Fortinet NSE6_FSR-7.3 - Fortinet NSE 6 - FortiSOAR 7.3 Administrator

In a FortiSOAR High Availability (HA) cluster setup with an externalized PostgreSQL database, it is necessary to configure the database server to allow incoming connections from all FortiSOAR nodes. This configuration involves modifying the pg_hba.conf file to set up host-based authentication and control which IP addresses can connect. The postgresql.conf file must also be adjusted to enable listening on all necessary IP addresses, which is critical for FortiSOAR nodes to connect to the database server securely and reliably. Together, these configurations ensure that all FortiSOAR nodes can access the database, facilitating effective HA functionality​.

In FortiSOAR, when a user is configured with "Concurrent" access type, their ability to log in depends on the availability of concurrent user seats. This means the user can only log in if there are available seats in the concurrent pool. If all seats are occupied, the user must wait until a seat becomes free. Thisconfiguration allows multiple users to share a pool of licenses, making it suitable for environments where not all users need constant access​.

In a FortiSOAR HA cluster, if the former primary node is relegated to a secondary role but is stuck in a Faulted state, it indicates that the node has lost sync or faced a failure during a role change. To restore its functionality, first, you should remove it from the cluster using the csadm ha leave-cluster command. Once it has left the cluster, you can use the csadm ha join-cluster command to re-add the node as a secondary node. This process will allow it to sync back up with the cluster and resume its role as intended​.

In FortiSOAR's high availability (HA) setup, if the cyops-ha service becomes unresponsive, the system is configured to send a "heartbeat missed" notification after a specified period, which in this case is 60 minutes. This delay allows for transient issues to be resolved without triggering immediate alerts, while also ensuring that administrators are informed of prolonged service disruptions. Timely notifications about the cyops-ha service's status help maintain the reliability and responsiveness of the HA environment​.

The FortiSOAR perpetual trial license includes limitations on both the number of users and the number of actions that can be performed. These restrictions are in place to provide prospective users with a functional evaluation of FortiSOAR while limiting its usage in a production environment. The trial license does not support multi-tenancy and restricts the overall capacity for scaling, making it suitable only for testing and familiarization with FortiSOAR’s capabilities​.

When configuring the system proxy for FortiSOAR, it is essential to ensure connectivity to certain URLs to maintain system updates and licensing. For FortiSOAR, access to https://iepo.fortisoar.fortinet.com is required for incident enrichment and analysis, while https://globalupdate.fortinet.net is necessary for global updates to keep the system up-to-date with the latest threat information. These connections allow FortiSOAR to communicate with Fortinet's servers to fetch updated threat intelligence and system updates, which are critical for the operational effectiveness of FortiSOAR​.

In FortiSOAR, SLA (Service Level Agreement) templates can be created for specific modules, including Alerts and Indicators. These templates are essential for tracking response and resolution times, ensuring compliance with defined service levels. By configuring SLAs on the Alerts and Indicators modules, organizations can monitor the time taken to address these items, which is critical in maintaining efficient incident response and management practices. The SLA templates can be customized according to specific business requirements and are applied to records within these modules to enforce timely actions​.

When importing modules into FortiSOAR using the configuration wizard and selecting "Merge with Existing" as the bulk action, the behavior for field handling is as follows: any fields that already exist in the system are overwritten with the imported values. New fields from the imported module are added to the system, while fields that are not part of the imported module remain unaffected and are retained in the system. This option ensures that existing data structures are updated with new information without losing existing, but non-imported, fields​.

When the PostgreSQL database is externalized in FortiSOAR, certain HA-related CLI commands become inapplicable. Specifically, the csada ha firedrill command, which is used to test the integrity of the HA cluster by simulating failures, is not applicable in scenarios where the database is managed outside FortiSOAR. Externalizing the database changes how FortiSOAR manages database connections, making some internal commands like firedrill redundant​.