Fortinet FortiSOAR Administrator Study Guide for FortiSOAR 7.3
1,054 95 29MB
English Pages [310]
01 Introduction to FortiSOAR
02 Device Management
03 System Configuration
04 High Availability
05 Searching, War Rooms, and Upgrading
06 System Monitoring and Troubleshooting
Recommend Papers
File loading please wait...
Citation preview
DO NOT REPRINT © FORTINET
FortiSOAR Administrator Study Guide for FortiSOAR 7.3
DO NOT REPRINT © FORTINET Fortinet Training Institute - Library https://training.fortinet.com Fortinet Product Documentation https://docs.fortinet.com Fortinet Knowledge Base https://kb.fortinet.com Fortinet Fuse User Community https://fusecommunity.fortinet.com/home Fortinet Forums https://forum.fortinet.com Fortinet Product Support https://support.fortinet.com FortiGuard Labs https://www.fortiguard.com Fortinet Training Program Information https://www.fortinet.com/nse-training Fortinet | Pearson VUE https://home.pearsonvue.com/fortinet Fortinet Training Institute Helpdesk (training questions, comments, feedback) https://helpdesk.training.fortinet.com/support/home
4/21/2023
DO NOT REPRINT © FORTINET
TABLE OF CONTENTS 01 Introduction to FortiSOAR 02 Device Management 03 System Configuration 04 High Availability 05 Searching, War Rooms, and Upgrading 06 System Monitoring and Troubleshooting
4 65 127 180 230 271
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
In this lesson, you will learn what Security Orchestration, Automation and Response is, and how FortiSOAR can help security operation center teams. You will also learn about FortiSOAR architecture and some initial configuration.
FortiSOAR Administrator 7.3 Study Guide
4
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the topics shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
5
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
In this section, you will learn about SOAR technology, and the importance of SOAR in a SOC environment. By demonstrating competence in SOAR, you will be able to describe the basics of SOAR technology and understand SOC maturity.
FortiSOAR Administrator 7.3 Study Guide
6
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
Gartner defines SOAR as technologies that enable organizations to take inputs from a variety of sources (mostly from security information and event management (SIEM) systems) and apply workflows aligned to processes and procedures. Orchestration is the process of collecting data, which is usually alerts and incidents from different sources, and performing various actions from one platform. Orchestration also helps you to streamline and optimize frequently occurring processes and workflows. Automation and orchestration are different, but related, concepts. Automation enables security teams to be more efficient by reducing or replacing human interaction with IT systems, and instead use a centralized platform to perform tasks in order to reduce cost, complexity, and errors. Automated workflows and responses enable the security teams to automatically respond to security events. Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. SOAR is the technology that can orchestrate data, automate workflows, and respond to incidents. All of that can be performed from a single platform.
FortiSOAR Administrator 7.3 Study Guide
7
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
The majority of organizations juggle at least 50 discrete cybersecurity products at once, posing a threat to data security, according to a new report from Oracle and KPMG. Keeping the security team up-to-date on all the latest features and functions for different vendors is a challenge. Based on market research, the incident management segment is projected to grow at a higher compounded annual growth than the network forensics segment. This will result in a very high volume of alerts and incidents. Manually addressing every incident is not feasible for large organizations. The threat landscape is evolving and attackers are more sophisticated than before. Responding to incidents manually can be slow, and that could provide attackers with the opportunity to breach other systems, which could have been stopped if the incidents were resolved quicker. Cybersecurity has become a major priority for organizations looking to protect themselves against the massive cost of data breaches, but there’s an international problem hindering that goal. There are millions of cybersecurity positions open and unfilled around the world. Without trained security staff, organizations don’t have the capability to deploy the right controls or develop security processes to detect and prevent cyberattacks.
FortiSOAR Administrator 7.3 Study Guide
8
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
A security operations center (SOC) is a facility that houses an information security team responsible for monitoring and analyzing an organization’s security posture on an ongoing basis. The SOC team’s goal is to detect, analyze, and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes. Security operations centers are typically staffed with security analysts and engineers as well as managers who oversee security operations. SOC staff work closely with organizational incident response teams to ensure security issues are addressed quickly upon discovery. Security operations centers monitor and analyze activity on networks, servers, endpoints, databases, applications, websites, and other systems, looking for anomalous activity that could be indicative of a security incident or compromise. The SOC is responsible for ensuring that potential security incidents are correctly identified, analyzed, defended, investigated, and reported.
FortiSOAR Administrator 7.3 Study Guide
9
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
Security and risk management leaders can improve the odds of selecting the right tool for the organization by gaining consensus during a premortem analysis on what could go wrong, and which success metrics should apply to a project. The premortem can also serve as an early-stage vehicle for collecting initial use cases and requirements. Those can be further refined as part of the formal project definition and approval cycles. As part of a project to bring tools into the SOC, a solid understanding of the scope, technologies being considered, and affected processes is required. As your SOC team grows, you must consider the scope, technology, and implementation requirements.
FortiSOAR Administrator 7.3 Study Guide
10
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
An organization building a SOC prioritizes technology purchases to get real-time monitoring capabilities in order to better understand what is happening when observing the consequences of the event. This first level of visibility, while potentially limiting the SOC to reactive activities, is necessary. As the SOC matures and learns, it builds the processes to treat basic incidents, and starts to differentiate event treatment based on their impact. Additional tools might help at this stage to speed up initial assessment, with individual alerts being aggregated and augmented with additional context. More mature organizations might need to strengthen their ability to perform root cause analysis of the incident and elimination of the threat. You want to ensure that when you close an incident, the risk of recurrence is correctly handled. After the end-to-end workflow itself becomes more refined, orchestration and other productivity improvements will move the SOC forward.
FortiSOAR Administrator 7.3 Study Guide
11
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
Smaller or newly formed SOCs, or those that were previously outsourced where the technology was provided by the provider, often start with FortiSIEM or log management solutions. This is necessary to start seeing what is happening in the organization, leveraging logs from network and endpoint security controls already in place, and possibly from other sources, based on criticality to the organization, for example, domain controllers, critical applications, and other externally exposed assets. The need to have a common repository of incidents could be addressed within a SIEM tool or within the IT case management or service desk tool. You should consider using a security incident response platform (SIRP) tool, or the SIRP capabilities of a FortiSOAR tool, if the incident and case management capabilities in the FortiSIEM tool are not advanced enough, or there are security and privacy concerns with using the IT service desk tool. Every “greenfield” SOC will not have the resources (budget, people, time) to implement SIRP at the beginning, but you should strongly consider it at the start of instrumenting the SOC, rather than trying to bolt it on later in the SOC building journey. If security and privacy concerns make the IT service desk tool inappropriate, and if the preferred SIEM tool lacks adequate case management capabilities, security leaders face an early maturity bottleneck. They must consider a SIEM tool with more advanced case management capabilities, or leverage a SIRP tool or the SIRP capabilities of a SOAR tool, which would normally be beyond their current maturity level.
FortiSOAR Administrator 7.3 Study Guide
12
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
This slide shows four key use cases in which FortiSOAR can help a matured SOC. FortiSOAR provides a unified incident response management platform where incidents can be investigated and remediated. To avoid false positives, alerts are triaged and checked to verify if the alert is legitimate by automatically extracting indicators, and checking their reputation against threat intelligence platforms. SOC optimization ensures that SOAR solutions enable security operations teams to automate the tiresome, repetitive, and monotonous elements of their workflow that don’t depend upon human interaction. This takes some of the pressure off security analysts, and frees them to focus on the day-to-day incident response and bigger-picture cyber defense strategies. Having a SOAR platform also helps SOC teams to collaborate with each other through a central platform without relying on any external case management software.
FortiSOAR Administrator 7.3 Study Guide
13
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
14
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
Good job! You now understand SOAR. Now, you will learn about SOC alert handling and triage.
FortiSOAR Administrator 7.3 Study Guide
15
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
In this section, you will learn how a SOC team handles alerts and the process of triage and escalation. By demonstrating competence in SOC alert handling and triage, you will learn how a SOC team handles alerts and the process of triage and escalation.
FortiSOAR Administrator 7.3 Study Guide
16
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
The SOC Automation Model is divided into three key areas: people, process, and product. Within each area, an organization can be classified at a maturity level from 1-3, based upon their security posture in that area. For example, an organization that is level 1 in all categories has a small IT team with no security staff (people), best effort incident response playbooks (process), and no dedicated security solutions (product). At the other extreme, an organization may have a large security team with experienced SOC analysts, welldefined playbooks, and have not only deployed but also measured the effectiveness of their SIEM and SOAR solutions. At Level 1: Achieve Visibility Leveraging Security Fabric Analytics At Level 1 of the SOC Automation Model, a security team has no dedicated security personnel or processes for addressing potential incidents. Additionally, the average enterprise receives more than 10,000 alerts per day, meaning that SOC analysts are overwhelmed and have little time for identifying and remediating true threats to the network. Without dedicated solutions, an organization’s security team lacks visibility into potential threats to their network. The team must manually collect and correlate all log data before they can analyze it. Many level 1 SOCs lack the knowledge or the resources to identify true threats, leaving the organization at risk. FortiAnalyzer is an easy-to-deploy solution for centralizing visibility and threat detection across an organization’s entire Fortinet Security Fabric, including both on-premises and cloud deployments. FortiAnalyzer correlates log data from multiple Fortinet devices, providing valuable context to security analysts. By analyzing this data using machine learning (ML) and indicators of compromise (IOCs) provided by a global threat-intelligence feed, FortiAnalyzer can help even the smallest security team to pinpoint and rapidly respond to threats within their network.
FortiSOAR Administrator 7.3 Study Guide
17
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
At Level 2: Enhance Multivendor Visibility With SIEM, the average enterprise has 75 different point security solutions deployed on their network. While each of these solutions provides valuable intelligence about potential threats to the organization’s network, they often lack the context required to differentiate between a true threat and a false positive. Additionally, an array of standalone security solutions makes it difficult to enforce consistent security policies and maintain compliance with strict new data protection regulations, such as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). A SIEM system is the logical solution to the security complexity caused by a multivendor environment. A SIEM solution ingests data collected from products created by multiple different vendors and performs automated correlation and analysis to provide a clearer picture of the overall status of the protected environment. FortiSIEM allows security teams to map operations to industry best practices and security standards, such as those published by the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS). In this way, FortiSIEM expands on the visibility that FortiAnalyzer brings to the Fortinet Security Fabric.
FortiSOAR Administrator 7.3 Study Guide
18
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
At Level 3: Incorporate Automated Response With SOAR, the cyber-threat landscape is accelerating as cyber criminals increasingly rely upon automation to speed up their attacks. While single-pane-of-glass visibility speeds up the rate at which a security team can identify a potential threat, a reliance on manual incident response processes means that defenders will always be a step behind the attackers. SOAR solutions enable an organization’s security team to leverage automation to speed up incident response. By creating an automated framework to tie together an organization’s complete security architecture, defensive actions can be taken by multiple different systems in concert. This minimizes the context switching required of security personnel, decreasing alert fatigue and speeding incident response. FortiSOAR also enables an organization to optimize its security processes by leveraging well-defined security playbooks. By automating repetitive tasks and responses to common threats, FortiSOAR enables a security team to focus their efforts and limited resources on higher-level tasks.
FortiSOAR Administrator 7.3 Study Guide
19
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
A level 1 analyst is the front line responder to an alert. FortiSIEM or FortiSOAR could receive an alert depending on the way the log forwarding is set up in your infrastructure. The task of a level 1 analyst is usually to investigate and triage an alert. If you already have established techniques or procedures on FortiSIEM or FortiSOAR, then a level 1 analyst could automate some aspects of the investigation, such as reputation lookups for IOC using playbooks on FortiSOAR, or by using automation scripts on FortiSIEM. If the alert is not a valid threat, then the analyst can close it as a false positive. Otherwise, the analyst can open an incident or a case. On FortiSOAR, you can run a playbook to remediate the incident, if a playbook is available, and then close the incident. If a playbook remediation is not available, then you can escalate the incident to a level 2 analyst.
FortiSOAR Administrator 7.3 Study Guide
20
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
A level 2 analyst investigates the incident using established techniques or procedures. A key role of a level 2 analyst is to investigate an incident through manual methods and use playbooks wherever possible. If the incident is not a threat, then the analyst can close it. Otherwise, they can move the incident to the remediation stage. The level 2 analyst determines if a remediation playbook is available to remediate the incident, and run the playbook against the incident. If an appropriate script is available, then the analyst can also remediate an incident from FortiSIEM. After an incident is remediated, the analyst updates the knowledge base within FortiSOAR, documents the incident, and closes it. If the analyst is unable to remediate the incident using a playbook or through FortiSIEM, then the analyst must determine if they can resolve the incident manually. After performing manual remediation, the analyst must update the knowledge base, document the case, and flag the case for a possible playbook in the future. If the level 2 analyst cannot remediate the incident, then they can escalate the case to a level 3 analyst.
FortiSOAR Administrator 7.3 Study Guide
21
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
The level 3 analyst takes ownership of the escalated incident and performs further advanced manual investigation on the incident in addition to all the investigation done by level 1 and level 2 analyst. If the threat is not valid then the case is documented and closed. If the threat is valid then the level 3 analyst will perform a manual remediation of the incident. The remediation could involve follow-up work such as updating FortiSIEM rules, updating firewall policies, patching all endpoints, and so on. The level 3 analyst will then decide if there is a known technique or procedure to resolve such an incident, either manual or through a playbook. If there is a known procedure, then the case is documented and closed. If there is no known procedure, then the analyst will update the knowledge base, review the procedure with an architect and update the procedure to resolve such incidents. FortiSOAR case logs provide a record for process updates. The review process also involves developing a new playbook, if required, so that such incidents can be automatically remediated by the playbook for future occurrences of such incidents. After the review process is complete, the case can be documented and closed.
FortiSOAR Administrator 7.3 Study Guide
22
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
A level 3 analyst must follow specific protocols while developing a new technique or procedure. The analyst must identify the threat. Once identified, the analyst must mitigate the risk to avoid risk of exploitation. If possible, the analyst should try to patch any vulnerable systems, or block any indicators of compromise. While conducting a thorough investigation, the analyst should be able to identify the indicators that have been compromised. Based on that investigation, the analyst should build SIEM rules or SOAR playbooks so that such incidents can be identified and indicators can be enriched. The analyst’s next task is to remediate the incident automatically through FortiSIEM remediation scripts, or develop playbooks on FortiSOAR for automatic remediation. Finally, the analyst must carefully study the impact of remediation on services and networks. Often, a poorly developed playbook could cause self-inflicted issues, such as bringing down servers or critical network infrastructure.
FortiSOAR Administrator 7.3 Study Guide
23
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
24
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
Good job! You now understand SOC alert handling and triage. Now, you will learn about FortiSOAR architecture.
FortiSOAR Administrator 7.3 Study Guide
25
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
In this section, you will learn about FortiSOAR architecture, and various platforms on which you can install FortiSOAR.
FortiSOAR Administrator 7.3 Study Guide
26
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
In an enterprise architecture, there is one single instance of FortiSOAR. You can ingest data using connectors into FortiSOAR from various devices in your infrastructure. When available, it is recommended that most logs be sent through the SIEM, rather than through direct connectors. This ensures the SIEM is a central point of log aggregation and can be used for analytics and reporting. After you integrate your FortiSIEM, or any other SIEM solution, with FortiSOAR, incidents generated by FortiSIEM are ingested by FortiSOAR. Every incident that is sent from FortiSIEM to FortiSOAR is a unique record on FortiSOAR. You can run remediation playbooks from FortiSOAR against those incidents, and perform remediation action on the target devices. For example, if the logs that are sent by FortiGate to FortiSIEM generate an incident that indicates an external malicious actor is trying to access corporate resources, then FortiSOAR evaluates that incident and rates that external IP against various threat intelligence platforms. If the IP is malicious, then you can run a remediation playbook to take action against that IP address. In the scenario shown on this slide, the solution is to block that IP on the FortiGate firewall. The playbook can automatically log in to FortiGate and put that IP on the quarantine list for an indefinite period of time.
FortiSOAR Administrator 7.3 Study Guide
27
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
In the case of a shared tenancy model, tenants share the same system as the primary device; tenants are local, but with restricted access on the system. The SOC team provides cybersecurity monitoring and management to various tenants in a single FortiSOAR instance. The shared tenancy model ensures that the data belonging to different tenants is segregated, and data access is controlled using RBAC. Therefore, a tenant can view only their own data or record, and not the data of other tenants. You can give each tenant their own login, which they can use to view their dashboards, report, check the actions taken on their records, check their SLA management, and so on.
FortiSOAR Administrator 7.3 Study Guide
28
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
In the case of a distributed tenancy model, the tenant node instance of FortiSOAR is remote and every tenant has their own instance of FortiSOAR. The primary FortiSOAR node resides at the MSSP location and communicates with the tenant node through a secure channel. Tenant data remains in the tenant environment, and they control how much data they want to share with the primary node. All sensitive information stays with the tenant node. Since the actual workflow execution happens at the tenant node itself, the primary node requires only the summary of information to help identify what investigations should run. The primary node pushes any action that needs to be executed to the tenant node. Similarly, any playbook that needs to be executed is pushed by the primary node to the tenant node. You can choose to deploy a dedicated secure message exchange server by specifying that option when using the regular FortiSOAR virtual appliance installer. Alternatively, you can enable the embedded secure message exchange server available on every FortiSOAR node. For a production environment, it is recommended to use an external secure message exchange server for improved scalability and availability.
FortiSOAR Administrator 7.3 Study Guide
29
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
In a multi-tenant hybrid model, the MSSP’s primary node centrally manages some customers. If the customer is managed by the primary node, then there is no requirement for a tenant node for that customer. However, you can also set up other customers who use a distributed method for the same primary FortiSOAR node. For those customers, you must install a tenant node.
FortiSOAR Administrator 7.3 Study Guide
30
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
FortiSOAR supports HA clusters that you can deploy in both active-passive and active-active configurations. You can configure FortiSOAR with either an externalized PostgreSQL database, or an internal PostgreSQL database. For both, you can configure active-active or active-passive HA clusters. One FortiSOAR cluster can have only one active primary node. All the other nodes are either active secondary nodes or passive nodes.
FortiSOAR Administrator 7.3 Study Guide
31
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
A key element of the FortiSOAR architecture is its form factor. FortiSOAR is available as a virtual instance and comes as a 64-bit, hardened, Rocky Linux virtual machine that is preconfigured and pre-installed with FortiSOAR. All you have to do is import the virtual instance into your preferred environment. Instead of deploying a virtual instance, you can also self-install FortiSOAR on a Rocky Linux or RHEL operating system. Prior to 7.3.0, you could install FortiSOAR on the CentOS platform. However, because CentOS has announced its end-of-life cycle, FortiSOAR now requires Rocky Linux 8.6 or RHEL 8.6.
FortiSOAR Administrator 7.3 Study Guide
32
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
A major benefit of the FortiSOAR form factor is its scalability. If your company grows, and you start sending more data to FortiSOAR than what it was initially configured to handle, you can upgrade the VM and add more resources. It’s easy to add CPUs, memory, and even storage to VMs. There are no charges or fees from Fortinet, unlike some vendors that charge by the number of CPUs used. The minimum hardware requirements for one instance of FortiSOAR are 8 vCPU, 20 GB of RAM, and 500 GB of storage. The recommended hardware requirements for one instance of FortiSOAR are 8 vCPU, 32 GB of RAM and 1 TB of storage. There are no size limits for the records database, and no charges or fees for storing months’ or years’ worth of data. That’s important to note when considering compliance reporting, and PCI or HIPPA requires that you store a year’s worth of data in order to provide appropriate audit reports. It’s very easy to determine how much storage you’ll need.
