Category Archives: Administration Guides

Multi-Tenant Deployment Options for Managed Service Providers or Multiple Organizations

Multi-Tenant Deployment Options for Managed Service Providers or Multiple Organizations

While a common use case for FortiSIEM is the monitoring of IT infrastructure for a single enterprise, Managed Service Providers (MSPs) and large enterprises with multiple organizations can also use FortiSIEM to monitor IT infrastructure at the customer or organization level, either by splitting IP addresses to correspond to the customer or organization, or by deploying Collectors for each customer or organization and managing the monitoring and analysis of their data from a centralized Supervisor.

Standalone Supervisor Deployment for Multi-Tenancy

Supervisor and Worker Cluster Deployment for Multi-Tenancy

Supervisor with Collectors Deployment for Multi-Tenancy

Matrix of Multi-Tenancy Deployment Configuration Options

Standalone Supervisor Deployment for Multi-Tenancy

FortiSIEM allows users to create organizations, to and manage the entire IT infrastructure monitoring life cycle from data collection, storage, analytics and alerting for an organization that organization as a separate entity from other organizations. There are several use cases for this this multi-tenant model.

Hosting service providers that host multiple customers in their own data center

Managed service providers that manage a customer’s data centers from their own data center

Large enterprises that want to manage separate parts of the organization as individual customers

The simplest multi-tenancy deployment involves a single Supervisor, with organizations defined through the splitting of IP address ranges. For example:

Page

Supervisor and Worker Cluster Deployment for Multi-Tenancy

As the number of monitored devices, or the analyzed event rate, grows, one Supervisor may not be able to handle the load. In that case, you can deploy a cluster of Supervisor and Worker virtual appliances that share data over NFS. In a cluster deployment, the Supervisor and Worker nodes have specific functions:

10.1.2.0/24 = Customer 2

During the discovery process, the AccelOps Supervisor node will tag a device with the correct customer ID based on the IP address definition.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Supervisor with Collectors Deployment for Enterprises

Supervisor with Collectors Deployment for Enterprises

There are two cases where a single Supervisor may not be enough for your deployment.

There are monitored devices behind a firewall that will not allow monitoring protocols like Windows Management Instrumention (WMI) to be used from the Supervisor

The Supervisor can only reach the monitored devices through a high latency network like a Wide Area Network (WAN), in which case monitoring like protocols like Simple Network Management Protocol (SNMP) or WMI do not work well

In these cases you can deploy Collectors to monitor the devices, and they will communicate to the Supervisor over HTTP(S). The Collectors communicate with the devices, collect and parse events and logs, compress them, and then send them to the Supervisor for monitoring and analysis. Collectors also can buffer the events, in case transmission to the Supervisor is interrupted. As shown in the diagrams, you can use Collectors in a deployment with a single Supervisor, or in a deployment that also includes Workers.

An AccelOps deployment with a single Supervisor and Collectors

An AccelOps deployment using a Single Supervisor + 2 Workers + 2 Collectors

Matrix of Enterprise Deployment Configuration Options

This matrix shows the components required for each enterprise deployment option.

Deployment Option Supervisor

Node

Worker

Node

Collector

Node

NFS

Server

Report

Server

Visual

Analytics

Server

Description
Single Supervisor Node         x           This is the most basic single site enterprise deployment.
Supervisor Node with

Collectors

        x          x       This is also an enterprise deployment covering multiple sites. Data collection is simplified by deploying a collector for the satellite sites.
Enterprise Cluster         x         x        x     This is the scalable enterprise deployment. An NFS Server is required in the data sharing architecture between Supervisor and Worker nodes.
Enterprise Cluster with

Collectors

        x         x        x      x     This deployment adds collectors to the mix and is the most comprehensive enterprise deployment.
Supervisor Node with

Tableau Visual Analytics

        x          x  x This is the most basic single node enterprise deployment, with added capability for Visual Analytics with Tableau
Supervisor Node with

Collectors and Tableau

Visual Analytics

        x          x      x  x This is also an enterprise deployment covering multiple sites with added capability for Visual Analytics with Tableau. Data collection is simplified by deploying a collector for the satellite sites.
Enterprise Cluster with Ta bleau Visual Analytics         x         x        x    x  x This is the scalable enterprise deployment with added capability for with added capability for Visual Analytics with Tableau. An NFS Server is required in the data sharing architecture between Supervisor and Worker nodes.
Enterprise Cluster with

Collectors and Tableau

Visual Analytics

        x         x        x      x    x  x This deployment adds collectors to the mix and is the most

comprehensive enterprise deployment, with added capability for Visual Analytics with Tableau.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM Deployment Options

Deployment Options

FortiSIEM architecture of workers, collectors, and supervisors offers a number deployment options for enterprises at any level of scale, as well as deployment options for managed service providers who need multi-tenant solutions. Topics in this section describe these deployment options in detail, including use cases for each deployment type as well as node and server configurations for each deployment type.

Enterprise Deployment Options

Standalone Supervisor Deployment for Enterprises

Supervisor and Worker Cluster Deployment for Enterprises

Supervisor with Collectors Deployment for Enterprises

Matrix of Enterprise Deployment Configuration Options

Multi-Tenant Deployment Options for Managed Service Providers or Multiple Organizations

Standalone Supervisor Deployment for Multi-Tenancy

Supervisor and Worker Cluster Deployment for Multi-Tenancy

Supervisor with Collectors Deployment for Multi-Tenancy

Matrix of Multi-Tenancy Deployment Configuration Options

Enterprise Deployment Options

For FortiSIEM, an Enterprise deployment is one in which there is a single organization for which data is gathered and analyzed, and the virtual appliances are located entirely on-premises for that organization.

Standalone Supervisor Deployment for Enterprises

Supervisor and Worker Cluster Deployment for Enterprises

Supervisor with Collectors Deployment for Enterprises

Matrix of Enterprise Deployment Configuration Options

Standalone Supervisor Deployment for Enterprises

This is the simplest possible deployment option, in which a single Supervisor handles all the work of monitoring, processing, and analyzing data.

