Make sure Path is folder and Allow internal scripts to request credentials… check boxes are checked
- Do not specify a hash
- In the Allowed Machines tab, click Add and specify the IP/host name of the FortiSIEM Supervisor, Workers and Collectors
- Authorize FortiSIEM to retrieve accounts.
- Go to Policies > Access Control (Safes)
- For every Safe, Click on Members.
- Click on Add Safe Member
- Search for FortiSIEM. An entry will already exist. Select that entry.
- Check Retrieve accounts.
- Click Add
Now FortiSIEM should be ready to retrieve passwords from CyberArk via Test Connectivity and Discovery.
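Because the application is authenticated by OS user and folder path with no hash, the Provider's check depends on who can write into /opt/phoenix/bin. The following added example (not part of the FortiSIEM or CyberArk documentation) audits that folder for group- or world-writable entries and unexpected owners; the function name and the choice of root and admin as acceptable owners are assumptions.

```shell
#!/bin/sh
# Added example: audit the folder used for CyberArk path authentication.
# audit_app_path DIR OWNER [OWNER...]
#   DIR    folder registered as the application path
#   OWNER  user names or numeric IDs allowed to own entries (assumed policy)
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on usage error.
audit_app_path() {
    if [ "$#" -lt 2 ] || [ ! -d "$1" ]; then
        echo "usage: audit_app_path DIR OWNER [OWNER...]" >&2
        return 2
    fi
    dir=$1
    shift

    # Build "! -user A ! -user B": matches entries owned by none of the allowed users.
    owner_expr=""
    for o in "$@"; do
        owner_expr="$owner_expr ! -user $o"
    done

    findings=$(
        # Group- or world-writable files and directories. Symlinks are skipped
        # because their mode bits are always 777 on Linux.
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) \
            -exec printf 'WRITABLE %s\n' {} \;
        # Entries whose owner is not on the allowed list (word splitting intended).
        find "$dir" $owner_expr -exec printf 'OWNER %s\n' {} \;
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run as a script, e.g.: sh audit_app_path.sh /opt/phoenix/bin root admin
if [ "$#" -ge 2 ]; then
    audit_app_path "$@"
fi
```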