Getting Started

Following are the basic steps for getting started with FortiSIEM:

Step 0 - Pre-Install Considerations

FortiSIEM can run as a:

  • Virtual Appliance on a wide variety of Hypervisors.
  • Single node with local or external event database storage or as a cluster with external storage.
  • Dedicated hardware appliance (with no clustering option).

Before beginning with the installation, make the following decisions:

  • Installation type: Hardware appliance or Virtual appliance
    • If Virtual Appliance, then:
      • Hypervisor type
      • Enterprise version or Service Provider version
      • Single node (All-in-one Supervisor) or a FortiSIEM cluster (single Supervisor and multiple Workers)
      • Local event database or external storage (cluster requires external storage)
      • External storage type - FortiSIEM event database or Elasticsearch
      • Whether Collectors are needed

Step 1 - Install the Virtual or Hardware Appliance

You can choose an all-in-one FortiSIEM Hardware Appliance or a Virtual Appliance based solution.

To install FortiSIEM Hardware Appliance (FSM-2000F, FSM-3500F, FSM-500F), see here.

To install a FortiSIEM Virtual Appliance based solution:

  • Select the hypervisor (VMWare ESX, AWS, HyperV, KVM) on which FortiSIEM is going to run.
  • Select event database storage – local or NFS or Elasticsearch.
  • Set up external storage if needed: NFS and Elasticsearch.
    See 'FortiSIEM - NFS Storage Guide' and 'FortiSIEM - Elasticsearch Storage Guides' here.
  • Install FortiSIEM Virtual Appliance (see Step 0 for the choices this depends on)

Step 2 - Install License

Apply the license provided by Fortinet. Note that for a Virtual appliance install, the UUID of the Supervisor node must match the license, while for a hardware appliance, the hardware serial numbers must match the license.

After applying the license, the system will reboot and provide a login page.

Login with the following default values (these are published defaults; change them before production, see Step 25):

  • USER ID - admin
  • PASSWORD - admin*1
  • CUST/ORG ID - super
  • DOMAIN - LOCAL

For more information about FortiSIEM Licensing, see the Licensing Guide here.

Step 3 - Specify Event Database Storage

If you chose Virtual Appliances, then specify the storage option in ADMIN > Setup > Event Storage (see here).

Hardware appliances only support local disk event database storage.

Step 4 - Check System Health and License

Ensure that:

  • All the system components are up and in good health (ADMIN > Health > Cloud Health – see here).
  • The license matches your purchase by visiting the ADMIN > License > License page – see here.

Step 5 - (Optional) Create Organizations for Service Provider deployments

A Service Provider would consist of multiple Organizations.

These Organizations can be defined in two ways:

  • Case 1 - By associating one or more Collectors to an Organization – any log received by those Collectors or any device discovered by those Collectors will belong to that Organization. This typically makes sense for remote management scenarios.
  • Case 2 - By associating an IP range to an Organization – this typically makes sense for hosted scenarios.

In both cases, create organizations by visiting ADMIN > Setup > Organizations (see here).

The system will create default system users with Full Admin functionality for each created organization.

Step 6 - (Optional) Check Full Admin Organization Users for Service Provider deployments

FortiSIEM will automatically create a Super-global Full Admin user and one Full Admin user for each Organization. Ensure that you are able to login to:

  • each Organization using the system created Full Admin users.
  • Super-Global mode using Super-global Full Admin user and then switch to any Organization

Step 7 - Add Email Gateway

FortiSIEM will send notifications for incidents via email. Setup the email gateway by visiting ADMIN > General Settings > System > Email (see here for details).

Step 8 - (Optional) Add Collector

If your monitored devices are behind a firewall or in a distant location across the Internet, then you will need a Collector to collect logs and performance metrics from that location.

FortiSIEM Collectors can be Hardware Appliances or Virtual Appliances. Hardware Appliances are easiest to install.

  • For FSM-500F, see the 500F Collector Configuration Guide.

Install the FortiSIEM Collector Virtual appliance based on the Hypervisor of your choice:

  • VMWare ESX
  • AWS
  • KVM
  • Microsoft Hyper-V

See the Installation and Upgrade Guide here for the installations above. Register the Collector to the FortiSIEM Supervisor node – see the section 'Registering the Collector to the Supervisor' in the Installation and Upgrade Guide here.

Step 9 - (Optional) Set Event Upload Destination for the Collector(s)

You need to specify the FortiSIEM nodes to which the Collector will upload events, in ADMIN > General Settings > System > Worker Upload (see here). There are three options:

  • In a simple setup with one Supervisor node, specify the Supervisor node. This is not recommended in larger setups as it will make the Supervisor node busy.
  • You may specify one or more Worker nodes, listed by Worker IP address. The Collectors will load balance across the specified Worker nodes. In this manner, streaming analytics like inline reports and rules are distributed over the Worker nodes.
  • You may specify a load balancer name that sits in front of the Worker nodes. Note that in this case, you have to carefully tune the load balancing configuration to get optimum performance.

The second option works the best in most cases.

Step 10 - (Optional) Check Collector Health

You want to make sure that Collectors are up and running properly. Go to ADMIN > Health > Collector Health to verify this (see here for details).

At this point, the system is ready to receive events or perform discovery.

Step 11 - Receive Syslog and Netflow

First check the list of supported devices whose logs are parsed by FortiSIEM out of the box. The list is in ADMIN > Device Support > Parsers. See also the external device support document for further details (see here). If your device is in that list, then FortiSIEM will likely parse your logs out of the box.

Note that with every new version, vendors add new log types or sometimes, even change the log format in a non-backward compatible manner. In that case, the built-in parser may need to be adjusted (this topic will be covered in Advanced Operations). If your device is not on the list of built-in parsed devices, then a custom parser needs to be written. This topic will be covered in Advanced Operations.

Configure your device to send logs to FortiSIEM. If your device is behind a Collector, then the logs are sent to the Collector. Otherwise, logs can be sent to the Supervisor or a Worker node. For devices with high event rates, it is recommended to add a Worker node (Step 20) and send logs directly to the Worker node. Most vendors have straightforward methods to send syslog to external systems – see here, but be aware that the information may be a little out of date. Consult your vendor's manual in that case.

FortiSIEM automatically receives Netflow variations on their well-known ports.
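The quickest way to confirm that a node is reachable on the syslog port and that the reporting device name arrives the way you expect is to send a well-formed test message and then look for it with the 'Raw Messages' search in Step 12. The following is an added example, not FortiSIEM code or a vendor procedure: it builds an RFC 3164 syslog line, parses it back into fields so you can see what a receiver will treat as the reporting device, and fires it over UDP. It assumes the receiving node listens on UDP 514 (the conventional port) and uses a placeholder address from the documentation range; the function names are ours.

```python
"""Build, parse and send an RFC 3164 syslog test message.

Added example, not FortiSIEM code. Assumes the receiving node (Collector,
Worker or Supervisor) listens for syslog on UDP 514, the conventional port.
COLLECTOR_HOST is a placeholder documentation address; replace it with your
node's IP. Function names are ours.
"""
import re
import socket
import time

COLLECTOR_HOST = "192.0.2.10"   # placeholder (RFC 5737 documentation range)
SYSLOG_PORT = 514

# RFC 3164 facility and severity codes (subset)
FACILITY = {"kern": 0, "user": 1, "auth": 4, "authpriv": 10, "local0": 16, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

_RE = re.compile(rb"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")


def priority(facility, severity):
    """PRI = facility * 8 + severity, as RFC 3164 section 4.1.1 defines it."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_message(hostname, tag, text, facility="local0", severity="info", ts=None):
    """Return b'<PRI>Mmm dd hh:mm:ss HOST TAG: MSG'.

    ts is a time tuple (time.localtime() if omitted). The day is space-padded
    to two characters, which is what RFC 3164 receivers expect."""
    if ts is None:
        ts = time.localtime()
    stamp = "%s %2d %s" % (time.strftime("%b", ts), ts[2], time.strftime("%H:%M:%S", ts))
    line = "<%d>%s %s %s: %s" % (priority(facility, severity), stamp, hostname, tag, text)
    return line.encode("ascii", errors="replace")


def parse_message(data):
    """Split a message back into fields. The HOST field is what a syslog
    receiver treats as the reporting device, so check it is the name you
    expect to see in the CMDB."""
    m = _RE.match(data)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % data)
    pri = int(m.group(1))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group(2).decode(),
        "host": m.group(3).decode(),
        "tag": m.group(4).decode(),
        "msg": m.group(5).decode(),
    }


def send(data, host=COLLECTOR_HOST, port=SYSLOG_PORT):
    """Fire the datagram. UDP gives no acknowledgement, so confirm receipt
    with the 'Raw Messages' search on the FortiSIEM side."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data, (host, port))


if __name__ == "__main__":
    msg = build_message("fw01", "sshd[1234]",
                        "Accepted password for alice from 10.1.2.3 port 52212 ssh2",
                        facility="auth", severity="info")
    print(parse_message(msg))
    send(msg)
```

If the message does not appear in 'Raw Messages', check in this order: the node's firewall rules for UDP 514, whether the device should be pointing at a Collector rather than the Supervisor, and whether the HOST field carries a name or IP that discovery has placed under a different organization.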

Step 12 - Check CMDB Devices and Run Searches for Received Events

If the logs in Step 11 are received correctly in FortiSIEM, then you should see the sending devices in the correct CMDB device and application group.

You can also search for the logs and see how they are parsed. Go to ANALYTICS > Shortcuts from the folder drop-down and run 'Raw Messages', 'Top Reporting Devices' or 'Top Event Types' queries (see here for details).

Step 13 - Discover Devices

Some systems (for example, Linux based servers) have generic log patterns, so logs cannot precisely tell the Operating System. If you want accurate information from such systems, then you need to discover them via protocols such as SNMP or SSH. For Windows servers, if you want to collect logs via WMI, then you need to discover them via WMI only, or via SNMP and WMI.

To perform discovery first go to ADMIN > Setup > Credentials and set up credentials and then go to ADMIN > Setup > Discovery and run discoveries. For Service Provider deployments with collectors, do the discoveries from each organization since IP addresses and names can be overlapping.

You can run the discovery in the foreground or in the background. If you run in the foreground, then you will know when it finishes. If you run in the background, then you need to go to Tasks section to see the discovery completion percentages and status. Note that ill-defined discoveries can take a long time to complete – see here for guidelines.

To see the benefits of discovery, see the External Systems Configuration Guide here and search your device type.

Step 14 - Check CMDB and Performance Monitors for Discovered Devices

After discovery is complete, you will see CMDB get populated with the discovered devices in the correct device, application and network segment folders. See here for details.

Note the following:

  • If the number of devices is within your license limits, then the discovered devices will be in the Managed and Pending state. Otherwise, a set of (randomly chosen) devices exceeding the license limit will be in the Unmanaged state. FortiSIEM will not receive logs from unmanaged devices, nor can they be monitored. You can flip a device from Unmanaged to Managed and vice-versa. You can also buy additional licenses to rectify this situation.
  • If devices have overlapping IP addresses, then they will be merged. Check for this incident “PH_RULE_DEVICE_MERGED_OVERLAP_IP” to look for merged devices. To correct this situation, you have two choices:
    • Change the overlapping IP address on the device, delete the device from CMDB and rediscover.
    • If the overlapping IP is a Virtual IP (VIP), then add this IP to the VIP list in ADMIN > General Settings > Discovery. Delete the device from CMDB and re-discover.

After you have corrected the situation, make sure that devices are not merged and appear correctly in CMDB.

Note that in the Enterprise version, discoveries are done by the Supervisor node. In the Service Provider version, there are two possibilities, depending on how organizations are defined (see Step 5).

  • For Organizations defined by IP addresses, discoveries are done by the Supervisor node. After discovery, the devices should belong to the correct organization.
    • If all interfaces of a device belong to the specified Organization IP range, then the device belongs to that Organization.
    • On the other hand, if at least one IP does not belong to specified Organization IP range, then the device belongs to the Super/local Organization (representing the Hosting Service Provider Organization).
  • For Organizations with Collectors, discoveries are done by the associated Collector node. Check CMDB to see that the devices are marked with the correct Organization and Collector.
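The two rules above (an IP-range-defined device belongs to an Organization only if every interface falls inside that Organization's range, and devices sharing an IP are merged unless the IP is on the VIP list) are easy to check against an inventory before you run discovery, which is cheaper than cleaning up merged CMDB entries afterwards. The following is an added example, not FortiSIEM code and not its discovery algorithm: it applies those two rules as the text states them to a constructed inventory. The device list, Organization range, VIP list and helper names are all ours.

```python
"""Pre-discovery checks for the two CMDB rules described above.

Added example, not FortiSIEM code. The inventory, the Organization range and
the VIP list are constructed here; assign_organization() and
find_merge_candidates() are our names, not FortiSIEM APIs. The rules are
taken from the text: all interfaces in range -> that Organization, otherwise
Super/Local; a shared IP merges devices unless it is on the VIP list.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory: device name -> list of interface IPs
DEVICES = {
    "core-sw1":  ["10.10.0.1", "10.10.1.1"],
    "web01":     ["10.10.0.20"],
    "web02":     ["10.10.0.21", "10.10.0.100"],   # 10.10.0.100 is also the LB VIP
    "lb01":      ["10.10.0.5", "10.10.0.100"],
    "mgmt-jump": ["10.10.0.30", "192.168.50.2"],  # one interface outside the range
}

# Constructed Service Provider layout (Case 2 in Step 5): organization -> IP ranges
ORG_RANGES = {
    "acme": [ipaddress.ip_network("10.10.0.0/23")],
}
# What you would enter in ADMIN > General Settings > Discovery as a Virtual IP
VIP_LIST = {"10.10.0.100"}
SUPER_LOCAL = "Super/Local"


def assign_organization(interfaces, org_ranges=ORG_RANGES):
    """Return the Organization an IP-range-defined device lands in.

    Every interface must fall inside one of the Organization's ranges; if any
    interface is outside, the device goes to Super/Local. If several
    Organizations' ranges all contain the device, the first one listed wins
    (an assumption; avoid overlapping Organization ranges)."""
    addrs = [ipaddress.ip_address(i) for i in interfaces]
    for org, nets in org_ranges.items():
        if all(any(a in n for n in nets) for a in addrs):
            return org
    return SUPER_LOCAL


def find_merge_candidates(devices=DEVICES, vip_list=VIP_LIST):
    """Return {ip: [device names]} for every IP that two or more devices share
    and that is not on the VIP list. These are the devices that discovery
    would merge into one CMDB entry."""
    owners = defaultdict(list)
    for name, ifs in devices.items():
        for ip in ifs:
            owners[ip].append(name)
    return {ip: names for ip, names in owners.items()
            if len(names) > 1 and ip not in vip_list}


if __name__ == "__main__":
    for name, ifs in DEVICES.items():
        print("%-10s -> %s" % (name, assign_organization(ifs)))
    clashes = find_merge_candidates()
    print("would merge:", clashes or "nothing (shared IPs are all VIPs)")
    print("would merge without VIP list:", find_merge_candidates(vip_list=set()))
```

With the constructed data, mgmt-jump lands in Super/Local because of its 192.168.50.2 interface, and web02 and lb01 would be merged on 10.10.0.100 unless that address is entered as a VIP first.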

As part of discovery, FortiSIEM also discovers which performance metrics it can collect and which logs it can pull. See ADMIN > Setup > Pull Events and ADMIN > Setup > Monitor Performance tabs (see here for details). You can turn off log/performance metric collection or tune the polling intervals.

Performance monitoring and log collection is a continuous process. If you tested the credentials before running discoveries (ADMIN > Setup > Credentials > Test Connectivity) and fixed the errors shown in the Discovery error tab, then the metric/log collection should not have errors. After running for some time, errors can appear; some reasons are (a) network connectivity issues from FortiSIEM to the devices, (b) someone changed the credentials or access policies on the device, (c) the device has performance issues. Check for errors in the ADMIN > Setup > Pull Events and ADMIN > Setup > Monitor Performance tabs (see here for details) and fix them. If credentials have changed, then you need to change the credentials in ADMIN > Setup > Credentials and rediscover the corresponding devices.

Step 15 - Check Monitored Device health

You can watch the current health of a device in CMDB by selecting the device and choosing the Device Health option from the menu. To see the performance metrics in real time, select the device in CMDB and choose the Real Time Performance option from the menu.

Step 16 - Check Incidents

FortiSIEM provides a large number of inbuilt machine and user behavior anomalies in the form of rules. These rules are active by default and will trigger incidents. See here on how to navigate incidents. Advanced Operations will discuss how to tune these rules for your environment.

Step 17 - Notify an Incident via Email

You may want to notify users via email when an incident triggers. This is achieved in one of two ways.

  • Create an Incident Notification Policy, specifying the incident matching criteria and the receiver email address. See here for details.
  • Select an incident from INCIDENTS > List view, go to Actions and select Send Email. See here for details.

Note that many other advanced actions are possible such as:

  • Customizing the email template
  • Remediating the incident by running a script
  • Opening a ticket in an external ticketing system and so on.

See Advanced Operations for details.

Step 18 - Create a Ticket in FortiSIEM

You can use the FortiSIEM built-in ticketing system to handle tickets. Currently, this is handled outside of the notification policy concept (Step 17).

To create a FortiSIEM ticket, select one or more incidents from INCIDENTS tab > List view, go to Actions and select Create Ticket.

Step 19 - View System Dashboards

FortiSIEM provides several built-in dashboards:

  • Incident Dashboard – Overview and Risk View.
  • Incident Location View - (see here for details).
  • Incident and Location Dashboard – select DASHBOARD > Incident and Location Dashboard (this requires you to collect DHCP and Active Directory logon events – see here for details).

Go to DASHBOARD and select the dashboard of your choice.

Step 20 - (Optional) Add Worker

For larger software based deployments that involve multiple Collectors, a large number of monitored devices, or devices with high event rates, it is highly recommended to deploy one or more Workers to distribute the Supervisor node's workload. Note that Workers cannot be added to Hardware based appliances.

Workers can be added by visiting ADMIN > License > Nodes - see here for details.

After adding the Worker(s), remember to add the Workers to the Collector event upload destination list (ADMIN > General Settings > System > Worker Upload - see here for details), otherwise Collectors will keep sending to the Supervisor as in Step 9.

Step 21 - (Optional) Check Worker Health

Check the health of the Workers by visiting ADMIN > Health > Cloud Health.

  • The health of all nodes should be Normal, the load average should be within bounds (typically less than the number of cores), CPU should not be pegged at 99%, and little swap should be used.
  • Click on any node and check the health of individual processes running on that node in the bottom pane. Status should be Up with large Up times and reasonable CPU and memory usage.
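The same thresholds can be checked from the node's console when the GUI is slow or unavailable (Step 24 explains how to log on). The following is an added example, not FortiSIEM code or a FortiSIEM default: it reads the load average, CPU utilisation and swap usage from /proc on a Linux node and compares them with the criteria above. The cut-offs (load at or above the core count, CPU at or above 99%, more than 10% of swap in use) are our reading of the text; the swap percentage in particular is an assumed value. It assumes python3 is available on the node.

```python
"""Check a node against the Step 21 health thresholds from the console.

Added example, not FortiSIEM code. Thresholds are our reading of the text
(load under the core count, CPU not pegged, little swap used); the exact
percentages are assumed cut-offs, not FortiSIEM defaults. assess() is pure
so it can be exercised on sample numbers; the read_* helpers need Linux /proc.
"""
import os
import time

CPU_PEGGED_PCT = 99.0   # "CPU should not be pegged at 99%"
SWAP_WARN_PCT = 10.0    # assumed cut-off for "little swap should be used"


def assess(load1, cores, cpu_busy_pct, swap_used_kb, swap_total_kb):
    """Return a list of findings; an empty list means the node looks Normal."""
    findings = []
    if load1 >= cores:
        findings.append("load average %.2f >= %d cores" % (load1, cores))
    if cpu_busy_pct >= CPU_PEGGED_PCT:
        findings.append("CPU pegged at %.0f%%" % cpu_busy_pct)
    if swap_total_kb > 0:   # a node with no swap configured cannot be swapping
        pct = 100.0 * swap_used_kb / swap_total_kb
        if pct >= SWAP_WARN_PCT:
            findings.append("swap in use: %.1f%% of %d kB" % (pct, swap_total_kb))
    return findings


def read_cpu_busy_pct(interval=1.0):
    """Busy CPU %% from two /proc/stat samples; idle and iowait both count
    as not busy, which matches 100 minus top's %id and %wa columns."""
    def sample():
        with open("/proc/stat") as f:
            vals = [int(x) for x in f.readline().split()[1:]]
        return vals[3] + vals[4], sum(vals)
    idle0, tot0 = sample()
    time.sleep(interval)
    idle1, tot1 = sample()
    dt = tot1 - tot0
    return 100.0 * (1.0 - (idle1 - idle0) / dt) if dt else 0.0


def read_swap_kb():
    """Return (used, total) swap in kB from /proc/meminfo."""
    total = free = 0
    with open("/proc/meminfo") as f:
        for line in f:
            key, val = line.split(":", 1)
            if key == "SwapTotal":
                total = int(val.split()[0])
            elif key == "SwapFree":
                free = int(val.split()[0])
    return total - free, total


def check_local_node():
    """Gather the live numbers and assess them."""
    load1 = os.getloadavg()[0]
    cores = os.cpu_count() or 1
    used, total = read_swap_kb()
    return assess(load1, cores, read_cpu_busy_pct(), used, total)


if __name__ == "__main__":
    problems = check_local_node()
    print("Normal" if not problems else "\n".join(problems))
```

A finding here is a prompt to look at the per-process view (phstatus, or the bottom pane of Cloud Health), not a verdict on its own: a short load spike during a large report or a discovery is expected, sustained swapping or a pegged CPU is not.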

Step 22 - Check License Usage

Check whether the system is operating within licensed parameters (Monitored device count and EPS) by visiting ADMIN > License > Usage (see here for details).

Step 23 - Set Home Page

Set your home page along with other GUI settings by visiting ADMIN > General Settings > System UI (see here for details).

Step 24 - Log on to the console and check status

In rare situations when the GUI is not responding, you may need to SSH in to the system console of the Supervisor, Worker and Collector nodes and issue some commands. The list of node IP addresses is available in ADMIN > License > Nodes, ADMIN > Health > Cloud Health and ADMIN > Health > Collector Health.

Log on to each of them using the default password as below. Step 25 shows how to change the default password. Because these defaults are published, anyone who can reach SSH on a node can log in as root until they are changed, so do not expose a node to an untrusted network before completing Step 25.

FortiSIEM provides two SSH user accounts:

  • User: 'root' and password: 'ProspectHills'
  • User: 'admin' and password: 'admin*1'

The following commands are available:

  • Run phstatus from the admin account – shows the status of all FortiSIEM processes.
  • Run phstatus -a from the root account – shows the detailed status of all FortiSIEM processes along with events per second and local I/O rates.

The following Linux commands are useful:

  • Run top from the admin account – shows the CPU and memory usage of all Linux processes.
  • Run iostat -x 2 to check the I/O statistics for the local disk.
  • Run nfsiostat -x 2 to check the NFS I/O statistics on the Supervisor and Workers for NFS based deployments.
  • Run tail -300f /opt/phoenix/log/phoenix.log to see the C++ module log.

Step 25 - Change default passwords

FortiSIEM ships with the default passwords below. Change them before running the system in production; the same defaults apply to every node, so change them on each Supervisor, Worker, Collector and Report Server, not only the Supervisor.

On Supervisor, Workers, Collectors and Report Server:

  • User: root and password: ProspectHills
  • User: admin and password: admin*1

On GUI:

  • Enterprise deployment – User: admin and password: admin*1 with Full Admin user rights
  • Service Provider deployment – one user each for Super/Global, Super/Local and every user-created Organization – user: admin and password: admin*1

The GUI accounts can be changed from the GUI by clicking Edit User Profile in the top right corner; in a Service Provider deployment, do this once per Organization, since each has its own admin user. Linux passwords can be changed by issuing the passwd command as the logged-in user (once as admin and once as root on each node).