FortiSOAR-7.6.0-Administration_Guide.pdf

Transcript

Administration Guide
FortiSOAR 7.6.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO LIBRARY
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE
https://training.fortinet.com

FORTIGUARD LABS
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

August, 2024
FortiSOAR 7.6.0 Administration Guide
00-400-000000-20210113
 TABLE OF CONTENTS

Change Log 10
Overview 11
Common Tasks 11
Tasks and Permissions 12
Guide to setting up FortiSOAR 13
System Configuration 15
General 17
Configuring System and Cluster Health Monitoring 17
Configuring Comments 19
Setting the formats for Date and DateTime fields on the FortiSOAR UI 19
Customizing the behavior of the FortiSOAR Setup Guide 20
Setting a language other than English for your FortiSOAR system 22
Configuring Themes 24
Configuring Default Country Code 24
Configuring Navigation Preferences 24
Enabling Light Mode Setting 25
Application Configuration 25
Purging audit logs, executed playbook logs, and recycle bin records, and reclaiming
unused disk space 25
Configuring the logging level for Playbook Execution Logs 32
Configuring Playbook Recovery 34
Configuring the Simplified Expression View 34
Configuring the default timezone for exporting reports 34
Managing user listings in People Lookup fields 35
Enabling MIME type validations for file uploads 35
Log Forwarding 36
Persisting the FortiSOAR logs 37
Environment Variables 38
Branding 39
System Fixtures 41
Audit Log 44
Viewing Audit Log 47
Viewing User-Specific Audit Logs 51
Viewing Audit Log in the detailed view of a record 51
Purging Audit Logs 54
License Manager 57
Notifications 58
Adding Delivery Rules 60
Setting up Notification Channels 64
Working with Delivery Rules and Notification Channels 67
Modifying the 'Notify On Pending External Manual Input' delivery rule post-upgrade to
release 7.3.0 or later 69
Purging of notifications 70
Data Archival 71

FortiSOAR 7.6.0 Administration Guide 3
Fortinet Inc.
 Methods of Setting Up Data Archival 71
Setting up an External Database for Data Archival 72
Configuring various settings for Data Archival 73
Viewing and Searching Archived Records 76
Blocking specific HTML tags and attributes 77
Security Management 79
Important Concepts 79
Authentication versus Authorization 79
Users and Appliances 79
Teams and Roles 80
Security Management Menus 80
Team Hierarchy 80
Teams 80
Roles 81
Users 81
Access Keys 81
Authentication 81
Password Vault 82
Configuring Team Hierarchy 82
Relationships 82
Using the Editor 83
Configuring Teams 87
Editing Teams 87
Configuring Roles 89
Default Roles 90
Modules in the Roles Page 92
Adding Roles 93
Assigning Roles to Users and Appliances 94
Configuring User Profiles 95
Adding Users 95
User Profiles 97
Managing Access Keys 107
Managing API key-based authentication for appliances 107
Managing HMAC authentication for appliances 112
Appliance Profile 114
Playbook Appliance 115
Troubleshooting 116
Configuring Authentication 117
Configuring Accounts 117
Configuring Two-Factor Authentication (2FA) 120
Configuring LDAP / AD 124
Configuring SSO 126
Configuring FortiSOAR authentication with a RADIUS server 178
Configuring the Password Vault Manager 182
Delete Users 185
Application Editor 186
Module Editor 186

FortiSOAR 7.6.0 Administration Guide 4
Fortinet Inc.
 Creating a New Module 187
Modifying an existing module 191
Saving your changes 202
Viewing your changes 202
Publishing modules 202
Picklist Editor 203
Creating or modifying a picklist 204
Pre-Processing Rules 206
Adding a new 'Drop' type pre-processing rule 207
Adding a new 'Update' type pre-processing rule 211
Supported Operations on the Pre-Processing Rules Page 214
Navigation Editor 215
Modifying the Navigation bar 216
Correlation Settings 218
Recommendation Engine 220
Permissions required 222
Record Similarity, Field Suggestions, and Playbook Suggestions 222
Phishing Classification 235
Export and Import Wizards 241
Permissions required 242
Export Wizard 243
Import Wizard 257
Recycle Bin 269
Permissions Required 270
Using the Recycle Bin 270
Behavior of Recycle Bin in the case of MSSP environments 271
Segmented Network Support 273
Overview 273
FortiSOAR Agent CLI 273
Invoke connector actions using FSR agents in segmented networks 274
Minimal permissions required 274
Installing a connector on an FSR agent 274
Configuring connectors 277
Running remote actions 278
Upgrading an FSR Agent 282
Upgrading the configuration on an FSR Agent machine 285
Running unauthenticated manual inputs in segmented networks 286
Troubleshooting 286
Files to be used for troubleshooting 286
The FSR agent remains stuck in the "Remote Node Unreachable" state after users
update the certificates or if they change the authentication strategy 287
Deactivated FSR agent does not come back to the connected state even after
activating the FSR agent 287
FSR Agents configuration page displays a "Agent does not exist"
error when you click the Export Config link 287
Post restore to release 7.3.0, switching the SME of any Tenant or FSR Agent, the
status of the tenant or agent is displayed as "Remote Node Unreachable" 288

FortiSOAR 7.6.0 Administration Guide 5
Fortinet Inc.
 FortiSOAR Admin CLI 289
Prerequisites 289
FortiSOAR Admin CLI - Usage 289
CLI commands used for forwarding FortiSOAR logs 298
High Availability and Disaster Recovery support in FortiSOAR 300
Overview 300
High Availability Types supported with FortiSOAR 300
High Availability with an internal PostgreSQL database 300
High Availability with an externalized PostgreSQL database 302
Cluster Licensing 303
Viewing and updating the license of an HA cluster 304
Prerequisites to configuring High Availability 305
Process for configuring High Availability 306
Steps to configure FortiSOAR HA cluster with an internal PostgreSQL database 306
Steps to configure FortiSOAR HA cluster with an external PostgreSQL database 307
Takeover 307
Usage of the csadm ha command 308
Overview of nodes in a FortiSOAR HA cluster 312
Checking replication between nodes in an active-passive configuration 312
Installation of connectors on nodes in a HA cluster 312
Changing the hostname of primary and secondary nodes in an HA cluster 313
Changing the hostname of the primary node 313
Changing the hostname of a secondary/passive node 313
Upgrading an HA cluster 314
Load Balancer 314
Setting up HAProxy as a TCP load balancer fronting the two clustered nodes 314
Configuring FortiSOAR in FortiADC 315
Using the Gobetween load balancer 319
Behavior that might be observed while publishing modules when you are accessing
HA clusters using a load balancer 323
Extending support for two NICs on a FortiSOAR appliance for controlled traffic routing 323
Section 1: Rocky Linux or RHEL changes for multihoming (MultiNIC) 324
Section 2: FortiSOAR changes for Multihoming 325
Setting up a High Availability FortiSOAR cluster in the AWS Cloud with Aurora as the
external database 327
Configuration Details 327
Verifying FortiSOAR functionality with the Aurora external database 330
Verifying FortiSOAR cluster failover to another region 330
FortiSOAR Nodes Hydration 331
Upgrading Hydrated FortiSOAR Nodes 332
Tunables 332
Best practices 333
Best practices for changing the shared memory size on HA nodes after setting up an
HA cluster 333
Monitoring health of HA clusters 334
Understanding HA Cluster Health Notifications 334
Troubleshooting issues based on the notifications 336

