Discovery Settings

This section describes the procedures for the following Discovery settings:

  • Generic
  • Device Filter
  • Application Filter
  • Location
  • CMDB Groups

Generic

Before you initiate discovery, you should configure the Discovery Settings in your Supervisor as required for your deployment.

  1. Go to ADMIN > Settings > Discovery > Generic tab.
  2. Enter the following information under the Generic Settings section. In an SP deployment, you must define all these settings for each Organization by logging in to the Organization directly.
  3. Configure each setting as described below.

    Virtual IPs - Often a common virtual IP address exists on multiple machines for load balancing and fail-over purposes. When you discover devices, you must have these virtual IP addresses defined within your discovery settings for two reasons:
    • Listing the virtual IP addresses ensures that two or more devices with the same virtual IP will not be merged into one device during device discovery, so each of the load-balanced devices maintains its separate identity in the CMDB.
    • The virtual IP will not be used as an access IP during discovery, since the identity of the device when accessed via the virtual IP is unpredictable.

    Enter the Virtual IP and click + to add more, if required.

    Excluded Shared Device IPs - An enterprise often has servers that share credentials, for example mail servers, web proxies, and source code control servers, and a large number of users authenticate to these servers to access their services. Providing a list of the IP addresses for these servers allows FortiSIEM to exclude them from user identity and location calculations in the ANALYTICS > Identity and Location report.
    For example, suppose user A logs on to server B to retrieve mail, and server B authenticates user A via Active Directory. If server B is not excluded, the ANALYTICS > Identity and Location report will contain two entries for user A: one for the workstation that A logs into, and one for server B. You can eliminate this behavior by adding server B to the Excluded Shared Device IPs list.

    Enter the Excluded Shared Device IPs and click + to add more, if required.

    Virtual Device Hardware Serial Numbers - If two or more devices have identical hardware serial numbers, specify them here. In general, the hardware serial number is used to uniquely identify a device, so two devices with identical hardware serial numbers are merged into a single device in the CMDB. If a hardware serial number is present in the Virtual Device Hardware Serial Numbers list, it is excluded for merging purposes.

    Enter the Virtual Device Hardware Serial Numbers and click + to add more, if required.

    Allow Incident Firing on - This setting allows you to control incident firing based on approved device status.
    If the Approved Devices Only option is selected, the following logic is used:
    (a) If at least one Source, Destination, or Host IP is approved, the incident triggers.
    (b) Else, if at least one incident reporting device is approved, the incident triggers.
    (c) Else, the incident does not trigger.
    Note: System devices (Super, Worker, and Collectors) are always considered approved devices. In other words, incidents will fire for these system devices even if the Approved Devices Only option is selected.

    Select All Devices or Approved Devices Only accordingly.

  4. Click Save.
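The Allow Incident Firing on decision described above, written out as an added example (this is not FortiSIEM code; the device record shape, the role names and the CMDB lookup by IP or device name are assumptions for illustration):

```python
# Added example (not FortiSIEM code): the "Allow Incident Firing on" decision
# described above. Device records and the CMDB shape are assumed for illustration.
SYSTEM_ROLES = {"Super", "Worker", "Collector"}


def is_approved(device):
    """System devices (Super, Worker, Collector) always count as approved."""
    return device.get("role") in SYSTEM_ROLES or bool(device.get("approved"))


def incident_fires(mode, incident, cmdb):
    """mode: "All Devices" or "Approved Devices Only".
    incident: {"ips": [Source/Destination/Host IPs], "reporters": [device names]}
    cmdb: maps an IP or device name to its device record; unknown keys are
    treated as unapproved (assumption)."""
    if mode == "All Devices":
        return True
    if mode != "Approved Devices Only":
        raise ValueError(f"unknown mode: {mode!r}")
    # (a) at least one approved Source, Destination or Host IP -> fires
    if any(is_approved(cmdb.get(ip, {})) for ip in incident.get("ips", [])):
        return True
    # (b) else at least one approved reporting device -> fires
    if any(is_approved(cmdb.get(d, {})) for d in incident.get("reporters", [])):
        return True
    # (c) otherwise the incident is suppressed
    return False


# Constructed CMDB: one approved host, two unapproved hosts, one Collector.
CMDB = {
    "10.1.1.5": {"approved": True},
    "10.1.1.9": {"approved": False},
    "fw-edge": {"approved": False},
    "collector-1": {"role": "Collector", "approved": False},
}

if __name__ == "__main__":
    # An unapproved host reported by an unapproved device: suppressed
    print(incident_fires("Approved Devices Only",
                         {"ips": ["10.1.1.9"], "reporters": ["fw-edge"]}, CMDB))
```

The Collector case shows why the note matters: a system device in the reporter list makes rule (b) succeed even when every involved IP is unapproved.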

Device Filter

This setting allows you to limit the set of devices that the system automatically learns from logs and Netflows. After receiving a log from a device, the system automatically learns that device and adds it to the CMDB. When a TCP/UDP service is detected running on a server from Netflow analysis, the server, along with its open ports, is added to the CMDB.

Sometimes, you may not want to add all of these devices to CMDB. You can create filters to exclude a specific set of devices from being added to CMDB. Each filter consists of a required Excluded IP Range field and an optional Except field.

  1. Go to ADMIN > Settings > Discovery > Device Filter tab.
  2. Click New.
  3. In the Range Definition dialog box, enter the following information:
    1. Excluded IP Ranges - A device will not be added to CMDB if it falls in the range defined in the Excluded IP Range field. For example, if you wanted to exclude the 172.16.20.0/24 network from CMDB, add a filter with 172.16.20.0-172.16.20.255 in its Excluded IP Range field.
    2. Except - This field allows you to specify some exceptions in the excluded range. For example, if you wanted to exclude the 172.16.20.0/24 network without excluding the 172.16.20.0/26 network, add a filter with 172.16.20.0-172.16.20.255 in the Excluded IP Range field, and 172.16.20.192-172.16.20.255 in the Except field.
    You can add multiple values for these fields by clicking the + icon or remove an entry by clicking the - icon.
  4. Click Save.

Application Filter

This setting allows you to limit the set of applications/processes that the system automatically learns from discovery. You may be more interested in discovering and monitoring the server processes/daemons that run on a server than the client processes. To exclude client processes from being discovered and listed in the CMDB, enter those applications here. An application/process will not be added to the CMDB if it matches one of the entries defined in this table.

  1. Go to ADMIN > Settings > Discovery > Application Filter tab.
  2. Click New.
  3. In the Process Definition dialog box, enter the Process Name and any Parameters for that process that you want to filter.
    Matching is exact and case-insensitive based on Process Name and Parameter. If Parameter is empty, then only Process Name is matched.
  4. Select the Organization from the drop-down list.
  5. Click Save.
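The Application Filter matching rule from step 3, as an added example that is not FortiSIEM code; the filter-entry shape (dicts with "name" and "param") and the sample table are constructed for illustration:

```python
# Added example (not FortiSIEM code): the Application Filter matching rule
# described above. Filter entries are assumed to be dicts with "name"/"param".
def _norm(value):
    # Exact, case-insensitive comparison; casefold also handles non-ASCII names
    return (value or "").casefold()


def process_is_filtered(process_name, parameters, filters):
    """True if the discovered process matches a filter entry and so must not
    be added to the CMDB. An entry with an empty Parameter matches on Process
    Name alone; otherwise both Process Name and Parameter must match exactly."""
    name, params = _norm(process_name), _norm(parameters)
    for entry in filters:
        if _norm(entry.get("name")) != name:
            continue
        entry_param = _norm(entry.get("param"))
        if entry_param == "" or entry_param == params:
            return True
    return False


# Constructed filter table: drop every browser process regardless of its
# arguments, but drop only the agent instances started in "--client" mode.
APP_FILTERS = [
    {"name": "chrome.exe", "param": ""},
    {"name": "monitor-agent", "param": "--client"},
]
```

Because the match is exact, "monitor-agent --client --verbose" is still discovered; only a filter entry with that full parameter string would exclude it.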

Location

This setting allows you to set location information for devices in the CMDB. Location information can be defined for a set of IP addresses. When applied, this information overwrites the existing Location information in the CMDB, and future discoveries will not overwrite it. Use this method only to update the locations of multiple devices with private IP addresses. It is not necessary to update locations for public address space in this manner, because that information is obtained from a separate built-in location database.

  1. Go to ADMIN > Settings > Discovery > Location tab.
  2. Click New.
  3. In the Location Definition dialog box, select or enter the following information:
    • Organization Type
    • IP/IP Range
    • Location
    • Update Manual Devices (This enables the system to overwrite the location information for manually defined devices in CMDB.)
  4. Click Save.
  5. Select the new location from the list and click Apply.

CMDB Groups

This setting allows you to write rules that add devices to the CMDB Device Groups and Business Service Groups of your choice. When a device is discovered, the policies defined here are applied and the device is assigned to the group(s) defined in the matching policies. This device grouping does not overwrite the CMDB Device Group assigned during discovery; the grouping defined here is in addition to the discovery-defined CMDB group.

  1. Go to ADMIN > Settings > Discovery > CMDB Groups tab.
  2. Click New.
  3. In the CMDB Group Definition dialog box, select or enter the following information:
    • Organization - the organization which this rule applies to
    • Vendor - the matching device vendor
    • Model - the matching device model
    • Host Name - matching device host name via regular expression match
    • IP Range - matching device access IP - format is single IP, IP range, CIDR
    • Custom Properties - see Grouping Devices by Custom Properties
    • Groups - specify the groups which the matching devices will be added to
    • Biz Services - specify the business services which the matching devices will be added to
  4. Click Save.
  5. Select the new CMDB group from the list and click Apply.

Conditions are matched in an ANDed manner: every condition specified in a policy must hold for a device to match. Both actions are then taken, that is, if both a Group and a Business Service are specified, the device is added to both the specified Group and the specified Business Service.

To apply one or more CMDB Group policies:

  1. Select one or more policies and click Apply or click Apply All to apply all policies.
  2. Once a policy is saved, the next discovery will apply it. That means discovered devices will belong to the groups and business services defined in the policies.

Note: For all the above configurations, use the Edit button to modify any setting or Delete to remove any setting.

Grouping Devices by Custom Properties

FortiSIEM allows you to define device groups based on IP address, host name, or device type. You can also group devices based on custom properties. These steps assume that you have already defined the custom properties you are interested in. See Working with Custom Properties.

To group devices by custom properties:

  1. In the CMDB Group Definition dialog box, click the edit icon next to Custom Properties.
  2. Click + to add a new group definition based on the custom property.
  3. Select a custom property from the Property drop-down list.
  4. Enter a Value for the property. You can add multiple values by clicking the + button.
  5. Click Save, then click Save again to return to the CMDB Group Definition dialog box.
  6. In the Add To section of the dialog box, select the group to which the CMDB Group will be added from the Groups drop-down list.
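The Device Filter (Excluded IP Range with Except) and CMDB Group policy matching (Vendor, Model, Host Name regex, IP Range as single IP / range / CIDR, Custom Properties, ANDed) both need the same IP-range parser, so one added example covers both sections. This is not FortiSIEM code; the filter and policy dict shapes, the device record fields, and the rule that a custom property matches when the device's value is one of the listed values are assumptions.

```python
import ipaddress
import re

def parse_ip_spec(spec):
    """Single IP ("10.1.1.5"), range ("10.1.1.0-10.1.1.255") or CIDR -> networks."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec.strip(), strict=False)]

def ip_in_specs(ip, specs):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for spec in specs for net in parse_ip_spec(spec))

def device_filter_excludes(ip, filters):
    """Device Filter: drop if inside a filter's Excluded IP Range but not its Except list."""
    return any(ip_in_specs(ip, f["excluded"]) and not ip_in_specs(ip, f.get("except", []))
               for f in filters)

def match_cmdb_policies(device, policies):
    """Every condition a policy specifies must hold (ANDed); groups and
    business services of all matching policies accumulate."""
    groups, biz = set(), set()
    for p in policies:
        if p.get("vendor") and p["vendor"] != device.get("vendor"):
            continue
        if p.get("model") and p["model"] != device.get("model"):
            continue
        if p.get("host_name") and not re.search(p["host_name"], device.get("host_name", "")):
            continue
        if p.get("ip_range") and not ip_in_specs(device["ip"], [p["ip_range"]]):
            continue
        props = device.get("custom_props", {})  # value must be one of the listed values (assumed)
        if any(props.get(k) not in vals for k, vals in p.get("custom_props", {}).items()):
            continue
        groups.update(p.get("groups", []))
        biz.update(p.get("biz_services", []))
    return groups, biz

# Constructed sample data: the 172.16.20.0/24 filter from the Device Filter
# section with its 172.16.20.192-172.16.20.255 exception, and two group policies.
DEVICE_FILTERS = [{"excluded": ["172.16.20.0-172.16.20.255"],
                   "except": ["172.16.20.192-172.16.20.255"]}]
POLICIES = [
    {"vendor": "Fortinet", "host_name": r"^fw-", "ip_range": "10.10.0.0/16",
     "groups": ["Firewalls"], "biz_services": ["Perimeter"]},
    {"custom_props": {"tier": ["prod", "dr"]}, "groups": ["Production"]},
]
```

A device at 172.16.20.200 survives the filter because the Except range wins over the Excluded range, while 172.16.20.10 is dropped; a Fortinet host named fw-edge-1 in 10.10.0.0/16 with tier=prod lands in both Firewalls and Production.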