Discovering Devices

FortiSIEM automatically discovers devices, applications, and users in your IT infrastructure and starts monitoring them. You initiate device discovery by providing the credentials needed to access an infrastructure component; from there FortiSIEM discovers information about the component such as its host name, operating system, hardware (CPU and memory), software (running processes and services), and configuration. Once a component is discovered, FortiSIEM also begins monitoring it on an ongoing basis.

  1. If the user assigns a Test Connectivity or Discovery task to a Collector, then the Collector performs those tasks. The Supervisor also assigns the performance monitoring task to the same Collector that performed discovery.

  2. For environments without Collector:

    1. Supervisor does discovery and Test Connectivity.

    2. Supervisor then assigns the performance monitoring tasks to the Active Workers in a weighted round robin fashion. Some jobs, such as vCenter monitoring, have a higher weight than simple SNMP based CPU monitoring.

    3. Workers perform the performance monitoring tasks.

    4. If a Worker is removed, its performance monitoring jobs are redistributed to other Workers.

    5. If a Worker is added, new performance monitoring jobs are assigned to that Worker.

    6. If you disable and then enable performance monitoring jobs from the GUI, then a new global job distribution takes place.

This section provides the procedures for discovering devices.

Creating a Discovery Entry

Complete these steps to create a discovery:

  1. Go to ADMIN > Setup > Discovery tab.
  2. Click New.
  3. In the Range Definition dialog box, enter the information below.

    Settings and Guidelines

    Name: [Required] Name of the discovery entry that will be used for reference.
    Discovery Type: Select the type of discovery:
    • Range Scan - FortiSIEM will sequentially discover each device in one or more IP ranges and CIDR subnets.
    • Smart Scan - FortiSIEM will first discover the Root IP, which will provide a list of devices that it knows about. Then FortiSIEM will discover each of the devices learnt from the Root IP device. Each of these devices will provide a list of devices they know about, which FortiSIEM will then discover. This process continues until the list of known devices is exhausted.
    • AWS Scan - FortiSIEM will discover the devices in Amazon Web Services (AWS) Cloud learnt via the AWS SDK. For an AWS Scan to succeed, there must be an AWS Credential mapped to aws.com or amazon.com in the IP to Credential mapping.
    • L2 Scan - FortiSIEM will discover only the Layer 2 connectivity of the devices.
    • Azure Scan - FortiSIEM will discover the devices in Azure Cloud learnt via the Azure SDK. For an Azure Scan to succeed, there must be a Credential mapped to azure.com in the IP to Credential mapping.
    • Nozomi Scan - FortiSIEM will discover the devices in Nozomi SCADAguardian and CMC learnt via the Nozomi REST API. For a Nozomi Scan to succeed, there must be a Credential mapped to Nozomi SCADAguardian/CMC in the IP to Credential mapping.

      See Setting Credentials and the FortiSIEM External Systems Configuration Guide for more information on Credential mapping.
    Root IPs: IP address of the starting device for Smart Scan. See the Smart Scan definition above.
    Include: [Required] A list of IP addresses that will be included for discovery. Allowed syntax is a single IP, a single range, a single CIDR, or a comma-separated list of these, e.g. 10.1.1.1, 10.1.1.2,20.1.1.0/24, 30.1.1.1-30.1.1.10.
    Exclude: A list of IP addresses that will be excluded from discovery. Allowed syntax is a single IP, a single range, a single CIDR, or a comma-separated list of these, e.g. 10.1.1.1, 10.1.1.2,20.1.1.0/24, 30.1.1.1-30.1.1.10.
    Include Types: A list of device Types that will be included for discovery. Click the edit icon to configure the Range Definition and Save.
    Exclude Types: A list of device Types that will be excluded from discovery. Click the edit icon to configure the Range Definition and Save.
    Name resolution: Host names can be learned from DNS lookup or from SNMP/WMI. If these do not match, choose which method has the higher priority. For example, if DNS is chosen, FortiSIEM gets host names from DNS; if the DNS lookup fails for an IP, the host name is obtained from SNMP/WMI.
    Options: Select the options for this discovery:
    - Do not ping before discovery: The device will not be pinged before the credentials are attempted.
    - Ping before discovery: The device will be pinged before the credentials are attempted. A successful ping can shorten discovery times, since FortiSIEM may otherwise have to wait for a protocol timeout when credentials fail.
    - Winexe based discovery: For Windows servers, FortiSIEM discovers Hyper-V metrics and AD replication metrics via Winexe. However, on certain old OS versions Winexe installs a service and uninstalls it after it finishes. This setting controls that behavior.
    - Only discover devices not in CMDB: Discover only devices that are not already in the CMDB.
    - Discover Routes: Routes help discover neighboring devices for Smart Scan, but "show route" can be expensive on BGP routers. This option provides a way to control this behavior.
    - Include powered off VMs: This allows the administrator to control whether powered off VMs will be discovered during vCenter discovery.
    - Include VM templates: This allows the administrator to control whether VM templates will be discovered during vCenter discovery.
    - Set discovered devices as unmanaged: This allows the administrator to set the discovered devices as unmanaged.
  4. Click Save.
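The Include and Exclude fields above accept the same comma-separated mix of single IPs, CIDR subnets and start-end ranges. The following added example (illustration only, not FortiSIEM code) parses that syntax and computes the address set a Range Scan would attempt, i.e. Include minus Exclude, using the sample values from the table as constructed input:

```python
import ipaddress
from typing import Iterator, List, Set

# Added illustration of the Include/Exclude range syntax from the Range
# Definition table (not FortiSIEM's own code). Items are separated by
# commas; each item is a single IP, a CIDR subnet, or a "start-end" range.

def _expand_item(item: str) -> Iterator[ipaddress._BaseAddress]:
    """Yield every address covered by one list item."""
    item = item.strip()
    if "/" in item:
        # CIDR subnet, e.g. 20.1.1.0/24; strict=False tolerates host bits set.
        # Iterating the network includes network and broadcast addresses,
        # which a range scanner would also probe.
        yield from ipaddress.ip_network(item, strict=False)
    elif "-" in item:
        # Explicit range, e.g. 30.1.1.1-30.1.1.10, inclusive at both ends
        start, end = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
        if end < start:
            raise ValueError(f"range end before start: {item!r}")
        for block in ipaddress.summarize_address_range(start, end):
            yield from block
    else:
        # Single IP, e.g. 10.1.1.1 (ip_address() rejects malformed input)
        yield ipaddress.ip_address(item)


def expand_ranges(spec: str) -> Set[ipaddress._BaseAddress]:
    """Expand a whole Include or Exclude string into a set of addresses."""
    addresses: Set[ipaddress._BaseAddress] = set()
    for item in spec.split(","):
        if item.strip():  # ignore empty items left by trailing commas
            addresses.update(_expand_item(item))
    return addresses


def discovery_targets(include: str, exclude: str = "") -> List[str]:
    """Addresses a Range Scan would attempt: Include minus Exclude, in order."""
    targets = expand_ranges(include) - expand_ranges(exclude)
    ordered = sorted(targets, key=lambda a: (a.version, int(a)))
    return [str(a) for a in ordered]


if __name__ == "__main__":
    # Constructed sample using the exact Include syntax shown in the table
    include = "10.1.1.1, 10.1.1.2,20.1.1.0/24, 30.1.1.1-30.1.1.10"
    exclude = "20.1.1.0/25, 30.1.1.5"  # constructed Exclude list
    targets = discovery_targets(include, exclude)
    print(f"{len(targets)} targets, first {targets[0]}, last {targets[-1]}")
```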

Discovering on Demand

  1. Go to ADMIN > Setup > Discovery.
  2. Select the required discovery from the table.
  3. Click Discover.
  4. Click Results to view the discovery result.
  5. Click Errors to check for any errors found during discovery.
    Use Run in Background to run discovery in the background while performing other operations.
  6. After successful discovery, a Discovery Completed message is displayed with the discovery results.

Scheduling a Discovery

Discovery can be a long-running process when performed on a large network, or over a large IP range, and so you may want to schedule it to occur when there is less load on your network or during off hours. You may also want to set up a schedule for the process to run and discover new devices on a regular basis. 

  1. Go to ADMIN > Setup > Discovery.
  2. Click Scheduled.
  3. Under Discovery Schedule dialog box, click New.
  4. Select from the available ranges.
    You can select multiple ranges and set the order in which discovery will run on them using the up and down arrows.
  5. Set the time at which you want discovery to run.
    • For a one-time scheduled discovery, select the Start Time.
    • For recurring discoveries, select how often (hourly, daily, weekly, monthly) you want discovery to run, and then enter the other scheduling options.
  6. Click Save.

Searching Previous Discovery Results

Complete these steps to search previously discovered results:

  1. Go to ADMIN > Setup > Discovery.
  2. Select a discovery result.
  3. Click History.
  4. In the Discovery History dialog box, click View Results, View Errors or View Changes to see the related information.

Editing a Discovery

Complete these steps to modify discovery settings:

  1. Select the required option from the table below.
    • Edit - to edit any scheduled discovery settings.
    • Delete - to delete any scheduled discovery.
  2. Click OK.

Exporting Discovery Results

Complete these steps to export discovery history:

  1. Click History.
  2. In the Discovery History dialog box, select the discovery type.
  3. Based on the type of information required, select the required option:
    - View Results - to see the discovery results
    - View Errors - to see the errors during discovery
    - View Changes - to see the changes in discovery
  4. Click Export based on your selection in step 3.
  5. Optional - Enter the User Notes.
  6. Select the Output Format as PDF or CSV.
  7. Click Generate.
    An Export successful message is displayed in the Export Report dialog box.
  8. Click View to see the discovery results.