01. Intro To Multi-Tenancy Flashcards

1
Q

Organizations in FortiSIEM enterprise mode

A

Only one org exists (Super)

2
Q

Organizations in FortiSIEM provider mode

A

Multi-tenancy through multiple organizations, alongside the super organization.

3
Q

FortiSIEM built-in orgs

A

Super local
Super global

These orgs are not shown under the Organizations tab.

4
Q

Super local organization

A

Known simply as super; it can be thought of as the FortiSIEM back end, or a local tenant.

Service providers can discover and monitor their own devices under this organization just like the enterprise edition.

5
Q

Default ownership of any assets

A

Everything belongs to the super organization, unless other customers are added.

6
Q

Super global org

A

A virtual organization that can view all organizations under management, including the super organization.

7
Q

Users in super global org

A

They are global admins and can see other orgs and their data.

8
Q

Scopes definition

A

Scopes on FortiSIEM are administrative views where logs sent by a collector from a customer location can be viewed locally.

9
Q

What is the scope for an individual customer called?

A

Local.

10
Q

Switching org view

A

Service provider administrator users can change scopes for administration purposes. This allows the administrator to change the organization view.

11
Q

Log in to the supervisor node

A

To log in as a super global user, type super in the CUST/ORG ID field.

Organization: super, User: admin, Scope: Global

12
Q

Log in to an individual organization

A

By typing the organization name in the CUST/ORG ID field.

Organization: Banking, User: bankadmin, Scope: Local

13
Q

Deployment mode: FortiSIEM without a collector

A

Best suited for a hosting-type environment.
The key is that each customer is on a unique IP address scheme, with no overlap allowed.
Each customer device is local to the FortiSIEM cluster, and you can distinguish events and incidents by filtering with the reporting IP address of devices that belong to individual customers.

14
Q

Deployment type: FortiSIEM with collector

A

Most common deployment type.
Allows for overlapping IP address ranges.
A customer can have one or more collectors defined.
Collectors can be placed anywhere: on the LAN, WAN, DMZ, or at remote sites across the internet or in the cloud.

15
Q

Additional benefit of FortiSIEM with collector deployment

A

Remote administration of customer devices is possible if collectors are used.

16
Q

Deployment type: Hybrid Deployment

A

Some customers have collectors, which are responsible for collecting and sending logs to the FortiSIEM cluster, while other customers send logs directly to the FortiSIEM cluster.

The rules on overlapping IP address schemes still apply to the part of the deployment without collectors: customers who do not have collectors need to be on a distinct IP subnet.

17
Q

New customer definition

A

Admin > Setup > Organizations > New
- Organization name - name of the new customer, referenced in the GUI
- Full name - optional, not displayed anywhere
- Admin User and Admin Password - define the local administrator account username and password
- Admin email - useful for sending alerts and incidents
- Org ID - assigned automatically; it is added to every new event collected or received for that organization

18
Q

Organizations defined in 2 ways

A

1. Associate one or more collectors. Devices monitored by the collector, or events sent to the collector, automatically belong to the associated organization.
2. Define an IP range for the organization. If the sending IP of a device falls within that range, the device and its logs belong to that organization.

19
Q

Max devices definition

A

Defines the maximum number of devices an org can have in the CMDB.
This value is reserved from the total number of licensed devices.
It cannot be higher than the total number of licensed devices.
Applies ONLY to orgs with collectors.

20
Q

Editing organization definition

A

Various fields, including the organization name, can be edited after definition. However, fields such as Admin Password cannot be changed.

21
Q

Creating Organizations without collectors

A

Defined by unique IP addresses, which can be:
- a single IP address
- multiple comma-separated IP addresses
- an IP address range

CIDR notation is not supported here.

All interface IP addresses count during discovery, unless an exclusion is defined.

22
Q

Credentials for organizations without collectors

A

Admin > Setup > Credentials
Under the super global or super local view.

Must log in as a super global user.

23
Q

Define discovery for a deployment without collectors

A

Admin > Setup > Discovery

Under the super global or super local view.

Log in as a super global user.

24
Q

For orgs without collectors, who performs all discovery?

A

The supervisor node performs all discovery.

Any discoveries that do not match an organization IP range belong to the super organization.

25
Q

Load balancer without collector

A

Required to scale a deployment without collectors.
Distributes logs across all workers and the supervisor.

Not all protocols are supported.

26
Q

What protocols does the load balancer support?

A

Syslog and SNMP traps from the network and servers.

27
Q

What protocols are NOT supported by the load balancer?

A

WMI for performance monitoring
Windows event log collection

These are actually polled from FortiSIEM itself, so the traffic needs to go directly to the device being polled.

28
Q

Identifying customer data for orgs without a collector

A

The receiving node in a FortiSIEM cluster without a collector looks up which customer the reporting IP belongs to, and tags the event with the customer name and customer ID.

29
Q

How is an undefined reporting IP handled?

A

Any undefined reporting IP addresses belong to the super organization, and will be tagged as a local asset of the service provider.

30
Q

Scaling without collectors

A

As EPS increases, more workers need to be added to the FortiSIEM cluster to balance the load.

31
Q

Typical enterprise architecture with FortiSOAR and FortiSIEM

A

One single instance of FortiSOAR.
It is recommended that most logs be sent through the SIEM rather than through direct connectors. This ensures the SIEM is the central point of log aggregation and can be used for analytics and reporting.

Incidents generated by FortiSIEM are ingested by FortiSOAR.

Every incident that is sent from FortiSIEM to FortiSOAR is a unique record on FortiSOAR. You can run remediation playbooks from FortiSOAR against those incidents, and perform remediation action on the target devices.

32
Q

Multi-tenancy shared tenancy architecture

A

Tenants share the same system as the primary device; that is, tenants are local, but with restricted access on the system.

The shared tenancy model ensures that the data belonging to different tenants is segregated, and data access is controlled using RBAC. Therefore, a tenant can view only their own data or records, and not the data of other tenants.

Each tenant is given their own login, which they can use to view their dashboards and reports, check the actions taken on their records, check their SLA management, and so on.

33
Q

Multi-tenant distributed tenancy architecture

A

The tenant node instance of FortiSOAR is remote, and every tenant has their own instance of FortiSOAR.

The primary FortiSOAR node resides at the MSSP location and communicates with the tenant node through a secure channel.

Tenant data remains in the tenant environment, and the tenant controls how much data they want to share with the primary node.

The primary node pushes any action that needs to be executed to the tenant node.

34
Q

Multi-tenant hybrid multi-tenancy architecture

A

The primary node centrally manages some customers. If a customer is managed by the primary node, there is no requirement for a tenant node for that customer.
Other customers use the distributed method; for those customers, you must install a tenant node.