FortiSOAR

Basic Information

Fortinet FortiSOAR is a Security Orchestration, Automation, and Response (SOAR) platform designed to enhance security operations by centralizing incident management and automating threat investigation and response.

• Model: FortiSOAR is available as a virtual appliance, a Fortinet-hosted (PaaS) solution, or as a Management Extension Application (MEA) on FortiAnalyzer and FortiManager.
• Version: Documentation is available for various versions, with 7.6.4 appearing as the latest referenced version in official documentation.
• Release Date: Specific product release dates vary by version; the platform undergoes continuous development and updates.
• Minimum Requirements:
  • For FortiSOAR MEA: 4 CPUs, 8 GB RAM.
  • For Virtual Appliance: 8 vCPUs, 32 GB RAM, 500 GB disk space.
• Supported Operating Systems: Rocky Linux 8.6 or RHEL 8.6 for script-based installations. Older versions supported CentOS 7.
• Latest Stable Version: The latest documented version is 7.6.4.
• End of Support Date: End of Support (EOS) dates are typically contract-dependent and not generally published.
• End of Life Date: End of Life (EOL) dates are typically contract-dependent and not generally published.
• Auto-update Expiration Date: Not publicly specified; updates are managed through Fortinet support contracts and managed upgrades.
• License Type: FortiSOAR offers Perpetual, Perpetual (Trial), and Subscription licenses. Editions include Enterprise, Multi-Tenant, and Starter Edition, with licensing often user-based. FortiFlex licensing is also available.
• Deployment Model: FortiSOAR supports flexible deployment models including virtual appliance (on-premises, public cloud platforms like AWS, VMware ESXi, KVM, Docker), Fortinet-hosted (PaaS/FortiCloud), and as an MEA on FortiAnalyzer/FortiManager.

Technical Requirements

FortiSOAR's technical requirements vary based on deployment scale and model, emphasizing virtualized environments and high-performance storage.

• RAM:
  • Minimum for FortiSOAR MEA: 8 GB.
  • Minimum for Virtual Appliance: 32 GB.
  • Recommended for Virtual Appliance: 48 GB.
• Processor:
  • Minimum for FortiSOAR MEA: 4 CPUs.
  • Minimum for Virtual Appliance: 8 vCPUs.
  • Recommended for Virtual Appliance: 12 vCPUs.
• Storage:
  • Minimum for Virtual Appliance: 500 GB.
  • Recommended for Virtual Appliance: 1 TB.

  High-performance storage, preferably SSDs, is recommended. Disk space requirements depend significantly on usage, audit, and workflow retention policies.

• Ports: Requires access between the FortiSOAR VM and integrated third-party products and services. SMTP (port 25) is typically used for email. Other ports depend on the specific connectors and playbooks utilized.
• Operating System: For script-based installations, Rocky Linux 8.6 or RHEL 8.6 are supported. Older versions were compatible with CentOS 7. Fortinet recommends installing on a non-hardened OS, as FortiSOAR performs its own hardening post-installation.

Analysis of Technical Requirements

FortiSOAR is designed for virtualized environments, with scalable resource allocation. The recommended specifications for RAM, CPU, and storage are substantial, reflecting its role in processing and orchestrating complex security workflows. The emphasis on high-performance storage (SSDs) highlights the need for rapid data access and processing for incident response. OS compatibility focuses on enterprise-grade Linux distributions, ensuring a robust and secure foundation. The dynamic nature of port requirements underscores the platform's extensive integration capabilities, necessitating careful network planning based on deployed connectors.

Support & Compatibility

FortiSOAR offers broad compatibility through its extensive connector library and supports common virtualization platforms.

