FortiSIEM Scheduling a Discovery

Discovery can be a long-running process when performed on a large network, or over a large IP range, and so you may want to schedule it to occur when there is less load on your network or during off hours. You may also want to set up a schedule for the process to run and discover new devices on a regular basis.

  1. Log in to your Supervisor node.
  2. Go to Admin > Setup Wizard > Discovery.
  3. Click Schedule.
  4. Click the +
  5. Select from the available ranges.

You can select multiple ranges and set the order in which discovery will run on them by using the up and down arrows.

  6. Set the time at which you want discovery to run.
  7. For a one-time scheduled discovery, enter a Date for the discovery to run.
  8. For recurring discoveries, select how often (hourly, daily, weekly, monthly) you want discovery to run, and then enter the other scheduling options.
  9. Click OK.

FortiSIEM Discovery Range Definition Options

When you set the range definition for your discovery processes, several options are available for how you want the discovery process to run.

Discovery Type
Four types of scans are available for the discovery process:

Smart Scan: Smart Scan is an optimized search method in which only the live devices in the network are searched. To use Smart Scan, you first provide a root device (typically the first-hop Layer 3 router). FortiSIEM discovers the root device and learns its first-hop neighbors from its ARP table. Those devices are then discovered using the existing credentials, and their one-hop neighbors are discovered in turn. This continues until no more devices are discovered. Often a single Layer 3 router, switch, or firewall is sufficient to discover the entire network. However, if a firewall that blocks SNMP is installed, then devices on either side of the firewall need to be provided as root devices. Smart Scan is usually faster than Range Scan, but in rare cases discovery can miss a device that is quiet and therefore not present in the ARP table of any adjacent device.

Range Scan (default): In contrast to Smart Scan, Range Scan is a brute-force method in which FortiSIEM attempts to discover all the devices in the IP ranges you provide. With Range Scan, FortiSIEM first attempts to ping a device, and if that succeeds, discovery proceeds.

AWS Scan: AWS Scan is used to discover devices in Amazon Web Services. See Discovering Amazon Web Services (AWS) Infrastructure for more information.

L2 Scan: L2 Scan is used to update the Layer 2 connectivity information used in the Identity and Location report. It does not discover system and application monitors, installed and running software, or users and groups, and, in contrast to the other scan methods, it does not update the CMDB and so executes more quickly.

Root IPs
For Smart Scan only, provide the root IPs from which you want the Smart Scan to start.

Include/Exclude Domains (AWS Only)
Enter the domains you want to include in or exclude from the discovery process.

Include/Exclude Zones (AWS Only)
Enter the zones you want to include in or exclude from the discovery process.

Include/Exclude Ranges
Enter the IP addresses or host names you want to include in or exclude from the discovery process.

Include/Exclude Device Types
Click the Edit icon to select the device types you want to include in or exclude from the discovery process. Note that if you have entries for both of these options, the discovery process will prioritize included devices over excluded ones.

Do Not Ping Before Discovery
To save time, FortiSIEM first attempts to reach devices by ping before initiating discovery. Select this option if ping has been disabled on your network; otherwise discovery will fail.

Ping Only Discovery
Select this option if you are only interested in discovering whether a device or service is up or down.

Only Discover Devices not in CMDB
If you select this option, discovery will only find those devices whose IP addresses do not match the address of any device already in the CMDB. To make an exception to this rule, specify a list of IP addresses in the Exclude Ranges field. The primary use case for this is indirect device discovery, such as vCenter-based VM discovery or WLAN controller-based access point discovery. By specifying the vCenter IP address in the Exclude Ranges field, new guest VMs can always be discovered even if the vCenter itself is already in the CMDB.

Include Powered Off VMs
By default, only powered-on VMs are discovered; select this option to also discover VMs that are powered off.

Include VM Templates
By default, VM templates are not discovered; select this option to include them.

Discover Routes
This option is selected by default. If you clear it, discovery will not use the route table to find next-hop devices. Clearing it can be useful if your network includes border routers, since following their routes can significantly increase the time required for discovery.
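The Smart Scan walk, the Range Scan ping pre-check, and the "Only Discover Devices not in CMDB" exception are easier to reason about when simulated. The following Python block is an added example and is not FortiSIEM code: the topology, ARP tables, SNMP- and ICMP-blocked hosts, CMDB contents and IP ranges in it are constructed sample data, and the function names are assumptions chosen for the illustration. It goes a little beyond the table by also modelling the "Do Not Ping Before Discovery" option as a parameter of the range scan.

```python
"""Added illustration (not FortiSIEM code) of three behaviours from the
Discovery Range Definition Options table: Smart Scan, Range Scan with and
without the ping pre-check, and "Only Discover Devices not in CMDB" with the
Exclude Ranges exception. All hosts, ARP tables and CMDB contents below are
constructed sample data."""
import ipaddress
from collections import deque

# Constructed topology: each device's ARP table lists its one-hop neighbours.
# 10.0.1.254 is a firewall that blocks SNMP to itself, so its ARP table can
# never be read and the 10.0.2.0/24 side is invisible from the 10.0.1.1 root.
ARP_TABLES = {
    "10.0.1.1":   ["10.0.1.10", "10.0.1.11", "10.0.1.254"],  # core router
    "10.0.1.10":  ["10.0.1.1"],
    "10.0.1.11":  ["10.0.1.1", "10.0.1.12"],
    "10.0.1.12":  ["10.0.1.11"],
    "10.0.1.254": ["10.0.1.1", "10.0.2.254"],                 # firewall
    "10.0.2.254": ["10.0.1.254", "10.0.2.1"],
    "10.0.2.1":   ["10.0.2.254", "10.0.2.20"],                # router behind firewall
    "10.0.2.20":  ["10.0.2.1"],
}
SNMP_BLOCKED = {"10.0.1.254"}   # credentials never succeed here
ICMP_BLOCKED = {"10.0.1.12"}    # answers SNMP but not ping
QUIET_HOSTS = {"10.0.1.30"}     # online, but absent from every ARP table
LIVE_HOSTS = set(ARP_TABLES) | QUIET_HOSTS


def credential_ok(ip):
    """True when the configured SNMP credential works against ip (simulated)."""
    return ip in LIVE_HOSTS and ip not in SNMP_BLOCKED


def smart_scan(root_ips):
    """Breadth-first walk from the root devices: discover a device, read its ARP
    table, queue the one-hop neighbours, stop when nothing new is learned.
    Returns (discovered, failed) in the order the devices were attempted."""
    discovered, failed = [], []
    queue, seen = deque(root_ips), set(root_ips)
    while queue:
        ip = queue.popleft()
        if not credential_ok(ip):
            failed.append(ip)            # no ARP table to read, walk stops here
            continue
        discovered.append(ip)
        for neighbour in ARP_TABLES.get(ip, []):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return discovered, failed


def range_scan(cidrs, ping_first=True):
    """Brute force: try every address in the ranges. With ping_first (the
    default) an address that does not answer ping is skipped; passing False
    corresponds to selecting 'Do Not Ping Before Discovery'."""
    discovered, failed = [], []
    for cidr in cidrs:
        for host in ipaddress.ip_network(cidr, strict=False).hosts():
            ip = str(host)
            if ping_first and (ip not in LIVE_HOSTS or ip in ICMP_BLOCKED):
                continue                 # ping failed, device assumed absent
            if credential_ok(ip):
                discovered.append(ip)
            elif ip in LIVE_HOSTS:
                failed.append(ip)        # e.g. the firewall: up, but SNMP blocked
    return discovered, failed


def new_devices_only(candidates, cmdb_ips, exclude_ranges):
    """'Only Discover Devices not in CMDB': drop candidates already in the CMDB,
    except those inside Exclude Ranges (e.g. a vCenter whose guest VMs should
    be rediscovered even though the vCenter itself is already known)."""
    exceptions = [ipaddress.ip_network(r, strict=False) for r in exclude_ranges]
    keep = []
    for ip in candidates:
        addr = ipaddress.ip_address(ip)
        if ip not in cmdb_ips or any(addr in net for net in exceptions):
            keep.append(ip)
    return keep


if __name__ == "__main__":
    print("smart scan, one root:  ", smart_scan(["10.0.1.1"]))
    print("smart scan, both sides:", smart_scan(["10.0.1.1", "10.0.2.1"]))
    print("range scan, ping first:", range_scan(["10.0.1.0/24"]))
    print("range scan, no ping:   ", range_scan(["10.0.1.0/24"], ping_first=False))
    print("new devices only:      ", new_devices_only(
        ["10.0.1.1", "10.0.1.10", "10.0.1.30", "10.0.1.100"],
        cmdb_ips={"10.0.1.1", "10.0.1.10", "10.0.1.100"},   # 10.0.1.100 = vCenter
        exclude_ranges=["10.0.1.100/32"]))
```

Running the block shows the four points the table makes: a single root at 10.0.1.1 never reaches the 10.0.2.0/24 side because the firewall's ARP table cannot be read, adding 10.0.2.1 as a second root covers both sides, the quiet host 10.0.1.30 is found only by Range Scan, and 10.0.1.12 (which does not answer ping) is found by Range Scan only when the ping pre-check is turned off.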

FortiSIEM Inspecting Changes Since Last Discovery

After you run discovery for the first time, FortiSIEM keeps track of changes to your discovered devices during subsequent discovery runs, including new devices, changed devices, and failed devices.

  1. Log in to your Supervisor node.
  2. Go to Admin > Discovery Results.
  3. Select a discovery result.
  4. Click View Changes.
  5. Expand the folder Discovery Delta.
  6. Move your mouse cursor over a folder or item until a blue Information icon appears, and then click on the icon to view basic information about the item.

FortiSIEM Inspecting Event Pulling Methods for Devices

Once you have discovered and approved the devices in your IT infrastructure, you should verify that the FortiSIEM perfMonitor module is polling them over the correct access protocol and pulling event information from them. If you are having issues collecting performance metrics from your devices, you should begin troubleshooting by first checking the status of the event pulling method for the device.

  1. Go to Admin > Setup Wizard > Pull Events.
  2. Review the Event Pulling Status for each of your discovered devices.
Successful
If event information is being pulled from the device, the name of the event pulling method is rendered in plain black text.

Added but Not Monitored
If the name of the event pulling method has a Star icon next to it, event information can be successfully pulled from the device, but the perfMonitor module has not yet initiated monitoring.

Paused
A Pause icon indicates that event information is not being pulled from the device because it failed the verification check at the beginning of the monitoring cycle. This is usually caused by an issue with the access protocol credentials: the credential was valid when discovery succeeded, so the event pulling method was able to monitor the associated metrics, but the perfMonitor module later failed on the same credential. Check the access protocol credentials associated with the device and its event pulling methods, and then re-initiate discovery of the device.

Failed
An Alert icon and the name of the event pulling method in red indicate that adding that event pulling method for the device failed.

  3. Click Show Errors to view a more detailed description of any errors associated with an event pulling method.
  4. Click Edit to change any of the event pulling methods associated with a device.
  5. Click Apply to apply any changes to your event pulling methods.
  6. Click Test Pull Events to test any changes you make.

FortiSIEM Approving Newly Discovered Devices

When devices are discovered by FortiSIEM, monitoring of them begins automatically, and incidents for those devices will trigger automatically based on the rules associated with that device. However, you can configure the Discovery Settings so incidents will be triggered only for devices you approve. If you select Approved Devices Only for Allow Incident Firing On, then you will need to approve devices before incidents will be triggered for those devices, but they will still be monitored and added to the CMDB.

  1. Log in to your Supervisor node.
  2. Go to Admin > Discovery Results.
  3. Select a discovery result.
  4. Click View Changes.
  5. Expand the folder Discovery Delta.
  6. Expand the folder New Devices.
  7. Select the devices you want to approve, and click Approve Selected.

You can approve all the new devices at once by selecting the New Devices folder and then clicking Approve All.

Related Links

Discovery Settings

FortiSIEM Discovering Microsoft Azure Infrastructure

Discovering Microsoft Azure Cloud infrastructure follows the same basic process described in Setting Access Credentials for Device Discovery and Discovering Devices, but requires a different approach to associating credentials with IP addresses, since Azure uses dynamic, rather than static, IP address assignment.

Create a Certificate file for communicating to Azure Management Server

Setting Access Credentials for Microsoft Azure Discovery

Associating Microsoft Azure with Credentials

Discovering Microsoft Azure Compute Nodes

Create a Certificate file for communicating to Azure Management Server

  1. Log in to the Azure old portal and upload the .cer file under Settings > "Management Certificates".

Setting Access Credentials for Microsoft Azure Discovery
  1. Log into your Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. Under Enter Credentials, click Add.
  4. Enter a Name for the credential.
  5. For Device Type, select Microsoft Azure Compute.
  6. For Subscription ID, enter .
  7. Upload the Certificate File, and enter the region where your AWS instance is located.
  8. Enter the Access Key ID and Secret Access Key associated with your AWS instance.
  9. Click Save.
Associating Microsoft Azure with Credentials

After you’ve defined all the credentials associated with the access protocols used by devices in your Microsoft Azure instance, you need to associate those credentials with the Azure host.

  1. Log into your Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. Under Enter IP Range to Credential Associations, click Add.
  4. For IP/Host Name, enter com.
  5. Click +, and add the Microsoft Azure Compute credential created in “Setting Access Credentials for Microsoft Azure Discovery”, as well as any other generic credentials you’ve created.
  6. Click OK.
  7. Click Test Connectivity to make sure you can reach your instance and that all credentials are entered correctly before you initiate discovery.
Discovering Microsoft Azure Compute Nodes

After you’ve defined and tested all the credentials, you can proceed to discovery.

  1. Log into your Supervisor node.
  2. Go to Admin > Setup Wizard > Discovery.
  3. Click Add.
  4. For Discovery Type, select Azure Scan.
  5. Click
  6. Select the entry just created and click

If discovery is successful, your discovered instances will be added to Admin > Setup Wizard > Monitor Change/Performance and CMDB > Devices > Microsoft Azure Cloud > Azure Compute.

FortiSIEM Discovering Amazon Web Services (AWS) Infrastructure

Discovering infrastructure in AWS follows the same basic process described in Setting Access Credentials for Device Discovery and Discovering Devices, but requires a different approach to associating credentials with IP addresses, since AWS uses dynamic, rather than static, IP address assignment. The generic AWS SDK credential is used to discover Amazon Machine Instances (AMIs) and associated information such as host name, instance ID, and instance state, while credentials for generic versions of WMI, SMTP, and other access protocols are used to discover the associated devices as you would in any other discovery process.

Setting Access Credentials for AWS Instances

Associating the AWS Host with Credentials

If you have not already configured Access Keys and permissions on AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies.

Setting Access Credentials for AWS Instances
  1. Log into your Supervisor node.
  2. Go to Admin > Setup Wizard > Discovery.
  3. Under Enter Credentials, click Add.
  4. Enter a Name for the credential.
  5. For Device Type, select Amazon AWS SDK.
  6. For Access Protocol, select AWS SDK.
  7. For Region, enter the region where your AWS instance is located.
  8. Enter the Access Key ID and Secret Access Key associated with your AWS instance.
  9. Click Save.
Associating the AWS Host with Credentials

After you’ve defined all the credentials associated with the access protocols used by devices in your AWS instance, you need to associate those credentials with the AWS host. In other deployment configurations you would associate credentials with the IP addresses corresponding to your device locations, but since AWS uses dynamic IP addressing, you need to associate all your credentials with the same host.

  1. Under Enter IP Range to Credential Associations, click Add.
  2. For IP/Host Name, enter com.
  3. Click +, and add the AWS SDK credential, as well as any other generic credentials you’ve created.
  4. Click OK.
  5. Click Test Connectivity to make sure you can reach your instance and that all credentials are entered correctly before you initiate discovery.

Both the connectivity test and the discovery process first connect to the Amazon instances, and from there attempt to connect to the private IPs of the discovered instances using the other access protocols.

  6. You can now initiate discovery of your instances and associated devices as described in Discovering Devices, but for Discovery Type, select AWS Scan.

If discovery is successful, your discovered instances and devices will be added to Admin > Setup Wizard > Monitor Change/Performance, and in CMDB > Devices you will see an Amazon EC2 directory, which will include your discovered instances. If you have defined other access credentials, the discovered devices will also appear in that directory, as well as under CMDB > Server. You can query these devices from either directory.

FortiSIEM Discovering Devices

Prerequisites

Make sure you have configured the Discovery Settings for your deployment.

Set up the Access Credentials for your devices so FortiSIEM can communicate with them.

Procedure

After you have set up the access protocols for your devices as described in Setting Access Credentials for Device Discovery, you are ready to discover devices in your IT infrastructure.

  1. Log in to your Supervisor node.

Discovering Devices for Multi-Tenant Deployments

If you have a multi-tenant FortiSIEM deployment that uses Collectors and you want to discover devices for a specific organization rather than the Global organization, log in to your Supervisor node as an admin user for that organization. See Discovery for Multi-Tenant Deployments for more information about how discovery works for multi-tenant deployments with and without Collectors.

  2. Go to Admin > Setup Wizard > Discovery.
  3. Click Add.

You can also schedule single or recurring discovery processes as described in Scheduling a Discovery.

  4. In the Range Definition dialog, set the options for this discovery.

See Discovery Range Definition Options for more information about the options available in this dialog.

  5. Click OK.

Your range definition will be added to the list.

  6. Select your range definition, and then click Discover.

A discovery dialog will show you the progress of your discovery. For long-running discoveries, you can use the Run in Background option.

  7. When discovery completes, the results will be displayed in the dialog. Click Errors to view any errors.

Possible Causes of Discovery Errors

If there are errors during the discovery process, the Errors screen will inform you of their severity, impact, and potential resolution. Some possible reasons for errors include:

A device is not online or not reachable via ping. FortiSIEM attempts to ping devices before initiating a full discovery in order to save time.

A device is not responding to SNMP or WMI requests, or a firewall is blocking these requests from FortiSIEM.

The SNMP/WMI credentials are incorrect.

WMI may not have been set up correctly on the server. See the appropriate topic under Configuring External Systems for Discovery, Monitoring and Log Collection for how to configure WMI for your device.

Approving Newly Discovered Devices

If you selected Approved Devices Only for the discovery setting Allow Incident Firing On, as described in Discovery Settings, then you will need to approve your newly discovered devices before incidents will be triggered for those devices. See Approving Newly Discovered Devices for more information.