You can configure the Supervisor to use local or NFS storage, depending on your event data storage requirements, as described in Using NFS

Storage with AccelOps

Supervisor and Worker Cluster Deployment for Enterprises

As the number of monitored devices, or the analyzed event rate, grows, one Supervisor may not be able to handle the load. In that case, you can deploy a cluster of Supervisor and Worker virtual appliances that share data over NFS. In a cluster deployment, the Supervisor and Worker nodes have specific functions:


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM Supervisors, Workers, Collectors, and Organizations

Supervisors, Workers, Collectors, and Organizations

An FortiSIEM deployment can be configured using either a single virtual appliance, or with multiple virtual appliances that play different roles within the deployment. The Supervisor virtual appliance is the primary component in both standalone and cluster deployments, and all deployments begin with the set up and configuration of the Supervisor. As described in Supervisor and Worker Cluster Deployment for

Enterprises, there may be situations in which the single appliance cannot monitor all the data and devices in your infrastructure, and so you can deploy Worker virtual appliances to take up the extra load. Finally, you may encounter situations in which you need to deploy Collectors  for the purpose of gathering data that will be processed by Supervisors and Workers. As described in Supervisor with Collectors Deployment for Enterprises and Supervisor and Worker Cluster Deployment for Multi-Tenancy, these are most likely situations where you need to monitor IT infrastructure for different sites, as in the case of a large or distributed enterprise, or for different organizations, as in the case of multi-tenant installations for Managed Service providers (MSPs). For these situations each Organization is defined separately within FortiSIEM, so you can tailor your monitoring, analytics, and reports to meet the specific needs of that organization.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM Features and Architecture

Features and Architecture

FortiSIEM provides an all-in-one, seamlessly integrated and service-oriented IT infrastructure monitoring solution that covers performance, availability, change, and security monitoring aspects of network devices, servers, and applications. It is offered in two versions:

A VMware based virtual appliance, which you can deploy as a single appliance or a cluster of virtual appliances in a highly available, scaled-out grid architecture. This is what we refer to as FortiSIEM Enterprise.

Software-as-a-Service (SaaS), where you deploy a Collector virtual on-premises for a customer, and all of the customer data is transmitted to an FortiSIEM data center. This is what we refer to as FortiSIEM Multi-Tenant, since collector deployments are commonly used by organizations such as Managed Service Providers to monitor the services of their customers.

Some of the features of the FortiSIEM monitoring solution include:

Intelligent Device Discovery

Analytics

Business Services

Architecture

Intelligent Device Discovery

The first step in the monitoring process is IT infrastructure discovery. FortiSIEM has a fast and intelligent discovery engine that can automatically crawl an IT infrastructure and discover network devices, servers, and applications in depth. The user needs to provide appropriate credentials, a discovery IP address range, and optionally a starting router IP address for faster discovery.

A wide range of information is discovered including hardware information, serial numbers and licenses, installed software, running applications and services, and router configuration. The discovered devices are automatically categorized into detailed functional groups, such as Routers/Switches, Firewalls, and Network IPS, and this information is maintained within an integrated configuration management database (CMDB). Some special relationships are also discovered, for example WLAN Access Points to WLAN Controllers, VMware guests to physical hosts, etc. The CMDB is kept up to date through user-defined scheduled discoveries and FortiSIEM listening to changes as part of performance monitoring.

A novel aspect of FortiSIEM discovery is that those aspects of a device that can be monitored are also discovered at the same time. For example, given SNMP, WMI, and JDBC credentials for a Windows server, FortiSIEM might discover the following:

System performance metrics that can be collected by SNMP, for example CPU, memory utilization, and disk space utilization

System performance metrics that can be collected by WMI, for example Disk I/O utilization, memory swap rates, and process utilization Application specific metrics that can be collected by WMI, for example IIS, DNS, DHCP, and Exchange metrics Event logs that can be collected by WMI

Database logs that can be pulled from the server by JDBC

You simply approve the discovered results and monitoring begins. This approach reduces human error, since FortiSIEM learns from the true device configuration state.

Analytics

FortiSIEM uses a unified event-based framework to analyze all data including logs, performance monitoring data. Logs can either be sent to FortiSIEM via Syslog, SNMP traps, or other common log shipping methods, or FortiSIEM can periodically access the system and collect the logs. Performance monitoring data is collected by periodically probing the system. The data is parsed, indexed, and stored in a proprietary flat-file based database. In contrast, the CMDB information is stored in a PostgreSQL relational database. FortiSIEM unified data management architecture combines the two databases and presents a single view to the user.

FortiSIEM provides a broad range of metrics. First, it is possible to search all data based on keywords or in a structured way using the attributes parsed by AcceOps. The search can be done in real time, in which the data streaming in from devices is displayed, or the search can be based on historical data. Historical data is referred to as Reports in FortiSIEM, and can be scheduled to run at intervals you set. A large number of reports are provided in a categorized fashion, based on device type, and also based on functionality such as availability, performance, change and security. Two novel aspects of FortiSIEM metrics include unification and drill-down capabilities. With unification, all the data is analyzed and presented the same way, whether it be real time search, reports, rules or performance, availability, or change or security data. By using drill-down you can start from a specific context, such as Top Authentication Failed Users, and iteratively select attributes to further analyze data and get to the root cause of a problem. As an example, the investigation of Top Authentication Failed users could follow a drill-down of pick user and time range -> Top Destination IP, Ports for specific user and time range -> pick destination IP and port -> Query all raw messages.

