Software vendor Fortinet has released the latest update for its FortiAnalyzer product, version 7.0.2. The new release fixes a number of bugs: among other things, FortiAnalyzer should run faster and log searches should no longer take as long. Update 7.0.2 also resolves the problem of IPS packets missing from logs on FortiAnalyzer, and it puts an end to duplicated entries when filtering logs in real time. The latest update also adds the option of running FortiAnalyzer in Docker. More details follow in the rest of the article.
Installing FortiAnalyzer in Docker:
The FortiAnalyzer 7.0.1 Docker image is available for download from Fortinet's public, verified-publisher repository on Docker Hub.
Installation instructions:
- Go to Docker Hub at https://hub.docker.com/. The Docker Hub home page is displayed.
- In the banner, click Explore.
- In the search field, type Fortinet and press Enter. The fortinet/fortimanager and fortinet/fortianalyzer options are displayed.
- Click fortinet/fortianalyzer. The fortinet/fortianalyzer page is displayed with two tabs, Overview and Tags. The Overview tab is selected by default.
- On the Overview tab, copy the docker pull command and use it to download the image. The CLI command on the Overview tab points to the latest available image. Use the Tags tab to access other versions, if any are available.
Currently supported models:
| Platform | Models |
|---|---|
| FortiAnalyzer | FAZ-150G, FAZ-200F, FAZ-300F, FAZ-300G, FAZ-400E, FAZ-800F, FAZ-800G, FAZ-1000F, FAZ-2000E, FAZ-3000F, FAZ-3000G, FAZ-3500E, FAZ-3500F, FAZ-3500G, FAZ-3700F, FAZ-3900E |
| FortiAnalyzer VM | FAZ_DOCKER, FAZ-VM64, FAZ-VM64-AWS, FAZ-VM64-Azure, FAZ-VM64-GCP, FAZ-VM64-HV (including Hyper-V 2016 and 2019), FAZ-VM64-KVM, FAZ-VM64-OPC, FAZ-VM64-Xen (for both Citrix and open-source Xen) |
Resolved issues:
Device Manager
| Bug ID | Description |
|---|---|
| 639479 | FortiGate v6.0 with sub-ca certificate may not be able to establish oftp connection with FortiAnalyzer without sub-ca certificate. |
| 687527 | CSF cannot be formed when including FortiGate-6000 or FortiGate-7000 series, as blades are not prompted on Device Manager. |
| 724753 | Display hidden units is not clickable when there is no unauthorized non-hidden devices present. |
| 731063 | FortiAnalyzer supports FortiAuthenticator-300F. |
FortiSOC
| Bug ID | Description |
|---|---|
| 747193 | FortiSoC EMS connector playbook may result in name error. |
FortiView
| Bug ID | Description |
|---|---|
| 579910 | SOC should show AP SSIDs and clients from Event Logs when the Service Profile is in Bridge mode. |
| 640553 | FortiView monitor WiFi widget is not showing Bridged SSID information. |
| 678044 | FortiAnalyzer may not show rescan icon, and drill-down for rescan may show an empty page. |
| 691570 | FortiAnalyzer may not be able to cancel IoC re-scan task. |
| 719441 | FortiView may return sql-report dataset query error when Export to Report Chart in FortiClient Software inventory. |
| 722443 | Top Destinations on FortiView may not display the correct information. |
| 723799 | Policy Name may not show up under FortiView > Traffic > Policy Hits > Policy Column for policies with name information. |
| 724435 | SD-WAN performance status widget may be empty if one of the SD-WAN members is down. |
| 726637 | FortiAnalyzer should be able to filter on device name and show the device name field properly in the Result column. |
| 731348 | FortiView may not apply country filter correctly. |
| 733145 | The SD-WAN Events widget may display "Invalid params: device: only alphanumerics, '_', '-' and one pair of '[', ']' are valid characters". |
| 734359 | FortiAnalyzer may return error when applying source IP filter and exporting data to PDF with Top Browsing Users. |
| 735153 | IoC incorrectly shows internal host as infected while IPS attack is initiated from outside. |
| 735724 | FortiView Monitors page may be showing two Traffic dashboards or VPN dashboards. |
| 748014 | FortiView may throw an exception when adding filters for Top Endpoint Vulnerabilities (FortiClient). |
Log View
| Bug ID | Description |
|---|---|
| 656507 | FortiAnalyzer may lose sorting when clicking the header column in Log Browse. |
| 661094 | In Log View, importing logs may fail. |
| 674027 | Filtering FortiClient event logs with wildcard UID filter returns no data. |
| 717160 | FortiAnalyzer may show duplicated entries when filtering real-time logs in Log View. |
| 726340 | oftpd may not work properly if many log requests are received at the same time. |
| 727355 | FortiAnalyzer may take very long time on log searches. |
| 745724 | Bandwidth data from SD-WAN event logs may not be inserted. |
Others
| Bug ID | Description |
|---|---|
| 615795 | Some IPS packets may be missing on FortiAnalyzer. |