FortiSOAR 7.6.0 Administration Guide 6
Fortinet Inc.
 Sample scale test that were done in the lab to understand the behavior of 'csadm ha
get-replication-stat' 338
Disaster Recovery 342
FAQs 342
Troubleshooting 343
Failure to create an HA cluster 343
Timeout failure while creating an HA cluster 344
Unable to add a node to an HA cluster using join-cluster, and the node gets stuck at a
service restart 344
Fixing the HA cluster when the Primary node of that cluster is halted and then
resumed 345
Unable to join a node to an HA cluster when a proxy is enabled 345
Changes made in nodes in an active-active cluster fronted with a load balancer take
some time to reflect 345
Post Takeover the nodes in an HA cluster do not point to the new active primary node346
After performing the leave-cluster operation, the license is not found on a secondary
node 346
The leave-cluster operation fails at the "Starting PostgreSQL Service" step when a
node in the cluster is faulted 347
Resetting the password for an instance that is part of active/active cluster causes the
other instances of that cluster to not able to log in to FortiSOAR 348
The database of a secondary node in the HA cluster is out of synch with the database
of the primary node 348
Failure of the 'leave-cluster' command on a secondary node that had its database
externalized before joining the HA cluster, and that is currently using an internal
database 349
Common failures observed during the join-cluster operation 349
Elasticsearch Configuration 352
Externalization and Authentication of Elasticsearch 352
Migration of Elasticsearch data 354
Troubleshooting Tips 354
FortiSOAR Search Errors 354
Optimizing the reindexing of Elasticsearch data 355
Externalization of your FortiSOAR PostgreSQL database 356
Prerequisites 356
Externalizing FortiSOAR databases 357
Setting up an externalized database on the cloud 359
Installing the pg_squeeze and pg_repack extensions 359
Installing pg_squeeze 360
Installing pg_repack 361
Backing up and Restoring FortiSOAR 363
Prerequisites 363
Backup Process 363
Data that is backed up during the backup process 363
Prerequisites to running the backup process 364
Performing a backup 364
Restore Process 365

FortiSOAR 7.6.0 Administration Guide 7
Fortinet Inc.
 Restoring data 365
Restoring a backup of an FortiSOAR instance with an externalized database to an
instance that is not externalized 366
Backup and Restore process for FortiSOAR High Availability systems 367
Regenerating RabbitMQ certificates when you are creating an HA cluster using a
restored node 367
Backup and Restore process for the External Secure Message Exchange systems 367
Troubleshooting Backup and Restore Issues 368
Post-restore the FSR agent status is not updated as "Remote Node Unreachable" 368
About FortiSOAR 369
Downloading FortiSOAR logs 371
Monitoring FortiSOAR 372
Benefits of monitoring 372
Manually setting up monitoring for each FortiSOAR component 372
Monitoring uptime of FortiSOAR 373
Monitoring FortiSOAR services 373
Monitoring databases 374
Monitoring Disk Space Utilization 374
Monitoring CPU and Memory Utilization 374
Monitoring connectors 374
Monitoring workflows 375
FortiSOAR integration with FortiMonitor 376
Setting up a FortiSOAR instance to be monitored using FortiMonitor 376
Monitoring FortiSOAR using FortiMonitor 377
Components that are monitored out-of-the box by FortiMonitor on FortiSOAR 377
FortiSOAR-specific components that are monitored by FortiMonitor 377
OnSight Collector 380
Frequently Asked Questions 380
Q. How to add queued playbooks as a metric for monitoring using the FortiSOAR
template 380
Q. How to change the monitoring interval for the License expiry metric 383
Q. How to modify the timings of generating a Takeover Incident 384
Q. How to remove stale entries on FortiMonitor for FortiSOAR metrics after a
takeover 386
Debugging, Troubleshooting, and Optimizing FortiSOAR 388
List of logs used for troubleshooting FortiSOAR 388
List of key FortiSOAR services and processes 391
Configurations required for exporting of records with unsupported character sets in the
PDF format 393
Additional settings for record similarity and field predictions 393
Configure the maximum number of records to be fetched in one call 394
Change the default value of some of the user profile parameters 395
Security considerations for Websockets 396
Backup of the most recent System View Template (SVT) before saving the edited SVT 397
Automation added to fetch Google Chrome updates 397

FortiSOAR 7.6.0 Administration Guide 8
Fortinet Inc.
 Troubleshooting Tips 397
Your Workflow data size has increased 397
Error displayed while performing a search operation in FortiSOAR 397
Reindexing FortiSOAR modules for search 398
FortiSOAR crashing with "out of memory" errors 398
Changing Postgres worker memory 398
Crashing of the Tomcat server when the 'Detailed' mode for Log Forwarding is
enabled 399
FortiSOAR displaying errors such as app.ERROR: Unable to load API credentials
from cache or DAS 399
Recommendation Engine does not work and displays an "ML Service not running"
error 400
Enabling PostgreSQL logging to identify API requests that are taking longer than
expected 400

FortiSOAR 7.6.0 Administration Guide 9
Fortinet Inc.
Change Log

Date Change Description

2024-08-01 Initial release of 7.6.0

FortiSOAR 7.6.0 Administration Guide 10
Fortinet Inc.
Overview

Overview

Use the administration guide to understand how to customize and administer FortiSOAR, including system, security and
user management, and configuring templates.

When you log on to FortiSOAR for the first time as a csadmin user, you will be mandated to
change your password. This enhances the security of your csadmin account and prevents
unauthorized parties from accessing the administration account for FortiSOAR. New
passwords that are set must contain at least 8 characters, one lower-case alphabet, one
upper-case alphabet, one digit, and any one of the following special characters ~ ! @ # $ % ^ &
*|?_
Ensure that you note down your csadmin password since if you forget your initial csadmin
password, then you have to request FortiSOAR to reset this password. Also, when you are
changing your csadmin password, you must ensure that you also update the email ID that is
specified for csadmin, which by default is set to [email protected] (which is not a valid
email ID). You can change the email ID by clicking the User Profile icon ( ) to open the
User Profile page and change the email address in the Email field. Once you set a valid
email ID in the user profile, then you would be able to reset your password, whenever required,
by clicking the Forgot Password link on the login page.

Also, note if you want to move any file from and to a FortiSOAR system, then you must install SCP (yum install
openssh-clients -y) or any SCP client. This is required since the openssh-clients package has been removed
from FortiSOAR for security compliance.

From release 7.2.0 onwards, the Incident Response modules have been removed from the
FortiSOAR platform and moved to the SOAR Framework Solution Pack (SP). The
SOAR Framework Solution Pack (SP) is the Foundational Solution Pack that creates the
framework, including modules, dashboard, roles, widgets, etc., required for effective day-to-
day operations of any SOC. As the Incident Response modules, i.e., Alerts, Incidents,
Indicators, and War Rooms are not part of the FortiSOAR platform, it becomes essential for
users to install the SOAR Framework SP to optimally use and experience FortiSOAR’s
incident response. For detailed information about the SOAR Framework SP, see the
SOAR Framework SP documentation.
From release 7.2.0 onwards, the SOAR Framework Solution Pack is installed by default with
the fresh installations of FortiSOAR.

Common Tasks

Some of the common task that an administrator can perform are:
l License management
l System configuration
l Security management
l User management

FortiSOAR 7.6.0 Administration Guide 11
Fortinet Inc.
Overview

l Appliance management
l Password Vault management
l Playbook configuration
l Application management

You can perform administration tasks using the Settings ( ) icon in the upper right-hand corner near the User Profile
icon.

Apart from the above tasks, you can install the SLA Management Solution Pack to track and
manage SLA for alerts and incidents in FortiSOAR. For more information see the
SLA Management Solution Pack documentation.

Tasks and Permissions

To manage different modules, appropriate rights must be assigned to users. In FortiSOAR, modules are applied to roles,
for example, the Security module is applied to the Security Administrator role. Role permissions are based on
the Create, Read, Update, and Delete model (CRUD). Each module within FortiSOAR has explicit CRUD permissions
that you can modify and save within a single Role.
For example, to perform all tasks for system configuration, you must be assigned a role that has CRUD permissions on
the Application module, or to be able to add and manage users, you must be assigned a role that at the minimum has
Create and Update permissions on the People module.
By default, FortiSOAR has at least one role in place after installation, the Security Administrator.

