SIEM


Remediation Action Issue

  • 1.  Remediation Action Issue

    Posted Sep 25, 2019 11:12 PM
    hello,
    I have a FortiSIEM FS-1000F with a perpetual license, but the support has expired now. I had a notification rule that includes the run-script action FortiGate--after5.2 to block the source IP when the incident "Permitted traffic from suspicious external source" is generated. The problem is that when I view the running task, the script is frozen at 0%. Is this issue caused by my support being expired?


  • 2.  RE: Remediation Action Issue

    GROUP ADMIN
    Posted Sep 26, 2019 03:20 AM
    There isn't a FSM 1000F appliance, there is 500F Collector, 2000F Super and 3500F Super. Expired support should not impact remediations, but would advise to get it back under support for the latest updates and fixes.

    I typically use the "Block IP FortiOS API" remediation; you just need to make sure you have an HTTPS credential associated with the device.

    In the FSM GUI go to Admin / Setup / Credentials and create the following credentials under "Step 1: Enter Credentials".

    As well as having SNMP and ideally SSH credentials defined, also create an HTTPS credential for example:

    HTTPS

    • Name: HTTPS - Fortigate
    • Device Type: Fortinet FortiOS
    • Access Protocol: HTTPS
    • Port: 443
    • Password config: Manual
    • User Name: admin
    • Password: FortiSIEM
    • Save.

    Then associate that credential with the FGT IP.


    After that, rediscover the device and try remediating with the API remediation option.



  • 3.  RE: Remediation Action Issue

    Posted Sep 26, 2019 03:33 AM
    Sorry, it is a 2000F. I saw that this remediation action needs SSH access only, from the Resources tab. Is it necessary to enable




  • 4.  RE: Remediation Action Issue

    GROUP ADMIN
    Posted Sep 26, 2019 04:24 AM
    You can use SSH remediation or the API remediation. The API connects over HTTPS. But you must have the appropriate credential associated and discovered with the device.


  • 5.  RE: Remediation Action Issue

    GROUP ADMIN
    Posted Sep 26, 2019 04:26 AM
    Just one point on API (HTTPS) remediation with the FGT, the FGT needs to be licensed.


  • 6.  RE: Remediation Action Issue

    Posted Sep 26, 2019 05:10 AM
    Yes, I had the credential and the remediation scripts worked before, and I want to add that the notification rule didn't send the emails or run the script now. So do you think it is a support issue?


  • 7.  RE: Remediation Action Issue

    GROUP ADMIN
    Posted Sep 26, 2019 05:42 AM
    If the Incident triggered and fired a notification, then depending on the Notification Window defined in the Rule, it won't trigger a notification again until either the Incident is cleared or the Notification Window expires.

    I suggest trying to clear the Incident and trigger it again.
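The suppression behaviour described in reply 7 (no second email or script run for the same incident until it is cleared or the Notification Window expires), modelled as an added example. This is not FortiSIEM code or code from the thread; the class and function names, the incident key (rule + source IP) and the one-hour window are assumptions chosen to illustrate why a working rule can appear to "do nothing".

```python
"""Toy model of a FortiSIEM-style notification window (added example, not product code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Incident:
    rule: str
    source_ip: str


@dataclass
class NotificationRule:
    name: str
    window: timedelta                                   # assumed "Notification Window" length
    last_fired: Dict[str, datetime] = field(default_factory=dict)
    actions_run: List[str] = field(default_factory=list)

    @staticmethod
    def key(inc: Incident) -> str:
        # Assumption: the product de-duplicates per rule and source IP.
        return f"{inc.rule}|{inc.source_ip}"

    def on_trigger(self, inc: Incident, now: datetime) -> bool:
        """Return True if the notification actions (email / run-script) execute."""
        last = self.last_fired.get(self.key(inc))
        if last is not None and now - last < self.window:
            return False                                # suppressed: still inside the window
        self.last_fired[self.key(inc)] = now
        self.actions_run.append(f"{now.isoformat()} run block-script for {inc.source_ip}")
        return True

    def clear(self, inc: Incident) -> None:
        """Clearing the incident resets the window, as reply 7 suggests."""
        self.last_fired.pop(self.key(inc), None)


def simulate() -> List[bool]:
    """Constructed scenario: fire, re-fire inside window, clear + re-fire, re-fire after expiry."""
    rule = NotificationRule("Permitted traffic from suspicious external source", timedelta(hours=1))
    inc = Incident(rule.name, "203.0.113.10")          # constructed sample source IP
    t0 = datetime(2019, 9, 26, 3, 20)
    results = [rule.on_trigger(inc, t0),                # True: first trigger runs the script
               rule.on_trigger(inc, t0 + timedelta(minutes=10))]  # False: inside the window
    rule.clear(inc)
    results.append(rule.on_trigger(inc, t0 + timedelta(minutes=20)))  # True: cleared, fires again
    results.append(rule.on_trigger(inc, t0 + timedelta(hours=3)))     # True: window expired
    return results
```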