FortiSOAR Administrator 7.3 Study Guide
33
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
FortiSOAR Cloud is a service subscription aimed to ease deployment, management, and scaling. You can access the FortiSOAR Cloud interface via the FortiCloud Services menu. To provision a FortiSOAR Cloud instance, you must have a FortiCloud account in addition to a FortiCloud Premium subscription and a FortiSOAR Cloud Entitlement license. If either license expires, you have a 30-day grace period to remedy the situation before the cloud portal shuts down the instance. Only one FortiSOAR instance can be created per FortiCloud account. You can choose which region to deploy your instance in, but you cannot migrate the instance to a different region later. The primary account holder can create secondary account holders with permissions to the account and the FortiSOAR cloud instance. After the instance has been provisioned, you can access it by using the web interface or the SSH console. The instance also contains an embedded secure message exchange, set as the cloud instance address running on TCP port 5671. From the FortiSOAR Cloud portal’s interface, you can also reboot and manage snapshots of the instance.
FortiSOAR Administrator 7.3 Study Guide
34
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
35
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
Good job! You now understand FortiSOAR architecture. Now, you will learn about FortiSOAR initial configuration.
FortiSOAR Administrator 7.3 Study Guide
36
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
In this section, you will learn about FortiSOAR deployment, licensing, and configuration options that will help you get FortiSOAR up and running. By demonstrating competence in FortiSOAR initial configuration, you will learn about FortiSOAR deployment, licensing, and configuration options that will help you get FortiSOAR up and running.
FortiSOAR Administrator 7.3 Study Guide
37
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
This slide shows a high-level view of the initial deployment methodology of FortiSOAR. The planning process involves the following tasks: • Complete site preparation, including hardware and resources for the VM • Download the FortiSOAR VM The deployment process involves the following tasks: • Import the FortiSOAR VM to the ESXi server • Run the FortiSOAR configuration wizard • License FortiSOAR using the License Manager • Configure optional settings, such as editing the VM resource configuration and changing the default database password for FortiSOAR The configuration process involves the following tasks: • Configure SMTP using the SMTP connector • Point the ntpd service to a valid ntp server • Set up a proxy server to serve all request for FortiSOAR • Configure data encryption keys • Create users, teams, and roles
FortiSOAR Administrator 7.3 Study Guide
38
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
The recommended hardware requirements for the FortiSOAR VM are 8vCPUs, 32 GB RAM, 1 TB disk, and one virtual NIC. The storage required depends on the environment, specifically how many records are expected, and how extensive logging is. You can install the FortiSOAR VM on VMware ESXi 5.5 or higher. You can also install the VM on Amazon Web Services, Redhat KVM, Docker, or have it hosted on FortiCloud. For inbound networking, ensure that port 22 and port 443 are enabled within the VM network. For FortiSOAR to correctly interact with your network, you must provide access between the FortiSOAR VM and the thirdparty products and services configured within your network. To accomplish this, enable the ports shown on this slide for SSH, SMTP, DNS, and HTTPS access.
FortiSOAR Administrator 7.3 Study Guide
39
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
The first step to deploying a FortiSOAR VM is to select the appropriate hypervisor. After deploying the VM, run the configuration wizard to change the host name, configure a proxy, update the network configuration, generate certificates, generate the device UUID, reset database passwords, restart services, configure the default HA cluster, and install Python libraries. You can edit the VM resource configuration to determine if you would like to use a static or dynamic IP. Determine the type of license that you would like to install. Provide the FortiSOAR UUID while registering the FortiSOAR instance on FortiCare. You must be logged in as a root user to retrieve the UUID from FortiSOAR. Download the license from FortiCare and upload it to FortiSOAR through FTP. Ensure that you have connectivity to globalupdate.fortinet.net. Deploy the license as an enterprise or a multi-tenant edition. Now, you should be able to access FortiSOAR through the GUI using the IP that you configured while running the configuration wizard to go through an initial setup. It is highly recommended that you confirm the SOAR Framework Solution Pack is installed and up-to-date in the environment. By default, the solution pack is installed in new 7.3.0 installations, but it can be skipped. This solution pack contains essential elements for effective incident response, including modules, dashboards, roles, and widgets.
FortiSOAR Administrator 7.3 Study Guide
40
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
FortiSOAR enforces licensing and restricts the use of FortiSOAR by specifying the following: • The maximum number of active users in FortiSOAR at any point in time • The type and edition of the license There are two main variations of license editions: Enterprise and Multi-tenant. The enterprise edition enables a regular enterprise production license. With multi-tenant licensing, there are three different editions. • MT, which enables multi-tenancy where both shared and distributed multi-tenancy are supported. The instance where this license is deployed would serve as a primary node in a distributed deployment. • MT_Tenant, which enables the node as a tenant in a multi-tenant deployment. This is the license to be deployed for a customer node of a Managed Security Services Provider (MSSP). You can configure the node as a tenant to the MSSP server for syncing data and actions to and from the MSSP primary server. • MT_RegionalSOC, which enables the node as a regional SOC deployment at an organization with a distributed SOC. It is enabled as a complete SOAR platform by the regional SOC team. At the same time, you can configure it as a tenant to the global SOC where the MT license is deployed, and sync data and actions from the Global SOC FortiSOAR server. 7.3.0 also introduces a new licensing option that provides full access to FortiGuard threat intel feeds. It includes an extensive dataset, comprising of IPs, URLs, Domain and malicious hashes carefully curated by FortiGuard security experts.
FortiSOAR Administrator 7.3 Study Guide
41
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
The FortiSOAR license can be of the following types: • Perpetual: This type of license provides you with a license for an unlimited time for FortiSOAR. • Perpetual (Trial): This type of license provides you with a free trial license for an unlimited time for FortiSOAR, but in a limited context. There are restrictions on the number of users and actions that can be performed in FortiSOAR in a day. By default, this license is an enterprise type license and is restricted to three users using FortiSOAR for a maximum of 200 actions a day. • Subscription: This type of license is a regular license that gives you subscription to FortiSOAR for a particular number of users and a specific timeframe. You can renew your subscription and change the number of users as per your requirements. FortiSOAR will synchronize with the FDN server and retrieve the latest subscription. • Evaluation: This type of license allows you to evaluate FortiSOAR. The evaluation license is shipped with a predefined user count and expiry date.
FortiSOAR Administrator 7.3 Study Guide
42
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
You must use the SMTP connector to receive any system or email notifications, including requests for resetting passwords. The SMTP connector is part of a number of pre-installed connectors or built-ins that are included with FortiSOAR. By default, the SMTP connector is configured to use FortiSOAR as an SMTP relay server. The FortiSOAR Configuration Wizard is available only on the first SSH login. If, at a later stage, you need to change the hostname of your FortiSOAR VM, then you can use the FortiSOAR CLI to change the hostname. FortiSOAR comes with a self-signed certificate. Replace FortiSOAR self-signed certificates with your own signed certificate. FortiSOAR records each workflow action and audits every important activity such as logins, and the creation, updates to, and deletion of records. These generate a large volume of data, which might not be useful after some point in time. Therefore, you must configure a purge schedule for both these logs as per the organization's retention policy. This will help keep the disk usage for these logs constant over time. The Playbook Execution History data is significantly large, so it is very important that you schedule a purge of these logs at regular intervals.
FortiSOAR Administrator 7.3 Study Guide
43
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
The system comes with the default username csadmin and password changeme. It is highly recommended that you change the username and password after you log in for the first time. You should set up thresholds, schedules, and notifications to effectively monitor various FortiSOAR system resources, such as CPU, disk space, and memory utilization, and status of various FortiSOAR services. You can configure FortiSOAR with either an external PostgreSQL database or an internal PostgreSQL database. In both cases, you can configure active-active or active-passive high availability clusters. You must stop and start the FortiSOAR services in the following cases: • Updating or upgrading the SSL certificates • Post-update, if playbooks are not working as expected • Post-reboot, if the FortiSOAR platform is not working as expected
FortiSOAR Administrator 7.3 Study Guide
44
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
45
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
Good job! You now understand FortiSOAR initial configuration. Now, you will learn about FortiSOAR overview.
FortiSOAR Administrator 7.3 Study Guide
46
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
In this section, you will explore some of the important features of FortiSOAR, and how a SOC can mature by using FortiSOAR. By demonstrating competence in FortiSOAR overview, you will explore some of the important features of FortiSOAR, and how a SOC can mature by using FortiSOAR.
FortiSOAR Administrator 7.3 Study Guide
47
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
When you escalate an alert on FortiSOAR, it becomes an incident. Every incident on FortiSOAR can be considered as a ticket that an analyst will need to work on until they close the incident. The FortiSOAR queue management feature provides you with an overview of the work that must be completed and enables you to assign pending work to users. You can also reassign assignments in case of absence or analyst shift changes. Administrators can create applicable dashboards throughout the platform. The dashboards are assigned to users based on their roles. For example, you can create a dashboard that displays alerts that are severity critical and high, and then assign them to users who have the role of handling alerts. Users then can prioritize their work by looking at their dashboard. FortiSOAR gives you the option to assign levels of accessibility to users using role-based access control (RBAC) combined with team membership. You can grant users access to specific modules in FortiSOAR based on their role permissions. Users exercise their permissions in conjunction with their team membership.
FortiSOAR Administrator 7.3 Study Guide
48
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
The Content Hub is an all-new central repository for connectors, widgets, and solution packs, equipped with a searchable, filter-friendly interface. The Content Hub’s data is synchronized from the FortiSOAR repository every hour to ensure the content is up-to-date. Prior to 7.2.0, connectors and widgets were managed using different stores. To view the hub, you must have at least read permissions on the Content Hub and Applications modules. To work with add-ons, such as solution packs, widgets, or connectors, ensure the administrator has the required permissions for each respective module. The Content Hub is accessible both as a public-facing page at the URL listed on this slide, and within the FortiSOAR GUI itself.
FortiSOAR Administrator 7.3 Study Guide
49
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
The SOAR Framework Solution Pack is the foundational solution pack that creates the framework, including modules, dashboard, roles, and the widgets required for effective day-to-day operations of any SOC. The Incident Response modules have been moved to the solution pack, making it essential for users to install it to optimally use and experience FortiSOAR incident response. This solution pack installs several modules, such as alerts, incidents, and indicators, along with corresponding playbooks, dashboards, reports, and widgets. This makes it a comprehensive solution and provides a fully functional incident response platform augmented by automation and threat intelligence. The screenshot included in this slide shows the contained contents of the solution pack, including the roles, playbooks, and connectors. Note that the solution pack is installed by default with new installations of FortiSOAR. However, you may need to install this solution pack on upgraded FortiSOAR nodes.
FortiSOAR Administrator 7.3 Study Guide
50
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
Alerts can be created manually, through playbooks, or ingested into FortiSOAR through a connector. When an alert is ingested, FortiSOAR can check to verify if the alert is a false positive or not. If the alert is a false positive, then the alert is cleared. An alert can also be cleared after it’s resolved by an analyst, or after it’s resolved automatically through a playbook execution. If the alert is legitimate, then an analyst can escalate the alert to an incident. After the alert becomes an incident, then a senior analyst could be assigned to that incident and the analyst could clear the incident after investigation. An analyst can run more playbooks against the incident to enrich the indicators, or fetch more information about the incident from various threat intelligence platforms. New tasks can be created for the incident and they could be assigned to an analyst for decision making.
FortiSOAR Administrator 7.3 Study Guide
51
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
In FortiSOAR, you can escalate an alert to an incident. A FortiSOAR incident usually contains multiple alerts that are linked to each other, and to the incident. This allows FortiSOAR to convey the complexity of a security incident that has many stages. After FortiSOAR runs specific playbooks over an alert, it may extract indicators, which are objects FortiSOAR extracted from various fields of a record. For example, an indicator can have an associated reputation while a field cannot. An incident contains various response phases. An analyst works through these phases as they resolve an incident. From an incident, you can assign tasks to an analyst to resolve a particular issue related to the incident, such as blocking an IP address. The audit log helps you keep track of the incident’s history. The comments section is used to track all comments made by an analyst or comments generated by the playbook.
FortiSOAR Administrator 7.3 Study Guide
52
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
The Queue & Shift Management interface is an intelligent, automated assignment solution based on queues and shift spreads. The Queue Management tab allows you to manage queues. You can use the configuration wizard to create new queues, define which record types are associated with the queues, what conditions need to match, who to assign to the queues, and which assignment methods to use. Queues provide managers with a view to see what their resources are working on, how many tasks are pending, and then decide if any tasks need to be reallocated. Queues provide users with a view that shows them what tasks have been assigned, how many of them are pending, and what the priority of the tasks are. The Shift Management tab allows the generation of shift rosters with shift leads and team members. By leveraging queues and shifts together, FortiSOAR has the ability to manage shift handover processes. Records are assigned to individual users within a queue, and you can enable shift-based assignment to assign them to only users who are working. The Queue & Shift Management interface has replaced the Queue Management interface that was present in previous releases of FortiSOAR. The previous Queue Management interface did not support automated record assignments.
FortiSOAR Administrator 7.3 Study Guide
53
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
A dashboard is the default landing page and home that a user sees after logging in to FortiSOAR. You can create personalized dashboards based on roles. Customizations that you make to your dashboards are visible and applicable only to you. Administrators must update the dashboard for the changes to apply to all users. Updates, including removal and additions that administrators make to the dashboards, apply to all users.
FortiSOAR Administrator 7.3 Study Guide
54
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
FortiSOAR allows you to easily set up reporting. You have the option to use the default report templates, edit, or create your own. Additionally, you can schedule reports, view historical reports, and also search for text in the report PDF. Click the View button to generate a preview of the report and have the opportunity to fine tune your reports prior to scheduling them. These screenshots show the Reports interface, and an example of the customizations available for creating reports.
FortiSOAR Administrator 7.3 Study Guide
55
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
In FortiSOAR, teams and roles are closely aligned with a data table design. Teams own specific records, which are rows in a table. In other words, teams define ownership of discrete records within the database. A record can have more than one team owner. Users can also belong to multiple teams, thus allowing them to access records owned by their assigned teams. Roles, on the other hand, govern permissions on the columns within that table, centered around create, read, update, and delete (CRUD) permissions. Users’ access to different parts of the FortiSOAR platform are dictated by their effective permissions, which are a combination of all their roles’ permissions. For example, a user without the proper permissions may not be able to see some features in FortiSOAR, or a user can see records for a module, but does not have access to modify them.
FortiSOAR Administrator 7.3 Study Guide
56
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
You can use the following tips to make it easier to work with playbooks and playbook steps in the playbook designer: • You can activate or deactivate a playbook • You can select a step by clicking while holding CTRL; to select all the steps, press CTRL+A • You can drag and drop multiple selected steps • You can copy multiple selected steps by pressing CTRL+C or copy all the steps by pressing CTRL+A and then pressing CTRL+C • You can paste the copied steps into a different playbook by pressing CTRL+V • You can delete a step or multiple steps by selecting steps and pressing backspace or delete • You can save versions of a playbook that you are creating or updating; Using versioning, you can save multiple versions of the same playbook • You can revert your current playbook to a particular version, making working in playbooks more effective
FortiSOAR Administrator 7.3 Study Guide
57
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
You can connect playbook steps or remove the connection between playbook steps. To connect a playbook step, use the connection points that appear when you hover over a playbook step. Select a connection point and drag and drop the arrow connector on the step you want to connect. At the core of playbooks are steps. Steps represent discrete elements of data processing during the course of the playbook. You can link steps together in sequences to determine the flow of the playbook, starting from the trigger. Use the core steps to create and update records. Use the evaluate steps to make decisions based on user input and require manual intervention by an analyst. Use connector, utility, and code snippet steps to execute actions on a device. You can also call child playbooks using the reference playbook step.
FortiSOAR Administrator 7.3 Study Guide
58
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
This slide shows all the playbook steps that you can use while configuring a playbook. The steps are broadly placed into five different categories. Use the core steps to create, find, or modify an alert, incident, task, or other item in the FortiSOAR database. Use the evaluate steps to make a logical decision, get approval, take manual input from the user, or otherwise affect the logical flow of the playbook. Use the execute steps to take an action, such as run the connector function or execute dozens of built-in utilities. Use the reference steps to refer to child playbooks from parent playbooks.
FortiSOAR Administrator 7.3 Study Guide
59
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
Use connectors to send and retrieve data from various third-party sources. Using connectors, you can interface to external cybersecurity tools, and perform various automated interactions using FortiSOAR playbooks. FortiSOAR has already developed a number of connectors that can be used to integrate with a number of external cyber security tools like SIEMs, such as FortiSIEM, and ticketing systems, such as Jira. You can use connectors in playbooks for various action-related tasks, such as getting an object from a firewall device, blocking an IP address on a firewall, disabling an account on Active Directory, getting data for enrichment of an indicator, and so on. FortiSOAR also enables administrators to develop custom connectors. You can create your own connector or edit an existing connector as per your requirements, using the Connector Wizard present in the FortiSOAR GUI.
FortiSOAR Administrator 7.3 Study Guide
60
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
The Help feature contains the Knowledge Center, which is the FortiSOAR product documentation, along with tutorials and examples, to help you work effectively with FortiSOAR. There are also additional modules that hold data for physical security events, compliance, fraud, and threat intelligence. You can also click on User Community to access the FortiSOAR community. From there, you can ask questions, help other FortiSOAR users, access the knowledge base, and more.
FortiSOAR Administrator 7.3 Study Guide
61
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
62
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiSOAR Administrator 7.3 Study Guide
63
Introduction to FortiSOAR
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned how to deploy FortiSOAR and configure its initial settings. You also learned about various key features of FortiSOAR, and how these features can help a SOC mature and reduce the alert fatigue of SOC analysts.
FortiSOAR Administrator 7.3 Study Guide
64
Device Management
DO NOT REPRINT © FORTINET
In this lesson, you will learn how to configure roles and teams, explain team hierarchy, and add, delete and manage users and user permissions. You will also learn how to configure and manage SLA templates, and backup and restore the FortiSOAR configuration files.
FortiSOAR Administrator 7.3 Study Guide
65
Device Management
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the topics shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
66
Device Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in configuring and managing teams and team hierarchies, you will be able to ensure administrators are operating within their assigned roles, thereby implementing the principle of least privilege, and mitigating risk to your organization.
FortiSOAR Administrator 7.3 Study Guide
67
Device Management
DO NOT REPRINT © FORTINET
In FortiSOAR, users’ levels of accessibility are derived from a combination of roles and team memberships. You can grant access to specific modules on FortiSOAR to users based on their role permissions. Users exercise their permissions in conjunction with which team or teams they belong to. Appliance users are also governed by the same authorization model. The security model within FortiSOAR achieves the following four essential security goals: • Grants users the level of access necessary based on your desired organization structure and policies • Supports sharing of data for collaboration while still respecting your team boundaries • Supports data partitioning and prevents users from accessing data that is not explicitly meant for them • Restricts external applications and scripts (appliances) from using the API beyond the requirements for accomplishing the desired RESTful actions
FortiSOAR Administrator 7.3 Study Guide
68
Device Management
DO NOT REPRINT © FORTINET
Use the Teams menu to add new teams and edit user membership, in bulk, within each team. You can also define membership within teams on an individual basis, using the individual user or appliance profile. By default, FortiSOAR has at least one team in place after installation, the SOC Team. It is recommended that you do not modify or delete it and, instead, add new teams, as per your requirements. There is no limit to how many teams you can have in the system. Teams do not necessarily have to represent a specific team within your organization, but instead, teams represent a group of users who own a set of records. In this way, you can think of teams as row ownership within a table. The records are rows, and at least one team must own that row. Note that whenever you add a new team, you must update the playbook assignment. Playbook is the default appliance in FortiSOAR that is included in a new team. Only a user with create, read, update, and delete access to the Appliances module can update the playbook assignment, to ensure that the appliance has the necessary role to perform data read or write to modules. If the playbook does not have appropriate permissions, then it fails.
FortiSOAR Administrator 7.3 Study Guide
69
Device Management
DO NOT REPRINT © FORTINET
Teams govern record ownership within the FortiSOAR security model, and team hierarchy reflects how team ownership relates between discrete teams. You can use the Team Hierarchy editor to define team relationships in accordance with each team’s relationships with other teams in the system. The table on this slide shows the possible team relationships. This model helps to support more advanced team relationship use cases, such as allowing for internal investigations among existing users without alerting the user and providing legal personas with their own permissions during incidents. Records created by nth level of team hierarchy are visible to parent teams. For example, records owned by grandchildren teams are visible to the grandparent teams. However, if two teams are children of the same parent, this does not mean that the children are siblings to each other. If you want them to be siblings, then you must explicitly define them as siblings. Similarly, if a team has a parent defined, adding a sibling to it does not create a parent-child relationship between the parent and the new team.