Task Permissions required on the module

System configuration: Customizing FortiSOAR and Create, Read, Update, and Delete (CRUD) permissions on
configure several default options used throughout Application module. Default Role - Application
the system, including setting up authentication Administrator.
mechanisms and configuring dashboards and
templates.

Security management: Managing teams and roles. CRUD permissions on Security module. Default Role -
Security Administrator. The security administrator role also has
CRUD permissions on the Secure Message Exchange and
Tenants modules, so that this role can configure multi-tenant
systems.

User management: Adding and removing users CRUD permissions on People module.
and editing their permissions.

Appliances management: Managing appliances CRUD permissions on Appliances module.
and access keys.

Password Vault management: Integrating with CRUD permissions on Connectors module and Read
third-party external vaults to manage sensitive data permission on Application module.

Playbook management: Configuring playbook CRUD permissions on Playbook module. Default Role -
collections and playbooks Playbook Administrator.

FortiSOAR 7.6.0 Administration Guide 12
Fortinet Inc.
Overview

Guide to setting up FortiSOAR

The Setup Guide designed to assist administrators, whether they are new or experienced, in configuring FortiSOAR
according to best practices. It provides guidance on essential configurations and the installation of necessary solution
packs for optimal performance, such as setting up network proxies, enabling audit and playbook log purging, configuring
enrichment, and mitigation playbooks. For details, including permissions required to view the Setup Guide, see the
Setup Guide Widget documentation.
When administrators log into FortiSOAR for the first time, the Setup Guide is displayed:

To minimize the Setup Guide, click the > arrow. To reopen the Setup Guide, click the Setup Guide icon in the top-right
corner of FortiSOAR:

FortiSOAR 7.6.0 Administration Guide 13
Fortinet Inc.
Overview

To hide the FortiSOAR Setup Guide icon, clear the Enable Setup Guide option on the System Configuration
page. For more information, see the System Configuration chapter.

FortiSOAR 7.6.0 Administration Guide 14
Fortinet Inc.
System Configuration

System Configuration

You can customize FortiSOAR and configure several default options used throughout the system, including the way
FortiSOAR gets displayed to the users and the way notifications are sent to the users. To configure the system, you must
be assigned CRUD permissions to the Application module. The Application module is assigned by default to the
Application Administrator role. For information about roles, refer to the Default Roles section in the Security
Management chapter.

Click the Settings ( ) icon to open the System (System Configuration) page. Use the System
Configuration page and its various tabs to customize FortiSOAR as per your requirements:

Click Settings > Audit Log to open the Audit Log page. Use the Audit Log page to view a chronological record of
all actions across FortiSOAR. For more information, see Audit Log.
Click Settings > License Manager to open the License Manager page. Use the License Manager page to update
your license and view the details of your FortiSOAR license. For more information, see License Manager.
Click Settings > Notifications to open the Notifications page. Use the Notifications page to configure rules
for delivery of notifications and also configure notification channels. For more information, see Notifications.
Click Settings > Data Archival to open the Data Archival page. Use the Data Archival page to configure
settings for data archival and to search for records in the data archives. For more information, see Data Archival.
Click Settings > Environment Variables to open the Environment Variables page. Use the Environment
Variables tab on the System Configuration page to add proxies to serve HTTP, HTTPS, or other protocol requests
from FortiSOAR or define environment variables. For the procedure for configuring proxy settings and defining
environment variables is included in the Configuring Proxy Settings and environment variables topic in the Additional
configuration settings for FortiSOAR chapter of the "Deployment Guide."
Use the General tab on the System Configuration page to edit several default options found throughout the
system, especially in the user profile. These include the following:

FortiSOAR 7.6.0 Administration Guide 15
Fortinet Inc.
System Configuration

l Default notifications for system and cluster health monitoring
l Default Comment Modification
l Default DateTime Format
l Behavior of the FortiSOAR Setup Guide
l Setting a language other than English for your FortiSOAR UI
l Default theme
l Default country code
l Default navigation bar style
l Enable light mode setting for the 'Grid' widget across modules
For more information, see General and for more information on user profile configuration, refer to the User Profiles
section in the Security Management chapter.

You can modify all the default values on a per-user basis on any user's Profile page.

Use the Application Configuration tab on the System Configuration page to configure various administrative
options in FortiSOAR. These include the following:
l Purging of audit logs and executed playbook logs and cleaning the database
l Settings for recycle bin records including, purging of recycle bin records and restricting permanent deletion recycle
bin records
l Default Playbook Execution Logging Levels
l Default Playbook Recovery options
l Default rendering of expressions in the Playbook Designer (Simplified Expression View)
l Default timezone for exporting reports
l Manage user listings in 'People' Lookup fields
l Enable MIME type validation for file uploads

To enable sending system notifications, including requests for resetting passwords, and also
for sending emails outside FortiSOAR you must configure the SMTP connector. For more
information, see the SMTP Connector document.

For more information, see Application Configuration.
Use the Log Forwarding tab on the System Configuration page to forward FortiSOAR application and audit logs
to your central log management server. For more information, see Log Forwarding.
Use the Environment Variables tab on the System Configuration page to configure proxy settings for FortiSOAR
and to define any other environment variables. For more information, see Environment Variables.
Use the Branding tab on the System Configuration page to customize FortiSOAR branding based on your license
type. For more information, see Branding.
Use the System Fixtures tab on the System Configuration page to view the links to various playbook collections,
email templates, and the self agent and self tenant pages, which are included by default with FortiSOAR. For more
information, see System Fixtures.

FortiSOAR 7.6.0 Administration Guide 16
Fortinet Inc.
 System Configuration

General

On the General page, you can configure settings, especially those related to user profiles that apply across FortiSOAR.
You can edit the settings and then click Save to apply the changes or click Revert to undo your changes.

Configuring System and Cluster Health Monitoring

You can set up system monitoring for FortiSOAR, both in the case of a single node system and in High Availability (HA)
clusters. To receive email notifications of any FortiSOAR service failure, or of any monitored threshold exceeding the set
threshold, etc., click the Enable Notification checkbox in the System & Cluster Health Monitoring section.

Once you click the Enable Notification checkbox, from the Service drop-down list, select the service to be used for
notifications. You can choose between SMTP or Exchange. In the Email field, specify a comma-separated list of email
addresses of users who should receive email notifications in case of any FortiSOAR service failures, or of any monitored
threshold exceeding the set threshold, etc.

The email that is sent for high CPU consumption also contains information about the
processes that are consuming the most memory.

In the Monitoring Interval (Minutes) field, specify the interval in minutes at which you want to monitor the system and
perform the health check of the HA cluster. By default, the system is monitored every 5 minutes.
In the System Health Thresholds section, you can set the thresholds, in percentages, for Memory Utilization (80%
default), CPU Utilization (80% default), Disk Utilization (80% default), Swap Memory Utilization (50% default), Workflow
Queue, i.e., the value of the celery queue size, and WAL Files Size (GB), which by default is set as 20 GB. The default
value of the workflow queue is set at 100. If the thresholds set are reached or crossed for any of the monitored
parameters, an email notification is sent to all the specified email addresses.
If you have an HA environment, then additionally, RabbitMQ certificates, Nginx certificates, and self-signed PostgreSQL
certificates are also monitored and notifications can be sent to specified users when any of the certificates is nearing
expiry.
Heartbeat failures and replication lags between nodes of your HA cluster can also be monitored and notifications can be

FortiSOAR 7.6.0 Administration Guide 17
Fortinet Inc.
System Configuration

sent to specified users in the event of heartbeat failures and high replication lags between nodes of your HA cluster. You
can specify values for these parameters in the Cluster Health section:

In the Missed Heartbeat Count field, specify the number of missed heartbeats after which notifications of failure will be
sent to all the specified email addresses.

