FortiSOAR-7.6.0-Administration_Guide.pdf
Administration Guide
FortiSOAR 7.6.0

FORTINET DOCUMENT LIBRARY: https://docs.fortinet.com
FORTINET VIDEO LIBRARY: https://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM: https://www.fortinet.com/training-certification
FORTINET TRAINING INSTITUTE: https://training.fortinet.com
FORTIGUARD LABS: https://www.fortiguard.com
END USER LICENSE AGREEMENT: https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK: Email: [email protected]

August, 2024
FortiSOAR 7.6.0 Administration Guide
00-400-000000-20210113
Fortinet Inc.

TABLE OF CONTENTS

Change Log 10
Overview 11
  Common Tasks 11
  Tasks and Permissions 12
  Guide to setting up FortiSOAR 13
System Configuration 15
  General 17
  Configuring System and Cluster Health Monitoring 17
  Configuring Comments 19
  Setting the formats for Date and DateTime fields on the FortiSOAR UI 19
  Customizing the behavior of the FortiSOAR Setup Guide 20
  Setting a language other than English for your FortiSOAR system 22
  Configuring Themes 24
  Configuring Default Country Code 24
  Configuring Navigation Preferences 24
  Enabling Light Mode Setting 25
  Application Configuration 25
  Purging audit logs, executed playbook logs, and recycle bin records, and reclaiming unused disk space 25
  Configuring the logging level for Playbook Execution Logs 32
  Configuring Playbook Recovery 34
  Configuring the Simplified Expression View 34
  Configuring the default timezone for exporting reports 34
  Managing user listings in People Lookup fields 35
  Enabling MIME type validations for file uploads 35
  Log Forwarding 36
  Persisting the FortiSOAR logs 37
  Environment Variables 38
  Branding 39
  System Fixtures 41
Audit Log 44
  Viewing Audit Log 47
  Viewing User-Specific Audit Logs 51
  Viewing Audit Log in the detailed view of a record 51
  Purging Audit Logs 54
License Manager 57
Notifications 58
  Adding Delivery Rules 60
  Setting up Notification Channels 64
  Working with Delivery Rules and Notification Channels 67
  Modifying the 'Notify On Pending External Manual Input' delivery rule post-upgrade to release 7.3.0 or later 69
  Purging of notifications 70
Data Archival 71
  Methods of Setting Up Data Archival 71
  Setting up an External Database for Data Archival 72
  Configuring various settings for Data Archival 73
  Viewing and Searching Archived Records 76
Blocking specific HTML tags and attributes 77
Security Management 79
  Important Concepts 79
  Authentication versus Authorization 79
  Users and Appliances 79
  Teams and Roles 80
  Security Management Menus 80
  Team Hierarchy 80
  Teams 80
  Roles 81
  Users 81
  Access Keys 81
  Authentication 81
  Password Vault 82
  Configuring Team Hierarchy 82
  Relationships 82
  Using the Editor 83
  Configuring Teams 87
  Editing Teams 87
  Configuring Roles 89
  Default Roles 90
  Modules in the Roles Page 92
  Adding Roles 93
  Assigning Roles to Users and Appliances 94
  Configuring User Profiles 95
  Adding Users 95
  User Profiles 97
  Managing Access Keys 107
  Managing API key-based authentication for appliances 107
  Managing HMAC authentication for appliances 112
  Appliance Profile 114
  Playbook Appliance 115
  Troubleshooting 116
  Configuring Authentication 117
  Configuring Accounts 117
  Configuring Two-Factor Authentication (2FA) 120
  Configuring LDAP / AD 124
  Configuring SSO 126
  Configuring FortiSOAR authentication with a RADIUS server 178
  Configuring the Password Vault Manager 182
  Delete Users 185
Application Editor 186
  Module Editor 186
  Creating a New Module 187
  Modifying an existing module 191
  Saving your changes 202
  Viewing your changes 202
  Publishing modules 202
  Picklist Editor 203
  Creating or modifying a picklist 204
  Pre-Processing Rules 206
  Adding a new 'Drop' type pre-processing rule 207
  Adding a new 'Update' type pre-processing rule 211
  Supported Operations on the Pre-Processing Rules Page 214
  Navigation Editor 215
  Modifying the Navigation bar 216
  Correlation Settings 218
Recommendation Engine 220
  Permissions required 222
  Record Similarity, Field Suggestions, and Playbook Suggestions 222
  Phishing Classification 235
Export and Import Wizards 241
  Permissions required 242
  Export Wizard 243
  Import Wizard 257
Recycle Bin 269
  Permissions Required 270
  Using the Recycle Bin 270
  Behavior of Recycle Bin in the case of MSSP environments 271
Segmented Network Support 273
  Overview 273
  FortiSOAR Agent CLI 273
  Invoke connector actions using FSR agents in segmented networks 274
  Minimal permissions required 274
  Installing a connector on an FSR agent 274
  Configuring connectors 277
  Running remote actions 278
  Upgrading an FSR Agent 282
  Upgrading the configuration on an FSR Agent machine 285
  Running unauthenticated manual inputs in segmented networks 286
  Troubleshooting 286
  Files to be used for troubleshooting 286
  The FSR agent remains stuck in the "Remote Node Unreachable" state after users update the certificates or if they change the authentication strategy 287
  Deactivated FSR agent does not come back to the connected state even after activating the FSR agent 287
  FSR Agents configuration page displays an "Agent does not exist" error when you click the Export Config link 287
  Post restore to release 7.3.0, switching the SME of any Tenant or FSR Agent, the status of the tenant or agent is displayed as "Remote Node Unreachable" 288
FortiSOAR Admin CLI 289
  Prerequisites 289
  FortiSOAR Admin CLI - Usage 289
  CLI commands used for forwarding FortiSOAR logs 298
High Availability and Disaster Recovery support in FortiSOAR 300
  Overview 300
  High Availability Types supported with FortiSOAR 300
  High Availability with an internal PostgreSQL database 300
  High Availability with an externalized PostgreSQL database 302
  Cluster Licensing 303
  Viewing and updating the license of an HA cluster 304
  Prerequisites to configuring High Availability 305
  Process for configuring High Availability 306
  Steps to configure FortiSOAR HA cluster with an internal PostgreSQL database 306
  Steps to configure FortiSOAR HA cluster with an external PostgreSQL database 307
  Takeover 307
  Usage of the csadm ha command 308
  Overview of nodes in a FortiSOAR HA cluster 312
  Checking replication between nodes in an active-passive configuration 312
  Installation of connectors on nodes in an HA cluster 312
  Changing the hostname of primary and secondary nodes in an HA cluster 313
  Changing the hostname of the primary node 313
  Changing the hostname of a secondary/passive node 313
  Upgrading an HA cluster 314
  Load Balancer 314
  Setting up HAProxy as a TCP load balancer fronting the two clustered nodes 314
  Configuring FortiSOAR in FortiADC 315
  Using the Gobetween load balancer 319
  Behavior that might be observed while publishing modules when you are accessing HA clusters using a load balancer 323
  Extending support for two NICs on a FortiSOAR appliance for controlled traffic routing 323
  Section 1: Rocky Linux or RHEL changes for multihoming (MultiNIC) 324
  Section 2: FortiSOAR changes for Multihoming 325
  Setting up a High Availability FortiSOAR cluster in the AWS Cloud with Aurora as the external database 327
  Configuration Details 327
  Verifying FortiSOAR functionality with the Aurora external database 330
  Verifying FortiSOAR cluster failover to another region 330
  FortiSOAR Nodes Hydration 331
  Upgrading Hydrated FortiSOAR Nodes 332
  Tunables 332
  Best practices 333
  Best practices for changing the shared memory size on HA nodes after setting up an HA cluster 333
  Monitoring health of HA clusters 334
  Understanding HA Cluster Health Notifications 334
  Troubleshooting issues based on the notifications 336
  Sample scale tests that were done in the lab to understand the behavior of 'csadm ha get-replication-stat' 338
  Disaster Recovery 342
  FAQs 342
  Troubleshooting 343
  Failure to create an HA cluster 343
  Timeout failure while creating an HA cluster 344
  Unable to add a node to an HA cluster using join-cluster, and the node gets stuck at a service restart 344
  Fixing the HA cluster when the Primary node of that cluster is halted and then resumed 345
  Unable to join a node to an HA cluster when a proxy is enabled 345
  Changes made in nodes in an active-active cluster fronted with a load balancer take some time to reflect 345
  Post Takeover the nodes in an HA cluster do not point to the new active primary node 346
  After performing the leave-cluster operation, the license is not found on a secondary node 346
  The leave-cluster operation fails at the "Starting PostgreSQL Service" step when a node in the cluster is faulted 347
  Resetting the password for an instance that is part of an active/active cluster causes the other instances of that cluster to be unable to log in to FortiSOAR 348
  The database of a secondary node in the HA cluster is out of sync with the database of the primary node 348
  Failure of the 'leave-cluster' command on a secondary node that had its database externalized before joining the HA cluster, and that is currently using an internal database 349
  Common failures observed during the join-cluster operation 349
Elasticsearch Configuration 352
  Externalization and Authentication of Elasticsearch 352
  Migration of Elasticsearch data 354
  Troubleshooting Tips 354
  FortiSOAR Search Errors 354
  Optimizing the reindexing of Elasticsearch data 355
Externalization of your FortiSOAR PostgreSQL database 356
  Prerequisites 356
  Externalizing FortiSOAR databases 357
  Setting up an externalized database on the cloud 359
  Installing the pg_squeeze and pg_repack extensions 359
  Installing pg_squeeze 360
  Installing pg_repack 361
Backing up and Restoring FortiSOAR 363
  Prerequisites 363
  Backup Process 363
  Data that is backed up during the backup process 363
  Prerequisites to running the backup process 364
  Performing a backup 364
  Restore Process 365
  Restoring data 365
  Restoring a backup of a FortiSOAR instance with an externalized database to an instance that is not externalized 366
  Backup and Restore process for FortiSOAR High Availability systems 367
  Regenerating RabbitMQ certificates when you are creating an HA cluster using a restored node 367
  Backup and Restore process for the External Secure Message Exchange systems 367
  Troubleshooting Backup and Restore Issues 368
  Post-restore the FSR agent status is not updated as "Remote Node Unreachable" 368
About FortiSOAR 369
  Downloading FortiSOAR logs 371
Monitoring FortiSOAR 372
  Benefits of monitoring 372
  Manually setting up monitoring for each FortiSOAR component 372
  Monitoring uptime of FortiSOAR 373
  Monitoring FortiSOAR services 373
  Monitoring databases 374
  Monitoring Disk Space Utilization 374
  Monitoring CPU and Memory Utilization 374
  Monitoring connectors 374
  Monitoring workflows 375
  FortiSOAR integration with FortiMonitor 376
  Setting up a FortiSOAR instance to be monitored using FortiMonitor 376
  Monitoring FortiSOAR using FortiMonitor 377
  Components that are monitored out-of-the-box by FortiMonitor on FortiSOAR 377
  FortiSOAR-specific components that are monitored by FortiMonitor 377
  OnSight Collector 380
  Frequently Asked Questions 380
  Q. How to add queued playbooks as a metric for monitoring using the FortiSOAR template 380
  Q. How to change the monitoring interval for the License expiry metric 383
  Q. How to modify the timings of generating a Takeover Incident 384
  Q. How to remove stale entries on FortiMonitor for FortiSOAR metrics after a takeover 386
Debugging, Troubleshooting, and Optimizing FortiSOAR 388
  List of logs used for troubleshooting FortiSOAR 388
  List of key FortiSOAR services and processes 391
  Configurations required for exporting of records with unsupported character sets in the PDF format 393
  Additional settings for record similarity and field predictions 393
  Configure the maximum number of records to be fetched in one call 394
  Change the default value of some of the user profile parameters 395
  Security considerations for Websockets 396
  Backup of the most recent System View Template (SVT) before saving the edited SVT 397
  Automation added to fetch Google Chrome updates 397
  Troubleshooting Tips 397
  Your Workflow data size has increased 397
  Error displayed while performing a search operation in FortiSOAR 397
  Reindexing FortiSOAR modules for search 398
  FortiSOAR crashing with "out of memory" errors 398
  Changing Postgres worker memory 398
  Crashing of the Tomcat server when the 'Detailed' mode for Log Forwarding is enabled 399
  FortiSOAR displaying errors such as app.ERROR: Unable to load API credentials from cache or DAS 399
  Recommendation Engine does not work and displays an "ML Service not running" error 400
  Enabling PostgreSQL logging to identify API requests that are taking longer than expected 400

Change Log

Date: 2024-08-01. Change Description: Initial release of 7.6.0.

Overview

Use the administration guide to understand how to customize and administer FortiSOAR, including system, security and user management, and configuring templates.

When you log on to FortiSOAR for the first time as a csadmin user, you are required to change your password.
This enhances the security of your csadmin account and prevents unauthorized parties from accessing the administration account for FortiSOAR. New passwords must contain at least 8 characters, one lower-case letter, one upper-case letter, one digit, and any one of the following special characters: ~ ! @ # $ % ^ & * | ? _

Note down your csadmin password: if you forget your initial csadmin password, you have to request FortiSOAR to reset it. Also, when you change your csadmin password, make sure that you also update the email ID specified for csadmin, which by default is set to [email protected] (not a valid email ID). You can change the email ID by clicking the User Profile icon to open the User Profile page and changing the address in the Email field. Once a valid email ID is set in the user profile, you can reset your password whenever required by clicking the Forgot Password link on the login page.

Also note that if you want to move any file from or to a FortiSOAR system, you must install SCP (yum install openssh-clients -y) or any SCP client. This is required because the openssh-clients package has been removed from FortiSOAR for security compliance.

From release 7.2.0 onwards, the Incident Response modules have been removed from the FortiSOAR platform and moved to the SOAR Framework Solution Pack (SP). The SOAR Framework SP is the Foundational Solution Pack that creates the framework, including modules, dashboards, roles, widgets, etc., required for effective day-to-day operations of any SOC. Because the Incident Response modules, i.e., Alerts, Incidents, Indicators, and War Rooms, are not part of the FortiSOAR platform, users must install the SOAR Framework SP to optimally use and experience FortiSOAR's incident response. For detailed information about the SOAR Framework SP, see the SOAR Framework SP documentation. From release 7.2.0 onwards, the SOAR Framework Solution Pack is installed by default with fresh installations of FortiSOAR.

Common Tasks

Some of the common tasks that an administrator can perform are:
- License management
- System configuration
- Security management
- User management
- Appliance management
- Password Vault management
- Playbook configuration
- Application management

You can perform administration tasks using the Settings icon in the upper right-hand corner near the User Profile icon. Apart from the above tasks, you can install the SLA Management Solution Pack to track and manage SLAs for alerts and incidents in FortiSOAR. For more information, see the SLA Management Solution Pack documentation.

Tasks and Permissions

To manage different modules, appropriate rights must be assigned to users. In FortiSOAR, modules are applied to roles; for example, the Security module is applied to the Security Administrator role. Role permissions are based on the Create, Read, Update, and Delete (CRUD) model. Each module within FortiSOAR has explicit CRUD permissions that you can modify and save within a single role. For example, to perform all tasks for system configuration, you must be assigned a role that has CRUD permissions on the Application module, and to add and manage users, you must be assigned a role that has at minimum Create and Update permissions on the People module. By default, FortiSOAR has at least one role in place after installation, the Security Administrator.

Tasks and the permissions required on the corresponding module:
- System configuration (customizing FortiSOAR and configuring several default options used throughout the system, including setting up authentication mechanisms and configuring dashboards and templates): Create, Read, Update, and Delete (CRUD) permissions on the Application module. Default role: Application Administrator.
- Security management (managing teams and roles): CRUD permissions on the Security module. Default role: Security Administrator. The Security Administrator role also has CRUD permissions on the Secure Message Exchange and Tenants modules, so that this role can configure multi-tenant systems.
- User management (adding and removing users and editing their permissions): CRUD permissions on the People module.
- Appliance management (managing appliances and access keys): CRUD permissions on the Appliances module.
- Password Vault management (integrating with third-party external vaults to manage sensitive data): CRUD permissions on the Connectors module and Read permission on the Application module.
- Playbook management (configuring playbook collections and playbooks): CRUD permissions on the Playbook module. Default role: Playbook Administrator.

Guide to setting up FortiSOAR

The Setup Guide is designed to assist administrators, whether new or experienced, in configuring FortiSOAR according to best practices. It provides guidance on essential configurations and on the installation of necessary solution packs for optimal performance, such as setting up network proxies, enabling audit and playbook log purging, and configuring enrichment and mitigation playbooks. For details, including the permissions required to view the Setup Guide, see the Setup Guide Widget documentation.

When administrators log into FortiSOAR for the first time, the Setup Guide is displayed. To minimize the Setup Guide, click the > arrow. To reopen the Setup Guide, click the Setup Guide icon in the top-right corner of FortiSOAR. To hide the FortiSOAR Setup Guide icon, clear the Enable Setup Guide option on the System Configuration page. For more information, see the System Configuration chapter.
System Configuration

You can customize FortiSOAR and configure several default options used throughout the system, including the way FortiSOAR is displayed to users and the way notifications are sent to users. To configure the system, you must be assigned CRUD permissions on the Application module. The Application module is assigned by default to the Application Administrator role. For information about roles, refer to the Default Roles section in the Security Management chapter.

Click the Settings icon to open the System (System Configuration) page. Use the System Configuration page and its various tabs to customize FortiSOAR as per your requirements.

Click Settings > Audit Log to open the Audit Log page. Use the Audit Log page to view a chronological record of all actions across FortiSOAR. For more information, see Audit Log.

Click Settings > License Manager to open the License Manager page. Use the License Manager page to update your license and view the details of your FortiSOAR license. For more information, see License Manager.

Click Settings > Notifications to open the Notifications page. Use the Notifications page to configure rules for the delivery of notifications and to configure notification channels. For more information, see Notifications.

Click Settings > Data Archival to open the Data Archival page. Use the Data Archival page to configure settings for data archival and to search for records in the data archives. For more information, see Data Archival.

Click Settings > Environment Variables to open the Environment Variables page. Use the Environment Variables tab on the System Configuration page to add proxies that serve HTTP, HTTPS, or other protocol requests from FortiSOAR, or to define environment variables. The procedure for configuring proxy settings and defining environment variables is included in the Configuring Proxy Settings and environment variables topic in the Additional configuration settings for FortiSOAR chapter of the "Deployment Guide."

Use the General tab on the System Configuration page to edit several default options found throughout the system, especially in the user profile. These include the following:
- Default notifications for system and cluster health monitoring
- Default comment modification
- Default DateTime format
- Behavior of the FortiSOAR Setup Guide
- Setting a language other than English for your FortiSOAR UI
- Default theme
- Default country code
- Default navigation bar style
- Enable light mode setting for the 'Grid' widget across modules

For more information, see General, and for more information on user profile configuration, refer to the User Profiles section in the Security Management chapter. You can modify all the default values on a per-user basis on any user's Profile page.

Use the Application Configuration tab on the System Configuration page to configure various administrative options in FortiSOAR. These include the following:
- Purging of audit logs and executed playbook logs, and cleaning the database
- Settings for recycle bin records, including purging of recycle bin records and restricting permanent deletion of recycle bin records
- Default playbook execution logging levels
- Default playbook recovery options
- Default rendering of expressions in the Playbook Designer (Simplified Expression View)
- Default timezone for exporting reports
- Managing user listings in 'People' Lookup fields
- Enabling MIME type validation for file uploads

To enable sending system notifications, including requests for resetting passwords, and also to send emails outside FortiSOAR, you must configure the SMTP connector. For more information, see the SMTP Connector document. For more information on the options above, see Application Configuration.

Use the Log Forwarding tab on the System Configuration page to forward FortiSOAR application and audit logs to your central log management server. For more information, see Log Forwarding.

Use the Environment Variables tab on the System Configuration page to configure proxy settings for FortiSOAR and to define any other environment variables. For more information, see Environment Variables.

Use the Branding tab on the System Configuration page to customize FortiSOAR branding based on your license type. For more information, see Branding.

Use the System Fixtures tab on the System Configuration page to view links to the various playbook collections, email templates, and the self agent and self tenant pages that are included by default with FortiSOAR. For more information, see System Fixtures.

General

On the General page, you can configure settings, especially those related to user profiles, that apply across FortiSOAR. You can edit the settings and then click Save to apply the changes, or click Revert to undo them.

Configuring System and Cluster Health Monitoring

You can set up system monitoring for FortiSOAR, both for a single-node system and for High Availability (HA) clusters. To receive email notifications of any FortiSOAR service failure, of any monitored value exceeding its set threshold, etc., select the Enable Notification checkbox in the System & Cluster Health Monitoring section. Once you select the Enable Notification checkbox, from the Service drop-down list, select the service to be used for notifications. You can choose between SMTP and Exchange.
In the Email field, specify a comma-separated list of email addresses of the users who should receive email notifications in case of any FortiSOAR service failure, of any monitored value exceeding its set threshold, etc. The email that is sent for high CPU consumption also contains information about the processes that are consuming the most memory.

In the Monitoring Interval (Minutes) field, specify the interval in minutes at which you want to monitor the system and perform the health check of the HA cluster. By default, the system is monitored every 5 minutes.

In the System Health Thresholds section, you can set the thresholds, in percentages, for Memory Utilization (80% default), CPU Utilization (80% default), Disk Utilization (80% default), and Swap Memory Utilization (50% default), as well as Workflow Queue, i.e., the size of the celery queue (100 by default), and WAL Files Size (GB), which is set to 20 GB by default. If the threshold set for any of the monitored parameters is reached or crossed, an email notification is sent to all the specified email addresses.

If you have an HA environment, then RabbitMQ certificates, Nginx certificates, and self-signed PostgreSQL certificates are additionally monitored, and notifications can be sent to the specified users when any of the certificates is nearing expiry. Heartbeat failures and replication lag between the nodes of your HA cluster can also be monitored, and notifications can be sent to the specified users in the event of heartbeat failures and high replication lag between the nodes of your HA cluster. You can specify values for these parameters in the Cluster Health section:

In the Missed Heartbeat Count field, specify the number of missed heartbeats after which failure notifications are sent to all the specified email addresses. You cannot specify a value less than 3 in the Missed Heartbeat Count field.

In the Replication Lag field, specify the threshold for the replication lag between nodes. By default, this is set to 3, i.e., 3 GB. If the replication lag threshold is reached or crossed, an email notification is sent to all the specified email addresses.

Some examples of how the Monitoring Interval (Minutes) and Missed Heartbeat Count values work together when monitoring heartbeats between nodes in an HA cluster:

Case 1: If you have set the Monitoring Interval to 5 minutes and the Missed Heartbeat Count to 3, then when the heartbeat has been missed (the cyops-ha service is down) for the last >=15 minutes (monitoring interval * missed heartbeat count), the heartbeat missed notification is sent to all the email addresses that you have specified in the Email field. The cluster health check is performed at the specified monitoring interval. For example, if you specify 3 minutes in the Monitoring Interval (Minutes) field, the HA cluster health check runs every 3 minutes. Notifications are sent based on the product of the monitoring interval and the missed heartbeat count. For example, if you have set the monitoring interval to 3 and the missed heartbeat count to 4, and the heartbeat has been missed for the last >=12 minutes, heartbeat missed notifications are sent to all the email addresses that you have specified in the Email field.

Case 2: If no heartbeats have been missed for the last >=15 minutes (with the monitoring interval set to 5 minutes and the missed heartbeat count set to 3), but the health check finds a service down or a service connectivity failure, then a notification for the service down or service connectivity failure is sent to all the email addresses that you have specified in the Email field.
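The threshold, heartbeat and service-failure rules described above, modelled in Python as an added example (this is not FortiSOAR code; the class and field names are this example's own, and the choice to send the heartbeat notification once per outage rather than on every subsequent run is an assumption the guide does not state):

```python
"""Simulation of the 'System & Cluster Health Monitoring' notification rules.
Added example, not FortiSOAR code. Sample values are constructed."""
from dataclasses import dataclass, field

# Defaults quoted in the guide: percentages, queue length, and GB values.
DEFAULT_THRESHOLDS = {
    "memory_pct": 80, "cpu_pct": 80, "disk_pct": 80, "swap_pct": 50,
    "workflow_queue": 100, "wal_files_gb": 20, "replication_lag_gb": 3,
}


@dataclass
class HealthSample:
    """One health-check run, constructed by the caller."""
    metrics: dict                              # metric name -> observed value
    heartbeat_ok: bool = True                  # False when cyops-ha is down
    failed_services: list = field(default_factory=list)


@dataclass
class ClusterHealthMonitor:
    monitoring_interval_min: int = 5           # 'Monitoring Interval (Minutes)'
    missed_heartbeat_count: int = 3            # 'Missed Heartbeat Count'
    thresholds: dict = field(default_factory=lambda: dict(DEFAULT_THRESHOLDS))
    consecutive_misses: int = 0
    heartbeat_alert_sent: bool = False

    def __post_init__(self):
        # The UI rejects values below 3; mirror that validation here.
        if self.missed_heartbeat_count < 3:
            raise ValueError("Missed Heartbeat Count cannot be less than 3")

    def minutes_before_heartbeat_alert(self) -> int:
        # Case 1: interval * count, e.g. 5 * 3 = 15 minutes.
        return self.monitoring_interval_min * self.missed_heartbeat_count

    def evaluate(self, sample: HealthSample) -> list:
        """Return the notifications one health-check run would produce."""
        alerts = []
        # Thresholds fire when 'reached or crossed', hence >= rather than >.
        for name, limit in self.thresholds.items():
            value = sample.metrics.get(name)
            if value is not None and value >= limit:
                alerts.append(f"threshold: {name}={value} >= {limit}")
        # Case 2: service failures notify on every run, independently of
        # the heartbeat state.
        for svc in sample.failed_services:
            alerts.append(f"service down: {svc}")
        # Heartbeat: count consecutive misses and notify once the configured
        # number of intervals has elapsed without a heartbeat (assumption:
        # one notification per outage, reset when the heartbeat returns).
        if sample.heartbeat_ok:
            self.consecutive_misses = 0
            self.heartbeat_alert_sent = False
        else:
            self.consecutive_misses += 1
            if (self.consecutive_misses >= self.missed_heartbeat_count
                    and not self.heartbeat_alert_sent):
                alerts.append("heartbeat missed for >= "
                              f"{self.minutes_before_heartbeat_alert()} minutes")
                self.heartbeat_alert_sent = True
        return alerts


def simulate(monitor: ClusterHealthMonitor, samples: list) -> list:
    """Run successive health checks and collect the alerts of each run."""
    return [monitor.evaluate(s) for s in samples]


if __name__ == "__main__":
    # Constructed scenario: cyops-ha down for four consecutive 5-minute runs.
    runs = [HealthSample(metrics={"cpu_pct": 81}, heartbeat_ok=False)
            for _ in range(4)]
    for i, alerts in enumerate(simulate(ClusterHealthMonitor(), runs), 1):
        print(f"run {i} (t={i * 5} min): {alerts}")
```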
For more information on HA, see the High Availability and Disaster Recovery support in FortiSOAR chapter.

Configuring Comments

A user who has Security Update permissions can edit the comments of any FortiSOAR user, and a user who has Security Delete permissions can delete the comments of any FortiSOAR user. There is no time limit for the Security user to update or delete comments. Users can edit and delete their own comments in the "Collaboration" window or in the Comments widget if you (the administrator) have enabled the settings for comment modification and if the user has the appropriate CRUD permissions on the Comments module.

To allow users to edit and delete their own comments, click the Settings icon, which opens the System Configuration page. On the Application Configuration tab, in the Comment Modification section, select the Allow Comment Modification checkbox. You can also specify how long a user can edit or delete their comments in the Allow users to modify/delete their comments for a duration of field. For example, if you select 1 minute in this field, users can edit and delete their comments until 1 minute after they added the comment. By default, the Allow users to modify/delete their comments for a duration of field is set to 5 minutes. Users cannot edit or delete their comments after the time specified in this field.

You can also specify the behavior of the comment "delete" action, i.e., when a user deletes a comment, you can choose to permanently delete the comment or to flag the comment for deletion (Soft Delete). If you keep the Soft Delete checkbox selected (the default), comments are soft deleted, i.e., on the UI you see --Comment Deleted-- instead of the comment. If you have cleared the Soft Delete checkbox, nothing is shown on the UI, since the comment has been permanently deleted.
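The authorization rules for editing and deleting comments described above, written out as a decision function (an added example, not FortiSOAR code; the class names are this example's own, and treating the modification window as inclusive of its last second is an assumption):

```python
"""Who may edit or delete a comment under the 'Configuring Comments' settings.
Added example, not FortiSOAR code. Sample users and comments are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class CommentSettings:
    allow_modification: bool = True   # 'Allow Comment Modification' checkbox
    window_minutes: int = 5           # 'Allow users to modify/delete ... for a duration of'
    soft_delete: bool = True          # 'Soft Delete' checkbox (default: selected)


@dataclass
class User:
    name: str
    security_perms: set   # permissions on the Security module, e.g. {"update", "delete"}
    comment_perms: set    # CRUD permissions on the Comments module


@dataclass
class Comment:
    author: str
    created: datetime
    text: str
    deleted: bool = False


def can_modify(user: User, comment: Comment, action: str,
               settings: CommentSettings, now: datetime) -> bool:
    """action is 'update' or 'delete'.

    Security Update / Security Delete permission wins unconditionally and has
    no time limit. Otherwise the user must be the author, comment modification
    must be enabled, the user needs the matching Comments-module permission,
    and the comment must still be inside the modification window."""
    if action in user.security_perms:
        return True
    if not settings.allow_modification or comment.author != user.name:
        return False
    if action not in user.comment_perms:
        return False
    # Assumption: the boundary instant (exactly window_minutes later) still counts.
    return now - comment.created <= timedelta(minutes=settings.window_minutes)


def delete_comment(user: User, comment: Comment,
                   settings: CommentSettings, now: datetime):
    """Apply the delete and return what the UI would show afterwards:
    the '--Comment Deleted--' marker for a soft delete, None when the comment
    was permanently removed. Raises PermissionError if not allowed."""
    if not can_modify(user, comment, "delete", settings, now):
        raise PermissionError(f"{user.name} may not delete this comment")
    comment.deleted = True
    if settings.soft_delete:
        comment.text = "--Comment Deleted--"
        return comment.text
    comment.text = ""   # permanently deleted: nothing is rendered
    return None


if __name__ == "__main__":
    t0 = datetime(2024, 8, 1, 10, 0)
    alice = User("alice", set(), {"create", "read", "update", "delete"})
    c = Comment("alice", t0, "looks like a phishing lure")
    print(can_modify(alice, c, "update", CommentSettings(), t0 + timedelta(minutes=6)))
```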
Setting the formats for Date and DateTime fields on the FortiSOAR UI

Using the standard syntax (https://angular.io/api/common/DatePipe), you can customize the formats of the Date and DateTime fields on the FortiSOAR UI. To configure the formats for the DateTime and Date fields, in the Datetime Format section, from the Select Datetime Format drop-down list, select the required DateTime format. Similarly, from the Select Date Format drop-down list, select the required Date format, and click Save. The FortiSOAR UI now displays all DateTime and Date fields in the set format. For example, if you set the DateTime format to 'HH:mm EEEE MMMM dd', all the DateTime fields on the FortiSOAR UI, such as Resolved Date, Ack Due Date, etc., are presented in this format, i.e., as '15:24 Wednesday August 30'.

Customizing the behavior of the FortiSOAR Setup Guide

The FortiSOAR Setup Guide helps first-time or returning administrators of FortiSOAR to set up FortiSOAR optimally based on best practices. For more information on the FortiSOAR Setup Guide, see the Overview chapter and the Setup Guide documentation.

By default, the Setup Guide icon is visible in the top-right corner of FortiSOAR. To hide the Setup Guide icon, go to the System Configuration page, clear the Enable Setup Guide option, which is selected by default, and click Save. Once the updated setting is saved, the Setup Guide icon is no longer visible in the top-right corner of FortiSOAR.

Setting a language other than English for your FortiSOAR system

Support for 'Internationalization' was added to the FortiSOAR platform in release 7.5.0, enabling FortiSOAR to meet the linguistic, cultural, and other needs of a particular locale.
The default language set for the FortiSOAR UI is English, with additional support now available for the following languages:

- Japanese (Preview)
- Korean (Preview)
- Simplified Chinese (Preview)

'Preview' has been added to languages other than English as the translations have been done using translation tools, which might result in inaccuracies or incompleteness in the translations. Your feedback is valuable for improving their accuracy and quality. Additionally, changing the language from English to another language might affect the user experience on the FortiSOAR UI to some extent, such as labels exceeding their width or misalignment of buttons.

To support internationalization, FortiSOAR uses a system widget named "Language Pack" that includes the supported languages. This widget is automatically installed during the installation or upgrade of FortiSOAR to release 7.5.0 or later. The "Language Pack" widget is a system widget that cannot be uninstalled, and you should not modify it. Making changes to it can result in translation issues, causing the FortiSOAR UI to appear in English.

English serves as the fallback language for FortiSOAR. Any content that is not translated will be shown in English.

Administrators must be assigned the 'Read' or 'Usage' permission on 'Widgets' (in addition to other necessary permissions) to modify the global language settings. Without this permission, the FortiSOAR UI remains in English, regardless of the language you set.

To change the language in FortiSOAR for all users, switch from English to any of the supported languages by clicking the Settings icon, which opens the System Configuration page. In the Set Language section, select the language you want from the Select Language drop-down list for the FortiSOAR UI, then click Save to apply the change.
If your FortiSOAR instance is part of a high-availability cluster, changing the language on the System Configuration page on the primary node will apply the selected language translation on the secondary nodes when users log out and log back in on the secondary nodes. Similarly, if the language is changed on a secondary node, users must log out and log back in on the primary node and other secondary nodes for the language changes to be reflected.

Users can set the language for their FortiSOAR instance in their profile. The language set in the user profile takes precedence over the language set by an administrator. For example, if the administrator sets the FortiSOAR language to 'Korean' using this process, but a user sets their profile language to 'Japanese', the user's FortiSOAR UI will be displayed in Japanese. For information on setting the language in a user profile, refer to the Overview chapter in the "User Guide."

When changing the language in FortiSOAR from English to any of the supported languages, all static text in the FortiSOAR UI gets displayed in the selected language. Static text includes labels of fields, tabs, and buttons, titles of dialog boxes, descriptions, and static message content, such as content displayed in confirmation, error, or warning messages. Content that can be changed by the user gets displayed in English and not in the selected language; some examples of such content include:

- Names or titles of playbooks, connectors, and built-in widgets such as charts, grids, tabs, etc.
- Tab names, headings, subheadings, etc., in the record detail view and list view, as these are user-editable fields.
- Values of picklist items and navigation menu items.
- For modules (mmd) on the Module Editor page, the name of a module and the title of a field must be in English, as the Type (for modules) and Field API Key (for fields) are auto-generated and must be in English because they are used to identify the module or field in the API.

Non-default grid columns are not translated until the user resets the columns to their default settings. When changes are made to the order of grid columns, or when a column is added or deleted from a module, these changes are stored as user preferences. To have the field names translated to the user or global preferred language, the columns need to be reset to their default settings.

Apart from the above, the following content also gets displayed in English and not in the selected language:

- Syslogs forwarded from a FortiSOAR system.
- Playbook step results.
- Grid view exported in the CSV format.
- Tooltips, error messages, and toaster messages that are generated from the backend, such as tooltips on the Module Editor page or the health check disconnected error message for the Recommendation Engine.

For information on various services, functions, etc., added for multilingual support for widgets created starting from release 7.5.0, see the "Widget Development Guide."

Editing locale files for existing modules

You can modify the files for the supported locales (Japanese, Korean, Simplified Chinese) for existing modules using the Export and Import Wizards. For details on these wizards, see the Export and Import Wizards topic in the Application Editor chapter. If you want to update some translations of modules, such as the 'Alerts' module, follow these steps:

1. Export the 'Alerts' module and download the .zip file of the export.
2. Extract the downloaded .zip file to your local disk.
A sample folder structure of the exported 'Alerts' module is as follows:

exportTemplate folder
--+ modules
---+ alerts
-----+ languages
-------+ en.json
-------+ ja.json
-------+ ko.json
-------+ zh_cn.json
-----+ detail-layout.json
-----+ form-layout.json
-----+ list-layout.json
-----+ mmd.json
--+ picklists
--+ records
--+ info.json

3. Open the language JSON file you want to edit for the module. For example, to edit the Japanese language file, open the ja.json file.
4. Update the necessary translations and save the file.
5. Create a .zip file of the Alerts module with the updated translations.
6. Import the .zip file to your FortiSOAR instance using the Import Wizard.
7. After a successful import, you will see the updated translations for the 'Alerts' module.

Configuring Themes

You can configure the FortiSOAR theme that will apply to all the users in the system. Non-admin users can change the theme by editing their user profile. Changes made by a non-admin user to the theme are applicable only to those users who have not changed their default user profile settings. There are currently three theme options, Dark, Light, and Space, with Space being the default. On the Application Configuration page, select the theme that you want to apply across FortiSOAR. Click Preview Theme to view how the theme would look and click Save to apply the theme. To revert the theme to the default, click Revert Theme.

Configuring Default Country Code

You can configure the country code format for contact numbers that will apply to all users in the system. In the Phone Number section, select the Default Country, and thereby the default country code, that you want to apply across FortiSOAR, and click Save to apply the code.

Configuring Navigation Preferences

You can configure the behavior of the left navigation bar across FortiSOAR. You can choose whether you want the left navigation bar to collapse to display just the icons of the modules, or to expand to display both icons and titles of modules.
In the Navigation Preferences section, click Collapse Navigation to collapse the left navigation bar and click Save to apply the behavior of the left navigation bar across the system.

Enabling Light Mode Setting

You can enable the 'Light Mode' for the 'Grid' widget across modules by toggling Enable light grid to Enabled (default is Disabled). The lighter version of the grid widget offers improved performance and usability. For details on the 'Light Mode' for Grids, see the 'Grid' topic in the Dashboards, Templates, and Widgets chapter of the User Guide.

Additionally, if you want to honor the module-level light mode settings, select the Allow individual module level setting to override global setting option. For example, if the light grid is enabled globally, but the 'Indicators' module needs to be excluded, then you can clear the 'Enable Light Mode' checkbox for the grid in the Indicators module, resulting in the Indicators module using a regular grid. By default, the Allow individual module level setting to override global setting option is unchecked, enforcing global-level light-mode settings across all modules and overriding any module-specific settings.

Application Configuration

Click the Application Configuration tab on the System Configuration page to open the Application Configuration page. On the Application Configuration page, you can configure various administrative settings that will apply across FortiSOAR. You can edit the settings and then click Save to apply the changes, or click Revert to undo your changes.

Purging audit logs, executed playbook logs, and recycle bin records, and reclaiming unused disk space

You can schedule purging, on a global level, for both audit logs and executed playbook logs. Click the Settings icon, which opens the System Configuration page.
In the Purge Logs section, you can define the schedule for purging both Audit Logs and Executed Playbook Logs. By default, audit logs are not purged and executed playbook logs are purged.

The purging activity deletes logs permanently, and you cannot revert this operation.

Purging logs deletes old records from the respective tables; however, it does not free up the PostgreSQL database space, which could cause space and performance issues in FortiSOAR. Therefore, from version 7.0.2 onward, FortiSOAR provides you with an option to reclaim unused disk space. This activity clears all the empty rows in tables and indexes, which helps in improving the performance by optimizing the space. By default, this cleanup activity is run "Weekly at 02:01 AM (UTC) on Sunday"; however, you can update the schedule of this cleanup activity as per your requirement.

In release 7.6.0, FortiSOAR has optimized the process of reclaiming unused disk space by utilizing advanced PostgreSQL utilities. These enhancements address issues such as database bloat and performance slowdowns in operations such as playbook searches, caused by extensive data retention and the accumulation of a large number of records over time. This is often a result of PostgreSQL space quickly filling up when numerous playbooks are executed, even in 'Info' mode. The process reclaims disk space from PostgreSQL by optimally managing data.

The configuration file /opt/cyops-workflow/sealab/sealab/config.ini contains parameters for using advanced PostgreSQL utilities, i.e., pg_squeeze and pg_repack. To modify default values, edit the config.ini file and then restart the services using the systemctl restart uwsgi celeryd fsr-workflow celerybeatd command:

- SQUEEZE_SOFT_TASK_TIMEOUT: This parameter defines the soft time limit for the pg_squeeze task.
The soft time limit allows the task to catch exceptions and clean up before being terminated; the hard timeout is not catchable and force-terminates the task. If the soft time limit is exceeded and cleanup is stuck, then the hard time limit (expected to be higher than the soft time limit) will force-terminate the pg_squeeze task as a safety net, to avoid the task running forever. The default soft time limit is 3600 seconds.
- SQUEEZE_TASK_TIMEOUT: This parameter sets the hard time limit for the pg_squeeze task. When the task exceeds this duration, the system will throw an exception. The hard time limit should always be higher than the SQUEEZE_SOFT_TASK_TIMEOUT and is used to override the CELERYD_TASK_TIME_LIMIT for the 'pg_squeeze' task. The default hard time limit is 3800 seconds.
- SQUEEZE_EXECUTION_TIME: The system performs a periodic cleaning task in addition to the scheduled one. You can adjust the UTC time for this task by changing the SQUEEZE_EXECUTION_TIME parameter in the /opt/cyops-workflow/sealab/sealab/config.ini file. It is recommended to configure 'pg_squeeze' to run when the ingestion rate is low. The default setting for the SQUEEZE_EXECUTION_TIME parameter is '22-6', indicating that the cleaning task will occur from 10 PM to 6 AM.
- USE_PG_SQUEEZE and USE_PG_REPACK: In fresh installations from release 7.6.0 onwards, the default settings for the 'USE_PG_SQUEEZE' and 'USE_PG_REPACK' parameters are set to 'true'. However, in upgrades to release 7.6.0, the 'USE_PG_SQUEEZE' and 'USE_PG_REPACK' keys are set to 'false', which means that the upgraded systems will still use full vacuum for cleaning up workflow execution history, which can block all workflow operations.

NOTE: Before changing the workflow execution cleanup behavior by setting the 'USE_PG_SQUEEZE' and 'USE_PG_REPACK' keys to 'true' in upgraded instances, it is recommended to run a full vacuum first.
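The following script is an added example for this guide and is not FortiSOAR code. It reads the pg_squeeze parameters described above from a config.ini and checks the relationships the text requires: the hard limit must be above the soft limit, and SQUEEZE_EXECUTION_TIME must be a valid 'HH-HH' window, including one that wraps past midnight such as the default '22-6'. The guide does not state which INI section holds these keys, so the section name is an assumption (the constructed sample uses [squeeze]) and can be passed in when you run it against a copy of /opt/cyops-workflow/sealab/sealab/config.ini before restarting the services.

```python
"""Consistency check for the pg_squeeze parameters in a sealab config.ini.

Added example, not FortiSOAR code. The INI section name is an assumption;
pass the real one as the second argument if it differs.
"""
import configparser
from typing import List, Tuple

# Constructed sample mirroring the documented defaults for a fresh 7.6.0 install.
SAMPLE_INI = """
[squeeze]
SQUEEZE_SOFT_TASK_TIMEOUT = 3600
SQUEEZE_TASK_TIMEOUT = 3800
SQUEEZE_EXECUTION_TIME = 22-6
USE_PG_SQUEEZE = true
USE_PG_REPACK = true
"""


def parse_window(spec: str) -> Tuple[int, int]:
    """Parse 'HH-HH' (UTC hours, end exclusive) into (start, end); '22-6' -> (22, 6)."""
    parts = spec.strip().split("-")
    if len(parts) != 2:
        raise ValueError(f"SQUEEZE_EXECUTION_TIME must look like 'HH-HH', got {spec!r}")
    start, end = (int(p) for p in parts)
    if not (0 <= start <= 23 and 0 <= end <= 23):
        raise ValueError(f"hour out of range in SQUEEZE_EXECUTION_TIME: {spec!r}")
    return start, end


def in_window(hour_utc: int, spec: str) -> bool:
    """True when the UTC hour is inside the window; '22-6' wraps past midnight."""
    start, end = parse_window(spec)
    if start == end:
        return True                       # degenerate window: always on
    if start < end:
        return start <= hour_utc < end    # same-day window, e.g. '1-5'
    return hour_utc >= start or hour_utc < end


def check_squeeze_config(ini_text: str, section: str = "squeeze") -> List[str]:
    """Return findings ('ERROR: ...' or 'WARN: ...'); an empty list means all is consistent."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    if not cp.has_section(section):
        return [f"ERROR: section [{section}] not found"]
    s = cp[section]
    findings: List[str] = []

    soft = s.getint("SQUEEZE_SOFT_TASK_TIMEOUT", fallback=3600)
    hard = s.getint("SQUEEZE_TASK_TIMEOUT", fallback=3800)
    if hard <= soft:
        findings.append(f"ERROR: SQUEEZE_TASK_TIMEOUT ({hard}) must be higher than "
                        f"SQUEEZE_SOFT_TASK_TIMEOUT ({soft}); the hard limit is the safety net")

    try:
        parse_window(s.get("SQUEEZE_EXECUTION_TIME", fallback="22-6"))
    except ValueError as exc:
        findings.append(f"ERROR: {exc}")

    # Upgraded instances keep these at 'false' and fall back to full vacuum.
    if not (s.getboolean("USE_PG_SQUEEZE", fallback=False)
            and s.getboolean("USE_PG_REPACK", fallback=False)):
        findings.append("WARN: pg_squeeze/pg_repack disabled; cleanup uses full vacuum, "
                        "which blocks all workflow operations while it runs")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI
    section = sys.argv[2] if len(sys.argv) > 2 else "squeeze"
    for line in check_squeeze_config(text, section) or ["OK: pg_squeeze settings are consistent"]:
        print(line)
```

Because the hard limit is the only thing that stops a stuck pg_squeeze run, a config where it is at or below the soft limit is reported as an error rather than a warning; the full-vacuum fallback on upgraded systems is reported as a warning, since the guide says to run a full vacuum first before switching it on.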
In High Availability environments, settings related to pg_squeeze and pg_repack, such as USE_PG_SQUEEZE, USE_PG_REPACK, SQUEEZE_EXECUTION_TIME, etc., must be modified on all cluster nodes.

For more information on optimizing settings, see the Debugging, Troubleshooting, and Optimizing FortiSOAR chapter, and for debugging and optimizing playbooks and workflows, see the Debugging and Optimizing Playbooks chapter in the "Playbooks Guide."

Scheduling purging of audit logs

To purge Audit Logs, you must be assigned a role that has a minimum of Read permission on the Security module, Read permission on the Application module, and Delete permission on the Audit Log module.

To enable purging of Audit logs, select the Enable Purging checkbox that appears in the Audit Logs section. Once you select the Enable Purging checkbox, you need to define the schedule for purging of audit logs. To specify the time for which you want to retain the logs, select the appropriate option from the Keep logs Of drop-down list. You can choose from the following options: Last month, Last 3 months, Last 6 months, Last year, or Custom. If you choose Custom, then you must specify the number of days for which you want to retain the logs. For purging purposes, 1 month is considered as 30 days and 1 year is considered as 365 days.

The purging schedule clears all logs that belong to a timeframe earlier than what you have specified. For example, if you want to retain audit logs for a month, then select Last month from the Keep logs of drop-down list. Once you save this setting, all audit logs that are older than 1 month (30 days) will be cleared, and this will be an ongoing process, as the audit log records are all time-stamped and the ones older than 30 days will be purged.
By default, the purge schedule job runs every midnight (UTC time) and clears all logs that have exceeded the time duration that you have specified. If you want to run the purging activity at a different time of the day or for a different duration, you can do so by editing the schedule of purging on the Schedules page (Automation > Schedules) once you enable purging of the logs.

Scheduling purging of executed playbook logs

To purge Executed Playbook Logs, you must be assigned a role that has a minimum of Read and Update permissions on the Security module, Read and Update permissions on the Application module, and Delete permissions on the Playbooks module.

Purging of executed playbook logs based on date or days criteria

Executed Playbook Logs are purged by default, and therefore the Enable Purging checkbox is already selected in the Executed Playbook Logs section. By default, any executed playbook logs that are older than 15 days are purged. You can change the time for which you want to retain the playbook execution logs by selecting the appropriate option from the Keep logs Of drop-down list, as is the case with audit logs. A system schedule named "Purge Executed Playbook Logs" is also already created and active on the Schedules page. This schedule runs every midnight (UTC time) and clears all logs that have exceeded the time duration that is specified. If you want to run the purging activity at a different time of the day or for a different duration, you can do so by editing this schedule.

Purging of executed playbook logs based on criteria other than date or days

You can purge executed playbook logs based on a complex query condition that involves multiple parameters and not just the date or days criteria, for example, clearing logs of ingestion playbooks that have completed their execution.
Being able to clear logs based on these criteria is useful, since ingestion playbooks are generally scheduled and they can occupy a major chunk of the playbook history in the database. Therefore, this feature provides you with an option to build the desired queries for purging executed playbook logs and to schedule the purging. To add the custom criteria, based on the example of clearing logs of ingestion playbooks that have completed their execution, do the following:

1. Click the +Additional Criteria link.
2. In the Criteria Title field, enter the title of the criteria based on which you want to purge the executed playbook logs. For example, Purging Ingestion Playbook Logs.
3. Select the logical operator, All of the below are True (AND) or Any of the below is True (OR). For our example, we require the AND operator, since we want to purge all playbooks that contain the "ingestion" tag and whose status is finished, so select All of the below are True (AND).
4. Click the Add Condition link to add conditions for purging the executed playbook logs: From the Select a field drop-down, select Tags; from the Operator drop-down list, select Contains Any; and in the Add Tags field, enter dataingestion. Click the Add Condition link again, and from the Select a field drop-down, select Status; from the Operator drop-down list, select Equals; and in the Status drop-down list, select Finished. You can add additional conditions or criteria as per your requirements.
5. Schedule the purging of the executed playbook logs based on the above-specified criteria by selecting the appropriate option from the Keep Logs Of drop-down list. You can choose from the following options: Last month, Last 3 months, Last 6 months, Last year, or Custom. For our example, we choose the Custom option and specify 1 for days, which means that the logs for the ingestion playbooks that have finished their execution are kept for just 1 day in the database.
6. To save the criteria for purging executed playbook logs, click Save.

Points to be considered while setting multiple purging criteria

If you have added multiple purging criteria, then the purge functionality purges logs sequentially. For example, if you have defined the following criteria:

- Default: Keep logs of the last 2 days.
- If 'Playbook Execution Status = Failed', then keep logs for the last 1 day.
- If Tags contain Ingest, then keep logs for the last 1 day.

In such a scenario, logs are purged as follows:

1. Retains logs for the last 2 days only, and purges the remaining logs.
2. From the logs of the last 2 days, looks for logs that have 'Playbook Execution Status = Failed', and keeps such logs for the last 1 day only.
3. Looks for logs that have 'Tags' containing 'Ingest', and keeps such logs for the last 1 day only.

Scheduling storage space reclamation

To reclaim unused space, ensure that the Storage Space Reclamation option is selected (default). This activity clears all the empty rows in tables and indexes, which helps in improving the performance by optimizing the space. You can schedule regular storage space reclamation to ensure that space gets regularly freed up in the PostgreSQL database as per your requirements. It is recommended to schedule the cleanup process after purging logs and during non-production hours when system usage is lower, because the process pauses the execution and operations of all playbooks and slows down your system's performance.

In the Storage Space Reclamation Settings section, you can select the frequency of running the storage space reclamation activity. You can choose between running this activity Weekly or Daily, or at some custom frequency based on your requirements.
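The following dry run is an added example for this guide, not FortiSOAR code. It models the sequential purge order described under "Points to be considered while setting multiple purging criteria" (default 2 days, then 'Playbook Execution Status = Failed' for 1 day, then Tags containing 'Ingest' for 1 day) over a constructed sample of execution records, so that you can see which logs would be deleted, and why, before changing the real criteria. The record fields, the helper names, and the sample records are assumptions made for the example; the Contains Any and Equals helpers mirror the operators named in the steps above.

```python
"""Dry run of the sequential purge order for executed playbook logs.

Added example, not FortiSOAR code. Record fields and helper names are
assumptions; the sample history below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Set, Tuple


@dataclass
class PlaybookLog:
    name: str
    status: str                      # e.g. "Finished" or "Failed"
    finished_at: datetime
    tags: Set[str] = field(default_factory=set)


# (criteria title, predicate on a log, days to keep the logs it matches)
Criterion = Tuple[str, Callable[[PlaybookLog], bool], int]


def tags_contain_any(wanted: Set[str]) -> Callable[[PlaybookLog], bool]:
    """Models the 'Tags / Contains Any' condition (case-insensitive)."""
    wanted_l = {t.lower() for t in wanted}
    return lambda log: bool({t.lower() for t in log.tags} & wanted_l)


def status_equals(value: str) -> Callable[[PlaybookLog], bool]:
    """Models the 'Status / Equals' condition."""
    return lambda log: log.status.lower() == value.lower()


def purge_plan(logs: List[PlaybookLog], now: datetime, default_keep_days: int,
               criteria: List[Criterion]):
    """Apply the default retention first, then each criterion in order on the
    survivors. Returns (kept, purged); purged is a list of (log, reason)."""
    kept: List[PlaybookLog] = []
    purged: List[Tuple[PlaybookLog, str]] = []
    cutoff = now - timedelta(days=default_keep_days)
    for log in logs:
        if log.finished_at < cutoff:
            purged.append((log, f"Default: older than {default_keep_days} days"))
        else:
            kept.append(log)
    for title, matches, keep_days in criteria:
        cutoff = now - timedelta(days=keep_days)
        survivors = []
        for log in kept:
            if matches(log) and log.finished_at < cutoff:
                purged.append((log, f"{title}: older than {keep_days} day(s)"))
            else:
                survivors.append(log)
        kept = survivors
    return kept, purged


NOW = datetime(2024, 8, 1, 0, 0, tzinfo=timezone.utc)

# Constructed sample execution history.
SAMPLE_LOGS = [
    PlaybookLog("ingest-recent", "Finished", NOW - timedelta(hours=6), {"Ingest"}),
    PlaybookLog("ingest-old", "Finished", NOW - timedelta(hours=30), {"Ingest"}),
    PlaybookLog("failed-old", "Failed", NOW - timedelta(hours=36)),
    PlaybookLog("failed-recent", "Failed", NOW - timedelta(hours=12)),
    PlaybookLog("finished-40h", "Finished", NOW - timedelta(hours=40)),
    PlaybookLog("finished-3d", "Finished", NOW - timedelta(days=3)),
]

# The three criteria from the guide's scenario, in the order they are applied.
GUIDE_CRITERIA: List[Criterion] = [
    ("Playbook Execution Status = Failed", status_equals("Failed"), 1),
    ("Tags contain Ingest", tags_contain_any({"Ingest"}), 1),
]


def run_example():
    """Return (kept names, [(purged name, reason), ...]) for the guide's scenario."""
    kept, purged = purge_plan(SAMPLE_LOGS, NOW, 2, GUIDE_CRITERIA)
    return [l.name for l in kept], [(l.name, why) for l, why in purged]


if __name__ == "__main__":
    kept_names, purged_rows = run_example()
    print("kept:", kept_names)
    for name, why in purged_rows:
        print(f"purge {name:14s} {why}")
```

In the sample, 'finished-3d' goes in the default pass, 'failed-old' in the second pass and 'ingest-old' in the third, while the failed run from 12 hours ago survives only until the next midnight run. Failed-playbook logs are often the evidence you need when an automation misbehaves (the guide keeps DEBUG-level logging for them for that reason), so a short retention for the Failed criterion is worth weighing against that.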
By default, a system schedule named "Reclaim Disk Space (Playbook Logs)" is created in Automation > Schedules to periodically clear the playbook execution logs "Weekly at 02:01 AM on Sunday". To change this schedule to a custom frequency, click the View link to display its Schedule Details, edit the schedule as per your requirement, and then click Save. For example, to run this activity "Weekly on Mondays at 12:01", change the schedule accordingly.

You can view the percentage of disk space used by playbook logs that is eligible for cleanup and can be reclaimed, and you can also immediately initiate a cleanup of playbook logs by clicking the Initiate Cleanup Now link, which displays a confirmation dialog. Clicking Confirm on the dialog immediately starts the disk space reclamation activity.

System Settings for Recycle Bin

Scheduling purging of recycle bin records

You can schedule the purging of recycle bin records to periodically clear the soft-deleted records from the recycle bin. For more information, see the Recycle Bin chapter.

To purge Recycle Bin records, you must be assigned a role that has a minimum of Read and Update permissions on the 'Application' module.

To enable purging of recycle bin records, do the following:

1. Click the Settings icon, which opens the System Configuration page.
2. On the System Configuration page, click the Application Configuration tab.
3. In the Purge Recycle Bin section, select Enable Purging.
4. Once you select the Enable Purging checkbox, you need to define the schedule for purging of recycle bin records.
5. In the Purge Recycle Bin section, set up the purging schedule, which is a system schedule named 'Recycle Bin Cleanup' that runs periodically as per the time-frame you have configured and purges recycle bin records:
   a. Click View beside Schedule Status, which is set to Inactive, to open the Schedule Details dialog.
   b. Click Start Schedule to begin the schedule immediately, or set the Start Time and End Time for the schedule.
   c. In the Schedule Frequency section, choose the frequency of running this schedule. For example, to purge recycle bin records daily at 6:00 am, click Daily and then in the hour field enter 6 and in the minute field enter 0.
   d. From the Timezone drop-down list, select the timezone in which you want the schedule to run. By default, this is set as UTC.
   e. If you want to ensure that you do not rerun the workflow if the previous scheduled instance is still running, then click Limit execution to one active instance at a time.
   f. (Optional) From the Start Time field, select the date and time from when the schedule should start running.
   g. (Optional) From the End Time field, select the date and time till when the schedule should run, i.e., the date and time to stop the schedule. For more details on schedules, see the Schedules chapter in the "User Guide."
   h. Click Save to save the schedule. Once the schedule is saved, you can see that the Schedule Status has changed to Active.
6. To specify the time for which you want to retain the recycle bin records, select the appropriate option from the Keep records upto drop-down list. You can choose from the following options: Last month, Last 3 months, Last 6 months, Last year, or Custom. If you choose Custom, then you must specify the number of days for which you want to retain the recycle bin records. For example, if you want to retain the recycle bin records for a month, then select Last month from the Keep records upto drop-down list. Once you save this setting, all recycle bin records that are older than 1 month (30 days) will be cleared, and this will be an ongoing process, as the records are all time-stamped and the ones older than 30 days will be purged.
Restricting access for permanent deletion of recycle bin records to only "admin" users

To restrict access for permanently deleting records to only users with the 'Administrator' role, i.e., users having Delete permission on the 'Application' module, select the Restrict Permanent Delete option. If you enable this setting, then non-admin users can soft-delete records but cannot permanently delete them, which helps prevent accidental deletion of records by non-admin users. For more information on the Recycle Bin, see the Recycle Bin chapter.

Configuring the logging level for Playbook Execution Logs

You can define the logging levels for your playbook execution logs, both globally as well as at the individual playbook level. On the System Configuration page, you can choose either INFO or DEBUG as the global playbook logging level. INFO is set as the default global playbook logging level for fresh installations of FortiSOAR. If you are upgrading FortiSOAR, then the DEBUG mode is set as the default playbook logging level to ensure that there is no data loss.

- INFO: At the 'INFO' (default) level, only the final playbook execution status and individual playbook step status information is available after playbooks have completed their execution. It is recommended that you keep the logging level at INFO for production instances and in scenarios where you want to use storage space efficiently. When you retain the default INFO logging level, the Enable DEBUG level logging for failed playbooks checkbox is selected by default, which means that 'DEBUG-level' logging is set for failed playbooks and users do not need to rerun the playbook to view the exact reason for playbook failures.
- DEBUG: At the 'DEBUG' level, detailed logging is enabled that includes additional execution information like step input, output, configurations, and other details.
Enabling DEBUG level logging can quickly fill up the storage space. It is recommended to use it only while designing or debugging playbooks, or to use this option wisely only for certain playbooks where this data might be useful.

Retaining the selection of the Allow individual playbook log level logging settings to override global settings checkbox honors the logging level that has been set at the individual playbook level. If you clear this checkbox, or do not change the logging level at the individual playbook level (default is INFO), then the global playbook logging level applies. This is useful if you want to temporarily switch logging for the entire environment. You can set the logging level of individual playbooks even if you clear the Allow individual playbook log level logging settings to override global settings checkbox; however, at the time of playbook execution the global playbook logging level gets applied.

Configuring Playbook Recovery

Use the autosave feature in playbooks to recover playbook drafts in cases where you accidentally close your browser or face any issues while working on a playbook. In the Playbook Recovery section, you can define the following:

- If you do not want FortiSOAR to save playbook drafts, clear the Enable Playbook Recovery option. By default, this option is checked.
- In the Save Drafts Every field, enter the time, in seconds, after which FortiSOAR will save playbook drafts. By default, FortiSOAR saves playbook drafts 15 seconds after the last change. The minimum time that you can set for saving playbook drafts is 5 seconds after the last change.
Configuring the Simplified Expression View

For fresh installations of FortiSOAR release 7.4.0 or later, by default, the Simplified Expression View option is selected on the Application Configuration page, rendering a simplified expression based on tags rather than the full Jinja expression in the playbook designer. For upgraded FortiSOAR systems, by default, the Simplified Expression View option is cleared. If you deselect this option, then the complete Jinja expressions are displayed in the playbook designer. For more information, see the "Playbooks Guide."

Configuring the default timezone for exporting reports

You can define a timezone that will be used by default for exporting reports. This timezone will be applied by default to all reports that you export from the Reports page. To apply the default timezone, click the Enable Timezone Selection option in the Report Export section on the Application Configuration page. Then, from the Timezone drop-down list, search for and select the timezone in which you want to export the report. For example, if you want to search for the timezone of Los Angeles, you can type los in the search box below the Timezone field to find the correct timezone.

Managing user listings in People Lookup fields

You can choose to display only active users in 'people lookup' fields, such as assignedTo, across FortiSOAR. To manage user listings in people lookup fields, ensure that the Restrict people lookups to active users checkbox in the People Lookup Filter section is selected. If the Restrict people lookups to active users checkbox is cleared, then both active and inactive users will be displayed in people lookup fields.

Enabling MIME type validations for file uploads

You can specify the MIME types that will be disallowed from being uploaded in Attachments, Comments, or any other modules that have fields of type 'File'.
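The following upload gate is an added example for this guide, not FortiSOAR code, and shows what a deny-list like the Restricted File MIME Types section does, plus one check the setting alone cannot give you. The MIME type that arrives with an upload is a string the client chose, so the example compares the declared type with the type implied by the file extension and with what the file's leading bytes look like, and rejects the upload if any of the three is on the list. The deny-list values (the image/svg and image/svg+xml entries the guide names as defaults, plus application/x-msdownload standing in for the executable types the text mentions), the sniffing rules and the sample files are constructed for the example; how FortiSOAR itself determines an upload's MIME type is not described on the page.

```python
"""Upload gate modelled on the Restricted File MIME Types setting.

Added example, not FortiSOAR code. Deny-list values, sniffing rules and
sample uploads are constructed for illustration.
"""
import mimetypes
from typing import Dict, Optional, Tuple

# Constructed deny-list: the two SVG types are FortiSOAR's defaults from 7.2.1;
# application/x-msdownload is how .exe is commonly registered.
RESTRICTED_MIME_TYPES = {"image/svg", "image/svg+xml", "application/x-msdownload"}


def sniff_mime(data: bytes) -> Optional[str]:
    """Minimal content sniffer for the types on the deny-list above."""
    if data[:2] == b"MZ":                       # DOS/PE executable header
        return "application/x-msdownload"
    head = data.lstrip()[:1024].lower()
    if head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head):
        return "image/svg+xml"
    return None


def validate_upload(filename: str, declared_type: Optional[str], data: bytes,
                    restricted=RESTRICTED_MIME_TYPES) -> Tuple[bool, str]:
    """Return (allowed, reason) for one upload.

    Rejects when the declared Content-Type, the type implied by the extension,
    or the type suggested by the leading bytes is on the restricted list."""
    candidates = set()
    if declared_type:                           # what the client claimed
        candidates.add(declared_type.split(";")[0].strip().lower())
    guessed, _ = mimetypes.guess_type(filename)
    if guessed:                                 # what the extension implies
        candidates.add(guessed.lower())
    sniffed = sniff_mime(data)
    if sniffed:                                 # what the bytes look like
        candidates.add(sniffed)
    hits = sorted(candidates & {t.lower() for t in restricted})
    if hits:
        return False, "restricted MIME type: " + ", ".join(hits)
    return True, "ok"


# Constructed sample uploads: (filename, declared Content-Type, leading bytes)
SAMPLES = [
    ("report.pdf", "application/pdf", b"%PDF-1.4\n%..."),
    ("logo.svg", "image/svg+xml", b"<svg xmlns='http://www.w3.org/2000/svg'></svg>"),
    ("notes.txt", "text/plain", b"<?xml version='1.0'?>\n<svg></svg>"),   # SVG renamed to .txt
    ("tool.bin", "application/octet-stream", b"MZ\x90\x00\x03\x00\x00\x00"),  # PE renamed to .bin
]


def run_samples() -> Dict[str, bool]:
    """Map each sample filename to whether the gate allows it."""
    return {name: validate_upload(name, ctype, data)[0] for name, ctype, data in SAMPLES}


if __name__ == "__main__":
    for name, ctype, data in SAMPLES:
        allowed, reason = validate_upload(name, ctype, data)
        print(f"{name:12s} {'allow' if allowed else 'reject':7s} {reason}")
```

The two renamed samples are the point: 'notes.txt' and 'tool.bin' pass a check on the declared type or the extension alone and are caught only by looking at the bytes. When you populate the Restricted File MIME Types section, pair it with whatever content inspection your environment already does at the upload path, since a deny-list keyed on a client-supplied type is only as good as that type.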
Using this option, administrators can restrict potentially malicious files of types such as .exe, .bat, etc. from being uploaded into FortiSOAR, which users could later download. FortiSOAR has not added this restriction by default, since there could be business use cases, such as users who, as part of automation, read the file sent to them in emails and then upload the same to FortiSOAR to be used in the future for different operations like sandboxing, etc. Therefore, administrators can enable MIME type validations for file uploads as per their organization's policies by adding MIME types in the Restricted File MIME Types section.

From release 7.2.1 onwards, by default, SVG files are disallowed from being uploaded in any modules that have fields of type 'File'. If you want to allow uploading of SVG files, then you can remove the image/svg and image/svg+xml tags from the Restricted File MIME Types section.

In addition to restricting MIME types, you can also block specific HTML tags and attributes from being added to HTML content in Rich Text fields. For more information, see Blocking specific HTML tags and attributes.

Log Forwarding

Many organizations use an external log management server (syslog server) to manage logs and maintain all logs in a single place, making analysis efficient. FortiSOAR application logs and audit logs can be forwarded to your central log management server that supports an Rsyslog client, using both the FortiSOAR UI and the csadm CLI. You can also select the category of the logs you want to forward to the external log management server. For information about configuring forwarding of logs to an external log management server using the CLI, see the FortiSOAR Admin CLI chapter.

If you have a FortiSOAR HA setup, then note that Syslog settings are not replicated to the passive node.
If you want to forward logs from the passive node, you must enable forwarding on that node manually using the csadm log forward command.

You can also send FortiSOAR logs to a SIEM, since all SIEMs support syslog ingestion. This helps you achieve the following:

- Easier High Availability (HA) troubleshooting, since you can use consolidated logs instead of going to individual nodes to debug HA issues.
- Forwarding of FortiSOAR logs to your SIEM, if you have a policy of setting up log forwarding to the SIEM for all your production devices. Once the logs are in the SIEM, you can configure rules that raise alerts for specific failures, making system monitoring more effective.

Click Settings > System Configuration and then click the Log Forwarding tab to open the Log Forwarding page. Use the Log Forwarding page to set up, modify, and enable or disable forwarding of FortiSOAR logs to your central syslog server. To enable syslog forwarding, select the Enable Log Forwarding checkbox. Once you select Enable Log Forwarding, you must fill in the details of the syslog server to which you want to forward the FortiSOAR logs, the types of logs to forward, and so on.

You can configure only a single syslog server.

1. In the Configuration Name field, enter the name under which you want to store the log forwarding configuration details. Note: The name that you specify must not contain any special characters, underscores, or spaces.
2. In the Syslog Server Details section, enter the following details:
   a. In the Server field, enter the DNS name or IP address of the syslog server to which you want to forward the FortiSOAR logs.
   b. From the Protocol drop-down list, select the protocol to use to communicate with the syslog server: UDP, TCP, or RELP. UDP gives neither delivery confirmation nor transport encryption, so prefer TCP or RELP with TLS when the logs cross a network you do not fully trust.
   c.
In the Port field, enter the port number to use to communicate with the syslog server.
   d. (Optional) To communicate securely with the syslog server, select Enable TLS. Once you select Enable TLS, you must enter your CA certificate in the Certificate field. If you have a client certificate for your FortiSOAR client, enter the client certificate and key in the Client Certificate and Client Key fields.
3. In the Choose Log Types To Forward section, choose the types of FortiSOAR logs to forward to the syslog server. Application Logs include OS logs, and this checkbox is selected by default. To also forward FortiSOAR audit logs, select the Audit Logs checkbox. Once you select audit logs, you can define the following:
   a. From the Specify Audit Log Detail Level drop-down list, select the amount of data to forward per audit log. Basic (default and recommended) sends high-level details of the event, whereas Detailed sends detailed information about the event.
   b. In the Configure Audit Log Forward Rules section, define the rules for forwarding audit logs:
      - From the Record Type drop-down list, select the record types (for example, Alerts or Incidents) whose audit logs you want to forward to the syslog server.
      - From the User drop-down list, select the users (for example, CS Admin) whose audit logs you want to forward to the syslog server.
      - From the Operation drop-down list, select the operations (for example, Create, UpdateConfig, or Delete) whose audit logs you want to forward to the syslog server.
      - From the Playbooks drop-down list, select the playbooks (for example, Generate Incident Summary Report or Playbook Execution History Cleanup) whose audit logs you want to forward to the syslog server.
      To add more rules, click the Define More Rules link.
      Important: If you do not define any rules, all audit logs are forwarded.
4. Once you have completed configuring syslog forwarding, click Save. Before adding the syslog server, FortiSOAR performs validations such as checking whether the syslog server is reachable on the specified port. Once the syslog server is added, you can update or remove the configuration as required.

Persisting the FortiSOAR logs

If your external log management server goes down, the FortiSOAR logs generated during that period are not sent to your syslog server. To persist the logs for the time the external log management server is down, and send them when the server comes back online, do the following:

In the /etc/rsyslog.d/00-rsyslog-fortisoar-settings.conf file, add the following contents after the #### add the server details after this #### line:

    #### add the server details after this ####
    $ActionQueueType LinkedList
    $WorkDirectory /home/csadmin/.offline-rsyslogs/
    #
    # for the workdir mentioned above, make sure you run
    # chcon -R -t syslogd_var_lib_t /home/csadmin/.offline-rsyslogs/
    #
    $ActionQueueMaxDiskSpace 1gb # 1gb space limit (You can change this value)
    $ActionQueueFileName fortisoar-offline-rsyslog
    $ActionResumeRetryCount -1
    $ActionQueueSaveOnShutdown on

Next, run the following commands:

    mkdir -p /home/csadmin/.offline-rsyslogs/
    chcon -R -t syslogd_var_lib_t /home/csadmin/.offline-rsyslogs/
    systemctl restart rsyslog

With these directives, rsyslog spools undeliverable messages to disk in the work directory (capped at 1 GB by $ActionQueueMaxDiskSpace, so size it for the longest outage you expect), retries the forwarding action indefinitely ($ActionResumeRetryCount -1), and saves the queue on shutdown. Note that the comment in the configuration refers to chcon, not chown: the SELinux type syslogd_var_lib_t must be set on the work directory or rsyslog cannot write the queue files. A context applied with chcon does not survive an SELinux relabel; to make it permanent, also register the path with semanage fcontext and apply it with restorecon. Because syslog settings are not replicated in an HA setup, repeat this configuration on each node that forwards logs.

Environment Variables

You can use the Environment Variables tab on the System Configuration page to configure proxy settings for FortiSOAR and to define any other environment variables. The procedure for configuring proxy settings and defining environment variables is included in the Configuring Proxy Settings and environment variables section in the Additional configuration settings for FortiSOAR chapter of the "Deployment Guide".
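Returning to the Configure Audit Log Forward Rules step of the Log Forwarding procedure above, the following is an added example, not FortiSOAR code, that models how such rules select the audit events that reach the syslog server. The page states only that undefined rules forward every audit log; the rest is assumed for illustration: criteria within one rule combine with AND, separate rules (added with Define More Rules) combine with OR, and a drop-down left unset matches any value. The audit events are constructed to carry just the four fields the rules look at, and "Configuration" is an assumed record type.

```python
"""
Added example (not FortiSOAR code): a model of audit log forward rules.
Assumed semantics: AND within a rule, OR across rules, unset = match all,
and no rules at all = forward everything (the page's Important note).
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class ForwardRule:
    """One forward rule; None means that drop-down was left unset."""
    record_types: Optional[FrozenSet[str]] = None
    users: Optional[FrozenSet[str]] = None
    operations: Optional[FrozenSet[str]] = None
    playbooks: Optional[FrozenSet[str]] = None

    def criteria(self):
        return (self.record_types, self.users, self.operations, self.playbooks)

    def is_catch_all(self) -> bool:
        """Every drop-down unset: this one rule forwards all audit logs."""
        return all(c is None for c in self.criteria())

    def matches(self, event: dict) -> bool:
        values = (event.get("record_type"), event.get("user"),
                  event.get("operation"), event.get("playbook"))
        return all(allowed is None or value in allowed
                   for allowed, value in zip(self.criteria(), values))


def select_for_forwarding(events: Iterable[dict], rules: List[ForwardRule]) -> List[dict]:
    """Events to forward: all of them when no rules are defined, otherwise
    those matched by at least one rule."""
    events = list(events)
    if not rules:
        return events
    return [e for e in events if any(r.matches(e) for r in rules)]


def forwarded_ids(events, rules) -> List[int]:
    return [e["id"] for e in select_for_forwarding(events, rules)]


def catch_all_rules(rules: List[ForwardRule]) -> List[int]:
    """Indexes of rules that forward everything. Worth flagging before Save:
    one such rule makes every other rule irrelevant."""
    return [i for i, r in enumerate(rules) if r.is_catch_all()]


# Constructed audit events. Record types, users and operations mirror the
# examples the page names; "Configuration" is an assumed record type.
SAMPLE_EVENTS = [
    {"id": 1, "record_type": "Alerts", "user": "CS Admin",
     "operation": "Create", "playbook": None},
    {"id": 2, "record_type": "Incidents", "user": "analyst1",
     "operation": "Delete", "playbook": None},
    {"id": 3, "record_type": "Alerts", "user": "analyst1",
     "operation": "Update", "playbook": "Generate Incident Summary Report"},
    {"id": 4, "record_type": "Configuration", "user": "CS Admin",
     "operation": "UpdateConfig", "playbook": None},
]

# Two rules: every Delete on any record, and UpdateConfig performed by CS Admin.
RULES = [
    ForwardRule(operations=frozenset({"Delete"})),
    ForwardRule(users=frozenset({"CS Admin"}), operations=frozenset({"UpdateConfig"})),
]


if __name__ == "__main__":
    print("with rules:", forwarded_ids(SAMPLE_EVENTS, RULES))           # [2, 4]
    print("no rules:  ", forwarded_ids(SAMPLE_EVENTS, []))              # [1, 2, 3, 4]
    print("catch-all: ", catch_all_rules(RULES + [ForwardRule()]))      # [2]
```

The two failure modes worth checking before you click Save are the ones the model makes visible: an empty rule set forwards every audit log (which may be what you want, but is easy to do by accident), and a rule saved with every drop-down unset does the same even when narrower rules exist beside it.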
External web pages that you open (for example, from a link in the description field of an alert) or view (for example, using the iFrame Widget) in FortiSOAR go through the configured proxy server only if the proxy is also configured in the web browser's settings. If the proxy is not configured in the web browser's settings, the external web pages are opened directly, without using the configured proxy server.

Branding

You can customize the branding of FortiSOAR as per your requirements. Branding is not tied to licensing, that is, all customers can customize FortiSOAR branding. To customize branding, you must have a role with at least the Application Update permission. You can then make any or all of the following branding changes:

- Changing Logos: You can replace the FortiSOAR logo with your own logo in the FortiSOAR UI. Note that the maximum file size for a logo is 1 MB. Each logo also has specific dimensions; if an image file exceeds the file size or has the wrong dimensions, the FortiSOAR UI displays an error message and prevents the upload. You can update your logos in the Logo Settings section:
  Brand Logo (Small) - Dark Theme and Brand Logo (Large) - Dark Theme: Click the FortiSOAR logos and browse to the logos to display in the FortiSOAR Dark or Steel theme, in two dimensions: Small (90px X 72px) and Large (210px X 24px).
  Brand Logo (Small) - Light Theme and Brand Logo (Large) - Light Theme: Click the FortiSOAR logos and browse to the logos to display in the FortiSOAR Light theme, in two dimensions: Small (90px X 72px) and Large (210px X 24px).
  Note: Hover over the information icon to see where these logos appear in FortiSOAR.
- Changing the Favicon: To change the favicon displayed in FortiSOAR, click the FortiSOAR favicon and browse to the icon to display. The favicon dimensions must be 16px X 16px.