Category Archives: Administration Guides

FortiSIEM What’s New in 4.5.2

What’s new in Release 4.5.2

Bug Fixes

New Device Support

Bug Fixes

Bug ID Severity Component Description
15260 Major GUI Group By cannot be saved in Rule sub-patterns when creating / editing rules
15346 Major GUI vCenter Cluster level CPU and Memory Utilization events are not generated
15368 Major App Server Sometimes airline monitoring events have customer id 1 (Super/local) instead of the correct customer id (corresponding airline)
15398 Major System Upgrade issue – VMware pulling via Collectors – old VMware SDK libraries (vim25-4.0.jar, vim-4.0.jar) in Collector cause VMware event pulling problems
15399 Major System Upgrade issue – missing perl-IO-Socket-SSL and perl-NetAddr-IP packages on 4.5.1 Collector cause eStreamer communication from the Collector to fail
15400 Major Parser “use_dns_lookup=no” flag NOT working for SyslogNGParser and UnixParser
15266, 15330 Normal Parser Excessive DNS failed login causes phoenix.log to grow
15373 Normal Data Windows successful logon event parsed incorrectly as logon failure event
15317 Normal GUI Mistakenly removes Event Receive Status for Windows Agent when user disables WMI event pull
15397 Normal Data Manager Occasional crash in phDataManager due to out-of-scope pointer usage
15294 Normal Parser Strange device types created in CMDB from Netflow discovery
15313 Normal App Server Exception causes App Server task cache and database to go out of sync – this causes a memory leak in Agent Manager
15343 Normal App Server Creating a rule exception in Super Local erroneously removes the corresponding entry from the system watch list
15120 Minor Data Fortinet IPS Event Severity parsing is incorrect
15249 Minor Data Some CMDB Reports containing a single quote in the Filter condition are displayed incorrectly and do not produce correct results
15253 Minor Data Reporting device name is parsed wrong in LinuxInotifyParser
15255 Minor Data Windows Server Failed Logons report definition is incorrect because logon failure events do not have winLogonType
15265 Minor Data Reporting device name is parsed incorrectly in agentless FIM events
15320 Minor Data AccelOps-WUA-WinLog should be parsed to syslog
15344 Minor Data Parsing error for Sourcefire, Cisco ACS, Junos
15371 Minor Data H3C syslog events have incorrect Reporting IP 0.0.7.224
15376 Minor Data One system CMDB report in Ungrouped category
15345 Minor Data Some profile rules did not report incident attributes correctly
15369 Minor Data Should not show SSH credential for Cisco FirePower in Credential tab
15285 Enhancement Data Parse IOS-CDP-NATIVE_VLAN_MISMATCH
15372 Enhancement Enhancement Parse attribute from Windows System Time Change events and add a PCI report

New Device Support

Symantec DLP – log analysis – see here

IBM OS400 (iSeries) Log Parsing via Townsend Agent – see here

Tufin SecureTrack – log analysis – see here

IBM Guardium – log analysis – see here


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM What’s New In 4.6.1

What’s New in Release 4.6.1


This release adds features and functionality in several areas.

Platform Features

Two factor authentication

Salesforce ticketing and CMDB integration

Ability to decommission a device from CMDB

Ability to export/import widget dashboard

Dark theme dashboard

Disaster recovery scripts

Performance and Availability Monitoring

Microsoft Azure compute discovery

Link usage dashboard

Log Management and SIEM

CyberArk Password Vault Integration

Salesforce CRM Audit support

Microsoft Azure Audit support

Cisco CloudAMP API support

ISO 27001 Compliance support

Device Support

New Support

Significant Enhancements

Allow users to move devices from one system defined CMDB group to another

Handle syslog over TCP

Reduce system CPU usage for SNMP V3

Keep Identity and Location database table size within limits

Allow scheduled reports to be copied to a new location

Allow queries via API to return results in csv format (gzipped)

Add a flag to control the use of winexe in discovery

Allow user to format Comment field in ServiceNow and ConnectWise for Incident Outbound

Ability to choose host name resolution mechanism during discovery

Create CMDB Report for Custom Threshold

Allow user to choose SNMP port during discovery

Bug Fixes / Enhancements

Current Open Bugs/Enhancements

Platform Features

Two factor authentication

Presently the following single-factor authentication methods are available for authenticating AccelOps GUI users:

Local authentication

External authentication via LDAP (Microsoft Active Directory and OpenLDAP), via RADIUS, and cloud authentication via SAML (Okta)

This release makes AccelOps more secure by enabling two-factor authentication via Duo Security. The administrator tightens a user's authentication profile by specifying two-factor authentication; AccelOps then prompts the user for the second-factor credential after the regular login. Other two-factor authentication services, e.g. Google Authenticator, will be added in future releases.

Details on how to set up two-factor authentication are described here.

Salesforce ticketing and CMDB integration

This release extends third party CMDB and ticketing integration by providing a plugin module for Salesforce.

Devices discovered in AccelOps can be synced to Salesforce

A ticket can be created in Salesforce when an incident triggers in AccelOps

Ticket status is updated in AccelOps when the ticket is closed in Salesforce

Details on Salesforce ticketing and CMDB integration are discussed here.

Ability to decommission a device from CMDB

Often there is a need to decommission a device and assign its IP address to a new device. Currently the user has to delete the old device, otherwise the old and the new devices are merged because they share an IP address. However, there may be a need to keep the old device in the CMDB for audit purposes.

This release solves this problem by providing a separate folder for decommissioned devices. Once a device is decommissioned, it is removed from all CMDB groups and maintenance calendars, and performance monitoring is stopped. The device is moved to the Decommissioned device folder. A new device with the same IP address can now be discovered and the two devices coexist in the CMDB.

For details, see here.

Ability to export/import widget dashboard

This release provides the ability to export a widget dashboard definition into an XML file. Every dashboard customization e.g. chart types, widget positioning is saved. Another user can then import the XML file and see exactly the same dashboard. This feature saves lots of work in recreating dashboards.

For details, see here.

Dark theme dashboard

This release allows users to have a dark theme dashboard. Currently this is a global setting – so all users would have the same theme.

For details, see here.

Disaster recovery scripts

A common way to perform disaster recovery is as follows:

Set up a separate AccelOps cluster (Super, Workers) in a distant location – this is the passive instance

Replicate the CMDB, SVN and event database

CMDB can be replicated by copying the exported file or by enabling PostgreSQL replication

SVN and event database can be copied over via rsync or NFS

This release provides a script which brings up the passive instance and makes it active. When disaster strikes, the user does the following:

  1. Run the script on the passive instance's Supervisor node.
  2. Register the passive Supervisor.

Performance and Availability Monitoring

Microsoft Azure compute discovery

This release enables users to discover virtual machines in the Microsoft Azure cloud using Azure API. The API provides basic information like host name and access IP address. Therefore, SNMP and/or WMI must be used to discover the virtual machines in depth.

For details, see here.

Link usage dashboard

For perimeter network devices such as firewalls and routers, it is important to know which interfaces are busy and which traffic is consuming the most resources. This special dashboard provides this view and enables users to determine which router interfaces are over-utilized, which applications are using them, and what the QoS statistics are.

For details, see here.

Log Management and SIEM

CyberArk Password Vault Integration

AccelOps needs credentials to communicate to devices. Until this release, credentials needed to be stored locally (encrypted). This release allows device credentials to be fetched from CyberArk Password Vault. This makes AccelOps more secure.

Setting up CyberArk is discussed here.

Using CyberArk for discovery is discussed here.

Configuring AccelOps for receiving CyberArk syslog is discussed here.

Salesforce CRM Audit support

Audit logs from Salesforce CRM application can now be collected by AccelOps. For details see here.

Microsoft Azure Audit support

Audit trails from Microsoft Azure cloud can now be collected by AccelOps. For details, see here.

Cisco CloudAMP API support

Rather than have a FireSIGHT Manager on premise, customers can choose to send alerts to the cloud. Using Cisco provided CloudAMP API, AccelOps is now able to collect (mostly end point) alerts from the Cisco Cloud.

For details, see here.

ISO 27001 Compliance support

This release adds reports for ISO 27001/27002 compliance specifications.

Device Support

New Support
  1. Cisco ONS – discovery, performance monitoring via SNMP and log analysis – see here
  2. Cylance Protect – log analysis – see here
  3. Pulse Secure VPN – log analysis – see here
  4. Cyphort – log analysis – see here
  5. McAfee Stonesoft IPS – log analysis – see here

Significant Enhancements

Allow users to move devices from one system defined CMDB group to another

Users could already move devices from one user defined group to another. This release extends that functionality to system defined groups. Using this feature, users can fix device mis-classifications made by discovery.

Handle syslog over TCP

AccelOps can now ingest syslog over TCP as defined in IETF RFC 6587, which covers both octet-counting (length-prefixed) and non-transparent (trailer-delimited) framing.
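The framing rules of RFC 6587 are where TCP syslog receivers usually go wrong: TCP is a byte stream, so one read can hold half a message or several, and a receiver that assumes "one read, one message" silently drops or truncates logs. The following Python framer is an added example written for this page, not FortiSIEM's own receiver; it handles both RFC 6587 framings incrementally and the sample messages it is fed are constructed for illustration. The ten-digit cap on the length field is an assumption of this example.

```python
"""Added example: an RFC 6587 syslog-over-TCP framer (illustrative code written
for this page, not FortiSIEM's own receiver).

RFC 6587 allows two framings on a TCP stream:
  * octet counting:  "MSG-LEN SP SYSLOG-MSG", e.g. b"11 <13>hello world"
  * non-transparent: each message ends with a trailer, normally LF

TCP is a byte stream, so one recv() may return half a message or several
messages.  The framer below buffers bytes and only emits complete messages.
"""
from typing import List, Optional

LF = b"\n"
MAX_LEN_DIGITS = 10  # assumption: no sender uses a longer MSG-LEN field


def frame_octet_counted(msg: bytes) -> bytes:
    """Sender side: prefix a message with its octet count (octet counting)."""
    return b"%d %s" % (len(msg), msg)


class SyslogTcpFramer:
    """Receiver side: incrementally split a TCP byte stream into messages."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, data: bytes) -> List[bytes]:
        """Append bytes read from the socket; return every complete message."""
        self._buf.extend(data)
        out: List[bytes] = []
        while self._buf:
            msg = self._next_message()
            if msg is None:
                break  # wait for more bytes from the next read
            out.append(msg)
        return out

    def _next_message(self) -> Optional[bytes]:
        buf = self._buf
        # A syslog message itself starts with "<PRI>", so a leading digit
        # means an octet-counting length field.
        if buf[:1].isdigit():
            sp = buf.find(b" ", 0, MAX_LEN_DIGITS + 1)
            if sp == -1:
                if len(buf) <= MAX_LEN_DIGITS:
                    return None  # length field may still be arriving
                return self._non_transparent()  # not a length field after all
            length_field = bytes(buf[:sp])
            if length_field.isdigit() and not length_field.startswith(b"0"):
                end = sp + 1 + int(length_field)
                if len(buf) < end:
                    return None  # body not fully received yet
                msg = bytes(buf[sp + 1:end])
                del buf[:end]
                return msg
        return self._non_transparent()

    def _non_transparent(self) -> Optional[bytes]:
        """Trailer-delimited framing: emit up to the next LF (CRLF tolerated)."""
        nl = self._buf.find(LF)
        if nl == -1:
            return None
        msg = bytes(self._buf[:nl]).rstrip(b"\r")
        del self._buf[:nl + 1]
        return msg
```

Octet counting is the framing to prefer on the sender when messages can contain newlines (multi-line Windows or application logs), since with non-transparent framing such a message is split into fragments at the receiver.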

Reduce system CPU usage for SNMP V3

In earlier releases, the use of SNMP V3 caused significant system CPU usage during performance monitoring. This issue is resolved by reducing the number of process forks.

Keep Identity and Location database table size within limits

Identity and location entries can quickly fill up the PostgreSQL database. This release allows you to control the growth of Identity and Location entries by specifying two settings in phoenix_config.txt.

PURGE_IDENTITY_LOCATION_OVER_MONTHS specifies the maximum age of entries in the Identity and Location database table. PURGE_IDENTITY_LOCATION_OVER_ROWS specifies the maximum number of rows in that table.

When either limit is hit, the Identity and Location database table is purged.

Allow scheduled reports to be copied to a new location

Earlier releases allowed scheduled reports to be emailed. Now the reports can also be copied to a remote location via SSH.

For details, see here

Allow queries via API to return results in csv format (gzipped)

It is possible to retrieve query results via API. The results are in XML format, which is not very efficient if the result set is large. This release allows query results to be retrieved in gzipped csv files.

Add a flag to control the use of winexe in discovery

AccelOps discovery uses winexe to detect HyperV VMs and to run Windows domain controller diagnostics (dcdiag) and replication monitoring (repadmin /replsummary). winexe runs a command on a remote Windows server; to do so it installs and starts a service called winexesvc on that server, which some customers do not find acceptable.

This release provides users an option to turn off winexe based discovery. This option is available in the discovery dialog.

Allow user to format Comment field in ServiceNow and ConnectWise for Incident Outbound

External ticketing systems do not have as many detailed incident attributes as AccelOps. This release enables users to create a custom formatted string for the comment field in the external ticketing system.

For details, see here.

Ability to choose host name resolution mechanism during discovery

AccelOps discovers devices by IP address and previously used DNS first and then SNMP/WMI to obtain host names for those IP addresses. This release allows users to control that order.

A discovery option now allows users to choose between DNS first (the previous behavior) and SNMP/WMI first (SNMP/WMI, then DNS).

Note – host names, once discovered, are not overwritten by a later discovery.

Create CMDB Report for Custom Threshold

It is now possible to have a CMDB Report containing only those devices for which the user has modified the default thresholds.

Allow user to choose SNMP port during discovery

AccelOps can now connect to SNMP on a non-standard port. The user can define the port during discovery. This option is available in the discovery dialog.

Bug Fixes / Enhancements

Id Severity Component Description
15147 Major System Upgrade loses user defined parsers for user defined device types
15473 Normal App Server Sync Update Config warning not clearing in System Error window
8393 Normal – Credentials can be seen in plain text when running ps on the CLI during discovery and performance monitoring
15221 Normal System Backend C++ modules need to handle XML with empty attributes and not crash
15482 Enhancement App Server Add Device Annotation in CMDB Report and Device Integration Inbound
15500 Normal Performance Monitor Interface performance monitoring job may consume large memory when there are a large number of interfaces
15975 Normal Performance Monitor WMI based log collection executable crashes when handling large messages containing “:”
15816 Normal Performance Monitor HyperV Performance monitor job may consume a large amount of memory over time
15771 Enhancement System Swap sizes on all nodes must be set to memory size to avoid performance issues
15316 Normal App Server Excessive number of expired scheduled device maintenance entries causes performance issues. They are now deleted automatically.
15751 Normal App Server Cloning/creating rules does not place them under the correct Function group (e.g. Security) unless the system (or numerous processes) is restarted
14478 Normal System In some cases, system not able to restore the archived data or delete the restored data
15449 Normal System Prevent large PostgreSQL log files in /cmdb/data/pg_log/ from filling the /cmdb disk
15969 Normal Database Baseline profile schema upgrade error causes excessive logging and failed baselines in some cases
15403 Enhancement GUI RBAC: Report Server Sync button – disallow in “Run” mode, allow in Edit mode
15468 Normal Performance Monitor Java vulnerability pulling agents can randomly fail because of an incorrect way of checking for potentially non-existent parameters in the vulnerability scan reports.
15309 Enhancement Database, App Server Add Reporting Device Name to an incident. Show this field in Incident dashboard. Make sure Incident XML has this field.
15875 Normal App Server Incident ID grew over time and resulted in an overflow causing incident report export to fail
15499 Normal GUI Add “Device Type” in Incident XML for Incident Outbound Integration
16002 Normal Parser Event rate in PH_SYSTEM_DEVAPP_EVENTS_PER_SEC is extremely high
15489 Normal Parser PH_DEV_MON_HW_TEMP of HP Comware switch misses hardware components.
15197 Normal System EMC VNX connectivity test stops working after upgrade
16080 Normal System Need to add Kafka configuration for VA after upgrading to 4.5
15466 Normal Parser WinOSWmiParser not parsing event ids 4800 and 4801 correctly
15988 Normal Data SNMP Service Unavailable incident cannot be triggered

Current Open Bugs/Enhancements

Id Severity Component Description
8867 Normal Rule Engine LAST and FIRST operators in rules do not work (may crash Rule Worker module)
11036 Normal Rule Engine Rule Worker module may abort when a PctChange Expression is used
14242 Normal Query Engine RBAC data conditions not enforced for SP organizations when logging in via the super org and moving to another org.
15022 Normal Parser Engine Parser module may stall/pause if a host name resolution is slow
11112 Normal Rule Engine COUNT DISTINCT operations consume large resources for rules utilizing Anomaly Detection
14478 Normal GUI Sometimes GUI pops up warning (Large amount of data stored over the boundaries) when users restore the archived data or delete the restored data
15109 Normal Performance Monitoring Failed Custom JDBC job shows in performance page after Discovery
15247 Normal Parser AIX Parser cannot parse events correctly.
15253 Normal Parser Reporting device name is parsed wrong in LinuxInotifyParser (affects Linux file integrity monitoring via AccelOps agent)
14929 Normal Performance Monitoring Maintenance calendar issue – Maintenance for a device does not start at the configured time if there is a long running disabled job of another device
15068 Normal Application Server Dashboard Search Filtering does not work for Clariion LUNs under Summary Tab
15231 Normal Application Server Generating PDF Reports over 100 pages will drop Page Footer
15233 Minor Application Server “Validation Status” column in Admin->Event DB->Event Integrity does not allow for sorting.
15300 Minor GUI For Report Server, if you sync -> unsync -> sync in rapid succession, then the last sync may not take effect
9261 Enhancement Application Server Charts in exported reports (PDF format) only contain stacked charts – not line charts


FortiSIEM What’s New In 4.6.3

What’s new in Release 4.6.3

Starting 4.6.3, AccelOps has been re-branded as FortiSIEM.

Special upgrade procedure

Features

FortiSIEM re-branding

Enforce TLS 1.2 for tighter security

Windows Agent Enhancements (Windows Agent and Agent Manager 2.0)

Bug Fixes / Enhancements

Current Open Issues

Special upgrade procedure

Features

FortiSIEM re-branding

From this release onward, AccelOps will be branded FortiSIEM.

Enforce TLS 1.2 for tighter security

FortiSIEM web servers now only advertise TLS 1.2. All FortiSIEM components now communicate using the TLS 1.2 protocol. This includes the following communications:

Collector to Super/Worker

Worker to Super

Browser to Super

Windows Agent to Agent Manager

Agent Manager to Collector and Super
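"Only advertise TLS 1.2" is something to verify from the outside after the upgrade, since a listener that still completes a TLS 1.0 or 1.1 handshake has not actually been tightened. The following Python probe is an added example written for this page, not a FortiSIEM utility: it pins a client to exactly one protocol version per attempt and records which versions the server accepts. The host name supervisor.example.internal is a placeholder; certificate verification is disabled deliberately because the probe tests protocol negotiation only, and the probe can be pointed at whichever port a Supervisor, Worker, Collector or Agent Manager listens on.

```python
"""Added example: check that an endpoint accepts TLS 1.2 (and optionally 1.3)
only.  Illustrative code written for this page, not a FortiSIEM tool.

One handshake is attempted per protocol version with the client pinned to
exactly that version.  For a server that "only advertises TLS 1.2" the
TLS 1.0 and TLS 1.1 attempts must fail and the TLS 1.2 attempt must succeed.
"""
import socket
import ssl
import sys
from typing import Dict

# Versions to try, oldest first (members of ssl.TLSVersion).
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """Return True if the server completes a handshake at exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # The probe tests protocol negotiation, not the certificate chain, so
    # verification is off here.  Never copy this into production clients.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if version < ssl.TLSVersion.TLSv1_2:
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
        # lower it so a failure reflects the server, not the local library.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False  # refused, timed out, or handshake rejected


def scan(host: str, port: int = 443) -> Dict[str, bool]:
    """Probe every version in VERSIONS and map name -> accepted."""
    return {name: probe(host, port, ver) for name, ver in VERSIONS.items()}


def assess(results: Dict[str, bool]) -> str:
    """Summarise a scan: 'ok' only if nothing below TLS 1.2 is accepted."""
    legacy = [v for v in ("TLSv1", "TLSv1.1") if results.get(v)]
    if legacy:
        return "FAIL: server still accepts " + ", ".join(legacy)
    if not (results.get("TLSv1.2") or results.get("TLSv1.3")):
        return "FAIL: no TLS 1.2 or 1.3 handshake succeeded (wrong port, or not TLS?)"
    modern = "TLS 1.2" + (" and 1.3" if results.get("TLSv1.3") else "")
    return "ok: only " + modern + " accepted"


if __name__ == "__main__":
    # Placeholder target; pass the real host and port on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "supervisor.example.internal"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(assess(scan(target, target_port)))
```

A TLS 1.3 success is not a finding by itself; the check that matters for this release is that the two legacy versions are refused on every component-to-component path listed above.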

Windows Agent Enhancements (Windows Agent and Agent Manager 2.0)

This release contains the following Windows Agent enhancements.

  1. Enhanced user file monitoring: Windows Agent allows users to monitor changes in custom files. This release enhances this feature in the following ways.
    1. Allow the user to specify a custom string for each monitored file. The user defined string is included in the event type as a signature for that file. For example, if the user is monitoring a special MyApp1 log file, the user can specify a custom string, e.g. MyApp1, and the event type would be AO-WUA-UserFile-MyApp1. This allows the user to write a specific parser for each monitored log file by specifying the string AO-WUA-UserFile-MyApp1 in the event format recognizer.
    2. Allow wildcards in the monitored file name, e.g. *radius.log. This allows for dynamically named log files that include dates in the file name. For example, DHCP and RADIUS log files are generated every day and the file names contain the date, e.g. 012415radius.log.
  2. Ability to monitor any log in the Windows Event Manager tree: Prior to this release AccelOps only monitored specific logs in the Windows Event Manager tree, namely Security, Application, Performance events, DNS logs, DHCP logs etc. This release provides the capability to monitor any log in the Windows Event Manager tree. The user chooses the desired Windows Event Manager folder and the FortiSIEM Agent starts monitoring events for that application. The corresponding event type contains the folder name to distinguish it from events from other folders.
  3. Windows CD/DVD/USB monitoring: FortiSIEM can now detect insertion/removal and certain file read/write activity on external media such as USB and CD/DVD. Specifically, the following cases are covered in this release:
    1. Detect when external media such as USB, CD, DVD is inserted
    2. Detect when external media such as USB, CD, DVD is removed
    3. Detect when a file is written to USB
  4. Enhanced File Integrity and Registry change monitoring: This release contains the following enhancements:
    1. User can exclude directories while specifying files to be monitored, e.g. monitor “C:\System32” but exclude “C:\System32\Log”
    2. Include the name of the process that triggered the file modification in FortiSIEM events
    3. Allow environment variables in the file path definition
  5. Monitoring Template and License Assignment improvements: for details see here.
    1. User can define multiple monitoring templates per host, e.g. OS monitoring template, Application 1 monitoring template, Application 2 monitoring template etc.
    2. User can assign templates and licenses for a large number of hosts with far fewer clicks than in earlier releases
    3. A searchable tabular display of host to license and template assignments.
  6. Allow multiple PowerShell and WMI scripts per monitoring template. Prior releases only allowed one script per template.
  7. Create alerts when an Agent is stopped, uninstalled or unresponsive. This allows users to report and detect these potential policy violations.

Bug Fixes / Enhancements

Bug ID Severity Component Description
13156 Major System In high EPS environments, license checking may fail because of the inability to fork new processes, resulting in workers becoming unavailable.
16125 Major App Server The feature “Fire Incidents for Approved devices only” does not work correctly
16555 Major App Server User added widgets to dashboards in Super global mode always run in ad hoc query mode (instead of inline mode), making dashboards run slowly
16433 Normal Parser Netflow Application from Fortinet firewalls is not handled correctly
16248 Normal Parser Syslog over TCP does not work correctly – logs are not complete
16442 Normal App Server Summary dashboard loads slowly when there are a large number of devices with location specified
16586 Normal App Server Incident Notification via XML over HTTPS does not work correctly because of a handshake failure.
16286 Enhancement GUI Add search filter for collectors in Admin > General Settings > Event Org mapping > Add > Collectors
16567 Normal Performance Monitoring AWS RDS monitoring sometimes does not work correctly.
16470 Normal Rule Engine Incidents may not trigger when Event Dropping Rules refer to stale CMDB Objects
16581 Normal GUI ‘Copy to remote’ option is turned off for ‘Scheduled for’ when user schedules a report in Super/global mode.
16530 Normal Performance Monitoring SNMP V3 with AES not working after upgrading to 4.6.2
16481 Normal Performance Monitoring STM job credential manipulation may cause discovery and performance monitor to crash. This was first introduced in the 4.6.2 enhancement that obfuscates user names and passwords in system calls from back end processes
16093 Enhancement App Server Report names are not meaningful when they are copied over to an external location in the “Copy to remote” feature
16251 Enhancement GUI, Parser Allow comma separated External Org in Event Org Mapping. This allows multiple external organizations to map to a single FortiSIEM organization.

Current Open Issues

Id Severity Component Description
8867 Normal Rule Engine LAST and FIRST operators in rules do not work (may crash Rule Worker module)
11036 Normal Rule Engine Rule Worker module may abort when a PctChange Expression is used
14242 Normal Query Engine RBAC data conditions not enforced for SP organizations when logging in via the super org and moving to another org.
15022 Normal Parser Engine Parser module may stall/pause if a host name resolution is slow. Workaround for now is to disable host name resolution.
11112 Normal Rule Engine COUNT DISTINCT operations consume large resources for rules utilizing Anomaly Detection
14478 Normal GUI Sometimes GUI pops up warning (Large amount of data stored over the boundaries) when users restore the archived data or delete the restored data
15109 Normal Performance Monitoring Failed Custom JDBC job shows in performance page after Discovery
15247 Normal Parser AIX Parser cannot parse events correctly.
15253 Normal Parser Reporting device name is parsed wrong in LinuxInotifyParser (affects Linux file integrity monitoring via AccelOps agent)
14929 Normal Performance Monitoring Maintenance calendar issue – Maintenance for a device does not start at the configured time if there is a long running disabled job of another device
15068 Normal Application Server Dashboard Search Filtering does not work for Clariion LUNs under Summary Tab
15231 Normal Application Server Generating PDF Reports over 100 pages will drop Page Footer
15233 Minor Application Server “Validation Status” column in Admin->Event DB->Event Integrity does not allow for sorting.
15300 Minor GUI For Report Server, if you sync -> unsync -> sync in rapid succession, then the last sync may not take effect
9261 Enhancement Application Server Charts in exported reports (PDF format) only contain stacked charts – not line charts

What’s new in Release 4.6.2


This release contains the following bug fixes.

Bug Fixes

Bug ID Severity Component Description
15161 Major Performance Monitor, Discovery The ability for AccelOps to connect to SNMP on a UDP port other than the default 161, a 4.6.1 feature, does not work correctly.
16235 Major Parser WMI based pulling of Windows Security, Application and System logs truncates some event attributes, so certain Windows reports and rules may not work correctly.
16249 Minor Discovery Default hardware serial numbers (like “None” in CentOS) cause two devices to be merged incorrectly during discovery
16237 Minor Performance Monitoring Long running performance monitoring jobs may cause new performance monitoring jobs to not take effect


FortiSIEM What’s New In 4.7.1

What’s new in Release 4.7.1

Features

HTML5 based GUI for Incident

You can logon to the HTML5 version of Incident page using the link https://<SupervisorIP>/phoenix/html.

For details see here.

Malware URL threat feed

Previous releases allowed users to import Malware domain, IP, file hashes and Anonymity Networks as external threat intelligence feed. This release extends this functionality to Malware URLs.

For details, see here.

Syslog over TLS

This release enables FortiSIEM to receive encrypted Syslog over TLS.

For details, see here.

Device Audit framework

FortiSIEM discovers devices in depth, collects various performance/availability metrics, parses logs and traps, and triggers rules. This release provides users a framework to run an audit on devices based on the collected information. Audit criteria can be based on

OS version

Installed software version

A set of reports representing audit violations

A set of rules triggering incidents representing audit violations

User can define audit criteria and run a check against devices – either on-demand or periodically on a schedule. The results can be displayed on GUI, exported as PDF from GUI or emailed with PDF attachments.

For details, see here.

Device Support – New

Aruba Switches – discovery (Bug 15800)

Alertlogic IPS – log parsing (Bug 16250)

AWS Elastic Load Balancer – log parsing (Bug 15752)

Device Support – Enhancements

F5 load balancer – detailed performance monitoring

Fortinet FortiOS – more detailed data collection and trap parsing

Aruba Clearpass Manager – more detailed log parsing (Bug 15542)

Checkpoint GAIA – monitor memory using UCD MIBs (Bug 16203)

HP/UX – more detailed syslog parsing (Bug 15565)

InfoBlox – more detailed syslog parsing (Bug 16121, Bug 16191)

Dell Equallogic – more detailed syslog parsing (Bug 15433)

TrendMicro Officescan – more detailed syslog parsing (Bug 16122)

Checkpoint FireWall-1 – parsing fix (Bug 16119)

Microsoft Windows – Added event id 4769 (Bug 16191)

Microsoft Windows – Added event id 6274, 6272 (Bug 12163)

Microsoft Windows – Added event id 5137 (Bug 7429)

Juniper SecureAccess – parser enhancement (Bug 16035)

Palo Alto Firewall – parser enhancements (Bug 16727, 16169)

Fortinet FortiOS  Firewall – parser enhancements (Bug 16554)

Symantec Endpoint Control – parser enhancements (Bug 16210)

F5 ASM – parser enhancements (Bug 16726)

McAfee Stonesoft IPS – parser enhancements (Bug 16729)

Cisco Call Manager – parser enhancements (Bug 16395)

Cisco ACS Parser – parser enhancement (Bug 15550)

Imperva SecureSphere – parser improvements (Bug 16036)

HP Procurve – syslog parsing enhancement (Bug 12072)

Bug Fixes / Enhancements

Bug ID Severity Component Description
16779 Minor App Server A user cannot change their own password if the CMDB Tab view is restricted from them
16767 Minor System File rename error on cross-partition operation may lead to event database archive failure
16340 Minor Parser Incorrectly formatted Netflow packets can cause the parser module to crash
16460 Minor App Server Users who do not have permissions for Admin > Discovery cannot launch discovery from CMDB
16009 Minor App Server User created custom types (device, event, attribute) are created as Origin = System after upgrade
16655 Minor App Server Empty “Time” in Incident Notification Policy can cause the notification policy to not trigger
16067 Minor GUI Cannot add more than 100 devices to a CMDB Device folder
16654 Minor GUI Cannot handle CMDB Reports with filter conditions containing strings with spaces, e.g. Installed Software Name = ‘Attack Definition’
16764 Minor App Server Incident Notification Policy may sometimes trigger twice for the same incident id
15296 Enhancement App Server Ability to export test connectivity error, discovery error and discovery change delta results as PDF reports
16898 Minor App Server Run script notification may sometimes fail to run
16055 Minor Parser The ‘vulnSolution’ event attribute populated from vulnerability pulling agents such as Qualys and Nessus needs to allow for URLs.
16007 Minor App Server An exception may happen during clear incident processing, resulting in the clear incident not getting stored
16867 Enhancement Parser SSH script for Foundry switches fails when the switch is configured to log in to enable mode directly without typing in “enable; username; password”
16870 Minor Performance Monitoring For custom SNMP monitoring, the snmpbulkwalk command does not work for some OIDs while snmpwalk works
15527 Enhancement GUI Allow users to edit the same property for multiple devices in one shot by multi-selecting the devices and entering new values
16382 Enhancement App Server On CMDB Reports, add ‘Processor Name’ attribute to the “Server Hardware: Processor” report
16431 Enhancement Parser System error message “Success ratio too low” is enhanced to report only when a large number of retry attempts have occurred

Current Open Issues

Id Severity Component Description
8867 Normal Rule Engine LAST and FIRST operators in rules do not work (may crash Rule Worker module)
11036 Normal Rule Engine Rule Worker module may abort when a PctChange Expression is used
14242 Normal Query Engine RBAC data conditions not enforced for SP organizations when logging in via the super org and moving to another org.
15022 Normal Parser Engine Parser module may stall/pause if a host name resolution is slow. Work around for now is to disable host name resolution.
11112 Normal Rule Engine COUNT DISTINCT operations consume large resources for rules utilizing Anomaly Detection
14478 Normal GUI Sometimes GUI pops up warning (Large amount of data stored over the boundaries) when users restore the archived data or delete the restored data
15109 Normal Performance Monitoring Failed Custom JDBC job shows in performance page after Discovery
15247 Normal Parser AIX Parser cannot parse events correctly.
15253 Normal Parser Reporting device name is parsed wrong in LinuxInotifyParser (affects Linux file integrity monitoring via AccelOps agent)
14929 Normal Performance Monitoring Maintenance calendar issue – Maintenance for a device does not start at the configured time if there is a long running disabled job of another device
15068 Normal Application Server Dashboard Search Filtering does not work for Clariion LUNs under Summary Tab
15231 Normal Application Server Generating PDF Reports over 100 Pages will drop Page Footer
15233 Minor Application Server “Validation Status” column in Admin->Event DB->Event Integrity does not allow for sorting.
15300 Minor GUI For Report Server, if you sync -> unsync -> sync in rapid succession, then the last sync may not take effect
9261 Enhancement Application Server Charts in exported reports (PDF format) only contain stacked charts – not line charts

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM What’s New 4.7.2

What’s new in Release 4.7.2

Device Support

FortiSandbox – discovery, performance monitoring, log analysis and external threat intelligence (see here)

FortiWeb – discovery, performance monitoring and log analysis (see here)

FortiMail – log analysis (see here)

MalwareBytes – log analysis (see here)

Sophos UTM – log analysis (see here)

Bug Fixes

Bug ID Severity Component Description
17552 Major System Patch Linux Kernel Local Privilege Escalation Vulnerability (“Dirty COW”) – CVE-2016-5195
15161 Major App Server FortiSIEM users cannot change their own passwords if they are read only users or were restricted by RBAC from viewing or making changes to CMDB users page
17025 Major Parser Cisco ASA parser code introduced in 4.5.1 leaks memory
17216, 17056 Major System FortiSIEM hangs during upgrade and reboot if there is no internet connectivity. This is because in 4.7.1, OS update was done during upgrade and reboot. This release provides two solutions: (1) OS upgrade via yum update now only happens during upgrade and not during reboot and (2) FortiSIEM goes to repositories set up in AWS Cloudfront AWS edge locations listed here (https://aws.amazon.com/cloudfront/details/#edge-locations) depending on where the FortiSIEM node is connecting from. The Cloudfront CDN distribution is created and controlled by FortiSIEM engineering. If the connection to this edge location fails, it connects to origin server images-os.accelops.net which is hosted by FortiSIEM engineering in AWS
17466 Major Rule Engine Rule Engine sometimes crashes while evaluating FIRST and LAST aggregation operators
16991 Normal Performance Monitor Sometimes Java Agent has too many open files
17290 Normal Parser AIX log Parser incorrectly parses reporting device name
15868 Normal Performance Monitoring Palo Alto Firewall configuration pulling SSH script not logging out
16969 Normal System FortiSIEM Worker ssl.conf is overwritten during upgrade – e.g. if FortiSIEM Worker is configured to use valid CA certificates, these are overwritten during an upgrade to use self-signed. FortiSIEM Supervisor works correctly.
16984 Normal System Re-registered license not getting updated in Worker and Report Server.
16992 Normal Performance Monitoring Java agents (e.g. SQL based monitoring) can result in too many open files
16995 Normal Rule Engine While testing rules, Rule Master module may time out if the rule test evaluates to FALSE. RuleMaster never reports the status to the GUI.
17008 Normal GUI White labeling does not work correctly in HTML5 GUI
17058 Normal GUI User can no longer approve multiple CMDB devices at a time.
17068 Normal GUI Ticketing system GUI can not load tickets if any ticket does not have a due date
17097 Normal Performance Monitoring FortiGate SSH based commands for Audit do not work when VDOMs are configured
17114 Normal App Server CMDB replication setting in postgresql.conf on both Super and Report Server lost after upgrade
17115 Normal System Prevent event loss during eps surge by adding another warning period to elastic eps enforcement
17352 Normal GUI Sometimes, the list of users in Assigned To in a ticket created from incident, may not be shown properly
17354 Normal Query Engine Sometimes Incident Query with Incident Reporting IP IN A Device Group does not return result.
17380 Normal Parser Device type in TrendMicro Deep Security Manager parser is incorrect.
17382 Normal Discovery Can not connect to a device via Telnet/SSH when user name is empty but password and enable password is set
17387 Normal Discovery Custom device discovery does not work when discovered device type is Generic Unix or Generic Linux.
17409 Normal GUI CMDB > Device > Link usage does not show data for non-FortiGate devices
17483 Normal Discovery SDEE based Test Connectivity to Cisco IPS does not work for Cisco IPS 7.0 and earlier that does not support TLS 1.2

17076 Enhancement Data Some Cylance Protect syslog can not be parsed
17092 Enhancement Performance Monitoring Allow a higher priority queue for Airline log monitoring
17098 Enhancement GUI Remove “Forticare” from default exported Audit report name
17115 Enhancement Device Support Extend IBM Townsend parser
17248 Enhancement Device Support Update FortiGate IPS Event types (Signatures)
17255 Enhancement Device Support Update Forcepoint (previously McAfee Stonesoft) parser
17405 Enhancement Device Support Update F5 ASM parser
17057 Enhancement Device Support Update Nginx parser


FortiSIEM Features

Features

HTML5 based GUI for dashboard

You can log on to the HTML5 version of the Dashboard page using the link https://<SupervisorIP>/phoenix/html.

For details see Dashboards – HTML5 version.

Policy based event retention

Currently, the on-line event database storage is managed on a first-come, first-served (FCFS) basis: when the event database gets full, the oldest events are purged or archived. This release enables you to set event retention policies based on Customer (Service Provider case), Reporting Device and Event Type. For example, performance metrics and flow events should be kept for 30 days but server logs for 1 year.

This release also provides visibility into which reporting Device and Event Type is consuming most storage on a per-day basis. This enables administrators to write better data retention policies.

Note that this feature consumes significant compute and storage I/O resources: since events are stored compressed, they first have to be uncompressed, then filtered according to the data retention policies, and finally the logs that remain have to be re-indexed. It is recommended that you create these policies after some thought and change them infrequently. Run the reports to monitor the performance of retention policy execution.

For details, see Managing Online Event Data.

Vulnerability correlation and device risk scoring

In this release, FortiSIEM assigns a risk score (0-100) to a device by combining Asset Weight, Vulnerabilities found on that device, Security and Non-security incident counts and severities. Users can modify certain factors to tailor the risk computation for their environment. A view is created that shows the devices ranked by risk scores along with a timeline view of the incidents that resulted in that score. The risk score is computed hourly and the trend is presented in the view.

For details, see here for Flash version and here for HTML5 version. Risk computation is detailed here.

Scalable windows agent architecture enabling agent sending events to collectors (Windows Agent/Agent Manager 2.1)

FortiSIEM Windows agents provide efficient log collection and other important functionality such as file integrity monitoring, registry and installed software change monitoring, and removable media insertion and write activity. In previous releases, a set of Windows agents was associated with a single Windows Agent Manager (WAM), which was responsible for configuring the Windows Agents and then relaying logs from the Agents to a Collector. This architecture has several issues, e.g. (a) the WAM is a single point of failure for configuration and log relay, and (b) the rigid association of Agents to a single WAM results in deployment and bookkeeping issues when a large number of agents need to be deployed.

This release vastly improves the above architecture. The WAM is now primarily used for configuring Agents. As part of the configuration, Agents can be associated with one or more FortiSIEM Collectors. Agents send logs directly to the assigned set of Collectors in a round robin fashion. A single WAM can configure a large number of Agents. By removing the WAM from the event forwarding path and utilizing the Collector infrastructure, this architecture provides great scalability.

For details, see here

Dynamic CMDB groups

CMDB Device Groups and Business Service Groups are critical to FortiSIEM Analytics. They enable users to write rules and reports of the form “Reporting IP IN A CMDB Group”. Currently, CMDB Device Groups are populated during discovery based on an internal template keyed on Device vendor and model, e.g. Fortinet FortiGate belongs to both the Firewall Group and the VPN Group, Cisco IOS belongs to the Router/Switch Group, etc. Business Groups have to be created manually and kept up to date.

This release automates this process by allowing the user to define rules for dynamically associating devices with CMDB groups and Business Services. A rule condition can be based on Device Vendor, Model, Host Name and IP Range. When there is a match, the matching devices are placed in the specified CMDB Groups and Business Services. Dynamic CMDB Group assignment happens automatically during discovery, but the assignment rules can also be applied at any time to force immediate assignment. Note that this dynamic CMDB Group assignment is in addition to the internal template based assignment during discovery.

For details, see Creating Dynamic CMDB Group Policies.
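The rule evaluation described above, as an added illustration that is not FortiSIEM's own code: each rule ANDs whichever of Vendor, Model, Host Name (regex) and IP Range it sets, and matching devices gain the rule's CMDB Groups and Business Services on top of the template-assigned groups. The rule and device structures, the "start-end" / CIDR range syntax and the sample inventory are all assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Device:
    host_name: str
    ip: str
    vendor: str
    model: str
    # groups already assigned by the discovery template; dynamic rules only add to them
    cmdb_groups: Set[str] = field(default_factory=set)
    business_services: Set[str] = field(default_factory=set)


@dataclass
class GroupRule:
    """Hypothetical dynamic assignment rule. Every condition that is set must
    hold (AND); a condition left as None is ignored."""
    name: str
    cmdb_groups: List[str] = field(default_factory=list)
    business_services: List[str] = field(default_factory=list)
    vendor: Optional[str] = None
    model: Optional[str] = None
    host_regex: Optional[str] = None   # case-insensitive regex on the host name
    ip_range: Optional[str] = None     # "a.b.c.d-w.x.y.z" or CIDR (assumed syntax)

    def _ip_in_range(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if "-" in self.ip_range:
            lo_s, hi_s = self.ip_range.split("-", 1)
            return ipaddress.ip_address(lo_s.strip()) <= addr <= ipaddress.ip_address(hi_s.strip())
        return addr in ipaddress.ip_network(self.ip_range, strict=False)

    def matches(self, d: Device) -> bool:
        if self.vendor is not None and d.vendor.lower() != self.vendor.lower():
            return False
        if self.model is not None and d.model.lower() != self.model.lower():
            return False
        if self.host_regex is not None and not re.search(self.host_regex, d.host_name, re.I):
            return False
        if self.ip_range is not None and not self._ip_in_range(d.ip):
            return False
        return True


def apply_rules(devices: List[Device], rules: List[GroupRule]) -> Dict[str, List[str]]:
    """Apply every rule to every device (additive, so template groups survive).
    Returns host name -> names of the rules that matched, for audit."""
    matched: Dict[str, List[str]] = {}
    for d in devices:
        for r in rules:
            if r.matches(d):
                d.cmdb_groups.update(r.cmdb_groups)
                d.business_services.update(r.business_services)
                matched.setdefault(d.host_name, []).append(r.name)
    return matched


def sample_devices() -> List[Device]:
    # Constructed inventory with template-assigned groups, as discovery would leave it.
    return [
        Device("fgt-dc1-edge", "10.20.0.1", "Fortinet", "FortiGate", {"Firewall", "VPN Gateway"}),
        Device("web01", "10.20.5.11", "Linux", "Generic Linux", {"Server"}),
        Device("web02", "10.30.5.12", "Linux", "Generic Linux", {"Server"}),
        Device("sw-core", "10.20.0.2", "Cisco", "Catalyst", {"Router/Switch"}),
    ]


SAMPLE_RULES = [
    GroupRule("DC1 perimeter", ["DC1 Firewalls"], ["Payments"],
              vendor="Fortinet", ip_range="10.20.0.0/16"),
    GroupRule("DC1 web tier", ["Web Servers"], ["Payments"],
              host_regex=r"^web\d+$", ip_range="10.20.5.1-10.20.5.254"),
]

if __name__ == "__main__":
    devs = sample_devices()
    for host, rules in apply_rules(devs, SAMPLE_RULES).items():
        print(host, "matched", rules)
    for d in devs:
        print(d.host_name, sorted(d.cmdb_groups), sorted(d.business_services))
```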

Display CMDB reports in dashboard

Currently, a dashboard can only show reports containing event data. Starting with this release, CMDB reports can also be displayed on the same dashboard, side by side with event data.

For details, see here for Flash version and here for HTML5 version.

Multi-line syslog handling

Often applications generate a single syslog message across multiple lines. For analysis purposes, the multiple lines need to be put together into a single log. This feature enables you to do that.

Users can write multiple multi-line syslog combining rules based on reporting IP and begin and end patterns. All matching syslog lines between the begin and end pattern are combined into a single log.

For details, see Multi-line Syslog Handling.
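A combiner of the kind just described, as an added example that is not FortiSIEM's own code: rules are keyed on reporting IP with begin and end regexes, lines from other devices interleaved in the stream pass through untouched, and an assumed per-rule line cap keeps a block whose end pattern never arrives from buffering forever. The rule structure, the cap and the sample stack trace are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Tuple


@dataclass
class CombineRule:
    """One combining rule: lines from reporting_ip between a begin match and an
    end match are joined into one log. max_lines is an assumed safety cap."""
    reporting_ip: str
    begin: re.Pattern
    end: re.Pattern
    max_lines: int = 200


class MultiLineCombiner:
    def __init__(self, rules: Iterable[CombineRule]) -> None:
        self.rules: Dict[str, CombineRule] = {r.reporting_ip: r for r in rules}
        self._open: Dict[str, List[str]] = {}  # reporting IP -> lines buffered so far

    def feed(self, reporting_ip: str, line: str) -> Iterator[str]:
        """Offer one raw syslog line; yield zero or more completed logs."""
        rule = self.rules.get(reporting_ip)
        if rule is None:
            yield line  # no rule for this device: every line is its own log
            return
        buf = self._open.get(reporting_ip)
        if buf is not None and rule.begin.search(line):
            # a new block starts before the previous one ended: emit the old one
            yield "\n".join(self._open.pop(reporting_ip))
            buf = None
        if buf is None:
            if rule.begin.search(line):
                self._open[reporting_ip] = [line]
            else:
                yield line  # outside any begin/end block: ordinary single-line log
            return
        buf.append(line)
        if rule.end.search(line) or len(buf) >= rule.max_lines:
            yield "\n".join(self._open.pop(reporting_ip))

    def flush(self) -> Iterator[str]:
        """End of stream: emit any block still waiting for its end pattern."""
        for ip in list(self._open):
            yield "\n".join(self._open.pop(ip))


def combine(rules: Iterable[CombineRule], lines: Iterable[Tuple[str, str]]) -> List[str]:
    """Run a (reporting_ip, line) stream through the combiner and collect the logs."""
    combiner = MultiLineCombiner(rules)
    out: List[str] = []
    for ip, line in lines:
        out.extend(combiner.feed(ip, line))
    out.extend(combiner.flush())
    return out


# Constructed sample: a Java stack trace from an application server (10.1.1.5)
# interleaved with a single-line event from a firewall (10.1.1.9).
SAMPLE_RULES = [
    CombineRule("10.1.1.5", re.compile(r"Exception"), re.compile(r"--- end of trace ---")),
]
SAMPLE_LINES = [
    ("10.1.1.5", "Jan 10 12:00:01 app1 tomcat: java.lang.NullPointerException: user lookup failed"),
    ("10.1.1.5", "Jan 10 12:00:01 app1 tomcat:     at com.example.Auth.login(Auth.java:42)"),
    ("10.1.1.9", "Jan 10 12:00:01 fw1 kernel: dropped packet from 203.0.113.7"),
    ("10.1.1.5", "Jan 10 12:00:01 app1 tomcat:     at com.example.Servlet.doPost(Servlet.java:88)"),
    ("10.1.1.5", "Jan 10 12:00:01 app1 tomcat: --- end of trace ---"),
    ("10.1.1.5", "Jan 10 12:00:02 app1 tomcat: request served in 12 ms"),
]

if __name__ == "__main__":
    for log in combine(SAMPLE_RULES, SAMPLE_LINES):
        print(log)
        print("----")
```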

Custom configuration change monitoring

FortiSIEM can collect configurations from devices and detect changes. Currently, FortiSIEM supports a limited set of devices for this feature and users cannot add devices of their choice.

This release provides a way for users to do configuration change monitoring for any device. The user simply needs to upload their own configuration collection script into the system and associate it with a device type. When that device type is discovered, a configuration change detection job is created that runs the user defined custom configuration collection script.

For details, see Custom Configuration Change Monitoring.

STIX/TAXII support for external threat intelligence

This release allows you to download any threat intelligence data in STIX format using TAXII transport protocol without writing any code. Supported IOCs include Malware Domain, IP, URL and hash.

For details, see Custom Malware Domain Threat Feed, Custom Malware IP Threat Feed, Custom Malware Hash Threat Feed and Custom Malware URL Threat Feed.

Enhancements

Ability to monitor a subset of interfaces and processes

Currently, FortiSIEM monitors all interfaces and processes and there is no way to disable monitoring of a subset of interfaces and processes. Many network devices (e.g. Voice Gateways) have logical interfaces that do not need to be monitored. Similarly, servers have processes that may not need to be monitored. Often these redundant interfaces and processes create lots of events and consume lots of storage over time, especially if there are many devices with such interfaces/processes.

This release allows you to specify a set of important interfaces and processes. Once this set is defined, FortiSIEM switches to monitoring only this set of important interfaces and processes.

For details, see Adding Important Interfaces and Adding Important Processes.

Ability to flag a WAN interface

Often it is important to monitor only WAN interfaces in a dashboard or report. Typically a deployment has many routers/firewalls with one or two WAN interfaces. Since WAN interfaces are not clearly marked in any configuration or SNMP MIB, the only way to create a report is to manually list all the device and interface pairs in the query. This makes the query quite cumbersome.

This release enables you to mark an interface as a WAN interface. The interface events will have the WAN flag set. To query all WAN interfaces, one simply has to specify “isWAN = true” in the query. This makes writing a query extremely simple.

For details, see Adding Important Interfaces.

Ability to define per-process CPU, Memory thresholds

FortiSIEM provides a way to specify global thresholds and per device local thresholds and refer to them in a rule. This way a single rule can capture global and local thresholds.

The thresholds can be a single value, such as Critical CPU threshold or Warning CPU threshold, or a map, such as a map of interface utilization or disk utilization. While the single values are completely customizable, meaning that users can add their own, map thresholds need the keys (such as interface name, disk name) to be defined in the system.

This release extends the map thresholds to also include process name. Users can define global thresholds for process CPU utilization and process Memory utilization, and per device, per process overrides (e.g. SQL Server).

For details, see Setting Global and Per-Device Threshold Properties.

Ability to include attachments in a ticket

FortiSIEM provides its own ticketing system for users that do not want to rely on an external ticketing system. Often there is a need to include attachments in a ticket, e.g. to demonstrate the problem while creating a ticket and to demonstrate the problem resolution while closing a ticket. This release allows you to include (PDF and PNG formatted) attachments in a ticket and export that ticket in PDF format with the attachments included.

For details, see Ticket Related Operations.

Allow exceptions for merging based on hardware serial numbers

FortiSIEM has an algorithm based on hardware serial numbers, host name, IP and MAC addresses to merge devices in CMDB, which is needed since FortiSIEM repeatedly discovers devices. Currently, hardware serial number is a definitive factor: two devices are merged if their serial numbers are identical. However, some virtualized devices often report generic serial numbers, e.g. “Unknown”, “0000” etc., which causes devices to be merged incorrectly. This release provides a way to create a list of virtual serial numbers which are not considered for merge purposes.

For details, see Discovery Settings.
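The merge decision with a virtual-serial exception list, as an added example that is not FortiSIEM's own algorithm: an identical serial is definitive only when it is not on the exception list, otherwise the decision falls back to host name, shared IP and shared MAC. The exception list contents, the fallback order and the rule that two different real serials never merge are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

# Constructed exception list: placeholder serials typically reported by virtual
# or cloned machines. Compared case-insensitively after trimming whitespace.
VIRTUAL_SERIALS: Set[str] = {"unknown", "0000", "n/a", "none", "to be filled by o.e.m."}


@dataclass(frozen=True)
class Device:
    host_name: str
    serial: str = ""
    ips: FrozenSet[str] = frozenset()
    macs: FrozenSet[str] = frozenset()


def definitive_serial(serial: str, virtual: Set[str]) -> Optional[str]:
    """Return the normalized serial if it can identify physical hardware, else None."""
    s = serial.strip().lower()
    return s if s and s not in virtual else None


def merge_reason(a: Device, b: Device, virtual: Set[str] = VIRTUAL_SERIALS) -> Optional[str]:
    """Name the evidence on which two discovered records would be merged, or None.
    Serial wins when both records carry a non-virtual serial; the rest is an
    assumed fallback order, not FortiSIEM's documented one."""
    sa, sb = definitive_serial(a.serial, virtual), definitive_serial(b.serial, virtual)
    if sa is not None and sb is not None:
        # assumption: two different real serials are two different devices
        return "serial" if sa == sb else None
    if a.host_name and a.host_name.lower() == b.host_name.lower():
        return "host name"
    if a.ips & b.ips:
        return "ip"
    if a.macs & b.macs:
        return "mac"
    return None


# Constructed records: two distinct build VMs whose hypervisor reports "Unknown",
# one firewall rediscovered with a new management IP, and a server seen by DHCP
# under a new address but the same MAC.
VM_A = Device("build-01", "Unknown", frozenset({"10.0.0.11"}), frozenset({"00:50:56:aa:bb:01"}))
VM_B = Device("build-02", "unknown", frozenset({"10.0.0.12"}), frozenset({"00:50:56:aa:bb:02"}))
FW_OLD = Device("fgt-edge", "FGT-CONSTRUCTED-0001", frozenset({"10.0.1.1"}))
FW_NEW = Device("fgt-edge-new", "fgt-constructed-0001", frozenset({"10.0.1.9"}))
HOST_V1 = Device("lab-pc", "", frozenset({"10.0.2.40"}), frozenset({"00:11:22:33:44:55"}))
HOST_V2 = Device("LAB-PC-2", "", frozenset({"10.0.2.41"}), frozenset({"00:11:22:33:44:55"}))

if __name__ == "__main__":
    print("VMs, no exception list:", merge_reason(VM_A, VM_B, set()))   # wrongly merged on "Unknown"
    print("VMs, with exception list:", merge_reason(VM_A, VM_B))        # kept separate
    print("firewall rediscovered:", merge_reason(FW_OLD, FW_NEW))
    print("server with new DHCP lease:", merge_reason(HOST_V1, HOST_V2))
```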

Device / Application Support

Windows Server 2016 – discovery, performance monitoring and log analysis like other Windows Servers – see Microsoft Windows Server Configuration.

FortiDDoS – log analysis – see FortiDDoS Configuration

Google Apps – audit log analysis – see Google Apps Audit Configuration.

Microsoft Office 365 – audit log analysis – see Microsoft Office365 Audit Configuration

Cisco ACI – performance monitoring – see Cisco Application Centric Infrastructure (ACI) Configuration

Brocade CER and MLX routers – performance monitoring – see Brocade NetIron CER Routers

Clavister IPS – log analysis – see here

Cisco SF 300 SG300/350 switches – discovery, performance monitoring – see Cisco 300 Series Routers

Fortinet 5001B firewalls – discovery, performance monitoring – per CPU utilization extensions – see Fortinet FortiGate Firewall Configuration

Bug Fixes / Enhancements

Bug ID Severity Component Description
17906 major Parser FortiSandbox Parser does not support FortiSandbox VM
17415 major Parser Some WatchGuard events are not parsed
17453 major Parser Update the SourceFire parser to support version 6 and later and Snort messages.
18053 major GUI Incorrect Admin > General Settings > Discovery > Application Filter
17281 normal App Server Handle rediscovery of devices moved from a system defined group
17346 normal App Server Should not update ‘Worker up’ error message every 3 minutes if the worker is not in down status
18056 normal Parser Parse event severity from Stonesoft events
12617 normal Parser Event severity of some Snort events are incorrect
16765 normal GUI Multiple users cannot use the same dashboard name
16845 normal System FortiSIEM Login credential anonymization algorithm causes unnecessary login failures
16514 normal App Server Reports: Display Column “Display As” not working for scheduled PDF reports
18108 normal App Server Incident Id in Notification Email includes HTML tags in Email Subject
17418 normal GUI Add Remediation to Rule Export
15868 normal Discovery FortiSIEM SSH not logging out of Palo Alto Firewall during configuration discovery
17979 normal GUI Improve display performance of CMDB > Link Usage page in GUI
17422 normal Parser Imperva DAM Unknown Event Types in Panasonic logs
16985 normal App Server Allow Super-Global admin to assign incident ticket to an org user in Super
17555 normal Parser Application recognition inconsistency in Netflow IPFIX analysis
17507 normal Rule Error in System defined Rule “Cisco Call Manager DDR Down”
17110 normal Parser Reporting device name parsed wrong in Motorola AirDefense Parser
16966 normal GUI Virtual IPs disappear after exporting and importing credentials
16956 normal GUI When two super global users create a dashboard for an org, they see each others dashboards in that org
16311 normal GUI Sometimes the value of application performance shows incompletely when the bar is red
17253 normal GUI Page header of Ticket export has display issues
17540 normal GUI Can’t export the result of a cloned Audit Rule to PDF
16023 normal GUI Incidents page – Filter condition will change after user cancels it via “…” and “e”
17436 normal GUI Cannot save new ticket without assignee or due date.
17837 normal System Reverse tunnel vulnerability not fixed on 4.7.2 upgrade
16763 normal Parser Event parse status is wrong for MYSQL_JDBC_PULL_STAT
16762 enhancement Parser Parse ‘reporting device name’ ‘host name’ at the first time for log discovered device.
13823 enhancement GUI Allow Users to select Important Processes per device from the software tab in CMDB
17094 enhancement GUI Need CMDB Report for Running Applications
17860 enhancement App Server Threat Feed integration with InSights required by Panasonic
15792 enhancement App Server Support ‘Report Logo’ and ‘UI Logo’ for Organizations UI and PDF reports
16973 enhancement App Server Improve and Optimize CI lookup
16983 enhancement App Server Need a way to specify ticket due dates to specific times
17093 enhancement DataManager Create an event for when Incoming EPS is more than Guaranteed EPS
12049 enhancement Parser Parse more Symantec AV Events
18003 enhancement Parser Some event type display names have %s
17428 enhancement App Server In CMDB Report, allow Organization and Collector Name as columns
16994 enhancement GUI Allow the ability to launch integration policy from a specific Incident

Current Open Issues

Id Severity Component Description
8867 Normal Rule Engine LAST and FIRST operators in rules do not work (may crash Rule Worker module)
11036 Normal Rule Engine Rule Worker module may abort when a PctChange Expression is used
14242 Normal Query Engine RBAC data conditions not enforced for SP organizations when logging in via the super org and moving to another org.
15022 Normal Parser Engine Parser module may stall/pause if a host name resolution is slow. Work around for now is to disable host name resolution.
11112 Normal Rule Engine COUNT DISTINCT operations consume large resources for rules utilizing Anomaly Detection
14478 Normal GUI Sometimes GUI pops up warning (Large amount of data stored over the boundaries) when users restore the archived data or delete the restored data
15109 Normal Performance Monitoring Failed Custom JDBC job shows in performance page after Discovery
15247 Normal Parser AIX Parser cannot parse events correctly.
15253 Normal Parser Reporting device name is parsed wrong in LinuxInotifyParser (affects Linux file integrity monitoring via AccelOps agent)
14929 Normal Performance Monitoring Maintenance calendar issue – Maintenance for a device does not start at the configured time if there is a long running disabled job of another device
15068 Normal Application Server Dashboard Search Filtering does not work for Clariion LUNs under Summary Tab
15231 Normal Application Server Generating PDF Reports over 100 Pages will drop Page Footer
15233 Minor Application Server “Validation Status” column in Admin->Event DB->Event Integrity does not allow for sorting.
15300 Minor GUI For Report Server, if you sync -> unsync -> sync in rapid succession, then the last sync may not take effect
9261 Enhancement Application Server Charts in exported reports (PDF format) only contain stacked charts – not line charts


FortiWAN Appendices

Appendix A: Default Values

In console, enter the command ‘resetconfig’, or on the Web UI select “Factory Default” to do a hard reset and restore all settings to factory default.

When restored to factory default, the accounts and passwords for CLI, Web UI and SSH login will also be reset to:

FortiWAN Log-ins
                           < V4.0.x                       V4.1.0
Web-based Manager Default  Adminstrator/1234              Adminstrator/1234
                           Monitor/5678 (read-only)       Monitor/5678 (read-only)
                                                          admin/null (Fortinet default)
CLI Default                Adminstrator/fortiwan          Adminstrator/1234
                                                          admin/null (Fortinet default)

The Web UI login port will be restored to the default port 443.

FortiWAN also supports SSH logins. The interface for SSH login is the same as the console with identical username and password.

WAN Link Health Detection Default Values

  • System default values contain 13 fixed server IPs for health detection.
  • Values for all Port Speed and Duplex Settings will also be reset.
  • All ports are restored back to AUTO state.

Network default Values (FortiWAN 200B)

Port 1: WAN
  • WAN Link: 1
  • IP: 192.168.1.1
  • Netmask: 255.255.255.0
  • IP in DMZ: 192.168.1.2~192.168.1.253
  • Default Gateway: 192.168.1.254
  • DMZ at Port 5

Port 2: WAN
  • WAN Link: 2
  • IP: 192.168.2.1
  • Netmask: 255.255.255.0
  • IP in DMZ: 192.168.2.2~192.168.2.253
  • Default Gateway: 192.168.2.254
  • DMZ at Port 5

Port 3: WAN
  • WAN Link: 3
  • IP: 192.168.3.1
  • Netmask: 255.255.255.0
  • IP in DMZ: 192.168.3.2~192.168.3.253
  • Default Gateway: 192.168.3.254
  • DMZ at Port 5

Port 4: LAN
  • IP: 192.168.0.1
  • Netmask: 255.255.255.0
  • DHCP Server: Disabled

Port 5: DMZ

Fields such as Domain Name Server, VLAN and Port Mapping, WAN/DMZ Subnet Settings are all cleared.

Service Category Default Values

  • Firewall: default security rules apply
  • Persistent Routing: Enabled
  • Auto Routing: By Downstream Traffic as default
  • Virtual Server: Disabled
  • Bandwidth Management: Disabled
  • Cache Redirection: Disabled
  • Multihoming: Disabled
  • All fields in the Log/Control Category are cleared

Appendix B: Suggested Maximum Configuration Values

FortiWAN’s Web UI does not set maximum limits on the number of most service rules and policies, but as the configured rules and policies keep increasing, the performance of both FortiWAN and its Web UI decreases, especially for FortiWAN’s critical services such as Bandwidth Management, Multihoming and Tunnel Routing. Not only do FortiWAN appliances use more and more hardware resources to run and handle traffic with a large number of configurations, but your local computer also spends more time running the Web UI pages. The following table shows the suggested maximum configuration values for FortiWAN’s services. Remember that the FortiWAN Web UI allows you to create more configurations than these values, but performance may not be guaranteed.

  FWN-200B FWN-1000B FWN-3000B
WAN link health detection      
Ping lists 1024 1024 1024
Optimum route detection      
Static IP-ISP tables 1024 1024 1024
Total rules of static IP-ISP tables 1024 1024 1024
Backup line setting      
Backup line rules 1024 1024 1024
IP grouping      
IP groups 300 300 300
IPv4 rules of an IP group 1024 1024 1024
IPv6 rules of an IP group 1024 1024 1024
Service grouping      
Service group 300 300 300
IPv4 rules of a service group 1024 1024 1024
IPv6 rules of a service group 1024 1024 1024
Busyhour setting      
Busyhour rules 1024 1024 1024
Date/Time      
Time servers 4 4 4
Administration      
Administrator accounts 1000 1000 1000
Monitor accounts 1000 1000 1000
Firewall      
IPv4 rules 1024 1024 1024
IPv6 rules 1024 1024 1024
NAT      
1-to-1 NAT rules 1024 1024 1024
NAT rules 1024 1024 1024
IPv6 NAT rules 1024 1024 1024
Persistent routing      
IPv4 web service rules 1024 1024 1024
IPv4 IP pair rules 1024 1024 1024
IPv6 web service rules 1024 1024 1024
IPv6 IP pair rules 1024 1024 1024
Auto routing      
Policies 1024 1024 1024
IPv4 filters 1024 1024 1024
IPv6 filters 1024 1024 1024
Virtual Server      
IPv4 virtual servers 1024 1024 1024
Server IPs of an IPv4 virtual server 50 50 50
Total server IPs of enabled IPv4 virtual servers 512 512 512
IPv6 virtual servers 1024 1024 1024
Bandwidth management      
Inbound classes 99 99 99
Inbound IPv4 filters 299 299 299
Inbound IPv6 filters 1024 1024 1024
Outbound classes 99 99 99
Outbound IPv4 filters 299 299 299
Outbound IPv6 filters 1024 1024 1024
Connection limit      
Count limit rules 1024 1024 1024
Rate limit rules 512 512 512
Cache redirect      
Cache groups 1024 1024 1024
Group servers of a cache group 1024 1024 1024
Redirect rules 1024 1024 1024
Multihoming      
Global setting      
IPv4 PTR records 1024 1024 1024
PTR entries of an IPv4 PTR record 1024 1024 1024
IPv6 PTR records 1024 1024 1024
PTR entries of an IPv6 PTR record 1024 1024 1024
A record policy      
A record policies 1024 1024 1024
Total WAN links of A record policies 1024 1024 1024
AAAA record policy      
AAAA record policies 1024 1024 1024
Total WAN links of AAAA record policies 1024 1024 1024
Domain setting      
Domains 1024 1024 1024
DNSSEC private keys of a domain 100 100 100
NS records of a domain 1024 1024 1024
A records of a domain 1024 1024 1024
AAAA records of a domain 1024 1024 1024
CName records of a domain 1024 1024 1024
DName records of a domain 1024 1024 1024
SRV records of a domain 1024 1024 1024
MX records of a domain 1024 1024 1024
TXT records of a domain 1024 1024 1024
External subdomains of a domain 1024 1024 1024
NS records of an external subdomain of a domain 1024 1024 1024
Multihoming – Backup      
Remote master servers 100 100 100
Internal DNS      
Global setting      
IPv4 PTR records 1024 1024 1024
IPv6 PTR records 1024 1024 1024
Domain setting      
Domains 1024 1024 1024
NS records of a domain 1024 1024 1024
A records of a domain 1024 1024 1024
AAAA records of a domain 1024 1024 1024
CName records of a domain 1024 1024 1024
SRV records of a domain 1024 1024 1024
MX records of a domain 1024 1024 1024
External subdomains of a domain 1024 1024 1024
NS records of an external subdomain of a domain 1024 1024 1024
DNS proxy      
Intranet source rules 1024 1024 1024
Proxy domain rules 1024 1024 1024
IP-MAC mapping      
Mapping rules 1024 1024 1024
Tunnel Routing      
Tunnel groups 100 400 1000
Tunnels of a tunnel group 16 16 16
Total enabled tunnels 2500 2500 2500
Default rules of a tunnel group 1024 1024 1024
Routing rules 1024 1024 1024
Persistent rules 1024 1024 1024
Reports      
IP annotations 1024 1024 1024
Scheduled emails 20 20 20


FortiWAN Database Data Utility

Database Data Utility

FortiWAN’s Reports keeps report data in the built-in hard disk (HDD) for long-term analysis and reports. As the data increases, disk storage consumption increases. The DB data utility provides functions to manage FortiWAN Reports database:

  • Backup: Back up report data for migration.
  • Delete: Delete report data to release disk space.
  • Restore: Restore backup data to the Reports database.

The DB data utility is a Web-based management tool providing limited features very similar to the Reports database tool.

Go to Reports > Settings > DB Data Utility, an operation panel with tabs Backup, Restore and Delete is shown.

Backup

This feature allows you to back up the database for a single day. To have backups of several days, you will need to either perform the backups individually (day by day) or install the Reports Database tool on your local computer to perform a single database backup covering several days.

To backup report data of a single date, click the Backup tab on the panel and simply follow the steps:

  1. Click the Date field to open the calendar and specify a date for backup.
  2. Click the Backup button to start the data backup procedure. The backup file will be named in the form Default_yyyymmdd.data by default, such as Default_20161007.data. This backup file will be required when you restore it back to FortiWAN.

Restore

To restore a data backup to Reports, click the Restore tab on the panel and simply follow the steps:

  1. Click the field Select the data file to restore to select a backup file (.data file) for restoring.
  2. Click the Restore button to start data restore procedure.

Note that it is not allowed to backup or restore report data of the current date (today) since FortiWAN Reports is receiving and processing the data for today. The operations are available for data before today.

Note that both the Web-based database data utility and the Reports database tool use the common backup file format (.data), which implies that a backup file (.data), whether it is generated by the Web-based database data utility or the Reports database tool, can be restored to the Reports database either way.

Delete

To delete report data from the database, click the Delete tab on the panel and simply follow the steps:

  1. Click the From date field to open the calendar and specify the start date for deleting.
  2. Click the To date field to open the calendar and specify the end date for deleting.
  3. Click the Delete button to delete the report data of the specified period.