You cannot specify a value lesser than 3 in the Missed Heartbeat Count field.

In the Replication Lag field, specify the lag value for the replication lag between nodes. By default, this is set to 3, i.e.,
3GB. If the replication lag threshold is reached or crossed, then an email notification is sent to all the specified email
addresses.
Some examples of how Monitoring Interval (Minutes) and Missed Heartbeat Count values help you in monitoring
heartbeats between nodes in an HA cluster:
Case 1
If you have set the Monitoring Interval to 5 minutes and the Missed Heartbeat Count to 3, this means that when the
heartbeat is missed (the cyops-ha service is down) for the last >=15 minutes (monitoring interval * missed heartbeat
count), the heartbeat missed notification will be sent to all the email addresses that you have specified in the Email field.
The cluster health check is performed based on the monitoring interval specified. For example, if you specify 3 minutes
in the Monitoring Interval (Minutes) field, then the HA cluster health check will be run every 3 minutes.
Notifications are sent based on the multiplication of the values that you have set in the monitoring interval and the missed
heartbeat count. For example, if you have set the monitoring interval to 3 and missed heartbeat count to 4, and if the
heartbeat is missed for the last >=12 minutes, then heartbeat missed notifications will be sent to all the email addresses
that you have specified in the Email field.
Case 2
If you have had no heartbeats missed for the last >=15 minutes, considering the monitoring interval that is set to 5
minutes and the missed heartbeat count set to 3, however, there is a service down or a service connectivity failure found

FortiSOAR 7.6.0 Administration Guide 18
Fortinet Inc.
 System Configuration

in the health check, then a notification for service down or service connectivity failure will be sent to all the email
addresses that you have specified in the Email field.
For more information on HA, see the High Availability and Disaster Recovery support in FortiSOAR chapter.

Configuring Comments

A user who has Security Update permissions can edit comments of any FortiSOAR user, and a user who has
Security Delete permissions can delete comments of any FortiSOAR user. There is no time limit for the Security
user to update or delete comments.
Users can edit and delete their own comments in the "Collaboration" window or in the Comments widget, if you (the
administrator) has enabled the settings for comment modification and if the user has appropriate CRUD permissions on
the Comments module.
To allow users to edit and delete their own comments, click the Settings icon, which opens the System
Configuration page. On the Application Configuration tab, in the Comment Modification section, select the
Allow Comment Modification checkbox.

You can also specify the time until when the user can edit or delete their comments in the Allow users to modify
/delete their comments for a duration of field. For example, if you select 1 minute from this field, then users can edit
and delete their comments until 1 minute after which they have added the comment. By default, the Allow users to
modify/delete their comments for a duration of field is set to 5 minutes. Users cannot edit or delete their comments
after the time specified in the Allow users to modify/delete their comments for a duration of field.
You can also specify the behavior of the comment "delete" action, i.e., when a user deletes a comment, you can choose
to permanently delete the comment or flag the comment for deletion, i.e., Soft Delete. If you choose to keep the Soft
Delete checkbox checked (default), then the comments will be soft deleted, i.e., on the UI you will see --Comment
Deleted-- instead of the comment. In case you have cleared the Soft Delete checkbox, you will not see anything on
the UI since the comment has been permanently deleted.

Setting the formats for Date and DateTime fields on the FortiSOAR UI

Using standard syntax (https://angular.io/api/common/DatePipe), you can customize the formats for Date and DateTime
fields on the FortiSOAR UI.
To configure the formats for the DateTime and Date fields, in the Datetime Format section, from the Select Datetime
Format drop-down list, select the required DateTime format. Similarly, from the Select Date Format drop-down list,
select the required Date format and click Save.The FortiSOAR UI now displays all DateTime and Date fields in the set
format.

FortiSOAR 7.6.0 Administration Guide 19
Fortinet Inc.
 System Configuration

For example, if you set the DateTime format to 'HH:mm EEEE MMMM dd', all the DateTime fields on the FortiSOAR UI,
such as Resolved Date, Ack Due Date, etc., will be present in this format, i.e., as '15:24 Wednesday August 30'.

Customizing the behavior of the FortiSOAR Setup Guide

The FortiSOAR Setup Guide helps first-time or recurrent administrators of FortiSOAR to optimally set up FortiSOAR
based on best practices. For more information on the FortiSOAR Setup Guide, see the Overview chapter and the Setup
Guide documentation.

FortiSOAR 7.6.0 Administration Guide 20
Fortinet Inc.
System Configuration

By default, the Setup Guide icon is visible in the top-right corner of FortiSOAR:

To hide the Setup Guide icon, go to the System Configuration page, clear the Enable Setup Guide option, which
is selected by default, and click Save:

Once the updated setting is saved, you will observe that the Setup Guide icon are not visible in the top-right corner of
FortiSOAR.

FortiSOAR 7.6.0 Administration Guide 21
Fortinet Inc.
 System Configuration

Setting a language other than English for your FortiSOAR system

Support for 'Internationalization' has been added to the FortiSOAR platform in release 7.5.0, enabling FortiSOAR to
meet the linguistic, cultural, and other needs of a particular locale. The default language set for the FortiSOAR UI is
English, with additional support now available for the following languages:
l Japanese (Preview)
l Korean (Preview)
l Simplified Chinese (Preview)

'Preview' has been added to languages other than English as the translations have been done
using translation tools, which might result in inaccuracies or incompleteness in the
translations. Your feedback is valuable for improving their accuracy and quality. Additionally,
changing the language from English to another language might affect the user experience on
the FortiSOAR UI to some extent, such as labels exceeding their width or misalignment of
buttons.

To support internationalization, FortiSOAR uses a system widget named "Language Pack" that includes the supported
languages. This widget is automatically installed during the installation or upgrade of FortiSOAR to release 7.5.0 or later.

The "Language Pack" widget is a system widget that cannot be uninstalled, and you should not modify it.
Making changes to it can result in translation issues, causing the FortiSOAR UI to appear in English. English
serves as the fallback language for FortiSOAR. Any content that is not translated will be shown in English.

Administrators must be assigned the 'Read' or 'Usage' permission on 'Widgets' (in addition to other necessary
permissions) to modify the global language settings. Without this permission, the FortiSOAR UI remains in English,
regardless of the language you set.
To change the language in FortiSOAR for all users, switch from English to any of the supported languages by clicking the
Settings icon, which opens the System Configuration page. In the Set Language section, select the language
you want from the Select Language drop-down list for the FortiSOAR UI then click Save to apply the change:

FortiSOAR 7.6.0 Administration Guide 22
Fortinet Inc.
System Configuration

If your FortiSOAR instance is part of a high-availability cluster, changing the language on the
System Configuration page on the primary node will apply the selected language
translation on the secondary nodes when users log out and log back in on secondary nodes.
Similarly, if the language is changed on a secondary node, users must log out and log back in
on the primary node and other secondary nodes for the language changes to be reflected.