FortiSOAR Administrator 7.3 Study Guide
70
Device Management
DO NOT REPRINT © FORTINET
In the example shown on this slide, the US Analysts team is the team in focus. All other teams are displayed in relation to the US Analysts team. The SOC Team is the parent of US Analysts. There are two explicitly defined siblings: France Analysts and Australia Analysts. US L1, US L2, and US L3 are children of US Analysts. Note that the team in focus must always be at the sibling level in order to map relationships from its perspective. In this lesson, this same hierarchy will be used to demonstrate how records are shared across teams with relationships.
FortiSOAR Administrator 7.3 Study Guide
71
Device Management
DO NOT REPRINT © FORTINET
The Team Hierarchy editor is built to centralize around one team at a time. You can define how that team relates to all other teams in the system. The central team is referred to as the team in focus. The Team Hierarchy editor has the All Teams menu and three sections used to define the three relationship types: Parents, Siblings, and Children. To edit the relationships of any team, you must first bring that team into focus. To bring a team into focus, you can drag and drop that team to the Drag team here to edit area or double-click that team’s title in the All Teams menu. To reset the team in focus, click on Revert. Note that changes are in staging until the settings are saved, so they will be lost if you click on Revert and if you do not click on Save first.
FortiSOAR Administrator 7.3 Study Guide
72
Device Management
DO NOT REPRINT © FORTINET
In the example shown on this slide, the US Analysts team is the parent of US L1, L2, and L3. The SOC Team is the parent of the US Analysts team. Australia Analysts and France Analysts are its siblings. To summarize the relationships and ownership: • Members of the US Analysts team and the SOC Team can act on records of the US L1, L2, and L3 teams as if they are a member of those teams. • Members of the SOC Team cannot act on records of Australia Analysts team and France Analysts team unless there are explicit parent-child relationships. Merely being a sibling of US Analysts does not build that relationship for them. • Members of the Australia Analysts team and France Analysts team can act on US Analysts records due to their sibling relationship. • Members of the Australia Analysts team and France Analysts team cannot act on records owned by SOC Team or US L1, L2, and L3. • Members of the US L1, L2, and L3 teams cannot act on records of any other teams except their own. Note that they are also not siblings by default even though they share the same parent in US Analysts. The sibling relationship requires changing the team in focus to one of them and explicitly defining the siblings. On the left panel are teams unassociated with the US Analysts Team, which means that the SOC Team is isolated from all the Fraud team’s records and vice versa. If the Fraud team were related to the SOC Team, you would have seen the relationship in one of the sections on the right. The exception to this is if the Fraud team is a child of US L1, L2, or L3. In that case, the SOC Team would also be able to access Fraud team’s records because it would be the great grandparent of the Fraud team through its parent-child relationship with US Analysts.
FortiSOAR Administrator 7.3 Study Guide
73
Device Management
DO NOT REPRINT © FORTINET
This slide shows a different team in focus, the US L1 team. It only has one defined relationship. The US Analysts team is its parent team, a relationship shown on the previous slide. However, beyond that parentchild relationship, no other relationships are seen, including to US L2 and L3. To summarize the relationships in this view, the US L1 team: • Can only act on its own records • Has a parent in US Analysts • No default siblings • No default children
FortiSOAR Administrator 7.3 Study Guide
74
Device Management
DO NOT REPRINT © FORTINET
This slide shows a third team in focus, the US L2 team. There are two relationships – US Analysts as a parent, and US L3 as a sibling. Note that US L2 and US L3 are explicitly configured as siblings, but US L1 is not configured as a sibling. To summarize the relationships in this view, the US L2 team: • Can act on its own records and US L3’s records • Has a parent in US Analysts • Has no children
FortiSOAR Administrator 7.3 Study Guide
75
Device Management
DO NOT REPRINT © FORTINET
This slide shows a fourth team, the Australia Analysts team. There are two relationships: US Analysts as a sibling, and New SOC as a parent. The US Analysts team is an explicit sibling, as shown on the slide when the US Analysts team was the team in focus. However, you can see that France Analysts is not a sibling in relation to Australia Analysts, even though both teams are siblings of US Analysts. You can also see that Australian Analysts has a different parent from US Analysts. To summarize the relationships in this view, the Australian Analysts team: • Can act on its own records and on US Analysts’ records • Has a parent in New SOC, which can act on its records • Has no children
FortiSOAR Administrator 7.3 Study Guide
76
Device Management
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
77
Device Management
DO NOT REPRINT © FORTINET
Good job! You now understand security management. Now, you will learn about user and role configuration.
FortiSOAR Administrator 7.3 Study Guide
78
Device Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in configuring and managing roles and users, you will be able to ensure administrators are operating within their assigned roles.
FortiSOAR Administrator 7.3 Study Guide
79
Device Management
DO NOT REPRINT © FORTINET
Roles define users’ ability to act upon data within a CRUD permission set on any module in the system. Note that you must be assigned a role that has CRUD permissions on the Security module to be able to add, edit and delete teams and roles. Use the Roles menu to create and define roles within the system. You assign roles based on CRUD permissions defined across all modules. You can assign roles in the User or Appliance profiles only. You cannot bulk assign roles. FortiSOAR implements RBAC also for playbooks. For example, for users to run playbooks, administrators must assign roles that have execute permission on the Playbooks module to such users. Note that users who do not have execute permission will not be shown the execute action for the module records. Execute actions include actions, such as Escalate, Resolve, or any actions that appear in the Execute drop-down list.
FortiSOAR Administrator 7.3 Study Guide
80
Device Management
DO NOT REPRINT © FORTINET
The Roles menu allows you to define and modify all the roles within the environment. Roles are not hardcoded in the system; therefore, role editing is a sensitive permission and must be carefully governed by administrators. It is important to note that any user that needs to work with FortiSOAR and records within FortiSOAR must be assigned a role with a minimum of read permission on the Application, Audit Log Activities, and Security modules. Use the Role Editor to add and edit RBAC permissions. Role permissions are based on the CRUD model. Each module has explicit CRUD permissions that you can modify and save within a single role. You can also explicitly assign permissions for each field within a module by clicking the Set Field Permissions link for that module. A user can have more than one role applied. Each role you grant to a user is added to the user’s overall RBAC permission set. Therefore, a user’s RBAC permissions is an aggregation of all the CRUD permissions granted to them by each role you assign to them.
FortiSOAR Administrator 7.3 Study Guide
81
Device Management
DO NOT REPRINT © FORTINET
By default, FortiSOAR has at least one role in place after installation: the Security Administrator. If the SOAR Framework Solution Pack is installed, there are additional roles defined. The Security Administrator role starts by having full CRUD permissions across the Security module, which allows the administrator to add and manage roles and teams within the application. The Security Administrator role also has CRUD permissions on the Secure Message Exchange and Tenants modules, so that this role can configure multi-tenant systems. It should only be assigned to someone who has been tasked with the responsibility for building and maintaining the role and team structure for your organization. It is recommended that you do not remove this role. If you do plan to remove it, you must ensure that at least one other role with an assigned user has the Security module enabled if you always want to maintain access to edit teams and roles within the application. The Application Administrator role grants access to configure application settings, found in the Application Editor section on the Settings page. All users must have read privileges to the Application module to be able to use the application interface. You can restrict non-human users, API users, from entering into the application GUI by not giving them any access to the Application module. The Full App Permission user is a root user, who has full permissions across FortiSOAR. However, data partitioning is still in effect depending on the team to which the Full App user belongs to, and what records are owned by the team.
FortiSOAR Administrator 7.3 Study Guide
82
Device Management
DO NOT REPRINT © FORTINET
The Playbook Administrator role has access to the Orchestration and Playbooks component. Only users who have explicitly been given a minimum of read access to playbooks can see this component on the left navigation bar. For users to have full privileges to manage playbooks, you must be given CRUD permissions. The SOC Analyst role is given access to the Alerts module and modules associated with alerts—such as Comments, Attachments, and so on—and also schedules and reporting. It can also access the Incidents module. The role is designed to investigate alerts, triage, and escalate alerts to incidents when necessary. Analysts are also responsible for remediation and containment tasks. The SOC Manager role has complete access to modules associated with the investigation of Incidents— such as Alerts, Incidents, Communications, Indicators, Tasks, War Rooms, and more. The role is designed to manage investigation of incidents, and performing remediation and containment activities. These default roles can be modified to your organization’s requirements, or new roles can be created for even more granular control.
FortiSOAR Administrator 7.3 Study Guide
83
Device Management
DO NOT REPRINT © FORTINET
This slide shows an example of a new user configuration. You need to enter the user details on the New User page. Note that the Username field is mandatory and case sensitive and it cannot be changed after it is set. All new users, including the csadmin user, must change their password when they first log in to FortiSOAR, regardless of the complexity of the password assigned to the users. After you configure a valid email ID in the user profile, you can reset your password, whenever required, by clicking the Forgot Password link on the login page. Use the SMTP connector to configure a connection to an email server, which is required to complete the process of adding new users. You can use the SMTP connector to send email notifications. If you have not configured the SMTP connector, the user is still created. However, the system cannot send the password reset notification link to the users, and therefore the process remains incomplete. Locked users are those who have exceeded the number of authentications tries allowed within a one-hour period. You can define the maximum number of attempts allowed before the user is locked. Only an administrator who has CRUD permissions on the People module and read and update permissions on the Security module can unlock the user. By default, users can enter an incorrect password five times before their account gets locked for 30 minutes. A security administrator can change these default values. From version 7.0.0 onwards, administrators cannot lock a user using the FortiSOAR GUI; however, administrators can unlock a user from the GUI by selecting the Unlock checkbox on that user's profile page and then clicking Save, or locked users can wait for the configured timeout duration before their account gets unlocked.
FortiSOAR Administrator 7.3 Study Guide
84
Device Management
DO NOT REPRINT © FORTINET
There are two user access types in FortiSOAR: First is the Named type. This access type has a permanent seat reserved, so a license is taken whether or not the user is logged in. The second is the Concurrent type, which only takes a concurrent spot when a user logs in. However, if there are no available spots, an error is seen as shown on this slide. Select the user access type in the Authentication section under the Users profile for either a new or current user. The License Manager shows the user seats allocation between named and concurrent users. In the example shown on this slide, there are two allowed user seats, and one named user already exists. There are three configured concurrent users. This means that only one user seat is available for the three concurrent users to share between them. A reasonable use case for concurrent users is for an organization with employees on different shifts or time zones. Instead of configuring named users and taking up permanent spots for each user, concurrent users will allow for more flexibility with allocating user seats.
FortiSOAR Administrator 7.3 Study Guide
85
Device Management
DO NOT REPRINT © FORTINET
You can view the login status of a user through the GUI or the CLI. In the GUI, view the status under the Login Status column. To view the login status through the CLI, use the show-logged-in-users command on this slide. To force a concurrent user to log out and free up a seat, either use the log out button under the user’s profile, or run the logout-user command on this slide.
FortiSOAR Administrator 7.3 Study Guide
86
Device Management
DO NOT REPRINT © FORTINET
All users within the system have a profile. Each user has access to their own profile so that they can update specific information about themselves by clicking the User Profile icon. To edit user profiles, you must be assigned a role that has a minimum of create, read, and update permissions on the People module. Otherwise, you will only be able to view your own profile. The user profile includes the user’s name, email, user name, password, and phone numbers. A user can also view the team and roles they belong to, as well as update their theme. A users can view their own audit logs, which display a chronological list of all actions performed across all the modules of FortiSOAR. The audit log also displays a user’s login successes or failures, and logout events. Login event includes all four supported login types: Database login, LDAP login, RADIUS login, and SSO login. Audit logs also contain user-specific terminate and resume playbook events.
FortiSOAR Administrator 7.3 Study Guide
87
Device Management
DO NOT REPRINT © FORTINET
The options for two-factor authentications are no two-factor authentication configured, send a voice message, or send an SMS. FortiSOAR currently supports only TeleSign to deliver the one-time password required for authentication. You will need a TeleSign account to complete the configuration in the Authentication section of a user’s profile. The Work Phone field is mandatory if a security administrator has enforced two-factor authentication across all FortiSOAR users. You will learn more about this global setting in this lesson.
FortiSOAR Administrator 7.3 Study Guide
88
Device Management
DO NOT REPRINT © FORTINET
An administrator can change a user’s team membership and assigned roles directly from their profile without having to navigate to the Teams and Roles interfaces. You can select multiple checkboxes to grant a user more than one team or role. This slide shows the selected teams and roles of this particular user.
FortiSOAR Administrator 7.3 Study Guide
89
Device Management
DO NOT REPRINT © FORTINET
Administrators with a minimum of read permissions on the Security module will be able to view a consolidated list of effective permissions based on a user’s assigned roles. This is useful in the event that the user is assigned multiple roles, and unintended access is given. The opposite is also true: if a user is unable to access parts of the system, you can confirm if they are missing permissions. The Effective Role Permissions interface allows the administrator to check all permissions assigned to a user instead of having to audit each role individually.
FortiSOAR Administrator 7.3 Study Guide
90
Device Management
DO NOT REPRINT © FORTINET
Administrators can delete users by running a script on the FortiSOAR CLI. You cannot delete user accounts on the GUI regardless if you're a user or an administrator. The slide shows the steps to delete a user on the FortiSOAR CLI. First, enter the username of the user that you want to delete in the usersToDelete.txt file. The file path is shown on the slide. This file is an empty text file in which you can enter the ID of users who you want to delete. Second, connect over SSH to your FortiSOAR VM and log in as a root user. Finally, enter the command shown on this slide to execute the deletion script. The userDelete script only deletes users in the local database and does not work for externalized databases. It is highly recommended that you use this script to delete or clean up users during the initial stages of configuring FortiSOAR. If you delete users who have been using FortiSOAR for a while, then the records for which the deleted user was the only owner, are also lost forever.
FortiSOAR Administrator 7.3 Study Guide
91
Device Management
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
92
Device Management
DO NOT REPRINT © FORTINET
Good job! You now understand role and user configuration. Now, you will learn about authentication.
FortiSOAR Administrator 7.3 Study Guide
93
Device Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in configuring user accounts and LDAP integration, you will be able to set up FortiSOAR to import and authenticate LDAP users.
FortiSOAR Administrator 7.3 Study Guide
94
Device Management
DO NOT REPRINT © FORTINET
The FortiSOAR security model treats authentication and authorization separately: • Authentication defines your ability to log in and access FortiSOAR. FortiSOAR enforces authentication based on a set of credentials. • Authorization governs the users’ ability to work with data within FortiSOAR after authentication is complete. You control authorization by assigning teams and roles to users. This is an important distinction because when you configure user accounts, you must always define both the authentication and desired authorization for a user. Otherwise, after a user logs in to FortiSOAR, the user might be presented with a blank screen due to lack of authorization. Conversely, a user may have excessive permissions for their role within the organization. This section will focus on various authentication options for users to log into the system.
FortiSOAR Administrator 7.3 Study Guide
95
Device Management
DO NOT REPRINT © FORTINET
FortiSOAR supports the following four types of authentication: • Native (local database): Users are created on FortiSOAR itself. • LDAP: Remote LDAP server, such as an Active Directory environment. • SAML: Open standard for exchanging information between an identity provider and FortiSOAR. Examples of identity providers would be FortiAuthenticator, Okta, Google and many others. • RADIUS: Support for RADIUS was added from FortiSOAR 7.2.0 onwards. Microsoft NPS is a commonly seen RADIUS server. To configure authentication settings, an administrator requires a minimum of read and update permissions on the Security module.
FortiSOAR Administrator 7.3 Study Guide
96
Device Management
DO NOT REPRINT © FORTINET
On the Account Configuration page, in the Session & Idle Timeout section, you can configure various settings. The Idle Timeout value determines the number of minutes a user can be idle on FortiSOAR, after which an idle warning dialog is displayed. The default value is 30 minutes. The Idle Timeout Grace Period value is the number of seconds a user is given to view the idle warning dialog after which FortiSOAR logs the user out. The default value is 60 seconds. The Token Refresh value is the number of minutes before the session token is refreshed. User interaction is not required. The default value is 60 minutes. The Reauthenticate Dashboard User value determines the number of hours after which a dashboard user is forced to re-authenticate. The default value is 24 hours. The Reauthenticate Application User is the number of hours after which an application user is forced to reauthenticate. The default value is 24 hours.
FortiSOAR Administrator 7.3 Study Guide
97
Device Management
DO NOT REPRINT © FORTINET
On the Account Configuration page, you can configure various options for user accounts. You can select Enforce 2FA to globally enforce two-factor authentication on all FortiSOAR users. Before you enforce two-factor authentication, all users’ profiles must have it configured to prevent users from getting locked out. Currently, FortiSOAR supports only TeleSign for two-factor authentication using SMS. You need to have a TeleSign account to send one-time password codes to the users’ mobile devices. Type information provided by TeleSign into the Customer ID and API Key fields.
FortiSOAR Administrator 7.3 Study Guide
98
Device Management
DO NOT REPRINT © FORTINET
Use the Authentication menu to set up, modify, and turn on or off your LDAP authentication provider. To configure LDAP authentication, first ensure LDAP Enabled is selected. Enter the IP/hostname and port of your LDAP authentication server. Optionally, you can enable Use TLS/SSL and then provide user account credentials to search the directory and import users. You can add users either by mapping users using the User Attribute Map section, or search for users in the directory and then import users. To map users, configure the User Attribute Map. FortiSOAR provides a default user attribute map array that contains the most common combination of field mappings. You can modify the mappings based on your own LDAP container fields by editing the map. In the User Attribute Map section, under Fields, click the editable field name (right-side field name), to map it to your LDAP fields. The non-editable field name (left-side field name) is the FortiSOAR attribute.
FortiSOAR Administrator 7.3 Study Guide
99
Device Management
DO NOT REPRINT © FORTINET
You must have a valid administrative user name and password to search the LDAP resource for user information. You do not have to use admin credentials, but at a minimum, you must have user credentials to access the LDAP tree and import all desired user containers. After you add the credentials in the User Search section, click Allow User Import to configure your environment to look in the LDAP resource for all new users. If you want to add local users, you must clear the Allow User Import checkbox to revert your system to the local user import in the Users administration menu. To narrow down your search, you can enter a path inside the Base DN field to specify the starting point of the query. The Recursive option allows for searching of users inside nested groups under the base DN. The Search Attribute field can be used to define which LDAP attribute to specifically search for, such as sAMAccountName, UPN, and more. The Search Criteria field can be used to find specific results based on the search attributes defined. For example, if the attribute defined is sAMAccountName, you can search for a match in the criteria search bar.
FortiSOAR Administrator 7.3 Study Guide
100
Device Management
DO NOT REPRINT © FORTINET
Security Assertion Markup Language (SAML) is an XML-based, open standard data format for exchanging authentication and authorization data between parties. When SAML is enabled, there is a new option to log into FortiSOAR by clicking on the Use Single Sign on (SSO) button. SAML defines three roles: the principal, the identity provider (IdP), and the service provider (SP). The principal is generally a user that has an authentic security context with an IdP, and requires a service from the SP. The IdP provides user details in the form of assertions. Before delivering the identity assertion to the SP, the IdP might request some information from the principal, such as a username and password. SAML specifies the assertions between the three parties: the messages that assert identity passed from the IdP to the SP. The SP maintains a security wrapper over the services. When a user requests for a service, the request first goes to the SP, who then identifies whether a security context for the given user exists. If not, the SP requests and obtains an identity assertion from the IdP. Based on this assertion, the SP makes the access control decision for the principal. Each IdP has its own way of naming attributes for a user profile. Therefore, to fetch the attribute details for a user from an IdP into the SP, the attributes from the IdP must be mapped to attributes at the SP. This mapping is configured on the SP itself. If the attribute mapping is incorrect, the SP sets default values for mandatory attributes like first name, last name, and email. When a user needs to log into FortiSOAR using SAML authentication, the principal is the user, the IdP would be a provider such as FortiAuthenticator, and the SP is the FortiSOAR node itself.
