FortiSIEM Setting Access Credentials for Device Discovery

Setting Access Credentials for Device Discovery

Before you can discover devices, you need to provide the access protocol and credentials associated with the IP address or range where your devices are located. FortiSIEM will then use this information to access your devices, pull information from them, and begin monitoring them.

Access Protocols Required for Discovery

SNMP, VM SDK (for VMware vCenter), or WMI (for Windows devices) must be one of the access protocols for which you provide credentials in order for the devices associated with an IP address or range to be discovered. If your device does not use one of these protocols, then you must configure it to communicate with FortiSIEM as described in the topics under Configuring External Systems for Discovery, Monitoring and Log Collection. As described in those topics, you may also need to set up additional configurations within your devices to send logs and other information to FortiSIEM.

Associate Credentials Only with the IP Address Where They Will be Used

Credentials should only be associated with IP addresses where they can be used. Assigning multiple credentials to IP addresses where they are not used will trigger discovery operations for each credential, and the system will wait for a timeout to occur for each credential before it moves to the next one. This will cause the discovery process to require much more processing time and processing power from the FortiSIEM system. You can, however, associate the same credential (for example, a generic SNMP access credential) to multiple IP addresses where it will be used to communicate with a device over that protocol.


Before starting the discovery process, credentials need to be defined and then associated to specific IP addresses.


Define Credentials
  1. Log into your Supervisor node.
  2. Go to Admin > Setup Wizard > Discovery.
  3. Under Enter Credentials, click Add.
  4. Enter a Name for the credential.
  5. Select a Device Type to associate with the credential.
  6. Select the Access Protocol for which you want to enter credentials.

Note that the Device Type selection determines which Access Protocols are available. Change the default destination ports only if needed.

  7. Choose the Password Configuration method:
    1. Manual – you define the credentials in FortiSIEM.
    2. CyberArk – FortiSIEM fetches the credentials from CyberArk when they are needed.
  8. If you chose Manual, enter the credentials required for the Access Protocol.
  9. If you chose CyberArk, enter the CyberArk parameters:
    1. AppID must be set to FortiSIEM.
    2. Safe, Folder, Object: the CyberArk Vault Safe, Folder and Object where the credential is defined.
    3. User Name: the User Name of the credential.
    4. Platform (Policy ID): the platform-related property of the credential. Specify this only if the property is also set in CyberArk; the match is case sensitive.
    5. Database: a property of database credentials. Specify this only if the property is also set in CyberArk; the match is case sensitive.
    6. Include Address for Query: if checked, FortiSIEM queries the CyberArk credential by IP address or host name. Check this if your CyberArk credential objects are keyed by IP address.
  10. Click Save. The credential you created is added to the list.

Specify Device to Credential Mapping
  1. Under Enter IP Range to Credential Associations, click Add.
  2. Select the credential you just created from the list.

Note that you can add multiple credentials to the same IP/host entry in this step by clicking +.

  3. Enter an IP address, IP range, or Host Name to associate with the credential.
Test Connectivity

You need to perform a Test Connectivity to make sure that the credentials are correct.

  1. Select the IP/credential association you just created, and click Test Connectivity. A ping will be performed first to make sure that the host is alive. If ping is disabled in your network, then choose Test Connectivity without ping.

A dialog will show you the results of your connectivity tests. Note that the connectivity tests can take several minutes, so you may want to use the Run in Background option.
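The following is an added example, not FortiSIEM code or any FortiSIEM API: it reproduces what a Test Connectivity check does for an SNMP credential (ping, then a single SNMPv2c GET of sysDescr.0) with a hand-built BER encoder and decoder, so the failure modes are visible. The community string "public", the constructed reply in sample_response() and the Linux ping flags are assumptions; a v2c agent silently drops a request with a wrong community, which is why a bad credential shows up as a timeout and not as an error reply.

```python
import random
import socket
import subprocess

# Added example, not FortiSIEM code: an SNMPv2c GET for sysDescr.0, the kind
# of probe a Test Connectivity check makes once ping succeeds.
SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"

def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _int(value):
    """BER INTEGER, minimal two's-complement encoding."""
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def _oid(dotted):
    """BER OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_get_request(community, oid=SYS_DESCR_OID, request_id=1):
    """SNMPv2c GetRequest (version octet 1) carrying one OID with a NULL value."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_get_response(packet, expected_request_id=None):
    """Extract the OCTET STRING value from a GetResponse; raise ValueError otherwise."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _, pos = _read_tlv(msg, 0)            # version
    _, _, pos = _read_tlv(msg, pos)          # community
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _, pos = _read_tlv(pdu, pos)          # error-index
    _, vblist, _ = _read_tlv(pdu, pos)
    _, vb, _ = _read_tlv(vblist, 0)
    _, _, pos = _read_tlv(vb, 0)             # OID
    vtag, value, _ = _read_tlv(vb, pos)
    rid, err = (int.from_bytes(x, "big", signed=True) for x in (rid, err))
    if expected_request_id is not None and rid != expected_request_id:
        raise ValueError("request-id mismatch: stale or spoofed reply")
    if err != 0:
        raise ValueError("agent returned error-status %d" % err)
    if vtag != 0x04:                         # 0x80 noSuchObject, 0x81 noSuchInstance, ...
        raise ValueError("unexpected value tag 0x%02x" % vtag)
    return value.decode("utf-8", errors="replace")

def sample_response(request_id=1, value=b"Linux edge-router 5.10 (constructed)"):
    """A constructed GetResponse so the parser can be exercised offline."""
    vb = _tlv(0x30, _oid(SYS_DESCR_OID) + _tlv(0x04, value))
    pdu = _tlv(0xA2, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, vb))
    return _tlv(0x30, _int(1) + _tlv(0x04, b"public") + pdu)

def probe(host, community="public", port=161, timeout=3.0, ping_first=True):
    """Mimic Test Connectivity: optional ping, then one SNMP GET. Returns (ok, detail)."""
    if ping_first:                           # Linux ping flags; skip when ICMP is filtered
        rc = subprocess.run(["ping", "-c", "1", "-W", "2", host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
        if rc != 0:
            return False, "no ping reply (use ping_first=False if ICMP is filtered)"
    rid = random.randrange(1, 2**31)         # unpredictable id, verified on the reply
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community, request_id=rid), (host, port))
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        # A wrong community is dropped silently by v2c agents, so it looks like a firewall drop.
        return False, "SNMP timeout: wrong community, ACL, or SNMP disabled"
    finally:
        sock.close()
    try:
        return True, parse_get_response(data, rid)
    except ValueError as exc:
        return False, str(exc)
```

Running probe("192.0.2.10", "public") against a real agent returns (True, sysDescr) on success; a (False, "SNMP timeout...") result is exactly the case the page warns about, where discovery would otherwise wait out the timeout for every credential mapped to that address.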


FortiSIEM Setting up CyberArk

Setting up CyberArk

This section specifies how FortiSIEM can be configured to fetch credentials from CyberArk.

Installing CyberArk Provider in FortiSIEM
  1. Log in to FortiSIEM as root.
  2. Run the rpm command to begin the installation:

The installation runs automatically and does not require any interactive response from the user. When the installation is complete, the following message appears: “Installation process completed successfully.”

Configuring CyberArk Provider in FortiSIEM
  1. Log in as root.
  2. Open the Vault.ini file and specify the parameters of the Vault that the Provider will access.
  3. Run CreateCredFile to create a credential file for the administrative user that will create the Vault environment during installation.
  4. Check the log file /var/tmp/aim-install-logs/CreateEnv.log to make sure that the Provider environment was created successfully.
  5. Start the CyberArk Application Password Provider service manually as a privileged user.
  6. Run ldconfig.
Configuring CyberArk for communication with FortiSIEM
  1. Log in to the CyberArk Password Vault Web Access (PVWA) interface as a user allowed to manage applications (this requires the Manage Users authorization).
  2. Add FortiSIEM as an Application:
    1. Go to Applications and click Add Application.
    2. Set Name to FortiSIEM.
    3. In Description, enter a short description that will help you identify the application (e.g. FortiSIEM SIEM).
    4. In the Business owner section, enter contact information for the application's business owner.
    5. In the lowest section, specify the Location of the application in the Vault hierarchy. If no Location is selected, the application is added in the same Location as the user creating it.
    6. Click Add; the application is added and displayed in the Application Details page.
  3. Check Allow extended authentication restrictions. This lets you specify an unlimited number of machines and Windows domain OS users for a single application.
  4. Specify the application's (FortiSIEM) authentication details. This information lets the Credential Provider check certain application characteristics before it releases the application password.
    1. In the Authentication tab, click Add; a drop-down list of authentication characteristics is displayed.
    2. Specify the OS user as “admin” and click to add it.
    3. Specify the application path as “/opt/phoenix/bin”. Make sure the Path is folder and Allow internal scripts to request credentials… check boxes are checked.
    4. Do not specify a hash.
    5. In the Allowed Machines tab, click Add and specify the IP address or host name of every FortiSIEM Supervisor, Worker and Collector.
  5. Authorize FortiSIEM to retrieve accounts:
    1. Go to Policies > Access Control (Safes).
    2. For every Safe that FortiSIEM needs to read credentials from, click Members.
    3. Click Add Safe Member.
    4. Search for FortiSIEM. An entry will already exist; select it.
    5. Check Retrieve accounts.
    6. Click Add.

Now FortiSIEM should be ready to retrieve passwords from CyberArk via Test Connectivity and Discovery.



FortiSIEM Discovery for Multi-Tenant Deployments

Discovery for Multi-Tenant Deployments

In multi-tenant deployments with organizations, the discovery process differs depending on whether or not you are using Collectors. This is because of the way in which IP addresses are used to establish the relationship between devices and organizations.

If you are using Collectors, IP address overlap between organizations is allowed

If you are not using Collectors, then each organization must have a unique IP address

These two requirements determine which administrative account you will use for discovery.

For organizations with collectors, you must initiate discovery using the administrative account associated with the organization. Every device discovered by a collector is automatically assigned to the organization that the collector belongs to.

For organizations without collectors, you must initiate discovery using the Super/Global administrative account. Devices for all organizations are discovered at the same time, and are assigned to organizations based on the IP address assignments you set up for the organization.


If a device matches only one organization’s IP address assignment, then it is assigned to that organization

If a device matches multiple organization definitions, then it is assigned to the Super/Global organization. These would typically be devices that are part of the Super/Global organization’s network backbone.
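The assignment rule above, as an added example that is not FortiSIEM code: given per-organization IP assignments, assign_organization() applies the "exactly one match wins, otherwise Super/Global" rule, and overlapping_assignments() lists the range pairs that would push devices into Super/Global, which is worth reviewing before running discovery from the Super/Global account. The organization names and ranges are constructed, and treating a device that matches no organization as Super/Global is an assumption the page does not state.

```python
import ipaddress

# Added example, not FortiSIEM code. ORG_RANGES is constructed; the rule
# that an unmatched device also lands in Super/Global is an assumption.
SUPER = "Super/Global"
ORG_RANGES = {
    "acme":   ["10.10.0.0/16", "10.30.0.0/24"],
    "globex": ["10.20.0.0/16", "10.30.0.0/24"],   # 10.30.0.0/24 is a shared backbone
}

def _nets(org_ranges):
    return {org: [ipaddress.ip_network(n) for n in nets] for org, nets in org_ranges.items()}

def assign_organization(ip, org_ranges):
    """Exactly one matching organization wins; zero or several -> Super/Global."""
    addr = ipaddress.ip_address(ip)
    matches = [org for org, nets in _nets(org_ranges).items() if any(addr in n for n in nets)]
    return matches[0] if len(matches) == 1 else SUPER

def overlapping_assignments(org_ranges):
    """Pairs of organizations whose ranges overlap. Every device in such a
    range ends up in Super/Global, so review these before discovery."""
    nets = _nets(org_ranges)
    orgs = sorted(nets)
    found = []
    for i, a in enumerate(orgs):
        for b in orgs[i + 1:]:
            for na in nets[a]:
                for nb in nets[b]:
                    if na.overlaps(nb):
                        found.append((a, b, str(na), str(nb)))
    return found
```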

Related Links

How Devices are Added to Organizations

Managing Organizations for Multi-Tenant Deployments


FortiSIEM Setting Device Location Information

Setting Device Location Information

In the Admin > General Settings > Discovery screen, you can set device locations based on IP range and organization. You can do this manually for each organization or IP range, or upload a CSV file that contains location information. This information can then be applied to devices already in the CMDB, or during the discovery process, to set their location.


Manually Creating Location Information

  1. Log into your Supervisor node.
  2. Go to Admin > General Settings > Discovery.
  3. Under Location, click Add.
  4. For Multi-Tenant deployments, enter the Organization you want to associate with the IP range and devices.
  5. Enter the IP/IP Range you want to associate with the location.

This can be in either CIDR notation, such as 192.168.64.0/24, or range notation, such as 192.168.64.0-192.168.64.255.

  6. Enter the Display Name you want to use for this location.

For example, San Jose Office, Northern California Campus, etc.

  7. Enter any additional location information that is relevant for your location.
  8. Click OK.
  9. In the Location Definition dialog, select Update Manual Devices if you also want to update devices whose locations were set manually in the CMDB.
  10. Click OK.

The location information will appear in the Location pane.

  11. Select a location in the Location pane, and then click Apply to associate all devices in the CMDB within that IP/IP range with that organization and location.

A dialog will indicate how many devices have been updated.

  12. Click OK.
  13. Go to CMDB > Devices and check that your device locations have been updated.

Uploading Location Information from a CSV File

Prerequisite

Before you can upload it, you must first create a CSV file with this format: one location rule per line, with four comma-separated columns.

Column 1: IP address, range, or subnet. Several entries may be combined in one quoted, comma-separated field.
Column 2: Location Display Name
Column 3: Update Manual Devices (false/true)
Column 4: Geographic Information (“region:;country:;state:;city:;building:;floor:;latitude:;longitude:;”)

Example (columns shown separated by | for readability):

“10.1.1.1/24,20.1.1.1-20.1.1.10” | San Jose Datacenter USA | true |
“30.1.1.10” | Fremont Datacenter USA | true | “region:North America;country:United States;state:California;city:Fremont;building:10;floor:4;latitude:3
Procedure

  1. Log into your Supervisor node.
  2. Go to Admin > General Settings > Discovery.
  3. Under Location, click Import.
  4. Browse to your CSV file and select it.
  5. Click Upload.


FortiSIEM Discovery Settings

Discovery Settings

Before you initiate discovery, you should configure the Discovery Settings in your Supervisor.

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > Discovery.
  3. Configure the settings as required for your deployment.

See Setting Device Location Information for information on how to manually enter locations for devices, or to upload a CSV file of device locations.

Setting: Virtual IPs

Often a common virtual IP address will exist on multiple machines for load balancing and failover purposes. When you discover devices, you need to have these virtual IP addresses defined within your discovery settings for two reasons:

Listing the virtual IP addresses ensures that two or more devices with the same virtual IP will not be merged into one device during discovery, so each of the load-balanced devices keeps its separate identity in the CMDB.

The virtual IP will not be used as an access IP during discovery, since the identity of the device reached via the virtual IP is unpredictable.

Click the Edit icon to enter a Virtual IP address, and then click + to add more.

Setting: Excluded Shared Device IPs

An enterprise often has servers that share credentials, for example mail servers, web proxies, and source code control servers, and a large number of users will authenticate to these servers to access their services. Providing a list of the IP addresses for these servers allows FortiSIEM to exclude them from the user identity and location calculations in the Analytics > Identity and Location report.

For example, suppose user U logs on to server M to retrieve his mail, and server M authenticates user U via Active Directory. If server M is not excluded, the Analytics > Identity and Location report will contain two entries for user U: one for the workstation that U logs into, and one for server M. You can eliminate this behavior by adding server M to the list of server IPs with shared credentials.

Setting: Allow Incident Firing On

With this setting you can control incident firing based on approved device status. If you select Approved Devices Only, then FortiSIEM uses this logic to decide whether an incident triggers:

If the incident reporting device is not approved, the incident does not trigger.

If the incident reporting device is approved, then there are two possible cases: (a) at least one Source, Destination or Host IP is approved and the incident triggers, or (b) none of the Source, Destination or Host IPs are approved and the incident does not trigger.

If you select Approved Devices Only, then when the discovery process completes you must approve devices, as described in Approving Newly Discovered Devices, before any incidents are triggered.

Setting: CMDB Device Filter

This setting allows you to limit the set of devices that the system automatically discovers from logs and NetFlow. After receiving a log from a device, the system automatically discovers that device and adds it to the CMDB. For example, when NetFlow analysis detects a TCP/UDP service running on a server, the server, along with its open ports, is added to the CMDB. Sometimes you may not want to add all of these devices to the CMDB, so you can create filters to exclude a specific set of devices from being added.

Each filter consists of a required Excluded IP Range field and an optional Except field. A device will not be added to the CMDB if it falls in the range defined in the Excluded IP Range field. For example, if you wanted to exclude the 172.16.20.0/24 network from the CMDB, you would add a filter with 172.16.20.0-172.16.20.255 in its Excluded IP Range field.

The Except field allows you to carve exceptions out of the excluded range. For example, to exclude the 172.16.20.0/24 network without excluding the 172.16.20.192/26 subnet inside it, you would add a filter with 172.16.20.0-172.16.20.255 in the Excluded IP Range field and 172.16.20.192-172.16.20.255 in the Except field.

Click Add to add a new CMDB Device Filter, then click Apply.
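The Excluded IP Range / Except logic, as an added example that is not FortiSIEM code: compile_filters() takes filters in the form described above (Excluded IP Range required, Except optional), should_add_to_cmdb() answers the question FortiSIEM asks for each address it learns from a log or flow, and learn_from_flows() runs that decision over a few constructed NetFlow-style records so the effect of the 172.16.20.0/24 example with its .192/26 exception is visible. The flow records, the field names and the "pure SYN to a server port" heuristic are assumptions made for the example.

```python
import ipaddress

# Added example, not FortiSIEM code: the Excluded IP Range / Except decision of a
# CMDB Device Filter, applied to addresses learned from constructed flow records.

def parse_range(text):
    """Accept 'lo-hi' or CIDR; return a list of ip_network objects."""
    text = text.strip()
    if "-" in text:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in text.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(text, strict=False)]

def in_ranges(addr, ranges):
    return any(addr in net for net in ranges)

def compile_filters(filters):
    """filters: [{'excluded': '172.16.20.0-172.16.20.255', 'except': '172.16.20.192-172.16.20.255'}]"""
    compiled = []
    for f in filters:
        if not f.get("excluded"):
            raise ValueError("Excluded IP Range is required")
        compiled.append((parse_range(f["excluded"]),
                         parse_range(f["except"]) if f.get("except") else []))
    return compiled

def should_add_to_cmdb(ip, compiled):
    """False when the address is inside an Excluded range and not inside its Except range."""
    addr = ipaddress.ip_address(ip)
    for excluded, exc in compiled:
        if in_ranges(addr, excluded) and not in_ranges(addr, exc):
            return False
    return True

def learn_from_flows(flows, compiled):
    """Servers (and the ports they answered on) that would be added to the CMDB.
    Heuristic (assumption): a pure SYN marks the destination as a server."""
    learned = {}
    for rec in flows:
        if rec["flags"] == 0x02 and should_add_to_cmdb(rec["dst"], compiled):
            learned.setdefault(rec["dst"], set()).add((rec["proto"], rec["dport"]))
    return learned

FILTERS = compile_filters([
    {"excluded": "172.16.20.0-172.16.20.255", "except": "172.16.20.192-172.16.20.255"},
])

SAMPLE_FLOWS = [  # constructed records, not real NetFlow export
    {"src": "10.0.0.5", "dst": "172.16.20.10", "proto": "tcp", "dport": 443, "flags": 0x02},
    {"src": "10.0.0.5", "dst": "172.16.20.200", "proto": "tcp", "dport": 22, "flags": 0x02},
    {"src": "10.0.0.5", "dst": "172.16.21.7", "proto": "tcp", "dport": 3389, "flags": 0x02},
    {"src": "172.16.20.200", "dst": "10.0.0.5", "proto": "tcp", "dport": 51000, "flags": 0x12},
]
```

With these filters, 172.16.20.10 is dropped (inside the excluded /24, outside the Except range) while 172.16.20.200 and 172.16.21.7 are learned; the SYN-ACK reply flow does not create a CMDB entry for the client.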

Setting: Application Filtering

This setting allows you to limit the set of applications/processes that the system automatically learns from discovery.

You are usually more interested in discovering and monitoring the server processes/daemons that run on a server than its client processes. To exclude client processes from being discovered and listed in the CMDB, enter those applications here. An application/process will not be added to the CMDB if it matches one of the entries defined in this table.

Click Add, then enter the Process Name and any Parameters for that process that you want to filter.


FortiSIEM Discovering Infrastructure

Discovering Infrastructure

FortiSIEM can automatically discover the devices, applications, and users in your IT infrastructure and begin monitoring them. You initiate device discovery by providing the credentials that are needed to access the infrastructure component, and from there FortiSIEM is able to discover information about your component such as the host name, operating system, hardware information such as CPU and memory, software information such as running processes and services, and configuration information. Once discovered, FortiSIEM will also begin monitoring your component on an ongoing basis.

Though FortiSIEM is able to automatically manage device discovery, the pulling of event information such as logs and IPS events from your device, and establishing what aspects of your device functionality it can monitor, you can also manually configure the way FortiSIEM interacts with your infrastructure by creating custom event pulling methods and monitoring profiles for your devices.


FortiSIEM Using Virtual IPs to Access Devices in Clustered Environments

Using Virtual IPs to Access Devices in Clustered Environments

AccelOps communicates to devices and applications using multiple protocols. In many instances, access credentials for discovery protocols such as SNMP and WMI will need to be associated to the real IP address (assigned to a network interface) of the device, while application performance or synthetic transaction monitoring protocols (such as JDBC) will need the Virtual IP (VIP) assigned to the cluster. Since AccelOps uses a single access IP to communicate to a device, you need to create an address translation for the Virtual IPs.

  1. Log into your AccelOps virtual appliance as root.
  2. Update the mapping in your IP table to map the IP address used in setting up your access credentials to the virtual IP.

As an example, suppose an Oracle database server is running on a server with a network address of 10.1.1.1, which is in a cluster with a VIP of 192.168.1.1. The port used to communicate with Oracle over JDBC is 1521. In this case, the update command would be: