System Configuration

You can customize FortiSOAR™ and configure several default options used throughout the system, including the way FortiSOAR™ gets displayed to the users and the way notifications are sent to the users. To configure the system, you must be assigned CRUD permissions to the Application module. The Application module is assigned by default to the Application Administrator role. For information about roles, refer to the Default Roles section in the "Security Management" chapter.

Click the Settings icon to open the System Configuration page. Use the Application Configuration tab on the System Configuration page to edit several default options found throughout the system, especially in the user profile. These include the following:

  • Default notifications mechanism
  • Default notifications for health of HA clusters
  • Default Comment Modification
  • Default Playbook Recovery options
  • Default timezone for exporting reports
  • Default theme
  • Schedule purging of audit logs and executed playbook logs
  • Default country code
  • Default navigation bar style

For more information on user profile configuration, refer to the User Profiles section in the "Security Management" chapter.

System Configuration Menu - Application Configuration tab

Tip

You can modify all the default values on a per-user basis on any user's Profile page.

To enable sending system notifications, including requests for resetting passwords, and also for sending emails outside FortiSOAR™ you must configure the SMTP connector. For more information on FortiSOAR™ Built-in connectors, including the SMTP connector, see the "FortiSOAR™ Built-in connectors" article present on the support site. You must log onto the support site to view this information.

Click Settings > Audit Log to open the Audit Log page. Use the Audit Log page to view a chronological record of all actions across FortiSOAR™. For more information, see Audit Log.

Click Settings > License Manager to open the License Manager page. Use the License Manager page to update your license and view the details of your FortiSOAR™ license. For more information, see License Manager.

Use the Environment Variables tab on the System Configuration page to add proxies to serve HTTP, HTTPS, or other protocol requests from FortiSOAR™ or define environment variables. The procedure for configuring proxy settings and defining environment variables is included in the Configuring Proxy Settings and environment variables topic in the Additional configuration settings for FortiSOAR™ chapter of the "Deployment Guide."

Use the Branding tab on the System Configuration page to customize FortiSOAR™ branding based on your license type. For more information, see Branding.

Use the System Fixtures tab on the System Configuration page to view the links to various playbook collections and templates, which are included by default with FortiSOAR™. For more information, see System Fixtures.

Application Configuration

On the Application Configuration page, you can configure settings that will apply across FortiSOAR™. You can edit the settings and then click Save to apply the changes or click Revert to revert your changes.

Configuring Notifications

Currently, FortiSOAR™ supports only email as a notification mechanism.

FortiSOAR™ sends notifications to users for updates to tasks or activities. Non-admin users can change their notification setting by editing their user profile to either enable or disable email notifications. Changes made by a non-admin user to the notification settings are applicable only to those users who have not changed their default user profile settings.

Important

You must configure your SMTP connector before you can configure notifications and complete the process of adding new users. If you do not configure the SMTP connector, users are still created, but the password reset notification link cannot be sent to them. For more information on FortiSOAR™ Built-in connectors, including the SMTP connector, see the "FortiSOAR™ Built-in connectors" article present on the support site. You must log onto the support site to view this information.

In the future, in-app notifications and SMS notifications will enable additional notification mechanisms.

Note

SMS messages and other notification means can be integrated using Playbooks. Some mechanisms, such as Everbridge, are already built with some defaults in place.

Configuring Notifications for health of HA cluster

To receive email notifications for failures of services within your High Availability (HA) cluster, in the HA Cluster Health section, click the Enable Notification checkbox.

Once you click the Enable Notification checkbox, specify in the Email field the email address that will be notified in case of service failures. From the Select a Service drop-down list, select the service to be used for notifications. You can choose between SMTP or Exchange.

Note: By default, the HA cluster health check runs every 5 minutes.

Configuring Comments

Users can edit and delete their own comments if you (the administrator) have enabled the settings for comment modification and if the user has appropriate CRUD permissions on the Comments module. To allow users to edit and delete their own comments, click the Settings icon, which opens the System Configuration page.

On the Application Configuration tab, in the Comment Modification section, select the Allow Comment Modification checkbox (by default, this is checked in case of a fresh installation of version 5.0.0 and later). You can also specify how long after adding a comment users can edit or delete it in the Allow users to modify/delete their comments for a duration of field. For example, if you select 1 minute from this field, then users can edit and delete their comments for up to 1 minute after adding them. By default, the Allow users to modify/delete their comments for a duration of field is set to 5 minutes. Users cannot edit or delete their comments after the time specified in the Allow users to modify/delete their comments for a duration of field.

Comments Modification section

Users can edit or delete their comments in the collaboration window or in the Comments widget.

A user who has Security Update permissions can edit comments of any FortiSOAR™ user, and a user who has Security Delete permissions can delete comments of any FortiSOAR™ user. There is no time limit for the Security user to update or delete comments.

Scheduling purging of audit logs and executed playbook logs

You can schedule purging, on a global level, for both audit logs and executed playbook logs. Click the Settings icon, which opens the System Configuration page. In the Purge Logs section, you can define the schedule for both Audit Logs and Executed Playbook Logs. By default, audit logs and executed playbooks logs are not purged.

Note

By default, the purge schedule job runs every midnight (UTC time) and clears all logs that have exceeded the time duration that you have specified. If you want to run the purging activity at a different time of the day or for a different duration, you can do so by editing the schedule of purging on the Schedules page once you enable purging of the logs.

To purge Audit Logs, you must be assigned a role that has a minimum of Read permission on the Security module, Read permission on the Application module, and Delete permissions on the Audit Log module. To purge Executed Playbook Logs, you must be assigned a role that has a minimum of Read permission on the Security module and Delete permissions on the Playbooks module.

To enable purging of Audit Logs and Executed Playbook Logs, you must select the Enable Purging checkbox that appears in the Audit Logs and Executed Playbook Logs sections respectively.

Purge Logs Section

Once you select the Enable Purging checkbox, you must define the schedule for purging of audit logs and executed playbook logs. To specify the time for which you want to retain the logs, you must select the appropriate option from the Keep logs of drop-down list. You can choose from the following options: Last month, Last 3 months, Last 6 months, Last year, or Custom as shown in the following image:

Purge Logs - Specifying time to retain audit logs

If you choose Custom, then you must specify the number of days for which you want to retain the logs.

Note

For purging purposes, 1 month is considered as 30 days and 1 year is considered as 365 days.

Schedule purging clears all logs that belong to a timeframe earlier than what you have specified.

Warning

The schedule purging activity deletes logs permanently, and you cannot revert this operation.

For example, if you want to retain audit logs for a month, then select Last month from the Keep logs of drop-down list. Once you save this setting all audit logs that are older than 1 month (30 days) will be cleared, and this will be an ongoing process, as the audit log records will all be time-stamped and the ones older than 30 days will be purged.

Similarly, define a schedule for purging of executed playbook logs in the Purge Logs - Executed Playbook Logs section. Once you enable purging of executed playbook logs, a system schedule to periodically clear playbook execution logs is created in Automation > Schedule. Once you save the setting, a View System Schedule link is created, which you can use to view the schedule.

Configuring Playbook Recovery

Use the autosave feature in playbooks to recover playbook drafts in cases where you accidentally close your browser or face any issues while working on a playbook.

In the Playbook Recovery section, you can define the following:

  • If you do not want FortiSOAR™ to save playbook drafts, clear the Enable Playbook Recovery option. By default, this option is checked.
  • In the Save Drafts Every field, enter the time, in seconds, after which FortiSOAR™ will save playbook drafts. By default, FortiSOAR™ saves playbook drafts 15 seconds after the last change.
    The minimum time that you can set for saving playbook drafts is 5 seconds after the last change.
    System Configuration - Configuring Playbook Recovery

Configuring the default timezone for exporting reports

You can define a timezone that will be used by default for exporting reports. This timezone will be applied by default to all reports that you export from the Reports page. To apply the default timezone, click the Enable Timezone Selection option in the Report Export section. Then from the Timezone drop-down list, search for and select the timezone in which you want to export the report. For example, if you want to search for the timezone of Los Angeles, you can type los in the search box below the Timezone field to find the correct timezone, as shown in the following image:

Selecting the default Timezone for exporting reports

Configuring Themes

You can configure the FortiSOAR™ theme that will apply to all the users in the system.

Non-admin users can change the theme by editing their user profile. Changes made by a non-admin user to the theme are applicable only to those users who have not changed their default user profile settings.

There are currently three theme options, Dark, Light, and Space, with Space being the default. On the Application Configuration page, select the theme that you want to apply across FortiSOAR™. Click Preview Theme to view how the theme would look and click Save to apply the theme.

To revert the theme to the default, click Revert Theme.

Configuring Default Country Code

You can configure country code format for contact numbers that will apply to all users in the system. In the Phone Number section, select the Default Country and thereby the default country code that you want to apply across FortiSOAR™ and click Save to apply the code.

Configuring Navigation Preferences

You can configure the behavior of the left navigation bar across FortiSOAR™. You can choose whether you want the left navigation bar to collapse to just display icons of the modules or expand to display both icons and titles of modules. In the Navigation Preferences section, click Collapse Navigation to collapse the left navigation bar and click Save to apply the behavior of the left navigation bar across the system.

Environment Variables

You can use the Environment Variables tab on the System Configuration page to configure proxy settings for FortiSOAR™ and to define any other environment variables.

Important: When you configure proxies using the FortiSOAR™ UI, the Environment Variables tab, the proxies get applied at the application level but not at the OS level. To configure proxies at the OS level, you need to make that entry in the /etc/environment file.

The procedure of how to configure proxy settings and define environment variables is included in the Configuring Proxy Settings and environment variables section in the Additional configuration settings for FortiSOAR™ chapter of the "Deployment Guide".

Important: Whenever you change the proxy server settings or the environment variables, you must restart the celeryd and uwsgi services for the changes to take effect. Use the # systemctl restart celeryd and # systemctl restart uwsgi commands to restart the celeryd and uwsgi services.

System Configuration Menu - Proxy Configuration tab

Note

External web pages that you open (for example, from a link included in the description field of an alert) or view (for example, using the iFrame Widget) in FortiSOAR™ go through the configured proxy server if you have configured the proxy in the web browser's settings. If the proxy is not configured in the web browser's settings, then the external web pages are opened directly without using the configured proxy server.

Branding

You can customize branding of FortiSOAR™ as per your requirement if your FortiSOAR™ license has been enabled with Advanced Branding.

If your FortiSOAR™ license is not enabled with Advanced Branding, then you will only be able to customize the message that appears to all users on the login screen:

Login Message: You can enter a customized message that appears to all users on their login screen and click Save. Or, click Reset To Default to revert to the original message.

Contact your FortiSOAR™ Customer Success representative if you want your FortiSOAR™ license to be enabled with Advanced Branding.

System Fixtures

The FortiSOAR™ UI includes links in the System Configuration page to the various playbook collections and templates, which are included by default when you install your FortiSOAR™ instance. Click the System Fixtures tab on the System Configuration page to view the links to the system playbook collections and templates. Administrators can click these links to easily access all the system fixtures to understand their workings and make changes in them if required. In previous versions, administrators needed to know the complete URL for these fixtures to access them and make required changes.

System Fixtures tab

The following fixtures are included:

Playbooks:

  • System Playbook collection (System Notification and Escalation Playbooks collection): Includes a collection of system-level playbooks that are used to automate tasks, such as the Escalate playbook which is used to escalate an alert to an incident based on specific inputs from the user and linking the alert(s) to the newly created incident.
  • Approval/Manual Task Playbooks collection: Includes a collection of system-level playbooks that are used to automate approvals and manual tasks, such as the playbook that will be triggered when an approval action is requested from a playbook.
  • SLA Management Playbooks collection: Includes a collection of system-level playbooks that are used to auto-populate date fields in the following cases: when the status of incident or alert records have been changed to Resolved or Closed or when incident or alert records are assigned to a user.
  • Schedule Management Playbooks collection: Includes a collection of system-level playbooks that are used for the scheduler module and used for various scheduler actions such as scheduling playbook execution history cleanup, etc.
  • Report Management Playbooks collection: Includes a collection of system-level playbooks that are used to manage generation of FortiSOAR™ Reports.
  • Data Ingestion Playbooks collection: Includes a collection of data ingestion playbooks for all the connectors that are enabled for data ingestion. This has been deprecated.

For more information on system-level playbooks, see the Playbooks Overview chapter in the "Playbooks Guide."

Email Templates

  • Password Reset Token: Includes an email template that is sent to FortiSOAR™ users who forget their password and click on the Forgot Password link, so that they can reset their password. This email contains a link that the user can use to create their new password.
  • Send Email To New User: Includes an email template that is sent to new FortiSOAR™ users; it contains a link that the new user can use to create their own new password.
  • Send Email For Password Change: Includes an email template that is sent when a user requests a change in their FortiSOAR™ password.
  • Send Email For Reset Password By Admin: Includes an email template that is sent to FortiSOAR™ users whose password has been reset by an administrator.

To modify the content of the email templates, click the email template whose content you want to change, for example, click Password Reset Token to open the email template. Click the Edit Record button to edit the contents of the template. You can also click the Edit Template icon to edit the structure of the email or click Actions to perform actions on the record.

Opening the Password Reset Token Email Template

Clicking Edit Record opens the email template in a form format using which you can change the contents of the email as per your requirement, and then click Save to save your changes.

Editing the Email Template in the Form Format

If you have deleted the email templates and you need to update or modify the default email templates, then you must edit the mailtemplate.yml file located at /opt/cyops/configs/cyops-api/.

Audit Log

You can view the historical record of activities across FortiSOAR™ using the Audit Log, the User-Specific Audit Logs, and the graphical representation of the Audit Log in the detail view of a record. From version 5.1.0 onwards, the audit logs also contain terminate and resume playbook events.

Audit Log Permissions

  • To view your own audit logs, you must have a role with a minimum of Read permission on the Audit Log Activities module. To view audit logs of all users, you must have a role with a minimum of Read permission on the Security and Audit Log Activities modules.
  • To delete your own audit logs, you must have a role with a minimum of Delete permission on the Audit Log Activities module. To delete audit logs of all users, you must have a role with a minimum of Delete permission on the Security and Audit Log Activities modules.
    For version 5.0.0 or later installation, the Delete permission on the Audit Log Activities module will be removed for both csadmin and playbook appliances roles, and also this will not be enabled (checked) by default for the Full App Permissions role. Therefore, if you want any user or role to have the right to delete audit logs, you must explicitly assign the Delete permission on the Audit Log Activities module to that particular user or role.

If you cannot access the Audit Log, you must ask your administrator for access. FortiSOAR™ displays an error, as shown in the following image, if you do not have access to Audit Logs:

Audit Log - No access error message

You can view the historical record of activities across FortiSOAR™ using the following options:

  • Audit Log: Audit Log displays a chronological list of all the actions across all the modules of FortiSOAR™. Click Settings > Audit Log to open the Audit Log page.
  • User-Specific Audit Logs: User-Specific Audit Logs displays a chronological list of all the actions across all the modules of FortiSOAR™ for a particular user.
  • Viewing Audit Log in the detailed view of a record: You can view a graphical presentation, or grid view, of all the actions performed on that particular record. The audit log is displayed in a graphical format using the Timeline widget.

Audit Logs also include data such as playbook events, the name of the user who deleted a record, linking and delinking events, picklist events, and model metadata events (including changes made in model metadata during the staging phase). Free text search, additional filtering criteria, the ability to quickly add auditing for a new service, and lazy loading have also been implemented in audit logs.

The data included in the audit log has been further enhanced to contain the following types of entries:

  • Users' login success or failures and logout events. The login event includes all three supported login types, which are DB Login, LDAP Login, and SSO Login.
  • Users' login with an invalid username.
  • Locked users' attempts to log on to FortiSOAR™.
  • Inactive users' attempts to log on to FortiSOAR™.

Important

If you have a field, in a module, whose Singular Description attribute value contains a . or $, then the Audit Logs replace the . or $ with an _. For example, if you have a field SourceID whose singular description you have specified as Source.ID, then this field will appear as Source_ID in Audit Logs.

You can purge Audit Logs using the Purge Logs button on the top-right of the Audit Log page. You will see the Purge Logs button only if you have Delete permissions on the Audit Log Activities module.

Audit Logs - Purge Logs

You can also use the Audit Log Purge API to purge audit logs on an automated as well as an on-demand basis. For more information see the API Methods section in the "API Guide."

Viewing Audit Log

Use the Audit Log to view a chronological list of all the actions across all the modules of FortiSOAR™. To view the Audit Log page, you must have access to the Audit Log Activities module. Click Settings > Audit Log to open the Audit Log page. The audit log also displays users' login success or failures and logout events. The login event includes all three supported login types, which are DB Login, LDAP Login, and SSO Login.

Audit Log

You can filter the audit logs to display the audit logs for a particular record type by selecting the record type (module) from the Record Type drop-down list. You can also filter audit logs on users, operations, and date range, apart from modules.

To filter audit logs for a particular user, select the user from the Select User drop-down list.

To filter audit logs for a particular operation, select the operation from the Select Operation drop-down list. You can choose from operations such as Comment, Create, Delete, Link, Login Failed, Snapshot Created, Trigger, Unlink, Update, etc.

You can also filter audit logs for a particular date range by selecting the From Date and To Date using the calendar icon.

You can also search for audit logs using free text search. Click the Search icon and enter a search criterion in the Search Logs field to search the audit logs.

The Audit Log displays the following historical information for each record:

  • Title: Title of the record on which the action was performed.
    Note: In case of Approval playbooks, the playbook audit log displays the Approval Description field, which represents the name of the approval record, in the Title field. In this case, the Title field will be displayed in the format Approval [Approval Description] Operation Performed. For example, Approval [Approval Test] Created. Playbook audit log entries that were created prior to upgrading to version 4.11.0 will have blank approval names.
  • Record Type: Type (module) of the record on which the action was performed.
  • Operation: Operation that was performed.
  • User: User who performed the operation.
  • Source: Source IP address from which the operation was performed.
  • Transaction date: Date and time that the record was updated in the format DD/MM/YYYY HH:MM.

To view the details of an audit log entry, click the expand icon (>) in the audit entry row. Details in the audit log entry are present in the JSON format, and include the old data and updated (new) data for a record, in case of an update operation, and all attributes and their details, such as ID and type, for a record, in case of a create operation. You can copy the data using the Copy to Clipboard button.

Audit Log: Log Details

You can perform the following operations on the Audit Log page by clicking the More Options icon to the right of the table header:

  • Export All Columns As CSV: Use this option to export all the columns of the audit log to a .csv file.
  • Export Visible Columns As CSV: Use this option to export visible columns of the audit log to a .csv file.
    Note: You can hide columns by deselecting a column from the list of columns present within the More Options menu. The hidden columns appear with a red cross.
    More Options menu with hidden columns
  • Export Visible Columns As PDF: Use this option to export visible columns of the audit log to a .pdf file.
  • Reset Columns To Default: Use this option to reset the audit log fields to the default fields specified for the audit log.
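The login-failure entries and the CSV export described above can be combined for offline review. The following is an added example, not part of the FortiSOAR™ documentation or product code: it flags sources with a burst of Login Failed operations in an exported audit log. The CSV header names, the export's timestamp format (taken from the grid's DD/MM/YYYY HH:MM), the threshold and window values, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the export uses the grid's Transaction date format.
TS_FORMAT = "%d/%m/%Y %H:%M"

# Constructed sample export; header names mirror the Audit Log grid columns.
SAMPLE_LOGIN_EXPORT = """\
Title,Record Type,Operation,User,Source,Transaction date
,People,Login Failed,admin,198.51.100.7,04/03/2024 02:00
,People,Login Failed,csadmin,198.51.100.7,04/03/2024 02:01
,People,Login Failed,root,198.51.100.7,04/03/2024 02:01
Alert-204,Alerts,Update,analyst1,192.0.2.10,04/03/2024 02:02
,People,Login Failed,analyst1,198.51.100.7,04/03/2024 02:03
,People,Login Failed,analyst2,198.51.100.7,04/03/2024 02:05
,People,Login Failed,admin,198.51.100.7,04/03/2024 02:07
,People,Login Failed,analyst1,192.0.2.10,04/03/2024 08:15
,People,Login Failed,analyst1,192.0.2.10,04/03/2024 08:45
"""


def _summarise(source, events, burst):
    """Build one finding from the events[first..last] slice of a burst."""
    first, last = burst
    chunk = events[first:last + 1]
    return {
        "source": source,
        "first": chunk[0][0],
        "last": chunk[-1][0],
        "failures": len(chunk),
        # Many distinct users from one source suggests password spraying;
        # a single user suggests guessing against one account.
        "users": sorted({user for _, user in chunk}),
    }


def failed_login_bursts(csv_text, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per source burst of >= threshold Login Failed
    entries whose timestamps fit inside a sliding window."""
    by_source = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"].strip() != "Login Failed":
            continue
        stamp = datetime.strptime(row["Transaction date"].strip(), TS_FORMAT)
        by_source[row["Source"].strip()].append((stamp, row["User"].strip()))

    findings = []
    for source in sorted(by_source):
        events = sorted(by_source[source])
        start, burst = 0, None
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                if burst and start <= burst[1]:
                    burst[1] = end  # overlapping window: extend the burst
                else:
                    if burst:
                        findings.append(_summarise(source, events, burst))
                    burst = [start, end]
        if burst:
            findings.append(_summarise(source, events, burst))
    return findings


if __name__ == "__main__":
    for f in failed_login_bursts(SAMPLE_LOGIN_EXPORT):
        print(f"{f['source']}: {f['failures']} failures, "
              f"{len(f['users'])} users, {f['first']:%H:%M}-{f['last']:%H:%M}")
```
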

You can view logs specific to a particular module, by clicking Settings > Modules (in the Application Editor section) and from the Select a module to edit or create new module drop-down list, select the module whose audit log you want to view, and then click the Audit Logs button.

Audit Log for a particular module

You can view the same details and perform the same actions as mentioned earlier on the Audit Logs Dialog. You can filter the audit logs for modules on users, operations, and date range. For example, you can filter logs which have a Create operation performed on a particular record type (module), as shown in the following image:

Audit Logs: Alert Module Audit log

Similarly, to view logs specific to a particular picklist, go to Settings > Picklists (in the Application Editor section). From the Select a picklist or edit or create a new picklist drop-down list, select the picklist whose audit log you want to view and click the Audit Logs button. You can view the same details and perform the same actions as mentioned earlier on the Audit Logs Dialog. You can filter the audit logs for picklists on users, operations, and date range.

Viewing User-Specific Audit Logs

Use the User-Specific Audit Logs to view the chronological list of all the actions across all the modules of FortiSOAR™ for a particular user. Users can view their own audit logs by clicking the User Profile icon and selecting the Edit Profile option and clicking the Audit Logs panel. Administrators who have a minimum of Read access on the Audit Log Activities module along with access to the People module, which allows them to access a user's profile, can view User Specific Audit Logs. The user-specific audit log also displays user's login success or failures and logout events. The login event includes all three supported login types, which are DB Login, LDAP Login, and SSO Login.

User-Specific Audit Logs

Use the same filtering and searching techniques mentioned in the Viewing Audit Log section. You can filter the user-specific audit logs on record types (modules) and date range.

The user-specific audit logs display the same information as the audit log, and you can also perform the same actions here as you can perform in case of audit logs. For more information, see the Viewing Audit Log section.

Viewing Audit Log in the detailed view of a record

Use the Audit Log tab, which is present in the detail view of a record, to view the graphical presentation of all the actions performed on that particular record. The Audit Log tab uses the Timeline widget to display the graphical representation of the details of the record. You cannot edit the Timeline widget. For more information about widgets, see the Using Template Widgets topic in the "User Guide."

You can toggle the view in the Audit Log tab to view the details in both the grid view and the timeline (graphical) view. Use the same filtering and searching techniques mentioned in the Viewing Audit Log section. You can filter the user-specific audit logs on record types and date range.

Click a record within a module to open the detail view of a record and then click the Audit Log tab to view the graphical representation, or grid view of the details of the record, as shown in the following image:

Timeline Widget output on the Detail View page

A timeline item mentions the action performed on the record, such as Created, Updated, Commented, Attached, or Linked, the name of the person who has made the update, and the date and time that the update was made.

Note

In the timeline, you might see some records created by Playbook. This signifies that the record was created by a workflow entity, such as a Playbook or a Rule.

When you update any detail in a record, then you can click the refresh button in the timeline to view the updates in timeline immediately. To view the complete details of the updates made at a particular timeline item, click the arrow (>) present to the right of the item. The following image displays the details shown for a specific timeline item:

Detailed timeline item

You can toggle between the expanded and collapsed view of the audit log tab, using the Full-screen Mode icon. To move to a full screen view of the audit log, click the Full-screen Mode icon, which opens the audit log in the full screen as shown in the following image:

Audit log in full screen

To exit the full screen, press ESC.

You can toggle between the timeline view and grid view in the Audit Log tab. The grid view in the detailed view of a record appears as shown in the following image:

Grid Widget output on the Detail View page

The grid view also displays the same information as the audit log, and you can also perform the same operations here as you can perform in case of audit logs. For more information, see the Viewing Audit Log section.

Purging Audit Logs

You can purge Audit Logs using the Purge Logs button on the top-right of the Audit Log page. Purging audit logs allows you to permanently delete old audit logs that you do not require and frees up space on your FortiSOAR™ instance. You can also schedule purging, on a global level, for both audit logs and executed playbook logs. For information on scheduling Audit Logs and Executed Playbook Logs, see Scheduling purging of audit logs and executed playbook logs.

To purge Audit Logs, you must be assigned a role that has a minimum of Read permission on the Security module and Delete permissions on the Audit Log Activities module.

Audit Logs - Purge Logs

To purge Audit Logs, click the Purge Logs button on the Audit Log page, which displays the Purge Audit Logs dialog:

Purge Logs Dialog - Date and Time Selection

In the Purge all logs before field, select the time frame (using the calendar widget) before which you want to clear all the audit logs. For example, if you want to clear all audit logs before January 1st, 2019, 12:00 AM, then select this date and time using the calendar widget.

Purge Logs Dialog - Date and Time Selection

By default, logs of all events are purged. However, you can control the event types that will be chosen for purging. For example, if you do not want to purge events of type "Login Failure" and "Trigger", then you must clear the Login Failure and Trigger checkboxes, as shown in the following image:

Purge Logs Dialog - Choosing Events to Purge

To purge the logs, click the Purge Logs button, which displays a warning as shown in the following image:

Purge Audit Log Dialog Warning

Click I Have Read the warning - Purge Logs to continue the purging process.
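Because a purge cannot be reverted, it helps to preview its effect first. The following added example (not part of the FortiSOAR™ documentation or product code) applies the retention rules from the Scheduling purging of audit logs and executed playbook logs section and the event-type selection from the Purge Logs dialog to an Audit Log CSV export. The CSV header names, the treatment of Transaction date values as UTC, and the sample rows and run time are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# "Keep logs of" options in days. The page defines 1 month = 30 days and
# 1 year = 365 days; the 3- and 6-month values are derived from that rule.
KEEP_LOGS_OF_DAYS = {
    "Last month": 30,
    "Last 3 months": 90,
    "Last 6 months": 180,
    "Last year": 365,
}

# Transaction date format shown in the Audit Log grid (DD/MM/YYYY HH:MM).
# Assumption: the CSV export uses the same format and the values are UTC.
TS_FORMAT = "%d/%m/%Y %H:%M"

# Constructed sample export; header names mirror the grid columns.
SAMPLE_EXPORT = """\
Title,Record Type,Operation,User,Source,Transaction date
Alert-101,Alerts,Create,analyst1,192.0.2.10,15/01/2024 09:12
,People,Login Failed,unknown,198.51.100.7,20/02/2024 23:41
Alert-101,Alerts,Update,analyst1,192.0.2.10,29/02/2024 23:59
Escalate,Playbooks,Trigger,csadmin,192.0.2.11,01/03/2024 00:00
Incident-7,Incidents,Create,analyst2,192.0.2.12,30/03/2024 14:05
"""

# Constructed run time: by default the purge job runs at midnight UTC.
RUN_TIME = datetime(2024, 3, 31, 0, 0)


def retention_days(option, custom_days=None):
    """Translate a "Keep logs of" choice into a number of days."""
    if option == "Custom":
        valid = isinstance(custom_days, int) and not isinstance(custom_days, bool)
        if not valid or custom_days < 1:
            raise ValueError("Custom retention requires a positive number of days")
        return custom_days
    if option not in KEEP_LOGS_OF_DAYS:
        raise ValueError(f"Unknown retention option: {option!r}")
    return KEEP_LOGS_OF_DAYS[option]


def purge_cutoff(run_time, option, custom_days=None):
    """Entries stamped earlier than the returned time would be purged."""
    return run_time - timedelta(days=retention_days(option, custom_days))


def dry_run(csv_text, cutoff, keep_operations=()):
    """Split exported rows into (purged, kept, purged-count-by-operation).

    keep_operations models clearing event-type checkboxes in the Purge Logs
    dialog: rows with those operations are kept regardless of age.
    """
    keep = {op.casefold() for op in keep_operations}
    purged, kept = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        stamp = datetime.strptime(row["Transaction date"].strip(), TS_FORMAT)
        excluded = row["Operation"].strip().casefold() in keep
        # Only rows strictly older than the cutoff are removed.
        (kept if excluded or stamp >= cutoff else purged).append(row)
    by_operation = Counter(r["Operation"].strip() for r in purged)
    return purged, kept, by_operation


if __name__ == "__main__":
    cutoff = purge_cutoff(RUN_TIME, "Last month")
    purged, kept, by_op = dry_run(SAMPLE_EXPORT, cutoff)
    print(f"cutoff {cutoff:%d/%m/%Y %H:%M}: {len(purged)} purged, {len(kept)} kept")
    for op, count in sorted(by_op.items()):
        print(f"  {op}: {count}")
```
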

License Manager

FortiSOAR™ enforces licensing using the License Manager. The License Manager restricts the usage of FortiSOAR™ by specifying the following:

  • The maximum number of active users in FortiSOAR™ at any point in time
  • The expiry date of the license.

For details of the FortiSOAR™ licensing process, including deploying your FortiSOAR™ license for the first time, see Licensing in FortiSOAR™ in the "Deployment Guide."

You can use the License Manager to view your license details and for updating your license. FortiSOAR™ displays a message about the expiration of your license 30 days prior to the date your license is going to expire. You must update your license within 30 days if you want to keep using FortiSOAR™.

Click Settings > License Manager to open the License Manager page as shown in the following image:

License Manager

Customer Name displays the name to which the license is issued.

Total Users displays the number of users that can use FortiSOAR™. You cannot create more users, in your FortiSOAR™ environment, than the value specified in this field. For example, if the Total Users field is set to 50, you cannot create a 51st active user in FortiSOAR™.

Expiry Date displays the date at which your FortiSOAR™ license will expire and Remaining Days displays the number of days left for your license to expire.

FortiSOAR™ starts displaying a message about the expiration of your license 30 days prior to the date your license is going to expire. Request your FortiSOAR™ CS representative to generate a new license for you within 30 days of your license expiration. You must provide your hardware key to your FortiSOAR™ CS representative for license generation. For more information about how to retrieve your hardware key and the FortiSOAR™ License Process, see Licensing in FortiSOAR™.

Once your FortiSOAR™ CS representative has generated a license for you, then you can install the license for the first time by clicking Import License and either drag-and-drop your newly generated license or click and browse to the location where your license file is located, then select the file and click Open.

If you want to update your license, ask your FortiSOAR™ CS representative to generate a new license for you. Once your FortiSOAR™ CS representative has generated the license, you can update your license by clicking Update License and either drag-and-drop your updated license or click and browse to the location where your license file is located, then select the file and click Open.