• Latest Version: The latest documented version is 7.6.4.
• OS Support: Rocky Linux 8.6 and RHEL 8.6 are supported for installation. Older versions supported CentOS 7.
• Supported Hypervisors: AWS Cloud, Fortinet-FortiCloud, VMware ESXi (versions 5.5, 6.0, 6.5, 7.0, 8.0), Redhat KVM, and Docker.
• End of Support Date: General end-of-support dates are not publicly available and are typically specified within individual support contracts.
• Localization: Specific localization options are not explicitly detailed in public documentation.
• Available Drivers: FortiSOAR utilizes "connectors" for integration, supporting over 500 multi-vendor security products, including SIEMs, EDRs, and ticketing systems. A Content Hub provides an extensive library of ready-made connectors and playbooks. Custom connectors can also be developed.

Analysis of Overall Support & Compatibility Status

FortiSOAR demonstrates strong compatibility with major virtualization platforms and a vast ecosystem of security tools through its extensive connector library. This allows for flexible deployment and integration into diverse enterprise environments. While specific lifecycle dates are contract-dependent, Fortinet provides continuous updates and a robust support infrastructure. The ability to create custom connectors further enhances its adaptability to unique customer needs.

Security Status

FortiSOAR incorporates a comprehensive set of security features, with a focus on protecting sensitive data and ensuring secure access.

• Security Features:
  • Automates alert triage, investigation, and response workflows.
  • Integrates threat intelligence from FortiGuard Labs and other sources.
  • Provides asset and vulnerability management capabilities.
  • Includes an Incident War Room for collaborative investigation.
  • Features an ML-powered recommendation engine for alert grouping and threat assessment.
  • Supports role-based access control (RBAC) for managing sensitive data.
  • Employs a sessionless security model with unique, limited-lifespan authentication tokens.
  • API actions are reviewed against user authorization privileges.
• Known Vulnerabilities: Various CVEs have been reported across different FortiSOAR versions, including OS Command Injection, Cross-site scripting (XSS), Relative path traversal, and sensitive information disclosure (e.g., connector passwords in plain-text). Fortinet regularly releases patches to address these vulnerabilities.
• Blacklist Status: Not applicable for a SOAR platform.
• Certifications: Specific industry certifications are not explicitly detailed in publicly available documentation.
• Encryption Support:
  • Data at Rest: Supports Full Disk Encryption (FDE) using LUKS (Linux Unified Key Setup) starting from release 7.6.1.
  • Data in Transit: All network communication, including HTTPS, TCP, and REST APIs, is encrypted.
  • Encryption keys are unique per instance and require secure backup.
• Authentication Methods: Supports multiple authentication methods including database users, LDAP/Active Directory integration, Single Sign-On (SSO) via SAML, RADIUS server authentication, and Two-Factor Authentication (2FA) using Google Authenticator or Telesign. API access uses HMAC and API key-based authentication.
• General Recommendations: Fortinet recommends using systems that meet or exceed recommended specifications, securing encryption keys, applying patches promptly, configuring 2FA, and using limited privilege sets for API actions to enhance security.

Analysis of Overall Security Rating

FortiSOAR exhibits a strong overall security posture, integrating robust features for incident response, threat intelligence, and access control. Comprehensive encryption for both data at rest and in transit, coupled with diverse authentication methods, provides significant protection. The regular disclosure and patching of vulnerabilities by Fortinet indicate an active commitment to product security. Users are advised to adhere to best practices regarding system configuration, patching, and access management to maintain optimal security.

Performance & Benchmarks

FortiSOAR's performance is optimized for efficient alert ingestion and playbook execution, with scalability achieved through resource allocation and clustering.

• Benchmark Scores: Fortinet conducts performance benchmarking for major releases, evaluating metrics such as alert ingestion rates and playbook execution times. Benchmarks are available for versions like 7.0.1, 7.0.2, 7.5.0, and 7.6.2.
• Real-world Performance Metrics:
  • High-Availability (HA) clusters demonstrate more effective workload processing and faster execution times compared to single-node systems.
  • In sustained ingestion tests, a single-node system processing 28,800 alerts per day (with 288,000 playbook executions) showed an average CPU usage of 51%.
  • Performance is influenced by factors such as ingestion rate, number of workflows, and purging policies.
• Power Consumption: As a software-based platform, direct power consumption metrics are not applicable; power consumption depends on the underlying hardware infrastructure.
• Carbon Footprint: Not directly measured for the software asset; depends on the hosting infrastructure's energy efficiency.
• Comparison with Similar Assets: FortiSOAR is commonly compared with other SOAR solutions such as Microsoft Sentinel and Palo Alto Networks Cortex XSOAR in the market.