Users can set the language for their FortiSOAR instance in their profile. The language set in the user profile takes
precedence over the language set by an administrator. For example, if the administrator sets the FortiSOAR language to
'Korean' using this process, but a user sets their profile language to 'Japanese', the user's FortiSOAR UI will be
displayed in Japanese. For information on setting the language in a user profile, refer to the Overview chapter in the
"User Guide."
When changing the language in FortiSOAR from English to any of the supported language, all static text in the
FortiSOAR UI gets displayed in the selected language. Static text includes labels of fields, tabs, and buttons, titles of
dialog boxes, descriptions, static message content, such as content displayed in confirmation, error, or warning
messages, etc.
Content that can be changed by the user, gets displayed in English and not in the selected language, some examples of
such type of content include:
l Names or titles of playbooks, connectors, and built-in widgets such as charts, grids, tabs, etc.
l Tab names, headings, subheadings, etc., in the record detail view and list view as these are user-editable fields.
l Values of picklist items and navigation menu items.
l For modules (mmd) on the Module Editor page, the name of a module and the title of a field must be in English,
as the Type (for modules) and Field API Key (for fields) are auto-generated and must be in English as they are
used to identify the module or field in the API.

Non-default grid columns are not translated until the user resets the columns to their default
settings.
When changes are made to the order of grid columns or when a column is added or deleted
from a module, these changes are stored as user preferences. To have the field names
translated to the user or global preferred language, the columns need to be reset to their
default settings.

Apart from the above the following content also gets displayed in English and not in the selected language:
l Syslogs forwarded from a FortiSOAR system.
l Playbook step results.
l Grid view exported in the CSV format.
l Tooltips, error messages, and toaster messages that are generated from the backend such as tooltips on the
Module Editor page or the health check disconnected error message for the Recommendation Engine.
For information on various services, functions, etc., added for multilingual support for widgets created starting from
release 7.5.0, see the "Widget Development Guide."

Editing locale files for existing modules

You can modify the files for the supported locales (Japanese, Korean, Simplified Chinese) for existing modules using the
Export and Import Wizards. For details on these wizards, see the Export and Import Wizards topic in the Application
Editor chapter. If you want to update some translations of modules, such as the 'Alerts' Module, follow these steps:

FortiSOAR 7.6.0 Administration Guide 23
Fortinet Inc.
 System Configuration

1. Export the 'Alerts' module and download the.zip file of the export.
2. Extract the downloaded.zip file to your local disk. A sample folder structure of the exported 'Alerts' module is as
follows:
exportTemplate folder
--+ modules
---+ alerts
-----+ languages
-------+ en.json
-------+ ja.json
-------+ ko.json
-------+ zh_cn.json
-----+ detail-layout.json
-----+ form-layout.json
-----+ list-layout.json
-----+ mmd.json
--+ picklists
--+ records
--+ info.json
3. Open the language json file you want to edit for the module. For example, to edit the Japanese language file, open
the ja.json file.
4. Update the necessary translations and save the file.
5. Create a.zip file of the Alerts module with the updated translations.
6. Import the zip file to your FortiSOAR instance using the Import Wizard.
7. After a successful import, you will see the updated translations for the 'Alerts' module.

Configuring Themes

You can configure the FortiSOAR theme that will apply to all the users in the system.
Non-admin users can change the theme by editing their user profile. Changes made by a non-admin user to the theme
are applicable only to those users who have not changed their default user profile settings.
There are currently three theme options, Dark, Light, and Space, with Space being the default. On the Application
Configuration page, select the theme that you want to apply across FortiSOAR. Click Preview Theme to view how
the theme would look and click Save to apply the theme.
To revert the theme to the default, click Revert Theme.

Configuring Default Country Code

You can configure country code format for contact numbers that will apply to all users in the system. In the Phone
Number section, select the Default Country and thereby the default country code that you want to apply across
FortiSOAR and click Save to apply the code.

Configuring Navigation Preferences

You can configure the behavior of the left navigation bar across FortiSOAR. You can choose whether you want the left
navigation bar to collapse to just display icons of the modules or expand to display both icons and titles of modules. In

FortiSOAR 7.6.0 Administration Guide 24
Fortinet Inc.
 System Configuration

the Navigation Preferences section, click Collapse Navigation to collapse the left navigation bar and click Save
to apply the behavior of the left navigation bar across the system.

Enabling Light Mode Setting

You can enable the 'Light Mode' for the 'Grid' widget across modules by toggling the Enable light grid to Enabled
(default is Disabled). The lighter version of the grid widget offers improved performance and usability. For details on the
'Light Mode' for Grids, see the 'Grid' topic in the Dashboards, Templates, and Widgets chapter of the User Guide.

Additionally, if you want to honor the module-level light mode settings, select the Allow individual module level
setting to override global setting option. For example, if the light grid is enabled globally, but the 'Indicators' module
needs to be excluded, then you can clear the 'Enable Light Mode' checkbox for the grid in the Indicators module,
resulting in the Indicators module using a regular grid. By default, the Allow individual module level setting to
override global setting option is unchecked, enforcing global-level light-mode settings across all modules, and
overriding any module-specific settings.

Application Configuration

Click the Application Configuration tab on the System Configuration page to open the Application
Configuration page. On the Application Configuration page, you can configure various administrative
settings that will apply across FortiSOAR. You can edit the settings and then click Save to apply the changes or click
Revert to undo your changes.

Purging audit logs, executed playbook logs, and recycle bin records, and
reclaiming unused disk space

You can schedule purging, on a global level, for both audit logs and executed playbook logs. Click the Settings icon,
which opens the System Configuration page. In the Purge Logs section, you can define the schedule for purging
both Audit Logs and Executed Playbook Logs.
By default, audit logs are not purged and executed playbooks logs are purged.

FortiSOAR 7.6.0 Administration Guide 25
Fortinet Inc.
System Configuration

The Purging activity deletes logs permanently, and you cannot revert this operation.

Purging logs deletes old records from the respective tables; however, it does not free up the PostgreSQL database
space, which could cause space and performance issues in FortiSOAR. Therefore, from version 7.0.2 onward,
FortiSOAR provides you with an option to reclaim unused disk space. This activity clears all the empty rows in tables and
indexes, which helps in improving the performance by optimizing the space. By default, this cleanup activity is run
"Weekly at 02:01 AM (UTC) on Sunday"; however, you have the ability to update the schedule of this cleanup activity as
per your requirement.
In release 7.6.0, FortiSOAR has optimized the process of reclaiming unused disk space by utilizing advanced
PostgreSQL utilities. These enhancements address issues such as database bloat and performance slowdowns in
operations such as playbook searches, caused by extensive data retention and the accumulation of a large number of
records over time. This is often a result of PostgreSQL space quickly filling up when numerous playbooks are executed,
even in 'Info' mode. The process reclaims disk space from PostgreSQL by optimally managing data.
The configuration file /opt/cyops-workflow/sealab/sealab/config.ini contains parameters for using
advanced PostgreSQL utilities, i.e., pg_squeeze and pg_repack. To modify default values, edit the config.ini file
and then restart the services using the systemctl restart uwsgi celeryd fsr-workflow celerybeatd
command:
l SQUEEZE_SOFT_TASK_TIMEOUT: This parameter defines the soft time limit for the pg_squeeze task. The soft
time limit allows the task to catch exceptions and clean up before being terminated; the hard timeout is not catch-
able and force terminates the task. If the soft time limit is exceeded and cleanup is stuck then the hard time limit
(expected to be higher than the soft time limit) will force terminate the pg_squeeze task as a safety net and to avoid
forever running of task. The default soft time limit is 3600 seconds.
l SQUEEZE_TASK_TIMEOUT: This parameter sets the hard time limit for the pg_squeeze task. When the task
exceeds this duration, the system will throw an exception. The hard time limit should always be higher than the
SQUEEZE_SOFT_TASK_TIMEOUT and is used to override the CELERYD_TASK_TIME_LIMIT for the 'pg_squeeze'
task. The default hard time limit is 3800 seconds.
l SQUEEZE_EXECUTION_TIME: The system performs a periodic cleaning task in addition to the scheduled one. You
can adjust the UTC time for this task by changing the SQUEEZE_EXECUTION_TIME parameter in the
/opt/cyops-workflow/sealab/sealab/config.ini file. It is recommended to configure 'pg_squeeze' to

FortiSOAR 7.6.0 Administration Guide 26
Fortinet Inc.
System Configuration

run when the ingestion rate is low. The default setting for the SQUEEZE_EXECUTION_TIME parameter is '22-6',
indicating that the cleaning task will occur from 10 PM to 6 AM.
l USE_PG_SQUEEZE and USE_PG_REPACK: In fresh installations from release 7.6.0 onwards, the default settings for
'USE_PG_SQUEEZE' and 'USE_PG_REPACK' parameters are set to 'true'. However, in upgrades to release 7.6.0, the
'USE_PG_SQUEEZE' and 'USE_PG_REPACK' keys are set to 'false', which means that the upgraded systems will
still use full vacuum for cleaning up workflow execution history, which can block of all workflow operations.
NOTE: Before changing the workflow execution cleanup behavior by setting 'USE_PG_SQUEEZE' and 'USE_PG_
REPACK' keys to 'true', in upgraded instances, it is recommended to run a full vacuum first.