FortiSOAR Administrator 7.3 Study Guide
101
Device Management
DO NOT REPRINT © FORTINET
Configuring SAML is a two-way process. The SP configuration that is on the FortiSOAR GUI must be made at the IdP. Similarly, the IdP configuration must be added to the FortiSOAR GUI. This slide outlines the steps to configure SAML. FortiSOAR has been tested with six IdPs—FortiAuthenticator, OneLogin, Auth0, Okta, Google, and Active Directory Federation Services (ADFS). You can use a similar process to configure any other IdP that you use. FortiSOAR requires the first name, last name, and email attributes to be mapped. In the User Attribute Map, under Fields, in the Tree view, click the editable field name (right side field name), to map it to the attribute that is received from the IdP. The non-editable field name (left-side field name) is the FortiSOAR attribute. For example, in the image shown on this slide, you map the FortiSOAR attribute firstName to the IdP attribute First Name.
FortiSOAR Administrator 7.3 Study Guide
102
Device Management
DO NOT REPRINT © FORTINET
This slide shows the steps you must take to map roles in the IdP to teams and roles on FortiSOAR. If you want to ensure that roles defined as part of SAML role mapping will be applied to SSO users in FortiSOAR, then select the Enforce SAML Role Mappings. To map a role in the IdP to a FortiSOAR role and, optionally, a team in FortiSOAR, you can add role mappings in the Team and Role Mapping section. To add new role mappings, do the following: • In the SAML Role field, add the name of the roles that you have defined in your IdP. Note that the name that you have specified in your IdP, and the name that you enter in this field must match exactly, including matching the case of the name specified. • In the Roles column, select the FortiSOAR role(s) that you want to assign to the role that you have specified in the SAML Role field • In the Teams column, select the FortiSOAR teams(s) that you want to assign to the role that you have specified in the SAML Role field. This is optional. • Define a default role (and optionally teams) that is assigned to the SSO user if you have not set up mapped roles of SSO users in FortiSOAR.
FortiSOAR Administrator 7.3 Study Guide
103
Device Management
DO NOT REPRINT © FORTINET
Add the information provided in the Service Provider section in FortiSOAR to the configuration section of your IdP. This information is preconfigured. However, you can edit the fields, such as Entity ID (hostname), within this section. This is especially useful if you are using an alias to access FortiSOAR. You can also edit the certificate information and the private and public keys of your service provider, which is useful in cases where you want to use your own certificates.
FortiSOAR Administrator 7.3 Study Guide
104
Device Management
DO NOT REPRINT © FORTINET
To configure RADIUS authentication, navigate to the Authentication menu, click the RADIUS Configuration tab, and select RADIUS Enabled. Type in the IP or hostname of the RADIUS server, the listening port, and the shared secret. Optionally, you can define two RADIUS servers to provide redundancy. User credentials are always authenticated against the primary RADIUS server first. If the primary server fails to respond, then the credentials are authenticated against the secondary server. Click the Test Connectivity button to test the FortiSOAR connection to either RADIUS server.
FortiSOAR Administrator 7.3 Study Guide
105
Device Management
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
106
Device Management
DO NOT REPRINT © FORTINET
Good job! You now understand authentication on FortiSOAR. Now, you will learn about appliance configuration.
FortiSOAR Administrator 7.3 Study Guide
107
Device Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding and configuring appliance users, you will be able to automate many tasks (and playbooks) on FortiSOAR that must talk to appliances outside the network.
FortiSOAR Administrator 7.3 Study Guide
108
Device Management
DO NOT REPRINT © FORTINET
Appliance users are usually used for authenticating on FortiSOAR while calling custom API endpoint triggers. For example, you can use an appliance user to configure auto-forwarding of events and alerts from a SIEM to FortiSOAR. Otherwise, you may need to add a user password, in plain text, in the configuration files. Like regular users, you must assign appropriate roles to appliances and also add appliances as members of appropriate teams which will run the playbooks. This allows appliances to access or modify any data within the system. Team hierarchy restrictions that apply to users also apply to appliance users. As a good security practice, it is recommended that you scope the role and team of an appliance and give it the least privilege it needs to do its job.
FortiSOAR Administrator 7.3 Study Guide
109
Device Management
DO NOT REPRINT © FORTINET
Users represent a discrete individual who is accessing the system. They are differentiated from appliances in that they receive a time-expiring token upon login that determines their ability to authenticate in the system. The authentication engine issues the token after users have successfully entered their credentials and potentially completed the two-factor authentication. By default, tokens are set to have a lifespan of 30 minutes before being regenerated. Appliance users represent non-human users. Appliances use Hash Message Authentication Code (HMAC) to authenticate messages sent to the API. HMAC construction information is based on a public-private key pair instead of a user ID and password combination. Appliance users do not have a login ID and do not add to your license count.
FortiSOAR Administrator 7.3 Study Guide
110
Device Management
DO NOT REPRINT © FORTINET
On the New Appliance page, enter a name to identify the appliance and select the team(s) and role(s) that apply to that appliance. Once you save the new Appliance record, FortiSOAR displays a pair of public-private cryptographic keys in a new window. It is important to note that when the public-private key pair are generated, the private key is shown only once. You must copy this key and keep it somewhere safe for future reference. If you lose this key, you cannot be retrieve it again. You can always regenerate these keys when required, and a new private key is displayed. However, you must then update the keys because the old keys are invalidated.
FortiSOAR Administrator 7.3 Study Guide
111
Device Management
DO NOT REPRINT © FORTINET
By default, there is a Playbook appliance, which belongs to the SOC Team. This appliance is used by the FortiSOAR workflow service to authenticate to the API service when a workflow step is run that reads, creates, updates, or deletes records. As a result, this appliance should have permissions on modules which it will access. When a record is inserted by a workflow such as a playbook or a rule that uses the appliance, then the inserted record is owned by the teams of the appliance user. For example, if a playbook or workflow inserts a new incident record, then the Created By field of this newly inserted record displays the name of the appliance user who has executed the playbook, and the owner of this newly inserted record will be the team or teams assigned to the appliance. If multiple teams are assigned to the appliance, then this newly inserted record would have all those teams as owners. For example, if you create a different appliance named QA, and assign it to the SOC Team and Team A, then the Created By field of a newly inserted alert record displays QA and its owners are the SOC Team and Team A.
FortiSOAR Administrator 7.3 Study Guide
112
Device Management
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
113
Device Management
DO NOT REPRINT © FORTINET
Good job! You now understand appliance configuration. Now, you will learn about SLA template management.
FortiSOAR Administrator 7.3 Study Guide
114
Device Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding and creating SLA templates, you will be able to set up SLA management services for incidents and alerts.
FortiSOAR Administrator 7.3 Study Guide
115
Device Management
DO NOT REPRINT © FORTINET
A service-level agreement defines the level of service you expect from a vendor, laying out the metrics by which service is measured, as well as remedies or penalties should agreed-on service levels not be achieved. FortiSOAR provides you with an SLA Templates module you can use to create built-in SLA management for incidents and alerts. You can define SLAs for incidents and alerts of varying degrees of severity, and track whether those SLAs are met or missed. The SLA feature requires the SOAR Framework Solution Pack. From release 7.2.0 onwards, the SOAR Framework Solution Pack is installed, by default, with new installations of FortiSOAR. You must be assigned a role with a minimum of create, read, and update permissions on the SLA Templates module and Playbooks modules, along with the default read permission on the Application module to create and manage SLAs.
FortiSOAR Administrator 7.3 Study Guide
116
Device Management
DO NOT REPRINT © FORTINET
You can create SLA templates for each level of severity of incidents or alerts. You can set SLAs for both alerts and incidents using the same SLA Template interface. For example, you can create five SLAs for incidents and alerts for these five severity levels: Critical, High, Medium, Low, and Minimal. When creating an SLA template, select the severity level of the incident for which you are defining the SLAs. For example, if you select the severity as Critical, and you specify the acknowledgement time as 10 minutes and response time as 15 minutes, this means that to meet the SLA, users must acknowledge incidents within 10 minutes and respond to the incident within 15 minutes of incident generation. FortiSOAR allows you to set which status will mark an incident or alert as acknowledged, and also which status will mark an incident or alert as responded to. The dropdown lists for Incident SLA and Alert SLA sections allow you to configure the acknowledgement and response SLA status, along with the associated timers.
FortiSOAR Administrator 7.3 Study Guide
117
Device Management
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
118
Device Management
DO NOT REPRINT © FORTINET
Good job! You now understand SLA template management. Now, you will learn about backup and restore processes.
FortiSOAR Administrator 7.3 Study Guide
119
Device Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding backup and restore processes, you will be able to back up and restore the FortiSOAR configuration files on different FortiSOAR instances.
FortiSOAR Administrator 7.3 Study Guide
120
Device Management
DO NOT REPRINT © FORTINET
You must have root or sudo permissions to perform a backup. Ensure that you have enough disk space available to perform backup and restore tasks. It is recommended that you have available disk space of around three times of the data size. To perform a backup, connect over SSH to the FortiSOAR VM with elevated privileges. This slide shows the CLI commands you need to use to perform the backup type of your choice. In the commands, replace the with your desired location. If you do not specify the path of the backup file, then the CLI interactively asks you to provide it. If you still do not specify any path from the interactive prompt, then by default, FortiSOAR stores the backup in the current working directory. Optionally, from version 6.4.3 onwards, you can exclude all the executed playbook logs from the backup using the commands shown on this slide. Executed playbook logs are primarily meant for debugging so they are not a very critical component to be backed up. However, they constitute a major part of the database size, so excluding them from the backup reduces time and space needed for the backup. FortiSOAR backs up the latest three backups every time it creates a new backup. Any backups older than the last three backups are deleted. Finally, you can also back up only your configuration files. The command for this operation is also shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
121
Device Management
DO NOT REPRINT © FORTINET
The FortiSOAR admin CLI always performs a full database backup of your FortiSOAR server. There are no incremental backups. Backups are performed for a particular version of FortiSOAR, and backups should be restored on the same version. If a newer version of FortiSOAR is available and you want to move to that newer version of FortiSOAR, you must restore the backed-up version only and then upgrade to the latest FortiSOAR version. The slide lists some of the files, configurations, and data that are backed up during the backup process.
FortiSOAR Administrator 7.3 Study Guide
122
Device Management
DO NOT REPRINT © FORTINET
You must have root or sudo permissions to perform backup and restore operations. To perform a restore, move the backup file to the new FortiSOAR server. Use the CLI command shown on this slide to restore the data. After you press enter, you must provide the path of the database backup file. Note that the backup process stores the backup in a locally saved file. After you restore FortiSOAR, you must get and deploy a new license for this FortiSOAR instance. Your existing license will not work on the restored instance. If you back up a FortiSOAR instance which has Secure Message Exchange enabled and is using a signed certificate, then you must reapply the signed certificate on the new instance.
FortiSOAR Administrator 7.3 Study Guide
123
Device Management
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
124
Device Management
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiSOAR Administrator 7.3 Study Guide
125
Device Management
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned how to configure roles and teams, establish a team hierarchy, manage users and user permissions, and configure authentication. You also learned how to configure and manage SLA templates, and back up and restore FortiSOAR configuration files.
FortiSOAR Administrator 7.3 Study Guide
126
System Configuration
DO NOT REPRINT © FORTINET
In this lesson, you will learn how to configure the FortiSOAR system, set up proxies, monitor and maintain audit logs, and import and export partial and full FortiSOAR configurations.
FortiSOAR Administrator 7.3 Study Guide
127
System Configuration
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the topics shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
128
System Configuration
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in system configuration, you will understand how to configure applications, syslog forwarding, environmental variables, branding, and system fixtures on FortiSOAR.
FortiSOAR Administrator 7.3 Study Guide
129
System Configuration
DO NOT REPRINT © FORTINET
On the System Configuration bar shown on this slide, you can see various tabs used to configure FortiSOAR system settings. Application Configuration contains various system settings related to how FortiSOAR interacts with users. Log Forwarding contains the settings for forwarding syslog to a destination server. Environment Variables contains the proxy configurations for HTTP/HTTPS, and other specific protocols you can define. Branding contains customization option for logos, banners, product name, company name, and login taglines. System Fixtures contains links to default playbook collections and templates installed with your FortiSOAR instance. These fixtures can be changed to fit your needs.
FortiSOAR Administrator 7.3 Study Guide
130
System Configuration
DO NOT REPRINT © FORTINET
On the Application Configuration page, you can configure settings that apply across FortiSOAR, including notifications, comment management, audit logs purging, playbook options, recycle bin, themes, and more. Notifications allow you to configure email notifications for system issues. Comment Management allow you to enable users to modify comments and perform soft deletion of comments for recordkeeping purposes. Enabling Log purging for audit and playbook execution logs helps free up system resources. You can also set the global logging level for playbook execution, and enable playbook recovery for work in progress. Along with purging logs, you can also purge records sent to the recycle bin. You must have CRUD permissions to the Application module to make changes to Application Configuration. By default, the Application Administrator role has CRUD permissions for the module.
FortiSOAR Administrator 7.3 Study Guide
131
System Configuration
DO NOT REPRINT © FORTINET
Enable Allow Comment Modification to allow users to edit and delete their own comments. Users can edit and delete their own comments in the Collaboration window or in the Comments widget. You can specify the window when the user can no longer modify or delete their posted comments. For example, if you select 1 minute, then users can edit and delete their comments until one minute after they have added the comment. By default, the Allow users to modify/delete their comments for a duration of field is set to 5 minutes. You can also specify the behavior of the comment delete action. When a user deletes a comment, you can choose to permanently delete the comment or flag the comment for deletion (Soft Delete). If you choose to keep the Soft Delete checkbox selected, you will see --Comment Deleted-- in the GUI for deleted comments. If you disable soft deletion, comments are permanently deleted.
FortiSOAR Administrator 7.3 Study Guide
132
System Configuration
DO NOT REPRINT © FORTINET
You can schedule purging globally for both audit logs and executed playbook logs. By default, the system purges executed playbook logs but does not purge audit logs. Note that the scheduled purging activity deletes logs permanently, and you cannot revert this operation. A system schedule, named Purge Executed Playbook Logs is also already created and active on the Schedules page. This schedule runs every day at midnight (UTC time) and clears all logs that have exceeded the time duration that is specified. If you want to run the purging activity at a different time of the day or for a different duration, you can edit this schedule. In the Schedules screenshot on this slide, you can see both log types scheduled for purging to run daily at midnight. Note that playbooks will run slower during any database cleanup job, so plan your purging schedules for an appropriate window.
FortiSOAR Administrator 7.3 Study Guide
133
System Configuration
DO NOT REPRINT © FORTINET
FortiSOAR autosaves playbooks so that you can recover playbook drafts in case you accidentally close your browser or face any issues while working on a playbook. These autosaved drafts do not replace the current saved version of the playbook. They simply ensure that you do not lose any of your work done in the playbook by enabling you to recover the drafts. Playbook recovery in FortiSOAR is user-based, which ensures that users see their own unsaved drafts of the playbook. Since it is also browser-based, it comes into effect as long as you are using the same browser instance. However, playbook drafts might not be saved if you are working in incognito mode. By default, FortiSOAR saves playbook drafts 15 seconds after the last change. However, you can change this time across all playbooks by modifying the timer. The minimum time that you can configure for saving playbook drafts is 5 seconds after the last change. You can also choose to disable playbooks recovery for all playbooks. You can define a time zone that FortiSOAR uses by default for exporting reports. FortiSOAR applies this time zone to all reports that you export from the Reports page.
FortiSOAR Administrator 7.3 Study Guide
134
System Configuration
DO NOT REPRINT © FORTINET
The Recycle Bin allows for soft deletion of workflows and records. It is useful if you accidentally delete records and need to recover them. In the case of Playbook Collections and Playbooks modules, the bin is enabled by default. For other modules, to enable soft deletion, you must go into the specific module under Application Editor and enable the recycle bin, as shown on this slide. To view recycled records, the following permissions are required: • Read on the Application and Playbooks modules • Read on the specific modules whose recycle bin records you wish to view To delete recycled records, the following permissions are required: • Read on the Application module • Delete on the Playbook module • Delete on the specific module whose record you wish to delete To restore recycled records, the following permissions are required: • Read on the Application module • Update and Read on the Playbooks module • Update on the specific module whose record you wish to restore
FortiSOAR Administrator 7.3 Study Guide
135
System Configuration
DO NOT REPRINT © FORTINET
To enable automatic purging of the recycle bin, go to Application Configuration under Settings. Note that you will get a warning indicating the schedule status is Inactive until the settings have been saved. The retention period options available are: Last month, Last 3 months, Last 6 months, Last year, or Custom. Under Automation > Schedules, a system schedule is automatically created and active after you enable recycle bin purging. You can change this schedule to run at a different time.
FortiSOAR Administrator 7.3 Study Guide
136
System Configuration
DO NOT REPRINT © FORTINET
You can configure the FortiSOAR theme that applies to all the users in the system. Non-administrator users can change the theme by editing their user profile. There are currently three theme options, Dark, Light, and Space, with Space being the default. You can configure the country code format for contact numbers that applies to all users in the system. In the Navigation Preferences section, check Collapse Navigation to show the navigation bar as collapsed when a user first logs in.
FortiSOAR Administrator 7.3 Study Guide
137
System Configuration
DO NOT REPRINT © FORTINET
You can forward FortiSOAR application logs and audit logs to a central log management server that supports an Rsyslog client, using both the FortiSOAR GUI and CLI. A central log repository can help ease troubleshooting in a multi-node environment by aggregating all system logs in one place. Under the Log Forwarding tab, select the Enable Log Forwarding to see a list of configuration items, which includes the configuration name, destination server details, protocol, and an option to enable audit and application logs, log detail level, and audit forwarding rules. If no forwarding rules are defined, then all audit logs will be forwarded. To reduce the amount of traffic, the recommended log detail level is Basic. Note that in a FortiSOAR HA setup, FortiSOAR does not replicate Syslog settings to the passive node. If you want to forward logs from the passive node, you must enable this manually using the csadm log forward command.
FortiSOAR Administrator 7.3 Study Guide
138
System Configuration
DO NOT REPRINT © FORTINET
In the event your external log management server is unreachable, then the logs generated during that time period are not sent by FortiSOAR to the external server. You can enable log buffering so that FortiSOAR buffers the logs up to a maximum file size value, and then sends them when the log server comes back online. To enable log buffering, edit the rsyslog config file as shown on this slide. The ActionQueueMaxDiskSpace variable configures the maximum disk space in gigabytes FortiSOAR will use for log buffering. Adjust this value to suit your own environment.
FortiSOAR Administrator 7.3 Study Guide
139
System Configuration
DO NOT REPRINT © FORTINET
You can customize the branding of FortiSOAR as per your organization's requirements. To customize your branding in FortiSOAR, you must have a role that has a minimum of Application update permissions. You can update the FortiSOAR logo to reflect your logo on the FortiSOAR GUI. However, note that the maximum size for a logo is 1 MB. You can also change the favicon that FortiSOAR displays. You can also update the product name, company name, and the login page taglines.
FortiSOAR Administrator 7.3 Study Guide
140
System Configuration
DO NOT REPRINT © FORTINET
The System Fixtures page contains links to various system playbook collections. Playbook collections are similar to a folder structure where you can create and store playbooks. Administrators can click these links to easily access all the system fixtures to understand their workings and make changes in them if required. Note that the fixtures seen from the screenshot may differ from your environment depending on which solution packs are installed. Some example playbooks include: • System Notification and Escalation Playbooks collection includes playbooks that FortiSOAR uses to automate tasks, such as the escalate playbook. FortiSOAR uses the escalate playbook to escalate an alert to an incident based on specific inputs from the user and linking the alert(s) to the newly created incident. • Approval/Manual Task Playbooks collection includes playbooks that FortiSOAR uses to automate approvals and manual tasks, such as the playbook that is triggered when an approval action is requested from a playbook. • SLA Management Playbooks collection includes playbooks that FortiSOAR uses to auto-populate date fields in the following cases: when the status of incident or alert records change to Resolved or Closed or when incident or alert records are assigned to a user. • Schedule Management Playbooks collection includes playbooks that FortiSOAR uses for the scheduler module and various scheduler actions, such as scheduling playbook execution history cleanup, audit log cleanup, and so on. • Report Management Playbooks collection includes playbooks that FortiSOAR uses to manage generation of FortiSOAR reports. • Utilities Playbook collection includes playbooks that FortiSOAR uses to manage system utilities. • War Room Automation collection includes playbooks used to manage war rooms and notify responsible parties.
