FortiAnalyzer
bboudjema
Staff
Article Id 260999
Description

This article explains the steps needed to enable the FortiSOAR and FortiSIEM docker modules on FortiAnalyzer, describes the issues that can appear after doing so, and offers guidance on troubleshooting them.

 

Scope

FortiAnalyzer.

 

Solution

 

Definition:

A Docker-based MEA (Managed Exchange Application) module is a containerized application that adds monitoring and management capabilities to FortiAnalyzer. Docker packages the MEA functionality in a lightweight, isolated container.

From version 7.2 onwards, FortiAnalyzer supports Managed Exchange Application (MEA) modules, namely FortiSOAR and FortiSIEM.

 

Solution:

 

Prerequisites:

A valid FortiSOAR license is required, and FortiSOAR MEA must be licensed appropriately for production use.

 

Note:

By default, FortiSOAR MEA includes a Trial (Extension) License. Trial mode is limited to 2 users and a maximum of 300 actions a day: https://docs.fortinet.com/document/fortianalyzer/7.0.2/fortisoar-7-0-2-r1-release-notes/11736/fortis...

 

Before continuing, make sure that FortiAnalyzer has uninterrupted connectivity to the FortiGuard servers, so that the required communication and package downloads can take place. Check the FortiGuard link daemon log:

diag fmupdate view-linkd-log fds

 

Ping the FGD FQDNs:

 

execute ping fds1.fortinet.com

 

Example of the diag fmupdate view-linkd-log fds output:

[Screenshot: output of diag fmupdate view-linkd-log fds, with successful FortiGuard communication highlighted in green]

 

1. To enable the Managed Exchange Application (MEA) feature and the FortiSOAR/FortiSIEM modules, enter the following commands:

    config system docker
        set status enable
        set fsmcollector enable
        set fortisoar enable
    end

 


 

 

Normally, FortiAnalyzer connects to the FortiGuard server and downloads the latest module packages, so the most recent module images are installed.

For example, in the captures below:

The FortiSIEM image is retrieved from the registry.fortinet.com/fortisiem/ repository.

The FortiSOAR image is retrieved from the registry.fortinet.com/fortisoar/ repository.

 


 


 

2. Potential errors that might be encountered when enabling the FortiSOAR and FortiSIEM modules:

 

Can't pull fsmcollector (Error: error contacting notary server: dial tcp 173.243.139.82:4443: i/o timeout

 


 

 

This error means that FortiAnalyzer cannot fetch the update packages for a container module from the FortiGuard servers because a port is blocked on the network firewall. In other words, FortiAnalyzer will not be able to enable the docker/MEA extensions.

The firewall rule towards registry.fortinet.com must allow ports 4443 and 443, as described in the docker section of the CLI reference: https://docs.fortinet.com/document/fortianalyzer/7.4.0/cli-reference/194126/docker
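As an added example (not from the article or from Fortinet), a small Python triage helper that parses the 'Can't pull' error above into the blocked destination, maps it onto the firewall rule the article requires, and tests TCP reachability from a host on FortiAnalyzer's network segment; the regex, the function names and the REQUIRED_RULES constant are my own assumptions.

```python
import re
import socket
from dataclasses import dataclass

# Destinations the article says the firewall must allow for MEA image pulls:
# registry.fortinet.com on TCP 4443 (notary server) and 443 (registry).
REQUIRED_RULES = (("registry.fortinet.com", 4443), ("registry.fortinet.com", 443))

# Matches the "Can't pull ..." error format quoted in the article (regex is my own).
PULL_ERROR_RE = re.compile(
    r"Can't pull (?P<module>\S+) \(Error: (?P<detail>.*?)dial tcp "
    r"(?P<host>[\d.]+|\[[0-9a-fA-F:]+\]):(?P<port>\d+): (?P<reason>[^)]+)"
)

@dataclass
class PullFailure:
    module: str
    host: str
    port: int
    reason: str

def parse_pull_error(line: str):
    """Extract the module and the blocked destination from a 'Can't pull' error, or None."""
    m = PULL_ERROR_RE.search(line)
    if not m:
        return None
    return PullFailure(m["module"], m["host"].strip("[]"), int(m["port"]), m["reason"].strip())

def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout (run from FortiAnalyzer's segment)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def firewall_advice(failure: PullFailure) -> str:
    """Turn a parsed failure into the firewall change the article describes."""
    needed = ", ".join(f"{h}:{p}" for h, p in REQUIRED_RULES)
    return (f"{failure.module}: {failure.reason} to {failure.host}:{failure.port}; "
            f"allow outbound TCP from FortiAnalyzer to {needed}")

# Constructed sample line, built from the error text quoted in the article.
SAMPLE = "Can't pull fsmcollector (Error: error contacting notary server: dial tcp 173.243.139.82:4443: i/o timeout"
if __name__ == "__main__":
    failure = parse_pull_error(SAMPLE)
    print(firewall_advice(failure))
    for host, port in REQUIRED_RULES:
        print(f"{host}:{port}", "reachable" if check_tcp(host, port) else "BLOCKED")
```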

 

To verify the status of the modules:

After the operation completes, confirm that both modules are in the 'running' state:

diag docker status

 


 

Even after port 4443 has been opened, further errors can occur. In that case, the following commands delete all FortiSOAR and FortiSIEM volumes and then restart the modules:

 

diag docker reset fortisoar

diag docker reset fortisiem

 

If both modules are not reset, the following errors may appear:

 

In the case of the FortiSOAR module, the following error may occur: 'The creation of the container is impossible: no such file or directory'.

 


 

In the case of the FortiSIEM module, the following error may occur: 'Driver failed programming external connectivity on endpoint fsmcollector'.

 


 

Once the Managed Exchange Application (MEA) feature and the FortiSOAR/FortiSIEM modules are enabled, a 'Management extensions' panel appears in the left menu:

[Screenshot: Management extensions panel showing the FortiSOAR and FortiSIEM extensions]

 

3. Troubleshooting:

 

If an error occurs, enable verbose docker debug output with the following commands to help identify the cause:

 

diag debug app docker 255

diag debug enable

 

To upgrade modules (optional):

 

diagnose docker upgrade fortisoar

diagnose docker upgrade fortisiem

 


 

To clean up the modules and disable docker support:

 

diagnose docker cleanup

config system docker
    set status disable
end

 

Related document:

FortiAnalyzer CLI reference, docker: https://docs.fortinet.com/document/fortianalyzer/7.4.0/cli-reference/194126/docker