In High Availability environments, settings related to pg_squeeze and pg_repack, such as USE_PG_SQUEEZE,
USE_PG_REPACK, SQUEEZE_EXECUTION_TIME, etc. must be modified on all cluster nodes.

For more information on optimizing settings see the Debugging, Troubleshooting, and Optimizing FortiSOAR chapter
and for debugging and optimizing playbooks and workflows, see the Debugging and Optimizing Playbooks chapter in the
"Playbooks Guide."

Scheduling purging of audit logs

To purge Audit Logs, you must be assigned a role that has a minimum of Read permission on the Security module,
Read permission on the Application module, and Delete permissions on the Audit Log module.
To enable purging of Audit logs, select the Enable Purging checkbox that appears in the Audit Logs section.
Once you select the Enable Purging checkbox, you require to define the schedule for purging of audit logs. To specify
the time for which you want to retain the logs, you must select the appropriate option from the Keep logs Of drop-down
list. You can choose from the following options: Last month, Last 3 months, Last 6 months, Last year, or Custom as
shown in the following image:

FortiSOAR 7.6.0 Administration Guide 27
Fortinet Inc.
System Configuration

If you choose Custom, then you must specify the number of days for which you want to retain the logs.

For purging purposes, 1 month is considered as 30 days and 1 year is considered as 365
days.

The purging schedule clears all logs that belong to a timeframe earlier than what you have specified.
For example, if you want to retain audit logs for a month, then select Last month from the Keep logs of drop-down list.
Once you save this setting all audit logs that are older than 1 month (30 days) will be cleared, and this will be an ongoing
process, as the audit log records will all be time-stamped and the ones older than 30 days will be purged.

By default, the purge schedule job, runs every midnight (UTC time) and clears all logs that
have exceeded the time duration that you have specified. If you want to run the purging activity
at a different time of the day or for a different duration, you can do so by editing the schedule of
purging on the Schedules page (Automation > Schedules) once you enable purging of the
logs.

Scheduling purging of executed playbook logs

To purge Executed Playbook Logs, you must be assigned a role that has a minimum of Read and Update
permissions on the Security module, Read and Update permissions on the Application module, and Delete
permissions on the Playbooks module.

Purging of executed playbook logs based on date or days criteria

Executed Playbook Logs are purged by default, and therefore the Enable Purging checkbox is already selected in the
Executed Playbook Logs section. By default, any executed playbook logs that are older than 15 days are purged.
You can change time for which you want to retain the playbook execution logs by selecting the appropriate option from
the Keep logs Of drop-down list, as is the case with audit logs.
A system schedule, named "Purge Executed Playbook Logs" is also already created and active on the Schedules
page. This schedule runs every midnight (UTC time) and clears all logs that have exceeded the time duration that is
specified. If you want to run the purging activity at a different time of the day or for a different duration, you can do so by
editing this schedule.

Purging of executed playbook logs based on criteria other than date or days

You can purge executed playbook logs based on some complex query condition that involves multiple parameters and
not just the date or days criteria. For example, clearing logs of ingestion playbooks that have completed their execution.
Being able to clear logs based on these criteria is useful since ingestion playbooks are generally scheduled and they can
occupy a major chunk of playbook history in the database. Therefore, this feature provides you with an option to build
desired queries for purging executed playbook logs and scheduling the purging.
To add the custom criteria, based on the clearing ingestion playbook that have completed their execution example, do
the following:
1. Click the +Additional Criteria link.
2. In the Criteria Title field, enter the title of the criteria based on which you want to purge the executed playbook logs.
For example, Purging Ingestion Playbook Logs.

FortiSOAR 7.6.0 Administration Guide 28
Fortinet Inc.
System Configuration

3. Select the logical operator, All of the below are True (AND), or Any of the below is True (OR). For our example,
we require the AND operator, since we want to purge all playbooks that contain the "ingestion" tag and whose status
is finished, so select All of the below are True (AND).
4. Click the Add Condition link to add conditions for purging the executed playbook logs:
From the Select a field drop-down, select Tags, from the Operator drop-down list select Contains Any and in the
Add Tags field, enter dataingestion. Click the Add Condition link again, and from the Select a field drop-
down, select Status, from the Operator drop-down list select Equals, in the Status drop-down list select Finished.
You can add additional conditions or criteria as per your requirements.
5. Schedule the purging of the executed playbooks logs based on the above-specified criteria by selecting the
appropriate option from the Keep Logs Of drop-down list. You can choose from the following options: Last month,
Last 3 months, Last 6 months, Last year, or Custom.
For our example, we choose the Custom option and specify 1 for days, which means that keep the logs for the
ingestion playbooks that have finished their execution for just 1 day in the database.

6. To save the criteria for purging executed playbook logs, click Save.

Points to be considered while setting multiple purging criteria

If you have added multiple purging criteria, then the purge functionality purges logs sequentially.
For example, if you have defined the following criteria
l Default: Keep logs of the last 2 days.
l If 'Playbook Execution Status = Failed', then keep logs for last 1 day.
l If Tags contain Ingest, then keep logs for last 1 day.
In such a scenario, logs are purged as follows:
1. Retains logs for the last 2 days only, and purges the remaining logs.
2. From the logs of the last 2 days, looks for logs that have 'Playbook Execution Status = Failed', and keeps such logs
for the last 1 day only.
3. Looks for logs that have 'Tags' containing 'Ingest', and keeps such logs for the last 1 day only.

FortiSOAR 7.6.0 Administration Guide 29
Fortinet Inc.
System Configuration

Scheduling storage space reclamation

To reclaim unused space, ensure that the Storage Space Reclamation option is selected (default). This activity clears
all the empty rows in tables and indexes, which helps in improving the performance by optimizing the space.

You can schedule regular storage space reclamation to ensure that space gets regularly freed up in the PostgreSQL
database as per your requirements.

It is recommended to schedule the cleanup process after purging logs and during non-production
hours when system usage is lower. This is because as the process pauses the execution and
operations of all playbooks and slows down your system's performance.

In the Storage Space Reclamation Settings section, you can select the frequency of running the storage space
reclamation activity. You can choose between running this activity Weekly or Daily or to some custom frequency based
on your requirements. By default, a system schedule named "Reclaim Disk Space (Playbook Logs)" is created in
Automation > Schedules to periodically clear the playbook execution logs "Weekly at 02:01 AM on Sunday".
To change this schedule to a custom frequency, click the View link to display its Schedule Details and edit the schedule
as per your requirement, and then click Save. For example, to run this activity "Weekly on Mondays at 12:01", change

FortiSOAR 7.6.0 Administration Guide 30
Fortinet Inc.
System Configuration

the schedule as follows:

You can view the % of disk space that is being used for playbook logs that is eligible for cleanup and which can be
reclaimed, and you can also immediately initiate a cleanup of playbook logs by clicking the Initiate Cleanup Now link,
which displays a confirmation dialog. Clicking Confirm on the dialog immediately starts the disk space reclamation
activity.