FortiSOAR Administrator 7.3 Study Guide
141
System Configuration
DO NOT REPRINT © FORTINET
The System Fixtures page also contains links to a few email templates, which are included by default. Clicking on any of the templates will bring up an interface to view, edit, clone, export, or delete them. You can add new templates or customize existing templates to fit your organization’s business needs. This slide shows the four default templates included in FortiSOAR: • • • •
Password Reset Token includes an email template used for user password reset procedures. This email contains a link that the user can use to create their new password. Send Email To New User is an email template that is sent to a new user, which contains a link for them to set a new password. Send Email For Password Change includes an email template that is sent when a user requests a change in their FortiSOAR password. Send Email For Reset Password By Admin includes an email template that is sent to FortiSOAR users whose password has been reset by an administrator.
An example of the Password Reset Token template is shown on this slide. Clicking on the Edit Record button allows you to change the information inside the defined fields, which in this example would be the content inside the Name, Subject, and Content fields. Clicking on the pencil icon on the top right brings up the Edit Template interface to edit the email template’s structure.
FortiSOAR Administrator 7.3 Study Guide
142
System Configuration
DO NOT REPRINT © FORTINET
The Navigation editor allows you to modify the system navigation bar, which contains shortcuts to different FortiSOAR menus. Use the Add As Group option to add the selected modules and pages into a group. After that, you can name the group. In the example on this slide, the group is called Artifacts Management. Note that groups are collapsible on the bar, and can be identified by the down arrow. Click the arrow to expand the list to see all entries. Use the Add To Menu option to create an entry, or separate entries if multiple modules are selected, at the top level on the navigation bar. You can rearrange the panel’s order by dragging and dropping the entries under the Navigation interface. Any items not required can be removed from the navigation bar by clicking on the bin icon. In addition, the icon for each navigation shortcut can be changed by picking from a list of default icons. In the example shown on this slide, two navigation items are added to the bar: Artifacts Management and External Website. Artifacts Management is a new group, which includes the Attachments, Comment, and Events modules. In the top right screenshot on this slide, you can see that the modules are slightly indented compared to the Artifacts Management group container, indicating that they are nested. The External Website navigation item contains a link to the Google homepage. First, the title and the URL are configured using the Pages tab. Then, this entry is added to the bar as a single item via the Add to Menu button.
FortiSOAR Administrator 7.3 Study Guide
143
System Configuration
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
144
System Configuration
DO NOT REPRINT © FORTINET
Good job! You now understand system configuration. Now, you will learn about proxy configuration.
FortiSOAR Administrator 7.3 Study Guide
145
System Configuration
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding forward proxies and reverse proxies on FortiSOAR, you will be able to configure FortiSOAR to accept connections on its proxy server.
FortiSOAR Administrator 7.3 Study Guide
146
System Configuration
DO NOT REPRINT © FORTINET
You can configure FortiSOAR to direct traffic to an explicit forward proxy to act as an intermediary between itself and public webservers. Some benefits of implementing a proxy include extra security, privacy, load balancing, access control, and content caching. You can also configure a reverse proxy or load balancer to direct requests to a FortiSOAR cluster. The proxy server can be a firewall such as a FortiGate, a FortiProxy, or a third-party proxy offering.
FortiSOAR Administrator 7.3 Study Guide
147
System Configuration
DO NOT REPRINT © FORTINET
A FortiSOAR VM needs access to a few different FQDNs on the internet. For upgrading FortiSOAR, installing connectors, and accessing the widget library, ensure FortiSOAR has HTTPS access to repo.fortisoar.fortinet.com. For installing Python dependencies for connectors, make sure your FortiSOAR VM has HTTPS access to pypi.python.org. You can also use the parallel python repository URL repo.fortisoar.fortinet.com with some configuration if your organization does not permit PyPI. For synchronization of FortiSOAR license details, make sure the FortiSOAR VM has HTTPS access to globalupdate.fortinet.net. If you have configured any SaaS or API endpoints, such as VirusTotal, make sure your FortiSOAR VM can connect to them. You must ensure that these endpoints are open from the organization’s proxy. You can configure your proxy for the first time using the FortiSOAR Configuration Wizard. If you subsequently need to change the proxy, then you can use the csadm CLI commands or use the GUI.
FortiSOAR Administrator 7.3 Study Guide
148
System Configuration
DO NOT REPRINT © FORTINET
This slide shows the Environment Variables page on FortiSOAR where you can configure HTTP, HTTPS, and other protocol proxies. To configure an HTTP proxy to serve all HTTP requests from FortiSOAR, enter the details in the HTTP section. To configure an HTTPS proxy server to serve all HTTPS requests from FortiSOAR, enter the details in the HTTPS section on the Environment Variables page. If both protocols will use the same settings, you can select the Use Same As Above option. In the No Proxy List field, enter a comma-separated list of addresses that you do not need to route through a proxy server. In the Other Environment Variables section, you can add environmental variables and configure proxies for other protocols, such as FTP, in a key-value pair. For example, enter FTP in the Key field and 1.1.1.1 in the Value field.
FortiSOAR Administrator 7.3 Study Guide
149
System Configuration
DO NOT REPRINT © FORTINET
If you have a reverse proxy in your environment, then you must configure this reverse proxy server for FortiSOAR live sync functionality. The example configuration shown on this slide applies only to an Apache proxy server. You can enable any other reverse proxy using a similar pattern to support the web socket functionality.
FortiSOAR Administrator 7.3 Study Guide
150
System Configuration
DO NOT REPRINT © FORTINET
To configure a reverse proxy on FortiSOAR, you must update the config.yml file. This slide shows the path for the file and an example configuration. Ensure that the FortiSOAR URL matches the FortiSOAR SSL certificate alternate DNS name. After updating the file, you must restart all FortiSOAR services. This slide shows the command you must use. After all FortiSOAR services successfully restart, you should be able to load all the modules using the reverse proxy server.
FortiSOAR Administrator 7.3 Study Guide
151
System Configuration
DO NOT REPRINT © FORTINET
In specific cases you must stop and start FortiSOAR services: • If you update your SSL certificates • Post-update, if playbooks are not working as expected • Post-reboot, if the FortiSOAR VM is not working as expected Any user who has root or super-user permissions can use the csadm commands. This slide shows the commands with various options. You can use the csadm commands to see service statuses, and stop, start, or restart services.
FortiSOAR Administrator 7.3 Study Guide
152
System Configuration
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
153
System Configuration
DO NOT REPRINT © FORTINET
Good job! You now understand how to configure FortiSOAR to use proxies. Now, you will learn about audit logs.
FortiSOAR Administrator 7.3 Study Guide
154
System Configuration
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in setting and purging audit logs, you will be able to manage and store the audit logs that are necessary for PCI compliance.
FortiSOAR Administrator 7.3 Study Guide
155
System Configuration
DO NOT REPRINT © FORTINET
Audit logs include historical data of operations performed in FortiSOAR. Some examples include the name of the user who deleted a record, linking and delinking events, picklist events, and model metadata events, including changes made in model metadata during the staging phrase. You can use the free text search along with various filtering criteria to search audit logs. You can also add auditing for new services directly in the Audit Logs view. Audit logs also contain operations related to playbooks, such as trigger, update, terminate, resume, create and delete playbook versions, and so on. Other examples include: • User login success, failures, and logout events. The login event includes all supported login types, which are database, LDAP, SAML SSO, and RADIUS • System notifications • Recycle bin operations • Data archival operations Singular description attribute value fields containing a "." or "$" are replaced with an "_" in audit logs. For example, if you have a field named SourceID, and defined its singular description value with Source.ID, then in the audit logs this appears as Source_ID.
FortiSOAR Administrator 7.3 Study Guide
156
System Configuration
DO NOT REPRINT © FORTINET
To view your own audit logs, you must have a role with a minimum of read permission on the Audit Log Activities module. To view and filter audit logs of all users, you must have a role with a minimum of read permission on the People, Appliances, Security, and Audit Log Activities modules. To delete your own audit logs, you must have a role with a minimum of delete permission on the Audit Log Activities module. To delete audit logs of all users, you must have a role with a minimum of delete permission on the Security and Audit Log Activities modules. Note that the delete permission on the Audit Log Activities module is not enabled by default for the Full App Permissions role. Therefore, if you want any user to have the ability to delete audit logs, you must explicitly assign the delete permission on the module.
FortiSOAR Administrator 7.3 Study Guide
157
System Configuration
DO NOT REPRINT © FORTINET
You can filter the audit logs to display the audit logs for a particular record type by selecting the record type (module) from the Record Type drop-down list. You can also filter audit logs by users, operations, data ranges, and the free text search bar. To view the details of an audit log entry, click the arrow icon in the audit entry row. Details in the audit log entry are in JSON format, and include the old data and updated data for a record. You can export audit logs to either a CSV or PDF file.
FortiSOAR Administrator 7.3 Study Guide
158
System Configuration
DO NOT REPRINT © FORTINET
You can view logs specific to a particular module in the Application Editor section. In the Select a module to edit or create new module drop-down list, select the module whose audit log you want to view, and then click the Audit Logs button. You can view the same details and perform the same actions as mentioned earlier on the Audit Logs page. Similarly, you can also view logs specific to a particular picklist in the Application Editor section. In the Select a picklist or edit or create a new picklist drop-down list, select the picklist whose audit log you want to view and click the Audit Logs button.
FortiSOAR Administrator 7.3 Study Guide
159
System Configuration
DO NOT REPRINT © FORTINET
Use the User-Specific Audit Logs section to view the chronological list of all the actions across all the modules of FortiSOAR for a particular user. Users can view their own audit logs by clicking the User Profile icon, selecting the Edit Profile option, and then clicking the Audit Logs panel. Administrators who have a minimum of read permission on the Audit Log Activities module along with access to the People module, which allows them to access a user’s profile, can view user-specific audit logs. The user-specific audit logs display the user’s operations on the platform, including logins, logouts, create, delete, and many more. You can also perform the same actions here as you can perform in Audit Logs.
FortiSOAR Administrator 7.3 Study Guide
160
System Configuration
DO NOT REPRINT © FORTINET
Use the Audit Log tab, which is present in the detail view of a record, to view the graphical representation of all the actions performed on that particular record. The Audit Log tab uses the Timeline widget to display the graphical representation of the details of the record. You cannot edit the Timeline widget. You can toggle the view in the Audit Log tab to view the details in both grid view and the timeline graphical view. The screenshot on this slide depicts the timeline view. A timeline object displays the action performed on the record—such as created, updated, commented, attached, or linked—the name of the person who made the update, and the date and time that the update was made. In the timeline, you may see some records created by playbooks. This signifies that the record was created by a workflow entity, such as a playbook or a rule. You can toggle between the expanded and collapsed view of the Audit Log tab using the full-screen mode icon.
FortiSOAR Administrator 7.3 Study Guide
161
System Configuration
DO NOT REPRINT © FORTINET
You can manually purge audit logs using the Purge Logs button on the upper-right corner of the Audit Log page. Purging audit logs allows you to permanently delete old audit logs that you do not need, and frees up space on your FortiSOAR VM. As described earlier in this lesson, you can also schedule purging for both audit logs and executed playbook logs. To purge audit logs, you must be assigned a role that has a minimum of read permission on the Security module and delete permission on the Audit Log Activities module. In the Purge all logs before field, you can select a time criteria to ensure only old audit logs are deleted. By default, logs of all events are purged. However, you can control the event types that FortiSOAR chooses for purging. For example, if you do not want FortiSOAR to purge events of type Login Failure and Trigger, then you can clear that checkbox.
FortiSOAR Administrator 7.3 Study Guide
162
System Configuration
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
163
System Configuration
DO NOT REPRINT © FORTINET
Good job! You now understand audit logs. Now, you will learn how to export and import a FortiSOAR configuration.
FortiSOAR Administrator 7.3 Study Guide
164
System Configuration
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in the exporting and importing of a FortiSOAR configuration, you will be able to export various FortiSOAR components, such as configuration information, dashboards, playbook collections, and import these to another FortiSOAR VM.
FortiSOAR Administrator 7.3 Study Guide
165
System Configuration
DO NOT REPRINT © FORTINET
Administrators can use the configuration import and export wizard for configuration information, dashboards, application settings, and more. In 7.0 and later versions, the wizard supports the importing and exporting of templates, installed connectors, connector configurations, widgets, teams, and users. In 7.0.2 and later versions, the export wizard creates a ZIP file for all the exported content. Prior to version 7.0.2, content was exported in the JSON format. You can use both the ZIP and JSON format to import content using the Import Wizard. To export and import configurations using the wizards, you must assign users a role that has create, read and update permissions on the Application, Security, and Playbook modules. Depending on which elements need to be exported or imported, you may need to grant additional permissions. For example, to import files you must assign a role that has create and read permissions on the Files module. To import connectors you must assign a role that has create, read, and update permissions on the Connectors module. To export connectors you must assign a role that has read permissions on the Connectors module.
FortiSOAR Administrator 7.3 Study Guide
166
System Configuration
DO NOT REPRINT © FORTINET
You can use the Configuration Export Wizard to export module configuration information such as module metadata, field definitions, picklists, view templates, and more. You can also export playbook collections, dashboards, reports, and administrative settings, such as application configuration, system views, and so on. If you want to use a playbook to schedule configuration exports using an existing export template, you must add the UUID of the export template in the playbook. You can retrieve the UUID of the export template by clicking the Copy UUID to Clipboard icon in the Actions column. The Export History page displays a list of configurations that have been exported. On this page you can download a copy of the configuration module, as well as delete it.
FortiSOAR Administrator 7.3 Study Guide
167
System Configuration
DO NOT REPRINT © FORTINET
In the Export Wizard, on the Choose Entities page, you can choose to export Module Configurations. On the Filter Data page you can select the modules that you want to export. You can choose to export one, all, or multiple modules. You can also choose to export all or any of the configuration information associated with a module as well, such as the module schema, listing view, record view, and add views. The Auto-Select Required Picklists needs to be enabled because you must also export the picklists associated with the module when you export the module. This is to ensure there are no issues when you import the configuration into another environment. For example, if you select Schema for the Alerts module, you will observe picklists that are required for the Alerts module are automatically selected. If you want to export only picklists, click the Picklists menu item, and select the picklists you want to export. Using this menu item, you can export the picklists that are not associated with any module. When you import a picklist using the wizard, and if the picklist already exists on your system, then the wizard replaces the existing picklist. On the Review Export page, you can review the configuration information that you are exporting, specify the name of the template that you are exporting, and specify the name of the ZIP file for the export.
FortiSOAR Administrator 7.3 Study Guide
168
System Configuration
DO NOT REPRINT © FORTINET
You can export playbook collections and global variables. Global variables can be declared once and then used across multiple playbooks. Currently, you have to export the complete playbook collection when using the Export Wizard, and cannot select specific playbooks to export from within a playbook collection. However, you can still export individual playbooks through the Playbooks interface. When you import a playbook collection, and if that playbook collection exists, you can choose to either overwrite the existing playbook collection or create a new playbook collection and append the original playbook collection name with a number. When you import a global variable that already exists on your system, then the Import Wizard replaces the existing global variable. You can also export all or specific dashboards and report templates. On the Review Export page, after you review the information, click Save & Run Export to export the dashboard or report template in a ZIP file that you can download and use in another environment. If you import a dashboard or report template, and if that dashboard or report template already exists in the system, then the wizard replaces the existing dashboard or report template.
FortiSOAR Administrator 7.3 Study Guide
169
System Configuration
DO NOT REPRINT © FORTINET
You can export connectors that are installed on your system. You can choose to export one, multiple, or all connectors. You can also choose to export the configuration information associated with a connector. Use caution with the storage of exported connector files. Password and API keys are not encrypted during export, which means that anyone who has access to the exported file can access the connectors. You can also export one or more widgets installed on FortiSOAR. If a widget is not found in the widget repository, then the Export Wizard will export the ZIP file for it.
FortiSOAR Administrator 7.3 Study Guide
170
System Configuration
DO NOT REPRINT © FORTINET
You can export administrative settings and customizations on your FortiSOAR node. For example, you can export the system settings, such as branding and notifications, SSO, LDAP, and RADIUS configurations, high availability configurations, proxy and environment variables, and so on. Passwords are write-only fields and therefore you cannot export them using the wizard. If, for example, you export the LDAP configurations and import them into another instance, you must manually enter the passwords for all the users to be able to perform any activity related to users, such as searching for users or updating details of users. You can also export security settings, which includes users, teams, and roles that exist in your environment. You have the option to export only certain users, teams, and roles instead of including every setting.
FortiSOAR Administrator 7.3 Study Guide
171
System Configuration
DO NOT REPRINT © FORTINET
You can use the Import Wizard to import configurations or metadata information for modules, playbook collections, dashboards, and so on, from other environments into your FortiSOAR VM. Using the Import Wizard, you can move model metadata, picklists, system view templates, dashboards, reports, roles, playbooks, and application settings across environments. If you close the wizard without clicking Run Import, then the status of your import shows as Reviewing. You can click the Continue icon in the Actions column to display the Configurations page of the Import Wizard, and you can continue reviewing the import configurations. If you click Run Import, and the import process completes, then the status of your import shows as Import Complete. You can use both ZIP and JSON formats to import content.
FortiSOAR Administrator 7.3 Study Guide
172
System Configuration
DO NOT REPRINT © FORTINET
This slide shows how to import dashboards and reports. To import Dashboards or Reports, on the Options page, click Dashboard(s) or Report(s). The Observation column displays whether the dashboards or reports that you are importing are New or Existing. If you import dashboards or reports templates, then apart from displaying whether it is an existing or new dashboard or report, you can assign a default role to the dashboard or report.
FortiSOAR Administrator 7.3 Study Guide
173
System Configuration
DO NOT REPRINT © FORTINET
For schemas of the modules that you import, you can choose whether you want to merge with existing configurations, replace existing configurations, or append new fields to the configurations. You can click Review Field Level Actions to view the detailed schema of the module you import. The Merge With Existing setting merges the configurations. For example, if you import an existing module— Alerts—which has three new fields in the configuration that you are importing and ten existing fields, and you select Merge, then after the import, the Alerts module has 13 fields. Therefore, merging overwrites existing fields, adds new fields, and keeps non-imported fields. The Replace Existing setting replaces the existing configuration with the imported configuration. It overwrites existing fields, adds new fields, and deletes non-imported fields. The Append New Fields setting keeps the existing fields intact, as well as adds new fields. It keeps existing fields, adds new fields, and keeps non-imported fields.
FortiSOAR Administrator 7.3 Study Guide
174
System Configuration
DO NOT REPRINT © FORTINET
To import connectors, on the Options page, click Connectors. The Choose Connectors to Import page displays whether the connectors that you are importing are New or Existing, as seen on this slide. If the connectors are new, then the connector import installs them. If there are any configurations to import, it will also import them into the system. If the connectors are existing, the logic is different, and depends on a few factors.
FortiSOAR Administrator 7.3 Study Guide
175
System Configuration
DO NOT REPRINT © FORTINET
For existing connectors, it is important to compare the version of the connector you are importing against the system’s connectors’ versions. If you are trying to import a connector which already exists on the FortiSOAR instance, one of three things can happen based on the versions of the connectors: • If the version of the installed connector is older than the one being imported, then the connector import upgrades the connector and replaces its configuration. • If the version of the installed connector is the same or higher than the one being imported, then the connector import replaces only the connector’s configuration. • If the version of the installed connector is the same or higher than the one being imported, but the connector has no configuration, then the connector import replaces nothing. Note that create, read, and update permissions are required on the Connectors module to import connectors.
FortiSOAR Administrator 7.3 Study Guide
176
System Configuration
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
177
System Configuration
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiSOAR Administrator 7.3 Study Guide
178
System Configuration
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned how to configure applications, proxies and reverse proxies. You learned how to manage audit logs and the recycle bin. You also learned how to export and import modular configurations from a FortiSOAR instance.
