FortiSIEM 6.6.0 Release Notes
FortiSIEM 6.6.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
FEEDBACK
Email: techdoc@fortinet.com
07/22/2022
TABLE OF CONTENTS
Change Log
What's New in 6.6.0
  New Features
    ClickHouse Cluster
    Generalized HTTPS based Event Collection
  Key Enhancements
    Custom Image Upload Endpoint
    Performance Improvements
    Update Glassfish CA Certificate store with Java CA Cert Store
  System Upgrades
  New Device Support
  Bug Fixes and Minor Enhancements
  Known Issues
What's New in 6.6.0
• New Features
• Key Enhancements
• New Device Support
• Bug Fixes and Minor Enhancements
• Known Issues
New Features
• ClickHouse Cluster
• Generalized HTTPS based Event Collection
ClickHouse Cluster
In this release, you can set up a ClickHouse Cluster using Supervisor and Worker nodes. All operations can be done
from the FortiSIEM GUI. The first step is to add storage to the FortiSIEM nodes for storing events. Then you configure the
Cluster by specifying the number of shards and choosing the Keeper Cluster members and Server Cluster Replicas.
Insertion, Replication and Queries are distributed across Supervisor and Worker nodes, resulting in a redundant,
scale-out architecture.
For understanding concepts see Background Information.
For adding storage to Worker nodes, see Initial Configuration.
For configuring ClickHouse Cluster, see ClickHouse Configuration.
For configuring a ClickHouse retention policy, see Creating a ClickHouse Online Event Retention Policy.
For sizing guide on how to achieve high insert and query efficiency with ClickHouse, see the 6.6.0 Sizing Guide.
Generalized HTTPS based Event Collection
Increasingly, cloud applications such as Cisco Umbrella, Microsoft Defender for Endpoint, WorkDay, Box.com, etc. are
providing events and alerts via HTTPS based APIs. Rather than developing support application by application, this release
provides a generalized way to configure an HTTPS based access method and pull data via that access method. A
customer only needs to write a specific log parser for the application. This approach can cover all HTTPS based logging
applications without requiring a new FortiSIEM release.
This release includes built-in support for the Cisco Umbrella Activity API and for Microsoft Defender via the Graph API, both
using this Generalized HTTPS Access Method.
For details on configuring HTTPS API, see Generic Log API Poller HTTPS Advanced Integration from the External
Systems Configuration Guide.
For details on creating HTTPS Credential for Cisco Umbrella Activity API, see Cisco Umbrella Configuration from the
External Systems Configuration Guide.
For details on creating HTTPS Credential for Microsoft Defender API, see Windows Defender for Endpoint Configuration
from the External Systems Configuration Guide.
Key Enhancements
Custom Image Upload Endpoint
During Collector/Agent/Content upgrades, the Upgrade URL for Collectors and Agents is automatically generated by the
App Server based on the Supervisor host name or IP in the GUI. However, this approach does not work when there are
Load Balancers in front of the Supervisor node. This release provides an option for the user to specify a Load Balancer Host
Name or IP, and the Supervisor will use it to create the custom endpoint for Collectors and Agents. If you use a Load Balancer
Host Name, it must be resolvable by Agents and Collectors. The Load Balancer is an easier choice.
For details on Setting up Custom Image Upload Endpoint, see Custom Update.
Performance Improvements
The App Server on the Supervisor post-processes Incidents to add metadata, update risk scores, store them in the PostgreSQL
database and then execute notification policies and external integrations. FortiSIEM Manager aggregates Incidents
from all Supervisors and stores them in its local PostgreSQL database for display in the FortiSIEM Manager GUI. Therefore,
fast incident handling is critical for the system to work correctly at high loads.
This release contains extensive Incident handling performance optimizations. FortiSIEM Manager can handle about
1500 Incidents/sec from FortiSIEM Supervisors.
Further performance improvements in this release:
• IdentityWorker is now multi-threaded while getting events from the shared buffer.
• Memory release operations in the Google tcmalloc library are called more frequently.
Update Glassfish CA Certificate store with Java CA Cert Store
Many Java based external integrations required users to import root CA certificates, as the Glassfish CA store was not
populated after migrating to Glassfish V5 in an earlier FortiSIEM release. In this release, during the migration and upgrade
process, the Glassfish CA store is populated with valid certificates from the Java CA cert store. With this change, Java
based external integrations should work more seamlessly.
System Upgrades
Upgrade to Rocky Linux 8.6 with patches released on May 16, 2022. See https://docs.rockylinux.org/release_notes/8_6/
and https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.6_release_notes/bug_fixes#bug-fix_security
for more information.
New Device Support
• Cisco Umbrella Activity API - done via the Generalized HTTPS based Event Collection methodology
• Microsoft Defender for Endpoint using Graph API - done via the Generalized HTTPS based Event Collection methodology
Bug Fixes and Minor Enhancements
Bug ID | Severity | Module | Description
822029 | Minor | Anomaly | Exclude network logon events from UEBA AI engine.
824268 | Minor | App Server | IPS to CVE validation does not work correctly.
821804 | Minor | App Server | Restarting App Server sometimes gives heap error and it is not fixed by re-deploying.
816715 | Minor | App Server | Org id in the device maintenance table did NOT get deleted when customer deletes the org.
816492 | Minor | App Server | Older open SAML library causes login failure to OKTA authentication portal.
815696 | Minor | App Server | When user changes org scope, create this event PH_AUDIT_USER_CHANGE_ORG_SCOPE instead of PH_AUDIT_USER_SUED.
815025 | Minor | App Server | Specifying Reporting device group and Event type Group does not work correctly for Event forwarding, Event Dropping and Retention Policy and Org mapping.
813642 | Minor | App Server | HTTP Error page reveals App Server name and version.
811630 | Minor | App Server | If you change the priority of a system rule, after FortiSIEM upgrade, the rule's priority is incorrectly reset to its default priority.
821813 | Minor | Data | Time Stamps are not parsed properly for Falcon Data Replicator.
821585 | Minor | Data | SystemShutdown event group has some incorrect event types.
811907 | Minor | Data | Reduce parser test events down to 10 for ease of cloning and testing.
821427 | Minor | ElasticSearch | Add 7 day allowance to write data to Elasticsearch to cover data buffering for more than 2 days.
818548 | Minor | Event Pulling | AWS Kinesis fails to sync shards and leases on connection.
817081 | Minor | Event Pulling | AWS Kinesis buffer size is incorrect and causes event pull failure.
820583 | Minor | GUI | Show proper error codes returned by FortiSOAR when executing playbooks or connectors.
814430 | Minor | GUI | GUI does not allow dot in user name field.
810866 | Minor | GUI | When you disable a Device in Pull Events with a search filter, a different device in the global list is disabled.
816499 | Minor | Parser | Increase TCP/UDP buffer from 16KB to 24KB to handle large events up to 24KB.
814318 | Minor | Report | For ClickHouse Storage, Incident CSV export does not contain result for incident status and resolution.
802322 | Enhancement | App Server | Changing Supervisor IP may lead to two Supervisor entries showing up in Cloud Health.
801605 | Enhancement | App Server | Users who have Read only admin permission on Super Global but have Full Admin on Org cannot edit credentials in the Org after switching to that Org.
804904 | Enhancement | App Server, GUI | New Dashboard folders may not appear in the drop-down in the dashboard folder section.
810382 | Enhancement | Data | Some generic events from FortiGate need to be further parsed.
809024 | Enhancement | Data | Event Type generated from Windows logs received via Epilog is incorrect and very long.
803091 | Enhancement | Data | Update FortiGate parser to support Bandwidth Delta values.
792333 | Enhancement | Data | Update FortiAI parser to handle new log format and relabeling of product to FortiNDR.
779162 | Enhancement | Data | Update Claroty parser to accommodate year timestamp in syslog header and new event.
807886 | Enhancement | Data Manager | A log from Elasticsearch event insert code contains password.
801973 | Enhancement | Data Manager | Online data is not removed when defining online retention policies for all events.
807102 | Enhancement | Discovery | SNMP V3 Trap support places Auth Password and Priv Password directly in snmptrapd.conf on Collectors.
796086 | Enhancement | Discovery | Support more HP switches for discovery, performance and availability metrics via SNMP.
775692 | Enhancement | Discovery | Test connectivity results sometimes display Windows OMI text password in GUI.
644096 | Enhancement | Discovery, Perf Monitoring | Enable AES256 and SHA256 for SNMP V3.
795638 | Enhancement | Event Pulling | Sophos logs via API are polled very frequently, thereby quickly reaching API limit.
810548 | Enhancement | GUI | System notifications are unreadable and overlap with page information.
Known Issues
1. Sometimes App Server may not come up properly after upgrading to 6.6.0. This is rare and Fortinet has only seen it
occur in Azure, although the hypervisor platform has very little to do with it. If this issue occurs, you will see that the
backend ph processes will be down and there will not be any upgrade errors in ansible. In this situation, use the
following workaround to get the system up and running.
   a. Download gf_admin-keyfile and deploy-fresh.sh.
   b. Copy the file gf_admin-keyfile to the FortiSIEM Supervisor node under /opt/phoenix/deployment/jumpbox.
   c. Log in to the FortiSIEM Supervisor console and run the following command.
      cp /opt/phoenix/deployment/deploy-fresh.sh /opt/phoenix/deployment/deploy-fresh.sh.orig
   d. Copy the file deploy-fresh.sh to the FortiSIEM Supervisor under /opt/phoenix/deployment.
   e. Log in to the Supervisor console and run the following commands.
      chmod +x /opt/phoenix/deployment/deploy-fresh.sh
      su - admin
      /opt/phoenix/deployment/deploy-fresh.sh /opt/phoenix/deployment/phoenix.ear
2. If you are running ClickHouse, upgrade from 6.5.0 to 6.6.0, go to Storage > Online Settings and click Test, the test
will fail. Fortinet introduced a new disk attribute called "Mounted On" to facilitate disk addition/deletion that was not
present in 6.5.0. Follow these steps to fix the problem.
   a. Go to ADMIN > Setup > Storage > Online. ClickHouse should be the selected database.
   b. For the Hot tier, and for every configured disk within the tier, do the following:
      i. The existing disk should have an empty Mounted On.
      ii. Click + to add a disk. For the new disk, Disk Path should be empty and Mounted On set to /data-clickhouse-hot-1.
      iii. Copy the Disk Path from the existing disk into this new disk. The new disk should now have the proper Disk
      Path and Mounted On fields.
      iv. Delete the first disk with empty Mounted On.
      Do this for all disks you configured in 6.5.0. After your changes, the disks should be ordered /data-clickhouse-hot-1,
      /data-clickhouse-hot-2, /data-clickhouse-hot-3 from top to bottom.
   c. Repeat the same steps for the Warm tier (if one was configured in 6.5.0), except that the Mounted On fields
   should be /data-clickhouse-warm-1, /data-clickhouse-warm-2, /data-clickhouse-warm-3 from top to bottom.
   d. When done, click Test, then click Deploy.
3. In Elasticsearch based deployments, queries containing "IN Group X" are handled using an Elastic Terms Query. By
default, the maximum number of terms that can be used in a Terms Query is set to 65,536. If a Group contains more
than 65,536 entries, the query will fail.
The workaround is to change the "max_terms_count" setting for each event index. Fortinet has tested up to 1 million
entries. The query response time will be proportional to the size of the group.
   Case 1. For already existing indices, issue the following REST API call to update the setting:
      PUT fortisiem-event-*/_settings
      {
        "index" : {
          "max_terms_count" : "1000000"
        }
      }
   Case 2. For new indices that are going to be created in the future, update fortisiem-event-template so
   those new indices will have a higher max_terms_count setting.
      a. cd /opt/phoenix/config/elastic/7.7
      b. Add "index.max_terms_count": 1000000 (including quotations) to the "settings" section of the
      fortisiem-event-template.
      Example:
        ...
        "settings": {
          "index.max_terms_count": 1000000,
        ...
      c. Navigate to ADMIN > Storage > Online and perform Test and Deploy.
      d. Verify that new indices have the updated terms limit by executing the following simple REST API call:
         GET fortisiem-event-*/_settings
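The two cases above (patching the fortisiem-event-template file for future indices, and checking the GET _settings response of existing indices) can be scripted so the change is applied consistently and verified afterwards. The following Python is an added example, not code from the release notes or from FortiSIEM: it edits the template's "settings" section exactly as step b describes, builds the body for the Case 1 PUT, and parses a _settings response to report which indices still have no max_terms_count or one below the tested 1,000,000. The template and response documents embedded here are constructed sample data; index names and the number_of_shards values are assumptions. Note that Elasticsearch omits index.max_terms_count from a _settings response unless it was set explicitly, so an absent key means the 65,536 default still applies.

```python
import json
from typing import Dict, List, Optional

# Value recommended by the workaround (Fortinet tested up to 1 million entries).
REQUIRED_MAX_TERMS = 1_000_000

# Constructed sample of a fortisiem-event-template "settings" section before the change.
SAMPLE_TEMPLATE = {
    "index_patterns": ["fortisiem-event-*"],
    "settings": {"number_of_shards": 5},  # assumed shard count, for illustration only
    "mappings": {},
}

# Constructed sample of a GET fortisiem-event-*/_settings response (index names assumed).
SAMPLE_SETTINGS_RESPONSE = {
    "fortisiem-event-2022.07.20": {
        "settings": {"index": {"max_terms_count": "1000000", "number_of_shards": "5"}}
    },
    "fortisiem-event-2022.07.21": {
        "settings": {"index": {"max_terms_count": "65536", "number_of_shards": "5"}}
    },
    "fortisiem-event-2022.07.22": {
        # No max_terms_count key: Elasticsearch does not echo defaults in _settings.
        "settings": {"index": {"number_of_shards": "5"}}
    },
}


def add_max_terms_count(template: dict, limit: int = REQUIRED_MAX_TERMS) -> dict:
    """Return a copy of the index template with "index.max_terms_count" in its settings.

    Uses the flat key form shown in the release notes. If the template already carries the
    nested form ("index": {"max_terms_count": ...}), that entry is removed so the two forms
    cannot disagree. The input template is left untouched.
    """
    updated = json.loads(json.dumps(template))  # deep copy via round-trip
    settings = updated.setdefault("settings", {})
    nested = settings.get("index")
    if isinstance(nested, dict):
        nested.pop("max_terms_count", None)
        if not nested:
            settings.pop("index")
    settings["index.max_terms_count"] = limit
    return updated


def settings_update_body(limit: int = REQUIRED_MAX_TERMS) -> dict:
    """Body for Case 1: PUT fortisiem-event-*/_settings (value as a string, as in the notes)."""
    return {"index": {"max_terms_count": str(limit)}}


def current_max_terms_count(index_entry: dict) -> Optional[int]:
    """Read max_terms_count from one index's entry in a _settings response.

    Returns None when the key is absent, meaning the Elasticsearch default (65,536) applies.
    """
    value = index_entry.get("settings", {}).get("index", {}).get("max_terms_count")
    return int(value) if value is not None else None


def indices_needing_update(settings_response: Dict[str, dict],
                           limit: int = REQUIRED_MAX_TERMS) -> List[str]:
    """List indices whose max_terms_count is missing or below the required limit."""
    needing = []
    for name, entry in settings_response.items():
        current = current_max_terms_count(entry)
        if current is None or current < limit:
            needing.append(name)
    return sorted(needing)


if __name__ == "__main__":
    # Show the patched template (what step b writes) and the Case 1 request body.
    print(json.dumps(add_max_terms_count(SAMPLE_TEMPLATE), indent=2))
    print("PUT fortisiem-event-*/_settings", json.dumps(settings_update_body()))
    # Run the step d verification logic over the constructed response.
    print("indices still below limit:", indices_needing_update(SAMPLE_SETTINGS_RESPONSE))
```

In practice, feed `indices_needing_update` the JSON returned by the GET call in step d; an empty list means every existing event index has picked up the new limit, while any names it returns still need the Case 1 PUT.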
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.