FortiSIEM also uses rules for real-time alerting – a real-time event correlation engine analyzes all data and triggers alerts based on these rules. FortiSIEM ships with 500+ broad rules that cover a broad range of inter-related performance, availability, change and security scenarios. Rules can vary from simple text search and threshold conditions, to comprehensive logic supporting full Boolean operators and nested sub-patterns referencing multiple elements including thresholds and defined services. Thresholds can be static or dynamically derived from profiled network, system resource and user activity. You can add new rules, and customize existing ones, as described in Creating Rules using GUI. Business Services

A business service lets you view FortiSIEM metrics and prioritize alerts from a business service perspective. A business service is defined within FortiSIEM as a smart container of relevant devices and applications serving a business purpose. Once defined, all monitoring and analysis can be presented from a business service perspective. It is possible to track service level metrics, efficiently respond to incidents on a prioritized basis, record business impact, and provide business intelligence on IT best practices, compliance reporting, and IT service improvement. What is also novel about FortiSIEM is how easily a business service can be defined and maintained. Because FortiSIEM automatically discovers the applications running on the servers as well as the network connectivity and the traffic flow, you can simply choose the applications and respective servers and be intelligently guided to choose the rest of components of the business service. This business service discovery and definition capability in FortiSIEM completely automates a process that would normally take many people and considerable effort to complete and maintain.

Architecture

The FortiSIEM virtual appliance solution operates as a turnkey, guest host application running within the most popular hypervisors with the option of using NFS or local storage. The implementation process is flexible and can be accomplished in phases to support a variety of distributed and hybrid-cloud implementations The FortiSIEM virtual appliance is placed on a network where it can obtain operational data, as well as establish sessions with the infrastructure. Remote sites can use the FortiSIEM Collector client to locally discover, collect, compress and securely transmit of operation data back to the FortiSIEM virtual appliance. FortiSIEM’ scale-out architecture allows for virtual appliance clustering to increase processing capacity and availability. Additional virtual appliances can be added on-the-fly with nominal configuration, which will automatically distribute workload across cluster members to extend event analysis throughput and to reduce query response time.

 

 

Page 91


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM Basics

FortiSIEM Basics

These topics provide an overview of the FortiSIEM solution, including its component and various deployment configurations.

Supervisors, Workers, Collectors, and Organizations

Enterprise Deployment Options

Standalone Supervisor Deployment for Enterprises

Supervisor and Worker Cluster Deployment for Enterprises

Supervisor with Collectors Deployment for Enterprises

Matrix of Enterprise Deployment Configuration Options

Multi-Tenant Deployment Options for Managed Service Providers or Multiple Organizations

Standalone Supervisor Deployment for Multi-Tenancy

Supervisor and Worker Cluster Deployment for Multi-Tenancy

Supervisor with Collectors Deployment for Multi-Tenancy

Matrix of Multi-Tenancy Deployment Configuration Options  Export Restrictions


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM What’s new in Release 4.2.1

What’s new in Release 4.2.1

This release adds features and functionality in several areas.

Systems Features

Fundamental system upgrade

Run on Microsoft HyperV

Regex based search

Statistical anomaly detection

Ability to drop events

Enhanced PDF export

Remote connectivity to collector devices

CMDB device discovery filter

Delta discovery

Query/Rule usability enhancements

Support OpenLDAP for user discovery and external authentication

Support secure LDAP protocols: LDAPS and LDAP Start TLS CMDB Report extensions

Performance and Availability Monitoring

Customizable high performance summary dashboards

Generalized Selenium based Web Synthetic Transaction Monitoring (STM)

End-to-end Email Synthetic Transaction Monitoring (STM)

Custom SSH based command output monitoring

Log Management and Security Incident Event Monitoring (SIEM)

Watch list

Agent less file change and file integrity monitoring

Log integrity validation

Compliance reporting

Device Support

Miscellaneous Key Enhancements

Quick interface utilization drill down via Netflow

Manually define trunk ports

Add CMR Support for Cisco VoIP

Limit excessive generated incidents

Cisco ASA/IOS Remote Access VPN Monitoring

Most Expensive Query report

VM Snapshot monitoring Excluded Disks

General GUI related fixes and enhancements

Platform related fixes and enhancements

Performance Monitoring / STM related fixes and enhancements

Rule / Query / Report Engine related fixes and enhancements

Parsing related fixes and enhancements

Discovery related fixes and enhancements Open Issues

 

Systems Features

Fundamental system upgrade

This release upgrades the AccelOps platform to CentOS 6.4, Glassfish 3.2, Postgres 9.1 and JDK 1.7. This significantly enhances the stability and robustness of the base operating system and key sub-systems. In addition, the Apache web server is also upgraded to 2.2.25 to fix many vulnerabilities.

Run on Microsoft HyperV

In addition to VMware ESX, Redhat KVM and Amazon EC2, AccelOps supervisor, worker and collectors will now also run on Microsoft HyperV virtualization platform.

Installing AccelOps Supervisor, worker and collector on Microsoft HyperV is covered here.

Regex based search

Prior to Release 4.2.1, AccelOps allows the ability to search raw messages by AND/OR combination of keywords and via the CONTAINS and NOT CONTAINS operator. This release adds the ability to search via regular expressions (REGEXP operator). Regular expressions can return precise search results than keyword based searches. Regular expressions can be used in searches, queries and rules for any string valued attribute such as Event Type, Raw Message etc.

Regex based search for real time search is covered here.

Regex based search for historical search is covered here.

Regex based search for rules is covered here.

Statistical anomaly detection

This release enables users to baseline any performance metric or flow data collected by AccelOps and create an alert when the current value of the metrics deviates significantly from its statistical baseline. Baselines are created on an hourly basis for each distinct hour of the day and separately for work and non-work days – a total of 48 buckets. This fine-grained approach allows for accurate behavioral analysis. The baselines are learned automatically and updated continuously in an attempt to learn the new normal. The following baselines are available out of the box

Network Traffic Analysis

Network traffic – by sender, by receiver, by connection – total flows, sent bytes, received bytes, sent packets, received packets

Firewall TCP/UDP port traffic – by inbound,  by outbound – permitted traffic and denied traffic – total flows Firewall total denied flows

VPN usage – by user – time spent and total traffic volume

Host resource usage – CPU, Memory, Virtual Memory, Disk I/O

Application resource usage – CPU, Memory

Network interface usage – by interface – utilization, sent bytes, received bytes, sent errors, received errors SAN usage – LUN I/O

NAS usage – Volume usage, Protocol latency

DNS requests – by sender – requests, unique resolution requests

ICMP requests – by sender – requests, unique destinations

Web requests – count, errors, distinct clients

Reporting eps

Login – successful count, failed count

Server process count

Login – successful count, failed count

Reported Event types

Reported Errors

User seen – distinct count

Statistical anomaly detection is covered here.

