FortiSIEM Deployment Scenarios

FortiSIEM can be deployed in Enterprise and Service Provider environments in a highly scale-out fashion.

Enterprise Deployment

Enterprise Deployments with Supervisor and no Collector

Enterprise deployment without Collector (Supervisor only) is the simplest setup where:

  • Logs are sent to the Supervisor.
  • Test Connectivity, Discovery, performance monitoring, and Event pulling (for example, Cloud Services and WMI-based Windows log collection) are all done from the Supervisor. Go to ADMIN > Setup > Credentials and ADMIN > Setup > Discovery.

This setup has the following drawbacks:

  • Does not scale when a large number of devices must be monitored or a high EPS (events per second) rate must be handled. This can be solved by deploying Workers – see here.
  • Logs cannot be collected efficiently from devices across the Internet, and devices cannot be monitored across the Internet, because of latency and security issues over Wide Area Networks. This can be solved by deploying Collectors – see here.
  • FortiSIEM Agents cannot be used, because they need Collectors – see here.

Enterprise Deployment with Supervisor and Worker but no Collector

The scalability issue above can be resolved by deploying Worker nodes. To add a Worker node:

  1. Install a Worker node.
  2. Add the Worker to the Supervisor from ADMIN > License > Nodes > Add.

In this case:

  • Logs can be sent to the Supervisor or Workers. Sending to Workers is recommended since you can load balance across multiple Workers.
  • Test Connectivity and Discovery are always done from the Supervisor.
  • Performance monitoring and Event pulling jobs (for example, Cloud Services and WMI-based Windows log collection) are done by the Worker nodes in addition to the Supervisor node. After Test Connectivity and Discovery, the Supervisor distributes these jobs to the Workers. When a new Worker is added to the FortiSIEM cluster, the jobs are redistributed across the Workers.

Although it provides scalable event handling, this system has the following shortcomings:

  • Logs cannot be collected efficiently from devices across the Internet, and devices cannot be monitored across the Internet, because of latency and security issues over Wide Area Networks. This can be solved by deploying Collectors – see here.
  • FortiSIEM Agents cannot be used, because they need Collectors – see here.

Enterprise Deployments with Supervisor, Worker and Collector

This solution provides the flexibility of collecting logs and monitoring performance across the Internet and behind firewalls. It also provides even more scalability because the Collectors, instead of the Workers, parse events.

To add a Collector node:

  1. Go to ADMIN > Setup > Collector and create a Collector in the Supervisor.
  2. If you have Workers, define the Workers that the Collectors will upload to (go to ADMIN > Settings > System > Worker Upload).
  3. If you are not using Workers, define the Supervisor's IP address or DNS name instead (go to ADMIN > Settings > System > Worker Upload).
  4. Install a Collector.
  5. Register the Collector to the Supervisor using any FortiSIEM user credential with Admin privileges (see CMDB > User). The built-in admin credential will work. During registration, the Collector receives the list of Workers to upload events to.

In this case:

  • Logs can be sent to Collectors (preferred). However, they can be sent to Workers or the Supervisor as well. Collectors upload parsed logs to the Workers in a load-balanced fashion.
  • For Test Connectivity and Discovery, choose the Collector for the job. Collectors will collect events and send them to Workers in a load-balanced fashion.

In this configuration, you can add FortiSIEM Windows and Linux Agents:

  1. Go to CMDB > User > Add and create an Agent User for Agents to register to the Supervisor node.
  2. Install the Agents and register them to the Supervisor using the Agent user credential created in the previous step.
  3. Define the Agent Monitoring templates.
  4. Assign templates to the Agents and choose Collectors from the set created earlier.

Agents will send logs to the Collectors in a load-balanced manner. Collectors can then send to Workers in a load-balanced manner. This enables log collection in a geographically distributed and scalable manner.

Service Provider Deployment

In a Service Provider deployment, there can be one or more Organizations. Devices and logs are kept logically separated between Organizations.

Note: It is very important to assign devices and logs to the correct Organization in FortiSIEM.

A FortiSIEM Service Provider deployment consists of:

  • Supervisor node
  • Worker nodes for scalability
  • Collector nodes for remote data collection
  • Windows/Linux Agents for richer data collection without remote admin credentials

While the Supervisor, Workers, and Agents are shared infrastructure across Organizations, Collectors, where present, may be either dedicated to one Organization or shared.

This section provides details on how various infrastructure components are deployed, with an eye towards assigning devices and logs to the right Organization.

Service Provider Deployment - Organizations with Dedicated Collector

In this case, an Organization has one or more Collectors that belong to that Organization only. This is suited for large Organizations.

Setup

  1. Create Organizations as follows:
    1. Log in to the Super/Global Organization.
    2. Go to ADMIN > Setup > Organizations and create an Organization.
    3. Define Admin credentials (for Collector registration) and Agent credentials (for FortiSIEM Agent registration).
    4. Add Collectors to that Organization.
  2. Install the Collectors and register them to the Supervisor. Use any Organization Admin credential defined in ADMIN > Setup > Organizations to register the Collector.

Operations

Collecting Logs via Agents

  1. Install Agents and register them to the Supervisor. Use the Agent credentials for the Organization that the Agents belong to.
  2. Define the Agent Monitoring templates. Assign the templates to Agents and designate Collectors belonging to the specific Organization.

Agents will send logs to Collectors in a load-balanced fashion. Since Agents are configured with the Organization ID, they include the Organization in every log. This information is used by Collectors to assign devices and logs to the correct Organization.

Collecting Logs without Agents

Configure devices to send logs to the Organization’s Collectors. Since these Collectors belong to a single Organization, they assign the devices and logs they receive to that Organization.

Discovery and Performance Monitoring by IP Address Range

Log in to the specific Organization and:

  1. Define the credential.
  2. Do Test Connectivity and Discovery using a specific Collector.

Event Pulling for Cloud Services

Log in to the specific Organization and:

  1. Define the credential.
  2. Do Test Connectivity and Discovery using a specific Collector.

Service Provider Deployment - Organizations with Shared Multi-tenant Collector

It may not be economically viable for smaller Organizations to deploy their own collectors. But Collectors may be needed to deploy Agents and to scale out data collection across many smaller Organizations managed under the same FortiSIEM.

Setup

In this setup, special multi-tenant Collectors must be defined under the Super/Local Organization as follows:

  1. Log in to the Super/Local Organization. This is a built-in Organization meant for the Service Provider’s use only.
  2. Go to ADMIN > Setup > Collector and add Collectors to that Organization. These are called multi-tenant Collectors because they handle devices and logs from multiple Organizations.
  3. Install the Collectors and register them to the Supervisor. Use any Full Admin user in CMDB > User to register the Collector.
  4. For each Collector that will be multi-tenant, SSH into the Collector and edit /opt/phoenix/config/phoenix_config.txt. Change the line:
    Multi_Tenant_Collectors=false
    to:
    Multi_Tenant_Collectors=true
  5. Reboot the Collector.
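The following Python script is an added example, not a FortiSIEM tool, of how to make step 4 above repeatable and verifiable across many Collectors (for instance when it is pushed to each Collector over SSH by a configuration-management job). Only the file path and the Multi_Tenant_Collectors key and its two values come from this page; it assumes the file is plain text with one KEY=VALUE setting per line and # comments, and the sample file content is constructed.

```python
"""Set Multi_Tenant_Collectors=true in a phoenix_config.txt-style file.

Added example, not FortiSIEM tooling. Facts taken from the page: the path
/opt/phoenix/config/phoenix_config.txt and the change from
Multi_Tenant_Collectors=false to Multi_Tenant_Collectors=true. The file
layout (one KEY=VALUE per line, '#' comments) is an assumption.
"""
import sys
from typing import Optional, Tuple

CONFIG_PATH = "/opt/phoenix/config/phoenix_config.txt"  # path from the page
KEY = "Multi_Tenant_Collectors"


def set_key(text: str, key: str, value: str) -> Tuple[str, str]:
    """Return (new_text, status); status is 'changed', 'unchanged' or 'missing'.

    Only lines whose name part equals `key` are rewritten (in canonical
    KEY=VALUE form); comments and other settings are left byte-for-byte
    intact. Every occurrence is set, so a stale duplicate cannot win.
    A missing key is reported rather than appended, because the page only
    describes changing an existing line.
    """
    lines = text.splitlines(keepends=True)
    found = changed = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("#") or "=" not in stripped:
            continue
        name, _, current = stripped.partition("=")
        if name.strip() != key:
            continue
        found = True
        if current.strip() != value:
            newline = "\n" if line.endswith("\n") else ""
            lines[i] = f"{key}={value}{newline}"
            changed = True
    if not found:
        return text, "missing"
    return "".join(lines), "changed" if changed else "unchanged"


def current_value(text: str, key: str) -> Optional[str]:
    """Read back the value for `key` (last occurrence wins), or None if absent."""
    value = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        name, sep, val = stripped.partition("=")
        if sep and name.strip() == key:
            value = val.strip()
    return value


def enable_multi_tenant(path: str = CONFIG_PATH) -> str:
    """Edit the file in place, writing only when something actually changes."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, status = set_key(text, KEY, "true")
    if status == "changed":
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return status


# Constructed sample of the relevant part of such a file (not a real copy).
SAMPLE_CONFIG = (
    "# constructed sample, not a real phoenix_config.txt\n"
    "Some_Other_Setting=42\n"
    "Multi_Tenant_Collectors=false\n"
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else CONFIG_PATH
    print(f"{target}: {enable_multi_tenant(target)}")
```

Run it on the Collector with no arguments to edit the real file, or pass another path to try it on a copy first. It reports changed, unchanged or missing, so a Collector whose file lacks the key is flagged instead of silently staying single-tenant; the reboot in step 5 is still required for the change to take effect.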

Then create Organizations as follows:

  1. Log in to the Super/Global Organization.
  2. Go to ADMIN > Setup > Organizations and create an Organization.
  3. Add Agent credentials for Agent registration.
  4. Define the Include/Exclude IP Address ranges if devices belonging to various Organizations are going to send logs to multi-tenant Collectors.

Operations

Collecting Logs via Agents

  1. Install Agents and register them to the Supervisor. Use the Agent credentials for the Organization that the Agents belong to.
  2. Define Agent Monitoring templates. Assign templates to Agents and designate multi-tenant Collectors belonging to the Super/Local Organization.

FortiSIEM Agents will send logs to multi-tenant Collectors in a load-balanced fashion. Since Agents are configured with the Organization ID, they include the Organization in every log. This information is used by multi-tenant Collectors to assign devices and logs to the correct Organization.

Collecting Logs without Agents

Configure devices to send logs to the multi-tenant Collectors. Make sure the reporting device IP matches the Include/Exclude IP ranges defined for that Organization in ADMIN > Setup > Organizations. A multi-tenant Collector uses the reporting device IP to assign devices and logs to the correct Organization.

Discovery and Performance Monitoring by IP Address Range

This is possible so long as the IP Address range matches the Include/Exclude IP ranges defined for that Organization in ADMIN > Setup > Organizations.

This can be done in two ways:

  1. (Recommended) From the Super/Global Organization:
    1. Define the credential.
    2. Do Test Connectivity and Discovery. FortiSIEM automatically chooses a multi-tenant Collector.
  2. Alternatively, log in to the Super/Local Organization and:
    1. Define the credential.
    2. Do Test Connectivity and Discovery using a specific multi-tenant Collector.

Approach #1 is recommended because the Collector is automatically chosen.

Event Pulling for Cloud Services

From the Super/Global Organization:

  1. Define the credential. Specify the Organization in the credential.
  2. Perform Test Connectivity and Discovery.
    FortiSIEM will automatically choose a multi-tenant Collector.

Collecting Logs from Multi-tenant Devices

A shared Collector also enables you to collect logs from multi-tenant devices such as FortiGate with Virtual Domains (VDOM). This assumes that the logs contain an attribute (such as FortiGate VDOM) that enables FortiSIEM to classify logs from multi-tenant devices to different Organizations.

From the Super/Global Organization:

  1. Go to ADMIN > Settings > Event Handling > Event Org Mapping.
  2. Click New and enter the Organization mappings for the discriminating log attribute (such as VDOM).
  3. Click Save.
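As an added illustration (Python written for this page, not FortiSIEM code and not a description of its internals), the model below shows the four ways the Service Provider sections above describe for a Collector to decide which Organization a received log belongs to: a dedicated Collector assigns everything to its own Organization; Agent logs carry the Organization ID; a discriminating attribute such as a FortiGate VDOM is translated through the Event Org Mapping; and otherwise the reporting device IP is checked against each Organization's Include/Exclude IP ranges. The precedence between these cases, the field names orgId and vd, the use of CIDR notation for ranges, the unassigned and ambiguous outcomes, and every address and log line are assumptions or constructed for the example.

```python
"""Model of how a Collector can assign a received log to an Organization.

Added example, not FortiSIEM code. Field names (orgId, vd), precedence
order, CIDR ranges and the 'unassigned'/'ambiguous' outcomes are assumed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# key=value and key="quoted value" pairs, the style FortiGate-like logs use
KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(raw: str, reporting_ip: str) -> dict:
    """Extract the fields the classifier needs from one log line.

    reporting_ip is the transport-level source address the Collector saw,
    not a value read from the payload, so a device cannot change its
    Organization by writing a different address into the message body.
    """
    fields = {}
    for m in KV.finditer(raw):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return {
        "reporting_ip": reporting_ip,
        "org_id": fields.get("orgId"),  # assumed name of the Agent-supplied Organization ID
        "vdom": fields.get("vd"),       # assumed name of the FortiGate VDOM attribute
        "raw": raw,
    }


@dataclass
class Organization:
    name: str
    include: List[str] = field(default_factory=list)  # Include IP ranges (CIDR)
    exclude: List[str] = field(default_factory=list)  # Exclude IP ranges (CIDR)

    def matches(self, reporting_ip: str) -> bool:
        """True if the IP is inside an Include range and not inside an Exclude range."""
        ip = ipaddress.ip_address(reporting_ip)

        def in_any(nets: List[str]) -> bool:
            return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

        return in_any(self.include) and not in_any(self.exclude)


@dataclass
class CollectorOrgRules:
    orgs: List[Organization]
    event_org_mapping: Dict[str, str]     # attribute value (e.g. VDOM) -> Organization
    dedicated_org: Optional[str] = None   # set when the Collector belongs to one Organization

    def assign(self, event: dict) -> str:
        # A dedicated Collector only ever serves its own Organization.
        if self.dedicated_org:
            return self.dedicated_org
        # Multi-tenant Collector, case 1: Agent logs carry the Organization ID.
        if event.get("org_id"):
            return event["org_id"]
        # Case 2: multi-tenant device; the Event Org Mapping translates the attribute.
        vdom = event.get("vdom")
        if vdom in self.event_org_mapping:
            return self.event_org_mapping[vdom]
        # Case 3: plain device; reporting IP against each Organization's ranges.
        hits = [o.name for o in self.orgs if o.matches(event["reporting_ip"])]
        if len(hits) == 1:
            return hits[0]
        # Overlapping Include ranges would attribute one tenant's logs to another,
        # so report that instead of picking one silently.
        return "ambiguous" if hits else "unassigned"


# Constructed Organizations, mapping and log lines (not from a real deployment).
ORGS = [
    Organization("Acme", include=["10.1.0.0/16"], exclude=["10.1.99.0/24"]),
    Organization("Beta", include=["10.2.0.0/16", "10.1.99.0/24"]),
]
MAPPING = {"acme-vdom": "Acme", "beta-vdom": "Beta"}
RULES = CollectorOrgRules(ORGS, MAPPING)

SAMPLES = [  # (reporting IP seen by the Collector, constructed log line)
    ("203.0.113.10", 'devname="shared-fgt" vd="acme-vdom" action=accept'),  # VDOM -> Acme
    ("203.0.113.10", 'devname="shared-fgt" vd="beta-vdom" action=deny'),    # same device -> Beta
    ("10.1.5.7", 'devname="sw1" msg="link up"'),                            # Acme Include range
    ("10.1.99.4", 'devname="sw2" msg="link down"'),                         # Acme Exclude, Beta Include
    ("10.2.3.3", 'orgId=Gamma host=agent01 msg="heartbeat"'),               # Agent carries its Org
    ("192.0.2.9", 'devname="stray" msg="hello"'),                           # matches nothing
]


def assign_samples(rules: CollectorOrgRules = RULES, samples=SAMPLES) -> List[str]:
    return [rules.assign(parse_event(raw, ip)) for ip, raw in samples]


if __name__ == "__main__":
    for (ip, raw), org in zip(SAMPLES, assign_samples()):
        print(f"{ip:>14}  {org:<10}  {raw}")
```

The ambiguous outcome is the one worth keeping an eye on: if two Organizations' Include ranges overlap and neither excludes the other, the same reporting IP satisfies both, and a device's logs could be attributed to the wrong tenant. Checking for that overlap when the ranges are defined in ADMIN > Setup > Organizations avoids it.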