NSE6_FSR-7.3 Fortinet NSE 6 - FortiSOAR 7.3 Administrator Question and Answers

In a FortiSOAR High Availability (HA) cluster setup with an externalized PostgreSQL database, it is necessary to configure the database server to allow incoming connections from all FortiSOAR nodes. This configuration involves modifying the pg_hba.conf file to set up host-based authentication and control which IP addresses can connect. The postgresql.conf file must also be adjusted to enable listening on all necessary IP addresses, which is critical for FortiSOAR nodes to connect to the database server securely and reliably. Together, these configurations ensure that all FortiSOAR nodes can access the database, facilitating effective HA functionality​.

When deleting a user account in FortiSOAR, the user ID must be entered into the usersToDelete.txt file. This file is specifically used to list users that are marked for deletion. Once the user IDs are listed in this file, the system can process the deletion of these accounts as part of its user management operations. This method ensures that only specified users are deleted, as referenced in FortiSOAR's administrative controls​.

When importing modules into FortiSOAR using the configuration wizard and selecting "Merge with Existing" as the bulk action, the behavior for field handling is as follows: any fields that already exist in the system are overwritten with the imported values. New fields from the imported module are added to the system, while fields that are not part of the imported module remain unaffected and are retained in the system. This option ensures that existing data structures are updated with new information without losing existing, but non-imported, fields​.

Elasticsearch in FortiSOAR is used for its robust data handling capabilities, allowing rapid storage, searching, and analysis of vast amounts of data in near real-time. Its integration with FortiSOAR’s global search enables efficient querying across all records, providing quick response times and a seamless user experience. The Elasticsearch database is crucial for handling extensive datasets and delivering swift search results, making it integral to FortiSOAR's performance and data management capabilities​.

Administrators can collect and review FortiSOAR logs for troubleshooting in two primary ways. First, they can download logs directly from the GUI, which provides access to various logs through an intuitive interface. Secondly, using the command-line interface, the csacta log --collect command can be used to gather all logs within a specified directory, enabling more detailed offline analysis. Both methods offer comprehensive log collection to aid in diagnosing and resolving issues​.

When the PostgreSQL database is externalized in FortiSOAR, certain HA-related CLI commands become inapplicable. Specifically, the csada ha firedrill command, which is used to test the integrity of the HA cluster by simulating failures, is not applicable in scenarios where the database is managed outside FortiSOAR. Externalizing the database changes how FortiSOAR manages database connections, making some internal commands like firedrill redundant​.

When configuring the system proxy for FortiSOAR, it is essential to ensure connectivity to certain URLs to maintain system updates and licensing. For FortiSOAR, access to https://iepo.fortisoar.fortinet.com is required for incident enrichment and analysis, while https://globalupdate.fortinet.net is necessary for global updates to keep the system up-to-date with the latest threat information. These connections allow FortiSOAR to communicate with Fortinet's servers to fetch updated threat intelligence and system updates, which are critical for the operational effectiveness of FortiSOAR​.