
DO NOT REPRINT

© FORTINET

FortiSOAR Administrator
Study Guide
for FortiSOAR 7.3
Fortinet Training Institute - Library

https://training.fortinet.com

Fortinet Product Documentation

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Product Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Training Program Information

https://www.fortinet.com/nse-training

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Fortinet Training Institute Helpdesk (training questions, comments, feedback)

https://helpdesk.training.fortinet.com/support/home

4/21/2023

TABLE OF CONTENTS

01 Introduction to FortiSOAR 4
02 Device Management 65
03 System Configuration 127
04 High Availability 180
05 Searching, War Rooms, and Upgrading 230
06 System Monitoring and Troubleshooting 271
Introduction to FortiSOAR


In this lesson, you will learn what Security Orchestration, Automation and Response is, and how FortiSOAR
can help security operation center teams. You will also learn about FortiSOAR architecture and some initial
configuration.

FortiSOAR Administrator 7.3 Study Guide 4


In this lesson, you will learn about the topics shown on this slide.


In this section, you will learn about SOAR technology, and the importance of SOAR in a SOC environment.

By demonstrating competence in SOAR, you will be able to describe the basics of SOAR technology and
understand SOC maturity.


Gartner defines SOAR as technologies that enable organizations to take inputs from a variety of sources
(mostly from security information and event management (SIEM) systems) and apply workflows aligned to
processes and procedures.

Orchestration is the process of collecting data, which is usually alerts and incidents from different sources,
and performing various actions from one platform. Orchestration also helps you to streamline and optimize
frequently occurring processes and workflows.

Automation and orchestration are different, but related, concepts. Automation enables security teams to be
more efficient by reducing or replacing human interaction with IT systems, and instead using a centralized
platform to perform tasks in order to reduce cost, complexity, and errors. Automated workflows and responses
enable security teams to respond to security events automatically.

Incident response is an organized approach to addressing and managing the aftermath of a security breach or
cyberattack, also known as an IT incident, computer incident, or security incident. The goal is to handle the
situation in a way that limits damage and reduces recovery time and costs.

SOAR is the technology that can orchestrate data, automate workflows, and respond to incidents. All of that
can be performed from a single platform.


The majority of organizations juggle at least 50 discrete cybersecurity products at once, posing a threat to
data security, according to a new report from Oracle and KPMG. Keeping the security team up-to-date on all
the latest features and functions for different vendors is a challenge.

Based on market research, the incident management segment is projected to grow at a higher compound
annual growth rate than the network forensics segment. This will result in a very high volume of alerts and
incidents. Manually addressing every incident is not feasible for large organizations. The threat landscape is
evolving and attackers are more sophisticated than before. Responding to incidents manually can be slow,
which gives attackers the opportunity to breach other systems, a breach that could have been stopped
if the incidents had been resolved more quickly.

Cybersecurity has become a major priority for organizations looking to protect themselves against the
massive cost of data breaches, but there’s an international problem hindering that goal. There are millions of
cybersecurity positions open and unfilled around the world. Without trained security staff, organizations don’t
have the capability to deploy the right controls or develop security processes to detect and prevent
cyberattacks.


A security operations center (SOC) is a facility that houses an information security team responsible for
monitoring and analyzing an organization’s security posture on an ongoing basis. The SOC team’s goal is to
detect, analyze, and respond to cybersecurity incidents using a combination of technology solutions and a
strong set of processes. Security operations centers are typically staffed with security analysts and engineers
as well as managers who oversee security operations. SOC staff work closely with organizational incident
response teams to ensure security issues are addressed quickly upon discovery.

Security operations centers monitor and analyze activity on networks, servers, endpoints, databases,
applications, websites, and other systems, looking for anomalous activity that could be indicative of a security
incident or compromise. The SOC is responsible for ensuring that potential security incidents are correctly
identified, analyzed, defended, investigated, and reported.


Security and risk management leaders can improve the odds of selecting the right tool for the organization by
gaining consensus during a premortem analysis on what could go wrong, and which success metrics should
apply to a project. The premortem can also serve as an early-stage vehicle for collecting initial use cases and
requirements. Those can be further refined as part of the formal project definition and approval cycles.

As part of a project to bring tools into the SOC, a solid understanding of the scope, technologies being
considered, and affected processes is required. As your SOC team grows, you must consider the scope,
technology, and implementation requirements.


An organization building a SOC prioritizes technology purchases to get real-time monitoring capabilities in
order to better understand what is happening when observing the consequences of the event. This first level
of visibility, while potentially limiting the SOC to reactive activities, is necessary.

As the SOC matures and learns, it builds the processes to treat basic incidents, and starts to differentiate
event treatment based on their impact. Additional tools might help at this stage to speed up initial assessment,
with individual alerts being aggregated and augmented with additional context.

More mature organizations might need to strengthen their ability to perform root cause analysis of the incident
and elimination of the threat. You want to ensure that when you close an incident, the risk of recurrence is
correctly handled. After the end-to-end workflow itself becomes more refined, orchestration and other
productivity improvements will move the SOC forward.


Smaller or newly formed SOCs, or those that were previously outsourced where the technology was provided
by the provider, often start with FortiSIEM or log management solutions. This is necessary to start seeing
what is happening in the organization, leveraging logs from network and endpoint security controls already in
place, and possibly from other sources, based on criticality to the organization, for example, domain
controllers, critical applications, and other externally exposed assets.

The need to have a common repository of incidents could be addressed within a SIEM tool or within the IT
case management or service desk tool. You should consider using a security incident response platform
(SIRP) tool, or the SIRP capabilities of a FortiSOAR tool, if the incident and case management capabilities in
the FortiSIEM tool are not advanced enough, or there are security and privacy concerns with using the IT
service desk tool. Not every “greenfield” SOC will have the resources (budget, people, time) to implement
SIRP at the beginning, but you should strongly consider it at the start of instrumenting the SOC, rather than
trying to bolt it on later in the SOC building journey.

If security and privacy concerns make the IT service desk tool inappropriate, and if the preferred SIEM tool
lacks adequate case management capabilities, security leaders face an early maturity bottleneck. They must
consider a SIEM tool with more advanced case management capabilities, or leverage a SIRP tool or the SIRP
capabilities of a SOAR tool, which would normally be beyond their current maturity level.


This slide shows four key use cases in which FortiSOAR can help a matured SOC.

FortiSOAR provides a unified incident response management platform where incidents can be investigated
and remediated.

To avoid acting on false positives, alerts are triaged and verified as legitimate by automatically extracting
indicators and checking their reputation against threat intelligence platforms.

SOC optimization ensures that SOAR solutions enable security operations teams to automate the tiresome,
repetitive, and monotonous elements of their workflow that don’t depend upon human interaction. This takes
some of the pressure off security analysts, and frees them to focus on the day-to-day incident response and
bigger-picture cyber defense strategies.

Having a SOAR platform also helps SOC teams to collaborate with each other through a central platform
without relying on any external case management software.


Good job! You now understand SOAR.

Now, you will learn about SOC alert handling and triage.


In this section, you will learn how a SOC team handles alerts and the process of triage and escalation.

By demonstrating competence in SOC alert handling and triage, you will learn how a SOC team handles
alerts and the process of triage and escalation.


The SOC Automation Model is divided into three key areas: people, process, and product. Within each area,
an organization can be classified at a maturity level from 1-3, based upon their security posture in that area.
For example, an organization that is level 1 in all categories has a small IT team with no security staff
(people), best effort incident response playbooks (process), and no dedicated security solutions (product). At
the other extreme, an organization may have a large security team with experienced SOC analysts, well-
defined playbooks, and have not only deployed but also measured the effectiveness of their SIEM and SOAR
solutions.

At Level 1: Achieve Visibility Leveraging Security Fabric Analytics

At Level 1 of the SOC Automation Model, a security team has no dedicated security personnel or processes
for addressing potential incidents.
Additionally, the average enterprise receives more than 10,000 alerts per day, meaning that SOC analysts are
overwhelmed and have little time for identifying and remediating true threats to the network. Without dedicated
solutions, an organization’s security team lacks visibility into potential threats to their network. The team must
manually collect and correlate all log data before they can analyze it. Many level 1 SOCs lack the knowledge
or the resources to identify true threats, leaving the organization at risk. FortiAnalyzer is an easy-to-deploy
solution for centralizing visibility and threat detection across an organization’s entire Fortinet Security Fabric,
including both on-premises and cloud deployments. FortiAnalyzer correlates log data from multiple Fortinet
devices, providing valuable context to security analysts. By analyzing this data using machine learning (ML)
and indicators of compromise (IOCs) provided by a global threat-intelligence feed, FortiAnalyzer can help
even the smallest security team to pinpoint and rapidly respond to threats within their network.


At Level 2: Enhance Multivendor Visibility With SIEM, the average enterprise has 75 different point security
solutions deployed on their network. While each of these solutions provides valuable intelligence about
potential threats to the organization’s network, they often lack the context required to differentiate between a
true threat and a false positive. Additionally, an array of standalone security solutions makes it difficult to
enforce consistent security policies and maintain compliance with strict new data protection regulations, such
as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act
(CCPA). A SIEM system is the logical solution to the security complexity caused by a multivendor
environment. A SIEM solution ingests data collected from products created by multiple different vendors and
performs automated correlation and analysis to provide a clearer picture of the overall status of the protected
environment. FortiSIEM allows security teams to map operations to industry best practices and security
standards, such as those published by the National Institute of Standards and Technology (NIST) and the
Center for Internet Security (CIS). In this way, FortiSIEM expands on the visibility that FortiAnalyzer brings to
the Fortinet Security Fabric.


At Level 3: Incorporate Automated Response With SOAR, the cyber-threat landscape is accelerating as cyber
criminals increasingly rely upon automation to speed up their attacks. While single-pane-of-glass visibility
speeds up the rate at which a security team can identify a potential threat, a reliance on manual incident
response processes means that defenders will always be a step behind the attackers. SOAR solutions enable
an organization’s security team to leverage automation to speed up incident response. By creating an
automated framework to tie together an organization’s complete security architecture, defensive actions can
be taken by multiple different systems in concert. This minimizes the context switching required of security
personnel, decreasing alert fatigue and speeding incident response. FortiSOAR also enables an organization
to optimize its security processes by leveraging well-defined security playbooks. By automating repetitive
tasks and responses to common threats, FortiSOAR enables a security team to focus their efforts and limited
resources on higher-level tasks.


A level 1 analyst is the front line responder to an alert. FortiSIEM or FortiSOAR could receive an alert
depending on the way the log forwarding is set up in your infrastructure. The task of a level 1 analyst is
usually to investigate and triage an alert. If you already have established techniques or procedures on
FortiSIEM or FortiSOAR, then a level 1 analyst could automate some aspects of the investigation, such as
reputation lookups for IOCs, using playbooks on FortiSOAR or automation scripts on FortiSIEM.

If the alert is not a valid threat, then the analyst can close it as a false positive. Otherwise, the analyst can
open an incident or a case. On FortiSOAR, you can run a playbook to remediate the incident, if a playbook is
available, and then close the incident. If a playbook remediation is not available, then you can escalate the
incident to a level 2 analyst.


A level 2 analyst investigates the incident using established techniques or procedures. A key role of a level 2
analyst is to investigate an incident through manual methods and use playbooks wherever possible. If the
incident is not a threat, then the analyst can close it. Otherwise, they can move the incident to the remediation
stage. The level 2 analyst determines if a remediation playbook is available for the incident, and runs
the playbook against the incident. If an appropriate script is available, then the analyst can also remediate an
incident from FortiSIEM. After an incident is remediated, the analyst updates the knowledge base within
FortiSOAR, documents the incident, and closes it.

If the analyst is unable to remediate the incident using a playbook or through FortiSIEM, then the analyst must
determine if they can resolve the incident manually. After performing manual remediation, the analyst must
update the knowledge base, document the case, and flag the case for a possible playbook in the future.

If the level 2 analyst cannot remediate the incident, then they can escalate the case to a level 3 analyst.


The level 3 analyst takes ownership of the escalated incident and performs further advanced manual
investigation, in addition to all the investigation already done by the level 1 and level 2 analysts. If the threat
is not valid, then the case is documented and closed. If the threat is valid, then the level 3 analyst performs a
manual remediation of the incident.

The remediation could involve follow-up work such as updating FortiSIEM rules, updating firewall policies,
patching all endpoints, and so on. The level 3 analyst will then decide if there is a known technique or
procedure to resolve such an incident, either manual or through a playbook. If there is a known procedure,
then the case is documented and closed. If there is no known procedure, then the analyst will update the
knowledge base, review the procedure with an architect and update the procedure to resolve such incidents.

FortiSOAR case logs provide a record for process updates. The review process also involves developing a
new playbook, if required, so that such incidents can be automatically remediated by the playbook for future
occurrences of such incidents. After the review process is complete, the case can be documented and closed.
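The three-tier handling flow described on the preceding slides, as an added Python model (example code, not FortiSOAR's own playbook engine): the reputation table, the playbook catalogue, the internal address ranges and the sample alert text are all constructed for illustration.

```python
"""Tiered alert triage model, added to illustrate the L1/L2/L3 workflow in
the FortiSOAR study guide. Example code, not FortiSOAR's playbook engine."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed reputation table standing in for a threat intelligence platform.
MALICIOUS_HASH = "0123456789abcdef" * 4  # constructed SHA-256 value
THREAT_INTEL = {
    "203.0.113.45": "malicious",
    "evil-updates.example": "malicious",
    "198.51.100.7": "suspicious",
    MALICIOUS_HASH: "malicious",
}
# Constructed playbook catalogue (incident category -> remediation playbook).
# No playbook exists for malicious hashes, so that path exercises escalation.
REMEDIATION_PLAYBOOKS = {
    "malicious_ip": "Block IP on FortiGate",
    "malicious_domain": "Sinkhole domain on DNS filter",
}
# Internal ranges whose addresses carry no useful external reputation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)


@dataclass
class TriageResult:
    status: str                      # closed_false_positive | remediated | escalated
    tier: int                        # analyst tier that made the final decision
    indicators: dict[str, str] = field(default_factory=dict)  # indicator -> verdict
    actions: list[str] = field(default_factory=list)          # case log / audit trail
    flag_for_playbook: bool = False  # manual fix worked: candidate for a new playbook


def extract_indicators(text: str) -> set[str]:
    """Pull external IPv4 addresses, domains and SHA-256 hashes out of alert text."""
    found: set[str] = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matched the regex but is not an address
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            found.add(candidate)
    found.update(d.lower() for d in DOMAIN_RE.findall(text))
    found.update(h.lower() for h in SHA256_RE.findall(text))
    return found


def enrich(indicators: set[str]) -> dict[str, str]:
    """Level 1 automation: reputation lookup for every extracted indicator."""
    return {i: THREAT_INTEL.get(i, "clean") for i in sorted(indicators)}


def classify(verdicts: dict[str, str]) -> str | None:
    """Incident category from the first malicious indicator; None if there is none."""
    for indicator, verdict in verdicts.items():
        if verdict != "malicious":
            continue
        if IPV4_RE.fullmatch(indicator):
            return "malicious_ip"
        if SHA256_RE.fullmatch(indicator):
            return "malicious_hash"
        return "malicious_domain"
    return None


def triage(alert_text: str, l2_manual_fix: bool = False) -> TriageResult:
    """Run one alert through the tiered workflow. l2_manual_fix models whether the
    level 2 analyst can resolve the incident by hand when no playbook exists."""
    verdicts = enrich(extract_indicators(alert_text))
    result = TriageResult(status="", tier=1, indicators=verdicts)
    category = classify(verdicts)
    if category is None:
        if "suspicious" in verdicts.values():
            # Automation cannot decide: L1 opens an incident and hands it to L2.
            result.tier, result.status = 2, "escalated"
            result.actions.append("L1 escalated to L2 for manual investigation")
        else:
            result.status = "closed_false_positive"
            result.actions.append("L1 closed alert as false positive")
        return result
    result.actions.append(f"L1 opened incident ({category})")
    playbook = REMEDIATION_PLAYBOOKS.get(category)
    if playbook:  # remediation playbook exists: run it and close at level 1
        result.actions += [f"L1 ran playbook '{playbook}'", "L1 closed incident"]
        result.status = "remediated"
        return result
    result.tier = 2
    result.actions.append("L1 escalated to L2: no remediation playbook")
    if l2_manual_fix:  # manual fix worked: document it and flag for a new playbook
        result.actions.append("L2 remediated manually, updated knowledge base")
        result.status, result.flag_for_playbook = "remediated", True
        return result
    result.tier, result.status = 3, "escalated"  # L3 owns advanced investigation
    result.actions.append("L2 escalated to L3 for manual remediation and review")
    return result
```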


A level 3 analyst must follow specific protocols while developing a new technique or procedure. The analyst
must first identify the threat. Once it is identified, the analyst must mitigate the risk of exploitation. If
possible, the analyst should try to patch any vulnerable systems, or block any indicators of compromise.

While conducting a thorough investigation, the analyst should be able to identify the indicators of
compromise involved. Based on that investigation, the analyst should build SIEM rules or SOAR playbooks so that
such incidents can be identified and the indicators can be enriched.

The analyst’s next task is to remediate the incident automatically through FortiSIEM remediation scripts, or
develop playbooks on FortiSOAR for automatic remediation.

Finally, the analyst must carefully study the impact of remediation on services and networks. Often, a poorly
developed playbook could cause self-inflicted issues, such as bringing down servers or critical network
infrastructure.


Good job! You now understand SOC alert handling and triage.

Now, you will learn about FortiSOAR architecture.


In this section, you will learn about FortiSOAR architecture, and various platforms on which you can install
FortiSOAR.


In an enterprise architecture, there is one single instance of FortiSOAR. You can ingest data using connectors
into FortiSOAR from various devices in your infrastructure. When available, it is recommended that most logs
be sent through the SIEM, rather than through direct connectors. This ensures the SIEM is a central point of
log aggregation and can be used for analytics and reporting.

After you integrate your FortiSIEM, or any other SIEM solution, with FortiSOAR, incidents generated by
FortiSIEM are ingested by FortiSOAR. Every incident that is sent from FortiSIEM to FortiSOAR is a unique
record on FortiSOAR. You can run remediation playbooks from FortiSOAR against those incidents, and
perform remediation action on the target devices. For example, if the logs that are sent by FortiGate to
FortiSIEM generate an incident that indicates an external malicious actor is trying to access corporate
resources, then FortiSOAR evaluates that incident and rates that external IP against various threat
intelligence platforms. If the IP is malicious, then you can run a remediation playbook to take action against
that IP address. In the scenario shown on this slide, the solution is to block that IP on the FortiGate firewall.
The playbook can automatically log in to FortiGate and put that IP on the quarantine list for an indefinite period
of time.


In the case of a shared tenancy model, tenants share the same system as the primary device; tenants are
local, but with restricted access on the system. The SOC team provides cybersecurity monitoring and
management to various tenants in a single FortiSOAR instance. The shared tenancy model ensures that the
data belonging to different tenants is segregated, and data access is controlled using RBAC. Therefore, a
tenant can view only their own data or record, and not the data of other tenants.

You can give each tenant their own login, which they can use to view their dashboards and reports, check the
actions taken on their records, check their SLA management, and so on.


In the case of a distributed tenancy model, the tenant node instance of FortiSOAR is remote and every tenant
has their own instance of FortiSOAR. The primary FortiSOAR node resides at the MSSP location and
communicates with the tenant node through a secure channel. Tenant data remains in the tenant
environment, and they control how much data they want to share with the primary node. All sensitive
information stays with the tenant node. Since the actual workflow execution happens at the tenant node itself,
the primary node requires only the summary of information to help identify what investigations should run. The
primary node pushes any action that needs to be executed to the tenant node. Similarly, any playbook that
needs to be executed is pushed by the primary node to the tenant node.

You can choose to deploy a dedicated secure message exchange server by specifying that option when using
the regular FortiSOAR virtual appliance installer. Alternatively, you can enable the embedded secure
message exchange server available on every FortiSOAR node. For a production environment, it is
recommended to use an external secure message exchange server for improved scalability and availability.


In a multi-tenant hybrid model, the MSSP’s primary node centrally manages some customers. If the customer
is managed by the primary node, then there is no requirement for a tenant node for that customer. However,
you can also set up other customers who use a distributed method for the same primary FortiSOAR node. For
those customers, you must install a tenant node.


FortiSOAR supports HA clusters that you can deploy in both active-passive and active-active configurations.
You can configure FortiSOAR with either an externalized PostgreSQL database, or an internal PostgreSQL
database. For both, you can configure active-active or active-passive HA clusters. One FortiSOAR cluster can
have only one active primary node. All the other nodes are either active secondary nodes or passive nodes.


A key element of the FortiSOAR architecture is its form factor. FortiSOAR is available as a virtual instance
and comes as a 64-bit, hardened, Rocky Linux virtual machine that is preconfigured and pre-installed with
FortiSOAR. All you have to do is import the virtual instance into your preferred environment.

Instead of deploying a virtual instance, you can also self-install FortiSOAR on a Rocky Linux or RHEL
operating system. Prior to 7.3.0, you could install FortiSOAR on the CentOS platform. However, because
CentOS has announced its end-of-life cycle, FortiSOAR now requires Rocky Linux 8.6 or RHEL 8.6.


A major benefit of the FortiSOAR form factor is its scalability. If your company grows, and you start sending
more data to FortiSOAR than what it was initially configured to handle, you can upgrade the VM and add more
resources. It’s easy to add CPUs, memory, and even storage to VMs. There are no charges or fees from
Fortinet, unlike some vendors that charge by the number of CPUs used. The minimum hardware
requirements for one instance of FortiSOAR are 8 vCPU, 20 GB of RAM, and 500 GB of storage. The
recommended hardware requirements for one instance of FortiSOAR are 8 vCPU, 32 GB of RAM and 1 TB of
storage.

There are no size limits for the records database, and no charges or fees for storing months’ or years’ worth of
data. That is important to note when considering compliance reporting, as PCI or HIPAA requires that you
store a year’s worth of data in order to provide appropriate audit reports. It is very easy to determine how much
storage you will need.


FortiSOAR Cloud is a service subscription aimed at easing deployment, management, and scaling. You can
access the FortiSOAR Cloud interface through the FortiCloud Services menu.

To provision a FortiSOAR Cloud instance, you must have a FortiCloud account in addition to a FortiCloud
Premium subscription and a FortiSOAR Cloud Entitlement license. If either license expires, you have a 30-day
grace period to remedy the situation before the cloud portal shuts down the instance.

Only one FortiSOAR instance can be created per FortiCloud account. You can choose which region to deploy
your instance in, but you cannot migrate the instance to a different region later. The primary account holder
can create secondary account holders with permissions to the account and the FortiSOAR cloud instance.

After the instance has been provisioned, you can access it by using the web interface or the SSH console.
The instance also contains an embedded secure message exchange, set as the cloud instance address
running on TCP port 5671. From the FortiSOAR Cloud portal’s interface, you can also reboot and manage
snapshots of the instance.


Good job! You now understand FortiSOAR architecture.

Now, you will learn about FortiSOAR initial configuration.


In this section, you will learn about FortiSOAR deployment, licensing, and configuration options that will help
you get FortiSOAR up and running.

By demonstrating competence in FortiSOAR initial configuration, you will learn about FortiSOAR deployment,
licensing, and configuration options that will help you get FortiSOAR up and running.


This slide shows a high-level view of the initial deployment methodology of FortiSOAR.

The planning process involves the following tasks:


• Complete site preparation, including hardware and resources for the VM
• Download the FortiSOAR VM

The deployment process involves the following tasks:


• Import the FortiSOAR VM to the ESXi server
• Run the FortiSOAR configuration wizard
• License FortiSOAR using the License Manager
• Configure optional settings, such as editing the VM resource configuration and changing the default
database password for FortiSOAR

The configuration process involves the following tasks:


• Configure SMTP using the SMTP connector
• Point the ntpd service to a valid NTP server
• Set up a proxy server to handle all outbound requests from FortiSOAR
• Configure data encryption keys
• Create users, teams, and roles


The recommended hardware requirements for the FortiSOAR VM are 8 vCPUs, 32 GB RAM, 1 TB disk, and
one virtual NIC. The storage required depends on the environment, specifically how many records are
expected, and how extensive logging is. You can install the FortiSOAR VM on VMware ESXi 5.5 or higher.
You can also install the VM on Amazon Web Services, Red Hat KVM, or Docker, or have it hosted on FortiCloud.
For inbound networking, ensure that port 22 and port 443 are enabled within the VM network. For FortiSOAR
to correctly interact with your network, you must provide access between the FortiSOAR VM and the third-
party products and services configured within your network. To accomplish this, enable the ports shown on
this slide for SSH, SMTP, DNS, and HTTPS access.


The first step to deploying a FortiSOAR VM is to select the appropriate hypervisor. After deploying the VM,
run the configuration wizard to change the host name, configure a proxy, update the network configuration,
generate certificates, generate the device UUID, reset database passwords, restart services, configure the
default HA cluster, and install Python libraries. You can edit the VM resource configuration to determine if you
would like to use a static or dynamic IP.

Determine the type of license that you would like to install. Provide the FortiSOAR UUID while registering the
FortiSOAR instance on FortiCare. You must be logged in as a root user to retrieve the UUID from FortiSOAR.
Download the license from FortiCare and upload it to FortiSOAR through FTP. Ensure that you have
connectivity to globalupdate.fortinet.net. Deploy the license as an enterprise or a multi-tenant
edition.

Now, you should be able to access FortiSOAR through the GUI using the IP that you configured while running
the configuration wizard to go through an initial setup.

It is highly recommended that you confirm the SOAR Framework Solution Pack is installed and up-to-date in
the environment. By default, the solution pack is installed in new 7.3.0 installations, but it can be skipped. This
solution pack contains essential elements for effective incident response, including modules, dashboards,
roles, and widgets.


FortiSOAR enforces licensing and restricts the use of FortiSOAR by specifying the following:
• The maximum number of active users in FortiSOAR at any point in time
• The type and edition of the license

There are two main variations of license editions: Enterprise and Multi-tenant. The enterprise edition enables
a regular enterprise production license.

With multi-tenant licensing, there are three different editions.


• MT, which enables multi-tenancy where both shared and distributed multi-tenancy are supported. The
instance where this license is deployed would serve as a primary node in a distributed deployment.
• MT_Tenant, which enables the node as a tenant in a multi-tenant deployment. This is the license to be
deployed for a customer node of a Managed Security Services Provider (MSSP). You can configure the
node as a tenant to the MSSP server for syncing data and actions to and from the MSSP primary server.
• MT_RegionalSOC, which enables the node as a regional SOC deployment at an organization with a
distributed SOC. It is enabled as a complete SOAR platform by the regional SOC team. At the same time,
you can configure it as a tenant to the global SOC where the MT license is deployed, and sync data and
actions from the Global SOC FortiSOAR server.

7.3.0 also introduces a new licensing option that provides full access to FortiGuard threat intel feeds. It
includes an extensive dataset comprising IP addresses, URLs, domains, and malicious hashes curated by
FortiGuard security experts.


The FortiSOAR license can be of the following types:


• Perpetual: This type of license provides you with a license for an unlimited time for FortiSOAR.
• Perpetual (Trial): This type of license provides you with a free trial license for an unlimited time for
FortiSOAR, but in a limited context. There are restrictions on the number of users and actions that can be
performed in FortiSOAR in a day. By default, this license is an enterprise type license and is restricted to
three users using FortiSOAR for a maximum of 200 actions a day.
• Subscription: This type of license is a regular license that gives you subscription to FortiSOAR for a
particular number of users and a specific timeframe. You can renew your subscription and change the
number of users as per your requirements. FortiSOAR will synchronize with the FDN server and retrieve
the latest subscription.
• Evaluation: This type of license allows you to evaluate FortiSOAR. The evaluation license is shipped with
a predefined user count and expiry date.


You must use the SMTP connector to receive any system or email notifications, including requests for
resetting passwords. The SMTP connector is part of a number of pre-installed connectors or built-ins that are
included with FortiSOAR. By default, the SMTP connector is configured to use FortiSOAR as an SMTP relay
server.

The FortiSOAR Configuration Wizard is available only on the first SSH login. If, at a later stage, you need to
change the hostname of your FortiSOAR VM, then you can use the FortiSOAR CLI to change the hostname.

FortiSOAR ships with a self-signed certificate. Replace the self-signed certificate with a certificate signed by
your own CA before you put the system into production.

FortiSOAR records each workflow action and audits every important activity such as logins, and the creation,
updates to, and deletion of records. These generate a large volume of data, which might not be useful after
some point in time. Therefore, you must configure a purge schedule for both these logs as per the
organization's retention policy. This will help keep the disk usage for these logs constant over time. The
Playbook Execution History data is significantly large, so it is very important that you schedule a purge of
these logs at regular intervals.


The system comes with the default username csadmin and password changeme. It is highly recommended
that you change the username and password after you log in for the first time.

You should set up thresholds, schedules, and notifications to effectively monitor various FortiSOAR system
resources, such as CPU, disk space, and memory utilization, and status of various FortiSOAR services.

You can configure FortiSOAR with either an external PostgreSQL database or an internal PostgreSQL
database. In both cases, you can configure active-active or active-passive high availability clusters.

You must stop and start the FortiSOAR services in the following cases:
• Updating or upgrading the SSL certificates
• Post-update, if playbooks are not working as expected
• Post-reboot, if the FortiSOAR platform is not working as expected



Good job! You now understand FortiSOAR initial configuration.

Now, you will learn about FortiSOAR overview.


In this section, you will explore some of the important features of FortiSOAR, and how a SOC can mature by
using FortiSOAR.


When you escalate an alert on FortiSOAR, it becomes an incident. Every incident on FortiSOAR can be
considered as a ticket that an analyst will need to work on until they close the incident.

The FortiSOAR queue management feature provides you with an overview of the work that must be
completed and enables you to assign pending work to users. You can also reassign assignments in case of
absence or analyst shift changes.

Administrators can create applicable dashboards throughout the platform. The dashboards are assigned to
users based on their roles. For example, you can create a dashboard that displays alerts that are severity
critical and high, and then assign them to users who have the role of handling alerts. Users then can prioritize
their work by looking at their dashboard.

FortiSOAR gives you the option to assign levels of accessibility to users using role-based access control
(RBAC) combined with team membership. You can grant users access to specific modules in FortiSOAR
based on their role permissions. Users exercise their permissions in conjunction with their team membership.


The Content Hub is an all-new central repository for connectors, widgets, and solution packs, equipped with a
searchable, filter-friendly interface. The Content Hub’s data is synchronized from the FortiSOAR repository
every hour to ensure the content is up-to-date. Prior to 7.2.0, connectors and widgets were managed using
different stores.

To view the hub, you must have at least read permissions on the Content Hub and Applications modules.
To work with add-ons, such as solution packs, widgets, or connectors, ensure the administrator has the
required permissions for each respective module.

The Content Hub is accessible both as a public-facing page at the URL listed on this slide, and within the
FortiSOAR GUI itself.


The SOAR Framework Solution Pack is the foundational solution pack that creates the framework, including
modules, dashboard, roles, and the widgets required for effective day-to-day operations of any SOC. The
Incident Response modules have been moved to the solution pack, making it essential for users to install it
to optimally use and experience FortiSOAR incident response.

This solution pack installs several modules, such as alerts, incidents, and indicators, along with corresponding
playbooks, dashboards, reports, and widgets. This makes it a comprehensive solution and provides a fully
functional incident response platform augmented by automation and threat intelligence.

The screenshot included in this slide shows the contained contents of the solution pack, including the roles,
playbooks, and connectors.

Note that the solution pack is installed by default with new installations of FortiSOAR. However, you may need
to install this solution pack on upgraded FortiSOAR nodes.


Alerts can be created manually, through playbooks, or ingested into FortiSOAR through a connector. When an
alert is ingested, FortiSOAR can check to verify if the alert is a false positive or not. If the alert is a false
positive, then the alert is cleared. An alert can also be cleared after it’s resolved by an analyst, or after it’s
resolved automatically through a playbook execution.

If the alert is legitimate, then an analyst can escalate the alert to an incident. After the alert becomes an
incident, then a senior analyst could be assigned to that incident and the analyst could clear the incident after
investigation. An analyst can run more playbooks against the incident to enrich the indicators, or fetch more
information about the incident from various threat intelligence platforms. New tasks can be created for the
incident and they could be assigned to an analyst for decision making.


In FortiSOAR, you can escalate an alert to an incident. A FortiSOAR incident usually contains multiple alerts
that are linked to each other, and to the incident. This allows FortiSOAR to convey the complexity of a security
incident that has many stages.

After FortiSOAR runs specific playbooks over an alert, it may extract indicators, which are objects FortiSOAR
extracted from various fields of a record. For example, an indicator can have an associated reputation while a
field cannot.

An incident contains various response phases. An analyst works through these phases as they resolve an
incident. From an incident, you can assign tasks to an analyst to resolve a particular issue related to the
incident, such as blocking an IP address. The audit log helps you keep track of the incident’s history. The
comments section is used to track all comments made by an analyst or comments generated by the playbook.


The Queue & Shift Management interface is an intelligent, automated assignment solution based on queues
and shift spreads.

The Queue Management tab allows you to manage queues. You can use the configuration wizard to create
new queues, define which record types are associated with the queues, what conditions need to match, who
to assign to the queues, and which assignment methods to use.

Queues provide managers with a view to see what their resources are working on, how many tasks are
pending, and then decide if any tasks need to be reallocated.

Queues provide users with a view that shows them what tasks have been assigned, how many of them are
pending, and what the priority of the tasks are.

The Shift Management tab allows the generation of shift rosters with shift leads and team members. By
leveraging queues and shifts together, FortiSOAR has the ability to manage shift handover processes.
Records are assigned to individual users within a queue, and you can enable shift-based assignment to
assign them to only users who are working.

The Queue & Shift Management interface has replaced the Queue Management interface that was present
in previous releases of FortiSOAR. The previous Queue Management interface did not support automated
record assignments.


A dashboard is the default landing page that a user sees after logging in to FortiSOAR. You can
create personalized dashboards based on roles. Customizations that you make to your own dashboards are visible
and applicable only to you. Updates that administrators make to a dashboard, including adding and removing
widgets, apply to all users who are assigned that dashboard.


FortiSOAR allows you to easily set up reporting. You have the option to use the default report templates, edit,
or create your own. Additionally, you can schedule reports, view historical reports, and also search for text in
the report PDF. Click the View button to generate a preview of the report and have the opportunity to fine tune
your reports prior to scheduling them.

These screenshots show the Reports interface, and an example of the customizations available for creating
reports.


In FortiSOAR, teams and roles are closely aligned with a data table design.

Teams own specific records, which are rows in a table. In other words, teams define ownership of discrete
records within the database. A record can have more than one team owner. Users can also belong to multiple
teams, thus allowing them to access records owned by their assigned teams.

Roles, on the other hand, govern permissions on the columns within that table, centered around create, read,
update, and delete (CRUD) permissions. Users’ access to different parts of the FortiSOAR platform are
dictated by their effective permissions, which are a combination of all their roles’ permissions. For example, a
user without the proper permissions may not be able to see some features in FortiSOAR, or a user can see
records for a module, but does not have access to modify them.


You can use the following tips to make it easier to work with playbooks and playbook steps in the playbook
designer:
• You can activate or deactivate a playbook
• You can select a step by clicking while holding CTRL; to select all the steps, press CTRL+A
• You can drag and drop multiple selected steps
• You can copy multiple selected steps by pressing CTRL+C or copy all the steps by pressing CTRL+A and
then pressing CTRL+C
• You can paste the copied steps into a different playbook by pressing CTRL+V
• You can delete a step or multiple steps by selecting the steps and pressing Backspace or Delete
• You can save versions of a playbook that you are creating or updating; using versioning, you can keep
multiple versions of the same playbook
• You can revert the current playbook to a particular saved version, which makes working in playbooks safer


You can connect playbook steps or remove the connection between playbook steps. To connect a playbook
step, use the connection points that appear when you hover over a playbook step. Select a connection point
and drag and drop the arrow connector on the step you want to connect.

At the core of playbooks are steps. Steps represent discrete elements of data processing during the course of
the playbook. You can link steps together in sequences to determine the flow of the playbook, starting from
the trigger. Use the core steps to create and update records. Use the evaluate steps to make decisions, or to
pause the playbook for manual input or approval from an analyst. Use connector, utility, and code snippet steps
to execute actions on a device. You can also call child playbooks using the reference playbook step.


This slide shows all the playbook steps that you can use while configuring a playbook. The steps are broadly
placed into five different categories. Use the core steps to create, find, or modify an alert, incident, task, or
other item in the FortiSOAR database. Use the evaluate steps to make a logical decision, get approval, take
manual input from the user, or otherwise affect the logical flow of the playbook. Use the execute steps to take
an action, such as run the connector function or execute dozens of built-in utilities. Use the reference steps to
refer to child playbooks from parent playbooks.


Use connectors to send and retrieve data from various third-party sources. Using connectors, you can
interface to external cybersecurity tools, and perform various automated interactions using FortiSOAR
playbooks. FortiSOAR has already developed a number of connectors that can be used to integrate with a
number of external cyber security tools like SIEMs, such as FortiSIEM, and ticketing systems, such as Jira.

You can use connectors in playbooks for various action-related tasks, such as getting an object from a firewall
device, blocking an IP address on a firewall, disabling an account on Active Directory, getting data for
enrichment of an indicator, and so on.

FortiSOAR also enables administrators to develop custom connectors. You can create your own connector or
edit an existing connector as per your requirements, using the Connector Wizard present in the FortiSOAR
GUI.


The Help feature contains the Knowledge Center, which is the FortiSOAR product documentation, along
with tutorials and examples, to help you work effectively with FortiSOAR.

There are also additional modules that hold data for physical security events, compliance, fraud, and threat
intelligence.

You can also click on User Community to access the FortiSOAR community. From there, you can ask
questions, help other FortiSOAR users, access the knowledge base, and more.



Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to deploy FortiSOAR and configure its
initial settings. You also learned about various key features of FortiSOAR, and how these features can help a
SOC mature and reduce the alert fatigue of SOC analysts.


Device Management


In this lesson, you will learn how to configure roles and teams, explain team hierarchy, and add, delete, and
manage users and user permissions. You will also learn how to configure and manage SLA templates, and how to
back up and restore the FortiSOAR configuration files.


In this lesson, you will learn about the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in configuring and managing teams and team hierarchies, you will be able to
ensure administrators are operating within their assigned roles, thereby implementing the principle of least
privilege, and mitigating risk to your organization.


In FortiSOAR, users’ levels of accessibility are derived from a combination of roles and team memberships.
You can grant access to specific modules on FortiSOAR to users based on their role permissions. Users
exercise their permissions in conjunction with which team or teams they belong to. Appliance users are also
governed by the same authorization model.

The security model within FortiSOAR achieves the following four essential security goals:
• Grants users the level of access necessary based on your desired organization structure and policies
• Supports sharing of data for collaboration while still respecting your team boundaries
• Supports data partitioning and prevents users from accessing data that is not explicitly meant for them
• Restricts external applications and scripts (appliances) from using the API beyond the requirements for
accomplishing the desired RESTful actions


Use the Teams menu to add new teams and edit user membership, in bulk, within each team. You can also
define membership within teams on an individual basis, using the individual user or appliance profile.

By default, FortiSOAR has at least one team in place after installation, the SOC Team. It is recommended that
you do not modify or delete it and, instead, add new teams, as per your requirements. There is no limit to how
many teams you can have in the system. Teams do not necessarily have to represent a specific team within
your organization, but instead, teams represent a group of users who own a set of records. In this way, you
can think of teams as row ownership within a table. The records are rows, and at least one team must own
that row.

Note that whenever you add a new team, you must update the playbook assignment. Playbook is the default
appliance in FortiSOAR that is included in a new team. Only a user with create, read, update, and delete
access to the Appliances module can update the playbook assignment, to ensure that the appliance has the
necessary role to perform data read or write to modules. If the playbook does not have appropriate
permissions, then it fails.


Teams govern record ownership within the FortiSOAR security model, and team hierarchy reflects how team
ownership relates between discrete teams. You can use the Team Hierarchy editor to define team
relationships in accordance with each team’s relationships with other teams in the system. The table on this
slide shows the possible team relationships.

This model helps to support more advanced team relationship use cases, such as allowing for internal
investigations among existing users without alerting the user and providing legal personas with their own
permissions during incidents.

Records created by nth level of team hierarchy are visible to parent teams. For example, records owned by
grandchildren teams are visible to the grandparent teams.

However, if two teams are children of the same parent, this does not mean that the children are siblings to
each other. If you want them to be siblings, then you must explicitly define them as siblings. Similarly, if a
team has a parent defined, adding a sibling to it does not create a parent-child relationship between the parent
and the new team.


In the example shown on this slide, the US Analysts team is the team in focus. All other teams are displayed
in relation to the US Analysts team.

The SOC Team is the parent of US Analysts. There are two explicitly defined siblings: France Analysts and
Australia Analysts. US L1, US L2, and US L3 are children of US Analysts.

Note that the team in focus must always be at the sibling level in order to map relationships from its
perspective.

In this lesson, this same hierarchy will be used to demonstrate how records are shared across teams with
relationships.


The Team Hierarchy editor is built to centralize around one team at a time. You can define how that team
relates to all other teams in the system. The central team is referred to as the team in focus.

The Team Hierarchy editor has the All Teams menu and three sections used to define the three relationship
types: Parents, Siblings, and Children. To edit the relationships of any team, you must first bring that team
into focus. To bring a team into focus, you can drag and drop that team to the Drag team here to edit area or
double-click that team’s title in the All Teams menu.

To reset the team in focus, click on Revert. Note that changes are in staging until the settings are saved, so
they will be lost if you click on Revert and if you do not click on Save first.


In the example shown on this slide, the US Analysts team is the parent of US L1, L2, and L3. The SOC
Team is the parent of the US Analysts team. Australia Analysts and France Analysts are its siblings.

To summarize the relationships and ownership:


• Members of the US Analysts team and the SOC Team can act on records of the US L1, L2, and L3 teams
as if they are a member of those teams.
• Members of the SOC Team cannot act on records of Australia Analysts team and France Analysts team
unless there are explicit parent-child relationships. Merely being a sibling of US Analysts does not build
that relationship for them.
• Members of the Australia Analysts team and France Analysts team can act on US Analysts records
due to their sibling relationship.
• Members of the Australia Analysts team and France Analysts team cannot act on records owned by
SOC Team or US L1, L2, and L3.
• Members of the US L1, L2, and L3 teams cannot act on records of any other teams except their own. Note
that they are also not siblings by default even though they share the same parent in US Analysts. The
sibling relationship requires changing the team in focus to one of them and explicitly defining the siblings.

On the left panel are teams unassociated with the US Analysts Team, which means that the SOC Team is
isolated from all the Fraud team’s records and vice versa. If the Fraud team were related to the SOC Team,
you would have seen the relationship in one of the sections on the right.

The exception to this is if the Fraud team is a child of US L1, L2, or L3. In that case, the SOC Team would
also be able to access Fraud team’s records because it would be the great grandparent of the Fraud team
through its parent-child relationship with US Analysts.


This slide shows a different team in focus, the US L1 team. It only has one defined relationship. The US
Analysts team is its parent team, a relationship shown on the previous slide. However, beyond that parent-
child relationship, no other relationships are seen, including to US L2 and L3.

To summarize the relationships in this view, the US L1 team:


• Can only act on its own records
• Has a parent in US Analysts
• No default siblings
• No default children


This slide shows a third team in focus, the US L2 team. There are two relationships – US Analysts as a
parent, and US L3 as a sibling. Note that US L2 and US L3 are explicitly configured as siblings, but US L1 is
not configured as a sibling.

To summarize the relationships in this view, the US L2 team:


• Can act on its own records and US L3’s records
• Has a parent in US Analysts
• Has no children


This slide shows a fourth team, the Australia Analysts team. There are two relationships: US Analysts as a
sibling, and New SOC as a parent. The US Analysts team is an explicit sibling, as shown on the slide when
the US Analysts team was the team in focus.

However, you can see that France Analysts is not a sibling in relation to Australia Analysts, even though
both teams are siblings of US Analysts. You can also see that Australia Analysts has a different parent
from US Analysts.

To summarize the relationships in this view, the Australia Analysts team:


• Can act on its own records and on US Analysts’ records
• Has a parent in New SOC, which can act on its records
• Has no children



Good job! You now understand security management.

Now, you will learn about user and role configuration.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in configuring and managing roles and users, you will be able to ensure
administrators are operating within their assigned roles.

Roles define what users can do with data: each role is a set of create, read, update, and delete (CRUD)
permissions on the modules in the system. Note that you must be assigned a role that has CRUD permissions
on the Security module to be able to add, edit, and delete teams and roles.

Use the Roles menu to create and define roles within the system. A role is built from the CRUD permissions
you define across all modules. You can assign roles only in the User or Appliance profiles; there is no bulk
role assignment.

FortiSOAR also applies RBAC to playbooks. For example, for users to run playbooks, you must assign them a
role that has execute permission on the Playbooks module. Users who do not have execute permission are not
shown the execute action for module records. Execute actions include Escalate, Resolve, and any other action
that appears in the Execute drop-down list.

The Roles menu allows you to define and modify all the roles within the environment. Roles are not
hardcoded in the system; therefore, the permission to edit roles is itself sensitive and must be carefully
governed by administrators.

Any user who needs to work with FortiSOAR and its records must be assigned a role with at least read
permission on the Application, Audit Log Activities, and Security modules.

Use the Role Editor to add and edit RBAC permissions. Role permissions follow the CRUD model. Each module
has explicit CRUD permissions that you can modify and save within a single role. You can also assign
permissions for each field within a module by clicking the Set Field Permissions link for that module.

A user can have more than one role. Each role you grant to a user is added to the user’s overall permission
set, so a user’s effective RBAC permissions are the union of the CRUD permissions granted by every assigned
role. Because permissions only accumulate, no role can take away a permission that another role grants: an
over-permissive role stays effective no matter which other roles the user also holds.

By default, FortiSOAR has at least one role in place after installation: the Security Administrator. If the
SOAR Framework Solution Pack is installed, additional roles are defined.

The Security Administrator role starts with full CRUD permissions on the Security module, which allows the
administrator to add and manage roles and teams within the application. The Security Administrator role also
has CRUD permissions on the Secure Message Exchange and Tenants modules, so that this role can configure
multi-tenant systems. Assign it only to someone who is responsible for building and maintaining the role and
team structure for your organization. It is recommended that you do not remove this role. If you do plan to
remove it, first ensure that at least one other role that is assigned to a user has permissions on the
Security module; otherwise you lose the ability to edit teams and roles within the application.

The Application Administrator role grants access to configure application settings, found in the Application
Editor section on the Settings page. All users must have read permission on the Application module to be able
to use the application interface. You can keep non-human users (API users) out of the application GUI by not
giving them any access to the Application module.

The Full App Permission user is a root user who has full permissions across FortiSOAR. However, data
partitioning is still in effect: what the Full App user can see depends on the teams to which that user
belongs and on which records those teams own.

The Playbook Administrator role has access to the Orchestration and Playbooks component. Only users
who have explicitly been given at least read access to playbooks can see this component on the left
navigation bar. For users to have full privileges to manage playbooks, you must give them CRUD permissions on
the Playbooks module.

The SOC Analyst role has access to the Alerts module and the modules associated with alerts, such as
Comments and Attachments, as well as schedules and reporting. It can also access the Incidents module.
The role is designed to investigate and triage alerts, and to escalate alerts to incidents when necessary.
Analysts are also responsible for remediation and containment tasks.

The SOC Manager role has complete access to the modules associated with the investigation of incidents,
such as Alerts, Incidents, Communications, Indicators, Tasks, and War Rooms. The role is designed to
manage the investigation of incidents, and to perform remediation and containment activities.

You can modify these default roles to your organization’s requirements, or create new roles for even more
granular control.

This slide shows an example of a new user configuration. You need to enter the user details on the New User
page. Note that the Username field is mandatory and case sensitive and it cannot be changed after it is set.

All new users, including the csadmin user, must change their password when they first log in to FortiSOAR,
regardless of the complexity of the password assigned to the users. After you configure a valid email ID in the
user profile, you can reset your password, whenever required, by clicking the Forgot Password link on the
login page.

Use the SMTP connector to configure a connection to an email server, which is required to complete the
process of adding new users. You can use the SMTP connector to send email notifications. If you have not
configured the SMTP connector, the user is still created. However, the system cannot send the password
reset notification link to the users, and therefore the process remains incomplete.

Locked users are those who have exceeded the number of authentication attempts allowed within a one-hour
period. You can define the maximum number of attempts allowed before the user is locked. Only an
administrator who has CRUD permissions on the People module and read and update permissions on the
Security module can unlock the user. By default, a user can enter an incorrect password five times before
the account is locked for 30 minutes. A security administrator can change these default values.

From version 7.0.0 onwards, administrators cannot lock a user from the FortiSOAR GUI. Administrators can
unlock a user from the GUI by selecting the Unlock checkbox on that user's profile page and then clicking
Save; alternatively, locked users can wait for the configured timeout duration, after which their account is
unlocked automatically.

There are two user access types in FortiSOAR.

The first is the Named type. This access type has a permanent seat reserved, so a license seat is consumed
whether or not the user is logged in. The second is the Concurrent type, which takes a seat only while the
user is logged in. If no seat is available when a concurrent user tries to log in, the user sees an error as
shown on this slide.

Select the user access type in the Authentication section of the user profile, for either a new or an
existing user.

The License Manager shows how user seats are allocated between named and concurrent users. In the example
shown on this slide, there are two allowed user seats, and one named user already exists. There are three
configured concurrent users. This means that only one user seat is available for the three concurrent users
to share between them, so only one of them can be logged in at a time.

A reasonable use case for concurrent users is an organization with employees on different shifts or in
different time zones. Instead of configuring named users and taking up a permanent seat for each, concurrent
users give you more flexibility in allocating user seats.

You can view the login status of a user through the GUI or the CLI. In the GUI, view the status in the
Login Status column. To view the login status through the CLI, use the show-logged-in-users command
shown on this slide.

To force a concurrent user to log out and free up a seat, either use the log out button in the user’s
profile, or run the logout-user command shown on this slide.

All users within the system have a profile. Each user has access to their own profile so that they can update
specific information about themselves by clicking the User Profile icon.

To edit other users’ profiles, you must be assigned a role that has at least create, read, and update
permissions on the People module. Otherwise, you can only view your own profile.

The user profile includes the user’s name, email, user name, password, and phone numbers. Users can also
view the teams and roles they belong to, and update their theme. Users can view their own audit logs, which
display a chronological list of all actions performed across all the modules of FortiSOAR. The audit log
also records a user’s login successes and failures, and logout events. Login events cover all four supported
login types: database login, LDAP login, RADIUS login, and SSO login. Audit logs also contain user-specific
terminate and resume playbook events.

The options for two-factor authentication are: no two-factor authentication, a voice message, or an SMS.
FortiSOAR currently supports only TeleSign to deliver the one-time password required for authentication. You
need a TeleSign account to complete the configuration in the Authentication section of a user’s profile.

The Work Phone field is mandatory if a security administrator has enforced two-factor authentication across
all FortiSOAR users. You will learn more about this global setting in this lesson.

An administrator can change a user’s team membership and assigned roles directly from their profile without
having to navigate to the Teams and Roles interfaces. You can select multiple checkboxes to grant a user
more than one team or role. This slide shows the selected teams and roles of this particular user.

Administrators with a minimum of read permissions on the Security module will be able to view a
consolidated list of effective permissions based on a user’s assigned roles.

This is useful in the event that the user is assigned multiple roles, and unintended access is given. The
opposite is also true: if a user is unable to access parts of the system, you can confirm if they are missing
permissions. The Effective Role Permissions interface allows the administrator to check all permissions
assigned to a user instead of having to audit each role individually.
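The aggregation rule and the effective-permissions check described above, as an added example that is not part of the study guide and not FortiSOAR code: a small script that computes a user’s effective CRUD set as the union of the assigned roles, answers which role is the source of a given permission, checks the guide’s minimum of read on the Application, Audit Log Activities, and Security modules, and flags grants that go beyond what the user was meant to have. The role definitions, module names, and the per-user allow-list are constructed for the example.

```python
# Added example (not FortiSOAR code): effective RBAC permissions as the union
# of assigned roles, with the audit questions an administrator asks when the
# Effective Role Permissions view shows something unexpected.
from typing import Dict, List, Set, Tuple

CRUD = ("create", "read", "update", "delete")
# The guide's minimum for any working user: read on these three modules.
REQUIRED_READ = ("Application", "Audit Log Activities", "Security")

# Constructed role definitions: role -> module -> CRUD verbs granted.
ROLES: Dict[str, Dict[str, Set[str]]] = {
    "SOC Analyst": {
        "Application": {"read"},
        "Alerts": {"create", "read", "update"},
        "Incidents": {"read", "update"},
    },
    "Playbook Administrator": {
        "Application": {"read"},
        "Playbooks": set(CRUD),
    },
    "Legacy Helpdesk": {  # constructed over-permissive role left over from a migration
        "Application": {"read"},
        "Security": {"read", "update", "delete"},
    },
}


def effective_permissions(assigned: List[str], roles=ROLES) -> Dict[str, Set[str]]:
    """Union of CRUD verbs per module across every assigned role.
    Permissions only accumulate: no role can remove a verb another role grants."""
    effective: Dict[str, Set[str]] = {}
    for role in assigned:
        for module, verbs in roles[role].items():
            effective.setdefault(module, set()).update(verbs)
    return effective


def granting_roles(assigned: List[str], module: str, verb: str, roles=ROLES) -> List[str]:
    """Which of the user's roles grant this verb on this module (the audit question)."""
    return [r for r in assigned if verb in roles[r].get(module, set())]


def missing_minimums(assigned: List[str], roles=ROLES) -> List[str]:
    """Modules from REQUIRED_READ on which the user has no read permission; a
    non-empty result is the usual cause of a blank screen after login."""
    effective = effective_permissions(assigned, roles)
    return [m for m in REQUIRED_READ if "read" not in effective.get(m, set())]


def unexpected_grants(assigned: List[str], allowed: Dict[str, Set[str]],
                      roles=ROLES) -> List[Tuple[str, str, List[str]]]:
    """Every (module, verb, granting roles) that exceeds the per-user allow-list."""
    findings = []
    for module, verbs in effective_permissions(assigned, roles).items():
        for verb in sorted(verbs - allowed.get(module, set())):
            findings.append((module, verb, granting_roles(assigned, module, verb, roles)))
    return findings


if __name__ == "__main__":
    user_roles = ["SOC Analyst", "Legacy Helpdesk"]
    intended = {"Application": {"read"}, "Alerts": set(CRUD), "Incidents": {"read", "update"}}
    print("missing minimum read on:", missing_minimums(user_roles))
    for module, verb, sources in unexpected_grants(user_roles, intended):
        print(f"{module}.{verb} is granted by {sources}")
```

Run the script to see that the leftover Legacy Helpdesk role is what gives the analyst read, update, and delete on the Security module; because role permissions are additive, the only remedy is to remove that role or trim it, not to add a more restrictive one.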

Administrators can delete users by running a script on the FortiSOAR CLI. You cannot delete user accounts
from the GUI, whether you are a user or an administrator.

The slide shows the steps to delete a user on the FortiSOAR CLI.

First, enter the username of each user that you want to delete in the usersToDelete.txt file. The file path
is shown on the slide. This file is an empty text file in which you list the users to delete.

Second, connect over SSH to your FortiSOAR VM and log in as the root user.

Finally, enter the command shown on this slide to run the deletion script. The userDelete script deletes
users only in the local database and does not work with externalized databases.

It is highly recommended that you use this script to delete or clean up users only during the initial stages
of configuring FortiSOAR. If you delete users who have been using FortiSOAR for a while, any records for which
the deleted user was the only owner are lost permanently. Before deleting such a user, check which records
the user solely owns and transfer their ownership first.

Good job! You now understand role and user configuration.

Now, you will learn about authentication.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in configuring user accounts and LDAP integration, you will be able to set up
FortiSOAR to import and authenticate LDAP users.

The FortiSOAR security model treats authentication and authorization separately:


• Authentication defines your ability to log in and access FortiSOAR. FortiSOAR enforces authentication
based on a set of credentials.
• Authorization governs the users’ ability to work with data within FortiSOAR after authentication is complete.
You control authorization by assigning teams and roles to users.

This is an important distinction: when you configure user accounts, you must always define both the
authentication and the desired authorization for a user. Otherwise, after a user logs in to FortiSOAR, the
user may be presented with a blank screen due to lack of authorization. Conversely, a user may have excessive
permissions for their role within the organization.

This section focuses on the various authentication options for users to log in to the system.

FortiSOAR supports the following four types of authentication:


• Native (local database): Users are created on FortiSOAR itself.
• LDAP: A remote LDAP server, such as an Active Directory environment.
• SAML: An open standard for exchanging authentication information between an identity provider and
FortiSOAR. Examples of identity providers are FortiAuthenticator, Okta, Google, and many others.
• RADIUS: Support for RADIUS was added in FortiSOAR 7.2.0. Microsoft NPS is a commonly seen RADIUS server.

To configure authentication settings, an administrator requires a minimum of read and update permissions on
the Security module.

On the Account Configuration page, in the Session & Idle Timeout section, you can configure various
settings.

The Idle Timeout value determines the number of minutes a user can be idle on FortiSOAR, after which an
idle warning dialog is displayed. The default value is 30 minutes.

The Idle Timeout Grace Period value is the number of seconds a user is given to view the idle warning
dialog after which FortiSOAR logs the user out. The default value is 60 seconds.

The Token Refresh value is the number of minutes before the session token is refreshed. User interaction is
not required. The default value is 60 minutes.

The Reauthenticate Dashboard User value determines the number of hours after which a dashboard user is
forced to re-authenticate. The default value is 24 hours.

The Reauthenticate Application User is the number of hours after which an application user is forced to re-
authenticate. The default value is 24 hours.

On the Account Configuration page, you can configure various options for user accounts.

You can select Enforce 2FA to globally enforce two-factor authentication on all FortiSOAR users. Before you
enforce two-factor authentication, all users’ profiles must have it configured to prevent users from getting
locked out.

Currently, FortiSOAR supports only TeleSign for two-factor authentication using SMS. You need to have a
TeleSign account to send one-time password codes to the users’ mobile devices. Type information provided
by TeleSign into the Customer ID and API Key fields.

Use the Authentication menu to set up, modify, and enable or disable your LDAP authentication provider.

To configure LDAP authentication, first ensure that LDAP Enabled is selected.

Enter the IP address or hostname and the port of your LDAP authentication server. Optionally, enable Use
TLS/SSL; without it, the bind credentials and the directory data travel over the network in clear text, so
enable it wherever the directory supports it. Then provide the user account credentials used to search the
directory and import users. You can add users either by mapping users with the User Attribute Map section,
or by searching for users in the directory and then importing them.

To map users, configure the User Attribute Map. FortiSOAR provides a default user attribute map that
contains the most common combination of field mappings. You can modify the mappings to match your own LDAP
attributes by editing the map.

In the User Attribute Map section, under Fields, click the editable field name (the right-side field name)
to map it to your LDAP attribute. The non-editable field name (the left-side field name) is the FortiSOAR
attribute.

You must provide a valid user name and password to search the LDAP resource for user information. The
account does not have to be an administrator, but at a minimum it must be able to read the LDAP tree and the
user containers you want to import. A dedicated read-only bind account is the least-privilege choice.

After you add the credentials in the User Search section, select Allow User Import to configure your
environment to look in the LDAP resource for all new users. If you want to add local users, clear the
Allow User Import checkbox to revert your system to local user creation in the Users administration menu.

To narrow down your search, enter a path in the Base DN field to specify the starting point of the query.
The Recursive option searches for users inside nested groups under the base DN.

The Search Attribute field defines which LDAP attribute to search on, such as sAMAccountName or
userPrincipalName (UPN).

The Search Criteria field finds specific results based on the search attribute defined. For example, if the
attribute defined is sAMAccountName, you can search for a matching account name in the criteria search bar.
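A worked example, added here and not taken from the study guide or from FortiSOAR: a search filter built from a search attribute and search criteria with RFC 4515 escaping, so that user-supplied criteria cannot widen the query, followed by an attribute map applied to a directory entry of the kind the import returns. The attribute map, the list of mandatory attributes, and the sample entry are constructed assumptions.

```python
# Added example (not FortiSOAR code): LDAP filter construction with RFC 4515
# escaping, and a user attribute map applied to one directory entry.
from typing import Dict, List


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: filter metacharacters become \\XX hex escapes, so that
    criteria such as '*)(objectClass=*' cannot change the shape of the query."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(search_attr: str, criteria: str, object_class: str = "user") -> str:
    """Filter for a user lookup on the configured search attribute."""
    if not search_attr.replace("-", "").isalnum():
        raise ValueError("search attribute must be an LDAP attribute name")
    return f"(&(objectClass={object_class})({search_attr}={escape_filter_value(criteria)}))"


# Constructed attribute map: FortiSOAR attribute (left) -> directory attribute (right).
USER_ATTRIBUTE_MAP: Dict[str, str] = {
    "firstName": "givenName",
    "lastName": "sn",
    "email": "mail",
    "userName": "sAMAccountName",
}
MANDATORY = ("firstName", "lastName", "email", "userName")  # constructed assumption


def map_entry(entry: Dict[str, List[str]], attr_map: Dict[str, str] = USER_ATTRIBUTE_MAP) -> Dict[str, str]:
    """Translate one directory entry (attribute -> list of values, as an LDAP
    search returns it) into a FortiSOAR user. A missing mandatory attribute is
    reported rather than silently defaulted, so a wrong map is visible."""
    user: Dict[str, str] = {}
    missing: List[str] = []
    for fsr_attr, ldap_attr in attr_map.items():
        values = entry.get(ldap_attr) or []
        if values:
            user[fsr_attr] = values[0]
        elif fsr_attr in MANDATORY:
            missing.append(f"{fsr_attr} (expected in {ldap_attr})")
    if missing:
        raise ValueError("entry cannot be imported, missing: " + ", ".join(missing))
    return user


# Constructed entry, shaped like a directory search result.
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "givenName": ["Alice"],
    "sn": ["Analyst"],
    "mail": ["alice@example.test"],
    "sAMAccountName": ["alice"],
    "memberOf": ["CN=SOC,OU=Groups,DC=example,DC=test"],
}

if __name__ == "__main__":
    print(build_user_filter("sAMAccountName", "alice"))
    print(build_user_filter("sAMAccountName", "*)(objectClass=*"))  # escaped, not injected
    print(map_entry(SAMPLE_ENTRY))
```

The second filter shows why the escaping matters: without it, criteria typed into the search bar could turn a lookup for one account into a match on every object under the base DN.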

Security Assertion Markup Language (SAML) is an XML-based, open standard data format for exchanging
authentication and authorization data between parties. When SAML is enabled, there is a new option to log
into FortiSOAR by clicking on the Use Single Sign on (SSO) button.

SAML defines three roles: the principal, the identity provider (IdP), and the service provider (SP).

The principal is generally a user that has an authentic security context with an IdP, and requires a service
from the SP.

The IdP provides user details in the form of assertions. Before delivering the identity assertion to the SP, the
IdP might request some information from the principal, such as a username and password. SAML specifies
the assertions between the three parties: the messages that assert identity passed from the IdP to the SP.

The SP maintains a security wrapper over the services. When a user requests a service, the request first
goes to the SP, which checks whether a security context for the given user already exists. If not, the SP
requests and obtains an identity assertion from the IdP. Based on this assertion, the SP makes the access
control decision for the principal.

Each IdP has its own way of naming attributes for a user profile. Therefore, to fetch the attribute details for a
user from an IdP into the SP, the attributes from the IdP must be mapped to attributes at the SP. This
mapping is configured on the SP itself. If the attribute mapping is incorrect, the SP sets default values for
mandatory attributes like first name, last name, and email.

When a user needs to log into FortiSOAR using SAML authentication, the principal is the user, the IdP would
be a provider such as FortiAuthenticator, and the SP is the FortiSOAR node itself.

Configuring SAML is a two-way process: the SP configuration shown on the FortiSOAR GUI must be entered at
the IdP, and the IdP configuration must be added to the FortiSOAR GUI.

This slide outlines the steps to configure SAML.

FortiSOAR has been tested with six IdPs—FortiAuthenticator, OneLogin, Auth0, Okta, Google, and Active
Directory Federation Services (ADFS). You can use a similar process to configure any other IdP that you use.

FortiSOAR requires the first name, last name, and email attributes to be mapped. In the User Attribute Map,
under Fields, in the Tree view, click the editable field name (right side field name), to map it to the attribute
that is received from the IdP. The non-editable field name (left-side field name) is the FortiSOAR attribute. For
example, in the image shown on this slide, you map the FortiSOAR attribute firstName to the IdP attribute
First Name.

This slide shows the steps you must take to map roles in the IdP to teams and roles on FortiSOAR.

If you want to ensure that the roles defined as part of SAML role mapping are applied to SSO users in
FortiSOAR, select Enforce SAML Role Mappings. To map a role in the IdP to a FortiSOAR role and, optionally,
a team in FortiSOAR, add role mappings in the Team and Role Mapping section.

To add new role mappings, do the following:


• In the SAML Role field, enter the name of the role that you have defined in your IdP. The name specified
in your IdP and the name that you enter in this field must match exactly, including case.
• In the Roles column, select the FortiSOAR role(s) that you want to assign to the role specified in the
SAML Role field.
• In the Teams column, optionally select the FortiSOAR team(s) that you want to assign to the role specified
in the SAML Role field.
• Define a default role (and optionally teams) that is assigned to SSO users for whom no role mapping
matches.
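The attribute map from the previous slide and the team and role mapping above, as one added example that is neither the study guide’s nor FortiSOAR’s code: it reads the attribute statement of a SAML assertion, maps the IdP attribute names to the mandatory FortiSOAR attributes, and applies role mappings with exact, case-sensitive matching and a default role when nothing matches. The assertion, the attribute map, the role table, and the default are constructed. Signature, audience, and validity-period checks, which a real SP must perform before trusting any attribute, are deliberately out of scope here.

```python
# Added example (not FortiSOAR code): SAML attribute statement -> FortiSOAR
# profile attributes, roles and teams, using the guide's matching rules.
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from typing import Dict, List, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion fragment of the kind an IdP returns.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="First Name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Last Name"><saml:AttributeValue>Analyst</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>SOC-Analyst</saml:AttributeValue>
      <saml:AttributeValue>soc-manager</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed user attribute map: FortiSOAR attribute -> IdP attribute name.
ATTRIBUTE_MAP: Dict[str, str] = {"firstName": "First Name", "lastName": "Last Name", "email": "Email"}
ROLE_ATTRIBUTE = "Role"
# Constructed role mappings: SAML role name -> (FortiSOAR roles, FortiSOAR teams).
ROLE_MAPPINGS: Dict[str, Tuple[List[str], List[str]]] = {
    "SOC-Analyst": (["SOC Analyst"], ["SOC Team"]),
    "SOC-Manager": (["SOC Manager"], ["SOC Team"]),
}
DEFAULT_ROLES: List[str] = ["SOC Analyst"]  # applied when no mapping matches
DEFAULT_TEAMS: List[str] = []


def read_attributes(xml_text: str) -> Dict[str, List[str]]:
    """Attribute name -> list of values from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name", "")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def map_user(attrs: Dict[str, List[str]], attr_map: Dict[str, str] = ATTRIBUTE_MAP) -> Dict[str, str]:
    """Mandatory profile attributes; fail loudly instead of defaulting so a wrong map is noticed."""
    user: Dict[str, str] = {}
    for fsr_name, idp_name in attr_map.items():
        values = attrs.get(idp_name) or []
        if not values or not values[0]:
            raise ValueError(f"IdP did not send '{idp_name}', needed for {fsr_name}")
        user[fsr_name] = values[0]
    return user


def map_roles(attrs: Dict[str, List[str]], mappings=ROLE_MAPPINGS) -> Dict[str, List[str]]:
    """Exact, case-sensitive match of each SAML role; defaults when none match."""
    roles: List[str] = []
    teams: List[str] = []
    unmatched: List[str] = []
    for saml_role in attrs.get(ROLE_ATTRIBUTE, []):
        if saml_role in mappings:
            mapped_roles, mapped_teams = mappings[saml_role]
            roles += [r for r in mapped_roles if r not in roles]
            teams += [t for t in mapped_teams if t not in teams]
        else:
            unmatched.append(saml_role)
    if not roles:
        roles, teams = list(DEFAULT_ROLES), list(DEFAULT_TEAMS)
    return {"roles": roles, "teams": teams, "unmatched": unmatched}


def provision(xml_text: str) -> Dict[str, object]:
    attrs = read_attributes(xml_text)
    return {**map_user(attrs), **map_roles(attrs)}


if __name__ == "__main__":
    print(provision(ASSERTION))
```

Note that soc-manager ends up in the unmatched list because the mapping table spells it SOC-Manager; logging unmatched SAML roles is the quickest way to find case mismatches between the IdP and FortiSOAR.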

Add the information provided in the Service Provider section in FortiSOAR to the configuration section of
your IdP. This information is preconfigured. However, you can edit the fields, such as Entity ID (hostname),
within this section. This is especially useful if you are using an alias to access FortiSOAR. You can also edit
the certificate information and the private and public keys of your service provider, which is useful in cases
where you want to use your own certificates.

To configure RADIUS authentication, navigate to the Authentication menu, click the RADIUS Configuration
tab, and select RADIUS Enabled. Type in the IP or hostname of the RADIUS server, the listening port, and
the shared secret.

Optionally, you can define two RADIUS servers to provide redundancy. User credentials are always
authenticated against the primary RADIUS server first. If the primary server fails to respond, then the
credentials are authenticated against the secondary server.

Click the Test Connectivity button to test the FortiSOAR connection to either RADIUS server.
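The primary-then-secondary behaviour described above, as an added example that is not FortiSOAR code: it builds a RADIUS Access-Request whose User-Password is hidden with the shared secret exactly as RFC 2865 section 5.2 specifies, and tries the primary server first, consulting the secondary only when the primary does not answer. The guide says the secondary is used when the primary fails to respond, so the example treats any reply, including a reject, as final. Server addresses, the shared secret, and the transport stub are constructed; a real client sends the packet over UDP and should also add a Message-Authenticator attribute (RFC 3579), omitted here.

```python
# Added example (not FortiSOAR code): RFC 2865 Access-Request with PAP password
# hiding, plus primary/secondary failover on no response.
import hashlib
import os
import struct
from typing import Callable, List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block), the Request Authenticator first."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server computes it; strips NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(identifier: int, username: str, password: str, secret: bytes,
                   authenticator: Optional[bytes] = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    request_authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator + attrs


Server = Tuple[str, int, bytes]  # host, port, shared secret (constructed)


def authenticate(servers: List[Server], username: str, password: str,
                 send: Callable[[str, int, bytes], Optional[int]]) -> Tuple[Optional[int], str]:
    """Try the primary first; move to the secondary only when send() reports no
    response (None). Any reply code, Access-Accept (2) or Access-Reject (3), is final."""
    for identifier, (host, port, secret) in enumerate(servers):
        packet = access_request(identifier, username, password, secret)
        code = send(host, port, packet)
        if code is not None:
            return code, host
    return None, "no RADIUS server responded"


if __name__ == "__main__":
    # Stub transport: the primary is silent, the secondary accepts.
    def stub_send(host: str, port: int, packet: bytes) -> Optional[int]:
        return None if host == "radius-primary.example.test" else 2

    servers = [("radius-primary.example.test", 1812, b"constructed-secret"),
               ("radius-secondary.example.test", 1812, b"constructed-secret")]
    print(authenticate(servers, "alice", "correct horse battery staple", stub_send))
```

Because each server has its own shared secret, the password is re-hidden per server; reusing a packet built for the primary against the secondary would fail even when the secrets happen to match, since the Identifier and Request Authenticator belong to one exchange.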

Good job! You now understand authentication on FortiSOAR.

Now, you will learn about appliance configuration.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding and configuring appliance users, you will be able to
automate many tasks (and playbooks) on FortiSOAR that must talk to appliances outside the network.

Appliance users are usually used to authenticate to FortiSOAR when calling custom API endpoint triggers.
For example, you can use an appliance user to configure auto-forwarding of events and alerts from a SIEM to
FortiSOAR. Otherwise, you might have to store a user password, in plain text, in the configuration files.

As with regular users, you must assign appropriate roles to appliances and add appliances as members of the
teams that will run the playbooks. Roles and team membership determine which data in the system the
appliance can access or modify.

Team hierarchy restrictions that apply to users also apply to appliance users. As a good security practice,
scope the role and team of an appliance so that it has only the least privilege it needs to do its job.

Users represent a discrete individual who is accessing the system. They differ from appliances in that they
receive a time-expiring token upon login that determines their ability to authenticate in the system. The
authentication engine issues the token after users have successfully entered their credentials and, where
configured, completed two-factor authentication. By default, tokens have a lifespan of 30 minutes before
being regenerated.

Appliance users represent non-human users. Appliances use a hash-based message authentication code (HMAC)
to authenticate messages sent to the API. The HMAC is constructed from the appliance’s public-private key
pair rather than from a user ID and password combination. Appliance users do not have a login ID and do not
count toward your license.
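An illustrative request-signing scheme, added here and not FortiSOAR’s own HMAC wire format (which the guide does not specify): it shows what a non-interactive appliance gains over a stored password. The client signs the method, path, timestamp, and a hash of the body with its key; the server recomputes the MAC, compares it in constant time, rejects requests outside a clock-skew window, and refuses a replayed signature. Key identifiers, the skew window, header names, and the sample request are constructed.

```python
# Added example (not FortiSOAR code): HMAC request signing and verification of
# the kind an appliance user relies on instead of a password.
import hashlib
import hmac
import time
from typing import Dict, Optional, Set, Tuple

SKEW_SECONDS = 300  # constructed: how far a request timestamp may drift from server time
# Constructed key store: key id -> secret key. A real store holds the appliance keys.
APPLIANCE_KEYS: Dict[str, bytes] = {"playbook-appliance": b"constructed-secret-key-for-example"}


def canonical(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """The exact bytes both sides MAC: method, path, timestamp and a body digest."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign(key_id: str, key: bytes, method: str, path: str, body: bytes,
         now: Optional[int] = None) -> Dict[str, str]:
    """Client side: produce the headers that accompany the request."""
    ts = int(time.time()) if now is None else now
    mac = hmac.new(key, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": mac}


class Verifier:
    """Server side: checks key id, freshness, signature and replay, in that order."""

    def __init__(self, keys: Dict[str, bytes] = APPLIANCE_KEYS, skew: int = SKEW_SECONDS):
        self.keys, self.skew = keys, skew
        self.seen: Set[Tuple[str, int, str]] = set()  # (key id, timestamp, signature) already accepted

    def verify(self, method: str, path: str, body: bytes, headers: Dict[str, str],
               now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        key_id = headers.get("X-Key-Id", "")
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key id"
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "missing timestamp"
        if abs(now - ts) > self.skew:
            return False, "timestamp outside allowed window"
        expected = hmac.new(key, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
        presented = headers.get("X-Signature", "")
        if not hmac.compare_digest(expected, presented):  # constant-time comparison
            return False, "bad signature"
        marker = (key_id, ts, presented)
        if marker in self.seen:
            return False, "replay"
        self.seen.add(marker)
        return True, "ok"


if __name__ == "__main__":
    body = b'{"name": "constructed alert from SIEM"}'
    headers = sign("playbook-appliance", APPLIANCE_KEYS["playbook-appliance"],
                   "POST", "/api/triggers/1/alert", body)
    verifier = Verifier()
    print(verifier.verify("POST", "/api/triggers/1/alert", body, headers))
    print(verifier.verify("POST", "/api/triggers/1/alert", body, headers))  # same request again: replay
```

The replay set grows without bound here; a server only needs to remember markers inside the skew window, which is why the timestamp check comes first.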

On the New Appliance page, enter a name to identify the appliance and select the team(s) and role(s) that
apply to that appliance.

Once you save the new appliance record, FortiSOAR displays a public-private key pair in a new window. Note
that the private key is shown only once, at generation time. Copy this key and store it somewhere safe; if
you lose it, you cannot retrieve it again. You can regenerate the keys when required, and a new private key
is displayed. However, regeneration invalidates the old keys, so you must then update every integration that
uses them.

By default, there is a Playbook appliance, which belongs to the SOC Team. This appliance is used by the
FortiSOAR workflow service to authenticate to the API service when a workflow step is run that reads,
creates, updates, or deletes records. As a result, this appliance should have permissions on modules which it
will access.

When a record is inserted by a workflow such as a playbook or a rule that uses the appliance, then the
inserted record is owned by the teams of the appliance user. For example, if a playbook or workflow inserts a
new incident record, then the Created By field of this newly inserted record displays the name of the
appliance user who has executed the playbook, and the owner of this newly inserted record will be the team
or teams assigned to the appliance.

If multiple teams are assigned to the appliance, then this newly inserted record would have all those teams as
owners. For example, if you create a different appliance named QA, and assign it to the SOC Team and Team
A, then the Created By field of a newly inserted alert record displays QA and its owners are the SOC Team
and Team A.

Good job! You now understand appliance configuration.

Now, you will learn about SLA template management.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding and creating SLA templates, you will be able to set up SLA
management services for incidents and alerts.

A service-level agreement defines the level of service you expect from a vendor, laying out the metrics by
which service is measured, as well as remedies or penalties should agreed-on service levels not be achieved.
FortiSOAR provides you with an SLA Templates module you can use to create built-in SLA management for
incidents and alerts. You can define SLAs for incidents and alerts of varying degrees of severity, and track
whether those SLAs are met or missed.

The SLA feature requires the SOAR Framework Solution Pack. From release 7.2.0 onwards, the SOAR
Framework Solution Pack is installed, by default, with new installations of FortiSOAR.

To create and manage SLAs, you must be assigned a role with at least create, read, and update permissions on
the SLA Templates and Playbooks modules, along with the default read permission on the Application module.

You can create SLA templates for each level of severity of incidents or alerts. You can set SLAs for both alerts
and incidents using the same SLA Template interface. For example, you can create five SLAs for incidents
and alerts for these five severity levels: Critical, High, Medium, Low, and Minimal.

When creating an SLA template, select the severity level of the incident for which you are defining the SLAs.
For example, if you select the severity as Critical, and you specify the acknowledgement time as 10 minutes
and response time as 15 minutes, this means that to meet the SLA, users must acknowledge incidents within
10 minutes and respond to the incident within 15 minutes of incident generation. FortiSOAR allows you to set
which status will mark an incident or alert as acknowledged, and also which status will mark an incident or
alert as responded to.

The drop-down lists in the Incident SLA and Alert SLA sections allow you to configure the acknowledgement
and response SLA statuses, along with the associated timers.
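The acknowledgement and response rule described above, as an added example that is neither the study guide’s nor FortiSOAR’s code: given a template per severity (which status counts as acknowledged, which as responded, and the minutes allowed for each from record creation) and a record’s status history, it decides whether each SLA is met, missed, or still pending, and lists the records that have breached. Templates, status names, and the sample incidents are constructed.

```python
# Added example (not FortiSOAR code): evaluate acknowledgement and response
# SLAs from a severity template and a record's status history.
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed templates: severity -> statuses that count as acknowledged and
# responded, and the minutes allowed for each, measured from record creation.
SLA_TEMPLATES: Dict[str, dict] = {
    "Critical": {"ack_status": "In Progress", "ack_minutes": 10,
                 "response_status": "Resolved", "response_minutes": 15},
    "High": {"ack_status": "In Progress", "ack_minutes": 30,
             "response_status": "Resolved", "response_minutes": 240},
}

StatusHistory = List[Tuple[datetime, str]]  # (time the status was set, status)


def T(hhmm: str) -> datetime:
    """Clock time on a fixed day, to keep the sample timelines readable."""
    hour, minute = hhmm.split(":")
    return datetime(2024, 1, 1, int(hour), int(minute))


def first_reached(history: StatusHistory, status: str) -> Optional[datetime]:
    """Earliest time the record entered the given status, or None if it never did."""
    times = [when for when, state in history if state == status]
    return min(times) if times else None


def evaluate_sla(severity: str, created: datetime, history: StatusHistory,
                 now: datetime, templates: Dict[str, dict] = SLA_TEMPLATES) -> Dict[str, str]:
    """'met' when the status was reached within its window, 'missed' when it was
    reached late or the window closed without it, 'pending' while the window is open."""
    tpl = templates.get(severity)
    if tpl is None:
        return {"acknowledge": "no template", "respond": "no template"}
    result: Dict[str, str] = {}
    for name, status_key, minutes_key in (("acknowledge", "ack_status", "ack_minutes"),
                                          ("respond", "response_status", "response_minutes")):
        deadline = created + timedelta(minutes=tpl[minutes_key])
        reached = first_reached(history, tpl[status_key])
        if reached is not None:
            result[name] = "met" if reached <= deadline else "missed"
        else:
            result[name] = "pending" if now <= deadline else "missed"
    return result


# Constructed sample incidents with their status histories.
SAMPLE_RECORDS = [
    {"name": "INC-1", "severity": "Critical", "created": T("09:00"),
     "history": [(T("09:07"), "In Progress"), (T("09:20"), "Resolved")]},
    {"name": "INC-2", "severity": "Critical", "created": T("09:00"),
     "history": [(T("09:05"), "In Progress")]},
    {"name": "INC-3", "severity": "High", "created": T("08:00"), "history": []},
]


def breaches(records, now: datetime, templates: Dict[str, dict] = SLA_TEMPLATES) -> List[str]:
    """Names of records with at least one missed SLA, as a breach report would list them."""
    return [rec["name"] for rec in records
            if "missed" in evaluate_sla(rec["severity"], rec["created"],
                                        rec["history"], now, templates).values()]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["name"], evaluate_sla(rec["severity"], rec["created"], rec["history"], T("09:12")))
    print("breached:", breaches(SAMPLE_RECORDS, T("09:12")))
```

INC-2 shows the distinction that matters on a live dashboard: its response SLA is neither met nor missed at 09:12, only pending, and it becomes a breach only when 09:15 passes without the record reaching Resolved.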

Good job! You now understand SLA template management.

Now, you will learn about backup and restore processes.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding backup and restore processes, you will be able to back up
and restore the FortiSOAR configuration files on different FortiSOAR instances.

You must have root or sudo permissions to perform a backup. Ensure that you have enough disk space
available to perform backup and restore tasks. It is recommended that you have available disk space of
around three times the data size.

To perform a backup, connect over SSH to the FortiSOAR VM with elevated privileges. This slide shows the
CLI commands you need to use to perform the backup type of your choice. In the commands, replace the
<BACKUP_DIR_PATH> with your desired location. If you do not specify the path of the backup file, then the
CLI interactively asks you to provide it. If you still do not specify any path from the interactive prompt, then by
default, FortiSOAR stores the backup in the current working directory.

Optionally, from version 6.4.3 onwards, you can exclude all the executed playbook logs from the backup using
the commands shown on this slide. Executed playbook logs are primarily meant for debugging, so they are not
a critical component of the backup. However, they make up a major part of the database size, so
excluding them from the backup reduces the time and space needed for the backup.

FortiSOAR retains only the latest three backups: each time it creates a new backup, any backups older than
the last three are deleted.

Finally, you can also back up only your configuration files. The command for this operation is also shown on
this slide.


The FortiSOAR admin CLI always performs a full database backup of your FortiSOAR server. There are no
incremental backups.

Backups are performed for a particular version of FortiSOAR, and a backup must be restored on the same
version. If a newer version of FortiSOAR is available and you want to move to it, you must first restore the
backup on the version it was taken from, and then upgrade to the latest FortiSOAR version.

The slide lists some of the files, configurations, and data that are backed up during the backup process.


You must have root or sudo permissions to perform backup and restore operations. To perform a restore,
move the backup file to the new FortiSOAR server. Use the CLI command shown on this slide to restore the
data.

After you press Enter, you must provide the path of the database backup file. Note that the backup process
stores the backup in a locally saved file. After you restore FortiSOAR, you must get and deploy a new license
for this FortiSOAR instance. Your existing license will not work on the restored instance. If you back up a
FortiSOAR instance that has Secure Message Exchange enabled and is using a signed certificate, then
you must reapply the signed certificate on the new instance.


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to configure roles and teams, establish a
team hierarchy, manage users and user permissions, and configure authentication. You also learned how to
configure and manage SLA templates, and back up and restore FortiSOAR configuration files.

System Configuration


In this lesson, you will learn how to configure the FortiSOAR system, set up proxies, monitor and maintain
audit logs, and import and export partial and full FortiSOAR configurations.


In this lesson, you will learn about the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in system configuration, you will understand how to configure applications,
syslog forwarding, environmental variables, branding, and system fixtures on FortiSOAR.


On the System Configuration bar shown on this slide, you can see various tabs used to configure
FortiSOAR system settings.

Application Configuration contains various system settings related to how FortiSOAR interacts with users.

Log Forwarding contains the settings for forwarding syslog to a destination server.

Environment Variables contains the proxy configurations for HTTP/HTTPS, and other specific protocols you
can define.

Branding contains customization options for logos, banners, product name, company name, and login
taglines.

System Fixtures contains links to default playbook collections and templates installed with your FortiSOAR
instance. These fixtures can be changed to fit your needs.


On the Application Configuration page, you can configure settings that apply across FortiSOAR, including
notifications, comment management, audit logs purging, playbook options, recycle bin, themes, and more.

Notifications allow you to configure email notifications for system issues.

Comment Management allows you to let users modify comments, and to perform soft deletion of
comments for recordkeeping purposes.

Enabling Log purging for audit and playbook execution logs helps free up system resources. You can also
set the global logging level for playbook execution, and enable playbook recovery for work in progress.

Along with purging logs, you can also purge records sent to the recycle bin.

You must have CRUD permissions to the Application module to make changes to Application
Configuration. By default, the Application Administrator role has CRUD permissions for the module.


Enable Allow Comment Modification to allow users to edit and delete their own comments. Users can edit
and delete their own comments in the Collaboration window or in the Comments widget.

You can specify the window after which users can no longer modify or delete their posted comments. For
example, if you select 1 minute, then users can edit and delete their comments until one minute after they
have added the comment. By default, the Allow users to modify/delete their comments for a duration of
field is set to 5 minutes.

You can also specify the behavior of the comment delete action. When a user deletes a comment, you can
choose to permanently delete the comment or flag the comment for deletion (Soft Delete). If you choose to
keep the Soft Delete checkbox selected, you will see --Comment Deleted-- in the GUI for deleted
comments. If you disable soft deletion, comments are permanently deleted.


You can schedule purging globally for both audit logs and executed playbook logs. By default, the system
purges executed playbook logs but does not purge audit logs. Note that the scheduled purging activity deletes
logs permanently, and you cannot revert this operation.

A system schedule, named Purge Executed Playbook Logs is also already created and active on the
Schedules page. This schedule runs every day at midnight (UTC time) and clears all logs that have exceeded
the time duration that is specified. If you want to run the purging activity at a different time of the day or for a
different duration, you can edit this schedule.

In the Schedules screenshot on this slide, you can see both log types scheduled for purging to run daily at
midnight.

Note that playbooks will run slower during any database cleanup job, so plan your purging schedules for an
appropriate window.


FortiSOAR autosaves playbooks so that you can recover playbook drafts in case you accidentally close your
browser or face any issues while working on a playbook. These autosaved drafts do not replace the current
saved version of the playbook. They simply ensure that you do not lose any of your work done in the playbook
by enabling you to recover the drafts.

Playbook recovery in FortiSOAR is user-based, which ensures that users see their own unsaved drafts of the
playbook. Since it is also browser-based, it comes into effect as long as you are using the same browser
instance. However, playbook drafts might not be saved if you are working in incognito mode.

By default, FortiSOAR saves playbook drafts 15 seconds after the last change. However, you can change this
time across all playbooks by modifying the timer. The minimum time that you can configure for saving
playbook drafts is 5 seconds after the last change. You can also choose to disable playbook recovery for all
playbooks.

You can define a time zone that FortiSOAR uses by default for exporting reports. FortiSOAR applies this time
zone to all reports that you export from the Reports page.


The Recycle Bin allows for soft deletion of workflows and records. It is useful if you accidentally delete
records and need to recover them.

In the case of Playbook Collections and Playbooks modules, the bin is enabled by default. For other
modules, to enable soft deletion, you must go into the specific module under Application Editor and enable
the recycle bin, as shown on this slide.

To view recycled records, the following permissions are required:


• Read on the Application and Playbooks modules
• Read on the specific modules whose recycle bin records you wish to view

To delete recycled records, the following permissions are required:


• Read on the Application module
• Delete on the Playbook module
• Delete on the specific module whose record you wish to delete

To restore recycled records, the following permissions are required:


• Read on the Application module
• Update and Read on the Playbooks module
• Update on the specific module whose record you wish to restore


To enable automatic purging of the recycle bin, go to Application Configuration under Settings.

Note that you will get a warning indicating the schedule status is Inactive until the settings have been saved.

The retention period options available are: Last month, Last 3 months, Last 6 months, Last year, or
Custom.

Under Automation > Schedules, a system schedule is automatically created and active after you enable
recycle bin purging. You can change this schedule to run at a different time.


You can configure the FortiSOAR theme that applies to all the users in the system. Non-administrator users
can change the theme by editing their user profile.

There are currently three theme options: Dark, Light, and Space, with Space being the default.

You can configure the country code format for contact numbers that applies to all users in the system.

In the Navigation Preferences section, check Collapse Navigation to show the navigation bar as collapsed
when a user first logs in.


You can forward FortiSOAR application logs and audit logs to a central log management server that supports
an Rsyslog client, using both the FortiSOAR GUI and CLI. A central log repository can help ease
troubleshooting in a multi-node environment by aggregating all system logs in one place.

Under the Log Forwarding tab, select Enable Log Forwarding to see a list of configuration items, which
includes the configuration name, destination server details, protocol, options to enable audit and
application logs, the log detail level, and audit forwarding rules. If no forwarding rules are defined, then all audit
logs are forwarded. To reduce the amount of traffic, the recommended log detail level is Basic.

Note that in a FortiSOAR HA setup, FortiSOAR does not replicate Syslog settings to the passive node. If you
want to forward logs from the passive node, you must enable this manually using the csadm log forward
command.


If your external log management server is unreachable, the logs generated during that period are not
sent by FortiSOAR to the external server. You can enable log buffering so that FortiSOAR buffers the logs
up to a maximum file size, and then sends them when the log server comes back online.

To enable log buffering, edit the rsyslog config file as shown on this slide. The
ActionQueueMaxDiskSpace variable configures the maximum disk space in gigabytes FortiSOAR will use
for log buffering. Adjust this value to suit your own environment.
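Because the slide's configuration is not reproduced in the notes, the following added example (not FortiSOAR's own tooling) shows what a disk-assisted rsyslog forwarding action looks like in rsyslog's legacy "$Action..." directive syntax, and a small checker that confirms the buffering directives, including ActionQueueMaxDiskSpace, are present with sane values before an outage proves otherwise. The queue file name, the 1g limit and the log server address are constructed placeholders.

```python
"""Check that an rsyslog forwarding action buffers to disk while the log
server is unreachable.

Added example, not FortiSOAR tooling. SAMPLE_RSYSLOG_CONF is a constructed
fragment in rsyslog's legacy "$Action..." directive syntax; the queue file
name and the log server address are placeholders.
"""
import re

SAMPLE_RSYSLOG_CONF = """\
# Disk-assisted queue: in-memory LinkedList that spills to disk files
$ActionQueueType LinkedList
$ActionQueueFileName fortisoar_fwd
# Maximum disk space the buffered logs may occupy (the slide's knob)
$ActionQueueMaxDiskSpace 1g
# Keep buffered logs across an rsyslog restart
$ActionQueueSaveOnShutdown on
# Retry forever instead of discarding after a few attempts
$ActionResumeRetryCount -1
*.* @@logserver.example.internal:514
"""

_SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(value):
    """Convert an rsyslog size such as '512m' or '1g' to bytes."""
    match = re.fullmatch(r"(\d+)\s*([kmg]?)", value.strip().lower())
    if match is None:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(match.group(1)) * _SIZE_UNITS[match.group(2)]


def parse_directives(conf):
    """Collect '$Name value' directives, ignoring comments and filter rules."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line.startswith("$"):
            continue
        name, _, value = line[1:].partition(" ")
        directives[name] = value.strip()
    return directives


def check_buffering(conf, free_disk_bytes):
    """Return the list of problems found; an empty list means the action will
    queue messages on disk and replay them once the server is back."""
    d = parse_directives(conf)
    problems = []
    # rsyslog's default queue type is Direct, which never buffers.
    if d.get("ActionQueueType", "Direct") not in ("LinkedList", "FixedArray", "Disk"):
        problems.append("ActionQueueType must be LinkedList, FixedArray or Disk")
    if "ActionQueueFileName" not in d:
        problems.append("ActionQueueFileName missing: queue cannot spill to disk")
    if "ActionQueueMaxDiskSpace" not in d:
        problems.append("ActionQueueMaxDiskSpace not set: choose an explicit limit")
    elif parse_size(d["ActionQueueMaxDiskSpace"]) > free_disk_bytes:
        problems.append("ActionQueueMaxDiskSpace exceeds the free disk space")
    if d.get("ActionQueueSaveOnShutdown", "off").lower() != "on":
        problems.append("ActionQueueSaveOnShutdown is off: queued logs are lost on restart")
    if d.get("ActionResumeRetryCount", "0") != "-1":
        problems.append("ActionResumeRetryCount should be -1 so rsyslog keeps retrying")
    return problems


if __name__ == "__main__":
    print(check_buffering(SAMPLE_RSYSLOG_CONF, free_disk_bytes=10 * 1024 ** 3))
```

Run the checker against the file you edited with the free space of the partition that holds the queue files; the limit must fit alongside the database, which the backup section above already sizes at about three times the data.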


You can customize the branding of FortiSOAR as per your organization's requirements.

To customize your branding in FortiSOAR, you must have a role that has a minimum of Application update
permissions.

You can update the FortiSOAR logo to reflect your logo on the FortiSOAR GUI. However, note that the
maximum size for a logo is 1 MB. You can also change the favicon that FortiSOAR displays.

You can also update the product name, company name, and the login page taglines.


The System Fixtures page contains links to various system playbook collections. Playbook collections are
similar to a folder structure where you can create and store playbooks. Administrators can click these links to
easily access all the system fixtures, understand how they work, and make changes to them if required. Note
that the fixtures shown in the screenshot may differ from those in your environment, depending on which
solution packs are installed.

Some example playbooks include:


• System Notification and Escalation Playbooks collection includes playbooks that FortiSOAR uses to
automate tasks, such as the escalate playbook. FortiSOAR uses the escalate playbook to escalate an alert
to an incident based on specific inputs from the user and linking the alert(s) to the newly created incident.
• Approval/Manual Task Playbooks collection includes playbooks that FortiSOAR uses to automate
approvals and manual tasks, such as the playbook that is triggered when an approval action is requested
from a playbook.
• SLA Management Playbooks collection includes playbooks that FortiSOAR uses to auto-populate date
fields in the following cases: when the status of incident or alert records change to Resolved or Closed or
when incident or alert records are assigned to a user.
• Schedule Management Playbooks collection includes playbooks that FortiSOAR uses for the scheduler
module and various scheduler actions, such as scheduling playbook execution history cleanup, audit log
cleanup, and so on.
• Report Management Playbooks collection includes playbooks that FortiSOAR uses to manage
generation of FortiSOAR reports.
• Utilities Playbook collection includes playbooks that FortiSOAR uses to manage system utilities.
• War Room Automation collection includes playbooks used to manage war rooms and notify responsible
parties.


The System Fixtures page also contains links to a few email templates, which are included by default.
Clicking on any of the templates will bring up an interface to view, edit, clone, export, or delete them. You can
add new templates or customize existing templates to fit your organization’s business needs.

This slide shows the four default templates included in FortiSOAR:

• Password Reset Token includes an email template used for user password reset procedures. This email
contains a link that the user can use to create their new password.
• Send Email To New User is an email template that is sent to a new user, which contains a link for them to
set a new password.
• Send Email For Password Change includes an email template that is sent when a user requests a
change in their FortiSOAR password.
• Send Email For Reset Password By Admin includes an email template that is sent to FortiSOAR users
whose password has been reset by an administrator.

An example of the Password Reset Token template is shown on this slide.

Clicking on the Edit Record button allows you to change the information inside the defined fields, which in
this example would be the content inside the Name, Subject, and Content fields.

Clicking on the pencil icon on the top right brings up the Edit Template interface to edit the email template’s
structure.


The Navigation editor allows you to modify the system navigation bar, which contains shortcuts to different
FortiSOAR menus.

Use the Add As Group option to add the selected modules and pages into a group. After that, you can name
the group. In the example on this slide, the group is called Artifacts Management. Note that groups are
collapsible on the bar, and can be identified by the down arrow. Click the arrow to expand the list to see all
entries.

Use the Add To Menu option to create an entry, or separate entries if multiple modules are selected, at the
top level on the navigation bar.

You can rearrange the panel’s order by dragging and dropping the entries under the Navigation interface.
Any items not required can be removed from the navigation bar by clicking on the bin icon. In addition, the
icon for each navigation shortcut can be changed by picking from a list of default icons.

In the example shown on this slide, two navigation items are added to the bar: Artifacts Management and
External Website.

Artifacts Management is a new group, which includes the Attachments, Comment, and Events modules.
In the top right screenshot on this slide, you can see that the modules are slightly indented compared to the
Artifacts Management group container, indicating that they are nested.

The External Website navigation item contains a link to the Google homepage. First, the title and the URL
are configured using the Pages tab. Then, this entry is added to the bar as a single item via the Add to Menu
button.


Good job! You now understand system configuration.

Now, you will learn about proxy configuration.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding forward proxies and reverse proxies on FortiSOAR, you will
be able to configure FortiSOAR to accept connections on its proxy server.


You can configure FortiSOAR to direct traffic to an explicit forward proxy to act as an intermediary between
itself and public webservers. Some benefits of implementing a proxy include extra security, privacy, load
balancing, access control, and content caching.

You can also configure a reverse proxy or load balancer to direct requests to a FortiSOAR cluster.

The proxy server can be a firewall such as a FortiGate, a FortiProxy, or a third-party proxy offering.


A FortiSOAR VM needs access to a few different FQDNs on the internet.

For upgrading FortiSOAR, installing connectors, and accessing the widget library, ensure FortiSOAR has
HTTPS access to repo.fortisoar.fortinet.com.

For installing Python dependencies for connectors, make sure your FortiSOAR VM has HTTPS access to
pypi.python.org. If your organization does not permit PyPI, you can instead use the parallel Python
repository at repo.fortisoar.fortinet.com, which requires some additional configuration.

For synchronization of FortiSOAR license details, make sure the FortiSOAR VM has HTTPS access to
globalupdate.fortinet.net.

If you have configured any SaaS or API endpoints, such as VirusTotal, make sure your FortiSOAR VM can
connect to them.

You must ensure that these endpoints are open from the organization’s proxy. You can configure your proxy
for the first time using the FortiSOAR Configuration Wizard. If you subsequently need to change the proxy,
then you can use the csadm CLI commands or use the GUI.


This slide shows the Environment Variables page on FortiSOAR where you can configure HTTP, HTTPS,
and other protocol proxies.

To configure an HTTP proxy to serve all HTTP requests from FortiSOAR, enter the details in the HTTP
section. To configure an HTTPS proxy server to serve all HTTPS requests from FortiSOAR, enter the details
in the HTTPS section on the Environment Variables page. If both protocols will use the same settings, you
can select the Use Same As Above option.

In the No Proxy List field, enter a comma-separated list of addresses that you do not need to route through a
proxy server.

In the Other Environment Variables section, you can add environmental variables and configure proxies for
other protocols, such as FTP, in a key-value pair. For example, enter FTP in the Key field and 1.1.1.1 in
the Value field.
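A mistake in the No Proxy List is easy to make and hard to spot from the GUI: an entry that is too broad sends one of the required FQDNs from the previous slide straight to the internet, where a locked-down egress policy blocks it. The following added example (not FortiSOAR code) applies the same suffix-matching rules that Python's urllib and the requests library use for NO_PROXY, so you can see in advance which destinations will use the proxy and which will go direct. The proxy address and the .example.internal hosts are constructed placeholders; the three FQDNs are the ones named on the slide.

```python
"""Check which outbound FortiSOAR destinations go through the configured
proxy and which bypass it.

Added example, not FortiSOAR code. PROXY_SETTINGS mirrors what the HTTP,
HTTPS and No Proxy List fields on the Environment Variables page export as
HTTP_PROXY / HTTPS_PROXY / NO_PROXY, keyed the way
urllib.request.getproxies_environment() keys them. The proxy address and
the .example.internal hosts are placeholders.
"""
from urllib.request import proxy_bypass_environment

PROXY_SETTINGS = {
    "http": "http://proxy.example.internal:3128",   # HTTP section
    "https": "http://proxy.example.internal:3128",  # HTTPS section (Use Same As Above)
    "no": "localhost,127.0.0.1,.example.internal",  # No Proxy List
}

# FQDNs the slide says a FortiSOAR VM must reach over HTTPS.
REQUIRED_ENDPOINTS = (
    "repo.fortisoar.fortinet.com",   # upgrades, connectors, widget library
    "pypi.python.org",               # connector Python dependencies
    "globalupdate.fortinet.net",     # license synchronization
)


def route_for(host, scheme="https", proxies=PROXY_SETTINGS):
    """Proxy URL used for `host`, or None when the No Proxy List sends it direct.

    proxy_bypass_environment applies urllib's suffix matching: an entry
    '.example.internal' also covers 'fsr-node2.example.internal', and a
    trailing ':port' on the host is ignored.
    """
    if proxy_bypass_environment(host, proxies):
        return None
    return proxies.get(scheme)


def route_table(hosts, proxies=PROXY_SETTINGS):
    """Map each host to the proxy it will use (None means direct)."""
    return {host: route_for(host, proxies=proxies) for host in hosts}


def direct_external_hosts(hosts=REQUIRED_ENDPOINTS, proxies=PROXY_SETTINGS):
    """Required external endpoints that a No Proxy List entry matches, so they
    would be contacted directly and fail where egress is proxy-only."""
    return [host for host in hosts if route_for(host, proxies=proxies) is None]


if __name__ == "__main__":
    for host, proxy in route_table(REQUIRED_ENDPOINTS + ("fsr-node2.example.internal",)).items():
        print(f"{host:35} -> {proxy or 'direct'}")
```

The last function is the check worth running after every proxy change: an empty list means every required endpoint still goes through the proxy.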


If you have a reverse proxy in your environment, then you must configure this reverse proxy server for
FortiSOAR live sync functionality.

The example configuration shown on this slide applies only to an Apache proxy server. You can enable any
other reverse proxy using a similar pattern to support the WebSocket functionality.


To configure a reverse proxy on FortiSOAR, you must update the config.yml file. This slide shows the path
for the file and an example configuration. Ensure that the FortiSOAR URL matches the FortiSOAR SSL
certificate alternate DNS name.

After updating the file, you must restart all FortiSOAR services. This slide shows the command you must use.
After all FortiSOAR services successfully restart, you should be able to load all the modules using the reverse
proxy server.


In specific cases you must stop and start FortiSOAR services:


• If you update your SSL certificates
• Post-update, if playbooks are not working as expected
• Post-reboot, if the FortiSOAR VM is not working as expected

Any user who has root or super-user permissions can use the csadm commands. This slide shows the
commands with various options. You can use the csadm commands to see service statuses, and stop, start,
or restart services.


Good job! You now understand how to configure FortiSOAR to use proxies.

Now, you will learn about audit logs.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in setting and purging audit logs, you will be able to manage and store the
audit logs that are necessary for PCI compliance.


Audit logs include historical data of operations performed in FortiSOAR. Some examples include the name of
the user who deleted a record, linking and delinking events, picklist events, and model metadata events,
including changes made to model metadata during the staging phase. You can use the free text search along
with various filtering criteria to search audit logs. You can also add auditing for new services directly in the
Audit Logs view.

Audit logs also contain operations related to playbooks, such as trigger, update, terminate, resume, create
and delete playbook versions, and so on.

Other examples include:


• User login success, failures, and logout events. The login event includes all supported login types, which
are database, LDAP, SAML SSO, and RADIUS
• System notifications
• Recycle bin operations
• Data archival operations

Singular description attribute value fields containing a "." or "$" are replaced with an "_" in audit logs. For
example, if you have a field named SourceID, and defined its singular description value with Source.ID,
then in the audit logs this appears as Source_ID.


To view your own audit logs, you must have a role with a minimum of read permission on the Audit Log
Activities module. To view and filter audit logs of all users, you must have a role with a minimum of read
permission on the People, Appliances, Security, and Audit Log Activities modules.

To delete your own audit logs, you must have a role with a minimum of delete permission on the Audit Log
Activities module. To delete audit logs of all users, you must have a role with a minimum of delete
permission on the Security and Audit Log Activities modules.

Note that the delete permission on the Audit Log Activities module is not enabled by default for the Full
App Permissions role. Therefore, if you want any user to have the ability to delete audit logs, you must
explicitly assign the delete permission on the module.


You can filter the audit logs to display the audit logs for a particular record type by selecting the record type
(module) from the Record Type drop-down list. You can also filter audit logs by user, operation, and date
range, and with the free text search bar.

To view the details of an audit log entry, click the arrow icon in the audit entry row. Details in the audit log
entry are in JSON format, and include the old data and updated data for a record.

You can export audit logs to either a CSV or PDF file.


You can view logs specific to a particular module in the Application Editor section. In the Select a module
to edit or create new module drop-down list, select the module whose audit log you want to view, and then
click the Audit Logs button. You can view the same details and perform the same actions as mentioned
earlier on the Audit Logs page.

Similarly, you can also view logs specific to a particular picklist in the Application Editor section. In the
Select a picklist to edit or create a new picklist drop-down list, select the picklist whose audit log you want
to view, and then click the Audit Logs button.


Use the User-Specific Audit Logs section to view the chronological list of all the actions across all the
modules of FortiSOAR for a particular user.

Users can view their own audit logs by clicking the User Profile icon, selecting the Edit Profile option, and
then clicking the Audit Logs panel. Administrators who have a minimum of read permission on the Audit Log
Activities module along with access to the People module, which allows them to access a user’s profile, can
view user-specific audit logs.

The user-specific audit logs display the user’s operations on the platform, including logins, logouts, create,
delete, and many more. You can also perform the same actions here as you can perform in Audit Logs.


Use the Audit Log tab, which is present in the detail view of a record, to view the graphical representation of
all the actions performed on that particular record. The Audit Log tab uses the Timeline widget to display the
graphical representation of the details of the record. You cannot edit the Timeline widget.

You can toggle the view in the Audit Log tab to view the details in both grid view and the timeline graphical
view. The screenshot on this slide depicts the timeline view.

A timeline object displays the action performed on the record—such as created, updated, commented,
attached, or linked—the name of the person who made the update, and the date and time that the update was
made. In the timeline, you may see some records created by playbooks. This signifies that the record was
created by a workflow entity, such as a playbook or a rule.

You can toggle between the expanded and collapsed view of the Audit Log tab using the full-screen mode
icon.


You can manually purge audit logs using the Purge Logs button on the upper-right corner of the Audit Log
page. Purging audit logs allows you to permanently delete old audit logs that you do not need, and frees up
space on your FortiSOAR VM. As described earlier in this lesson, you can also schedule purging for both
audit logs and executed playbook logs.

To purge audit logs, you must be assigned a role that has a minimum of read permission on the Security
module and delete permission on the Audit Log Activities module.

In the Purge all logs before field, you can select a time criterion to ensure that only old audit logs are deleted.

By default, logs of all event types are purged. However, you can control which event types FortiSOAR selects
for purging. For example, if you do not want FortiSOAR to purge events of type Login Failure and Trigger,
then you can clear the corresponding checkboxes.
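The selection rule behind the Purge Logs dialog, and behind the scheduled purging and recycle-bin retention options described earlier in this lesson, is a cutoff date combined with a set of event types to keep. The following added example (not FortiSOAR code) implements that rule over a constructed audit log so you can preview which entries a purge would remove; the event type names are taken from the slides, and the retention options map to calendar months as an assumption.

```python
"""Preview which audit-log entries a purge would delete: everything older
than the cutoff, except event types whose checkbox was cleared.

Added example, not FortiSOAR code. SAMPLE_AUDIT_LOG is constructed; the
retention options are the ones listed for recycle-bin purging, mapped to
calendar months (an assumption about how FortiSOAR computes them).
"""
import calendar
from datetime import datetime

# (timestamp, event type, description): constructed sample entries
SAMPLE_AUDIT_LOG = [
    (datetime(2024, 1, 2, 8, 0), "Login Success", "alice logged in (SAML SSO)"),
    (datetime(2024, 1, 2, 8, 5), "Login Failure", "bad password for bob"),
    (datetime(2024, 1, 3, 9, 0), "Trigger", "playbook 'Escalate' triggered"),
    (datetime(2024, 3, 1, 10, 0), "Update", "alert 42 status -> In Progress"),
    (datetime(2024, 6, 1, 11, 0), "Delete", "record 7 moved to recycle bin"),
]
SAMPLE_NOW = datetime(2024, 7, 1, 0, 0)

RETENTION_MONTHS = {"Last month": 1, "Last 3 months": 3, "Last 6 months": 6, "Last year": 12}


def months_before(ts, months):
    """Calendar-accurate 'ts minus N months', clamping the day of month."""
    index = ts.year * 12 + (ts.month - 1) - months
    year, month0 = divmod(index, 12)
    month = month0 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def retention_cutoff(now, option):
    """Cutoff timestamp for a retention option such as 'Last 3 months'."""
    return months_before(now, RETENTION_MONTHS[option])


def select_for_purge(entries, purge_before, keep_types=()):
    """Split entries into (purge, keep).

    An entry is purged when it is older than `purge_before` and its event
    type is not in `keep_types` (the checkboxes cleared in the dialog).
    """
    purge, keep = [], []
    for entry in entries:
        ts, event_type, _ = entry
        if ts < purge_before and event_type not in keep_types:
            purge.append(entry)
        else:
            keep.append(entry)
    return purge, keep


def purge_summary(now, option, keep_types=("Login Failure", "Trigger"),
                  entries=SAMPLE_AUDIT_LOG):
    """Event types that would be purged for a retention option, keeping the
    types a compliance review usually needs (failed logins, playbook
    triggers) unless told otherwise."""
    purge, _ = select_for_purge(entries, retention_cutoff(now, option), keep_types)
    return [entry[1] for entry in purge]


if __name__ == "__main__":
    cutoff = retention_cutoff(SAMPLE_NOW, "Last 3 months")
    purge, keep = select_for_purge(SAMPLE_AUDIT_LOG, cutoff, ("Login Failure", "Trigger"))
    print("cutoff:", cutoff)
    print("purge:", [e[1] for e in purge])
    print("keep:", [e[1] for e in keep])
```

Because the purge is irreversible, the defensible workflow is to run this kind of preview (or export the matching entries to CSV or PDF, as the earlier slide allows) before confirming the dialog, and to keep the event types your compliance regime requires out of the purge set.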


Good job! You now understand audit logs.

Now, you will learn how to export and import a FortiSOAR configuration.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in exporting and importing a FortiSOAR configuration, you will be able to
export various FortiSOAR components, such as configuration information, dashboards, and playbook collections,
and import them into another FortiSOAR VM.


Administrators can use the configuration import and export wizard for configuration information, dashboards,
application settings, and more.

In 7.0 and later versions, the wizard supports the importing and exporting of templates, installed connectors,
connector configurations, widgets, teams, and users.

In 7.0.2 and later versions, the Export Wizard packages all exported content in a ZIP file. Prior to version
7.0.2, content was exported in JSON format. The Import Wizard accepts both the ZIP and the JSON format.

To export and import configurations using the wizards, you must assign users a role that has create, read and
update permissions on the Application, Security, and Playbook modules.

Depending on which elements need to be exported or imported, you may need to grant additional
permissions. For example, to import files you must assign a role that has create and read permissions on the
Files module. To import connectors you must assign a role that has create, read, and update permissions on
the Connectors module. To export connectors you must assign a role that has read permissions on the
Connectors module.


You can use the Configuration Export Wizard to export module configuration information such as module
metadata, field definitions, picklists, view templates, and more. You can also export playbook collections,
dashboards, reports, and administrative settings, such as application configuration, system views, and so on.

If you want to use a playbook to schedule configuration exports using an existing export template, you must
add the UUID of the export template in the playbook. You can retrieve the UUID of the export template by
clicking the Copy UUID to Clipboard icon in the Actions column.

The Export History page lists the configurations that have been exported. On this page you can download a
copy of an exported configuration, or delete it.


In the Export Wizard, on the Choose Entities page, you can choose to export Module Configurations. On
the Filter Data page you can select the modules that you want to export. You can choose to export one, all, or
multiple modules. You can also choose to export all or any of the configuration information associated with a
module as well, such as the module schema, listing view, record view, and add views.

Keep Auto-Select Required Picklists enabled: the picklists that a module references must be exported together
with the module, otherwise the imported module can reference picklists that do not exist in the target
environment. For example, if you select Schema for the Alerts module, the picklists that the Alerts module
requires are selected automatically.

If you want to export only picklists, click the Picklists menu item and select the picklists you want to export.
Using this menu item, you can also export picklists that are not associated with any module. When you import
a picklist using the wizard and the picklist already exists on your system, the wizard replaces the existing
picklist.

On the Review Export page, you can review the configuration information that you are exporting, specify the
name of the template that you are exporting, and specify the name of the ZIP file for the export.


You can export playbook collections and global variables. Global variables can be declared once and then
used across multiple playbooks. Currently, you have to export the complete playbook collection when using
the Export Wizard, and cannot select specific playbooks to export from within a playbook collection.
However, you can still export individual playbooks through the Playbooks interface.

When you import a playbook collection, and if that playbook collection exists, you can choose to either
overwrite the existing playbook collection or create a new playbook collection and append the original
playbook collection name with a number. When you import a global variable that already exists on your
system, then the Import Wizard replaces the existing global variable.

You can also export all or specific dashboards and report templates. On the Review Export page, after you
review the information, click Save & Run Export to export the dashboard or report template in a ZIP file that
you can download and use in another environment. If you import a dashboard or report template, and if that
dashboard or report template already exists in the system, then the wizard replaces the existing dashboard or
report template.


You can export connectors that are installed on your system. You can choose to export one, multiple, or all
connectors. You can also choose to export the configuration information associated with a connector.

Use caution when storing exported connector files. Passwords and API keys are not encrypted during export,
so anyone who has access to the exported file can use the credentials of every connector it contains. Treat the
ZIP as a secret: restrict who can download it from the Export History page, store it encrypted, and delete it
once the import on the target instance is complete.

You can also export one or more widgets installed on FortiSOAR. If a widget is not found in the widget
repository, then the Export Wizard will export the ZIP file for it.


You can export administrative settings and customizations on your FortiSOAR node. For example, you can
export the system settings, such as branding and notifications, SSO, LDAP, and RADIUS configurations, high
availability configurations, proxy and environment variables, and so on.

Passwords are write-only fields, so the wizard cannot export them. If, for example, you export the LDAP
configuration and import it into another instance, you must re-enter the password manually on the target
instance before FortiSOAR can perform any user-related activity, such as searching for users or updating
their details.

You can also export security settings, which includes users, teams, and roles that exist in your environment.
You have the option to export only certain users, teams, and roles instead of including every setting.


You can use the Import Wizard to import configurations or metadata information for modules, playbook
collections, dashboards, and so on, from other environments into your FortiSOAR VM. Using the Import
Wizard, you can move model metadata, picklists, system view templates, dashboards, reports, roles,
playbooks, and application settings across environments.

If you close the wizard without clicking Run Import, then the status of your import shows as Reviewing. You
can click the Continue icon in the Actions column to display the Configurations page of the Import Wizard,
and you can continue reviewing the import configurations. If you click Run Import, and the import process
completes, then the status of your import shows as Import Complete.

You can use both ZIP and JSON formats to import content.


This slide shows how to import dashboards and reports.

To import Dashboards or Reports, on the Options page, click Dashboard(s) or Report(s). The
Observation column displays whether the dashboards or reports that you are importing are New or Existing.

When you import dashboards or report templates, apart from seeing whether each one is new or existing, you
can assign a default role to the dashboard or report.


For schemas of the modules that you import, you can choose whether you want to merge with existing
configurations, replace existing configurations, or append new fields to the configurations.

You can click Review Field Level Actions to view the detailed schema of the module you import.

The Merge With Existing setting merges the configurations. For example, if the Alerts module on your system
has ten fields and the configuration you import contains three new fields for it, and you select Merge With
Existing, then after the import the Alerts module has 13 fields. Merging overwrites existing fields that are also
in the import, adds new fields, and keeps existing fields that are not in the import.

The Replace Existing setting replaces the existing configuration with the imported configuration. It overwrites
existing fields, adds new fields, and deletes non-imported fields.

The Append New Fields setting keeps the existing fields intact, as well as adds new fields. It keeps existing
fields, adds new fields, and keeps non-imported fields.


To import connectors, on the Options page, click Connectors. The Choose Connectors to Import page
displays whether the connectors that you are importing are New or Existing, as seen on this slide.

If the connectors are new, then the connector import installs them. If there are any configurations to import, it
will also import them into the system.

If the connectors are existing, the logic is different, and depends on a few factors.


For existing connectors, it is important to compare the version of the connector you are importing against the
system’s connectors’ versions.

If you are trying to import a connector that already exists on the FortiSOAR instance, one of three things can
happen, depending on the connector versions:
• If the installed connector is older than the one being imported, the import upgrades the connector and
replaces its configuration.
• If the installed connector is the same version or newer than the one being imported, and the export contains
a configuration for it, the import replaces only the connector's configuration.
• If the installed connector is the same version or newer than the one being imported, and the export contains
no configuration for it, the import changes nothing.

Because the first two outcomes overwrite the connector configuration that is already on the target instance,
export the target's existing connector configurations first so that you can roll back.

Note that create, read, and update permissions are required on the Connectors module to import connectors.
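The following script is an added example, not part of the study guide and not FortiSOAR code. It models the Import Wizard rules from the two slides above as a dry-run planner: the three schema strategies (Merge With Existing, Replace Existing, Append New Fields) and the outcomes for new and existing connectors. Run it against a description of what your target instance has and what the export ZIP carries to see what will be overwritten before you click Run Import. The module, connector, and version data below is constructed sample input; the manifest layout is an assumption, not the format of the export file.

```python
"""Dry-run planner for the FortiSOAR Import Wizard rules (added example, not FortiSOAR code)."""
from typing import Dict, List, Optional, Tuple

# ---- module schemas -------------------------------------------------------

def plan_schema(existing: Dict[str, dict], imported: Dict[str, dict],
                strategy: str) -> Dict[str, dict]:
    """Field set a module will have after import under the chosen strategy."""
    if strategy == "merge":        # overwrite common fields, add new ones, keep the rest
        return {**existing, **imported}
    if strategy == "replace":      # imported definition wins; non-imported fields are deleted
        return dict(imported)
    if strategy == "append":       # existing definitions untouched; only unknown fields added
        return {**imported, **existing}
    raise ValueError(f"unknown strategy {strategy!r}")


def schema_diff(existing: Dict[str, dict], imported: Dict[str, dict],
                strategy: str) -> Dict[str, List[str]]:
    """Summarise the effect of an import: overwritten, added and removed fields."""
    after = plan_schema(existing, imported, strategy)
    common = set(existing) & set(imported)
    return {
        "overwritten": sorted(n for n in common if after[n] != existing[n]),
        "added": sorted(set(after) - set(existing)),
        "removed": sorted(set(existing) - set(after)),
    }

# ---- connectors -----------------------------------------------------------

def parse_version(version: str) -> Tuple[int, ...]:
    """'1.10.2' -> (1, 10, 2): compare numerically, never as strings ('1.9' > '1.10')."""
    return tuple(int(part) for part in version.split("."))


def plan_connector(installed_version: Optional[str], imported_version: str,
                   imported_has_config: bool) -> str:
    """Outcome for one connector in the export being imported."""
    if installed_version is None:
        return "install" + ("+config" if imported_has_config else "")
    if parse_version(installed_version) < parse_version(imported_version):
        return "upgrade+replace-config"   # newer version wins and its config is replaced
    if imported_has_config:
        return "replace-config"           # same or newer installed: only the config changes
    return "no-change"                    # nothing in the export applies


def plan_import(manifest: dict, system: dict) -> Dict[str, dict]:
    """Apply both rule sets to everything listed in a (hypothetical) export manifest."""
    report: Dict[str, dict] = {"modules": {}, "connectors": {}}
    for name, spec in manifest.get("modules", {}).items():
        existing = system.get("modules", {}).get(name, {})
        report["modules"][name] = schema_diff(existing, spec["fields"], spec["strategy"])
    for name, spec in manifest.get("connectors", {}).items():
        installed = system.get("connectors", {}).get(name)
        report["connectors"][name] = plan_connector(installed, spec["version"], spec["has_config"])
    return report

# Constructed sample: what the target instance has now ...
SYSTEM = {
    "modules": {"alerts": {
        "name": {"type": "text"},
        "severity": {"type": "picklist", "picklist": "Severity"},
        "source": {"type": "text"},
    }},
    "connectors": {"fortigate": "1.0.0", "virustotal": "2.1.0", "abuseipdb": "1.2.0"},
}
# ... and what the export ZIP carries (layout assumed for the example).
MANIFEST = {
    "modules": {"alerts": {"strategy": "merge", "fields": {
        "severity": {"type": "picklist", "picklist": "AlertSeverity"},  # redefines an existing field
        "ttp": {"type": "text"},                                         # new field
    }}},
    "connectors": {
        "fortigate": {"version": "1.1.0", "has_config": True},    # newer: upgrade + replace config
        "virustotal": {"version": "2.0.0", "has_config": False},  # older, no config: nothing
        "abuseipdb": {"version": "1.2.0", "has_config": True},    # same version: config only
        "ipstack": {"version": "1.0.0", "has_config": True},      # not installed: install
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(plan_import(MANIFEST, SYSTEM), indent=2))
```

Change the strategy in MANIFEST to "replace" or "append" to see the difference: replace reports the non-imported fields name and source as removed, while append leaves the existing severity definition alone and only adds ttp.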


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to configure applications, proxies and
reverse proxies. You learned how to manage audit logs and the recycle bin. You also learned how to export
and import modular configurations from a FortiSOAR instance.

High Availability


In this lesson, you will learn about high availability (HA) and the different ways that you can achieve HA on
FortiSOAR.


In this lesson, you will learn about the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of HA, you will be able to use different methods to achieve HA
clustering with FortiSOAR.


There are multiple ways you can implement HA for FortiSOAR.

FortiSOAR provides a native clustering solution, which allows you to join FortiSOAR nodes into an HA cluster.
When you deploy a FortiSOAR instance using the FortiSOAR Configuration Wizard, the instance is a single
node cluster acting as the active primary node. You can join more nodes to form a multi-node cluster.
FortiSOAR HA uses PostgreSQL database clustering. It supports active-active and active-passive
configurations with both internal and external PostgreSQL databases.

You can deploy HA clusters to fulfill disaster recovery or scaling. For disaster recovery, you can configure an
active-passive cluster that has the passive node located in a remote data center. For scaling workflow
execution across multiple nodes, you can use colocated active-active cluster nodes. Using the native
clustering option is recommended since recovery times are fastest if a primary node becomes unavailable.

Another high availability option is creating nightly database backups and incremental VM snapshots.
FortiSOAR provides backup scripts that are scheduled to run at predefined intervals and make full database
backups on a shared or backed up drive. You must supplement the full backups with incremental VM
snapshots whenever there are changes made to the file system, such as connector installation changes,
configuration file changes, upgrades, schedule changes, and so on.

You can also achieve high availability by using your virtualization platform, such as VMware HA and AWS
EBS snapshots. This method relies on your expertise and infrastructure.

You can configure an external PostgreSQL database and use your own database HA solution. You must take
VM snapshots whenever there are changes to the file system, such as connector installation changes,
configuration file changes, upgrades, schedule changes, and so on.


The primary node in FortiSOAR is unique for various reasons.

A FortiSOAR HA cluster can have only one active primary node. Secondary nodes, on the other hand, can be
active or passive.

For a FortiSOAR environment using the internal database, all active nodes send all read/write operations to the
primary node's database. The databases of all other nodes are read-only replicas that receive streaming
replication from the primary node.

In addition, since version 7.2.0, replication slots are used to set up your HA cluster. Replication slots add
support for differential synchronization between the primary and the secondary nodes when there are
synchronization issues instead of doing full synchronizations. Differential synchronization enhances the
performance of various HA operations such as restoring the secondary nodes after a firedrill, or forming an
HA cluster after upgrading a secondary node.

The following functions run only on the primary node:

• The Workflow Scheduler runs only on the primary node although queued workflows are distributed
amongst all active nodes
• Active nodes index data for quicksearch into ElasticSearch on the primary node
• Integrations and connectors which have a listener configured for notifications, such as IMAP, Exchange,
Syslog

Because the primary node handles multiple functions that the secondary nodes do not, it is essential to have
replication functioning so another node can take over should it become unavailable.


Prior to 7.2.0, you had to upload the TGZ file of a custom connector to every node in the HA cluster and install
the connector manually on each node using the CLI. You also had to upload the same connector version to all
the nodes, with the Delete all existing versions option selected while uploading the TGZ file on each node.

Starting from release 7.2.0, the process has been streamlined. When you install custom connectors on the
primary node, the following connectors are automatically installed on other nodes of the HA cluster:
• Custom connectors
• Older versions of connectors that did not have their RPM available on the FortiSOAR server
• Connectors that were created and published using the Create New Connector wizard

In addition, starting from version 7.2.1, after you install a connector dependency on a FortiSOAR node using
the Install link on the connector's Configurations dialog, then that dependency is installed on the other
nodes of the HA cluster.


High availability with an internal PostgreSQL database is based on internal clustering that takes care of
replicating data to all cluster nodes, and provides an administration CLI to manage the cluster and perform the
takeover operation, when necessary. Takeover is the process in which one of the secondary nodes takes over
as the primary node of the HA cluster. This can be done using the CLI only.

FortiSOAR uses PostgreSQL streaming replication, which is asynchronous: a transaction commits on the
primary before it has been shipped to the secondaries, so a takeover can lose the most recently committed
records if replication was lagging. Check the lag with csadm ha get-replication-status before a planned
takeover. You can configure HA on FortiSOAR with an internal PostgreSQL database in both A-A and A-P mode.


In an A-P HA cluster configuration, one or more passive or standby nodes are available to take over if the
primary node fails. The primary node does all the data processing. However, when the primary node fails, a
standby node takes over as the primary node.

In this configuration, you can have one active node and one or more passive nodes configured in a cluster.
This provides redundancy while data is being replicated asynchronously.


In an A-A HA cluster configuration, at least two nodes are actively running the same kind of service at the
same time. The main aim of the A-A cluster is to achieve load balancing and horizontal scaling, while data is
replicated asynchronously. If there are multiple active nodes in the environment, you should set up a proxy or
a load balancer to effectively direct requests to all nodes.


FortiSOAR ensures that changes done in the file system of any of the cluster nodes—as a result of a
connector installation or uninstallation, or any changes in the module definitions—are synced across every
node. This ensures that a secondary or passive node can take over in the least amount of time, in case the
primary node fails.

When using an external PostgreSQL database, you should also configure your database’s own HA solution.
This ensures there is resiliency in case the primary database server becomes unavailable.


Starting from version 6.4.4, user entitlement does not need to be the same across all cluster nodes—you do
not have to buy additional user licenses for clustered nodes. User count entitlement is always validated from
the primary node. The secondary nodes can have the basic two-user entitlement.

In an HA cluster, the License Manager page displays the information about all the nodes in the cluster. As
shown in the image on this slide, the primary node is primary.internal.lab and that node is licensed with two
users; therefore, the total user count displays as 2 Users. To update the license for each node, click Update
License and upload the license for that node.

If you upload a license that does not match the system UUID, then the GUI displays a warning while you are
updating the license. If you use the same license in more than one environment, then the license is detected
as a duplicate, and your FortiSOAR GUI is blocked after 2 hours.

During a takeover operation, the new primary node swaps licenses with the old primary node. If the old
primary node is not operational during the takeover, then when it comes back it synchronizes with FDN using
its old license, which causes a duplicate license scenario because the new primary node is now using that
same license. In this case, you must manually deploy, on the former primary node, the license that the
secondary node used before the takeover.


Good job! You now understand the HA overview.

Now, you will learn how to configure HA on FortiSOAR.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in configuring HA, you will be able to configure a FortiSOAR HA cluster using an
internal or external PostgreSQL database.


You need to verify the following prerequisites before configuring your FortiSOAR HA cluster:

• All nodes must be on the same version.
• All nodes must be resolvable through DNS.
• Your SSH session must not time out. You can increase the session timeout value in your SSH application,
or use the screen or tmux command to ensure that the SSH session does not time out. Refer to the
Fortinet Knowledge Base article mentioned on this slide for more details.
• If you have an external firewall or any other security policies between the HA nodes, then you must ensure
that the following ports are open between the HA nodes: 5432 for PostgreSQL, 6379 for Redis, and 9200
for Elasticsearch. Open these ports only between the cluster nodes (plus SSH from the joining node to the
primary, which join-cluster uses); PostgreSQL, Redis, and Elasticsearch should not be reachable from the
rest of the network.

It is highly recommended that you install the cluster behind a load balancer so that the cluster address
remains unchanged regardless of which node is the primary.

You can configure a FortiSOAR HA cluster through the CLI only.


When configuring HA, you must join nodes to an HA cluster in a sequential order.

Use the FortiSOAR admin CLI (csadm) command to configure HA for your FortiSOAR instances. This slide
shows the various command options.

To configure a node as a secondary node, ensure you can resolve all nodes through DNS. You can then
connect over SSH to the node you want to configure as a secondary node and enter the command shown on
this slide. After you enter this command, you are prompted to enter the SSH password to access your primary
node.

This slide also shows the command you must use to join a node to a cluster in a cloud environment with key-
based authentication.

When you join a node to an HA cluster, the list-nodes command does not display that a node is in the
process of joining the cluster. The newly added node appears in the list-nodes command only after it
successfully joins the HA cluster.


If you are configuring HA with an external database, first configure the PostgreSQL database for the primary
node of the cluster, and then add the secondary nodes to the pg_hba.conf file of the external database (and
make sure listen_addresses in postgresql.conf accepts connections on an interface the nodes can reach).
This ensures that the external database accepts incoming connections from all the FortiSOAR nodes. Scope
each pg_hba.conf entry to the node's address, the FortiSOAR database, and its role, with password
authentication rather than trust.

After you have configured the external database, ensure that you have met all HA prerequisites, and then
create the HA cluster by following the same steps described in the Configuring HA with internal Database
section earlier in this lesson.


Use the csadm ha takeover command to perform a takeover when your active primary node is down. Run
this command on the secondary node that you want to configure as your active primary node. Confirm that the
old primary is really unreachable before you run it, and do not bring the old primary back into service until it
has been rejoined to the cluster as a secondary; otherwise two nodes act as primary with diverging databases.

Licenses are swapped between the old primary node and the new primary node during a takeover operation.
The nodes' UUIDs remain the same.

If during takeover you answer no to the Do you want to invoke ‘join-cluster’ on other
cluster nodes? prompt, or if any node is not reachable, then you must reconfigure all the nodes in the
cluster to point to the new active primary node using the csadm ha join-cluster command.


A firedrill can be performed to test the replication status of a cluster when using an internal database. It is a
good idea to run a firedrill periodically to ensure that a secondary node is ready to take over for the primary
node.

You can perform a firedrill on a secondary (active or passive) node only. Running the firedrill suspends the
replication to the node's database and sets the node up as a standalone node pointing to its local database.
Do not direct users or integrations to the node while it is in this state.

After you have completed the firedrill, ensure that you perform a restore, as seen on this slide, to return the
node to the HA cluster. All changes made while the node was in a firedrill are discarded, because they are
considered test data.


The table on this slide lists all the subcommands that you can use with the csadm ha command. You can use
the csadm ha subcommands to perform various cluster operations.

The list-nodes set of commands displays nodes within the HA cluster. The show-health set of
commands displays health information of the nodes.

The export-conf command exports the active primary node’s configuration to a file, in the event you wish
to export the configuration to a secondary node.

The get-replication-status command displays the replication delay and status between cluster nodes.
For the primary node, this command displays the replication statistics.

Running the firedrill suspends the replication to the node's database and sets the node up as a standalone
node pointing to its local database. Because the firedrill exists primarily to verify that database replication is
set up correctly, it does not apply when the database is externalized. After you complete the firedrill, ensure
that you perform a restore to return the nodes to a replicating state.


Good job! You now understand HA configuration.

Now, you will learn how to externalize the PostgreSQL database.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in externalizing the FortiSOAR PostgreSQL database, you will be able to
migrate data from your local database to a remote one.


Externalization is migration of data from your local database instance to a remote database instance that has
the same version of PostgreSQL. FortiSOAR version 7.3 uses PostgreSQL version 14. To externalize your
FortiSOAR PostgreSQL database, you must have root access on FortiSOAR and you must use the
FortiSOAR CLI with the csadm commands.

First, you need to prepare your remote database instance. It must allow inbound communication from your
FortiSOAR VM, and have PostgreSQL version 14 running.

Then, prepare your local FortiSOAR instance. Ensure that port 5432 is open for PostgreSQL traffic between
the FortiSOAR instance and the remote database server. If the FortiSOAR instance was previously connected
to the same database instance that is now being externalized, a stale connection can still be held open to the
FortiSOAR database on the external PostgreSQL server. To release all stale connections, restart the
postgres service using the command shown on this slide. Also ensure that you have stopped all your
schedules and that no playbooks are in the running state.

You must also ensure that you have enough disk space available to perform database externalization tasks. It
is recommended that you have at least three times the data size you are transferring in available disk space.
For example, if your data size is 2 GB, then you should have around 6 GB of available disk space, to ensure
that the processes do not stop or fail. Use the command listed on this slide to find out the current database
size.


Now you will learn more about the workflow for externalizing the FortiSOAR database. Refer to the slides for
specific commands.

In summary, to externalize FortiSOAR databases, you must do the following:

Step 1: Create a copy of the db_config file, and name it db_external_config. This slide shows the
directory where you can find the original file.

Step 2: Update the postgres section of the newly created external configuration file. This includes the
external, host, password, port, and user fields; SSL is optional. By default, the port and user are already
populated. If you want to change the default port or user, modify this file and make sure your database server
is configured with the same values. Because this file now holds the database password, keep its ownership
and file permissions as restrictive as those of the original db_config file. You can also mirror the postgres
section's configuration to the postgres_archival section to externalize the archival database. Note that
once you externalize the FortiSOAR database, you must also externalize the archival database; however, it
does not have to point to the same database server.


Step 3: Configure the PostgreSQL database server. First, add firewall exceptions and reload the firewall
service. Next, edit the pg_hba.conf and postgresql.conf files so that the server accepts connections from
the FortiSOAR instance. Limit the pg_hba.conf entry to the FortiSOAR host, the FortiSOAR database, and its
role, and use a password-based authentication method such as scram-sha-256 rather than trust. After you
finish editing the files, restart the PostgreSQL service. You also need to create the cyberpgsql user.


Step 4: Check connectivity between the FortiSOAR instance and the remote database server.

Step 5: Start the externalization process.

Step 6: After you have completed externalizing the database, restart all schedules and playbooks.

In case of database externalization issues, you can review the db.log file for further troubleshooting.
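The following script is an added example, not part of the study guide and not FortiSOAR tooling. It covers the pg_hba.conf edit from Step 3 above and the same edit on the HA slide for an external database with secondary nodes: hba_entries() renders one entry per FortiSOAR node, scoped to a single database and role and requiring TLS plus scram-sha-256, and lint_hba() flags the entries you do not want on a database that holds your incident data (trust, md5, any-host addresses, all/all scoping, non-TLS host lines). The role name cyberpgsql is the one the guide has you create; the database name fortisoar_db, the node addresses, and the SAMPLE_HBA text are constructed placeholders.

```python
"""Generate and lint pg_hba.conf entries for an external FortiSOAR database (added example)."""
import ipaddress
from typing import List


def _address(node: str) -> str:
    """IP or CIDR -> single-host CIDR. Anything else is passed through as a DNS name, which
    pg_hba.conf accepts (PostgreSQL checks it by reverse and forward lookup of the client IP,
    one reason the guide requires every node to be DNS-resolvable)."""
    try:
        return ipaddress.ip_network(node, strict=False).with_prefixlen
    except ValueError:
        return node


def hba_entries(nodes: List[str], database: str, user: str,
                require_ssl: bool = True) -> List[str]:
    """One entry per FortiSOAR node, scoped to one database and one role, SCRAM authentication.
    'hostssl' refuses plaintext connections; use 'host' only if TLS is terminated elsewhere."""
    conn_type = "hostssl" if require_ssl else "host"
    return [f"{conn_type:<8} {database:<14} {user:<12} {_address(n):<24} scram-sha-256"
            for n in nodes]


_BROAD_ADDR = {"0.0.0.0/0", "::/0", "all", "samenet"}


def lint_hba(text: str) -> List[str]:
    """Return findings for entries weaker than the ones hba_entries() produces."""
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("local"):
            continue  # comments, and unix-socket entries that remote nodes cannot use
        parts = line.split()
        if len(parts) < 5:
            findings.append(f"line {lineno}: malformed entry {line!r}")
            continue
        conn_type, database, user, address, method = parts[:5]
        if method == "trust":
            findings.append(f"line {lineno}: 'trust' lets {address} log in as {user} with no password")
        elif method in ("password", "md5"):
            findings.append(f"line {lineno}: {method} is weaker than scram-sha-256")
        if address in _BROAD_ADDR:
            findings.append(f"line {lineno}: address {address} is not limited to the FortiSOAR nodes")
        if database == "all" or user == "all":
            findings.append(f"line {lineno}: entry is not scoped to the FortiSOAR database/role")
        if conn_type == "host":
            findings.append(f"line {lineno}: 'host' allows non-TLS connections; prefer hostssl")
    return findings


# Constructed sample: a pg_hba.conf as often left behind after a quick "make it connect" edit.
SAMPLE_HBA = """\
# TYPE  DATABASE      USER        ADDRESS        METHOD
local   all           all                        peer
host    all           all         0.0.0.0/0      trust          # opened during testing
hostssl fortisoar_db  cyberpgsql  10.0.0.11/32   scram-sha-256
"""

if __name__ == "__main__":
    # placeholder node addresses and database name; replace with your own
    for entry in hba_entries(["10.0.0.11", "10.0.0.12/32", "fsr-sec2.example.lab"],
                             "fortisoar_db", "cyberpgsql"):
        print(entry)
    for finding in lint_hba(SAMPLE_HBA):
        print("!", finding)
```

Paste the generated lines into pg_hba.conf on the database server, set listen_addresses in postgresql.conf to the interface the nodes reach, and restart PostgreSQL as Step 3 says; rerun lint_hba() on the final file to confirm the broad trust line is gone.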


Good job! You now understand how to externalize the PostgreSQL database.

Now, you will learn about HA best practices and cluster monitoring.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in applying best practices, you will be able to configure and manage HA
clusters effectively.


Fronting the FortiSOAR HA cluster with a load balancer or a reverse proxy is recommended so that the address
remains unchanged on takeover.

You must also ensure that the SIEM and other endpoints that FortiSOAR connects to are reachable on a
virtualized host name (DNS) that remains valid after a failover, whether local or to another site. The FortiSOAR
node connects outbound to the SIEM to periodically pull information. After a downtime, when the FortiSOAR
node comes back up, it pulls the information it missed starting from the last pull time, so pull-based ingestion
does not lose data during the downtime.


The postgresql.conf file has two settings that you can configure to fine-tune a FortiSOAR HA cluster:
• max_wal_senders defines the maximum number of walsender processes. By default, this is set to 10.
• max_replication_slots defines the maximum number of replication slots. Replication slots (used by
FortiSOAR since 7.2.0) add support for differential synchronization, which speeds up HA operations. By
default, this is also set to 10.

Every secondary node needs one walsender process and one replication slot on the primary node, which
means that with the default values you can configure a maximum of 10 secondary nodes. If you have more
than 10 secondary nodes, then you must raise both max_wal_senders and max_replication_slots in the
postgresql.conf file on the primary node and restart the PostgreSQL server.

There are various system settings in the postgresql.conf file that determine the size of shared memory
for tracking transaction IDs, locks, and prepared transactions. You should ensure these shared memory
structures have at least the same values on all secondary nodes compared to the primary node.

If the secondary nodes have values lower than the primary node, HA operations could run into potential
issues if there are not enough resources. For example, an HA failover could run into issues if the secondary
node has lower values.

When a secondary node is promoted to the primary role, it will become the new reference point for these
parameters. If other secondary nodes do not have the same value as the newly promoted node, the same
issues could occur. As a result, it is best practice to keep these values consistent across all the nodes.
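
A check an administrator could script for the two points above (walsender capacity on the primary, and no secondary holding a lower value than the primary), as an added example that is not FortiSOAR's own tooling. The parameter list is the set of PostgreSQL hot-standby parameters whose standby value must be at least the primary's (max_connections, max_prepared_transactions, max_locks_per_transaction, max_wal_senders, max_worker_processes), which the guide describes only generically; the fallback defaults, the node names and the sample postgresql.conf fragments are constructed.

```python
"""Added example: compare postgresql.conf settings across FortiSOAR HA nodes.
Not part of FortiSOAR; the configuration text would normally be read from
each node (for example over SSH), here it is embedded as constructed samples."""
import re

# PostgreSQL hot-standby parameters: a standby's value must be >= the primary's.
STANDBY_MIN_PARAMS = (
    "max_connections",
    "max_prepared_transactions",
    "max_locks_per_transaction",
    "max_wal_senders",
    "max_worker_processes",
)

# Values assumed when a parameter is not set explicitly (PostgreSQL defaults;
# the guide confirms 10 for max_wal_senders).
DEFAULTS = {
    "max_connections": 100,
    "max_prepared_transactions": 0,
    "max_locks_per_transaction": 64,
    "max_wal_senders": 10,
    "max_worker_processes": 8,
}

# name = value   # optional comment   (quotes around the value are optional)
_ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*'?([^'#\s]+)'?\s*(?:#.*)?$")


def parse_postgresql_conf(text):
    """Return {parameter: value} for the active (uncommented) assignments."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _ASSIGNMENT.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def effective(settings, param):
    """Integer value in effect for a parameter, falling back to the default."""
    return int(settings.get(param, DEFAULTS[param]))


def find_undersized(primary_conf, secondary_confs):
    """List (node, parameter, secondary_value, primary_value) for every case where
    a secondary is below the primary, which is what breaks a failover or a later
    promotion as the guide describes."""
    primary = parse_postgresql_conf(primary_conf)
    problems = []
    for node, conf in secondary_confs.items():
        secondary = parse_postgresql_conf(conf)
        for param in STANDBY_MIN_PARAMS:
            have, need = effective(secondary, param), effective(primary, param)
            if have < need:
                problems.append((node, param, have, need))
    return problems


def walsender_capacity_ok(primary_conf, secondary_count):
    """Each secondary consumes one walsender process on the primary."""
    primary = parse_postgresql_conf(primary_conf)
    return effective(primary, "max_wal_senders") >= secondary_count


# Constructed sample configurations (not from a real deployment).
PRIMARY_CONF = """
max_connections = 200
max_wal_senders = 10            # FortiSOAR default
max_locks_per_transaction = 128
wal_keep_size = 1024            # MB
"""
SECONDARY_CONFS = {
    "fsr-node2.example.com": "max_connections = 200\nmax_locks_per_transaction = 128\n",
    "fsr-node3.example.com": "max_connections = 100\nmax_locks_per_transaction = 64\n",
}

if __name__ == "__main__":
    for node, param, have, need in find_undersized(PRIMARY_CONF, SECONDARY_CONFS):
        print(f"{node}: {param}={have} is below the primary's {need}")
    print("walsender capacity ok:", walsender_capacity_ok(PRIMARY_CONF, len(SECONDARY_CONFS)))
```

Run it against the postgresql.conf of every node before adding secondaries or promoting one: a node reported as undersized is the one that will misbehave after a failover, and a False from walsender_capacity_ok means max_wal_senders on the primary must be raised and PostgreSQL restarted.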

You can set up system monitoring for FortiSOAR HA clusters.

In the Monitoring Interval (Minutes) field, specify the interval in minutes at which you want to monitor the
system and perform the health check of the HA cluster. In the Missed Heartbeat Count field, specify the
count of missed heartbeats after which notifications of failure are sent to the email addresses you have
specified. You cannot specify a value less than 3 in the Missed Heartbeat Count field. In the Replication
Lag field, specify the threshold, in gigabytes, for the replication lag between nodes. If the replication lag
threshold is reached, then an email notification is sent to the specified email addresses.

For example, if you set the Monitoring Interval to 5 Minutes and the Missed Heartbeat Count to 3, this
means that when the heartbeat is missed and the cyops-ha service is down for the last 15 minutes or more
the heartbeat missed notification is sent to the email address that you specify in the Email field.

HA cluster failure notifications provide useful information about potential causes, and also remediation steps.

For example, if the heartbeat misses from the secondary node exceed the cluster monitoring setting, then the
health notification check sends a heartbeat failure notification and exits.

If the data replication from the primary node is broken, then the health notification check sends a notification
containing the replication lag with respect to the last known replay_lsn of the secondary node and exits.

If the replication lag reaches or crosses the threshold specified, then the health notification check sends a
notification containing the replication lag, as shown on this slide.

If any services are not running, then the health notification check sends a “service failure” notification and
exits.

If a firedrill is in progress on a secondary node, then the health notification check sends the notification shown
on the slide and exits.

You can ignore the lag that the system displays in this case because this lag indicates the amount of data the
fire drill node needs to sync when you run the csadm ha restore command.

You can also check the lag using the get-replication-stat command on the primary node. Note that
replication statistics are not applicable to an externalized database.
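
The monitoring settings and the notification sequence described on the preceding slides, modelled as an added example (not the cyops-ha health check itself). The settings, node names and node states are constructed. One ordering choice is not on the slides: the fire-drill condition is tested before the lag threshold is compared, so that the expected lag of a fire-drill node is reported as such rather than as a threshold breach.

```python
"""Added example: model of the FortiSOAR HA cluster-monitoring decisions.
Not FortiSOAR code; node states are constructed for the illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

MIN_MISSED_HEARTBEATS = 3   # the Missed Heartbeat Count field rejects lower values


@dataclass
class MonitoringSettings:
    interval_minutes: int                 # Monitoring Interval (Minutes)
    missed_heartbeat_count: int           # Missed Heartbeat Count
    replication_lag_threshold_gb: float   # Replication Lag, in gigabytes

    def __post_init__(self):
        if self.interval_minutes < 1:
            raise ValueError("monitoring interval must be at least 1 minute")
        if self.missed_heartbeat_count < MIN_MISSED_HEARTBEATS:
            raise ValueError(f"missed heartbeat count must be >= {MIN_MISSED_HEARTBEATS}")

    def detection_delay_minutes(self):
        """How long cyops-ha can be down before a heartbeat notification goes out
        (5 minutes x 3 missed heartbeats = 15 minutes in the guide's example)."""
        return self.interval_minutes * self.missed_heartbeat_count


@dataclass
class NodeState:
    name: str
    missed_heartbeats: int = 0
    replication_broken: bool = False      # streaming from the primary has failed
    replication_lag_gb: float = 0.0       # lag relative to the last known replay_lsn
    firedrill_in_progress: bool = False
    stopped_services: List[str] = field(default_factory=list)


def health_check(settings: MonitoringSettings, node: NodeState) -> Optional[str]:
    """Return the one notification the check would send for this node, or None.
    Every branch exits after sending, so only the first failing condition is
    reported, as on the slides; the fire-drill test sits before the threshold
    comparison (a design choice of this example)."""
    if node.missed_heartbeats >= settings.missed_heartbeat_count:
        return (f"heartbeat failure: {node.name} missed {node.missed_heartbeats} heartbeats "
                f"(cyops-ha down for >= {settings.detection_delay_minutes()} min)")
    if node.replication_broken:
        return (f"replication broken: {node.name} is {node.replication_lag_gb} GB behind "
                f"the last known replay_lsn")
    if node.firedrill_in_progress:
        return (f"firedrill in progress on {node.name}: lag of {node.replication_lag_gb} GB "
                f"is expected until csadm ha restore is run")
    if node.replication_lag_gb >= settings.replication_lag_threshold_gb:
        return (f"replication lag: {node.name} is {node.replication_lag_gb} GB behind, "
                f"threshold {settings.replication_lag_threshold_gb} GB reached")
    if node.stopped_services:
        return f"service failure: {node.name} services not running: {', '.join(node.stopped_services)}"
    return None


def notifications(settings, nodes):
    """Collect the notifications for a whole cluster, keyed by node name."""
    result = {}
    for node in nodes:
        text = health_check(settings, node)
        if text:
            result[node.name] = text
    return result


if __name__ == "__main__":
    cfg = MonitoringSettings(interval_minutes=5, missed_heartbeat_count=3,
                             replication_lag_threshold_gb=2.0)
    cluster = [
        NodeState("fsr-node2.example.com", missed_heartbeats=3),
        NodeState("fsr-node3.example.com", replication_lag_gb=2.5),
        NodeState("fsr-node4.example.com", replication_lag_gb=2.5, firedrill_in_progress=True),
        NodeState("fsr-node5.example.com", stopped_services=["cyops-ha"]),
    ]
    for name, text in notifications(cfg, cluster).items():
        print(f"{name}: {text}")
```

The point to take from the model is the exit-after-first-failure behaviour: a node that has both stopped services and a replication problem only ever shows the replication notification until that is fixed, so the absence of a service failure notification does not mean all services are running.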

Good job! You now understand HA best practices and how to set up cluster monitoring on FortiSOAR HA.

Now, you will learn about troubleshooting different HA issues.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in using troubleshooting techniques, you will be able to address HA issues.

To troubleshoot HA issues, you can review HA logs. The directory path of the log file is shown on this slide.

When you receive a heartbeat failure notification on a secondary/passive node or on an active node, do the
following:
1. Check if the cyops-ha service is running on that node, using the systemctl status cyops-ha
command.
2. If it is not running, then you must restart the cyops-ha service.

When you receive a notification where the node name differs from actual FQDN of the node, as shown on this
slide, do the following:
1. Connect to the problematic node using SSH.
2. Use the csadm hostname --set command to enter the correct FQDN for the node.

You might receive a notification that the secondary node is out-of-sync with the primary node when the
PostgreSQL service status shows that requested WAL segments have already been removed or the csadm
ha get-replication-stat command shows a higher time lapsed from the last sync when compared to
the general time lapsed. In this case, since the secondary node is completely out-of-sync with the primary
node, you must rejoin the node to the cluster. The steps to rejoin the cluster are shown on this slide.

When there are heavy write operations on the primary node and the secondary node has not yet copied the
data before the data has rolled over, the primary and secondary nodes are out-of-sync and need to be fully
synchronized. In this case, increase the wal_keep_size setting in the postgresql.conf file. You must
also restart the PostgreSQL service by running the command shown on this slide.

If the PostgreSQL service on the primary node or external database server is not running, the cyops-ha
service will be down across the entire cluster. As a result of this, you cannot access the FortiSOAR GUI, and
you must investigate why the postgresql-14 service is down. Run the command listed on this slide for
more information regarding the service, and begin troubleshooting with the reason provided by the system as
to why the service is not running.

This slide shows the output of the csadm ha get-replication-stat command when the PostgreSQL
service on the secondary/passive node has stopped, but is still running on the primary. You can identify this
from the amount of total_lag shown in the command output.

After you restart the PostgreSQL service on the secondary/passive node, you can see that the total_lag on
the primary node decreases, and this amount will decrease further over time.

On the secondary node, you will see an expected spike in the total_lag because the primary node is now
pushing all the buffered data to the secondary node. Because of this, it will take a while for the secondary
node to write all the data to its PostgreSQL database.

If the automated join-cluster command fails to configure HA, and the HA cluster is not created for reasons
such as proxy settings, you can configure HA with the following, more manual process:

1. Connect to the FortiSOAR VM as a root user and run the csadm ha command. This will display the
options available to configure HA.

2. To configure a node as a secondary node, perform the following steps:


a) Connect over SSH to the active primary node and run the csadm ha export-conf command
to export the configuration details of the active primary node to a file named ha.conf.
b) Copy the ha.conf file from the active primary node to the node that you want to configure as a
secondary node.
c) On the active primary node, add the hostnames of the secondary nodes to the allowlist using the
commands shown on this slide.
d) In the case of an externalized database, you must add all the nodes in the cluster to the allowlist
in the pg_hba.conf file.
e) Ensure that all HA nodes are resolvable through DNS.
f) Connect over SSH to the server that you want to configure as a secondary node, and then run the
join-cluster command shown on this slide.
g) If you run the csadm ha join-cluster command without adding the hostnames of the
secondary nodes to the allowlist, then you will get a Failed to verify error.
h) When you join a node to an HA cluster, the list-nodes command does not display that a node
is in the process of joining the cluster. The newly added node is displayed in the list-nodes
command output only after it has joined the HA cluster.

If your primary node stops because of a system crash, and another node has taken over as primary, the
list-nodes command on other nodes will display that the former primary node is in a faulted state. Even
after the former primary node resumes services, it will only remain the primary node of its own cluster.

To fix the HA cluster, do the following:


1. On the former primary node that has resumed running, run leave-cluster, which removes this node
from the HA cluster.
2. Run the join-cluster command to join this node to the HA cluster with the new primary node.

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to configure, manage, and troubleshoot
HA cluster issues on FortiSOAR. You also learned how to manage cluster licensing, and externalize the
FortiSOAR PostgreSQL database.

Searching, War Rooms, and Upgrading

In this lesson, you will learn how FortiSOAR leverages Elasticsearch for improving search results, and about
the FortiSOAR recommendation engine, which predicts and assigns field values in records. You will also learn
how to provision and operate a war room as well as how to upgrade the FortiSOAR firmware.

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in Elasticsearch, you will learn how FortiSOAR leverages the Elasticsearch
mechanism to improve search results.

Elasticsearch allows you to store, search, and analyze huge volumes of data quickly in almost real time, and
returns answers within milliseconds. It is able to achieve fast search responses because instead of searching
the text directly, it searches an index.

FortiSOAR leverages the fast search capability of Elasticsearch for a quick text search across all records and
files in the FortiSOAR database. FortiSOAR includes a local instance of Elasticsearch by default; you can
view its status by running the csadm services command.

FortiSOAR also supports externalization of Elasticsearch data. Externalization is the indexing of data to an
Elasticsearch instance that has the same or a higher version of Elasticsearch outside of the FortiSOAR
instance. The minimum version of the Elasticsearch cluster must be 7.0.2 if you want to externalize the
Elasticsearch data.

The global search mechanism in FortiSOAR leverages an Elasticsearch database to achieve rapid, efficient
searches across the entirety of the record system. In the screenshot, you can see a query typed into the
search bar, and the matching results returned below. All the record data, including data from file
attachments, is stored in Elasticsearch and made searchable.

It uses the full-text match query function within Elasticsearch. This passes the search string through the
standard analyzer, stripping any extra characters to the root term. For instance, the term “phishing” would be
searched the same way as the term “PHISHING!”. However, in the case of tags, an exact match is required
with no case sensitivity. If there are multiple search terms, an AND operator is used to search for matches.

You can set the Match Type as Broad Search or Exact Text Search. An Exact Text Search does not split
up text with spaces or special characters. This is useful for looking up an exact match for an email address,
for example.

You can sort the search results by Relevance, which is based on the number of instances of the keyword
within the record body. You can also sort the results by when the record was modified, the Most Recently
Modified record, or the Least Recently Modified record. Clicking a search result displays the record details.
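
A toy model of the matching rules just described (a Broad Search that runs the query through an analyzer and ANDs the terms, a case-insensitive exact match for tags, an Exact Text Search that does not split the query, and relevance counted as keyword occurrences), as an added example. It is not Elasticsearch's analyzer or FortiSOAR's search code, and the record set is constructed; it exists to make the difference between the two match types and the three sort orders concrete.

```python
"""Added example: toy model of FortiSOAR global search matching rules.
Not Elasticsearch or FortiSOAR code; records below are constructed."""
import re


def analyze(text):
    """Approximate the standard analyzer: lowercase and split on anything that is
    not a letter or digit, so "PHISHING!" and "phishing" yield the same term."""
    return [t for t in re.split(r"[^0-9a-z]+", text.lower()) if t]


def broad_match(query, body):
    """Broad Search: every analyzed query term must occur in the body (AND)."""
    terms = analyze(query)
    tokens = set(analyze(body))
    return bool(terms) and all(t in tokens for t in terms)


def exact_text_match(query, body):
    """Exact Text Search: the query is kept whole, spaces and symbols included."""
    return query.strip().lower() in body.lower()


def tag_match(query, tags):
    """Tags need an exact match, but case does not matter."""
    return query.strip().lower() in {t.lower() for t in tags}


def relevance(query, body):
    """Relevance sort key: occurrences of the query terms in the record body."""
    tokens = analyze(body)
    return sum(tokens.count(t) for t in analyze(query))


def search(query, records, match_type="broad", sort="relevance"):
    """Return matching record ids in the requested order."""
    if match_type == "broad":
        matcher = broad_match
    elif match_type == "exact":
        matcher = exact_text_match
    else:
        raise ValueError("match_type must be 'broad' or 'exact'")
    hits = [r for r in records if matcher(query, r["body"]) or tag_match(query, r["tags"])]
    sort_keys = {
        "relevance": lambda r: -relevance(query, r["body"]),
        "most_recent": lambda r: -r["modified"],   # Most Recently Modified first
        "least_recent": lambda r: r["modified"],   # Least Recently Modified first
    }
    return [r["id"] for r in sorted(hits, key=sort_keys[sort])]


# Constructed records; "modified" is a simple counter standing in for a timestamp.
RECORDS = [
    {"id": "ALERT-1", "modified": 3, "tags": ["phishing", "email"],
     "body": "Phishing email reported by a user; the PHISHING! link was clicked."},
    {"id": "ALERT-2", "modified": 1, "tags": ["malware"],
     "body": "Malware beacon from host to attacker@example.com observed."},
    {"id": "ALERT-3", "modified": 4, "tags": ["Phishing"],
     "body": "Suspicious login; phishing suspected, mail from attacker@example.com."},
]

if __name__ == "__main__":
    print(search("PHISHING!", RECORDS))                                   # relevance order
    print(search("phishing", RECORDS, sort="most_recent"))
    print(search("example.com attacker", RECORDS))                        # broad: terms ANDed
    print(search("example.com attacker", RECORDS, match_type="exact"))    # exact: whole string
```

The last two calls show why Exact Text Search is the right choice for an e-mail address: the broad search splits "attacker@example.com" into three terms and matches any record containing all of them in any order, while the exact search only matches the literal string.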

If you need to change the location of your Elasticsearch instance to a remote machine, you must update the
db_config.yml file. In the db_config.yml file, update the host and port (if needed) in the
elasticsearch section as shown on this slide.

You need to assign nginx permission to the SSL certificate that you have specified in the db_config.yml
file using the command shown on this slide.

After you complete the externalization of Elasticsearch, you must migrate your data from the local instance to
the remote Elasticsearch machine.

To migrate the data to the remote Elasticsearch machine, run the command shown on this slide.

FortiSOAR search performs indexing in an asynchronous manner in the backend. Users could face certain
scenarios that could lead to a restart of services, which can cause indexing to stop.

FortiSOAR might display any of the following errors when users are performing a search operation on
FortiSOAR:
• Search indexing is in progress. Partial results are returned.
• Search indexing has stopped. You must manually rerun indexing or raise a support ticket for the same.
• We are sorry, but the server encountered an error while handling your search request. Please contact
your administrator for assistance.

In these cases, review the falcon.log log file to check which modules are published and indexed and which
modules are yet to be published.

The falcon log sample on this slide shows the Attachments and Emails modules currently being indexed and
their total number of records. Any failure in indexing any modules is logged here. You can monitor the
progress of this file while the indexing is in progress.

If any modules are missing from the published list, or if the falcon.log file includes Publish
Module: ‘<name of module>’ Unsuccessful for a module, you must manually run the indexing for those
modules using the commands shown on this slide.
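
A parser that applies the falcon.log review described on these two slides, as an added example (not a FortiSOAR tool). The only log text taken from the guide is the Publish Module: '<name of module>' Unsuccessful message; the other line shapes (a start line carrying the record count, a Successful line) and the timestamps are constructed for the illustration, so adjust the regular expression to the lines your own falcon.log shows.

```python
"""Added example: summarise search-indexing progress from falcon.log lines.
Not a FortiSOAR tool; the sample log below is constructed, and only the
"Publish Module: '<name>' Unsuccessful" message is taken from the guide."""
import re

# One regular expression for the three constructed line shapes.
_PUBLISH = re.compile(
    r"Publish Module: '(?P<module>[^']+)' "
    r"(?P<state>Start|Successful|Unsuccessful)"
    r"(?:, total records: (?P<total>\d+))?"
)


def indexing_status(log_text, expected_modules):
    """Classify each expected module as published, failed, in_progress or missing,
    and record the total number of records announced for it. A module left in
    in_progress after the indexing run has ended is the "services restarted,
    indexing stopped" case the guide describes."""
    seen_start, published, failed, totals = [], [], [], {}
    for line in log_text.splitlines():
        m = _PUBLISH.search(line)
        if not m:
            continue
        module, state = m.group("module"), m.group("state")
        if state == "Start":
            seen_start.append(module)
            if m.group("total") is not None:
                totals[module] = int(m.group("total"))
        elif state == "Successful":
            published.append(module)
        else:
            failed.append(module)
    in_progress = [m for m in seen_start if m not in published and m not in failed]
    missing = [m for m in expected_modules if m not in seen_start]
    return {"published": published, "failed": failed,
            "in_progress": in_progress, "missing": missing,
            "total_records": totals}


def modules_to_reindex(status):
    """Modules the guide says need a manual indexing run: failed or never published."""
    return status["failed"] + status["missing"]


# Constructed falcon.log excerpt (format and timestamps are illustrative).
SAMPLE_FALCON_LOG = """\
2024-05-01 10:00:01 INFO  Publish Module: 'alerts' Start, total records: 1200
2024-05-01 10:00:09 INFO  Publish Module: 'alerts' Successful
2024-05-01 10:00:10 INFO  Publish Module: 'attachments' Start, total records: 340
2024-05-01 10:00:12 ERROR Publish Module: 'attachments' Unsuccessful
2024-05-01 10:00:13 INFO  Publish Module: 'emails' Start, total records: 90
2024-05-01 10:00:14 INFO  unrelated message that the parser ignores
"""

if __name__ == "__main__":
    status = indexing_status(SAMPLE_FALCON_LOG, ["alerts", "attachments", "emails", "incidents"])
    for key, value in status.items():
        print(f"{key}: {value}")
    print("re-run indexing for:", modules_to_reindex(status))
```

Feed it the module list your instance is expected to publish; anything in the failed or missing buckets is what to pass to the manual indexing commands, and a module that stays in in_progress while no indexing is running should be treated the same way.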

Good job! You now understand Elasticsearch.

Now, you will learn about the FortiSOAR recommendation engine.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of the recommendation engine, you will learn how FortiSOAR
leverages the Elasticsearch mechanism and FortiSOAR machine learning to improve search results and
predict field values.

FortiSOAR is equipped with the Recommendation Engine that analyzes your existing record data using
different algorithms to recommend similar records and predict and assign field values in records. It is based
on finding similarities of patterns in historical data.

FortiSOAR provides you with two recommendation strategies:


• Elasticsearch Based Text Classification, which searches for similar records using Elasticsearch and
applies Elasticsearch's efficient algorithms to analyze the search results. This is the default
recommendation strategy.
• Machine Learning Based Clustering, which is based on training the machine learning (ML) engine using
the data existing on your FortiSOAR instance. It uses traditional ML supervised classification
algorithms, such as K-Nearest Neighbors. This recommendation strategy was introduced in FortiSOAR
version 7.0.

A scenario in which analysts can use the recommendation engine is the case of a phishing alert being created
in FortiSOAR from your email gateway. Users might click the URLs, which in turn creates multiple malware
alerts from your SIEM. Separate alerts are then generated in FortiSOAR. Because FortiSOAR displays similar
alerts to the alert that an analyst is working on, it provides the analyst with a complete picture of the event and
makes it easier for the analyst to take remedial action.

Note that records in the recycle bin will not be included in the recommendation results.

FortiSOAR displays records that are similar to the record you are working on: for example, records with
similar file hashes, source IP, domains, and so on, based on the similarity criteria you define. As seen in the
first screenshot, the Recommendation Engine is enabled, and the Recommendation Strategy is set to
Elastic Based Text Classification. This is the default recommendation strategy.

On the Recommendation Settings page of a record, there are two tabs: Similar Records and
Suggestions. The Similar Records tab lets you configure settings to fine tune which records you want to
match. The Suggestions tab lets you define which fields will have suggestions provided.

In the Similarity Criteria section, select the fields and relations to create the criteria based on which records
will be displayed, such as domains, IP addresses, URLs, and so on. You can also assign weights to the
selected fields by selecting the Assign Specific Weights checkbox. Use the slider to assign weights for each
field from 1 to 10, with 10 being the highest value.

To filter similar record suggestions, in the Filter Suggestions section, add the filter criteria. For example, if
you only want to show similar records that have been created in the last year, then you can add a date filter.
Note that you can define multiple criteria, and select to match either all the conditions, or any of the
conditions.

From the Choose Playbook list, search and select the playbooks that will be displayed on the
Recommendations pane and which you can execute on similar records.

In the Similarity Record Layout section, you can specify the fields of the similar records that you want to
include. For example, you can select Name, Severity, Assigned To, and Status, as the fields of the similar
records that should be displayed.
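
A worked model of the Similar Records settings above (weighted similarity criteria with the 1 to 10 slider range, Filter Suggestions with match-all or match-any, the recycle-bin exclusion noted on the previous slide, and a Similarity Record Layout), as an added example. It is not FortiSOAR's Elasticsearch-based classifier: the scoring rule (weighted fraction of matching criteria fields) is a construction of this example, and so are the alert records, hashes, addresses and names.

```python
"""Added example: weighted similar-record scoring in the spirit of the
Recommendation Engine's Similar Records settings. Not FortiSOAR code; the
scoring rule and the alert records are constructed."""
from datetime import date, timedelta

WEIGHT_MIN, WEIGHT_MAX = 1, 10   # the slider range for Assign Specific Weights


def validate_criteria(criteria):
    """criteria maps field name -> weight; weights must stay within the slider range."""
    for field_name, weight in criteria.items():
        if not WEIGHT_MIN <= weight <= WEIGHT_MAX:
            raise ValueError(f"weight for {field_name} must be between {WEIGHT_MIN} and {WEIGHT_MAX}")
    return criteria


def similarity_score(record, candidate, criteria):
    """Weighted fraction of criteria fields whose values coincide (empty values never match)."""
    total = sum(criteria.values())
    matched = sum(weight for field_name, weight in criteria.items()
                  if record.get(field_name) not in (None, "")
                  and record.get(field_name) == candidate.get(field_name))
    return matched / total if total else 0.0


def created_within_days(days):
    """Filter Suggestions entry: created in the last `days` days."""
    return lambda candidate, today: candidate["created"] >= today - timedelta(days=days)


def field_equals(field_name, value):
    """Filter Suggestions entry: a field must hold a given value."""
    return lambda candidate, today: candidate.get(field_name) == value


def similar_records(record, candidates, criteria, filters=(), match_all=True,
                    layout=("id",), today=None):
    """Return candidates similar to `record`, best score first, projected to the
    Similarity Record Layout fields plus the score."""
    validate_criteria(criteria)
    today = today or date.today()
    combine = all if match_all else any
    results = []
    for cand in candidates:
        if cand["id"] == record["id"] or cand.get("recycled"):
            continue                      # recycle-bin records are never recommended
        if filters and not combine(f(cand, today) for f in filters):
            continue
        score = similarity_score(record, cand, criteria)
        if score > 0:
            row = {f: cand.get(f) for f in layout}
            row["score"] = round(score, 3)
            results.append(row)
    return sorted(results, key=lambda r: -r["score"])


# Constructed data (hashes, addresses and names are placeholders).
TODAY = date(2024, 6, 1)
TARGET = {"id": "ALERT-100", "sourceIp": "10.0.0.5", "fileHash": "hash-abc123",
          "domain": "bad.example", "created": TODAY}
CANDIDATES = [
    {"id": "ALERT-90", "sourceIp": "10.0.0.5", "fileHash": "hash-abc123", "domain": "other.example",
     "severity": "High", "assignedTo": "John Smith", "created": TODAY - timedelta(days=30)},
    {"id": "ALERT-80", "sourceIp": "10.0.0.9", "fileHash": "hash-zzz999", "domain": "bad.example",
     "severity": "Medium", "assignedTo": "Jane Doe", "created": TODAY - timedelta(days=10)},
    {"id": "ALERT-70", "sourceIp": "10.0.0.5", "fileHash": "hash-abc123", "domain": "bad.example",
     "severity": "High", "assignedTo": "John Smith", "created": TODAY - timedelta(days=5),
     "recycled": True},
    {"id": "ALERT-60", "sourceIp": "10.0.0.5", "fileHash": "hash-abc123", "domain": "bad.example",
     "severity": "Critical", "assignedTo": "Jane Doe", "created": TODAY - timedelta(days=400)},
]
CRITERIA = {"sourceIp": 5, "fileHash": 10, "domain": 3}     # file hash weighted highest
FILTERS = [created_within_days(365)]                         # "created in the last year"

if __name__ == "__main__":
    for row in similar_records(TARGET, CANDIDATES, CRITERIA, FILTERS,
                               layout=("id", "severity", "assignedTo"), today=TODAY):
        print(row)
```

With the weights above a shared file hash alone outweighs a shared source IP and domain together, which is the kind of judgement the slider is there to express; the date filter removes the otherwise perfect match from over a year ago, and the recycled record never appears regardless of its score.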

This slide shows the configuration options for the Suggestions tab.

The settings configured on this page will affect which suggested field changes are shown by the
recommendation engine.

For example, in the screenshot Severity and Assigned To are selected in the Fields To Suggest section.
When the recommendation engine returns results, it may suggest an appropriate severity level and an
assignee for this particular record.

You can also define different similarity criteria, optionally specify criteria weights, or choose to use the same
selection as Similar Records.

You can also filter suggestions to match either all the conditions, or any of the conditions.

Based on the similarity criteria that you have defined, the Recommendation tab displays similar records. The
example alert on this slide originated from FortiSIEM, and the Source field was specified as a similarity
criterion.

From the images on this slide, you can see that the recommended severity is Medium and the assignee is
John Smith. If you agree with the suggestions and want to make the changes in the record, click the check
marks in the rows of the field, which updates or adds the field value in the record.

The Playbooks drop-down list contains the list of playbooks that you specified while configuring the
recommendation settings. You can select all the alerts the engine identified as similar, or select individual
alerts and perform the playbook action on them.

If you select Machine Learning Based Clustering, you must train the ML engine using the existing data on
the FortiSOAR instance. AI/ML technology can leverage past learning and similar patterns to intelligently
predict values of record fields such as Assigned To and Severity.

For example, for an incoming alert of type Malware, FortiSOAR can fall back to similar Malware alerts that
already exist in your system and, based on the similarity in patterns, suggest values to the Assigned To and
Severity fields in the new record. This saves time in a SOC because FortiSOAR now does the task of sifting
through records and assigning them automatically.

As a best practice and for consistent results, you should have a single configuration per module. For example,
make one configuration for the Alerts module, and another one for the Incidents module.

To train the FortiSOAR ML Engine, do the following:


1. From the Module to train for drop-down list, select the module from which you want to select the fields
for training and the fields that you want to predict.
2. From the Feature Set list, select the field(s) you want to use to predict the field values. To select multiple
fields, press Ctrl and select the fields. In the case of the example shown on this slide, where you want to
predict the Type and Severity fields based on the Source, select the Source field.
3. From the Verdict list, select the field(s) that you want to predict. To select multiple fields, press Ctrl and
select the fields. In the case of the example shown on this slide, where you want to predict the Type and
Severity fields, select the Type and Severity fields.
4. From the Date Range drop-down list, select the time range of records with which you want to populate
the training set. You can select from options such as Last Month, Last 6 months, Last year, and so on.
You can also select Custom and then enter a specific number of days with which to populate the training
set. The Training Set Size specifies the number of records that make up the training set. However, the
value that you select from the Date Range drop-down list overrides this parameter.
5. From the Algorithm drop-down list, select the ML supervised classification algorithm with which you want
to predict the fields. You can choose between K-Nearest Neighbors (default) or Decision Tree.
6. In the Listener Port field, specify the port number of the socket where the ML connector will load the ML
models for efficient storage and delivery. By default, this is set as 10443.
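
The training and prediction steps above, carried through as an added example with a hand-written K-Nearest Neighbors classifier rather than the FortiSOAR ML connector: the Feature Set is Source, the Verdict fields are Type and Severity, and the Date Range overrides the Training Set Size as step 4 states. The distance measure (one unit per feature field that differs), the confidence figure and the alert records are constructed; the connector's own model format, listener port and storage are not modelled.

```python
"""Added example: K-Nearest Neighbors over categorical alert fields, mirroring
the Feature Set / Verdict / Date Range training steps. Not the FortiSOAR ML
connector; the records and the distance measure are constructed."""
from collections import Counter
from datetime import date, timedelta


def build_training_set(records, today, date_range_days=None, training_set_size=100):
    """Select training records. When a Date Range is given it overrides the
    Training Set Size, as the guide states; otherwise take the newest N records."""
    newest_first = sorted(records, key=lambda r: r["created"], reverse=True)
    if date_range_days is not None:
        cutoff = today - timedelta(days=date_range_days)
        return [r for r in newest_first if r["created"] >= cutoff]
    return newest_first[:training_set_size]


def distance(a, b, feature_set):
    """Hamming-style distance over categorical features: 1 per differing field."""
    return sum(1 for f in feature_set if a.get(f) != b.get(f))


def knn_predict(training, feature_set, verdict, query, k=3):
    """Majority vote among the k nearest training records for each Verdict field.
    Returns {"fields": {name: {"value", "confidence"}}, "nearest_distance": d};
    a nearest_distance equal to len(feature_set) means no training record shares
    any feature value with the query, so the vote is just the newest records'."""
    if not training:
        raise ValueError("empty training set; widen the Date Range or train first")
    k = min(k, len(training))
    # sorted() is stable, so among equal distances the newest records come first
    neighbours = sorted(training, key=lambda r: distance(query, r, feature_set))[:k]
    fields = {}
    for field_name in verdict:
        votes = Counter(n[field_name] for n in neighbours)
        value, count = votes.most_common(1)[0]
        fields[field_name] = {"value": value, "confidence": count / k}
    return {"fields": fields, "nearest_distance": distance(query, neighbours[0], feature_set)}


# Constructed historical alerts: Source is the feature, Type and Severity the verdicts.
TODAY = date(2024, 6, 1)
ALERTS = [
    {"id": "ALERT-1", "source": "FortiSIEM", "type": "Malware", "severity": "High",
     "created": TODAY - timedelta(days=1)},
    {"id": "ALERT-2", "source": "FortiSIEM", "type": "Malware", "severity": "High",
     "created": TODAY - timedelta(days=2)},
    {"id": "ALERT-3", "source": "FortiSIEM", "type": "Malware", "severity": "High",
     "created": TODAY - timedelta(days=3)},
    {"id": "ALERT-4", "source": "FortiSIEM", "type": "Malware", "severity": "Medium",
     "created": TODAY - timedelta(days=5)},
    {"id": "ALERT-5", "source": "Email Gateway", "type": "Phishing", "severity": "Medium",
     "created": TODAY - timedelta(days=4)},
    {"id": "ALERT-6", "source": "Email Gateway", "type": "Phishing", "severity": "Medium",
     "created": TODAY - timedelta(days=6)},
    {"id": "ALERT-7", "source": "Email Gateway", "type": "Phishing", "severity": "Low",
     "created": TODAY - timedelta(days=8)},
    {"id": "ALERT-8", "source": "EDR", "type": "Malware", "severity": "Critical",
     "created": TODAY - timedelta(days=40)},
]
FEATURE_SET = ["source"]
VERDICT = ["type", "severity"]

if __name__ == "__main__":
    training = build_training_set(ALERTS, TODAY, date_range_days=30)   # drops ALERT-8
    for new_alert in ({"source": "FortiSIEM"}, {"source": "Email Gateway"}, {"source": "EDR"}):
        print(new_alert["source"], "->", knn_predict(training, FEATURE_SET, VERDICT, new_alert))
```

The EDR query illustrates a failure mode worth checking before trusting a suggestion: the only EDR alert falls outside the 30-day Date Range, so every remaining record is equally distant and the "prediction" is the vote of the three newest FortiSIEM alerts with a confidence of 1.0. The nearest_distance value exposes this; a single-feature model with an unseen source has nothing to go on, and the Date Range should be widened or the feature set enriched.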

After you have trained your dataset, FortiSOAR starts to analyze the dataset and, based on the analysis,
displays records that are similar to the record you are working on, as well as predicts the values of field
records that you have added to the Verdict field. Because the dataset in the example shown on this slide is
trained to predict the Severity and Type fields based on the Source field, FortiSOAR provides suggestions
for those fields.

If you agree with the recommendations, then click the check mark beside the field, and that populates that
field in the record.

Good job! You now understand the FortiSOAR recommendation engine.

Now, you will learn about the war room.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of the war room, you will be able to set up and operate a war
room to investigate an incident.

War rooms enable SOC teams to get into a collaborative space to mitigate a critical cyber threat scenario or
campaign.

To effectively run a war room, you must be able to communicate effectively with both internal and external
stakeholders. You must also be able to coordinate between teams, investigate the root cause, and resolve the
problem by allocating tasks to specialists, agreeing on milestones, taking notes of technical analysis and
solution proposals, and getting feedback on all points. When appropriate, you have the ability to escalate
issues so that the management team can decide on the next course of action.

Starting from version 7.2.0, the incident response modules have been moved to the SOAR Framework
Solution Pack, which also includes war rooms. If the solution pack has not been installed, you can find it on
the Content Hub.

FortiSOAR provides you with the war room framework and allows you to define policies to achieve the
functionality required to effectively run the war room.

The process that is generally followed for threat mitigation is:


1. Create a response team who will be owners tasked with responding to the threat. In a FortiSOAR war
room record, on the Dashboard screen, you can create a response team easily and add or remove users
or teams, or both.
2. Create a task list of all activities that the team must usually perform to respond to a threat and assign
them to appropriate members of the response team. You can do this on the Task Management tab in the
war room record.
3. Investigate the threat or incident to find out the root cause and provide the mitigation for the threat. On the
Investigate tab, you can look at related incidents, alerts, indicators, and the assets involved in the
investigation. This enables you to look at the bigger picture and assist in investigating and mitigating the
threat.
4. Timely threat reporting to stakeholders is important. On the Communication tab in a war room record,
you can view the summary and current status of this threat, send email updates, specify the next steps,
and make notes about actions taken.

In the top screenshot, you can see the four tabs Dashboard, Task Management, Investigate, and
Communication corresponding to the four steps shown on this slide.

To create and use war rooms, you need CRUD permissions on the War Rooms module. Note that war rooms
have their own RBAC settings. You can further define which elements of war rooms can be edited, read-only,
or inaccessible.

The war room record opens on the Dashboard tab, which contains the summary of the incident. This is where
you can create the response team and assign ownership of the incident to specific users or teams.

After you finish setting up the war room, click Go Live to open a window. Optionally, you can add an external
collaboration link to collaborate with stakeholders that are not part of FortiSOAR, and then click Go Live
again.

The Dashboard tab contains details of the incident, such as the description and current status of the incident,
time elapsed, assets impacted, and the threat types. It also contains the incidents, alerts, indicators, and
artifacts that are related to this incident.

The Info Center section contains information, such as who launched or set up the war room, when the war
room became active, and the conference bridge and collaboration details. It also contains the details of the
response team, which are teams and users designated as owners of this war room.

Use the Communication tab to view the summary of the incident, attach or send announcements associated
with this threat, and define next steps. You can also link or send announcements to all the members of the
response team.

Once you click Go Live, the status of the war room changes from Draft to Active, notifications are sent to all
the members of the war room, and the incidents that are linked to the war room display the active war room in
the header widget.

Use the Task Manager tab to manage all tasks related to the war room. You can create a task list and
manage task assignments and track tasks until their completion. The Task Manager contains various tasks
that are grouped by fields, such as the Status of the task.

In the example shown on this slide, an urgent task is assigned to user John Smith. This task then appears in
the Assigned column. You can also leave a comment for John Smith in the Workspace notifying him of the
task. The Workspace panel is a collapsible panel on the right side of the detail view. On the Workspace
panel, stakeholders can collaborate by adding comments to the record. This enables participation of various
stakeholders and team members across the organization. You can add mentions or tag users in comments
using the @ symbol, and then select the users from the displayed list. Users who are tagged are notified of
their mentions by email.

Use the Investigate tab to investigate the incident and perform root cause analysis. It contains all the records
and evidence linked to that specific incident, giving you a complete picture of all the events that led to the
security threat.

The Investigate tab contains an Artifacts tab that contains a graphical representation of all the records that
are linked to this incident.

The Investigate tab also contains an Evidences tab, where you can view all evidence related to the threat.
You can investigate the war room by executing connector actions directly on the war room record. In the
example shown on this slide, a Get Domain Reputation action was directly run with the VirusTotal
connector on this record. Because the result of the action has an impact on this threat, it is tagged as
Evidence, which then is added to the Evidences tab. You can also manually upload evidence on this tab.


After you complete the investigation into the incident, you can set the status of the war room to Closed. You
can generate a War Room Summary Report from FortiSOAR or email the summary report as an attachment
to the response team.

Click the Timeline tab to view a historical timeline for the current war room, which displays the chronological
history of all the activities that were performed in the war room.


Good job! You now understand the war room.

Now, you will learn about the FortiSOAR upgrade process.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in upgrading FortiSOAR, you will be able to upgrade a FortiSOAR instance in
standalone mode or in an HA cluster.


Before you upgrade your FortiSOAR version, there are a few prerequisites that you must meet. Ensure that
you can connect to globalupdate.fortinet.net; otherwise, the license deployment fails. You can
choose to upgrade your instance without connectivity to globalupdate.fortinet.net. However, your
license will not be deployed. Connectivity to this FQDN is required for fetching the license entitlements and
product functioning after the upgrade. It is recommended that you clean up unnecessary playbook execution
run history to optimize the overall upgrade time. If you do not clean up the historical logs for playbooks, it
might lead to issues during the upgrade, such as playbooks not getting listed in the executed playbooks log,
and so on. You should also let active playbooks finish, and stop all data ingestion playbooks and other
schedules prior to upgrading.

You must take a VM snapshot of your current system. In case of an upgrade failure, these VM snapshots will
allow you to revert to the latest working state. It is highly recommended that you take a backup of the
FortiSOAR built-in connectors’ configuration, such as SSH, IMAP, database, utilities, and so on. The
configuration of your FortiSOAR built-in connectors might be reset if there are changes to the configuration
parameters across versions.

Ensure that the SSH session does not time out by entering tmux mode. Refer to Linux documentation on how
to use the tmux command. Ensure that repo.fortisoar.fortinet.com is reachable from your VM. If
you are connecting using a proxy, then ensure that you set up proxy details using the csadm network
command and that repo.fortisoar.fortinet.com is allowed in your proxy.

You can find the upgrade path documentation for different versions on docs.fortinet.com. It is essential to
review your starting version and identify if you can upgrade to your target version directly, or if you need to go
through more than one hop.


Workflow execution history persists extensively in the database for debugging and validating the input and
output of playbooks at each step. A very large execution history can build up, consuming extra disk space.
This could increase the time required for upgrading FortiSOAR. To delete the workflow run history while keeping
the last specified number of entries, run the command shown on this slide as the root user.

It is highly recommended that you set up cleaning of the workflow execution history using a weekly cron
schedule. To set up a weekly schedule to delete the workflow history, you have to add a cron expression
entry in the /etc/crontab file per your requirements. The command to edit a cron job is crontab -e.
The slide shows an example entry in the /etc/crontab file that will schedule a workflow execution history
cleanup for every Saturday night and delete all workflow run history apart from the last 1000 entries.


Note that running the command shown on the previous slide deletes the workflow entries but does not release
the disk space back to the OS. The space is still reserved for the Postgres process. This is the desired
behavior, and no further action is required if the execution history cleanup is scheduled because the Postgres
process would need the freed-up disk space to store further workflows. If, however, you also want to reclaim
disk space for backups, restores, or other activities, you must also run a full vacuum on the database. The
commands to accomplish this are shown on this slide.

There is also a scenario where the cleandb command might fail. If you do not regularly schedule the
workflow execution cleanup, and you are deleting a very large set of entries at once, they may fail to load into
memory. In this case, run the commands shown on the slide to do the cleanup in batches.
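The cleanup, batching, and vacuum behaviour described on the last two slides can be reproduced on a small scale. The script below is an added example, not the study guide's own command and not FortiSOAR's cleandb tooling: it uses SQLite as a stand-in for the Postgres database (the table and column names are constructed) to show a keep-the-last-N cleanup done in bounded batches, and to show that the database file only shrinks once VACUUM runs, which is the same reason a full vacuum is needed on Postgres before the space is available for backups or other activities.

```python
import os
import sqlite3
import tempfile

TABLE = "workflow_run_history"  # constructed table name, not the FortiSOAR schema


def build_sample_history(path, rows=4000, payload_size=2048):
    """Create a stand-in execution-history table with `rows` entries.

    Each row carries a random payload so the file grows enough for the
    difference between DELETE and VACUUM to show up in the file size.
    """
    conn = sqlite3.connect(path)
    # Keep freed pages inside the file, as Postgres does, so the effect is visible.
    conn.execute("PRAGMA auto_vacuum = NONE")
    conn.execute(
        f"CREATE TABLE {TABLE} (id INTEGER PRIMARY KEY, playbook TEXT, step_output BLOB)"
    )
    conn.executemany(
        f"INSERT INTO {TABLE} (playbook, step_output) VALUES (?, ?)",
        ((f"playbook-{i % 7}", os.urandom(payload_size)) for i in range(rows)),
    )
    conn.commit()
    conn.close()
    return path


def cleanup_history(path, keep_last, batch_size=500):
    """Delete all but the newest `keep_last` rows, in transactions of `batch_size`.

    Bounded batches keep each transaction small, which is the point of the
    batched cleanup the guide recommends for a very large backlog. Returns
    the number of rows deleted.
    """
    if keep_last < 1:
        raise ValueError("keep_last must be at least 1")
    conn = sqlite3.connect(path)
    # id of the oldest row that is kept; everything below it is deleted
    row = conn.execute(
        f"SELECT id FROM {TABLE} ORDER BY id DESC LIMIT 1 OFFSET ?", (keep_last - 1,)
    ).fetchone()
    if row is None:  # fewer rows than keep_last: nothing to do
        conn.close()
        return 0
    cutoff = row[0]
    deleted = 0
    while True:
        cur = conn.execute(
            f"DELETE FROM {TABLE} WHERE id IN "
            f"(SELECT id FROM {TABLE} WHERE id < ? ORDER BY id LIMIT ?)",
            (cutoff, batch_size),
        )
        conn.commit()
        if cur.rowcount == 0:
            break
        deleted += cur.rowcount
    conn.close()
    return deleted


def remaining_ids(path):
    conn = sqlite3.connect(path)
    ids = [r[0] for r in conn.execute(f"SELECT id FROM {TABLE} ORDER BY id")]
    conn.close()
    return ids


def vacuum(path):
    """Rebuild the file so freed pages go back to the OS (the Postgres analogue is VACUUM FULL)."""
    conn = sqlite3.connect(path)
    conn.execute("VACUUM")
    conn.close()


def demo(keep_last=1000):
    """Run cleanup, then vacuum, and report the file size after each stage (bytes)."""
    db = os.path.join(tempfile.mkdtemp(), "history.db")
    build_sample_history(db)
    size_before = os.path.getsize(db)
    deleted = cleanup_history(db, keep_last)
    size_after_delete = os.path.getsize(db)
    vacuum(db)
    size_after_vacuum = os.path.getsize(db)
    return {
        "db": db,
        "deleted": deleted,
        "size_before": size_before,
        "size_after_delete": size_after_delete,
        "size_after_vacuum": size_after_vacuum,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the deletion count, an unchanged file size after the batched deletes, and a smaller file only after the vacuum; scheduling the cleanup regularly keeps each run small enough that the batching is rarely needed.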


This slide shows the commands you need to run to download the upgrade installer. You must be able to
connect over SSH to the FortiSOAR VM, and you will need root access.


After the installer download completes, run the upgrade installer using the commands shown on this slide.

The FortiSOAR upgrade installer checks the boot partition for disk space, and if the partition has insufficient
space, then the upgrade installer exits after displaying an appropriate error message. The boot partition
contains kernel-related files which are used during boot. If you need to clean up the boot partition while
upgrading FortiSOAR, run the commands shown on this slide.

The FortiSOAR upgrade installer also checks the pgsql disk space to ensure that there is sufficient disk
space. If there is not enough disk space for pgsql, the upgrade installer also exits in this case. To resolve
this, you must increase the partition size for pgsql.

After you upgrade the FortiSOAR instance, you will be logged out of the FortiSOAR GUI.


This slide shows the two methods of upgrading an existing FortiSOAR instance to 7.3.0. The upgrade process
is different when going to 7.3.0 because the underlying operating system has changed.

Note that the supported migration paths are from FortiSOAR 7.2.1 or 7.2.2 on RHEL 7.0 or CentOS 7.9. If your
FortiSOAR environment is older than 7.2.1, follow the previous slides to upgrade to the required version. You
must follow a supported upgrade path, which can be identified at docs.fortinet.com.

The first method requires you to deploy a new FortiSOAR 7.3.0 instance on either Rocky Linux 8.6 or RHEL
8.6. After that, you will need to migrate existing data into the new environment using the script shown on this
slide. You will need to export the data, transfer the TGZ file onto the new instance, and then import the data.

The second method is an in-place method. You can download the second file from the FortiSOAR repository
listed on this slide. Ensure that you have stopped all workflow schedules, data ingestion, and other scheduled
jobs prior to upgrading. Check that the Playbook appliance has create and read permissions on the Widgets
module. It is important to take backup snapshots prior to starting the upgrade. Ensure there are at least 2 GB
free in /opt and /var.
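Several of the prerequisites named in this section (reachability of globalupdate.fortinet.net and repo.fortisoar.fortinet.com, and free space in /opt, /var and the boot partition) can be checked before you start the upgrade. The script below is an added example, not part of the study guide and not the FortiSOAR installer's own check. The 2 GB figures for /opt and /var come from the slide; the 100 MB figure for /boot is a placeholder because the guide gives no number for it. The resolver and disk-usage functions are injectable so the logic can be exercised offline.

```python
import shutil
import socket

# Hosts the guide names as prerequisites: licence entitlements and the package repository.
REQUIRED_HOSTS = ("globalupdate.fortinet.net", "repo.fortisoar.fortinet.com")

GB = 1024 ** 3
# Free space needed for the in-place 7.3.0 upgrade per the guide (/opt and /var: 2 GB each).
# The /boot figure is a placeholder: the installer checks /boot but the guide gives no number.
REQUIRED_FREE = {"/opt": 2 * GB, "/var": 2 * GB, "/boot": 100 * 1024 ** 2}


def resolves(host):
    """True if `host` resolves through the system resolver."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False


def free_bytes(path):
    """Free bytes on the filesystem holding `path`."""
    return shutil.disk_usage(path).free


def preflight(hosts=REQUIRED_HOSTS, required_free=REQUIRED_FREE,
              resolver=resolves, free=free_bytes):
    """Return a list of failures; an empty list means every check here passed.

    `resolver` and `free` are parameters so the logic can be tested without
    network access or a real FortiSOAR filesystem.
    """
    failures = []
    for host in hosts:
        if not resolver(host):
            failures.append(
                f"{host} does not resolve: check DNS or the proxy configured with csadm network"
            )
    for path, need in required_free.items():
        have = free(path)
        if have < need:
            failures.append(
                f"{path}: {have / GB:.2f} GB free, need at least {need / GB:.2f} GB"
            )
    return failures


if __name__ == "__main__":
    problems = preflight()
    print("\n".join(problems) if problems else "prerequisites checked here are satisfied")
```

A non-empty result is a reason to stop before downloading the installer; the VM snapshot, the connector configuration backup, and the tmux session from the earlier slide are still needed and are not something a script can verify for you.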


This slide shows the steps you must follow to upgrade a FortiSOAR cluster. Note that the procedure to
upgrade an active-passive and an active-active cluster is the same.

For the purposes of a cluster upgrade procedure, assume the following:

• Node A is the active primary node.
• Node B is the passive secondary node.
• Both nodes are installed behind a reverse proxy or load balancer.

Keep in mind that you must allow approximately 30 minutes of downtime, per node, for the upgrade.

Before you can upgrade an active-active HA cluster, you must first configure the reverse proxy or load
balancer to pass requests only to node A. This ensures that all requests to the FortiSOAR cluster are passed
only to node A, which frees up node B for you to upgrade.

Log in using SSH to node B with the root user, and use the csadm ha leave-cluster command. This
makes node B a standalone device.

Upgrade node B by following the same upgrade procedures for a standalone device. After the node B upgrade
completes, you can upgrade node A. It is important to note that the upgrade of node A incurs downtime.

After you upgrade both nodes, return to node B and run the join-cluster command to set up the cluster.
Lastly, reconfigure the reverse proxy or load balancer to handle requests from both node A and node B.


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how FortiSOAR uses Elasticsearch, as well
as how to configure the recommendation engine. You also learned how to use a war room to mitigate a
malicious incident and upgrade a standalone or cluster of FortiSOAR instances.



System Monitoring and Troubleshooting


In this lesson, you will learn how to monitor the FortiSOAR database, system resources, and services. You
will also learn how to troubleshoot various issues on FortiSOAR.


In this lesson, you will learn about the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in monitoring FortiSOAR, you will learn how to monitor various system
resources, database accuracies, and services on FortiSOAR.


To help maintain a robust SOAR environment, you can set up system monitoring and purging of audit and
playbook logs as part of your initial deployment and configuration process. You can also set up system
monitoring for FortiSOAR for both single and HA deployments.

Email notifications can be sent if any FortiSOAR service fails, or if any monitored thresholds are exceeded,
such as for CPU, memory, or disk utilization. In the case of HA clusters, you can also monitor for, and get
notified of, heartbeat failures and high replication lag between the cluster nodes.

Implementing effective application monitoring offers:

• Increased server, services, and application availability
• Faster detection of network outages and protocol failures
• Faster detection of failed services, processes, and scheduled jobs


FortiSOAR includes a default system monitoring dashboard, the System Health Status dashboard, which
allows you to monitor various FortiSOAR system resources and services.

The following types of system monitoring are available in the System Monitoring widget:
• CPU Usage
• Virtual Memory Usage
• Swap Memory Usage
• Disk Space Usage
• Service Status


The Service Status widget displays the status of all FortiSOAR services. Services that are available are
displayed with a green circle. If any service is down, then that service will be displayed with a red warning
symbol.

The Connector Health Status widget tracks the health of every configuration of every configured connector.
Each connector row displays the number of configurations that are being monitored. For example, in the image
shown on this slide, all the connectors display a 1 Configuration Monitored status.

If any of the configurations of a connector is unavailable, then the widget displays Unavailable in red and the
Health Check Status also displays Unavailable. For example, in the image shown on this slide, the
configuration of the Symantec ATP connector is Unavailable. To view the details of this status, click the
down arrow icon on the connector row, to display the Health Check Status of that configuration. In the
example shown on this slide, the Symantec ATP connector Health Check Status displays Disconnected.
You can hover over the warning icon to see the reason for the disconnection. If any connector is deactivated,
then it appears as Deactivated in red and the Health Check displays as Deactivated.


Use the utilization widgets to display the utilization of various FortiSOAR system resources. Utilization widgets
include CPU utilization, Disk Space Utilization, Memory Utilization, and so on. You can configure these
widgets in a similar manner and use them to display the utilization of various FortiSOAR system resources.

The Threshold Percentage setting specifies the percentage after which you want to take some corrective
action. On the dashboard, the widgets indicate in red when the threshold is reached or exceeded. Similarly,
the widget displays green, yellow, or amber according to the threshold value.

You can reach this dashboard editing interface by clicking on the icon depicted on this slide.


The advantage of having the System Health Status Dashboard is that users with access to the dashboard
can check the various system usage levels without having administrative access. You can also define
various thresholds for each system resource and, if these thresholds are reached, you can take corrective
action.

For users who must monitor the health of FortiSOAR but might not need access to other areas of FortiSOAR
such as playbooks, incident management, and triage, you can configure role-based access to the System
Health Status Dashboard.


To receive email notifications of any FortiSOAR service failure, or monitored thresholds exceeding the set
threshold, select Enable Notification in the System & Cluster Health Monitoring section.

In the Service field, select the service you want to use for notifications. You can choose between SMTP or
Exchange. In the Email field, specify the email address that is notified in case of any service failures,
threshold breaches, and so on. The SMTP or Exchange connector must be configured before notifications
will work.

In the Monitoring Interval (Minutes) field, specify the interval in minutes at which you want to monitor the
system and perform the health check of the HA cluster. By default, the system is monitored every 5 minutes.

In the System Health Thresholds section, you can set the thresholds, in percentages, for Memory
Utilization (80% by default), CPU Utilization (80% by default), Disk Utilization (80% by default), and Swap
Memory Utilization (50% by default). You can also set the Workflow Queue Threshold, which is related to
the celery queue size, and WAL Files Size, which is related to the database’s write-ahead logs.

If the thresholds set are reached for any of the monitored parameters, the system sends an email notification
to the specified email addresses.


As the root user, you can verify FortiSOAR services from the CLI.

To manage all FortiSOAR services, run the csadm services command shown on this slide. The csadm
commands pertain to all services. For example, if you use the restart option, all services will restart. The same
applies to the start, stop, and status options.

When you run the csadm services command, the status of each FortiSOAR service is displayed with a background
color so that you can quickly and easily identify which services are running and which are not running. The
status of services that are running is displayed with a green background, and the status of services that are
not running is displayed with a red background.


To manage the status of individual FortiSOAR services, run the systemctl status command shown on
this slide. For example, to see the status of the cyops-search service, use the systemctl status
cyops-search command. This displays information about the process, including if it is active, its process ID,
and more.

If you want to start, stop, or restart individual services, you can use the systemctl commands shown on this
slide.


If you need to view the status of the PostgreSQL database, or the Elasticsearch database, use the commands
shown on this slide.


You can run the commands shown on this slide to monitor disk space utilization, as well as CPU and memory
usage.

The df command reports how much disk space your environment is using. The grep and awk commands are
used to filter the output to make it easier to read, but they are not mandatory.

The ps command allows you to view information related to processes.

You can also see the RAM and swap memory usage by running the free -m command.
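As an added example, not from the study guide and not FortiSOAR's own monitor, the following script applies the default thresholds from the System Health Thresholds section (80% memory, CPU and disk, 50% swap) to the output of the free -m and df -P commands discussed above. The sample outputs are constructed; live_check() runs the real commands on a Linux host. Memory utilization is computed here as (total - available) / total so that reclaimable page cache is not counted as pressure; that choice is an assumption of this example, not necessarily how FortiSOAR computes the value.

```python
import subprocess

# Default thresholds (percent) from the System Health Thresholds section of the guide.
DEFAULT_THRESHOLDS = {"memory": 80, "cpu": 80, "disk": 80, "swap": 50}

# Constructed sample output of `free -m` on a 16 GB host under memory pressure.
FREE_SAMPLE = """\
               total        used        free      shared  buff/cache   available
Mem:           15884       13200         620         210        2064        2130
Swap:           4095        2400        1695
"""

# Constructed sample output of `df -P` (POSIX format: one line per filesystem).
DF_SAMPLE = """\
Filesystem          1024-blocks      Used Available Capacity Mounted on
/dev/mapper/rl-root    52403200  41922560  10480640      80% /
/dev/mapper/rl-opt    104806400  31441920  73364480      30% /opt
/dev/sda1               1038336    311500    726836      30% /boot
"""


def parse_free(text):
    """Return memory and swap utilization in percent from `free -m` output.

    Memory utilization is (total - available) / total; swap is used / total.
    """
    result = {"memory": None, "swap": None}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Mem:":
            total, available = int(parts[1]), int(parts[6])
            result["memory"] = round(100 * (total - available) / total, 1)
        elif parts[0] == "Swap:":
            total, used = int(parts[1]), int(parts[2])
            result["swap"] = round(100 * used / total, 1) if total else 0.0
    return result


def parse_df(text):
    """Return {mount point: capacity percent} from `df -P` output."""
    usage = {}
    for line in text.splitlines()[1:]:  # skip the header line
        parts = line.split()
        if len(parts) >= 6 and parts[4].endswith("%"):
            usage[parts[5]] = int(parts[4].rstrip("%"))
    return usage


def evaluate(mem_swap, disk, thresholds=DEFAULT_THRESHOLDS, cpu=None):
    """Return [(resource, value, threshold)] for every reading at or above its threshold."""
    readings = [("memory", mem_swap["memory"]), ("swap", mem_swap["swap"])]
    if cpu is not None:
        readings.append(("cpu", cpu))
    readings += [(f"disk {mount}", pct) for mount, pct in disk.items()]
    breaches = []
    for name, value in readings:
        limit = thresholds[name.split()[0]]
        if value is not None and value >= limit:  # "reached or exceeded", as the widget does
            breaches.append((name, value, limit))
    return breaches


def notification_body(breaches):
    """Plain-text body in the spirit of the email alert the guide describes."""
    if not breaches:
        return "All monitored resources are below their thresholds."
    lines = ["FortiSOAR health check: threshold reached or exceeded"]
    lines += [f"  {name}: {value}% (threshold {limit}%)" for name, value, limit in breaches]
    return "\n".join(lines)


def live_check(thresholds=DEFAULT_THRESHOLDS):
    """Run `free -m` and `df -P` on this host and evaluate the results (Linux only)."""
    free_out = subprocess.run(["free", "-m"], capture_output=True, text=True, check=True).stdout
    df_out = subprocess.run(["df", "-P"], capture_output=True, text=True, check=True).stdout
    return evaluate(parse_free(free_out), parse_df(df_out), thresholds)


if __name__ == "__main__":
    print(notification_body(evaluate(parse_free(FREE_SAMPLE), parse_df(DF_SAMPLE))))
```

On the constructed sample, memory (86.6%), swap (58.6%) and the root filesystem (exactly 80%) trip their thresholds while /opt and /boot do not, which is the same reached-or-exceeded rule the dashboard widgets use when they turn red.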


Good job! You now understand how to monitor FortiSOAR.

Now, you will learn about the FortiSOAR logs, services, and processes.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in logs, services, and processes, you will learn about the list of logs for
troubleshooting FortiSOAR, and how to set different levels of logging. You will also learn about key FortiSOAR
services and processes.


FortiSOAR generates different types of log files for different subsystems. The table shown on this slide lists
the various log files contained in the /var/log/cyops directory or subdirectories and their purpose. You can
use the appropriate log file to gather more information about any errors or events that happen during
FortiSOAR operations.

Note that the table contains relative paths for subdirectories in /var/log/cyops, and not absolute paths.


This slide lists more of the different log files FortiSOAR generates for various subsystems in the
/var/log/cyops/ directory. Note that the upgrade log file is contained within the main directory.


Use the tomcat.log file to troubleshoot issues related to audit logs. The location of the log file is shown on
this slide.

To troubleshoot operating system level errors, view the message logs located at /var/log/messages.

There are various logs to help you troubleshoot issues related to dedicated tenant nodes or FortiSOAR
agents. The log file names and their directory path are shown on this slide.

You can set five different severity levels for the log files:
• DEBUG: low-level system information for debugging purposes
• INFO: general system information
• WARNING: information describing a minor problem that has occurred
• ERROR: information describing a major problem that has occurred
• CRITICAL: information describing a critical problem that has occurred


The various log files have different log severity level parameters. This slide lists a few of them.

For sealab or workflow logs, modify the config.ini file in the cyops-workflow directory shown on this
slide. You must configure the WORKFLOW_LOG_LEVEL parameter to the required logging level. For example,
WORKFLOW_LOG_LEVEL = 'INFO'. After the change you must restart the uwsgi service.

For integrations, modify config.ini file in the cyops-integrations directory. You must set the
connector_logger_level parameter to the required logging level. After the change you must also restart
the uwsgi service.

For celery, modify the celeryd.conf file in the celery directory shown on this slide. After the change you
must restart the celeryd service.

For nginx (GUI), API, or PHP, modify the config_prod.yml file in the nginx directory shown on this slide.
You must modify the level parameter to the required logging level. After the change you must restart nginx
using the command shown on this slide.
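The following is an added example, not the study guide's own code, that shows what changing WORKFLOW_LOG_LEVEL does. The config excerpt is constructed, and the read_level and set_level helpers are illustrative rather than FortiSOAR tools. The logging helpers use Python's standard logging module, whose five levels are the ones listed on the previous slide; the example shows which of the five severities are actually written at each configured level.

```python
import io
import logging

LEVELS = ("DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL")

# Constructed excerpt in the style of the workflow config.ini; other keys are omitted.
SAMPLE_CONFIG = """\
# workflow engine logging (constructed excerpt)
WORKFLOW_LOG_LEVEL = 'INFO'
"""


def read_level(config_text, key="WORKFLOW_LOG_LEVEL"):
    """Return the level name set for `key` (quotes stripped), or None if absent."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";", "[")) or "=" not in stripped:
            continue
        k, v = (s.strip() for s in stripped.split("=", 1))
        if k == key:
            v = v.strip("'\"").upper()
            if v not in LEVELS:
                raise ValueError(f"{key} has unknown level {v!r}; expected one of {LEVELS}")
            return v
    return None


def set_level(config_text, new_level, key="WORKFLOW_LOG_LEVEL"):
    """Return the config text with `key` set to new_level, quoted as in the guide's example."""
    if new_level not in LEVELS:
        raise ValueError(f"unknown level {new_level!r}")
    out, found = [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        is_setting = "=" in stripped and not stripped.startswith(("#", ";"))
        if is_setting and stripped.split("=", 1)[0].strip() == key:
            out.append(f"{key} = '{new_level}'")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key} = '{new_level}'")
    return "\n".join(out) + "\n"


def build_logger(level_name):
    """Logger writing to an in-memory buffer at the given level; returns (logger, buffer)."""
    buf = io.StringIO()
    logger = logging.getLogger(f"workflow.example.{level_name}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(getattr(logging, level_name))
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def emitted_at(level_name):
    """Emit one record per severity and return the severities that were actually written."""
    logger, buf = build_logger(level_name)
    logger.debug("step input: %s", {"ip": "203.0.113.10"})  # DEBUG output can expose record data
    logger.info("playbook started")
    logger.warning("connector call retried")
    logger.error("playbook step failed")
    logger.critical("workflow engine unavailable")
    return [line.split(" ", 1)[0] for line in buf.getvalue().splitlines()]


if __name__ == "__main__":
    level = read_level(SAMPLE_CONFIG)
    print(f"configured level {level}: emits {emitted_at(level)}")
    print(set_level(SAMPLE_CONFIG, "DEBUG"), end="")
```

DEBUG makes the workflow engine record step input and output, which can include record contents and connector parameters, so the usual practice is to raise the level only while troubleshooting, restart the uwsgi service as the slide says, and set it back afterwards.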


This slide contains a list of all key FortiSOAR services and processes that make FortiSOAR functional.


This slide is a continuation of the list of key FortiSOAR services and processes that make FortiSOAR
functional.


Starting from 7.0.0, it is possible to collect FortiSOAR log files from the GUI. On previous versions, the CLI is
the only way to collect logs. To do so, click the FortiSOAR dialog box near the lower-left corner of the GUI. On
the release version menu, click on the Download Logs button. There is an option to specify a password to
protect the log file. Only users who have the shared password can access the log files. The downloaded file
exists in the TAR.GZ format.


It is useful to also know how to collect log files using the CLI in case of any issues with the GUI itself.

To collect all the previously mentioned log files using a single command, run the csadm command listed on
this slide. If no target directory is specified, the present working directory is used instead. Note that the
command requires elevated privileges.

Once the file has been downloaded, you can optionally transfer the file from the FortiSOAR node onto a local
machine, such as by using an SFTP client. Note that you may need to change permissions on the file in order
to transfer it. For example, you may need to run the command chmod on the file.

To extract the contents of the file, run the tar command listed on this slide. After the file has been extracted,
you can find most service directories in fortisoar-logs/var/log/; however, the tomcat logs are in
fortisoar-logs/opt/cyops-tomcat/logs.
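The extraction step above is a good place to be careful: a support bundle is a tar archive, and extracting any archive with member paths you did not validate can write outside the target directory. The script below is an added example, not the study guide's own code. It builds a constructed bundle with the two directory layouts the slide names (fortisoar-logs/var/log and fortisoar-logs/opt/cyops-tomcat/logs), extracts it while refusing members that would escape the destination, and then indexes the log files by location. The file names are ones mentioned elsewhere in this lesson; the exact subdirectory layout inside the bundle is constructed.

```python
import io
import os
import tarfile
import tempfile

# Constructed bundle layout using the two locations the slide names; the
# subdirectories under var/log are an assumption of this example.
SAMPLE_MEMBERS = {
    "fortisoar-logs/var/log/cyops/connectors.log": b"INFO connector health check ok\n",
    "fortisoar-logs/var/log/cyops/fdn.log": b"INFO license sync complete\n",
    "fortisoar-logs/opt/cyops-tomcat/logs/tomcat.log": b"INFO audit log entry\n",
}


def build_bundle(path, members=SAMPLE_MEMBERS):
    """Write a gzip tar containing `members` ({name: bytes}) and return its path."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def safe_extract(bundle, dest):
    """Extract a tar.gz into dest, refusing members that would land outside it.

    Every member is validated before anything is written: absolute paths and
    `..` components are rejected, as are links, which could otherwise redirect
    later writes. On Python 3.12+ tarfile's 'data' filter is applied as well.
    """
    dest = os.path.realpath(dest)
    with tarfile.open(bundle, "r:gz") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest, member.name))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"refusing member outside destination: {member.name}")
            if member.issym() or member.islnk():
                raise ValueError(f"refusing link member: {member.name}")
            if not (member.isfile() or member.isdir()):
                raise ValueError(f"refusing special member: {member.name}")
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return dest


def index_logs(root):
    """Map each *.log file to (location label, path relative to root)."""
    locations = {
        "services": os.path.join(root, "fortisoar-logs", "var", "log"),
        "tomcat": os.path.join(root, "fortisoar-logs", "opt", "cyops-tomcat", "logs"),
    }
    found = {}
    for label, base in locations.items():
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                if name.endswith(".log"):
                    found[name] = (label, os.path.relpath(os.path.join(dirpath, name), root))
    return found


def demo():
    """Build the sample bundle, extract it safely, and index the logs it contains."""
    work = tempfile.mkdtemp()
    bundle = build_bundle(os.path.join(work, "fortisoar-logs.tar.gz"))
    return index_logs(safe_extract(bundle, os.path.join(work, "extracted")))


def traversal_is_rejected():
    """True if safe_extract refuses a bundle whose member path climbs out of dest."""
    work = tempfile.mkdtemp()
    bundle = build_bundle(os.path.join(work, "bad.tar.gz"), {"../escaped.log": b"x\n"})
    try:
        safe_extract(bundle, os.path.join(work, "extracted"))
    except ValueError:
        return not os.path.exists(os.path.join(work, "escaped.log"))
    return False


if __name__ == "__main__":
    for name, (label, relpath) in demo().items():
        print(f"{label:9} {name:16} {relpath}")
```

The index makes the split the slide describes explicit: everything except the tomcat logs lands under fortisoar-logs/var/log, while tomcat.log is under fortisoar-logs/opt/cyops-tomcat/logs.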


Good job! You now understand logs, services, and processes on FortiSOAR.

Now, you will learn about troubleshooting various FortiSOAR issues.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in troubleshooting FortiSOAR, you will learn about the importance of licenses
and users on FortiSOAR, and how to configure them.


FortiSOAR displays meaningful messages and troubleshooting tips during the license deployment process,
and also validates the license, making it easier for you to debug issues. Also, if your connection to FDN is
through a proxy, you must update the proxy’s settings.

If you have a subscription-based license, then the number of users and expiry date are not present inside the
license. You must sync them from FDN after the installation. The License has expired message after
installation occurs for one of the following two reasons:
• Sync with FDN failed
• Sync was successful but you provided the wrong contract information.

To verify, run the java command shown on this slide.


If you have an evaluation or perpetual license, then the number of users and expiry date are present inside
the license. If a license deployment failure occurs for these types of licenses, then check the license
information using the csadm license command shown on this slide.

After deploying the license, if the system is still not reachable, restart the cyops-auth service and then
investigate the fdn.log and das.log files.

To find a node’s UUID, which uniquely identifies the FortiSOAR instance, you can use the License Manager
in the GUI, or run the --get-device-uuid command.


If your connector's configuration or action fails, you can check the connector logs located in the
connectors.log file. You can optionally run a tail -f to see new logs as you test the problematic
connector.

As mentioned previously in this lesson, you can also increase the logging level of the integrations
configuration file by changing the connector_logger_level parameter.

After changing the logging level, you must restart the uwsgi service.


The max_reset_attempts parameter defines the maximum number of times users can click the Reset
Password link before actually resetting their password. By default, this is set to 10 times.

If the user exceeds the value in password reset attempts, then they will not receive a new link to reset their
password until a specified time expires, which is defined in the reset_locktime parameter.

To modify the max_reset_attempts parameter, you must run the curl command shown on this slide. The
command changes the number of times users can click the Reset Password link to 5 times, that is, a user
can click the Reset Password link five times without actually configuring their new password. However, if the
user clicks the Reset Password link for the sixth time, the user will be blocked.


The reset_locktime parameter defines the time period, in hours, a user is locked out from resetting their
password after they exceed the max_reset_attempts value. By default, this is set to 12 hours.

To change the value of the reset_locktime parameter, you must run the curl command shown on this
slide. The command changes the number of hours that a user will be locked out from receiving a reset
password link to two hours. This lock out will trigger only if they have exceeded the value defined in the
max_reset_attempts parameter.


You can manage account lockout timers under the Failed Authentication section on the Account
Configuration page.

The Maximum Failed Login Attempts setting specifies the number of times users can enter an incorrect
password while logging into FortiSOAR before their account gets locked. By default, this is set to 5 attempts.

The Account Unlock Time setting specifies the duration, in minutes, after which user accounts that exceeded the
number of failed login attempts are automatically unlocked. By default, this is set to 30 minutes.
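The password-reset throttle on the previous slides (max_reset_attempts and reset_locktime, in hours) and the failed-login lockout on this slide (Maximum Failed Login Attempts and Account Unlock Time, in minutes) follow the same count-then-lock pattern. The class below is an added example that models that pattern; it is not FortiSOAR's implementation, and simulate() is a constructed driver. Timestamps are passed in explicitly so the runs are deterministic, and lock durations are given in seconds so the same code serves both settings.

```python
from datetime import datetime, timedelta


class AttemptLimiter:
    """Count attempts per user and lock the user out after `max_attempts` is exceeded.

    Attempts up to max_attempts are allowed; the next one triggers a lock of
    `lock_duration`, during which every attempt is refused. When the lock
    expires the counter starts again from zero.
    """

    def __init__(self, max_attempts, lock_duration):
        self.max_attempts = max_attempts
        self.lock_duration = lock_duration
        self._attempts = {}      # user -> attempts counted so far
        self._locked_until = {}  # user -> datetime at which the lock ends

    def attempt(self, user, now):
        """Register one attempt at time `now`; True if allowed, False if the user is locked."""
        until = self._locked_until.get(user)
        if until is not None:
            if now < until:
                return False
            # lock expired: forget the old window and count afresh
            del self._locked_until[user]
            self._attempts[user] = 0
        count = self._attempts.get(user, 0) + 1
        if count > self.max_attempts:
            self._locked_until[user] = now + self.lock_duration
            return False
        self._attempts[user] = count
        return True

    def reset(self, user):
        """Clear all state for a user, e.g. after a successful login or password change."""
        self._attempts.pop(user, None)
        self._locked_until.pop(user, None)


def simulate(max_attempts, lock_seconds, probe_seconds):
    """Drive one user through max_attempts + 1 rapid attempts, then probe during and after the lock.

    Returns (results of the rapid attempts, allowed at probe_seconds, allowed after the lock ends).
    probe_seconds must fall inside the lock window for the middle value to be meaningful.
    """
    limiter = AttemptLimiter(max_attempts, timedelta(seconds=lock_seconds))
    t0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed start time
    rapid = [limiter.attempt("analyst", t0 + timedelta(seconds=i)) for i in range(max_attempts + 1)]
    during = limiter.attempt("analyst", t0 + timedelta(seconds=probe_seconds))
    after = limiter.attempt("analyst", t0 + timedelta(seconds=max_attempts + lock_seconds + 1))
    return rapid, during, after


if __name__ == "__main__":
    # reset link: the slide's example of 5 attempts and a 2 hour lock; probe after 1 hour
    print("reset link:", simulate(5, 2 * 3600, 3600))
    # failed logins: the defaults of 5 attempts and 30 minutes; probe after 10 minutes
    print("login:", simulate(5, 30 * 60, 10 * 60))
```

With the slide's values of five attempts and a two hour lock, the first five clicks succeed, the sixth is blocked, a further attempt an hour later is still blocked, and the first attempt after the lock expires succeeds; the login defaults behave identically on a 30 minute scale.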


If you get any errors while performing a global search in FortiSOAR, check that the elasticsearch and the
cyops-search services are running.

If these services are not running, then start them using the commands shown on this slide.


By default, FortiSOAR configures Elasticsearch to use 4 GB of RAM.

If there are too many records, or if the records are very large, the system might eventually crash with
out-of-memory errors. To fix this, you must increase the memory allocated to Elasticsearch.

In the /etc/elasticsearch/jvm.options file, change the -Xms4g and -Xmx4g parameters to a higher
value based on the available memory on your server. After this change, restart the Elasticsearch service.


When the primary data in the system becomes large (for example, when you have more than one million
alerts), you might notice that the system is slow to respond. The slowness can be caused by database
queries taking longer with the increased database size.

You can fine-tune this behavior by increasing the shared buffer and worker memory for Postgres. Increase the
shared_buffers and work_mem parameters in the postgresql.conf file. The directory path for the file
is shown on this slide. After editing the file, restart the postgresql-14 service.
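The edits on the last two slides are small text changes to two configuration files, but both are easy to get subtly wrong (unequal -Xms and -Xmx, a heap larger than the host can spare, or setting a Postgres parameter that is still commented out). The script below is an added example, not the study guide's or FortiSOAR's code, that makes both edits programmatically: jvm.options for the Elasticsearch heap, and postgresql.conf for shared_buffers and work_mem. Both excerpts are constructed, and the half-of-RAM and 31 GB guards follow Elasticsearch's general heap guidance rather than any FortiSOAR rule.

```python
import re

# Constructed excerpt in the style of /etc/elasticsearch/jvm.options (4 GB default per the guide).
JVM_OPTIONS_SAMPLE = """\
## JVM configuration (constructed excerpt)
-Xms4g
-Xmx4g
-XX:+UseG1GC
"""

# Constructed excerpt in the style of postgresql.conf; the values are illustrative.
POSTGRESQL_CONF_SAMPLE = """\
# constructed excerpt
shared_buffers = 128MB          # min 128kB
#work_mem = 4MB                 # min 64kB
max_connections = 100
"""


def heap_settings(text):
    """Return {'-Xms': value, '-Xmx': value} from jvm.options text."""
    found = {}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(("-Xms", "-Xmx")):
            found[s[:4]] = s[4:]
    return found


def set_es_heap(text, heap_gb, total_ram_gb):
    """Rewrite -Xms and -Xmx to heap_gb, keeping the two equal.

    The guards follow Elasticsearch's general guidance (heap at most half of
    RAM so the page cache keeps the rest, and no larger than about 31 GB so
    compressed object pointers stay in use). They are assumptions of this
    example, not FortiSOAR settings.
    """
    if heap_gb > total_ram_gb / 2:
        raise ValueError(f"{heap_gb} GB heap exceeds half of {total_ram_gb} GB RAM")
    if heap_gb > 31:
        raise ValueError("heaps above about 31 GB lose compressed object pointers")
    out = []
    for line in text.splitlines():
        s = line.strip()
        out.append(f"{s[:4]}{heap_gb}g" if s.startswith(("-Xms", "-Xmx")) else line)
    return "\n".join(out) + "\n"


def get_pg_param(text, key):
    """Return the active (uncommented) value of `key` in postgresql.conf text, or None."""
    pattern = re.compile(rf"^\s*{re.escape(key)}\s*=\s*([^\s#]+)")
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            return m.group(1)
    return None


def set_pg_param(text, key, value):
    """Set `key = value`, replacing the first existing line for the key, commented out or not."""
    pattern = re.compile(rf"^\s*#?\s*{re.escape(key)}\s*=")
    out, done = [], False
    for line in text.splitlines():
        if not done and pattern.match(line):
            out.append(f"{key} = {value}")
            done = True
        else:
            out.append(line)
    if not done:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def heap_is_rejected(heap_gb, total_ram_gb):
    """True if set_es_heap refuses this heap size for this amount of RAM."""
    try:
        set_es_heap(JVM_OPTIONS_SAMPLE, heap_gb, total_ram_gb)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(set_es_heap(JVM_OPTIONS_SAMPLE, 8, 32), end="")
    tuned = set_pg_param(POSTGRESQL_CONF_SAMPLE, "shared_buffers", "4GB")
    print(set_pg_param(tuned, "work_mem", "64MB"), end="")
```

After writing the changed text back to the real files, the services still need the restarts the slides describe (the Elasticsearch service and the postgresql-14 service respectively); work_mem is allocated per sort or hash operation and per connection, so raising it far on a busy instance can consume much more memory than the single number suggests.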


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to set up monitoring of FortiSOAR
services and resources. You also learned how to troubleshoot various issues in FortiSOAR.


No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