FortiSOAR Administrator 7.3 Study Guide
179
High Availability
DO NOT REPRINT © FORTINET
In this lesson, you will learn about high availability (HA) and the different ways that you can achieve HA on FortiSOAR.
FortiSOAR Administrator 7.3 Study Guide
180
High Availability
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the topics shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
181
High Availability
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating a competent understanding of HA, you will be able to use different methods to achieve HA clustering with FortiSOAR.
FortiSOAR Administrator 7.3 Study Guide
182
High Availability
DO NOT REPRINT © FORTINET
There are multiple ways you can implement HA for FortiSOAR. FortiSOAR provides a native clustering solution, which allows you to join FortiSOAR nodes into an HA cluster. When you deploy a FortiSOAR instance using the FortiSOAR Configuration Wizard, the instance is a single node cluster acting as the active primary node. You can join more nodes to form a multi-node cluster. FortiSOAR HA uses PostgreSQL database clustering. It supports active-active and active-passive configurations with both internal and external PostgreSQL databases. You can deploy HA clusters to fulfill disaster recovery or scaling. For disaster recovery, you can configure an active-passive cluster that has the passive node located in a remote data center. For scaling workflow execution across multiple nodes, you can use colocated active-active cluster nodes. Using the native clustering option is recommended since recovery times are fastest if a primary node becomes unavailable. Another high availability option is creating nightly database backups and incremental VM snapshots. FortiSOAR provides backup scripts that are scheduled to run at predefined intervals and make full database backups on a shared or backed up drive. You must supplement the full backups with incremental VM snapshots whenever there are changes made to the file system, such as connector installation changes, configuration file changes, upgrades, schedule changes, and so on. You can also achieve high availability by using your virtualization platform, such as VMware HA and AWS EBS snapshots. This method relies on your expertise and infrastructure. You can configure an external PostgreSQL database and use your own database HA solution. You must take VM snapshots whenever there are changes to the file system, such as connector installation changes, configuration file changes, upgrades, schedule changes, and so on.
FortiSOAR Administrator 7.3 Study Guide
183
High Availability
DO NOT REPRINT © FORTINET
The primary node in FortiSOAR is unique for various reasons. A FortiSOAR HA cluster can have only one active primary node. Secondary nodes, on the other hand, can be active or passive. For a FortiSOAR environment using the internal database, all active nodes talk to the primary node’s database for all read/write operations. The databases of all other nodes are in read-only mode and has replication set up to the primary node. In addition, since version 7.2.0, replication slots are used to set up your HA cluster. Replication slots add support for differential synchronization between the primary and the secondary nodes when there are synchronization issues instead of doing full synchronizations. Differential synchronization enhances the performance of various HA operations such as restoring the secondary nodes after a firedrill, or forming an HA cluster after upgrading a secondary node. The following functions run only on the primary node: • • •
The Workflow Scheduler runs only on the primary node although queued workflows are distributed amongst all active nodes Active nodes index data for quicksearch into ElasticSearch on the primary node Integrations and connectors which have a listener configured for notifications, such as IMAP, Exchange, Syslog
Because the primary node handles multiple functions that the secondary nodes do not, it is essential to have replication functioning so another node can take over should it become unavailable.
FortiSOAR Administrator 7.3 Study Guide
184
High Availability
DO NOT REPRINT © FORTINET
Prior to 7.2.0, you were required to upload the TGZ file of the custom connectors on all the nodes within the HA cluster, and the connectors needed to be manually installed on each node using the CLI. You were also required to upload the same version of the connector to all the nodes, and that the Delete all existing versions option is selected while uploading the TGZ file on all the nodes. Starting from release 7.2.0, the process has been streamlined. When you install custom connectors on the primary node, the following connectors are automatically installed on other nodes of the HA cluster: • Custom connectors • Older versions of connectors that did not have their RPM available on the FortiSOAR server • Connectors that were created and published using the Create New Connector wizard In addition, starting from version 7.2.1, after you install a connector dependency on a FortiSOAR node using the Install link on the connector's Configurations dialog, then that dependency is installed on the other nodes of the HA cluster.
FortiSOAR Administrator 7.3 Study Guide
185
High Availability
DO NOT REPRINT © FORTINET
High availability with an internal PostgreSQL database is based on internal clustering that takes care of replicating data to all cluster nodes, and provides an administration CLI to manage the cluster and perform the takeover operation, when necessary. Takeover is the process in which one of the secondary nodes takes over as the primary node of the HA cluster. This can be done using the CLI only. FortiSOAR uses PostgreSQL streaming replication, which is asynchronous in nature. You can configure HA on FortiSOAR with an internal PostgreSQL database in both A-A and A-P mode.
FortiSOAR Administrator 7.3 Study Guide
186
High Availability
DO NOT REPRINT © FORTINET
In an A-P HA cluster configuration, one or more passive or standby nodes are available to take over if the primary node fails. The primary node does all the data processing. However, when the primary node fails, a standby node takes over as the primary node. In this configuration, you can have one active node and one or more passive nodes configured in a cluster. This provides redundancy while data is being replicated asynchronously.
FortiSOAR Administrator 7.3 Study Guide
187
High Availability
DO NOT REPRINT © FORTINET
In an A-A HA cluster configuration, at least two nodes are actively running the same kind of service at the same time. The main aim of the A-A cluster is to achieve load balancing and horizontal scaling, while data is replicated asynchronously. If there are multiple active nodes in the environment, you should set up a proxy or a load balancer to effectively direct requests to all nodes.
FortiSOAR Administrator 7.3 Study Guide
188
High Availability
DO NOT REPRINT © FORTINET
FortiSOAR ensures that changes done in the file system of any of the cluster nodes—as a result of a connector installation or uninstallation, or any changes in the module definitions—are synced across every node. This ensures that a secondary or passive node can take over in the least amount of time, in case the primary node fails. When using an external PostgreSQL database, you should also configure your database’s own HA solution. This ensures there is resiliency in case the primary database server becomes unavailable.
FortiSOAR Administrator 7.3 Study Guide
189
High Availability
DO NOT REPRINT © FORTINET
Starting from version 6.4.4, user entitlement does not need to be the same across all cluster nodes—you do not have to buy additional user licenses for clustered nodes. User count entitlement is always validated from the primary node. The secondary nodes can have the basic two-user entitlement. In an HA cluster, the License Manager page displays the information about all the nodes in the cluster. As shown in the image on this slide, the primary node is primary.internal.lab and that node is licensed with two users; therefore, the total user count displays as 2 Users. To update the license for each node, click Update License and upload the license for that node. If you update a license that does not match the system UUID, then the GUI displays a warning while you are updating the license. If you update the same license in more than one environment, then the license is detected as a duplicate, and your FortiSOAR GUI will be blocked in 2 hours. During a takeover operation, the new primary node will swap licenses with the old primary node. If the old primary node is not operational during a takeover, then it will synchronize with FDN with its old license when it comes back, which will cause a duplicate license scenario since the new primary unit will be using the same license. In this case, you need to manually deploy the license previously used by the secondary node before the takeover onto the former primary node.
FortiSOAR Administrator 7.3 Study Guide
190
High Availability
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
191
High Availability
DO NOT REPRINT © FORTINET
Good job! You now understand HA overview. Now, you will learn how to configure HA on FortiSOAR.
FortiSOAR Administrator 7.3 Study Guide
192
High Availability
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in configuring HA, you will be able to configure FortiSOAR HA cluster using an internal or external PostgreSQL database.
FortiSOAR Administrator 7.3 Study Guide
193
High Availability
DO NOT REPRINT © FORTINET
You need to verify the following prerequisites before configuring your FortiSOAR HA cluster: • • •
•
All nodes must be on the same version. All nodes must be resolvable through DNS. Your SSH session must not time out. You can increase the session timeout value in your SSH application, or use the screen or tmux command to ensure that the SSH session does not time out. Refer to the Fortinet Knowledge Base article mentioned on this slide for more details. If you have an external firewall or any other security policies between the HA nodes, then you must ensure that the following ports are open between the HA nodes: 5432 for PostgreSQL, 6379 for Redis, and 9200 for Elasticsearch.
It is highly recommended that you install the cluster behind a load balancer so that the cluster address remains unchanged regardless of which node is the primary. You can configure FortiSOAR HA cluster through the CLI only.
FortiSOAR Administrator 7.3 Study Guide
194
High Availability
DO NOT REPRINT © FORTINET
When configuring HA, you must join nodes to an HA cluster in a sequential order. Use the FortiSOAR admin CLI (csadm) command to configure HA for your FortiSOAR instances. This slide shows the various command options. To configure a node as a secondary node, ensure you can resolve all nodes through DNS. You can then connect over SSH to the node you want to configure as a secondary node and enter the command shown on this slide. After you enter this command, you are prompted to enter the SSH password to access your primary node. This slide also shows the command you must use to join a node to a cluster in a cloud environment with keybased authentication. When you join a node to an HA cluster, the list-nodes command does not display that a node is in the process of joining the cluster. The newly added node appears in the list-nodes command only after it successfully joins the HA cluster.
FortiSOAR Administrator 7.3 Study Guide
195
High Availability
DO NOT REPRINT © FORTINET
If you are configuring HA with an external database, first configure the PostgreSQL database for the primary node of the cluster, and then add the host names of the secondary nodes to the pg_hba.conf and postgresql.conf files of the external database. This ensures that the external database trusts the FortiSOAR nodes for incoming connections. After you have configured the external database, ensure that you have met all HA prerequisites, and then create the HA cluster by following the same steps mentioned in the Configuring HA with internal Database section earlier in the lesson.
FortiSOAR Administrator 7.3 Study Guide
196
High Availability
DO NOT REPRINT © FORTINET
Use the csadm ha takeover command to perform a takeover when your active primary node is down. Run this command on the secondary node that you want to configure as your active primary node. Licenses are swapped between the old primary node and the new primary node during a takeover operation. The nodes’ UUIDs remain the same. If during takeover you specify no to the Do you want to invoke ‘join-cluster’ on other cluster nodes? prompt, or if any node is not reachable, then you will have to reconfigure all the nodes in the cluster to point to the new active primary node using the csadm ha join-cluster command.
FortiSOAR Administrator 7.3 Study Guide
197
High Availability
DO NOT REPRINT © FORTINET
A firedrill can be performed to test the replication status of a cluster when using an internal database. It is a good idea to periodically run a firedrill to ensure that a secondary node is ready to take over for the primary node. You can perform a firedrill on a secondary (active or passive) node only. Running the firedrill suspends the replication to the node database and sets it up as a standalone node pointing to its local database. After you have completed the firedrill, ensure that you perform a restore, as seen on this slide, to return the node to the HA cluster. All changes made while the node was in a firedrill will be discarded since that is considered test data.
FortiSOAR Administrator 7.3 Study Guide
198
High Availability
DO NOT REPRINT © FORTINET
The table on this slide lists all the subcommands that you can use with the csadm ha command. You can use the csadm ha subcommands to perform various cluster operations. The list-nodes set of commands displays nodes within the HA cluster. The show-health set of commands displays health information of the nodes. The export-conf command exports the active primary node’s configuration to a file, in the event you wish to export the configuration to a secondary node. The get-replication-status command displays the replication delay and status between cluster nodes. For the primary node, this command displays the replication statistics. Running the firedrill suspends the replication to the node database and sets it up as a standalone node pointing to its local database. Because the fire drill is performed primarily to ensure that the database replication is set up correctly, it is not applicable when the database is externalized. After you complete the firedrill, ensure that you perform a restore to get the nodes back in a replicating state.
FortiSOAR Administrator 7.3 Study Guide
199
High Availability
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
200
High Availability
DO NOT REPRINT © FORTINET
Good job! You now understand HA configuration. Now, you will learn how to externalize the PostgreSQL database.
FortiSOAR Administrator 7.3 Study Guide
201
High Availability
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in externalizing the FortiSOAR PostgreSQL database, you will be able to migrate data from your local database to a remote one. .
FortiSOAR Administrator 7.3 Study Guide
202
High Availability
DO NOT REPRINT © FORTINET
Externalization is migration of data from your local database instance to a remote database instance that has the same version of PostgreSQL. FortiSOAR version 7.3 uses PostgreSQL version 14. To externalize your FortiSOAR PostgreSQL database, you must have root access on FortiSOAR and you must use the FortiSOAR CLI with the csadm commands. First, you need to prepare your remote database instance. It must allow inbound communication from your FortiSOAR VM, and have PostgreSQL version 14 running. Then, you should prepare your local FortiSOAR instance. Ensure that port 5432 is open for PostgreSQL to allow inbound and outbound communication with the remote instance. If the FortiSOAR instance was connected previously to the same instance of the database that is being externalized, it could lead to a stale connection being presented to the FortiSOAR database on the external PostgreSQL server. To resolve this issue and release all stale connections, restart the postgres service using the command shown on this slide. Ensure that you have stopped all your schedules and that you have no playbooks in the running state. You must also ensure that you have enough disk space available to perform database externalization tasks. It is recommended that you have at least three times the data size you are transferring in available disk space. For example, if your data size is 2 GB, then you should have around 6 GB of available disk space, to ensure that the processes do not stop or fail. Use the command listed on this slide to find out the current database size.
FortiSOAR Administrator 7.3 Study Guide
203
High Availability
DO NOT REPRINT © FORTINET
Now you will learn more about the workflow for externalizing the FortiSOAR database. Refer to the slides for specific commands. In summary, to externalize FortiSOAR databases, you must do the following: Step 1: Create a copy of the db_config file, and name it db_external_config. This slide shows the directory where you can find the original file. Step 2: Update the newly created external configuration file for PostgreSQL in the postgres section. This includes the external, host, password, port, and user fields. SSL is optional. By default, the port and user are already populated. However, if you wish to change the default port and user, you must modify this file and ensure your database server has the same information. You can also mirror the postgres section’s configuration to the postgres_archival section to externalize the archival database. Note, once you externalize the FortiSOAR database, you must also externalize the archival database. However, you do not have to point it to the same database server.
FortiSOAR Administrator 7.3 Study Guide
204
High Availability
DO NOT REPRINT © FORTINET
Step 3: Configure the PostgreSQL database server. First, add firewall exceptions and reload the firewall service. Next, edit the pg_hba.conf and postgresql.conf files to trust the FortiSOAR connections. Once you finished editing the files, you must restart the PostgreSQL service. You also need to create the cyberpqsql user.
FortiSOAR Administrator 7.3 Study Guide
205
High Availability
DO NOT REPRINT © FORTINET
Step 4: Check connectivity between the FortiSOAR instance and the remote database server. Step 5: Start the externalization process. Step 6: After you have completed externalizing the database, restart all schedules and playbooks. In case of database externalization issues, you can review the db.log file for further troubleshooting.
FortiSOAR Administrator 7.3 Study Guide
206
High Availability
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
207
High Availability
DO NOT REPRINT © FORTINET
Good job! You now understand how to externalize the PostgreSQL database. Now, you will learn about HA best practices and cluster monitoring.
FortiSOAR Administrator 7.3 Study Guide
208
High Availability
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in applying best practices, you will be able to configure and manage HA clusters effectively.
FortiSOAR Administrator 7.3 Study Guide
209
High Availability
DO NOT REPRINT © FORTINET
Fronting and accessing the FortiSOAR HA cluster with a load balancer or a reverse proxy is recommended so that the address remains unchanged on takeover. You must ensure that the SIEM and other endpoints that FortiSOAR connects to are reachable on the virtualized host name (DNS) that would remain intact even after a failover (local or globally). The FortiSOAR node connects outbound to the SIEM, to periodically pull information. In case of downtime, after the FortiSOAR node comes back up, it would pull missing information from the last pulled time, ensuring there is no data loss even during down time.
FortiSOAR Administrator 7.3 Study Guide
210
High Availability
DO NOT REPRINT © FORTINET
The postgresql.conf file has two settings that you can configure to fine-tune a FortiSOAR HA cluster: • max_wal_senders defines the maximum number of walsender processes. By default, this is set as 10. • wal_keep_size defines the maximum number of replication slots, which adds support for differential synchronization to help speed up HA operations. By default, this is also set as 10. Every secondary node needs one walsender process on the primary node, which means that with the default value you can configure a maximum of 10 secondary nodes. If you have more than 10 secondary nodes, then you must edit the max_wal_senders attribute in the postgresql.conf file on the primary node and restart the PostgreSQL server.
FortiSOAR Administrator 7.3 Study Guide
211
High Availability
DO NOT REPRINT © FORTINET
There are various system settings in the postgresql.conf file that determine the size of shared memory for tracking transaction IDs, locks, and prepared transactions. You should ensure these shared memory structures have at least the same values on all secondary nodes compared to the primary node. If the secondary nodes have values lower than the primary node, HA operations could run into potential issues if there are not enough resources. For example, an HA failover could run into issues if the secondary node has lower values. When a secondary node is promoted to the primary role, it will become the new reference point for these parameters. If other secondary nodes do not have the same value as the newly promoted node, the same issues could occur. As a result, it is best practice to keep these values consistent across all the nodes.
FortiSOAR Administrator 7.3 Study Guide
212
High Availability
DO NOT REPRINT © FORTINET
You can set up system monitoring for FortiSOAR HA clusters. In the Monitoring Interval (Minutes) field, specify the interval in minutes at which you want to monitor the system and perform the health check of the HA cluster. In the Missed Heartbeat Count field, specify the count of missed heartbeats after which notifications of failure are sent to the email addresses you have specified. You cannot specify a value less than 3 in the Missed Heartbeat Count field. In the Replication Lag field, specify the threshold, in gigabytes, for the replication lag between nodes. If the replication lag threshold is reached, then an email notification is sent to the specified email addresses. For example, if you set the Monitoring Interval to 5 Minutes and the Missed Heartbeat Count to 3, this means that when the heartbeat is missed and the cyops-ha service is down for the last 15 minutes or more the heartbeat missed notification is sent to the email address that you specify in the Email field.
FortiSOAR Administrator 7.3 Study Guide
213
High Availability
DO NOT REPRINT © FORTINET
HA cluster failure notifications provide useful information about potential causes, and also remediation steps. For example, if the heartbeat misses from the secondary node exceed the cluster monitoring setting, then the health notification check sends a heartbeat failure notification and exits. If the data replication from the primary node is broken, then the health notification check sends a notification containing the replication lag with respect to the last known replay_lsn of the secondary node and exits.
FortiSOAR Administrator 7.3 Study Guide
214
High Availability
DO NOT REPRINT © FORTINET
If the replication lag reaches or crosses the threshold specified, then the health notification check sends a notification containing the replication lag, as shown on this slide. If any services are not running, then the health notification check sends a “service failure” notification and exits.
FortiSOAR Administrator 7.3 Study Guide
215
High Availability
DO NOT REPRINT © FORTINET
If a firedrill is in progress on a secondary node, then the health notification check sends the notification shown on the slide and exits. You can ignore the lag that the system displays in this case because this lag indicates the amount of data the fire drill node needs to sync when you run the csadm ha restore command. You can also check the lag using the get-replication-stat command on the primary node. Note that replication statistics are not applicable to an externalized database.
FortiSOAR Administrator 7.3 Study Guide
216
High Availability
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
217
High Availability
DO NOT REPRINT © FORTINET
Good job! You now understand HA best practices and how to set up cluster monitoring on FortiSOAR HA. Now, you will learn about troubleshooting different HA issues.
FortiSOAR Administrator 7.3 Study Guide
218
High Availability
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in using troubleshooting techniques, you will be able to address HA issues. .
FortiSOAR Administrator 7.3 Study Guide
219
High Availability
DO NOT REPRINT © FORTINET
To troubleshoot HA issues, you can review HA logs. The directory path of the log file is shown on this slide. When you receive a heartbeat failure notification on a secondary/passive node or on an active node, do the following: 1. Check if the cyops-ha service is running on that node, using the systemctl status cyops-ha command. 2. If it is not running, then you must restart the cyops-ha service. When you receive a notification where the node name differs from actual FQDN of the node, as shown on this slide, do the following: 1. Connect to the problematic node using SSH. 2. Use the csadm hostname --set command to enter the correct FQDN for the node.
