
Monitoring and Maintaining FortiSOAR Cloud

FortiSOAR Cloud offers users the convenience of using FortiSOAR without the need to provision a VM in their environment. From release 7.6.0 onwards, FortiSOAR offers a more integrated and streamlined experience for users in the cloud. Fortinet provides proactive monitoring for FortiSOAR Cloud instances. This means that the system is continuously monitored to detect and address issues before they impact the user. A fortisoar_support user from Fortinet with SSH access is added to all FortiSOAR Cloud instances. This access allows the support team to address the monitored alerts, perform upgrades, and assist with investigation and troubleshooting. These enhancements aim to improve operational efficiency in managing and monitoring FortiSOAR Cloud instances.

Key updates include:

  • Addition, by default, of a fortisoar_support user with 'Root SSH' access to FortiSOAR Cloud instances.
  • Addition of all FortiSOAR Cloud customer instances to the FortiSOAR support group for monitoring.
  • Installation and configuration of a FortiMonitor agent in all FortiSOAR Cloud instances.
  • Option provided to customers to opt out of monitoring by the fortisoar_support user and remove their FortiSOAR Cloud instances from the FortiSOAR support group, and also to delete the fortisoar_support user. For details, see the Opting out of Fortinet monitoring topic.

Details about the fortisoar_support user

From release 7.6.0 onwards, a CLI user named 'fortisoar_support' with SSH access is automatically added to FortiSOAR Cloud instances. The 'fortisoar_support' user is intended for monitoring, troubleshooting, support, and upgrades of FortiSOAR Cloud instances. This user can monitor the network, view log files, and execute commands for troubleshooting, managing services, and upgrades. For example, the 'fortisoar_support' user can use the 'csadm' command for upgrades, or OS commands such as 'top' to check system performance.

The 'fortisoar_support' user is restricted from sending data outside the monitored FortiSOAR Cloud instance. All activities performed by the fortisoar_support user are audited and logged for accountability and traceability. Logs are regularly rotated and purged.
Audit records related to the fortisoar_support user are tagged with the key fortisoar-support-user-audit. Use the ausearch command to search through these records. For example, to filter and display the records related to the fortisoar_support user in a human-readable format, use the following command:
ausearch --key fortisoar-support-user-audit --interpret
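
The following is an added example, not part of the Fortinet documentation, showing how to reduce the output of the ausearch command above to a short activity summary for review: one line per command executed by the audited user, plus a count of which binaries were run and by whom. It reads ausearch-style records from standard input (or from a file given as an argument); the sample records embedded in the script are constructed for this example and their timestamps, PIDs and commands are made up.

```shell
#!/bin/sh
# Added example (not Fortinet's code): summarise SYSCALL records carrying the
# fortisoar-support-user-audit key into "<date> <time> <auid> <exe>" lines.

AUDIT_KEY="fortisoar-support-user-audit"

# Constructed sample in the shape of `ausearch --key ... --interpret` output.
# All field values are invented for this example.
SAMPLE_AUDIT='----
type=SYSCALL msg=audit(01/15/2025 10:23:45.123:4567) : arch=x86_64 syscall=execve success=yes exit=0 ppid=2201 pid=2210 auid=fortisoar_support uid=root gid=root comm=top exe=/usr/bin/top key=fortisoar-support-user-audit
type=EXECVE msg=audit(01/15/2025 10:23:45.123:4567) : argc=1 a0=top
----
type=SYSCALL msg=audit(01/15/2025 10:24:02.987:4570) : arch=x86_64 syscall=execve success=yes exit=0 ppid=2201 pid=2215 auid=fortisoar_support uid=root gid=root comm=csadm exe=/usr/bin/csadm key=fortisoar-support-user-audit
type=EXECVE msg=audit(01/15/2025 10:24:02.987:4570) : argc=3 a0=csadm a1=system a2=status
----
type=SYSCALL msg=audit(01/15/2025 10:30:11.000:4601) : arch=x86_64 syscall=execve success=yes exit=0 ppid=1900 pid=1955 auid=csadmin uid=csadmin gid=csadmin comm=ls exe=/usr/bin/ls key=(null)'

# summarize_support_activity [FILE]: read ausearch --interpret records (stdin
# when no FILE is given) and print one "<date> <time> <auid> <exe>" line per
# SYSCALL record whose key matches AUDIT_KEY. Records with other keys are
# dropped, so unrelated activity (the csadmin record above) never appears.
summarize_support_activity() {
    awk -v key="$AUDIT_KEY" '
        $1 == "type=SYSCALL" {
            date = ""; time = ""; auid = "?"; exe = "?"; k = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^msg=audit\(/) {
                    # --interpret renders the time as
                    # "msg=audit(MM/DD/YYYY HH:MM:SS.ms:serial)", split over two fields
                    date = substr($i, 11)
                    time = $(i + 1); sub(/\..*$/, "", time)
                } else if ($i ~ /^auid=/) {
                    auid = substr($i, 6)           # login identity, survives sudo/su
                } else if ($i ~ /^exe=/) {
                    exe = substr($i, 5); gsub(/"/, "", exe)
                } else if ($i ~ /^key=/) {
                    k = substr($i, 5); gsub(/"/, "", k)   # raw logs quote the key
                }
            }
            if (k == key) print date, time, auid, exe
        }
    ' "$@"
}

# support_command_counts [FILE]: how many times each (auid, exe) pair appears,
# most frequent first. Useful as a first triage view of a support session.
support_command_counts() {
    summarize_support_activity "$@" | awk '{ print $3, $4 }' | sort | uniq -c | sort -rn
}

# Demonstration on the constructed sample. On an instance, pipe the real
# records in instead:
#   ausearch --key fortisoar-support-user-audit --interpret | summarize_support_activity
printf '%s\n' "$SAMPLE_AUDIT" | summarize_support_activity
printf '%s\n' "$SAMPLE_AUDIT" | support_command_counts
```

Only the SYSCALL record of each event is summarised; the EXECVE record carrying the full argument vector is left out deliberately, so that a long argument list or a misplaced secret on a command line does not end up in the review summary.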

Opting out of Fortinet monitoring

Customers can opt out of Fortinet monitoring as follows:

  • Remove the fortisoar_support user to revoke their SSH access, using the command:
    userdel -r fortisoar_support
    This command removes the fortisoar_support user from the OS, and the '-r' option specifies the removal of the fortisoar_support user's home directory.
    Caution

    Removing the fortisoar_support user revokes their access to the SSH console of your FortiSOAR Cloud instance by Fortinet. This action means that Fortinet's proactive monitoring, upgrades, and assistance with investigation and troubleshooting will no longer be available.

  • Delete any files associated with the fortisoar_support user from their FortiSOAR Cloud instance:
    rm -rf /etc/ssh/sshd_config.d/fortisoar-support-user-login.conf /etc/sudoers.d/fortisoar-support-user /etc/audit/rules.d/fortisoar-audit-rule.rules
    Note

    Audit logs of actions previously performed by the fortisoar_support user will remain accessible to the customer even after the fortisoar_support user is removed.

  • Stop the FortiMonitor agent from monitoring the FortiSOAR Cloud instance by uninstalling it, using the command:
    csadm system fortimonitor agent uninstall
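
The following is an added example, not part of the Fortinet documentation, that verifies the opt-out steps above were completed: it reports whether the fortisoar_support account, its home directory, and the three files listed in the procedure are still present, and sweeps the sshd, sudoers and audit rule directories for any other file that still names the user. The optional ROOT argument is a path prefix so the check can be exercised against a staged directory tree; on the instance itself it is run as root with no argument. The account check reads the passwd file directly rather than calling getent, which is an assumption of this example (it only sees local accounts).

```shell
#!/bin/sh
# Added example (not Fortinet's code): confirm that no trace of the
# fortisoar_support user remains after the opt-out procedure.

SUPPORT_USER="fortisoar_support"

# The files the opt-out procedure deletes.
SUPPORT_FILES="/etc/ssh/sshd_config.d/fortisoar-support-user-login.conf
/etc/sudoers.d/fortisoar-support-user
/etc/audit/rules.d/fortisoar-audit-rule.rules"

# check_support_optout [ROOT]: print one "LEFTOVER:" line per artefact still
# present under ROOT (default: the live filesystem) and return the number of
# leftovers as the exit status, so 0 means the opt-out is complete.
check_support_optout() {
    root="${1:-}"
    leftovers=0

    # 1. The account itself. Reads ROOT/etc/passwd so that a staged tree can be
    #    checked; on a live host `getent passwd` would also cover remote accounts.
    entry=$(grep "^${SUPPORT_USER}:" "${root}/etc/passwd" 2>/dev/null || true)
    if [ -n "$entry" ]; then
        home=$(printf '%s\n' "$entry" | cut -d: -f6)
        printf 'LEFTOVER: account %s still present (home=%s)\n' "$SUPPORT_USER" "$home"
        leftovers=$((leftovers + 1))
        # userdel -r should also have removed the home directory.
        if [ -n "$home" ] && [ -d "${root}${home}" ]; then
            printf 'LEFTOVER: home directory %s still present\n' "$home"
            leftovers=$((leftovers + 1))
        fi
    fi

    # 2. The sshd drop-in, sudoers entry and audit rule named in the procedure.
    for f in $SUPPORT_FILES; do
        if [ -e "${root}${f}" ]; then
            printf 'LEFTOVER: %s still present\n' "$f"
            leftovers=$((leftovers + 1))
        fi
    done

    # 3. Any other file in those directories that still names the user
    #    (e.g. a renamed copy of the sshd drop-in). Files already reported in
    #    step 2 are skipped. Assumes the file names contain no whitespace.
    hits=$(grep -rls "$SUPPORT_USER" \
        "${root}/etc/ssh/sshd_config.d" \
        "${root}/etc/sudoers.d" \
        "${root}/etc/audit/rules.d" 2>/dev/null || true)
    for hit in $hits; do
        rel="${hit#"$root"}"
        case "$SUPPORT_FILES" in
            *"$rel"*) ;;
            *)
                printf 'LEFTOVER: %s still references %s\n' "$rel" "$SUPPORT_USER"
                leftovers=$((leftovers + 1))
                ;;
        esac
    done

    if [ "$leftovers" -eq 0 ]; then
        printf 'OK: no %s artefacts found\n' "$SUPPORT_USER"
    fi
    return "$leftovers"
}

# Usage on the instance (as root), after running the opt-out steps:
#   check_support_optout
# Against a staged tree, for instance when rehearsing the procedure:
#   check_support_optout /tmp/staged-root
```

Running the check after each opt-out step, rather than only at the end, shows which step left something behind; a non-zero exit status makes it straightforward to wire into an existing compliance job.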

Installation and configuration of a FortiMonitor agent in all FortiSOAR Cloud instances

From release 7.6.0 onwards, a FortiMonitor agent is automatically installed and configured in all FortiSOAR Cloud instances by default. This agent continuously monitors the instances, collects performance parameter values and then sends them to FortiMonitor.

Once a FortiSOAR Cloud instance is provisioned, the FortiMonitor agent is added to the FortiMonitor Dashboard. This dashboard provides a centralized interface for Fortinet to monitor the health and performance of Fortinet cloud instances. It offers real-time visibility into system metrics and alerts for proactive troubleshooting and remediation. The fortisoar_support user can access and utilize the FortiMonitor Dashboard to monitor system health, analyze performance parameter values, and take remediation actions as needed. For more information on FortiSOAR integration with FortiMonitor, see FortiSOAR's "Administration Guide."