Ability to drop events

Certain devices and applications generate a significant of logs. Often logs are very verbose and certain log types are of little value and waste valuable storage. This release provides the ability for user to drop the events immediately after they are accepted by AccelOps. These logs do not count towards licensed eps and do not trigger rules.

Ability to drop events is covered here

Enhanced PDF export

The charting technology in PDF reports is significantly enhanced – the exported charts now look similar to what the users see in GUI.

Remote connectivity to collector devices

After detecting a problem, often there is a need to open a session to a monitored device either via Telnet/SSH, VNC, HTTP(S), Microsoft RDP directly from AccelOps GUI. This release release enables AccelOps users to launch terminal sessions to monitored devices for the following two cases

device is in the same data center as Supervisor/Worker

device is in a remote date center behind a firewall and monitored by a Collector. This case uses a reverse SSH tunnels between Collector and Super

The topic of opening remote connections to collector devices is covered here.

CMDB device discovery filter

This release enables users to control the CMDB device discovery process by including or excluding certain device types. For virtualization discovery, powered off VMs and VM templates can also be excluded. This facilitates a “clean” CMDB consisting of only the devices of importance to the user.

Setting up CMDB device discovery filters is discussed here.

The following reports in CMDB > Reports > System Audit can be used to report on devices added or deleted to CMDB via discovery

CMDB: Device Addition and Deletion History

CMDB: Device Modification History

Delta discovery

Because of the depth at which AccelOps discovers a device, a full discovery of a range of devices can take some time. Often there is a need to quickly detect only the new devices in the network. This is an important PCI compliance requirement – for security purposes, it is critical to know if there are any new devices plugged in to the network. This release enables users to quickly discover devices and applications that are not already in AccelOps CMDB.

Setting up delta discovery is discussed here.

The following reports in CMDB > Reports > System Audit can be used to report on devices added or deleted to CMDB via discovery

CMDB: Device Addition and Deletion History

CMDB: Device Modification History

Query/Rule usability enhancements

This release improves the Query/Rule usability by creating the following shortcut operations.

Ability to turn a query to a rule (see here) and vice versa (see here)

Ability to convert a historical search to a real time search and vice versa (see here) Ability to smart copy a query from one tab to another (see here)

Ability to create display and filter templates and use them later in a query or rule (see here)

Support OpenLDAP for user discovery and external authentication

This release extends user discovery and external authentication capabilities from Microsoft Active Directory to also include OpenLDAP servers.

Setting up OpenLDAP based discoveries and external user authentication is covered here.

Support secure LDAP protocols: LDAPS and LDAP Start TLS

This release extends secure LDAP protocols: LDAPS and LDAPStartTLS for user discovery and external authentication. This topic is covered here.

CMDB Report extensions

Currently users can create CMDB reports for exporting CMDB information. Currently this includes a report of devices in CMDB, their installed and running applications, hardware inventory etc. This release extends this capability to include users, rules and reports. Specifically users can now run reports on

Discovered users

AccelOps administrative users and their roles

Active Rules with exceptions if any

Scheduled Reports

Active Performance Monitors

For details see here

The following inbuilt reports in CMDB Report section can be used to quickly get relevant information.

Discovered Users

Externally Authenticated AccelOps Users

Locally Authenticated AccelOps Users

Manually Defined Users

Active Rules

Inactive Rules

Rules with Exceptions

Scheduled Reports

Active Performance Monitors

Performance and Availability Monitoring

Customizable high performance summary dashboards

Summary dashboards, a unique AccelOps feature, provide a real-time bird’s cross-domain metrics and health of a device or a group of devices or applications. There are 3 types of dashboards:

single level e.g. All Network dashboard, Hardware summary

two-level dashboards e.g. database performance dashboard, ESX-VM dashboard

three level dashboards e.g. Business Service dashboard (Business Service -> Devices -> Applications), VM Cluster dashboard (Cluster -> ESXs -> VMs)

In this release, all of these dashboards are enhanced for scalability and extensibility:

the dashboards are now configurable users can create their own dashboards

users can add their own performance metrics whether they are collected by default or created by customers as custom monitors paginated dashboard views eliminate the limitation of 300 devices/applications per dashboard – searching and sorting happens across the entire set of devices, not just on the page the user is on

most performance metric computations (like maximum or average interface utilization over all interfaces of a device) are now shifted from the GUI to the Super/Worker cloud – this dramatically reduces GUI network bandwidth and improves GUI rendering speed.

The ability to customize a summary dashboard is covered here.

Generalized Selenium based Web Synthetic Transaction Monitoring (STM)

The ability to monitor websites by running complex multi-level synthetic monitoring tests is an important criterion. This release allows AccelOps customers to record any web transaction from a web browser via Selenium plugin, and then play it back within AccelOps framework for continuous monitoring. Alerts can be triggered when the script fails to run or has an unacceptably large delay.

For setting up a Selenium based Web STM, see here.

End-to-end Email Synthetic Transaction Monitoring (STM)

For properly testing the health of email system, it is important to be able to test the entire path of an email: sender -> SMTP gateway -> receiving SMTP gateway -> receiving mailbox. This release provides AccelOps users a framework to run end-to-end e-mail synthetic tests, e.g. AccelOps will send an email and make sure that the same email is received within an acceptable time limit. Alerts can be triggered when an email fails to arrive or has an unacceptably large delay.

For setting up an end-to-end email STM, see here.

Custom SSH based command output monitoring

Often customers have scripts that monitor certain aspects of a system or an application and there is a need to get those script outputs into AccelOps for reporting and alerting. This release provides customers a framework for running these scripts remotely, bringing back the command output via SSH, parsing the output and creating events for further analysis in AccelOps.