FortiSOAR Administrator 7.3 Study Guide
220
High Availability
DO NOT REPRINT © FORTINET
You might receive a notification that the secondary node is out-of-sync with the primary node when the PostgreSQL service status shows that requested WAL segments have already been removed or the csadm ha get-replication-stat command shows a higher time lapsed from the last sync when compared to the general time lapsed. In this case, since the secondary node is completely out-of-sync with the primary node, you must rejoin the node to the cluster. The steps to rejoin the cluster are shown on this slide. When there are heavy write operations on the primary node and the secondary node has not yet copied the data before the data has rolled over, the primary and secondary nodes are out-of-sync and need to be fully synchronized. In this case, increase the wal_keep_size setting in the postgresql.conf file. You must also restart the PostgreSQL service by running the command shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
221
High Availability
DO NOT REPRINT © FORTINET
If the PostgreSQL service on the primary node or external database server is not running, the cyops-ha service will be down across the entire cluster. As a result of this, you cannot access the FortiSOAR GUI, and you must investigate why the postgresql-14 service is down. Run the command listed on this slide for more information regarding the service, and begin troubleshooting with the reason provided by the system as to why the service is not running.
FortiSOAR Administrator 7.3 Study Guide
222
High Availability
DO NOT REPRINT © FORTINET
This slide shows the output of the csadm ha get-replication-stat command when the PostgreSQL service on the secondary/passive node has stopped, but is still running on the primary. You can identify this from the amount of total_lag shown in the command output.
FortiSOAR Administrator 7.3 Study Guide
223
High Availability
DO NOT REPRINT © FORTINET
After you restart the PostgreSQL service on the secondary/passive node, you can see that the total_lag on the primary node decreases, and this amount will decrease further over time. On the secondary node, you will see an expected spike in the total_lag because the primary node is now pushing all the buffered data to the secondary node. Because of this, it will take a while for the secondary node to write all the data to its PostgreSQL database.
FortiSOAR Administrator 7.3 Study Guide
224
High Availability
DO NOT REPRINT © FORTINET
If the process to configure HA using the automated join-cluster command fails, and the HA cluster is not created for reasons such as proxies set up, and so on, you can do the following and configure HA with a more manual process: 1. Connect to the FortiSOAR VM as a root user and run the csadm ha command. This will display the options available to configure HA. 2. To configure a node as a secondary node, perform the following steps: a) Connect over SSH to the active primary node and run the csadm ha export-conf command to export the configuration details of the active primary node to a file named ha.conf. b) Copy the ha.conf file from the active primary node to the node that you want to configure as a secondary node. c) On the active primary node, add the hostnames of the secondary nodes to the allowlist using the commands shown on this slide. d) In the case of an externalized database, you must add all the nodes in the cluster to the allowlist in the pg_hba.conf file. e) Ensure that all HA nodes are resolvable through DNS. f) Connect over SSH to the server that you want to configure as a secondary node, and then run the join-cluster command shown on this slide. g) If you run the csadm ha join-cluster command without adding the hostnames of the secondary nodes to the allowlist, then you will get a Failed to verify error. h) When you join a node to an HA cluster, the list-nodes command does not display that a node is in the process of joining the cluster. The newly added node will be displayed in the listnodes command only after it has joined the HA cluster.
FortiSOAR Administrator 7.3 Study Guide
225
High Availability
DO NOT REPRINT © FORTINET
If your primary node stops because of a system crash, and another node has taken over as primary, the list-nodes command on other nodes will display that the former primary node is in a faulted state. Even after the former primary node resumes services, it will only remain the primary node of its own cluster. To fix the HA cluster, do the following: 1. On the former primary node that has resumed running, run leave-cluster, which removes this node from the HA cluster. 2. Run the join-cluster command to join this node to the HA cluster with the new primary node.
FortiSOAR Administrator 7.3 Study Guide
226
High Availability
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
227
High Availability
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiSOAR Administrator 7.3 Study Guide
228
High Availability
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned how to configure, manage, and troubleshoot HA cluster issues on FortiSOAR. You also learned how to manage cluster licensing, and externalize the FortiSOAR PostgreSQL database.
FortiSOAR Administrator 7.3 Study Guide
229
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
In this lesson, you will learn how FortiSOAR leverages Elasticsearch for improving search results, and about the FortiSOAR recommendation engine, which predicts and assigns field values in records. You will also learn how to provision and operate a war room as well as how to upgrade the FortiSOAR firmware.
FortiSOAR Administrator 7.3 Study Guide
230
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the topics shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
231
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in Elasticsearch, you will learn how FortiSOAR leverages the Elasticsearch mechanism to improve search results.
FortiSOAR Administrator 7.3 Study Guide
232
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
Elasticsearch allows you to store, search, and analyze huge volumes of data quickly in almost real time, and returns answers within milliseconds. It is able to achieve fast search responses because instead of searching the text directly, it searches an index. FortiSOAR leverages the fast search capability of Elasticsearch for a quick text search across all records and files in the FortiSOAR database. FortiSOAR has a local instance of Elasticsearch by default, which you can view the status of by running the csadm services command to check on services. FortiSOAR also supports externalization of Elasticsearch data. Externalization is the indexing of data to an Elasticsearch instance that has the same or a higher version of Elasticsearch outside of the FortiSOAR instance. The minimum version of the Elasticsearch cluster must be 7.0.2 if you want to externalize the Elasticsearch data.
FortiSOAR Administrator 7.3 Study Guide
233
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
The global search mechanism in FortiSOAR leverages an Elasticsearch database to achieve rapid, efficient searches across the entirety of the record system. In the screenshot, you can see an inquiry typed into the search bar, and the matching results returned below. All the record data is stored in Elasticsearch, including from file attachments, and made searchable. It uses the full-text match query function within Elasticsearch. This passes the search string through the standard analyzer, stripping any extra characters to the root term. For instance, the term “phishing” would be searched the same way as the term “PHISHING!”. However, in the case of tags, an exact match is required with no case sensitivity. If there are multiple search terms, an AND operator is used to search for matches. You can set the Match Type as Broad Search or Exact Text Search. An Exact Text Search does not split up text with spaces or special characters. This is useful for looking up an exact match for an email address, for example. You can sort the search results by Relevance, which is based on the number of instances of the keyword within the record body. You can also sort the results by when the record was modified, the Most Recently Modified record, or the Least Recently Modified record. Clicking a search result displays the record details.
FortiSOAR Administrator 7.3 Study Guide
234
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
If you need to change the location of your Elasticsearch instance to a remote machine, you must update the db_config.yml file. In the db_config.yml file, update the host and port (if needed) in the elasticsearch section as shown on this slide. You need to assign nginx permission to the SSL certificate that you have specified in the db_config.yml file using the command shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
235
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
After you complete the externalization of Elasticsearch, you must migrate your data from the local instance to the remote Elasticsearch machine. To migrate the remote Elasticsearch machine, run the command shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
236
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
FortiSOAR search performs indexing in an asynchronous manner in the backend. Users could face certain scenarios that could lead to a restart of services, which can cause indexing to stop. FortiSOAR might display any of the following errors when users are performing a search operation on FortiSOAR: • Search indexing is in progress. Partial results are returned. • Search indexing has stopped. You must manually rerun indexing or raise a support ticket for the same. • We are sorry, but the server encountered an error while handling your search request. Please contact your administrator for assistance. In these cases, review the falcon.log log file to check which modules are published and indexed and which modules are yet to be published.
FortiSOAR Administrator 7.3 Study Guide
237
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
The falcon log sample on this slide shows the Attachments and Emails modules currently being indexed and their total number of records. Any failure in indexing any modules is logged here. You can monitor the progress of this file while the indexing is in progress. If any modules are missing from the published list, or if the falcon.log file of a module includes Publish Module: ‘’ Unsuccessful, you must manually run the indexing for those modules using the commands shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
238
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
239
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
Good job! You now understand Elasticsearch. Now, you will learn about the FortiSOAR recommendation engine.
FortiSOAR Administrator 7.3 Study Guide
240
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating a competent understanding of the recommendation engine, you will learn how FortiSOAR leverages the Elasticsearch mechanism and FortiSOAR machine learning to improve search results and predict field values.
FortiSOAR Administrator 7.3 Study Guide
241
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
FortiSOAR is equipped with the Recommendation Engine that analyzes your existing record data using different algorithms to recommend similar records and predict and assign field values in records. It is based on finding similarities of patterns in historical data. FortiSOAR provides you with two recommendation strategies: • Elasticsearch Based Text Classification, which is based on analysis of similar records search using Elasticsearch efficient algorithms to analyze the search results. This is the default recommendation engine. • Machine Learning Based Clustering, which is based on training the machine learning (ML) engine using the data existing on your FortiSOAR instance, and it uses traditional ML supervised classification algorithms, such as Knearest Neighbors. This recommendation strategy was introduced in FortiSOAR version 7.0. A scenario in which analysts can use the recommendation engine is the case of a phishing alert being created in FortiSOAR from your email gateway. Users might click the URLs, which in turn creates multiple malware alerts from your SIEM. Separate alerts are then generated in FortiSOAR. Because FortiSOAR displays similar alerts to the alert that an analyst is working on, it provides the analyst with a complete picture of the event and makes it easier for the analyst to take remedial action. Note that records in the recycle bin will not be included in the recommendation results.
FortiSOAR Administrator 7.3 Study Guide
242
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
FortiSOAR displays records that are similar to the record which you are working on: for example, records with similar file hashes, source IP, domains, and so on, based on the similarity criteria you define. As seen in the first screenshot, the Recommendation Engine is enabled, and the Recommendation Strategy is set to Elastic Based Text Classification. This is the default recommendation strategy. On the Recommendation Settings page of a record, there are two tabs: Similar Records and Suggestions. The Similar Records tab lets you configure settings to fine tune which records you want to match. The Suggestions tab lets you define which fields will have suggestions provided. In the Similarity Criteria section, select the fields and relations to create the criteria based on which records will be displayed, such as domains, IP addresses, URLs, and so on. You can also assign weights to the selected fields by selecting the Assign Specific Weights checkbox. Use the slider to assign weights for each field from 1 to 10, with 10 being the highest value. To filter similar record suggestions, in the Filter Suggestions section, add the filter criteria. For example, if you only want to show similar records that have been created in the last year, then you can add a date filter. Note that you can define multiple criteria, and select to match either all the conditions, or any of the conditions. From the Choose Playbook list, search and select the playbooks that will be displayed on the Recommendations pane and which you can execute on similar records. In the Similarity Record Layout section, you can specify the fields of the similar records that you want to include. For example, you can select Name, Severity, Assigned To, and Status, as the fields of the similar records that should be displayed.
FortiSOAR Administrator 7.3 Study Guide
243
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
This slide shows the configuration options for the Suggestions tab. The settings configured on this page will affect which suggested field changes are shown by the recommendation engine. For example, in the screenshot Severity and Assigned To are selected in the Fields To Suggest section. When the recommendation engine returns results, it may suggest an appropriate severity level and an assignee for this particular record. You can also define different similarity criteria, optionally specify criteria weights, or choose to use the same selection as Similar Records. You can also filter suggestions to match either all the conditions, or any of the conditions.
FortiSOAR Administrator 7.3 Study Guide
244
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
Based on the similarity criteria that you have defined, the Recommendation tab displays similar records. The example alert on this slide originated from FortiSIEM, and the Source field was specified as a similarity criteria. From the images on this slide, you can see that the recommended severity is Medium and the assignee is John Smith. If you agree with the suggestions and want to make the changes in the record, click the check marks in the rows of the field, which updates or adds the field value in the record. The Playbooks drop-down list contains the list of playbooks that you specified while configuring the recommendation settings. You can select all the alerts the engine identified as similar, or select individual alerts and perform the playbook action on them.
FortiSOAR Administrator 7.3 Study Guide
245
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
If you select Machine Learning Based Clustering, you must train the ML engine using the existing data on the FortiSOAR instance. AI/ML technology can leverage past learning and similar patterns to intelligently predict values of record fields such as Assigned To and Severity. For example, for an incoming alert of type Malware, FortiSOAR can fall back to similar Malware alerts that already exist in your system and, based on the similarity in patterns, suggest values to the Assigned To and Severity fields in the new record. This saves time in a SOC because FortiSOAR now does the task of sifting through records and assigning them automatically.
FortiSOAR Administrator 7.3 Study Guide
246
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
As a best practice and for consistent results, you should have a single configuration per module. For example, make one configuration for the Alerts module, and another one for the Incidents module. To train the FortiSOAR ML Engine, do the following: 1. From the Module to train for drop-down list, select the module from which you want to select the fields for training and the fields that you want to predict. 2. From the Feature Set list, select the field(s) you want to use to predict the field values. To select multiple fields, press Ctrl and select the fields. In the case of the example shown on this slide, where you want to predict the Type and Severity fields based on the Source, select the Source field. 3. From the Verdict list, select the field(s) that you want to predict. To select multiple fields, press Ctrl and select the fields. In the case of the example shown on this slide, where you want to predict the Type and Severity fields, select the Type and Severity fields. 4. From the Date Range drop-down list, select the time range of records with which you want to populate the training set. You can select from options such as Last Month, Last 6 months, Last year, and so on. You can also select Custom and then enter a specific number of days with which to populate the training set. The Training Set Size specifies the number of records that make up the training set. However, the value that you select from the Date Range drop-down list overrides this parameter. 5. From the Algorithm drop-down list, select the ML supervised classification algorithm with which you want to predict the fields. You can choose between K-Nearest Neighbors (default) or Decision Tree. 6. In the Listener Port field, specify the port number of the socket where the ML connector will load the ML models for efficient storage and delivery. By default, this is set as 10443.
FortiSOAR Administrator 7.3 Study Guide
247
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
After you have trained your dataset, FortiSOAR starts to analyze the dataset and, based on the analysis, displays records that are similar to the record you are working on, as well as predicts the values of field records that you have added to the Verdict field. Because the dataset in the example shown on this slide is trained to predict the Severity and Type fields based on the Source field, FortiSOAR provides suggestions for those fields. If you agree with the recommendations, then click the check mark beside the field, and that populates that field in the record.
FortiSOAR Administrator 7.3 Study Guide
248
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
249
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
Good job! You now understand the FortiSOAR recommendation engine. Now, you will learn about the war room.
FortiSOAR Administrator 7.3 Study Guide
250
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating a competent understanding of the war room, you will be able to set up and operate a war room to investigate an incident.
FortiSOAR Administrator 7.3 Study Guide
251
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
War rooms enable SOC teams to get into a collaborative space to mitigate a critical cyber threat scenario or campaign. To effectively run a war room, you must be able to communicate effectively to both internal and external stakeholders. You must also be able to coordinate between teams, investigate the root cause, and resolve the problem by allocating tasks to specialists, agreeing on milestones, taking notes of technical analysis and solution proposals, and getting feedback on all points. When appropriate, you have the ability to escalate issues so that the management team can decide on the next course of action. Starting from version 7.2.0, the incident response modules have been moved to the SOAR Framework Solution Pack, which also includes war rooms. If the solution pack has not been installed, you can find it on the Content Hub.
FortiSOAR Administrator 7.3 Study Guide
252
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
FortiSOAR provides you with the war room framework and allows you to define policies to achieve the functionality required to effectively run the war room. The process that is generally followed for threat mitigation is: 1. Create a response team who will be owners tasked with responding to the threat. In a FortiSOAR war room record, on the Dashboard screen, you can create a response team easily and add or remove users or teams, or both. 2. Create a task list of all activities that the team must usually perform to respond to a threat and assign them to appropriate members of the response team. You can do this on the Task Management tab in the war room record. 3. Investigate the threat or incident to find out the root cause and provide the mitigation for the threat. On the Investigate tab, you can look at related incidents, alerts, indicators, and the assets involved in the investigation. This enables you to look at the bigger picture and assist in investigating and mitigating the threat. 4. Timely threat reporting to stakeholders is important. On the Communication tab in a war room record, you can view the summary and current status of this threat, send email updates, specify the next steps, and make notes about actions taken. In the top screenshot, you can see the four tabs Dashboard, Task Management, Investigate, and Communication corresponding to the four steps shown on this slide. To create and use war rooms, you need CRUD permissions on the War Rooms module. Note that war rooms have their own RBAC settings. You can further define which elements of war rooms can be edited, read-only, or inaccessible.
FortiSOAR Administrator 7.3 Study Guide
253
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
The war room record opens on the Dashboard tab, which contains the summary of the incident. This is where you can create the response team and assign ownership of the incident to specific users or teams. After you finish setting up the war room, click Go Live to open a window. Optionally, you can add an external collaboration link to collaborate with stakeholders that are not part of FortiSOAR, and then click Go Live again. The Dashboard tab contains details of the incident, such as the description and current status of the incident, time elapsed, assets impacted, and the threat types. It also contains the incidents, alerts, indicators, and artifacts that are related to this incident. The Info Center section contains information, such as who launched or set up the war room, when the war room became active, and the conference bridge and collaboration details. It also contains the details of the response team, which are teams and users designated as owners of this war room. Use the Communication tab to view the summary of the incident, attach or send announcements associated with this threat, and define next steps. You can also link or send announcements to all the members of the response team.
FortiSOAR Administrator 7.3 Study Guide
254
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
Once you click Go Live, the status of the war room changes from Draft to Active, notifications are sent to all the members of the war room, and the incidents that are linked to the war room display the active war room in the header widget. Use the Task Manager tab to manage all tasks related to the war room. You can create a task list and manage task assignments and track tasks until their completion. The Task Manager contains various tasks that are grouped by fields, such as the Status of the task. In the example shown on this slide, an urgent task is assigned to user John Smith. This task then appears in the Assigned column. You can also leave a comment for John Smith in the Workspace notifying him of the task. The Workspace panel is a collapsible panel on the right side of the detail view. On the Workspace panel, stakeholders can collaborate by adding comments to the record. This enables participation of various stakeholders and team members across the organization. You can add mentions or tag users in comments using the @ symbol, and then select the users from the displayed list. Users who are tagged are notified of their mentions by email.
FortiSOAR Administrator 7.3 Study Guide
255
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
Use the Investigate tab to investigate the incident and perform root cause analysis. It contains all the records and evidence linked to that specific incident, giving you a complete picture of all the events that led to the security threat. The Investigate tab contains an Artifacts tab that contains a graphical representation of all the records that are linked to this incident. The Investigate tab also contains an Evidences tab, where you can view all evidence related to the threat. You can investigate the war room by executing connector actions directly on the war room record. In the example shown on this slide, a Get Domain Reputation action was directly run with the VirusTotal connector on this record. Because the result of the action has an impact on this threat, it is tagged as Evidence, which then is added to the Evidences tab. You can also manually upload evidence on this tab.
FortiSOAR Administrator 7.3 Study Guide
256
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
After you complete the investigation into the incident, you can set the status of the war room to Closed. You can generate a War Room Summary Report from FortiSOAR or email the summary report as an attachment to the response team. Click the Timeline tab to view a historical timeline for the current war room, which displays the chronological history of all the activities that were performed in the war room.
FortiSOAR Administrator 7.3 Study Guide
257
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
258
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
Good job! You now understand the war room. Now, you will learn about the FortiSOAR upgrade process.
FortiSOAR Administrator 7.3 Study Guide
259
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in upgrading FortiSOAR, you will be able to upgrade a FortiSOAR instance in standalone mode or in an HA cluster.
