System Settings

 

The following section describes the procedures for system settings:

UI settings

The initial view of the FortiSIEM UI after login, including the dashboard, logos and theme, is configured under UI settings.

Follow the procedure below to configure the FortiSIEM UI:

  1. Go to ADMIN > General Settings > System > UI tab.
  2. Select and enter the following information under UI Settings:
    • Home - select the tab to display when you log in to FortiSIEM.
    • Incident Home - select the List or Risk view for the INCIDENTS tab.
    • Dashboard Home - select from the drop-down the dashboard to display by default on the DASHBOARD tab.
    • Dashboard Theme - select the dark or light theme. Currently the dark theme setting is global, so all users have the same theme.
  3. Select the type of dashboards to be visible/hidden from Dashboard Settings using the left/right arrows. The up/down arrows can be used to sort the Dashboards.
  4. Select and upload the UI Logo and Report Logo.
    The supported image formats are PNG for UI Logo and SVG for Report Logo.
  5. Click Save.

Note: All the above settings take effect the next time you log in, or when you refresh the browser in the same login session.

Email settings

The system can be configured to send email as an incident notification action or send scheduled reports. Use these fields to specify outbound email server settings.

Follow the procedure below to configure email settings:

  1. Go to ADMIN > General Settings > System > Email tab.
  2. Enter the following information under Email Settings:

    Settings                  Guidelines
    Email Gateway Server      [Required] Holds the gateway server used for email.
    Server Account ID         [Required] The account name for the gateway.
    Account password          [Required] The password for the account.
    Server Port               Port used by the gateway server.
    Secure Connection (TLS)   Protocol used by the gateway server. This can be Exchange or SMTP.
    Admin Email Ids           Email addresses for all of the admins.
    Default Email Sender      Default email address of the sender.
  3. Click Test Email button to test the new email settings.
  4. Click Save.
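
A pre-flight check for the gateway entered above, as an added example (not FortiSIEM code): it confirms that the server negotiates certificate-verified TLS before it offers authentication, so the Account password is not sent in cleartext. The default port 587 and the sample feature sets are assumptions constructed for illustration.

```python
import smtplib
import ssl


def assess(pre_tls, post_tls):
    """Judge ESMTP feature dicts (same shape as smtplib.SMTP.esmtp_features).

    pre_tls:  features from the cleartext EHLO.
    post_tls: features from the EHLO after STARTTLS, or None if the
              gateway never offered STARTTLS.
    """
    findings = []
    auth_before = pre_tls.get("auth", "").split()
    if post_tls is None:
        findings.append("no STARTTLS offered: session stays cleartext")
        if auth_before:
            findings.append("AUTH offered in cleartext: password exposed on the wire")
        return findings
    if not post_tls.get("auth", "").split():
        findings.append("no AUTH after TLS: Server Account ID cannot log in")
    if auth_before:
        findings.append("AUTH also offered before TLS: a downgrade exposes the password")
    return findings


def probe(host, port=587, timeout=10):
    """Connect to the gateway and return findings (port 587 is an assumption)."""
    ctx = ssl.create_default_context()  # verifies certificate chain and host name
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        pre = dict(smtp.esmtp_features)
        if not smtp.has_extn("starttls"):
            return assess(pre, None)
        smtp.starttls(context=ctx)  # raises ssl.SSLError on a bad certificate
        smtp.ehlo()                 # capabilities must be re-read after TLS
        return assess(pre, dict(smtp.esmtp_features))


# Constructed feature sets for two hypothetical gateways.
GOOD_PRE = {"starttls": "", "size": "35882577"}
GOOD_POST = {"auth": " PLAIN LOGIN", "size": "35882577"}
WEAK_PRE = {"auth": " PLAIN LOGIN", "size": "10240000"}

if __name__ == "__main__":
    print(assess(GOOD_PRE, GOOD_POST))
    print(assess(WEAK_PRE, None))
```

Run `probe()` against the Email Gateway Server host from a machine on the same network segment as the Supervisor; an empty list means no findings.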

Configuring Incident Email Template

  1. Click New under the section Incident Email Template.
  2. Enter the Name of the template.
  3. Select the Organization from the list.
  4. Enter the Email Subject. You can also choose the incident attribute variables from Insert Content drop-down as part of Email Subject.
  5. Enter the Email Body by selecting the attribute variables from Insert Content drop-down into your template, rather than typing. If required, enable Support HTML for HTML content support.
  6. Click Save.
  7. Click Preview to preview the email template.

To set an email template as default, select the template in the list, and then click Set as Default. When you are creating a notification policy and need to select an email template, if you leave the option blank, the default template will be used. For Service Provider deployments, to select a template as default for an organization, first select the organization, then set the default email template for that organization.

Collector Image Server settings

The Collector image can be upgraded by specifying here the location of the upgrade images and the credentials to access them.

Follow the procedure below to configure Collector Image Server settings:

  1. Go to ADMIN > General Settings > System > Collector Image Server tab.
  2. Enter the following information:
    • Image Download URL
    • Image Server Username
    • Image Server Password
  3. Click Save.

Worker Upload settings

Collectors upload events and configurations to Worker nodes. Use this field to specify the Worker host names or IP addresses.

There are two cases:

  • explicit list of Worker IP addresses or host names - the Collector forwards to this list in a round-robin manner.
  • host name of a load balancer - the Collector forwards events to the load balancer, which needs to be configured to distribute events to the Workers.

Follow the procedure below to configure Worker upload settings:

  1. Go to ADMIN > General Settings > System > Worker Upload tab.
  2. Enter the Worker Address.
    You can add more addresses by clicking '+' or use '-' to remove any added address.
  3. Click Save.

Data Update Server settings

Data Update Server settings are used to specify the location of the data update images and the credentials needed to access them.

Prerequisites

  • Contact FortiSIEM support and make sure that your license includes Data Update Service.
  • Make sure you have the Data Update URL, which is typically https://images.FortiSIEM.net/upgrade/ds - contact FortiSIEM to make sure that this information has not changed.
  • Make sure you have license credentials.

Follow the procedure below to configure Data Update server settings:

  1. Go to ADMIN > General Settings > System > Data Update Server tab.
  2. Enter the following information:
    • Data Update URL
    • Server Username and Server Password - these are the license credentials.
    • Notify Email - you will receive an email notification when new data updates are available.
  3. Click Save.

Lookup settings

Lookup settings let you look up any IP address or domain using a link that you provide.

Follow the procedure below for lookup:

  1. Go to ADMIN > General Settings > System > Lookup tab.
  2. Enter the Name.
  3. Set the Client Type to IP or Domain.
  4. Enter the Link for look-up.
  5. Click Save.

Kafka settings

FortiSIEM events in the system event database can be exported to an external system via the Kafka message bus.

FortiSIEM supports both forwarding events to an external system via Kafka message bus as a 'Producer' and receiving events from a third-party system to FortiSIEM via Kafka message bus as a 'Consumer'.

As a Producer:

  • Make sure you have set up a Kafka Cloud with a specific Topic for FortiSIEM events.
  • Make sure you have identified a set of Kafka brokers that FortiSIEM is going to send events to.
  • Make sure you have configured Kafka receivers that can parse FortiSIEM events and store them in a database. An example would be a Logstash receiver that stores events in an Elasticsearch database.
  • Supported Kafka version: 0.8

As a Consumer:

  • Make sure you have set up a Kafka Cloud with a specific Topic, Consumer Group and a Consumer for sending third-party events to FortiSIEM.
  • Make sure you have identified a set of Kafka brokers that FortiSIEM will receive events from.
  • Supported Kafka version: 0.8

Follow the procedure below for configuring Kafka settings in FortiSIEM:

  1. Go to ADMIN > General Settings > Kafka tab.
  2. Enter the Name and Topic.
  3. Select or search the Organization from the drop-down.
  4. Add Brokers by clicking + icon.
    1. Enter IP address or Host name of the broker.
    2. Enter Broker port (default 9092).
  5. Click Save.
  6. Set the Client Type to Producer or Consumer.
  7. If Consumer is selected in step 6, enter the Consumer Name and Group Name fields.
  8. Click Save.

For all the above settings, you can use the Edit button to modify or Delete button to remove any setting from the list.