Quick Start

7.2.0

This section includes the following information to help you get started with using FortiSOAR MEA:

Enabling the FortiSOAR MEA

FortiManager provides access to a FortiSOAR MEA application that is released and signed by Fortinet.

Note

Only root users or users with sudo permissions can enable management extensions.

Enabling the FortiSOAR MEA using the FortiManager GUI

  1. Ensure you are using ADOM version 6.4 or later.
  2. Log on to FortiManager and navigate to Administration > System Settings > Management Extensions.
  3. Click the grayed-out tile for FortiSOAR MEA to enable the application.
  4. Click OK on the confirmation dialog to install and open the FortiSOAR MEA.
    Note: It may take some time to install the application. Also, note that on the first boot of FortiSOAR MEA, the Configuration Wizard runs automatically and performs the initial configuration steps for FortiSOAR MEA, such as enabling the embedded (default) Secure Message Exchange (SME), installing the trial license, etc. All of these steps take some time for completion.

Enabling the FortiSOAR MEA using the CLI

  1. Log in to FortiManager using SSH.
  2. Enable the FortiSOAR MEA using the following commands:
    FMG-VM64 # config system docker
    (docker) # set status enable
    (docker) # set fortisoar enable
    (docker) # end

You can check the status of the FortiSOAR MEA using the following command:
FMG-VM64 # diagnose docker status

Licensing FortiSOAR MEA

Once the FortiSOAR MEA extension is enabled, a trial FortiSOAR experience is activated. The FortiSOAR MEA is shipped with a Trial (Extension) license by default, and you do not need to install any additional license to use FortiSOAR MEA on FortiManager. The trial mode is limited to 2 users, who can use FortiSOAR MEA for a maximum of 300 actions a day.

Note

Important steps such as "Create Records", "Update Records", "Find Records", "Connection Actions", etc., are counted towards the maximum action count limit of 300. However, steps used for data manipulation such as "Wait", "Approval", "Loops", "Reference a Playbook", etc. are not counted towards the action count restriction.

For more extensive usage without the action count limit and to enable more users, you can update the trial license at any time to a FortiSOAR license. However, since the trial license is an "Enterprise" type license, you can only deploy a FortiSOAR license of type "Enterprise" using the FortiSOAR UI.

To update the Trial (Extension) license to a FortiSOAR license:

  1. Log on to FortiSOAR.
  2. Click Settings > License Manager to open the License Manager page.
  3. To update your license, click Update License and either drag-and-drop your updated license or click and browse to the location where your license file is located, then select the file and click Open.

For detailed information on deploying the FortiSOAR "Enterprise" license, see the Licensing FortiSOAR chapter in the "Deployment Guide."

Note

Administration credentials are needed for deploying subsequent FortiSOAR licenses. However, for FortiSOAR running as a FortiManager extension, the FortiManager session is used to validate users; therefore, users do not need to enter credentials while uploading the FortiSOAR license.

Accessing FortiSOAR MEA using SSH

If you SSH to FortiSOAR MEA on FortiManager for the first time, then you must accept the FortiSOAR MEA EULA. To accept the EULA on the FortiManager CLI, do the following:

  1. Log in to FortiManager using SSH.
  2. Ensure that the FortiSOAR MEA extension is enabled. For more information, see the Enabling the FortiSOAR MEA using the CLI section.
  3. Get the FortiManager root prompt by running the execute shell command.
  4. Run the following command:
    docker exec -ti -u csadmin fortisoar_fortisoar_1 bash -l
    This command will ask you to accept the EULA. You must accept the EULA before you can proceed to the FortiSOAR MEA Configuration Wizard.
    After you accept the EULA and the Configuration Wizard has run, you can perform various operations on the FortiManager CLI, such as checking the status of the FortiSOAR MEA using the FortiSOAR Admin CLI (csadm). For example, to check the status of services, run the csadm services --status command. For more information on 'csadm', see the FortiSOAR™ Administration Guide.

FortiSOAR MEA usage

Note

All users get created as 'admin' users when they log onto FortiSOAR MEA for the first time, as only admin users have access to FortiSOAR MEA on FortiManager.

By default, the SOAR Framework Solution Pack (SP) is installed on FortiSOAR MEA. The SOAR Framework Solution Pack (SP) is the Foundational Solution Pack that creates the framework, including modules, dashboard, roles, widgets, etc., required for effective day-to-day operations of any SOC. From release 7.2.0 the Incident Response modules, i.e., Alerts, Incidents, Indicators, and War Rooms are not part of the FortiSOAR MEA platform, making it essential for users to install the SOAR Framework SP to optimally use and experience FortiSOAR MEA’s incident response. For detailed information about the SOAR Framework SP, see the SOAR Framework SP documentation.

Note

In release 7.2.0 the SOAR Framework Solution Pack is installed by default on your FortiSOAR MEA system.

Backing up and restoring FortiSOAR MEA configurations

When FortiSOAR MEA is enabled and you perform a backup of FortiManager using its UI, the FortiSOAR MEA configurations are also backed up. You can then use these backed-up configurations to restore the FortiSOAR MEA configuration.

Note

Only FortiSOAR MEA configurations are backed up; FortiSOAR MEA data is not backed up. To back up and restore both the configurations and data of FortiSOAR MEA, use the csadm db command. For more information, see the Backing up and Restoring FortiSOAR chapter in the "Administration Guide."

Troubleshooting issues faced in FortiSOAR MEA

The default Trial (Extension) license does not get installed

There might be cases when your default Trial (Extension) license does not get installed or you face an issue with license synchronization during deployment.

Resolution

Upload your license using the FortiSOAR UI and once the license is uploaded, you can install the license. If you are still facing a synchronization issue, click the Retry Sync button on the UI.

First and last name of LDAP users are repeated for successive logins by different LDAP users after the first login

Once administrators have configured LDAP on FortiManager and added users from LDAP, FortiManager has both native and LDAP users. When users then log in to FortiSOAR MEA using FortiManager, they might see that the first name and last name of the first LDAP user who logs in are set correctly; however, the first and last names of all LDAP users who log in after the first login are set to the first name and last name of the first LDAP user.

Resolution

Once administrators have created LDAP users on FortiManager, they must edit each user profile on FortiManager and clear the Match all users on remote server checkbox.