FortiSOAR Administrator 7.3 Study Guide
260
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
Before you upgrade your FortiSOAR version, there are a few prerequisites that you must meet. Ensure that you can connect to globalupdate.fortinet.net; otherwise, the license deployment fails. You can choose to upgrade your instance without connectivity to globalupdate.fortinet.net. However, your license will not be deployed. Connectivity to this FQDN is required for fetching the license entitlements and product functioning after the upgrade. It is recommended that you clean up unnecessary playbook execution run history to optimize the overall upgrade time. If you do not clean up the historical logs for playbooks, it might lead to issues during the upgrade, such as playbooks not getting listed in the executed playbooks log, and so on. You should also let active playbooks finish, and stop all data ingestion playbooks and other schedules prior to upgrading. You must take a VM snapshot of your current system. In case of an upgrade failure, these VM snapshots will allow you to revert to the latest working state. It is highly recommended that you take a backup of the FortiSOAR built-in connectors’ configuration, such as SSH, IMAP, database, utilities, and so on. The configuration of your FortiSOAR built-in connectors might be reset if there are changes to the configuration parameters across versions. Ensure that the SSH session does not time out by entering tmux mode. Refer to Linux documentation on how to use the tmux command. Ensure that repo.fortisoar.fortinet.com is reachable from your VM. If you are connecting using a proxy, then ensure that you set up proxy details using the csadm network command and that repo.fortisoar.fortinet.com is allowed in your proxy. You can find the upgrade path documentation for different versions on docs.fortinet.com. It is essential to review your starting version and identify if you can upgrade to your target version directly, or if you need to go through more than one hop.
FortiSOAR Administrator 7.3 Study Guide
261
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
Workflow execution history persists extensively in the database for debugging and validating the input and output of playbooks at each step. A very large execution history can build up, consuming extra disk space. This could increase the time required for upgrading FortiSOAR. To delete the workflow run history but keeping the last specified number of entries, run the command shown on this slide as the root user. It is highly recommended that you set up cleaning of the workflow execution history using a weekly cron schedule. To set up a weekly schedule to delete the workflow history, you have to add a cron expression entry in the /etc/crontab file per your requirements. The command to edit a cron job is crontab -e. The slide shows an example entry in the /etc/crontab file that will schedule a workflow execution history cleanup for every Saturday night and delete all workflow run history apart from the last 1000 entries.
FortiSOAR Administrator 7.3 Study Guide
262
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
Note that running the command shown on the previous slide deletes the workflow entries but does not release the disk space back to the OS. The space is still reserved for the Postgres process. This is the desired behavior, and no further action is required if the execution history cleanup is scheduled because the Postgres process would need the freed-up disk space to store further workflows. If, however, you also want to reclaim disk space for backups, restores, or other activities, you must also run a full vacuum on the database. The commands to accomplish this are shown on this slide. There is also a scenario where the cleandb command might fail. If you do not regularly schedule the workflow execution cleanup, and you are deleting a very large set of entries at once, they may fail to load into memory. In this case, run the commands shown on the slide to do the cleanup in batches.
FortiSOAR Administrator 7.3 Study Guide
263
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
This slide shows the commands you need to run to download the upgrade installer. You must be able to connect over SSH to the FortiSOAR VM, and you will need root access.
FortiSOAR Administrator 7.3 Study Guide
264
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
After the installer download completes, run the upgrade installer using the following commands shown on this slide. The FortiSOAR upgrade installer checks the boot partition for disk space, and if the partition has insufficient space, then the upgrade installer exits after displaying an appropriate error message. The boot partition contains kernel-related files which are used during boot. If you need to clean up the boot partition while upgrading FortiSOAR, run the commands shown on this slide. The FortiSOAR upgrade installer also checks the pgsql disk space to ensure that there is sufficient disk space. If there is not enough disk space for pgsql, the upgrade installer also exits in this case. To resolve this, you must increase the partition size for pgsql. After you upgrade the FortiSOAR instance, you will be logged out of the FortiSOAR GUI.
FortiSOAR Administrator 7.3 Study Guide
265
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
This slide shows the two methods of upgrading an existing FortiSOAR instance to 7.3.0. The upgrade process is different when going to 7.3.0 because the underlying operating system has changed. Note that the supported migration paths are from FortiSOAR 7.2.1 or 7.2.2 on RHEL 7.0 or Centos 7.9. If your FortiSOAR environment is older than 7.2.1, follow the previous slides to upgrade to the required version. You must follow a supported upgrade path, which can be identified at docs.fortinet.com. The first method requires you to deploy a new FortiSOAR 7.3.0 instance on either Rocky Linux 8.6 or RHEL 8.6. After that, you will need to migrate existing data into the new environment using the script shown on this slide. You will need to export the data, transfer the TGZ file onto the new instance, and then import the data. The second method is an in-place method. You can download the second file from the FortiSOAR repository listed on this slide. Ensure that you have stopped all workflow schedules, data ingestion, and other scheduled jobs prior to upgrading. Check that the Playbook appliance has create and read permissions on the Widgets module. It is important to take backup snapshots prior to starting the upgrade. Ensure there are at least 2 GB free in /opt and /var.
FortiSOAR Administrator 7.3 Study Guide
266
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
This slide shows the steps you must follow to upgrade a FortiSOAR cluster. Note that the procedure to upgrade an active-passive and an active-active cluster is the same. For the purposes of a cluster upgrade procedure, assume the following: • Node A is the active primary node. • Node B is the passive secondary node. • Both nodes are installed behind a reverse proxy or load balancer. Keep in mind that you must allow approximately 30 minutes of downtime, per node, for the upgrade. Before you can upgrade an active-active HA cluster, you must first configure the reverse proxy or load balancer to pass requests only to node A. This ensures that all requests to the FortiSOAR cluster are passed only to node A, which frees up node B for you to upgrade. Log in using SSH to node B with the root user, and use the csadm ha leave-cluster command. This makes node B a standalone device. Upgrade node B by following the same upgrade procedures for a standalone device. After the node B upgrade completes, you can upgrade node A. It is important to note that the upgrade of node A incurs downtime. After you upgrade both nodes, return to node B and run the join-cluster command to set up the cluster. Lastly, reconfigure the reverse proxy or load balancer to handle requests from both node A and node B.
FortiSOAR Administrator 7.3 Study Guide
267
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
268
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiSOAR Administrator 7.3 Study Guide
269
Searching, War Rooms, and Upgrading
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned how FortiSOAR uses Elasticsearch, as well as how to configure the recommendation engine. You also learned how to use a war room to mitigate a malicious incident and upgrade a standalone or cluster of FortiSOAR instances.
FortiSOAR Administrator 7.3 Study Guide
270
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
In this lesson, you will learn how to monitor the FortiSOAR database, system resources, and services. You will also learn how to troubleshoot various issues on FortiSOAR.
FortiSOAR Administrator 7.3 Study Guide
271
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the topics shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
272
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in monitoring FortiSOAR, you will learn how to monitor various system resources, database accuracies, and services on FortiSOAR.
FortiSOAR Administrator 7.3 Study Guide
273
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
To help maintain a robust SOAR environment, you can set up system monitoring and purging of audit and playbook logs as part of your initial deployment and configuration process. You can also set up system monitoring for FortiSOAR for both single and HA deployments. Email notifications can be sent if any FortiSOAR service fails, or if any monitored thresholds are exceeded, such as for CPU, memory, or disk utilization. In the case of HA clusters, you can also monitor for, and get notified of, heartbeat failures and high replication lag between the cluster nodes. Implementing effective application monitoring offers: • Increased server, services, and application availability • Faster detection of network outages and protocol failures • Faster detection of failed services, processes, and scheduled jobs
FortiSOAR Administrator 7.3 Study Guide
274
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
FortiSOAR includes a default system monitoring dashboard, the System Health Status dashboard, which allows you to monitor various FortiSOAR system resources and services. The following types of system monitoring are available in the System Monitoring widget: • CPU Usage • Virtual Memory Usage • Swap Memory Usage • Disk Space Usage • Service Status
FortiSOAR Administrator 7.3 Study Guide
275
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
The Service Status widget displays the status of all FortiSOAR services. Services that are available are displayed with a green circle. If any service is down, then that service will be displayed with a red warning symbol. The Connector Health Status widget tracks the health of all the configurations of all the configured connectors. Each connector configuration row displays the number of configurations that are being monitored. For example, in the image shown on this slide, all the connectors displays 1 Configuration Monitored status. If any of the configurations of a connector is unavailable, then the widget displays Unavailable in red and the Health Check Status also displays Unavailable. For example, in the image shown on this slide, the configuration of the Symantec ATP connector is Unavailable. To view the details of this status, click the down arrow icon on the connector row, to display the Health Check Status of that configuration. In the example shown on this slide, the Symantec ATP connector Health Check Status displays Disconnected. You can hover over the warning icon to see the reason for the disconnection. If any connector is deactivated, then it appears as Deactivated in red and the Health Check displays as Deactivated.
FortiSOAR Administrator 7.3 Study Guide
276
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
Use the utilization widgets to display the utilization of various FortiSOAR system resources. Utilization widgets include CPU utilization, Disk Space Utilization, Memory Utilization, and so on. You can configure these widgets in a similar manner and use them to display the utilization of various FortiSOAR system resources. The Threshold Percentage setting specifies the percentage after which you want to take some corrective action. On the dashboard, the widgets indicate in red when the threshold is reached or exceeded. Similarly, the widget displays green, yellow, or amber according to the threshold value. You can reach this dashboard editing interface by clicking on the icon depicted on this slide.
FortiSOAR Administrator 7.3 Study Guide
277
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
The advantage of having the System Health Status Dashboard is that users with access to the dashboard can check the various system usage levels without them having administrative access. You can also define various thresholds for each system resource and, if these thresholds are reached, you can take corrective action. For users who must monitor the health of FortiSOAR but might not need access to other areas of FortiSOAR such as playbooks, incident management, and triage, you can configure role-based access to the System Health Status Dashboard.
FortiSOAR Administrator 7.3 Study Guide
278
System Configuration
DO NOT REPRINT © FORTINET
To receive email notifications of any FortiSOAR service failure, or monitored thresholds exceeding the set threshold, select Enable Notification in the System & Cluster Health Monitoring section. In the Service field, select the service you want to use for notifications. You can choose between SMTP or Exchange. In the Email field, specify the email address that is notified in case of any service failures, threshold breaches, and so on. The SMTP or Exchange connector must be configured before notifications will work. In the Monitoring Interval (Minutes) field, specify the interval in minutes at which you want to monitor the system and perform the health check of the HA cluster. By default, the system is monitored every 5 minutes. In the System Health Thresholds section, you can set the thresholds, in percentages, for Memory Utilization (80% by default), CPU Utilization (80% by default), Disk Utilization (80% by default), and Swap Memory Utilization (50% by default). You can also set the Workflow Queue Threshold, which is related to the celery queue size, and WAL Files Size, which is related to the database’s write-ahead logs. If the thresholds set are reached for any of the monitored parameters, the system sends an email notification to the specified email addresses.
FortiSOAR Administrator 7.3 Study Guide
279
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
As the root user, you can verify FortiSOAR services from the CLI. To manage all FortiSOAR services, run the csadm services command shown on this slide. The csadm commands pertain to all services. For example, if you use the restart option, all services will restart. The same applies to the start, stop, and status options. When you run the csadm services command, the status of FortiSOAR services display with a background color so that you can quickly and easily identify which services are running and which are not running. The status of services that are running display a green background, and the status of services that are not running display a red background.
FortiSOAR Administrator 7.3 Study Guide
280
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
To manage the status of individual FortiSOAR services, run the systemctl status command shown on this slide. For example, to see the status of the cyops-search service, use the systemctl status cyops-search command. This displays information about the process, including if it is active, its process ID, and more. If you want to start, stop, or restart individual services, you can use the systemctl commands shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
281
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
If you need to view the status of the PostgreSQL database, or the Elasticsearch database, use the commands shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
282
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
You can run the commands shown on this slide to monitor disk space utilization, as well as CPU and memory usage. The df command reports how much disk space your environment is using. The grep and awk commands are used to filter the output to make it easier to read, but they are not mandatory. The ps command allows you to view information related to processes. You can also see the RAM and swap memory usage by running the free –m command.
FortiSOAR Administrator 7.3 Study Guide
283
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
284
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
Good job! You now understand how to monitor FortiSOAR. Now, you will learn about the FortiSOAR logs, services, and processes.
FortiSOAR Administrator 7.3 Study Guide
285
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in logs, services, and processes, you will learn about the list of logs for troubleshooting FortiSOAR, and how to set different levels of logging. You will also learn about key FortiSOAR services and processes.
FortiSOAR Administrator 7.3 Study Guide
286
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
FortiSOAR generates different types of log files for different subsystems. The table shown on this slide lists the various log files contained in the /var/log/cyops directory or subdirectories and their purpose. You can use the appropriate log file to gather more information about any errors or events that happen during FortiSOAR operations. Note that the table contains relative paths for subdirectories in /var/log/cyops, and not absolute paths.
FortiSOAR Administrator 7.3 Study Guide
287
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
This slide lists more of the different log files FortiSOAR generates for various subsystems in the /var/log/cyops/ directory. Note that the upgrade log file is contained within the main directory.
FortiSOAR Administrator 7.3 Study Guide
288
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
Use the tomcat.log file to troubleshoot issues related to audit logs. The location of the log file is shown on this slide. To troubleshoot operating system level errors, view the message logs located at /var/log/messages. There are various logs to help you troubleshoot issues related to dedicated tenant nodes or FortiSOAR agents. The log file names and their directory path are shown on this slide.
You can set five different severity levels for the log files: • • • • •
DEBUG: low-level system information for debugging purposes INFO: general system information WARNING: information describing a minor problem that has occurred ERROR: information describing a major problem that has occurred CRITICAL: information describing a critical problem that has occurred
FortiSOAR Administrator 7.3 Study Guide
289
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
The various log files have different log severity level parameters. This slide lists a few of them. For sealab or workflow logs, modify the config.ini file in the cyops-workflow directory shown on this slide. You must configure the WORKFLOW_LOG_LEVEL parameter to the required logging level. For example, WORKFLOW_LOG_LEVEL = 'INFO'. After the change you must restart the uwsgi service. For integrations, modify config.ini file in the cyops-integrations directory. You must set the connector_logger_level parameter to the required logging level. After the change you must also restart the uwsgi service. For celery, modify the celeryd.conf file in the celery directory shown on this slide. After the change you must restart the celeryd service. For nginx (GUI), API, or PHP, modify the config_prod.yml file in the nginx directory shown on this slide. You must modify the level parameter to the required logging level. After the change you must restart nginx using the command shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
290
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
This slide contains a list of all key FortiSOAR services and processes that make FortiSOAR functional.
FortiSOAR Administrator 7.3 Study Guide
291
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
This slide is a continuation of the list of key FortiSOAR services and processes that make FortiSOAR functional.
FortiSOAR Administrator 7.3 Study Guide
292
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
Starting from 7.0.0, it is possible to collect FortiSOAR log files from the GUI. On previous versions, the CLI is the only way to collect logs. To do so, click the FortiSOAR dialog box near the lower-left corner of the GUI. On the release version menu, click on the Download Logs button. There is an option to specify a password to protect the log file. Only users who have the shared password can access the log files. The downloaded file exists in the TAR.GZ format.
FortiSOAR Administrator 7.3 Study Guide
293
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
It is useful to also know how to collect log files using the CLI in case of any issues with the GUI itself. To collect all the previously mentioned log files using a single command, run the csadm command listed on this slide. If no target directory is specified, the present working directory is used instead. Note that the command requires elevated privileges. Once the file has been downloaded, you can optionally transfer the file from the FortiSOAR node onto a local machine, such as by using an SFTP client. Note that you may need to change permissions on the file in order to transfer it. For example, you may need to run the command chmod on the file. To extract the contents of the file, run the tar command listed on this slide. After the file has been extracted, you can find most service directories in fortisoar-logs/var/log/; however, the tomcat logs are in fortisoar-logs/opt/cyops-tomcat/logs.
FortiSOAR Administrator 7.3 Study Guide
294
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
295
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
Good job! You now understand logs, services, and processes on FortiSOAR. Now, you will learn about troubleshooting various FortiSOAR issues.
FortiSOAR Administrator 7.3 Study Guide
296
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in troubleshooting FortiSOAR, you will learn about the importance of licenses and users on FortiSOAR, and how to configure them.
FortiSOAR Administrator 7.3 Study Guide
297
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
FortiSOAR displays meaningful messages and troubleshooting tips during the license deployment process, and also validates the license, making it easier for you to debug issues. Also, if your connection to FDN is through a proxy, you must update the proxy’s settings. If you have a subscription-based license, then the number of users and expiry date are not present inside the license. You must sync them from FDN after the installation. The License has expired message after installation occurs because of the following two reasons: • Sync with FDN failed • Sync was successful but you provided the wrong contract information. To verify run the java command shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
298
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
If you have an evaluation or perpetual license, then the number of users and expiry date are present inside the license. If a license deployment failure occurs for these types of licenses, then check the license information using the csadm license command shown on this slide. After deploying the license, if the system is still not reachable, restart the cyops-auth service and then investigate the fdn.log and das.log files. To find a node’s UUID, which uniquely identifies the FortiSOAR instance, you can use the License Manager in the GUI, or run the --get-device-uuid command.
FortiSOAR Administrator 7.3 Study Guide
299
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
If your connector's configuration or action fails, you can check the connector logs located in the connectors.log file. You can optionally run a tail -f to see new logs as you test the problematic connector. As mentioned previously in this lesson, you can also increase the logging level of the integrations configuration file by changing the connector_logger_level parameter. After changing the logging level, you must restart the uswgi service.
FortiSOAR Administrator 7.3 Study Guide
300
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
The max_reset_attempts parameter defines the maximum number of times users can click the Reset Password link before actually resetting their password. By default this is set to 10 times If the user exceeds the value in password reset attempts, then they will not receive a new link to reset their password until a specified time expires, which is defined in the reset_locktime parameter. To modify the max_reset_attempts parameter, you must run the curl command shown on this slide. The command changes the number of times users can click the Reset Password link to 5 times, that is, a user can click the Reset Password link five times without actually configuring their new password. However, if the user clicks the Reset Password link for the sixth time, the user will be blocked.
FortiSOAR Administrator 7.3 Study Guide
301
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
The reset_locktime parameter defines the time period, in hours, a user is locked out from resetting their password after they exceed the max_reset_attempts value. By default, this is set to 12 hours. To change the value of the reset_locktime parameter, you must run the curl command shown on this slide. The command changes the number of hours that a user will be locked out from receiving a reset password link to two hours. This lock out will trigger only if they have exceeded the value defined in the max_reset_attempts parameter.
FortiSOAR Administrator 7.3 Study Guide
302
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
You can manage account lockout timers under the Failed Authentication section on the Account Configuration page. The Maximum Failed Login Attempts setting specifies the number of times users can enter an incorrect password while logging into FortiSOAR before their account gets locked. By default, this is set to 5 attempts. The Account Unlock Time setting specifies the duration, in minutes, user accounts are automatically unlocked after exceeding the number of failed login attempts. By default, this is set to 30 minutes.
FortiSOAR Administrator 7.3 Study Guide
303
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
If you get any errors while performing a global search in FortiSOAR, check that the elasticsearch and the cyops-search services are running. If these services are not running, then start them using the commands shown on this slide.
FortiSOAR Administrator 7.3 Study Guide
304
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
By default, FortiSOAR configures Elaticsearch to use 4 GB of RAM. If there are too many records, or if there are very heavy records, the system might eventually crash with outof-memory errors. To fix this, you must increase the memory allocated to Elasticsearch. In the /etc/elasticsearch/jvm.options file, change the -Xms4g and -Xmx4g parameters to a higher value based on the available memory on your server. After this change, restart the Elasticsearch service.
FortiSOAR Administrator 7.3 Study Guide
305
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
When the primary data in the system becomes large (for example, when you have more than one million alerts) you might notice that the system is slow to respond. The slowness can be caused due to database queries taking longer with the increased database size. You can fine-tune this behavior by increasing the shared buffer and worker memory for Postgres. Increase the shared_buffers and work_mem parameters in the postgresql.conf file. The directory path for the file is shown on this slide. After editing the file, restart the postgresql-14 service.
FortiSOAR Administrator 7.3 Study Guide
306
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
FortiSOAR Administrator 7.3 Study Guide
307
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiSOAR Administrator 7.3 Study Guide
308
System Monitoring and Troubleshooting
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned how to set up monitoring of FortiSOAR services and resources. You also learned how to troubleshoot various issues in FortiSOAR.
FortiSOAR Administrator 7.3 Study Guide
309
DO NOT REPRINT © FORTINET
No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet Inc., as stipulated by the United States Copyright Act of 1976. Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.