FortiSIEM What's New In 4.4.3

What’s new in Release 4.4.3

This release contains the following bug fixes and enhancements.

| Bug ID | Severity | Component | Description |
| --- | --- | --- | --- |
| 13806 | Major | Performance Monitoring | Server restart detection based on uptime does not always work correctly in one case: the server was in maintenance mode, this is the first check after maintenance, and the server restarted during maintenance. |
| 14527 | Major | App Server | Newly created Blocked IP and Domain groups cannot always be downloaded correctly by the back-end modules, because the name in the malware value group is incorrectly replaced by the natural ID. |
| 14565 | Major | App Server | Adding an incident-related report to the Business Service Dashboard can cause the Dashboard to show no results. |
| 14650 | Major | App Server | Upgrade from 4.4.1 to 4.4.2 may lead to duplicate Windows Servers in CMDB. In 4.4.2, the hardware serial number is added to Windows servers from BIOS discovery via WMI. If a Windows server existed in CMDB before 4.4.2, rediscovery in 4.4.2 would create a new Windows server in CMDB with the hardware serial number. The two Windows servers, one without a hardware serial number and one with, would not be merged. Workaround in 4.4.2: delete the Windows server without the hardware serial number. |
| 14652 | Major | App Server | Some rules created before 4.4.2 do not work after upgrade. The rule caching optimization introduced in 4.4.2 has a bug that ignores some rules with empty created-date values. Workaround in 4.4.2: disable and then re-enable the rule. |
| 14705 | Major | App Server | User edits to interface speeds are overwritten by Discovery. This bug was introduced when two fields (sent speed and receive speed) were added to replace the single interface speed field. |
| 14726 | Major | App Server | Custom properties (such as global CPU utilization thresholds and per-device CPU utilization thresholds) are lost after upgrade. |
| 14201 | Normal | Parser | Drop IPv6 NetFlow records if IPv6 and IPv4 records are mixed in received NetFlow records, since IPv6 records are not currently handled and they take up a lot of storage space. |
| 14476 | Normal | System | Disable rate limiting in rsyslog, so that all internal logs are accurately received by the system. |
| 14477 | Normal | Performance Monitoring | The Performance Monitor module sometimes crashes due to memory corruption. |
| 14528 | Normal | App Server | Blocked Domain and IP fields cannot be downloaded if a field contains a double quote. |
| 14666 | Normal | Performance Monitoring | The character sequence \" in a raw message causes custom WMI-based performance monitors to report errors. |
| 14690 | Normal | Data | The "A system User Created" rule is incorrectly categorized as an Availability rule. |
| 14700 | Normal | Data Manager | Do not abort when the DataManager module fails to create directories in NFS. Instead, create a log PH_UNABLE_CREATE_DIR_1; the rule "System Critical: DataManager event store failed" would then trigger. |
| 14724 | Normal | Report Worker | In the Summary dashboard, the display of the Availability Status column depends on the display of the Ping Packet Loss column, so if the Ping Packet Loss column is removed, the Availability Status column is also not displayed. |
| 14395 | Enhancement | System | Optimize the number of value group requests from back-end modules to the Application Server by caching. This reduces the load on the Application Server, especially when there are many value groups resulting from a large number of organizations, business services, or CMDB objects used in rules and reports. |
| 14567 | Enhancement | System | Beaconing: report Unknown Event Types as aggregates, not the raw events themselves. |
| 14584 | Enhancement | Discovery, Performance Monitoring | Add discovery and performance monitoring for the Cisco FirePower IPS module. |
| 14688 | Enhancement | Discovery, Performance Monitoring | Add discovery and performance monitoring for Dell NSeries 4xxx switches. |
| 14691 | Enhancement | Discovery, Performance Monitoring | Add discovery and performance monitoring for H3C Comware. |
| 14684 | Enhancement | App Server | Bound the number of API-downloaded threat feed entries in the AccelOps CMDB. By default, no more than 100K active entries per threat feed group are kept in the AccelOps CMDB. This number can be increased or decreased by the user at their own risk. Since there is no guarantee on the quality and number of items in an external threat database, a sudden surge of downloaded entries can have a detrimental effect on AccelOps system performance. |
| 14720 | Enhancement | Data | Parse a new format of Bit9 syslog. |
| 14651 | Enhancement | Data | Parse Dell NSeries syslog. |
| 14671 | Enhancement | Data | Squid parser enhancements for RHEL 7 and Squid 3.3. |
| 14694 | Enhancement | Data | DHCP logs generated by the AccelOps Windows Agent must also populate the Identity Location table. |
| 14699 | Enhancement | Data | Add 11 more Windows Security event types. |
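Bug 14476 above turns off rate limiting in rsyslog so that internal logs are not silently discarded. The following excerpt is an illustration added here, not the configuration FortiSIEM ships and not taken from this release: it uses rsyslog's general imuxsock module parameters (the file path, the 5-second/200-message values and the process IDs in the comments are constructed for the example) to show the rate-limited setting beside the corrected one and the log line that tells you whether drops were happening.

```conf
# /etc/rsyslog.conf (excerpt) -- added illustration, not the FortiSIEM file.
# Only one module(load="imuxsock") statement may appear; the weak setting is
# left commented out so the two variants can be compared side by side.

# Weak setting: at most 200 messages per 5-second interval are accepted from
# any single process on the system log socket; the rest are discarded.
# A back-end module that logs in bursts loses events here, and the only
# trace is a line such as
#   imuxsock begins to drop messages from pid 2123 due to rate-limiting
# followed later by
#   imuxsock lost 417 messages from pid 2123 due to rate-limiting
#
# module(load="imuxsock"
#        SysSock.RateLimit.Interval="5"
#        SysSock.RateLimit.Burst="200")

# Corrected setting: an interval of 0 disables the limiter, so every message
# written to the system socket is kept.
module(load="imuxsock"
       SysSock.RateLimit.Interval="0")

# Equivalent legacy-syntax directives for older rsyslog versions (5.x/7.x),
# which must appear before any input is loaded:
# $SystemLogRateLimitInterval 0
# $SystemLogRateLimitBurst 200
```

To verify on a running system, search the local log destination for the "due to rate-limiting" messages quoted in the comments; their presence means internal events were already being dropped before the change. On hosts that feed rsyslog from journald through imjournal rather than imuxsock, that input has its own limiter with analogous Ratelimit.Interval and Ratelimit.Burst parameters and needs the same treatment.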

This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (a cybersecurity consulting firm).
