Configuring FortiSIEM
Initial System Configuration
Before you can initiate discovery and monitoring of your IT infrastructure, you will need to configure several general settings, add users, and add organizations for multi-tenant deployments.
Setting Up the Email Gateway
Before you can set up notifications, you have to set up the email gateway that your system will use for all alerts and system notifications.
- Log into your Supervisor node.
- Go to Admin > General Settings > Email Settings.
- Enter the Email Gateway Server.
- Enter any additional account or connection information.
- Click Save.
Setting Up Routing Information for Reports and Incident Notifications
Topics in this section describe how to set up email addresses to send alerts to when a scheduled report runs, and distribution information for notifications associated with incidents. You can also automate the sending of tickets to a Remedy system when an incident occurs. These are all general settings, in that you don’t need to have any rules or reports defined before you configure them. For information on configuring specific notification policies for rules and incidents, see Incident Notifications. For information on configuring Remedy to work with FortiSIEM notifications, see Configuring Remedy to Accept Incident Notifications from FortiSIEM.
Setting Up Email Alert Routing for Scheduled Reports
Setting Up SNMP Traps for Incident Notifications
Setting Up XML Message Routing for Incident Notifications
Setting Up Routing for Remedy Tickets
Related Links
Scheduling Reports
Incident Notifications
Configuring Remedy to Accept Incident Notifications from FortiSIEM
Setting Up Email Alert Routing for Scheduled Reports
You can schedule reports to run and send email notifications to specific individuals. This setting is for default email notifications that will be sent when any scheduled report completes.
- Log into your Supervisor node.
- Go to Admin > General Settings > Analytics.
- Click +.
If you haven’t configured your email gateway yet, you will see an error message.
- Select SMS or Email for the delivery method.
- Enter the email address or SMS number.
- Click OK.
- Click Save All when you are done.
Sending Alerts to the Console
Select Send an alert to console if you also want to send alerts to the console. Alerts are always displayed in the Incidents tab, while the alerts sent to the console are immediately displayed but without any grouping by rule name, incident source, incident target, or other detail information.
Empty Reports
Sometimes a report may be empty because there are no matching events. If you don’t want to send empty reports to users, select Do not send scheduled emails if report is empty. If you are running a multi-tenant deployment, and you select this option while in the Super/Global view, this will apply only to Super/Global reports. If you want to suppress delivery of empty reports to individual organizations, you will have to configure this option in the organizational view.
Related Links
Setting Up the Email Gateway
Scheduling Reports
Setting Up SNMP Traps for Incident Notifications
You can define SNMP traps that will be sent when an event triggers an incident.
- Log in to your Supervisor node.
- Go to Admin > General Settings > Analytics.
- Enter the SNMP Trap IP Address.
- Enter the SNMP Community String that will authorize sending the trap to the SNMP trap IP address.
- Select the SNMP Trap Type.
- Select a Protocol.
- Click Test SNMP to check the connection.
- Click Save All.
Related Links
Incident Notifications
Setting Up XML Message Routing for Incident Notifications
You can configure FortiSIEM to send an XML message over HTTP(S) when an incident is triggered by a rule.
- Log in to your Supervisor.
- Go to Admin > General Settings > Analytics.
- For HTTP(S) Server URL, enter the URL of the remote host where the message should be sent.
- Enter the Username and Password to use when logging in to the remote host, and then Reconfirm the password.
- Click Test HTTP to check the connection.
- Click Save All.
Setting Up Routing for Remedy Tickets
You can set up Remedy to accept notifications from FortiSIEM and generate tickets from those notifications, as described in Configuring Remedy to Accept Incident Notifications from FortiSIEM. These instructions explain how to set up the routing to your Remedy server.
- Log in to your Supervisor node.
- Go to Admin > General Settings > Analytics.
- For WSDL, enter the URL of the Remedy Server.
- Enter the Username and Password associated with your Remedy server, and then Reconfirm the password.
- Click Test Remedy to test the connection.
- Click Save All.
Related Links
Configuring Remedy to Accept Incident Notifications from FortiSIEM
Setting Up User Roles
FortiSIEM has a wide operational scope: it provides performance, availability, and environmental alerts, as well as change and security monitoring for network devices, servers, and applications. It is difficult for one admin to monitor the entire spectrum of available information. In addition, devices may be in widely distributed geographical and administratively disjoint locations. Role-based access control provides a way to partition FortiSIEM administrative responsibilities across multiple admins.
A role defines two aspects of a user’s interaction with the FortiSIEM platform:
Which user interface elements a user can see, and the Read/Write/Execute permissions the user has on them. As an example, the built-in Executive role can see only the dashboard, while the Server Admin role cannot see network devices. Role permissions can be defined down to the attribute level, so that, for example, a Tier1 Network Admin role can see network devices but not their configurations.
What data the user can see. For example, consider a Windows Admin role and a Unix Admin role. Both can run the same reports, but Windows admins see only logs from Windows devices. This definition can also be fine-grained: for example, one Windows admin sub-role can be defined to see Windows performance metrics, while another Windows admin sub-role can see Windows authentication logs.
Topics in this section explain how to use the Default roles that come with FortiSIEM, and how to define new ones.
Default Roles
Creating Custom User Roles
Default Roles
To perform any action with FortiSIEM, a user must be assigned a role with the required permissions. The roles listed in this table are default roles. You can create custom roles and permissions by following the instructions in the topic Creating Custom User Roles.
Role | Permissions
Full Admin | Full access to the GUI and full access to the data. Only this role can define roles, create users, and map users to roles.
Network Admin | Full access to the network device portion of the GUI and full access to logs from network devices
System Admin | Full access to the Server/Workstation/Storage part of the GUI and full access to logs from those devices
Server Admin | Full access to the Server part of the GUI and full access to logs from those devices
Windows Server Admin | Full access to the Windows Server part of the GUI and full access to logs from those devices
Unix Server Admin | Full access to the Unix Server part of the GUI and full access to logs from those devices
Security Admin | Full access to Security aspects of all devices
Storage Admin | Full access to the Storage device part of the GUI and full access to logs from those devices
DB Admin | Full access to the database servers part of the GUI and full access to logs from those devices
Helpdesk | Access to the Admin, CMDB, and Dashboard tabs, with view and run permissions for the Analytics and Incidents tabs
Read Only Admin | View access to all tabs and permission to run reports
Executive | View access to the Business Service dashboard and personalized My Dashboard tabs, but reports can be populated by logs from any device
Creating Custom User Roles
- Log in to your Supervisor node.
- Go to Admin > Role Management.
- Click New.
- Enter a Role Name and Role Description.
- Enter the Data Conditions for this role.
This restricts access to the event/log data that is available to the user, and will be appended to any query that is submitted by users with this role. This applies to both Real-Time and Historical searches, as well as Report and Dashboard information.
- Enter the CMDB Report Conditions for this role.
This restricts access to the reports for devices, users, and monitors that are available to the user with this role.
- Select the UI Access Conditions for this role.
This defines the user interface elements that can be accessed by users with this role. By default, child nodes in the tree inherit the permissions of their immediate parent; however, you can override those default permissions by explicitly editing the permission of the child node. Options for these settings are:
Setting | Description
Full | No access restrictions
Edit | The role can make changes to the UI element
Run | The role can execute processes for the UI element
View | The role can only view the UI element
Hide | The UI element is hidden from the role
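The following is an added example, not FortiSIEM code, that models the two halves of a custom role described above: Data Conditions being ANDed onto every query a user with the role submits (so the role can only narrow what the user sees, never widen it), and UI Access Conditions forming a tree where a child inherits its parent's permission unless explicitly overridden. The attribute names, sample events, and tree layout are constructed for illustration and are not FortiSIEM's own attribute names.

```python
# Added example (not FortiSIEM code): a model of a custom role's Data Conditions
# and UI Access Conditions. Attribute names and events are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample event records standing in for FortiSIEM log data.
EVENTS = [
    {"device_type": "Microsoft Windows", "category": "authentication", "user": "alice"},
    {"device_type": "Microsoft Windows", "category": "performance", "user": "svc_mon"},
    {"device_type": "Linux", "category": "authentication", "user": "bob"},
    {"device_type": "Cisco IOS", "category": "configuration", "user": "netops"},
]

# A condition maps an attribute to the set of values it may take.
Condition = Dict[str, Set[str]]

# Role Data Conditions, constructed to mirror the Windows/Unix admin split.
WINDOWS_ADMIN: Condition = {"device_type": {"Microsoft Windows"}}
UNIX_ADMIN: Condition = {"device_type": {"Linux"}}
WINDOWS_AUTH_ADMIN: Condition = {"device_type": {"Microsoft Windows"},
                                 "category": {"authentication"}}


def combine(user_query: Condition, role_condition: Condition) -> Condition:
    """AND the role's Data Condition onto the user's own query.

    Where both constrain the same attribute the permitted values are the
    intersection, so a user cannot widen their view by asking for more.
    """
    merged: Condition = {}
    for attr in set(user_query) | set(role_condition):
        if attr in user_query and attr in role_condition:
            merged[attr] = user_query[attr] & role_condition[attr]
        elif attr in user_query:
            merged[attr] = user_query[attr]
        else:
            merged[attr] = role_condition[attr]
    return merged


def run_query(events: List[dict], query: Condition) -> List[dict]:
    """Return the events matching every attribute constraint in the query."""
    return [e for e in events
            if all(e.get(attr) in allowed for attr, allowed in query.items())]


def query_as_role(user_query: Condition, role_condition: Condition) -> List[dict]:
    """What a user holding the role actually gets back for their query."""
    return run_query(EVENTS, combine(user_query, role_condition))


@dataclass
class UiNode:
    """One node of the UI Access Conditions tree.

    permission is Full, Edit, Run, View or Hide, or None to inherit from the
    immediate parent (the default behaviour described in the text).
    """
    name: str
    permission: Optional[str] = None
    children: List["UiNode"] = field(default_factory=list)


def resolve_ui_permissions(node: UiNode, inherited: str = "Full") -> Dict[str, str]:
    """Flatten the tree into {node name: effective permission}."""
    effective = node.permission or inherited
    result = {node.name: effective}
    for child in node.children:
        result.update(resolve_ui_permissions(child, effective))
    return result


# Constructed tree: CMDB is View for this role, Network Devices is explicitly
# hidden, Users is explicitly editable, and everything else inherits.
TIER1_CMDB_TREE = UiNode("CMDB", "View", [
    UiNode("Devices", None, [UiNode("Network Devices", "Hide"), UiNode("Servers")]),
    UiNode("Users", "Edit"),
])

if __name__ == "__main__":
    print(query_as_role({"category": {"authentication"}}, WINDOWS_ADMIN))
    print(resolve_ui_permissions(TIER1_CMDB_TREE))
```

Note that a user query which asks for a device type outside the role's condition yields an empty intersection and therefore no events at all, rather than an error: the role condition silently bounds the result set.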
Adding Users for Enterprise Deployments
Adding users to enterprise deployments involves first deciding whether you are going to use external authentication, or local authentication credentials defined within each user profile. You can then add users on an individual basis, or, if you are using LDAP authentication, you can discover users within Active Directory over LDAP. For multi-tenant deployments you can add individual users to an organization as described in these topics, but if you need to add users who have a role in more than one organization (Global users), see the topics under Adding Users to Multi-Tenant Deployments.
Setting Up External Authentication
Adding a Single User
Adding Users from Active Directory via LDAP
Adding Users from Okta
Adding 2-factor Authentication via Duo Security
Setting Up External Authentication
You have three options for setting up external authentication for your FortiSIEM deployment. The first option, LDAP, is discussed in detail in Adding Users from Active Directory via LDAP. The other options, RADIUS and Okta, follow the same authentication setup process.
- Go to Admin > General Settings > External Authentication.
- Click Add.
- If you are setting up authentication for an organization within a multi-tenant deployment, select the Organization.
- Select the Protocol.
- Complete the protocol settings.
Protocol | User-Defined Settings
LDAP | Access IP. Select Set DN Pattern to open a text field in which you can enter the DN pattern if you want to override the discovered pattern, or you want to add a specific LDAP user. See Adding Users from Active Directory via LDAP for more information about configuration settings for LDAP.
RADIUS | Access IP; Shared Secret. Select CHAP if you are using encrypted authentication to your RADIUS server.
Okta | Certificate. See Configuring Okta Authentication for more information.
- Click Test, and then enter credentials associated with the protocol you selected to make sure users can authenticate to your deployment.
You can now associate users to this authentication profile as described in Adding a Single User.
Configuring Okta Authentication
To use Okta authentication for your FortiSIEM deployment, you must set up a SAML 2.0 Application in Okta, and then use the certificate associated with that application when you configure external authentication.
- Log into Okta.
- In the Applications tab, create a new application using Template SAML 2.0 App.
- Under General Settings, configure these settings:
Post Back URL | https:///phoenix/okta
Destination | https:///phoenix/okta
Recipient | FortiSIEM
Audience Restriction | Super
authnContextClassRef | PasswordProtectedTransport
Request | Uncompressed
- Click Save.
- In the Sign On tab, click View Setup Instructions.
- Click Download Certificate.
- Follow the instructions in Setting Up External Authentication and enter the downloaded certificate for Okta authentication.
Adding a Single User
- Log in to your Supervisor node.
- Go to CMDB > Users.
- Click New.
- Complete the User Name and user profile information.
- For System Administrator, select Yes.
- Select a Default Role for the user.
See the topic Default Roles for a list of default roles and permission. You can also create new roles as described in Creating Custom User Roles, which will be available in this menu after you create them.
- For System Account Enabled, select Yes.
- For Session Timeout, enter the number of minutes after which an inactive user will be logged out.
- For User Lockout, enter the number of minutes the user will be unable to log into the system after three successive authentication failures.
- For System Password Reset, enter the number of days after which a user’s current password for logging in to the system will automatically expire.
If left blank, the user’s password will never expire.
- For Password, select Local or External.
If you select Local, enter and then reconfirm the user password. See Setting Up External Authentication for more information about using external authentication.
Multiple Authentication Profiles
If more than one authentication profile is associated with a user, then the servers will be contacted one-by-one until a connection to one of them is successful. Once a server has been contacted, if the authentication fails, the process ends, and the user is notified that the authentication failed.
- Click Save.
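The lookup order described under Multiple Authentication Profiles, as an added example that is not FortiSIEM code: each profile's backend either raises ConnectionError (the server could not be contacted) or returns True/False once it answered. Profiles are tried in order; the first server that answers decides the outcome, and a rejection is final even if a later profile would have accepted. The backends, user table, and profile names are constructed stand-ins.

```python
# Added example (not FortiSIEM code): model of trying authentication profiles
# one by one until a server can be contacted. All backends are constructed.
from typing import Callable, List, Tuple

Backend = Callable[[str, str], bool]


def authenticate(username: str, password: str,
                 profiles: List[Tuple[str, Backend]]) -> Tuple[bool, List[Tuple[str, str]]]:
    """Try each (profile name, backend) in turn.

    Returns (accepted, trail), where trail records what happened at each
    profile touched; the trail is what you would want written to an audit log.
    """
    trail: List[Tuple[str, str]] = []
    for name, backend in profiles:
        try:
            accepted = backend(username, password)
        except ConnectionError as exc:
            trail.append((name, f"unreachable: {exc}"))
            continue            # could not contact this server: try the next one
        trail.append((name, "accepted" if accepted else "rejected"))
        return accepted, trail  # a server answered, so the process ends here
    return False, trail         # no profile could be contacted at all


# --- constructed stand-ins for external authentication servers ---

def unreachable_backend(username: str, password: str) -> bool:
    """Simulates a server that cannot be contacted."""
    raise ConnectionError("connect timeout")


class DirectoryBackend:
    """A reachable server holding a constructed user table. It counts calls so
    a test can show that profiles after the deciding one are never contacted."""

    def __init__(self, users: dict):
        self.users = users
        self.calls = 0

    def __call__(self, username: str, password: str) -> bool:
        self.calls += 1
        return self.users.get(username) == password  # stand-in for a real bind


PRIMARY = ("ldap-primary", unreachable_backend)
SECONDARY = DirectoryBackend({"alice": "correct-horse"})
TERTIARY = DirectoryBackend({"alice": "other-password"})
PROFILES = [PRIMARY, ("radius-secondary", SECONDARY), ("ldap-tertiary", TERTIARY)]

if __name__ == "__main__":
    print(authenticate("alice", "correct-horse", PROFILES))
    print(authenticate("alice", "other-password", PROFILES))
```

The second call in the usage above is the case worth understanding operationally: the password is valid on the third profile, but because the second profile answered and rejected it, the third is never consulted and the user is told authentication failed.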
Related Links
Default Roles
Creating Custom User Roles
Adding Users from Active Directory via LDAP
If you want to add users to your FortiSIEM deployment from an Active Directory server over LDAP, you must first add the login credentials for your server and associate them to an IP range, and then run the discovery process on the Active Directory server. If the server is discovered successfully, then all the users in that directory will be added to your deployment. You then need to set up an authentication profile, which will become an option you can associate with users as described in Adding a Single User.
Create Login Credentials and Associate with an IP Address
- Log in to your Supervisor node.
- Go to Admin > Setup Wizard > Credentials.
- Enter a Name.
- For Device Type, select Microsoft Windows.
- Select your Access Protocol.
FortiSIEM supports these LDAP protocols:
Protocol | Port
LDAP | Non-secure version on port 389
LDAPS | Secure version on port 636
LDAP Start TLS | Secure version on port 389
- For Used For, select Microsoft Active Directory.
- For Base DN, be sure to enter the root of the LDAP user tree.
- Enter the NetBIOS/Domain for your LDAP directory.
- Enter the User Name for your LDAP directory.
For user discovery from OpenLDAP, specify the full DN as the user name. For Active Directory, use your server login name.
- Enter and confirm the Password for your User Name.
- Click Save.
Your LDAP credentials will be added to the list of Credentials.
- Under Enter IP Range to Credential Associations, click Add.
- Select your LDAP credentials from the list of Credentials.
- Enter the IP range or host name for your Active Directory server.
- Click OK.
Your LDAP credentials will appear in the list of credential/IP address associations.
- Click Test Connectivity to make sure you can connect to the Active Directory server.
Discover the Active Directory Server and Users
- Go to Admin > Discovery.
- Click Add.
- For Name, enter Active Directory.
- For Include Range, enter the IP address or host name for your Active Directory server.
- Leave all the default settings, but clear the Discover Routes option.
- Click OK.
Active Directory will be added to the list of discoverable devices.
- Select the Active Directory device and click Discover.
- After discovery completes, go to CMDB > Users to view the discovered users.
You may need to click Refresh for the user tree hierarchy to load.
Adding Users from Okta
Create an Okta API Token
- Log in to Okta using your Okta credentials.
- Go to Administration > Security > API Tokens.
- Click Create Token.
You will use this token when you set up the Okta login credentials in the next section. Note that this token will have the same permissions as the person who generated it.
Create Login Credentials and Associate Them with an IP Address
- Log in to your Supervisor node.
- Go to Admin > Setup Wizard > Credentials.
- Enter a Name.
- For Device Type, select com.
- For Access Protocol, select Okta API.
- Enter the NetBIOS/Domain associated with your Okta account.
For example, FortiSIEM.okta.com.
- For Pull Interval, enter how often, in minutes, you want FortiSIEM to pull information from Okta.
- Enter and reconfirm the Security Token you created.
- Click Save.
Your Okta credentials will be added to the list of Credentials.
- Under Enter IP Range to Credential Associations, click Add.
- Select your Okta credentials from the list of Credentials.
- Enter the IP range or host name for your Okta account.
- Click OK.
Your Okta credentials will appear in the list of credential/IP address associations.
- Click Test Connectivity to make sure you can connect to Okta.
Discover Okta Users
- Go to Admin > Discovery.
- Click Add.
- For Name, enter Okta.
- For Include Range, enter the IP address or host name for your Okta account.
- Leave all the default settings, but clear the Discover Routes option.
- Click OK.
Okta will be added to the list of discoverable devices.
- Select the Okta device and click Discover.
- After discovery completes, go to CMDB > Users to view the discovered users.
You may need to click Refresh for the user tree hierarchy to load.
Adding 2-factor Authentication via Duo Security
Obtain keys for FortiSIEM to communicate with Duo Security
- Sign up for a Duo Security account. This will be the admin account for Duo Security.
- Log in to the Duo Security Admin Panel and navigate to Applications.
- Click Protect an Application and locate Web SDK in the list of applications.
- Note the Duo Server Name, Integration key, and Secret key from the page. You will need them when you configure FortiSIEM.
- Generate an Application key as a long string. This is a password that Duo Security will not know. You can choose any string at least 40 characters long, or generate a random one using Python.
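As an added example (not Duo's or FortiSIEM's code) of the Application key step above: generate a random key of at least 40 characters from a cryptographically strong source, and sanity-check a candidate key before saving it in FortiSIEM. The distinct-character check is a heuristic of this example, not a Duo requirement; the check against the Integration key and Secret key guards against pasting the wrong value from the Duo page.

```python
# Added example (not Duo's or FortiSIEM's code): generate and check the
# Application key for the Duo Web SDK integration. Uses Python's `secrets`
# module for cryptographically strong randomness.
import secrets
import string

MIN_LENGTH = 40                                    # minimum length the page calls for
ALPHABET = string.ascii_letters + string.digits    # safe to paste into a form field


def generate_application_key(length: int = MIN_LENGTH) -> str:
    """Return a random key of the given length drawn from ALPHABET."""
    if length < MIN_LENGTH:
        raise ValueError(f"Application key must be at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_application_key(key: str, integration_key: str = "",
                          secret_key: str = "") -> list:
    """Return a list of problems with a candidate key; an empty list means acceptable.

    The distinct-character threshold is an assumption of this example, meant to
    catch keys like 'aaaa...' that pass the length test but carry little entropy.
    """
    problems = []
    if len(key) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if integration_key and key == integration_key:
        problems.append("reuses the Integration key")
    if secret_key and key == secret_key:
        problems.append("reuses the Secret key")
    if len(set(key)) < 8:
        problems.append("fewer than 8 distinct characters")
    return problems


if __name__ == "__main__":
    key = generate_application_key()
    print(key, check_application_key(key))
```

Keep the generated key in the same place you keep the Secret key: it is never sent to Duo, but anyone who holds it together with the Integration and Secret keys can forge the second-factor response for your integration.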
Create and Manage FortiSIEM users in Duo Security
This determines how the 2-factor authentication response page will look in FortiSIEM and how the user will respond to the second-factor authentication challenge.
- Log in to Duo Security as the admin user.
- Choose the Logo that will be shown to users as they log on.
- Choose the superset of 2-factor Authentication Methods.
- Optional: you can create the specific users who will log on via FortiSIEM. If the users are not pre-created here, then user accounts will be created automatically when they attempt 2-factor authentication for the first time.
Add 2-factor authentication option for FortiSIEM users
- Create a 2-factor authentication profile:
  - Go to Admin > General Settings > External Authentication.
  - Click Add.
  - Enter a Name.
  - Set Organization to the scope of the users who will be authenticated.
  - For AO-VA, specify System.
  - For AO-SP, specify System if this will be used globally. Otherwise, specify a specific organization.
  - Set IP/Host to the host name of the Duo Security server from Step 4 in "Obtain keys for FortiSIEM to communicate with Duo Security".
  - Set the Integration key and Secret key from Step 4 in "Obtain keys for FortiSIEM to communicate with Duo Security".
  - Set the Application key from Step 5 in "Obtain keys for FortiSIEM to communicate with Duo Security".
  - Click Save.
- Add the 2-factor authentication profile to a user:
  - Go to CMDB > User.
  - Select a specific user.
  - Check the Second Factor checkbox.
  - Select the 2-factor authentication profile created in Step 1.
  - Click Save.
Login to FortiSIEM using 2-factor authentication
Before logging in to FortiSIEM with 2-factor authentication, make sure that these three steps are completed:
Obtain keys for FortiSIEM to communicate with Duo Security
Create and Manage FortiSIEM users in Duo Security
Add 2-factor authentication option for FortiSIEM users
Follow these steps:
- Log on to FortiSIEM normally (first factor) using the credential defined in FortiSIEM, either local or external in LDAP.
- If 2-factor authentication is enabled, the user will now be redirected to the 2-factor step.
- If the user has not been created in the Duo system (by the Duo admin), a setup wizard will let you set some basic information such as a phone number and ask you to download the Duo app.
- If the user already exists in FortiSIEM, then follow the authentication method and click Log In. The user will then be able to log in to FortiSIEM.