System Settings for Recycle Bin

Scheduling purging of recycle bin records

You can schedule the purging of recycle bin records to periodically clear the soft-deleted records from the recycle bin.
For more information, see the Recycle Bin chapter.
To purge Recycle Bin records, you must be assigned a role that has a minimum of Read and Update permissions on the
'Application' module. To enable purging of recycle bin records do the following:
1. Click the Settings icon, which opens the System Configuration page.
2. On the System Configuration page, click the Application Configuration tab.
3. In the Purge Recycle Bin section, select Enable Purging.
4. Once you select the Enable Purging checkbox, you require to define the schedule for purging of recycle bin
records.
5. In the Purge Recycle Bin section, set up the purging schedule, which is a system schedule named 'Recycle Bin
Cleanup' that runs periodically as per the time-frame you have configured and purges recycle bin records:
a. Click View beside Schedule Status, which is set to Inactive, to open the Schedule Details dialog.
b. Click Start Schedule to begin the schedule immediately, or you can also set the Start Time and End Time for
the schedule.

FortiSOAR 7.6.0 Administration Guide 31
Fortinet Inc.
 System Configuration

c. In the Schedule Frequency section, choose the frequency of running this schedule.
For example, to purge recycle bin records daily at 6:00 am, click Daily and then in the hour field enter 6 and in
the minute field enter 0.
d. From the Timezone drop-down list, select the timezone in which you want the schedule to run. By default, this
is set as UTC.
e. If you want to ensure that you do not rerun the workflow, if previous scheduled instance is yet running, then
click Limit execution to one active instance at a time.
f. (Optional) From the Start Time field, select the date and time from when the schedule should start running.
g. (Optional) From the End Time field, select the date and time till when the schedule should run, i.e., the date
and time to stop the schedule. For more details on schedules, see the Schedules chapter in the "User Guide."
h. Click Save to save the schedule.
Once the schedule is saved, you can see that the Schedule Status has changed to Active:
6. To specify the time for which you want to retain the recycle bin records, you must select the appropriate option from
the Keep records upto drop-down list. You can choose from the following options: Last month, Last 3 months, Last
6 months, Last year, or Custom as shown in the following image:

If you choose Custom, then you must specify the number of days for which you want to retain the recycle bin
records.
For example, if you want to retain the recycle bin records for a month, then select Last month from the Keep
records upto drop-down list. Once you save this setting all recycle bin records that are older than 1 month (30
days) will be cleared, and this will be an ongoing process, as the records will all be time-stamped and the ones older
than 30 days will be purged.

Restricting access for permanent deletion of recycle bin records to only "admin" users

To restrict access for permanently deleting records to only users with the 'Administrator' role, i.e., users having Delete
permission on the 'Application' module, select the Restrict Permanent Delete option. If you enable this settings, then
non-admin users can soft-delete records but cannot permanently delete them, which would help prevent accidental
deletion of records by non-admin users. For more information on the Recycle Bin, see the Recycle Bin chapter.

Configuring the logging level for Playbook Execution Logs

You can define the logging levels for your playbook execution logs, both globally as well as at the individual playbook
level. On the System Configuration page, you can choose either INFO or DEBUG as the global playbook logging
level.

FortiSOAR 7.6.0 Administration Guide 32
Fortinet Inc.
System Configuration

INFO is set as the default global playbook logging level for fresh installations of FortiSOAR. If
you are upgrading FortiSOAR, then the DEBUG mode is set as the default playbook logging
level to ensure that there is no data loss.

l INFO: At the 'INFO' (default) level, only the final playbook execution status and individual playbook step status
information is available after playbooks have completed their execution. It is recommended that you keep the
logging level at INFO for production instances and in scenarios where you want to use storage space efficiently.
When you retain the default INFO logging level, the Enable DEBUG level logging for failed
playbooks checkbox is selected by default, which means that 'DEBUG-level' logging is set for failed playbooks and
users do not need to rerun the playbook to view the exact reason for playbook failures.
l DEBUG: At the 'DEBUG' level, detailed logging is enabled that includes additional execution information like step
input, output, configurations and other details.

Enabling DEBUG level logging can quickly fill up the storage space. It is recommended to
use it only while designing or debugging playbooks, or use this option wisely only for
certain playbooks where this data might be useful

Retaining the selection of the Allow individual playbook log level logging settings to override global settings
checkbox honors the logging level that has been set at the individual playbook level. If you clear this checkbox, or do not
change the logging level at the individual playbook level (default is INFO), then the global playbook logging level gets
applicable. This is useful if you want to temporarily switch logging for the entire environment.

You can set the logging level of individual playbooks, even if you clear the Allow individual
playbook log level logging settings to override global settings checkbox; however, at
the time of playbook execution the global playbook logging level gets applied.

FortiSOAR 7.6.0 Administration Guide 33
Fortinet Inc.
 System Configuration

Configuring Playbook Recovery

Use the autosave feature in playbooks to recover playbook drafts in cases where you accidentally close your browser or
face any issues while working on a playbook.
In the Playbook Recovery section, you can define the following:
l If you do not want FortiSOAR to save playbook drafts, clear the Enable Playbook Recovery option. By default, this
option is checked.
l In the Save Drafts Every field, enter the time, in seconds, after which FortiSOAR will save playbook drafts. By
default, FortiSOAR saves playbook drafts 15 seconds after the last change.
The minimum time that you can set for saving playbook drafts is 5 seconds after the last change.

Configuring the Simplified Expression View

For fresh installations of FortiSOAR release 7.4.0 or later, by default, the Simplified Expression View option is
selected on the Application Configuration page, rendering a simplified expression based on tags rather than the
full Jinja expression in the playbook designer.
For upgraded FortiSOAR systems, by default, the Simplified Expression View option is cleared. If you deselect this
option, then the complete Jinja expressions are displayed in the playbook designer. For more information, see the
"Playbooks Guide."

Configuring the default timezone for exporting reports

You can define a timezone that will be used by default for exporting reports. This timezone will be applied by default to all
reports that you export from the Reports page. To apply the default timezone, click the Enable Timezone Selection
option in the Report Export section in the Application Configuration page. Then from the Timezone drop-
down list, search for and select the timezone in which you want to export the report. For example, if you want to search
for the timezone of Los Angeles, you can type los in the search box below the Timezone field to find the correct
timezone, as shown in the following image:

FortiSOAR 7.6.0 Administration Guide 34
Fortinet Inc.
 System Configuration

Managing user listings in People Lookup fields

You can choose to display only active users in 'people lookup' fields, such as assignedTo, across FortiSOAR. To
manage user listings in people look up fields, ensure that the Restrict people lookups to active users checkbox in the
People Lookup Filter section is selected. If the Restrict people lookups to active users checkbox is cleared
then both active and inactive users will be displayed in people lookup fields.

Enabling MIME type validations for file uploads

You can specify the MIME types that will be disallowed from being uploaded in Attachments, Comments, or any other
modules that have fields of type 'File'. Using this option, administrators can restrict potentially malicious files of types
such as.exe,.bat, etc. to be uploaded into FortiSOAR, which users can later download. FortiSOAR has not added this
restriction as defaults since there could be business use cases such as where users as part of automation read the file
being sent to them in emails, and then upload the same to FortiSOAR to be used in the future for different operations like
sandboxing, etc. Therefore, administrators can enable MIME type validations for file uploads as per their organization’s
policies by adding MIME types in the Restricted File MIME Types section:

From release 7.2.1 onwards, by default, SVG files are disallowed from being uploaded in any modules that have fields of
type 'File'. If you want to allow uploading of SVG files, then you can remove the image/svg and image/svg+xml tags from
the Restricted File MIME Types section.
In addition to restricting MIME types, you can also block specific HTML tags and attributes from being added to HTML
content in Rich Text fields. For more information, see Blocking specific HTML tags and attributes.

