What’s New in 5.0.0

Read Before Installing or Upgrading to FortiSIEM Release 5.0.0
  1. Starting with the FortiSIEM 5.0.0 release, FortiSIEM all-in-one hardware appliances (FSM 3500F/FSM 2000F) will run on bare metal, bypassing the OpenStack hypervisor layer. This simplifies installation and maintenance and improves performance. The user has two options:
    (a) Stay on OpenStack and simply upgrade the FortiSIEM application to 5.0.0. In this case, follow the steps in the 'Upgrading FortiSIEM' section of the Hardware Configuration Guide (FSM 3500F/FSM 2000F) here.
    (b) Recommended - Migrate the current data on your appliance and move to the new FSM 3500F/FSM 2000F OS, that is, run on bare metal but retain the old data. Follow the steps in the Migration Guide (FSM 3500F/FSM 2000F) here.
  2. Starting this release, you have to explicitly choose Event Database Storage for fresh software based installs. If you upgrade to 5.0.0, then the existing database will be maintained. If you plan to switch to another database, then the data will not be migrated.
  3. Upgrade notes:
    - Customers on releases prior to 4.10.0 must first upgrade to 4.10.0 before upgrading to 5.0.0. Customers on 4.10.0 can upgrade to 5.0.0. This is required because of license changes in 4.9.0 and 4.10.0.
    - Make sure that Super, Worker, Collector and Report Server can connect to the FortiSIEM hosted CentOS repo over HTTPS (port 443) at the URLs below. Otherwise, some packages may not install and the 5.0.0 binaries will not run.
    - https://os-pkgs-cdn.fortisiem.fortinet.com/centos6/
    - https://os-pkgs.fortisiem.fortinet.com/centos6/
  4. AWS customers only - After upgrading to 5.0.0, customers need to apply the new license using the EC2 instance Hardware ID.
  5. Kafka and Event Forwarding settings are not compatible with release 4.0. Once you upgrade to 5.0.0, the configuration from 4.10 will be lost. You have to redo the Kafka and Event Forwarding definitions after you have upgraded to 5.0.0.
  6. Export and Import on these tabs only support user-defined entries:
    - Admin > Device Support > Device/App
    - Admin > Device Support > Event Attribute
    - Admin > Device Support > Event Type
    - Admin > Device Support > Dashboard Column
  7. Kafka based Event Forwarding is now Rule-based and done from Collectors.
  8. The FortiSIEM 5.0.0 release supports receiving logs via Kafka into FortiSIEM. Kafka-based log pulling can only consume 10K events per pull. If more than 10K events are generated suddenly, it may take more than one pull to consume all of them.
  9. If Elasticsearch is chosen as the Event Database, the Supervisor needs an additional 8 GB RAM - in this case, the minimum requirement of the Supervisor is 32 GB RAM.
  10. Since the GUI layout is different in Flash and HTML5, FortiSIEM User Roles defined in the Flash GUI in 4.10.0 will not work in the HTML5 GUI. The user needs to define new roles for use in the HTML5 GUI.
  11. Since the Dashboard layout is different in Flash and HTML5, user-created Dashboards in Flash GUI in 4.10.0 or earlier will not be shown in the HTML5 GUI. However, you can export from the Flash GUI and import into the Dashboard of your choice in HTML5 GUI.

FortiSIEM 5.0.0 is a significant milestone release including the following features and functionality.

New Features

FortiSIEM 5.0.0 release includes the following new features:

Key Enhancements

FortiSIEM 5.0.0 release includes the following key enhancements:

New Device Support

  • FortiAuthenticator – discovery and log analysis
  • Palo Alto Traps – log analysis
  • EMC Isilon – log analysis
  • Radware Network IPS – log analysis
  • HyTrust CloudControl – log analysis
  • Vormetric Data Security Manager – log analysis
  • Cisco ASA Firepower SFR module – log analysis
  • Checkpoint GAIA – log analysis
  • CodeGreen DLP – log analysis
  • TrendMicro Interscan Web Filter
  • Language support for Windows security logs – Korean, German, Russian
  • Microsoft Exchange Tracking – log analysis

HTML5 based GUI with Online Help Documentation

This release provides a fresh HTML5 based GUI that combines the best ideas from the current Adobe Flash based GUI with advances in JavaScript technology.

The following table provides a high level overview of the changes in the HTML5 GUI. For a complete mapping of Flash GUI to HTML5 GUI, see Appendix A.

Area Enhancements
Overall
  • Bigger font for ease in readability
  • Dark theme for ease of readability (light theme in a future release)
  • Clean, airy look with consolidated buttons
  • Right-click rolled into button action, considering mobile devices
  • Dynamically adjusting table column width for maximum readability
CMDB
  • Simplified CMDB navigation tree to contain Devices, Applications, Users, Business Service and CMDB Reports. The rest have been moved to Resources.
  • Action button consolidates all Flash right-click operations on a device
  • Consolidated device health pop-up
  • Ability to choose device property columns
Analytics
  • Combines Real-time and Historical Search
  • Combines Display and Group By
  • Validity checks in Display Columns
Dashboard
  • Two-layer dashboard hierarchy – dashboard folders with each containing multiple dashboards. Each dashboard can be any one of Summary dashboard, Widget dashboard, Business Service dashboard and Identity location dashboard. This provides a good way to mix and match various presentation techniques in one dashboard folder.
  • Ability for users to customize the dashboards they want to see and also the home dashboard.
  • Ability to dynamically update Widget dashboard via search.
  • A New Business service dashboard with high level incident counts and impacted devices.
Incidents
  • Two new Incident views – Overview and Risk View to complement List View, with drill downs from each view.
  • An intuitive way to search incidents in List View.
  • Action button consolidates all Flash right click operations on one incident or multiple incidents.
Resources
  • Consolidates all CMDB Helper Objects and Rules/Reports
  • Incident Remediation library
Admin
  • Allows user to specify event database storage options - local disk, NFS or Elasticsearch.
  • Consolidated navigation tree folders including License and Health folders.

The following items are not available in the current HTML5 GUI release. Some of them may be added in future releases:

  • Topology View
  • Specific Incident dashboards - Fishbone View, Calendar View
  • VM View
  • IPS Vulnerability Map
  • Incident > Add Rule exception Via Patches
  • CMDB > Link Usage View
  • Analytics > Audit
  • Analytics > Display Column Sets, Filter Criteria Sets
  • Event Database Management
  • Dashboard Slideshow view
  • Simple keyword based search

Elasticsearch Event Database Option

This release provides the Elasticsearch database option for storing events. Existing customers can continue using the FortiSIEM EventDB and decide to switch at some point; however, data migration procedures from FortiSIEM EventDB to Elasticsearch are not available. New customers can choose Elasticsearch.

Elasticsearch is a distributed database that provides linearly scalable event insertion speed and improved query response time. However, you need to deploy more nodes and use more storage. The higher storage requirement applies to local disks on Elasticsearch nodes, which are relatively inexpensive. For details, see FortiSIEM - Sizing Guide here.

In earlier FortiSIEM releases, the event database option (local disk or external NFS) was chosen during installation. Starting with release 5.0.0, the user chooses the event database option from the GUI, where the additional Elasticsearch option is offered along with the local disk and external NFS options.

In FortiSIEM 5.0.0, Elasticsearch is a drop-in replacement: the system works seamlessly with NFS, local disk and Elasticsearch, with the following exceptions:

  • Policy-based data retention is currently not supported on Elasticsearch; FortiSIEM simply purges from Elasticsearch when a limit (10 GB by default, configurable) is reached.
  • Percent Change aggregation function and CMDBDeviceToAttr look-up functions are currently not supported.
  • Aggregation queries with multiple Group By conditions are interpreted differently: the current event database treats multiple Group By attributes as a single tuple, while Elasticsearch treats them as nested buckets, so sorted results are displayed differently in Elasticsearch. Consider a query with Group By A, B that displays count in descending order. In the current FortiSIEM event database, the rows are sorted by count descending. Elasticsearch shows the results sorted first by A and then by B. This is how Elasticsearch currently works, although there are plans to extend it to tuple sorting in later Elasticsearch releases.
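The two Group By interpretations side by side, as an added example that is neither FortiSIEM nor Elasticsearch code: group_by_tuple models the EventDB tuple ordering, and group_by_nested models nested buckets in which each level is ordered by its own count (the assumption made here for how nested terms buckets are returned); the events are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample events: (reporting device, event type) pairs.
EVENTS = [
    ("fw1", "deny"), ("fw1", "deny"), ("fw1", "deny"), ("fw1", "permit"),
    ("fw2", "deny"), ("fw2", "permit"), ("fw2", "permit"), ("fw2", "permit"),
    ("fw2", "permit"), ("fw3", "permit"), ("fw3", "permit"),
]


def group_by_tuple(events):
    """Group By A, B as one tuple key (EventDB behaviour): every (A, B)
    pair is a row and all rows are sorted by COUNT descending."""
    counts = Counter(events)
    # Tie-break on the key so the ordering is deterministic.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def group_by_nested(events):
    """Group By A, then B as nested buckets (assumed Elasticsearch
    behaviour): outer buckets are ordered by their own total count, inner
    buckets by count within their parent, so the flattened rows come out
    grouped by A first and are not globally sorted by count."""
    outer = defaultdict(Counter)
    for a, b in events:
        outer[a][b] += 1
    rows = []
    for a in sorted(outer, key=lambda k: (-sum(outer[k].values()), k)):
        for b, n in sorted(outer[a].items(), key=lambda kv: (-kv[1], kv[0])):
            rows.append(((a, b), n))
    return rows


def first_divergence(events):
    """Index of the first row where the two orderings disagree, or None
    when both happen to produce the same order."""
    pairs = zip(group_by_tuple(events), group_by_nested(events))
    for i, (t, n) in enumerate(pairs):
        if t != n:
            return i
    return None


if __name__ == "__main__":
    print("tuple  :", group_by_tuple(EVENTS))
    print("nested :", group_by_nested(EVENTS))
    print("first differing row:", first_divergence(EVENTS))
```

Both orderings contain the same rows with the same counts; only the display order differs, which is what a report consumer switching to Elasticsearch will notice.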

For details about how FortiSIEM works with Elasticsearch, see Key Concepts.

User Entity Behavior Anomaly Detection

FortiSIEM already maps IP addresses to users and geo-locations in its User Identity and Location database. This information is now used as the foundation for machine learning techniques for the following two use cases:

  • Login location anomaly detection – FortiSIEM detects when the same user logs in from two different locations at times that are not physically possible given the geographical distance and travel speed limitations. This covers various login scenarios:
    • Logging into a server
    • VPN into corporate network
    • Logging into a Cloud SSO platform such as OKTA
    • Logging onto a Cloud Service such as Google Apps, Office365, Salesforce
  • Login pattern anomaly detection – FortiSIEM profiles user login behavior (users logging on to infrastructure devices from specific computers at specific hours of the day) and detects the following anomalies:
    • User logging in to a server at times when that user typically never logs on
    • User logging in to a server that the user typically never logs on to
    • Excessive user login to a server over the whole day
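An added illustration of the login-location check described above (often called "impossible travel"); this is not FortiSIEM code, and the 900 km/h speed threshold, the haversine distance on a 6371 km sphere and the sample logins are constructed assumptions.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: about airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Walk each user's logins in time order and flag consecutive pairs whose
    implied travel speed exceeds max_speed_kmh. logins are (user, time, lat,
    lon, src_ip) tuples with tz-aware times. Returns (user, earlier_ip,
    later_ip, speed_kmh); speed is inf when distant logins share a timestamp."""
    by_user = {}
    for user, when, lat, lon, ip in logins:
        by_user.setdefault(user, []).append((when, lat, lon, ip))
    alerts = []
    for user, seq in by_user.items():
        seq.sort()
        for (t1, lat1, lon1, ip1), (t2, lat2, lon2, ip2) in zip(seq, seq[1:]):
            dist = haversine_km(lat1, lon1, lat2, lon2)
            if dist < 1.0:  # same place within GeoIP jitter: never anomalous
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, ip1, ip2, speed))
    return alerts


def at_utc(hour, minute):
    return datetime(2018, 5, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample logins: RFC 5737 addresses and rough city coordinates.
LOGINS = [
    ("alice", at_utc(9, 0), 51.5074, -0.1278, "198.51.100.10"),    # London
    ("alice", at_utc(10, 30), 35.6762, 139.6503, "203.0.113.25"),  # Tokyo, 90 min later
    ("bob", at_utc(8, 0), 40.7128, -74.0060, "192.0.2.7"),         # New York
    ("bob", at_utc(12, 0), 42.3601, -71.0589, "192.0.2.8"),        # Boston, 4 h later
    ("carol", at_utc(9, 15), 48.8566, 2.3522, "198.51.100.77"),    # Paris
    ("carol", at_utc(9, 45), 48.8566, 2.3522, "198.51.100.78"),    # Paris, new IP
]

if __name__ == "__main__":
    for user, ip1, ip2, speed in impossible_travel(LOGINS):
        print(f"{user}: {ip1} -> {ip2} implies {speed:.0f} km/h")
```

Only alice is flagged: London to Tokyo in 90 minutes implies well over 6000 km/h, while bob's New York to Boston trip and carol's repeat login from the same city are within normal bounds.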

User Risk Scoring

FortiSIEM 4.10 provides a machine risk score by combining asset criticality, unpatched vulnerabilities and incident severity. This concept is now extended to users. Users may use multiple machines (mobile phones, tablets, laptops, workstations) and may trigger incidents on infrastructure devices. A user risk score is calculated by combining the risk scores of the user's associated machines with the user's own risk score. User and machine scores are now presented in a unified Entity Risk dashboard.

Incident Mitigation Framework and Library

In FortiSIEM 4.10, users could write their own remediation scripts and attach them as an Incident action. That required users to hard-code credentials in the script even when FortiSIEM already held the credentials in its CMDB. In this release, the incident mitigation concept is formalized and that shortcoming is eliminated.

  • A REST API is provided to pull credentials from FortiSIEM CMDB
  • A mitigation library is provided with 29 built-in mitigation actions that show the use of the API. Users can write their own mitigation scripts and include them in the library from the GUI.
  • A mitigation action can be taken on demand when an incident triggers or as part of a notification policy action.

FortiSIEM’s inbuilt multi-vendor and multi-function incident mitigation library includes:

  • Block an IP on FortiGate, Palo Alto and Cisco ASA firewalls and on FortiWeb
  • Block a MAC on all FortiSwitches managed by FortiGate firewall
  • Block a MAC on Cisco IOS router/switch device
  • Quarantine end points via Fortinet EMS and FortiClient
  • Disable an interface on Windows and Linux Servers
  • Disable a port on Cisco IOS device
  • Add an IP for fine-grained control to FortiADC and FortiCache
  • Add source email address to FortiMail Session Profile
  • Block a web domain on Infoblox and Microsoft Windows DNS
  • De-authenticate a user on FortiWLC, Cisco and Aruba WLAN Controllers
  • De-authenticate a user on FortiAuthenticator, Linux Server and Microsoft Active Directory
  • Delete a file with specific checksums on Windows and Linux Servers
  • Delete a file by name on Linux Servers
  • Restart a service on Windows and Linux Servers
  • Reboot a Windows or Linux server

Event Insertion Performance Improvement

FortiSIEM event indexing and insertion performance is improved significantly (approximately 25-50%):

  • FSM-2000F hardware appliance can now handle 15K EPS without loss.
  • FSM-3500F hardware appliance can now handle 30K EPS without loss.
  • Single Supervisor and single Worker performance is also improved:
    • A node with 8 vCPU can handle 10K EPS without loss.
    • A node with 16 vCPU can handle 15K EPS without loss.

These benchmarks were done with a specific data set, and the performance in your environment may differ. For details, see FortiSIEM - Sizing Guide here.

Hardware Appliance Directly On Hardware without OpenStack

FortiSIEM Hardware Appliances (FSM-2000F and FSM-3500F) now run directly on bare metal hardware without OpenStack. They are easier to install, configure and manage, and they perform better because the resources previously consumed by OpenStack can now be used by FortiSIEM.

Existing customers have two options:

  • Choose to stay on OpenStack and simply upgrade FortiSIEM guest from 4.10.0 to 5.0.0.
    See the 'Upgrading FortiSIEM' section of the Hardware Configuration Guides by selecting the models here.
  • Migrate to 5.0.0 without losing their data.
    See the Migration Guides for 2000F and 3500F.

Event Forwarding Enhancements

FortiSIEM can forward events to third-party systems. In this release, this feature is enhanced in the following ways:

  • Event forwarding is now more robust: events are buffered in files, just like Collector-to-Worker event forwarding. If a forwarding destination is temporarily unreachable, events are stored locally and forwarding is retried later.
  • Event forwarding criteria are now finer grained, including Reporting IP, Event Type, Source and Destination IP and Event payload.
  • More event forwarding protocols are included:
    • Syslog – UDP, TCP, TCP/SSL
    • Netflow
    • Kafka
  • Kafka based event forwarding can now be controlled by filtering criteria.
  • All event forwarding now happens from the FortiSIEM node that first receives the event from the third-party system (typically a FortiSIEM Collector). In earlier releases, Kafka-based event forwarding happened from Super/Worker nodes.

Ability to Handle IPFIX

FortiSIEM can handle high volume network flow data from firewalls and other network devices in the form of Netflow Version 5, Version 9, SFlow, JFlow, and Cisco AVC. This release enhances this support to include IPFIX.

Ability to Handle AWS EC2 VPC Traffic Log

In this release, FortiSIEM can receive, parse and analyze AWS EC2 VPC traffic logs like any other traffic log.

Ability to Receive Logs via Kafka

FortiSIEM can already forward logs to an external system via Kafka. In this release, FortiSIEM can also receive logs via Kafka. This gives FortiSIEM a robust two-way log exchange with third-party systems.

Policy-Based FortiSIEM Ticket Escalation

Administrators can now define ticket escalation policies for the FortiSIEM internal ticketing system. After a ticket due date is defined, the user can define policies that escalate the ticket to the assignee's manager when it is not yet resolved and the current time is 'close' to the due date.

Multiple Language Support in Event Report

Log data may contain certain log attribute values (for example, user names) in various languages. This release enables PDF and CSV reports to properly show these log values in those languages. Currently, the out-of-the-box supported languages are English, Korean, Russian, Japanese and Chinese. Users can add a language of their choice.

ConnectWise Ticketing System Integration via REST API

FortiSIEM has a built-in integration with the ConnectWise ticketing system via a SOAP API. Since the SOAP API is being deprecated, the FortiSIEM 5.0 release provides the same functionality via the new REST API.

Ability to Add More User Context into Events in Real-time

FortiSIEM can discover users from Active Directory and OpenLDAP and add user context to events in real time. For example, when the user name matches in an event, FortiSIEM adds the full user name to the event to make the user identifiable. In this release, more user attributes such as employee serial number and membership groups are added to events in real time.

Ability to Handle AWS Terminated Instances in CMDB

FortiSIEM can discover server instances in AWS and populate its CMDB. Until this release, deletion from the CMDB was a manual, audit-worthy action, since it is difficult to tell for sure whether a server has been terminated or is merely unreachable because of a network connectivity issue. In AWS, where instances are brought up and torn down quickly, stale server instances in the CMDB cause license exhaustion. In this release, FortiSIEM analyzes the AWS CloudTrail log and deletes the terminated devices from the CMDB.

Ability to Include Multiple Incidents to a Ticket in FortiSIEM Internal Ticketing System

You can now add more than one (related) incident to a ticket in the FortiSIEM internal ticketing system.

NIST 800-171 Compliance Support

This release adds reports for NIST 800-171 Compliance.

Full Catalog of FortiSIEM System Errors Using Distinct Event Types

Starting with this release, FortiSIEM internal errors are generated with proper event types and severities so they can be queried easily from FortiSIEM.