Discovery Settings

Before you initiate discovery, you should configure the Discovery Settings in your Supervisor. 

  1. Log in to your Supervisor node.
  2. Go to Admin >  General Settings > Discovery.
  3. Configure the settings as required for your deployment.
    See Setting Device Location Information for information on how to manually enter locations for devices, or to upload a CSV file of device locations.  
    Setting Description
    Virtual IPs

    Often a common virtual IP address will exist in multiple machines for load balancing and failover purposes. When you discover devices, you need to have these virtual IP addresses defined within your discovery settings for two reasons:

    • Listing the virtual IP addresses ensures that two or more devices with the same virtual IP will not be merged into one device during device discovery, so each of the load-balanced devices will maintain their separate identity in the CMDB
    • The virtual IP will not be used as an access IP during discovery, since the identity of the device when accessed via the virtual IP is unpredictable

    Click the Edit icon to enter a Virtual IP address, and then click + to add more.

    Excluded Shared Device IPs

    An enterprise often has servers that share credentials, for example mail servers, web proxies, and source code control servers, and a large number of users will authenticate to these servers to access their services. Providing a list of of the IP addresses for these servers allows FortiSIEM to exclude these servers from user identity and location calculations in the Analytics > IdentityandLocation report.

    For example, suppose user U logs on to server M to retrieve his mail, and server M authenticates user U via Active Directory. If server M is not excluded, the Analytics > Identity and Location Report will contain two entries for user U: one for the workstation that U logs into, and also one for server M. You can eliminate this behavior by adding server M to the list of Server IPs with shared credentials.

    Allow Incident Firing On

    With this setting you can control incident firings based on approved device status. If you select Approved Devices Only, then FortiSIEM will use this logic to determine if an incident is triggered:

    • If an incident reporting device is not approved, the incident does not trigger
    • If an incident reporting device is approved, then there are two possible cases: (a) at least one Source, Destination or Host IP is approved and the incident triggers, or (b) none of the Source, Destination or Host IPs are approved and the incident does not trigger

    If you select Approved Devices Only, then when the discovery process completes, you will need to approve devices, as described in Approving Newly Discovered Devices, before incidents are triggered.

    CMDB Device Filter

    This setting allows you to limit the set of devices that the system automatically discovers from logs and netflows. After receiving a log from a device, the system automatically discovers that device, and then adds it to CMDB. For example, when a Netflow analysis detects a TCP/UDP service is running on a server, the server, along with the open ports, are added to CMDB. Sometimes you may not want to add all of these devices to CMDB, so you can create filters to exclude a specific set of devices from being added to CMDB. 

    Each filter consists of a required Excluded IP Range field and an optional Except field. A device will not be added to CMDB if it falls in the range defined in the Excluded IP Range field. For example, if you wanted to exclude the 172.16.20.0/24 network from CMDB, you would to add a filter with 172.16.20.0-172.16.20.255 in its Excluded IP Range field.

    The Except field allows you to specify some exceptions in the excluded range. For example, if you wanted to exclude the 172.16.20.0/24 network without excluding the 172.16.20.0/26 network, you would add a filter with 172.16.20.0-172.16.20.255 in the Excluded IP Range field, and 172.16.20.192-172.16.20.255 in the Except field.

    Click Add to add a new CMDB Device Filter, then click Apply.

    Application Filtering

    This setting allows you to limit the set of applications/processes that the system automatically learns from discovery.

    You may be more interested in discovering and monitoring server processes/daemons, rather than client processes, that run on a server. To exclude client processes from being discovered and listed in the CMDB, enter these applications here. An application/process will not be added to CMDB if it matches one of the entries defined in this table.

    Click Add, then enter the Process Name and any Parameters for that process that you want to filter.

    M atching is exact and case-insensitive based on Process Name and Parameter. If Parameter is empty, then only Process Name is matched.