FortiSOAR 7.6.0 Administration Guide 35
Fortinet Inc.
System Configuration

Log Forwarding

Many organizations use an external log management server (syslog server) to manage logs and maintain all logs at a
single place, making analysis efficient. FortiSOAR application logs and audit logs can be forwarded to your central log
management server that supports a Rsyslog client, using both the FortiSOAR UI and the csadm CLI. You can also select
the category of the logs you want to forward to the external log management server. For information about configuring
forwarding of logs to an external log management server using the CLI, see the FortiSOAR Admin CLI chapter.

If you have a FortiSOAR HA setup, then note that Syslog settings are not replicated to the
passive node. If you want to forward logs from the passive node, you must enable it manually
using the csadm log forward command.

You could also send FortiSOAR logs to a SIEM, since all SIEMs support syslog ingestion, and which would help you
achieve the following
l Ease High Availability (HA) troubleshooting since now you can use consolidated logs instead of having to go
individual nodes to debug HA issues.
l Ability to forward FortiSOAR logs to your SIEM, if you have a policy of setting up log forwarding to SIEM for all your
production devices.
Once the logs are in the a SIEM, you can further configure rules for raising alerts for specific failure, making system
monitoring more effective.
Click Settings > System Configuration and then click the Log Forwarding tab to open the Log Forwarding page.
Use the Log Forwarding page to setup, modify, and enable or disable your syslog forwarding of FortiSOAR logs to
your central syslog server. To enable syslog forwarding, click the Enable Log Forwarding check box.

Once you select the Enable Log Forwarding, you require to fill in the details of the syslog server to which you want to
forward the FortiSOAR logs, the type of logs to forward, etc.

FortiSOAR 7.6.0 Administration Guide 36
Fortinet Inc.
 System Configuration

You can configure only a single syslog server.

1. In the Configuration Name field, add the name of the configuration in which you want to store the log forwarding
configuration details.
Note: The name that you specify must not have any special characters, underscores, or spaces.
2. In the Syslog Server Details section, enter the following details:
a. In the Server field enter the DNS name or IP address of the syslog server to which you want to forward the
FortiSOAR logs.
b. From the Protocol drop-down list, select the protocol that you want to use to communicate with the syslog
server. You can choose between UDP, TCP, or RELP.
c. In the Port field enter the port number that you want to use to communicate with the syslog server.
d. (Optional) To securely communicate with the syslog server, click Enable TLS.
Once you click Enable TLS, in the Certificate field, you must enter your CA certificate.
If you have a client certificate for your FortiSOAR client, then in the Client Certificate and Client Key fields,
you must enter the client certificate and the client key.
3. In the Choose Log Types To Forward section, choose the types of FortiSOAR logs you want to forward to the
syslog server.
Application Logs include OS logs, and this checkbox is selected by default. To also forward FortiSOAR audit logs,
click the Audit Logs checkbox. Once you select audit logs, you can define the following:
a. From the Specify Audit Log Detail Level drop-down list, select the amount of data, Basic or Detailed that
you want to forward to the syslog server. Basic (default and recommended) sends high-level details of the
event per audit log, whereas Detailed sends detailed information about the event per audit log.
b. In the Configure Audit Log Forward Rules section, define the rules to forward audit logs:
From the Record Type drop-down list, select the record types such as, Alerts, Incidents, etc. whose audit logs
you want to forward to the syslog server.
From the User drop-down list, select the users such as, CS Admin etc., whose audit logs you want to forward to
the syslog server.
From the Operation drop-down list, select the operations such as Create, UpdateConfig, Delete, etc., whose
audit logs you want to forward to the syslog server.
From the Playbooks drop-down list, select the operations such as Generate Incident Summary Report,
Playbook Execution History Cleanup, etc., whose audit logs you want to forward to the syslog server.
To add more rules, click the Define More Rules link.
Important: If you do not define rules, then all the audit logs will be forwarded.
4. Once you have completed configuring syslog forwarding, click Save.
FortiSOAR performs validations such as, whether the syslog server is reachable on the specified port etc. before
adding the syslog server.
Once the syslog server is added, you can update or remove the configuration as per your requirements.

Persisting the FortiSOAR logs

If your external log management server goes down, then the FortiSOAR logs generated during that time period will not
be sent by FortiSOAR to your syslog server. If you want to persist the logs for the time frame when external log
management server is down and send those logs when server comes back online, you need to do the following:
In the /etc/rsyslog.d/00-rsyslog-fortisoar-settings.conf file, add the following contents after the ####
add the server details after this #### line:

FortiSOAR 7.6.0 Administration Guide 37
Fortinet Inc.
System Configuration

#### add the server details after this ####
$ActionQueueType LinkedList
$WorkDirectory /home/csadmin/.offline-rsyslogs/
#
# for the workdir mentioned above, make sure you run
# chown -R -t syslogd_var_lib_t /home/csadmin/.offline-rsyslogs/
#
$ActionQueueMaxDiskSpace 1gb # 1gb space limit (You can change this value)
$ActionQueueFileName fortisoar-offline-rsyslog
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on

Next, run the following commands:
mkdir -p /home/csadmin/.offline-rsyslogs/
chcon -R -t syslogd_var_lib_t /home/csadmin/.offline-rsyslogs/
systemctl restart rsyslog

Environment Variables

You can use the Environment Variables tab on the System Configuration page to configure proxy settings for
FortiSOAR and to define any other environment variables.
The procedure of how to configure proxy settings and define environment variables is included in the Configuring
Proxy Settings and environment variables section in the Additional configuration settings for FortiSOAR
chapter of the "Deployment Guide".

External web pages that you open (for example, from a link included in the description field of
an alert) or view (for example, using the iFrame Widget) in FortiSOAR goes through the
configured proxy server if you have configured the proxy in the web browser's settings. If the
proxy is not configured in the web browser's settings, then the external web pages are opened
directly without using the configured proxy server.

FortiSOAR 7.6.0 Administration Guide 38
Fortinet Inc.
System Configuration

Branding

You can customize branding of FortiSOAR as per your requirement. Branding is not bound based on licensing, i.e., all
customers can customize FortiSOAR branding as per their requirements.
To customize your branding in FortiSOAR, you must have a role which has a minimum of Application Update
permission and then can do any or all of the following branding changes:

l Changing Logos: You can update the FortiSOAR logo to reflect your logo in the FortiSOAR UI. However, note that
the maximum file size for a logo is 1 MB. Also, the different logos have specific dimensions, and if the image files
exceed the specified dimensions, then the FortiSOAR UI displays relevant error messages and prevents users from
uploading images that exceed the file size and/or have the wrong dimensions.
You can update your logo in the Logo Settings section:
Brand Logo (Small) - Dark Theme and Brand Logo (Large) - Dark Theme: Click the FortiSOAR logos and browse to
the logos that you want to display in FortiSOAR Dark or Steel theme in two dimensions: Small (90px X 72px) and
Large (210px X 24px).
Brand Logo (Small) - Light Theme and Brand Logo (Large) - Light Theme: Click the FortiSOAR logos and browse to
the logos that you want to display in FortiSOAR Light theme in two dimensions: Small (90px X 72px) and Large
(210px X 24px).
Note: You can hover on the information icon to view where these logos will appear in FortiSOAR.
l Changing the Favicon: To change the favicon that is displayed in FortiSOAR, click the FortiSOAR favicon and
browse to the icon that you want to display as a favicon. Dimensions of favicon must be 16px X 16px.

FortiSOAR 7.6.0 Administration Guid