For setting up command output monitoring, see here.

Log Management and Security Incident Event Monitoring (SIEM)

Watch list

This release enables users to create and manage watch lists. Watch lists are (often dynamic) containers that can hold objects of interest, e.g. Network Scanners, Frequent Locked out users, Externally excessive denied ports, High I/O Virtual machines etc. Watch lists can be dynamically populated when a rule triggers. An entry can leave the watch list if it does not trigger in a defined period of time or the entry could be permanent. A watch list can also be populated statically. A watch list can be further used in a rule condition in a nested manner to trigger rules of significant more significance. Watch lists provide a easy way to keep track of important policy violators in a monitoring system without always running reports.

For setting up command output monitoring, see here.

Agent less file change and file integrity monitoring

Unauthorized and untested configuration changes often lead to critical failure conditions. AccelOps already provides a way to keep track of network device configuration changes. This capability is further extended in this release to address the following situations – in an agent less fashion.

File integrity via checksum for specific files or directories on a server – trigger an alert when there is a change in any file in any directory.

The files need to be accessible via SSH or Telnet.

Monitor the content of a file on devices and make sure that it is identical to a target “blessed” file. Alert when the monitored file differs from the target file and show exactly what has changed.

Setting up agent-less file change/integrity monitoring is discussed here.

Log integrity validation

This release enables AccelOps customers to demonstrate to security auditors that the collected logs have not been tampered with, while at rest within AccelOps monitoring system. To achieve this, logs are cryptographically signed immediately upon arrival at the AccelOps point of entry. Using the AccelOps GUI, the cryptographic checksum can be validated to prove to the auditors that logs have not been tampered with. In case the logs have indeed been tampered with, AccelOps can identify the time period of the affected logs.

Log integrity validation is discussed here.

Compliance reporting

AccelOps already provides compliance reports for the following standards: PCI, HIPAA, COBIT, GLBA, FISMA, NERC, GPG13. This release extends this set by providing compliance reports for the following standards

SANS Critical Controls ISO

Device Support

Checkpoint Provider-1 – collect  firewall logs from CLM and audit logs from MDM – see here for details

MySQL database – discovery, performance monitoring and audit log collection and analysis – see here for details

IBM DB2 Audit Log  – audit log parsing and analysis –  see Configuring Security Gateways for details

Cisco AVC – log analysis via Netflow

McAfee Foundstone Vulnerability Scanner – full log parsing and analysis  – see Web Server Configuration for details HyperV log parsing via Honeycomb agent

Windows log parsing and file integrity monitoring via Honeycomb agent

Windows log parsing via Correlog agent

Dell Blade center

EMC Data Domain

Citrix NetScaler performance monitoring

Link interface errors (1.3.6.1.2.1.10.7.2)

EMC Isilon

Alcatel AAA Radius syslog

Miscellaneous Key Enhancements

Quick interface utilization drill down via Netflow

This release enables users to quickly analyze a network interface usage issue by combining SNMP and Netflow. SNMP provides interface utilization metrics and Netflow provides the traffic on that interface. AccelOps makes this connection seamless assuming that the router/switch is monitored by SNMP and also sending Netflow to AccelOps.

To achieve this drill down

Go to CMDB, select the router and click ‘Interface Stats’. The displayed data is from SNMP.

Note that for any interface, there is a drill down for Inbound or Outbound traffic. Select the desired direction and the interface usage for the chosen direction is displayed. This information is gathered from Netflow.

Manually define trunk ports

User identity and location is a key feature in AccelOps. To accomplish this, AccelOps automatically discovers switch trunk ports to ensure that only the access ports and not trunk ports show up in Identity and Location reports. An exception is of course VoIP ports which have PCs connected to them. This release enables to manually label certain discovered interfaces as trunk ports. Future discoveries will take this input into consideration and not create Identity and location entries for those user defined trunk ports.

To label a discovered interface as a trunk port, go to CMDB; choose a device; ‘Edit’ interfaces; check the Trunk Port checkbox and click Save. You need to do a discovery again to get new identity and location information.

Add CMR Support for Cisco VoIP

Cisco VoIP Call information is in two files

CDR records – this contains primarily the Call originator and Call destination information CMR records – this contains call quality information – MOS scores

Prior to this release, AccelOps only handled CDR records. This release is able to “join” CDR and CMR records to append the call quality information to the call originator/destination information in a single event.

Limit excessive generated incidents

 

Cisco ASA/IOS Remote Access VPN Monitoring

 

Most Expensive Query report

As part of database performance monitoring, AccelOps can now monitor the most expensive queries. Currently it works for Oracle and MS SQL Server.

 

Two rules are provided that trigger when a query takes more than 5 minutes to complete. The query has to complete for the rule to trigger.

VM Snapshot monitoring

VM Snapshots consume lots of space. This release allows you monitor the space taken up by snapshots

Excluded Disks

Often there are certain disk volumes that are either read only or always close to full and never grow. Because of these disks, these servers always as CRITICAL in dashboards. This release enables users to exclude these disks from monitoring – details are here.

Fixed Issues

General GUI related fixes and enhancements

Bug 7580: While trying to validate a custom parser (cloned), user gets “Backend error code: 139” and cannot continue working on parser Bug 7589: Remove 300 device limitation in custom dashboard

Bug 7648: Devices do not update after moving Organizations

Bug 7713: Chart is not displayed in report if generate the report with “Display as” columns.

Bug 7780:  CSV exported report does not need extra commas

Bug 7958: Dashboard displays error when Request XML is over 20MB

Bug 8119: Clear Reason for system cleared has incorrect “active for more than 7 days”

Bug 8166: When creating a Ticket the “Assigned To” drop down contains ALL LDAP users, not just AO users

Bug 8170: Add search box on floating dialog boxes showing Performance Monitor errors

Bug 8180: Customer ID of All Report Notification report shows Super always

Bug 8683: Dashboard for Oracle does not display instance status

Bug 8713: Need to allow to import downloaded malware domain csv file manually

Bug 8719: Display IPS Generator ID and IPS Signature ID in wrong format

Bug 8725: “Last Update” of malware domain/blocked IP is not updated

Bug 8736: Ability to set values for ports, applications, device types at global level in CMDB that apply to all orgs

Bug 8762: If you schedule a report and set a custom value in Maximum graphs or Maximum rows and save it then go back into scheduled reports, it goes back to default values. It appears graphs/rows are saved with the custom values because scheduled reports work correctly.

