FortiSIEM
flunaibarra
Staff
Article Id 293860


Description

This article describes how to troubleshoot Windows agent registration problems. Before following these steps, review the documentation linked below to verify that the Windows agent package matches the version of the FortiSIEM Supervisor the agent is registering to.

Windows Agent Installation Guide:

FortiSIEM Windows Agent 7.1.x


FortiSIEM Compatibility Matrix:
FortiSIEM Version Compatibility for Rocky Linux Based Releases

Scope
Windows Agent v4.3.x, v4.4.x, v5.0.x, v7.1.x.
Supervisor v6.x.x, v7.0.x, v7.1.x.
Solution

Prerequisites:

  • From FortiSIEM:
    Create a new Windows agent user account. Log into the Supervisor as a full admin for the organization. Enterprise deployments do not have an organization option; this is expected.

    Create a new Windows agent user for Enterprise. Go to CMDB -> Users -> FortiSIEM Users -> New -> add a User Name, select the pencil icon beside System Admin, check Agent Admin, add a Password, and Save.

    Create a new Windows agent user for a Service Provider. Go to Global View -> Admin -> Setup -> Organization -> select the Organization -> Edit -> Agent User: enter a username, Agent Password: enter a password -> Save.

    Collect the Organization's information from Admin -> Setup -> Organization <-- Organization Name and Organization ID.


  • From Windows Host: Test the connection to the Supervisor on port 443 with the following command from PowerShell:

    Test-NetConnection <Super_IP> -Port 443
    Results > TcpTestSucceeded = True


  • .NET Framework version.
    Check that the .NET Framework version on the Windows host is up to date with the following command. Make sure the version is 4.6.2 or higher.

    reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /s

  • TLS v1.2.
    Check that TLS 1.2 is enabled on the host with the following command:

    reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"

    If TLS 1.2 is not enabled, run the following command in PowerShell:

    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 00000000


  • Installation:
    Run the FSMLogAgent.exe file -> choose the License Type and add the registration information.


Troubleshooting

There are 3 reasons for the registration to fail:

  1. Package requirements are not installed on the host, or the OS version is not supported.
  2. Registration information is incorrect. This includes the Supervisor IP/FQDN, username, password, Org name, and Org ID.
  3. Connection issues, including network configuration/communication on port 443, NAT, SSL inspection, external firewall rules blocking the traffic, certificate configuration, etc.


Review the Agent Trace.log on the Windows host:

    C:\ProgramData\FortiSIEM\Logs\Trace.log

    401 - Authentication Failure
    403 - Forbidden (agent account failure possibility, or configuration for the Windows agent on the Supervisor side has not been completed)
    502 - Server unavailable (possible problem with the FortiSIEM Application Server - contact support)


For 401 and 403 errors, review the registration information: ORG name, ORG ID, agent username, and password. If necessary, create a new Windows agent user account.


Manual URL Check:
Using a web browser, enter: https://<ip of super>/phoenix/rest/register/winAgent
A username and password prompt is expected. Do not enter any credentials here; a browser login will not succeed. This is only a check to verify that the URL is reachable.


Check the Supervisor logs to verify the host connection. SSH to the Supervisor:

cat /var/log/httpd/ssl_access_log  <-- Review the HTTP response codes for requests from the agent host.


Leave the tail command running on the Supervisor and run the installation on the host:

tail -f /opt/glas*/dom*/dom*/logs/phoenix.log  <-- Registration log entries will be received.


For example:


[PH_AUDIT_AGENT_INSTALLED]:[phCustId]=1,[hostName]=WIN-MI0ECB8CCHN.DCServer.local,[eventSeverity]=PHL_INFO,[phEventCategory]=2,[procName]=AppServer,[srcIpAddr]=192.20.10.11,[type]=Windows,[user]=agent_admin,[monitorState]=Registered,[phAgentId]=200001,[phLogDetail]=Agent is installed

[PH_AUDIT_USER_LOGIN_FAILURE]:[phCustId]= 1,[eventSeverity]=PHL_INFO,[phEventCategory]=2,[procName]=AppServer,[srcIpAddr]=192.20.10.11,[user]=agent_admin,[phLogDetail]=Invalid username or password.
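When several agents register at once, reading the tail output by eye gets hard. The following is an added example (not part of this article or of FortiSIEM) that parses phoenix.log audit lines in the `[key]=value` format shown above and summarises, per source IP and agent user, whether registration succeeded or failed on credentials. The sample lines are constructed after the two entries above; the second source IP is invented for illustration.

```python
import re
from collections import defaultdict

# Audit lines look like "[PH_AUDIT_...]:[key]=value,[key]=value,...".
# The event type sits before the colon; fields follow as bracketed keys.
_EVENT_RE = re.compile(r"^\[(?P<event>PH_AUDIT_[A-Z_]+)\]:(?P<body>.*)$")
_PAIR_RE = re.compile(r"\[(?P<key>\w+)\]=\s*(?P<val>[^,]*)")  # tolerates "= 1"


def parse_audit_line(line):
    """Return (event_type, {key: value}) for one audit line, or None if not one."""
    m = _EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip() for k, v in _PAIR_RE.findall(m.group("body"))}
    return m.group("event"), fields


def summarize_registrations(lines):
    """Group outcomes by (srcIpAddr, user): registered and login-failure counts
    plus the last phLogDetail seen, so a failing host can be spotted at a glance."""
    summary = defaultdict(lambda: {"registered": 0, "login_failure": 0, "detail": ""})
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None:
            continue  # ordinary phoenix.log line, not a registration audit event
        event, f = parsed
        key = (f.get("srcIpAddr", "?"), f.get("user", "?"))
        if event == "PH_AUDIT_AGENT_INSTALLED" and f.get("monitorState") == "Registered":
            summary[key]["registered"] += 1
        elif event == "PH_AUDIT_USER_LOGIN_FAILURE":
            summary[key]["login_failure"] += 1
        summary[key]["detail"] = f.get("phLogDetail", "")
    return dict(summary)


# Constructed sample modelled on the article's entries; 192.20.10.12 is made up.
SAMPLE_LOG = [
    "[PH_AUDIT_AGENT_INSTALLED]:[phCustId]=1,[hostName]=WIN-MI0ECB8CCHN.DCServer.local,[eventSeverity]=PHL_INFO,[phEventCategory]=2,[procName]=AppServer,[srcIpAddr]=192.20.10.11,[type]=Windows,[user]=agent_admin,[monitorState]=Registered,[phAgentId]=200001,[phLogDetail]=Agent is installed",
    "[PH_AUDIT_USER_LOGIN_FAILURE]:[phCustId]= 1,[eventSeverity]=PHL_INFO,[phEventCategory]=2,[procName]=AppServer,[srcIpAddr]=192.20.10.12,[user]=agent_admin,[phLogDetail]=Invalid username or password.",
    "[PH_AUDIT_USER_LOGIN_FAILURE]:[phCustId]= 1,[eventSeverity]=PHL_INFO,[phEventCategory]=2,[procName]=AppServer,[srcIpAddr]=192.20.10.12,[user]=agent_admin,[phLogDetail]=Invalid username or password.",
    "some unrelated phoenix.log line",
]

if __name__ == "__main__":
    for (ip, user), r in summarize_registrations(SAMPLE_LOG).items():
        status = "OK" if r["registered"] else "FAILED"
        print(f"{ip} {user}: {status} registered={r['registered']} "
              f"login_failure={r['login_failure']} ({r['detail']})")
```

To run it against a live Supervisor, feed it the output of the tail command above instead of SAMPLE_LOG; repeated login failures from one IP point to the 401/403 registration-information checks earlier in this article.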