| 621473 | FortiSOC is missing in cloud-based VMs. |
| 682539 | Local Connector Update Endpoint may fail because the endpoint's record contains Unicode characters. |
| 687180 | When using the operator >= for "Greater than or Equal to" in the FortiAnalyzer CLI, it does not accept the syntax and throws an error. |
| 716576 | User with read-only permissions cannot get the list of ADOMs via JSON request. |
| 726012 | FortiAnalyzer requires a FortiGuard Indicators of Compromise license in order to see compromised hosts. |
| 726782 | The percent of used memory is much higher in 7.0 than 6.4. |
| 729741 | An error message may appear on console during upgrade. |
| 730554 | FortiAnalyzer HA may use high memory usage. |
| 731070 | FortiAnalyzer should add support for FortiNAC v9.1 in supported-platforms. |
| 731319 | There may be high memory usage on logfwd with FortiAnalyzer collector. |
| 733792 | JSON RPC may fail with code -32603. |
| 735510 | sqllogd may cause high memory usage. |
| 744293 | Several extra ports are opened when scanning FortiAnalyzer HA cluster’s virtual IP. |
| 744918 | fortilogd may not write logs for FortiGate-401E-DC. |
| 745025 | HMAC given in log-checksum md5-auth option does not match. |
| 746022 | There may be multiple siemdbd crashes on redisAppendCommand. |
| 746625 | siemagentd may crash. |
Reports
| Bug ID | Description |
|---|---|
| 677090 | Report Filter may not work with devname. |
| 715680 | Default chart VPN User Logins may return different values in two reports for the same device or data range. |
| 726688 | All predefined report/template/chart/macro/dataset may be missing from newly created ADOM after a reboot. |
| 728923 | Log type selector for FortiGate has duplicate traffic log field names because FortiClient Traffic was renamed to Traffic. |
| 734152 | Report group filter may not work in FortiProxy ADOM. |
| 734167 | Report log field filter drop-down may be missing pick-list in non FortiGate ADOM. |
| 744024 | FortiAnalyzer is unable to disable and remove reports from hidden ADOM. |
| 744915 | FortiView summary does not match with the sessions shown in the session table. |
System Settings
| Bug ID | Description |
|---|---|
| 672273 | Initial data sync may never finish on an Azure or GCP HA cluster unless "diag test app clusterd 97 init-sync done" is run. |
| 710986 | An existing log forwarding entry is gone after its status changed from On to Off. |
| 721627 | FortiAnalyzer HA cluster always uses VIP for log forwarding to server instead of another interface. |
| 730296 | RADIUS authentication using mschap2 may not work. |
| 739136 | Task monitor shows incorrect user for newly created ADOM. |
Known issues:
Event Management
| Bug ID | Description |
|---|---|
| 691220 | Event handler may not be triggered correctly when there is more than one match. |
FortiSOC
| Bug ID | Description |
|---|---|
| 717841 | IOC events and FortiGate Event Handler events are not being sent to FortiGate from FortiAnalyzer. |
FortiView
| Bug ID | Description |
|---|---|
| 641596 | FortiAnalyzer may show "No Data" in the "User Vulnerabilities Summary" widget. |
| 727056 | SD-WAN Monitor may show incorrect bandwidth. |
| 741910 | Top Cloud Applications may show 0 KB utilization under the Bandwidth column. |
| 744910 | Bandwidth should not be used in the FortiView’s graphs or tables when they are actually showing bytes received and sent. |
Log View
| Bug ID | Description |
|---|---|
| 704206 | When filtering with "Action" and "Source IP" under the Traffic menu, the filter output may be incorrect when a smart action is combined with any other field. |
| 691552 | FortiAnalyzer may be missing a double quote in direction log field. |
Others
| Bug ID | Description |
|---|---|
| 616355 | FortiGate may display "SSL error" or "OFTP error" when testing connectivity with FortiAnalyzer. |
| 701753 | SIEM database should be trimmed at the same time when quota enforcement occurs. |
Reports
| Bug ID | Description |
|---|---|
| 653207 | FortiAnalyzer may have incorrect dataset queries that do not take the 'direction' field into account. |
| 740220 | Log field list for filter may be empty with FortiClient ADOM. |
System Settings
| Bug ID | Description |
|---|---|
| 653371 | CEF log forwarding start time does not match with event time. |
| 669402 | FortiAnalyzer may not time out an admin session after many hours. |
| 708958 | Changing Timezone on FortiAnalyzer does not take effect on FortiSOC. |
| 734001 | FortiAnalyzer HA may randomly fail-over. |
| 742804 | TACACS user is not able to browse Log View. |
| 748107 | Additional timestamp, tz field, is being added to forwarded logs from FortiAnalyzer. |
Vendor release notes: FortiAnalyzer 7.0.2
Regards,
The B&B Team
Security in business
