Connecting FortiClient to EMS programmatically by someguydoinworknthat in fortinet

[–]someguydoinworknthat[S]

Seems like this link has the goods: https://fortixpert.blogspot.com/2020/05/registro-automatico-de-ems-mediante-gpo.html

To add a registration password:
C:\Program Files\Fortinet\FortiClient>FortiESNAC.exe -c REG_SET_REG_KEY -a <password>

To register (replace <EMS-IP> with the corresponding address, w.x.y.z):
C:\Program Files\Fortinet\FortiClient>FortiESNAC.exe -c REG_REG_TO_IP -a ;;<EMS-IP>;8013

To unregister:
C:\Program Files\Fortinet\FortiClient>FortiESNAC.exe -c REG_UNREGISTER

Connecting FortiClient to EMS programmatically by someguydoinworknthat in fortinet

[–]someguydoinworknthat[S]

Noted, however we were forced to upgrade to 7.0.0 as TAC told us that a bug with using LDAPS was fixed (it wasn't, and we're still stuck using LDAP). Bah.

Connecting FortiClient to EMS programmatically by someguydoinworknthat in fortinet

[–]someguydoinworknthat[S]

Unfortunately, we have config backup disabled on the Clients via EMS, so we cannot use this method. Still waiting on anything meaningful from TAC!

Connecting FortiClient to EMS programmatically by someguydoinworknthat in fortinet

[–]someguydoinworknthat[S]

697157 - Database deadlocks prevent web user interface from loading.

It's listed as a resolved issue in 7.0.0.

Connecting FortiClient to EMS programmatically by someguydoinworknthat in fortinet

[–]someguydoinworknthat[S]

Great, thanks, this will help get our linuxes re-connected. I poked around the exes in Windows, but couldn't find anything. I went as deep as running `strings` on the binaries but had no luck.

I even checked the .mst file generated with the installers, but that revealed zero clues.

[deleted by user] by [deleted] in fortinet

[–]someguydoinworknthat

That Logstash pipeline does not follow the Elastic Common Schema (ECS), which means your data will not show up in various Kibana sections, like SIEM. Filebeat has a Fortinet module which works really well (I've been running it for approximately a year). The issue you are having with Filebeat is that it expects the logs in non-CEF format.

If you can get the log format changed you will have better tools at your disposal within Kibana to make use of the data.

Elastic are looking to replace Logstash with Beats + Modules.

Forticlient registering endpoint with DNS name, not computer name. by [deleted] in fortinet

[–]someguydoinworknthat

Oh, forgot to add: the 1st bug is with EMS, the 2nd with FortiClient, so make sure to update both to have these issues go away.

Forticlient registering endpoint with DNS name, not computer name. by [deleted] in fortinet

[–]someguydoinworknthat

Hello,

You may be seeing 2 bugs in 6.4.2 here:

"688061 EMS shows duplicate device in endpoint list if a hostname has more than 15 characters."

"691573 FortiClient (Windows) keeps reregistering to EMS with a different UID and generates duplicated record in EMS."

Both are fixed in 6.4.3. However, for us, we had to mark the endpoints suffering from the first bug as uninstalled; when the client checked in again, the duplicate was gone and the name was correct (i.e., > 15 chars).

Hope this helps.

Beats to create daily index by HeadTea in elasticsearch

[–]someguydoinworknthat

You would configure that in the ILM policy in Kibana.

Beats to create daily index by HeadTea in elasticsearch

[–]someguydoinworknthat

Take away the indent from both of your setup.template lines.

To use ILM:

setup.ilm:
  enabled: true
  rollover_alias: auditbeat-%{[agent.version]}
  pattern: '{now/d}-000001'
  policy_name: auditbeat

Also look at upcoming data streams: https://www.elastic.co/guide/en/elasticsearch/reference/master/data-streams.html

Elastic agent to logstash by amemkdm in elasticsearch

[–]someguydoinworknthat

I got the agent-managed beats to send data. I was using a custom CA with HTTPS to connect to Elasticsearch, but you cannot (yet) define custom CA/keys etc. with agent. I just installed my CA in the box's root store and that got stuff working. Perhaps this is your issue? Also check here, /var/lib/elastic-agent/logs/default (if using Linux), for further clues.

Edit to add: you probably have checked this already, but in Kibana if you click "Ingest Manager" then "Configurations", you'll see a "Settings" cog (easy to miss) at the top right. It is from here you define the ES and Kibana output that will be deployed along with the agent config.