Analysis of Overall Performance Status

FortiSOAR is engineered for high performance in security orchestration and automation, particularly in handling large volumes of alerts and executing complex playbooks. Its architecture supports scalability through clustering and externalized databases, allowing organizations to tailor resources to their specific workload demands. Benchmarking results consistently show that HA configurations significantly improve processing efficiency. Optimal performance relies on adhering to recommended system specifications and proper configuration of FortiSOAR settings.

User Reviews & Feedback

User feedback highlights FortiSOAR's strengths in automation and integration, while also pointing out areas for improvement in initial deployment and customization.

• Strengths:
  • Automation and Orchestration: Users highly value its capabilities to streamline security operations, automate repetitive tasks, and reduce manual intervention.
  • Integrations: Praised for seamless integration with over 500 Fortinet and third-party security tools, enhancing incident response.
  • Incident Management: Effective for centralized incident management, alert triage, and threat intelligence integration.
  • Ease of Use: Many users find the interface intuitive and the "no-code" playbook design beneficial for creating workflows.
  • Customer Support: Fortinet's support and community are frequently cited as helpful.
  • AI-Driven Features: The ML-powered recommendation engine aids in alert grouping and threat assessment.
• Weaknesses:
  • Setup Complexity: Initial setup and configuration can be complex, especially for teams with limited experience or when integrating numerous tools and customizing workflows.
  • Scripting Flexibility: Some users desire more advanced scripting options beyond the "no-code" approach for deeper customization.
  • Alert Fatigue: Extensive features can lead to alert fatigue if not properly configured and managed.
  • Naming Conventions: Inconsistencies in terminology (e.g., "alert" vs. "incident") between FortiSOAR and other Fortinet products can cause confusion.
• Recommended Use Cases: FortiSOAR is recommended for security incident response, alert triage, investigation, and response workflows, particularly for SOC, NOC, and OT teams. It is also used for asset and vulnerability management, threat intelligence management, compliance automation, and crisis management.

Summary

Fortinet FortiSOAR is a robust and highly capable Security Orchestration, Automation, and Response (SOAR) platform, serving as a central hub for security operations. Its primary strength lies in its extensive automation and orchestration capabilities, which significantly streamline incident response, reduce manual effort, and improve overall SOC efficiency. The platform boasts broad compatibility with over 500 third-party security tools through its rich connector library, allowing for seamless integration into diverse enterprise environments. Key features like AI-driven recommendations, a collaborative Incident War Room, and comprehensive threat intelligence integration further empower security teams to detect, investigate, and mitigate threats effectively.

However, FortiSOAR presents some challenges, particularly during initial setup and complex customizations, which may require significant expertise. While its "no-code" playbook design is a strength for many, some advanced users express a desire for greater scripting flexibility. The platform's performance scales well with adequate resources and High-Availability configurations, making it suitable for demanding workloads. Security is a core focus, with extensive encryption for data at rest and in transit, multi-factor authentication options, and robust access controls. Fortinet's proactive approach to addressing known vulnerabilities through regular patches further reinforces its security posture.

Overall, FortiSOAR is an excellent choice for organizations seeking to automate and optimize their security operations, particularly those with complex, multi-vendor security ecosystems. Its strengths in automation, integration, and incident management outweigh its initial configuration complexities, making it a valuable asset for enhancing incident response and reducing mean time to detect (MTTD) and mean time to respond (MTTR). Organizations should plan for adequate resources and potentially specialized expertise for initial deployment and advanced customization to fully leverage its capabilities.

The information provided is based on publicly available data and may vary depending on specific device configurations. For up-to-date information, please consult official manufacturer resources.