02. Defining FortiSOAR, Collectors And Agents

Question 1

Function of collector

Answer 1

collect logs and performance metrics from geographically disparate networks.
Data collection protocols (SNMP, WMI) are chatty
Syslog uses UDP and thus unreliable
Collector solves this problems

Question 2

Who serves as Syslog and snmp trap destination for local devices?

Answer 2

Collector

Question 3

FortiSIEM collector formats

Answer 3

1. Appliance
2. VM
3. ISO image

Question 4

Advantage of using collector VM image

Answer 4

Can increase vCPU and memory to handle higher loads

Question 5

FortiSIEM collector minimum requirement for appliance

Answer 5

4 CPU
16 GB RAM
3 TB DISK

Question 6

FortiSIEM collector minimum requirement for ISO image

Answer 6

4 vCPU
8GB RAM
40 GB disk

Question 7

FortiSIEM collector minimum requirement for VM

Answer 7

4 vCPU
4 GB RAM
Os - 25 GB disk
OPT - 100 GB disk

Question 8

Collector processes

Answer 8

Collectors run a reduced set of system processes

The processes that run on a collector are for specific functions, such as discovery, performance monitoring, event parsing, and log data collection.

Admin > Health > Collector Health

phMonitorAgent
phParser
phCheckpoint
phEventPackager
phAgentManager
phPerfMonitor
phEventForwarder
phDiscover

Question 9

Collector Operations

Answer 9

The collector
1. parses the logs
2. forwards the compressed logs to the supervisor or worker nodes over an encrypted HTTPS channel.
3. buffers the logs locally for a period of time, if the network connection to the super or worker is not available.

Question 10

How frequently collector is uploading data?

Answer 10

every five seconds or 10 MB, whichever is reached first

five seconds for low EPS environments, and 10 MB for high EPS environments.

Question 11

compression ratio

Answer 11

8:1 ratio

Uses standard zlib

Question 12

Data enrichment

Answer 12

collector enriches each event with a collector ID, organization ID, and org name. The collector name is not added during the event enrichment process.

Question 13

a built-in mechanism to buffer events in case there is WAN link failure

Answer 13

By default, there are a maximum of 10,000 event files that are buffered on the collector. Each event file contains five seconds’ worth of events and is limited to 10 MB in size before compression. The average event size is estimated to be 200 Bytes, which depends on the device type and event.
Buffer size is dependent upon the EPS being received

The collector drops events when the buffer is full

Question 14

Buffer calculation examples

Answer 14

Revisit later and fill card with examples

Question 15

What state is collector when deployed

Answer 15

Unconfigured state

Question 16

Collector registration process includes

Answer 16

which customer it belongs to
where it will upload data
how long it is valid

Question 17

Single virtual appliance (va) setup

Answer 17

Supervisor is only node collectors can upload data to.
Not recommended for large deployments due to performance strain

Question 18

FortiSIEM cluster setup

Answer 18

specify one or more worker nodes using the worker IP addresses.
The collectors load balance across the specified worker nodes.

streaming analytics, like inline reports and rules, are distributed over the worker nodes.

Question 19

FortiSIEM cluster best practice

Answer 19

The best practice is to upload all the data to the worker nodes and leave the supervisor node for performing other important tasks.

Question 20

Worker upload setting

Answer 20

cannot define collectors before you set the worker upload address.

Admin > Settings > System > Worker upload

Collector receive this data during registration

Question 21

Installing worker

Answer 21

Deploy image
At the command prompt go to /usr/local/bin
Run configFSM.sh script
Configure time zone
Select worker for config target
Select fips options
Configure network

Question 22

Workers on hardware based appliances

Answer 22

Can’t add workers to hardware appliances

Question 23

What port worker listen on

Answer 23

TCP/443

Question 24

Communication between collector and worker

Answer 24

Is one way Collector to worker. Need to define VIP on fw in front of worker and add rule to allow outbound traffic from collectors to VIP on port 443

Best practice is to use FQDN for upload address

Question 25

Communication between collector and supervisor

Answer 25

tasks, such as discovery, test credentials, parser changes, custom performance monitoring tests, and more, from the supervisor node.
The supervisor node uses the same session to communicate with the collectors.
You need to allow only an outbound connection in the customer firewall policy.
The supervisor does not explicitly initiate any connections to the collector nodes.
Port TCP/443

Question 26

Difference between collector health data and event data

Answer 26

Collector health information and tasks are sent only to the supervisor, and the event data is sent to all nodes that are defined in the worker upload settings.

Question 27

Modes of data ingestion

Answer 27

Notification based
Schedule based
App push

Question 28

notification-based mode

Answer 28

connectors such as IMAP, Exchange, Syslog, and so on, have a notification service that is instantly notified when a message arrives on the server. In turn, the notification service triggers a FortiSOAR playbook to create FortiSOAR records from the fetched data.

Question 29

schedule-based mode

Answer 29

connectors such as QRadar, Anomali, ServiceNow, and so on, use the fetch APIs of the integration. By default, these fetch playbooks are scheduled to run every five minutes,

Question 30

app push mode

Answer 30

connectors, such as Splunk, have a FortiSOAR add-on that you can install on the server side to push data from the server to FortiSOAR.

it triggers FortiSOAR playbooks to create the records in FortiSOAR

Question 31

Data ingestion mode best practice

Answer 31

most integrations that support a notification-based ingestion also support a schedule-based ingestion. However, you must configure only one of the two, otherwise both pull data from the same source, which might result in data loss due to conflicts.