
User Guide

Generic

Before you initiate discovery, you should configure the Discovery Settings in your Supervisor as required for your deployment.

  1. Go to Admin > Settings > Discovery > Generic tab.
  2. Enter the following information under the Generic Settings section. In an SP deployment, you must define all of these settings for each Organization by logging in to the Organization directly.
  3. Configure each setting as described below.

    Setting: Virtual IPs
    A common virtual IP address often exists on multiple machines for load-balancing and fail-over purposes. When you discover devices, you must have these virtual IP addresses defined within your discovery settings for two reasons:
    • Listing the virtual IP addresses ensures that two or more devices with the same virtual IP will not be merged into one device during device discovery, so each of the load-balanced devices maintains its separate identity in the CMDB.
    • The virtual IP will not be used as an access IP during discovery, since the identity of the device reached via the virtual IP is unpredictable.

    Enter the Virtual IP and click + to add more, if required.

    Setting: Excluded Shared Device IPs
    An enterprise often has servers that share credentials, for example mail servers, web proxies, and source code control servers, and a large number of users authenticate to these servers to access their services. Providing a list of the IP addresses for these servers allows FortiSIEM to exclude them from user identity and location calculations in the Analytics > Identity and Location report.
    For example, suppose user A logs on to server B to retrieve mail, and server B authenticates user A via Active Directory. If server B is not excluded, the Analytics > Identity and Location report will contain two entries for user A: one for the workstation that A logs into, and one for server B. You can eliminate this behavior by adding server B to the list of Server IPs with shared credentials.

    Enter the Excluded Shared Device IPs and click + to add more, if required.

    Setting: Virtual Device Hardware Serial Numbers
    If two or more devices have the same hardware serial number, specify it here. In general, the hardware serial number is used to uniquely identify a device, so two devices with an identical hardware serial number are merged into a single device in the CMDB. If a hardware serial number is present in the Virtual Hardware Serial Numbers list, it is excluded for merging purposes.

    Enter the Virtual Device Hardware Serial Numbers and click + to add more, if required.

    Setting: Allow Incident Firing on
    This setting allows you to control incident firing based on approved device status.
    If the Approved Devices Only option is selected, the following logic is used:
    (a) If at least one Source, Destination or Host IP belongs to an approved device, the incident triggers.
    (b) Else, if at least one incident reporting device is approved, the incident triggers.
    (c) Else, the incident does not trigger.
    Note: System devices (Super, Worker, and Collectors) are always considered approved devices. In other words, incidents fire for these system devices even if the Approved Devices Only option is selected.

    Select All Devices or Approved Devices Only accordingly.
  4. Click Save.
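The following Python model is an added illustration, not FortiSIEM code: it reproduces the documented decision rules for the Generic settings above (virtual IPs and virtual serial numbers excluded from device merging, virtual IPs never used as access IPs, shared-credential servers dropped from identity/location entries, and the (a)/(b)/(c) incident firing logic with system devices always approved) so you can check how a given setting changes the outcome before saving it. All device names, IP addresses and serial numbers are constructed sample data.

```python
"""Model of the FortiSIEM Generic discovery settings (added example, not product code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

SYSTEM_ROLES = {"Super", "Worker", "Collector"}  # always treated as approved


@dataclass
class DiscoverySettings:
    virtual_ips: set = field(default_factory=set)
    excluded_shared_device_ips: set = field(default_factory=set)
    virtual_serial_numbers: set = field(default_factory=set)
    approved_devices_only: bool = False  # False == "All Devices"


@dataclass
class Device:
    name: str
    ips: set
    serial: Optional[str] = None
    approved: bool = False
    system_role: Optional[str] = None  # "Super", "Worker", "Collector" or None


def merge_keys(device: Device, settings: DiscoverySettings) -> set:
    """Identity keys used to decide whether two discovered devices are the same
    machine. Virtual IPs and virtual serial numbers are left out, so
    load-balanced peers that share them keep separate CMDB entries."""
    keys = {("ip", ip) for ip in device.ips - settings.virtual_ips}
    if device.serial and device.serial not in settings.virtual_serial_numbers:
        keys.add(("serial", device.serial))
    return keys


def should_merge(a: Device, b: Device, settings: DiscoverySettings) -> bool:
    """Two devices merge when they share at least one non-virtual identity key."""
    return bool(merge_keys(a, settings) & merge_keys(b, settings))


def access_ips(device: Device, settings: DiscoverySettings) -> list:
    """IPs discovery may use to reach the device: never a virtual IP."""
    return sorted(device.ips - settings.virtual_ips)


def identity_location_entries(logons: list, settings: DiscoverySettings) -> list:
    """Keep (user, host_ip) logon records except those against shared-credential
    servers, so a user is attributed to the workstation, not the mail server."""
    return [(u, h) for u, h in logons if h not in settings.excluded_shared_device_ips]


def is_approved(device: Device) -> bool:
    return device.approved or device.system_role in SYSTEM_ROLES


def incident_fires(settings: DiscoverySettings, cmdb: dict, src_ip: Optional[str],
                   dst_ip: Optional[str], host_ip: Optional[str],
                   reporting_devices: list) -> bool:
    """Apply the Allow Incident Firing rule. cmdb maps IP -> Device."""
    if not settings.approved_devices_only:
        return True  # "All Devices": every incident fires
    # (a) any approved Source, Destination or Host IP
    for ip in (src_ip, dst_ip, host_ip):
        dev = cmdb.get(ip) if ip else None
        if dev is not None and is_approved(dev):
            return True
    # (b) any approved reporting device (system devices count as approved)
    if any(is_approved(r) for r in reporting_devices):
        return True
    # (c) otherwise suppress
    return False


if __name__ == "__main__":
    s = DiscoverySettings(virtual_ips={"10.0.0.100"}, excluded_shared_device_ips={"10.0.0.25"},
                          virtual_serial_numbers={"VMW-0000"}, approved_devices_only=True)
    web1 = Device("web1", {"10.0.0.11", "10.0.0.100"}, serial="VMW-0000", approved=True)
    web2 = Device("web2", {"10.0.0.12", "10.0.0.100"}, serial="VMW-0000")
    print("merge web1/web2:", should_merge(web1, web2, s))      # False
    print("access IPs web1:", access_ips(web1, s))              # ['10.0.0.11']
    cmdb = {ip: d for d in (web1, web2) for ip in d.ips}
    print("fires (unapproved only):", incident_fires(s, cmdb, "10.0.0.12", None, None, [web2]))  # False
```

Run it as a script to see the three sample decisions; each helper is pure, so the same functions can be driven from a test with your own device inventory.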