Bug 8768: After changing the Font – some words do not fit correctly

Bug 8826: Customer added a second email address in Admin -> General Settings -> Analytics. Scheduled Report emails are not being sent to the second address

Bug 8946: Org Users should not  be able to see Systems Errors from other Orgs Bug 8962: Allow for bulk delete of report results.

Bug 8963: Perf Incidents are not displayed properly from Dashboard (Exec. Summary)

Bug 8989:  Disk utilization drill-down dialog stop working once browser loose focus

Bug 9072: When editing credentials of various protocols, they all display the ‘description’ field. SNMP v3 protocol does not display this field. This led users to incorrectly use the context field to to put description which caused failures.

 

Bug 9073: When looking at a widget – in this case “Top Incidents by Severity, Count”, and you drill down into an incident, you are brought to the incident page with a list of the incidents – BUT – after sorting the widget, and drill down on the same incident, you are show an incorrect incident

Bug 9096: Parse out additional fields in Symantec AV events

Bug 9116: Remove SMS notification configuration from user guide

Bug 9182: Clear incident notification email contains incorrect host name which belongs to another org with the same IP

Bug 9311: Too many tasks causes GUI to be slow

Bug 9332: The report output limitation is incorrect in the pop up report run dialog

Bug 9374: Maintenance Calendar does not save Devices folders

Bug 9391: Notification policy does not work when set only the days of the week and the start date, toggle the days of the week

Bug 9539: Need to forbid “Test Rule” button for rules from organizations

Bug 9628: Daylight saving time (DST) causes report editing to not properly re-save time

Bug 9675: For Juniper SRX devices that have virtual interfaces with a 192.0.0.0 subnet mask, user cannot edit and modify any CMDB fields for this device

Bug 9734: Read-Only Admin Role allows credential to IP association edits with double click

Bug 9839: Provide ability to export IP Range to Credential associations. Currently, the Export button on Admin->Setup->Credentials only exports the credentials but not the IP to Credential associations

Bug 9892: When export CMDB report run for 1 Org, you get data for ALL Orgs

Bug 9953: Deleting Clear Conditions in Rule do not work

Bug 10023: In Dashboard > widgets > combo view,  y -axis has no scale value

Bug 10046: Last updated method overwrites the health page. Discover first using WMI then VM_SDK and you get just the VM stats Bug 10161: When SVN has too many configuration/installed software revisions on single device, UI got timed out by 120 seconds.

Finally, UI shows error and cannot see device configuration

Bug 10186: Email notification contains another organizations Interface description

Bug 10202: AO-SP: Rule Sync Errors dialog show other organization’s error

Bug 10215: AO-SP: For Rule Synch errors, an Org user should be able see ONLY his own changes causing synch errors. Super/global should be able to see all Organization errors

Bug 10263: LDAP discovery does not add users when there is an exception caused by the address field is too large to fit into our 256 character column field on ph_contact

Bug 10288: For Report Bundles, report end times are off by 1 minute

Bug 10292: For Report Bundles, absolute schedule time not saved when custom email notification is chosen

Bug 10344: Prevent user from entering more characters then allowed in text fields in UI. When creating a device maintenance schedule, entering too many characters in the description field resulted in “transaction marked for rollback” message

Bug 10673: Custom group does not show up in role management UI Access tree. This issue is affecting to many places such as Dashboard, CMDB, query condition builder

Bug 10829: When selecting multiple devices in CMDB for setting up maintenance schedule the devices do not have name in dialog box. This is GUI issue only.

Platform related fixes and enhancements

Bug 7600: Provide a CMDB Report for Active Rules for an Organization

Bug 7680: External authentication does not work with OpenLDAP

Bug 7953: Events dropped based on Elastic EPS being too slow in changing values

Bug 8142: Event Packager port unnecessarily open on the super and workers

Bug 8213: Back end modules should check certificates during SSL communication

Bug 8278: Script for creating bluecoat ftp directory does not change owner.group to ftpuser.ftpuser

Bug 8279: Every time AO device is rebooted bluecoat ftp directory owner.group are reset to admin.admin preventing files from being ftp’ed to AO

Bug 8650: Need to consolidate NSCD package to nscd-2.5-24 with its updated configuration Bug 8676: Proxy configuration does not work

Bug 8718: Add CMDB Report for Users in AccelOps

Bug 8869: Provide capability in CMDB reports to extract intersection (AND) of 2 criteria – when the criteria partially overlap

Bug 8983: Need to auto-compact JMS request queue

Bug 9065: Empty username and password in the base URL definition causes upgrade failed

Bug 9184: Support CS MARS type drop rules

Bug 9283: Documentation for Amazon AWS need to say Access key and Secret access key instead of User ID and Password

Bug 9341: Global EPS license is ignored when Elastic EPS allocates EPS based on previous configuration

Bug 9630: Create a report for all users with system roles in AccelOps

Bug 9669: Limit the amount of times that AppServer retries a transaction

Bug 9928: Create a report for Monitor Change Performance errors

Bug 9937: Do not overwrite phoenix_config.txt upon upgrade

Bug 10009: Create a report to show all processes and open ports

Bug 10143: Customer certificate overwritten in ssl.conf with 3.7.6 upgrade

Bug 10223: Cache files created by incident notification are never removed

Bug 10525: Provide an option to not show the Domain drop-down list from logon page for external authentication Bug 10567: Fix customer found Apache security vulnerabilities

