FortiSIEM Custom Configuration Change Monitoring

This feature provides a way to collect the configuration files of any device that can be reached over SSH and to monitor them for changes.

Define a new vendor, model (Optional)

If the device vendor and model are not yet defined in FortiSIEM, the new definition needs to be added first.

To check whether your device is already defined

  1. Go to Admin > Device Support > Device/App Types
  2. In the Search area, type in the vendor name and see if it exists.

To add a new device type

  1. Go to Admin > Device Support > Device/App Types
  2. Click New
  3. Fill in the following information
    1. Vendor: Type in the name of the Vendor (e.g. Fortinet or Cisco)
    2. Model: Type in the model. Be very generic and prefer the software name (e.g. FortiOS, IOS); do not enter the hardware model of an appliance
    3. Version: Most of the time ANY
    4. Device/App Group: Select the CMDB Group to which the new device will belong
    5. Business Service Group: Select the Business Service Group to which the new device will belong
    6. Description: Add a description
  4. Click Save

Create a valid access method
  1. Go to Admin > Setup > Credentials (Step 1)
  2. Click Add.
  3. Create an SSH credential
    1. Device Type – Select your device
    2. Access Protocol – Set to SSH
    3. Define User Name and Password
  4. Click Save
  5. Go to Admin > Setup > Step 2: IP Range to Credentials
  6. Click Add
  7. Enter the following information for IP Range to Credential Mapping
    1. IP/Range – the access IP of the device
    2. Credentials – pick the credential created in step 3
    3. Click OK
  8. Select the entry and click Test Connectivity or Test Connectivity without Ping
  9. Make sure Test Connectivity succeeds (FortiSIEM can log in over SSH with the credential) before continuing

Create a Performance Object
  1. Go to Admin > Device Support > Performance Monitoring
  2. Under the Performance Object area, click New
  3. Enter the following information to create a new Performance Object
    1. Name – enter a name for reference
    2. Type – set to System
    3. Method – set to LOGIN
    4. Used For – set to Configuration Monitoring
    5. Expect Script – Click Upload to store the configuration-pulling expect script in FortiSIEM
    6. Polling Frequency – determines how often configuration will be pulled – recommended 30 minutes
  4. Click Save
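The Expect Script uploaded above is where the actual configuration pull happens, and the page does not show one. The following is an added example, not code from the original page or from Fortinet: an expect script that logs in to a FortiOS device over SSH, dumps the running configuration with show full-configuration, and prints it to stdout. It assumes FortiSIEM invokes the script as script.exp <host> <username> <password> and stores whatever it writes to stdout as the device configuration; verify both against the documentation for your FortiSIEM version before relying on it. The error handling is what a practitioner wants in a polling job: every wait has a timeout and an eof branch, so a silent or refusing device fails the poll quickly and visibly instead of leaving a hung ssh on the collector.

```expect
#!/usr/bin/expect -f
# Added example (not from the original page, not Fortinet code): pull the
# running configuration from a FortiOS device and write it to stdout.
# Assumptions to verify for your FortiSIEM version:
#   - the script is invoked as:  script.exp <host> <username> <password>
#   - whatever the script writes to stdout is stored as the device configuration

if {[llength $argv] != 3} {
    puts stderr "usage: $argv0 <host> <username> <password>"
    exit 1
}
lassign $argv host user pass

set timeout 60      ;# fail instead of hanging forever on a silent device
log_user 0          ;# keep the SSH dialogue (and the password) out of stdout

# Host keys are checked: seed known_hosts on the collector (ssh-keyscan) rather
# than setting StrictHostKeyChecking=no, which would accept a MITM silently.
spawn ssh -o StrictHostKeyChecking=yes -o PreferredAuthentications=password \
          -o NumberOfPasswordPrompts=1 -l $user $host

# Log in. A FortiOS pre-login banner must be acknowledged with "a" first.
expect {
    -ex "(Press 'a' to accept):"       { send -- "a"; exp_continue }
    -re {[Pp]assword:}                 { send -- "$pass\r" }
    -ex "Host key verification failed" { puts stderr "unknown host key for $host"; exit 2 }
    timeout { puts stderr "no password prompt from $host"; exit 2 }
    eof     { puts stderr "ssh to $host exited before login"; exit 2 }
}

# Learn the exact prompt (e.g. "FGT-01 #") so the end of the dump is unambiguous.
expect {
    -re {([^\r\n]*[#$]) ?$}  { set prompt $expect_out(1,string) }
    -re {[Pp]assword:}       { puts stderr "authentication failed for $user@$host"; exit 3 }
    timeout { puts stderr "no prompt after login"; exit 2 }
    eof     { puts stderr "connection closed after login"; exit 2 }
}

# Pull the full configuration. Rather than changing the device's pager setting
# (which is itself a configuration change and would show up as one), page
# through every "--More--" and strip the markers afterwards.
set config ""
send -- "show full-configuration\r"
expect {
    -ex "--More--"    { append config $expect_out(buffer); send -- " "; exp_continue }
    -ex "\n$prompt"   { append config $expect_out(buffer) }
    timeout { puts stderr "timed out while reading configuration"; exit 4 }
    eof     { puts stderr "connection closed during configuration dump"; exit 4 }
}
send -- "exit\r"
expect eof

# Normalise: drop pager residue (the marker and the space/backspace erase
# sequence that follows it), carriage returns, the echoed command line and the
# trailing prompt, so two polls of an unchanged device compare identical.
regsub -all {--More--[ \x08\r]*} $config "" config
regsub -all {\r} $config "" config
set lines [split $config "\n"]
set lines [lrange $lines 1 end-1]   ;# first line echoes the command, last is the prompt
puts [join $lines "\n"]
exit 0
```

Test it by hand on the collector (expect script.exp 192.0.2.10 fsmuser 'password' > fgt.conf) before uploading, and check that fgt.conf starts at the first config line and ends without a prompt. Note that passing the password as an argument exposes it in the process list of the collector for the duration of the poll, so the monitoring account should be a read-only FortiOS admin profile, not a super_admin.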

Create Device Type to Performance Object association
  1. Go to Admin > Device Support > Performance Monitoring
  2. Under the Device Type to Performance Object Association area, click New
  3. Enter the following information to create an association
    1. Name – enter a name for reference
    2. Device Types – select the relevant device type for custom configuration polling
    3. Perf Objects – Select the performance object created in the previous step
  4. Click Save

Discover the device
  1. Go to Admin > Setup > Discovery
  2. Click Add
  3. In Include Range, enter the IP address of the device
  4. Click OK
  5. Select the entry and then click Discover

Validation Check

During discovery the expect script is executed against the device and the pulled configuration is stored in FortiSIEM; from then on it is re-pulled at the polling frequency set on the performance object.

  1. Go to Admin > Setup > Monitor Change/Performance. Search for the device and check that the configuration monitoring task is listed under System Monitor
  2. Search for the device in the CMDB and check that its configuration appears under the Configuration tab for the selected device
This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