Performance Monitoring / STM related fixes and enhancements

Bug 7787: Add Virtual Memory Utilization Attributes support

Bug 8254: False high Exch Metrics

Bug 8700: Monitor VM snapshots

Bug 8837: AO is losing checkpoint firewall events every time phCheckpoint crashes

Bug 8919: The average processing time for Glassfish servlets and processors are wrong

Bug 8981: Windows log pulling time interval not implemented correctly

Bug 9137: Add load balancing metrics for Cisco ACE load balancer

Bug 9458: Need instance availability monitoring via Amazon AWS SDK

Bug 9508: Add performance monitoring for Citrix NetScaler

Bug 9627: “PH_DB_DATA_ERROR: cannot decrypt password for principal” exception thrown when running perfMonitor rest API on

Super in SP mode when there are devices monitored by a collector

Bug 10028: Performance monitor job status does not update (shows yellow star)

Bug 10222: Enhance custom performance monitor to include string index (currently only integer index)

Bug 10249: Cisco ASA CPU, memory utilization not populated correctly

Bug 10471: NX-OS devices PH_DEV_MON_INTF_UTIL not calculated correctly sometimes

Bug 10512: Apache metrics are not being pulled

Bug 10527: Fail to collect UDP echo IP SLA stats

Bug 10608: Monitoring Windows network interface statistics via WMI sometimes crashes when server has more than 1 network interface

Bug 10618: Hardware Monitoring for Cisco IOS and NX-OS devices stops after 3.7.6 upgrade

Bug 10650: Important process with long parameters (like java) are not being detected as down when they are indeed down

Bug 10827: Enhance Linux disk utilization by accounting for reserved space

Bug 10921: Generate per-host LUN usage metrics for EMC VNX/Clarion

Rule / Query / Report Engine related fixes and enhancements

Bug 7509: Prohibit user from choosing past dates in scheduled reports

Bug 8376: Reports saved as csv have blank “Event Name” column

Bug 8811: Query returns nothing for user defined port/protocol group

Bug 9405: Analytics can only query top level CMDB Application Groups

Bug 10183: When running a long report, App server needs to retry if Query Master does not respond

Bug 10345: Report Scheduler not sending reports at the correct time

Bug 10348: Daylight Savings Time (DST) causes report editing to not properly re-save time

Bug 10349: Quartz worker thread pool are too small to handle large set of scheduled reports

Bug 10487: Enhance CONTAIN operator to match anywhere in string – not just in the beginning Bug 10767: Eliminate Rule synch errors caused by Rule exception

Parsing related fixes and enhancements

Bug 7625: Suppress certain events from being parsed

Bug 7639: Windows Parser does not completely parse when key pair fields are in Spanish

Bug 8216: Parse out additional fields in ASA-722051 event

Bug 8355: Allow event forwarding based on event severity

Bug 8702: Event Type Win-Security- 4656 does not parse object type and object name

Bug 8758: Symantec AnitVirus logs – virus file name not being parsed

Bug 8874: Fix Microsoft UAG parser

Bug 8889: Fix Forescout CounterACT parser

Bug 8895: Allow parsing of “:” in certain Cisoc IOS messages

Bug 8999: Windows WMI OS Parser does not properly parse all fields on SQL Server Events

Bug 9024: Windows Parser needs to strip the @Domain.xxx at the end of “account name” in the key-value-pair

Bug 9026: from Admin->Device Support->Event Type, if you click on the amplifier icon on the search box and uncheck ‘Device Type’, it ignores the search columns settings which always includes Device Type as part of search. Actually it ignores whatever is unchecked, it always displays the default

Bug 9451: WatchGuard Firewall Parser Missing Events

Bug 9587: Email subject is sometimes not parsed by Cisco IronPort Mail parser

Bug 9641: Save event name from Cisco IPS Alerts

Bug 9709: Add support for Alcatel AAA Radius syslog

Bug 9843: NetApp snnp traps not parsed

Bug 9861: Change Parser to not create User= “-” for event type IIS-Web-Client_Access_Denied

Bug 9862: F5 BIG-IP LTM new version has syslog not parsed by our current parser

Bug 9955: Cisco switch events for dynamic ARP inspection (SW_DAI-4-DHCP_SNOOPING_DENY) are not being fully parsed

Bug 10090: Cisco ASA Parser enhancement –  add the type of Remote Access connection that is used when a DAP is applied

Bug 10091: Parse WLAN AP Host Name attribute for Cisco WLAN disassociation SNMP traps

Bug 10092: Enhance Cisco Call Manager CDR parser to get the CM Login User ID of the caller

Bug 10119: Logon Fail events misclassified as Login Success events

Bug 10286: AccelOps is not parsing Severity and Source / Destination addresses, Event Type, Event Name, etc. from Snort Sensor IDS logs, because of the <br0> between the [Priority 1]: and {TCP}

Bug 10324: Parse addition fields for Symantec Endpoint Protection (SEP) logs

Bug 10381: Fix JunOS log parsing errors

Bug 10408: Parse logs generated by Correlog windows agent

Bug 10418: Parse user name from Windows MSSQL Event 18453 Bug 10458: Convert TOS values to DSCP values in Netflow

Bug 10511:  Parse out Account Name and Object Name for Win 4670 events

Discovery related fixes and enhancements

Bug 6574: Provide an option for removing VM monitoring

Bug 6955: Support secure LDAP protocol

Bug 7888: Checkpoint running SPLAT OS being incorrectly discovered as Generic Linux

Bug 8681: Redhat 10GB Interface discovered as 10MB

Bug 8769: Support MySQL – discovery, performance monitoring and log collection

Bug 8984: Compress Discovery result before sending to App server

Bug 9042: MS SQL Server JDBC discovery fails but AO still pulls some perf metrics but not all This is unique to MS SQL Server 2012.

Bug 9058: LDAP discovery using “daysToPasswordExpiry” is completely wrong

Bug 9070: Add SNMP support for Dell Blade Center / Chassis Mgmt Controller

Bug 9134: Support EMC Data Domain

Bug 9290: Add region to AWS EC2 discovery

Bug 9420: Checkpoint discovery does not have Installed Software/Running Process on GAIA/Security Platform

Bug 9474: VM discovery does not work with symbol character for password

Bug 9584: Make the ‘show ip route’ command optional in discovery of Border routers with millions of routes

Bug 9790: VMSDK discovery failure does not show complete failure reason

Bug 9827: Option to include or exclude VM Guest hosts during ESXi / VMSDK discovery

Bug 10025: Add device support for standalone Cisco WLAN AP (not controllers) running IOS

Bug 10171: Cisco IPS module in ASA has wrongly discovered IPS SW version

Bug 10437: Cannot discover Cisco device by SSH with high privilege user

Bug 10524: Discovering powered off VMs may cause incorrect merge if the VMs have a shared IP address

Bug 10530: Linux interface speed incorrect

Bug 10677: Interface alias not discovered when an interface has more than one addresses

 

Open Issues

Bug 7537: Can not create new incident category in VA mode. AO-SP works correctly. Workaround is to manually add the incident category to a rule in the database.

Bug 7191:  Device Maintenance window cannot be larger than 1 day

 

 

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM What’s new in Release 4.2.2

What’s new in Release 4.2.2

This release fixes several issues and adds several enhancements on top of 4.2.1 release.

 

Note: To upgrade to this release, migrate to 4.2.1 first and then upgrade to 4.2.2. It is not possible to directly upgrade from 3.7.x to 4.2.2

because of the operating system changes.

 

General GUI related fixes and enhancements

Platform related fixes and enhancements

Performance Monitoring / STM related fixes and enhancements

Rule / Query / Report Engine related fixes and enhancements

Parsing related fixes and enhancements

Discovery related fixes and enhancements Open Issues

 

General GUI related fixes and enhancements

Bug 5532: User can write duplicate event forwarding rules

Bug 8100: Under CMDB > Blocked IP addresses > Emerging Threats, the last updated time stays at 1969 even after setting up the “Update Automatically”

Bug 9023: For Selenium based Web STM, the Selenium script upload file feature should report an error message when user doesn’t select a file

Bug 10279: Exporting and then importing back the same report creates two reports

Bug 10306: Remedy incident clear time is incorrect in AccelOps

Bug 10741: Adding a Selenium script definition using Edit/Paste fails with run time error: Could not find Firefox in your system Path.

Bug 10816: Clone Event Attribute Type has not Value Type

Bug 10848: Null column header shows in report when exporting incident “Incident Notification Error”

Bug 10880: In Analytics > Generated Reports, a user with  read only view privilege should not be able to delete a report

Bug 10972: Maintenance calendar month view should display as March 2014 instead of 03,2014

Bug 10993:  Load Report page is not paginated – loads slowly

Bug 11017: User with edit and run privilege can not export Identity and Location Report

Bug 11027: User with View and Run privilege should not be able to Import Rules

Bug 11046: GUI allows multiple organizations without collectors with overlapping IP address ranges

Bug 11047: Incident notification via email: Incident details incorrectly shows Triggered Event Count  instead of Incident Count

Bug 11051: Clicking Related Incidents for “Excessive Denied Connections From An External Country” shows errors

Bug 11067: Test Connectivity button does not work but the drop down menu works

Bug 11072: Schedule field in CMDB report on Report does not support multiple records

Bug 11178: Imported custom dashboard column can not show in org view

Bug 11264: Add “free disk” to Exec Summary and All Device dashboard

Bug 11306: Allow other Flow sources like SFLOW, ASA Netflow in CMDB > Interface Stats > Inbound/outbound flow drill down   a

Selenium scrip

Platform related fixes and enhancements

Bug 11122: Incident notification via SNMP and HTTP(S) fails on VA mode

Bug 11127: Notification action is successful but the Incident Notification Status column is empty

Bug 11168: Incidents which belong org with collector can display in orgs without collector on incident dashboard calendar view page Bug 11184: System error “succeed ratio too low” isn’t cleared automatically Bug 11286: Upgrade to CentOS 6.5

Performance Monitoring / STM related fixes and enhancements

Bug 11053: Capture reserved disk size for Linux disk space monitoring

Bug 11195: Incorrect User Connections information on MySQL dashboard

Bug 11221: Linux disk space monitoring (via SSH) does not work for Debian Linux

Bug 11305: Remove PH_DEV_MON_CUST restriction from Custom performance jobs – this allows new device type’s CPU, Memory to be shown in dashboards

Bug 11332: Faulty Hardware monitoring – if failed once – then never reattempted again

Rule / Query / Report Engine related fixes and enhancements

Bug 11246: Unable generate reports using Network Segment folders

Parsing related fixes and enhancements

Bug 11099: Parse PostFix SMTP gateway logs

Bug 11149: Need to alert on Microsoft Cluster Service Failure errors

Bug 11153: Add parsing for Symantec IDS events

Bug 11167: Incorrect error handling for XML parsing by the parser module

Bug 11177: Need to set event severity from syslog priority field

Bug 11201: Fortinet parser extensions to cover more event parsing

Bug 11222: Clone and Test CiscoIPSParser does not work

Discovery related fixes and enhancements

Bug 11193: CMDB reports wrong memory unit for EMC VNX and Clarion

Bug 11232: Merge across Collectors incorrect in some cases – we need enhancement to merge same host across collectors so long they belong to same organization

Bug 11233: CMDB view is incorrect for VCenter discovered VMs when multiple guests on common ESX is split across customers

Bug 11236: Nx-OS interface speed incorrect when an interface has both ifHighSpeed and ifSpeed entries

Bug 11244: Need to add Windows 2008 R2, Windows 2003 R2, Windows 2012 R2 as new device types

Bug 11261: Cisco IOS router discovery crashes in certain cases with Cisco VoIP entries

Bug 11263: Show datastores for ESX during VCenter/ESX discovery

Bug 11264: Detailed Linux device type discovery using SSH – replace General Linux with Redhat Linux, Ubuntu Linux etc

Bug 11277: Remove extra “System Reserved” disk for Windows via WMI

Open Issues

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!